Turning Cloud Recommendations into Action

Cloud cost and hygiene reviews are often reactive. Teams receive Azure Advisor alerts about underutilized or idle resources but take little action. Why? Because the recommendations are detached from ownership. What if we could change that? What if every resource carried a clear accountability tag, like resourceManagerEmail, making it possible to trigger an automated notification and retirement strategy?

This is the promise of an automated cloud retirement model: combining Azure Advisor, Azure Resource Graph, serverless compute, and lightweight notifications to turn suggestions into decisions.

You Should Consider This Pattern If…

  • You want to reduce cloud waste by acting on Azure Advisor cost recommendations.
  • Your organization struggles with resource accountability and manual cleanup.
  • You use tags to define resource ownership, e.g., resourceManagerEmail or projectCode.
  • You want to notify stakeholders before deleting resources.
  • You prefer to implement non-intrusive governance through soft automation (notify first, retire later).
  • You need to track resource decisions over time (accepted, deferred, auto-retired).

Architecture Overview

The architecture relies on a scheduled Azure Function App that queries Azure Resource Graph for Azure Advisor cost-related findings. The function looks for tagged resources and writes each finding to Azure Table Storage together with its metadata and notification state. A notification is then sent via SendGrid to the contact defined in the tag. If no action is logged after a defined delay (e.g., 30 days), the system can flag the resource for automated cleanup.

Workflow:

  1. Function App runs on a schedule (e.g., daily/weekly).
  2. It queries Azure Resource Graph for active Azure Advisor cost recommendations.
  3. For each resource, it verifies that the resourceManagerEmail tag is present.
  4. Findings are written to Azure Table Storage (deduplication + state tracking).
  5. If no prior notification has been sent, an email is sent via SendGrid.
  6. Optionally: a reminder is sent and the resource is auto-retired (if configured).
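The decision logic behind steps 3 to 6, as an added example that is not the post's own code: it replays constructed Resource Graph rows over several scheduled runs, deduplicates per resource, notifies once, reminds after 14 days and flags for retirement after the 30-day delay. The Resource Graph query string, the in-memory dict standing in for Table Storage and the `notify` callback standing in for SendGrid are assumptions made for the example; a resource without the owner tag is never flagged.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed Resource Graph query (not from the post): Advisor cost findings joined to resource tags.
ADVISOR_COST_QUERY = """advisorresources
| where type == 'microsoft.advisor/recommendations' and properties.category == 'Cost'
| project resourceId = tostring(properties.resourceMetadata.resourceId), problem = tostring(properties.shortDescription.problem)
| join kind=leftouter (resources | project id, tags) on $left.resourceId == $right.id"""
OWNER_TAG = "resourceManagerEmail"
REMINDER_AFTER = timedelta(days=14)   # second notice if the first one went unanswered
RETIRE_AFTER = timedelta(days=30)     # flag for cleanup if still unanswered (the post's 30-day delay)

@dataclass
class Finding:                        # one Table Storage row: dedup key, state and audit trail
    resource_id: str
    owner: Optional[str]
    state: str = "new"                # new | notified | reminded | accepted | deferred | retire | unowned
    first_notified: Optional[datetime] = None
    history: list = field(default_factory=list)

def process_row(row: dict, store: dict, now: datetime, notify) -> str:
    """Decide and record the next action for one Resource Graph row; returns the new state."""
    rid, owner = row["resourceId"], (row.get("tags") or {}).get(OWNER_TAG)
    f = store.setdefault(rid, Finding(rid, owner))
    f.owner = owner                                   # pick up tag changes between runs
    if f.state in ("accepted", "deferred", "retire"):
        return f.state                                # decision already logged: nothing to do
    if not owner:                                     # no accountable contact: never auto-retire
        f.state = "unowned"
    elif f.first_notified is None:                    # first sighting: notify exactly once
        notify(owner, f"Advisor: {row['problem']} on {rid}")
        f.state, f.first_notified = "notified", now
    elif f.state == "notified" and now - f.first_notified >= REMINDER_AFTER:
        notify(owner, f"Reminder: {row['problem']} on {rid}")
        f.state = "reminded"
    elif now - f.first_notified >= RETIRE_AFTER:
        f.state = "retire"                            # flagged only; deletion is a separate step
    f.history.append((now.isoformat(), f.state))      # audit trail
    return f.state

def run_sample() -> tuple:
    """Replay constructed findings over four scheduled runs; returns (states, emails sent)."""
    rows = [{"resourceId": "/subscriptions/s/vm1", "problem": "Idle VM", "tags": {OWNER_TAG: "owner@example.com"}},
            {"resourceId": "/subscriptions/s/disk1", "problem": "Unattached disk", "tags": {}}]
    store, sent, day0 = {}, [], datetime(2024, 1, 1, tzinfo=timezone.utc)
    for days in (0, 1, 14, 30):                       # daily schedule, sampled at the decisive days
        for row in rows:
            process_row(row, store, day0 + timedelta(days=days), lambda to, msg: sent.append(to))
    return {r: f.state for r, f in store.items()}, len(sent)
```

The tagged VM receives exactly two emails across the four runs (the day-1 run is deduplicated) and ends flagged for retirement, while the untagged disk stays in the unowned state for a human to triage.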

Roles and Components

Component                         Role
Azure Advisor                     Source of recommendations for cost optimization (e.g., idle VMs).
Azure Resource Graph              Allows querying resources and filtering based on tag and Advisor data.
Azure Function App                Orchestration engine to retrieve, process, and act on findings.
Azure Table Storage               Lightweight state tracking (deduplication, notification status).
SendGrid                          Email service to notify resource managers.
Tags (e.g. resourceManagerEmail)  Used to identify ownership and send notifications.

Security & Governance Posture

Security is woven into every layer of the pattern:

  • Least Privilege Access: The Function App uses a Managed Identity scoped only to read from Azure Resource Graph, write to Table Storage and read the SendGrid secret from Key Vault.
  • Secrets Management: The SendGrid API key is stored in Azure Key Vault, never in code or app settings.
  • IAM Controls: Table Storage is restricted via RBAC so that only the function's identity can read and write it.
  • Audit Trail: Every action (notification, deferral, deletion) is written to Table Storage for traceability.
  • Defense in Depth: The API layer is not public-facing; the only externally exposed component is email delivery.

Challenge: Have you classified which resources are safe to retire automatically? What if a tagged email is outdated? Do you need fallback contact logic?

Closing Thoughts

Automating Azure Advisor recommendations sounds simple but unlocks deep governance maturity. The moment resources are tied to a contact, decisions become trackable. And with the right triggers, cleanup becomes non-intrusive.

Still, you should ask: How do we handle shared resources? What if the owner tag is invalid? How do we escalate before retiring a production VM?

Governance starts with tagging but succeeds through automation.
