VIRTUAL NETWORKING ARCHITECTURE

Overlay models, distributed switching, and security policy — where hypervisor decisions become network consequences

SPECIALIZATION TRACK — NETWORKING ARCHITECTURE

• Track Discipline: How the network layer is created, governed, and migrated across hypervisor platforms — the software-defined overlay stack and the policy models that govern it.
• Primary Architectural Tension: Overlay flexibility vs. operational complexity — every abstraction layer that simplifies provisioning adds a failure domain that operations must own and a policy boundary that migrations must translate.
• Architectural Boundary: This Track does not govern physical underlay design, routing protocol selection, or WAN architecture — those disciplines live in the Modern Infrastructure & IaC path. This Track governs the overlay: where enforcement happens, who owns the intent, and what breaks when the model changes.
• Domain Path Relationship: Deepens Stage 03 (Storage & Network Architecture) and Stage 04 (Deterministic Platform Operations) of the Virtualization Architecture Path — both stages treat networking at breadth; this Track provides the depth those stages assume.
• Who This Track Is For: You’re mid-migration and your network reachability issues aren’t compute or storage — they’re policy translation artifacts from moving a network-centric security model into a platform that enforces security by workload identity, not by topology.
• Architectural Failure Signal: Workloads remain reachable but policy intent no longer matches enforcement reality — segmentation boundaries exist in configuration but not in behaviour.

>_ WHY THIS TRACK EXISTS

Virtual networking architecture has a hidden dependency that most platform migrations ignore: every overlay model is a policy distribution system, and policy is not platform-neutral. When the overlay changes — vDS to OVS, NSX-T to Flow, or any cross-platform transition — the Policy Translation Boundary (#108) becomes the point where network security policy ceases to be portable, because the destination platform expresses segmentation, traffic control, and identity through a fundamentally different architectural model than the source. The boundary is invisible during migration validation because connectivity survives. Security intent does not. The Virtualization Architecture Path covers network integration across Stages 03 and 04, but breadth-level coverage cannot resolve the philosophical difference between network-centric and workload-centric enforcement models, or prepare an architect for the governance consequences of overlay state during live migration. This Track provides the architectural depth to design, migrate, and operate virtual networking across hypervisor transitions — with the Policy Translation Boundary as the diagnostic lens that makes silent failures visible before they become production incidents.

WHAT THIS TRACK IS NOT

NETWORKING ARCHITECTURE — READING SCOPE

Virtual Networking Is Policy Distribution, Not Transport

Virtual networking in enterprise platforms isn’t switching — it’s policy distribution. Every platform decision (vDS, OVS, NSX, Flow) is a decision about where enforcement happens and who owns intent. These articles establish the execution model across the three major platform architectures: the vSphere distributed switching model, the AHV/OVS integrated stack, and the Stage 03 Domain Path integration that connects networking to storage at the overlay layer. The discipline framework — what makes the overlay a governance system rather than a transport layer — follows in Cluster 02. Read this cluster first if the distinction between enforcement location and policy intent is not yet operational in your decision-making.

Where Overlay Design Decisions Become Policy Translation Problems

This is the architectural core of the Track. The Policy Translation Boundary (#108) is the point where network policy ceases to be portable — not because the rules cannot be re-expressed, but because the destination platform enforces segmentation through a different model than the source. NSX-T attaches security policy to network constructs: IP sets, security tags, port groups, DFW rules tied to topology. Nutanix Flow attaches policy to workload identity: VM categories, attributes, application tiers. Moving from one to the other is not a firewall rule export — it is a philosophy migration. Connectivity survives the boundary. Security intent does not. These three articles establish the translation mechanics, the policy migration sequencing, and the cross-platform context for the Modern Infrastructure networking layer where these decisions propagate.

Where Virtual Networking Failures Hide Until Production

Virtual networking failures rarely appear as network outages. They emerge as policy-enforcement mismatches where reachability, segmentation, and observability diverge from architectural intent — often days or weeks after cutover, when a lateral movement event or compliance audit reveals the gap. The most common source is vDS feature dependency blindness: teams spend years building port mirroring configurations, private VLANs, and NetFlow collection inside vCenter without inventorying those dependencies before migration. When they move to AHV’s OVS architecture, those constructs don’t translate — and the operational tools built on them break on Day 1. These two articles cover the Day 2 network failure landscape from both angles: the immediate post-migration reachability failures and the AHV operational networking model that replaces the constructs teams relied on.

The Physical Constraints That Software-Defined Overlays Cannot Abstract Away

Software-defined overlays abstract the physical layer — but they do not eliminate it. MTU mismatches, LACP configuration errors, and jumbo frame assumptions inherited from the source environment become silent performance constraints after migration, concentrating on high-throughput VMs where storage and network traffic compete on the same physical uplinks. The deeper constraint is fabric-level: as the network layer transitions from hardware-defined performance to software-defined policy, the overlay becomes responsible for guarantees the physical layer used to enforce. The InfiniBand vs. RoCEv2 architecture analysis makes this precise — the lesson for virtual networking architects is that every overlay model carries an implicit assumption about the physical substrate beneath it, and those assumptions must be validated explicitly, not inherited.

Who Owns Policy Intent When the Platform Changes

The Policy Translation Boundary (#108) is not only a migration problem — it is an ongoing governance problem. Every overlay model creates a policy authority: a platform that owns the expression of segmentation intent. When that platform is proprietary, policy portability becomes constrained by vendor architecture decisions. When the overlay is the only place where security intent is expressed — and it is expressed in vendor-specific constructs — the organisation’s security posture becomes as portable as its licensing contract. Overlay sovereignty is the condition where policy intent can survive a platform transition — where the security model is expressed at a level of abstraction that the underlying overlay enforces but does not own. The sovereign networking article covers the control plane isolation model that makes this possible; the planned Framework #108 anchor post — The Policy Translation Boundary — will provide the full governance portability framework when published.

Having worked through the virtual networking stack — from overlay model selection through policy translation, failure domain analysis, overlay physics, and governance portability — you can now reason about the network as a policy-bearing architectural layer, not a provisioning task. The operational consequences of platform decisions are now predictable rather than discovered post-cutover: the Policy Translation Boundary is a diagnostic tool, not a surprise. The final capability bridges the overlay model directly into the IaC and sovereignty layers where these decisions propagate.

• Design overlay segment models aligned to workload-centric security policy — not inherited from physical topology or source-platform network constructs
• Identify the Policy Translation Boundary before migration — map NSX-T network-centric constructs to Flow workload-centric equivalents in the design phase, not during a Day 1 reachability incident
• Inventory vDS feature dependencies (port mirroring, private VLANs, NetFlow configurations) before committing to a target overlay model — so operational tooling breakage is a planned migration task, not an unplanned outage
• Diagnose post-migration network failures by failure domain — overlay state loss, policy translation artifact, underlay assumption violation, or policy sprawl — and trace each to its architectural root cause
• Apply virtual network policy governance to overlay models expressed as IaC — the overlay design decisions from this Track determine what network policy drift looks like in the Modern Infrastructure path, and whether sovereignty constraints at the network layer can actually be enforced

>_ WHERE DO YOU GO FROM HERE

YOUR NETWORK POLICIES MAY NOT SURVIVE THE PLATFORM TRANSITION

Most overlay migrations validate connectivity and never validate policy intent. The Infrastructure Architecture Review identifies Policy Translation Boundaries, governance portability gaps, and operational ownership risks before they become production incidents.