Patents Assigned to Aviatrix Systems, Inc.
-
Patent number: 12267239
Abstract: In one embodiment, a cloud connection appliance features a processor and a non-transitory storage medium. The non-transitory storage medium comprises management control logic, that when executed by the processor, controls registration with a controller adapted to control data traffic between gateway instance and to establish a communication path including a reverse tunnel with the controller. The controller and cloud connection appliance operate in a client-server relationship with the cloud connection appliance operates as a client when establishing the communication path and operates as a server when receiving control information through the reverse tunnel. The reverse tunnel enables the cloud connection appliance to directly receive the control information from the controller despite the cloud connection application lacking a publicly routable Internet Protocol (IP) address.
Type: Grant
Filed: November 20, 2023
Date of Patent: April 1, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Praveen Vannarath, Wing-kuen Chung
-
Publication number: 20250106212
Abstract: In an embodiment, a secure object transfer system is described. The system features a virtual private cloud network (VPC) and a controller. The VPC includes a plurality of gateways and a network load balancer, which configured to conduct a load balancing scheme on access messages from computing devices deployed within an on-premises network to direct the access memory to one of the plurality of gateways for storage or retrieval of an object from a cloud-based storage element. Each gateway includes filtering logic to restrict access of the computing devices to certain cloud-based storage elements in accordance with a security policy. The controller is configured to maintain and update the security policy utilized by each gateway of the plurality of gateways.
Type: Application
Filed: December 9, 2024
Publication date: March 27, 2025
Applicant: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Ramakrishnan Kunnath
-
Patent number: 12255793
Abstract: A distributed cloud computing system is disclosed that includes a controller configured to deploy a first gateway in a first cloud computing network and a second gateway in a second cloud computing network, and logic. The logic, upon execution by one or more processors, causes performance of operations including receiving, from the controller, metadata pertaining to a plurality of constructs corresponding to a plurality of time instances, receiving, from each of the first and second gateways, network data corresponding to the plurality of time instances, wherein the metadata and the network data identify each of the plurality of constructs, communication paths between each construct, and in which cloud computing network each construct is deployed, generating a visualization illustrating differences between the plurality of constructs and communication paths at the first time instance and at the second time instance, and causing rendering of the visualization on a display screen.
Type: Grant
Filed: May 22, 2023
Date of Patent: March 18, 2025
Assignee: Aviatrix Systems, Inc.
Inventor: Jacob Cherkas
-
Publication number: 20250088485
Abstract: In one embodiment, a computing platform features a controller in communication with one or more virtual private cloud networks, including a first virtual private cloud network (VPC). The virtual private cloud network includes at least a first egress filtering gateway configured to filter egress traffic data received from a first gateway and route the filtered egress traffic data to a public network in accordance with a first set of filter rules. The first set of filter rules are included as part of a first security policy provided by the controller.
Type: Application
Filed: November 25, 2024
Publication date: March 13, 2025
Applicant: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Lee-Chik Cheung
-
Publication number: 20250071030
Abstract: A distributed cloud computing system is disclosed that includes a controller configured to deploy a first gateway in a first cloud computing network and a second gateway in a second cloud computing network and logic that, upon execution by one or more processors, causes performance of operations including: obtaining metadata pertaining to each of the first gateway and the second gateway, obtaining network data, wherein a combination of the metadata and the network data identify each of a plurality of constructs, the communication paths between each construct, and in which cloud computing network each construct is deployed, generating an elliptical layout of a network topology graph illustrating a first segment including the first gateway representing deployment in the first cloud network and a second segment including the second gateway representing deployment in the second cloud computing network, and causing rendering of the visualization on a network device display screen.
Type: Application
Filed: November 10, 2024
Publication date: February 27, 2025
Applicant: Aviatrix Systems, Inc.
Inventor: Brighton Vino Jegarajan
-
Patent number: 12231404
Abstract: A distributed cloud computing system is disclosed that includes a controller configured to deploy a transit gateway and a first gateway in a security virtual private cloud (VPC) in a cloud computing network, wherein the first gateway is configured to connect to a first firewall instance deployed within the security VPC, and logic. The logic, upon execution by one or more processors, causes performance of operations including receiving network traffic at the transit gateway from an originating VPC deployed within the cloud computing network, routing the network traffic from the transit gateway to the first gateway, providing the network traffic to the first firewall instance for inspection, and routing the network traffic to a destination VPC deployed within the cloud computing network. In embodiments, the first gateway is connected to a plurality of firewall instances, where each instance of the plurality of firewall instances is an active firewall instance.
Type: Grant
Filed: March 29, 2021
Date of Patent: February 18, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Shanshan Xu
-
Publication number: 20250055774
Abstract: A non-transitory storage medium featuring logic to obtain construct metadata and network data spanning multiple cloud networks includes a path determination logic, upon execution by one or more processors, configured to perform operations including: generate a topology mapping including a plurality of constructs and connections between the plurality of constructs extending across a multi-cloud network including a first cloud network and a second cloud network different than the first cloud network; receive user input corresponding to a selection of a source construct operating in the first cloud network and a destination construct operating in the second cloud network; analyze metadata and network data regarding the source construct and the destination construct to determine a data transmission path between the source and destination constructs; and determine a shortest path between the source construct and the destination constructs.
Type: Application
Filed: October 28, 2024
Publication date: February 13, 2025
Applicant: Aviatrix Systems, Inc.
Inventor: Jacob Cherkas
-
Publication number: 20250027833
Abstract: A system for facilitating communications between client devices in geographically separated networks is described. First, message monitoring is conducted by each of a plurality of virtual appliances within a local network to detect a message of a first message type. Responsive to failing to locate a Media Access Control (MAC) address of a destination for the message within a prescribed table by a default gateway, one of the plurality of virtual appliances is selected for handling a forwarding of the message to a plurality of remote networks, and the message via the selected virtual appliance is forwarded to a plurality of gateways associated with a plurality of remote networks. Responsive to locating the MAC address of the destination within the table, the virtual appliance previously handling communications with the destination to forward the message to the destination.
Type: Application
Filed: October 7, 2024
Publication date: January 23, 2025
Applicant: Aviatrix Systems, Inc.
Inventor: Xiaobo Sherry Wei
-
Patent number: 12206562
Abstract: A distributed cloud computing system is disclosed that includes a controller configured to deploy a first gateway in a first cloud computing network and a second gateway in a second cloud computing network, and a topology system logic, stored on non-transitory, computer-medium, and comprising a topology snapshot logic. Upon execution by one or more processors, the topology system logic causes performance of operations that includes periodically saving states of a plurality of constructs at first and second time states, receiving user input corresponding to a selection of one or more constructs of the plurality of constructs, generating a topology mapping visualization that illustrates differences between the first and second states of the selection of one or more constructs of the plurality of constructs, and causing rendering of the topology mapping visualization on a display screen of a network device.
Type: Grant
Filed: June 30, 2023
Date of Patent: January 21, 2025
Assignee: Aviatrix Systems, Inc.
Inventor: Jacob Cherkas
-
Patent number: 12206728
Abstract: In one embodiment, a controller features a first data store, a second data store and route determination logic. The first data store is configured to store current routing information from a source transit gateway within at least a first transit cloud network to a destination transit gateway within at least a second transit cloud network of the cloud network. Each of the source transit gateway and the destination transit gateway being one of a plurality of transit gateways associated with the cloud network. The second data store is configured to store alternative routing information between the source transit gateway and the destination transit gateway. The route determination logic is configured to (i) conduct analytics on all available route paths for a message intended to be sent from the source transit gateway to the destination transit gateway and (ii) select a best route path for the message.
Type: Grant
Filed: May 27, 2021
Date of Patent: January 21, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Yixin Sun, Shanshan Xu, Colby Wen, Xiaobo Sherry Wei
-
Patent number: 12192177
Abstract: In one embodiment, a secure exchange system is described. The secure exchange system includes a virtual private cloud network and a controller. The virtual private cloud network includes a plurality of gateways, each gateway of the plurality of gateways is configured to generate one or more local directories. Each local directory of the one or more local directories representing one or more stored objects within a public cloud storage element. The controller is configured to authenticate a user prior to granting the user access to the virtual private cloud network. The gateways are accessible by the user over AWS Direct Connect, where the public cloud storage element is a S3 bucket.
Type: Grant
Filed: October 10, 2023
Date of Patent: January 7, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Ramakrishnan Kunnath, Arvind Sreekumar
-
Patent number: 12192279
Abstract: A system supporting transferring content between an on-premises network and a public cloud network includes a first cloud computing platform comprising a first software instance having a first IP address, a subnet configured to extend across on-premises network and a public cloud network, a first gateway associated with the on-premises network, a second gateway associate with the public cloud network, a secure communication path between the first and second gateways. The subnet comprises a shared IP address range between the public cloud network and the on-premises network, and the first IP address of the first software instance is the same as an IP address of the first software instance that resided on the on-premises network.
Type: Grant
Filed: August 7, 2023
Date of Patent: January 7, 2025
Assignee: Aviatrix Systems, Inc.
Inventor: Xiaobo Sherry Wei
-
Publication number: 20240430207
Abstract: A computerized method for providing network policy-based routing of a data flow is described. After obtaining attributes associated with an incoming data flow, a first gateway is configured to determine one or more network policies based on the attributes associated with the incoming data flow and assign a classification identifier based on the one or more network policies. The classification identifier is configured to influence routing paths through at least one cloud network, where the classification identifier is encapsulated into content of the incoming data flow to generate a classified data flow for routing from a source to a destination through the at least one cloud network.
Type: Application
Filed: September 9, 2024
Publication date: December 26, 2024
Applicant: Aviatrix Systems, Inc.
Inventor: Romain Lenglet
-
Patent number: 12177294
Abstract: According to one embodiment, a network system features a first virtual private cloud (VPC) network and a second VPC network. The first VPC network includes a first plurality of gateways. Each gateway of the first plurality of gateways is in communications with other gateways. Similarly, a second VPC network includes a second plurality of gateways. Each of the second plurality of gateways is communicatively coupled to the each of the first plurality of gateways to support data exchanges between resources deployed in different public cloud networks.
Type: Grant
Filed: October 9, 2023
Date of Patent: December 24, 2024
Assignee: Aviatrix Systems, Inc.
Inventors: Yixin Sun, Colby Wen, Xiaobo Sherry Wei
-
Patent number: 12166760
Abstract: In an embodiment, a secure object transfer system is described. The system features a virtual private cloud network (VPC) and a controller. The VPC includes a plurality of gateways and a network load balancer, which configured to conduct a load balancing scheme on access messages from computing devices deployed within an on-premises network to direct the access memory to one of the plurality of gateways for storage or retrieval of an object from a cloud-based storage element. Each gateway includes Fully Qualified Domain Name (FQDN) filtering logic to restrict access of the computing devices to certain cloud-based storage elements in accordance with a security policy. The controller is configured to maintain and update the security policy utilized by each gateway of the plurality of gateways.
Type: Grant
Filed: February 19, 2023
Date of Patent: December 10, 2024
Assignee: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Ramakrishnan Kunnath
-
Publication number: 20240406134
Abstract: A method is described that enables communication between two disjoined networks with overlapping IP address ranges. An intermediary function in each of the networks and a unique IP address pool are deployed to facilitate the communication. This method also enables communications between one network with a group of networks with overlapping IP address ranges.
Type: Application
Filed: August 5, 2024
Publication date: December 5, 2024
Applicant: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Pankaj Manglik, Sunil Kishen
-
Patent number: 12155626
Abstract: In one embodiment, a computing platform features a controller in communication with one or more virtual private cloud networks, including a first virtual private cloud network (VPC). The virtual private cloud network includes at least a first egress filtering gateway configured to filter egress traffic data received from a first gateway and route the filtered egress traffic data to a public network in accordance with a first set of filter rules. The first set of filter rules are included as part of a first security policy provided by the controller.
Type: Grant
Filed: August 18, 2021
Date of Patent: November 26, 2024
Assignee: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Lee-Chik Cheung
-
Publication number: 20240380689
Abstract: A computerized method for utilizing private Internet Protocol (IP) addressing for communications between components of one or more public cloud networks. The method features determining whether outbound traffic corresponds to a first type of outbound traffic being forwarded from a cloud instance supported by the gateway. In response to determining that the first type of outbound traffic is being forwarded from the cloud instance, the first type of outbound traffic is directed via a data interface of the gateway. Also, the method features determining whether the outbound traffic corresponds to a second type of outbound traffic being initiated by logic within the gateway. In response to determining that the second type of outbound traffic is being initiated by logic within the gateway, directing the second type of outbound traffic via a management interface of the gateway.
Type: Application
Filed: July 22, 2024
Publication date: November 14, 2024
Applicant: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Praveen Vannarath, Steve Zheng, Cheng Hsiang
-
Patent number: 12143279
Abstract: A distributed cloud computing system is disclosed that includes a controller configured to deploy a first gateway in a first cloud computing network and a second gateway in a second cloud computing network and logic that, upon execution by one or more processors, causes performance of operations including: obtaining metadata pertaining to each of the first gateway and the second gateway, obtaining network data, wherein a combination of the metadata and the network data identify each of a plurality of constructs, the communication paths between each construct, and in which cloud computing network each construct is deployed, generating an elliptical layout of a network topology graph illustrating a first segment including the first gateway representing deployment in the first cloud network and a second segment including the second gateway representing deployment in the second cloud computing network, and causing rendering of the visualization on a network device display screen.
Type: Grant
Filed: August 3, 2022
Date of Patent: November 12, 2024
Assignee: Aviatrix Systems, Inc.
Inventor: Brighton Vino Jegarajan
-
Patent number: 12132625
Abstract: A non-transitory storage medium featuring logic to obtain construct metadata and network data spanning multiple cloud networks includes a path determination logic, upon execution by one or more processors, configured to perform operations including: generate a topology mapping including a plurality of constructs and connections between the plurality of constructs extending across a multi-cloud network including a first cloud network and a second cloud network different than the first cloud network; receive user input corresponding to a selection of a source construct operating in the first cloud network and a destination construct operating in the second cloud network; analyze metadata and network data regarding the source construct and the destination construct to determine a data transmission path between the source and destination constructs; and determine a shortest path between the source construct and the destination constructs.
Type: Grant
Filed: August 7, 2023
Date of Patent: October 29, 2024
Assignee: Aviatrix Systems, Inc.
Inventor: Jacob Cherkas