For IP to evolve into a true carrier-grade transport facility, it needs to support fast resilience out-of-the-box. Unfortunately the de facto IP protection mechanism, Loop-Free Alternates (LFA), does no cover all possible failure scenarios that can show up in an operational network. The main concern in this paper is, correspondingly, to construct an overlay on top of the physical network, whereas virtual routers are provisioned that provide LFA protection to otherwise unprotected failure cases. Our main contribution is a new Resilient IP Overlay Design algorithm, which, in contrast to previous work, is guaranteed to terminate with a fully protected topology, runs in polynomial time, and eliminates all adverse LFA loops. According to the numerical evaluations the performance of our algorithm is on par with, or even better than, that of previous ones, lending itself as the first practically viable option to build highly resilient IP networks.