Network virtualization totally separates network resources from physical hardware by recreating those networking resources in software- by virtualizing them. Physical routers (which forwards data across multiple networks,) switches (which forwards data on a single Local Area Network or LAN) and load balancers (which even out workloads to prevent servers from being overwhelmed) are virtualized in the hypervisor layer using off-the-shelf, industry-standard servers (server/compute hosts). This virtualized pool can then be used as needed, on-demand. The underlying physical hardware remains important (it's still used for forwarding) but no longer needs to be reconfigured every time a new VM or container is added or updated, or every time a device on the network is moved to a different part of the network. The whole network can now be run in software.
This hypervisor-based networking software (which will include security services as well) uses a controller to send network services to virtual switches and attaches the services to individual virtual machines (VMs) and containers. The result is a virtual network (The exact services will be determined by the policies already assigned to the VM/containers.). In this virtual network, whenever new VMs and containers are created, the appropriate policies are automatically applied to them. When VMs and containers move, their networking and security move with them. (You'll sometimes hear VMs and containers referred to as workloads, so we'll use that term here to familiarize you with it.)
Creating a virtual network on top of a physical network is known as overlay networking. Imagine two devices (or endpoints) on an organization’s network – Finance Department Laptop and Sales Department Laptop, for example. Both are connected to physical network ports. (VMs and containers can be endpoints, too.) Both laptops are given a virtual network ID (VNID) and assigned to a virtual network. Virtual switches then connect Finance Department Laptop to Sales Department Laptop via virtual links (software representations of physical links) that form a tunnel across the network. Each virtual link corresponds to a path in the underlying physical network.
Network virtualization works just as well in the cloud and can be managed by using a Cloud Management Platform (CMP) such as VMware’s vRealize Automation or an open-source option such as Apache CloudStack and OpenStack. Hypervisor-based network virtualization can be set up and run using a Graphical User Interface (GUI) and a Command-Line Interface (CLI) or using Application Programming Interfaces (APIs).
Network virtualization provides administrators with tremendous flexibility. It can be used for networks as small as two connected devices, or as large as networks spanning multiple sites of major enterprises. In addition, it is flexible enough to work with any cloud or cluster (or pod if you’re using a new application framework like Kubernetes) while having different virtual networks that can be associated with different workloads. VMware’s NSX for vSphere (NSX-V) virtual network and security product works with ESXi (a Type 1 hypervisor - i.e., one that runs directly on the host’s hardware, independent of the host’s operation system), while their NSX-T Data Center works with ESXi and with KVM (a Type 2 hypervisor running within the host’s operating system).
Virtual networks are not to be confused with virtual local area networks – VLANs. A VLAN takes the ports of a physical switch and groups (or isolates) them to fit a specific purpose. An organization might have its Finance Department on the first floor, HR on the second and third, Production on the fourth, Sales on the fifth, and printers scattered around the building. On one physical switch, five VLANs could be created for these separate functions, each with its own broadcast domain.
However, only a maximum of 4096 VLANS can be created on a Layer 2 network. (This is a reference to the OSI networking model, which has 7 layers that together describe the different communication functions of a networking system.) This may seem like a lot, but imagine being a company that gave each of its customers 5 VLANS: after customer 819, you would have no more VLANS, which would mean no new customers. Security is an issue since VLANs are separated from a logical perspective but are actually running through the same connection, and a security breach on one can affect them all. And every time a VLAN is extended, a time-consuming physical configuration is needed.
With network virtualization, on the other hand, network services beyond data transfer are also available – switching, routing, firewalling, and load balancing (Layer 3 to Layer 7 functions). The network in its entirety (Finance, HR, Production, Sales, and printers) can be recreated in software in seconds, and cloned or moved if needed; or snapshots representing the exact state of a network at a particular point in time can be created, saved, and used to recreate the network if required. Every networking and security service is virtualized (handled in software) and attached directly to individual workloads, reducing the need for physical configuration.