Lab 9: common tenant reusable policy

Use the ACI common tenant for reusable filters and contracts while keeping consumers explicitly approved.

Lab 9 uses the built-in ACI tenant:

common

The common tenant is useful when several tenants should reuse the same filters or contracts. It is also risky if it becomes a shortcut for broad, unreviewed access.

Target model

Tenant common reusable policy

Filters lab-common-web-filter lab-common-api-filter

Contracts lab-common-web-access lab-common-api-access

lab-prod local interfaces web access api access

Approved EPGs web -> web access app -> API access

lab-dev local interfaces web access api access

Approved EPGs frontend -> web access api -> API access

What you configure

Area	Value
Reusable policy tenant	`common`
Web filter	`lab-common-web-filter`
API filter	`lab-common-api-filter`
Web contract	`lab-common-web-access`
API contract	`lab-common-api-access`

The filters are simple on purpose:

Filter	Ports
`lab-common-web-filter`	TCP 80, TCP 443
`lab-common-api-filter`	TCP 8443

Consumer-side interfaces

The reusable contracts live in common. The consuming tenants get local contract interfaces:

Consumer tenant	Interfaces
`lab-prod`	`lab-common-web-access-if`, `lab-common-api-access-if`
`lab-dev`	`lab-common-web-access-if`, `lab-common-api-access-if`

Those local interfaces point back to the contracts in common.

Approved consumers

The approved list is deliberately small:

Tenant	App profile	EPG	Contract interface
`lab-prod`	`three-tier-app`	`web`	`lab-common-web-access-if`
`lab-prod`	`three-tier-app`	`app`	`lab-common-api-access-if`
`lab-dev`	`dev-three-tier-app`	`frontend`	`lab-common-web-access-if`
`lab-dev`	`dev-three-tier-app`	`api`	`lab-common-api-access-if`

There is no tenant-wide shortcut in this lab.

Automation

The lab repo has an idempotent script:

./scripts/configure-aci-lab-9-common-tenant-reusable-policy.sh

The latest run returned:

ready: true
common_tenant common
contracts lab-common-web-access, lab-common-api-access
approved_consumer_count 4
observed_consumer_count 4
unexpected_common_interface_consumers []
fault_counts lab-prod=0 lab-dev=0 common=0

Verification checklist

In APIC, check these before calling the lab complete:

Tenant common exists.
Filters lab-common-web-filter and lab-common-api-filter exist.
Contracts lab-common-web-access and lab-common-api-access exist.
lab-prod has local interfaces lab-common-web-access-if and lab-common-api-access-if.
lab-dev has local interfaces lab-common-web-access-if and lab-common-api-access-if.
Only the approved EPGs consume those interfaces.
lab-prod, lab-dev, and common have zero active faults.

Why this matters

The common tenant is a shared namespace. That makes it powerful.

It can standardize policy names such as:

web access
API access
DNS access
NTP access
monitoring access

But if every team starts consuming common policy without review, the blast radius becomes hard to understand.

What this lab teaches

You should leave Lab 9 understanding:

common is best for reusable policy building blocks.
A reusable contract still needs a clear owner and purpose.
Consumer-side contract interfaces make shared references visible.
Reuse should not mean broad access.
The dedicated shared-services tenant pattern and the common tenant pattern solve different problems.

The next lab should compare contract scopes and show how scope changes policy blast radius.