Patents Assigned to Nicira, Inc.
  • Patent number: 11210121
    Abstract: Techniques for transferring connection data for a migrated virtual computing instance are described. The connection data transfer process includes the steps of, responsive to determining the virtual computing instance is to be migrated, transmitting the connection data, from a first memory buffer shared between a first instance of a service virtual computing instance and a first hardware abstraction layer executing in a source host, to a second memory buffer shared between a second instance of the service virtual computing instance and a second hardware abstraction layer executing in a destination host; responsive to determining the virtual computing instance is stopped in the source host, packing connection data changes including changes made to the connection data at the source host during a time period beginning when the connection data is copied and ending when the virtual computing instance is stopped; and transmitting the connection data changes to the destination host.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: December 28, 2021
    Assignee: Nicira, Inc.
    Inventors: Anirban Sengupta, Subrahmanyam Manuguri, Raju Koganty, Chidambareswaran Raman
  • Patent number: 11212193
    Abstract: A method of generating a network topology map in a datacenter comprising a network manager server and a set of host machines is provided. Each host machine hosts a set of data compute nodes (DCNs). The method receives information regarding the configuration of each of a set of logical networks from the network manager server. Each logical network is connected to several DCNs. The method identifies logical connections configured between the DCNs using the configuration of the overlay networks. The method generates a network topology map based on the identified logical configuration. The network topology identifies the DCNs that are connected to each overlay network. The method displays the network topology map on a graphical user interface.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: December 28, 2021
    Assignee: NICIRA, INC.
    Inventors: Aditya G. Holla, Ramya Bolla, Manoj Tammali, Vaibhav Kumar, Nithya Vijayaraghavan
  • Patent number: 11212176
    Abstract: Certain embodiments described herein are generally directed to consistent processing of transport node network configuration data in a physical sharding architecture. For example, in some embodiments a first central control plane (CCP) node of a plurality of CCP nodes determines a sharding table, which is shared by the plurality of CCP nodes. In certain embodiments, the first CCP node determines a connection establishment between a first transport node and the first CCP node. In some embodiments, if the first CCP node determines, based on the sharding table, that it is a physical master of the first transport node, the first CCP node receives network configuration data from the first transport node, stores at least a portion of the network configuration data, and transmits a data update comprising at least a portion of the network configuration data to a shared data store accessible by the plurality of CCP nodes.
    Type: Grant
    Filed: October 1, 2019
    Date of Patent: December 28, 2021
    Assignee: Nicira, Inc.
    Inventors: Ziyou Wang, Jianjun Shen, Pankaj Thakkar, Hua Wang, Donghai Han
  • Patent number: 11206188
    Abstract: Some embodiments provide a method for maintaining a cluster topology for a cluster of application instances operating across several datacenters. On a particular machine at which a particular one of the application instances operates, the method maintains a cluster topology that identifies, for each application instance of the cluster, the datacenter in which the application instance operates. From the particular application instance, the method receives a query request for at least a portion of the cluster topology through a programmatic interface. The method provides the requested portion of the cluster topology to the particular application instance. The particular application instance uses the cluster topology for processing application data based on the locations of a set of application instances within the several datacenters.
    Type: Grant
    Filed: October 24, 2019
    Date of Patent: December 21, 2021
    Assignee: NICIRA, INC.
    Inventor: Jeremy Olmsted-Thompson
  • Patent number: 11204791
    Abstract: A method of performing ingress traffic optimization for active/active data centers. The method creates site-specific grouping constructs for virtual machines that run applications that are advertised to the external networks. The site specific grouping constructs provide an abstraction to decouple virtual machines from traditional networks for common ingress network policies. Each site-specific container includes a list of the virtual machines currently located at the site as well as a unique identifier of the site. Each virtual machine in a container is identified through the abstraction of metadata tag, logical data center objects, or the virtual machine's unique name. The IP address of each virtual machine is retrieved from the guest operating system and a network policy is generated to advertise the IP addresses of the virtual machines to the site's routing peer.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: December 21, 2021
    Assignee: NICIRA, INC.
    Inventor: Andrew Babakian
  • Patent number: 11206192
    Abstract: A novel method for troubleshooting a logical network is provided. The logical network has logical forwarding elements operating inside virtual network forwarding engines. The method receives a source identifier and a destination identifier that correspond to nodes in the logical network. The method then retrieves a set of network data from a virtual network forwarding engine and identifies a path in the logical network by traversing the logical network according to the retrieved set of network data. This traversal starts at an initial network node that is identified by the source identifier and continues through a set of next-hop network nodes that are each identified based on the destination identifier. At least some of the network nodes are logical ports associated with logical forwarding elements implemented by the virtual network forwarding engine. The method then reports the set of traversed logical nodes.
    Type: Grant
    Filed: March 2, 2019
    Date of Patent: December 21, 2021
    Assignee: NICIRA, INC.
    Inventors: Xinhua Hong, Ronghua Zhang, David J. Leroy, Yong Wang, Jia Yu
  • Patent number: 11206213
    Abstract: A method of creating containers in a physical host that includes a managed forwarding element (MFE) configured to forward packets to and from a set of data compute nodes (DCNs) hosted by the physical host. The method creates a container DCN in the host. The container DCN includes a virtual network interface card (VNIC) configured to exchange packets with the MFE. The method creates a plurality of containers in the container DCN. The method, for each container in the container DCN, creates a corresponding port on the MFE. The method sends packets addressed to each of the plurality of containers from the corresponding MFE port to the VNIC of the container DCN.
    Type: Grant
    Filed: March 28, 2020
    Date of Patent: December 21, 2021
    Assignee: NICIRA, INC.
    Inventors: Jianjun Shen, Donghai Han, Vadim Egorov, Corentin Derbois
  • Patent number: 11201808
    Abstract: Some embodiments provide a method for a network controller that manages several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical switching element. The method generates the packet at the network controller according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source. The method receives a set of messages from a set of managed forwarding elements that process the packet regarding operations performed on the packet.
    Type: Grant
    Filed: February 1, 2016
    Date of Patent: December 14, 2021
    Assignee: NICIRA, INC.
    Inventors: Igor Ganichev, Pankaj Thakkar, Paul Fazzone, Teemu Koponen, Daniel J. Wendlandt
  • Patent number: 11201762
    Abstract: A method of utilizing the same hardware network interface card (NIC) in a gateway of a datacenter to communicate datacenter tenant packet traffic and packet traffic for a set of applications that execute in the user space of the gateway and utilize a network stack in the kernel space of the gateway. The method sends and receives packets for the datacenter tenant packet traffic through a packet datapath in the user space. The method sends incoming packets from the NIC to the set of applications through the datapath in the user space, a user-kernel transport driver connecting the kernel network stack to the datapath in the user space, and the kernel network stack. The method receives outgoing packets at the NIC from the set of applications through the kernel network stack, the user-kernel transport driver, and the data path in the user space.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: December 14, 2021
    Assignee: NICIRA, INC.
    Inventors: Jia Yu, Yong Wang, Xinhua Hong
  • Patent number: 11196727
    Abstract: Certain embodiments described herein are generally directed to performing receive side scaling at a virtual network interface card for encapsulated encrypted data packets based on a security parameter index value of the encapsulated encrypted data packets.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: December 7, 2021
    Assignee: Nicira, Inc.
    Inventors: Yong Wang, Peng Li
  • Patent number: 11196682
    Abstract: Some embodiments provide a novel method of configuring a managed hardware forwarding element (MHFE) that implements a logical forwarding element (LFE) of a logical network to handle address resolution requests (e.g., Address Resolution Protocol (ARP) requests) for multiple addresses (e.g., IP addresses) associated with a single network interface of the logical network. The method identifies a physical port of the MHFE with which the multiple addresses are to be associated. The physical port is coupled to an end machine (e.g., a virtual machine, server, container, etc.) of the logical network. The method then modifies associations stored at the MHFE to associate the physical port with the multiple addresses.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: December 7, 2021
    Assignee: NICIRA, INC.
    Inventor: Anupam Chanda
  • Patent number: 11196654
    Abstract: Some embodiments provide a statistics collection framework that is used to aggregate statistics for interfaces such as logical ports and logical port pairs. Flows that are related with these interfaces are tagged with the identifier of the logical entities for which statistics are being collected. The interface statistics are periodically sent in the background to a statistics aggregator. The read queries for the interface statistics are directed to the statistics aggregator. The statistics aggregator, therefore, acts as a cumulative cache for the interface statistics.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: December 7, 2021
    Assignee: NICIRA, INC.
    Inventors: Somik Behera, Henry Mai
  • Patent number: 11196773
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: December 7, 2021
    Assignee: NICIRA, INC.
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Patent number: 11194755
    Abstract: A method for providing multi-tenancy support for RDMA in a system that includes a plurality of physical hosts. Each physical host hosts a set of data compute nodes (DCNs). The method, at an RDMA protocol stack of the first host, receives a packet that includes a request from a first DCN hosted on a first host for RDMA data transfer from a second DCN hosted on a second host. The method sends a set of parameters of an overlay network that are associated with the first DCN to an RDMA physical network interface controller of the first host. The set of parameters are used by the RDMA physical NIC to encapsulate the packet with an RDMA data transfer header and an overlay network header by using the set of parameters of the overlay network to transfer the encapsulated packet to the second physical host using the overlay network.
    Type: Grant
    Filed: September 5, 2019
    Date of Patent: December 7, 2021
    Assignee: NICIRA, INC.
    Inventors: Shoby Cherian, Tanuja Ingale, Raghavendra Subbarao Narahari Venkata
  • Patent number: 11190428
    Abstract: Some embodiments of the invention provide a novel method of managing network nodes that implement a logical multi-node application. The method can comprise obtaining log data describing events relating to a plurality of network nodes and obtaining network flow data describing flow of data between the plurality of network nodes. The method may identify roles performed by the network nodes. The method may detect relationships between the network nodes. The identified roles and the detected relationships are analyzed to identify which of the network nodes implement a logical multi-node application. Implementation data based on the identification of which of the network nodes implement the logical multi-node application can be processed to automatically control management of at least one of the network nodes.
    Type: Grant
    Filed: October 25, 2019
    Date of Patent: November 30, 2021
    Assignee: NICIRA, INC.
    Inventor: Vardan Movsisyan
  • Patent number: 11190443
    Abstract: A logical routing element (LRE) having multiple designated instances for routing packets from physical hosts (PH) to a logical network is provided. A PH in a network segment with multiple designated instances can choose among the multiple designated instances for sending network traffic to other network nodes in the logical network according to a load balancing algorithm. Each logical interface (LIF) of an LRE is defined to be addressable by multiple identifiers or addresses, and each LIF identifier or address is assigned to a different designated instance.
    Type: Grant
    Filed: February 7, 2018
    Date of Patent: November 30, 2021
    Assignee: NICIRA, INC.
    Inventors: Vivek Agarwal, Ganesan Chandrashekhar, Rahul Korivi Subramaniyam, Ram Dular Singh, Howard Wang
  • Patent number: 11188367
    Abstract: A method is provided for a protection module or a process to use a hypervisor to protect memory pages of a guest operating system on the hypervisor. The method includes modifying a shared memory page in a context of the process, which causes the guest operating system to allocate a private memory page to the process, copy data from the shared memory page to the private memory page, and modify the private memory page. The method further includes causing the hypervisor to protect the private memory page by monitoring the private memory page and generating an alert when the private memory page is accessed.
    Type: Grant
    Filed: January 11, 2018
    Date of Patent: November 30, 2021
    Assignee: NICIRA INC.
    Inventor: Sukrut Patil
  • Patent number: 11184324
    Abstract: Examples provide a deep packet inspection for performing security operations on network data packets by a plurality of enhanced packet analyzers. A copy of a mirrored network data packet is sent to each of the packet analyzers. Each packet analyzer performs one or more security operations on the copy in parallel, and generates an allow recommendation or a deny recommendation. If all the recommendations are allow recommendations, a virtual network interface controller (VNIC) routes the network data packet to its destination. If at least one of the recommendations is a deny recommendation, the VNIC discards the network data packet.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: November 23, 2021
    Assignee: NICIRA, INC.
    Inventor: Sudheendra Bangalore Krishnamurthy
  • Patent number: 11175969
    Abstract: Disclosed is a technique for communicating message objects from a first process to a second process in a transport node of a virtualized network, the message objects specifying a change to the status of a virtualized network object in the virtualized network. In the technique, message objects are separated from operation objects, which have fields corresponding to the fields of the message objects, a field of the operation object being capable of specifying a change to or a status of a field of the message object to which it corresponds. Yet another object combines a message object and an operation object so that the protocol for communication between the first and second process is the same regardless of the contents of the actual message.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: November 16, 2021
    Assignee: Nicira, Inc.
    Inventors: Harold Vinson C. Lim, Risi Thonangi, Igor Ganichev
  • Patent number: 11171920
    Abstract: A novel method for distributing firewall configuration of a software defined data center is provided. The network manager of the data center receives update requests from tenants of the data center and correspondingly generates update fragments and delivers the generated update fragment to local control planes controlling the enforcing devices. Each local control plane in turn integrates the update fragments it receives into its firewall rules table. For each rule and/or section thusly integrated, the local control plane uses the rule or the section's assigned priority number to establish ordering in the firewall rules table of the local control plane.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: November 9, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar, Subrahmanyam Manuguri, Jingmin Zhou, Shadab Shah, Igor Ganichev