Service Graph is a concept that enables you to insert Layer 4 through Layer 7 functions in ACI, redirecting traffic between security zones to a firewall or a load balancer, without the firewall or the load balancer having to be the default gateway for the servers.
In this way ACI can selectively send traffic to L4-L7 devices, with almost no modification to the existing routing and switching configuration, based on Policy Based Redirect (PBR). The approach that Service Graph introduces differs from the traditional service-insertion model, where the fabric configuration consisted only of physical connectivity for firewalls and load balancers that were simply treated as boxes outside the fabric; with ACI and Service Graph, security and load-balancing administrators can define their own policies using their vendor's management tool, integrated with ACI.
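To make the forwarding behaviour concrete, here is a small added model of what PBR does to a flow between two zones. It is constructed for this post and is not Cisco's implementation or the APIC object model: EPGs, subnets, the firewall's IP/MAC and the contracts are all made-up values. The point it shows is that every endpoint keeps the fabric's anycast gateway as its default gateway; only flows that match a contract subject with a redirect policy get their next-hop MAC rewritten to the firewall, in both directions, while other permitted flows are routed directly and unmatched flows are dropped as in any ACI whitelist model.

```python
"""Toy model of ACI-style Policy Based Redirect (PBR).

Constructed example for this post; names, subnets and MACs are assumptions,
and the logic is a simplification of what the leaf switch actually does.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp", "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class ServiceNode:
    """An L4-L7 device (here a firewall) in its own service bridge domain.
    The fabric only needs its IP and MAC to redirect traffic to it."""
    name: str
    ip: str
    mac: str


@dataclass(frozen=True)
class Contract:
    """A contract between a consumer and a provider EPG.  If `node` is set,
    the subject carries a PBR policy and matching flows are redirected."""
    consumer_epg: str
    provider_epg: str
    proto: str
    dst_port: Optional[int]          # None = any port
    node: Optional[ServiceNode] = None


class Fabric:
    def __init__(self, epg_subnets: dict, contracts: list):
        self.epg_subnets = {epg: ip_network(net) for epg, net in epg_subnets.items()}
        self.contracts = contracts

    def classify(self, ip: str) -> Optional[str]:
        """Map an endpoint IP to its EPG (security zone)."""
        addr = ip_address(ip)
        for epg, net in self.epg_subnets.items():
            if addr in net:
                return epg
        return None

    @staticmethod
    def _direction(c: Contract, pkt: Packet, src_epg: str, dst_epg: str) -> Optional[str]:
        """Return the matched direction, so return traffic of a redirected
        flow is also sent through the service node."""
        if pkt.proto != c.proto:
            return None
        if (src_epg, dst_epg) == (c.consumer_epg, c.provider_epg):
            if c.dst_port is None or pkt.dst_port == c.dst_port:
                return "consumer-to-provider"
        if (src_epg, dst_epg) == (c.provider_epg, c.consumer_epg):
            if c.dst_port is None or pkt.src_port == c.dst_port:
                return "provider-to-consumer"
        return None

    def forward(self, pkt: Packet) -> dict:
        """Decide what the fabric does with one packet."""
        src_epg, dst_epg = self.classify(pkt.src_ip), self.classify(pkt.dst_ip)
        if src_epg is None or dst_epg is None:
            return {"action": "drop", "reason": "unknown endpoint"}
        if src_epg == dst_epg:
            return {"action": "bridge"}            # intra-EPG needs no contract
        for c in self.contracts:
            direction = self._direction(c, pkt, src_epg, dst_epg)
            if direction is None:
                continue
            if c.node is None:
                # Plain permit: routed by the fabric's pervasive gateway.
                return {"action": "route", "via": "anycast-gateway"}
            # PBR: the leaf rewrites the next-hop MAC to the service node;
            # the servers' default gateway is untouched.
            return {"action": "redirect", "node": c.node.name,
                    "next_hop_mac": c.node.mac, "direction": direction}
        return {"action": "drop", "reason": "no contract"}


# Constructed sample topology (assumed values, not from the original post).
FW = ServiceNode("pan-fw", "10.1.99.10", "00:11:22:33:44:55")
FABRIC = Fabric(
    epg_subnets={"web": "10.1.1.0/24", "app": "10.1.2.0/24", "db": "10.1.3.0/24"},
    contracts=[
        Contract("web", "db", "tcp", 3306, node=FW),   # inspected by the firewall
        Contract("web", "app", "tcp", 8080),           # permitted, routed directly
    ],
)

if __name__ == "__main__":
    for p in (Packet("10.1.1.10", "10.1.3.20", "tcp", 40000, 3306),
              Packet("10.1.3.20", "10.1.1.10", "tcp", 3306, 40000),
              Packet("10.1.1.10", "10.1.2.20", "tcp", 40001, 8080),
              Packet("10.1.1.10", "10.1.3.20", "tcp", 40002, 22)):
        print(p.src_ip, "->", p.dst_ip, FABRIC.forward(p))
```

Running the script prints a redirect for the MySQL flow in both directions, a direct route for the web-to-app flow, and a drop for SSH to the database, which has no contract at all; that is the "selective" part of the paragraph above.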
…But… Let’s stop here!
Have a look at Service Graph with PBR, taking a Palo Alto firewall scenario as an example.