VXLAN Features
As TCPShield expands its infrastructure to support more diverse application traffic beyond Minecraft, we're proud to introduce VXLAN TUNNEL, starting in April 2025, as the next evolution of clean traffic delivery. Built for modern cloud-scale networking, VXLAN is a refined, high-performance solution that lets us protect and forward any TCP/UDP traffic with greater flexibility, speed, and compatibility than legacy tunneling protocols.
Why VXLAN for DDoS Mitigation?
1. Optimized for Anycast and Scrubbing Efficiency
VXLAN uses stateless UDP-based encapsulation, which fits perfectly with our anycast infrastructure. That means:
Traffic is always routed to the nearest DDoS protection/scrubbing center, keeping latency low.
Failover between locations is instant and seamless, no handshakes or reconnections needed.
We can run multi-point tunnel topologies, where multiple TCPShield nodes send clean traffic back to your origin—without managing dozens of individual tunnels.
2. Higher Cost Efficiency
Compared to our flagship Minecraft proxy product, tunnels allow a higher number of tenants behind a single IP address: you can protect many customers across different ports on the same machine, as well as any assortment of protocols and services on the same protected IP.
For instance, you can protect a dozen Minecraft customers on ports 25565 to 25577 and 5 customers operating CS:GO servers on ports 27015 to 27020.
You can then use the firewall page to define layer 7 protocol filters for these port ranges, which apply across our edge and ensure seamless protection and protocol conformity for these ports.
Port ranges can be modified on existing rules at any time, in case further customers are added on the same IP. You can also automate this process via our API.
3. Minimal Overhead, Maximum Performance
VXLAN introduces only ~50 bytes of overhead per packet, yet it delivers major throughput advantages:
Hardware offload support on modern NICs allows VXLAN packets to be processed at line rate with minimal CPU usage.
UDP-based encapsulation leverages features like Large Receive Offload (LRO) and Generic Segmentation Offload (GSO) for enhanced performance.
VXLAN gives us the ability to move gigabits of cleaned traffic per second, efficiently and cost-effectively.
4. Protocol-Agnostic: Support More Games, More Applications
VXLAN supports any protocol that rides on Layer 2: IPv4, IPv6, ARP, multicast, and more.
VXLAN can tunnel exotic or legacy traffic used in non-standard game engines, custom UDP protocols, or multiplayer applications that rely on broadcast or L2 adjacency.
VXLAN also works seamlessly across NAT environments, making it suitable for home hosting setups as well as cloud platforms like AWS, Azure Cloud, and others where NAT is often unavoidable.
That flexibility means we can now support far more than just Minecraft. If your app uses UDP or TCP, VXLAN can carry it—no sweat.
5. Better than GRE: A Refined Solution for Modern Needs
While GRE has been a traditional choice for clean traffic tunnels, it shows its age in key areas:
No NAT traversal: GRE doesn’t play well with firewalls and NAT devices — VXLAN’s UDP base does.
No built-in segmentation: GRE lacks fine-grained identifiers. VXLAN supports up to 16 million VNIs to isolate tenants, services, or regions.
Lower performance: GRE generally lacks hardware offload support and suffers on multi-core platforms without UDP port hashing.
VXLAN delivers all the benefits of GRE — and then some — making it a natural upgrade for modern cloud-native protection.
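To make the ~50 bytes of overhead (section 3) and the 16 million VNIs (section 5) concrete, the following added example, which is not TCPShield code, builds and parses the 8-byte VXLAN header defined in RFC 7348 and derives the inner MTU. It assumes an IPv4 underlay with a 1500-byte MTU; the function names, VNI 4242 and the sample frame are constructed for illustration.

```python
import struct

VXLAN_PORT = 4789            # IANA-assigned VXLAN UDP port (RFC 7348)
VXLAN_FLAG_VNI = 0x08        # "I" flag: the VNI field is valid
MAX_VNI = (1 << 24) - 1      # 24-bit VNI -> 16,777,216 possible segments

# Bytes placed in front of the inner IP packet on an IPv4 underlay.
OVERHEAD = {"outer_ipv4": 20, "outer_udp": 8, "vxlan": 8, "inner_ethernet": 14}


def inner_mtu(underlay_mtu=1500):
    """Largest inner IP packet that fits without fragmenting the underlay."""
    return underlay_mtu - sum(OVERHEAD.values())


def build_vxlan_header(vni):
    """Pack flags(8) + reserved(24), then VNI(24) + reserved(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI << 24, vni << 8)


def parse_vxlan(udp_payload, allowed_vnis):
    """Return (vni, inner_frame); raise ValueError for frames to drop."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("truncated: no room for VXLAN + inner Ethernet header")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    if not (word0 >> 24) & VXLAN_FLAG_VNI:
        raise ValueError("I flag not set, VNI is not valid")
    vni = word1 >> 8         # reserved bits are ignored on receipt
    # The VNI is an identifier, not a credential: VXLAN has no built-in
    # authentication, so also restrict which source IPs may reach the port.
    if vni not in allowed_vnis:
        raise ValueError(f"unexpected VNI {vni}")
    return vni, udp_payload[8:]


# Constructed sample: zeroed MAC addresses, EtherType IPv4, dummy payload.
SAMPLE_INNER = bytes(12) + b"\x08\x00" + b"constructed payload"

if __name__ == "__main__":
    packet = build_vxlan_header(4242) + SAMPLE_INNER
    vni, frame = parse_vxlan(packet, allowed_vnis={4242})
    print(f"VNI {vni}, inner frame {len(frame)} bytes")
    print(f"overhead {sum(OVERHEAD.values())} bytes, inner MTU {inner_mtu()}")
```

If the interface at your origin keeps a 1500-byte MTU inside the tunnel, full-size packets will not fit; set the tunnel MTU to the value `inner_mtu()` returns for your underlay.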
What This Means for TCPShield Users
Expanded Game Support: Any UDP or TCP-based game can now be protected — not just Minecraft.
Lower Latency: Anycast tunnel endpoints ensure you always connect to the nearest scrubbing node.
Scalable Protection: VXLAN’s design enables us to scale DDoS mitigation globally with multi-tenant separation and flexible routing.
Ready to Deploy