Patents Assigned to Aviatrix Systems, Inc.
-
Patent number: 12363073
Abstract: A method for establishing a communication coupling within a cloud computing environment between a first gateway of a first virtual private cloud network deployed behind a firewall and a second gateway of a second virtual private cloud network is disclosed. The method includes operations of receiving, by the first gateway, a first controller message from a controller deployed within the cloud computing environment, the first controller message instructing the first gateway to transmit a first gateway message to the second gateway, transmitting, by the first gateway, the first gateway message to the second gateway, receiving, by the first gateway, a second gateway message from the second gateway, the second gateway message initiating a negotiation to establish a first tunnel between the first gateway and the second gateway in accordance with a first security protocol, and completing, by the first gateway, the negotiation thereby causing establishment of the first tunnel.
Type: Grant
Filed: March 6, 2020
Date of Patent: July 15, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Praveen Vannarath, Xiaobo Sherry Wei
-
Patent number: 12355591
Abstract: According to one embodiment, a network device may be adapted to operate within a virtual private cloud where network address translation (NAT) is performed through virtual machines and each network address translation is handled differently by a different NAT control logic unit. The network device features one or more hardware processors, and a memory that stores at least a plurality of network address translation (NAT) control logic unit and demultiplexer logic. The demultiplexer logic, when executed, receives an incoming message and, based at least in part on information within the incoming message, determines a selected NAT control logic unit to receive at least a portion of the information within the incoming message. The selected NAT control logic unit handles address translation for routing of a message based on the incoming message to a public network.
Type: Grant
Filed: April 8, 2024
Date of Patent: July 8, 2025
Assignee: Aviatrix Systems, Inc.
Inventor: Xiaobo Sherry Wei
-
Patent number: 12355621
Abstract: A cloud computing system built in accordance with a repeatable network architecture is disclosed that includes a controller, a first set of spoke gateways and a first transit gateway. The controller is configured to deploy the first set of spoke gateways in a first cloud thereby forming an applications layer of the repeatable network architecture, deploy the first transit gateway in the first cloud thereby forming a global transit layer of the repeatable network architecture, and establish communicative couplings between each of the first set of spoke gateways and the first transit gateway. The controller is also configured to deploy a first set of spoke VPCs within the first cloud, wherein each of the spoke VPCs has deployed therein one of the first set of spoke gateways, and a first transit VPC within the first cloud, wherein the first transit gateway is deployed in the first transit VPC.
Type: Grant
Filed: May 25, 2021
Date of Patent: July 8, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Hammad Alam, Nauman Mustafa, Saad Mirza, Shahzad Ali
-
Patent number: 12355769
Abstract: A computerized method for restricting communications between virtual private cloud networks comprises creating a plurality of security domains. Each of the plurality of security domains identifies gateways associated with one or more virtual private cloud networks. Also, the method features generating transit routing data stores in accordance with each of the plurality of security domains; determining whether a connection policy exists between at least a first security domain and a second security domain of the plurality of security domains; and precluding communications between gateways associated with the first security domain and gateways associated with the second security domain in response to determining that no connection policy exists between the first security domain and the second security domain.
Type: Grant
Filed: March 25, 2024
Date of Patent: July 8, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Shanshan Xu
-
Patent number: 12355667
Abstract: A controller configured to maintain a global virtual private cloud network (global VPC), which comprises a plurality of regions including a first region and a second region. The first region features at least a first workload and a first spoke subnetwork including a first set of spoke gateways. The second region features at least a second workload and a second spoke subnetwork including a second set of spoke gateways. These sets of spoke gateways are part of the cloud overlay network. Responsive to the first workload operating as a source for transmission of a first message to a first destination external to the global VPC, the logic is configured to (i) direct the first message from the first workload to a spoke gateway of the first set of spoke gateways residing within the first region and (ii) preclude transmission of the first message to the second spoke subnetwork.
Type: Grant
Filed: October 12, 2022
Date of Patent: July 8, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Nicolas Delecroix, Praveen Konda
-
Patent number: 12348490
Abstract: A computerized method for establishing a secure channel between a virtual private network (VPN) client processing on a network device for a user and a network gateway is disclosed. The computerized method includes operations of the controller of transmitting an authentication request to an identity provider based on receipt of a resource request from the VPN client, receiving an authentication response from the identity provider, generating an authentication token based on the authentication response and transmitting the authentication token to the VPN client, wherein the controller further stores the authentication token.
Type: Grant
Filed: December 29, 2023
Date of Patent: July 1, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Arvind Sreekumar, Ramakrishnan Kunnath, Xiaobo Sherry Wei
-
Patent number: 12348491
Abstract: In one embodiment, a computing platform features a controller, one or more transit virtual private cloud networks (VPCs), and a plurality of spoke VPCs. Communicatively coupled to the transit virtual VPCs, the spoke VPCs include (i) a first spoke VPC associated with a first security region and (ii) a second spoke VPC associated with a second security region. Herein, the first security region is configured to permit spoke gateways of the first spoke VPC to communicate with each other while precluding communications with spoke gateways associated with another security region absent a connectivity policy being a set of rules established by the administrator/user of the network concerning permitted connectivity between different security regions.
Type: Grant
Filed: February 26, 2024
Date of Patent: July 1, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Shanshan Xu
-
Patent number: 12316514
Abstract: A distributed cloud computing system is disclosed that includes a controller configured to deploy a first gateway in a first cloud computing network and a second gateway in a second cloud computing network and logic, stored on non-transitory, computer-medium. The logic, upon execution by one or more processors, causes performance of operations including: transmitting one or more requests to the controller for metadata of at least the first gateway and the second gateway; receiving, from at least one of the first gateway and the second gateway, network data of the corresponding gateway; generating a visualization illustrating the metadata and the network data, wherein the metadata and the network data pertain to multiple cloud computing networks; and causing rendering of the visualization on a display screen of a network device.
Type: Grant
Filed: June 5, 2023
Date of Patent: May 27, 2025
Assignee: Aviatrix Systems, Inc.
Inventor: Jacob Cherkas
-
Patent number: 12316540
Abstract: A multi-cloud overlay network for supporting communications between a first public cloud network and a second public cloud network. The overlay network features a management virtual private network, which includes a network load balancing (NLB) component and a controller registered as a target on a port of the NLB component. The overlay network further includes one or more spoke or transit gateways and a multi-cloud access virtual private cloud (VPC) operating within the first public cloud network, and a remote cloud load balancer component operating the second public cloud network. The remote cloud load balancer component is communicatively coupled between the multi-cloud access VPC and one or more remote spoke or transit gateways. The multi-cloud access VPC includes a VPC endpoint that is assigned a private IP address and communicatively coupled to the NLB component and a virtual private network (VPN) gateway communicatively coupled to a private transport.
Type: Grant
Filed: July 7, 2022
Date of Patent: May 27, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Nicolas Delecroix, Li Yan, Spencer Witkin, Saad Mirza
-
Publication number: 20250168090
Abstract: A distributed cloud computing system is disclosed that includes a controller configured to deploy a first gateway in a first cloud computing network and a second gateway in a second cloud computing network, and a topology system logic, stored on non-transitory, computer-medium, and comprising a topology snapshot logic. Upon execution by one or more processors, the topology system logic causes performance of operations that includes periodically saving states of a plurality of constructs at first and second time states, receiving user input corresponding to a selection of one or more constructs of the plurality of constructs, generating a topology mapping visualization that illustrates differences between the first and second states of the selection of one or more constructs of the plurality of constructs, and causing rendering of the topology mapping visualization on a display screen of a network device.
Type: Application
Filed: January 20, 2025
Publication date: May 22, 2025
Applicant: Aviatrix Systems, Inc.
Inventor: Jacob Cherkas
-
Publication number: 20250168224
Abstract: In one embodiment, a controller features a first data store, a second data store and route determination logic. The first data store is configured to store current routing information from a source transit gateway within at least a first transit cloud network to a destination transit gateway within at least a second transit cloud network of the cloud network. Each of the source transit gateway and the destination transit gateway being one of a plurality of transit gateways associated with the cloud network. The second data store is configured to store alternative routing information between the source transit gateway and the destination transit gateway. The route determination logic is configured to (i) conduct analytics on all available route paths for a message intended to be sent from the source transit gateway to the destination transit gateway and (ii) select a best route path for the message.
Type: Application
Filed: January 20, 2025
Publication date: May 22, 2025
Applicant: Aviatrix Systems, Inc.
Inventors: Yixin Sun, Shanshan Xu, Colby Wen, Xiaobo Sherry Wei
-
Patent number: 12301533
Abstract: A computerized method for increasing throughput of encapsulated data over a network is described. First, a determination, at a first network device, of a number of available processing resources located at a second network device is conducted. Thereafter, a plurality of connections are generated between the first network device and the second device. The plurality of connections corresponding in number to the number of available processing resources. Data received by the first network device is associated with a first connection of the plurality of tunneling connections. Thereafter, translation data unique to a tunneling session associated with the first connection is generated and the received data is encapsulated with the translation data to generate the encapsulated data for transmission to the second network device.
Type: Grant
Filed: July 31, 2023
Date of Patent: May 13, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Praveen Vannarath
-
Patent number: 12301411
Abstract: An edge gateway deployed within an overlay network interconnecting a first public cloud network with an on-premises network is described. Coupled to a controller, the edge gateway is configured to receive a configuration file and attestation data from a controller, analyze the configuration file to obtain at least a first network address being used as an interface for secure communications with the controller, establish a secure interconnect with the controller based on the attestation data, and conduct a provisioning operation to initiate a request to the controller for edge gateway software thereby automated provisioning the edge gateway without human intervention. The edge gateway experiences automated provisioning based on a configuration file and attestation data upload.
Type: Grant
Filed: November 12, 2022
Date of Patent: May 13, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Purnima Gunturu, Praveen Vannarath
-
Publication number: 20250150353
Abstract: A distributed cloud computing system further includes logic, stored on non-transitory, computer-medium, that, upon execution by one or more processors, causes performance of operations including generating a first fingerprint for the first VPC being a statistical measure of a plurality of network metrics during a learning phase, generating a second fingerprint for the second VPC being a statistical measure of the plurality of network metrics during the learning phase, receiving, from the controller, metadata pertaining to each of the first gateway and the second gateway, receiving, from each of the first gateway and the second gateway, network data, wherein the metadata and the network data identify each of the plurality of constructs, the communication paths between each construct, and in which cloud computing network each construct is deployed, detecting an anomaly in one or more network traffic metrics of either the first VPC or the second VPC based on a comparison of received network traffic and a corresp
Type: Application
Filed: February 8, 2023
Publication date: May 8, 2025
Applicant: Aviatrix Systems, Inc.
Inventors: Jacob Cherkas, Arno Lenin Malyala, Bryan Ashley
-
Publication number: 20250141847
Abstract: In one embodiment, a secure exchange system is described. The secure exchange system includes a virtual private cloud network and a controller. The virtual private cloud network includes a plurality of gateways, each gateway of the plurality of gateways is configured to generate one or more local directories. Each local directory of the one or more local directories representing one or more stored objects within a public cloud storage element. The controller is configured to authenticate a user prior to granting the user access to the virtual private cloud network. The gateways are accessible by the user over AWS Direct Connect, where the public cloud storage element is a S3 bucket.
Type: Application
Filed: January 6, 2025
Publication date: May 1, 2025
Applicant: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Ramakrishnan Kunnath, Arvind Sreekumar
-
Publication number: 20250141960
Abstract: A system supporting transferring content between an on-premises network and a public cloud network includes a first cloud computing platform comprising a first software instance having a first IP address, a subnet configured to extend across on-premises network and a public cloud network, a first gateway associated with the on-premises network, a second gateway associate with the public cloud network, a secure communication path between the first and second gateways. The subnet comprises a shared IP address range between the public cloud network and the on-premises network, and the first IP address of the first software instance is the same as an IP address of the first software instance that resided on the on-premises network.
Type: Application
Filed: January 6, 2025
Publication date: May 1, 2025
Applicant: Aviatrix Systems, Inc.
Inventor: Xiaobo Sherry Wei
-
Publication number: 20250141955
Abstract: According to one embodiment, a network system features a first virtual private cloud (VPC) network and a second VPC network. The first VPC network includes a first plurality of gateways. Each gateway of the first plurality of gateways is in communications with other gateways. Similarly, a second VPC network includes a second plurality of gateways. Each of the second plurality of gateways is communicatively coupled to the each of the first plurality of gateways to support data exchanges between resources deployed in different public cloud networks.
Type: Application
Filed: December 23, 2024
Publication date: May 1, 2025
Applicant: Aviatrix Systems, Inc.
Inventors: Yixin Sun, Colby Wen, Xiaobo Sherry Wei
-
Patent number: 12267239
Abstract: In one embodiment, a cloud connection appliance features a processor and a non-transitory storage medium. The non-transitory storage medium comprises management control logic, that when executed by the processor, controls registration with a controller adapted to control data traffic between gateway instance and to establish a communication path including a reverse tunnel with the controller. The controller and cloud connection appliance operate in a client-server relationship with the cloud connection appliance operates as a client when establishing the communication path and operates as a server when receiving control information through the reverse tunnel. The reverse tunnel enables the cloud connection appliance to directly receive the control information from the controller despite the cloud connection application lacking a publicly routable Internet Protocol (IP) address.
Type: Grant
Filed: November 20, 2023
Date of Patent: April 1, 2025
Assignee: Aviatrix Systems, Inc.
Inventors: Praveen Vannarath, Wing-kuen Chung
-
Publication number: 20250106212
Abstract: In an embodiment, a secure object transfer system is described. The system features a virtual private cloud network (VPC) and a controller. The VPC includes a plurality of gateways and a network load balancer, which configured to conduct a load balancing scheme on access messages from computing devices deployed within an on-premises network to direct the access memory to one of the plurality of gateways for storage or retrieval of an object from a cloud-based storage element. Each gateway includes filtering logic to restrict access of the computing devices to certain cloud-based storage elements in accordance with a security policy. The controller is configured to maintain and update the security policy utilized by each gateway of the plurality of gateways.
Type: Application
Filed: December 9, 2024
Publication date: March 27, 2025
Applicant: Aviatrix Systems, Inc.
Inventors: Xiaobo Sherry Wei, Ramakrishnan Kunnath
-
Patent number: 12255793
Abstract: A distributed cloud computing system is disclosed that includes a controller configured to deploy a first gateway in a first cloud computing network and a second gateway in a second cloud computing network, and logic. The logic, upon execution by one or more processors, causes performance of operations including receiving, from the controller, metadata pertaining to a plurality of constructs corresponding to a plurality of time instances, receiving, from each of the first and second gateways, network data corresponding to the plurality of time instances, wherein the metadata and the network data identify each of the plurality of constructs, communication paths between each construct, and in which cloud computing network each construct is deployed, generating a visualization illustrating differences between the plurality of constructs and communication paths at the first time instance and at the second time instance, and causing rendering of the visualization on a display screen.
Type: Grant
Filed: May 22, 2023
Date of Patent: March 18, 2025
Assignee: Aviatrix Systems, Inc.
Inventor: Jacob Cherkas