IO Overlay

IO Overlay / Software Defined Network

User-defined overlay network for guest VMs

The purpose of the HVX network layer (or virtual switch) is to create a secure, user-defined overlay network for guest VMs belonging to the application. This overlay network operates on top the cloud provider's network or even on top of multiple clouds simultaneously. The overlay network is completely user defined and can include multiple subnets, routers, and supplemental services such as DHCP and DNS servers. All of the network entities are operated by a virtual switch software component that resides in the HVX layer of each host VM. With this overlay network, the application is completely self-contained, it does not depend on any cloud provider network topologies or configurations. The only requirement is host connectivity to the cloud provider network. The application container formed by this overlay network enables easy duplication and mobility between different cloud operators without changing any networking parameters in the guest VMs.

P2P links, tunneling and isolation

When a distributed application is deployed, each virtual switch is configured with the application’s guest network topology. This allows the virtual switch to automatically create P2P links between the host VMs. These P2P links are used to create a virtual L2 network and to tunnel encapsulated Ethernet packet, thus creating complete isolation from the cloud provider network.

The packet forwarding logic in the HVX virtual switch is very similar to that of a regular network switch. For each virtual network device, the virtual switch creates a virtual port object that handles incoming and outgoing packets from the connected virtual NIC device. The virtual port learns MAC addresses of incoming packets and builds a forwarding table based on the MAC address. For broadcast frames, the virtual port floods the packet to all other distributed virtual ports in the same broadcast domain. Unicast frames are sent to their designated vPort based on  the learned data.

In addition, the virtual switch implements additional network services such as routers, DNS and DHCP servers. These entities operate just like their physical counterparts and enable building a complete and self-contained user-defined network for the application, that can then be deployed anywhere.