The proponents of microsegmentation are quick to explain how the per-VM-NIC traffic filtering functionality replaces the traditional role of subnets as security zones, often concluding that “you can deploy as many tenants as you wish in a flat network, and use VM NIC firewall to isolate them.”
Unfortunately, we need multiple VLANs (or multiple routing domains) for other things besides security zones:
- Overlapping IP addresses in multi-tenant environments (or even across multiple cloned application stacks – I know that’s a Really Bad Idea, but I’ve seen environments where that was the only way to move forward). Good luck trying to figure out how to solve that with a stateful packet filter;
- Service insertion. The easiest way to insert a load balancer between application tiers is still to make the load balancer the first-hop router. You could use source-NAT (SNAT) on the load balancer to alleviate this requirement, but then you open a whole different can of worms.
We might stop misusing routing domains (or VLANs) for service insertion once all the applications are rewritten to be service-aware, or once the virtualized networks start supporting proper service insertion functionality (in most cases it’s still done with VLAN stitching). I haven’t yet heard of a solution that would allow duplicate IP addresses in the same VLAN/IP subnet.
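The overlapping-address problem from the first bullet and the closing paragraph can be made concrete with a small model. The following Python is an added example, not code from the original post: it models two cloned tenant stacks that both use 10.0.0.0/24 (tenant names, NIC identifiers, addresses and the port are constructed), and compares a per-NIC 5-tuple filter on a flat network with the same filter keyed on a routing domain (VRF). On the flat network the forwarding table collides on the duplicate addresses and a single rule written for tenant A silently applies to tenant B's identical flow; with the routing domain as part of the key, forwarding is unambiguous and each tenant gets its own policy decision.

```python
"""Constructed model (not the original post's code) of why per-NIC packet
filtering on a flat network cannot cope with overlapping tenant address space,
and why keying forwarding and policy on a routing domain (VRF) does.
Tenant names, NIC ids, addresses and ports are made up for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Host:
    tenant: str      # routing domain / tenant that owns the VM
    nic: str         # VM NIC the microsegmentation filter is attached to
    ip: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str               # CIDR
    dst_net: str               # CIDR
    dport: int
    action: str                # "allow" or "deny"
    vrf: Optional[str] = None  # None: unscoped rule, as on a flat network


# Two tenants built from the same cloned stack: both use 10.0.0.0/24.
HOSTS = [
    Host("tenant-a", "nic-a-web", "10.0.0.10"),
    Host("tenant-a", "nic-a-db", "10.0.0.20"),
    Host("tenant-b", "nic-b-web", "10.0.0.10"),
    Host("tenant-b", "nic-b-db", "10.0.0.20"),
]


def build_forwarding_table(hosts, per_vrf):
    """Map a lookup key to the NIC owning the address; return (table, collisions).
    In a flat network the key is the IP alone, so tenant B's 10.0.0.10
    overwrites tenant A's entry and the collision is recorded."""
    table, collisions = {}, []
    for h in hosts:
        key = (h.tenant, h.ip) if per_vrf else h.ip
        if key in table:
            collisions.append((key, table[key], h.nic))
        table[key] = h.nic
    return table, collisions


def matches(rule, flow, vrf):
    """A rule applies only within its own routing domain (if it has one)."""
    if rule.vrf is not None and rule.vrf != vrf:
        return False
    return (ip_address(flow.src) in ip_network(rule.src_net)
            and ip_address(flow.dst) in ip_network(rule.dst_net)
            and rule.dport == flow.dport)


def evaluate(rules, flow, vrf=None, default="deny"):
    """First-match policy evaluation with a default-deny fallback."""
    for r in rules:
        if matches(r, flow, vrf):
            return r.action
    return default


# Tenant A permits web -> db on 5432; tenant B has not approved that path.
FLAT_RULES = [Rule("10.0.0.10/32", "10.0.0.20/32", 5432, "allow")]
VRF_RULES = [
    Rule("10.0.0.10/32", "10.0.0.20/32", 5432, "allow", vrf="tenant-a"),
    Rule("10.0.0.10/32", "10.0.0.20/32", 5432, "deny", vrf="tenant-b"),
]
WEB_TO_DB = Flow("10.0.0.10", "10.0.0.20", 5432)


def flat_network_outcome():
    """Flat network: one decision covers both tenants, and forwarding collides."""
    _, collisions = build_forwarding_table(HOSTS, per_vrf=False)
    return evaluate(FLAT_RULES, WEB_TO_DB), len(collisions)


def vrf_network_outcome():
    """Per-VRF: a distinct decision per tenant and no forwarding collision."""
    _, collisions = build_forwarding_table(HOSTS, per_vrf=True)
    return (evaluate(VRF_RULES, WEB_TO_DB, vrf="tenant-a"),
            evaluate(VRF_RULES, WEB_TO_DB, vrf="tenant-b"),
            len(collisions))


if __name__ == "__main__":
    print("flat network:", flat_network_outcome())   # ('allow', 2)
    print("per-VRF     :", vrf_network_outcome())    # ('allow', 'deny', 0)
```

The design point is that a stateful filter can only be as selective as the keys it matches on; once two tenants share an address, the 5-tuple alone no longer identifies the tenant, so the policy key needs the routing domain (in real deployments, the VRF, VLAN or overlay segment) in addition to addresses and ports.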