I don't think he wants your third thumb

If it's a layer 2 switch you can only have one VLAN through it, it's all on the same broadcast domain.

You can use roas "router-on-a-stick" approach if u want to use an L2 switch for the servers, so u can have separate vlans in each server.

Yes, you can and this is the best option rather than creating virtual Firewall for each zone. Therefore, simply assign each App, Data, Web systems (phsyical or virtualized servers) into a switch and segreate between them using VLANs. Connect the firewall to the switch as a Trunk and create sub-interfaces, where each sub-interface tagged with a VLAN for each zone. Then in firewall assign each sub-interface into different security zone (Web, App, Data) and start configuring firewall rules between zones.

Thank you for you question a) It's possible to use a virtual firewall if your organization prefers to avoid appliances: all major vendors have virtualized their products to work in both private-cloud or public-cloud environments. Also most vendors allow in-product virtualization (having multiple virtual firewalls inside one big hardware chassis). b) All firewall vendors offer clustered high-availability solutions to avoid a single-point-of-failure situations (so do router vendors) c) SDN and cloud platform providers (VMware, Cisco ACI, AWS, Azure, etc) all provide filtering capabilities within their fabric, which is another path to take So you have plenty of options - and in all them the considerations I discussed in the video are relevant . I hope this answers your question.