Lab 7: multi-tenant isolation

Create a second isolated ACI tenant and verify that production and development policy remain separate.

Lab 7 adds a second tenant to the simulator.

So far, the labs used one production-style tenant:

lab-prod

Now you add a separate development tenant:

lab-dev

The lesson is that an ACI tenant is a policy namespace. Production and development should not share policy by accident.

Target model

Tenant lab-prod production policy

VRF prod-vrf BD prod-bd

EPGs web app db shared-services

Tenant lab-dev development policy

VRF dev-vrf BD dev-bd

EPG frontend consumes API

EPG api provides API consumes DB

EPG database provides DB

No cross-tenant contract refs

What you will configure

Area	Production	Development
Tenant	`lab-prod`	`lab-dev`
VRF	`prod-vrf`	`dev-vrf`
Bridge domain	`prod-bd`	`dev-bd`
Subnet gateway	`10.10.10.1/24`	`10.20.10.1/24`
App profile	`three-tier-app`	`dev-three-tier-app`

The development tenant has three EPGs:

EPG	Role
`frontend`	User-facing tier
`api`	Application service tier
`database`	Data tier

Tenant-local contracts

The development tenant gets its own contracts:

Contract	Consumer	Provider	Port
`dev-frontend-to-api`	`frontend`	`api`	TCP 8080
`dev-api-to-database`	`api`	`database`	TCP 5432

The important part is what you do not configure:

lab-prod does not consume lab-dev contracts
lab-dev does not consume lab-prod contracts

Automation

The lab repo has an idempotent script:

./scripts/configure-aci-lab-7-multi-tenant-isolation.sh

The latest run returned:

ready: true
prod_tenant lab-prod
dev_tenant lab-dev
prod_tenant_fault_count 0
dev_tenant_fault_count 0
cross_tenant_contract_refs []

Verification checklist

In APIC, check these before calling the lab complete:

Tenant lab-prod still exists.
Tenant lab-dev exists.
lab-dev has VRF dev-vrf.
lab-dev has bridge domain dev-bd.
dev-bd has subnet 10.20.10.1/24.
Application profile dev-three-tier-app exists.
EPGs frontend, api, and database exist.
Contracts dev-frontend-to-api and dev-api-to-database exist.
Tenant lab-dev has no active faults.
There are no intentional cross-tenant contract relationships yet.

Why this matters

Multi-tenant ACI design should start from isolation.

That means each tenant gets its own:

VRF
bridge domains
EPGs
contracts
operating boundary

After isolation is clear, you can deliberately add shared services, L3Outs, or cross-tenant contract patterns. Doing that too early makes the policy hard to reason about.

What this lab teaches

You should leave Lab 7 understanding:

Tenants are separate policy namespaces.
A second tenant can repeat the same application pattern without touching production.
Tenant-local contracts keep policy easier to audit.
Cross-tenant sharing should be explicit and documented.
The simulator proves policy shape, not real endpoint traffic.

The next lab should introduce shared services across tenants carefully, with a clear provider, consumer, and audit trail.