When considering how to bring a subnet from your legacy network into an ACI environment, you have a couple of options: using a normal EPG or an L2Out. Let's break down the use cases for each and address your questions.

Normal EPG:

If you want to use the subnet in the ACI fabric and allow communication between endpoints within the fabric, you can create a normal EPG with a Bridge Domain. This is the most straightforward option when your goal is to enable communication between endpoints within the ACI fabric.
L2Out:

L2Out is generally used when you want to extend your ACI fabric to communicate with devices or networks outside of the ACI fabric. This is particularly useful when you need to maintain connectivity with legacy networks or devices that are not part of the ACI fabric. L2Out allows you to connect ACI to an external Layer 2 network. It's typically used for scenarios where you need to stretch VLANs and maintain the same subnet between the ACI fabric and the external network. It can be used to maintain compatibility with existing devices in your legacy network.
L2Out is not typically used for internal communication within the ACI fabric, but rather for connectivity between the ACI fabric and external networks.
The purpose of L2Out is not to provide more granularity or security within the ACI fabric, but rather to facilitate communication between the ACI fabric and external Layer 2 networks that are not part of the ACI fabric.

Regarding your question about creating a contract between L2Outs: Contracts in ACI are used to define communication policies between EPGs. They are not used to define communication between L2Outs. L2Outs are meant to connect to external networks, and communication policies for these connections are often defined on the external devices themselves rather than within the ACI fabric

Ok, Seems that If I create a contract manually with one L2OUT as the Provider and another as the Consumer, I can make the two L2OUTs communicate with each other. But this seems shady haha.

Hi @BertiniB ,

I have a little more time now.

---

I am studying for ACI and I came across a situation. I have this subnet that currently only exists in my legacy network, so there are no current EPGs with Bridge Domains in such subnet. If I want to bring the gateway to ACI, would I create a normal EPG or a L2OUT?

Like I said before, create a normal Application EPG. EPGs are very flexible and easy to use. L2Outs are complicated and very restrictive - locked to a single VLAN

Is Layer 2 Out only used when extending already existing EPGs with the same subnet to a legacy L2 network?

No, there is NO use case for L2Out that can't be handled better by a normal Application EPG

I am struggling to see the purpose of L2OUT, some say it is useless others say it gives more granularity (security).

There is NO purpose for L2Outs - it is useless and no more secure than a normal EPG

EDIT: How would I create a contract between L2OUTs? I can`t get it to work.

Don't try. Stick with EPGs

Re @seonandla comments

"L2Out is generally used when you want to extend your ACI fabric to communicate with devices or networks outside of the ACI fabric. This is particularly useful when you need to maintain connectivity with legacy networks or devices that are not part of the ACI fabric."

I disagree that L2Outs are any more useful than regular EPGs.  You can configure a regular EPG to behave exactly like a L2Out, with the flexibility of future choice and not having to reconfigure your configuration when things change and another VLAN is required.

Thanks @RedNectar for the answer and kind words!

I marked your aswer as correct haha, since it has the correction regarding the VLAN statement. Thanks!

Hi, 

If you want to move a Legacy environment L3 subnet gateway to ACI but still some hosts will be left on legacy. Note- You need to perform it during maintenance.

1.) Create a L3 EPG in ACI with IP subnet need to be moved

2.) Add a physical domain to the EPG, Physical domain should be attached to a VLAN pool having same VLAN ID (Assume VLAN X) which need to be moved 

3.) Connect the legacy switch to ACI with redundant or single network connection

4.) Add a policy(policy A) to the physical port where legacy switch is connected

5.) Delete the L3 gateway from legacy switch

6.) Go to new EPG static binding, attach the policy A with Vlan "X"

7.) Configure port as trunk on legacy switch side so packet sent to ACI tagged with Vlan "X"

8.) Now hosts connected to legacy switches should be able to use IP gateway configured in ACI

9.) Once all the hosts moved from Legacy to ACI, you can delete the static binding from ACI.

I hope this helps !!