This document discusses securing microservices in CloudFoundry. It begins by noting the need for microsegmentation as applications move to the cloud and become more elastic. Defining firewall rules by IP address, the traditional approach, becomes unmanageable in this environment. The document then proposes defining policies based on application roles and grouping endpoints into policy-defined segments. It provides examples of defining policies by application groups rather than individual IP addresses, which avoids state explosion. This group-based approach allows secure, scalable, and intent-based policy definition.
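The contrast between group-based policy and per-IP firewall rules, as an added example that is not taken from the document being summarized: a default-deny policy written against application roles is evaluated by group membership, then expanded into the per-IP rules a classic firewall would need. The group names, IP addresses, ports and function names are all constructed for illustration.

```python
from itertools import product

# Constructed inventory: endpoint IP -> application role (group). Hypothetical names.
ENDPOINTS = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "orders", "10.0.2.11": "orders",
    "10.0.3.10": "db",
}

# Intent-based policy: (source group, destination group, protocol, port).
# Anything not listed is denied.
POLICY = [
    ("web", "orders", "tcp", 8080),
    ("orders", "db", "tcp", 5432),
]

def members(endpoints, group):
    """All endpoint IPs currently assigned to a group."""
    return sorted(ip for ip, g in endpoints.items() if g == group)

def is_allowed(endpoints, policy, src_ip, dst_ip, proto, port):
    """Decide by group membership; endpoints in no group are denied."""
    src, dst = endpoints.get(src_ip), endpoints.get(dst_ip)
    if src is None or dst is None:
        return False
    return (src, dst, proto, port) in policy

def render_ip_rules(endpoints, policy):
    """Expand the group policy into the per-IP allow rules it implies."""
    rules = []
    for src, dst, proto, port in policy:
        for s, d in product(members(endpoints, src), members(endpoints, dst)):
            rules.append((s, d, proto, port))
    return rules

def scale_out(endpoints, group, subnet, count):
    """Return a new inventory with `count` extra instances of `group` (constructed IPs)."""
    grown = dict(endpoints)
    for i in range(count):
        grown[f"{subnet}.{100 + i}"] = group
    return grown

if __name__ == "__main__":
    print(len(POLICY), "group rules ->", len(render_ip_rules(ENDPOINTS, POLICY)), "IP rules")
    grown = scale_out(scale_out(ENDPOINTS, "web", "10.0.1", 18), "orders", "10.0.2", 18)
    print(len(POLICY), "group rules ->", len(render_ip_rules(grown, POLICY)), "IP rules")
    # A newly scaled web instance still cannot reach the database directly.
    print(is_allowed(grown, POLICY, "10.0.1.100", "10.0.3.10", "tcp", 5432))
```

Scaling the two application tiers leaves the two-line group policy untouched, while the equivalent per-IP rule set grows with the product of the instance counts.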