In this document I’m going to experiment with multiple app domain membership: a VM belongs to more than on app domain.
If you are not familiar with the feature, please visit my previous blog on useg to get started:
Test Deployment
I have a small environment with two spokes (spoke30 and spoke40) where I deployed three test VMs:
- spoke30-useg-vm1
- spoke40-useg-vm1
- spoke40-useg-vm2
Each one has a tag with its own VM name.
App Domain “appdomain-blue”:
The two VMs matches the logical OR condition and are correctly classified as belonging to the “appdomain-blue”:
App Domain “appdomain-green”:
The two VMs matches the logical OR condition and are correctly classified as belonging to the “appdomain-green”:
The policies created for testing are represented on the diagram below:
- base policy denies all traffic
- icmp is allowed intra app-domain
The rules will look like:
Testing
Intra-blue flow:
- ping is allowed
- ssh is not
Intra-green flow:
- ping is allowed
- ssh is not
