What's the difference between an Underlay and an Overlay

Understand the difference between an Underlay and an Overlay.

There is a common misconception about our product that traffic can traverse an Airwall Gateway from the Underlay (your existing network) to the Overlay (a segment of your Airwall secure network). Unfortunately, this misconception can lead to incorrect network configurations, IP conflicts, and broadcast storms.

This article will describe the differences between these networks.

The Underlay network

On an Airwall Gateway, the Underlay network is what's behind behind Port 1. This is the interface where the Airwall Gateway acts as a MAP client and an Airwall client.

The Underlay network is your existing network and all networks in between (including the Internet). It can be:

  • Your local LAN or corporate PtP network.
  • A Cable, DSL or Fiber connection.
  • A Cellular APN, or a long-range wireless network.

Basically, the Underlay network is where Airwall Gateways talk to each other over an existing network.

The Overlay network

The Overlay network is the protected device network created by the Airwall Solution. It can be the protected network behind an Airwall Gateway, or a Windows/Linux/macOS/iOS/Android computer running our Airwall Agent software.

On an Airwall Gateway, the Overlay network is what's behind Ports 2 and up. These are the interfaces where the Airwall Gateway acts as a gateway.

Getting data from the Overlay to the Underlay

These two networks may be different, but as you likely noticed, traffic still goes in one Airwall Gateway and comes out another. The Underlay is the only way they can communicate with each other, so that data must traverse the Underlay somehow.

And it does, but not without first getting processed by our HIP processing. This HIP process can see both the Overlay and the Underlay networks; however, it treats these networks completely differently.

On the Overlay (Protected Device) side, it captures all network traffic from connected devices, and according to trust policy it routes that data to its peers in encrypted HIP tunnels. No packet ever makes it through the HIP process without either being truncated, or encrypted and tunneled to a peer. No packet can ever make it through the Airwall Gateway from the Overlay to the Underlay, or vise versa, intact.

HIP is all configured via a MAP connection to the Conductor, where the Airwall Gateway is given information on trust policy, the addresses of their peers, and the cryptographic keys needed to exchange information with their peers.

Network diagram showing how overlay traffic is processed and encrypted before it traverses the underlay