Patents Assigned to Nicira, Inc.
  • Patent number: 11706159
    Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages, and can include service-providing stages such as NAT and firewall. The gateway caches the results of previous packet operations and reapplies them to subsequent packets that meet certain criteria. For packets that have no applicable or valid result from previous packet-processing operations, the gateway datapath daemon executes the pipelined packet-processing stages, records a set of data from each stage of the pipeline and synthesizes those data into a cache entry for subsequent packets.
    Type: Grant
    Filed: April 28, 2022
    Date of Patent: July 18, 2023
    Assignee: NICIRA, INC.
    Inventors: Ronghua Zhang, Yong Wang, Teemu Koponen, Xinhua Hong
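Added example for the cached datapath described in the abstract above. This is illustrative Python written for this page, not code from the patent or from Nicira; the stage set (DNAT, firewall, routing), the rule formats, the five-tuple cache key and the generation counter used for invalidation are all assumptions. It shows the slow path recording each stage's result and synthesizing a cache entry, the fast path reusing it, and the check a practitioner cares about: a cached verdict must be treated as invalid once the policy that produced it changes, otherwise a flow allowed under an old firewall rule keeps flowing after the rule is removed.

```python
"""Toy edge-gateway datapath with a per-flow result cache.

Added example (not code from the patent or from Nicira). The stage set
(DNAT, firewall, routing), the rule formats and the use of the five-tuple
as the cache key are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def key(self):
        # Five-tuple identifies the flow; it is the cache lookup key.
        return (self.src, self.dst, self.proto, self.sport, self.dport)


@dataclass
class CacheEntry:
    generation: int        # config generation the entry was built under
    verdict: str           # "forward" or "drop"
    new_dst: str           # destination after the NAT stage
    next_hop: Optional[str]


class Gateway:
    def __init__(self, fw_rules, nat_map, routes):
        self.fw_rules = list(fw_rules)     # (action, dst_cidr, dport or None)
        self.nat_map = dict(nat_map)       # public dst -> private dst
        self.routes = {ipaddress.ip_network(c): nh for c, nh in routes.items()}
        self.generation = 0
        self.cache = {}
        self.stats = {"slow": 0, "fast": 0}

    def update_firewall(self, fw_rules):
        """Any config change bumps the generation, so every cached result
        built under the old policy is treated as invalid on its next hit."""
        self.fw_rules = list(fw_rules)
        self.generation += 1

    # Each stage returns (record, possibly rewritten packet).
    def stage_dnat(self, pkt):
        new_dst = self.nat_map.get(pkt.dst, pkt.dst)
        return {"dnat": new_dst}, Packet(pkt.src, new_dst, pkt.proto, pkt.sport, pkt.dport)

    def stage_firewall(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        for action, cidr, dport in self.fw_rules:
            if dst in ipaddress.ip_network(cidr) and dport in (None, pkt.dport):
                return {"fw": action}, pkt
        return {"fw": "drop"}, pkt          # default deny

    def stage_route(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        candidates = [n for n in self.routes if dst in n]
        best = max(candidates, key=lambda n: n.prefixlen) if candidates else None
        return {"next_hop": self.routes[best] if best else None}, pkt

    def slow_path(self, pkt):
        """Run the full pipeline, record each stage's result and synthesize
        one cache entry from the records."""
        self.stats["slow"] += 1
        records, cur = {}, pkt
        for stage in (self.stage_dnat, self.stage_firewall, self.stage_route):
            rec, cur = stage(cur)
            records.update(rec)
            if records.get("fw") == "drop":
                break                        # no point routing a dropped packet
        forward = records.get("fw") == "allow" and records.get("next_hop") is not None
        entry = CacheEntry(self.generation, "forward" if forward else "drop",
                           records["dnat"], records.get("next_hop"))
        self.cache[pkt.key()] = entry
        return entry

    def process(self, pkt):
        """Fast path on a valid cache hit, slow path otherwise."""
        entry = self.cache.get(pkt.key())
        if entry is None or entry.generation != self.generation:
            entry = self.slow_path(pkt)
        else:
            self.stats["fast"] += 1
        return entry.verdict, entry.new_dst, entry.next_hop


def demo():
    # Constructed sample configuration and traffic.
    gw = Gateway(fw_rules=[("allow", "10.0.1.0/24", 443)],
                 nat_map={"203.0.113.10": "10.0.1.5"},
                 routes={"10.0.1.0/24": "host-a", "0.0.0.0/0": "uplink"})
    p = Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443)
    first = gw.process(p)      # slow path: builds the cache entry
    second = gw.process(p)     # fast path: reuses it
    gw.update_firewall([])     # policy change invalidates the entry
    third = gw.process(p)      # slow path again, now dropped
    return first, second, third, dict(gw.stats)
```

Real gateways key the cache on more than the five-tuple (ingress interface, VLAN and so on) and invalidate entries eagerly rather than lazily on the next hit; the generation check here is the minimum needed to stop a stale allow verdict from outliving the rule that produced it.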
  • Patent number: 11706195
    Abstract: The technology disclosed herein enables micro-segmentation of virtual computing elements. In a particular embodiment, a method provides identifying one or more multi-tier applications comprising a plurality of virtual machines. Each application tier of the one or more multi-tier applications comprises at least one of the plurality of virtual machines. The method further provides maintaining information about the one or more multi-tier applications. The information at least indicates a security group for each virtual machine of the plurality of virtual machines. Additionally, the method provides identifying communication traffic flows between virtual machines of the plurality of virtual machines and identifying one or more removable traffic flows of the communication traffic flows based, at least in part, on the information. The method then provides blocking the one or more removable traffic flows.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: July 18, 2023
    Assignee: Nicira, Inc.
    Inventors: Laxmikant Gunda, Rajiv Krishnamurthy
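Added example for the micro-segmentation method above (Python written for this page, not the patent's or Nicira's code). The VM inventory, the allowed tier edges and the observed flow records are constructed; the security-group naming is an assumption. It derives a security group per application tier, flags observed flows that the tier model does not justify (tier-skipping, cross-application and reverse-initiated), and aggregates them into group-to-group drop rules.

```python
"""Micro-segmentation of multi-tier applications: derive security groups
from the application/tier inventory, flag observed flows that the tier
model does not justify, and turn them into distributed-firewall block rules.

Added example, not code from the patent. The inventory, the allowed
tier-to-tier edges and the flow records are constructed for illustration.
"""

# Constructed inventory: VM name -> (application, tier)
VMS = {
    "web-1": ("shop", "web"), "web-2": ("shop", "web"),
    "app-1": ("shop", "app"),
    "db-1": ("shop", "db"),
    "hr-web-1": ("hr", "web"), "hr-db-1": ("hr", "db"),
}

# Assumed policy: within one application, only these tier-to-tier
# directions initiate connections. Anything else is a removable flow.
ALLOWED_TIER_EDGES = {("web", "app"), ("app", "db")}


def security_group(vm):
    app, tier = VMS[vm]
    return f"sg-{app}-{tier}"


def is_permitted(src_vm, dst_vm):
    src_app, src_tier = VMS[src_vm]
    dst_app, dst_tier = VMS[dst_vm]
    # Cross-application traffic is never justified by the tier model.
    return src_app == dst_app and (src_tier, dst_tier) in ALLOWED_TIER_EDGES


def removable_flows(flows):
    """flows: iterable of (src_vm, dst_vm, proto, dport) connection records
    (initiator first; replies are handled by connection tracking, not here)."""
    return [f for f in flows if not is_permitted(f[0], f[1])]


def block_rules(flows):
    """Aggregate removable flows per security-group pair so a single
    distributed-firewall rule covers every VM in those groups."""
    rules = {(security_group(s), security_group(d), proto, port, "drop")
             for s, d, proto, port in removable_flows(flows)}
    return sorted(rules)


# Constructed flow records, e.g. from flow monitoring on the hosts.
OBSERVED_FLOWS = [
    ("web-1", "app-1", "tcp", 8080),      # web -> app: expected
    ("app-1", "db-1", "tcp", 5432),       # app -> db: expected
    ("web-2", "db-1", "tcp", 5432),       # web -> db skips the app tier
    ("hr-web-1", "db-1", "tcp", 5432),    # another application's web tier
    ("db-1", "web-1", "tcp", 443),        # db initiating to web
]
```

Flow records are taken as initiator-to-responder connections, so reply packets of an allowed flow are not flagged; that relies on the enforcing firewall being stateful. Before pushing the rules, a practitioner would review the flagged flows, since a flow that falls outside the tier model (backup, monitoring, patching) may still be legitimate.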
  • Patent number: 11695730
    Abstract: Some embodiments provide a method for a network controller that manages several logical networks. The method receives a specification of a logical network that includes at least one logical forwarding element attached to a logical service (e.g., DHCP). The method selects at least one host machine to host the specified logical service from several host machines designated for hosting logical services. The method generates logical service configuration information for distribution to the selected host machine. In some embodiments, the method selects a master host machine and a backup host machine for hosting the logical service. In some embodiments, a particular one of the designated host machines hosts at least two DHCP services for two different logical networks as separate processes operating on the particular host machine.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: July 4, 2023
    Assignee: NICIRA, INC.
    Inventors: Anupam Chanda, Pankaj Thakkar, Igor Ganichev, Ronghua Zhang, Ansis Atteka
  • Patent number: 11695731
    Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: July 4, 2023
    Assignee: NICIRA, INC.
    Inventors: Anirban Sengupta, Subrahmanyam Manuguri, Mitchell T. Christensen, Azeem Feroz, Todd Sabin
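Added example for the identity-based distributed firewall above (illustrative Python, not the patent's or Nicira's code). The class names, the (vm, connection) key, the rule schema and the decision to drop egress that the guest driver never attributed are assumptions. The guest-side driver reports user and connection to an identity module outside the guest; the hypervisor-side firewall looks the identity up per outgoing connection and evaluates group-based rules.

```python
"""Identity-aware distributed firewall: a guest driver attributes each new
connection to the logged-in user, publishes that to an identity module,
and the hypervisor-side firewall evaluates per-user rules on egress.

Added example, not code from the patent. Class names, the rule schema and
the deny-on-unknown-identity choice are assumptions for this example.
"""
import ipaddress


class IdentityModule:
    """Sits outside the guest; maps (vm, connection) -> user."""
    def __init__(self):
        self._table = {}

    def publish(self, vm, conn, user):
        self._table[(vm, conn)] = user

    def lookup(self, vm, conn):
        return self._table.get((vm, conn))


class GuestDriver:
    """Runs inside the guest OS; sees connect() calls with the calling
    user and reports the pairing before the first packet leaves the VM."""
    def __init__(self, vm, identity):
        self.vm, self.identity = vm, identity

    def on_connect(self, user, conn):
        self.identity.publish(self.vm, conn, user)


class DistributedFirewall:
    def __init__(self, identity, user_groups, rules):
        self.identity = identity
        self.user_groups = user_groups    # user -> set of groups
        self.rules = rules                # (group, dst_cidr, dport, action)

    def egress(self, vm, conn):
        # conn is the (src_ip, src_port, dst_ip, dst_port) of the packet.
        user = self.identity.lookup(vm, conn)
        if user is None:
            return "drop"             # unattributed egress: fail closed (assumption)
        groups = self.user_groups.get(user, set())
        dst = ipaddress.ip_address(conn[2])
        for group, cidr, dport, action in self.rules:
            if group in groups and dst in ipaddress.ip_network(cidr) and dport == conn[3]:
                return action
        return "drop"                 # no matching rule: default deny


def demo():
    # Constructed users, rules and connections.
    identity = IdentityModule()
    fw = DistributedFirewall(
        identity,
        user_groups={"alice": {"finance"}, "bob": {"eng"}},
        rules=[("finance", "10.0.5.0/24", 1433, "allow"),
               ("eng", "10.0.9.0/24", 22, "allow")],
    )
    driver = GuestDriver("vm-42", identity)

    c1 = ("10.0.1.20", 50001, "10.0.5.8", 1433)
    driver.on_connect("alice", c1)                  # finance user to the DB
    c2 = ("10.0.1.20", 50002, "10.0.5.8", 1433)
    driver.on_connect("bob", c2)                    # eng user to the DB
    c3 = ("10.0.1.20", 50003, "10.0.5.8", 1433)     # driver never reported this one
    return fw.egress("vm-42", c1), fw.egress("vm-42", c2), fw.egress("vm-42", c3)
```

The driver runs inside the guest, so a root-level compromise of the VM can lie about the user; the firewall should treat the reported identity as a hint that narrows policy, never as a reason to grant more than the VM's own network-level rules allow. Failing closed on unattributed connections (c3 above) keeps a stopped or tampered driver from turning into an open pipe.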
  • Patent number: 11695591
    Abstract: A method of utilizing the same hardware network interface card (NIC) in a gateway of a datacenter to communicate datacenter tenant packet traffic and packet traffic for a set of applications that execute in the user space of the gateway and utilize a network stack in the kernel space of the gateway. The method sends and receives packets for the datacenter tenant packet traffic through a packet datapath in the user space. The method sends incoming packets from the NIC to the set of applications through the datapath in the user space, a user-kernel transport driver connecting the kernel network stack to the datapath in the user space, and the kernel network stack. The method receives outgoing packets at the NIC from the set of applications through the kernel network stack, the user-kernel transport driver, and the datapath in the user space.
    Type: Grant
    Filed: November 8, 2021
    Date of Patent: July 4, 2023
    Assignee: NICIRA, INC.
    Inventors: Jia Yu, Yong Wang, Xinhua Hong
  • Patent number: 11695697
    Abstract: Some embodiments provide a novel way to insert a service (e.g., a third party service) in the path of a data message flow, between two machines (e.g., two VMs, two containers, etc.) in a public cloud environment. For a particular tenant of the public cloud, some embodiments create an overlay logical network with a logical overlay address space. To perform a service on data messages of a flow between two machines, the logical overlay network passes to the public cloud's underlay network the data messages with their destination address (e.g., destination IP addresses) defined in the logical overlay network. The underlay network (e.g., an underlay default downlink gateway) is configured to pass data messages with such destination addresses (e.g., with logical overlay destination addresses) to a set of one or more service machines. The underlay network (e.g.
    Type: Grant
    Filed: September 14, 2020
    Date of Patent: July 4, 2023
    Assignee: NICIRA, INC.
    Inventor: Mukesh Hira
  • Patent number: 11695681
    Abstract: Example methods are provided for assigning a routing domain identifier in a logical network environment that includes one or more logical distributed routers and one or more logical switches. In one example, the method may comprise obtaining network topology information specifying how the one or more logical distributed routers are connected with the one or more logical switches; and selecting, from the one or more logical switches, a particular logical switch for which routing domain identifier assignment is required. The method may also comprise: identifying a particular logical distributed router that is connected with the particular logical switch based on the network topology information; assigning the particular logical switch with the routing domain identifier that is associated with the particular logical distributed router; and using the routing domain identifier in a communication between a management entity and a host.
    Type: Grant
    Filed: August 20, 2020
    Date of Patent: July 4, 2023
    Assignee: NICIRA, INC.
    Inventors: Da Wan, Pankaj Thakkar, Anupam Chanda, Jianjun Shen, Anuprem Chalvadi, Caixia Jiang, Hua Wang, Donghai Han
  • Patent number: 11695695
    Abstract: For a network controller for managing hosts in a network, a method for configuring a host to resolve network addresses is described. The method configures an address resolution module in a host to resolve a network address. The method configures a managed forwarding element in the host to (1) avoid sending a request to resolve the network address to another host by using the address resolution module to resolve the network address and (2) forward packets using the resolved network address.
    Type: Grant
    Filed: December 14, 2020
    Date of Patent: July 4, 2023
    Assignee: NICIRA, INC.
    Inventors: Ronghua Zhang, Teemu Koponen, Pankaj Thakkar
  • Patent number: 11683214
    Abstract: Systems and methods for managing a network are described. A view of the current state of the network is maintained, where the current state characterizes the network topology and network constituents, including network entities and network elements residing in or on the network. Events are announced that correspond to changes in the state of the network, and one or more network elements can be configured accordingly. Methods for managing network traffic are described that ensure forwarding and other actions taken by network elements implement globally declared network policy and refer to high-level names, independently of network topology and the location of network constituents. Methods for discovering network constituents are described, whereby discovered constituents are automatically configured. Routing may be performed using ACLs, and packets can be intercepted to permit a host to remain in sleep mode. The methods are applicable to virtual environments.
    Type: Grant
    Filed: August 2, 2020
    Date of Patent: June 20, 2023
    Assignee: NICIRA, INC.
    Inventors: Martin Casado, Keith E. Amidon, Peter J. Balland, III, Natasha Gude, Justin Pettit, Benjamin L. Pfaff, Scott J. Shenker, Daniel J. Wendlandt
  • Publication number: 20230185630
    Abstract: Some embodiments provide a method for clustering a set of data compute nodes (DCNs), which communicate with each other more frequently, on one or more host machines. The method groups together guest DCNs (GDCNs) that (1) execute on different host machines and (2) exchange network data among themselves more frequently, in order to reduce interhost network traffic. The more frequently-communicating GDCNs can be a set of GDCNs that implement a distributed application, GDCNs of a particular tier in a multi-tier network architecture (e.g., a web tier in a three-tier architecture), GDCNs that are dedicated to a particular tenant in a hosting system, or any other set of GDCNs that exchange data among each other regularly for a particular purpose.
    Type: Application
    Filed: February 6, 2023
    Publication date: June 15, 2023
    Applicant: Nicira, Inc.
    Inventors: Xin Qi, Fenil Kavathia, Chidambareswaran Raman, Shadab Shah, Raju Koganty, Jingmin Zhou
  • Patent number: 11677588
    Abstract: Some embodiments of the invention provide a method for implementing a logical switching element that includes multiple logical ports through which the logical switching element receives and sends data packets. The method configures multiple managed forwarding elements to implement the logical switching element. The method also determines that port isolation has been enabled for the logical switching element. The method further provides a set of data directing the managed forwarding elements to drop a particular data packet received through a first logical port when the particular data packet is addressed to a second logical port different than the first logical port to implement the port isolation.
    Type: Grant
    Filed: June 9, 2019
    Date of Patent: June 13, 2023
    Assignee: NICIRA, INC.
    Inventor: Bryan J. Fulton
  • Patent number: 11677611
    Abstract: Some embodiments provide a novel method for distributing control-channel communication load between multiple controllers in a network control system. In some embodiments, the controllers manage physical forwarding elements that forward data between several computing devices (also called hosts or host computers), some or all of which execute one or more virtual machines (VMs). The method of some embodiments distributes a controller assignment list to the host computers. The host computers use this list to identify the controllers with which they need to interact to perform some of the forwarding operations of their associated logical forwarding elements. In some embodiments, agents executing on the host computers (1) review the controller assignment list to identify the appropriate controllers, and (2) establish control channel communications with these controllers to obtain the needed data for effectuating the forwarding operations of their associated physical forwarding elements.
    Type: Grant
    Filed: November 4, 2018
    Date of Patent: June 13, 2023
    Assignee: NICIRA, INC.
    Inventors: Jianjun Shen, Hua Wang, James Joseph Stabile, Xuan Zhang
  • Patent number: 11677720
    Abstract: In one aspect, a computerized system useful for implementing a virtual private network (VPN) includes an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in preparation for a transmission of secure traffic. The edge device has a list of local subnets and sends that list to the gateway device during the initial MP tunnel establishment handshake message exchange between the edge device and the gateway device. Each subnet includes an indication of whether the subnet is reachable over the VPN. The system also includes the gateway device, which automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device, and an enterprise datacenter server comprising an orchestrator module that receives a toggle-VPN command and enables the VPN on the orchestrator.
    Type: Grant
    Filed: October 12, 2020
    Date of Patent: June 13, 2023
    Assignee: NICIRA, INC.
    Inventors: Ajit Ramachandra Mayya, Parag Pritam Thakore, Stephen Craig Connors, Steven Michael Woo, Sunil Mukundan, Thomas Harold Speeter
  • Patent number: 11677719
    Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC. In response to a determination that the PNIC-level firewall rule blocks the ingress packet, the ingress packet may be dropped so that it is not sent to the destination VNIC.
    Type: Grant
    Filed: February 19, 2021
    Date of Patent: June 13, 2023
    Assignee: NICIRA, INC.
    Inventor: Donghai Han
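Added example for the PNIC-level rule derivation above (illustrative Python, not the patent's or Nicira's code). The rule schema, the binding of the VNIC's IP as the PNIC-level destination match, and the choice to hoist only drop rules are assumptions. It turns per-VM VNIC rules into rules the shared physical NIC can evaluate, then filters constructed ingress packets before they would be dispatched to a VNIC.

```python
"""Deriving PNIC-level firewall rules from VNIC-level rules so that an
ingress packet another host sent to a blocked port is dropped at the
destination host's physical NIC instead of being carried to the VNIC.

Added example, not code from the patent. The rule schema and the
restriction to stateless ingress-drop rules are assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class VnicRule:
    """Applies at one VM's VNIC; the destination is implicitly that VNIC."""
    action: str      # "drop" or "allow"
    src_cidr: str
    proto: str
    dport: int


@dataclass(frozen=True)
class PnicRule:
    """Same predicate with the destination bound to the VNIC's IP, so it
    can be evaluated on the shared physical NIC before dispatch."""
    action: str
    src_cidr: str
    dst_ip: str
    proto: str
    dport: int


def derive_pnic_rules(vnic_ip, vnic_rules):
    """vnic_ip: vnic_id -> IP; vnic_rules: vnic_id -> list of VnicRule.
    Only unconditional drop rules are hoisted: an 'allow' at the PNIC would
    bypass whatever else the VNIC still checks (assumption of this example)."""
    out = []
    for vnic, rules in vnic_rules.items():
        for r in rules:
            if r.action == "drop":
                out.append(PnicRule("drop", r.src_cidr, vnic_ip[vnic], r.proto, r.dport))
    return out


def pnic_filter(pnic_rules, pkt):
    """pkt: (src_ip, dst_ip, proto, dport). Returns 'drop' or 'pass'."""
    src_ip, dst_ip, proto, dport = pkt
    src = ipaddress.ip_address(src_ip)
    for r in pnic_rules:
        if (r.dst_ip == dst_ip and r.proto == proto and r.dport == dport
                and src in ipaddress.ip_network(r.src_cidr)):
            return r.action
    return "pass"        # not dropped here; the VNIC-level rules still apply


def demo():
    # Constructed configuration: two VMs on the destination host.
    vnic_ip = {"vnic-a": "10.0.2.10", "vnic-b": "10.0.2.11"}
    vnic_rules = {
        "vnic-a": [VnicRule("drop", "0.0.0.0/0", "tcp", 22),
                   VnicRule("allow", "10.0.0.0/8", "tcp", 443)],
        "vnic-b": [],
    }
    rules = derive_pnic_rules(vnic_ip, vnic_rules)
    return (
        len(rules),
        pnic_filter(rules, ("192.0.2.5", "10.0.2.10", "tcp", 22)),   # ssh to vnic-a
        pnic_filter(rules, ("192.0.2.5", "10.0.2.10", "tcp", 443)),  # https to vnic-a
        pnic_filter(rules, ("192.0.2.5", "10.0.2.11", "tcp", 22)),   # ssh to vnic-b
    )
```

Hoisted rules are bound to the VNIC's current address, so they must be regenerated whenever a VM's IP changes or it migrates to another host; and only drops are hoisted, because an allow evaluated at the PNIC would short-circuit any further VNIC-level checks.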
  • Patent number: 11669488
    Abstract: A non-transitory machine readable medium storing a program that configures managed forwarding elements to establish tunnels between the managed forwarding elements is described. From a particular managed forwarding element, the program receives information regarding the coupling of a network element to that managed forwarding element. Upon receiving the information, the program generates a set of universal flow entries for configuring another managed forwarding element to establish a tunnel to the particular managed forwarding element.
    Type: Grant
    Filed: November 2, 2019
    Date of Patent: June 6, 2023
    Assignee: NICIRA, INC.
    Inventors: Pankaj Thakkar, Teemu Koponen
  • Patent number: 11671319
    Abstract: The technology disclosed herein enables a data plane of a packet handler in a host to be changed while minimizing disruption to the operation of guests that are associated therewith. In a particular embodiment, the method provides, in a control plane of the packet handler, extracting state information about states of the data plane and pausing network traffic to the data plane. After pausing the network traffic to the data plane, the method provides applying changes to components of the data plane. After applying changes to the components of the data plane, the method provides restoring the states to the data plane using the state information and resuming the network traffic to the data plane.
    Type: Grant
    Filed: August 19, 2020
    Date of Patent: June 6, 2023
    Assignee: Nicira, Inc.
    Inventors: Jingmin Zhou, Subrahmanyam Manuguri, Anirban Sengupta
  • Patent number: 11671345
    Abstract: The technology disclosed herein enables an L3 network fabric including one or more spine switches having a leaf-spine topology to be self-expanded. In a particular embodiment, a method provides transferring one or more probe messages from each of the spine switches. The probe messages detect whether new computing nodes have been attached to the communication network. The method further provides receiving a reply to at least one of the probe messages. The reply identifies a new computing node that is not yet included in the L3 fabric.
    Type: Grant
    Filed: November 12, 2020
    Date of Patent: June 6, 2023
    Assignee: Nicira, Inc.
    Inventors: Raja Kommula, Rajendra Yavatkar, Thayumanavan Sridhar
  • Patent number: 11665092
    Abstract: Some embodiments provide a method that generates different network measurement data (e.g., network topology, bandwidth estimation of different paths, etc.) for a pair of endpoints upon receiving a network administrative request (e.g., an application programming interface (API) request) or by other means (e.g., automatically and without intervention of a user). In some embodiments, the method is implemented by a network measurement agent operating on each endpoint and a centralized service component (e.g., web service layer) executing on a network manager machine (e.g., a controller) that responds to measurement requests. The network measurement agent probes the network periodically (i.e., at certain time intervals) or upon an API request that it receives through the network manager machine to gather the measurement data of a particular network topology between a pair of endpoints.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: May 30, 2023
    Assignee: NICIRA, INC.
    Inventors: Jun Xiao, Romain F. Lenglet
  • Patent number: 11665242
    Abstract: Some embodiments provide a method that allows a first data compute node (DCN) to forward outgoing traffic to a second DCN directly in spite of receiving the incoming traffic from the second DCN through a load balancer. That is, the return traffic's network path from the first DCN (e.g., a server machine) to the second DCN (e.g., a client machine) bypasses the load balancer, even though a request that initiated the return traffic is received through the load balancer. The load balancer receives a connection session request from a client machine to connect to a server. It identifies a set of parameters for the connection session and after selecting a server for the connection, passes the identified set of parameters to a host machine that executes the server. The server establishes the connection session directly with the client machine based on the identified set of parameters.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: May 30, 2023
    Assignee: NICIRA, INC.
    Inventors: Mani Kancherla, Jayant Jain, Anirban Sengupta
  • Patent number: 11641321
    Abstract: Some embodiments provide a method that processes network data through a network. The method receives a packet destined for a network host associated with a logical datapath set implemented by a set of managed edge switching elements and a set of managed non-edge switching elements in the network. The method determines whether the packet is a known packet. When the packet is a known packet, the method forwards the packet to a managed switching element in the set of managed edge switching elements for forwarding to the network host. When the packet is not a known packet, the method forwards the packet to a managed switching element in the set of managed non-edge switching elements for further processing.
    Type: Grant
    Filed: July 9, 2018
    Date of Patent: May 2, 2023
    Assignee: NICIRA, INC.
    Inventors: Teemu Koponen, Keith E. Amidon, Paul S. Ingram, Martin Casado