Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Some embodiments collect, each time a request for a new data message flow is initiated, a set of contextual attributes (i.e., context data) associated with the requested new data message flow. The method, in some embodiments, generates a correlation data set and provides the correlation data set to be included in flow data regarding the requested data message flow to be used by the analysis appliance to correlate context data and flow data received as separate data sets from multiple host computers.

Abstract: Some embodiments provide a method of identifying packet latency in a software defined datacenter (SDDC) that includes a network and multiple host computers executing multiple machines. At a first host computer, the method identifies and stores (i) multiple time values associated with several packet processing operations performed on a particular packet sent by a first machine executing on the first host computer, and (ii) a time value associated with packet transmission through the SDDC network from the first host computer to a second host computer that is a destination of the particular packet. The method provides the stored time values to a set of one or more controllers to process to identify multiple latencies experienced by multiple packets processed in the SDDC.

Abstract: This disclosure is directed to automated processes for attesting to trustworthiness of a host considered for connection to a data center network. The attestation process is performed in two attestation phases. In the first phase, attestation is performed on a smart network interface controller (“SNIC”) connected to an internal bus of the host using a first trusted platform module (“TPM”) of the SNIC. In the second phase, attestation is performed on the host by the SNIC using a second TPM connected to the internal bus of the host in response to a determination that the SNIC is trustworthy. The host is connected to the data center network in response to a determination by the SNIC that the host is trustworthy.

Abstract: A system and method for observing and controlling a programmable network via higher layer attributes is disclosed. According to one embodiment, the system includes one or more collectors and a remote network manager. The one or more collectors are configured to receive network traffic data from a plurality of network elements in the network. The remote network manager is configured to connect to the one or more collectors over the Internet via a network interface. The one or more collectors extract metadata from the network traffic data and send the metadata to the network manager.

Abstract: Some embodiments of the invention provide a novel method for performing firewall operations on a computer. The method of some embodiments instantiates first and second firewall processes on the computer. These two processes are two separate processes, which in some embodiments have separate memory allocations in the memory system of the computer. The method uses the first firewall process to examine a data message to determine whether an encryption based firewall policy (e.g., a TLS-based firewall policy) has to be enforced on the data message. Based on a determination that the encryption-based firewall policy has to be enforced on the data message, the method provides metadata, which is produced by the first firewall process in its examination of the data message, to the second firewall process. The second firewall process then uses the provided metadata to perform an encryption-based firewall operation based on the encryption-based firewall policy.

Abstract: Some embodiments provide a novel method of performing health monitoring for resources associated with a global server load balancing (GSLB) system. This system is implemented by several domain name system (DNS) servers that perform DNS services for resources located at several geographically separate sites. The method identifies several different groupings of the resources. It then assigns the health monitoring of the different resource groups to different DNS servers. The method then configures each particular DNS server (1) to send health monitoring messages to the particular group of resources assigned to the particular DNS server, (2) to generate data by analyzing responses to the sent health monitoring messages, and (3) to distribute the generated data to the other DNS servers. The method in some embodiments is performed by a set of one or more controllers.

Abstract: Techniques for managing namespaces in a multi-cluster management (MCM) system to facilitate multi-cluster application development are provided. In one set of embodiments, a computer system executing the MCM system can create a workspace for an application being developed by a software development team of an organization, where the workspace is a logical grouping of namespaces on which the application has been or will be deployed, and where at least a subset of the namespaces can belong to different clusters of the organization. The computer system can then assign a member of the development team as a workspace administrator of the workspace, thereby enabling that development team member to perform management tasks on the workspace and its member namespaces via the MCM system (e.g., creating and adding namespaces to the workspace, setting access/image/network policies on the workspace, etc.), without help from the organization's IT staff.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). A set of interfaces on each side of the network edge device for a set of equal cost paths, in some embodiments, are bonded together in the network edge device to correspond to a single interface on either side of a logical bridge including at least one logical switch providing a stateful service implemented by the network edge device. The bond is implemented, in some embodiments, by a bonding module executing on the network edge device that maintains a mapping between ingress and egress interfaces to allow deterministic forwarding through the network edge device in the presence of bonded interfaces.

Abstract: A method for creating overlay networking constructs to establish network connectivity between virtual routers and remote physical gateways is provided. An orchestrator receives a mapping between tenant network identifiers for multiple tenant networks and overlay network identifiers for multiple overlay networks. The orchestrator attaches a virtual router to a parent logical port of an overlay logical switch for connectivity between a physical gateway and the multiple tenant networks. The orchestrator creates multiple child logical ports that are sub-interfaces of the parent logical port. Each child logical port is uniquely identified by a tenant network identifier. The orchestrator connects multiple child logical switches to the multiple child logical ports according to the received mapping. Each child logical switch is uniquely identified by an overlay network identifier.

Abstract: Some embodiments provide a method of implementing context-aware routing for a software-defined wide-area network, at an SD-WAN edge forwarding element (FE) located at a branch network connected to the SD-WAN. The method receives, from an SD-WAN controller, geolocation route weights for each of multiple cloud datacenters across which a set of application resources is distributed. The application resources are all reachable at a same virtual network address. For each of the cloud datacenters, the method installs a route for the virtual network address between the branch network and the cloud datacenter. The routes have different total costs based at least in part on the geolocation metrics received from the SD-WAN controller. The SD-WAN edge FE selects between the routes to establish connections to the set of application resources.

Abstract: Techniques for implementing secure GPU virtualization using sandboxing are provided. In one set of embodiments, a hypervisor of a host system can receive one or more first graphics/compute commands issued by a guest application running within a VM of the host system. The hypervisor can further communicate the one or more first graphics/compute commands to a sandboxed software process that is separate from the hypervisor. The sandboxed software process can then translate the one or more first graphics/compute commands into one or more second graphics/compute commands and issue the one or more second graphics/compute commands for execution on a physical GPU.

Abstract: Rate limiting of cloud account change events and state management is described herein. One embodiment includes instructions to process each of a first stream of change events received from a cloud provider and associated with any assets of a particular public cloud account, determine that the first stream of change events exceeds a rate threshold, discard each of a second stream of change events received from the public cloud provider and associated with any assets of the particular public cloud account, query the cloud provider to perform a collection on all the assets of the particular public cloud account after a particular delay period, and process each of a third stream of change events received from the cloud provider and associated with any assets of the particular public cloud account responsive to a completion of the collection.

Abstract: A computer implemented processing service for efficient streaming of data input from one or more sources to one or more receivers is disclosed. The processing service includes a schema manager that receives commands from a tenant of the data stream processing service. The processing service includes a processing services gateway that validates the data and sends the data to a transformation processor. The transformation processor receives the data and parses the data into the one or more data formats in accordance with the instructions and sends the data in the one or more data formats to an egress service. The egress service outputs the data in the one or more data formats to the one or more receivers, each receiver receiving the data in a data pipeline in one of the one or more formats.

Abstract: Described herein are systems, methods, and software to manage power consumption in a software build environment. In one implementation, a monitoring service monitors power consumption information associated with a build environment for one or more software components. The monitoring service further identifies one or more trends associated with the power consumption information based at least on the power consumption information satisfying one or more criteria and generates a summary for display that indicates at least the one or more trends. The monitoring service may also identify and display as part of the summary one or more suggestions to improve power consumption based on the one or more trends.

Abstract: Some embodiments of the invention provide a method of sending data in a network that includes at least one worker node executing one or more sets of containers and a virtual switch, the virtual switch including a gateway interface, a virtual local area network (VLAN) tunnel interface, and a set of virtual Ethernet interfaces associated with the one or more sets of containers. The method configures the gateway interface of the worker node to associate the gateway interface with multiple subnets that are each associated with a namespace. The worker node executes at least (1) first and second sets of containers of a first namespace, and (2) a third set of containers of a second namespace. The method sends data between the first and second sets of containers through a first virtual Ethernet interface associated with the first set of containers and a second virtual Ethernet interface associated with the second set of containers.

Abstract: Some embodiments provide a method for performing data message processing at a smart NIC of a computer that executes a software forwarding element (SFE). The method stores (i) a set of cache entries that the smart NIC uses to process a set of received data messages without providing the data messages to the SFE and (ii) rule updates used by the smart NIC to validate the cache entries. After a period of time, the method determines that the rule updates are incorporated into a data message processing structure of the SFE. Upon incorporating the rule updates, the method deletes from the smart NIC (i) the rule updates and (ii) at least a subset of the cache entries.

Abstract: Techniques are disclosed for reallocating host resources in a virtualized computing environment when certain criteria have been met. In some embodiments, a system identifies a host disabling event. In view of the disabling event, the system identifies a resource for reallocation from a first host to a second host. Based on the identification, the computer system disassociates the identified resource's virtual identifier from the first host device and associates the virtual identifier with the second host device. Thus, the techniques disclosed significantly reduce a system's planned and unplanned downtime.

Abstract: An optimistic byzantine agreement protocol (the protocol) first tries to reach agreement via an efficient deterministic algorithm (synchronous protocol) that relies on synchrony for termination. If an agreement is not reached (e.g., due to asynchrony), the protocol uses a randomized asynchronous algorithm (asynchronous protocol) for fallback. Although randomized asynchronous algorithms are considered to be costly, the rationale here is to bound communication in non-synchronous runs after an equivalent cost has already paid.

Abstract: A disclosed example to determine a migration recommendation of a service between geographic regions includes: a graph generator to generate an interaction graph, the interaction graph including first and second nodes and an edge therebetween, the first node representative of a first service in a first geographic region, the second node representative of a second service in a second geographic region, and the edge representative of a network path of interactions between the first and second services; a weighing engine to determine a weight value of the edge between the first and second services based on a count of network interactions between the first and second services and a real-time latency between the first and second services; and a recommendation engine to generate a migration recommendation to migrate the first service to the second geographic region based on the weight value of the edge.

Abstract: Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.