SSC Naming and Tagging Standard for Azure

Azure Virtual Data Centre

 

Cloud Research and Development

Cloud Product Management and Services Directorate

Chief Technology Officer Branch

Shared Services Canada

 

 

 

 

 

 

 

 

 

The signing authorities below concur with the conditions and responsibilities specified within this document.

 

 

 

_____________________	_____________________	_____________	_____________________
Jacqueline Morcos	Director, Cloud Research and Development Cloud Services Directorate Shared Services Canada	Date	Signature
_____________________	_____________________	_____________	_____________________
Philippe Lefebvre	Director, Digital Transformation Office Chief Information Office Shared Services Canada	Date	Signature

 

 

Document Author(s) & Co-Author(s), Position – Title

Full Name	Role	Department - Position - Title
Simon Earle	Author	SSC, CSD Research and Development

 

History of Changes

Ver. #	Date	Consulted/Reviewers (name of individual & working group consulted)	Brief description of Change	Author of Change
v0.1	2019-06-10	Project Team Review	Initial Release for R1b VDC	SSC Cloud R&D
v0.2	2019-06-14		CSD Review	SSC Cloud R&D
v0.3	2019-06-17		Additional network objects	SSC Cloud R&D
v0.4	2019-06-17		Fixed inconsistencies and extended the field definition tables	SSC Cloud R&D
v0.5	2019-09-10		Standard for PBMM Release 2c – first draft	SSC Cloud R&D
v0.6	2019-09-16	SSC CIO	Align with Azure GC Accelerators	SSC Cloud R&D
v0.7	2019-09-24		Document renamed: SSC Naming and Tagging Standard for Azure v0.7	SSC Cloud R&D
V0.8	2019-10-12	SSC CSD R&D	Arch team review and final decisions for R2c naming standard Note: This version does not have section 4 updated	SSC Cloud R&D
V0.9	2019-10-26	Project Team Review	Tagging section completed for R2c – updated with input from TBS	SSC Cloud R&D
V1.0	2019-11-7	Cloud Technical Working Group	Release candidate for signature	SSC Cloud R&D
V1.1	2019-12-10	SSC CSD & CIO	Director Review	SSC Cloud R&D
V1.2	2019-12-14	TBS Feedback	Updated TBS Governance tags	SSC Cloud R&D
V1.3	2020-1-13	GC Working Group Feedback	Removed case dependency on tags	SSC Cloud R&D
V1.4	2020-3-11		Updated object tables	SSC Cloud R&D
V1.5	2020-3-20		Updated Tenant AD object naming for multi-region	SSC Cloud R&D
V1.6	2020-04-15		Subscription and resource group change, new definition for owner and contact tags	SSC Cloud R&D
V1.7	2020-05-22		Added PaaS device type and new suffixes	SSC Cloud R&D
V1.8	2020-08-24		Update for R2c	SSC Cloud R&D
V1.9	2020-09-16		Fix object tables and general cleanup	SSC Cloud R&D
V2.0	2020-12-29	SSC Cloud teams Sourced Group (COM)	Replace field value table tracking with coding strategy, remove “_” as reserved character, add automation section	SSC Cloud R&D

1       Overview..................................................................................................................................................... 6

1.1   GC Cloud Governance for Object Naming....................................................................................................................................... 6

1.1.1         Field Delimitation....................................................................................................................................................................... 8

2       Azure Naming and Tagging High Level Design..................................................................................................... 9

2.1   Design Principles and Objectives...................................................................................................................................................... 9

2.1.1         Naming and Tagging Design Principles................................................................................................................................... 9

2.2   Infrastructure as Code (IaC)............................................................................................................................................................ 10

3       Azure Naming Standard Detailed Design.......................................................................................................... 11

3.1   SSC Global Naming Rules................................................................................................................................................................. 11

3.1.1         Optional Implementation Strategy....................................................................................................................................... 13

3.1.2         GC Governance Fields............................................................................................................................................................. 13

3.1.3         SSC Device Type Field - Service, Asset, and Configuration Management (SACM)....................................................... 14

3.1.4         Suffix – SSC Resource Type Table.......................................................................................................................................... 16

3.1.5         Workload Migration Considerations (WLM)....................................................................................................................... 17

3.1.6         Exception Management.......................................................................................................................................................... 17

3.2   Resource Object Naming Tables..................................................................................................................................................... 18

3.2.1         General Object Rules............................................................................................................................................................... 18

3.2.2         Compute Object Rules............................................................................................................................................................ 20

3.2.3         Storage Object Rules............................................................................................................................................................... 21

3.2.4         Networking Objects Rules...................................................................................................................................................... 23

3.2.5         Azure Automation Accounts and Service Principals.......................................................................................................... 28

3.2.6         Container Object Rules (placeholder).................................................................................................................................. 29

4       Azure VDC Detailed Tagging Convention.......................................................................................................... 30

4.1   Tagging Strategy............................................................................................................................................................................... 30

4.2   Tagging Convention Limitations..................................................................................................................................................... 32

4.2.1         Azure Tagging Limitations...................................................................................................................................................... 33

4.3   Global Object Tagging...................................................................................................................................................................... 33

4.3.1         Global Tagging Rules............................................................................................................................................................... 33

4.3.2         Tag Reservations by Scope..................................................................................................................................................... 34

4.3.3         GOVERNANCE TAGS................................................................................................................................................................ 34

4.3.4         Resource Tags (User Defined Tags)...................................................................................................................................... 39

5       Appendix A................................................................................................................................................. 42

 

 

Table 1: GC Naming Structure. 7

Table 2: Generic SACM Device Types. 14

Table 3: SACM Functional Device Types. 15

Table 4: Suffix Lookup Table. 16

Table 5: General Object Rules. 19

Table 6: Compute Object Rules. 21

Table 7: Storage Object Rules. 23

Table 8: Network Object Rules. 28

Table 9: Automation Accounts and SP Object Rules. 28

Table 10: Container Object Rules. 29

Table 11: Tagging Limitations. 32

Table 12: Tagging Scope. 34

Table 13: Governance Tags. 38

Table 14: User Defined Tables. 41

Table 15: Department Codes. 43

 

No table of figures entries found.

A consistent Cloud Resource Naming and Tagging Convention is required to help manage cost, improved resource tracking, standardize automation and reduce ambiguity in cloud resourcing. It is also required to implement a multi-Tenant GC wide Cloud Management Platform (CMP). The primary objective of having a single, standardized, naming/tagging convention is to enable reliability on the name/tag to reflect the state of resources and simplify management, tracking, reporting and automation. The key outcomes of this standards are as follows:

 

·         Application of Governance Frameworks: The implementation and maintenance of the cloud governance framework is dependent on consistent naming standards to enable enforcement and compliance auditing.

 

·         Resource Management: Quickly find resources associated with specific workloads, environments, ownership groups, or other important information. Resource identification is critical to assigning organizational roles and access permissions for resource management.

 

·         Security: Naming and tagging plays a key role in security monitoring and incident management. A naming and tagging standard is required for ITSG-33 compliance and the implementation of GC Guardrails.

 

·         Automation: In addition to making resources easier for IT to manage, a proper organizational naming scheme enables automation as part of resource creation, operational monitoring, and the creation of DevOps processes.

 

·         Accounting: Business owners need to be aware of cloud resource consumption to support chargeback/showback accounting, cloud resources need to be organized to reflect ownership and usage.

 

Defining a departmental Cloud Naming and Tagging Standard early on in the adoption process is critical to successful Cloud Governance. The convention must be well documented and agreed on by stakeholders to ensure consistent adoption and support enforcement through policy and automation. The standard will follow a periodic review cycle to ensure new requirements and inefficiencies are addressed, and be flexible enough to allow business owners to meet requirements without breaking mandatory field strings and tags. A single standard should be applied at the departmental level across all Cloud Service Providers.    

1.1        GC Cloud Governance for Object Naming

A base structure is defined for cloud resource naming that allows for governance while supporting flexibility to meet departmental business and technical requirements. The following proposal has been developed in discussion with TBS, SSC, CSE, and Vendors:

 

Cloud resource names use the following five fields:

 

Field	Description
<dept code>	Two character code that uniquely identifies departments across the GC. This will assist with GC wide initiatives such as the Canadian Centre for Cyber Security (CCCS) and the Secure Cloud Enablement and Defense (SCED) projects. System event logs do not contain cloud resource tags, including a departmental identifier in the resource name is considered a GC best practice.
<environment>	Single character code that identifies environment (P=Production, D=Development, S=Sandbox, Q=Quality Assurance, etc.) Should be defined at the Department level and consistent throughout all CSP deployments.
<csp region>	Single character code that identifies Cloud Service Provider and Region. The following assignments are used by SSC and proposed for GC Adoption          Cloud Regional Code CSP – Region C or (c) Azure – Canada Central D or (d) Azure – Canada East G or (g) AWS – Ca-central-1 H or (h) AWS – (reserved for future 2cd region) I or (i) Reserved for International CSP and Regions K or (k) GCP- Northamerica-northeast1 L or (l) GCP- (reserved for future 2cd region) M or (m) Reserved for multi-region O or (o) IBM – Canada Montreal P or (p) IBM – Canada Toronto … Extensible     Y or (y) Azure Stack SSC East (reserved for EDC Montreal) Z or (z) Azure Stack SSC Central (EDC Barrie)
<dept defined string>	Departmental standard is developed by Cloud Team, should align with existing dept. naming convention, DNS and asset management/CMDB datasets.
<suffix>	Placeholder for mandatory Departmental governance field. Can be implementation specific at the tenant, subscription or resource group level (SSC recommends using the cloud resource type as a tenant wide suffix based on Microsoft best practice documentation https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging).

Table 1: GC Naming Structure

 

 

The <dept defined string> is further broken down by each department’s cloud governance team. Shared Services has implemented a <device type> mandatory field as part of the departmental standard/governance that aligns with the current end-state data center (EDC) naming convention. This ensures alignment with the current asset management and trouble ticketing systems (CMDB). This document defines the SSC implementation of this standard in detail.

 

 

 

 

1.1.1       Field Delimitation

The Cloud naming convention uses specific field patterns and definitions. A strategy is applied at the department level to address field delimitation and string identification. The ability to extract specific fields from the resource name is critical to monitoring, reporting, automation and DevOps.

Optional strategies for field delimitation include:

·         Reserved Characters: Using the lowest common denominator approach across CSPs, the hyphen “-“ is reserved for field delimitation. The hyphen is used to separate mandatory fields applied at the department level. Resource owners may also leverage the “-“ or use other CSP supported characters for field delimitation within the <user defined string> (i.e. underscore “_”). 

·         Use of Camel Case: Each field must use uppercase for the first and lowercase for all remaining characters. Numbers are not allowed in the first character. Special characters are typically not supported (note: Camel Case is not used in this standard).

·         Fixed Length Fields: Each field has a fixed length and all resource names must have the correct number of characters for the object type.

 

A consistent strategy across all cloud service providers at the Departmental level is recommended. All of the above approaches have pros and cons, care should be taken when defining a departmental standard for field delimitation. A mixed approach may be required to meet requirements. The SSC convention leverages a hybrid of the reserved character and fixed length strategies. Case is not used as a field delimiter in the SSC standard, case is difficult to maintain and enforce, and is not applied consistently across Cloud Service Provider tagging implementations. Parsing strings for case also adds unnecessary complexity to automation (code).

This document provides implementation specifics of the SSC naming and tagging convention for IaaS/PaaS objects within the Azure portal and Azure Resource Manager (ARM) API. It is not the intention of this standard to address naming and tagging requirements for SaaS solutions. The environment will follow an agile approach to development and undergo iterative changes through periodic review. The goal is to provide an adaptable naming standard that includes enough governance structure to meet high level GC requirements but keep it flexible enough that departments can customize the implementation to meet business and technical needs.

2.1        Design Principles and Objectives

This section defines the high level design principles applied in the Azure naming and tagging convention. This document was developed from the proposed SSC Azure Governance Framework, the existing SSC naming convention used in the Enterprise Data Centers (EDC), and discussions with SSC CIO, TBS, and Vendors.

 

The standard follows a hierarchal approach that allows delegation of field definition based on resource type and scope (GC è Dept è Service). The objective is to produce an approved convention/implementation for Protected B consumption of Azure for Shared Services Canada. It is also the objective of this convention to share with the GC Cloud Technical Working Group to assist in the development of GC wide and departmental standards.

2.1.1       Naming and Tagging Design Principles

The following design principles and considerations are applied.

·         Support multi-cloud implementation (Azure, AWS, GCP, and IBM).

·         Align with existing departmental naming conventions, Domain Name System (DNS) and Configuration Management Database (CMDB) where possible.  

·         Allow for flexible adoption, extensibility and exceptions within the standard.

·         Enable easy identification of resource type and owner through the Cloud Service Provider (CSP) portal to simplify operational support.

·         Support automation through templates and CI/CD pipelines.

·         Tagging standard should provide a hierarchical approach to allow for GC wide requirements (CSE, TBS, and SSC) but also support delegation of authority for departments, business lines and application developers to define tags within their scope.

·         Support enforcement of names and tags through CSP policy and other automation mechanisms.

·         Allowed characters should support a lowest common denominator approach to ensure the standard applies across AWS, Azure, IBM, and GCP where possible (and other).

·         Support vendor templates where possible (some fields are mandatory).

·         Align with technical limitations (i.e. 15 character restriction on Windows NetBIOS names).

·         Address legacy system requirements and workload migration (WLM).

·         Define global date format at the departmental scope that aligns with CSP lowest common denominator approach. This implementation uses the GC standard (ISO8601) which is YYYY-MM-DD (note: the “/” is not supported in tags by all CSPs).

 

Note: Azure has character restrictions on some resource types (most notably storage accounts can only use lowercase alphanumeric characters). This naming standard allows for these exceptions, the rules and conventions for each cloud object type are clearly articulated in the resource object tables in section 3.2 of this document.

 

2.2        Infrastructure as Code (IaC)

A primary objective of this naming standard is to enable the deployment and management of cloud resources through code. Compliance enables the creation of reusable templates and modules that are centrally maintained and shared through SSC managed repositories. SSC has standardized on Terraform as the language of choice for automating deployments within Azure but this standard can easily be applied to other scripting languages (JSON, ARM templates, PowerShell, etc.).

 

The standard supports the delegation of ownership of resource names using a hierarchical approach starting at the GC level, then down through the department and subscription levels to the individual cloud resources. The use of global and local named variables enables individual application solutions to pass values to GC wide templates/modules for compliance and string concatenation. Naming modules exist (terraform) that can be leveraged to create compliant strings for Infrastructure as Code (IaC) deployments. Application developers always have the ability to assign <user defined strings> to meet specific coding requirements within this standard.

 

This naming standard is currently being used by two IaC Government of Canada initiatives supported by SSC:

 

·         Base Cloud Architecture (BCA): Part of the GC Accelerator initiative that provide Terraform modules that deploy ITSG-22 compliant Azure Virtual Data Centers based on Microsoft’s Cloud Adoption Framework (CAF). [https://github.com/canada-ca-terraform-modules] and [https://github.com/ssc-spc-cloud-nuage/]

 

·         Cloud Operating Model (COM): Advanced automation and orchestration solution that extend the Base Cloud Architecture to include CI/CD pipelines using yaml and Terragrunt. [https://github.com/ssc-spc-ccoe-cei]

 

Note: Specific coding examples and variable assignments are purposely left out of this document to avoid out-of-date references – refer to the links above or contact SSC Cloud Operations for more information. A quick reference guide/wiki is under development to simplify access to the latest information.

 

 

This section provides the detailed naming convention for Azure adopted by Shared Service Canada. The intent is to extend this standard to other GC departments once alignment between stakeholders is achieved. It is important to note that tagging rules are separate and included in Section 4. There are subtle differences between the rules for naming vs. tagging (i.e. allowed case, field extensibility, string length, etc.).

 

Note: This convention uses the SSC, TBS and Microsoft recommendation for the first four characters to enforce GC wide unique names to assist with system identification at the Canadian Centre for Cyber Security (CCCS) and other SSC/TBS governance initiatives. 

 

3.1        SSC Global Naming Rules

The following object naming rules must be respected by all cloud deployments that use this convention. The examples in this section illustrate how to build a compliant resource name. The resource type object tables in section 3.2 provide the detailed format, restrictions and examples for most IaaS resource types, these will be extended as the Azure footprint expands to include more resource types.

 

·         Infrastructure devices that require DNS entries (A records) should not exceed 15 characters. CNAME records are used to implement user friendly names as required. Windows virtual machine names must be a maximum of 15 characters to support synchronization with the NetBIOS host names.

·         Allowed characters: Camel Case (mix upper and lower), alphanumeric, hyphen “-“, and underscore “_”. 

·         Reserved character: Hyphen “-“ is reserved for field delimitation. Mandatory fields in an object name must be separated by a hyphen “-“ (unless otherwise stated in the object definition). The hyphen “-” may be used as an optional subfield delimiter in the <userDefined-string>.

·         Restricted characters: Spaces and other special characters are not allowed unless explicitly stated in object tables below (CSP restrictions apply).

·         Camel Case: This standard does not use case for field delimitation, it is recommended that case follow the examples in the object tables for consistency but this is not mandatory for compliance. Case is determined by the resource owner and used to improve readability of object names. This standard encourages mixed upper and lower case of the mandatory prefix as illustrated in the next bullet.  

·         Prefix: All object names use mandatory prefix fields that align with GC Cloud Governance best practice. The compliance fields are fixed length (4 characters) and do not use a delimiter.

 

<dept code><environment><csp region> : <2 char><1><1>

 

Example: ScPc (SSC, Production, Azure Central)

 

·         After the GC four character prefix, the <dept defined string> is further defined to align with departmental requirements such as existing conventions, DNS, and asset tracking/CMDB implementations. This document was developed for SSC, other departments using this standard may choose to apply all, some, or none of the departmental defined fields. Maintaining compliance with the GC wide governance framework outlined in section [1.1 GC Cloud Governance for Object Naming] is mandatory for departments using this convention.

·         Device Type: The device type field has been implemented as part of the SSC departmental convention, it is fixed length (3 characters) and follows the 4 character GC mandatory governance prefix. A delimiter is not used. The device types align with the SSC End-State naming convention (CMDB) and are included in the Azure Naming and Tagging Quick Reference v.21.docx guide for easy reference. This field is extensible, new values can be added if they are not used in the current naming convention. The authority for the three character device type is the SSC Service, Asset, and Configuration Management (SACM) team. Version 3.6 of the SACM cheat sheet is included below. New device types should periodically be synchronized with the SACM team so they can be reserved and tracked.

 

<dept code><environment><csp region><device type>

 

Examples: ScPcSWA (Server, Windows, Domain Controller)

          ScPcADC (Application Delivery Controller / Load Balancer)

 

·         User Defined String: The mandatory field delimiter (“-“) proceeds the user defined string to support code parsing and improve readability. The string is variable length and may use the hyphen (“-“) or underscore (“_”) as an optional subfield delimiter. Cloud objects must have at least one user defined string unless explicitly stated otherwise in the object tables. Subscription, resource group, and resource owners have the flexibility to implement their own standards within their scope, mandatory fields within the user defined string should be tracked by the subscription owner.

 

<dept code><environment><csp region><Device Type>-<userDefined-String>

 

Examples: ScPcSWA-MyApp01

          ScPcSWA-App-01

 

·         Suffix: A single mandatory suffix is defined within this naming standard and is used to identify object type on certain resources (defined in the object tables below). The rule of thumb is: if an object requires a DNS entry the object type suffix is not required. Typically an object will use a suffix if it is a child object of an infrastructure device (i.e. VM / VM-nic1). The “-“ must be used as the field delimiter for object suffixes. Object suffixes align with the Microsoft best practice guide: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging.

 

<dept code><environment><csp region><Device Type>-<UserDefined-string>-<suffix>

 

   Examples: ScPcSWA-MyApp01 (virtual machine)

              ScPcSWA-MyApp01-nic1 (first network interface)

              ScPcSWA-MyApp01-pip1 (first public network interface)

              ScPcSWA-MyApp01-nsg (network security group)  

              ScPcSWA-MyApp01-datadisk1 (first data disk)

 

·         Suffix (cont.): Resource type suffixes are also applied on some cloud constructs that do not have a parent infrastructure device (note: in the example below the <device type> “CNR” is used as a “catch all” for Cloud Network Resource object types – these are tracked in the Device Type table).

 

Examples: ScPcCSV-MyAppVault1-kv (Key Vault)

          ScPcCNR-Core-vnet (vnet)

          ScPcCNR-Core-Transit-rt (route table)

 

·         Exceptions: CSP restrictions may require exceptions to the global naming rules, these are identified in the object tables below (i.e. Azure Storage accounts and objects).

·         Management Groups, Subscriptions and Resource Groups are considered governance (or container) objects and have different filed restrictions and character exceptions. The <Device Type> field is not used in container object names. Instead, a 3 or 4 character <owner> field is defined and tracked at the subscription level. Governance container owners are responsible for naming compliance, security and cost management (the “how” is out of scope of this document and may vary by implementation – subscriptions and resource groups are used to manage these responsibilities).

·         Naming Conflicts: As the Cloud footprint grows there will be inevitable naming conflicts. The use of CNAMEs will help with DNS isolation of conflicting A records but unique names will still be required for applications and systems management (i.e. directory services, monitoring, asset management). If possible, extend current processes for assigning device names to the cloud teams. A single business unit should be responsible for naming standards across both ground and cloud infrastructure deployments (this falls under cloud governance and is out of scope of this document).

 

The structure of the Object Rule Tables are department specific. As previously mentioned, this document uses the SSC adoption of this standard to provide examples and may be leveraged.  

3.1.1       Optional Implementation Strategy

The above implementation strategy for SSC splits the <dept defined string> into two sub-strings <Device Type>-<userDefined-string>, the <Device Type> string (or field) is implemented as a department wide mandatory governance field for the purpose of aligning with SSC’s end-state data center naming standard and asset tracking / trouble ticket systems (CMDB). It is the responsibility of the subscription owner to ensure compliance with departmental standards and preform periodic audits of deployed resources.

 

Another implementation strategy that could be adopted by a department is to delegate the complete <dept defined string> to the subscription / resource owner, removing departmental governance from the cloud naming convention. The device type suffix should be maintained. This would result with:

 

<dept code><environment><csp region>-<userDefined-String>-<suffix>

 

   Examples: ScPc-MyApp001 (virtual machine)

              ScPd-MyApp001-nic1 (first network interface)

              ScPd-MyApp001-pip1 (first public network interface)

              ScPc-MyApp001-nsg (network security group)    

              ScPc-MyApp001-datadisk1 (first data disk)

 

Variants of this naming and tagging strategy are supported within this framework. The departmental cloud governance team should take responsibility for defining and maintaining the Naming and Tagging standard.

3.1.2       GC Governance Fields

The first four characters of the naming convention follow a GC wide structure to align with the proposed governance framework as described in section 1. These values are repeated here for the SSC implementation:

 

Two character department code <dept code> - SSC will use <Sc>

Single character <environment> - additional codes can be added to the Value tables

P=Production, D=Development, Q=Quality Assurance, S=Sandbox

Single character Cloud Service Provider Region <csp region>

c=Azure Central, d=Azure East

3.1.3       SSC Device Type Field - Service, Asset, and Configuration Management (SACM)

The device type field falls within the <dept defined string> section of the naming convention. Device Type field definitions and values are assigned and maintained by the SSC Service, Asset and Configuration Management team (SACM). These were created in 2013 for use in the end-state data center and configuration management database (CMDB). Alignment will ensure cloud resources are consistent with existing SSC naming standards, simplify operational support, and provide for future integration with SSC’s trouble ticketing system.

 

Table 2: Generic SACM Device Types

 

 

Within the existing end-state SSC naming standard is the concept of functional device types. Essentially this allows for resource owners to optionally include additional detail within the three-character device type string. For more detail on how this is implemented refer to the SSC end-state data center naming convention, a summary is provided here:

  

Table 3: SACM Functional Device Types

 

3.1.4       Suffix – SSC Resource Type Table

The SSC implementation of this standard defines a mandatory cloud resource type suffix on some objects. These are defined in detailed in the object tables in section 3.2 of this document. The following suffix table provides sample values for approved mandatory suffix fields, the list will be extended as more Azure resource types are implemented. New suffix short codes will follow Microsoft best practice guide by default, exceptions are allowed.

 

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging

 

 

Object Type (Resource/Service):	Short Code:	Object Type (Resource/Service):	Short Code:
Subscription	“CBS billing #”	Application Gateway	agw
Resource Group	rg	App Service	asv
Virtual Machine	vm	Key Vault	kv
Availability Set	as	App Service Plan	asp
Virtual Network	vnet	Sql Database	sdb
Subnet	snet	Sql Server	sql
Public IP Address	pip#	Disk	dsk
Firewall	fw	Azure Bastion end-point	bstn
Network Security Group	nsg	Log Analytics Workspace	Law
Storage Account	stg	Function	Fnc
Traffic Manager	tm	Logic App	Log
Load Balancer	lb	Network Interface	nic#
Azure Load Balancer	lbi / lbe	Connection	Con
Load Balancer Rule	lbr	Route Table	Rt
Load Balancer Health Probe	lbhp	Route	route
Load Balancer Backend Pool	lbbp	VM OS Disk	osdisk#
Virtual Network Gateway	vgw	VM Data Disk	datadisk#
Local Network Gateway	lgw	Management Group	mg
Vnet peering	gwp	Azure Firewall	azfw
Network Watcher	nw	App Service Plan	svcplan
Azure Purview	pview	Application Service	svc
Application Insights	appi	Search Service	ss
Web Application	wapp	SQL Assessment	sgla
Databricks Service	dbw	Synapse Workspace	syn
Azure Data Factory	adf	Express Route circuit	erc

Table 4: Suffix Lookup Table

 

3.1.5       Workload Migration Considerations (WLM)

Moving existing infrastructure (virtual) to the cloud introduces additional challenges and complexity. The naming and tagging standard allows “as is” lift and shift of systems provided a mandatory tag is attached containing the compliant cloud object name. SSC Cloud team is investigating options and will update this strategy as requirements are identified in future releases of this document. Departments should develop a strategy to manage legacy names in the cloud.

The actual host name used by the Operating System/DNS does not have to match the resource name in the cloud fabric/portal for the virtual machine. An option is to correctly name the cloud resource but leave the legacy name for the operating system instance. Tags are used to map names between the cloud and legacy naming standards. These may also be used to bridge names between systems using automation.

 

WLM tag key:value pair examples:

 

<azname>:<dept code><environment><csp region><Device Type>-<UserDefined-string>-<suffix>

<legacyname>:<pre-migration name>

3.1.6       Exception Management

Microsoft Marketplace, GitHub quick starts, and third party vendor templates may include hardcoded device naming parameters and reserved script delimiters that may not work within this standard. In particular, VM disk naming, NIC numbering and object type suffix fields typically do not align when deploying resources from the Azure Marketplace through the portal. These are allowed as exceptions within the convention but should be tracked. Alignment with the first four GC governance characters as the prefix however is absolutely required, templates that do not support this are not allowed. Automation may be used to periodically remove/suspend cloud resources that violate this mandatory naming standard within the Azure Virtual Data Center for PBMM approval.

 

 

 

3.2        Resource Object Naming Tables

The object naming tables provide the naming structure, <> brackets are used to denote mandatory fields, [ ] denote optional fields, use of delimiters are described above. Object specific rules and examples are included, subscription and resource group owners can extend the standard to meet specific requirements within their scope. Mandatory governance fields cannot be modified.

 

Important: A child object will always use the parent device name with the suffix replaced to reflect object type. A child object is defined as a resource that exists only as a sub component of its parent. Examples are: <vm>/<vm>-nic1/<vm>-osdisk1 or <vnet>/<vnet>-snet.

3.2.1       General Object Rules

Table 5: General Object Rules

 

 

3.2.2       Compute Object Rules

 

Table 6: Compute Object Rules

3.2.3       Storage Object Rules

 

Note: Storage object names require globally unique lowercase alphanumeric strings, at this time the only mandatory string is the GC Governance field prefix. In this release, most storage objects follow the (tolower)<dept code><environment><CSP Region><userdefinedstring><random> standard discussed in section 2.2 of this document.

 

Table 7: Storage Object Rules

 

3.2.4       Networking Objects Rules

 

Typically, networking object names do not require DNS entries, resource suffixes are mandatory. Current SSC standard uses a “catch all” <device type> of CNR (Cloud Network Resource) to identify network infrastructure components and align with SACM functional device type reservation (“C”). Network Interface Cards (NIC), Public IPs, etc. use their parent object name to track ownership (VM / VM-nic1 or VNET / VNET-snet). The <userDefined-string> is leveraged to identify resource specifics. When using the parent object name as part of the child object name the suffix is truncated (see examples).

   

Table 8: Network Object Rules

3.2.5       Azure Automation Accounts and Service Principals

 

Table 9: Automation Accounts and SP Object Rules

3.2.6       Container Object Rules (placeholder)

 

Table 10: Container Object Rules

Excerpt: “Blob and container names are passed to the Blob service within a URL. Certain characters must be percent-encoded to appear in a URL, using UTF-8 (preferred) or MBCS. This encoding occurs automatically when you use the Azure Storage client libraries. However, there are certain characters that are not valid in URL paths even when encoded. These characters cannot appear in blob or container names. Code points like \uE000, while valid in NTFS filenames, are not valid Unicode characters, so they cannot be used. In addition, some ASCII or Unicode characters, like control characters (0x00 to 0x1F, \u0081, etc.), are also not allowed.

For rules governing Unicode strings in HTTP/1.1 see:”

·         RFC 2616, Section 2.2: Basic Rules and RFC 3987