Virtual networking enables a data center to provision the most suitable and efficient routing structure for cloud applications and to alter the network configuration as conditions warrant, using software-based management. The capability to virtualize networks, workloads, and applications and then move them across network infrastructure gave rise to the first cloud architectures.
As virtual networking has evolved, it has become feasible to rapidly construct logical networks that are decoupled from physical servers and orchestrate workloads across this logical space. This way, virtual networks can extend beyond the boundaries of a physical network. There are other benefits, as well, such as the flexibility and automation that can be achieved with software-based management of the network.
Disaggregating Hardware and Software
One of the key approaches of virtual networking is that it disaggregates the networking functions from hardware, into software. Some of the functions of a physical network, from the perspective of any application residing on the host, involve switches and routers at Layers 2 and 3 of the Open Systems Interconnection (OSI) model, or Layer 4 through Layer 7 functions such as load balancers and firewalls. A virtual network adapter or network interface card (NIC, although typically no longer a “card” in the sense of form factor) serves as the Layer 2 gateway between the server (virtual or physical) and the network.
Using virtual networking, some or all of these functions may be substituted with software. For example, a virtual switch commonly contains all the packet forwarding logic found in a physical switch, represented as software. That logic performs the packet forwarding operations: looking up the address of a packet’s destination and sending the packet in that direction. Breaking physical devices free from this one-to-one association with hardened addresses and endpoints is one example of the virtualization principle of decoupling.
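The forwarding logic described above, written out as an added example (not code from the original article): a minimal software switch that learns source MAC addresses per VLAN, forwards known unicast to a single port, floods unknown unicast and broadcast only within the ingress port’s VLAN, and caps the size of its forwarding table so a flood of new addresses cannot push it into forwarding everything everywhere. Port numbers, VLAN assignments and the MAC addresses are constructed for illustration.

```python
"""Minimal software (virtual) switch: per-VLAN MAC learning and forwarding.

Added example, not code from the original article. Ports are modelled as
access ports (each port belongs to exactly one VLAN); port numbers, VLAN IDs
and MAC addresses used in the sample are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str


@dataclass
class VirtualSwitch:
    # port number -> VLAN ID the port belongs to (constructed access-port model)
    port_vlan: dict[int, int]
    # Upper bound on learned entries. A hardware switch's table is finite too;
    # when it fills, the defensive choice is to stop learning, not to start
    # flooding traffic that was previously delivered to a single port.
    max_entries: int = 1024
    # forwarding database: (vlan, mac) -> port
    fdb: dict[tuple[int, str], int] = field(default_factory=dict)

    def learn(self, vlan: int, mac: str, port: int) -> bool:
        """Record that `mac` was seen on `port` in `vlan`.

        Returns False when the table is full and the entry was not added.
        """
        key = (vlan, mac.lower())
        if key in self.fdb:
            self.fdb[key] = port          # station moved: update the entry
            return True
        if len(self.fdb) >= self.max_entries:
            return False
        self.fdb[key] = port
        return True

    def forward(self, frame: Frame, in_port: int) -> list[int]:
        """Return the sorted list of egress ports for a frame arriving on `in_port`.

        The VLAN is taken from the ingress port, so a station can never inject
        traffic into another VLAN: flooding is limited to ports in the same VLAN,
        and lookups are keyed by VLAN as well as MAC.
        """
        vlan = self.port_vlan[in_port]
        self.learn(vlan, frame.src_mac, in_port)

        out = self.fdb.get((vlan, frame.dst_mac.lower()))
        if frame.dst_mac.lower() == BROADCAST or out is None:
            # Broadcast or unknown unicast: flood within the VLAN, never back
            # out of the ingress port.
            return sorted(p for p, v in self.port_vlan.items()
                          if v == vlan and p != in_port)
        if out == in_port:
            return []                      # destination is on the ingress segment
        return [out]


if __name__ == "__main__":
    # Constructed sample: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20.
    sw = VirtualSwitch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20})
    print(sw.forward(Frame("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"), 1))  # unknown: flood -> [2]
    print(sw.forward(Frame("bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa"), 2))  # learned -> [1]
    print(sw.forward(Frame("cc:cc:cc:cc:cc:cc", "aa:aa:aa:aa:aa:aa"), 3))  # other VLAN -> [4], never [1]
```

The third call is the point of the VLAN keying: the MAC `aa:…` is known on port 1, but port 3 is in VLAN 20, so the lookup misses and the frame is flooded only to port 4. Reaching VLAN 10 from VLAN 20 would require a router, exactly as the article states for VLAN domains.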
Classes of Virtual Networking
The most common network virtualization schemes typically fall under one of the following classes:
In a virtual private network, data is attached to packet headers that carry routing information corresponding to a locally relevant address space. Each host in that space maintains its own local port forwarding table. These special instructions help form a tunnel of addresses, which may only be traversed by means of these extra packet headers. The data may also be encrypted. In this way, a VPN produces a virtual address space that becomes private by way of how the forwarding tables connect their address points.
For a virtual LAN (pictured above, courtesy Cisco), a network switch may be subdivided into a set of virtual port addresses; a device (physical or virtual) may be subdivided into a set of MAC addresses; or a subnet may be subdivided into separate domains of local IP addresses and associated ports. Within a VLAN domain, devices can communicate with one another without the use of routing. These devices are said to reside within a collision domain, where it’s conceivable they may receive the same packet more than once. Special switches are required to mediate between networks where multiple VLANs are deployed, where they serve as VLAN routers.
With virtual extensible LAN (pictured above, courtesy Arista), Layer 3 infrastructure is co-opted to provide a mechanism for tunneling across multiple Layer 2 networks. Virtual switches (vSwitches) serve as virtual tunnel endpoints (VTEPs) between NICs, and a device called a base case (physical or virtual) may route packets between VTEPs. As opposed to dividing networks into subnets, a VXLAN may virtualize an entire data center, ostensibly to create new and more efficient routes for the sake of running applications. It’s this class of virtual network that’s used by overlay networks for Docker, such as Weave. With VXLAN, the job of forwarding packets between hypervisors is reduced to its simplest form: building a direct route through the network overlay, and forwarding packets along that route according to the needs and the situation of the network at the time.
Virtual Networking Scales Beyond the VLAN
The graph of a virtual network is usually shown as bridging a span between two physical sets of addresses. For a VPN, this span is referred to as a tunnel, composed of re-mapped addresses. For a VXLAN used in a VM or containerization environment, where virtualized devices make up the span, it’s called a virtual overlay.
One of the main advantages of new SDN-based virtual overlay networking systems is that protocols such as VXLAN do not have the limitations of traditional VLANs, which are limited to 4096 VLAN identifiers. Modern SDN platforms and networking overlays are designed to scale to many more devices – in some cases, millions.
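To make the VLAN and VXLAN classes above, and the scaling point in this section, concrete, here is an added example (not code from the original article) that decodes an 802.1Q-tagged Ethernet frame and walks a VXLAN-encapsulated packet from the outer Ethernet header through IPv4 and UDP to the inner frame. The header layouts follow IEEE 802.1Q and RFC 7348; the MAC addresses, IP addresses, VLAN ID and VNI in the sample are constructed for illustration. The 12-bit VLAN ID and 24-bit VNI fields are where the 4096 versus millions figures come from.

```python
"""Decode 802.1Q-tagged frames and VXLAN-encapsulated packets.

Added example, not code from the original article. Field layouts follow
IEEE 802.1Q and RFC 7348; all addresses and identifiers in the constructed
sample below are made up for illustration.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_UDP_PORT = 4789            # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08      # the "I" flag in the VXLAN header

VLAN_ID_SPACE = 1 << 12          # 4096 possible VLAN IDs (two are reserved)
VNI_SPACE = 1 << 24              # ~16.7 million possible VXLAN segments


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame: bytes) -> dict:
    """Parse an Ethernet header, consuming a single 802.1Q tag if present."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF       # low 12 bits of the TCI are the VLAN ID
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype,
            "vlan_id": vlan_id, "payload": frame[offset:]}


def parse_vxlan(frame: bytes) -> dict:
    """Walk outer Ethernet -> IPv4 -> UDP -> VXLAN -> inner Ethernet.

    Raises ValueError when the packet is not a well-formed VXLAN packet, so a
    caller (a VTEP, or a sensor watching UDP/4789) can drop or log it.
    """
    outer = parse_ethernet(frame)
    if outer["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = outer["payload"]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp = ip[ihl:]
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN (UDP dst port {dport})")
    vx = udp[8:16]
    if not vx[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(vx[4:7], "big")   # 24-bit VXLAN Network Identifier
    return {"outer_src_ip": ".".join(map(str, ip[12:16])),
            "outer_dst_ip": ".".join(map(str, ip[16:20])),
            "vni": vni,
            "inner": parse_ethernet(udp[16:ulen])}


# --- builders used only to construct the sample packet -----------------------
def build_8021q_frame(dst: bytes, src: bytes, vlan_id: int, ethertype: int, payload: bytes) -> bytes:
    tci = vlan_id & 0x0FFF                  # PCP=0, DEI=0, VID=vlan_id
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def build_vxlan_frame(outer_dst: bytes, outer_src: bytes, src_ip: bytes, dst_ip: bytes,
                      vni: int, inner: bytes) -> bytes:
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0) + vxlan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     IPPROTO_UDP, 0, src_ip, dst_ip) + udp
    return outer_dst + outer_src + struct.pack("!H", ETHERTYPE_IPV4) + ip


# Constructed sample: an ARP frame on VLAN 100, carried inside VXLAN segment 5001
# between two (made-up) VTEP addresses 10.0.0.1 and 10.0.0.2.
SAMPLE_INNER = build_8021q_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("0a0000000001"),
                                 100, 0x0806, b"\x00" * 28)
SAMPLE_VXLAN = build_vxlan_frame(bytes.fromhex("020000000002"), bytes.fromhex("020000000001"),
                                 bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 5001, SAMPLE_INNER)

if __name__ == "__main__":
    decoded = parse_vxlan(SAMPLE_VXLAN)
    print(f"VNI {decoded['vni']} from {decoded['outer_src_ip']} to {decoded['outer_dst_ip']}, "
          f"inner VLAN {decoded['inner']['vlan_id']}, inner ethertype {decoded['inner']['ethertype']:#06x}")
```

Two things worth noting from a defender’s side. The VXLAN header carries no authentication, so `parse_vxlan` accepting a packet says nothing about who sent it; a VTEP should only accept UDP/4789 from its configured peer VTEPs, and VXLAN arriving from any other source is worth alerting on. And because the inner frame may itself carry an 802.1Q tag, a decoder that only looks at the outer header will misreport which segment the traffic belongs to; the parser above returns both the VNI and the inner VLAN ID so policy can be applied to the right one.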