Data network microsegmentation
US-9560081-B1 · Jan 31, 2017 · US
US9787639B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9787639-B1 |
| Application number | US-201615387584-A |
| Country | US |
| Kind code | B1 |
| Filing date | Dec 21, 2016 |
| Priority date | Jun 24, 2016 |
| Publication date | Oct 10, 2017 |
| Grant date | Oct 10, 2017 |
Abstract
Methods and systems for granular segmentation of data networks are provided herein. Exemplary methods include: receiving from a metadata source event metadata associated with a workload; identifying a workload type using the event metadata; determining a high-level declarative security policy using the workload type; launching a compiler to generate a low-level firewall rule set using the high-level declarative policy and the event metadata; and configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall ruleset, the network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.
Claims

What is claimed is:

1. A method implemented by at least one hardware processor for granular segmentation of data networks, the method comprising: receiving from a metadata source event metadata associated with a workload; identifying a workload type using the event metadata; determining a high-level declarative security policy using the workload type; launching a compiler to generate a low-level firewall rule set using the high-level declarative security policy and the event metadata; and configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall rule set, the plurality of network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.
2. The method of claim 1, wherein the metadata source is at least one of a hypervisor and an orchestration layer.
3. The method of claim 1, wherein the event metadata is received in response to an event.
4. The method of claim 3, wherein the event is at least one of: the workload being instantiated, the workload being removed, the workload being migrated, and workload metadata being changed.
5. The method of claim 4, further comprising: disseminating, to a destination enforcement point of a migrated workload, a state of a communications session of the migrated workload.
6. The method of claim 1, wherein the workload is at least one of a: bare-metal server, virtual machine (VM), container, and microservice.
7. The method of claim 1, wherein the event metadata includes at least one of: an event, an application name, a service name, a user-defined tag/label, an IP address, a port number, an operating system name, a software version, and a location.
8. The method of claim 1, wherein: the event metadata includes at least one of: a date and a time; and the high-level declarative security policy includes a time-based provision.
9. The method of claim 1, wherein the high-level declarative security policy comprises an intent-driven model, the intent-driven model specifying groups of workloads and describing permitted connectivity, security, and network services between the groups.
10. The method of claim 1, wherein the low-level firewall rule set comprises individual workload addresses to and/or from which network communications are at least one of forwarded, blocked, redirected, and logged.
11. A system for granular segmentation of data networks, the system comprising: at least one hardware processor; and a memory coupled to the at least one hardware processor, the memory storing instructions executable by the at least one hardware processor to perform a method comprising: receiving from a metadata source event metadata associated with a workload; identifying a workload type using the event metadata; determining a high-level declarative security policy using the workload type; launching a compiler to generate a low-level firewall rule set using the high-level declarative security policy and the event metadata; and configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall rule set, the plurality of network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.
12. The system of claim 11, wherein the metadata source is at least one of a hypervisor and an orchestration layer.
13. The system of claim 11, wherein the metadata source sends the event metadata in response to an event.
14. The system of claim 13, wherein the event is at least one of: the workload being instantiated, the workload being removed, the workload being migrated, and workload metadata being changed.
15. The system of claim 14, wherein the method further comprises: disseminating, to a destination enforcement point of a migrated workload, a state of a communications session of the migrated workload.
16. The system of claim 11, wherein the workload is at least one of a: bare-metal server, virtual machine, container, and microservice.
17. The system of claim 11, wherein the event metadata includes at least one of: an event, an application name, a service name, a user-defined tag/label, an IP address, a port number, an operating system name, a software version, and a location.
18. The system of claim 11, wherein: the event metadata includes at least one of a date and a time; and the high-level declarative security policy includes a time-based provision.
19. The system of claim 11, wherein the high-level declarative policy comprises an intent-driven model, the intent-driven model specifying groups of workloads and describing permitted connectivity, security, and network services between the groups.
20. The system of claim 11, wherein the low-level firewall rule set comprises individual workload addresses to and/or from which network communications are at least one of forwarded, blocked, redirected, and logged.
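The pipeline the abstract and claims 1 through 10 describe (event metadata in, workload type identified, group-level intent policy selected, per-address firewall rules compiled out to the enforcement point of each switch, session state handed to the destination on migration, time-based provisions) is small enough to show end to end. The following Python is an added illustration written for this page; it is not code from the patent or from its assignee, and every name in it is constructed: the `TYPE_BY_APP` lookup, the `INTENT` policy, the switch names `sw1`/`sw2`, the 10.0.x.x addresses and the event stream are all assumptions chosen to exercise the claims, not data from the filing.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed mapping from application name to workload type (an assumption of
# this example; a real deployment would take it from orchestrator labels/tags).
TYPE_BY_APP = {"nginx": "web", "tomcat": "app", "postgres": "db"}

# High-level declarative (intent-driven) policy: groups of workloads and the
# connectivity permitted between them. Anything not listed ends up blocked.
INTENT = [
    {"from": "web",  "to": "app", "port": 8080, "action": "forward"},
    {"from": "app",  "to": "db",  "port": 5432, "action": "forward"},
    # time-based provision: operators may reach the database only 08:00-18:00
    {"from": "mgmt", "to": "db",  "port": 5432, "action": "log", "hours": (8, 18)},
]

Rule = Tuple[str, str, Optional[int], str]   # (src_ip, dst_ip, dst_port, action)
Flow = Tuple[str, str, int]                  # (src_ip, dst_ip, dst_port)
DEFAULT_BLOCK: Rule = ("*", "*", None, "block")


@dataclass
class Workload:
    name: str
    ip: str
    wtype: str
    switch: str   # the enforcement point (switch) this workload is attached to


def identify_type(meta: dict) -> str:
    """An explicit role label wins; otherwise fall back to the application name."""
    role = meta.get("labels", {}).get("role")
    return role or TYPE_BY_APP.get(meta.get("app", ""), "unclassified")


def apply_event(inv: Dict[str, Workload], ev: dict,
                sessions: Dict[str, Set[Flow]]) -> None:
    """Update the inventory (and per-switch session tables) from one event."""
    kind = ev["event"]
    if kind == "instantiate":
        inv[ev["name"]] = Workload(ev["name"], ev["ip"], identify_type(ev), ev["switch"])
    elif kind == "remove":
        inv.pop(ev["name"], None)
    elif kind == "metadata_change":
        inv[ev["name"]].wtype = identify_type(ev)
    elif kind == "migrate":
        # Hand the migrated workload's live flows to the destination enforcement
        # point so established connections are not reset (claim 5 / 15).
        w, old, new = inv[ev["name"]], inv[ev["name"]].switch, ev["switch"]
        moving = {f for f in sessions.get(old, set()) if w.ip in f[:2]}
        sessions.setdefault(old, set()).difference_update(moving)
        sessions.setdefault(new, set()).update(moving)
        w.switch = new
    else:
        raise ValueError(f"unknown event {kind!r}")


def compile_rules(inv: Dict[str, Workload], intent: List[dict] = INTENT,
                  hour: int = 12) -> Dict[str, List[Rule]]:
    """Expand the group-level intent into per-address rules for each enforcement
    point. A rule is installed on the switches of both endpoints, and every
    switch ends with a default block, so only traffic the intent names passes."""
    by_type: Dict[str, List[Workload]] = {}
    for w in inv.values():
        by_type.setdefault(w.wtype, []).append(w)
    rules: Dict[str, List[Rule]] = {w.switch: [] for w in inv.values()}
    for p in intent:
        start, end = p.get("hours", (0, 24))
        if not start <= hour < end:
            continue                     # time-based provision not in effect now
        for src in by_type.get(p["from"], []):
            for dst in by_type.get(p["to"], []):
                if src is dst:
                    continue
                rule: Rule = (src.ip, dst.ip, p["port"], p["action"])
                for sw in sorted({src.switch, dst.switch}):
                    if rule not in rules[sw]:
                        rules[sw].append(rule)
    for sw in rules:
        rules[sw].append(DEFAULT_BLOCK)
    return rules


def demo() -> Tuple[Dict[str, List[Rule]], Dict[str, Set[Flow]]]:
    """Constructed event stream, shaped like what a hypervisor/orchestrator emits."""
    events = [
        {"event": "instantiate", "name": "web1", "ip": "10.0.1.10", "app": "nginx", "switch": "sw1"},
        {"event": "instantiate", "name": "app1", "ip": "10.0.2.10", "app": "tomcat", "switch": "sw1"},
        {"event": "instantiate", "name": "db1", "ip": "10.0.3.10", "app": "postgres", "switch": "sw2"},
        {"event": "instantiate", "name": "ops1", "ip": "10.0.9.10", "labels": {"role": "mgmt"}, "switch": "sw2"},
    ]
    inv: Dict[str, Workload] = {}
    sessions: Dict[str, Set[Flow]] = {"sw1": {("10.0.2.10", "10.0.3.10", 5432)}}  # app1 -> db1 live flow
    for ev in events:
        apply_event(inv, ev, sessions)
    apply_event(inv, {"event": "migrate", "name": "app1", "switch": "sw2"}, sessions)
    return compile_rules(inv), sessions


if __name__ == "__main__":
    rules, sessions = demo()
    for sw, rs in rules.items():
        print(sw, rs)
    print("sessions", sessions)
```

The point to notice is what the compiler does not emit: there is no rule from `web1` to `db1`, because the intent names no web-to-db connectivity, and after `app1` migrates the rule permitting it to reach `db1` exists only on `sw2`, together with the flow state that was moved there. Running `compile_rules` again with `hour=20` drops the operator rule entirely, which is how a time-based provision is enforced without any per-packet clock check at the switch.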
CPC classification (titles)

- Rule management
- Isolation or security of virtual machine instances
- Hypervisor-specific management and integration aspects
- Filtering by information in the payload
- for managing network security; network security policies in general (filtering policies H04L63/0227)