Managing costs in the cloud is a large and ongoing challenge. As an Azure administrator, you can start to tackle this challenge by tracking the monthly costs of your Azure environment. Azure’s Cost Analysis tool helps with this by letting you view your cost data and create customized views for the specific resources that are relevant to you and your organization. This tool also allows you to manage costs by creating Budgets. An Azure Budget lets you set a cost monitor at either the Subscription or Resource Group level and receive an alert if the budget threshold is exceeded.
For example, let’s say a user manages a Resource Group for development or POC purposes and you want to ensure costs don’t get too high. Rather than actively checking everything daily, you could set a budget for that Resource Group.
Below is a sample budget setup. I set a $100 threshold on this Resource Group and then set the Budget to alert specified recipients when 100% of the budget is exceeded (note that you can include multiple email addresses here as well as multiple percentage levels for budget actions). Even with just this basic Azure Budget setup, we can provide awareness of rising costs for a Resource Group/Subscription.
Additionally, there’s an Action Group setting for the budget actions. Azure Action Groups give us additional options for Notifications (emailing all users of a specified RBAC Role, SMS text notifications, voice calls, push notifications to Azure app) and Actions (triggering an Automation Runbook, an Azure Function, Logic App, or Webhook). This gives you the tools to create more powerful and customizable actions that can be triggered by a budget.
Another example: you might have a basic notification email that goes out to all relevant parties when the Resource Group cost hits 70% of budget and again at 80% of budget. Then, at 90% of budget, a runbook is triggered that can scale down specific resources in that Resource Group. And at 100% of budget, you trigger a separate runbook to start deallocating resources (e.g., Azure VMs).
As an example, let’s set up a budget to trigger an Automation Runbook that will set a ReadOnly lock on the Resource Group. This lock will effectively make the Resource Group (and everything within it) read-only; new resources cannot be deployed to it and current resources cannot be modified or deleted. Once this lock is set, only an Owner or User Access Administrator can remove it (though ideally, you would first have a discussion with the end user about managing their resources better). I have this set up in an Azure Automation Runbook, using the PowerShell script below to create the lock on the Resource Group named in the $ResourceGroup parameter.
param (
    # Name of RG to be locked
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroup
)
# Create resource lock on specified RG
New-AzResourceLock -LockLevel ReadOnly -LockName "RGOverBudgetLock" -LockNotes "Resource group locked due to hitting budget threshold." -Scope "/subscriptions/SubscriptionID/resourceGroups/$ResourceGroup" -Force
This script requires the $ResourceGroup input parameter to be set in order to run. You set its value when you configure the Action Group, so when a Budget triggers the Action Group, that value is passed to the runbook.
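A hardened variant of the lock runbook, added here as an example and not the author's own script: it validates the Resource Group name, checks that the group exists before acting, and skips creating the lock if it is already present. It assumes the Automation Account signs in with a managed identity that is allowed to create locks; the $LockName parameter is introduced for illustration.

```powershell
# Added example (not the original runbook). Assumption: the Automation Account
# has a managed identity with permission to write locks on the target RG.
param (
    # Name of RG to be locked; restricted to characters Azure permits in RG names
    # (letters, digits, underscore, hyphen, period, parentheses; no trailing period)
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[-\w\.\(\)]{0,89}[-\w\(\)]$')]
    [string] $ResourceGroup,

    # Hypothetical optional parameter; defaults to the lock name used in the article
    [string] $LockName = 'RGOverBudgetLock'
)

# Treat every cmdlet error as terminating so a failed lock is a failed job
$ErrorActionPreference = 'Stop'

# Do not inherit or persist any cached context in the sandbox
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the Automation Account's managed identity (assumption)
Connect-AzAccount -Identity | Out-Null

# Resolve the RG in the current subscription; throws if it does not exist,
# which avoids building a scope string from unchecked input
$rg = Get-AzResourceGroup -Name $ResourceGroup

# Idempotency: list locks set directly on the RG and look for ours
$existing = Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope |
    Where-Object { $_.Name -eq $LockName }

if ($existing) {
    Write-Output "Lock '$LockName' already exists on '$($rg.ResourceGroupName)'; nothing to do."
    return
}

# Create the ReadOnly lock at RG scope
New-AzResourceLock -LockLevel ReadOnly `
    -LockName $LockName `
    -LockNotes 'Resource group locked due to hitting budget threshold.' `
    -ResourceGroupName $rg.ResourceGroupName `
    -Force | Out-Null

Write-Output "ReadOnly lock '$LockName' created on '$($rg.ResourceGroupName)'."
```

The Write-Output lines land in the runbook job's output stream, which gives you a record of when and why a Resource Group was locked.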
To create an Action Group, go to Alerts in the Azure portal and click Manage Actions, then Add Action Group. Under Basics, set the Subscription and Resource Group where this Action Group will be contained. Then give the Action Group a name (must be unique among all your Action Groups) and set the Display Name (does not need to be unique but is limited to 12 characters max).
Additional notification options may be set under Notifications. You don’t need to set anything here, but this is where you would set an email notification to an Azure RBAC Role and/or SMS message/Azure app push/voice-call notifications.
Under Actions, set the Action Type to Automation Runbook. This sends you to a page where you set how the runbook will run.
Notice there are several built-in runbooks in the Action Group, all of which are geared towards managing VMs. If you want to use a custom runbook from an Automation Account, you will need to set Runbook Source to User.
Once you have Runbook Source set, you will need to specify the Subscription, Automation Account, and Runbook you want to trigger with this Action Group. Since this is a custom runbook, you will see a section to configure parameters. Any parameters in the Runbook script will be listed in this section.
With the runbook set and parameters configured, go to Review + Create to create the Action Group. Now, go back to the Budget you created previously on the Resource Group. Originally, I only had this set to notify specified users when the Resource Group spend exceeded 100% of the budget (which was set to a $100 limit). We are going to change this, so click Edit Budget to change Budget settings.
To add the Action Group to this Budget, go to the Set Alerts page and update the Action Group setting for each budget threshold. For this example, set the Budget to just send out an email alert at 80% of budget. Then at 100% of budget, the Action Group will be triggered, in addition to the email alert. This will set the ReadOnly lock on this Resource Group, preventing any further deployments or changes to current resources in this Resource Group.
Once a budget is created, it will take some time for it to start evaluating spend on the Resource Group.
Following these steps will help you get started with setting up your own budget policing. Simply set up your Azure Automation runbook with the script you want to run and link it to the Budget via Action Group. As mentioned previously, there are other, more detailed ways to set up these budget alerts and Action Groups (webhooks, calling Azure functions or logic apps, etc.), but this is a quick and basic way to set up some cost enforcement in your Azure environment.
Thanks for reading. If you still have any remaining questions around Cost Management in general, or if you’d like any help at all with the Budget tool, please feel free to reach out to Anexinet. We’d love to help you get started.