@SecurityWriter I have to say, this is one area where cloud deployments can easily enable much tighter security. AWS/Azure/GCP make it easy to build rules at the NIC level, and tools like security groups (AWS) and application security groups (Azure) let you separate services from IPs to make management easier. You can enforce all this with tools like Terraform, which allows audits of config changes through git, which is nice.
It’s certainly possible to do per-NIC-level firewall rules on-prem, but it’s expensive and tedious. In practice the best I’ve seen are highly segmented networks, with the app servers in one subnet/VLAN and the DBs in another, supporting services in another, etc. I’ve even deployed a separate physical network for management interfaces. But hosts were still grouped and could see hosts in the same group.
The ease of cloud security just makes it all the more shameful to see flat networks in the cloud.
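As an added illustration of the pattern the comment describes (security groups that reference each other rather than IP ranges, managed in Terraform so every change shows up in git), here is a minimal AWS example. It is not code from the commenter or from any project; the resource names, the `vpc_id` variable and the PostgreSQL port are assumptions.

```hcl
# Added example (not from the original comment): two AWS security groups where
# the DB tier admits traffic only from the app tier's security group, and the
# app tier's outbound is scoped to the DB tier. No CIDRs appear anywhere, so a
# host's reachability follows from its group membership, not its address.

variable "vpc_id" {
  description = "VPC the tiers live in (assumed to be supplied by the caller)"
  type        = string
}

resource "aws_security_group" "app" {
  name        = "app-tier"
  description = "App servers: outbound only to the DB tier"
  vpc_id      = var.vpc_id
  # No inline egress block: the AWS provider then removes the default
  # allow-all egress rule, so outbound is deny-by-default until rules are added.
}

resource "aws_security_group" "db" {
  name        = "db-tier"
  description = "DB servers: inbound only from the app tier"
  vpc_id      = var.vpc_id
}

# DB side: accept PostgreSQL only when the source is the app security group.
resource "aws_security_group_rule" "db_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}

# App side: the matching egress rule. For egress rules the provider treats
# source_security_group_id as the destination group.
resource "aws_security_group_rule" "app_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.app.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.db.id
}
```

Because the app group starts with no outbound rules, anything else the app servers legitimately need (DNS, package mirrors, a metrics endpoint) has to be added as an explicit rule, and each addition lands in the repository history where it can be reviewed. A `terraform plan` on a pull request that widens `db_from_app` to a `cidr_blocks` entry is the kind of change that is easy to spot in review and hard to notice on a hand-managed firewall.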