VXLAN is a technology that allows Ethernet frames (layer 2) to be encapsulated in UDP packets (layer 3) to create virtual overlay networks.
In practice, this means you can tie together a bunch of virtual machines on a virtual network that look like a bunch of servers on the same switch but are actually spread out over many racks, switches, and networks.
The nodes only ever see the encapsulated network and cannot break out of encapsulation; as a result, different overlay networks can securely share the same physical network.
Cloud providers use VXLAN to implement the virtual networks that tie together virtual machines and cloud services. Exactly how VXLAN is implemented varies, though. VXLAN tunnel endpoints (VTEPs) can be terminated in
- the switch
- the NIC on the node, if it is a smartNIC
- the hypervisor running inside the node
The location where VTEPs are terminated is the security boundary between the untrusted domain (cloud customers) and the trusted domain (the cloud itself). VTEPs are where encapsulation and decapsulation happen, so the VNI on the wire is assigned by the VTEP, not by the node.
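To make the boundary concrete, here is an added example (not code from any vendor's VTEP) that builds and parses the 8-byte VXLAN header from RFC 7348 and models a trusted VTEP that stamps each tenant frame with its own VNI table. The tenant names and VNIs are constructed sample data; the point it demonstrates is that a frame a node crafts to look like a VXLAN packet on another VNI simply gets wrapped in the node's real VNI and is never delivered to the other overlay.

```python
import struct
from typing import Optional, Tuple

VXLAN_PORT = 4789      # IANA-assigned UDP port for VXLAN
VXLAN_FLAG_I = 0x08    # "VNI present" flag in the first header byte


def vxlan_encap(inner_frame: bytes, vni: int) -> bytes:
    """Prepend the VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)
    return header + inner_frame


def vxlan_decap(payload: bytes) -> Tuple[int, bytes]:
    """Parse a VXLAN UDP payload, rejecting malformed headers instead of guessing."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", payload[:8])
    if flags != VXLAN_FLAG_I:
        raise ValueError(f"unexpected VXLAN flags 0x{flags:02x}")
    return vni_field >> 8, payload[8:]


# Trusted VTEP state (constructed sample): the VNI each attached tenant VM belongs to.
TENANT_VNI = {"vm-a": 100, "vm-b": 200}


def vtep_forward(src_vm: str, inner_frame: bytes) -> bytes:
    """Encapsulate a frame from a VM using the VNI the VTEP assigned to that VM.

    Whatever bytes the VM sends, including a home-made VXLAN header, are just
    opaque inner payload; only the VTEP chooses the outer VNI.
    """
    return vxlan_encap(inner_frame, TENANT_VNI[src_vm])


def vtep_deliver(payload: bytes, dst_vm: str) -> Optional[bytes]:
    """Decapsulate and deliver only when the outer VNI matches the destination VM's network."""
    vni, inner = vxlan_decap(payload)
    return inner if TENANT_VNI.get(dst_vm) == vni else None
```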