Software-defined networking (SDN) systems often include a plurality of physical host machines hosting hypervisors that run a plurality of virtual machines (VMs) (or other virtual computing instances, such as containers (e.g., Docker containers, data compute nodes, isolated user space instances, namespace containers)). The VMs may be interconnected as part of a logical network configured by a network controller. Hypervisors generally communicate with a controller cluster (also referred to as a central control plane (CCP)) to send and receive control messages, such as via a local control plane (LCP) that is part of the hypervisor. Generally, there are no direct channels for communicating control messages directly between hypervisors. However, there are circumstances in which one or more hypervisors need to react to a hypervisor restart event that happens on another host (e.g., a restart event resulting from a hypervisor crash on the other host). One such circumstance arises in the context of distributed network encryption (DNE).
DNE techniques generally involve security associations established between hypervisors using mutually agreed-upon keys (e.g., encryption/decryption keys), security protocols, and/or security parameter index (SPI) values. Once a security association is established between two hypervisors, they may communicate securely with one another using the keys, protocols, and/or SPI values. However, if a hypervisor restarts, any other hypervisors that share a security association with the restarted hypervisor need to be notified of the restart event so that new security associations may be established. Because there generally are no direct control messaging channels between hypervisors, the restarted hypervisor has no way of directly messaging other hypervisors after a restart event, for example to initiate procedures for establishing new security associations.
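
The failure mode described above can be seen in a toy model, added here as an illustration and not taken from the original text. The `Hypervisor` class, `establish_sa` and `demo` are hypothetical names, HMAC-SHA256 stands in for whatever security protocol the hosts agreed on, and the model assumes a receiver silently drops packets carrying an SPI it does not recognize.

```python
import hashlib
import hmac
import os


class Hypervisor:
    """Toy host (hypothetical model): SAs live only in memory."""

    def __init__(self, name):
        self.name = name
        self.outbound = {}  # peer name -> (spi, key)
        self.inbound = {}   # spi -> key
        self.dropped = 0    # packets discarded for an unknown SPI

    def restart(self):
        # A crash or restart wipes every SA this host held.
        self.outbound.clear()
        self.inbound.clear()

    def send(self, peer, payload):
        spi, key = self.outbound[peer.name]  # sender trusts its cached SA
        tag = hmac.new(key, spi.to_bytes(4, "big") + payload, hashlib.sha256).digest()
        # The boolean is for the demo only; a real sender gets no such signal.
        return peer.receive(spi, payload, tag)

    def receive(self, spi, payload, tag):
        key = self.inbound.get(spi)
        if key is None:  # SPI unknown after restart: drop silently
            self.dropped += 1
            return False
        good = hmac.new(key, spi.to_bytes(4, "big") + payload, hashlib.sha256).digest()
        return hmac.compare_digest(tag, good)


def establish_sa(a, b):
    """Install a fresh SPI and key for each direction (constructed values)."""
    for src, dst in ((a, b), (b, a)):
        spi = int.from_bytes(os.urandom(4), "big")
        key = os.urandom(32)
        src.outbound[dst.name] = (spi, key)
        dst.inbound[spi] = key


def demo():
    h1, h2 = Hypervisor("h1"), Hypervisor("h2")
    establish_sa(h1, h2)
    before = h1.send(h2, b"vm traffic")   # accepted
    h2.restart()
    after = h1.send(h2, b"vm traffic")    # dropped: h2 no longer knows the SPI
    return before, after, "h2" in h1.outbound, h2.dropped
```

After the restart, `h1` still holds its cached association for `h2` and keeps using it, while `h2` discards the traffic; nothing in `h1`'s own state indicates that the association is stale.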