How are firewalls deployed in ACI?

In an ACI (Application Centric Infrastructure) environment, firewalls are primarily deployed using a Service Graph. This approach allows for the integration of various network services, including firewalls, in a streamlined manner. A Service Graph encapsulates the logical connectivity, defining how traffic flows between endpoints (EPGs) and which services (like firewalls) are to be applied to that traffic.

By using a Service Graph, you can define the service chain that dictates the order in which traffic passes through these services. This is particularly important in complex deployments where multiple services might be required for security, load balancing, or other network functions. The Service Graph provides a visual and logical representation of the service paths, making it easier to manage and orchestrate traffic through the firewall and other devices.

While APIC (Application Policy Infrastructure Controller) is indeed involved in the overarching management and policy enforcement within ACI, it is not the specific mechanism through which firewalls are directly deployed. Similarly, contracts define the communication rules between EPGs, but they do not directly implement the service chain for firewalls. Endpoint Groups (EPGs) themselves simply categorize endpoints for policy application but do not address the deployment of firewall services directly.