What is an EPG in Cisco ACI [Explained]
Why EPG (End Point Group) is needed
Today’s networks group applications by virtual Local Area Network (VLAN) and subnet. As a result, connectivity and policies are applied according to VLANs/subnets. This limits how applications can be treated and how policy can be applied to the application components (for example, a 3-tier application: Web, App, and Database).
These application parts are grouped into VLANs, and subnets are coupled to those VLANs. From there, connectivity is configured through routing, and network services are applied to the subnet addressing.
The current model lends itself to misconfiguration and to policy that is applied more broadly than desired. As an example, a Web VM and an App VM can exist in the same VLAN/subnet, and as a result they can communicate with each other by default (if you need to limit their access, multiple ACLs must be implemented). Also, manual configurations, processes, and coupled constructs lead to slower deployment and higher configuration error rates.
So, in order for the network to be compatible with the application-centric approach and to enforce better security among application endpoints (EPs), EPGs (End Point Groups) are needed.
What is an EPG (End Point Group)
ACI Endpoint Groups (EPGs) define a new model for mapping applications to the network. Rather than using forwarding constructs such as addressing or VLANs to apply connectivity and policy, EPGs use a grouping of application endpoints.
EPGs are containers for collections of applications, or application components, to which policies and forwarding restrictions can be applied. They decouple the VLAN/subnet from the forwarding policies applied to the application tiers.
Within an EPG, separate endpoints can exist in one or more subnets, and a subnet can be applied to one or more EPGs.
Regardless of the separate subnets, the policy is applied to both subnets within this EPG in the example above.
EPGs are designed as flexible containers for endpoints that share common policies and whose forwarding can be treated in the same way.
In simple words, EPGs allow the forwarding policy to be applied based on logical grouping rather than VLAN/addressing.
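A simplified model of the two approaches contrasted above, added here as an illustration; it is not Cisco's code or ACI's real object model, and the endpoint names, addresses, VLAN numbers and contract ports are constructed. It shows that the legacy model permits traffic purely by VLAN membership, while the EPG model permits intra-EPG traffic by default and requires a contract between different EPGs regardless of subnet.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    vlan: int
    epg: str

@dataclass
class Fabric:
    endpoints: dict = field(default_factory=dict)
    # Contracts are (consumer EPG, provider EPG, port); simplified, one port each.
    contracts: set = field(default_factory=set)

    def add(self, ep: Endpoint) -> None:
        self.endpoints[ep.name] = ep

    def allow(self, consumer: str, provider: str, port: int) -> None:
        self.contracts.add((consumer, provider, port))

    def vlan_model_permits(self, src: str, dst: str) -> bool:
        """Legacy model: endpoints in the same VLAN/subnet talk freely on any port."""
        a, b = self.endpoints[src], self.endpoints[dst]
        return a.vlan == b.vlan

    def epg_model_permits(self, src: str, dst: str, port: int) -> bool:
        """EPG model: same EPG is permitted by default; different EPGs need a contract."""
        a, b = self.endpoints[src], self.endpoints[dst]
        if a.epg == b.epg:
            return True
        return (a.epg, b.epg, port) in self.contracts

def build_demo() -> Fabric:
    """Constructed 3-tier example: Web and App share VLAN 10, App spans two subnets."""
    f = Fabric()
    f.add(Endpoint("web1", "10.1.10.11", 10, "Web"))
    f.add(Endpoint("app1", "10.1.10.12", 10, "App"))   # same VLAN as web1
    f.add(Endpoint("app2", "10.1.20.12", 20, "App"))   # same EPG, different subnet
    f.add(Endpoint("db1", "10.1.30.13", 30, "DB"))
    f.allow("Web", "App", 8080)   # Web may reach App only on 8080
    f.allow("App", "DB", 3306)    # App may reach DB only on 3306
    return f
```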