Re: Fast, Cheap, Out of Control?
Great question, Drew. To be perfectly transparent, this is an approach that is still new and is getting fleshed out by early adopters. The key in the approach is the adoption of network controllers for heavy automation. This lets the controller take care of keeping track of all those instances, which VLANs they run on, and which apps they are tied to. Thus, when an app is moved, all the VMs that made up the app plus the supporting infrastructure (firewalls, load balancers, etc.) are taken along for the ride. Ditto with handling of instantiation and decommission.
Increasingly, some notion of a configuration template or recipe (think ACI or Puppet) is used to drive configuration across each instance. The vast majority of apps use a small handful of recipes while the remaining start to leverage one-off changes. This makes the changes easy to track from a central location and state management of the device easy to do. (Unsure of the device state? Let the system get it back to a known configuration for you.)
Net-net, the goal is to make changes quick. We can either trust developers (which I clearly don't agree with) or empower the security team to be able to drive change quickly. A highly automated, template-driven network is one approach to empowering the security team that I believe will be the method of choice for most organizations in the future.