Abstract: Some embodiments provide a method that identifies multiple paths between a first site and a second site. A security association (SA) is established for transmitting encrypted payload from the first site to the second site in a virtual private network (VPN) session. The method selects a path based on metrics that are obtained for the paths. The selected path is defined by a first endpoint address of the first site and a second endpoint address of the second site. The method sends a message from the first site to the second site to update the SA to switch from using an original path to using the selected path. The message indicates the first and second endpoint addresses. The method transmits a packet including a payload that is encrypted according to the updated SA.

Abstract: Methods and apparatus to manage a dynamic deployment environment including one or more virtual machines.

Abstract: The current document is directed to contention control for computational resources in distributed computer systems and, in particular, to contention control for memory in distributed metrics collection systems that collect and aggregate metric data in distributed computer systems. In one implementation, parallel metric-data collectors in a first distributed computer system collect metric data and one or more aggregators aggregate collected metric data and forward the aggregated metric data to a second distributed computer system, which uses the metric data for various monitoring, analysis, and management tasks. Each parallel data collector stores received metrics in a metrics container assigned to the parallel collector and a write/read-write lock provides contention control that allows multiple metric-data collectors to concurrently access metrics containers but only a single aggregator to access the metrics containers.

Abstract: An example method of hypervisor lifecycle management in a virtualized computing system having a cluster of hosts is described. The method includes: obtaining, by remediation software executing in a host of the hosts, a host state document from a distributed key-value store, the host state document defining a desired state of software in the host, the software including a hypervisor; and performing, by the remediation software in coordination with other hosts of the hosts through the distributed key-value store, a lifecycle operation on the software of the host in response to determining that a current state of the software does not match the desired state.

Abstract: Some embodiments provide a method that collects metrics for one or more paths of a first tunnel implementing a first security association (SA) and for one or more paths of a second tunnel implementing a second SA. The method selects a path based on the collected metrics of the paths of the first and second tunnels. When the selected path belongs to the first tunnel, the method encrypts data transmitted as encrypted payload of the first SA and transmits the encrypted payload in the first tunnel. When the selected path belongs to the second tunnel, the method encrypts data to be transmitted as encrypted payload of the second SA and transmits the encrypted payload in the second tunnel.

Abstract: The disclosure provides migration of control plane nodes across multiple architecture platforms. Embodiments include one or more processors configured to backup data of a source control plane node running on a first host, the first host having a first architecture platform, identify a second architecture platform of a second host, the second architecture platform being different than the first architecture platform, select a first control plane binary of a plurality of control plane binaries based on the first control plane binary being for the second architecture platform, wherein the plurality of control plane binaries are for a plurality of architecture platforms, deploy a target control plane node on the second host using the selected first control plane binary, copy the backed up data to the second host to configured the target control plane node, and run the target control plane node on the second host.

Abstract: Some embodiments provide a two-tier DNS (Domain Name System) service for processing DNS requests. In some embodiments, the two-tier DNS service deploys first and second tiers of service machines, with the second-tier having several groups of service machines each of which is configured to resolve DNS requests for a different set of domain names than the other second-tier group(s). Each service machine in the first-tier is configured to identify the second-tier group responsible for each particular DNS request that the service machine receives for each particular domain name, and to forward the particular DNS request to the second-tier group that it identifies for the particular DNS request. The first-tier DNS service in some embodiments has only one group of service machines. Each first or second service machine group in some embodiments can have one or more service machines, and can be scaled up or down to add or remove service machines to the group (e.g., through an active/active layer 3 scaleout with BGP).

Abstract: The disclosure provides an approach for database query management. Embodiments include receiving, by a service operating on a server, a request for data stored in a database. Embodiments also include determining, by the service, whether to handle the request as an internal request or an external request. Embodiments include, in response to determining to handle the request as an internal request: sending, by the service, a query for at least a portion of the data to the database; receiving, by the service, the at least the portion of the data, and storing query metadata of the request in local memory of the server and not in the database, the query metadata comprising parameters of the request.

Abstract: Some embodiments provide a method for one of multiple shared API processing services in a container cluster that implements a network policy manager shared between multiple tenants. The method receives a configuration request from a particular tenant to modify a logical network configuration for the particular tenant. Configuration requests from the plurality of tenants are balanced across the plurality of shared API processing services. Based on the received configuration request, the method posts a logical network configuration change to a configuration queue in the cluster. The configuration queue is dedicated to the logical network of the particular tenant. Services are instantiated separately in the container cluster for each tenant to distribute configuration changes from the respective configuration queues for the tenants to datacenters that implement the tenant logical networks such that configuration changes for one tenant do not slow down processing of configuration changes for other tenants.

Abstract: Systems and methods for analyzing the usage of a set of workloads in a hyper-converged infrastructure are disclosed. A neural network model is trained based upon historical usage data of the set of workloads. The neural network model can make usage predictions of future demands on the set of workloads to minimize over-allocation or under-allocation of resources to the workloads.

Abstract: Embodiments provide data in-flight (DIF) services to software applications such as virtual machines (VMs) at an application level without requiring modification to established storage protocols. In exemplary embodiments, a storage controller transmits an advertisement of one or more data in-flight (DIF) services supported by a storage container of the storage controller. One or more DIF services communication path is created with attributes corresponding to the DIF services supported by the storage container. The storage controller receives, over the DIF services communication path, tagged data that can include data transmitted by a virtual machine (VM) for storage in the storage container.

Abstract: Embodiments described herein generally involve identifying workloads in a multi-site networking environment. Embodiments include determining that a given network is stretched across a first network segment at a first site and a second network segment at a second site. Embodiments include creating a stretched administrative domain for the given network and mapping an address of the given network to the stretched administrative domain in a lookup table for an administrative domain associated with the first network segment. Embodiments include receiving a flow record from an observation point in the first network segment, the flow record having a source IP address associated with the second network segment and a destination IP address associated with the first network segment. Embodiments include identifying a source workload and destination workload of the flow record using the lookup table and a workload identification table that maps combinations of IP addresses and administrative domains to workloads.

Abstract: A log is received at a user space process of a host from a logical logging component of a virtual computing instance (VCI), the log generated by a container running on the VCI. The log is communicated from the user space process to a logical logging component of the host. The log is communicated from the logical logging component of the host to a logging process of the host. The log is configured and stored in host storage.

Abstract: A method for network address management is provided. Embodiments include determining a creation of a namespace associated with a cluster of computing devices, wherein a subset of computing resources of the cluster of computing devices is allocated to the namespace. Embodiments include assigning, to the namespace, a network address pool comprising a plurality of network addresses in a subnet, wherein the assigning causes the plurality of network addresses to be reserved exclusively for the namespace. Embodiments include receiving an indication that a pod is added to the namespace. Embodiments include, in response to the receiving of the indication, assigning a network address from the network address pool to the pod.

Abstract: Some embodiments of the invention provide a method of performing layer 7 (L7) packet processing for a set of Pods executing on a host computer, the set of Pods managed by a container orchestration platform. The method is performed at the host computer. The method receives notification of a creation of a traffic control (TC) custom resource (CR) that is defined by reference to a TC custom resource definition (CRD). The method identifies a set of interfaces of a set of one or more managed forwarding elements (MFEs) executing on the host computer that are candidate interfaces for receiving flows that need to be directed based on the TC CR to a layer 7 packet processor. Based on the identified set of interfaces, the method provides a set of flow records to the set of MFEs to process in order to direct a subset of flows that the set of MFEs receive to the layer 7 packet processor.

Abstract: Example methods are provided to identify unused memory regions in pages that are allocated for storing executable code. One or more of the unused memory regions are usable as a secure location to store confidential information shared between a hypervisor on the host and a guest (such as a guest virtual computing instance) that runs on the host. The one or more unused memory regions may also be used to store executable code (such as valid executable code of antivirus software or other security program) that has been prevented/delayed in its execution by malicious code that has occupied the pages, thereby providing the executable code with sufficient memory resources to enable the executable code to at least partially complete execution.

Abstract: In one set of embodiments, a computer system can receive a request to insert or delete a key into or from a plurality of keys maintained by a dynamic search data structure, where the dynamic search data structure is implemented using a balanced binary search tree (BBST) comprising a plurality of nodes corresponding to the plurality of keys, where a first subset of the plurality of nodes are stored in the first memory tier, and where a second subset of the plurality of nodes are stored in the second memory tier. The computer system can further execute the request to insert or delete the key, where the executing results in a change in height of at least one node in the plurality of nodes. In response to the executing, the computer system can move one or more nodes in the plurality of nodes between the first and second memory tiers, the moving causing a threshold number of nodes of highest height in the BBST to be stored in the first memory tier.

Abstract: A method for IPSec communication between a source machine and a destination machine is provided. The method includes receiving, at the destination machine, first and second packets from the source machine through first and second VPN tunnels established between a first VTI of the source machine and a second VTI of the destination machine; determining the first packet corresponds to a first SA and the second packet corresponds to a second SA; processing, by a first processing core, the first packet based on the first SA, and processing, by a second processing core, the second packet based on the second SA; and updating, at the second VTI, states of one or more flows based on the first and second packets, the second VTI providing one or more stateful services for the one or more packet flows based on the one or more states.

Abstract: Example methods and systems are described to add a watermark for printing in a virtual desktop environment having an agent side and a client side. A watermark can be configured at the agent side for printing at the client side. At the agent side, a fallback font can be determined for text of the watermark, and coordinate space calculation can be performed, so that the watermark prints correctly at the client side.

Abstract: System and method for backing up management components of a software-defined data center (SDDC) managed by a cloud-based service uses backup rules for the SDDC, which are used to configure a backup manager agent in the SDDC. The backup rules are then used by the backup manager agent to determine whether at least one of system logs generated by the management components in the SDDC, which are monitored by the backup manager agent, satisfies the backup rules to initiate a backup operation for at least one of the management components of the SDDC.