US11470071B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11470071-B2 |
| Application number | US-202016852553-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 20, 2020 |
| Priority date | Apr 20, 2020 |
| Publication date | Oct 11, 2022 |
| Grant date | Oct 11, 2022 |
Official abstract text for this publication.
Example methods and systems for authentication for logical overlay network traffic are described. In one example, a first computer system may detect an inner packet and generate authentication information associated with the inner packet based on control information from a management entity. The authentication information may indicate that the inner packet originates from a trusted zone. The first computer system may further generate an encapsulated packet by encapsulating the inner packet with an outer header that specifies the authentication information, and send the encapsulated packet towards the second virtualized computing instance to cause a second computer system to verify that the inner packet originates from the trusted zone based on the authentication information.
Opening claim text (preview).
We claim:

1. A method for a first computer system to perform authentication for logical overlay network traffic, the method comprising: detecting an inner packet having an inner header that is addressed from a first virtualized computing instance to a second virtualized computing instance; based on control information from a manager, generating authentication information associated with the inner packet, wherein the authentication information indicates that the inner packet originates from a trusted zone; generating an encapsulated packet by encapsulating the inner packet with an outer header specifying the authentication information, wherein the outer header is addressed from the first computer system to a second computer system; and sending the encapsulated packet towards the second virtualized computing instance to cause the second computer system to verify that the inner packet originates from the trusted zone based on the authentication information and to forward the inner packet towards the second virtualized computing instance.

2. The method of claim 1, wherein sending the encapsulated packet comprises: sending the encapsulated packet via a first virtual tunnel endpoint (VTEP) supported by the first computer system to a second VTEP supported by the second computer system, wherein the first VTEP is an open interface that is accessible by a source from a non-trusted zone.

3. The method of claim 2, wherein generating the authentication information comprises: identifying, by a managed bridge supported by the first computer system, authentication key information from the control information; and generating, by the managed bridge, the authentication information based on the authentication key information and the inner packet, wherein the second computer system is configured to verify the authentication information based on the same authentication key.

4. The method of claim 2, wherein generating the encapsulated packet comprises: generating the encapsulated packet using a transport bridge that is supported by the first computer system but not managed by the manager.

5. The method of claim 1, wherein generating the encapsulated packet comprises: configuring an option field in the outer header of the encapsulated packet to include the authentication information.

6. The method of claim 1, further comprising: receiving, from the second computer system or a third computer system, an ingress encapsulated packet that includes an ingress inner packet and an ingress outer header; extracting ingress authentication information from the ingress outer header; and based on the ingress authentication information and the control information from the manager, determining whether the ingress inner packet originates from the trusted zone.

7. The method of claim 6, further comprising: in response to determination that the ingress inner packet does not originate from the trusted zone, dropping the ingress inner packet.

8. A non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a first computer system, cause the processor to perform authentication for logical overlay network traffic, wherein the method comprises: detecting an inner packet having an inner header that is addressed from a first virtualized computing instance to a second virtualized computing instance; based on control information from a manager, generating authentication information associated with the inner packet, wherein the authentication information indicates that the inner packet originates from a trusted zone; generating an encapsulated packet by encapsulating the inner packet with an outer header specifying the authentication information, wherein the outer header is addressed from the first computer system to a second computer system; and sending the encapsulated packet towards the second virtualized computing instance to cause the second computer system to verify that the inner packet originates from the trusted zone based on the authentication information and to forward the inner packet towards the second virtualized computing instance.

9. The non-transitory computer-readable storage medium of claim 8, wherein sending the encapsulated packet comprises: sending the encapsulated packet via a first virtual tunnel endpoint (VTEP) supported by the first computer system to a second VTEP supported by the second computer system, wherein the first VTEP is an open interface that is accessible by a source from a non-trusted zone.

10. The non-transitory computer-readable storage medium of claim 9, wherein generating the authentication information comprises: identifying, by a managed bridge supported by the first computer system, authentication key information from the control information; and generating, by the managed bridge, the authentication information based on the authentication key information and the inner packet, wherein the second computer system is configured to verify the authentication information based on the same authentication key.

11. The non-transitory computer-readable storage medium of claim 9, wherein generating the encapsulated packet comprises: generating the encapsulated packet using a transport bridge that is supported by the first computer system but not managed by the manager.

12. The non-transitory computer-readable storage medium of claim 8, wherein generating the encapsulated packet comprises: configuring an option field in the outer header of the encapsulated packet to include the authentication information.

13. The non-transitory computer-readable storage medium of claim 8, wherein the method further comprises: receiving, from the second computer system or a third computer system, an ingress encapsulated packet that includes an ingress inner packet and an ingress outer header; extracting ingress authentication information from the ingress outer header; and based on the ingress authentication information and the control information from the manager, determining whether the ingress inner packet originates from the trusted zone.

14. The non-transitory computer-readable storage medium of claim 13, wherein the method further comprises: in response to determination that the ingress inner packet does not originate from the trusted zone, dropping the ingress inner packet.

15. A computer system, being a first computer system, comprising: a processor; and a non-transitory computer-readable medium having stored thereon instructions that, in response to execution by the processor, cause the processor to: detect an inner packet having an inner header that is addressed from a first virtualized computing instance to a second virtualized computing instance; based on control information from a manager, generate authentication information associated with the inner packet, wherein the authentication information indicates that the inner packet originates from a trusted zone; generate an encapsulated packet by encapsulating the inner packet with an outer header specifying the authentication information, wherein the outer header is addressed from the first computer system to a second computer system; and send the encapsulated packet towards the second virtualized computing instance to cause the second computer system to verify that the inner packet originates from the trusted zone based on the authentication information and to forward the inner packet towards the second virtualized computing instance.

16. The computer system of claim 15, wherein the instructions that cause the processor to send the encapsul
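The abstract and claims 1 through 7 describe the mechanism end to end: the managed bridge on the sending host derives authentication information from key material pushed by the manager and from the inner packet, a transport bridge places that information in an option field of the outer (VTEP-to-VTEP) header, and the receiving host recomputes it with the same key, forwarding the inner packet on a match and dropping it otherwise. The following Python is an added illustration written for this page, not code from the patent or its assignee. The patent does not name a concrete construction, so the use of a truncated HMAC-SHA256 tag, the outer-header layout (`_OUTER_FMT`), the option-type code `OPT_TYPE_AUTH`, the shape of `MANAGER_CONTROL_INFO`, and the sample packets are all assumptions made here.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample "control information" as a manager might push to a host.
# Hypothetical encoding: the claims say a key comes from the manager, not how it is carried.
MANAGER_CONTROL_INFO = {
    "auth_key": bytes.fromhex(
        "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
    ),
}

TAG_LEN = 16            # assumption: a 128-bit truncated HMAC-SHA256 tag is carried
OPT_TYPE_AUTH = 0x01    # hypothetical option-type code for the authentication option
_OUTER_FMT = "!4s4sBB"  # assumed outer header: src VTEP, dst VTEP, option type, option length
_OUTER_LEN = struct.calcsize(_OUTER_FMT)


def generate_auth_info(control_info: dict, inner_packet: bytes) -> bytes:
    """Managed-bridge step (claim 3): authentication information derived from the
    manager's key and the inner packet. HMAC is an assumption of this example."""
    key = control_info["auth_key"]
    return hmac.new(key, inner_packet, hashlib.sha256).digest()[:TAG_LEN]


def encapsulate(src_vtep: str, dst_vtep: str, inner_packet: bytes, auth_info: bytes) -> bytes:
    """Transport-bridge step (claims 4 and 5): outer header addressed VTEP to VTEP,
    with the authentication information in an option field, followed by the inner packet."""
    outer = struct.pack(
        _OUTER_FMT,
        ipaddress.IPv4Address(src_vtep).packed,
        ipaddress.IPv4Address(dst_vtep).packed,
        OPT_TYPE_AUTH,
        len(auth_info),
    )
    return outer + auth_info + inner_packet


def send_from_trusted_zone(control_info: dict, src_vtep: str, dst_vtep: str,
                           inner_packet: bytes) -> bytes:
    """First computer system (claim 1): detect the inner packet, tag it, encapsulate it."""
    tag = generate_auth_info(control_info, inner_packet)
    return encapsulate(src_vtep, dst_vtep, inner_packet, tag)


def receive_and_verify(control_info: dict, encapsulated: bytes):
    """Second computer system (claims 6 and 7): extract the ingress authentication
    information, verify it with the same key, forward on success, drop otherwise.
    Returns ("forward", inner_packet) or ("drop", reason)."""
    if len(encapsulated) < _OUTER_LEN:
        return ("drop", "truncated outer header")
    _src, _dst, opt_type, opt_len = struct.unpack_from(_OUTER_FMT, encapsulated, 0)
    if opt_type != OPT_TYPE_AUTH or opt_len != TAG_LEN:
        return ("drop", "no valid authentication option in outer header")
    tag = encapsulated[_OUTER_LEN:_OUTER_LEN + opt_len]
    if len(tag) != opt_len:
        return ("drop", "truncated authentication option")
    inner = encapsulated[_OUTER_LEN + opt_len:]
    expected = generate_auth_info(control_info, inner)
    # Constant-time comparison so the verifier does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        return ("drop", "authentication failed: inner packet not from trusted zone")
    return ("forward", inner)


def demo() -> dict:
    """Three constructed scenarios: a tagged packet from the trusted zone, a packet
    injected at the open VTEP with a bogus tag, and a packet modified in transit."""
    inner = b"constructed-inner: VM1 -> VM2 | payload"
    good = send_from_trusted_zone(MANAGER_CONTROL_INFO, "10.0.0.1", "10.0.0.2", inner)
    bogus = encapsulate("192.0.2.99", "10.0.0.2", b"constructed-spoof", b"\x00" * TAG_LEN)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    return {
        "trusted": receive_and_verify(MANAGER_CONTROL_INFO, good),
        "bogus_tag": receive_and_verify(MANAGER_CONTROL_INFO, bogus),
        "tampered": receive_and_verify(MANAGER_CONTROL_INFO, tampered),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict[0]} ({verdict[1]!r})")
```

The point of the receive side is that the open VTEP of claim 2 stays reachable from the non-trusted zone, yet nothing that arrives there is forwarded to a workload unless its tag verifies under the key only the manager-configured hosts hold; a packet without the option, with a guessed tag, or altered after tagging all end at the drop branch of claim 7.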
CPC classification titles:

- the source of the received data
- Isolation or security of virtual machine instances
- for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)
- Hypervisor-specific management and integration aspects
- Virtual private networks