Tenant, VRF, bridge domain, and EPG
The core ACI application model: tenant, VRF, bridge domain, subnet, application profile, and endpoint group.
Most ACI learning starts here. These objects form the basic application policy model.
The objects
| Object | Simple meaning |
|---|---|
| Tenant | A policy boundary for a customer, team, application, or environment |
| VRF | A routing table |
| Bridge domain | A layer-2 forwarding domain, usually with a subnet gateway |
| Application profile | A container for EPGs that belong to an application |
| EPG | A group of endpoints that share the same policy |
An EPG is not simply a VLAN. It is a policy group. A VLAN can be one way to attach endpoints to an EPG, but the EPG is the thing APIC uses when applying contracts and endpoint policy.
A simple lab model
Create a tenant named lab-prod.
Inside it:
| Object | Example |
|---|---|
| VRF | prod-vrf |
| Bridge domain | prod-bd |
| Subnet | 10.10.10.1/24 |
| Application profile | three-tier-app |
| EPGs | web, app, db |
This gives you a clean three-tier application skeleton. You can then add contracts in the next module.
What to verify
After building the objects, check:
- The bridge domain points to the right VRF.
- The subnet is on the bridge domain, not randomly attached elsewhere.
- Each EPG is under the expected application profile.
- Each EPG is associated with the intended bridge domain.
- APIC shows no obvious faults for missing relationships.
If the relationships feel verbose, that is normal. ACI makes implicit network assumptions explicit as policy objects.
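The first four checks above can be automated against a tenant subtree in the JSON shape APIC uses (class name, then `attributes` and `children`). This is an added example, not code from the original page or from Cisco: the sample tree is constructed, the helper names `mo`, `kids`, `build` and `verify` are hypothetical, and the fault check is left out because it needs a live APIC.

```python
def mo(cls, children=(), **attrs):
    """One managed object in APIC's JSON shape: {class: {attributes, children}}."""
    return {cls: {"attributes": attrs, "children": list(children)}}

def kids(node, cls):
    """Direct children of class `cls`, as (attributes, node) pairs."""
    body = next(iter(node.values()))
    return [(c[cls]["attributes"], c) for c in body["children"] if cls in c]

def build(bd_vrf="prod-vrf", db_bd="prod-bd", db_subnet=None):
    """Constructed lab-prod tenant (not real APIC output); arguments inject mistakes."""
    def epg(name, bd, subnet=None):
        extra = [mo("fvSubnet", ip=subnet)] if subnet else []
        return mo("fvAEPg", name=name, children=[mo("fvRsBd", tnFvBDName=bd)] + extra)
    return mo("fvTenant", name="lab-prod", children=[
        mo("fvCtx", name="prod-vrf"),
        mo("fvBD", name="prod-bd", children=[
            mo("fvRsCtx", tnFvCtxName=bd_vrf), mo("fvSubnet", ip="10.10.10.1/24")]),
        mo("fvAp", name="three-tier-app", children=[
            epg("web", "prod-bd"), epg("app", "prod-bd"), epg("db", db_bd, db_subnet)]),
    ])

def verify(tenant, vrf="prod-vrf", bd="prod-bd", subnet="10.10.10.1/24",
           ap="three-tier-app", epgs=("web", "app", "db")):
    """Run the checklist; return findings (an empty list means it passes)."""
    out = []
    bd_nodes = {a["name"]: n for a, n in kids(tenant, "fvBD")}
    if bd not in bd_nodes:
        return [f"bridge domain {bd} missing"]
    ctx = [a["tnFvCtxName"] for a, _ in kids(bd_nodes[bd], "fvRsCtx")]
    if ctx != [vrf]:
        out.append(f"{bd} points to VRF {ctx}, expected {vrf}")
    if subnet not in [a["ip"] for a, _ in kids(bd_nodes[bd], "fvSubnet")]:
        out.append(f"subnet {subnet} not on {bd}")
    found = {e["name"]: (a["name"], n) for a, ap_node in kids(tenant, "fvAp")
             for e, n in kids(ap_node, "fvAEPg")}  # EPG name -> (AP, node)
    for name in epgs:
        if name not in found:
            out.append(f"EPG {name} missing")
            continue
        parent, node = found[name]
        if parent != ap:
            out.append(f"EPG {name} is under {parent}, expected {ap}")
        rsbd = [a["tnFvBDName"] for a, _ in kids(node, "fvRsBd")]
        if rsbd != [bd]:
            out.append(f"EPG {name} uses BD {rsbd}, expected {bd}")
        for a, _ in kids(node, "fvSubnet"):
            out.append(f"subnet {a['ip']} is on EPG {name}, not on {bd}")
    return out
```

`verify(build())` returns an empty list for the lab model as described; passing `build(db_bd="other-bd", db_subnet="10.10.20.1/24")` shows the findings for an EPG tied to the wrong bridge domain with a subnet attached to it.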