Patents Assigned to Tempered Networks, Inc.
-
Patent number: 11831514
Abstract: Embodiments are directed to managing communication over networks. A gateway identifier (GID), a network address, source nodes, relays, or the like, may be determined based on an overlay network. Two or more relays may be ranked based on metrics associated with each relay such that a top ranked relay is designated as a preferred relay.
Type: Grant
Filed: April 30, 2021
Date of Patent: November 28, 2023
Assignee: Tempered Networks, Inc.
Inventors: Jeffrey Michael Ahrenholz, Dustin Orion Lundquist
-
Patent number: 11824901
Abstract: Embodiments are directed to managing communication. Credentials of a user may be provided to an authorization service such that the authorization service authenticates the user as a member of authorization groups and such that the user may be associated with a gateway on an overlay network. The authorization groups may be compared with user groups to associate the user with one or more user groups. The gateway may be associated with one or more resource groups based on the user groups. Policy information may be generated for the gateway based on each resource group. The policy information may be provided to the gateway to define policies associated with resources in the overlay network. The policy information may be enforced against source nodes providing overlay traffic directed to target nodes in the overlay network.
Type: Grant
Filed: July 16, 2021
Date of Patent: November 21, 2023
Assignee: Tempered Networks, Inc.
Inventors: Nicholas Anthony Marrone, Bryan David Skene
-
Patent number: 11729152
Abstract: Embodiments are directed to managing communication over one or more networks. An underlay network that couples a source gateway and a target gateway using underlay protocols may be provided such that the target gateway includes two or more port groups that may each be associated with a separate target node. An overlay network may be provided on the underlay network based on policy information such that the source gateway and the target gateway may each be assigned separate gateway identifiers (GIDs) that are associated with the overlay network. In response to the source gateway authorizing a source node to employ the overlay network to communicate one or more encrypted payloads to a target node, the one or more encrypted payloads may be provided to the target node based on the overlay network and the policy information.
Type: Grant
Filed: February 1, 2021
Date of Patent: August 15, 2023
Assignee: Tempered Networks, Inc.
Inventors: Ludwin Fuchs, Dustin Orion Lundquist
-
Patent number: 11582129
Abstract: Embodiments are directed to managing communication over one or more networks. A monitoring engine may be instantiated to perform actions including receiving network traffic from a physical network that may be associated with network addresses of the physical network. The monitoring engine may analyze the network traffic to associate activity with gateway identifiers (GIDs) associated with gateway computers in an overlay network such that the GIDs are separate from the network addresses. The monitoring engine may be arranged to monitor the network traffic based on monitoring rules. The monitoring engine may provide metrics associated with the gateway computers based on the monitoring of the network traffic. The monitoring engine may compare the metrics to event rules. The monitoring engine may generate events based on affirmative results of the comparison. The events may be mapped to actions based on characteristics of the events and executed.
Type: Grant
Filed: December 14, 2018
Date of Patent: February 14, 2023
Assignee: Tempered Networks, Inc.
Inventors: Nicholas Anthony Marrone, Bryan David Skene, Ludwin Fuchs, Jeffrey Scott Hussey
-
Patent number: 11509559
Abstract: Embodiments are directed to managing communication over one or more networks. A monitoring engine may be instantiated to perform actions including receiving network traffic from a physical network that may be associated with network addresses of the physical network. The monitoring engine may analyze the network traffic to associate activity with gateway identifiers (GIDs) associated with gateway computers in an overlay network such that the GIDs are separate from the network addresses. The monitoring engine may be arranged to monitor the network traffic based on monitoring rules. The monitoring engine may provide metrics associated with the gateway computers based on the monitoring of the network traffic. The monitoring engine may compare the metrics to event rules. The monitoring engine may generate events based on affirmative results of the comparison. The events may be mapped to actions based on characteristics of the events and executed.
Type: Grant
Filed: September 5, 2019
Date of Patent: November 22, 2022
Assignee: Tempered Networks, Inc.
Inventors: Nicholas Anthony Marrone, Bryan David Skene, Ludwin Fuchs, Jeffrey Scott Hussey
-
Patent number: 11070594
Abstract: Embodiments are directed to managing communication. Credentials of a user may be provided to an authorization service such that the authorization service authenticates the user as a member of authorization groups and such that the user may be associated with a gateway on an overlay network. The authorization groups may be compared with user groups to associate the user with one or more user groups. The gateway may be associated with one or more resource groups based on the user groups. Policy information may be generated for the gateway based on each resource group. The policy information may be provided to the gateway to define policies associated with resources in the overlay network. The policy information may be enforced against source nodes providing overlay traffic directed to target nodes in the overlay network.
Type: Grant
Filed: October 29, 2020
Date of Patent: July 20, 2021
Assignee: Tempered Networks, Inc.
Inventors: Nicholas Anthony Marrone, Bryan David Skene
-
Patent number: 10999154
Abstract: Embodiments are directed to managing communication over networks. A gateway identifier (GID), a network address, source nodes, relays, or the like, may be determined based on an overlay network. Two or more relays may be ranked based on metrics associated with each relay such that a top ranked relay is designated as a preferred relay.
Type: Grant
Filed: October 23, 2020
Date of Patent: May 4, 2021
Assignee: Tempered Networks, Inc.
Inventors: Jeffrey Michael Ahrenholz, Dustin Orion Lundquist
-
Patent number: 10911418
Abstract: Embodiments are directed to managing communication over one or more networks. An underlay network that couples a source gateway and a target gateway using underlay protocols may be provided such that the target gateway includes two or more port groups that may each be associated with a separate target node. An overlay network may be provided on the underlay network based on policy information such that the source gateway and the target gateway may each be assigned separate gateway identifiers (GIDs) that are associated with the overlay network. In response to the source gateway authorizing a source node to employ the overlay network to communicate one or more encrypted payloads to a target node, the one or more encrypted payloads may be provided to the target node based on the overlay network and the policy information.
Type: Grant
Filed: June 26, 2020
Date of Patent: February 2, 2021
Assignee: Tempered Networks, Inc.
Inventors: Ludwin Fuchs, Dustin Orion Lundquist
-
Patent number: 10797979
Abstract: Embodiments are directed to managing communication networks. One or more links associated with a gateway computer may be monitored. Each link may be associated with a network addresses, and the gateway computer is associated with a gateway identifier (GID). Metrics associated with the monitored links may be provided. Scores may be associated with the links based on the metrics. The scores may be modified based on policy information. The links may be compared based on the scores and the policy information. A comparison may be employed to activate a portion of the links such that the activated links may be employed to communicate over the networks with other gateway computers. The links may be compared based on updated metrics. The comparison of the updated metrics may be used to activate another portion of the links that are associated with the GID.
Type: Grant
Filed: October 26, 2018
Date of Patent: October 6, 2020
Assignee: Tempered Networks, Inc.
Inventors: Ludwin Fuchs, Paul David Lambros Bartell, Bryan David Skene, Jeffrey Michael Ahrenholz, Konstantin Tsoy
-
Patent number: 10797993
Abstract: Embodiments are directed to a relay that receives packets from a source gateway associated with a source gateway identifier (GID) and a target GID associated with a target gateway where each GID is separate from a network address or a hostname of the source gateway or the target gateway. The relay determines a connection route based on an association between the connection route and an ingress identifier obtained from the packets. The relay provides the connection route based on the source GID and the target GID. The relay determines network address information associated with the target gateway based on the connection route. And, the relay forwards the packets provided by the source gateway to the target gateway based on the network address information.
Type: Grant
Filed: February 4, 2019
Date of Patent: October 6, 2020
Assignee: Tempered Networks, Inc.
Inventors: Jeffrey Michael Ahrenholz, Orlie Thomas Brewer, Jr., Jeff James Costlow
-
Patent number: 10326799
Abstract: Embodiments are directed to secure communication over a network. If a source node sends a communication to a target node, a source gateway may forward the communication to the target node. The source gateway may provide a gateway identifier (GID) that may be associated with one or more target gateways associated with the target node. Further, the source gateway may embed marker information that includes at least a portion of the GID in the communication. If the GID is associated with more than one target gateway, a TMD selects one target gateway from the more than one target gateways. Also, the TMD provides a gateway key associated with the selected target gateway that is associated with the communication. And, the TMD may provide the communication to the selected target gateway that provides the communication to the target node.
Type: Grant
Filed: August 7, 2017
Date of Patent: June 18, 2019
Assignee: Tempered Networks, Inc. Reel/Frame: 043222/0041
Inventors: Bryan David Skene, Jeff James Costlow, Ludwin Fuchs
-
Patent number: 10200281
Abstract: Embodiments are directed to a relay that receives packets from a source gateway associated with a source gateway identifier (GID) and a target GID associated with a target gateway where each GID is separate from a network address or a hostname of the source gateway or the target gateway. The relay determines a connection route based on an association between the connection route and an ingress identifier obtained from the packets. The relay provides the connection route based on the source GID and the target GID. The relay determines network address information associated with the target gateway based on the connection route. And, the relay forwards the packets provided by the source gateway to the target gateway based on the network address information.
Type: Grant
Filed: August 31, 2018
Date of Patent: February 5, 2019
Assignee: Tempered Networks, Inc.
Inventors: Jeffrey Michael Ahrenholz, Orlie Thomas Brewer, Jr., Jeff James Costlow
-
Patent number: 10178133
Abstract: Embodiments are directed towards gateway computers and management platform server computers for managing secure communication over a network. A gateway computer may intercept communications from unauthenticated source node computers directed to target node computers. If the unauthenticated node computer provides its credentials in response to a request for credentials from the gateway computer, the credentials and the intercepted communications may be provided to a management platform server for further processing. The management platform server may authenticate the unauthenticated source node computer based on its credentials and the intercepted communication and the management platform server may determine a target gateway computer that corresponds to the target node computer based on content of the intercepted communication. The management platform server may provide configuration information for generating a secure private network connection between the gateway computer and the target gateway computer.
Type: Grant
Filed: August 7, 2017
Date of Patent: January 8, 2019
Assignee: Tempered Networks, Inc.
Inventors: David Mattes, Ludwin Fuchs
-
Patent number: 10158545
Abstract: Embodiments are directed to managing communication over one or more networks. A monitoring engine may be instantiated to perform actions including receiving network traffic from a physical network that may be associated with network addresses of the physical network. The monitoring engine may analyze the network traffic to associate activity with gateway identifiers (GIDs) associated with gateway computers in an overlay network such that the GIDs are separate from the network addresses. The monitoring engine may be arranged to monitor the network traffic based on monitoring rules. The monitoring engine may provide metrics associated with the gateway computers based on the monitoring of the network traffic. The monitoring engine may compare the metrics to event rules. The monitoring engine may generate events based on affirmative results of the comparison. The events may be mapped to actions based on characteristics of the events and executed.
Type: Grant
Filed: May 31, 2018
Date of Patent: December 18, 2018
Assignee: Tempered Networks, Inc.
Inventors: Nicholas Anthony Marrone, Bryan David Skene, Ludwin Fuchs, Jeffrey Scott Hussey
-
Patent number: 10116539
Abstract: Embodiments are directed to managing communication networks. One or more links associated with a gateway computer may be monitored. Each link may be associated with a network addresses, and the gateway computer is associated with a gateway identifier (GID). Metrics associated with the monitored links may be provided. Scores may be associated with the links based on the metrics. The scores may be modified based on policy information. The links may be compared based on the scores and the policy information. A comparison may be employed to activate a portion of the links such that the activated links may be employed to communicate over the networks with other gateway computers. The links may be compared based on updated metrics. The comparison of the updated metrics may be used to activate another portion of the links that are associated with the GID.
Type: Grant
Filed: May 23, 2018
Date of Patent: October 30, 2018
Assignee: Tempered Networks, Inc.
Inventors: Ludwin Fuchs, Paul David Lambros Bartell, Bryan David Skene, Jeffrey Michael Ahrenholz, Konstantin Tsoy
-
Patent number: 10069726
Abstract: Embodiments are directed to a relay that receives packets from a source gateway associated with a source gateway identifier (GID) and a target GID associated with a target gateway where each GID is separate from a network address or a hostname of the source gateway or the target gateway. The relay determines a connection route based on an association between the connection route and an ingress identifier obtained from the packets. The relay provides the connection route based on the source GID and the target GID. The relay determines network address information associated with the target gateway based on the connection route. And, the relay forwards the packets provided by the source gateway to the target gateway based on the network address information.
Type: Grant
Filed: March 16, 2018
Date of Patent: September 4, 2018
Assignee: Tempered Networks, Inc.
Inventors: Jeffrey Michael Ahrenholz, Orlie Thomas Brewer, Jr., Jeff James Costlow
-
Patent number: 10038725
Abstract: A private overlay network is introduced into an existing core network infrastructure to control information flow between private secure environments. Such a scheme can be used to connect a factory automation network linking operations devices to a corporate network linking various business units, with enhanced network security. Such a connection can be facilitated by introducing into the existing infrastructure a set of industrial security appliances (ISAs) that work together to create an encrypted tunnel between the two networks. The set of ISAs can be scalable to overlay differently sized core networks, to create the private overlay network. Connections to the private overlay network can be managed by the ISAs in a distributed fashion, implementing a peer-to-peer dynamic mesh policy. The industrial security system disclosed may be particularly advantageous in environments such as public utility systems, medical facilities, and energy delivery systems.
Type: Grant
Filed: May 16, 2016
Date of Patent: July 31, 2018
Assignee: Tempered Networks, Inc.
Inventors: David Mattes, Ludwin Fuchs, Eric Artzt
-
Patent number: 9729580
Abstract: Embodiments are directed towards gateway computers and management platform server computers for managing secure communication over a network. A gateway computer may intercept communications from unauthenticated source node computers directed to target node computers. If the unauthenticated node computer provides its credentials in response to a request for credentials from the gateway computer, the credentials and the intercepted communications may be provided to a management platform server for further processing. The management platform server may authenticate the unauthenticated source node computer based on its credentials and the intercepted communication and the management platform server may determine a target gateway computer that corresponds to the target node computer based on content of the intercepted communication. The management platform server may provide configuration information for generating a secure private network connection between the gateway computer and the target gateway computer.
Type: Grant
Filed: July 30, 2015
Date of Patent: August 8, 2017
Assignee: Tempered Networks, Inc.
Inventors: David Mattes, Ludwin Fuchs
-
Patent number: 9729581
Abstract: Embodiments are directed to secure communication over a network. If a source node sends a communication to a target node, a source gateway may forward the communication to the target node. The source gateway may provide a gateway identifier (GID) that may be associated with one or more target gateways associated with the target node. Further, the source gateway may embed marker information that includes at least a portion of the GID in the communication. If the GID is associated with more than one target gateway, a TMD selects one target gateway from the more than one target gateways. Also, the TMD provides a gateway key associated with the selected target gateway that is associated with the communication. And, the TMD may provide the communication to the selected target gateway that provides the communication to the target node.
Type: Grant
Filed: July 1, 2016
Date of Patent: August 8, 2017
Assignee: Tempered Networks, Inc.
Inventors: Bryan David Skene, Jeff James Costlow, Ludwin Fuchs
-
Patent number: 9621514
Abstract: Embodiments are directed to managing secure communication between a plurality of node computers over a network. If overlay networks for node computers are provided for communicating between the node computers, a mesh network may be configured. If a node computer that may be associated with the overlay networks sends a communication to other node computers also associated with the overlay networks, a gateway computer associated with the node computer may perform actions to process the communication. The gateway computer may select an overlay network based on the node computer. Target gateway computers associated with the other node computers may be determined based on the overlay network and the mesh network. Physical paths from the gateway computer to the target gateway computers may be determined. The gateway computer may send the communication to the target gateway computers over the physical paths and then to the other node computers.
Type: Grant
Filed: March 28, 2016
Date of Patent: April 11, 2017
Assignee: Tempered Networks, Inc.
Inventors: Robert George Gilde, Jeffrey Anthony Pancottine