Reference // Front9/Back9

Complete Naming Convention Reference

Every pattern, type code, purpose code, real-world example, and automation helper for the Front9/Back9 Azure resource naming system. This is the full specification.

On This Page

Quick Start Patterns

Resource Group: rg-{fullcleanedsubname} Example: rg-AlignInfraITIOComputingDev Key Vault: kv{#}{first9}-{last9} Example: kv1AlignInfr-putingDev Storage Account: sa{type2}{first9}{last9} Example: sa11aligninfrputingdev Log Analytics: law-{fullcleanedsubname} Example: law-AlignInfraITIOComputingDev Windows VM: {env}{loc}{#}{func}{inst} Example: devaz1rgtapp01 (15 chars max!) NIC: nic-{vmname} Example: nic-devaz1rgtapp01 OS Disk: disk-{vmname}-os Example: disk-devaz1rgtapp01-os Data Disk: disk-{vmname}-data{##} Example: disk-devaz1rgtapp01-data01

Resource Scoping Model

Each naming pattern is driven by the resource's Azure scope. This determines whether the name carries the full subscription identity, a compressed F9/B9 extraction, or operational context like region and environment.

ScopeResourcesIdentity StrategyRegion in Name?
Subscription-scopedRG, LAW, RSV, VNetFull cleaned subscription nameNo (spans regions)
Globally unique (DNS)Key Vault, Storage AccountF9/B9 extraction (24 char limit)No
Region-lockedVM, NIC, Disk, NSGEnv + region + purpose (15 char limit)Yes

Why three tiers? Subscription-scoped resources have generous limits (RG=90, LAW=63, VNet=64), so the full name fits. Globally-unique resources have tight limits (24 chars), forcing F9/B9 truncation. Region-locked resources have the tightest limit (15 chars for Windows VMs), so they encode operational context instead of subscription identity.

Storage Account Naming

Storage Account 3-24 chars / lowercase + numbers ONLY / globally unique
sa{type2}{first9}{last9}
sa11aligninfrputingdev (22 chars)
sa = prefix (2 chars) + {type2} = 2-digit purpose code (2 chars) + {first9} = first 9 alphanumeric chars of subscription, lowercase (9 chars) + {last9} = last 9 alphanumeric chars of subscription, lowercase (9 chars) = 22 total

Storage Account Type Codes

CodePurposeUse CaseDev RedundancyProd Redundancy
11Boot Diagnostics (Primary)VM boot logs and screenshotsLRSLRS or GRS
12Boot Diagnostics (Secondary)DR region boot logsLRSLRS
21VM Data StorageAdditional VM data disksLRSGRS
31Backup / RecoveryAzure Backup storageLRSGRS
41Application DataApp-specific storageLRSGRS
51Log StorageApplication logsLRSLRS
61File SharesSMB file sharesLRSGRS or ZRS
71Blob StorageGeneral-purpose blobsLRSGRS
81Table / QueueNoSQL tables and messagingLRSGRS
91Archive / ColdLong-term compliance archiveLRSGRS

Key Vault Naming

Key Vault 3-24 chars / alphanumeric + dashes / globally unique (DNS)
kv{#}{first9}-{last9}
kv1AlignInfr-putingDev (22 chars, case preserved)
kv = prefix (2 chars) + {#} = vault number 1-9 (1 char) + {first9} = first 9 alphanumeric chars, case preserved (9 chars) + - = readability separator (1 char) + {last9} = last 9 alphanumeric chars, case preserved (9 chars) = 22 total

Key Vault Number Reference

#PurposeTypical ContentsAccess Pattern
1Infrastructure / PrimaryVM passwords, SSH keys, TLS certsInfrastructure team
2Application SecretsAPI keys, connection strings, OAuthApplication team
3Regional (Primary)West US 2 region secretsPrimary region resources
4Regional (Secondary / DR)East US region secretsDR region resources
5Cost Center 1Business unit 1 secretsCost center 1 only
6Cost Center 2Business unit 2 secretsCost center 2 only
7DevOps / CI-CDPipeline secrets, service principalsDevOps pipelines
8Security / ComplianceSecurity keys, audit certsSecurity team
9Backup / DRDR keys, recovery secretsBackup systems

Virtual Machine Naming

Windows Virtual Machine 1-15 chars (CRITICAL!) / alphanumeric + dashes / RG-scoped
{env}{location}{team}{purpose}{instance}
devaz1rgtapp01 (14 chars)
{env} = 3 chars: dev, tst, stg, prd + {location} = 3 chars: az1, az2, az3 + {team} = 3 chars: rgt, ops, sec, dba + {purpose} = 3 chars: app, web, sql, db + {instance} = 2 chars: 01, 02, 03

Location Codes

CodeAzure Region
az1West US 2
az2East US
az3Central US
az4North Europe
az5West Europe

VM Name Examples

NameBreakdownChars
devaz1rgtapp01Dev, West US 2, RGT team, App server, Instance 0114/15
devaz1rgtdb01Dev, West US 2, RGT team, Database, Instance 0113/15
prdaz1sqldb01Prod, West US 2, SQL server, Instance 0113/15
tstaz2webfe02Test, East US, Web frontend, Instance 0213/15

Tier 2: Subscription-Scoped Resources

These resources use the full cleaned subscription name (no F9/B9 extraction needed) because their generous character limits accommodate it. No region or workload in these names — they are subscription-scoped and can span regions.

ResourcePatternExampleLimit
Resource Grouprg-{fullcleanedsubname}rg-AlignInfraITIOComputingDev90
Log Analytics Workspacelaw-{fullcleanedsubname}law-AlignInfraITIOComputingDev63
Recovery Services Vaultrsv-{fullcleanedsubname}rsv-AlignInfraITIOComputingDev50
Virtual Networkvnet-{fullcleanedsubname}vnet-AlignInfraITIOComputingDev64

Tier 3: VM-Dependent Resources

These resources inherit their name from the VM they belong to.

ResourcePatternExampleLimit
Network Interfacenic-{vmname}nic-devaz1rgtapp0180
NIC (multi-NIC)nic-{vmname}-{##}nic-devaz1rgtapp01-0280
OS Diskdisk-{vmname}-osdisk-devaz1rgtapp01-os80
Data Diskdisk-{vmname}-data{##}disk-devaz1rgtapp01-data0180
Public IPpip-{vmname}pip-devaz1rgtapp0180
NSGnsg-{subnet}-{region}nsg-default-westus280

The Dash Pattern Language

During implementation, we discovered that dash placement creates an unintentional but valuable visual language. You can identify a resource's role just by looking at its dash pattern:

PatternMeaningExample
No dashesAzure constraint or globally unique servicesa11aligninfrputingdev
Internal dashSubscription identity separatorkv1AlignInfr-putingDev
Prefix dash"Belongs to" relationshipnic-devaz1rgtapp01
Multiple dashesHierarchical ownership chaindisk-devaz1rgtapp01-data01

Quick recognition in Azure Portal: See sa... with no dashes? Standalone storage. See kv...-... with an internal dash? Key Vault with subscription identity. See nic-... with a prefix dash? Attached to a VM. See disk-...-...-... with multiple dashes? VM disk with a type indicator.

Real-World Deployment Examples

Example 1: Single VM Deployment

Subscription: "Align Infra ITIO Computing Dev" | Region: West US 2

Resource Group: rg-AlignInfraITIOComputingDev KeyVault: kv1AlignInfr-putingDev Storage Account: sa11aligninfrputingdev Log Analytics: law-AlignInfraITIOComputingDev Virtual Machine: devaz1rgtapp01 Network Interface: nic-devaz1rgtapp01 OS Disk: disk-devaz1rgtapp01-os

Example 2: Multi-Tier Application (3 VMs)

Same subscription | Web + App + Database tiers

KeyVault: kv1AlignInfr-putingDev (shared infra secrets) Storage Account: sa11aligninfrputingdev (all boot diagnostics) Storage Account: sa21aligninfrputingdev (database data storage) Web Tier: VM: devaz1rgtweb01 NIC: nic-devaz1rgtweb01 OS Disk: disk-devaz1rgtweb01-os App Tier: VM: devaz1rgtapp01 NIC: nic-devaz1rgtapp01 OS Disk: disk-devaz1rgtapp01-os Database Tier: VM: devaz1rgtdb01 NIC: nic-devaz1rgtdb01 OS Disk: disk-devaz1rgtdb01-os Data Disk 1: disk-devaz1rgtdb01-data01 Data Disk 2: disk-devaz1rgtdb01-data02

Example 3: Multi-Key Vault (Team Isolation)

Same subscription | Separate vaults per team/region

kv1AlignInfr-putingDev Infrastructure team (VM passwords, SSH keys) kv2AlignInfr-putingDev Application team (API keys, connection strings) kv3AlignInfr-putingDev West US 2 regional secrets kv4AlignInfr-putingDev East US DR secrets kv5AlignInfr-putingDev Cost center 30398 secrets kv6AlignInfr-putingDev Cost center 40567 secrets kv7AlignInfr-putingDev DevOps pipeline secrets

PowerShell Helper Functions

Get-KeyVaultName

function Get-KeyVaultName { param( [Parameter(Mandatory=$true)] [string]$SubscriptionName, [ValidateRange(1, 9)] [int]$Number = 1 ) $cleanName = $SubscriptionName -replace '[^a-zA-Z0-9]', '' $first9 = $cleanName.Substring(0, [Math]::Min(9, $cleanName.Length)) $last9 = $cleanName.Substring([Math]::Max(0, $cleanName.Length - 9)) $kvName = "kv$Number$first9-$last9" if ($kvName.Length -gt 24) { Write-Warning "KeyVault name exceeds 24 characters: $($kvName.Length)" return $null } Write-Host "KeyVault Name: $kvName ($($kvName.Length) chars)" return $kvName } # Usage: Get-KeyVaultName "Align Infra ITIO Computing Dev" -Number 1 # Returns: kv1AlignInfr-putingDev

Get-StorageAccountName

function Get-StorageAccountName { param( [Parameter(Mandatory=$true)] [string]$SubscriptionName, [ValidateRange(11, 99)] [int]$TypeCode = 11 ) $cleanName = ($SubscriptionName -replace '[^a-zA-Z0-9]', '').ToLower() $first9 = $cleanName.Substring(0, [Math]::Min(9, $cleanName.Length)) $last9 = $cleanName.Substring([Math]::Max(0, $cleanName.Length - 9)) $saName = "sa$TypeCode$first9$last9".ToLower() if ($saName.Length -gt 24) { Write-Warning "Storage name exceeds 24 chars: $($saName.Length)" $saName = $saName.Substring(0, 24) } Write-Host "Storage Account: $saName ($($saName.Length) chars)" return $saName } # Usage: Get-StorageAccountName "Align Infra ITIO Computing Dev" -TypeCode 11 # Returns: sa11aligninfrputingdev

Terraform Example

locals { subscription_name = "Align Infra ITIO Computing Dev" clean_sub_name = replace(local.subscription_name, "/[^a-zA-Z0-9]/", "") first9 = substr(local.clean_sub_name, 0, 9) last9 = substr(local.clean_sub_name, length(local.clean_sub_name) - 9, 9) kv_name = "kv1${local.first9}-${local.last9}" sa_name = lower("sa11${substr(local.clean_sub_name, 0, 9)}${substr(local.clean_sub_name, length(local.clean_sub_name) - 9, 9)}") } resource "azurerm_key_vault" "main" { name = local.kv_name # ... rest of config }

Character Limits Quick Reference

CRITICAL CHARACTER LIMITS ========================= Windows VM: 15 chars << TIGHTEST CONSTRAINT Linux VM: 64 chars KeyVault: 24 chars Storage Account: 24 chars (lowercase + numbers ONLY) Resource Group: 90 chars Recovery Vault: 50 chars Virtual Network: 64 chars NIC / Disk / PIP: 80 chars

FAQ

Can I change a resource name after creation?

Most Azure resources are immutable. VMs, Storage Accounts, Key Vaults, and VNets cannot be renamed. You have to create a new resource with the correct name, migrate data, and delete the old one. This is why validating names before deployment matters.

Why can't storage accounts use dashes?

Azure platform constraint. Storage accounts create DNS names like {name}.blob.core.windows.net, which have strict requirements: lowercase letters and numbers only.

What if my subscription name is very short?

If the subscription name has fewer than 9 alphanumeric characters, the algorithm uses the full cleaned name for both segments. For names between 9 and 17 characters, Front9 and Back9 overlap, reducing discriminating power. The segments are fully independent only when the cleaned name is 18+ characters. Enterprise subscriptions are typically 20-40 characters, so this is rarely an issue in practice.

Can I use these patterns with Terraform instead of Bicep?

Yes. The naming patterns are tool-agnostic. See the Terraform example above. The same logic works in ARM templates, Pulumi, or any IaC tool.

What if I need more than 9 Key Vaults?

The single-digit pattern supports 1-9 vaults per subscription. Needing 10+ is extremely rare and usually indicates the subscription should be split. If you truly need more, switch to two-letter codes (kva, kvb) at the cost of reducing identity characters by one.

How do I enforce these standards across teams?

Three approaches: Azure Policy (deny non-compliant names at deploy time), CI/CD validation (run Test-AzureResourceName in your pipeline), and the Bicep Deployment Wizard (generates compliant names automatically so engineers never have to think about it).

Interested in working together?

Let's discuss how this approach could solve your infrastructure challenges.

Schedule a 30-Minute Call