Abstract: Some embodiments provide a method of reducing network congestion in a virtual network. The method, at a first CFE of the virtual network, receives multiple encapsulated data packets of a data stream. The encapsulated data packets having been encapsulated by a second CFE, operating on a server of the virtual network. The second CFE identifies a load percentage of the server, sets explicit congestion notification (ECN) bits on a percentage of the data packets based on the load percentage of the server, and encapsulates each data packet. The first CFE determines whether to forward a new connection to the second CFE based at least on the percentage of data packets from the first CFE with the ECN bits set.

Abstract: Disclosed are various approaches for the partitioning of virtualization on systems with multiple core processors. In one approach, hardware extensions for virtualizations are enabled on one or more first cores of a plurality of cores of the processor. The hardware extensions for virtualization are disabled on one or more second cores of the plurality of cores. A virtual machine instance is executed on the first cores having the hardware extensions for virtualization enabled. A real-time operating system is executed on the second cores having the hardware extensions for virtualization disabled.

Abstract: Some embodiments of the invention provide a method for adding routable subnets to a logical network that connects multiple machines and is implemented by a software defined network (SDN). The method receives an intent-based API that includes a request to add a routable subnet to the logical network. The method defines (i) a VLAN (virtual local area network) tag associated with the routable subnet, (ii) a first identifier associated with a first logical switch to which at least a first machine in the multiple machines that executes a set of containers belonging to the routable subnet attaches, and (iii) a second identifier associated with a second logical switch designated for the routable subnet. The method generates an API call that maps the VLAN tag and the first identifier to the second identifier. The method provides the API call to a management and control cluster of the SDN.

Abstract: Credentials management and usage in application modernization can be implemented as computer-readable methods, media and systems. A notification identifying an application modernization operation is received. The operation is to be performed on an application deployed by multiple resources arranged in multiple hierarchical levels. A resource residing at a hierarchical level of the multiple hierarchical levels is identified. The application modernization operation is to be performed on the identified resource which has a resource type. A search for a credential is performed. The credential grants access to the resource to enable performing the application modernization operation. In response to the searching, a credential included in the multiple credentials is identified. The identified credential grants access either to the resource or to resources of the resource type. In response to receiving the notification, the identified credential is provided.

Abstract: Some embodiments of the invention provide a method for processing requests for performing operations on resources in a software defined datacenter (SDDC). The resources are software-defined (SD) resources in some embodiments. The method initially receives a request to perform an operation with respect to a first resource in the SDDC. The method identifies a policy that matches (i.e., is applicable to) the received request for the first resource by comparing a set of attributes of the request with sets of attributes of a set of policies that place constraints on operations specified for resources. In some embodiments, several sets of attributes for several policies can be expressed for resources at different hierarchal resource levels of the SDDC. The method rejects the received request when the identified policy specifies that the requested operation violates a constraint on operations specified for the first resource.

Abstract: Computer-implemented processes and systems described herein are directed to reducing volumes of data sent from edge devices to a data center. Each edge device runs an agent that collects event information generated by event sources of the edge device in a runtime interval. Each agent reduces the event information to relevant event information at the edge device in accordance with instructions received from a controller server of the data center. The relevant event information contains less information than the event information. Each agent forwards the relevant event information over the internet to external services executed at the data center, where the relevant event information is stored in a data storage device of the data center.

Abstract: In an embodiment, a computer-implemented method for dynamically exchanging runtime state data between datacenters with a gateway using a controller bridge is disclosed. In an embodiment, the method comprises: receiving one or more first runtime state data from one or more logical sharding central control planes (“CCPs”) controlling one or more logical sharding hosts; receiving one or more second runtime state data from a gateway that is controlled by a CCP that also controls one or more physical sharding hosts; aggregating to aggregated runtime state data, the one or more first runtime state data received from the one or more logical sharding CCPs and the one or more second runtime state data received from the gateway; determining updated runtime state data based on the aggregated runtime state data, the one or more first runtime state data, and the one or more second runtime state data; and transmitting the updated runtime state data to at least one of the one or more logical sharding CCPs and the gateway.

Abstract: Disclosed are various examples of provisioning a data processing unit (DPU) management operating system (OS). A host device boots a host provisioning image, which executes a host provisioning agent. The host provisioning agent launches a server component that serves a DPU management OS. A provisioning command is transmitted to a DPU device installed to the host device. The server component transmits the DPU management OS from the host device to the DPU device. A host OS is executed once an indication that the DPU device is executing on the DPU management OS is received.

Abstract: Disclosed is a system for converting a high-level runtime model to a low-level runtime model where the high-level runtime model runs on a client computer system, and the low-level runtime model runs on a server computer system. The server system has installed thereon a pool of hardware accelerators, and the low-level runtime model is targeted to the pool of accelerators. Outputs of the low-level runtime model are returned to the high-level runtime model as if the high-level runtime model computed the outputs.

Abstract: The disclosure provides a method for caching data. The method generally includes receiving, from an application running in a first container, an I/O to write data in a storage virtual disk to a block associated with an LBA, determining a cache is assigned to the first container and the storage virtual disk using a container mapping table comprising a first container mapping table entry mapping the first container and the disk to the cache and a second container mapping table entry mapping a second container and the disk to the cache, writing the data to the block in the storage virtual disk and to a cache block in the cache, computing a hash of the data, adding an entry that maps the LBA to the hash in an LBA table, and adding an entry that maps the hash to the cache block and to the disk in a hash table.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed for provisioning cloud infrastructure resources, the apparatus comprising: resource bundling circuitry to select cloud infrastructure resources to bundle as a virtual private zone; provisioning circuitry to provision the cloud infrastructure resources; and allocation circuitry to allocate the virtual private zone to a first tenant, the first tenant authorized to access the cloud infrastructure resources bundled in the virtual private zone.

Abstract: An image of a virtualization software and firmware in a plurality of hosts are upgraded by: retrieving metadata of a base image based on a first input that specifies a version of the base image, metadata of an add-on image based on a second input that specifies a server of an original equipment manufacturer (OEM) in which the virtualization software is to be installed, and metadata of drivers and agents based on a third input that specifies a firmware package for the server of the OEM; validating a desired image of the virtualization software by extracting dependencies and conflicts defined in metadata of all payloads of the desired image of the virtualization software, and confirming there are no violations of the extracted dependencies and conflicts; and upgrading the current image of the virtualization software to the desired image and upgrading the current version of the firmware to the desired version.

Abstract: Some embodiments provide an automated method for defining externally routable Pods within a Kubernetes cluster. In some embodiments, the Pod operates in a guest cluster has its own VPC (virtual private cloud) network in a datacenter with several other guest clusters that have their own VPC networks and their own set of managers. In some embodiments, a Pod within a GC can be made externally routable so that it can be directly addressable from an external client outside of the Pod's network by using two new Kubernetes CRDs (custom resource definitions), which are an IPPool CRD and a RouteSet CRD. Examples of such external clients include VMs or Pods in another GC or a supervisor cluster connected to the particular GC through a gateway, or from a machine outside of the network of all of the GCs or SC.

Abstract: Some embodiments provide a method for configuring a gateway machine in a datacenter. The method receives a definition of a logical network for implementation in the datacenter. The logical network includes at least one logical switch to which logical network endpoints attach and a logical router for handling data traffic between the logical network endpoints in the datacenter and an external network. The method receives configuration data attaching a third-party service to at least one interface of the logical router via an additional logical switch designated for service attachments. The third-party service is for performing non-forwarding processing on the data traffic between the logical network endpoints and the external network. The method configures the gateway machine in the datacenter to implement the logical router and redirect at least a subset of the data traffic between the logical network endpoints and the external network to the attached third-party service.

Abstract: Methods and apparatus to manage workload domains in virtual server racks are disclosed. An example apparatus includes processor circuitry to, in response to detecting that a number of available physical racks satisfies a threshold number of physical racks, apply a first resource allocation technique by reserving requested resources by exhausting first available resources of a first physical rack before using second available resources of a second physical rack; in response to detecting that the number of available physical racks does not satisfy the threshold number of physical racks, apply a second resource allocation technique by reserving the requested resources using a portion of the first available resources without exhausting the first available resources and using a portion of the second available resources without exhausting the second available resources; and execute one or more workload domains associated with a number of requested resources.

Abstract: Disclosed are various embodiments for optimized memory tiering. An ideal tier size for a first memory and an ideal tier size for a second memory can be determined for a process. Then, a host computing device can be identified that can accommodate the ideal tier size for the first memory and the second memory. Subsequently, the process can be assigned to the host computing device.

Abstract: Some embodiments provide a method for performing deep packet inspection (DPI) for an SD-WAN (software defined, wide area network) established for an entity by a plurality of edge nodes and a set of one or more cloud gateways. At a particular edge node, the method uses local and remote deep packet inspectors to perform DPI for a packet flow. Specifically, the method initially uses the local deep packet inspector to perform a first DPI operation on a set of packets of a first packet flow to generate a set of DPI parameters for the first packet flow. The method then forwards a copy of the set of packets to the remote deep packet inspector to perform a second DPI operation to generate a second set of DPI parameters. In some embodiments, the remote deep packet inspector is accessible by a controller cluster that configures the edge nodes and the gateways.

Abstract: A method for automatically reregistering a clone virtual machine with a cloud security monitoring service is provided. The method generally includes detecting a connection between a cloud agent running in a virtual machine on a host and a hypervisor module on the host. In response to detecting the connection, the cloud agent queries the hypervisor module for one or more first identifiers of the virtual machine. The method generally includes checking a database, by the cloud agent, for one or more second identifiers stored in the database matching the one or more first identifiers received from the hypervisor module and, based on finding no second identifiers stored in the database matching the one or more first identifiers, sending a request to the cloud security monitoring service to register the virtual machine with the cloud security monitoring service.

Abstract: Example methods and systems are provided a network device to perform tunnel-based service insertion in a public cloud environment. An example method may comprise establishing a tunnel between the network device and a service path. The method may also comprise: in response to receiving a first encapsulated packet, identifying the service path specified by a service insertion rule; generating and sending a second encapsulated packet over the tunnel to cause the service path to process an inner packet according to one or more services. The method may further comprise: in response to receiving, from the service path via the tunnel, a third encapsulated packet that includes the inner packet processed by the service path, sending the inner packet processed by the service path, or a fourth encapsulated packet, towards a destination address of the inner packet.

Abstract: Techniques that enable a hypervisor to (1) maintain shared memory pages and (2) handle memory accounting for VMs that are suspended to and resumed from the volatile memory of a host system are provided. Regarding (1), the hypervisor can maintain shared memory pages in volatile memory across the suspend-to-memory and resume-from-memory operations, without having to save their reference counts. Regarding (2), the hypervisor can keep track of the volatile memory reserved and consumed by VMs as they are suspended and resumed, without erroneously double counting that memory.