“Traditional networking is crumbling under the weight of today’s hyperconnected world. The future lies in networking as software—where agility, security, and scalability are embedded in code.”
Mike Gorman, NetFoundry CISO & Head of Operations
Every enterprise network was designed for a world that no longer exists. It assumed your applications lived in one data center, your users connected from inside one building, and your perimeter firewall could draw a clean line between ‘trusted’ and ‘untrusted.’
None of that holds anymore. Workloads span multiple clouds. Employees and contractors connect from everywhere. APIs, IoT devices, and AI agents now need access to resources that traditional network architecture was never built to secure without exposing everything around them.
The result is a familiar bind: organizations either leave inbound ports open and hope their firewall rules are airtight, or they bolt on VPN after VPN until the network becomes too brittle and complex to operate safely. Neither approach scales, and both create exactly the kind of attack surface that Zero Trust architecture exists to eliminate.
Overlay networking is the alternative—and it’s quickly becoming the default way enterprises build secure, scalable connectivity without ripping out what’s already in place. But not every overlay network is built the same way, and the difference matters once you move past a handful of connections to real enterprise scale.
What Is Overlay Networking?
An overlay network is a logical network built on top of an existing physical (or ‘underlay’) network. Instead of relying on physical proximity or hardwired connections, overlay networks use software to define how traffic flows between endpoints—making it possible to connect resources across clouds, data centers, edge devices, and remote users as if they were on the same private network.
Key Takeaway: Overlay networking decouples logical connectivity from physical infrastructure. When paired with identity-based access controls and Zero Trust principles, it eliminates the need for open inbound ports, static firewall rules, and the operational overhead that makes traditional networks brittle.
Overlay networking is not new. Two familiar examples illustrate the concept:
- VXLAN (Virtual Extensible LAN): Used in large data centers to virtualize connectivity across physical racks, enabling faster and more flexible resource provisioning.
- VPNs (Virtual Private Networks): The most widely recognized overlay technology. VPNs allow logical connections to traverse multiple network nodes and public networks to securely link users and resources.
Both approaches share a core purpose: decoupling logical network connectivity from the physical layer, so organizations can extend their network capabilities without managing access controls at every individual node or link.
Why Overlay Networking Matters Today
As infrastructure moved to the cloud (and then to multi-cloud, edge, and IoT environments), the limitations of physical networking became impossible to ignore. Today, organizations face:
- Cloud and hybrid architectures that span multiple providers with no shared physical infrastructure
- IoT and IIoT deployments that place devices deep inside third-party and operational networks
- Edge computing requirements that demand connectivity in environments where IT has limited control
- Third-party and partner access needs that introduce significant security risk when managed with traditional VPNs or firewall rules
Overlay networking addresses these challenges by treating the underlying physical network as pure infrastructure, the same way you treat electricity. You don’t reconfigure the power grid every time you add a new device to your office; you just plug it in, and the grid handles delivery. Overlay networking works on the same principle: define what needs to connect in software, and let the physical network underneath handle the routing. No manual ACL updates. No reconfiguring switches. No worrying about what’s physically between point A and point B.
Overlay Networking and Zero Trust
Overlay networking is also the enabling infrastructure for Zero Trust Network Access (ZTNA). Zero Trust’s core principle—never trust, always verify—requires the ability to:
- Microsegment: Restrict connectivity between any two endpoints to only what’s required for a specific interaction
- Authenticate continuously: Verify identity at every connection attempt, not just at login
- Authorize dynamically: Apply policy in real time based on identity, device posture, and context
- Monitor everything: Capture detailed usage data for anomaly detection and forensic investigation
When an overlay network is built with strong identity and policy controls, it becomes the connectivity layer that makes Zero Trust architecture real, instead of just a framework on a whiteboard.
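The four requirements above can be made concrete as a policy evaluator. The following is an added example written for this article, not NetFoundry or OpenZiti code: a simplified attribute-based model in which an identity holds roles and posture, a service policy names the roles allowed to dial it, and every dial attempt is re-evaluated. The role names, posture fields, policy shape and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Identity:
    name: str
    roles: FrozenSet[str]       # attributes assigned at enrolment (constructed, e.g. "#ot-engineers")
    cert_valid: bool            # X.509 identity certificate valid and not revoked
    mfa_at: Optional[datetime]  # last successful MFA, None if never completed
    os_patched: bool            # device posture reported by the endpoint agent

@dataclass(frozen=True)
class ServicePolicy:
    service: str
    identity_roles: FrozenSet[str]           # roles permitted to dial this service
    mfa_max_age: Optional[timedelta] = None  # posture check: MFA must be this recent
    require_patched: bool = False            # posture check: device must be patched

def visible_services(identity: Identity, policies: List[ServicePolicy]) -> Set[str]:
    """Microsegmentation: an identity can only discover services a policy grants to its roles."""
    if not identity.cert_valid:
        return set()
    return {p.service for p in policies if p.identity_roles & identity.roles}

def authorize(identity: Identity, policies: List[ServicePolicy],
              service: str, now: datetime) -> Tuple[bool, str]:
    """Dynamic authorization on every dial attempt; the reason is what a failed circuit would log."""
    if not identity.cert_valid:
        return False, "identity-unauthenticated"
    matched = [p for p in policies if p.service == service and p.identity_roles & identity.roles]
    if not matched:
        return False, "service-not-visible"   # unknown and forbidden services look identical
    reason = "allowed"
    for p in matched:                         # any one granting policy with passing posture suffices
        if p.mfa_max_age and (identity.mfa_at is None or now - identity.mfa_at > p.mfa_max_age):
            reason = "posture-mfa-stale"
        elif p.require_patched and not identity.os_patched:
            reason = "posture-unpatched"
        else:
            return True, "allowed"
    return False, reason

# Constructed sample policies and identities (not real NetFoundry configuration).
POLICIES = [
    ServicePolicy("plc-gateway", frozenset({"#ot-engineers"}), timedelta(hours=8), True),
    ServicePolicy("billing-api", frozenset({"#finance", "#finance-contractors"}), timedelta(hours=1)),
    ServicePolicy("llm-inference", frozenset({"#ai-workloads"})),
]
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
ENGINEER = Identity("alice", frozenset({"#ot-engineers"}), True, NOW - timedelta(hours=2), True)
CONTRACTOR = Identity("bob", frozenset({"#finance-contractors"}), True, NOW - timedelta(hours=3), True)
REVOKED = Identity("mallory", frozenset({"#ot-engineers"}), False, NOW, True)
```

Note that a revoked certificate sees no services at all, and an identity with the right role but stale MFA is refused at dial time even though it authenticated earlier.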
Where Most Overlay Networks Fail at Scale
The rise of Zero Trust has produced a wave of overlay networking solutions. Most of them work, up to a point. The problems appear as the number of connections grows and day-to-day operation becomes the real workload.
Traditional overlay topologies rely on point-to-point connection models: VPN tunnels, GRE connections, IPsec links. Managing a handful is straightforward; managing hundreds or thousands is a different problem entirely. Teams end up:
- Manually maintaining ACLs and subnet routing tables across dozens of devices
- Operating without meaningful visibility into connection failures or traffic anomalies
- Relying on high-value engineering staff to perform routine network operations
- Accepting reduced reliability as complexity increases
These aren’t edge cases; they’re the predictable failure modes of any overlay architecture that wasn’t designed to be managed at enterprise scale. The basic connectivity requirement may still be met, but at very high cost and risk.
This is the gap NetFoundry was built to close. Our approach, rooted in an Identity-First Reachability™ model, treats operability as a first-class requirement, not an afterthought.
The FCAPS Model: A Production-Grade Overlay Network
The ISO’s Fault, Configuration, Accounting, Performance, and Security (FCAPS) framework defines what a production-class network management system must provide, and is a useful lens for evaluating any overlay networking solution. Here’s how NetFoundry Cloud addresses each dimension.
Fault
NetFoundry’s control layer continuously collects and emits events from every component of the network—controllers, routers, links, and sessions. Every connection attempt (called a fabric circuit) is logged as a success or failure with details on the failure type. This provides real-time fault detection and the forensic data needed to resolve issues quickly.
Configuration
The NetFoundry console provides a web-based interface for configuring policies, service definitions, and identity attributes, without requiring CLI access or manual text configuration. Integrations with IAM systems like Active Directory enable automated identity provisioning. All console functionality is also available via RESTful APIs for custom integrations.
Accounting
NetFoundry captures per-minute utilization data at the identity-to-service level. Because identities are cryptographically secured, this data supports not just usage accounting but nonrepudiation—a verifiable record of who accessed what, and when.
Performance
Every connection attempt is logged with success/failure status and categorized failure causes, enabling rapid troubleshooting. Data can be sliced by service, node, or link, and aggregated into views that provide insight into network performance trends and optimization opportunities.
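The Fault, Accounting and Performance sections above describe the same underlying record: one event per circuit attempt, tagged with identity, service, node and outcome. As an added example, not NetFoundry telemetry or code, the script below aggregates a constructed batch of such events into per-minute identity-to-service utilization, failure causes sliced by service or router, and a simple anomaly check; the field names and sample values are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample circuit events as JSON lines (field names are assumptions,
# not a real NetFoundry schema). One record per connection attempt.
EVENTS = """\
{"ts":"2025-01-15T09:00:12Z","identity":"alice","service":"plc-gateway","router":"r-edge-1","ok":true,"bytes":48210}
{"ts":"2025-01-15T09:00:41Z","identity":"alice","service":"plc-gateway","router":"r-edge-1","ok":true,"bytes":10300}
{"ts":"2025-01-15T09:01:05Z","identity":"bob","service":"billing-api","router":"r-cloud-2","ok":false,"cause":"posture-mfa-stale"}
{"ts":"2025-01-15T09:01:09Z","identity":"bob","service":"billing-api","router":"r-cloud-2","ok":false,"cause":"posture-mfa-stale"}
{"ts":"2025-01-15T09:01:30Z","identity":"svc-agent","service":"llm-inference","router":"r-cloud-2","ok":true,"bytes":2048000}
{"ts":"2025-01-15T09:01:44Z","identity":"eve","service":"plc-gateway","router":"r-edge-1","ok":false,"cause":"service-not-visible"}
{"ts":"2025-01-15T09:01:50Z","identity":"eve","service":"billing-api","router":"r-edge-1","ok":false,"cause":"service-not-visible"}
{"ts":"2025-01-15T09:01:58Z","identity":"eve","service":"llm-inference","router":"r-edge-1","ok":false,"cause":"service-not-visible"}
"""

def parse(lines: str) -> list:
    """Parse JSON-lines circuit events, skipping blank lines."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]

def per_minute_utilization(events: list) -> Counter:
    """Accounting: bytes per (minute, identity, service). Identity names come from
    certificate-backed identities, so each row is attributable to one principal."""
    usage = Counter()
    for e in events:
        if e["ok"]:
            usage[(e["ts"][:16], e["identity"], e["service"])] += e["bytes"]
    return usage

def failures_by(events: list, key: str) -> dict:
    """Fault/performance: categorized failure causes sliced by 'service', 'router' or 'identity'."""
    out = defaultdict(Counter)
    for e in events:
        if not e["ok"]:
            out[e[key]][e["cause"]] += 1
    return out

def identities_hitting_dark_services(events: list, threshold: int = 3) -> list:
    """Anomaly: an authenticated identity failing against several distinct services it
    cannot see is worth a look, since legitimate clients only dial what they are granted."""
    seen = defaultdict(set)
    for e in events:
        if not e["ok"] and e["cause"] == "service-not-visible":
            seen[e["identity"]].add(e["service"])
    return sorted(i for i, s in seen.items() if len(s) >= threshold)
```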
Security
Security is embedded in the NetFoundry architecture from the ground up.
- Identities are cryptographically secured using X.509 certificates
- Each connection is dynamically and ephemerally encrypted end-to-end
- Traffic traversing the fabric is doubly encrypted, once per-circuit and again per-link
- All connections use mutual TLS (mTLS), with both sides verifying the other’s identity
- Services are completely invisible to unauthorized identities
- Optional: MFA, security posture checks, and PKCS#11 hardware token support
NetFoundry: Production-Class Overlay Networking as a Service
NetFoundry Cloud is a Network-as-a-Service (NaaS) built on the NetFoundry Platform (and its open-source foundation, OpenZiti). It delivers all the FCAPS capabilities above with additional enhancements for enterprise reliability, SLA-backed operations, and simplified management.
The platform treats the underlay network—whatever physical or cloud infrastructure exists underneath—as a utility. NetFoundry’s overlay sits on top, applying identity-based access controls in real time, with no requirement to open inbound firewall ports or reconfigure existing network infrastructure.
Key Platform Capabilities
- No open inbound ports: Services are dark to unauthorized traffic. Connectivity is initiated from the identity outward, not exposed inbound.
- Application-embedded Zero Trust: NetFoundry SDKs (available in multiple languages) allow Zero Trust connectivity to be embedded directly into applications and devices—not bolted on at the network layer.
- Flexible deployment: Available as fully managed NaaS (NetFoundry Cloud), hybrid, or on-premise. Organizations can start with a single use case and expand incrementally.
- OpenZiti-compatible: The underlying Ziti architecture is fully open source. Applications built on OpenZiti run on any Ziti network, including NetFoundry Cloud.
For organizations beginning a Zero Trust journey, NetFoundry recommends starting with the highest-value use case (typically securing a critical API, an OT network, or an AI workload) and expanding from there. See use cases for examples across IT/OT, API security, and AI agent connectivity.
See Overlay Networking in Action
NetFoundry Cloud can be running in minutes with no firewall changes, no open ports, and no infrastructure disruption. Start with your highest-priority use case and see what production-class Zero Trust connectivity looks like in your environment.
Frequently Asked Questions
NetFoundry describes overlay networking as a software layer that sits on top of your existing physical network infrastructure. Instead of managing physical cables, switches, and routers, an overlay network lets you define connectivity in software, connecting any two endpoints securely, regardless of where they are physically located or what infrastructure sits between them.
VPNs are a type of overlay network; they create a logical tunnel between two points over a public network. But they rely on static configurations, open inbound ports, and network-level access (once you’re in, you can reach everything on the network). NetFoundry’s overlay network takes a more advanced approach: identity-based, application-level access with no inbound ports, no static tunnels, and zero standing access between endpoints.
NetFoundry’s overlay network is the connectivity layer that makes Zero Trust operational. Our platform enforces the Zero Trust principles of continuous verification, least-privilege access, and microsegmentation at the network level, so unauthorized endpoints can’t discover or reach services, even if they’re on the same underlay network. Learn more: Identity-First Reachability™
NetFoundry uses the ISO’s FCAPS framework—Fault, Configuration, Accounting, Performance, Security—as a benchmark for production-grade network management. Most overlay solutions address basic connectivity but fall short on operability: they don’t provide real-time fault detection, granular usage accounting, or the security telemetry needed to run a network reliably at scale. NetFoundry Cloud is built to satisfy all five FCAPS requirements out of the box.
NetFoundry is designed to coexist with—and gradually replace—existing VPN infrastructure. We recommend starting with a specific high-value use case (a critical API, a remote OT site, an AI deployment) and expanding NetFoundry’s overlay incrementally. This avoids disruptive rip-and-replace transitions while delivering immediate security improvements. See NetFoundry vs. VPNs for a detailed comparison.
