The article below from DarkReading.com is a great collection of views from some of the practitioners in the microsegmentation space and generally has good advice that makes a lot of sense.
What strikes me every time is that we as networkers, architects and security people often still rely on an identifier for a workload that we know might change in the future (and that future may be very short when you think of something like containers or VMs).
By decoupling segmentation from the network architecture you can abstract the IP address away as the identifier for the workload and use meaningful metadata to define, write and enforce policy for your application.
The operational overhead of maintaining policy that is tied to IP addresses can then be spent on writing good and meaningful policy instead of on understanding and maintaining lists of IP addresses. Humans can understand the policy because it uses readable names instead of a 4 byte identifier. Incident response handlers get context alongside their connection logs and can assess an incident much quicker. Scaling up to more workloads does not require you to rewrite the policy: you get more of the same thing, and more of the same thing is protected automatically by the metadata driven policy. Automation only becomes possible by using metadata, and with it you can finally start to tackle security automation.
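To make the argument concrete, here is a small label-driven policy evaluator written for this post; it is an added example, not code from the DarkReading article or from any product. The inventory (a hypothetical "shop" application with private addresses), the labels `app`/`tier`/`env` and the log line format `src=IP dst=IP port=N` are all constructed. It shows three of the points above: a rule written against labels instead of addresses, a new workload that is covered the moment it carries the right labels (while the address-based copy of the same rule needs an edit), and a connection log enriched with workload names so a responder does not have to resolve addresses by hand.

```python
"""Toy label-driven microsegmentation policy (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

Labels = Dict[str, str]


@dataclass
class Workload:
    name: str
    ip: str            # changes whenever the VM/container is rescheduled
    labels: Labels     # stable metadata, e.g. app, tier, env


@dataclass
class Rule:
    src: Labels                # label selector: every key/value must be present
    dst: Labels
    ports: FrozenSet[int]
    action: str = "allow"      # this toy engine only carries allow rules


def selector_matches(selector: Labels, labels: Labels) -> bool:
    """A selector matches when each of its key/value pairs is found in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(policy: List[Rule], src: Workload, dst: Workload, port: int) -> str:
    """Default deny: 'allow' only if some rule matches both endpoints and the port."""
    for rule in policy:
        if (selector_matches(rule.src, src.labels)
                and selector_matches(rule.dst, dst.labels)
                and port in rule.ports):
            return rule.action
    return "deny"


def lookup_by_ip(inventory: List[Workload], ip: str) -> Optional[Workload]:
    """Map an address seen in a log back to the workload that currently holds it."""
    return next((w for w in inventory if w.ip == ip), None)


def enrich_log(inventory: List[Workload], policy: List[Rule], line: str) -> dict:
    """Turn 'src=IP dst=IP port=N' into a record with names, labels and verdict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    src = lookup_by_ip(inventory, fields["src"])
    dst = lookup_by_ip(inventory, fields["dst"])
    port = int(fields["port"])
    if src is None or dst is None:
        return {"raw": line, "decision": "deny", "reason": "unknown workload"}
    return {
        "src": f"{src.name} ({src.labels['app']}/{src.labels['tier']})",
        "dst": f"{dst.name} ({dst.labels['app']}/{dst.labels['tier']})",
        "port": port,
        "decision": evaluate(policy, src, dst, port),
    }


# Constructed inventory and policy for a hypothetical "shop" application.
INVENTORY = [
    Workload("web-01", "10.0.1.5", {"app": "shop", "tier": "web", "env": "prod"}),
    Workload("db-01",  "10.0.2.9", {"app": "shop", "tier": "db",  "env": "prod"}),
]

POLICY = [
    Rule(src={"app": "shop", "tier": "web"},
         dst={"app": "shop", "tier": "db"},
         ports=frozenset({5432})),
]

# The same intent written against addresses: one tuple per allowed flow.
IP_POLICY = {("10.0.1.5", "10.0.2.9", 5432)}


def scale_out(inventory: List[Workload], name: str, ip: str, labels: Labels) -> Workload:
    """Add a workload; the label policy needs no edit, the address list would."""
    w = Workload(name, ip, dict(labels))
    inventory.append(w)
    return w


def ip_policy_covers(src_ip: str, dst_ip: str, port: int) -> bool:
    return (src_ip, dst_ip, port) in IP_POLICY


if __name__ == "__main__":
    web02 = scale_out(INVENTORY, "web-02", "10.0.1.6", INVENTORY[0].labels)
    db = INVENTORY[1]
    print(evaluate(POLICY, web02, db, 5432))         # allow: labels matched
    print(ip_policy_covers(web02.ip, db.ip, 5432))   # False: address list is stale
    print(enrich_log(INVENTORY, POLICY, "src=10.0.2.9 dst=10.0.1.5 port=22"))
```

The interesting case is the reverse direction and the unknown address: the evaluator denies db-to-web on port 22 because no rule selects that pair, and a source address that maps to no inventory entry is denied and flagged, which is exactly the situation a stale IP list would silently get wrong.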
Learn to love metadata.
"Avoid an approach to microsegmentation that relies on network topology and addresses, such as using VLANs and restricting communications through firewalls and access-control lists. The administrative overhead of implementing and maintaining the configuration changes needed can be large, and these address-based approaches are still not secure. For example, addresses cannot be authenticated nor are they extensible to cloud environments."