Introduction
In the evolving world of hybrid and on-prem data centers, Azure Local SDN (formerly Azure Stack HCI SDN) has emerged as a critical component for achieving secure, scalable, and policy-driven networking. As more enterprises modernize their infrastructure, understanding how Azure Local SDN leverages VLANs and VXLANs becomes essential for network administrators tasked with architecting reliable and efficient environments.
This article explores how Azure Local SDN supports both VLAN (Virtual LAN) and VXLAN (Virtual Extensible LAN), when to use each, and how these technologies integrate with the Azure hybrid networking stack.
VLANs vs VXLANs: A Technical Overview
What is VLAN?
A VLAN (IEEE 802.1Q) segments Layer 2 broadcast domains within a single Layer 3 network. It’s a well-established method for isolating traffic and managing subnets without requiring additional physical switches.
What is VXLAN?
VXLAN (RFC 7348) encapsulates Layer 2 Ethernet frames in UDP packets, allowing networks to span Layer 3 boundaries. VXLAN supports over 16 million segment IDs (VNIs), far exceeding the 4096 limit of VLANs.
Comparison Table
| Feature | VLAN | VXLAN |
|---|---|---|
| Layer | Layer 2 | Layer 2 over Layer 3 |
| Max IDs | 4096 | 16,000,000+ |
| Encapsulation | 802.1Q | UDP + VXLAN Header |
| Hardware Dependency | Yes (Switches) | No (Software-based) |
| Azure SDN Support | Yes | Yes |
Azure Local SDN and VLAN Integration
Azure Local SDN supports VLAN-based networking natively through Hyper-V and the Host Virtual Switch. VLANs are configured per virtual NIC or at the host level to isolate traffic across workloads.
Key Features
- VLAN-aware VM networks
- Tagged and untagged VLAN support
- Physical switch trunking compatibility
PowerShell Example
Set-VMNetworkAdapterVlan -VMName "AppVM01" -Access -VlanId 120This command assigns VLAN 120 to the virtual NIC of AppVM01.
Use Cases
- Segmentation of application tiers (Web, App, DB)
- Enforcing compliance zones (PCI, HIPAA)
- Legacy infrastructure compatibility
Azure Local SDN and VXLAN Overlays
VXLAN is fully supported in Azure Local SDN via the Network Controller, Host Networking Service (HNS), and SDN-managed virtual switches. This allows for dynamic overlay networks that abstract physical topology.
VXLAN Architecture in Azure Local SDN
- PA/CA Model: Provider Addresses (PA) identify hosts, Customer Addresses (CA) represent VMs.
- Encapsulation: VXLAN frames are encapsulated in UDP with a VXLAN header (VNI).
- Control Plane: SDN controller manages VNIs, routing tables, and policy enforcement.
Diagram: VXLAN Packet Structure
[Ethernet Frame] → [IP Header] → [UDP Header] → [VXLAN Header (VNI)] → [Original Ethernet Frame]Benefits
- True L2 overlays across L3 boundaries
- Tenant isolation in multi-tenant environments
- Simplified IP management
Deployment Scenarios
Scenario 1: VLAN-Based App Segmentation
- Web, App, and DB tiers use VLAN 100, 110, 120 respectively
- Trunked switch ports enable shared physical NICs
Scenario 2: VXLAN for Multi-Tenant Hosting
- Each tenant gets a unique VNI (e.g., 5001, 5002)
- Backed by dynamic SDN policies and ACLs
Scenario 3: Hybrid Connectivity via Azure Arc
- VXLAN overlays bridge on-prem Azure Local SDN with Azure-native VNETs
- Supports policy extension and identity enforcement via Azure Policy
Best Practices for Network Admins
Decision Matrix
| Use Case | VLAN | VXLAN |
| Simple segmentation | ✅ | ❌ |
| Multi-tenant architecture | ❌ | ✅ |
| On-prem only deployments | ✅ | ✅ |
| Hybrid cloud integration | ❌ | ✅ |
| High-scale segmentation | ❌ | ✅ |
Configuration Tips
- Use jumbo frames (MTU 9014) for VXLAN overlays
- Define logical networks and VM networks via SDN controller
- Avoid VLAN nesting when possible
Monitoring Tools
- Windows Admin Center SDN extension
- Network Controller REST API
- SDN Diagnostics PowerShell module
PowerShell & Bicep Snippets
Create a VLAN-backed VM NIC
New-VMNetworkAdapter -VMName "DBVM" -SwitchName "SDNvSwitch"
Set-VMNetworkAdapterVlan -VMName "DBVM" -Access -VlanId 200Deploy VXLAN VNET via Bicep
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
name: 'vxlan-vnet'
location: resourceGroup().location
properties: {
addressSpace: {
addressPrefixes: ['10.20.0.0/16']
}
}
}Limitations and Considerations
- VLANs limited to 4096 IDs
- VXLAN introduces encapsulation overhead (adds ~50 bytes)
- VXLAN may require hardware offload (e.g., NICs with VXLAN offload support)
- MTU mismatches can drop VXLAN packets silently
Conclusion
Azure Local SDN delivers the flexibility of supporting both VLANs and VXLANs, allowing administrators to tailor their network fabric for performance, isolation, and scalability. VLANs remain effective for legacy environments and simple segmentation, while VXLANs unlock massive scalability and hybrid extensibility.
Recommendation Matrix
| Situation | Recommended Tech |
| On-prem legacy isolation | VLAN |
| Multi-tenant cloud hosting | VXLAN |
| Hybrid network extension | VXLAN |
| Compliance zone separation | VLAN |
*The thoughts and opinions in this article are mine and hold no reflect on my employer*