This disclosure relates generally to computer system networking, and more particularly to creating network isolation between virtual machines.
In networking technology, virtual local area networks (VLANs) are used to isolate network traffic. However, in a cloud environment, it may not be possible to create enough VLANs to isolate traffic due to limitations on the physical Ethernet adapters and switches, for example. A physical computer may include several virtual machines (VMs), which are logical emulations of a physical computer. The physical computer may host multiple VMs, each sharing the hardware resources of the physical computer, and each emulating a physical computer. In a cloud environment, a physical computer may include VMs that may belong to different organizations within the same enterprise, or to several unrelated enterprises, each sharing the physical computing environment. In general, several VMs may share the same physical Ethernet adapter. Although one physical network adapter may be trunked, i.e., carry multiple VLANs, it may not be physically possible to create enough VLANs to keep traffic segregated, for example to ensure security and to maintain adequate performance.
To maintain network security, VLANs, internet protocol (IP) subnets and addresses, and media access control (MAC) addresses may be used to keep network traffic segregated among the different organizations. However, in a cloud environment an organization or enterprise may lease a VM for only a brief period of time, for example to process a monthly payroll. Consequently, VMs may be continually deployed and destroyed, resulting in repeated reuse of IP addresses and MAC addresses on the physical computer. This, along with the probability that VMs on a physical computer may belong to multiple enterprises, increases the challenge of isolating network traffic and keeping out external undesired network traffic.
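The address-reuse problem described above, as an added illustration that is not part of this disclosure: a constructed host model in which a forwarding filter keyed on MAC address alone keeps forwarding to a released MAC after it is reassigned to another tenant's VM, whereas a filter that resolves the MAC to the currently deployed VM and requires matching tenant and VLAN does not. All VM names, tenants, VLAN ids and MACs are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    vlan: int
    mac: str


class Host:
    """Constructed model of one physical host that carries VMs of several tenants."""

    def __init__(self):
        self.vms = {}        # name -> VM currently deployed on this host
        self.mac_owner = {}  # mac -> tenant; naive table that is never cleaned up

    def deploy(self, vm):
        self.vms[vm.name] = vm
        # Naive table: the first tenant seen with a MAC keeps it forever.
        self.mac_owner.setdefault(vm.mac, vm.tenant)

    def destroy(self, name):
        # The VM goes away, but the naive table retains its stale MAC->tenant entry.
        del self.vms[name]

    def naive_allows(self, src_mac, dst_mac):
        # Forward if both MACs were ever recorded under the same tenant (stale-prone).
        return self.mac_owner.get(src_mac) == self.mac_owner.get(dst_mac)

    def strict_allows(self, src_mac, dst_mac):
        # Resolve each MAC to the VM that holds it right now; require same tenant and VLAN.
        src = next((v for v in self.vms.values() if v.mac == src_mac), None)
        dst = next((v for v in self.vms.values() if v.mac == dst_mac), None)
        return (src is not None and dst is not None
                and src.tenant == dst.tenant and src.vlan == dst.vlan)


def address_reuse_scenario():
    """Tenant A's short-lived payroll VM is destroyed and its MAC is reused by tenant B."""
    host = Host()
    host.deploy(VM("payroll-a", "tenant-a", 10, "02:00:00:00:00:01"))
    host.deploy(VM("db-a", "tenant-a", 10, "02:00:00:00:00:02"))
    host.destroy("payroll-a")
    host.deploy(VM("batch-b", "tenant-b", 20, "02:00:00:00:00:01"))  # reused MAC
    return {
        "naive": host.naive_allows("02:00:00:00:00:01", "02:00:00:00:00:02"),
        "strict": host.strict_allows("02:00:00:00:00:01", "02:00:00:00:00:02"),
    }
```

`address_reuse_scenario()` returns `naive` as True (tenant B's frame would reach tenant A's database VM) and `strict` as False.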