Abstract: Some embodiments provide a method for automatically configuring VPN gateways. The method receives a first configuration for a first VPN gateway located at a first datacenter. The configuration includes configuration data for a first set of VPNs connecting a first set of networks at the first datacenter to other networks at other datacenters. The method automatically modifies the configuration data to generate a second configuration for a second VPN gateway. The method configures the second VPN gateway using the second configuration to setup a second set of VPNs connecting a second set of networks to the other networks at the other datacenters.

Abstract: Embodiments described herein relate to load balancing using multiple CPUs. A method for tunnel creation according to a security protocol at a source tunnel endpoint (TEP) includes exchanging messages with a destination TEP to create a security association (SA) for the tunnel creation; sending a message to the destination TEP, wherein the message is an encrypted message based on the first message exchange, and the message includes a traffic selector of the source TEP and a number of available CPUs of the source TEP; receiving a message from the destination TEP, wherein the message is an encrypted message based on the first message exchange, and the message includes a traffic selector of the destination TEP and a number of available CPUs of the destination TEP; and determining a number of SAs to create with the destination TEP, wherein the determination is based on the traffic selectors and the number of available CPUs.

Abstract: The disclosure provides an approach for processing inter-network communications. Embodiments include configuring, by a management component of a data center, a first virtual private network (VPN) session between a first endpoint outside of the data center and a first gateway of the data center. Embodiments include configuring, by the management component, a second VPN session between a second endpoint outside of the data center and a second gateway of the data center. Embodiments include programming, by the management component, one or more network address translation (NAT) tables of the data center such that, for the first VPN session and the second VPN session, a single public network address of the data center is exposed to the first endpoint and the second endpoint.

Abstract: A method for direct communication between a source endpoint executing in a first datacenter and a destination endpoint executing in a second datacenter. The method receives, at a gateway of the second datacenter, a packet sent by the source endpoint, the packet having a header that includes a source IP address corresponding to a public IP address of the first datacenter, a destination IP address corresponding to a public IP address of the second datacenter, and source and destination port numbers. The method performs a DNAT process on the packet to replace at least the destination IP address in the header with a private IP address of the destination endpoint. The DNAT process identifies the private IP address by mapping the source and destination port numbers to the private IP address of the destination endpoint. The method then transmits the packet to the destination endpoint in the second datacenter.

Abstract: The disclosure provides an approach for processing communications between connected data centers. Embodiments include receiving, at a first gateway of a first data center from a second gateway of a second data center, one or more policies associated with traffic attributes. Embodiments include programming priority routes between the first gateway and the second gateway over a virtual private network (VPN) tunnel based on the one or more policies, wherein each of the priority routes is associated with a traffic attribute of the traffic attributes. Embodiments include providing the one or more policies to a central controller of the first data center and programming, by the central controller, one or more tables associated with a centrally-managed virtual switch based on the one or more policies. Embodiments include updating a database associated with each of a plurality of hosts based on the programming of the one or more tables.

Abstract: A method for direct communication between a source endpoint executing in a first datacenter and a destination endpoint executing in a second datacenter. The method receives, at a gateway of the second datacenter, a packet sent by the source endpoint, the packet having a header that includes a source IP address corresponding to a public IP address of the first datacenter, a destination IP address corresponding to a public IP address of the second datacenter, and source and destination port numbers. The method performs a DNAT process on the packet to replace at least the destination IP address in the header with a private IP address of the destination endpoint. The DNAT process identifies the private IP address by mapping the source and destination port numbers to the private IP address of the destination endpoint. The method then transmits the packet to the destination endpoint in the second datacenter.

Abstract: The disclosure provides an approach for service provisioning. Embodiments include receiving first configuration data related to a first network endpoint and second configuration data related to a second network endpoint. Embodiments include generating a service map based on the first configuration data and the second configuration data. Embodiments include receiving a request to provision a service between the first network endpoint and the second network endpoint. Embodiments include determining in response to the request and based on the service map, first service configuration data for the first network endpoint and second service configuration data for the second network endpoint. Embodiments include provisioning the service between the first network endpoint and the second network endpoint by pushing the first service configuration data to the first network endpoint and pushing the second service configuration data to the second network endpoint.

Abstract: The disclosure provides an approach for service provisioning. Embodiments include receiving first configuration data related to a first network endpoint and second configuration data related to a second network endpoint. Embodiments include generating a service map based on the first configuration data and the second configuration data. Embodiments include receiving a request to provision a service between the first network endpoint and the second network endpoint. Embodiments include determining in response to the request and based on the service map, first service configuration data for the first network endpoint and second service configuration data for the second network endpoint. Embodiments include provisioning the service between the first network endpoint and the second network endpoint by pushing the first service configuration data to the first network endpoint and pushing the second service configuration data to the second network endpoint.

Abstract: The disclosure provides an approach for service provisioning. Embodiments include receiving first configuration data related to a first network endpoint and second configuration data related to a second network endpoint. Embodiments include generating a service map based on the first configuration data and the second configuration data. Embodiments include receiving a request to provision a service between the first network endpoint and the second network endpoint. Embodiments include determining in response to the request and based on the service map, first service configuration data for the first network endpoint and second service configuration data for the second network endpoint. Embodiments include provisioning the service between the first network endpoint and the second network endpoint by pushing the first service configuration data to the first network endpoint and pushing the second service configuration data to the second network endpoint.