Traditional security has relied on edge filters for ages. I realize today there are solutions for microsegmentation (NSX-T, Illumio, Edgewise, etc.), but they are too new, don't support every OS, or have whatever other limitations prevent them from becoming de facto, and so we still operate edge firewalls (edge meaning on the VRF edge, not necessarily on the trusted network edge like an Internet-connected firewall).
We discourage firewall policies that are based on a host IP in favor of policies that are based on a subnet address, which by its very nature means we dedicate subnets to a particular purpose. We also discourage crossing the boundary of the VRF in the first place through the perimeter firewall. Instead we encourage standing up a load balancer that is multi-homed into 2 or more VRFs. I suppose it is very similar to AWS load balancers, where they expose workloads in the VPC (one VRF) to the Internet (another VRF).
The main idea here is that we want to enable horizontal scalability of throughput capacity between VRFs, and routing everything through an edge firewall is the opposite of that (a single firewall being the bottleneck for throughput and a SPOF). What do other folks do around perimeter transit capacity, balancing that out with security?
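The two design rules in the post (no host-based rules, and no cross-VRF permits through the edge firewall unless the destination is a multi-homed load balancer VIP) can be checked mechanically before a policy is pushed. The following is an added example, not code from the original post: it lints a list of rules against a VRF address plan. The rule format, the VRF prefixes, the LB VIP range and the sample policy are all constructed assumptions for illustration.

```python
"""Lint a firewall policy list against two design rules:
  1. rules should be scoped to purpose subnets, not host (/32, /128) addresses;
  2. cross-VRF permits should land on a multi-homed load balancer VIP,
     not pass directly through the VRF-edge firewall.
Added example; VRF plan, VIP range, rule format and sample policy are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed VRF address plan: which prefixes belong to which VRF.
VRF_PREFIXES = {
    "prod": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz":  [ipaddress.ip_network("10.20.0.0/16")],
    "corp": [ipaddress.ip_network("10.30.0.0/16")],
}

# Constructed VIP range of the load balancer that is multi-homed across VRFs.
LB_VIPS = [ipaddress.ip_network("10.20.100.0/24")]

HOST_PREFIX_LEN = {4: 32, 6: 128}


@dataclass(frozen=True)
class Rule:
    """A minimal rule shape (hypothetical): name, source prefix, destination prefix, action."""
    name: str
    src: str
    dst: str
    action: str


def _net(value):
    """Accept a prefix string or an ip_network object and return an ip_network."""
    return ipaddress.ip_network(value, strict=False)


def _contained(net, prefixes):
    """True if net lies inside any prefix of the same IP version."""
    return any(net.version == p.version and net.subnet_of(p) for p in prefixes)


def vrf_of(value):
    """Return the VRF name whose plan contains the prefix, or None if unknown."""
    net = _net(value)
    for vrf, prefixes in VRF_PREFIXES.items():
        if _contained(net, prefixes):
            return vrf
    return None


def lint_rule(rule):
    """Return a list of human-readable findings for one rule (empty if clean)."""
    findings = []
    src, dst = _net(rule.src), _net(rule.dst)

    # Rule 1: host-scoped addresses on either side.
    for label, net in (("src", src), ("dst", dst)):
        if net.prefixlen == HOST_PREFIX_LEN[net.version]:
            findings.append(
                f"{rule.name}: {label} {net} is a host address; use the purpose subnet")

    # Rule 2 only applies to permits; a deny across VRFs is fine.
    if rule.action.lower() != "permit":
        return findings
    src_vrf, dst_vrf = vrf_of(src), vrf_of(dst)
    if src_vrf and dst_vrf and src_vrf != dst_vrf and not _contained(dst, LB_VIPS):
        findings.append(
            f"{rule.name}: permits {src_vrf}->{dst_vrf} directly through the edge "
            f"firewall; front the workload with a multi-homed LB VIP instead")
    return findings


def lint_policy(rules):
    """Lint every rule and return all findings in policy order."""
    out = []
    for rule in rules:
        out.extend(lint_rule(rule))
    return out


# Constructed sample policy exercising each case.
SAMPLE_POLICY = [
    Rule("web-to-db",   "10.20.1.0/24",  "10.10.5.0/24",    "permit"),  # cross-VRF, no VIP
    Rule("admin-host",  "10.30.0.15/32", "10.10.0.0/16",    "permit"),  # host src + cross-VRF
    Rule("corp-to-vip", "10.30.0.0/16",  "10.20.100.0/24",  "permit"),  # lands on LB VIP: clean
    Rule("intra-prod",  "10.10.1.0/24",  "10.10.2.0/24",    "permit"),  # same VRF: clean
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Running the module prints three findings: one for `web-to-db`, two for `admin-host` (host-scoped source and a direct cross-VRF permit), and nothing for the VIP-fronted or intra-VRF rules. Wiring `lint_policy` into the change pipeline that renders the edge-firewall config is one way to keep the stated design rule from eroding one exception at a time.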