
Overlay Networking

How Access Gate adds protection on top of your existing network.

4 min read · Last updated 2026-05-02

This page explains what an overlay network is, why Access Gate uses it, and how it applies in real deployments.

What Is Overlay Networking?

An overlay network is a logical network built on top of an existing physical network (the underlay).

  • The underlay network remains unchanged
  • The overlay network introduces new IPs, routing, and security controls
  • Traffic is redirected to the overlay only when protection is required

With Access Gate, the overlay allows traffic to be intercepted, authenticated, logged, and controlled—without re-IPing assets, modifying VLANs, or inserting devices inline.

Underlay vs Overlay

Dimension         | Underlay Network                                | Overlay Network
------------------|-------------------------------------------------|----------------------------------------------------------
What it is        | Your existing LAN, OT network, or plant network | Logical IP space owned and controlled by Access Gate
IP addressing     | Assets keep their original IPs                  | Separate logical range (typically 100.64.0.0/16 CGNAT)
Topology changes  | None — switches, VLANs, firewalls unchanged     | Layered on top of the underlay, no rewiring
Scope             | Carries all existing traffic                    | Only protected access paths
Security model    | Implicit trust within the segment               | Identity-enforced proxying, no direct connectivity

Key concept: Assets stay where they are. Access control happens in the overlay.

How Overlay Routing Works

Every protected communication has two legs — one in the overlay, one in the underlay — and Access Gate translates between them. In every session, one leg stays in the existing network, which is why assets never need to be re-IP'd or moved.

  • Inbound (client → asset). The client sends a packet with source = its own underlay IP and destination = the asset's overlay IP. Routes on the existing network steer overlay-destined traffic to Access Gate.
  • NAT at the gateway. Access Gate terminates the connection, applies policy, and opens a new session toward the asset's underlay IP. The source on this new session is Access Gate's own underlay IP (a NAT). The asset never sees the overlay address — from its perspective the traffic comes from another underlay device.
  • Outbound (asset → client). The asset replies to Access Gate's underlay IP. Access Gate maps the reply back onto the original overlay session and returns it to the client with source = the overlay IP, destination = the client's underlay IP.

The asset-side leg is always in the underlay. The overlay only exists between the client and Access Gate. That is the property that lets Access Gate add identity-enforced access in front of legacy assets without touching their addressing or the underlay topology.
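The three legs above, modelled as a small gateway simulation. This is an added example, not Access Gate's own code: the overlay range is the one named on this page, while the gateway underlay IP, the asset and client addresses, the port-based session table and the user names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
OVERLAY = ipaddress.ip_network("100.64.0.0/16")   # overlay range named on the page
GATEWAY_UNDERLAY_IP = "10.0.0.5"                  # constructed: Access Gate's own underlay address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    user: str = ""  # identity bound to the session (constructed stand-in for real authentication)

class OverlayGateway:
    """Toy model of the three legs: overlay packet in, NATed underlay session out, reply mapped back."""
    def __init__(self, overlay_map, policy):
        self.overlay_map = overlay_map  # overlay IP -> asset underlay IP
        self.policy = policy            # set of (user, overlay IP) pairs the policy permits
        self.sessions = {}              # gateway source port -> (client IP, client port, overlay IP)
        self.next_port = 40000
        self.log = []

    def inbound(self, pkt):
        """Legs 1 and 2: client -> overlay IP. Returns the NATed packet toward the asset, or None."""
        if ipaddress.ip_address(pkt.dst) not in OVERLAY:
            return None  # plain underlay traffic is never routed to the gateway
        asset_ip = self.overlay_map.get(pkt.dst)
        if asset_ip is None or (pkt.user, pkt.dst) not in self.policy:
            self.log.append(f"DENY user={pkt.user} client={pkt.src} overlay={pkt.dst}")
            return None
        gw_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[gw_port] = (pkt.src, pkt.sport, pkt.dst)
        self.log.append(f"ALLOW user={pkt.user} client={pkt.src} overlay={pkt.dst} asset={asset_ip}")
        # New session toward the asset: source is the gateway's underlay IP; the overlay address is gone.
        return Packet(GATEWAY_UNDERLAY_IP, asset_ip, gw_port, pkt.dport)

    def outbound(self, pkt):
        """Leg 3: asset reply to the gateway's underlay IP, mapped back onto the overlay session."""
        sess = self.sessions.get(pkt.dport)
        if pkt.dst != GATEWAY_UNDERLAY_IP or sess is None:
            return None  # no matching session: unsolicited traffic is dropped, never forwarded
        client_ip, client_port, overlay_ip = sess
        return Packet(overlay_ip, client_ip, pkt.sport, client_port)

def demo():
    gw = OverlayGateway({"100.64.1.10": "192.168.50.20"}, {("alice", "100.64.1.10")})
    to_asset = gw.inbound(Packet("192.168.10.7", "100.64.1.10", 51000, 3389, user="alice"))
    reply = gw.outbound(Packet("192.168.50.20", GATEWAY_UNDERLAY_IP, 3389, to_asset.sport))
    denied = gw.inbound(Packet("192.168.10.8", "100.64.1.10", 51001, 3389, user="mallory"))
    return to_asset, reply, denied, gw.log
```

The asset only ever sees the gateway's underlay address, and a reply that matches no session entry is dropped rather than forwarded.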

Why Access Gate Uses an Overlay

Traditional security approaches rely on inline devices, VLAN segmentation, or flat VPNs. These approaches introduce risk in operational environments.

Overlay networking avoids those pitfalls:

  1. No Inline Risk
    1. Access Gate does not sit in the physical traffic path
    2. No single point of failure
    3. Production traffic continues even if Access Gate is offline
  2. No Network Redesign
    1. No VLAN changes
    2. No IP reassignments
    3. No switch or router reconfiguration beyond routing to Access Gate
  3. Access Control
    1. Clients never connect directly to assets
    2. All protected access flows through the Access Gate proxy
    3. Authentication, authorization, and logging are enforced centrally

This overlay approach is especially valuable when a network is already in place, with legacy configurations that are difficult to move.

What the Overlay Enables

Overlay networking allows Access Gate to enforce:

  • Identity-based access (who can reach what)
  • Time-bound and task-based permissions
  • Protocol-aware proxying (HTTP, RDP, SSH, SMB, industrial protocols)
  • Full session logging and traceability
  • Rapid isolation or revocation without touching the network

All without changing how your network is physically built.

Overlay Networking vs VLANs + Firewall

Dimension        | VLAN Segmentation  | Overlay Networking
-----------------|--------------------|------------------------
Network changes  | Requires redesign  | Minimal changes
Trust model      | Static boundaries  | Identity-based policies
Auditability     | Hard to audit      | Full access logging
OT suitability   | Risky              | Great fit

Overlay networking shifts security from network topology to policy and identity.

Key Takeaway

Overlay networking lets you add security, control, and compliance on top of existing IT and OT networks—without disrupting operations.

It is the foundation that allows Access Gate to be:

  • Non-intrusive
  • Agentless
  • Safe for production
  • Aligned with NIS2, CMMC, and Zero Trust principles