Learn how to set soft and hard limits on Microsoft Azure to prevent unexpected costs.

flavienbwk/azure-spending-limits

Azure Spending Limits

Minimal configuration to set soft and hard limits on Microsoft Azure to avoid overspending with a "Pay-as-you-go" account.

Some examples of why it's useful :

  • Avoid unexpected API consumption spending (such as infinite loops)
  • Avoid cost for forgotten VMs or resources

The provided script deletes the services in a resource group when an action group triggers it. It won't delete the resource group itself, which is convenient. This is a last-resort solution, as you will have to reconfigure your services after removal.

This method is probably not the best, but it is "quick" to set up and just works. You might prefer rate-limiting API calls, or triggering an action group on carefully analyzed spending (spoiler: this is hard).

How to set soft and hard limits

Remember that the accumulated cost shown in your "Cost Management" console is only an estimate. The real cost may take time to update and generally stabilizes one day after a resource is consumed. However, it is possible to set hard limits based on forecasted cost.

This schema represents the steps to set soft and hard limits on a resource group :

Schema of the workflow configured to delete resources when a spending limit is reached.

  1. Group resources into a group that can be controlled for expenses.

    Click on the browsing bar and search for the Resource Group page.

    Click on your subscription.

    Note down the Subscription ID as SUBSCRIPTION_ID.

    Create a Resource Group "MyServices".

    Add any resource you want inside (VM, API services...). These are the resources that will be limited through our budget.

  2. Create a budget and set a soft limit (alert).

    Go to the Subscription page of the Azure portal and select Budgets on the left pane.

    At the top of the page, click the Add button.

    Configure the budget :

    • Name it MyBudget with a monthly reset period and set the Amount to the hard limit you're willing to spend.
    • Click Next.
    • Create two Alert conditions :
      1. Type Actual to 80% of budget
      2. Type Actual to 100% of budget
      3. Type Forecast to 110% of budget (reminder : the actual cost is not the real-time one)
    • Add your email address as Alert recipients
    • Click Create.

    You now have set your soft limit. It will e-mail you when reaching these thresholds.

  3. Configure an "App" in Active Directory to retrieve credentials to be used in our runbook.

    Click on the browsing bar and search for the Azure Active Directory page.

    On the left pane, click App registrations.

    At the top of the page, click the New registration button.

    Configure the app registration :

    • Name it DeleteResources.
    • In the Supported account types menu, select Accounts in this organizational directory only (Répertoire par défaut only - Single tenant).
    • Click Register.

    Let's now generate an app secret and retrieve TENANT_ID, CLIENT_ID and CLIENT_SECRET values for the list-and-delete-resource.py script.

    Enter your DeleteResources app configuration from the App registrations page.

    On the left pane, click Certificates & secrets.

    Click New client secret and create one with the default expiration date (recommended). You need to make sure this secret is up-to-date in the later-to-be-created runbook.

    Note down the CLIENT_SECRET value.

    On the left pane, click Overview.

    Note down the Object ID as CLIENT_ID and Directory (tenant) ID as TENANT_ID.

  4. Create the runbook that will delete resources when budget is exceeded.

    Click on the browsing bar and search for the Automation Accounts page.

    At the top of the page, click the Create button.

    Configure the automation account :

    • Attribute our previously-created Resource group MyServices.
    • Name it MyAutomation and click Next.
    • In the Advanced tab, select System assigned.
    • In the Networking tab, select Public access.
    • Click the Review + Create button

    In your MyAutomation Automation Accounts, click Runbooks in the left pane.

    At the top of the page, click the Create a runbook button.

    Configure the runbook :

    • Name it DeleteResources.
    • Select Runbook type Python.
    • Select Runtime version 3.8.
    • Click Create.

    Copy/paste the content of the list-and-delete-resource.py file.

    Replace the content of the TENANT_ID, CLIENT_ID, CLIENT_SECRET, SUBSCRIPTION_ID and RESOURCE_GROUP variables.

    Click Save, then Publish.

  5. Create an action group that can then be triggered when a spending threshold is reached.

    Click on the browsing bar and search for the Monitor page.

    In the left pane, click Applications.

    At the top of the page, click the Create button.

    Configure the "application insights" :

    • Attribute our previously-created Resource group MyServices.
    • Name it MyAppInsight.
    • Set Resource Mode Classic.
    • Click Review + Create.

    Go back to the Monitor page.

    On the left pane, click Alerts.

    At the top of the page, click the Create > Action group button.

    Configure the action group :

    • Attribute our previously-created Resource group MyServices.
    • Set Action group name to DeleteResources.
    • Set Display name to DeleteResources and click Next.
    • In the Notifications tab, select Notification type Email/SMS message/Push/Voice.
      • In the drawer that opened, select Email and enter your email address.
      • Click OK.
    • Click Next.
    • In the Actions tab, select Automation Runbook.
      • In the drawer that opened, set Run runbook to Enabled.
      • Set Runbook source to User.
      • Select your subscription.
      • Select Automation account MyAutomation.
      • Select Runbook DeleteResources.
      • Click OK.
    • Click Review + Create.
  6. Allow the app to list/delete resources in our resource group

    Click on the browsing bar and search for the Resource groups page.

    Select the resource group MyServices.

    On the left pane, click Access control (IAM)

    At the top of the page, click the Add > Add role assignment button.

    Configure the role assignment :

    • In the Role tab, click the Privileged administrator roles sub-tab.
    • Select (click) Contributor.
    • Select Assign access to User, group or service principal.
      • In the drawer that opened, type DeleteResources in the Select textbox.
      • Click on DeleteResources.
      • Click Select.
    • Click Review + assign.

    ℹ️ The Contributor role is broad. You might want to create a custom role that grants only specific permissions (list/delete) on specific services (e.g. Cognitive Services, Search, VMs).

  7. Assign the action group to a budget threshold

    Go to the Subscription page of the Azure portal and select Budgets on the left pane.

    Select your MyBudget budget.

    At the top of the page, click the Edit budget button.

    Select the Set alerts tab.

    In our previously-created Alert conditions of type Actual and threshold 100%, set Action group DeleteServices.

    Click Save.

You are now safe!
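
The custom role suggested in step 6, as an added example that is not part of the original repository: a sketch of a delete-only role definition and a check that compares what it grants with Contributor. The role name, its action list and the NEEDED/UNWANTED lists are assumptions to adapt to the services in MyServices.

```python
import fnmatch

# Built-in Contributor role, abridged: only three of its NotActions are shown.
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}
# Hypothetical custom role (name and action list are assumptions, adapt to your services).
DELETE_ONLY = {
    "Name": "MyServices Cleaner",
    "IsCustom": True,
    "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.CognitiveServices/accounts/delete",
        "Microsoft.Search/searchServices/delete",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/MyServices"],
}
# What the runbook has to do, and what its credentials should never be able to do.
NEEDED = [
    "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
    "Microsoft.Compute/virtualMachines/delete",
]
UNWANTED = [
    "Microsoft.Compute/virtualMachines/write",               # create or resize VMs
    "Microsoft.CognitiveServices/accounts/listKeys/action",  # read API keys
    "Microsoft.Storage/storageAccounts/write",               # create storage accounts
]

def _matches(patterns, operation):
    """Case-insensitive wildcard match of an operation against a list of patterns."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def is_allowed(role, operation):
    """Effective permission = matches Actions and matches no NotActions."""
    return _matches(role["Actions"], operation) and not _matches(role["NotActions"], operation)

def audit(role):
    """Report needed operations the role lacks and unwanted ones it grants."""
    return {"missing": [op for op in NEEDED if not is_allowed(role, op)],
            "excess": [op for op in UNWANTED if is_allowed(role, op)]}
```

The DELETE_ONLY dictionary follows the JSON layout accepted by `az role definition create --role-definition`, so it can be saved to a file and created once SUBSCRIPTION_ID is filled in.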
