Why it matters
Segmentation limits which paths are intended to exist between workloads, users, services, and administrative systems. VLANs and subnets separate broadcast or routing domains; firewall policy, VRFs, host controls, identity-aware access, cloud security groups, and application controls can add enforcement at different points.
What it can and cannot do
A separate VLAN is not, by itself, a security boundary. Routing, shared services, host agents, cloud identities, and broad policy can reconnect zones. Microsegmentation narrows east-west communication around workloads or identities, but it still needs accurate service dependencies, exception ownership, and observable enforcement.
Migration workflow
- Inventory current traffic and classify business, management, guest, IoT, and application dependencies.
- Define a small initial policy: source, destination, service, direction, owner, and expected evidence.
- Introduce monitoring or staged enforcement for one bounded group before changing a flat network broadly.
- Validate permitted flows, expected denials, DNS, time, update, backup, and administrative paths.
- Document exceptions with approver, scope, expiry, review date, and rollback condition.
Planning checklist
- Which flows are required for the service to start, authenticate, update, and recover?
- Where do routing and security policy interact?
- Are guest and IoT paths isolated from management by more than addressing?
- Can the team distinguish a policy denial from a routing or application failure?
Common mistakes
Do not copy a broad allow rule into every new segment, use any-to-any as a permanent migration shortcut, or assume a successful ping validates an application. A policy may allow ICMP while DNS, TLS, identity, or backend dependencies remain unavailable.
Fictional example
A clinic separates imaging devices into a dedicated subnet. During validation, the team finds a shared update proxy and a remote support path still cross into a general administration network. They record those flows, assign owners, and decide whether each needs a narrower policy or a separate service path.
Related Vuln Signal content
Use Subnet Calculator for planning arithmetic, CIDR and IP Range for address context, Network Learn, and professional DNS practice.