>>YokoZa+(OP)
There isn't a great reason. It's just that the people who set the policy wanted to prevent lateral attacker movement at all costs. The VMs and the enterprise applications are in the same building, but no longer have network connectivity because they don't routinely communicate (in the past, a VM would make an outbound TCP connection only after an SRE decided that a problem existed).