The main purpose of a virtual network is to enable a data center or service provider network to provision the most suitable and efficient networking structure for the applications it hosts – and to alter that structure as conditions warrant, using software rather than requiring physical changes in connections to hardware. The ability to virtualize workloads (applications) and to transport them across network infrastructure with minimal service degradation gave rise to the first cloud architectures.
Software and Hardware Disaggregation
Using virtual networking techniques, it has become feasible to rapidly construct logical networks that are decoupled from physical servers or networking hardware, enabling the orchestration of digital workloads across this logical space. This is also known as disaggregation, where the function of networking software is decoupled from proprietary hardware and can be deployed on any standard, commodity hardware.
The principal functions of a physical network, from the perspective of any application residing on the host, involve switches and routers at Layers 2 and 3 of the Open Systems Interconnection (OSI) model, and load balancers and firewalls at Layers 4 through 7. A virtual network adapter or network interface card (NIC, although typically no longer a “card” in the sense of form factor) serves as the gateway between the server (virtual or physical) and the network.
With a virtual network, some or all of these functions are accomplished in software. For example, a virtual switch commonly contains all the packet forwarding logic found in a physical switch, but implemented as software running on the host. That logic performs the same forwarding operations: it looks up the destination address of a frame in its forwarding table and sends the frame out the port that leads toward it. Breaking these functions free from their one-to-one association with fixed hardware addresses and physical ports is one example of the virtualization principle of decoupling.
Classes of Virtual Networks
The most common network virtualization schemes can fall under one of the following classes:
- In a virtual private network (VPN), each packet from a private address space is encapsulated inside an outer packet whose headers carry the routing information the public network needs to deliver it to the far end of the tunnel. The inner addresses are meaningful only within that private space; each endpoint keeps its own routing table for it and strips the outer headers on arrival. What makes the network private is not the forwarding tables but the encryption and integrity protection applied to the encapsulated packet (IPsec is the classic example), so intermediate networks see only the outer headers. Technically, this is a virtualization of a network, although it has a much narrower scope and scale than the virtual networks used to stage hypervisor-hosted and containerized workloads.
- For a virtual LAN (VLAN, pictured above, courtesy Cisco), a single physical switch is partitioned into several logical switches: each port is assigned to a VLAN, and on links between switches (trunks) each Ethernet frame carries an IEEE 802.1Q tag holding its 12-bit VLAN ID, which limits a network to 4094 VLANs. Devices in the same VLAN share one Layer 2 broadcast domain and can communicate with one another without routing; devices in different VLANs cannot reach each other at Layer 2, even when they are plugged into the same switch. Traffic between VLANs must pass through a Layer 3 device, either a router or a Layer 3 (multilayer) switch, which is also the natural place to enforce access control between them. The tag itself is just a field in the frame and carries no authentication, so the isolation is only as strong as the switch configuration that assigns and strips tags.
- With a virtual extensible LAN (VXLAN, pictured above, courtesy Arista), the Layer 3 infrastructure is used to carry Layer 2 traffic: each Ethernet frame is encapsulated in a UDP datagram (destination port 4789) whose outer IP header routes it across the data center, so a single Layer 2 segment can span many physical Layer 3 networks (inverting the usual layering, in which Layer 3 runs over Layer 2). The VXLAN header carries a 24-bit VXLAN Network Identifier (VNI) that plays the role the VLAN ID plays in 802.1Q, but allows some 16 million segments rather than 4094. Virtual switches (vSwitches) in the hypervisors serve as VXLAN tunnel endpoints (VTEPs), encapsulating frames as they leave a VM's virtual NIC and decapsulating frames that arrive on the host's physical NIC; a VXLAN gateway (physical or virtual) forwards between VXLAN segments and non-VXLAN networks. As opposed to dividing a network into subnets, a VXLAN overlay can span an entire data center, so a workload keeps its Layer 2 identity wherever it is placed and can be moved between hosts without renumbering. With VXLAN, the job of forwarding packets between hypervisors is reduced to its simplest form: a direct route through the overlay between two VTEPs, chosen according to the needs and the state of the underlying network at the time. Note that the VXLAN header carries no authentication or encryption of its own: the VNI is the only thing separating tenants, so the VTEPs must be trusted and the underlay must be protected (for example with IPsec) when it is not physically isolated.
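To make the two encapsulations concrete, here is an added Python example (not code from the original article, nor from Cisco or Arista) that builds an 802.1Q-tagged Ethernet frame, wraps it in a VXLAN header and UDP segment the way a sending VTEP would, and decapsulates it on the far side with the one check a receiving VTEP must make: the VNI is the only field separating tenants and is not authenticated, so a VTEP delivers only frames for VNIs it has been provisioned to serve. Field layouts and constants come from IEEE 802.1Q and RFC 7348; the MAC addresses, VLAN ID 100, VNI 5001, the IPv4 payload fragment and the choice of hashing the first 14 bytes for the outer source port are constructed for the illustration.

```python
"""Worked example: an 802.1Q VLAN tag and a VXLAN encapsulation on the wire,
plus the VNI check a VTEP makes before delivering a decapsulated frame.
Added illustration; every packet below is constructed, not captured."""
import struct
import zlib

# Field sizes and constants from IEEE 802.1Q and RFC 7348.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VXLAN_UDP_PORT = 4789            # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08              # "I" bit: the VNI field is valid
MAX_VLAN_ID = 4094               # 12-bit VID; 0 and 4095 are reserved
MAX_VNI = (1 << 24) - 1          # 24-bit VNI: 16,777,215 segments


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_vlan_frame(dst, src, vlan_id, pcp, ethertype, payload):
    """Ethernet frame with an 802.1Q tag inserted after the source MAC.
    TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)."""
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError(f"VLAN ID {vlan_id} outside 1..{MAX_VLAN_ID}")
    tci = (pcp << 13) | vlan_id
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    return mac(dst) + mac(src) + tag + payload


def parse_vlan_frame(frame):
    """Return (vlan_id or None if untagged, inner EtherType, payload)."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype, frame[14:]
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner_type, frame[18:]


def vtep_encapsulate(vni, inner_frame):
    """Wrap a whole Ethernet frame in UDP + VXLAN. The outer IP header is
    added by the host stack on transmission, so it is omitted here.
    VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} outside 0..{MAX_VNI}")
    vxlan = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    # RFC 7348: the source port is a hash of the inner headers so that ECMP
    # in the Layer 3 underlay spreads flows; hashing the 14-byte Ethernet
    # header is this example's choice. The destination port is fixed.
    src_port = 49152 + (zlib.crc32(inner_frame[:14]) & 0x3FFF)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero checksum is allowed over IPv4
    return udp + vxlan + inner_frame


def vtep_decapsulate(udp_segment, provisioned_vnis):
    """What a receiving VTEP does: validate the headers, then deliver the
    inner frame only if the VNI is one this VTEP serves. The VNI is the only
    thing separating tenants and the header carries no authentication, so a
    VTEP must never forward a frame for a VNI it was not provisioned for."""
    _, dst_port, length, _ = struct.unpack_from("!HHHH", udp_segment, 0)
    if dst_port != VXLAN_UDP_PORT or length != len(udp_segment):
        raise ValueError("not a well-formed VXLAN UDP segment")
    word0, word1 = struct.unpack_from("!II", udp_segment, 8)
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag clear: RFC 7348 says drop the packet")
    vni = word1 >> 8
    if vni not in provisioned_vnis:
        raise PermissionError(f"VNI {vni} is not provisioned on this VTEP")
    return vni, udp_segment[16:]


def demo():
    """Constructed traffic: a tenant broadcast frame on VLAN 100, carried
    across the underlay in VNI 5001. A VTEP serving only VNI 5002 drops it."""
    payload = bytes.fromhex("4500001c000100004011")  # first bytes of an IPv4 header
    frame = build_vlan_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                             vlan_id=100, pcp=0, ethertype=ETHERTYPE_IPV4,
                             payload=payload)
    packet = vtep_encapsulate(5001, frame)
    vni, inner = vtep_decapsulate(packet, provisioned_vnis={5001})
    try:
        vtep_decapsulate(packet, provisioned_vnis={5002})
        dropped = False
    except PermissionError:
        dropped = True
    return {
        "vlan": parse_vlan_frame(inner),       # (100, 0x0800, payload)
        "vni": vni,                            # 5001
        "inner_matches": inner == frame,       # encapsulation is lossless
        "dropped_by_wrong_vtep": dropped,      # True
        "scale": (MAX_VLAN_ID, MAX_VNI),       # (4094, 16777215)
    }


if __name__ == "__main__":
    print(demo())
```

The decapsulation check is the practical point: nothing in the VXLAN header proves who sent it, so a host that can inject UDP/4789 into the underlay can claim any VNI, and the only defences are restricting which VTEPs may reach which VNIs, filtering port 4789 at the underlay edge, and encrypting the underlay where it crosses untrusted segments.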
Virtual Network Environments
The graph of a virtual network is usually drawn as bridging a span between two physical sets of addresses. For a VPN, this span is referred to as a tunnel: encapsulated packets whose inner addresses belong to the private space travel across it. For a VXLAN used in a VM or containerization environment, where virtualized devices (vSwitches acting as VTEPs) form the two ends of the span, it's called a virtual overlay, and the physical network beneath it is the underlay.
In a Linux container environment, each container is mapped to some unique network reference. By default, in Docker, a container is attached to the host's bridge network (docker0), receives a private IP address on that bridge's subnet, and is reachable from outside the host only through ports that are explicitly published, that is, mapped from a host port to a container port. Through the use of a network overlay such as Weave or Docker's own overlay driver (itself built on VXLAN), or with a virtualized service platform, each container can instead be given a full IP address on a network that spans hosts, so containers on different machines address one another directly without port mapping. This method enables networks to stage multiple workloads, especially microservices, and scale them dynamically as necessary.