Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

Create namespaces

About creating Microsegmentation namespaces

TIP

Before proceeding, we recommend reviewing basic Microsegmentation namespace concepts.


You have one parent namespace, represented by your Prisma ID, an eighteen-character string of integers. For example: /826920578209172635. You also have a child namespace for each cloud account you've onboarded to Prisma Cloud. These bear the friendly name of your cloud account, as well as its ID. For example: /aws-dev-826088932159. You may need to manually create child namespaces if:
  • You have cloud accounts that you did not onboard to Prisma Cloud.
  • You are hosting your own infrastructure or have on-premise workloads.

To create children namespaces, you must have namespace editor privileges in the parent namespace. Once you have your children namespaces created, you must create grandchildren namespaces before deploying your enforcers. After an enforcer has registered in a namespace, you can’t move it to another namespace. You have to uninstall and reinstall the enforcer to switch namespaces.

/826920578209172635 DaemonSet host /826920578209172635 /k8s-cluster /aws-dev-826088932159 /826920578209172635 /aws-dev-826088932159 /826920578209172635 /aws-prod-826088932159 /826920578209172635 /vm /aws-dev-826088932159 /826920578209172635 /k8s-cluster /aws-prod-826088932159 /826920578209172635 /vm /aws-prod-826088932159 create me! create me! create me! create me! enforcer enforcer

Create one grandchild namespace for each Kubernetes/OpenShift cluster. You should not have multiple Kubernetes/OpenShift clusters in a single Microsegmentation namespace. For the virtual machines, you can create one namespace per host, or group them together as desired.

You can use the Network Security section of the Prisma Cloud web interface to create your namespaces. Alternatively, you can use apoctl to create them, as described below.

Set environment variables

Copy your parent namespace from the web interface, as shown below.

Copy tenant namespace

Set a PARENT environment variable and paste in the value you copied.

export PARENT=/803920923337065472

If you have children namespaces that already exist, create CHILD environment variables containing their names. In the example below, we use aws-dev-826088932159 and aws-prod-826088932159.

export CHILD1=aws-dev-826088932159
export CHILD2=aws-prod-826088932159

Create child namespaces

Set CHILD environment variables containing the desired names for the children namespaces.

export CHILD3=my-private-cloud
export CHILD4=bare-metal-infra

Use the following command to create the first child namespace.

cat <<EOF | apoctl api create namespace -n $PARENT -f -
name: $CHILD3
type: CloudAccount
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF

Next, create the second child namespace.

cat <<EOF | apoctl api create namespace -n $PARENT -f -
name: $CHILD4
type: CloudAccount
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF

Confirm the creation.

apoctl api list namespace -n $PARENT --output yaml

Repeat these steps to add other children as needed.

Create grandchild namespaces

Create environment variables containing the desired names for your grandchild namespaces. An example follows.

export GRANDCHILD1=k8s
export GRANDCHILD2=vm

Use the following command to create the first grandchild namespace under aws-dev-826088932159.

cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD1 -f -
name: $GRANDCHILD1
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF

Next, create the second grandchild namespace under aws-dev-826088932159.

cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD1 -f -
name: $GRANDCHILD2
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF

Confirm the creation.

apoctl api list namespace -n $PARENT/$CHILD1 --output yaml

Now create the first grandchild namespace under aws-prod-826088932159.

cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD2 -f -
name: $GRANDCHILD1
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF

Create the second grandchild namespace under aws-prod-826088932159.

cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD2 -f -
name: $GRANDCHILD2
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF

Confirm the creation.

apoctl api list namespace -n $PARENT/$CHILD2 --output yaml

Repeat these steps to add other grandchildren, as desired. You should now have a basic namespace structure and can proceed to deploy enforcers.