Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

Tags and identity

Basics

Each object in Microsegmentation has a set of key-value pairs that describe its attributes. We call these tags. Tags allow you to identify users and workloads to determine whether they should be allowed to access resources and communicate.

Microsegmentation populates the values of tags from various sources, such as hosts, cloud providers, and the Microsegmentation Console. You can also add tags manually using the Network Security section of the Prisma Cloud web interface, from the command line with apoctl, or a Microsegmentation Console API call.

Tag syntax

The following diagram shows an example Microsegmentation tag.

Each Microsegmentation tag has at a minimum a key and a value, separated by an equals sign. The key portion of the tag may also include the following symbols.

  • It may begin with either a @ or a $ character. The @symbol identifies the tag as consisting of metadata, populated by the Microsegmentation Console at the time that the object is created. The $ symbol identifies a tag based on attributes of the object. Tags without these symbols are generated manually by users like yourself.
  • For more complex keys, consisting of several parts, a colon is used as a delimiter.

Tag expressions

You can link tags together with AND or OR operators to form tag expressions.

For example, you can create an expression like:

(size=big and color=blue) or (size=small and color=red) or (type=admin)

Microsegmentation represents this information in a two-dimensional array, where:

  • The first dimension is OR s
  • The second dimension is AND s

The above expression is then represented by:

[
  ["size=big", "color=blue"],
  ["size=small", "color=red"],
  ["type=admin"],
]

The web interface provides graphical controls to help you build these expressions easily.

Best practices

We recommend resisting the temptation to add a large number of tags. Too many tags can cause confusion.

For example, if you deploy a three-tier application, you may only need:

  • app=myapp
  • role=frontend, role=backend, role=database
  • env=production

In turn, you can create a network ruleset that will allow:

  • allow from app=myapp and role=frontend and env=production to app=myapp and role=backend and env=production
  • allow from app=myapp and role=backend and env=production to app=myapp and role=database and env=production