The VMware NSX Distributed Firewall (DFW) can be used for micro-segmentation. There are no choke points, and performance scales out up to 20 Gbps.
It acts like a firewall on the vNIC. Each vNIC has its own rule set. Performance is close to line rate. Traffic redirection to third-party services is possible.
Of course there is the REST API.
The DFW is a stateful engine. During a vMotion the state table is migrated and is in place before the VM arrives on the destination host.
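As an added example (not code from the original post or from VMware), here is how the per-vNIC rule set and the REST API fit together for micro-segmentation: a small script that builds a three-tier policy with an explicit default drop and pushes it to NSX Manager. It assumes the NSX-T Policy API paths shown in the constants, a `default` domain, pre-existing groups named `web`, `app`, `db` and `three-tier-app`, and the predefined `HTTPS` and `MySQL` services; the post does not say which NSX release it covers.

```python
"""Build and push a micro-segmentation policy to the NSX DFW via the REST API."""
import json
import urllib.request

# Assumed NSX-T Policy API paths; adjust for your NSX release and domain.
GROUP = "/infra/domains/default/groups/{}"
SERVICE = "/infra/services/{}"
POLICY_PATH = "/policy/api/v1/infra/domains/default/security-policies/{}"


def build_policy(policy_id, allowed_flows, scope_group=None):
    """Return the SecurityPolicy body: one logged ALLOW rule per
    (src_group, dst_group, service) tuple, followed by an explicit DROP so
    any flow not listed is denied.  scope_group pins the policy to the
    vNICs of that group (the per-vNIC rule set); default is ANY."""
    scope = [GROUP.format(scope_group)] if scope_group else ["ANY"]
    rules = []
    for n, (src, dst, svc) in enumerate(allowed_flows, start=1):
        rules.append({
            "resource_type": "Rule",
            "id": f"allow-{src}-to-{dst}-{svc.lower()}",
            "sequence_number": n * 10,
            "source_groups": [GROUP.format(src)],
            "destination_groups": [GROUP.format(dst)],
            "services": [SERVICE.format(svc)],
            "action": "ALLOW",
            "logged": True,
            "scope": scope,
        })
    rules.append({  # catch-all: whatever is not explicitly allowed is dropped
        "resource_type": "Rule", "id": "default-drop",
        "sequence_number": (len(rules) + 1) * 10,
        "source_groups": ["ANY"], "destination_groups": ["ANY"],
        "services": ["ANY"], "action": "DROP", "logged": True, "scope": scope,
    })
    return {"resource_type": "SecurityPolicy", "id": policy_id,
            "category": "Application", "rules": rules}


def push_policy(manager, auth_header, body):
    """PATCH the policy to NSX Manager (create-or-update); TLS is verified."""
    req = urllib.request.Request(
        f"https://{manager}{POLICY_PATH.format(body['id'])}",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    policy = build_policy("three-tier-app",
                          [("web", "app", "HTTPS"), ("app", "db", "MySQL")],
                          scope_group="three-tier-app")
    print(json.dumps(policy, indent=2))
    # push_policy("nsx-manager.example", "Basic <base64 credentials>", policy)
```

Because the DFW is stateful, only the client-to-server direction needs an ALLOW rule; return traffic is matched from the state table, which survives a vMotion as described above.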