Patents Assigned to Nicira, Inc.
  • Patent number: 11038845
    Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC. In response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.
    Type: Grant
    Filed: February 23, 2016
    Date of Patent: June 15, 2021
    Assignee: NICIRA, INC.
    Inventor: Donghai Han
  • Patent number: 11029982
    Abstract: Some embodiments provide a method of operating several logical networks over a network virtualization infrastructure. The method defines a managed physical switching element (MPSE) that includes several ports for forwarding packets to and from a plurality of virtual machines. Each port is associated with a unique media access control (MAC) address. The method defines several managed physical routing elements (MPREs) for the several different logical networks. Each MPRE is for receiving data packets from a same port of the MPSE. Each MPRE is defined for a different logical network and for routing data packets between different segments of the logical network. The method provides the defined MPSE and the defined plurality of MPREs to a plurality of host machines as configuration data.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: June 8, 2021
    Assignee: NICIRA, INC.
    Inventors: Ganesan Chandrashekhar, Rahul Korivi Subramaniyam, Ram Dular Singh, Vivek Agarwal, Howard Wang
  • Patent number: 11032183
    Abstract: Example methods are provided for a computer system to validate routing information in a software-defined networking (SDN) environment. The method may comprise obtaining routing information associated with a logical router in a first autonomous system and network topology information associated with the first autonomous system. The routing information may specify multiple first routes to respective multiple first networks, and the network topology information may specify multiple second routes that connect the logical router to respective multiple second networks. The method may also comprise validating the routing information based on the network topology information to determine whether the multiple first routes are valid based on the multiple second routes; and in response to determination that a particular first route from the multiple first routes is invalid, configuring the logical router to exclude the particular first route from route advertisement information destined for a second autonomous system.
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: June 8, 2021
    Assignee: NICIRA, INC.
    Inventor: Amardeep Nagarkar
  • Patent number: 11032246
    Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. One of these service engines is a firewall engine. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines.
    Type: Grant
    Filed: December 10, 2017
    Date of Patent: June 8, 2021
    Assignee: NICIRA, INC.
    Inventors: Laxmikant Vithal Gunda, Arnold Poon, Jayant Jain, Aditi Vutukuri
  • Patent number: 11032248
    Abstract: A method of selectively encrypting packets includes filtering calls, at a virtual machine on a host, to connect sockets to server applications. When a call by a client application to connect a socket to a server application is detected, the method includes determining if the socket between the client and the server applications is to be encrypted based on identities of the client application, a user logged in on the virtual machine, or the client application and the user logged in on the virtual machine. The method includes filtering outbound packets in a protocol stack of the virtual machine. When the socket is to be encrypted and an outbound packet for the socket is detected, the method includes tagging the outbound packet for encryption by a hypervisor on the host and sending the outbound packet to a virtual network interface card (vNIC) emulated by the hypervisor.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: June 8, 2021
    Assignee: NICIRA, INC.
    Inventors: Vasantha Kumar, Leena Soman, Hrishikesh Ghatnekar
  • Patent number: 11032234
    Abstract: Some embodiments provide an ARP-offload service node for several managed hardware forwarding elements (MHFEs) in a datacenter in order to offload ARP query processing by the MHFEs. The MHFEs are managed elements because one or more network controllers (e.g., one or more management servers) send configuration data to the MHFEs to configure their operations. In some of these embodiments, the network controllers configure the MHFEs to create logical forwarding elements (e.g., logical switches, logical routers, etc.) each of which can span two or more managed forwarding elements.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: June 8, 2021
    Assignee: NICIRA, INC.
    Inventors: Anupam Chanda, Pankaj Thakkar
  • Patent number: 11032155
    Abstract: Some embodiments provide a method for generating a multi-layer network map from network configuration data. The method receives network configuration data that defines network components and connections between the network components for a network that spans one or more datacenters. Based on the received network configuration data, the method generates multiple data layers for a multi-layer interactive map of the network. Different data layers include different network components and connections. The method generates a visual representation of the network for each data layer. Each visual representation includes a map of the network at a different level of hierarchy.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: June 8, 2021
    Assignee: NICIRA, INC.
    Inventors: Amardeep Nagarkar, Shivraj Shahajirao Sonawane, Shantanu Kulkarni, Sarat Chandra Annadata, Sachin Mohan Vaidya
  • Patent number: 11025543
    Abstract: Some embodiments provide a network system. The network system includes a first set of host machines for hosting virtual machines that connect to each other through a logical network. The first set of host machines includes managed forwarding elements for forwarding data between the host machines. The network system includes a second set of host machines for hosting virtualized containers that operate as gateways for forwarding data between the virtual machines and an external network. At least one of the virtualized containers peers with at least one physical router in the external network in order to advertise addresses of the virtual machines to the physical router.
    Type: Grant
    Filed: January 29, 2020
    Date of Patent: June 1, 2021
    Assignee: NICIRA, INC.
    Inventors: Ariel Tubaltsev, Ronghua Zhang, Benjamin C Basler, Serge Maskalik, Rajiv Ramanathan, David J Leroy, Srinivas Neginhal, Kai-Wei Fan, Ansis Atteka
  • Patent number: 11025503
    Abstract: Some embodiments provide a method for displaying a multi-layer network map for a network configured in at least one datacenter. The method displays a visualization of a first layer of the multi-layer network map. The visualization includes a first set of selectable items corresponding to components of the network and connections between the components. At least a subset of the first set of selectable items link to other layers of the network map. The method receives input selecting one of the selectable items. In response to the input, the method displays a visualization of a second layer of the network map. The second layer provides information about the network configuration at a different level of detail than the first layer. The visualization of the second layer includes a second set of selectable items corresponding to components of the network and connections between the components.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: June 1, 2021
    Assignee: NICIRA, INC.
    Inventors: Amardeep Nagarkar, Shivraj Shahajirao Sonawane, Shantanu Kulkarni, Sarat Chandra Annadata, Sachin Mohan Vaidya
  • Patent number: 11025514
    Abstract: A method of collecting health check metrics for a network is provided. The method, at a deep packet inspector on a physical host in a datacenter, receives a copy of a network packet from a load balancer. The packet includes a plurality of layers. Each layer corresponds to a communication protocol in a plurality of communication protocols. The method identifies an application referenced in the packet. The method analyzes the information in one or more layers of the packet to determine metrics for the source application. The method sends the determined metrics to the load balancer.
    Type: Grant
    Filed: January 13, 2016
    Date of Patent: June 1, 2021
    Assignee: NICIRA, INC.
    Inventors: Alok S. Tiagi, Jayant Jain, Anirban Sengupta, Srinivas Nimmagadda, Rick Lund
  • Patent number: 11018970
    Abstract: A method for monitoring several data compute nodes (DCNs) on a group of managed host machines is provided. The method receives service usage data from a group of managed hosts. The service usage data identifies service usage for each of a plurality of entities associated with each managed host. The method aggregates the received service usage data. The method displays the aggregated service usage data.
    Type: Grant
    Filed: December 1, 2016
    Date of Patent: May 25, 2021
    Assignee: NICIRA, INC.
    Inventors: Chidambareswaran Raman, Subrahmanyam Manuguri, Raju Koganty, Anirban Sengupta
  • Patent number: 11019167
    Abstract: Some embodiments provide a method for a network controller that manages multiple managed forwarding elements (MFEs) that implement multiple logical networks. The method stores (i) a first data structure including an entry for each logical entity in a desired state of the multiple logical networks and (ii) a second data structure including an entry for each logical entity referred to by an update for at least one MFE. Upon receiving updates specifying modifications to the logical entities, the method adds separate updates to separate queues for the MFEs that require the update. The separate updates reference the logical entity entries in the second data structure. When the second data structure reaches a threshold size in comparison to the first data structure, the method compacts the updates in at least one of the queues so that each queue has no more than one update referencing a particular logical entity entry.
    Type: Grant
    Filed: April 29, 2016
    Date of Patent: May 25, 2021
    Assignee: NICIRA, INC.
    Inventors: Igor Ganichev, Alexander Yip, Pankaj Thakkar, Teemu Koponen, Aayush Saxena
  • Patent number: 11019030
    Abstract: A novel method for stateful packet classification that uses hardware resources for performing stateless lookups and software resources for performing stateful connection flow handshaking is provided. To classify an incoming packet from a network, some embodiments perform stateless look up operations for the incoming packet in hardware and forward the result of the stateless look up to the software. The software in turn uses the result of the stateless look up to perform the stateful connection flow handshaking and to determine the result of the stateful packet classification.
    Type: Grant
    Filed: November 17, 2017
    Date of Patent: May 25, 2021
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Mohan Parthasarathy, Xinhua Hong
  • Patent number: 11018975
    Abstract: Described herein are systems, methods, and software to enhance flow operations on a host computing system. In one implementation, a virtual switch on a host identifies a packet from a virtual node. In response to identifying the packet, the virtual switch determines whether the packet corresponds to a cached result action based on traits of the packet. If the packet corresponds to a cached result action, then the virtual switch may process the packet in accordance with the cached result action. In contrast, if the packet does not correspond to a cached result action, then the virtual switch may process the packet in accordance with first flow operations to determine a result action, and cache the result action for use with future packets.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: May 25, 2021
    Assignee: Nicira, Inc.
    Inventors: Aditya Krishna Sonthy, Alexander N. Tessmer, Ganesan Chandrashekhar, Samuel Jacob, Boon Seong Ang, Hongwei Zhu, Rajeev Nair
  • Patent number: 11018993
    Abstract: Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: May 25, 2021
    Assignee: NICIRA, INC.
    Inventors: Ganesan Chandrashekhar, Mukesh Hira, Sanal Pillai
  • Patent number: 11012292
    Abstract: A network control system that achieves high availability for forwarding state computation within a controller cluster by replicating different levels of table state between controllers of the controller cluster. To build a highly available controller cluster, the tables for storing the forwarding state are replicated across the controllers. In order to reduce network traffic between the controllers, fewer tables are replicated to slave controllers, which then recompute the forwarding state of the master controller in order to have a replicated copy of the master controller's forwarding state for possible failover. In other embodiments, more tables are replicated to minimize the recomputations and processor load on the slave controller. The network control system of some embodiments performs continuous snapshotting to minimize downtime associated with reaching a fixed point and replicating the state.
    Type: Grant
    Filed: February 7, 2019
    Date of Patent: May 18, 2021
    Assignee: NICIRA, INC.
    Inventors: Teemu Koponen, Alan Shieh, Igor Ganichev
  • Patent number: 11012420
    Abstract: A method of enforcing security rules for a packet on a host is provided. The method, at a security service dispatcher, determines a dispatching action on a packet for each of a group of security services. Each security service is for enforcing a set of security rules on each packet. The method, for each security service, sends the packet to the security service when the dispatch rule for the security service indicates that the set of security rules of the security service has to be enforced on the packet. The method, for each security service, bypasses the enforcement of the security rules of the security service when the dispatch rule for the security service indicates that the set of security rules of the security service has to be bypassed for the packet.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: May 18, 2021
    Assignee: NICIRA, INC.
    Inventors: Soner Sevinc, Yang Song
  • Patent number: 11005805
    Abstract: Exemplary methods, apparatuses, and systems include a first network edge device configuring a mapping between a physical network interface and a plurality of logical interfaces. A second network edge device also configures a mapping between a physical network interface and a copy of the plurality of logical interfaces. Each of the logical interfaces is assigned a corresponding set of first and second layer networking addresses that is replicated across the first and second network edge devices. The first network edge device receives a first address resolution request via the physical network interface of the first network edge device that includes a source and a destination. The destination is an address assigned to one of the plurality of logical interfaces. The first network edge device determines a second layer networking address assigned to the destination logical interface and transmits an address resolution response including the determined second layer networking address.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: May 11, 2021
    Assignee: Nicira, Inc.
    Inventor: Sreeram Ravinoothala
  • Patent number: 11005753
    Abstract: For a managed network including multiple host machines implementing multiple logical networks, some embodiments provide a method that reduces the memory and traffic load required to implement the multiple logical networks. The method generates configuration data for each of multiple host machines including (i) data to configure a host machine to implement a set of logical forwarding elements that belong to a set of routing domains and (ii) identifiers for each routing domain in the set of routing domains. The method then receives data regarding tunnel endpoints operating on each of the host machines and an association with the routing identifiers sent to the host machines. The method then generates a routing domain tunnel endpoint list for each routing domain based on the data received from each of the host machines including a list of the tunnel endpoints associated with the routing domain which the host machines can use to facilitate packet processing.
    Type: Grant
    Filed: February 14, 2019
    Date of Patent: May 11, 2021
    Assignee: NICIRA, INC.
    Inventors: Caixia Jiang, Jianjun Shen, Pankaj Thakkar, Anupam Chanda, Ronghua Zhang, Ganesan Chandrashekhar, Vicky Liu, Da Wan, Frank Pan, Hua Wang, Donghai Han
  • Patent number: 11005683
    Abstract: Some embodiments provide a novel method for managing hardware forwarding elements (MHFEs) that facilitate the creation of multiple logical networks on a set of shared physical forwarding elements. The method uses a set of logical controllers that generate data that defines a set of logical networks, and a set of physical controllers to distribute the generated data to the hardware forwarding elements. In some embodiments, each MHFE can serve as either a master MHFE or a slave MHFE for one set of computing end nodes (e.g., VMs, containers, etc.) in a logical network. To ensure proper routing of data packets to the computing end nodes, each MHFE sends to its physical controller an inventory (e.g., a table, a list, etc.) of the set of computing end nodes for which it serves as the master MHFE or the slave MHFE. Each physical controller forwards the inventory for each logical network to the logical controller for the logical network.
    Type: Grant
    Filed: August 4, 2019
    Date of Patent: May 11, 2021
    Assignee: NICIRA, INC.
    Inventors: Anupam Chanda, Ariel Tubaltsev