Is there any way to connect different tenants, via F5, to a shared common services network without put in communication the tenants each other?
The idea is in the picture below:
Thanks in advance!
you could create a route domain for each VRF and put the shared zone in the default (parent) domain. Keeping the "strict isolation" enabled avoids a VRF-VRF communication.
About strict isolation
You can control the forwarding of traffic across route domain boundaries by configuring the strict isolation feature of a route domain:
If strict isolation is enabled, the BIG-IP system allows traffic forwarding from that route domain to the specified parent route domain only. This is the default behavior. Note that for successful isolation, you must enable the strict isolation feature on both the child and the parent route domains.
If strict isolation is disabled, the BIG-IP system allows traffic forwarding from that route domain to any route domain on the system, without the need to define a parent-child relationship between route domains. Note that in this case, for successful forwarding, you must disable the strict isolation feature on both the forwarding route domain and the target route domain (that is, the route domain to which the traffic is being forwarded).