Abstract: Some embodiments provide a method of performing load balancing for a group of machines that are distributed across several physical sites. The method of some embodiments iteratively computes (1) first and second sets of load values respectively for first and second sets of machines that are respectively located at first and second physical sites, and (2) uses the computed first and second sets of load values to distribute received data messages that the group of machines needs to process, among the machines in the first and second physical sites. The iterative computations entail repeated calculations of first and second sets of weight values that are respectively used to combine first and second load metric values for the first and second sets of machines to repeatedly produce the first and second sets of load values for the first and second sets of machines.

Abstract: A method for direct communication between a source endpoint executing in a first datacenter and a destination endpoint executing in a second datacenter. The method receives, at a gateway of the second datacenter, a packet sent by the source endpoint, the packet having a header that includes a source IP address corresponding to a public IP address of the first datacenter, a destination IP address corresponding to a public IP address of the second datacenter, and source and destination port numbers. The method performs a DNAT process on the packet to replace at least the destination IP address in the header with a private IP address of the destination endpoint. The DNAT process identifies the private IP address by mapping the source and destination port numbers to the private IP address of the destination endpoint. The method then transmits the packet to the destination endpoint in the second datacenter.

Abstract: Some embodiments provide a hierarchical data service (HDS) that manages many resource clusters that are in a resource cluster hierarchy. In some embodiments, each resource cluster has its own cluster manager, and the cluster managers are in a cluster manager hierarchy that mimics the hierarchy of the resource clusters. In some embodiments, both the resource cluster hierarchy and the cluster manager hierarchy are tree structures, e.g., a directed acyclic graph (DAG) structure that has one root node with multiple other nodes in a hierarchy, with each other node having only one parent node and one or more possible child nodes.

Abstract: Disclosed herein are embodiments for managing the placement of virtual machines in a virtual machine network. In an embodiment, a method involves determining whether to separate at least one virtual machine in a set of virtual machines supporting a process and running on a first host computer from other virtual machines in the set. If at least one virtual machine is to be separated, then at least one virtual machine is selected based on a number of memory pages changed. The selected virtual machine is then separated from the other virtual machines in the set.

Abstract: Plugins are authenticated for purposes of accessing and using application program interfaces (APIs) of a management service of a virtualized computing environment. In an authentication process, each plugin is associated with a session ticket that is unique to the plugin. The session ticket may be in the form of a single-use token that has a finite duration, and which may be used by the plugin to establish a session with the APIs of the management service. Because of the single-use and finite duration constraints of the token, the plugin is unable to use the token for other sessions and other plugins are also unable to use the same token to conduct their own sessions with the management service.

Abstract: Methods, apparatus, systems, and articles of manufacture to manage resources when performing an account health check are disclosed. An example apparatus includes memory; computer readable instructions; and processor circuitry to execute the computer readable instructions to: perform health checks on a cloud account at a first polling frequency; after a failure count at the first polling frequency meets a first threshold, perform the health checks on the cloud account at a second polling frequency lower than the first polling frequency; and after the failure count at the second polling frequency meets a second threshold, suspend the cloud account.

Abstract: A method and system for performing a flexible Byzantine fault tolerant (BFT) protocol. The method includes sending, from a client device, a proposed value to a plurality of replica devices and receiving, from at least one of the plurality of replica devices, a safe vote on the proposed value. The replica device sends the safe vote, based on a first quorum being reached, to the client device and each of the other replica devices of the plurality of replica devices. The method further includes determining that a number of received safe votes for the proposed value meets or exceeds a second quorum threshold, selecting the proposed value based on the determination, and setting a period of time within which to receive additional votes. The method further includes, based on the period of time elapsing without receiving the additional votes, committing the selected value for the single view.

Abstract: Described herein are embodiments for transferring knowledge of intrusion signatures derived from a number of software-defined data centers (SDDCs), each of which has an intrusion detection system (IDS) with a convolutional neural network (CNN) to a centralized neural network. The centralized neural network is implemented as a generative adversarial neural network (GANN) having a multi-feed discriminator and a generator, which is trained from the discriminator. Knowledge in the GANN is then transferred back to the CNNs in each of the SDDCs. In this manner, each CNN obtains the learning of the CNNs in nearby IDSs of a region so that a distributed attack on each of the CNNs, such as a denial of service attack, can be defended by each of the CNNs.

Abstract: Container images are fetched in a clustered container host system with a shared storage device. Fetching a first container image in a first virtual machine includes creating a first virtual disk in the shared storage device, storing an image of the first container in the first virtual disk, mounting the first virtual disk to the first virtual machine, and updating a metadata cache to associate the image of the first container to the first virtual disk. Fetching a second container image in a second virtual machine includes checking the metadata cache to determine that a portion of the image of the second container is stored in the first virtual disk, creating a second virtual disk in the shared storage device, adding a reference to the first virtual disk in a metadata of the second virtual disk, and mounting the second virtual disk to the second virtual machine.

Abstract: Example methods and systems for flow-based secure packet forwarding are described. In one example, a first computer system may assess validity of a security token associated with a flow of one or more packets. In response to determination that the security token is valid, a security association associated with the flow and the security token may be negotiated with a second computer system. The first computer system may process a packet associated with the flow and the security token to generate an encapsulated encrypted packet by performing encryption and encapsulation based on the security association. The encapsulated encrypted packet may be forwarded towards the second computer system to cause the second computer system to perform decapsulation and decryption, and to forward a decapsulated and decrypted packet towards the destination.

Abstract: Some embodiments provide a method for performing radio access network (RAN) functions in a cloud at a medium access control (MAC) scheduler application that executes on a machine deployed on a host computer in the cloud. The method receives data, via a RAN intelligent controller (RIC), from a first RAN component. The method uses the received data to generate a MAC scheduling output. The method provides the MAC scheduling output to a second RAN component via the RIC.

Abstract: Some embodiments provide policy-driven methods for deploying edge forwarding elements in a public or private SDDC for tenants or applications. For instance, the method of some embodiments allows administrators to create different traffic groups for different applications and/or tenants, deploys edge forwarding elements for the different traffic groups, and configures forwarding elements in the SDDC to direct data message flows of the applications and/or tenants through the edge forwarding elements deployed for them. The policy-driven method of some embodiments also dynamically deploys edge forwarding elements in the SDDC for applications and/or tenants after detecting the need for the edge forwarding elements based on monitored traffic flow conditions.

Abstract: Boot failure protection on smartNICs and other computing devices is described. During a power-on stage of a booting process for a computing device, a boot loading environment is directed to install an application programming interface (API) able to be invoked to control operation of a hardware-implemented watchdog. During an operating system loading stage of the booting process, the application programming interface is invoked to enable the hardware-implemented watchdog. During an operating system hand-off stage of the booting process, a last watchdog refresh of the hardware-implemented watchdog is performed, and execution of the boot loading environment is handed off to a kernel boot loader of an operating system. The application programming interface may not be accessible after the hand off to the kernel boot loader.

Abstract: Some embodiments provide a method for associating data message flows from applications executing on a host computer with network interfaces of the computer. The method of some embodiments identifies a set of applications operating on a machine executing on the host computer, identifies candidate teaming policies for associating each identified application with a subset of one or more interfaces, and generates a report to display the identified candidate teaming policies per application to a user. In response to user input selecting a first teaming policy for a first application, the method generates a rule, and distributes the rule, to the host computer to associate the first application with a first subset of the network interfaces specified by the first teaming policy.

Abstract: A first server can generate user profiles and receive requests from user devices for enrollment in a first server-managed system that includes user groups. The first server can provide a unique key to a user device during an enrolment process based on a user group the user device is assigned to. The first server can include an enrollment notification for the user device in a first notification transmitted to a messaging service. The messaging service can transmit a second notification to the user device, and the user device can request a user profile from a second server based on second server access information included in the second notification. The second server can use the unique key to access user profile information which it transmits to the user device based on the request. The user device can access the user profile from the profile information using the unique key.

Abstract: Configuring network packet event related execution is disclosed, including: receiving a set of virtual service configuration information associated with a specified virtual service; using the set of virtual service configuration information to generate a set of event context information corresponding to the virtual service; and storing the set of event context information in a shared memory. Executing scripts related to a network packet event is disclosed, including: determining, using a service engine data path (SEDP) executing at the core, an event associated with a received network packet directed to a virtual service; determining a set of scripts to be executed corresponding to the event; generating a child interpreter context corresponding to the parent interpreter context corresponding to the virtual service; and using the child interpreter context to execute the set of scripts in the core specific memory corresponding to the core.

Abstract: Disclosed are various approaches for workflow service email integration. In some examples, an email application executed on a client device receives an email message that includes a workflow micro application. The workflow micro application has a workflow information component, and evaluation component, and a workflow actions component. The evaluation component identifies a presence or an absence of a management software development kit (SDK) on the client device. The email application renders a user interface that shows or hides a workflow actions interface area based on the presence or absence of the management SDK.

Abstract: Some embodiments of the invention provide a method for connecting deployed machines in a set of one or more software-defined datacenters (SDDCs) to a virtual private cloud (VPC) in an availability zone (AZ). The method deploys network plugin agents (e.g. listening agents) on multiple host computers and configures the network plugin agents to receive notifications of events related to the deployment of network elements from a set of compute deployment agents executing on the particular deployed network plugin agent's host computer. The method, in some embodiments, is performed by a network manager that receives notifications from the deployed network plugin agents regarding events relating to the deployed machines and, in response to the received notifications, configures network elements to connect one or more sets of the deployed machines.

Abstract: The disclosure herein describes storing data using a capacity data storage tier and a smaller performance data storage tier. The capacity data storage tier includes capacity data storage hardware configured to store log-structured leaf pages (LLPs), and the performance data storage tier includes performance data storage hardware. A virtual address table (VAT) includes a set of virtual address entries referencing the LLPs. A tree-structured index includes index nodes referencing the set of virtual address entries of the VAT. Data to be stored is received, and at least a first portion of metadata associated with the received data is stored in the LLPs using the VAT, and at least a second portion of metadata associated with the received data is stored in the performance data storage tier. The architecture reduces space usage of the performance data storage tier.

Abstract: Some embodiments provide a novel secure method for suppressing address discovery messaging. In some embodiments, the method receives an address discovery record that provides a network address associated with a machine connected to a network. The method then identifies a set of one or more rules for evaluating the received address discovery record to determine whether the address discovery record or its provided network address should be distributed to one or more hosts and/or devices associated with the network. The method then processes the set of rules to determine whether the received address discovery record violates a rule in the set of rules so as to prevent the distribution of its provided network address. When the address discovery record violates a rule, the method discards it in some embodiments.