Patents by Inventor Jagwinder Singh Brar

Jagwinder Singh Brar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11876708
    Abstract: Systems and methods of interface-based ACLs in a virtual Layer-2 network. The method can include sending a packet from source compute instance in a virtual network to a destination compute instance via a destination virtual network interface card (destination VNIC) within a first virtual layer 2 network and evaluating an access control list (ACL) for the packet with a source virtual network interface card (source VNIC). ACL information relevant to the packet can be embedded in the packet. The VSRS can receive the packet and can identify the destination VNIC within the first virtual layer 2 network for delivery of the packet based on information received with the packet and mapping information contained within a mapping table. The VSRS can access ACL information from the packet and can apply the ACL information to the packet.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: January 16, 2024
    Assignee: Oracle International Corporation
    Inventors: Lucas Michael Kreger-Stickles, Shane Baker, Bryce Eugene Bockman, Peter Croft Jones, Jagwinder Singh Brar
  • Patent number: 11876710
    Abstract: The present disclosure provides dynamic routing for data flows to a customer network hosted in the cloud. A plurality of compute instances may share a common virtual IP address. Each of the plurality of compute instances may advertise information to a respective network virtualization device (NVD). The information may include the IP address, cost, and/or active/standby status of the compute instance. The NVD may then provide the information to the control plane of a virtual cloud network (VCN), which may aggregate the information from the plurality of compute instances and generate a forwarding table, which may be sent to the NVDs. These techniques may allow a customer to automatically remove a compute instance whose service host has failed. These techniques may also allow a customer to add compute instances and to route data flows according to an active-standby operation, an equal cost active-active operation, or an unequal cost active-active operation.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: January 16, 2024
    Assignee: Oracle International Corporation
    Inventors: Jagwinder Singh Brar, Shahab Zahedi, Myron Decker King, Ravi Sastry Aysola
  • Patent number: 11856097
    Abstract: A network interface card, such as a SmartNIC, is used to provide encryption, such as network encryption virtual function (NEVF), for a virtual machine, so that a customer can control network keys in a virtual cloud network. The NEVF includes a memory device (e.g., SRAM) and a crypto processor (e.g., a crypto core). The memory device stores a crypto key. The crypto processor uses the crypto key to encrypt data to and from a virtual machine in the virtual cloud network. A key management system can be used to securely transfer crypto keys to the NEVF. Having one NEVF per virtual machine can enable a customer to manage the crypto key for a virtual cloud network.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: December 26, 2023
    Assignee: Oracle International Corporation
    Inventors: Nachiketh Rao Potlapally, Pradeep Vincent, Jagwinder Singh Brar
  • Patent number: 11848918
    Abstract: For end-to-end encryption of a virtual cloud network, a VPN tunnel from a customer device is terminated at a host network headend device using encryption keys secured in hardware and managed by the customer. The network headend device can be a card in a bare-metal server with one or more network virtualization devices. The network headend device is configured to receive a first key provisioned by a customer; receive a first data packet sent from a device of the customer; and decrypt the first data packet using the first key to obtain information. A network virtualization device is configured to receive the information from the network headend device; ascertain that the information is to be sent to a virtual machine in a virtual cloud network; ascertain that data in the virtual cloud network is configured to be encrypted; and encrypt the information with a second key to generate a second data packet before routing the second data packet to the virtual machine.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: December 19, 2023
    Assignee: Oracle International Corporation
    Inventors: Nachiketh Rao Potlapally, Pradeep Vincent, Jagwinder Singh Brar
  • Patent number: 11831544
    Abstract: Systems and methods for a virtual layer-2 network are described herein. The method can include providing a virtual Layer 3 network in a virtualized cloud environment. The virtual Layer 3 network can be hosted by an underlying physical network. The method can include providing a virtual Layer 2 network in the virtualized cloud environment. The virtual Layer 2 network can be hosted by the underlying physical network.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: November 28, 2023
    Assignee: Oracle International Corporation
    Inventors: Lucas Michael Kreger-Stickles, Shane Baker, Bryce Eugene Bockman, Peter Croft Jones, Jagwinder Singh Brar
  • Publication number: 20230370421
    Abstract: Techniques are disclosed for scaling an IP address in overlay networks without using load balancers. In certain implementations, an overlay IP address can be attached to multiple compute instances via virtual network interface cards (VNICs) associated with the multiple compute instances. Traffic directed to the multi-attached IP address is distributed across the multiple compute instances. In some other implementations, ECMP techniques in overlay networks are used to scale an overlay IP address. In forwarding tables used for routing packets, the IP address being scaled is associated with multiple next hop paths to multiple network virtualization devices (NVDs) associated with the multiple compute instances. When a particular packet directed to the overlay IP address is to be routed, one of the multiple next hop paths is selected for routing the packet. This enables packets directed to the IP address to be distributed across the multiple compute instances.
    Type: Application
    Filed: July 19, 2023
    Publication date: November 16, 2023
    Applicant: Oracle International Corporation
    Inventors: Myron Decker King, Lucas Michael Kreger-Stickles, Jagwinder Singh Brar, Leonard Thomas Tracy
  • Publication number: 20230370371
    Abstract: Techniques are described for communications in an L2 virtual network. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Storm control information applicable to the L2 port is sent to a network virtualization device that hosts the L2 virtual network interface.
    Type: Application
    Filed: July 25, 2023
    Publication date: November 16, 2023
    Applicant: Oracle International Corporation
    Inventors: Jagwinder Singh Brar, Lucas Michael Kreger-Stickles, Bryce Eugene Bockman, Peter Croft Jones, Shane Baker
  • Patent number: 11818043
    Abstract: Systems and methods for highly-available host networking with active-active or active-backup traffic load-balancing are disclosed herein. The method can include selecting a compute instance from an overlay network residing on a substrate network, identifying a plurality of Network Virtualization Devices (“NVD”) for association with the compute instance, creating a loopback interface on each of the NVDs, each of which loopback interfaces can include a shared IP address that can be in the substrate layer, prepopulating a table in each of the NVDs, the table linking the shared IP address to the compute instance, and each of the plurality of NVDs advertising a unique route to the compute instance via the shared IP address.
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: November 14, 2023
    Assignee: Oracle International Corporation
    Inventors: Jagwinder Singh Brar, Bryce Eugene Bockman, Santosh Narayan Shilimkar
  • Patent number: 11818040
    Abstract: Systems and methods for a VLAN switching and routing service (VSRS) are disclosed herein. A method can include generating a table for an instance of a VSRS, which VSRS couples a first virtual layer 2 network (VLAN) with a second network. The table can contain information identifying IP addresses, MAC addresses, and virtual interface identifiers for instances within the virtual layer 2 network. The method can include receiving with the VSRS a packet from a first instance designated for delivery to a second instance within the virtual layer 2 network, identifying with the VSRS the second instance within the virtual layer 2 network for delivery of the packet based on information received with the packet and information contained within the table, and delivering the packet to the identified second instance.
    Type: Grant
    Filed: October 3, 2022
    Date of Patent: November 14, 2023
    Assignee: Oracle International Corporation
    Inventors: Lucas Michael Kreger-Stickles, Shane Baker, Bryce Eugene Bockman, Peter Croft Jones, Jagwinder Singh Brar
  • Publication number: 20230344778
    Abstract: Discussed herein is a framework that provisions for customized processing for different classes of traffic. A network device in a communication path between a source host machine and a destination host machine extracts a tag from a packet received by the network device. The packet originates at a source executing on the source host machine and whose destination is the destination host machine. The tag set by the source and indicative of a first traffic class to be associated with the packet, the first traffic class being selected by the source from a plurality of traffic classes. The network device determines, based on the tag, that the first traffic class corresponds to a bandwidth sensitive traffic and processes the packet using one or more settings configured at the network device for processing packets associated with the first traffic class.
    Type: Application
    Filed: September 26, 2022
    Publication date: October 26, 2023
    Applicant: Oracle International Corporation
    Inventors: Jagwinder Singh Brar, David Dale Becker, Jacob Robert Uecker, Lukasz Sulek, Marcin Jakub Zablocki, Santosh Narayan Shilimkar
  • Publication number: 20230344777
    Abstract: Discussed herein is a framework that provisions for customized processing for different classes of traffic. A network device in a communication path between a source host machine and a destination host machine extracts a tag from a packet received by the network device. The packet originates at a source executing on the source host machine and whose destination is the destination host machine. The tag set by the source and indicative of a first traffic class to be associated with the packet, the first traffic class being selected by the source from a plurality of traffic classes. The network device determines the first traffic class based on the tag extracted from the packet and processes the packet based on the first traffic class.
    Type: Application
    Filed: September 26, 2022
    Publication date: October 26, 2023
    Applicant: Oracle International Corporation
    Inventors: Jagwinder Singh Brar, David Dale Becker, Jacob Robert Uecker, Lukasz Sulek, Marcin Jakub Zablocki, Santosh Narayan Shilimkar
  • Publication number: 20230328152
    Abstract: When a cloud services provider infrastructure (CSPI) receives a request from an administrator to perform an operation on an appliance, a load balancer may select a first server within the CSPI to process the request. If the first server does not have a connection with the appliance, the first server may generate a redirect response that includes server identification information identifying a particular server having a pre-established connection with the appliance. The first server may send the redirect response to the application that the administrator used to send the request. The application may then generate a second request that includes the server identification information, and send the second request to the CSPI. A load balancer in the CSPI may then forward the second request to the particular server, and the particular server may use the pre-established connection to send a request to the appliance requesting performance of the operation.
    Type: Application
    Filed: June 13, 2023
    Publication date: October 12, 2023
    Applicant: Oracle International Corporation
    Inventors: Sanjeeb Kumar Sahoo, Jagwinder Singh Brar
  • Patent number: 11777849
    Abstract: Systems and methods for transparent high availability for multi-customer support with hypervisor based bond implementation. The method can include creating a network path bond between a plurality of compute instances and a plurality of Network Virtualization Devices (“NVD”), the network path bond comprising a plurality of network paths, identifying a monitoring bond coupling the plurality of NVDs to a monitoring agent, creating a number of monitoring VNICs, each of the number of monitoring VNICs residing in one of the plurality of NVDs, overlaying a unique IP address to each of the monitoring VNICs, determining with the monitoring agent a health of at least one of network paths, the network paths including an active network path and an inactive network path, and activating the inactive network path when the active network path fails.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: October 3, 2023
    Assignee: Oracle International Corporation
    Inventors: Santosh Narayan Shilimkar, Bryce Eugene Bockman, Jagwinder Singh Brar
  • Patent number: 11765080
    Abstract: Techniques are described for communications in an L2 virtual network. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Span port information applicable to the L2 port is sent to a network virtualization device that hosts the L2 virtual network interface.
    Type: Grant
    Filed: October 5, 2021
    Date of Patent: September 19, 2023
    Assignee: Oracle International Corporation
    Inventors: Jagwinder Singh Brar, Lucas Michael Kreger-Stickles, Bryce Eugene Bockman, Peter Croft Jones, Shane Baker
  • Patent number: 11757773
    Abstract: Techniques are described for communications in an L2 virtual network. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Storm control information applicable to the L2 port is sent to a network virtualization device that hosts the L2 virtual network interface.
    Type: Grant
    Filed: October 5, 2021
    Date of Patent: September 12, 2023
    Assignee: Oracle International Corporation
    Inventors: Jagwinder Singh Brar, Lucas Michael Kreger-Stickles, Bryce Eugene Bockman, Peter Croft Jones, Shane Baker
  • Publication number: 20230283549
    Abstract: Techniques for loop prevention while allowing multipath in a virtual L2 network are described. In an example, a network virtualization device can generate a first L2 bridge protocol data unit by applying a first loop detection protocol specific to only the first port and the first host machine. The network virtualization device can transmit, to the first compute instance via the first port, a first frame that includes the first L2 BPDU. The network virtualization device can receive, from the first compute instance via the first port, a second frame. The network virtualization device can determine that the second frame comprises the first L2 BPDU. The network virtualization device can determine that a loop exists between the network virtualization device and the first compute instance based on the first loop detection protocol and the first L2 BPDU of the second frame.
    Type: Application
    Filed: May 11, 2023
    Publication date: September 7, 2023
    Applicant: Oracle International Corporation
    Inventors: Jagwinder Singh Brar, Shane Baker, Leonard Thomas Tracy, Steven Chervets, Bryce Eugene Bockman
  • Patent number: 11743233
    Abstract: Techniques are disclosed for scaling an IP address in overlay networks without using load balancers. In certain implementations, an overlay IP address can be attached to multiple compute instances via virtual network interface cards (VNICs) associated with the multiple compute instances. Traffic directed to the multi-attached IP address is distributed across the multiple compute instances. In some other implementations, ECMP techniques in overlay networks are used to scale an overlay IP address. In forwarding tables used for routing packets, the IP address being scaled is associated with multiple next hop paths to multiple network virtualization devices (NVDs) associated with the multiple compute instances. When a particular packet directed to the overlay IP address is to be routed, one of the multiple next hop paths is selected for routing the packet. This enables packets directed to the IP address to be distributed across the multiple compute instances.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: August 29, 2023
    Assignee: Oracle International Corporation
    Inventors: Myron Decker King, Lucas Michael Kreger-Stickles, Jagwinder Singh Brar, Leonard Thomas Tracy
  • Publication number: 20230269178
    Abstract: Techniques for controlling packet flows through the generation of packet flow rules are described. In an example, a network virtualization device receives network data. The network virtualization device determines a set of networks of a virtual network based on the network data. The network virtualization device receives flow data of the customer. The network virtualization device generates a packet flow rule based on the flow data and the set of networks. The packet flow rule defines a network boundary of one or more networks such that a first packet having a destination within the network boundary can flow and such that a second packet having a destination outside of the network boundary is to be dropped. The network virtualization device stores the packet flow rule in association with the compute instance.
    Type: Application
    Filed: April 21, 2023
    Publication date: August 24, 2023
    Applicant: Oracle International Corporation
    Inventors: Shane Baker, Santosh Narayan Shilimkar, Jagwinder Singh Brar
  • Publication number: 20230261985
    Abstract: Techniques for controlling packet flows are described. In an example, a packet is sent on a virtual network. The packet’s header includes scoping data that indicates a network boundary within which the packet is permitted and/or prohibited to flow. A network virtualization device of a substrate network receives the packet. The network virtualization device determines the scoping data from the header and, based on network configuration information, determines the forward flow of the packet. If the forward flow falls within a permitted network boundary indicated by the scoping data, the network virtualization device sends the packet forward. Otherwise, the packet is dropped.
    Type: Application
    Filed: April 21, 2023
    Publication date: August 17, 2023
    Applicant: Oracle International Corporation
    Inventors: Shane Baker, Santosh Narayan Shilimkar, Jagwinder Singh Brar
  • Patent number: 11722580
    Abstract: When a cloud services provider infrastructure (CSPI) receives a request from an administrator to perform an operation on an appliance, a load balancer may select a first server within the CSPI to process the request. If the first server does not have a connection with the appliance, the first server may generate a redirect response that includes server identification information identifying a particular server having a pre-established connection with the appliance. The first server may send the redirect response to the application that the administrator used to send the request. The application may then generate a second request that includes the server identification information, and send the second request to the CSPI. A load balancer in the CSPI may then forward the second request to the particular server, and the particular server may use the pre-established connection to send a request to the appliance requesting performance of the operation.
    Type: Grant
    Filed: July 28, 2021
    Date of Patent: August 8, 2023
    Assignee: Oracle International Corporation
    Inventors: Sanjeeb Kumar Sahoo, Jagwinder Singh Brar