Cisco SD-Access uses virtual networks (VNs) as macro-segmentation boundaries, and each VN is represented as a VRF instance in the fabric. By design, separate VNs do not communicate directly inside the overlay unless the design deliberately introduces controlled inter-VN routing. Cisco SD-Access designs commonly use an external fusion router, firewall, or shared-services device to map the fabric VNs to external VRFs and selectively exchange routes between them. That is the correct design because it preserves segmentation while allowing policy-controlled access to shared resources or selected networks. GRE tunnels between fabric edges are not the normal SD-Access inter-VN communication method and would bypass the intended fabric policy model. Security Group Tags (SGTs) provide microsegmentation within or across policy domains, but SGTs do not by themselves leak routes between separate virtual networks. Route leaking on the fabric border nodes is not the recommended standalone answer here because inter-VN communication is normally provided through a fusion device or firewall outside the fabric. Therefore, the correct solution is external fusion routing with controlled VRF route exchange.
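As an added example, not taken from the page or from Cisco documentation, this is the fusion-router side of that design on an IOS-XE device: the fabric VNs arrive as VRFs over per-VRF eBGP from the border nodes, and route-targets plus an import map restrict each VN to the shared-services prefixes only. VRF names, route distinguishers, prefixes, AS numbers and neighbor addresses are constructed values.

```cisco
! Constructed example (not from the page): IOS-XE fusion router.
! Fabric VNs CAMPUS and GUEST reach this box as VRFs over per-VRF eBGP
! from the fabric border nodes. Only SHARED_SERVICES prefixes are leaked
! into each VN; CAMPUS and GUEST never import each other's route-target.
vrf definition CAMPUS
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:900
  import map SHARED-ONLY
 exit-address-family
!
vrf definition GUEST
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  route-target import 65000:900
  import map SHARED-ONLY
 exit-address-family
!
vrf definition SHARED_SERVICES
 rd 65000:900
 address-family ipv4
  route-target export 65000:900
  route-target import 65000:100
  route-target import 65000:200
 exit-address-family
!
! The VNs accept only the DNS/DHCP/AD subnet (constructed prefix), not
! every route that happens to carry the shared-services route-target.
ip prefix-list SHARED-PFX seq 10 permit 10.90.0.0/24
route-map SHARED-ONLY permit 10
 match ip address prefix-list SHARED-PFX
!
! BGP carries the VRF routes; route-target import/export is evaluated here.
! Border-node neighbor addresses and AS numbers are placeholders.
router bgp 65000
 address-family ipv4 vrf CAMPUS
  neighbor 10.1.0.1 remote-as 65001
  neighbor 10.1.0.1 activate
 exit-address-family
 address-family ipv4 vrf GUEST
  neighbor 10.2.0.1 remote-as 65001
  neighbor 10.2.0.1 activate
 exit-address-family
 address-family ipv4 vrf SHARED_SERVICES
  redistribute connected
 exit-address-family
```

Verify the result with `show ip route vrf CAMPUS` and `show ip route vrf GUEST`: each should contain 10.90.0.0/24 but no prefixes from the other VN, which is the segmentation property the design is meant to keep.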