Patents Assigned to Nicira, Inc.
  • Patent number: 11611632
    Abstract: An example method to provide communication between a first computer in a first computer network and a second computer in a second computer network is disclosed. The method includes aliasing the second computer's address in the second computer network to a loopback interface of a third computer in the first computer network and establishing a tunnel between the third computer and a fourth computer in the second computer network. Establishing the tunnel includes configuring the fourth computer to forward traffic received from the tunnel to the second computer. The method further includes configuring routing in the first computer network to direct traffic destined for the second computer network to the third computer, and configuring the first computer to transmit packets destined for the second computer with the second computer's address in the second computer network.
    Type: Grant
    Filed: November 3, 2016
    Date of Patent: March 21, 2023
    Assignee: NICIRA, INC.
    Inventors: Andrey Todorov Petrov, Martin Valkanov
  • Patent number: 11601521
    Abstract: Some embodiments provide a method for a network controller that manages multiple managed forwarding elements (MFEs) that implement multiple logical networks. The method stores (i) a first data structure including an entry for each logical entity in a desired state of the multiple logical networks and (ii) a second data structure including an entry for each logical entity referred to by an update for at least one MFE. Upon receiving updates specifying modifications to the logical entities, the method adds separate updates to separate queues for the MFEs that require the update. The separate updates reference the logical entity entries in the second data structure. When the second data structure reaches a threshold size in comparison to the first data structure, the method compacts the updates in at least one of the queues so that each queue has no more than one update referencing a particular logical entity entry.
    Type: Grant
    Filed: May 5, 2021
    Date of Patent: March 7, 2023
    Assignee: NICIRA, INC.
    Inventors: Igor Ganichev, Alexander Yip, Pankaj Thakkar, Teemu Koponen, Aayush Saxena
  • Patent number: 11601362
    Abstract: Some embodiments provide a method for configuring a logical router that interfaces with an external network. The method receives a configuration for a logical network that includes a logical router with several interfaces that connect to at least one physical router external to the logical network. The method selects a separate host machine to host a centralized routing component for each of the interfaces. The method selects a particular one of the host machines for operating a dynamic routing protocol control plane that receives routing protocol data from each of the centralized routing components and updates routing tables of each of the centralized routing components.
    Type: Grant
    Filed: May 5, 2020
    Date of Patent: March 7, 2023
    Assignee: NICIRA, INC.
    Inventors: Sreeram Ravinoothala, Ronghua Zhang
  • Patent number: 11595345
    Abstract: Some embodiments provide a method for a network controller that manages multiple logical networks implemented by multiple managed forwarding elements (MFEs) operating on multiple host machines. The method receives a notification from a particular MFE that an interface corresponding to a logical port of a logical forwarding element has connected to the particular MFE and has a particular logical network address. The method assigns a unique physical network address to the interface. Each of multiple interfaces connected to the particular MFE is assigned a different physical network address. The method provides the assigned unique physical network address to the particular MFE for the particular MFE to convert data messages sent from the particular logical network address to have the unique physical network address.
    Type: Grant
    Filed: May 5, 2020
    Date of Patent: February 28, 2023
    Assignee: NICIRA, INC.
    Inventors: Yusheng Wang, Donghai Han
  • Patent number: 11593145
    Abstract: Some embodiments provide a method for implementing a logical router of a logical network. The method receives a configuration for a first logical router. The configuration includes a static route for the first logical router. The method defines several routing components with separate routing tables for the logical router. The method adds a first route, having a first static route type, for the static route to the routing tables of at least a first subset of the routing components. Based on the connection of a second logical router to the first logical router, the method adds a second route, having a second static route type, to the routing tables of at least a second subset of the routing components.
    Type: Grant
    Filed: October 2, 2020
    Date of Patent: February 28, 2023
    Assignee: NICIRA, INC.
    Inventors: Ankur Dubey, Sreeram Ravinoothala, Ronghua Zhang, Xuan Zhang
  • Patent number: 11593134
    Abstract: An approach for a hypervisor to throttle CPU utilization based on a CPU utilization throttling request received for a data flow is presented. A method comprises receiving a request for a CPU utilization throttling. The request is parsed to extract a CPU utilization level and a data flow identifier of the data flow. Upon receiving a data packet that belongs to the data flow identified by the data flow identifier, a packet size of the data packet is determined, and a rate limit table is accessed to determine, based on the CPU utilization level and the packet size, a rate limit for the data packet. If it is determined, based at least on the rate limit, that the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination, then a recommendation is generated to drop the data packet.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: February 28, 2023
    Assignee: NICIRA, INC.
    Inventor: Dexiang Wang
  • Patent number: 11595503
    Abstract: A novel algorithm for packet classification that is based on a novel search structure for packet classification rules is provided. Addresses from all the containers are merged and maintained in a single Trie. Each entry in the Trie has additional information that can be traced back to the container from where the address originated. This information is used to keep the Trie in sync with the containers when the container definition dynamically changes.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: February 28, 2023
    Assignee: NICIRA, INC.
    Inventors: Mohan Parthasarathy, Jayant Jain, Xinhua Hong, Anirban Sengupta
  • Patent number: 11593148
    Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.
    Type: Grant
    Filed: February 11, 2021
    Date of Patent: February 28, 2023
    Assignee: NICIRA, INC.
    Inventors: Ronghua Zhang, Teemu Koponen, Pankaj Thakkar, Amar Padmanabhan, Martin Casado
  • Patent number: 11588739
    Abstract: Described herein are systems, methods, and software to enhance the implementation of communication rules in a computing network. In one example, a method of operating a communication settings system maintains communication rules for a plurality of networks, wherein the communication rules define forwarding actions for ingress and egress packets to and from applications in the plurality of computing networks. The service further identifies a configuration request from a computing network with applications executing in the computing network, identifies a subset of the communication rules based on the plurality of applications, and provides the subset of the communication rules to the computing network.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: February 21, 2023
    Assignee: Nicira, Inc.
    Inventors: Arijit Chanda, Rajiv Krishnamurthy
  • Patent number: 11573840
    Abstract: Some embodiments provide a method for clustering a set of data compute nodes (DCNs), which communicate with each other more frequently, on one or more host machines. The method groups together guest DCNs (GDCNs) that (1) execute on different host machines and (2) exchange network data among themselves more frequently, in order to reduce interhost network traffic. The more frequently-communicating GDCNs can be a set of GDCNs that implement a distributed application, GDCNs of a particular tier in a multi-tier network architecture (e.g., a web tier in a three-tier architecture), GDCNs that are dedicated to a particular tenant in a hosting system, or any other set of GDCNs that exchange data among each other regularly for a particular purpose.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: February 7, 2023
    Assignee: NICIRA, INC.
    Inventors: Xin Qi, Fenil Kavathia, Chidambareswaran Raman, Shadab Shah, Raju Koganty, Jingmin Zhou
  • Patent number: 11570092
    Abstract: For a managed network, some embodiments provide a method for a set of service nodes in an active-active service node cluster in conjunction with a host computer hosting a destination data compute node (DCN) to improve the efficiency of directing a data message to a service node storing state information for the flow to which the data message belongs. A first service node receives a data message in a particular data message flow for which it does not maintain state information. The first service node then identifies a second service node to process the data message and forwards the data message to the second service node. The second service node sends state information for the particular data message flow to the first service node, for the first service node to use to process subsequent data messages in the particular data message flow.
    Type: Grant
    Filed: July 31, 2017
    Date of Patent: January 31, 2023
    Assignee: NICIRA, INC.
    Inventors: Mani Kancherla, Ronghua Zhang
  • Patent number: 11570040
    Abstract: For a network with host machines that are hosting virtual machines, a method for facilitating BUM (broadcast, unknown unicast, and multicast) traffic between a hardware switch (e.g., ToR switch) and the host machines is provided. The network has a set of host machines configured as a cluster of replicators for replicating BUM traffic from the hardware switch to the host machines. A set of network controllers establishes failure-detection tunnels for links between the hardware switch and the replicator cluster. The replicator cluster informs the set of controllers of a change in the membership of the replicator cluster to initiate an update to the active failure-detection sessions. The set of network controllers communicates with the replicator cluster and a ToR switch to establish bidirectional forwarding detection (BFD) sessions between one or more replicator nodes in the replicator cluster and the ToR switch.
    Type: Grant
    Filed: August 2, 2020
    Date of Patent: January 31, 2023
    Assignee: NICIRA, INC.
    Inventors: Jin Liu, Hua Wang, Ziyou Wang, Bolt Zhang, Pradeep Singh, Anupam Chanda
  • Patent number: 11570147
    Abstract: Some embodiments of the invention provide a method for a first security controller that performs security operations on the packets that are transmitted within a network. The method of some embodiments receives a packet from a forwarding element in the network based on a decision made by a security agent that operates along with the forwarding element. When the first security controller stores a security rule for the packet, the method processes the packet according to the stored security rule. When the first security controller does not store a security rule for the packet, the method (i) determines that a second security controller stores a security rule for the packet based on a set of header values of the packet, and (ii) sends the packet to the second security controller for security processing according to the security rule for the packet stored on the second security controller.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: January 31, 2023
    Assignee: NICIRA, INC.
    Inventors: Keyong Sun, Yonggang Wang, Frank Guo, Liang Li, Zikang Chen
  • Patent number: 11558364
    Abstract: Example methods are provided for a host to perform authentication offload in a virtualized computing environment that includes the host and a destination server. The method may comprise detecting, from a virtualized computing instance, a packet destined for the destination server. The method may also comprise: in response to determination that the detected packet is an authentication request, obtaining, from the virtualized computing instance, metadata associated with a client application for which authentication is requested; and sending the authentication request and the metadata to the destination server to cause the destination server to authenticate the client application based on the metadata.
    Type: Grant
    Filed: July 18, 2017
    Date of Patent: January 17, 2023
    Assignee: NICIRA, INC.
    Inventors: Hong Yue, Changyan Chi, Wen Wang, Yao Zhang, Wenping Fan, Xiansheng Yu
  • Patent number: 11539591
    Abstract: A method of implementing a logical switching element. The method generates data for programming a set of two or more physical forwarding elements to implement the logical switching element. The method uses a first controller to distribute at least a first portion of the generated data to a first plurality of physical forwarding elements in the set of physical forwarding elements. The first controller serves as the master controller for the first plurality of physical forwarding elements. The method uses a second controller to distribute at least a second portion of the generated data to a second plurality of physical forwarding elements in the set of physical forwarding elements. The second controller serves as the master controller for the second plurality of physical forwarding elements.
    Type: Grant
    Filed: June 9, 2019
    Date of Patent: December 27, 2022
    Assignee: NICIRA, INC.
    Inventors: W. Andrew Lambeth, Teemu Koponen, Martin Casado
  • Patent number: 11539630
    Abstract: Some embodiments provide a system that detects whether a data flow is an elephant flow; and if so, the system treats it differently than a mouse flow. The system of some embodiments detects an elephant flow by examining, among other items, the operations of a machine. In detecting, the system identifies an initiation of a new data flow associated with the machine. The new data flow can be an outbound data flow or an inbound data flow. The system then determines, based on the amount of data being sent or received, if the data flow is an elephant flow. The system of some embodiments identifies the initiation of a new data flow by intercepting a socket call or request to transfer a file.
    Type: Grant
    Filed: May 7, 2018
    Date of Patent: December 27, 2022
    Assignee: NICIRA, INC.
    Inventors: W. Andrew Lambeth, Amit Vasant Patil, Prasad Sharad Dabak, Laxmikant Vithal Gunda, Vasantha Kumar Dhanasekar, Justin Pettit
  • Patent number: 11539574
    Abstract: Some embodiments provide a method for providing redundancy and fast convergence for modules operating in a network. The method configures modules to use a same anycast inner IP address, anycast MAC address, and to associate with a same anycast VTEP IP address. In some embodiments, the modules are operating in an active-active mode and all nodes running modules advertise the anycast VTEP IP addresses with equal local preference. In some embodiments, modules are operating in active-standby mode and the node running the active module advertises the anycast VTEP IP address with higher local preference.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: December 27, 2022
    Assignee: NICIRA, INC.
    Inventors: Sami Boutros, Benjamin C. Basler, Ronghua Zhang, Jerome Catrouillet
  • Patent number: 11533301
    Abstract: For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryption key has been retrieved, the method uses the encryption key to encrypt a message sent by a data compute node executing on the host requiring encryption according to an encryption rule. The encryption key ticket, in some embodiments, is generated for an encryption management module to implement the principle of least privilege. The ticket acts as a security token in retrieving encryption keys from a key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: December 20, 2022
    Assignee: NICIRA, INC.
    Inventors: Sonia Jahid, Ganesan Chandrashekhar, Bin Qian, Azeem Feroz
  • Patent number: 11533389
    Abstract: Methods and systems for implementing private allocated networks in a virtual infrastructure are presented. One method operation creates virtual switches in one or more hosts in the virtual infrastructure. Each port in the virtual switches is associated with a private allocated network (PAN) from a group of possible PANs. In one embodiment, one or more PANs share the same physical media for data transmission. The intranet traffic within each PAN is not visible to nodes that are not connected to that PAN. In another operation, the method defines addressing mode tables for the intranet traffic within each PAN. The entries in the addressing mode tables define addressing functions for routing the intranet traffic between the virtual switches, and different types of addressing functions are supported by the virtual switches.
    Type: Grant
    Filed: August 24, 2020
    Date of Patent: December 20, 2022
    Assignee: NICIRA, INC.
    Inventors: W. Andrew Lambeth, Anupam Dalal, Borislav Deianov, Jun Xiao
  • Patent number: 11533256
    Abstract: Some embodiments provide a method for implementing a logical router in a logical network. In some embodiments, the method receives a configuration of a static route for the logical router, which includes several routing components with separate routing tables. The method identifies which of the routing components require addition of a route to a corresponding routing table to implement the configuration of the static route. The method adds the routes to the corresponding separate routing tables of the identified routing components.
    Type: Grant
    Filed: October 12, 2020
    Date of Patent: December 20, 2022
    Assignee: NICIRA, INC.
    Inventors: Uday Masurekar, Abhishek Goliya