The Coffee Shop Network: Zero Trust Overlay Architecture for Enterprise Networks
There's an idea in enterprise networking that sounds like a contradiction: your corporate network should work like the Wi-Fi at a coffee shop.
Not the security model of a coffee shop. The design philosophy. No implicit trust in the physical network. Every device earns its access, every session is encrypted, and the underlying network is just a transport layer. Interchangeable. Unimportant.
If you design your office network the same way you'd design for a roaming employee at a Starbucks, you end up with something simpler to operate and harder to compromise. The industry is starting to call this "coffee shop networking," and we think the concept is directionally right. But most implementations we've seen stop short of what's actually possible.
The Traditional Network Has Become the Problem
The conventional enterprise network design looks like this: a corporate site with segmented VLANs, a /16 or larger address space carved up by function. VLAN 10 for servers, VLAN 20 for workstations, VLAN 30 for guests. 10.0.0.0/8 with every new site getting its own slice. Firewalls between segments. ACLs on the switches. A VPN concentrator for remote users.
This model made sense when applications lived in the data center and users sat at desks. The segmentation is complex to maintain, the VPN is a bottleneck, and the trust boundaries are drawn around physical infrastructure that's increasingly disconnected from where work actually happens. Once you're on the right VLAN, you have lateral movement. The implicit trust is the attack surface.
And yet, the operational weight of maintaining it all keeps growing. More firewall rules mean more misconfigurations. More VLANs mean more change windows. Your network team spends its time managing the complexity of the trust model instead of focusing on what the business actually needs to connect to.
What the Coffee Shop Model Gets Right
Instead of building concentric rings of trust based on physical location, you start from the assumption that the network is untrusted. Every connection is authenticated. Every session is encrypted. Access is granted per-user, per-device, per-resource, not per-network-segment.
William, one of our engineers, frames it this way: you can make nearly all of your physical access guest-only and unprivileged for human users, then use the overlay mesh to get users to what they need and only what they need.
For your LAN, that means you stop maintaining complex VLAN hierarchies with /22 subnets for infrastructure, clients, and guests, each with their own firewall rules, and instead run a flatter, simpler network. A few VLANs for IoT and infrastructure devices that can't run an agent. Everything else goes through the overlay.
This doesn't mean ripping out your existing switches and firewalls. The coffee shop model is additive. Your physical network stays in place, but the trust model migrates to the overlay. You can run both in parallel while you transition, moving user populations and resources at whatever pace makes sense for your organization. The network team's job shifts from managing segmentation complexity to managing access policy, which is where the actual security value is anyway.
The Hard Part Nobody Wants to Talk About: IP Address Deconfliction
When you tell network engineers "just use an overlay," the first question is always: what happens when address spaces collide?
This isn't a theoretical concern. It's probably the most common networking pain point in practice. You're sitting in an airport on 10.50.0.0/16. Your home lab is also on 10.50.0.0/16. Your office is on 10.0.0.0/8. Your client's network that you need to reach is on 172.16.0.0/12, which happens to be what the hotel Wi-Fi uses too.
Traditional VPNs break here. The OS sees two routes to the same prefix and picks the local one. Your tunnel is useless.
We wrote an entire blog post about this because it's a problem that most vendors either ignore or solve with workarounds that create their own operational burden. Handling addressing natively in the overlay is an architectural decision, not a band-aid. It makes IP conflicts a solved problem, which is what makes the coffee shop model viable in real environments, not just conference talks.
M&A, Multi-Site, and the Growth Problem
If you've ever been through an acquisition where both organizations run 10.0.0.0/8, you know the pain. Renumbering projects take months. They're disruptive, error-prone, and expensive.
With an overlay that handles addressing natively, the merge gets simpler. Each organization keeps its own IPv6 prefix. Resources are accessible through the mesh regardless of underlying address conflicts. No renumbering. No coordination war rooms.
The same applies to multi-site design. Traditional best practice says to start your address space at 10.128.0.0/9 and divide by half for new sites (10.192.0.0, then 10.160.0.0, then 10.144.0.0) so that adjacent space is available for growth and supernetting. It's a proven approach, but it requires upfront planning and breaks when you combine networks with another organization.
With the overlay, each site publishes its ranges and the mesh routes traffic. Address space coordination becomes optional rather than mandatory.
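The collisions described in the deconfliction section and the per-organization IPv6 prefix idea from the M&A section, as an added illustration that is not Bowtie's code: it flags overlapping IPv4 prefixes (the case a plain VPN cannot route) and then maps each (organization, IPv4 address) pair into that organization's own overlay prefix so two hosts that share 10.50.1.7 get distinct overlay addresses. The network names, the fd00::/8 prefixes and the NAT46-style embedding of the IPv4 address in the low 32 bits are assumptions for the example.

```python
import ipaddress

# Constructed sample: the networks a roaming user touches at once.
# The prefixes mirror the scenario in the post; the names are made up.
NETWORKS = {
    "airport-wifi": "10.50.0.0/16",
    "home-lab": "10.50.0.0/16",
    "office": "10.0.0.0/8",
    "client-site": "172.16.0.0/12",
    "hotel-wifi": "172.16.0.0/12",
}

# Assumption: each organization is handed a unique IPv6 /96 overlay
# prefix and a resource's IPv4 address is embedded in the low 32 bits.
# This is an illustrative NAT46-style scheme, not Bowtie's mechanism.
ORG_PREFIXES = {
    "office": "fd00:a::/96",
    "client-site": "fd00:b::/96",
    "home-lab": "fd00:c::/96",
}

def find_conflicts(networks):
    """Return name pairs whose prefixes overlap. For these the OS keeps a
    single route per destination, so a tunnel loses to the local LAN."""
    nets = {n: ipaddress.ip_network(p) for n, p in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def overlay_address(org, ipv4):
    """Map (org, IPv4) to an overlay IPv6 address unique across orgs."""
    prefix = ipaddress.ip_network(ORG_PREFIXES[org])
    return ipaddress.ip_address(int(prefix.network_address)
                                + int(ipaddress.ip_address(ipv4)))

def lookup_ipv4(overlay):
    """Reverse mapping: recover (org, IPv4) from an overlay address."""
    addr = ipaddress.ip_address(overlay)
    for org, p in ORG_PREFIXES.items():
        net = ipaddress.ip_network(p)
        if addr in net:
            host = int(addr) - int(net.network_address)
            return org, str(ipaddress.ip_address(host))
    raise ValueError(f"{overlay} is not in any known org prefix")
```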
Resilience: Coffee Shop Wi-Fi Is Unreliable, and So Is Everything Else
One more thing about coffee shop Wi-Fi: it drops. Bandwidth fluctuates. The network partitions.
If your zero trust overlay depends on a centralized control plane, unreliable transport means unreliable access. Bowtie's control plane uses CRDTs (Conflict-free Replicated Data Types) to synchronize state across controllers. Every controller holds a complete replica of the configuration. When controllers can't reach each other, they keep operating independently. When connectivity returns, they reconcile automatically.
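To make the reconciliation behaviour concrete, here is an added example (not Bowtie's implementation, whose CRDT types the post does not describe) of a last-writer-wins map of access-policy entries with a merge that is commutative, associative and idempotent. Two assumed controllers, ctrl-a and ctrl-b, each edit their full replica while partitioned; merging in either order yields the same policy, and concurrent writes to one key are settled by a deterministic (clock, controller id) tie-break rather than by a coordinator.

```python
from copy import deepcopy

class LWWPolicyMap:
    """Assumed CRDT: a map name -> (clock, controller_id, value) where the
    highest (clock, controller_id) wins and value None is a tombstone."""

    def __init__(self, controller_id):
        self.cid = controller_id
        self.clock = 0
        self.entries = {}

    def replica(self, controller_id):
        """A full copy of this state for another controller."""
        other = deepcopy(self)
        other.cid = controller_id
        return other

    def _tick(self):
        self.clock += 1
        return self.clock

    def set(self, name, value):
        self.entries[name] = (self._tick(), self.cid, value)

    def delete(self, name):
        self.entries[name] = (self._tick(), self.cid, None)

    def merge(self, other):
        """Per key, keep the entry with the larger (clock, cid). Applying
        this in any order, any number of times, converges on one state."""
        for name, entry in other.entries.items():
            mine = self.entries.get(name)
            if mine is None or entry[:2] > mine[:2]:
                self.entries[name] = entry
        self.clock = max(self.clock, other.clock)  # Lamport-style catch-up
        return self

    def policy(self):
        """Live policy: every entry that is not a tombstone."""
        return {n: v for n, (_, _, v) in self.entries.items() if v is not None}

def partition_demo():
    """Constructed scenario: a split, independent edits, then reconciliation."""
    a = LWWPolicyMap("ctrl-a")
    a.set("alice->db", {"allow": True})
    a.set("bob->web", {"allow": True})
    b = a.replica("ctrl-b")               # both hold the complete config
    a.set("alice->db", {"allow": True, "ports": [5432]})  # edit on A only
    a.set("dan->vpn", {"allow": True})    # concurrent write, clock 4 on A
    b.delete("bob->web")                  # removal on B only
    b.set("dan->vpn", {"allow": False})   # concurrent write, clock 4 on B
    b.set("carol->ci", {"allow": True})
    return deepcopy(a).merge(b).policy(), deepcopy(b).merge(a).policy()
```

The dan->vpn entry shows the tie-break: equal clocks, so the higher controller id wins on both sides and neither replica needs to ask the other which write came first.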
This matters in practice. Gateway-based ZTNA solutions terminate your connection and rebuild it on the other side. When the gateway hiccups, both halves break and your session is gone. Fast reconnects are the standard answer, but that's cold comfort when your SSH session dies mid-command or your file transfer restarts from zero.
Bowtie can use BGP to advertise client address pools directly to your infrastructure. Sessions survive controller failover because routes migrate, not session state. Your security team gets consistent policy enforcement, and your users get connections that stay up.
Simplify the Network
The physical network becomes a transport layer. The access control, segmentation, and identity-aware policy enforcement happen in the overlay. Every network your users connect to is just another coffee shop, and the security posture stays the same on all of them. Users simply open their laptop and go, wherever they're working.
If this sounds useful to you, reach out!