As per the configuration guide of ACI 5.0(x), the Endpoint Security Groups (ESGs) are a new security component in ACI. It will not replace the endpoint groups (EPGs) which are already here to group a set of endpoints, but to add a new layer of segmentation.
EPGs are associated to a single bridge domain (BD) and used to define security zones within a BD. EPGs define both forwarding and security segmentation at the same time. The direct relationship between the BD and an EPG limits the possibility of an EPG to spanning more than one BD.This limitation of EPGs is resolved by using the new ESG constructs because it will allow the relationship between endpoints from multiple BD / EPGs (but limited to a single VRF).
