Layers
It's all about the layers. APIs & inter-app comms are probably an afterthought for most.
The 'tightest' place I've encountered had:
a) Windows desktop & server firewall controlled by AD policy
b) Cisco ISE operating on all switch ports (assigning VLANs etc) with MAC and 802.1x back to AD
c) Switch port policies applied to ports based on the VLAN or ISE assignment
d) Site level firewalls (Palo Alto) governing intersite and internet access
e) SD-WAN (Silverpeak)
f) Regional firewalls for internet (and any failover between intersite if SDWAN routing went awry)
g) VPN with device and user authentication, and policies applied dynamically based on both
h) WAFs and NSGs running on the Azure side of things (if you made it that far)
i) AD ACL and SEC groups, applied thoroughly on actual servers, shares & resource groups
But, as outlined in the article, if (or once) you were 'in', you were generally able to 'get around' - but that was also partly due to a hangover from a prior set of circumstances where there were no proper firewall policies previously, and there was still reasonable paranoia as to restricting things further.