When I speak to security architects who are in the midst of a cloud migration, they often relay the challenges they have when writing firewall rules to connect servers in their internal data center to servers in the public cloud. This becomes an even bigger problem when there is more than one public cloud provider. This is primarily due to the fact that many organizations still look to secure their applications by using conventional methods such as ACLs and firewalls.

Data and applications need to be secured where they live, and in order to do that, security needs to be decoupled from the network and access must move from implicit allow to default deny. Decoupling enforcement from the actual network infrastructure achieves fine-grained policy within the compute without requiring access to anything except the workload itself – something that is available across all cloud providers.