The article below from is a great collection of insights from some of the practitioners in the microsegmentation space, and its advice generally makes a lot of sense.

What strikes me every time is that we as networkers, architects and security people still often rely on an identifier for a workload that we know may change in the future (and that future may be very short when you think of containers or VMs).

By decoupling segmentation from the network architecture you can abstract the IP address away as the identifier for the workload and instead use meaningful metadata to define, write and enforce policy for your application.

The operational effort that used to go into maintaining policy tied to IP addresses can instead be spent on writing good, meaningful policy rather than on understanding and maintaining lists of addresses. Humans can understand the policy because it uses readable names instead of a 4-byte identifier. Incident response handlers get context alongside connection logs and can assess an incident much quicker. Scaling up to more workloads does not require rewriting the policy: you have more of the same thing, and more of the same thing is protected automatically by the metadata-driven policy. Automation only becomes possible with metadata, and then you can finally start to tackle security automation.
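To make the two preceding paragraphs concrete, here is a small label-driven policy evaluator. It is an added illustration and not code from the post or from any product the post refers to; the workload inventory, labels, rule and log line are constructed. Policy selects workloads by labels (`app`, `env`, `role`) and never mentions an IP, so a new replica with the same labels is covered without a rule change, a workload that is re-addressed keeps its policy, and a deny log line can be enriched with workload names and labels for the incident handler.

```python
"""Label-driven segmentation policy evaluated on workload metadata, not IPs.
Added example; inventory, labels and the sample log line are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

Labels = Dict[str, str]


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str          # changes on reschedule/restart; never referenced by policy
    labels: Labels   # what the policy actually binds to


@dataclass(frozen=True)
class Rule:
    src: Labels      # label selector for the initiating workload
    dst: Labels      # label selector for the receiving workload
    port: int


def selects(selector: Labels, labels: Labels) -> bool:
    """A selector matches when every key/value it names is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def is_allowed(src: Workload, dst: Workload, port: int, rules: List[Rule]) -> bool:
    """Default deny: a flow passes only if some rule selects both ends and the port."""
    return any(
        selects(r.src, src.labels) and selects(r.dst, dst.labels) and r.port == port
        for r in rules
    )


def by_ip(inventory: List[Workload], ip: str) -> Optional[Workload]:
    """Resolve an observed IP to the workload holding it at lookup time."""
    return next((w for w in inventory if w.ip == ip), None)


def enrich(log_line: str, inventory: List[Workload]) -> str:
    """Rewrite a 'src=IP dst=IP dport=N action=X' line with workload names and
    labels, which is the context a handler wants instead of bare addresses."""
    fields = dict(kv.split("=", 1) for kv in log_line.split())

    def describe(ip: str) -> str:
        w = by_ip(inventory, ip)
        if w is None:
            return f"{ip} (unknown workload)"
        tags = ",".join(f"{k}={v}" for k, v in sorted(w.labels.items()))
        return f"{w.name} [{tags}]"

    return (f"{describe(fields['src'])} -> {describe(fields['dst'])} "
            f"port {fields['dport']} {fields['action']}")


# Constructed inventory and policy (hypothetical 'shop' application).
PROD_WEB = {"app": "shop", "env": "prod", "role": "web"}
PROD_DB = {"app": "shop", "env": "prod", "role": "db"}

RULES = [Rule(src=PROD_WEB, dst=PROD_DB, port=5432)]

INVENTORY = [
    Workload("web-1", "10.0.1.10", PROD_WEB),
    Workload("db-1", "10.0.2.10", PROD_DB),
    Workload("web-dev-1", "10.0.9.10", {"app": "shop", "env": "dev", "role": "web"}),
]


def scenario() -> dict:
    """Walk through the claims made in the text and return each outcome."""
    web, db, dev = INVENTORY
    results = {
        "web_to_db_5432": is_allowed(web, db, 5432, RULES),   # intended flow
        "web_to_db_22": is_allowed(web, db, 22, RULES),       # wrong port, denied
        "dev_to_prod_db": is_allowed(dev, db, 5432, RULES),   # env mismatch, denied
    }
    # Scale out: a new web replica with the same labels needs no new rule.
    web2 = Workload("web-2", "10.0.1.11", PROD_WEB)
    results["new_replica_covered"] = is_allowed(web2, db, 5432, RULES)
    # Re-IP: the database is rescheduled to a new address; policy is untouched.
    db_moved = replace(db, ip="10.0.2.77")
    results["after_reip"] = is_allowed(web, db_moved, 5432, RULES)
    # Incident context: a raw deny line becomes readable.
    results["enriched"] = enrich(
        "src=10.0.1.10 dst=10.0.2.10 dport=22 action=deny", INVENTORY)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `by_ip` lookup is the only place an address appears, and it is consulted at log-enrichment time rather than at policy-authoring time; in a real deployment that mapping comes from the orchestrator or inventory system and must be kept current, which is exactly the churn the policy itself no longer has to absorb.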

Learn to love metadata.