Private ethernet overlay networks over a shared ethernet in a virtual environment

Abstract

Methods, systems, and computer programs for implementing private Ethernet overlay networks over a shared Ethernet infrastructure in a virtual environment are presented. In one embodiment, a method includes an operation for sending a packet on a private virtual network from a first virtual machine (VM) in a first host to a second VM. The first and second VMs are members of a fenced group of computers that have exclusive direct access to the private virtual network, where VMs outside the fenced group do not have direct access to the packets that travel on the private virtual network. Further, the method includes encapsulating the packet at the first host to include a new header as well as a fence identifier for the fenced group. If the encapsulated packet is too big for the underlying network, the packet is fragmented for transmission between hosts. The packet is received at a host where the second VM is executing and the packet is de-encapsulated to extract the new header and the fence identifier. Additionally, the method includes an operation for delivering the de-encapsulated packet to the second VM after validating that the destination address in the packet and the fence identifier correspond to the destination address and the fence identifier, respectively, of the second VM. The private virtual network scheme is transparent to the VM's operating system, and unicast messaging within the fenced group improves network efficiency.