In this document I’m going to experiment with multiple app domain membership: a VM that belongs to more than one app domain.

If you are not familiar with the feature, please visit my previous blog on useg to get started:
Test Deployment
I have a small environment with two spokes (spoke30 and spoke40) where I deployed three test VMs:
- spoke30-useg-vm1
- spoke40-useg-vm1
- spoke40-useg-vm2

Each one has a tag with its own VM name.
App Domain “appdomain-blue”:

The two VMs match the logical OR condition and are correctly classified as belonging to “appdomain-blue”:

App Domain “appdomain-green”:

The two VMs match the logical OR condition and are correctly classified as belonging to “appdomain-green”:

The policies created for testing are represented on the diagram below:
- base policy denies all traffic
- icmp is allowed intra app-domain

The rules will look like:

Testing
Intra-blue flow:
- ping is allowed
- ssh is not

Intra-green flow:
- ping is allowed
- ssh is not
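
The classification and policy behaviour described above can be reproduced with a small model. This is an added example, not code from the original post or from the product: the membership of each app domain (with spoke40-useg-vm1 in both), the `Rule` structure and the first-match evaluation order are assumptions made for illustration.

```python
# Added illustration: a small model of tag-based app domains, not a product API.
from dataclasses import dataclass

# Constructed inventory: each VM carries one tag holding its own name.
VMS = {n: {"name": n} for n in
       ("spoke30-useg-vm1", "spoke40-useg-vm1", "spoke40-useg-vm2")}

# ASSUMPTION: membership below is constructed. Each domain is a logical OR
# of tag conditions, and spoke40-useg-vm1 matches both domains.
APP_DOMAINS = {
    "appdomain-blue": [("name", "spoke30-useg-vm1"), ("name", "spoke40-useg-vm1")],
    "appdomain-green": [("name", "spoke40-useg-vm1"), ("name", "spoke40-useg-vm2")],
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    action: str

# ASSUMPTION: first matching rule wins; the base deny-all sits last.
RULES = [
    Rule("appdomain-blue", "appdomain-blue", "icmp", "allow"),
    Rule("appdomain-green", "appdomain-green", "icmp", "allow"),
    Rule("any", "any", "any", "deny"),
]

def domains_of(vm):
    """Every app domain with at least one condition matching the VM's tags."""
    tags = VMS[vm]
    return {d for d, conds in APP_DOMAINS.items()
            if any(tags.get(k) == v for k, v in conds)}

def evaluate(src_vm, dst_vm, proto):
    """Return the action of the first rule matching source, destination and protocol."""
    src_d, dst_d = domains_of(src_vm), domains_of(dst_vm)
    for r in RULES:
        if (r.src in src_d | {"any"} and r.dst in dst_d | {"any"}
                and r.proto in (proto, "any")):
            return r.action
    return "deny"  # unreachable with the base rule present; kept as a safe default

if __name__ == "__main__":
    for s, d, p in [("spoke30-useg-vm1", "spoke40-useg-vm1", "icmp"),
                    ("spoke30-useg-vm1", "spoke40-useg-vm1", "tcp"),
                    ("spoke30-useg-vm1", "spoke40-useg-vm2", "icmp")]:
        print(f"{s} -> {d} {p}: {evaluate(s, d, p)}")
```

In this model the VM that sits in both domains can be pinged from either side, but it does not bridge them: a blue-only VM still cannot reach a green-only VM, because no rule lists that source and destination pair.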
