In situations where you are using both the Overlay Network for encrypted cloud traffic and the Cloud underlay VLAN for access to cloud services or devices that don't require end-to-end encryption (e.g. AWS ELB), understanding the interface path is key to success.

If the same interfaces are not used for response traffic like TCP, packets will be lost and connections will fail.

There are two options for combining Overlay and Underlay Networks in a single topology. (Overlay Network: VNS3 encrypted VLAN, Underlay Network: AWS VPC, Azure VNET, etc.)

VNS3 as the Gateway to the Underlay
This option provides a route on each Overlay Network cloud server that instructs all traffic destined for the the underlay network to pass through the VNS3 controller.

  • Scenario:
    VNS3 is receiving traffic from the cloud VLAN underlay network (e.g. VPC VLAN Subnet) that needs to pass through to the Overlay Network cloud servers and responses need to be passed back through VNS3 to the cloud VLAN underlay network.

    ELB <--- AWS VLC Underlay ---> VNS3 <--- VNS3 Overlay ---> Overlay Cloud Servers


    The Overlay Network cloud servers don't have access to the Underlay network via their primary network interface. This can be the result of running a "sealed" Overlay network where no traffic is allowed out of the primary interface or the Overlay network servers are running in a VLAN underlay segment that doesn't have routes/access to the VLAN underlay you are trying to reach.

  • Solution:
    In order for the Overlay Network cloud servers to communicate with the cloud VLAN underlay network through the correct response path, a route needs to be added to VNS3.

    From the VNS3 Route page, add a Route Advertisement so the Overlay Network clients know the path to the VLAN underlay network is through the VNS3 controller on the Overlay interface.

    Also a route needs to be added in the cloud route tables so the VLAN underlay network knows the route to the Overlay Network is through the VNS3 controller.

  • Advantages:
    All traffic passing through the VNS3 controller is managed by the VNS3 firewall and can be configured to be passed through a WAF or NIDS VNS3 controller. All traffic between the VNS3 controller and Overlay connected servers is encrypted.


Direct communication to Underlay via Underlay interface
This option keeps the underlay traffic on the cloud server's underlay network interface and Overlay traffic on the cloud server's overlay network interface.

  • Scenario:
    Cloud deployment has servers running in the same or connected VLAN underlay networks with some using the Overlay and others just running on the encrypted VLAN. Overlay and underlay network servers need to communicate with each other.

  • Solution:
    Allow traffic on the underlay network so all servers can communicate with each other via primary network interface.

  • Advantage:
    Simple solution that utilizes the cloud provided unencrypted underlay network.


As always, our enablement and onboarding teams are available to help you realize your aspirational cloud deployment topology.