# Perimeter Is Where Your Workload Is: Policy Abstracted from IP Addressing

By [Christer Swartz](https://www.paloaltonetworks.com/blog/author/christer-swartz/?ts=markdown "Posts by Christer Swartz"), global consulting engineer, Dec 04, 2019

[Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown) | [data center security](https://www.paloaltonetworks.com/blog/tag/data-center-security/?ts=markdown) | [Dynamic Address Groups](https://www.paloaltonetworks.com/blog/tag/dynamic-address-groups/?ts=markdown) | [Security Policy](https://www.paloaltonetworks.com/blog/tag/security-policy/?ts=markdown)

Cloud, containers and microservices are some of the disruptive technologies that have had a transformative impact on enterprise security in recent years.
In this new landscape, securing the perimeter no longer works, and IP addresses are not an efficient or reliable way to keep track of workloads that are dynamic and move in and out of the data center and cloud. When I visit customers around the world, my advice to them is, "If you are still defining security along IP addresses, your security model will quickly break."

Policy in the data center needs to be defined in a totally new way, and this idea is captured by an expression popular among network engineers: "Perimeter is where your workload is." We need to evolve away from the legacy approach to defining policy boundaries in the data center. The perimeter is no longer a network perimeter; it is a perimeter defined by metadata associated with workloads, regardless of network location.

**Traditional Approaches to Security Boundaries Are Outdated**

Security boundaries in the data center have traditionally been network centric. Firewalls were deployed along boundaries between VLANs and IP subnets, and policy was defined to state that specific VLANs could talk to each other, or that this IP subnet could communicate with that IP subnet, over some specific set of ports. The most basic trust boundary was the data center network perimeter: everything outside that network perimeter was untrusted, and everything inside it was trusted.

![This illustration conceptualizes how modern data center security has changed as data moves beyond the traditional network perimeter.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/11/blog_ngfw.gif)

This traditional approach to data center security boundaries has been used for many decades now, and it assumes that workloads remain mostly on a specific network segment and rarely migrate or change IP addresses. If they do, this approach calls for updating the firewall, which generally requires some kind of manual change-control process that is rarely executed in real time.
This is a long-since outdated model, since most workloads are now deployed either on virtual machines or on a microservices container model, which is the emerging application-architecture platform. Modern hybrid cloud architectures allow workloads to be on either side of the traditional network boundary, which means that the traditional definition of a trust boundary is no longer relevant.

A fundamental detail of this modern model is that workloads move around dynamically, live-migrating between hypervisors, hosts, data centers, or public or private clouds. These dynamic movements of workloads are orchestrated by a central controller, which decides where to migrate workloads based on resource utilization or demand. As workloads move in this way, IP addresses often change. If you are using the traditional firewall network boundary model, this means you need to touch the firewall every time such a move happens. Alternatively, you need to create rules that are so broad and wide open that they no longer provide any real security.

**Policy Should Be Defined Against Identity**

Firewalls can no longer define policy based on network location, since it is simply not scalable to modify policy every time a workload moves. Instead, policy needs to be defined against an identity that remains associated with a workload even if its IP address changes. Doing so allows firewalls to define policy against workload identity once. Then, as the data center and hybrid cloud scale out, these policies remain unchanged unless new identities need to be defined.

Almost all controllers, in both private and public cloud fabrics, are able to associate metadata, or "tags," with workloads. This is true both for host-based controllers, such as Cisco ACI and VMware NSX, and for container controllers, such as Kubernetes.
As a workload is spun up, the controller assigns a current IP address to that workload, and then it assigns a permanent tag to it, which does not change regardless of how often the workload migrates around the network. For example, one VM could be assigned a tag of "Database," another could be assigned a tag of "Web" and a third could be assigned a tag of "App." If the controller needs to migrate any of these VMs to a different network segment, the IP address may change but the tag will not. The tag is permanently associated with the workload, for the life of that workload, regardless of network location.

This tag is not a network tag, such as an MPLS tag in an Ethernet frame. It is simply a string associated with specific workloads in the controller, almost like a field in a database. The tag is the permanent identity of the workload. Think of it like a user ID for workloads.

The controller keeps a record of which IP address is currently assigned to each tagged workload - the tag being its identity - and these tag-to-IP mappings can be sent to Palo Alto Networks firewalls. This enables Palo Alto Networks firewalls to create policy that refers to tags, not to specific IP addresses. Palo Alto Networks calls these tags [Dynamic Address Groups](https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/policy/use-dynamic-address-groups-in-policy), or simply "DAGs."

This means users can create policies that look less like computer code and more like human sentences. For example, a policy might say, "Any workload tagged as Web can talk to any workload tagged as App." This is especially useful because it aligns with how users and developers usually perceive data center resources. Typical IT support tickets often open with a complaint like, "My App servers can no longer contact my Web servers." The first question the help desk will ask in response is which IP addresses and ports are being used, and usually the user will have no idea. This simply delays troubleshooting.
Better, more modern security practices will prevent this delay. If we write policy that resembles how data center resources are perceived by users, the help desk engineer can click through a tag name, see its current IP address and remediate problems much more quickly.

I strongly recommend using tagging when designing a private or hybrid cloud architecture. Tags are required in the case of VMware NSX, since NSX uses them to make forwarding decisions. Tagging is available but optional for other controllers, such as Cisco ACI and OpenStack. The APIs required to push these tag-to-IP mappings to [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown), Palo Alto Networks' security management, are included in [VM-Series on VMware NSX](https://www.paloaltonetworks.com/cloud-security/vm-series-on-vmware-nsx?ts=markdown), and they are implemented as a [Panorama plugin](https://docs.paloaltonetworks.com/compatibility-matrix/panorama/plugins.html) in the case of Cisco ACI. Configuring your controllers to send tag-to-IP mappings to Panorama means you can write policy that allows data center and hybrid cloud architectures to be deployed and scaled out without firewalls becoming an operational bottleneck.

The security perimeter is now the identity of the workload, no longer defined by the workload's location on the network. Policy is mapped to this permanent identity and is no longer limited by how the network is segmented. Remember, "Identity is the new perimeter," and Palo Alto Networks can help you [define policy against identity](https://www.paloaltonetworks.com/resources/videos/automating-security-for-dynamic-workloads?ts=markdown).
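The identity-based policy model described in the two sections above (a controller-maintained tag-to-IP mapping, with firewall rules written against tags), as an added example that is not part of the original post and is not a Palo Alto Networks or controller API: a small Python simulation that evaluates the "Web can talk to App" rule both as a tag rule and as a literal IP rule, live-migrates the Web workload to a new address, and shows that only the IP rule breaks, while the vacated address loses the Web identity. `TagRegistry`, `TagRule` and the 10.x addresses are hypothetical names and constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class TagRegistry:
    """Hypothetical model of the controller's tag-to-IP table as pushed to the
    firewall: tags are the workload's identity, IP addresses are transient."""
    ip_to_tags: dict = field(default_factory=dict)

    def register(self, ip, tags):
        self.ip_to_tags[ip] = frozenset(tags)

    def unregister(self, ip):
        # Must run when a workload leaves an IP; otherwise the next tenant of
        # that address would silently inherit the old workload's identity.
        self.ip_to_tags.pop(ip, None)

    def migrate(self, old_ip, new_ip):
        # Live migration: the IP changes, the identity (tags) follows.
        tags = self.tags_of(old_ip)
        self.unregister(old_ip)
        self.register(new_ip, tags)

    def tags_of(self, ip):
        return self.ip_to_tags.get(ip, frozenset())

    def ips_with_tag(self, tag):
        # Help-desk view: which addresses currently carry this identity?
        return {ip for ip, tags in self.ip_to_tags.items() if tag in tags}

@dataclass(frozen=True)
class TagRule:
    src_tag: str
    dst_tag: str
    port: int

def allowed_by_tags(rules, registry, src_ip, dst_ip, port):
    """Identity-based policy: default deny; allow only when a rule matches the
    current tags of both endpoints. An unmapped IP has no tags, so it is denied."""
    src, dst = registry.tags_of(src_ip), registry.tags_of(dst_ip)
    return any(r.src_tag in src and r.dst_tag in dst and r.port == port
               for r in rules)

def allowed_by_ips(rules, src_ip, dst_ip, port):
    """Legacy model: rules are literal (src_ip, dst_ip, port) tuples."""
    return (src_ip, dst_ip, port) in rules

def migration_demo():
    """Check the Web -> App flow under both models, before and after the Web
    workload migrates; returns (before, after, registry) with (tag, ip) verdicts."""
    reg = TagRegistry()
    reg.register("10.1.1.10", {"Web"})  # constructed sample addresses
    reg.register("10.2.2.20", {"App"})
    tag_rules = [TagRule("Web", "App", 8080)]  # "Web can talk to App"
    ip_rules = {("10.1.1.10", "10.2.2.20", 8080)}  # same intent, pinned to IPs
    before = (allowed_by_tags(tag_rules, reg, "10.1.1.10", "10.2.2.20", 8080),
              allowed_by_ips(ip_rules, "10.1.1.10", "10.2.2.20", 8080))
    reg.migrate("10.1.1.10", "10.3.3.30")  # the controller moves the Web VM
    after = (allowed_by_tags(tag_rules, reg, "10.3.3.30", "10.2.2.20", 8080),
             allowed_by_ips(ip_rules, "10.3.3.30", "10.2.2.20", 8080))
    return before, after, reg
```

The `unregister` step is the operational caveat: a controller that only adds the new mapping and never withdraws the old one leaves the vacated address carrying the old identity for whichever workload lands there next.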
*For more on data center security, see Christer Swartz's piece on "[Protecting Data Center Interconnect Links](https://www.paloaltonetworks.com/blog/2019/10/network-data-center-interconnect-links/?ts=markdown)."*