Lab 8: cross-tenant shared services

Create a shared-services tenant and expose DNS/NTP-style contracts only to approved EPGs in production and development.

Lab 8 is the first controlled cross-tenant sharing lab.

Lab 7 kept production and development completely separate. Lab 8 adds a third tenant:

lab-shared

That tenant represents common services such as DNS and NTP.

Target model

Tenant lab-shared service owner

EPG dns-ntp-services provides services

Contracts shared-dns shared-ntp

lab-prod contract interfaces shared-dns-if shared-ntp-if

Approved EPGs web app db

lab-dev contract interfaces shared-dns-if shared-ntp-if

Approved EPGs frontend api database

What you configure

Area	Value
Shared tenant	`lab-shared`
Shared VRF	`shared-vrf`
Shared bridge domain	`shared-bd`
Shared subnet	`10.30.10.1/24`
Shared app profile	`shared-services-app`
Provider EPG	`dns-ntp-services`
Provider contracts	`shared-dns`, `shared-ntp`

The provider tenant owns the real contracts. The consuming tenants get local contract interfaces:

Consumer tenant	Local interfaces
`lab-prod`	`shared-dns-if`, `shared-ntp-if`
`lab-dev`	`shared-dns-if`, `shared-ntp-if`

Those interfaces point back to the contracts in lab-shared.

Approved consumers

The consumer list is explicit:

Tenant	App profile	EPGs
`lab-prod`	`three-tier-app`	`web`, `app`, `db`
`lab-dev`	`dev-three-tier-app`	`frontend`, `api`, `database`

There is no tenant-wide shortcut in this lab. Each approved EPG consumes the shared DNS and NTP interfaces directly.

Automation

The lab repo has an idempotent script:

./scripts/configure-aci-lab-8-cross-tenant-shared-services.sh

The latest run returned:

ready: true
shared_tenant lab-shared
provider_epg dns-ntp-services
approved_consumer_count 12
observed_consumer_count 12
unexpected_shared_interface_consumers []
fault_counts lab-prod=0 lab-dev=0 lab-shared=0

Verification checklist

In APIC, check these before calling the lab complete:

Tenant lab-shared exists.
lab-shared has VRF shared-vrf.
lab-shared has bridge domain shared-bd.
shared-bd has subnet 10.30.10.1/24.
Application profile shared-services-app exists.
EPG dns-ntp-services exists.
Contracts shared-dns and shared-ntp exist.
lab-prod has contract interfaces shared-dns-if and shared-ntp-if.
lab-dev has contract interfaces shared-dns-if and shared-ntp-if.
Only the approved EPGs consume those interfaces.
lab-prod, lab-dev, and lab-shared have zero active faults.

Why this matters

Real ACI environments often need shared services. DNS, NTP, identity services, patch repositories, monitoring, and logging are common examples.

The design mistake is to make sharing broad just because the service is common.

This lab keeps the model narrow:

shared service provider tenant
named contracts
consumer-side contract interfaces
approved EPG consumers
zero broad tenant-wide access

What this lab teaches

You should leave Lab 8 understanding:

ACI tenants can stay isolated while still consuming approved shared services.
The provider tenant owns the service contracts.
Consumer tenants can hold local contract interfaces that point to provider contracts.
Shared services should be named, audited, and narrow.
The simulator proves APIC policy relationships, not packet flow.

The next lab should compare this dedicated shared-services tenant pattern with reusable policy in the built-in common tenant.