GCP Labels vs Tags: Labels, Network Tags, and Resource Manager Tags Explained
GCP gives you three different systems for attaching metadata to resources: labels, network tags, and Resource Manager tags. They look superficially similar but do completely different jobs, and confusing them is one of the most common beginner mistakes in GCP.
By the end of this page you will understand exactly what each system does, when to use each one, how they interact with billing and firewall rules, and how to build a simple labelling strategy that scales as your environment grows.
Simple explanation
Here is the short version before we go deeper:
Labels are metadata key-value pairs you attach to GCP resources. They are used for organisation, resource filtering, and cost attribution in billing reports. They do not affect runtime behaviour.
Network tags are plain strings attached to Compute Engine VMs. They control which firewall rules and VPC routes apply to a VM. They are Compute Engine-only and have nothing to do with billing or organisation.
Resource Manager tags are a newer governance feature used in large organisations. They can be used in IAM conditions and Organisation Policies to enforce rules based on resource attributes. Beginners usually do not need them.
To organise resources or track costs: use labels.
To target a firewall rule at a group of VMs: use network tags.
To enforce governance policies at organisation scale: use Resource Manager tags.
Warehouse tags, event wristbands, and building policy
Think of labels as the tags on items in a warehouse. Each item has a tag showing which department ordered it and what project it belongs to. The tag does not open or close any doors. It just tells you what the item is for and who pays for it.
Network tags are more like wristbands at an event. A wristband that says “backstage” gets you through doors marked “backstage access only”. The wristband says nothing about your name or team. It just unlocks specific access.
Resource Manager tags are like a building-wide security policy. A policy that says “only contractors with clearance level 2 can enter server rooms” applies to everyone across the whole building without needing to configure each door individually.
How it works
Labels
You attach labels to a resource at creation time or afterwards. Labels are key-value
pairs like env=production or team=backend. GCP stores them
as metadata on the resource. They appear in the Cloud Console, in gcloud
describe output, and crucially, in your
billing export to BigQuery.
Once billing export is enabled, every line item in the export includes any labels
attached to the resource that generated it.
Labels work across most GCP resource types: Compute Engine VMs, persistent disks, Cloud Storage buckets, Cloud SQL instances, BigQuery datasets, Cloud Run services, and more.
Network tags
Network tags are attached only to Compute Engine VMs. When you create a firewall rule, you can target it at all VMs carrying a specific tag rather than at individual IPs or subnets. Any VM you add the tag to immediately inherits the firewall rule. Any VM without the tag is unaffected, even if it is in the same subnet.
Network tags can also be used with VPC routes. See the network tags guide and firewall rules explained for the full detail on how these interact.
Resource Manager tags
Resource Manager tags are attached at the project, folder, or organisation level and cascade down to resources. Unlike labels, their values are strongly typed and controlled by IAM, meaning only authorised users can create or modify them. They are primarily used for enforcing Organisation Policies or writing IAM conditions that depend on resource attributes. This is an advanced governance feature most beginners will not need.
Why are these three systems separate?
They evolved to solve different problems. Labels came first as a general-purpose metadata layer. Network tags were a Compute Engine-specific mechanism for firewall targeting that predates labels. Resource Manager tags were introduced later to support policy-as-code governance at enterprise scale. They share similar terminology but were built independently and serve different purposes.
When to use this
Use labels when you want to:
- Know which team or environment a resource belongs to at a glance
- Filter long resource lists by environment, app, or team in the Cloud Console or gcloud
- Break down monthly cloud spend by environment, team, or application in BigQuery
- Charge costs back to different teams or business units
- Audit which resources are missing required metadata
Use network tags when you want to:
- Allow HTTP/HTTPS traffic to a group of web server VMs without listing each IP
- Restrict database VMs to only accept connections from application-tier VMs
- Apply different routing behaviour to specific VMs in a VPC
Use Resource Manager tags when you want to:
- Prevent resources tagged as
data-classification=sensitivefrom being created in certain regions - Write IAM conditions that grant access only to resources with a specific attribute
- Enforce governance rules consistently across a large multi-project organisation
Labels vs network tags vs Resource Manager tags
| Feature | Labels | Network tags | Resource Manager tags |
|---|---|---|---|
| Primary purpose | Organisation, filtering, cost attribution | Firewall and route targeting | Governance, IAM conditions, policy enforcement |
| Format | Key-value pairs (env=production) | Plain strings (http-server) | Typed key-value pairs with IAM-controlled values |
| Supported resources | Most GCP resource types | Compute Engine VMs only | Projects, folders, organisations (cascades to resources) |
| Affects billing? | Yes — appears in billing export for cost queries | No | No |
| Affects firewall rules? | No | Yes — firewall rules can target VMs by tag | No |
| Affects IAM / policies? | No | No | Yes — used in IAM conditions and Organisation Policies |
| Beginner relevance | High — set these up from day one | Medium — needed as soon as you create VMs | Low — an advanced governance feature |
| Typical example | team=data, env=staging | http-server, allow-ssh | data-classification=sensitive |
Labels in depth
A label is a key-value pair you define. GCP does not prescribe keys or values. The convention is entirely yours. Common patterns that cover most organisations:
env=production,env=staging,env=devteam=backend,team=data,team=platformapp=checkout-api,app=reporting-servicecost-centre=marketing,cost-centre=engineering
Label syntax rules
- Keys and values must be lowercase letters, numbers, hyphens, or underscores
- Keys must start with a letter
- Maximum 64 labels per resource
- Keys up to 63 characters; values up to 63 characters
Create a VM with labels at creation time (the most important moment to label):
gcloud compute instances create my-vm \
--zone=us-central1-a \
--labels=env=production,team=backend,app=payments-apiAdd or update labels on an existing resource:
gcloud compute instances add-labels my-vm \
--zone=us-central1-a \
--labels=cost-centre=engineeringFilter a resource list by label value. Works in gcloud and the Cloud Console:
gcloud compute instances list \
--filter="labels.env=production"Add labels to a Cloud Storage bucket:
gcloud storage buckets update gs://my-bucket \
--update-labels=env=staging,team=dataLabels and cost attribution
The most practical use of labels is breaking down cloud costs. When you enable billing export to BigQuery, GCP writes every line item from your bill into a BigQuery dataset. The labels attached to each resource are included in that export. You can then query spending by any label key.
“Billing export to BigQuery” simply means: GCP writes a detailed record of every charge to a BigQuery table you own, updated daily. From there you can run SQL queries to answer questions like “how much did the production environment cost this month?” or “which team is responsible for the highest storage spend?”
-- Monthly spend breakdown by team label
SELECT
labels.value AS team,
ROUND(SUM(cost), 2) AS total_cost_usd
FROM `my-project.billing_export.gcp_billing_export_v1_XXXXXX`
CROSS JOIN UNNEST(labels) AS labels
WHERE labels.key = 'team'
AND DATE(usage_start_time) >= DATE_TRUNC(CURRENT_DATE(), MONTH)
GROUP BY team
ORDER BY total_cost_usd DESC;Expense receipts and categories
Adding a label like team=backend to a VM is like writing “backend team”
on an expense receipt before you file it. When you later look at the monthly report
(your billing export), you can filter by that category and see exactly what the
backend team spent.
But if you filed three months of receipts without writing anything on them, you cannot go back and add categories retroactively. The receipts are already in the system, unmarked. That is exactly how GCP billing export works with labels.
Labels added to a resource today will not appear on billing records from before today. If a VM has been running unlabelled for three months and you add labels now, those three months of cost data stay unlabelled in your export forever. Apply labels at resource creation time. There is also a 24-48 hour delay before new labels appear in billing exports.
For a fuller picture of how GCP cost management works, see cost breakdown reports and billing budgets and alerts. Labels also complement project-level cost separation. See GCP Projects to understand when to separate by project versus by label.
Network tags (Compute Engine-specific)
Network tags are not labels. They are plain strings attached to Compute Engine VMs that GCP uses to match firewall rules and VPC routes. They have no connection to billing, no key-value structure, and no effect on other resource types.
A firewall rule can target all VMs carrying a specific network tag. Any VM you add that tag to automatically inherits the rule. Any VM without the tag is unaffected, even if it sits in the same subnet.
Create a VM with network tags:
gcloud compute instances create my-web-server \
--zone=us-central1-a \
--tags=http-server,https-serverCreate a firewall rule that targets all VMs tagged http-server:
gcloud compute firewall-rules create allow-http \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:80 \
--target-tags=http-serverAny VM created later with the http-server tag automatically receives
port 80 access. Any VM without the tag does not. This is far more manageable than
maintaining firewall rules by IP address as your fleet grows.
For the complete picture of how network tags interact with VPC routing, see the dedicated network tags guide.
Network tags do not work on Cloud Run, Cloud Functions, Cloud SQL, or any other resource type. Labels work across all of these. The two systems are completely independent.
Resource Manager tags
Resource Manager tags are a separate governance feature. You probably do not need them yet, but you should know they exist so you do not confuse them with labels or network tags.
Unlike labels, Resource Manager tags have strongly-typed values that are controlled by IAM. Only users with the right permissions can create or assign them. They cascade down through the resource hierarchy: attach a tag at the organisation or folder level and it applies to all child projects and resources automatically.
They are primarily used for:
- Writing IAM conditions that grant access only to resources with a specific tag value
- Enforcing Organisation Policies, for example, blocking resource creation in specific regions unless the resource carries an approved tag
For most teams, labels and network tags are sufficient. Resource Manager tags become relevant when you are managing a large multi-project environment and need policy enforcement that cannot be handled by project structure alone.
Best practice naming strategy
Labels are only useful when applied consistently. A good starting convention uses four keys and applies them to every resource from day one:
env:production,staging,developmentteam: the owning team, e.g.backend,data,platformapp: the application or service, e.g.checkout-api,reporting-servicecost-centre: the cost centre for billing chargebacks, e.g.engineering,marketing
Four label keys applied to every single resource is far more useful than ten keys applied inconsistently. Decide your convention before you create resources, write it down in a team doc, and enforce it in code review. Once you have stability, Organisation Policies can block resource creation if required labels are missing.
Audit VMs missing the env label:
gcloud compute instances list \
--format="table(name,zone,labels.env)" \
--filter="NOT labels.env:*"Inspect all labels on a specific resource:
gcloud compute instances describe my-vm \
--zone=us-central1-a \
--format="value(labels)"Common mistakes
Confusing labels with network tags. Labels are metadata for organisation and billing. Network tags control firewall rules. Using one when you need the other produces no error but also no effect. Check which system you need before adding anything.
Expecting labels to affect firewall behaviour. They will not. Firewall rules look for network tags, not labels. If your firewall rule is not working, check the network tags on the VM, not its labels.
Adding labels after resources already exist. Labels applied retroactively do not appear in historical billing records. Any resources that ran unlabelled have that cost data permanently unattributed. Apply labels at creation time, every time.
Expecting labels in billing immediately. New labels take 24-48 hours to appear in BigQuery billing exports. If you need cost data for a resource labelled today, check tomorrow.
Using uppercase or spaces in label keys.
Team=Backendis invalid. Keys and values must be lowercase.team=backendis correct.Overcomplicating the labelling strategy early. Starting with ten label keys and applying them inconsistently is worse than four keys applied to everything. Keep it simple until you have a clear reason to expand.
Summary
- Labels are key-value pairs for organisation, filtering, and cost attribution. They work across most GCP resource types.
- Labels appear in billing exports and let you query spending by team, environment, or application in BigQuery.
- Label keys must be lowercase. Labels are not applied retroactively to historical billing data.
- Network tags are Compute Engine-specific strings that control which firewall rules apply to a VM.
- A firewall rule targeting a network tag applies to any VM you add that tag to, even ones created later.
- Resource Manager tags are a governance feature for large organisations using IAM conditions and Organisation Policies.
- Start with four label keys: env, team, app, cost-centre. Apply them at resource creation time.
Frequently asked questions
What are labels in GCP?
Labels are key-value pairs you attach to GCP resources for organisation, filtering, and cost attribution. For example, labelling a VM with env:production and team:backend lets you filter your resource list and, when billing export is enabled, query how much the production environment costs each month in BigQuery.
What is the difference between labels and tags in GCP?
GCP has three separate systems often called "tags". Labels are metadata key-value pairs used for organisation and billing attribution across most resource types. Network tags are plain strings attached to Compute Engine VMs that control which firewall rules apply to those VMs. Resource Manager tags are a newer governance feature used with IAM conditions and Organisation Policies. All three are completely independent: adding a label does not add a network tag, and vice versa.
Do labels affect billing costs or reduce them?
Labels do not reduce billing costs. They are metadata. To use labels for cost attribution, you export billing data to BigQuery and then filter spending by label key and value. Labels must already be applied before billing data is exported. They do not apply retroactively to historical billing records.
Do labels affect firewall rules?
No. Labels have no effect on firewall rules or network routing. That is what network tags do. A network tag on a Compute Engine VM tells GCP which firewall rules apply to it. Labels and network tags are completely separate systems.
When should I use Resource Manager tags?
Resource Manager tags are designed for large organisations that need to enforce governance policies or IAM conditions based on resource attributes. For most teams and beginners, labels and network tags are sufficient. Start with labels for organisation and billing, and revisit Resource Manager tags when you need policy enforcement at scale.