~45 min read · updated 2026-05-16

Lab 6: preferred group trust zone

Use ACI preferred groups to model a trusted app zone while keeping the database tier outside the broad trust boundary.

Lab 6 introduces ACI preferred groups. Preferred groups are a way to say: these selected EPGs inside a VRF are trusted enough to communicate more freely with each other.

In this lab, the trusted app zone is:

  • web
  • app
  • shared-services

The database tier stays outside that broad trust zone:

  • db

That keeps the database dependent on explicit contracts.

Target model

What you will configure

Object                 Setting
VRF prod-vrf           Policy enforcement stays enabled
EPG web                Preferred group membership: include
EPG app                Preferred group membership: include
EPG shared-services    Preferred group membership: include
EPG db                 Preferred group membership: exclude

Why preferred groups matter

Without preferred groups, EPGs normally need contracts to communicate in an enforced VRF.

With preferred groups, the included EPGs are treated as one trusted group and can communicate with each other without the contracts an enforced VRF would otherwise require between them. This reduces policy noise for closely related tiers.

Preferred groups are useful for:

  • small trusted app zones
  • management services within a VRF
  • shared tooling tiers
  • temporary migration simplification

Preferred groups are risky for:

  • database tiers
  • regulated systems
  • untrusted tenant workloads
  • broad production networks

Build the trust zone

Keep VRF prod-vrf in enforced mode.

Set these EPGs as preferred-group members:

EPG                  Membership
web                  include
app                  include
shared-services      include

Then explicitly keep the sensitive tier out:

EPG                  Membership
db                   exclude

How this compares with vzAny

Lab 5 used vzAny to attach shared DNS and NTP contracts at the VRF level.

Preferred group is different. It changes how included EPGs relate to each other inside the VRF.

Use this rule of thumb:

Feature              Best for
vzAny                Common service contracts consumed by many EPGs
Preferred group      A trusted zone of EPGs that can communicate more freely

Both are powerful. Both can accidentally make policy too broad.

Automation

The lab repo has an idempotent script:

./scripts/configure-aci-lab-6-preferred-group.sh

The latest run returned:

ready: true
tenant_fault_count: 0
prod-vrf pcEnfPref enforced
web prefGrMemb include
app prefGrMemb include
shared-services prefGrMemb include
db prefGrMemb exclude

Verification checklist

In APIC, check these before calling the lab complete:

  • VRF prod-vrf exists.
  • VRF prod-vrf policy enforcement remains enabled.
  • EPG web is a preferred-group member.
  • EPG app is a preferred-group member.
  • EPG shared-services is a preferred-group member.
  • EPG db is not a preferred-group member.
  • Tenant lab-prod has no active faults.
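The checklist above, written as an added example (not the lab repo's script) that evaluates APIC-style managed objects offline: the sample response is constructed inline in the JSON shape the APIC REST API returns, and the application-profile name lab-ap is a placeholder, since the page does not name one.

```python
import json

# Desired state from the lab's target model (tenant, VRF and EPG names are the page's).
TENANT, VRF = "lab-prod", "prod-vrf"
EXPECTED_MEMBERSHIP = {"web": "include", "app": "include",
                       "shared-services": "include",
                       "db": "exclude"}  # db stays dependent on explicit contracts

# Constructed sample in the JSON shape the APIC REST API returns; "lab-ap" is a
# placeholder application-profile name because the page does not name one.
SAMPLE_APIC_RESPONSE = json.dumps({"imdata": [
    {"fvCtx": {"attributes": {"dn": f"uni/tn-{TENANT}/ctx-{VRF}",
                              "name": VRF, "pcEnfPref": "enforced"}}}] + [
    {"fvAEPg": {"attributes": {"dn": f"uni/tn-{TENANT}/ap-lab-ap/epg-{epg}",
                               "name": epg, "prefGrMemb": memb}}}
    for epg, memb in EXPECTED_MEMBERSHIP.items()]})


def evaluate_checklist(response_json, expected=EXPECTED_MEMBERSHIP):
    """Return {check: passed}; the lab is complete only when every check passes."""
    ctx, epgs, faults = {}, {}, []
    for mo in json.loads(response_json)["imdata"]:
        (cls, body), = mo.items()
        attrs = body["attributes"]
        if not attrs["dn"].startswith(f"uni/tn-{TENANT}/"):
            continue  # objects outside the lab tenant are not ours to judge
        if cls == "fvCtx":
            ctx[attrs["name"]] = attrs
        elif cls == "fvAEPg":
            epgs[attrs["name"]] = attrs
        elif cls == "faultInst":
            faults.append(attrs)
    vrf = ctx.get(VRF)
    results = {
        f"VRF {VRF} exists": vrf is not None,
        f"VRF {VRF} enforced": vrf is not None and vrf["pcEnfPref"] == "enforced",
        f"tenant {TENANT} fault count 0": not faults,
    }
    for epg, want in expected.items():
        # A missing EPG fails too: absence is not the same as "exclude".
        results[f"EPG {epg} prefGrMemb {want}"] = epgs.get(epg, {}).get("prefGrMemb") == want
    return results


def set_membership(response_json, epg, value):
    """Copy of the response with one EPG's prefGrMemb changed, to simulate drift."""
    data = json.loads(response_json)
    for mo in data["imdata"]:
        attrs = mo.get("fvAEPg", {}).get("attributes")
        if attrs and attrs["name"] == epg:
            attrs["prefGrMemb"] = value
    return json.dumps(data)
```

Running `evaluate_checklist` on a drifted copy (for example db flipped to include) fails only the db row, which is the drift a reviewer most needs to catch before the database tier silently joins the trust zone.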

What this lab teaches

You should leave Lab 6 understanding:

  • Preferred group is a trust-zone feature inside a VRF.
  • Membership is configured on EPGs.
  • Sensitive EPGs can be kept outside the preferred group.
  • Contracts still matter for non-preferred EPGs.
  • Preferred groups reduce policy complexity but can broaden access too much.

This remains an APIC policy lab. It does not prove actual endpoint traffic. For packet tests, build the same trust-zone model in EVE-NG with Linux endpoints and a forwarding fabric.