A virtual switch connected to at least one virtual machine of multiple virtual machines communicatively connected through an overlay network, receives a data packet, each of the virtual machines configured within a separate one of multiple virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address. The virtual switch receives a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address. The virtual switch sends the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier.