Patents Assigned to Nicira, Inc.
  • Patent number: 11165700
    Abstract: An approach for improving throughput for encapsulated network traffic is provided. In an embodiment, a method comprises obtaining a plurality of network addresses of a plurality of intermediaries that facilitate communications between a plurality of virtual machines. A set of source-destination intermediary pairs is determined based on the plurality of network addresses, and for each source-destination intermediary pair, from the set of source-destination intermediary pairs, a precomputed encapsulated header is generated and included in a set of precomputed encapsulated headers.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: November 2, 2021
    Assignee: NICIRA, INC.
    Inventors: Alex Tessmer, Samuel Jacob, Srikar Tati, Subin Cyriac Mathew, Aditya Sonthy
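The precomputation described in the abstract, as an added example that is not the patent's or Nicira's code: it assumes the intermediaries are VXLAN tunnel endpoints and that the outer header is Ethernet/IPv4/UDP/VXLAN. One header template is built per ordered (source, destination) pair; the per-packet fast path copies the template and patches only the fields that depend on the inner frame (IP total length and checksum, UDP source port and length). All endpoint addresses and the inner frame are constructed sample data.

```python
import socket
import struct
import zlib

# Assumed outer header layout: Ethernet / IPv4 / UDP / VXLAN (RFC 7348).
VXLAN_PORT = 4789
ETH_LEN, IP_LEN, UDP_LEN, VXLAN_LEN = 14, 20, 8, 8
OUTER_LEN = ETH_LEN + IP_LEN + UDP_LEN + VXLAN_LEN   # 50 bytes
IP_OFF, UDP_OFF, VXLAN_OFF = ETH_LEN, ETH_LEN + IP_LEN, ETH_LEN + IP_LEN + UDP_LEN


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_template(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str, vni: int) -> bytes:
    """Precomputed header for one (source, destination) endpoint pair. Everything constant
    per pair is filled in; per-packet fields (IP length/checksum, UDP source port/length)
    are left zero and patched by encapsulate()."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", 0, VXLAN_PORT, 0, 0)
    vxlan = b"\x08\x00\x00\x00" + struct.pack("!I", vni << 8)   # I flag set, 24-bit VNI
    return eth + ip + udp + vxlan


def precompute_headers(endpoints: dict, vni: int) -> dict:
    """endpoints: {name: (mac, ip)} for every intermediary; one template per ordered pair."""
    return {(s, d): build_template(smac, dmac, sip, dip, vni)
            for s, (smac, sip) in endpoints.items()
            for d, (dmac, dip) in endpoints.items() if s != d}


def encapsulate(template: bytes, inner: bytes) -> bytes:
    """Fast path: copy the template, patch only the per-packet fields, append the frame."""
    hdr = bytearray(template)
    struct.pack_into("!H", hdr, IP_OFF + 2, IP_LEN + UDP_LEN + VXLAN_LEN + len(inner))
    struct.pack_into("!H", hdr, IP_OFF + 10, ip_checksum(bytes(hdr[IP_OFF:IP_OFF + IP_LEN])))
    # UDP source port carries flow entropy for ECMP; derive it from the inner headers.
    src_port = 49152 + (zlib.crc32(inner[:54]) & 0x3FFF)
    struct.pack_into("!HHHH", hdr, UDP_OFF, src_port, VXLAN_PORT,
                     UDP_LEN + VXLAN_LEN + len(inner), 0)
    return bytes(hdr) + inner


def decapsulate(pkt: bytes) -> dict:
    """What the receiving endpoint checks before handing the inner frame to the VM."""
    ip_total = struct.unpack_from("!H", pkt, IP_OFF + 2)[0]
    udp_src, udp_dst, udp_len = struct.unpack_from("!HHH", pkt, UDP_OFF)
    vni = struct.unpack_from("!I", pkt, VXLAN_OFF + 4)[0] >> 8
    return {"dst_ip": socket.inet_ntoa(pkt[IP_OFF + 16:IP_OFF + 20]),
            "ip_checksum_ok": ip_checksum(pkt[IP_OFF:IP_OFF + IP_LEN]) == 0,
            "ip_total": ip_total, "udp_src": udp_src, "udp_dst": udp_dst,
            "udp_len": udp_len, "vni": vni, "inner": pkt[OUTER_LEN:]}


# Constructed sample: three tunnel endpoints and a short inner Ethernet frame.
ENDPOINTS = {"host-a": ("02:00:00:00:00:0a", "192.0.2.10"),
             "host-b": ("02:00:00:00:00:0b", "192.0.2.11"),
             "host-c": ("02:00:00:00:00:0c", "192.0.2.12")}
INNER = bytes.fromhex("0200000000ff020000000001" "0800") + b"\x45" + b"\x00" * 19 + b"hello"

if __name__ == "__main__":
    table = precompute_headers(ENDPOINTS, vni=5001)
    print(decapsulate(encapsulate(table[("host-a", "host-b")], INNER)))
```

The template is never mutated (the copy is a fresh bytearray per packet), so a cached header can be shared across cores without locking; a receiver should still validate the outer IP checksum and VNI rather than trusting the template that produced it.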
  • Patent number: 11153122
    Abstract: For a set of gateway devices at the edge of a logical network, some embodiments provide a method for ensuring that data messages from an external network requiring a stateful service are received at an active gateway device. The method advertises the availability of a set of internet protocol (IP) addresses from standby gateway devices with a higher cost than the cost advertised by an active gateway device. In some embodiments, the advertisement is made using a border gateway protocol. Data messages may be unexpectedly received on a standby node despite the higher advertised cost. This could happen due to asymmetric network failures. The method determines if a stateful service is needed for the data messages received on a standby node. Based on the determination, the method forwards the received data message to the active gateway device for the active gateway device to provide the stateful service.
    Type: Grant
    Filed: February 19, 2018
    Date of Patent: October 19, 2021
    Assignee: NICIRA, INC.
    Inventors: Ankur Dubey, Sami Boutros, Vijayalaxmi Basavaraj, Yashika Narang, Sharath Bhat
  • Patent number: 11134008
    Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method that better supports the provision of certain network applications and/or services. The method receives at a host implementing (1) a distributed logical router and (2) a plurality of logical switches of a logical network along with other hosts, a message from a first data compute node (DCN) executing on the host. The host logically forwards the message to the distributed logical router that uses a particular anycast internet protocol (IP) address using a first media access control (MAC) address. The distributed router determines that the message requires processing by a centralized logical router (e.g., a service router, edge node, etc.) executing on an edge node host and forwards the message to the centralized logical router using the same anycast IP address and a second, unique MAC address.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: September 28, 2021
    Assignee: NICIRA, INC.
    Inventors: Sami Boutros, Mani Kancherla
  • Patent number: 11128489
    Abstract: Example methods are provided for a first host to maintain data-plane connectivity with a second host via a third host in a virtualized computing environment. The method may comprise identifying an intermediate host, being the third host, having data-plane connectivity with both the first host and the second host. The method may also comprise: in response to detecting, from a first virtualized computing instance supported by the first host, an egress packet that includes an inner header addressed to a second virtualized computing instance supported by the second host, generating an encapsulated packet by encapsulating the egress packet with an outer header that is addressed from the first host to the third host instead of the second host; and sending the encapsulated packet to the third host for subsequent forwarding to the second host.
    Type: Grant
    Filed: July 18, 2017
    Date of Patent: September 21, 2021
    Assignee: NICIRA, INC.
    Inventors: Subin Cyriac Mathew, Ankur Kumar Sharma, Alexander Tessmer, Vivek Agarwal
  • Patent number: 11128600
    Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each security group of a set of security groups at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: September 21, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar
  • Patent number: 11128550
    Abstract: Some embodiments of the invention provide a method for gathering data for logical network traffic analysis by sampling flows of packets forwarded through a logical network. Some embodiments are implemented by a set of network virtualization controllers that, on a shared physical infrastructure, can implement two or more sets of logical forwarding elements that define two or more logical networks. In some embodiments, the method (1) defines an identifier for a logical network probe, (2) associates this identifier with one or more logical observation points in the logical network, and (3) distributes logical probe configuration data, including sample-action flow entry data, to one or more managed forwarding elements that implement the logical processing pipeline at the logical observation points associated with the logical network probe identifier.
    Type: Grant
    Filed: November 1, 2019
    Date of Patent: September 21, 2021
    Assignee: NICIRA, INC.
    Inventors: Romain F. Lenglet, Rajiv Ramanathan, Jun Xiao
  • Patent number: 11122085
    Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify, for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall rule should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).
    Type: Grant
    Filed: March 9, 2019
    Date of Patent: September 14, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar, Aravind Srinivasan, Shadab Shah, Serge Maskalik
  • Patent number: 11121946
    Abstract: Described herein are systems, methods, and software to capture packets of interest in a virtual switch. In one implementation, a method of capturing packets of interest in a virtual switch includes identifying a request to capture packets associated with first packet attributes. The method further includes, in response to the request, assigning a virtual port for forwarding the packets associated with the first packet attributes, and implementing a forwarding rule in the virtual switch to forward the packets associated with the first packet attributes to at least the virtual port. The method further provides for directing traffic over the virtual switch using the forwarding rule.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: September 14, 2021
    Assignee: Nicira, Inc.
    Inventor: Harold Vinson C. Lim
  • Patent number: 11115262
    Abstract: Some embodiments provide a method for a controller that manages a physical network that implements multiple logical networks that include multiple logical routers. The method receives a command to change a particular centralized routing component of a logical router to an inactive state. At least two centralized routing components of the logical router are implemented on at least two different host machines in the physical network. The method identifies a host machine on which the particular centralized routing component operates. Other centralized routing components of other logical routers also operate on the identified host machine. The method sends a message to the identified host machine to cause the particular centralized routing component to change to an inactive state, without modifying a state of the identified host machine or the other centralized routing components operating on the identified host machine.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: September 7, 2021
    Assignee: NICIRA, INC.
    Inventors: Ankur Dubey, Abhishek Goliya
  • Patent number: 11115337
    Abstract: The technology disclosed herein enables segregation of network traffic on an application basis. In a particular embodiment, a method is performed in a virtual network interface for a first guest Operating System (OS) executing on a host and includes receiving guest data packets from the first guest OS. The method further includes associating the guest data packets with respective ones of a plurality of applications executing within the first guest OS and separating the guest data packets into respective ones of a plurality of application port interfaces each corresponding to at least one of the plurality of applications. The method also includes passing the guest data packets to a host network interface using the plurality of application port interfaces.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: September 7, 2021
    Assignee: Nicira, Inc.
    Inventors: Vasantha Kumar, Sandeep Kasbe
  • Patent number: 11113085
    Abstract: A method of defining a virtual network across a plurality of physical hosts is provided. At least two hosts utilize network virtualization software provided by two different vendors. Each host hosts a set of data compute nodes (DCNs) for one or more tenants. The method, at an agent at a host, receives a command from a network controller, the command including (i) an identification of a resource on a tenant logical network and (ii) an action to perform on the identified resource. The method, at the agent, determines the network virtualization software utilized by the host. The method, at the agent, translates the received action into a set of configuration commands compatible with the network virtualization software utilized by the host. The method sends the configuration commands to a network configuration interface on the host to perform the action on the identified resource.
    Type: Grant
    Filed: January 25, 2016
    Date of Patent: September 7, 2021
    Assignee: NICIRA, INC.
    Inventors: Bolt Zhang, Jianjun Shen, Jianwei Ma, Donghai Han, Ram D. Singh, Frank Pan
  • Patent number: 11115382
    Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each security group of a set of security groups at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: September 7, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar
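The rule pipeline described by patents 11128600 and 11115382 (security tags propagated between datacenters, DCN identifiers translated to static addresses locally) combined with the AppliedTo tuple of patent 11122085, as one added example that is not the patents' or Nicira's code. The datacenter inventories, tag names, DCN identifiers, addresses and rules are all constructed; the model assumes each datacenter reports tag membership and addresses for its own DCNs and that the enforcement point for a rule is the vNIC of a DCN on the host receiving it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Rule:
    name: str
    src: FrozenSet[str]          # security groups, or {"any"}
    dst: FrozenSet[str]
    service: str                 # e.g. "tcp/5432" or "any"
    action: str                  # "allow" | "drop"
    applied_to: FrozenSet[str]   # AppliedTo tuple: groups whose DCNs enforce this rule, or {"all"}


# Constructed inventory reported back by each datacenter after it receives the tag set:
# tag -> DCN unique ids, DCN id -> static address, DCN id -> hosting hypervisor.
DATACENTERS: Dict[str, dict] = {
    "dc-east": {
        "tags": {"web": {"vm-1a2b", "vm-3c4d"}, "db": {"vm-5e6f"}},
        "addr": {"vm-1a2b": "10.1.0.11", "vm-3c4d": "10.1.0.12", "vm-5e6f": "10.1.1.21"},
        "host": {"vm-1a2b": "esx-e1", "vm-3c4d": "esx-e2", "vm-5e6f": "esx-e2"},
    },
    "dc-west": {
        "tags": {"web": {"vm-7a8b"}, "db": {"vm-9c0d"}},
        "addr": {"vm-7a8b": "10.2.0.11", "vm-9c0d": "10.2.1.21"},
        "host": {"vm-7a8b": "esx-w1", "vm-9c0d": "esx-w1"},
    },
}
# Security groups are defined at the originating datacenter purely in terms of tags.
SECURITY_GROUPS: Dict[str, Set[str]] = {"sg-web": {"web"}, "sg-db": {"db"}}

RULES: List[Rule] = [
    Rule("web-to-db", frozenset({"sg-web"}), frozenset({"sg-db"}), "tcp/5432", "allow",
         applied_to=frozenset({"sg-web", "sg-db"})),
    Rule("db-default-drop", frozenset({"any"}), frozenset({"sg-db"}), "any", "drop",
         applied_to=frozenset({"sg-db"})),
]


def group_members(group: str) -> Set[str]:
    """Expand a group to DCN ids across every datacenter. An unknown tag expands to nothing."""
    return {dcn for tag in SECURITY_GROUPS[group]
            for dc in DATACENTERS.values() for dcn in dc["tags"].get(tag, set())}


def expand(groups: FrozenSet[str]) -> Set[str]:
    return {"any"} if "any" in groups else set().union(*(group_members(g) for g in groups))


def to_addresses(dcn_ids: Set[str], addr: Dict[str, str]) -> List[str]:
    return ["any"] if dcn_ids == {"any"} else sorted(addr[i] for i in dcn_ids)


def compile_for_host(datacenter: str, host: str) -> List[dict]:
    """Per-datacenter translation: DCN ids become static addresses, and only rules whose
    AppliedTo set names a DCN running on this host are pushed to it."""
    addr = {i: a for dc in DATACENTERS.values() for i, a in dc["addr"].items()}
    local = {i for i, h in DATACENTERS[datacenter]["host"].items() if h == host}
    compiled = []
    for r in RULES:
        enforce_on = local if "all" in r.applied_to else local & expand(r.applied_to)
        if not enforce_on:
            continue   # nothing on this host enforces the rule: do not ship it here
        compiled.append({"name": r.name, "src": to_addresses(expand(r.src), addr),
                         "dst": to_addresses(expand(r.dst), addr), "service": r.service,
                         "action": r.action, "enforce_on": sorted(enforce_on)})
    return compiled


if __name__ == "__main__":
    for dc, host in (("dc-east", "esx-e1"), ("dc-east", "esx-e2"), ("dc-west", "esx-w1")):
        print(dc, host, compile_for_host(dc, host))
```

Two things to check before pushing rules in such a scheme: a group whose tags match no DCN expands to an empty set, which makes an allow rule harmless but makes a drop rule match nothing, so an empty expansion should be treated as a synchronisation error rather than a valid rule; and AppliedTo is what keeps each host from receiving (and evaluating) the whole tenant policy, so it is both a scale control and a least-privilege control over which hosts learn which addresses.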
  • Patent number: 11115465
    Abstract: A physical host machine of a public cloud system includes a set of processing units for executing instructions stored in non-transitory machine readable media. The physical host machine also includes a physical network interface card (PNIC) and a non-transitory machine readable medium that stores a data compute node (DCN). The DCN includes first and second applications, first and second logical interfaces, a network stack, and a managed forwarding element (MFE). The first application is connected to the PNIC through the network stack, the first logical interface, and the MFE. The second application is connected to the PNIC through the network stack, the second logical interface, and the MFE.
    Type: Grant
    Filed: February 9, 2020
    Date of Patent: September 7, 2021
    Assignee: NICIRA, INC.
    Inventors: Shashank Ram, Sairam Venugopal, Yin Lin, Anand Kumar, Nithin Bangalore Raju, Mukesh Hira, Ganesan Chandrashekhar, Vivek Agarwal
  • Patent number: 11108846
    Abstract: A method of determining the span of logical entities in a network is provided. The method generates a directed graph. Each node of the graph corresponds to a logical network entity. Each edge of the graph has one or two directions. A direction from a first node to a second node identifies the first node as the source of span for the second node. The method determines the span of each node based on the direction of the edges of the directed graph. The method groups each set of nodes that are accessible by all other nodes in the set in a strongly connected component (SCC) sub-graph. The method generates a group node in a directed acyclic graph (DAG) to correspond to each SCC sub-graph in the directed graph. The method assigns the span of each SCC to the corresponding group node of the DAG.
    Type: Grant
    Filed: July 4, 2019
    Date of Patent: August 31, 2021
    Assignee: NICIRA, INC.
    Inventors: Da Wan, Jianjun Shen, Maxim Novikov, Donghai Han, Hua Wang
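The span computation in the abstract, as an added example that is not the patent's or Nicira's code: Tarjan's algorithm collapses the directed entity graph into its strongly connected components, the condensation DAG is walked in topological order, and every node inherits the union of its own placement and the spans of its sources. The logical topology (ports, two logical switches, a router whose edges to the switches run in both directions, a firewall section) and the host names are constructed; "span" here is simply the set of hypervisors that must receive an entity's configuration.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed topology: each node's own placement (hosts it is directly realised on; empty
# for entities whose span is purely inherited) and edges "source of span -> dependent".
OWN_SPAN: Dict[str, Set[str]] = {
    "port-a": {"host1"}, "port-b": {"host2"}, "port-c": {"host3"},
    "ls-web": set(), "ls-db": set(), "lr-t1": set(),
    "dfw-section": set(), "edge-ls": {"edge1"},
}
EDGES: List[Tuple[str, str]] = [
    ("port-a", "ls-web"), ("port-b", "ls-web"), ("port-c", "ls-db"),
    ("ls-web", "lr-t1"), ("lr-t1", "ls-web"),   # two-directional: switch and router share span
    ("ls-db", "lr-t1"), ("lr-t1", "ls-db"),
    ("lr-t1", "dfw-section"),                   # firewall section follows the router's span
    ("edge-ls", "lr-t1"),
]


def strongly_connected_components(nodes: List[str], edges: List[Tuple[str, str]]) -> List[FrozenSet[str]]:
    """Tarjan's algorithm. Returns SCCs in reverse topological order of the condensation DAG
    (an SCC is emitted before every SCC that has an edge into it)."""
    adj = defaultdict(list)
    for a, b in edges:
        adj[a].append(b)
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []

    def visit(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in adj[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of an SCC: pop it off the stack
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(frozenset(comp))

    for v in nodes:
        if v not in index:
            visit(v)
    return sccs


def compute_spans(own_span: Dict[str, Set[str]], edges: List[Tuple[str, str]]) -> Dict[str, FrozenSet[str]]:
    """Span of an SCC = own placement of its members + spans of the SCCs that feed it."""
    sccs = strongly_connected_components(list(own_span), edges)
    comp_of = {v: c for c in sccs for v in c}
    preds = defaultdict(set)            # group node -> group nodes that are its sources of span
    for a, b in edges:
        if comp_of[a] != comp_of[b]:
            preds[comp_of[b]].add(comp_of[a])
    span: Dict[FrozenSet[str], FrozenSet[str]] = {}
    for c in reversed(sccs):            # topological order: sources before dependents
        s = set().union(*(own_span[v] for v in c))
        for p in preds[c]:
            s |= span[p]
        span[c] = frozenset(s)
    return {v: span[comp_of[v]] for v in own_span}


if __name__ == "__main__":
    for node, hosts in compute_spans(OWN_SPAN, EDGES).items():
        print(node, sorted(hosts))
```

The SCC step is what makes two-directional edges safe: without it the switch/router cycle would never converge in a naive propagation. The practical security consequence of span is that it bounds which hosts learn a tenant's addresses and rules, so an edge added carelessly (say, a firewall section hung off a router instead of off one switch) widens the set of hypervisors that receive that tenant's configuration.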
  • Patent number: 11108751
    Abstract: A first host receives a packet from a first compute node for a second compute node of a second host. The payload is larger than a maximum transmission unit size. The first packet is encapsulated with an outer header. The first host analyzes a length of at least a portion of the outer header in determining a size of an encrypted segment of the payload. Then, the first host forms a plurality of packets where each packet in the packets includes an encrypted segment of the payload, a respective encryption header, and a respective authentication value. The payload of the first packet is segmented to form a plurality of encrypted segments based on the size. The first host sends the packets to the second host and receives an indication that a packet was not received. A second packet including the encrypted segment is sent to the second compute node.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: August 31, 2021
    Assignee: NICIRA, INC.
    Inventors: Wenyi Jiang, Daniel G Wing, Bin Qian, Dexiang Wang
  • Patent number: 11108593
    Abstract: A method for offloading packet encapsulation for an overlay network is provided. The method, at a virtualization software of a host, sends a mapping table of the overlay network to a physical network interface controller (NIC) associated with the host. The mapping table maps the identification of each of a set of virtual machines (VMs) of a tenant on the host to an identification of a tunnel on the overlay network. The method, at the virtualization software, receives a packet from a VM of the tenant. The method sends the packet to the physical NIC. The method, at the physical NIC, encapsulates the packet for transmission over the overlay network by using the mapping table. The method, at the virtualization software, also tags the packet as a packet that requires encapsulation for transmission in the overlay network prior to sending the packet to the physical NIC.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: August 31, 2021
    Assignee: NICIRA, INC.
    Inventors: Shoby Cherian, Raghavendra Subbarao Narahari Venkata, Tanuja Ingale
  • Patent number: 11102208
    Abstract: A computer security system provides for auto-populating process-connection whitelists using process wildcarding and connection wildcarding. Process wildcarding involves grouping process-connection requests together in a process* group without regard to the presence of distinct process arguments; in contrast, some process-connection requests may be separated both by process and by argument into process?argument groups. The process-connection requests may then be analyzed on a group-by-group basis to determine which processes can be mapped to wildcarded connections in a respective process-connection whitelist.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: August 24, 2021
    Assignee: Nicira, Inc.
    Inventors: Amit Chopra, Daniel G. Wing, Vijay Ganti, Christopher Corde, Amit Patil, Peixiao Lin, Sanjay Sanghavi
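The two grouping modes from the abstract (process* and process?argument) and the per-group decision to wildcard the peer address, as an added example that is not the patent's or Nicira's code. The observed connection requests, the choice of which processes are wildcarded on their arguments, and the threshold of three distinct peers before a port is opened to any address are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ConnReq:
    process: str        # executable path
    args: str           # command-line arguments as observed
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Constructed observations, as a host agent might record them during the learning window.
OBSERVED: List[ConnReq] = [
    ConnReq("/usr/sbin/nginx", "-g daemon off;", "10.0.5.10", 8080),
    ConnReq("/usr/sbin/nginx", "-c /etc/nginx/b.conf", "10.0.5.11", 8080),
    ConnReq("/usr/sbin/nginx", "-g daemon off;", "10.0.5.12", 8080),
    ConnReq("/usr/bin/python3", "backup.py", "10.0.9.1", 22),
    ConnReq("/usr/bin/python3", "backup.py", "10.0.9.1", 22),
    ConnReq("/usr/bin/python3", "report.py", "10.0.7.50", 443),
    ConnReq("/usr/bin/python3", "report.py", "10.0.7.51", 443),
    ConnReq("/usr/bin/python3", "report.py", "10.0.7.52", 443),
    ConnReq("/usr/bin/curl", "http://169.254.169.254/latest/meta-data/", "169.254.169.254", 80),
]

# process* groups: arguments are ignored for these executables (assumed policy).
WILDCARD_ARGS: Set[str] = {"/usr/sbin/nginx"}
# Assumed threshold: this many distinct peers on one port -> the address becomes a wildcard.
MIN_PEERS_TO_WILDCARD = 3

GroupKey = Tuple[str, str]
Entry = Tuple[str, str, int]            # (proto, ip-or-"*", port)


def group_key(r: ConnReq) -> GroupKey:
    """process* for wildcarded executables, process?argument for everything else."""
    return (r.process, "*") if r.process in WILDCARD_ARGS else (r.process, r.args)


def build_whitelist(observed: List[ConnReq]) -> Dict[GroupKey, Set[Entry]]:
    groups: Dict[GroupKey, List[ConnReq]] = defaultdict(list)
    for r in observed:
        groups[group_key(r)].append(r)
    whitelist: Dict[GroupKey, Set[Entry]] = {}
    for key, reqs in groups.items():      # analysed group by group
        peers_by_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
        for r in reqs:
            peers_by_port[(r.proto, r.dst_port)].add(r.dst_ip)
        entries: Set[Entry] = set()
        for (proto, port), ips in peers_by_port.items():
            if len(ips) >= MIN_PEERS_TO_WILDCARD:
                entries.add((proto, "*", port))          # connection wildcard
            else:
                entries |= {(proto, ip, port) for ip in ips}
        whitelist[key] = entries
    return whitelist


def is_allowed(whitelist: Dict[GroupKey, Set[Entry]], req: ConnReq) -> bool:
    entries = whitelist.get(group_key(req), set())
    return ((req.proto, req.dst_ip, req.dst_port) in entries
            or (req.proto, "*", req.dst_port) in entries)


if __name__ == "__main__":
    for key, entries in build_whitelist(OBSERVED).items():
        print(key, sorted(entries))
```

The wildcarding decision is where the risk sits: putting an interpreter or a generic client such as curl into the process* group would let one observed invocation (the metadata-service fetch above) authorise every future invocation with any arguments, so interpreters and shells belong in process?argument groups and the peer threshold should be set per process rather than globally.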
  • Patent number: 11095493
    Abstract: Some embodiments provide a method for a managed forwarding element that processes packets through a set of packet processing tables by matching rules in the tables. The method receives an update that requires modification to at least one of the packet processing tables. Each rule in the packet processing tables is assigned a range of packet processing table versions in which the rule is valid for processing packets. The method modifies the packet processing tables according to the received update by at least one of (i) modifying the range of packet processing table versions in which an existing rule is valid to end after a current packet processing table version and (ii) adding a new rule with a range of valid packet processing table versions that begins with a next packet processing table version. The method increments the current version of the packet processing tables to commit the modifications.
    Type: Grant
    Filed: June 20, 2019
    Date of Patent: August 17, 2021
    Assignee: NICIRA, INC.
    Inventor: Jarno Rajahalme
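The versioning scheme in the abstract, as an added example that is not the patent's or Nicira's code: a simplified two-table match/action pipeline in which each rule carries an inclusive range of table versions, a packet is pinned to the version current when it enters, staged changes end old rules at the current version and start new ones at the next, and a single increment commits everything. The rules, fields and the policy change (moving management access from port 22 to a bastion-only rule) are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    match: Dict[str, object]               # every listed field must equal the packet's value
    priority: int
    action: str                            # "allow", "drop", or "set" (write set_field, continue)
    set_field: Optional[Tuple[str, object]] = None
    valid_from: int = 0                    # inclusive version range in which the rule is live
    valid_to: Optional[int] = None         # None: live in every later version


class VersionedPipeline:
    def __init__(self, table_names: List[str]):
        self.version = 0
        self.tables: Dict[str, List[Rule]] = {n: [] for n in table_names}

    def stage_add(self, table: str, rule: Rule) -> None:
        """A new rule is valid only from the next version: current lookups cannot see it."""
        rule.valid_from, rule.valid_to = self.version + 1, None
        self.tables[table].append(rule)

    def stage_remove(self, table: str, name: str) -> None:
        """An existing rule stays valid through the current version and ends there."""
        for r in self.tables[table]:
            if r.name == name and r.valid_to is None:
                r.valid_to = self.version

    def commit(self) -> int:
        """One atomic step makes every staged change across all tables visible together."""
        self.version += 1
        return self.version

    def lookup(self, table: str, pkt: dict, version: int) -> Optional[Rule]:
        live = [r for r in self.tables[table]
                if r.valid_from <= version and (r.valid_to is None or version <= r.valid_to)
                and all(pkt.get(k) == v for k, v in r.match.items())]
        return max(live, key=lambda r: r.priority, default=None)

    def process(self, pkt: dict, version: int) -> str:
        """Run a packet through every table with the version it was pinned to on entry."""
        pkt = dict(pkt)
        for table in self.tables:
            rule = self.lookup(table, pkt, version)
            if rule is None:
                return "drop"
            if rule.action == "set":
                pkt[rule.set_field[0]] = rule.set_field[1]
                continue
            return rule.action
        return "drop"

    def garbage_collect(self, oldest_inflight_version: int) -> int:
        """Remove rules no in-flight packet can still reference; returns the count removed."""
        removed = 0
        for name, rules in self.tables.items():
            keep = [r for r in rules if r.valid_to is None or r.valid_to >= oldest_inflight_version]
            removed += len(rules) - len(keep)
            self.tables[name] = keep
        return removed


def build_pipeline() -> VersionedPipeline:
    """Constructed version-0 policy: port 22 is classified as management and allowed."""
    p = VersionedPipeline(["classify", "acl"])
    p.tables["classify"] += [Rule("ssh-is-mgmt", {"dst_port": 22}, 10, "set", ("class", "mgmt")),
                             Rule("classify-any", {}, 0, "set", ("class", "other"))]
    p.tables["acl"] += [Rule("allow-mgmt", {"class": "mgmt"}, 10, "allow"),
                        Rule("acl-default", {}, 0, "drop")]
    return p


def stage_policy_change(p: VersionedPipeline) -> None:
    """Port 22 becomes class "ssh", allowed only from the bastion. Both tables change: seen
    with the old ACL, the new classify table would drop all SSH; seen with the new ACL, the
    old classify table would still allow SSH from anywhere. Versioning rules out both mixes."""
    p.stage_remove("classify", "ssh-is-mgmt")
    p.stage_add("classify", Rule("ssh-class", {"dst_port": 22}, 10, "set", ("class", "ssh")))
    p.stage_add("acl", Rule("allow-ssh-bastion", {"class": "ssh", "src_ip": "10.0.0.5"}, 20, "allow"))


if __name__ == "__main__":
    p = build_pipeline()
    stage_policy_change(p)
    v_old, v_new = p.version, p.commit()
    pkt = {"dst_port": 22, "src_ip": "10.9.9.9"}
    print("pinned to", v_old, p.process(pkt, v_old), "| pinned to", v_new, p.process(pkt, v_new))
```

The point a reviewer should hold a real implementation to is the one in `stage_policy_change`: an update that touches several tables must not be observable half-applied, because the half-applied state can be more permissive than either the old or the new policy. Garbage collection of ended rules has to wait for the oldest packet still being processed, which is why the pipeline tracks in-flight versions rather than deleting on commit.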
  • Patent number: 11095574
    Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon is provided. The datapath daemon is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. The datapath daemon dispatches packets to other processes or processing threads outside of the daemon by utilizing a user space network stack.
    Type: Grant
    Filed: December 10, 2015
    Date of Patent: August 17, 2021
    Assignee: NICIRA, INC.
    Inventors: Ronghua Zhang, Yong Wang, Teemu Koponen, Jia Yu, Xinhua Hong
  • Patent number: 11095607
    Abstract: A method of providing a set of network addresses associated with a managed forwarding element (MFE) in a logical network that includes a set of data compute nodes (DCNs). The DCNs are hosted on a set of physical hosts. Each DCN is connected to an MFE on the corresponding host. The method receives a request to translate an MFE into a set of network addresses, the request comprising an identification of the MFE. The method identifies a logical network entity associated with the MFE based on the identification of the MFE. The method identifies a set of network addresses associated with the identified network entity and provides that set as the set of network addresses associated with the MFE.
    Type: Grant
    Filed: November 15, 2019
    Date of Patent: August 17, 2021
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar