Ctrl+Alt+Route

Modern networks are more dynamic than ever. Between cloud adoption, virtualization, SD-WAN, and distributed applications, organizations rely heavily on technologies that sit on top of their physical infrastructure. But behind every modern overlay, there’s still a physical foundation powering it.

That foundation is the underlay network, and the virtualized layer built above it is the overlay network. Both are essential, but they solve very different problems.

What Is an Underlay Network?

The underlay is the physical, tangible network, the switches, routers, firewalls, cables, fiber, and transport services that move packets from point A to point B. It’s the foundation everything else relies on.

How It Works

Underlay networks operate at OSI Layers 1–3 and use standard routing and switching protocols to forward traffic:

• IP routing with OSPF, IS-IS, or BGP
• Ethernet switching
• Transport technologies such as MPLS, DWDM, and private optical services

The underlay decides how packets flow physically across the network.

Key Characteristics

• Hardware-centric – Changes often require touching physical infrastructure.
• High performance and reliability – Optimized for low latency, predictable throughput, and stable connectivity.
• Limited flexibility – Scaling or segmenting often requires new gear or manual redesign.
• Foundation for everything else – The overlay can’t perform well if the underlay is weak.

What Is an Overlay Network?

An overlay network is a virtual network that sits on top of the underlay. It does not replace the physical network, instead, it uses software to create logical topologies, tunnels, and abstractions that the physical network alone can’t provide.

How It Works

Overlays use encapsulation to wrap traffic inside another protocol before sending it across the underlay. Common encapsulation methods include:

• VXLAN (Commonly found in data centers)
• GRE
• IPsec (commonly used in SD-WAN)

These tunnels allow the overlay to create virtual segments, enforce policy, and add intelligence without modifying the physical network.

Key Characteristics

• Software-driven – Changes happen through control-plane software or orchestration tools.
• Highly flexible and scalable – New segments, sites, and policies can be deployed quickly.
• Supports overlapping IP spaces – Ideal for multi-tenant or large distributed environments.
• Built-in intelligence – Often includes QoS, encryption, security policies, and traffic steering.
• Decoupled from physical constraints – You can build dozens of virtual networks on the same hardware.

If you’ve ever created a VPN, segmented a network using VXLAN, or deployed SD-WAN, you’ve worked with overlays.

Underlay vs Overlay: Side-by-Side Comparison

Feature	Underlay Network	Overlay Network
Definition	Physical infrastructure (switches, routers, cables).	Virtual network built on top of the underlay.
Main Function	Provides basic connectivity and packet forwarding.	Adds segmentation, security, traffic steering, and policy control.
Key Technologies	OSPF, BGP, MPLS, DWDM, Ethernet.	VXLAN, GRE, IPsec, SD-WAN, VPN.
Flexibility	Low — physical changes needed.	High — software-defined and dynamic.
Scalability	Limited by hardware.	Highly scalable for multi-tenant and cloud environments.
Security	Mostly physical controls.	Encryption, DDoS protection, microsegmentation.
Use Cases	Backbone, data center, and enterprise physical networks.	Cloud networking, virtual fabrics, SD-WAN, VPNs.
Management	Managed through physical NMS tools.	Managed through SDN controllers or orchestration platforms.

How the Two Work Together

Despite the hype around overlays, neither exists without the other:

• The underlay delivers raw connectivity, speed, reliability, and packet transport.
• The overlay adds intelligence, segmentation, policy, automation, and security.

A strong overlay requires a stable, predictable, and well-designed underlay.

Think of it like a highway system (underlay) with GPS navigation and traffic management (overlay). One provides the infrastructure; the other provides intelligence and control.