Abstract: In one aspect, a computerized method of an application routing service includes the step of using a deep-packet inspection (DPI) technique on a first network flow to identify an application. The method includes the step of storing an Internet-protocol (IP) address and a port number used by the application and an identity of the application in a database. The method includes the step of detecting a second network flow. The method includes the step of identifying the IP address and the port number of the application in the second network flow. The method includes the step of looking up the IP address and the port number in the database. The method includes the step of identifying the application based on the IP address and the port number.

Abstract: Some embodiments provide a method for a managed forwarding element (MFE). At the MFE, the method receives a first packet from a particular tunnel endpoint. The first packet originates from a particular data compute node associated with multiple tunnel endpoints including the particular tunnel endpoint. Based on the first packet, the method stores an association of the particular tunnel endpoint with the particular data compute node. The method uses the stored association to encapsulate subsequent packets received at the MFE and having the particular data compute node as a destination address with the particular tunnel endpoint as a destination tunnel endpoint.

Abstract: The disclosure herein describes a system, which provides service switching in a datacenter environment. The system can include a service switching gateway, which can identify a service tag associated with a received packet. During operation, the service switching gateway determines a source client, a requested service, or both for the packet based on the service tag, identifies a corresponding service portal based on the service tag, and forwards the packet toward the service portal. The service switching gateway can optionally maintain a mapping between the service tag and one or more of: a source client, a required service, the service portal, and a tunnel encapsulation. The service switching gateway can encapsulate the packet based on an encapsulation mechanism supported by the service portal and forward the packet based on the mapping.

Abstract: Some embodiments provide a method for processing a packet received by a managed forwarding element. The method performs a series of packet classification operations based on header values of the received packet. The packet classifications operations determine a next destination of the received packet. When the series of packet classification operations specifies to send the packet to a network service that performs payload transformations on the packet, the method (1) assigns a service operation identifier to the packet that identifies the service operations for the network service to perform on the packet, (2) sends the packet to the network service with the service operation identifier, and (3) stores a cache entry for processing subsequent packets without the series of packet classification operations. The cache entry includes the assigned service operation identifier. The network service uses the assigned service operation identifier to process packets without performing its own classification operations.

Abstract: The method for implementing mechanisms for Layer 7 context accumulation for enforcing Layers 4, 7, and verb-based rules is presented. The method comprises: receiving stream data, and identifying a packet in the stream. If the packet includes Layer 7 headers: for each Layer 7 header: determining content of the packet identified by a Layer 7 header's identifier; and parsing the content to extract firewall input data. If one or more rules at least partially match the firewall input data, determining that a particular rule also includes additional information that cannot be found in the firewall input data; performing a DPI on the content to determine whether at least a portion of the additional information is found in the content; extracting additional input data from the content and adding it to the firewall input data; and applying the rules to the firewall input data to process the packet.

Abstract: Some embodiments provide a method for configuring a set of logical routers in a logical network. The method receives a configuration of an advertised route for a first logical router and a set of allowable routes for a second logical router to which the first logical router connects. The method determines whether the set of allowable routes for the second logical router includes the advertised route as an allowed route from the first logical router. Only when the advertised route is an allowed route from the first logical router, the method adds the advertised route to a routing table for at least one component of the second logical router.

Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state.

Abstract: Some embodiments provide a method for dynamically implementing quality of service (QoS) for machines of a network. The method identifies a QoS policy rule that defines a QoS policy to be implemented for machines that meet a set of criteria specified by the QoS policy rule. The method dynamically identifies a set of machines that meet the set of criteria. The method configures a set of managed forwarding elements of the network to implement the QoS policy rule for network traffic associated with the set of machines. In some embodiments, the method monitors network events (e.g., user logins, addition of new machines, etc.) and identifies a corresponding QoS policy rule to be enforced at corresponding locations in the network based on the detected event.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: Some embodiments provide a method for a network controller operating on a host machine that hosts a particular one of multiple centralized routing components for a logical router. The method receives a routing table from a routing protocol application operating on the host machine. Each of the other centralized routing components operates on a different host machine and implements a different interface of the logical router that connects to at least one physical router external to the logical network. The routing protocol application operates as a router server for all of the centralized routing components. For each of the other centralized routing components, the method identifies a set of routes in the routing table to distribute to the centralized routing component. The method sends the identified routes for each centralized routing component to the centralized routing component.

Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.

Abstract: The technology disclosed herein enables remote gateways to quickly re-learn MAC addresses of workloads for a gateway that has taken over for another gateway. In a particular embodiment, a method provides determining that a backup gateway should begin handling communications exchanged with one or more workloads of an active gateway for a logical network. The method further provides transferring a control message to one or more remote gateways in communication with the backup gateway. The control message instructs the remote gateways to change MAC addresses learned from, and associated with, the active gateway to being associated with the backup gateway. The method also provides, in the backup gateway, receiving network communications directed to one or more of the workloads from one or more of the remote gateways.

Abstract: Described herein are systems, methods, and software to enhance network traffic management. In one implementation, a first host identifies a packet to be transferred from a first virtual machine on the first host to a second virtual machine on a second host. In response to identifying the packet, the first host identifies a source logical port for the first virtual machine, and transferring a communication to the second host, wherein the communication encapsulates the data packet and the source logical port. Once the packet is received by the second host, the second host may use the source logical port to determine a forwarding action for the packet.

Abstract: Some embodiments provide a novel content switching method that distributes requests for different types of content to different sets of content servers. In some embodiments, the method deploys a content switch in the ingress data path of a first content server that is part of a first set of servers that processes requests for a first type of content. This content switch receives each content request that is directed to the first content server, and determines whether the received request is for the first content type that is processed by the first content server. If so, the content switch directs the request to the first content server. On the other hand, if the request is for a second type of content that is processed by a second set of servers, the content switch identifies a second content server in the second set and forwards the request to the second content server.

Abstract: Methods and apparatus for application and/or context-based management of virtual networks using customizable workflows are disclosed. An example apparatus includes a context engine to monitor data traffic from a virtual machine in a data plane of a virtual network to capture context information to identify an application executing on the virtual machine; and a policy manager to receive the context information to instantiate an application entity corresponding to the application in a policy plane of the virtual network and to generate a policy associated with the application entity in the policy plane of the virtual network, the policy and the application entity enabling monitoring and management of the application via the policy plane.

Abstract: A novel method of providing virtual private access to a software defined data center (SDDC) is provided. The SDDC uses distributed VPN tunneling to allow external access to application services hosted in the SDDC. The SDDC includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources. The host machines that host the VMs running the applications that VPN clients are interested in connecting performs the VPN encryption and decryption. The VPN gateway does not perform any encryption and decryption operations. The packet structure is such that the VPN gateway can read the IP address of the VM without decrypting the packet.

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel virtualization architecture for utilizing a firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs. In some embodiments, the GVMs connect to a software forwarding element (e.g., a software switch) that executes on the host to connect to each other and to other devices operating outside of the host. Instead of connecting the firewall SVM to the host's software forwarding element that connects its GVMs, the virtualization architecture of some embodiments provides an SVM interface (SVMI) through which the firewall SVM can be accessed to check the packets sent by and/or received for the GVMs.

Abstract: Described herein are systems, methods, and software to enhance connectivity between cloud computing service endpoints and virtual machines. In one implementation, a method of managing data packet addressing in a first namespace includes receiving a data packet at a first interface for the first namespace, wherein the first interface is paired with a second interface of a second namespace. The method also includes identifying if the packet is destined for a service node in an underlay network outside of an overlay network for the second namespace, and if destined for a service node outside of an overlay network for the second namespace, modifying addressing in the data packet to support the underlay network and transferring the data packet over a virtual network interface for the virtual machine.

Abstract: In one aspect, a computerized system useful for implementing a cloud-based multipath routing protocol to an Internet endpoint includes an edge device that provides an entry point into an entity's core network. The entity's core network includes a set of resources to be reliably accessed. The computerized system includes a cloud-edge device instantiated in a public-cloud computing platform. The cloud-edge device joins a same virtual routing and forwarding table as the edge device. The cloud-edge device receives a set of sources and destinations of network traffic that are permitted to access the edge device and the set of resources.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.