Network Microsegmentation

• [](/)
• Guides
• Advanced Networking
• Network Microsegmentation

On this page

Create a network for each role​

Devices can join multiple networks at once. Networks are free on my.zerotier.com. Each network can have its own Network Flow Rules. "Network A allows only RDP traffic." for example.

Pros​

• Easy
• Automatic authorization of nodes with SSO/OIDC

Cons​

• Multiple sets of subnets, IP addresses, etc… to maintain. Can be automated with Terraform.
• Mobile devices can connect to only 1 network at a time

Summary​

• Create a ZeroTier network for each role: Red, Green, and Blue. Or: Sales, HR, IT. Or: Dev, Prod, Staging. Or: Customer A, Customer B
• Join shared resources to multiple networks
• Join users to the networks they need access to

ZeroTier Network Flow Rules​

Tag network members with roles.

Pros​

• Fine grained, low-level access control
• One network config and set of members to maintain

Cons​

• Tricky to build rule sets
• Rules not integrated with OIDC yet

Summary​

• Create a network
• Use the Flow Rules to segment the network

Here is the simplest possible ZeroTier Flow Rules example. More complex rules can be mixed in with these. See the docs or contact us for help.

Replace the default rules with:

undefined tag role id 1 default 0 flag 0 red flag 1 green flag 2 blue;drop tand role 0;accept;

Devices will be able to talk only if they have at least one overlapping role. The tagging system is based on bitwise math, which we won't try to explain here. Basically: Rename "red" "green" and "blue" with your real role names. Add more roles by adding flags in increasing order: flag 3 yellow, flag 4 indigo

After saving a rule set with tags. A tag interface appears below:

Updated on: 12/07/2024