Endpoint groups are used to create a logical group of hosts or servers that perform similar functions within the fabric and that share similar policies. Each EPG created can have a unique monitoring policy or QoS policy and is associated with a bridge domain.
An EPG is a child object of the application profile, and an application profile can contain multiple endpoint groups. Every endpoint within an EPG is subject to the same policy in the fabric.
All of the endpoints inside an EPG can communicate with each other. Communication between EPGs is governed by contracts, not by traditional Layer 2/Layer 3 forwarding constructs. For example, Host A in EPG A can be on the same IP subnet as Host B in EPG B. In this case, they would not be allowed to communicate unless a contract that permitted connectivity existed between EPG A and EPG B.
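The following is an added example (not from the original text or from any Cisco tool) that models the decision just described: intra-EPG traffic is permitted, and inter-EPG traffic is permitted only when a contract with a matching filter exists, regardless of whether the hosts share a subnet. The Endpoint and Contract classes, the consumer-to-provider direction rule and the sample hosts are simplifying assumptions of this model.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    epg: str            # name of the EPG the endpoint belongs to

@dataclass(frozen=True)
class Contract:
    name: str
    provider_epg: str   # EPG that provides the contract
    consumer_epg: str   # EPG that consumes the contract
    filters: frozenset  # (protocol, destination port) pairs the contract permits

def same_subnet(a: Endpoint, b: Endpoint, prefix_len: int) -> bool:
    """Forwarding view: are both endpoints inside the same IP subnet?"""
    net = ipaddress.ip_network(f"{a.ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(b.ip) in net

def is_allowed(src: Endpoint, dst: Endpoint, proto: str, dport: int, contracts) -> bool:
    """Policy view: EPG membership and contracts decide, the subnet does not."""
    if src.epg == dst.epg:
        return True                      # intra-EPG traffic is open by default
    for c in contracts:                  # inter-EPG traffic needs a matching contract
        # simplified model: only consumer -> provider direction is evaluated
        if (c.consumer_epg == src.epg and c.provider_epg == dst.epg
                and (proto, dport) in c.filters):
            return True
    return False                         # no contract: dropped, even on one subnet

# Constructed sample: three hosts on one /24, split across two EPGs
HOST_A = Endpoint("Host A", "10.1.1.10", "EPG-A")
HOST_B = Endpoint("Host B", "10.1.1.20", "EPG-B")
HOST_C = Endpoint("Host C", "10.1.1.30", "EPG-A")
WEB_CONTRACT = Contract("web", provider_epg="EPG-B", consumer_epg="EPG-A",
                        filters=frozenset({("tcp", 443)}))

if __name__ == "__main__":
    print(same_subnet(HOST_A, HOST_B, 24))                          # True
    print(is_allowed(HOST_A, HOST_B, "tcp", 443, []))               # False: no contract
    print(is_allowed(HOST_A, HOST_B, "tcp", 443, [WEB_CONTRACT]))   # True: contract matches
    print(is_allowed(HOST_A, HOST_B, "tcp", 22, [WEB_CONTRACT]))    # False: filter mismatch
    print(is_allowed(HOST_A, HOST_C, "tcp", 22, []))                # True: same EPG
```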
Some types of endpoint groups within the fabric are not contained under application profiles, such as application endpoint groups, external bridge networks (also known as Layer 2 External), external routed networks (also known as Layer 3 External), and management endpoint groups. These EPGs might have special requirements; for example, in external bridge networks the MAC addresses of the endpoints are not learned by the leaf switches.
Endpoint groups are linked to bridge domains, but they receive a VLAN ID different from that of the bridge domain, unless the bridge domain is configured in legacy mode.
It is important to understand that a single subnet can be extended across several EPGs. Each EPG is identified by an encapsulation VLAN or VXLAN so that the same subnet uses different encapsulation IDs across the fabric. This concept is different from traditional networking.