
Tapping into the hidden network

Profitap vTAP for Modern Cloud Infrastructure

In modern software infrastructures, virtualisation and containerisation are ubiquitous. Enterprises increasingly run workloads inside VMware vSphere (or vSphere-native Kubernetes) and Kubernetes clusters (on-premises, in public clouds, or hybrid). But with rising complexity and scale, one perennial problem persists: lack of visibility into internal (“east-west”) traffic flows, microservices communication, and VM-to-VM exchanges.

Network taps (or virtual TAPs, vTAPs) are emerging as foundational tools for restoring visibility into these hidden domains. Among these, Profitap vTAP (and the related Cloud TAP solution) stands out by integrating tightly with hypervisors and container hosts to mirror, filter, and forward traffic at scale, without intruding into the monitored workloads themselves.

In this article, we explore the benefits, architecture, and use cases of Profitap vTAP (and Cloud TAP) in VMware and Kubernetes environments, along with best practices and caveats.


Why visibility is challenging in virtual and cloud-native environments

Before looking at the solutions, let’s understand the challenge that vTAPs and Cloud TAPs try to address.

The “blind spot” problem

  • In physical networks, one can insert physical TAPs or mirror switch ports to send copies of traffic to analysis or security tools.
  • But in virtualized environments, much of the traffic (especially east-west) never leaves the hypervisor’s virtual switches. VM-to-VM traffic on the same host is invisible to external taps.
  • Similarly, in containerized environments (Kubernetes), pod-to-pod traffic often stays inside the host’s kernel networking or overlay fabric, bypassing traditional physical taps.
  • Traditional span/mirror ports at the switch level are often insufficient, introduce contention, or cause packet loss under high load.
  • As a result, operations, security, and performance teams often struggle to see critical internal flows, making root-cause analysis, anomaly detection, and threat hunting much harder.

Requirements for a good vTAP solution

A robust vTAP (or cloud-native TAP) solution generally needs to meet:

  1. Non-intrusiveness — No changes to application VMs or containers.
  2. Scalability & orchestration — Support for many VMs/pods without ballooning operational overhead.
  3. Filtering & aggregation — Ability to reduce mirrored data to just what matters.
  4. Traffic export flexibility — Forwarding to virtual or physical collectors, packet brokers, or security appliances.
  5. Resilience to dynamics — Handle vMotion, host migrations, autoscaling, cluster changes.
  6. Visibility across hybrid/on-cloud deployments — Unified view across on-prem, cloud, and hybrid.

Profitap’s offerings address this set of requirements.

Profitap vTAP: architecture and how it works

Core architecture

Profitap vTAP is a virtual TAP solution designed primarily for VMware environments.

The vTAP solution consists of two main components:

  • vTAP Manager / Orchestrator: central control, policy management, and coordination across the environment.
  • vNPB (virtual Network Packet Broker) or “vBroker”: deployed on host(s) alongside tapped VMs, handling mirroring, filtering, aggregation, and forwarding.

When a tapping policy is defined (e.g. “mirror traffic to/from VM X, filter L4 ports 80,443, exclude other flows”), the vTAP Manager instructs the vNPBs accordingly. The vNPBs tap and copy VM traffic at the hypervisor’s virtual switch or distributed switch layer, apply include/exclude filters (L3/L4), and forward only relevant traffic to collectors or further stages.
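To make the include/exclude logic of such a policy concrete, here is an added illustration (my own code, not Profitap's vTAP implementation or API) that models a policy of the kind quoted above, applies it to a few constructed flow records, and reports tapped VMs whose traffic the filter silently dropped. The `TapPolicy`/`Flow` names, the addresses and the rule semantics are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # source IP of the VM-to-VM flow
    dst: str    # destination IP
    dport: int  # L4 destination port


@dataclass
class TapPolicy:
    """Hypothetical model of a tapping policy: tapped VM(s) plus L3/L4 rules."""
    tapped_hosts: tuple       # addresses of the VMs whose traffic is mirrored
    include_ports: frozenset  # L4 ports to keep; empty means keep every port
    exclude_nets: tuple       # L3 prefixes never forwarded (e.g. a backup LAN)

    def keeps(self, f: Flow) -> bool:
        tapped = {ip_address(h) for h in self.tapped_hosts}
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src not in tapped and dst not in tapped:   # not a tapped VM at all
            return False
        if any(src in ip_network(n) or dst in ip_network(n) for n in self.exclude_nets):
            return False                              # L3 exclude rule
        return not self.include_ports or f.dport in self.include_ports  # L4 include


def apply_policy(policy: TapPolicy, flows):
    """Flows the vNPB would forward to the collector under this policy."""
    return [f for f in flows if policy.keeps(f)]


def uncovered_hosts(policy: TapPolicy, flows):
    """Tapped VMs that sent or received traffic but had none mirrored:
    the 'filter omits critical flows' caveat made visible."""
    kept = apply_policy(policy, flows)
    seen = {f.src for f in flows} | {f.dst for f in flows}
    mirrored = {f.src for f in kept} | {f.dst for f in kept}
    return sorted(h for h in policy.tapped_hosts if h in seen and h not in mirrored)


# Constructed sample flows from one host (not real data).
SAMPLE = [
    Flow("10.0.1.10", "10.0.1.20", 443),   # web VM -> app VM: kept
    Flow("10.0.1.20", "10.0.1.30", 5432),  # app VM -> db VM: dropped, 5432 not included
    Flow("10.0.1.10", "10.0.9.5", 443),    # web VM -> backup net: dropped by L3 exclude
    Flow("10.0.1.40", "10.0.1.50", 80),    # untapped VMs: never a candidate
]
POLICY = TapPolicy(tapped_hosts=("10.0.1.10", "10.0.1.20", "10.0.1.30"),
                   include_ports=frozenset({80, 443}),
                   exclude_nets=("10.0.9.0/24",))
```

Running `uncovered_hosts(POLICY, SAMPLE)` shows the database VM is tapped but never mirrored, which is the kind of gap to look for before trusting a new filter set.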

Because the tapping is done at the hypervisor level, no changes or reconfiguration are needed inside the guest VMs. You don’t install agents in the VMs or reconfigure their network adapters.

The vTAP solution also supports dynamic adaptation: e.g. if vMotion moves a VM to another host, the tap configuration is automatically adjusted to maintain the intended traffic mirroring.

The vTAP Manager can scale to manage thousands of VMs.


Key features

  • East-west (inter-VM) traffic visibility: captures intra-host communication that would otherwise be invisible to external monitors.
  • Filtering and aggregation: include/exclude rules at L3/L4 to reduce data volume and avoid overloading downstream tools.
  • Flexible export: traffic can be forwarded to any virtual or physical collector, packet broker, or analyser.
  • Centralised management: one GUI (or API) to configure tapping across all vCenters.
  • Automatic adaptation: policies adapt to topology changes (e.g. host migrations) without manual intervention.
  • Scalability on demand: you can grow visibility capabilities as your virtualization estate expands.

Profitap vTAP gives you “visibility plumbing” inside VMware environments, tapping and filtering VM traffic at source, without touching the VMs themselves.

Profitap Cloud TAP: visibility for Kubernetes & container environments

Profitap also offers Cloud TAP (sometimes called “Supervisor Cloud TAP”) aimed at Kubernetes environments — whether self-managed, EKS, AKS, GKE, or hybrid clusters.

How it works & what it offers

  • CNI-agnostic deployment: supports vanilla Kubernetes (with arbitrary CNI plugins) as well as managed distributions such as AWS EKS.
  • Kernel-level mirroring: taps traffic at the host kernel (rather than inside the pod/container), so traffic in/out of applications can be mirrored without modifying pods or container network configuration.
  • Service-to-pod granularity: filters can be applied at various levels (service, pod, port) so you only tap the traffic you’re interested in.
  • Smart encapsulation & transport: mirrored traffic can be encapsulated or tunneled as needed so it can traverse heterogeneous networks, cluster overlays, or cross-cloud paths.
  • Automated deployment & validation: tapping configuration is managed automatically and kept in sync with dynamic Kubernetes changes (e.g. pod scaling, node changes).
  • Unified export paths: traffic can be sent to Profitap packet brokers or external analysis/monitoring/security tools, allowing a unified observability plane across containers and VMs.

Thus, Cloud TAP brings the same principle (non-intrusive, filterable visibility) into containerized infrastructures.


Benefits in VMware + Kubernetes / hybrid cloud environments

Putting it all together, here are the key benefits of deploying a vTAP/Cloud TAP visibility plane in modern infrastructure stacks:

  1. End-to-end visibility across hybrid architectures

    With organisations increasingly adopting hybrid architectures (VMs, containers, multi-cloud), visibility is often fragmented. Using Profitap vTAP + Cloud TAP enables a unified visibility layer, allowing teams to trace flows across VM and container boundaries. For example, a front-end pod in Kubernetes might talk to a backend VM-hosted database — and you can capture and correlate traffic across that path.

  2. Non-disruptive deployment

    Since neither vTAP nor Cloud TAP requires agents inside the workloads, there is zero risk of disrupting application VMs or containers. You don’t need to touch guest OSes, reconfigure networking, or risk performance overhead inside your workloads.

  3. Deep insight into east-west traffic

    Much of the relevant traffic in VMware and Kubernetes environments is intra-host or inter-VM / inter-pod — exactly the traffic traditional monitoring misses. With vTAP, you get visibility into east-west VM traffic. With Cloud TAP, you extend that to pod-level communications. This is invaluable for:

    • Microservices debugging and latency analysis
    • Detecting lateral movement or suspicious internal flows
    • Performance bottlenecks caused by “chatty” internal flows

  4. Reduced data volumes via filtering & aggregation

    Mirroring everything is wasteful. Profitap’s filtering capability ensures that only traffic relevant to your tools — e.g. flows matching your inclusion criteria — is sent forward, saving bandwidth, tool load, and storage. In effect, you turn raw VM/container chatter into “actionable” data streams.

  5. Scalability and dynamic adaptation

    As your VM count or container count scales up, and as workloads migrate (e.g. via vMotion, autoscaling, rolling upgrades), the vTAP / Cloud TAP systems adapt automatically, maintaining correct tap coverage without manual reconfiguration.

  6. Faster troubleshooting, root-cause, and MTTR

    By having full visibility into traffic flows, ops and network teams can answer questions such as:

    • Which VM or pod is introducing latency or packet drops?
    • Is there congestion on specific internal links?
    • Were there retransmissions or HTTP errors inside east-west paths?
    • Did a configuration change cause traffic to shift or vanish?

    Having packet-level insight speeds root-cause resolution and lowers Mean Time To Repair (MTTR).

  7. Strengthened security, compliance, and forensics

    Capturing and retaining internal flows is important for anomaly detection, threat hunting (e.g. lateral movement, internal reconnaissance), and post-incident forensics. The visibility you gain helps security tools see beyond perimeter traffic. In addition, internal traffic logs can support compliance and auditing requirements.

  8. Unified observability toolchain integration

    Because the tapped and filtered traffic can be exported to physical or virtual packet brokers (or simply into existing security/monitoring stacks), you can integrate seamlessly with IDS/IPS, flow analyzers, SIEMs, APMs, and network analytics tools.

Use-case scenarios and real-world patterns

Here are a few illustrative scenarios where vTAP / Cloud TAP deliver real value:

  • Diagnosing microservices latency: Suppose microservice A (in Kubernetes) talks to microservice B (in a VM). Clients observe random slowdowns. With visibility across both sides, you can correlate timing, packet losses, retransmits, and isolate whether the issue is in the VM side or the container side.
  • Detecting east-west traffic anomalies: Perhaps a compromised VM is trying lateral movement (probing internal ports). Without internal visibility, this may go unnoticed; with vTAP, you can detect internal scanning or anomalous flows.
  • Service-level monitoring in hybrid deployments: In a hybrid stack where front-end services are containerised but backend services remain VM-hosted, your monitoring and troubleshooting can follow the full path across layers.
  • Capacity planning and unused flows: By monitoring what inter-VM or inter-pod flows exist (or not), one can refine network segmentation, firewall rules, or identify unnecessary traffic.
  • Incident forensics: When an outage or breach occurs, having captured internal flows (especially east-west) may reveal the full chain of events.
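The “detecting east-west traffic anomalies” scenario above describes spotting a VM that probes internal ports. As an added example (my own code, not a Profitap feature or the output format of any Profitap tool), here is a simple sliding-window heuristic a detection engineer might run over flow records derived from mirrored east-west traffic: a source that opens unanswered connections to many distinct ports or many distinct internal hosts within a short window is reported. The `FlowRecord` shape, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    ts: float       # seconds since capture start
    src: str
    dst: str
    dport: int
    syn_only: bool  # True when the TCP handshake never completed (probe/refused)


def scan_candidates(records, window=60.0, port_threshold=8, host_threshold=5):
    """Report sources whose unanswered connection attempts span at least
    `port_threshold` distinct ports or `host_threshold` distinct hosts inside
    any `window`-second span. Returns {src: (distinct_ports, distinct_hosts)}."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        if r.syn_only:                       # completed sessions are normal traffic
            by_src[r.src].append(r)
    alerts = {}
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:   # slide window forward
                start += 1
            win = recs[start:end + 1]
            ports = {r.dport for r in win}
            hosts = {r.dst for r in win}
            if len(ports) >= port_threshold or len(hosts) >= host_threshold:
                alerts[src] = (len(ports), len(hosts))
                break                        # first trigger is enough for an alert
    return alerts


# Constructed mirrored flow records (not real data): one benign web VM with a
# single refused connection, and one VM probing its neighbour on many ports.
SAMPLE = (
    [FlowRecord(0.0, "10.0.1.10", "10.0.1.20", 443, False),
     FlowRecord(5.0, "10.0.1.10", "10.0.1.30", 5432, True)]
    + [FlowRecord(100.0 + i, "10.0.1.20", "10.0.1.30", p, True)
       for i, p in enumerate((22, 135, 139, 445, 3389, 5985, 8080, 8443))]
)
```

Tune the thresholds against a baseline of your own east-west traffic; the sample values are only illustrative.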


Deployment considerations, best practices, and caveats

While vTAP / Cloud TAP are powerful tools, a few practical considerations must be kept in mind:

  • Host resource cost: Deploying vNPBs on hosts consumes CPU and memory (though relatively light). Sizing must be considered so taps don’t compete with application workloads.
  • Mirroring overhead: Even with filtering, mirrored traffic adds extra I/O load; careful planning is needed to avoid saturating host NICs or interconnects.
  • Filter design: Poorly designed include/exclude filters may either omit critical flows or overload downstream tools. Start with conservative filters and refine iteratively.
  • Scale limits: Documentation states that a vNPB supports up to 2048 MAC addresses per host, and up to 9 virtual switches per host.
  • License and configuration management: Managing tap policy consistency across environments (e.g. dev vs prod) is key. Backup and restore of configurations is supported.
  • Network path for mirrored traffic: The path used to export mirrored traffic must have sufficient capacity and low packet loss; encapsulation and MTU issues must be handled carefully (especially across cloud networks). Cloud TAP’s “smart encapsulation” is intended to help with this.
  • Security of tapped data: Mirrored traffic often contains sensitive data; guard the pipeline (encryption, access controls) of the mirrored stream.
  • Coordination with change control: Because vTAP must interact with vCenter, VDS, etc., it should be included in change control and security reviews.


Conclusion

Network visibility is a foundational requirement for performance, reliability, and security in virtualised and containerised infrastructures. Traditional tapping or span port techniques fall short in modern cloud-native environments.

Profitap’s vTAP (for VMware) and Cloud TAP (for Kubernetes) represent a sophisticated visibility plane that delivers packet-level insight with filtering, orchestration, and dynamic adaptation without touching the application workloads themselves. They help restore observability into east-west traffic, accelerate troubleshooting, strengthen security posture, and integrate with existing monitoring stacks across hybrid landscapes.

As enterprises continue to move to hybrid or even totally virtualised environments, such integrated visibility tools will become increasingly indispensable. Teams that adopt vTAP / Cloud TAP solutions position themselves to troubleshoot faster, enforce stronger security, and operate with deeper insight across evolving infrastructure.

Article written by Dom Fitzgibbon — TDS.