Our production network mostly uses a single VLAN and contains many weakly protected services. Because anything placed on that VLAN can reach everything else on it, this creates a high barrier to entry for new services while at the same time providing fairly weak security protection.
Concretely, this makes it difficult to get semi-production projects like HTML dumps, revision scoring, maps & others off the ground without also trusting those services with complete production access. Most of these services do not actually need this level of access, and would be happy to run in their own isolated network environment.
We need a way to run services that
a) have hardware and reliability requirements equivalent to other production services & exceeding those available in labs, and
b) are safely isolated from the production catch-all network environment, so that they can't directly talk to internal services on the production network, but are accessible from production.
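One way to express requirement b) on a Linux router sitting between the two networks, as an added illustration rather than anything from this task or the project's actual configuration: the interface names (prod0, iso0) and address ranges (10.64.0.0/16 for production, 10.200.0.0/24 for the isolated network) are hypothetical. Stateful tracking lets the isolated hosts answer connections that production opened while refusing to let them open any of their own.

```nft
# Added illustration, not the project's ruleset. Assumes a Linux router with
# prod0 attached to the production VLAN (10.64.0.0/16) and iso0 attached to
# the isolated service network (10.200.0.0/24); names and prefixes are made up.
table inet svc_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets belonging to a connection that was already accepted may
        # flow in either direction: the isolated side can reply, not initiate.
        ct state established,related accept
        ct state invalid drop

        # Production may open new connections to the isolated services.
        iifname "prod0" oifname "iso0" ip saddr 10.64.0.0/16 ip daddr 10.200.0.0/24 ct state new accept

        # The isolated network may not initiate anything toward production.
        # Reject rather than silently drop so a misconfigured service fails
        # immediately instead of hanging on a timeout.
        iifname "iso0" oifname "prod0" ct state new reject with icmpx type admin-prohibited

        # Anything not matched above falls through to the chain policy (drop).
    }
}
```

Load it with `nft -f <file>` and confirm the asymmetry from both sides: a connection from a production host to an isolated service should succeed, while the same attempt from an isolated host toward production should come back with an administratively-prohibited error. Two caveats apply. First, anything the isolated hosts genuinely need from production (name resolution, package mirrors and the like) has to be allowed explicitly, by destination and port, as a further rule above the reject; the policy deliberately gives them nothing by default. Second, the ruleset only governs traffic that crosses this router, so it does nothing about services that remain on the flat production VLAN talking to each other.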