A network enables the exchange of information between computing devices. A physical network includes hardware adapters, routers, switches, cabling, modems, or other hardware for forwarding data packets via physical network architecture. Of course, any of these physical devices may be implemented on commodity central processing unit (CPU) devices with software. A logical overlay network is a network abstraction that is decoupled from the underlying physical infrastructure and can include logical network components, such as, but not limited to, logical switches, routers, firewalls, load balancers, virtual network adapters, and/or logical ports. Virtual computing instances (VCI), such as virtual machines and namespace based containers, running on a host cluster share physical computing resources, as well as network resource access. This enables improved efficiency and flexibility in provisioning network resources within the host cluster.
Firewalls control input, output, and access to and from applications and/or services. Firewalls monitor and block input and output in accordance with configuration policies or that otherwise indicate intrusions, malformed communications, or other undesirable communications. However, current virtual network firewalls provide level four transport layer firewall capabilities, level three network layer security capabilities, and level two data link layer security. These services can be provided in physical devices, which can function with very high throughput performance using specialized application specific integrated circuit (ASIC) processors. However, such physical devices can only operate on the physical network layer, not the logical overlay network because the network packets operated on by these devices are encapsulated and potentially encrypted. Virtual network appliances written for general purpose CPUs can operate on or in a hypervisor, and therefore, secure the logical overlay network, but generally not at the levels of performance expected of hardware network appliances.