Cisco ACI Cookbook

Using contracts between tenants

Contracts allow EPGs to communicate with each other, according to the rules we set. Contracts can be very granular, including the protocol, port, and direction of the traffic. We do not need a contract for intra-EPG traffic (this is implicitly permitted), but a contract is essential for inter-EPG traffic.

An EPG can be a provider of a contract, a consumer of a contract, or both, providing and consuming at the same time. We can also provide or consume multiple contracts simultaneously. Contracts are, to simplify, access lists. However, they are not bound by the same limitations as access lists. To read about why contracts are better than access lists, refer to http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI_Fundamentals_BigBook_chapter_0100.html#concept_0DEE0F8BB4614E3183CD568EA4C259F4.

To simplify the definition of provider and consumer, suppose we have two contracts. One opens up HTTP access to a particular destination (it provides); the other permits access from the other EPG to the HTTP server (consuming). We can also be less stringent and allow full TCP and UDP access between two EPGs. In that case we would have two contracts, and both EPGs would consume one and provide the other, allowing full bidirectional connectivity.
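The rules above can be checked with a small policy model. This is an added example, not code from the book or from the APIC: it assumes a consumer may open flows to a provider on the contract's filtered destination ports, it does not model return traffic, and all EPG and contract names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:
    protocol: str   # "tcp" or "udp"
    ports: range    # destination ports opened on the provider side

@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)  # names of contracts provided
    consumes: set = field(default_factory=set)  # names of contracts consumed

def permitted(src, dst, protocol, dport, contracts):
    """Decide whether a new flow from EPG src to EPG dst is allowed."""
    if src.name == dst.name:
        return True, "intra-EPG, implicitly permitted"
    # Inter-EPG traffic needs a contract that src consumes and dst provides.
    for name in sorted(src.consumes & dst.provides):
        for f in contracts[name]:
            if f.protocol == protocol and dport in f.ports:
                return True, "contract " + name
    return False, "no matching contract"

# Constructed sample policy (all names hypothetical).
ANY = range(0, 65536)
CONTRACTS = {
    "http": [Filter("tcp", range(80, 81))],
    "a-to-b": [Filter("tcp", ANY), Filter("udp", ANY)],
    "b-to-a": [Filter("tcp", ANY), Filter("udp", ANY)],
}
web = EPG("web", provides={"http"})
clients = EPG("clients", consumes={"http"})
# Full bidirectional case: each EPG consumes one contract and provides the other.
epg_a = EPG("epg-a", provides={"b-to-a"}, consumes={"a-to-b"})
epg_b = EPG("epg-b", provides={"a-to-b"}, consumes={"b-to-a"})

if __name__ == "__main__":
    for src, dst, proto, port in [
        (clients, web, "tcp", 80), (clients, web, "tcp", 22),
        (web, clients, "tcp", 80), (web, web, "tcp", 22),
        (epg_a, epg_b, "udp", 53), (epg_b, epg_a, "tcp", 443),
    ]:
        print(src.name, "->", dst.name, proto, port,
              permitted(src, dst, proto, port, CONTRACTS))
```

The denied cases are the ones to review when auditing a policy: anything not matched by a consumed and provided contract is dropped, so an unexpectedly permitted flow points to an over-broad filter or an extra provider or consumer relation.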