Abstract: Some embodiments provide a method for implementing a logical router in a logical network. In some embodiments, the method receives a configuration of a static route for the logical router, which includes several routing components with separate routing tables. The method identifies which of the routing components require addition of a route to a corresponding routing table to implement the configuration of the static route. The method adds the routes to the corresponding separate routing tables of the identified routing components.

Abstract: Systems and methods described herein provide a high availability DHCP server capable of serving multiple tenants in a data center. The DHCP server may use a different logical DHCP server instance for each tenant, and may be implemented as one process without the use of namespaces. A DHCP server is executed on a gateway virtual machine (VM) that is capable of hosting a plurality of logical DHCP servers. For each tenant in a data center, a logical network and a corresponding logical DHCP server instance are implemented. The DHCP server may service requests for DHCP services from VMs via their physical host by determining the tenant that the VM originates from and leasing a DHCP resource from that tenant's corresponding logical DHCP server instance.

Abstract: In one aspect, a computerized method includes the step of providing process monitor in a Gateway. The method includes the step of, with the process monitor, launching a Gateway Daemon (GWD). The GWD runs a GWD process that implements a Network Address Translation (NAT) process. The NAT process includes receiving a set of data packets from one or more Edge devices and forwarding the set of data packets to a public Internet. The method includes the step of receiving another set of data packets from the public Internet and forwarding the other set of data packets to the one or more Edge devices. The method includes the step of launching a Network Address Translation daemon (NATD). The method includes the step of detecting that the GWD process is interrupted; moving the NAT process to the NATD.

Abstract: In order to enable dynamic scaling of network services at the edge, novel systems and methods are provided to enable addition of add new nodes or removal of existing nodes while retaining the affinity of the flows through the stateful services. The methods provide a cluster of network nodes that can be dynamically resized to handle and process network traffic that utilizes stateful network services. The existing traffic flows through the edge continue to function during and after the changes to membership of the cluster. All nodes in the cluster operate in active-active mode, i.e., they are receiving and processing traffic flows, thereby maximizing the utilization of the available processing power.

Abstract: Certain embodiments described herein are generally directed to handling a hypervisor restart event in a distributed network system. Embodiments include receiving, by a central controller, a session identifier from a first hypervisor. Embodiments further include comparing, by the central controller, the session identifier to a stored session identifier associated with the first hypervisor. Embodiments further include determining, by the central controller based on the session identifier not matching the stored session identifier associated with the first hypervisor, that the first hypervisor has restarted. Embodiments further include updating, by the central controller, the stored session identifier associated with the first hypervisor to match the session identifier. Embodiments further include identifying, by the central controller, a second hypervisor that is associated with the first hypervisor.

Abstract: Some embodiments provide a method for defining an adaptable monitoring profile for a network. The defined network monitoring profile is independent of the security policy defined for the network and includes one or more log generation rules, each of which defines a logging policy for a set of data compute nodes (DCNs) that share a common attribute. A log generation rule specifies whether the network activities of a set of DCNs that share a common attribute should be logged or not. A log generation rule can also specify other logging parameters such as priority level of the logs and the required logging protocol for transmission of the logs. The logging policy of a log generation rule is associated with a set of service rules (e.g., firewall rules) through a dynamic service group, and is applied to the service rules when any of these rules is triggered.

Abstract: Example methods are provided for a network scanning controller to perform agent-based network scanning in a software-defined networking (SDN) environment. In one example, the method may comprise identifying multiple networks for which network scanning is required, performing a first network scan using a first agent to obtain first address mapping information associated with multiple first workloads, and performing a second network scan using a second agent to obtain second address mapping information associated with multiple second workloads. The first agent and the multiple first workloads may be located in a first network, and the second agent and the multiple second workloads in a second network. The method may also comprise generating aggregated address information based on the first address mapping information and the second address mapping information.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: The disclosure provides an approach for reducing multicast traffic within a network by optimizing placement of virtual machines within subnets and within hosts, and by optimizing mapping of overlay multicast groups to underlay multicast groups. In one embodiment, substantially all VMs of a multicast group are migrated to the same subnet of the network. Thereafter or independently, VMs in the same subnet are migrated to the same host, ideally to the subnet proxy endpoint of that subnet. In the same or in another embodiment, if multiple overlay groups map to the same underlay group, one or more of the overlay groups may be remapped to a separate underlay group to improve network performance.

Abstract: A network control system that includes several controllers for managing several switching elements. In some embodiments, each switching element implements at least one logical switching element and has a master controller. In some embodiments, at least one controller is a master of at least two switching elements. The network control system accepts definitions of the logical switching elements and, in some embodiments, each logical switching element has a master controller. In some embodiments, at least one controller is a master for at least two logical switching elements.

Abstract: A method for a hypervisor to implement flow-based local egress in a multisite datacenter is disclosed. The method comprises: determining whether a first data packet of a first data flow has been received. If the first data packet has been received, then the hypervisor determines a MAC address of a first local gateway in a first site of a multisite datacenter that communicated the first data packet, and stores the MAC address of the first local gateway and a 5-tuple for the first data flow. Upon determining that a response for the first data flow has been received, the hypervisor determines whether the response includes the MAC address of the first local gateway. If the response includes a MAC address of another local gateway, then the hypervisor replaces, in the response, the MAC address of another local gateway with the MAC address of the first local gateway.

Abstract: A method for configuring a managed forwarding element (MFE) to perform logical routing operations in a logical network on behalf of a hardware switch is described. The method of some embodiments receives data that defines a logical router that logically connects several different end machines operating on several different host machines to different physical machines that are connected to the hardware switch. The method, based on the received data, defines a number of routing components for the logical router. In some embodiments, the method then configures the MFE to implement the routing components in order to enable the MFE to perform logical routing operations on behalf of the hardware switch.

Abstract: Some embodiments provide a method or tool for automatically configuring a logical router on one or more edge nodes of an edge cluster (e.g., in a hosting system such as a datacenter). The method of some embodiments configures the logical router on the edge nodes based on a configuration policy that dictates the selection method of the edge nodes. In some embodiments, an edge cluster includes several edge nodes (e.g., gateway machines), through which one or more logical networks connect to external networks (e.g., external logical and/or physical networks). In some embodiments, the configured logical router connects a logical network to an external network through the edge nodes.

Abstract: A system provisions global logical entities that facilitate the operation of logical networks that span two or more datacenters. These global logical entities include global logical switches that provide L2 switching as well as global routers that provide L3 routing among network nodes in multiple datacenters. The global logical entities operate along side local logical entities that are for operating logical networks that are local within a datacenter.

Abstract: Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes datapaths (e.g., egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify service-nodes cluster for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters.

Abstract: Virtualization software that includes a VDRB (virtual distributed router/bridge) module for performing L3 routing and/or bridging operations is provided. At least some of the VDRBs are configured as VDBs (virtual distributed bridge) for performing bridging operations between different network segments in a distributed manner. The bridging tasks of a network are partitioned among several VDBs of the network based on MAC addresses. MAC addresses of VMs or other types of network nodes belonging to an overlay logical network are partitioned into several shards, each shard of MAC addresses assigned to a VDB in the network. Each VDB assigned a shard of MAC addresses performs bridging when it receives a packet bearing a MAC address belonging to its assigned shard. A VDB does not perform bridging on packets that do not have MAC address that falls within the VDB's shard of MAC addresses.

Abstract: A method of automatically identifying and recreating tenants environment issues in a set of datacenters by a workflow replay tool is provided. Each datacenter includes a network manager server. The method analyzes, by the workflow replay tool, a set of log files generated in the particular tenant's environment to identify tenant's workflows. The method analyzes, by the workflow replay tool, network manager server databases of the tenant's environment to identify the logical entities in the tenant environment used by the identified workflows. The method allocates resources in a lab environment to simulate the tenant's environment. The method reruns the identified tenant's workflows by the workflow replay tool using the allocated resources in the lab environment to recreate tenant environment issues.

Abstract: A method for coordinating distributed network address translation (NAT) in a network within which several logical networks are implemented. The logical networks include several tenant logical networks and at least one service logical network that include service virtual machines (VMs) that are accessed by VMs of the tenant logical networks. The method defines a group of replacement IP address and port number pairs. Each pair is used to uniquely identify a VM across all tenant logical networks. The method sends to at least one host that is hosting a VM of a particular tenant logical network, a set of replacement IP address and port number pairs. Each replacement IP address and port number pair can be used by the host to replace a source IP address and a source port number in a packet that is destined from the particular VM to a VM of the particular service logical network.

Abstract: A method of configuring networking, security, and operational parameters of workloads deployed in a virtualized computing environment includes the steps of: storing multiple policies, each defining one of networking, security, or operational parameters, and associating tags to each of the multiple policies, independent of deployment of a virtual computing instance in the virtual computing environment; responsive to a request to perform configuration of a virtual computing instance being deployed, retrieving policies among the stored multiple policies that are associated with same tags as tags contained in the request; generating configuration parameters for data path components in a host machine of the virtual computing instance and for data path components of the virtual computing instance based on the retrieved policies; and transmitting the generated configuration parameters to the host machine for the host machine to configure the networking, security, or operational parameters the virtual computing insta

Abstract: A method of selecting an egress interface for a source process running on an electronic device is provided. The device implements a TCP/IP stack utilized by a plurality of applications for sending network packets. The method receives a packet from a particular application in the plurality of applications to send to a network destination over a socket tagged with an identifier of the particular application. The method compares the socket tag with a set of network egress interface tags. Each network egress interface tag is associated with a network egress interface in a plurality of network egress interfaces. Each network egress interface tag includes the identifier of an application that utilizes the network egress interface. The method selects a network egress interface with a tag that matches the socket tag. The method sends the packet to the network destination through the selected network egress interface.