SDA VRF

CiscoIPMAN
Level 1

We are starting to implement SDA where I work and one of the engineers mentioned a "general VRF" to support different customers. Does anyone else have a config of a single VRF for multiple customers? Do they run separate VNs? It seems to me to defeat the purpose of a VRF. I am new to SDA so any clarification on the topic would help.

9 Replies

Hi

The definition of VRF in SDA is exactly the same as for a legacy network. It continues to represent an isolated virtual routing table inside the fabric switch. For "general VRF" the engineer must be referring to the global routing table.

(Attachment: glocal_routing_table.JPG)

Thank you Flavio. Does the VN make up the VRF? Could I have a VRF with multiple VNs associated?


Thanks

VN and VRF have different meanings. If the VN is a Layer 3 VN, then yes, you can attach it to a VRF, and yes, you can have multiple L3 VNs on the same VRF, but you can also have a Layer 2 VN. In this case, you don't have a VRF.

A VN would be more like a VLAN. A VRF is the same VRF as always.


Thank you Flavio. One last question. If I can place multiple L3 VNs on the same VRF, are security and same addressing not going to work?


Example is Customer A does not want Customer B to be able to see their network traffic and both customer A and B use the address space of 10.10.10.0/24.

For an environment with multiple customers, the solution must be different VRFs. This way you can have the same address for different customers and they cannot see each other's traffic.

DNAC will not allow creating two subnet/pools with the same or overlapping subnet under the same VRF. The device itself would reject the command.

In DNAC 2.3.3.x (around July 2022), the overlapping feature support is added, but that only allows deploying the same subnet into different VRFs, which are already segmented by VRF-lite.


If Customer A and Customer B are using the same IP pool, meaning that only a single 10.10.10.0/24 subnet exists and both make use of it, but you want to restrict their traffic, you can use micro-segmentation/SGT rules to deny that traffic.

Thank you Jalejand,

If I have a single VRF and multiple address pools could I segment customer traffic using SGT rules?

Customer A VRF1 with 10.10.10.0/24 and Customer B VRF1 with 10.20.20.0/24 and not allow Customer A to reach Customer B? Or just better to create another VRF?

This is exactly what we do for one of our SDA customers. The customer supports a large number of third parties that install their own equipment throughout the network. Each third party requires communication between their own equipment and internet-only access. Instead of creating a new VN per third party, we place them all in the same VN (named managed_internet), each with a different IP pool and VLAN (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, etc.), and use SGTs to ensure that the third parties cannot communicate with each other within the fabric. The VN itself hands off outside of the fabric to a firewall which provides the internet access.


We could have created a dedicated VN per third party; however, that would have introduced additional overhead in configuration and management that just was not needed (creating the new VN, border handoff, external routing, etc.). To add a new third party, all the customer needs to do is create and provision a new IP pool and SGT. This is a key use case for micro-segmentation and one of the reasons that the customer chose Cisco SDA.
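The two design rules discussed in this thread (overlapping pools are only legal across VRFs, and pools sharing one VN/VRF are isolated only by SGT policy) can be checked before provisioning. The following is an added example written for this reply, not code from Cisco or DNAC; the pool prefixes, SGT numbers and the policy matrix are constructed, and a fourth pool is deliberately left without deny rules to show the gap such a check catches.

```python
import ipaddress
from itertools import combinations

# Constructed sample design (not from the thread): one VN/VRF "managed_internet"
# carrying several third-party pools, each with its own hypothetical SGT. A second
# VRF reuses 192.168.1.0/24, which is fine because the VRFs are routed separately.
POOLS = {
    "managed_internet": [("192.168.1.0/24", 10), ("192.168.2.0/24", 20),
                         ("192.168.3.0/24", 30), ("192.168.4.0/24", 40)],
    "customer_b": [("192.168.1.0/24", 50)],
}

# SGT policy matrix: (source SGT, destination SGT) -> action. Anything not listed
# falls through to DEFAULT_ACTION. SGT 40 was added without its deny rules.
SGT_POLICY = {(10, 20): "deny", (20, 10): "deny", (10, 30): "deny", (30, 10): "deny",
              (20, 30): "deny", (30, 20): "deny"}
DEFAULT_ACTION = "permit"


def overlapping_pools(pools):
    """Return (vrf, a, b) for each pair of pools in the SAME VRF that overlap.
    Mirrors the DNAC constraint: overlap across different VRFs is not reported."""
    clashes = []
    for vrf, entries in pools.items():
        nets = [ipaddress.ip_network(prefix) for prefix, _ in entries]
        for a, b in combinations(nets, 2):
            if a.overlaps(b):
                clashes.append((vrf, str(a), str(b)))
    return clashes


def sgt_decision(src_sgt, dst_sgt, policy=SGT_POLICY, default=DEFAULT_ACTION):
    """Look up the action for one SGT pair, applying the matrix default."""
    return policy.get((src_sgt, dst_sgt), default)


def unisolated_pairs(pools, vrf, policy=SGT_POLICY, default=DEFAULT_ACTION):
    """Within one VRF, list ordered SGT pairs that can still reach each other.
    With a permit-by-default matrix this exposes a pool provisioned without rules."""
    tags = [sgt for _, sgt in pools[vrf]]
    return sorted((s, d) for s in tags for d in tags
                  if s != d and sgt_decision(s, d, policy, default) == "permit")


if __name__ == "__main__":
    print("overlaps:", overlapping_pools(POOLS))
    print("still reachable in managed_internet:", unisolated_pairs(POOLS, "managed_internet"))
```

Running it reports no overlaps but lists every pair involving SGT 40, which is exactly the case a new third party provisioned without its SGT rules would produce.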

Thank you wetherman and everyone else who responded. Gave points all around!!