VNS3 can do things that cloud providers' networks, like the Amazon VPC, can’t do.
Many of our customers already use VNS3 to augment the capabilities of AWS VPC (or stand in for their absence at other service providers).
The biggest reasons to use a VNS3 overlay network are: full encryption, multicast support, and region/cloud federation.
Within a cloud network, individual virtual machines (VMs) are connected over a private part of the cloud provider's switched network. The traffic on that network may be hidden from the public internet, but it is visible to the cloud provider. Within a VNS3 overlay network, all traffic moves through encrypted tunnels.
Here are 10 reasons to use an overlay:
Limit access to your cipher suites and keys
Are you really happy to share your pre-shared keys (PSKs) with a third-party service provider? And if your industry regulations or internal policies require additional encryption algorithms, an overlay network lets you use AES-256 or 3DES in addition to AWS VPC's AES-128.
Connect availability zones, regions, and other clouds
Using an overlay network, VNS3 subnets can span across availability zones, regions, and even into different clouds such as Azure, IBM, and private clouds.
In Amazon, VPCs are limited within a region (and subnets are tied to a specific availability zone). If you want VPC-like functionality in another cloud, you have to use an overlay network.
Multicast (and other neglected protocols)
Most public clouds do not support multicast, meaning applications that rely on multicast for discovery and messaging (e.g. various types of grid middleware and pub/sub messaging) don't work in the cloud.
VNS3 overlay networks enable multicast in the cloud and allow you to connect to enterprise multicast networks. VNS3 uses generic routing encapsulation (GRE) to carry other protocols out of the data center and into the cloud.
Connect subnets and IPsec endpoints that are using the same IP range
What do you do if everyone is using the default network subnet? VNS3 overlay networks can map network address ranges, so you can still connect to customers or partners who might have picked the default.
This also applies to IPsec endpoints, so you can connect to multiple parties that use the same IP ranges on their internal networks.
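The address-range mapping described above is a 1:1 (netmap-style) translation: each peer that uses the same internal prefix is given its own, non-overlapping local alias prefix, and addresses are rewritten in both directions by preserving the host offset within the prefix. The following is an added illustration of that idea written for this page; it is not VNS3 code, and the peer names and prefixes are constructed sample values.

```python
import ipaddress


class OverlapNatMapper:
    """1:1 prefix translation so several peers that all use the same internal
    prefix can be reached through distinct local alias prefixes.

    Constructed example, not VNS3's implementation: each peer maps one remote
    prefix onto one equally sized local prefix, and translation keeps the host
    offset within the prefix (host .10 stays host .10)."""

    def __init__(self):
        # peer name -> (remote network as the peer sees it, local alias network)
        self._peers = {}

    def add_peer(self, name, remote_cidr, local_cidr):
        remote = ipaddress.ip_network(remote_cidr, strict=True)
        local = ipaddress.ip_network(local_cidr, strict=True)
        if remote.prefixlen != local.prefixlen:
            raise ValueError("remote and local prefixes must be the same size for 1:1 mapping")
        # The local alias prefixes are what must not collide; the remote prefixes
        # are allowed to be identical across peers (that is the whole point).
        for other, (_, other_local) in self._peers.items():
            if local.overlaps(other_local):
                raise ValueError(f"local prefix {local} overlaps peer {other}'s {other_local}")
        self._peers[name] = (remote, local)

    def to_remote(self, local_ip):
        """Outbound: local alias address -> (peer name, address the peer actually uses)."""
        ip = ipaddress.ip_address(local_ip)
        for name, (remote, local) in self._peers.items():
            if ip in local:
                offset = int(ip) - int(local.network_address)
                return name, str(ipaddress.ip_address(int(remote.network_address) + offset))
        raise KeyError(f"{local_ip} is not inside any mapped local prefix")

    def to_local(self, name, remote_ip):
        """Inbound: a named peer's real address -> our local alias for it."""
        remote, local = self._peers[name]
        ip = ipaddress.ip_address(remote_ip)
        if ip not in remote:
            raise KeyError(f"{remote_ip} is not inside {name}'s mapped remote prefix {remote}")
        offset = int(ip) - int(remote.network_address)
        return str(ipaddress.ip_address(int(local.network_address) + offset))


def demo():
    """Two partners both picked the default 192.168.1.0/24 (constructed values)."""
    mapper = OverlapNatMapper()
    mapper.add_peer("partner_a", "192.168.1.0/24", "172.16.1.0/24")
    mapper.add_peer("partner_b", "192.168.1.0/24", "172.16.2.0/24")
    return {
        # Traffic we send to 172.16.2.10 is really for partner_b's 192.168.1.10
        "outbound": mapper.to_remote("172.16.2.10"),
        # Traffic arriving from partner_a's 192.168.1.10 is seen locally as 172.16.1.10
        "inbound": mapper.to_local("partner_a", "192.168.1.10"),
    }


if __name__ == "__main__":
    print(demo())
```

The check in `add_peer` is the part worth copying: the remote side may collide as often as it likes, but the local alias prefixes are the namespace you own, and an overlap there would make return traffic ambiguous.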
Multiple IPsec tunnels
Cloud providers allow you to connect to a corporate network through one edge device. Using a VNS3 overlay network allows you to connect and route to multiple edge devices, regardless of region.
Connect your VPN gateway to more than one network
Once you assign a public IP to a remote endpoint, you cannot use that public IP again in that region. You can assign another IP at the gateway end, but that's extra cost and hassle.
Connect with partners and customers who want to use IPsec over NAT-T
Most cloud providers only support native IPsec. VNS3 overlay networks can deal with either native IPsec or IPsec with network address translation traversal (NAT-T). You can even use multiple VNS3 Controllers to enable native IPsec alongside NAT-T.
Monitor your network separate from the provider
VNS3 overlays support SNMP, and you can also dump traffic from the network interfaces for additional logging and debugging.
Added reliability without performance sacrifices
Because you control the overlay network, you can ensure your network is up and running without relying on your provider to troubleshoot. An overlay network's virtual network abstractions give you the same operational interfaces as a physical network, only more complete.
In a real-life example, a major telco's cloud-based customers were having repeated connectivity problems. All but a handful had recurring issues with connectivity and uptime. It turned out that the handful not having issues were running VNS3.
Watch a visual walk-through of an overlay network using VNS3.