Tags not getting applied to VMSS NICs by BuiltIn Policy

Question

We have a BuiltIn Policy Add or replace a tag on resources that is supposed to add a moniker tag on all resources. It is not working for NICs created within Virtual Machine Scale Sets. We've noticed that initially the tag gets applied, but once the VM creation is complete the tag for the NICs vanish.

Answer 1

Thanks for reaching Microsoft Q&A.

The issue is because VMSS manages NICs dynamically. Here's how to fix it:

Solutions

1. Target VMSS Directly: Create a policy for Microsoft.Compute/virtualMachineScaleSets to ensure NICs inherit tags.
2. Policy Timing: Use a custom policy for NICs and ensure it evaluates after VMSS creation.
3. Remediation Task: Periodically reapply tags using a remediation task.
4. ARM Templates: Embed tags in ARM templates or deployment scripts.

Key Considerations

• Scope: Assign the policy at the correct scope.
• Existing VMSS: Update or redeploy existing VMSS instances.
• Testing: Test your policy and remediation tasks thoroughly. You're encountering an issue where tags on VMSS NICs are lost after VM creation. This happens because VMSS manages NICs dynamically. Here's how to fix it: Solutions
  1. Target VMSS Directly: Create a policy for Microsoft.Compute/virtualMachineScaleSets to ensure NICs inherit tags.
  2. Policy Timing: Use a custom policy for NICs and ensure it evaluates after VMSS creation.
  3. Remediation Task: Periodically reapply tags using a remediation task.
  4. ARM Templates: Embed tags in ARM templates or deployment scripts.
  Key Considerations
  • Scope: Assign the policy at the correct scope.
  • Existing VMSS: Update the existing VMSS instances.
  • Testing: Test your policy and remediation tasks thoroughly.

Please refer below documentation tagging policies and policy remediation.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.