Software-defined networking started as a marketing phrase, but the underlying idea is useful. The definition is precise, published, and practical. It is why clicking “create VPC” gives you a working isolated network in seconds instead of a ticket to someone who owns a router.
The definition: control plane separated from data plane
Every network device does two things. The data plane (or forwarding plane) moves packets. It looks at a header and decides which port the packet leaves on. The control plane decides the rules the data plane follows: which routes exist, which flows are allowed, which VLAN a port belongs to. On a traditional switch or router, both planes run on the same box and the control plane is configured by hand or by a routing protocol.
SDN moves the control plane off the device. The Open Networking Foundation’s definition describes SDN as an architecture where network control and forwarding functions are separated, network control becomes programmable, and infrastructure is abstracted for applications and services. A logically centralised controller computes forwarding rules and pushes them down to the switches.
The canonical realisation is OpenFlow, introduced in McKeown et al., “OpenFlow: Enabling Innovation in Campus Networks” (ACM SIGCOMM Computer Communication Review, Vol. 38 No. 2, April 2008). OpenFlow defines a standard protocol so a controller installs flow-table entries on commodity switches from any vendor. This paper is roughly where the modern SDN field starts. RFC 7426, the ONF architecture documents, and modern cloud control planes build on the same separation.
Why cloud networking depends on it
A traditional network is a physical fact. Two ports are in the same VLAN because someone configured a switch that way. Changing it means reconfiguring the switch.
A cloud network is a logical fact. When you create a VPC, you are not waiting for a human to patch a cable. A controller updates forwarding tables across many hypervisors and gateways at once. The VPC, its routing table, its firewall rules, the floating IP you attached, and the private subnet all map to flow rules and overlay encapsulation driven by software. This is SDN, and it enables the “create, destroy, resize on demand” property of cloud computing at multi-tenant scale.
On-demand IP assignment, tenant isolation, per-VM firewall rules, L2 overlays across racks: every one of these requires the control plane to be detached from individual switches.
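The split between the two planes, and the way tenant isolation and firewall rules reduce to flow entries, can be shown with a toy model. This is an added example, not code from OpenFlow, the ONF, or ZCP; the class names, the `tenant` tag standing in for overlay encapsulation, and the VM names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FlowEntry:
    priority: int   # higher wins
    match: tuple    # ((header_field, value), ...) that must all equal the packet's
    action: str     # "output:<port>" or "drop"

@dataclass
class Switch:
    """Data plane: matches headers against its table; holds no policy of its own."""
    table: list = field(default_factory=list)

    def install(self, entry):                 # invoked only by the controller
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)

    def forward(self, pkt):
        for e in self.table:
            if all(pkt.get(k) == v for k, v in e.match):
                return e.action
        return "drop"                         # table miss: default deny

class Controller:
    """Control plane: owns the tenant model and compiles it into flow entries."""
    def __init__(self, switches):
        self.switches = switches              # name -> Switch

    def attach_vm(self, switch, tenant, mac, port):
        # Forwarding rule is scoped to the tenant tag, which gives isolation.
        self.switches[switch].install(
            FlowEntry(100, (("tenant", tenant), ("dst", mac)), f"output:{port}"))

    def deny(self, tenant, src, dst):
        # Firewall rule: pushed to every switch at once, outranks forwarding.
        for sw in self.switches.values():
            sw.install(FlowEntry(200, (("tenant", tenant), ("src", src), ("dst", dst)), "drop"))

def demo():
    """Constructed scenario: two hypervisor switches, tenants 'a' and 'b'."""
    sws = {"hv1": Switch(), "hv2": Switch()}
    ctl = Controller(sws)
    ctl.attach_vm("hv1", "a", "vm-a1", 1)
    ctl.attach_vm("hv1", "b", "vm-b1", 2)
    same_tenant = sws["hv1"].forward({"tenant": "a", "src": "vm-a2", "dst": "vm-a1"})
    cross_tenant = sws["hv1"].forward({"tenant": "b", "src": "vm-b1", "dst": "vm-a1"})
    ctl.deny("a", "vm-a2", "vm-a1")           # one API call, no switch touched by hand
    after_deny = sws["hv1"].forward({"tenant": "a", "src": "vm-a2", "dst": "vm-a1"})
    return same_tenant, cross_tenant, after_deny

if __name__ == "__main__":
    print(demo())
```

The switch never decides anything: a packet with no matching entry is dropped, so a tenant reaches only what the controller has explicitly programmed.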
How ZCP does it
ZCP’s networking layer is software-defined end to end:
- VPCs. Every tenant gets isolated VPC networking, software-defined routing, software-defined subnets, and software-defined firewall rules, starting at $18/mo, or $28/mo for a redundant VPC. L2 and isolated networks are both supported.
- Firewall. OPNsense handles stateful firewalling and gateway functions, programmable via REST API. Rules are applied per-VM and per-network. DDoS protection is included on every public IP.
- IP addressing. Additional IPv4 addresses are $3/mo. Floating IPs (movable between VMs) are $1/mo. A managed Load Balancer is $15/mo.
- Inter-zone connectivity. WireGuard VPN connects zones and customer networks on Standard private cloud and above.
None of those features would be configurable in seconds without SDN. You would be calling a network engineer. The point of the definition is simple: the network is now an API.