Four Policies for Optimising Your Azure Cloud Costs

CloudClarity
4 min read · Jul 29, 2021

Stay on top of your cloud usage with some cost best practices, without doing all the time-consuming management work yourself.

Azure policies can enforce rules for how your cloud environment will function.

There are several strategies for keeping Azure costs low, with the top strategies encouraging regular cleaning of idle resources as well as right-sizing resources. While these are solid techniques, they are reactive strategies, which means that an issue will be fixed only after it’s already happened. Sometimes, this can be a significant amount of time later.

Another strategy to optimise costs is to catch problems before the creation of a resource. Like “Shift-left testing”, the sooner a problem is prevented, the less significant its impact will be on your cloud environment and its bill. Azure policies can help you proactively maintain control of your cloud subscription.

Regardless of whether you’re using the REST API, Azure CLI, Azure PowerShell, or any of the Azure SDKs, consider Azure Policy to be a middleman that inspects all requests to Azure Resource Manager (ARM). This in turn ensures your policies are enforced. You can audit, deny or edit every resource within your Azure cloud. Managing your resources, including where and how they’re being used, can help optimise your spending.

Table of Contents

1. Azure Policy overview

2. Controlling costs through SKUs

3. Setting VM size limits

4. Improving costs through ‘not allowed’ resource types

5. Implementing resources in tactical locations

1. Azure Policy overview

To sum it up, you need at least four things when assigning a policy:

· Scope: The level your policy will be applied on, such as Management Group, Subscription, or Resource Group. All child objects below the chosen scope are subject to that policy.

· Policy Definition: Which policy definition you want to assign. This can be a built-in option, or a custom policy created by you. In this article, we’ll be primarily focusing on built-in options.

· Policy Enforcement: Every policy has an effect that determines what happens when the policy condition is met. When enforcement is enabled, the policy effect is applied. When it is disabled, the policy effect is not applied, but the compliance state is still evaluated.

· Parameters: Here you can (if applicable) configure your policy and pick options such as SKUs, regions, etc.
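
The four elements above map onto a single Azure Resource Manager request. The following is an added example, not code from the original article: it builds the PUT URL and body for a policy assignment and rejects a definition ID that is not a well-formed GUID. The assignment name, the zero-filled subscription ID and the resource group are placeholders; the `listOfAllowedSKUs` parameter name and the API version are assumptions to check against the definition you assign.

```python
import json
import re

# Canonical GUID: 8-4-4-4-12 hex digits separated by ASCII hyphens.
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
ARM = "https://management.azure.com"
API_VERSION = "2022-06-01"  # assumption: any API version that supports enforcementMode
SCOPE_PREFIXES = ("/subscriptions/", "/providers/Microsoft.Management/managementGroups/")


def build_assignment(scope, definition_guid, parameters, enforce=True,
                     name="limit-storage-skus"):
    """Return (url, body) for a PUT that assigns a built-in policy at `scope`."""
    guid = definition_guid.strip().lower()
    if not GUID_RE.fullmatch(guid):
        # Catches IDs copied from rendered pages: typographic dashes, dropped characters.
        raise ValueError(f"not a canonical GUID: {definition_guid!r}")
    if not scope.startswith(SCOPE_PREFIXES):
        raise ValueError(f"unsupported scope: {scope!r}")
    body = {
        "properties": {
            "policyDefinitionId":
                f"/providers/Microsoft.Authorization/policyDefinitions/{guid}",
            # "Default" applies the effect; "DoNotEnforce" only records compliance.
            "enforcementMode": "Default" if enforce else "DoNotEnforce",
            "parameters": {k: {"value": v} for k, v in parameters.items()},
        }
    }
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/policyAssignments/"
           f"{name}?api-version={API_VERSION}")
    return url, body


if __name__ == "__main__":
    url, body = build_assignment(
        # Placeholder subscription and resource group (the scope).
        scope="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo",
        definition_guid="7433c107-6db4-4ad1-b57a-a76dce0154a1",
        parameters={"listOfAllowedSKUs": ["Standard_LRS", "Standard_GRS"]},
        enforce=False,  # start without enforcement and review compliance first
    )
    print("PUT", url)
    print(json.dumps(body, indent=2))
```

Assigning with enforcement off first shows which existing resources would be non-compliant before any deployment is denied.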

Great! Now that the basics have been covered, we can move on to discuss the built-in policies that can assist with optimising your Azure costs.

2. Controlling costs through SKUs

Policy: Allow store account SKUs
ID: 7433c107-6db4-4ad1-b57a-a76dce0154a1

With this policy, you can restrict which Azure Storage SKUs may be used.

Regarding the types of SKUs, RAGRS and RAGZRS provide additional high-availability features across paired Azure regions/zones. Some cases will call for this, such as when you need data resiliency, read fallback, etc. In most cases, however, LRS or GRS is sufficient and cheaper to use, so you can enforce a policy that allows only those storage options.

Note that some parts of your organisation might require the more advanced and costly functions at some point or another. This means you need to be flexible about policy changes, because what might not be useful today may end up being vital later on.

3. Setting VM size limits

Policy: Allowed virtual machine size SKUs
ID: cccc23c7-8427-4f53-ad12-b6a63eb452b3

This policy lets you define a set of virtual machine (VM) size SKUs that your business may deploy. In other words, you can limit specific virtual machine families and sizes.

This policy essentially limits what VM families and SKUs are allowed in your cloud environment. You may not need a VM with 16+ CPU cores or one with a GPU. This reduces human errors and poorly optimised solutions.

4. Improving costs through ‘not allowed’ resource types

Policy: Not allowed resource types
ID: 6c112d4e-5bc7-47ae-a041-ea2d9dccd749

This specific policy lets you define the resource types your organisation can and can’t employ. We’ve seen so far how some policies set strict boundaries on SKUs for certain resource types (VM and storage). However, one of the best policies to stop surprises on your bill is to control which resource types are acceptable.

If you prefer storage queues, you may choose to deny ServiceBus. Perhaps Machine Learning or Internet of Things (IoT) is not your speciality, so you don’t want them deployed in your cloud environment. This is something that can be restricted with this policy.

There’s also a policy called “Allowed resource types”, which does the opposite of the one mentioned above. This policy can be a bit risky if you aren’t fully aware of what you’re doing. It’s better to filter out what you don’t want with “Not allowed resource types” than to block everything and then whitelist what’s needed with “Allowed resource types”. With the latter, things will eventually stop functioning in your environment because you end up using resource types that you forgot to whitelist.
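
The difference between the two approaches is easiest to see by replaying the same deployment against both. The following is an added example, not code from the original article: it evaluates two simplified deny rules written in Azure Policy's if/then syntax (modelled on the two policies, not the verbatim built-in definitions) against a constructed list of requested resource types.

```python
import re

# Simplified rule shapes in Azure Policy's if/then syntax (not the verbatim built-ins).
NOT_ALLOWED_RULE = {
    "if": {"field": "type", "in": "[parameters('listOfResourceTypesNotAllowed')]"},
    "then": {"effect": "deny"},
}
ALLOWED_RULE = {
    "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
    "then": {"effect": "deny"},
}

# Constructed sample: resource types requested by one VM-plus-queue deployment.
REQUESTS = [
    {"type": "Microsoft.Compute/virtualMachines"},
    {"type": "Microsoft.Network/networkInterfaces"},  # created alongside the VM
    {"type": "Microsoft.Compute/disks"},              # created alongside the VM
    {"type": "Microsoft.Storage/storageAccounts"},
    {"type": "microsoft.servicebus/namespaces"},      # casing differs on purpose
]


def matches(cond, resource, params):
    """Evaluate the two condition forms used above: `not` and `field` + `in`."""
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    listed = cond["in"]
    if isinstance(listed, str):  # "[parameters('name')]" reference to an assignment value
        listed = params[re.fullmatch(r"\[parameters\('(\w+)'\)\]", listed).group(1)]
    # String comparison is case-insensitive, as it is for `in` in Azure Policy.
    return str(resource.get(cond["field"], "")).lower() in {v.lower() for v in listed}


def denied(rule, params, requests):
    """Return the requested types that would trigger the rule's deny effect."""
    return [r["type"] for r in requests if matches(rule["if"], r, params)]


if __name__ == "__main__":
    deny_list = {"listOfResourceTypesNotAllowed": ["Microsoft.ServiceBus/namespaces"]}
    allow_list = {"listOfResourceTypesAllowed": [
        "Microsoft.Compute/virtualMachines", "Microsoft.Storage/storageAccounts"]}
    print("deny-list blocks :", denied(NOT_ALLOWED_RULE, deny_list, REQUESTS))
    print("allow-list blocks:", denied(ALLOWED_RULE, allow_list, REQUESTS))
```

The deny-list stops only the Service Bus namespace, while the allow-list also stops the network interface and disk that the VM needs, which is the forgotten-whitelist failure described above.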

5. Implementing resources in tactical locations

Policy: Allowed locations
ID: e56962a6-4747-49cd-b67b-bf8b01975c4

This policy lets you restrict the locations your organisation can choose when deploying resources, so as to comply with your geo-compliance requirements. This excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories as well as resources that utilise the ‘global’ region.

Cost should be a factor considered when deploying to an Azure region. A resource in one region may not cost the same amount as one in another region. You’ll want to select the regions that have suitable resource types, availability and latency for end users, but you should also include cost as a factor within your decision-making process. If you compare and study your Azure regions, you’ll find yourself saving quite a sum in your bill at the end of the month.

CloudClarity offers tools that can make employing cost best practices and managing your cloud environment easier and more efficient, so you can spend your time elsewhere. Find out more at https://portal.cloudclarity.app/
