August 28, 2019 By Frank Chodacki

Exploring virtual networking architecture and the many benefits it provides users and organizations.

It can be costly for organizations to build their own physical infrastructure, so many are now implementing a virtual infrastructure where they can access enterprise-grade servers and applications via the cloud. However, in order to set up their virtualized environment, they must first set up a virtual networking solution to operate.

In this video, I’m going to map out what a virtual networking architecture looks like and explain the many benefits it provides users, such as the ability to interconnect between VMs, virtual servers, and other related components in a virtualized computing environment.

Video Transcript

What is virtual networking?

Hello, my name’s Frank Chodacki. I’m part of the IBM Cloud team, and I’m here to explain the basics of virtual networking.

Virtual networking is primarily used for cloud—that’s why it’s important to at least understand the basics. 

So we’re gonna start off with a couple of concepts within this video that’ll explain what are the key components to any given virtual infrastructure, specifically with regards to virtual networking.

So, we’re gonna start off with two concepts, really: we have the physical underlay, and we’ll talk about that first, and then we have the virtual overlay.

The physical underlay

So, let’s start off by talking about the underlay.

The underlay is really just the physical infrastructure—it’s computers, it’s physical switches, physical routers, it’s just with some specific software to be able to enable the virtual network, which we call the overlay. 

So, let’s start off by talking about the underlay, and some of these concepts we’ll talk about really lend themselves to both the underlay and the overlay.

The fabric

So, first off, with regards to the underlay, we have something called a fabric.

So what is the fabric? The fabric is actually all of the physical components required to run, let’s say, a single instance of a virtual networking environment or infrastructure. So, if we have our three servers and a router that we have down here in our physical underlay, really, anything outside of that would really constitute the fabric. 

Now there’s some variance in this, and as you get in more advanced topics, you’ll find out the fabric can extend to lots of things, but for the basics, let’s just say it’s the physical infrastructure that actually runs your virtual networking infrastructure.

TEP: Tunneling end point

And within that, we have something called a TEP. What is a TEP?

A TEP stands for tunneling end point. Okay, a tunneling end point—and let’s just draw it here, got our TEP here, TEP here, and a TEP here.

A tunneling end point is the point at which a virtual network actually touches the physical network when it’s going between the devices that actually comprise the fabric. So, when a virtual network goes across physical devices, it actually needs to be encapsulated.

Think about those Russian dolls, you know, you open it up and there’s another doll—it’s kind of the same concept. When it goes on to the physical wire, it’s the little doll inside the big doll. The big doll goes across and then when it hits the next server, you open it up and the little doll goes to the virtual network, right? So, it’s encapsulation. Pretty basic terms, right, so tunneling end point.

Physical routers and bridges

The next thing we’ll talk about is routing. And this could be virtual routers, but at this level, let’s talk about physical routers and bridges. These will appear both in virtual and physical layers because they bridge both.

So, a router—in this case, this router here in the physical environment—is really the embark, disembark, egress, ingress (and more networking terms) of where the physical network touches and gets into the virtual network.

So, this could be one interface that touches a physical network, and the other interface is in the virtual network, which we will describe in a minute.

So, it’s essential. If you didn’t have this, you’d basically just have a snow globe where everything could talk to each other but they couldn’t get out. So, it’s essential that we have routers and bridges running at (or at least part of running in) the physical layer.

So, I also like to call the physical layer a big dumb pipe. So, basically, a network that doesn’t really have much intelligence it just connects everything together. The intelligence we’re gonna talk about is actually in the overlay.

The virtual overlay 

And the overlay is the virtual.

So, the virtual layer is actually where I can be very prescriptive about the networking, the firewalls—I can have much diversity within the topology on top of what is a big dumb pipe. I can put all the intelligence in the virtual network, and I can have many of these duplicated on the same physical infrastructure.

So, let’s talk about some concepts within the virtual network. 


Within the virtual network, we have segments.

So, what is the segment? A segment is really just a layer-2 network on its own.

So, it would be the equivalent to having a switch here and a switch here. If they’re not connected, or maybe they’re connected by a router, those are segments.

Transport zone

The next concept is a transport zone.

So, transport zone is a collection of segments, and what does that mean? Well, I may not want my virtual fabric up here—maybe I only want it to go across these two hosts, but not that host.

So, a transport zone is a way to limit which of those segments and this fabric of what physical devices making up the physical fabric—what devices they can actually run across.

Routers and bridges

And then we have our old friend routers and bridges.

So again, routers and bridges would really be the virtual point. We could also—within the fabric, we could have a pure virtual router.

So, if I wanted to route between different segments and not really traverse out of the virtual network, I have a purely virtual router and then I can uplink to a physical router, which allows us to de-encapsulate the packet (remember our friend TEP over here which is a doll inside of a doll). Now I can de-encapsulate the packet and allow it to traverse out on to the physical network to get to the internet, or another site, etc., etc.


And then, actually, there’s one more concept which is called micro-segmentation. Micro-segmentation—what is that? Well that means I can firewall—because all of this is really running on top of another operating system which is down here in the physical layer—means I can insert all kinds of services in the network fabric that makes up the overlay.

And so, one of those things can be a firewall. So I can firewall traffic between VMs on the same segment if I wanted to.

So, it’s akin to having a physical switch port where every physical computer you plug into that port is firewalled off from every other port. You can configure exactly what type of traffic you want to traverse across your fabric.

And there you have it—those are the basics of a virtual network.
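
The encapsulation at a TEP and the transport-zone limit described in the transcript can be sketched in code. This is an added example, not from the video or from any IBM product: it assumes VXLAN (RFC 7348) as the encapsulation, which the video does not name, and the host names, zone names and segment IDs are constructed. It shows why the receiving TEP must check the segment ID itself: on the shared underlay, that field is the only thing keeping one segment's traffic apart from another's.

```python
import struct

# VXLAN header (RFC 7348): flags(8) | reserved(24) | VNI(24) | reserved(8).
# The outer Ethernet/IP/UDP headers are left to the host network stack.
_HDR = struct.Struct("!B3xI")
FLAG_VNI_VALID = 0x08

# Constructed topology: each transport zone lists its segments (as VNIs)
# and the hosts whose TEPs are allowed to carry them.
TRANSPORT_ZONES = {
    "tz-app": {"segments": {5001, 5002}, "hosts": {"host-a", "host-b"}},
    "tz-dmz": {"segments": {6001}, "hosts": {"host-c"}},
}

class TransportZoneError(Exception):
    """The segment is not permitted on this host's TEP."""

def segments_for(host):
    """Union of segments from every transport zone the host belongs to."""
    allowed = set()
    for zone in TRANSPORT_ZONES.values():
        if host in zone["hosts"]:
            allowed |= zone["segments"]
    return allowed

def encapsulate(host, vni, inner_frame):
    """Sending TEP: put the inner frame (little doll) inside a VXLAN header."""
    if vni not in segments_for(host):
        raise TransportZoneError(f"{host} may not send on segment {vni}")
    return _HDR.pack(FLAG_VNI_VALID, vni << 8) + inner_frame

def decapsulate(host, outer_payload):
    """Receiving TEP: validate the header, then hand back (vni, inner frame)."""
    if len(outer_payload) < _HDR.size:
        raise ValueError("truncated VXLAN header")
    flags, word = _HDR.unpack_from(outer_payload)
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    vni = word >> 8
    if vni not in segments_for(host):
        # Drop instead of delivering into a segment this host must not carry.
        raise TransportZoneError(f"{host} may not receive segment {vni}")
    return vni, outer_payload[_HDR.size:]

if __name__ == "__main__":
    frame = b"\xaa" * 14 + b"constructed inner Ethernet frame"
    wire = encapsulate("host-a", 5001, frame)
    print(decapsulate("host-b", wire)[0])      # same transport zone: delivered
    try:
        decapsulate("host-c", wire)            # outside the zone: dropped
    except TransportZoneError as err:
        print("dropped:", err)
```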
