Recently before I moved to an environment that was heavily virtualized (95% or more), DMZs were simple to implement because I could just plug a switch into a DMZ port on my security appliance and call it a day. However, with heavily virtualized environments, it's a bit more complex with multiple servers sharing the same hosts. So I don't bother with a physical DMZ which is basically plugging your server into a different logical network and then controlling access to that via ACLs.
However, you don't need a DMZ to control access to a server but I remember reading articles on theoretical attacks on the hypervisor which would compromise all VMs on the breached host. Is anyone concerned about that? I can't bother myself to. Should I be?
Right now all I'm doing is just opening the ports that need to be opened for public facing applications or sites. For example opening 443 and 80 for a web server and opening FTP ports for FTP servers. Should I be more concerned?