The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by their inclusion in this section.
The vast majority of organizations today rely on computer systems and networks for an increasingly wide variety of business operations. As the reliance on these systems and networks has grown, so too has the importance of securing them against internal and external security threats. However, the breadth and complexity of the security threats targeting such systems and networks are considerable and continue to grow. To monitor and address these threats, organizations increasingly rely on sophisticated network security applications and hardware such as firewalls, anti-virus tools, data loss prevention software, etc.
One aspect of a network security application often involves monitoring and performing security operations on network traffic generated by monitored components of a computing environment. For example, a security application might use deep packet inspection (DPI) operations, data loss prevention (DLP) operations, and other services to analyze network traffic for the presence of potential security threats. In computing environments which include virtualized computing resources, for example, the network traffic to be monitored can include traffic generated by virtual machines (VMs) and applications running thereon.
Computing environments including VMs may further include one or more virtual switches (also referred to herein as a “vSwitch”), where a vSwitch manages network traffic for some number of VMs connected to virtualized ports of the vSwitch and forming one or more virtual local area networks (VLANs). The configuration of a vSwitch can also include port groups, where a port group is a logical grouping of vSwitch ports (and by extension the VMs connected to those ports). Furthermore, port groups of a vSwitch can be assigned to a trunk group, where a trunk group merges a group of virtual network links into a single logical link and can enable VLANs to span across different vSwitches.
While the ability to assign vSwitch ports to port groups and trunk groups can enable efficiencies in managing network traffic at the vSwitch, these configurations also present challenges for examining traffic routed by a vSwitch for security purposes. For example, assume a web application running on a first VM accesses a SQL server running on a second VM, reachable via a network routed by a vSwitch. In this example, a network administrator might desire to monitor and perform security operations on the network traffic sent by the first VM to the SQL server (e.g., to detect possible SQL injection attacks or other database-related threats), but to ignore other types of network traffic sent from the first VM and from other VMs on the same VLAN. If the VLAN is assigned to a trunk group (where the links of the trunk group are treated as a single logical link), then a security application can perform such security processing by routing the trunk group traffic through the security application. However, performing security processing on the trunk group traffic can involve processing a significant amount of traffic from other VMs and applications that is unrelated to the SQL traffic of the VM of interest.
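The following is an added example, not code from the original page or from any product it describes, that makes the cost in the preceding paragraph concrete. It parses minimal 802.1Q-tagged IPv4/TCP frames of the kind a trunk carries and selects only the frames sent by the VM of interest to the SQL server, then reports what fraction of the trunk's bytes a security application fed the whole trunk would have inspected for nothing. The frames, MAC and IP addresses, VLAN IDs and the SQL port (1433, assumed) are all constructed here for illustration.

```python
"""Select one VM's SQL traffic out of 802.1Q-tagged trunk traffic.

Added example (not from the original page). All frames below are
constructed inline; checksums are left at zero because nothing here
transmits them.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SQL_PORT = 1433  # assumed SQL server port for this example


@dataclass(frozen=True)
class Flow:
    vlan_id: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int  # whole frame length in bytes


def build_frame(vlan_id: int, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet + 802.1Q + IPv4 + TCP frame (sample data only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                         IPPROTO_TCP, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    eth_hdr = (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"  # placeholder MACs
               + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + tcp_hdr + payload


def parse_frame(frame: bytes) -> Optional[Flow]:
    """Return the Flow of a tagged IPv4/TCP frame, or None for anything else."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_VLAN:
        return None  # untagged frame (e.g. ARP): not a VLAN flow
    vlan_id = tci & 0x0FFF  # VID is the low 12 bits of the TCI
    (ethertype,) = struct.unpack("!H", frame[16:18])
    ip = frame[18:]
    if ethertype != ETHERTYPE_IPV4 or len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
        return None
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return Flow(vlan_id, str(ipaddress.IPv4Address(ip[12:16])),
                str(ipaddress.IPv4Address(ip[16:20])), src_port, dst_port, len(frame))


def is_sql_traffic_of_interest(flow: Flow, vm_ip: str, sql_ip: str,
                               sql_port: int = SQL_PORT) -> bool:
    """Request direction only: the VM of interest talking to the SQL server port."""
    return flow.src_ip == vm_ip and flow.dst_ip == sql_ip and flow.dst_port == sql_port


def triage_trunk(frames: List[bytes], vm_ip: str, sql_ip: str,
                 sql_port: int = SQL_PORT) -> Tuple[List[bytes], float]:
    """Split trunk frames into the ones a SQL-focused inspector needs and the rest.

    Returns (selected frames, fraction of trunk bytes that were irrelevant).
    """
    selected, total_bytes, selected_bytes = [], 0, 0
    for frame in frames:
        total_bytes += len(frame)
        flow = parse_frame(frame)
        if flow is not None and is_sql_traffic_of_interest(flow, vm_ip, sql_ip, sql_port):
            selected.append(frame)
            selected_bytes += len(frame)
    wasted = (total_bytes - selected_bytes) / total_bytes if total_bytes else 0.0
    return selected, wasted


# Constructed trunk traffic: VLAN 100 holds the web VM (10.0.1.10), the SQL VM
# (10.0.1.20), a web server (10.0.1.30) and another VM (10.0.1.11); VLAN 200 is unrelated.
SAMPLE_TRUNK = [
    build_frame(100, "10.0.1.10", "10.0.1.20", 50001, SQL_PORT, b"SELECT * FROM users WHERE id=1"),
    build_frame(100, "10.0.1.10", "10.0.1.20", 50001, SQL_PORT, b"SELECT * FROM users WHERE id=1 OR 1=1 --"),
    build_frame(100, "10.0.1.10", "10.0.1.30", 50002, 80, b"GET / HTTP/1.1\r\n"),
    build_frame(100, "10.0.1.11", "10.0.1.20", 50003, SQL_PORT, b"SELECT 1"),  # other VM, same VLAN
    build_frame(200, "10.0.2.5", "10.0.2.40", 50004, 445, bytes(400)),         # bulk traffic, other VLAN
    b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", 0x0806) + bytes(28),  # untagged ARP
]

if __name__ == "__main__":
    chosen, wasted = triage_trunk(SAMPLE_TRUNK, "10.0.1.10", "10.0.1.20")
    print(f"{len(chosen)} of {len(SAMPLE_TRUNK)} frames relevant; "
          f"{wasted:.0%} of trunk bytes would be inspected for nothing")
```

Note that the selector follows the passage and matches only the request direction. A stateful inspector that wants to reassemble the TCP conversation would also need the SQL server's replies, which doubles the matching rule but does not change the point: everything from the other VM on VLAN 100 and the whole of VLAN 200 is still carried over the same logical trunk link and has to be classified before it can be discarded.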