Abstract: Example methods are provided for a host to perform multicast packet handling a software-defined networking (SDN) environment. One example method may comprise: in response to detecting, from a virtualized computing instance supported by the host, a request to join a first inner multicast group address, obtaining an outer multicast group address that is assigned to the first inner multicast group address and one or more second inner multicast group addresses; and generating and sending a request to join the outer multicast group address to one or more multicast-enabled network devices. In response to detecting an ingress encapsulated multicast packet that includes an outer header addressed to the outer multicast group address and an inner header addressed to the first inner multicast group address, the host may generate and send a decapsulated multicast packet to the virtualized computing instance that has joined the first inner multicast group address.

Abstract: A system and method for managing a trusted connection within a public cloud comprises transmitting a first token and a second token from a cloud service manager to a public cloud controller, initializing a public cloud manager in response to receipt of the first token and the second token, and generate a cloud certificate, and transmitting the cloud certificate and the second token from the public cloud manager to a management plane. The method further comprises establishing a trusted connection between the public cloud controller and the management plane in response to receipt of the cloud certificate and the second token by the management plane.

Abstract: Some embodiments provide a non-transitory machine readable medium of a first middlebox element of several middlebox elements to implement a middlebox instance in a distributed manner in several hosts. The non-transitory machine readable medium stores a set of instructions for receiving (1) configuration data for configuring the middlebox instance to implement a middlebox in a logical network and (2) a particular identifier associated with the middlebox in the logical network. The non-transitory machine readable medium stores a set of instructions for generating (1) a set of rules to process packets for the middlebox in the logical network and (2) an internal identifier associated with the set of rules. The non-transitory machine readable medium stores a set of instructions for associating the particular identifier with the internal identifier for later processing of packets having the particular identifier.

Abstract: A security system for a distributed application obtains and, in effect, preserves provisioning information for the purpose of auto-populating whitelists used to protect the distributed application from intrusions. The provisioning information identifies allowable connections on a software-package level. Entries mapping processes to connection destinations are added to a whitelist if a process requesting a connection results from execution of an executable file installed as part of a software package for which the connection was allowed according to the provisioning information.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for configuring a managed forwarding element (MFE) executing on a first host machine to implement a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines to process multicast data messages. The method receives a multicast group report from a data compute node (DCN) that executes on the first host, sends a summarized multicast group report indicating multicast groups joined by DCNs executing on the first host to a set of central controllers, receives data based on an aggregated multicast group report from the set of central controllers, and uses the data based on the aggregated multicast group report to configure the MFE to implement the distributed multicast logical router.

Abstract: For a managed network, some embodiments provide a method for a set of service nodes in an active-active service node cluster in conjunction with a host computer hosting a destination data compute node (DCN) to improve the efficiency of directing a data message to a service node storing state information for the flow to which the data message belongs. a first service node receives a data message in a particular data message flow for which it does not maintain state information. The first service node then identifies a second service node to process the data message and forwards the data message to the second service node. The second service node sends state information for the particular data message flow to the first service node, for the first service node to use to process subsequent data messages in the particular data message flow.

Abstract: A system for private networking within a virtual infrastructure is presented. The system includes a virtual machine (VM) in a first host, the VM being associated with a first virtual network interface card (VNIC), a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network, a filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the encapsulation adding to the packet a new header and a fence identifier for the fenced group, and a second filter in the second host that de-encapsulates the packet to extract the new header and the fence identifier.

Abstract: Methods, apparatus and articles of manufacture to use artificial intelligence to define encryption and security policies in a software defined data center are disclosed. Example apparatus include a language parser to parse a natural language statement into a policy statement that defines a distributed network encryption policy or a distributed network security policy. Example apparatus also include a comparator to compare the policy statement to a set of reference policy templates and a template configurer to select a first policy template from the set of reference policy templates in response to the comparator determining the first policy template corresponds to the policy statement. A policy distributor distributes a policy rule defined by the first policy template for enforcement at network nodes of a software defined data center. The policy rule is a distributed network encryption policy rule or a security policy rule.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller configures a first middlebox instance to obtain status of a set of servers and disseminate the obtained status to a second middlebox instance. The controller configures the second middlebox instance to use the status to select a server from the set of servers.

Abstract: Example methods are provided for a first endpoint to communicate with a second endpoint over a public network, the second endpoint being in a private network. The method may comprise detecting a chunk of data directly from an application executing on the first endpoint. The virtual adapter may emulate a transport protocol task offload to bypass transport protocol processing by a protocol stack of the first endpoint. The method may comprise processing the chunk of data to generate a chunk of processed data for transfer through a tunnel connecting the virtual adapter over the public network with a gateway associated with the private network and sending the chunk of processed data through a tunnel in a plurality of tunnel segments, wherein the gateway is configured to perform transport protocol processing to generate a plurality of transport protocol segments from the chunk of processed data for transfer to the second endpoint.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: A novel algorithm for packet classification that is based on a novel search structure for packet classification rules is provided. Addresses from all the containers are merged and maintained in a single Trie. Each entry in the Trie has additional information that can be traced back to the container from where the address originated. This information is used to keep the Trie in sync with the containers when the container definition dynamically changes.

Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.

Abstract: Some embodiments provide a method for a central network manager that stores desired state information for multiple logical network entities for a logical network. The method stores (i) a desired state configuration for a logical network entity and (ii) a first state tracking object that identifies a version of the desired state configuration for at least the logical network entity. The method propagates to a set of managed forwarding elements (i) configuration data for the logical network entity and (ii) a second state tracking object for the logical network entity that identifies a version of the propagated configuration data. The first and second state tracking objects are compared to determine whether the propagated configuration data is based on the most recent desired state configuration.

Abstract: Some embodiments provide a novel method for monitoring network requests from a machine. The method captures the network request at various layers of a protocol stack. At a first layer of a protocol stack, the method tags a packet related to the network request with a tag value, maps the tag value to a set of tuples associated with the packet, and sends a first set of data related to the packet to a security engine. At a second layer of the network stack, the method determines whether the packet has been modified through the network stack, and sends an updated second set of data to the security engine when the packet has been modified.

Abstract: In one aspect, a computerized method includes the step of providing process monitor in a Gateway. The method includes the step of, with the process monitor, launching a Gateway. Daemon (GWD). The GWD runs a GWD process that implements a Network Address Translation (NAT) process. The NAT process includes receiving a set of data packets from one or more Edge devices and forwarding the set of data packets to a public Internet. The method includes the step of receiving another set of data packets from the public Internet and forwarding the other set of data packets to the one or more Edge devices. The method includes the step of launching a Network Address Translation daemon (NATD). The method includes the step of detecting that the GWD process is interrupted; moving the NAT process to the NATD.

Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.

Abstract: A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: Some embodiments provide a method for a managed first forwarding element executing on a first data compute node (DCN) that operates on a first host machine within a public datacenter. The managed first forwarding element is configured to implement a logical network. The method receives a data packet from an application, executing on the first data compute node, that sends and receives data packets through the logical network. When the data packet has a destination address that is not associated with the logical network, the method sends the packet directly to a second forwarding element configured by an administrator of the datacenter. When the data packet has a destination address associated with the logical network, the method sends the packet to a managed third forwarding element configured to implement the logical network. The managed third forwarding element executes on a second DCN on a second host machine within the datacenter.