Abstract: Some embodiments provide a method for a managed forwarding element (MFE). At the MFE, the method receives a first packet from a particular tunnel endpoint. The first packet originates from a particular data compute node associated with multiple tunnel endpoints including the particular tunnel endpoint. Based on the first packet, the method stores an association of the particular tunnel endpoint with the particular data compute node. The method uses the stored association to encapsulate subsequent packets received at the MFE and having the particular data compute node as a destination address with the particular tunnel endpoint as a destination tunnel endpoint.

Abstract: The method of some embodiments allocates a secondary network interface for a pod, which has a primary network interface, in a container network operating on an underlying logical network. The method receives an ND that designates a network segment. The method receives the pod, wherein the pod includes an identifier of the ND. The method then creates a secondary network interface for the pod and connects the secondary network interface to the network segment. In some embodiments, the pods include multiple ND identifiers that each identify a network segment. The method of such embodiments creates multiple secondary network interfaces and attaches the multiple network segments to the multiple secondary network interfaces.

Abstract: Certain embodiments described herein are generally directed to handling a hypervisor restart event in a distributed network system. Embodiments include receiving, by a central controller, a session identifier from a first hypervisor. Embodiments further include comparing, by the central controller, the session identifier to a stored session identifier associated with the first hypervisor. Embodiments further include determining, by the central controller based on the session identifier not matching the stored session identifier associated with the first hypervisor, that the first hypervisor has restarted. Embodiments further include updating, by the central controller, the stored session identifier associated with the first hypervisor to match the session identifier. Embodiments further include identifying, by the central controller, a second hypervisor that is associated with the first hypervisor.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.

Abstract: Some embodiments provide a method of tracking errors in a container cluster network overlaying a software defined network (SDN), sometimes referred to as a virtual network. The method sends a request to instantiate a container cluster network object to an SDN manager of the SDN. The method then receives an identifier of a network resource of the SDN for instantiating the container cluster network object. The method associates the identified network resource with the container cluster network object. The method then receives an error message regarding the network resource from the SDN manager. The method identifies the error message as applying to the container cluster network object. The error message, in some embodiments, indicates a failure to initialize the network resource. The container cluster network object may be a namespace, a pod of containers, or a service.

Abstract: Some embodiments provide a novel secure method for suppressing address discovery messaging. In some embodiments, the method receives an address discovery record that provides a network address associated with a machine connected to a network. The method then identifies a set of one or more rules for evaluating the received address discovery record to determine whether the address discovery record or its provided network address should be distributed to one or more hosts and/or devices associated with the network. The method then processes the set of rules to determine whether the received address discovery record violates a rule in the set of rules so as to prevent the distribution of its provided network address. When the address discovery record violates a rule, the method discards it in some embodiments.

Abstract: Some embodiments provide a local network controller that manages a first managed forwarding element (MFE) operating to forward traffic on a host machine for several logical networks and configures the first MFE to forward traffic for a set of containers operating within a container virtual machine (VM) that connects to the first MFE. The local network controller receives, from a centralized network controller, logical network configuration information for a logical network to which the set of containers logically connect. The local network controller receives, from the container VM, a mapping of a tag value used by a second MFE operating on the container VM to a logical forwarding element of the logical network to which the set of containers connect. The local network controller configures the first MFE to apply the logical network configuration information to data messages received from the container VM that are tagged with the tag value.

Abstract: Some embodiments provide a method for a managed forwarding element (MFE). At the MFE, the method receives a first packet from a particular tunnel endpoint. The first packet originates from a particular data compute node associated with multiple tunnel endpoints including the particular tunnel endpoint. Based on the first packet, the method stores an association of the particular tunnel endpoint with the particular data compute node. The method uses the stored association to encapsulate subsequent packets received at the MFE and having the particular data compute node as a destination address with the particular tunnel endpoint as a destination tunnel endpoint.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML, files.

Abstract: Some embodiments provide a local network controller that manages a first managed forwarding element (MFE) operating to forward traffic on a host machine for several logical networks and configures the first MFE to forward traffic for a set of containers operating within a container virtual machine (VM) that connects to the first MFE. The local network controller receives, from a centralized network controller, logical network configuration information for a logical network to which the set of containers logically connect. The local network controller receives, from the container VM, a mapping of a tag value used by a second MFE operating on the container VM to a logical forwarding element of the logical network to which the set of containers connect. The local network controller configures the first MFE to apply the logical network configuration information to data messages received from the container VM that are tagged with the tag value.

Abstract: A computing system and method for providing a service for a guest container-based cluster of the computing system utilizes a translated service software object created in a supervisor container-based cluster of the computing system to create at least one resource to support the service requested for the guest container-based cluster. The translated service software object is created in response to a service software object being created in the guest container-based cluster. In response to the translated service software object being created in the supervisor container-based cluster, at least one service-related software object is then created in the supervisor container-based cluster that corresponds to the translated service software object.

Abstract: A computing system and method for providing a service for a guest container-based cluster of the computing system utilizes a translated service software object created in a supervisor container-based cluster of the computing system to create at least one resource to support the service requested for the guest container-based cluster. The translated service software object is created in response to a service software object being created in the guest container-based cluster. In response to the translated service software object being created in the supervisor container-based cluster, at least one service-related software object is then created in the supervisor container-based cluster that corresponds to the translated service software object.

Abstract: A method of creating containers in a physical host that includes a managed forwarding element (MFE) configured to forward packets to and from a set of data compute nodes (DCNs) hosted by the physical host. The method creates a container DCN in the host. The container DCN includes a virtual network interface card (VNIC) configured to exchange packets with the MFE. The method creates a plurality of containers in the container DCN. The method, for each container in the container DCN, creates a corresponding port on the MFE. The method sends packets addressed to each of the plurality of containers from the corresponding MFE port to the VNIC of the container DCN.

Abstract: Some embodiments of the invention provide a novel network architecture for deploying guest clusters (GCs) including workload machines for a tenant (or other entity) within an availability zone. The novel network architecture includes a virtual private cloud (VPC) deployed in the availability zone (AZ) that includes a centralized routing element that provides access to a gateway routing element of the AZ. In some embodiments, the centralized routing element provides a set of services for packets traversing a boundary of the VPC. The services, in some embodiments, include load balancing, firewall, quality of service (QoS) and may be stateful or stateless. Guest clusters are deployed within the VPC and use the centralized routing element of the VPC to access the gateway routing element of the AZ.

Abstract: Some embodiments provide a method for a module executing on a Kubernetes node in a cluster. The method retrieves data regarding ongoing connections processed by a forwarding element executing on the node. The method maps the retrieved data to Kubernetes concepts implemented in the cluster. The method exports the retrieved data along with the Kubernetes concepts to an aggregator that receives data regarding ongoing connections from a plurality of nodes in the cluster.

Abstract: Some mbodiments provide a method for an agent executing on a Kubernetes node in a cluster. The method instructs a forwarding element that also executes on the node to process a flow tracing packet. From the forwarding element, the method receives a message indicating a set of flow entries matched by the flow tracing packet as the forwarding element processes the flow tracing packet. For each flow entry of at least a subset of the flow entries matched by the flow tracing packet, the method generates mapping data that maps elements of the flow entry to Kubernetes concepts implemented in the cluster. The method reports data regarding the set of flow entries along with the generated mapping data.

Abstract: Certain embodiments described herein are generally directed to consistent processing of transport node network configuration data in a physical sharding architecture. For example, in some embodiments a first central control plane (CCP) node of a plurality of CCP nodes determines a sharding table, which is shared by the plurality of CCP nodes. In certain embodiments, the first CCP node determines a connection establishment between a first transport node and the first CCP node. In some embodiments, if the first CCP node determines, based on the sharding table, that it is a physical master of the first transport node, the first CCP node receives network configuration data from the first transport node, stores at least a portion of the network configuration data, and transmits a data update comprising at least a portion of the network configuration data to a shared data store accessible by the plurality of CCP nodes.

Abstract: A method of creating containers in a physical host that includes a managed forwarding element (MFE) configured to forward packets to and from a set of data compute nodes (DCNs) hosted by the physical host. The method creates a container DCN in the host. The container DCN includes a virtual network interface card (VNIC) configured to exchange packets with the MFE. The method creates a plurality of containers in the container DCN. The method, for each container in the container DCN, creates a corresponding port on the MFE. The method sends packets addressed to each of the plurality of containers from the corresponding MFE port to the VNIC of the container DCN.

Abstract: Some embodiments provide a method that receives a request for flow entries associated with a particular Kubernetes concept. The method identifies flow entries that match the request. For each flow entry that matches the request, the method generates mapping data that maps elements of the flow entry to additional Kubernetes concepts. The method provides the flow entries with the mapping data in response to the request.

Abstract: Example methods and systems for container-based connectivity check in a software-defined networking (SDN) environment are disclosed. One example method may comprise detecting, a request for a connectivity check between a first container-based resource and a second container-based resource; identifying a first logical network element and a second logical network element; and injecting a connectivity check packet at the first logical network element for forwarding towards the second logical network element. The example method also may comprise: obtaining report information associated with one or more intermediate logical network elements located along a path that is traversed by the connectivity check packet; and determining a connectivity status associated with the first container-based resource and the second container-based resource based on the report information.