Abstract: In an example, systems and methods enable automatic implementation of intent-based security policies in a network system, such as a software-defined wide area network system, in which network segment prefixes for network segments at one or more sites are dynamically learned. A service orchestrator controller translates an intent-based security policy input by a user to a security policy for a first site. The security policy for the first site specifies a segment-specific queryable resource associated with a second site. To implement the security policy, a device associated with the first site queries the segment-specific queryable resource associated with the second site, and updates one or more forwarding tables of the device with the network segment prefixes associated with one or more network segments at the second site received in response to the query. The first site forwards network traffic to the second site based on the updated forwarding tables.

Abstract: In general, techniques are described for determining reorder commands for remote reordering of policy rules. A device management system comprising a memory, a processor, and an interface may be configured to perform the techniques. A memory may store a currently configured policy for a managed network device and an updated policy for the managed device. The processor may determine a longest increasing subsequence (LIS) between a source list comprising the plurality of policy rules in a first ordering and a destination list of the plurality of policy rules in a second ordering. The processor may generate, based on the LIS, one or more policy configuration commands for the managed network device that direct the managed network device to conform the currently configured policy to the updated policy. The interface may output the one or more policy configuration commands to the managed network device.

Abstract: In an example, a method comprises obtaining, by a policy controller from a first SDN architecture system, flow metadata for packet flows exchanged among workloads of a distributed application deployed to the first SDN architecture system; identifying, using flow metadata for a packet flow of the packet flows, a source endpoint workload and a destination endpoint workload of the packet flow; generating a network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload of the packet flow; and adding the network policy rule to a configuration repository as configuration data for a second SDN architecture system to cause a deployment system to configure the second SDN architecture system with the network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload when the distributed application is deployed to the second SDN architecture system.

Abstract: A controller device manages a plurality of network devices. The controller device includes a memory comprising a configuration database including a set of stored network device configurations, wherein each stored network device configuration of the set of stored network device configurations corresponds to a network device of the set of network devices. Additionally, the controller device includes processing circuitry configured to receive an intent file corresponding to an intended configuration for the set of network devices; receive a message from a network device of the set of network devices indicating an out-of-band configuration change at the network device; and determine, based on a stored network device configuration corresponding to the network device and an actual configuration of the network device, whether the intent file is compatible with the out-of-band configuration change.

Abstract: In an example, a method comprises obtaining, by a policy controller from a first SDN architecture system, flow metadata for packet flows exchanged among workloads of a distributed application deployed to the first SDN architecture system; identifying, using flow metadata for a packet flow of the packet flows, a source endpoint workload and a destination endpoint workload of the packet flow; generating a network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload of the packet flow; and adding the network policy rule to a configuration repository as configuration data for a second SDN architecture system to cause a deployment system to configure the second SDN architecture system with the network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload when the distributed application is deployed to the second SDN architecture system.

Abstract: An example computing system includes one or more processing units implemented in circuitry and configured to: process an intent for configuration of a plurality of managed network devices, the intent representing authorization of access to capabilities of applications accessible to users of the managed network devices according to roles assigned to the users; receive advertised capabilities from a new application accessible to the users; receive a request for authorization to one of the capabilities of the new application from one of the users; determine one of the roles assigned to the one of the users; determine whether the intent grants authorization to the one of the capabilities according to the one of the roles; and grant the one of the users access to the one of the capabilities when the intent grants authorization to the one of the capabilities according to the one of the roles.

Abstract: A controller device manages a plurality of network devices. The controller device includes a memory comprising a configuration database including a set of stored network device configurations, wherein each stored network device configuration of the set of stored network device configurations corresponds to a network device of the set of network devices. Additionally, the controller device includes processing circuitry configured to receive an intent file corresponding to an intended configuration for the set of network devices; receive a message from a network device of the set of network devices indicating an out-of-band configuration change at the network device; and determine, based on a stored network device configuration corresponding to the network device and an actual configuration of the network device, whether the intent file is compatible with the out-of-band configuration change.

Abstract: In an example, a method includes processing, by an application programming interface (API) server implemented by a configuration node of a network controller for a software-defined networking (SDN) architecture system, requests for operations on native resources of a container orchestration system; processing, by a custom API server implemented by the configuration node, requests for operations on custom resources for SDN architecture configuration, wherein each of the custom resources for SDN architecture configuration corresponds to a type of configuration object in the SDN architecture system; detecting, by a control node of the network controller, an event on an instance of a first custom resource of the custom resources; and by the control node, in response to detecting the event on the instance of the first custom resource, obtaining configuration data for the instance of the first custom resource and configuring a corresponding instance of a configuration object in the SDN architecture.

Abstract: In an example, a method comprises obtaining, by a policy controller from a first SDN architecture system, flow metadata for packet flows exchanged among workloads of a distributed application deployed to the first SDN architecture system; identifying, using flow metadata for a packet flow of the packet flows, a source endpoint workload and a destination endpoint workload of the packet flow; generating a network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload of the packet flow; and adding the network policy rule to a configuration repository as configuration data for a second SDN architecture system to cause a deployment system to configure the second SDN architecture system with the network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload when the distributed application is deployed to the second SDN architecture system.

Abstract: A controller device manages a plurality of network devices. The controller device includes a memory comprising a configuration database including a set of stored network device configurations, wherein each stored network device configuration of the set of stored network device configurations corresponds to a network device of the set of network devices. Additionally, the controller device includes processing circuitry configured to receive an intent file corresponding to an intended configuration for the set of network devices; receive a message from a network device of the set of network devices indicating an out-of-band configuration change at the network device; and determine, based on a stored network device configuration corresponding to the network device and an actual configuration of the network device, whether the intent file is compatible with the out-of-band configuration change.

Abstract: In an example, systems and methods enable automatic implementation of intent-based security policies in a network system, such as a software-defined wide area network system, in which network segment prefixes for network segments at one or more sites are dynamically learned. A service orchestrator controller translates an intent-based security policy input by a user to a security policy for a first site. The security policy for the first site specifies a segment-specific queryable resource associated with a second site. To implement the security policy, a device associated with the first site queries the segment-specific queryable resource associated with the second site, and updates one or more forwarding tables of the device with the network segment prefixes associated with one or more network segments at the second site received in response to the query. The first site forwards network traffic to the second site based on the updated forwarding tables.