Azure Resource Group Naming Conventions: CAF Best Practices
How to name Azure resource groups consistently using Microsoft's Cloud Adoption Framework — patterns, examples, and strategies for multi-environment and multi-region setups.
Resource groups are the foundational organizational unit in Azure. Every resource lives in one, and your resource group names are the first thing anyone sees when they open the portal. Getting the naming pattern right from the start saves a significant amount of refactoring later — Azure doesn’t let you rename resource groups or move them between subscriptions without redeployment.
The CAF pattern for resource groups
Microsoft’s Cloud Adoption Framework uses the prefix rg for resource groups:
rg-{workload}-{environment}-{region}-{instance}Or with company and department added for larger organizations:
rg-{company}-{department}-{workload}-{environment}-{region}-{instance}Constraints:
- Maximum length: 90 characters
- Allowed characters: alphanumerics, hyphens, underscores, periods, and parentheses
- Cannot end with a period
- Case-insensitive (but lowercase is the convention)
Examples
| Workload | Environment | Region | Resource group name |
|---|---|---|---|
| Payments API | Production | East US | rg-payments-prod-eus-001 |
| Payments API | Development | East US | rg-payments-dev-eus-001 |
| HR portal | Staging | West Europe | rg-hrportal-stg-weu-001 |
| Shared networking | Production | East US | rg-network-prod-eus-001 |
| Shared services | Production | East US | rg-shared-prod-eus-001 |
Strategies for grouping resources
How you group resources into resource groups matters as much as what you name them. Three common strategies:
By workload (recommended for most teams)
All resources for a given application or service live in one resource group per environment:
rg-payments-prod-eus-001 ← production: API, DB, Key Vault, storage
rg-payments-dev-eus-001 ← dev: same resources, isolated
rg-payments-stg-eus-001 ← stagingWhy: Deleting an environment means deleting one resource group. Access control maps cleanly to workloads.
By lifecycle
Resources with the same update/delete frequency live together:
rg-payments-app-prod-eus-001 ← app tier (deployed often)
rg-payments-data-prod-eus-001 ← data tier (rarely replaced)
rg-payments-net-prod-eus-001 ← networking (almost never replaced)Why: Reduces blast radius when redeploying app-tier resources. Good for teams with separate database administration.
By environment across workloads (avoid for large estates)
rg-prod-eus-001 ← all production resources
rg-dev-eus-001 ← all dev resourcesWhy to avoid: Fine for very small projects, but RBAC becomes coarse, and deleting a resource group in dev risks taking down too many services at once.
Multi-region naming
If you deploy to multiple regions, include the region abbreviation to avoid name collisions and make the primary/failover relationship obvious:
rg-payments-prod-eus-001 ← primary (East US)
rg-payments-prod-wus2-001 ← failover (West US 2)Common region abbreviations:
| Azure region | Abbreviation |
|---|---|
| East US | eus |
| East US 2 | eus2 |
| West US 2 | wus2 |
| West Europe | weu |
| North Europe | neu |
| UK South | uks |
| Southeast Asia | sea |
Shared and platform resource groups
Beyond workload resource groups, most organizations need a small set of shared resource groups for cross-cutting resources:
| Purpose | Example name |
|---|---|
| Shared networking (VNet, NSG, etc.) | rg-network-prod-eus-001 |
| Shared security (Key Vault, policies) | rg-security-prod-eus-001 |
| Shared monitoring (Log Analytics, etc.) | rg-monitoring-prod-eus-001 |
| Image gallery / golden images | rg-images-prod-eus-001 |
| Terraform / Bicep state backends | rg-tfstate-prod-eus-001 |
Tagging resource groups
Tags on resource groups are not inherited by child resources in Azure — each resource needs its own tags. However, tagging the resource group itself is still useful for cost reporting and filtering in the portal:
| Tag | Example value |
|---|---|
environment | prod |
workload | payments |
owner | platform-team@contoso.com |
cost-center | CC-1042 |
Naming in IaC
Terraform:
variable "workload" { default = "payments" }
variable "environment" { default = "prod" }
variable "region" { default = "eus" }
resource "azurerm_resource_group" "main" {
name = "rg-${var.workload}-${var.environment}-${var.region}-001"
location = "eastus"
}Bicep:
param workload string = 'payments'
param environment string = 'prod'
param region string = 'eus'
resource rg 'Microsoft.Resources/resourceGroups@2023-07-01' = {
name: 'rg-${workload}-${environment}-${region}-001'
location: deployment().location
}Enforcing resource group naming with Azure Policy
To prevent resource groups from being created with non-compliant names, use a Policy with the Deny effect scoped to your management group or subscription:
{
"if": {
"allOf": [
{ "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
{ "field": "name", "notMatch": "rg-*" }
]
},
"then": { "effect": "Deny" }
}AzureNamer generates CAF-compliant resource group names and the corresponding Azure Policy — for all 203 Azure resource types, free and without login.
Try AzureNamer
Generate CAF-compliant names for all 203 Azure resource types — free, no login required.
Open the Generator →