This blog post is related to my research into segmentation. More specifically, what the differences are between macro- and microsegmentation, and the levels of granularity in between, which I call mesosegmentation.

The goal is to specifically define levels between macro- and microsegmentation, as fully microsegmenting a complete environment is simply not advisable. Instead, pick and choose a different level that suits your level of accepted risk for different parts/segments/areas of your infrastructure.

By giving these levels a distinct name and definition, the conversation around segmentation should hopefully go much more smoothly, because now you can just give your type of segmentation a name. Less miscommunication equals getting more stuff done!

Please fill in the survey on what you think of these levels of segmentation! It helps my research tremendously: Link to the Google Forms (no sign in required!). I finished my Master’s! Big thanks to everyone who filled it out!


Macrosegmentation is separation based on VLANs, networks or other large, sweeping distinctions. Examples include different business units, departments, or other broad functionality. Usually this is done on the physical routing and switching infrastructure with a gateway firewall at each boundary, rather than using distributed firewalling.

Mesosegmentation – Environments

Environment separation is based around production, development, staging, or otherwise large distinctions within the datacenter. Provides high-level separation based upon risk and requirements for each of the environments.

Separation can also be for environments such as VDI, or maybe PCI compliant resources versus those that aren’t. Or for a hospital environment resources that house patient information and those that need to access them.

Mesosegmentation – Applications

Application separation is based around the functionality that a workload provides. Access to each application is arranged to all workloads within equally. This means that in order to give access to the application, you give access to ALL VMs within that application segment.

Mesosegmentation – Tiers

Tier separation is done within the application based around the 3-tier model so often found in the literature. Usually follows separation around frontend, middleware, backend or database. Workloads within each tier have free-flowing access.

This allows for access specifically to VMs that serve one aspect of the application, rather than to the application as a whole.


Microsegmentation involves separating each individual workload, even within an application tier. Access can be granted to each individual VM, but requires the creation of unique rules for each of those flows.

Closing thoughts

These are just the different levels of segmentation as a quick primer on the subject. In the future I’ll make more posts regarding the effects and what the actual rule sets look like, or at least which principles I’ve used to define the segments.

The original article was posted on:

Robert Cranendonk Virtualization Consultant

Let's talk!

Knowledge is key for our existence. This knowledge we use for disruptive innovation and changing organizations. Are you ready for change?

"*" indicates required fields

First name*
Last name*