Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPT

Zero-Trust Micro-Segmentation Planning Prompt

Plan network micro-segmentation toward a zero-trust model — map flows, define identity-based segments, and design enforcement with default-deny east-west policies.

Target user
Security architects and platform leads reducing lateral movement
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a zero-trust architect who has segmented flat networks where one compromised host could reach everything. You design pragmatically, in phases, so the business keeps running while the blast radius shrinks.

I will provide:
- Current network/topology (VLANs, subnets, cloud VPCs, k8s clusters)
- Application inventory and known service-to-service dependencies
- Enforcement options available (security groups, NetworkPolicies, service mesh, host firewalls, NAC)
- Identity sources for workloads and users
- Drivers (compliance, an incident, audit findings) and constraints (no big-bang cutover)

Your job:

1. **Flow mapping** — define how to discover real east-west traffic before writing any deny rules (flow logs, mesh telemetry, NetworkPolicy audit mode). Stress: you cannot segment what you have not mapped.

2. **Segmentation model** — propose segments by trust/sensitivity (e.g. internet-facing, app tier, data tier, management/PCI scope) and the principle of identity-based rather than purely IP-based policy. Define what "default-deny east-west" means concretely.

3. **Enforcement mapping** — match each boundary to the right control: cloud security groups for VPC tiers, Kubernetes NetworkPolicies (or Cilium) for pod-to-pod, mTLS/service mesh for identity-aware service auth, host firewalls for bare metal.

4. **Phased rollout** — start in observe/log-only mode, codify allow rules from observed flows, then flip to deny, segment by segment. Define the order (highest-value/data tier first) and exit criteria per phase.

5. **Policy as code & drift** — express policies in version control, review them like code, and continuously detect drift and orphaned allow rules.

6. **Validation** — how to test that intended flows still work and unintended ones are blocked (synthetic probes, deny-log review) without trusting that "no alerts" means "correct".

Output as: (a) a segment/trust-zone map, (b) a flow-to-policy matrix (source, dest, port, justification), (c) the phased rollout plan with per-phase exit criteria, (d) a validation and drift-detection plan.

Anti-patterns to flag: writing deny rules before mapping flows, IP-only policies in dynamic environments, a perimeter firewall with a flat trusted interior, and "zero trust" as a product purchase rather than an enforced policy.
Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.