I’ve had this debate several times with people…in the light of all things being virtual why do we still need physical firewalls? In my opinion, the best way to secure an environment would be to use a combination of physical and virtual firewalls and load balancers. A regular x86 server with a generic CPU is not meant to handle the performance needs of deep packet inspection. That’s what the specialized asics in physical firewalls are built to handle. Keep in mind, I’m not saying you shouldn’t use virtual firewalls to handle internal security, or microsegmentation if you prefer, to handle scalability and the like.
Also, something else to keep in mind is that many virtual firewalls do not have the next generation capabilities that physical firewalls have…for example application based inspection. So this is definitely something to consider when designing your security solution. Most environments are also not 100% virtualized, so there’s really no argument there. You need to have some sort of physical firewall at least at the perimeter to handle security for your physical infrastructure.