In virtualized computing systems, host machines generally host a plurality of virtual machines. In hosting virtual machines, a host machine may provide a virtual switch that connects the virtual machines running on the host so that they can communicate with other virtual machines on the same host as well as with virtual machines hosted on other hosts. For example, the virtual machines may be interconnected as part of a logical overlay network. Logical overlay networks may be implemented by the host by encapsulating egress packets from the virtual machines and decapsulating ingress packets. For example, Virtual Extensible Local Area Network (VXLAN) tunnel endpoint (VTEP) services for encapsulating packets (e.g., Geneve packets, VXLAN packets, etc.) may be implemented at each host or at a gateway. Edge VTEPs or hypervisor-based VTEPs are generally connected to virtual switches implemented by the hypervisor for virtual machines on the same physical host. Hardware VTEPs are often integrated into top-of-rack (TOR) switches, but could be provided as a stand-alone appliance for bridging logical overlay networks with physical networks. While the term “VTEP” originally refers to the VXLAN tunneling protocol, it is now often used regardless of the tunneling protocol. The host may refer to internally-maintained forwarding tables, populated by a control plane, to determine whether to encapsulate a packet and the targets of the encapsulation header based on the destination address of the original packet's header.
For example, a source virtual machine may generate an IP/MAC packet with the address of the source virtual machine set as the source address and the address of the destination virtual machine on a different host set as the destination address. The source virtual machine may send the packet to a virtual switch implemented on the same physical host as the source virtual machine. The virtual switch may, in accordance with forwarding tables associated with the virtual switch, be connected to a VTEP which encapsulates the packet received from the source virtual machine to generate an encapsulated packet. The original packet may be referred to as an inner packet, and the encapsulated packet may be referred to as an outer packet. Further, the header of the inner packet, which carries the address of the source virtual machine as the source address and the address of the destination virtual machine as the destination address, may be referred to as an inner header. The VTEP may further include an outer header as part of the outer packet. The outer header may include a source address of the VTEP (e.g., source VTEP) generating and transmitting the encapsulated packet, and further may include a destination address of the VTEP (e.g., destination VTEP) associated with the destination virtual machine. Accordingly, the outer header is used to forward the encapsulated packet through the overlay network from the source VTEP to the destination VTEP. The destination VTEP may then extract the inner packet and forward the original packet to a virtual switch connected to the destination VTEP, which forwards the original packet to the destination virtual machine based on the inner header of the decapsulated original packet.
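The encapsulation and decapsulation steps described above, as an added example that is not part of the original text: a constructed Python model of a VTEP wrapping an inner Ethernet frame in an outer IPv4/UDP/VXLAN header and of the destination VTEP unwrapping it. The VTEP addresses, VNI, inner frame, and the peer and VNI tables standing in for the control-plane forwarding tables are all assumed values; the receiving side drops malformed packets, packets from unknown VTEP peers, and packets for VNIs not configured locally.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field of the header is valid

def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    return struct.pack("!B3xI", VXLAN_FLAG_I, (vni & 0xFFFFFF) << 8)

def encapsulate(inner_frame, src_vtep, dst_vtep, vni):
    """Wrap the inner Ethernet frame in an outer IPv4/UDP/VXLAN header.
    The outer Ethernet header is omitted; VTEP addresses are dotted IPv4."""
    payload = vxlan_header(vni) + inner_frame
    udp_len = 8 + len(payload)
    # A zero UDP checksum is permitted for VXLAN over IPv4 (RFC 7348 sec. 5).
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    return ip + udp + payload

def decapsulate(outer, peer_vteps, local_vnis):
    """Parse an outer packet and return (src_vtep, vni, inner_frame).
    Raises ValueError for anything the receiving VTEP should drop: malformed
    headers, an unknown source VTEP, or a VNI not configured on this host."""
    if len(outer) < 36 or outer[0] != 0x45 or outer[9] != 17:
        raise ValueError("not a plain IPv4/UDP packet")
    total_len = struct.unpack("!H", outer[2:4])[0]
    src_vtep = socket.inet_ntoa(outer[12:16])
    _, dport, udp_len, _ = struct.unpack("!HHHH", outer[20:28])
    if dport != VXLAN_UDP_PORT or total_len != len(outer) or udp_len != len(outer) - 20:
        raise ValueError("wrong UDP port or inconsistent lengths")
    flags, vni_field = struct.unpack("!B3xI", outer[28:36])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is invalid")
    vni = vni_field >> 8
    if src_vtep not in peer_vteps:   # peer table populated by the control plane
        raise ValueError("source VTEP %s is not a known peer" % src_vtep)
    if vni not in local_vnis:
        raise ValueError("VNI %d is not configured on this VTEP" % vni)
    return src_vtep, vni, outer[36:]

# Constructed sample: inner frame from VM A (MAC 02:..:01) to VM B (MAC 02:..:02).
INNER = bytes.fromhex("020000000002" "020000000001" "0800") + b"inner IP payload"
PEERS = {"10.0.0.1", "10.0.0.2"}   # assumed VTEP peers learned from the control plane
VNIS = {5001}                      # assumed VNI of the logical overlay segment

def roundtrip():
    """Source VTEP 10.0.0.1 encapsulates toward 10.0.0.2, which decapsulates."""
    return decapsulate(encapsulate(INNER, "10.0.0.1", "10.0.0.2", 5001), PEERS, VNIS)
```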
In some aspects, physical machines that are not virtualized may be connected into the logical overlay network. For example, certain services (e.g., a file server, a database server, etc.) may run on a specific physical machine (e.g., a physical server) instead of in a virtual machine (VM) that is part of the overlay network. It may still be desirable, however, to connect the physical machine into the overlay network to gain the benefits of a software defined networking (SDN) solution. In order to couple the physical machines to the overlay network, hardware VTEPs may be utilized in the network to bridge packets between the physical machine's network and the overlay network. Securing the use of such hardware VTEPs, so as to protect the overlay network against attacks (e.g., denial of service (DoS) attacks), may be desirable.