Tags and identity
Each object in Microsegmentation has a set of key-value pairs that describe its attributes. We call these tags. Tags allow you to identify users and workloads to determine whether they should be allowed to access resources and communicate.
Microsegmentation populates the values of tags from various sources, such as hosts, cloud providers, and the Microsegmentation Console.
You can also add tags manually using the Network Security section of the Prisma Cloud web interface, from the command line with
apoctl, or a Microsegmentation Console API call.
The following diagram shows an example Microsegmentation tag.
Each Microsegmentation tag has at a minimum a key and a value, separated by an equals sign. The key portion of the tag may also include the following symbols.
- It may begin with either a
@symbol identifies the tag as consisting of metadata, populated by the Microsegmentation Console at the time that the object is created. The
$symbol identifies a tag based on attributes of the object. Tags without these symbols are generated manually by users like yourself.
- For more complex keys, consisting of several parts, a colon is used as a delimiter.
You can link tags together with
OR operators to form tag expressions.
For example, you can create an expression like:
(size=big and color=blue) or (size=small and color=red) or (type=admin)
Microsegmentation represents this information in a two-dimensional array, where:
- The first dimension is
- The second dimension is
The above expression is then represented by:
[ ["size=big", "color=blue"], ["size=small", "color=red"], ["type=admin"], ]
The web interface provides graphical controls to help you build these expressions easily.
We recommend resisting the temptation to add a large number of tags. Too many tags can cause confusion.
For example, if you deploy a three-tier application, you may only need:
In turn, you can create a network ruleset that will allow:
- allow from
app=myapp and role=frontend and env=productionto
app=myapp and role=backend and env=production
- allow from
app=myapp and role=backend and env=productionto
app=myapp and role=database and env=production