Abstract: Disclosed are various embodiments for the controlling the amount of active updates that can occur during a given time on devices that are associated with tenants (e.g., organizations) and subtenants (e.g., sub-organizations) in a multi-tenant environment. In particular, each tenant and subtenant is assigned throttle corresponding to different update parameters (e.g., an amount of devices executing an active update, an amount of data to be downloaded during a campaign, a time for completing the update campaign, etc.). When an update campaign is established, the update campaign can define the different devices that are to be updated. In some situations, the number of active updates required may exceed the allotted resources for a given subtenant. When a subtenant requires additional resources than what is assigned to complete the update, the subtenant can borrow resources defined by the update parameters from a subtenant peer that has a surplus.

Abstract: Some embodiments provide a method for a first network controller executing at a first site of multiple sites spanned by a logical network. Network controllers execute at each site. The method generates logical network state data for the first site based on (i) data received from computing devices that implement the logical network at the first site and (ii) logical network configuration data from a network manager at the first site. The method provides the logical network state data for the first site to a second network controller executing at a second site. The method provides logical network state data received from the second site to the computing devices that implement the logical network at the first site.

Abstract: The current document is directed to a virtual-log-file system that provides a browser-like display interface to users, enabling users to view the contents of log files. The virtual-log-file system assembles a virtual log file from the contents of one or more physical log files, applying filters and other processing to physical-log-file entries in order to generate the virtual-log-file entries logically contained within the virtual log file. The virtual-log-file system allows users to navigate, by scrolling, through the entries of the virtual log file, with additional virtual-log-file entries obtained from physical log files by the virtual-log-file system to support logical infinite scrolling in either direction.

Abstract: A method for managing alarms in a virtual machine environment includes receiving alarm data related to a process and storing the alarm data in a database, where the alarm data comprises one or more features. The method further includes retrieving intended state information for the process and comparing the one more features of the alarm data to the intended state information to determine whether the alarm is an outlier. The method also includes computing a normal score for the alarm if the alarm is not an outlier, and computing an abnormal score for the alarm if the alarm is an outlier. The method also includes sending a notification for the alarm and the computed score.

Abstract: The disclosure provides an approach for rate limiting packets in a network. Embodiments include receiving, by a rate limiting engine running on a host machine, a network event related to a virtual computing instance running on the host machine, the network event comprising flow information about a network flow. Embodiments include receiving, by the rate limiting engine, context information corresponding to the network flow, wherein the context information comprises one or more of a user characteristic or an application characteristic. Embodiments include determining, by the rate limiting engine, a priority for the network flow by applying a rate limiting policy to the flow information and the context information. Embodiments include providing, by the rate limiting engine, the priority for the network flow to a multiplexer for use in rate limiting the network flow.

Abstract: A distributed storage system, such as a distributed storage system in a virtualized computing environment, stores data in storage nodes as immutable key-value entries. A coordinator storage node creates a key-value entry and attempts to store the key-value entry in the coordinator storage node and in neighbor storage nodes. If the storage of the key-value entry in the in the coordinator storage node and in the neighbor storage node is successful, the coordinator storage node pushes the key-value entry to other storage nodes in the distributed storage system for storage as replicas.

Abstract: A first user device can receive a communication certificate associated with a user of the first user device. The communication certificate can allow the first user device to exchange certain information with a second user device that also possesses the communication certificate. The first user device can receive a notification. The first user device can also determine that a second user device associated with the user did not receive the notification. The first user device can initiate a direct connection with the second user device. The first use device can verify that the second device possesses the communication certificate. After verification, the first user device can send the notification to the second user device.

Abstract: A method and system are disclosed. A first service engine among a plurality of service engines detects a traffic violation of a web application policy for an instantiation of a virtual service on the first service engine. The service engines maintain corresponding instances of a shared state of policy violations for the web application policy. In response to detecting the traffic violation, a first instance of the shared state on the first service engine is updated. The first service engine broadcasts the updated first instance of the shared state. Remaining service engines, which have instantiations of the virtual service, update their instances of the shared state in response to receiving the updated first instance. The instances of the shared state are aggregated to obtain an aggregated shared state. It is detected whether the aggregated shared state triggers an application policy rule for the web application policy.

Abstract: In some embodiments, a first network device in a first site sets a first IP address for an interface of the first network device to a value of a second IP address of a second network device in a second site. Policies are added in a policy table to cover IP addresses used in the second site and a specific route for a third IP address associated with a first workload migrated from the second site to the first site is added into a routing table. The first workload is on a stretched network that is coupled via a layer 2 channel. The policy table configures the first network device to send a second packet from the first workload to a third workload in the second site via the layer 2 channel when an IP address for the third workload does not match an eligible route in the routing table.

Abstract: In one set of embodiments, a storage system can execute a repair process for a first component of a file or object stored on the storage system, where the repair process is initiated in response to the first component becoming inaccessible by the storage system, and where the file or object is split across a plurality of components including the first component. The executing can include, for each chunk in an address space of the first component starting from an initial chunk pointed to by a cursor: (1) determining whether the chunk is mapped to the first component, (2) if the chunk is mapped to the first component, copying data for the chunk from a mirror copy of the first component to a second component in the plurality of components, and (3) updating the cursor to point to a next chunk in the address space.

Abstract: Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.

Abstract: Described herein are systems and methods to manage blacklists and duplicate addresses in software defined networks (SDNs). In one implementation, a method includes, in a control plane and data plane of an SDN environment, obtaining a blacklist for a logical port in the SDN environment. The method further includes deleting realized address bindings in a realized address list for the logical port that match the one or more address bindings in the blacklist and preventing subsequent address bindings that match the one or more address bindings in the blacklist from being added to the realized address list.

Abstract: Embodiments described herein relate to managing firewall rules. Embodiments include identifying a plurality of firewall rules for request handling. Embodiments include determining a deny count for each given firewall rule of the plurality of firewall rules based on a number of requests flagged on account of the given firewall rule. Embodiments include determining an anomaly score for each given firewall rule of the plurality of firewall rules indicating a severity of attacks the given firewall rule protects against. Embodiments include determining an urgency measure for each given firewall rule of the plurality of firewall rules based on the deny count for the given firewall rule and the anomaly score for the given firewall rule. Embodiments include determining an update to at least one firewall rule of the plurality of firewall rules based on the urgency measure for each given firewall rule of the plurality of firewall rules.

Abstract: An example apparatus comprises a variable determiner to: parse a plurality of network command responses from a first data collector agent and from a second data collector agent; initialize a value for network connectivity parameters corresponding to the network command responses, the value corresponding to the parsed plurality of network command responses; and assign weighted values to the network connectivity parameters; a connectivity analyzer to determine a first network connectivity factor for the first data collector agent and a second network connectivity factor for the second data collector agent; and a recommender system to: determine whether the first network connectivity factor is a smaller value than the second network connectivity factor; and when the first network connectivity factor is the smaller value, initiate the first data collector agent corresponding to the first network connectivity factor to begin collecting data.

Abstract: The disclosure describes a failure-free execution agreement that includes n=3F+1 parties acting as replicas, and a number of parties acting as clients. One replica is designated as a primary. At most F replicas are presumed Byzantine faulty. The basic agreement protocol proceeds in three rounds: (1) client sends a request to the primary, who sends to all replicas; (2) each replica sends a threshold-part signature on hash to a first collector; (3) the collector combines the threshold-parts into a single signature and sends to all 3F+1 replicas which then commit and send to a second collector. The client proceeds when a signed block of requests arrives from the second collector.

Abstract: In some embodiments, a method receives a control message from a second host. The control message includes a first address to use as a next hop to reach an active workload that has migrated to the second host from another host. The method reprograms a local route table to include a policy to send packets to check a liveness of the active workload with the next hop of the first address. A packet is sent from a standby workload to the active workload using the next hop of the first address to check the liveness of the active workload. The packet is encapsulated and sent between the first host and the second host using an overlay channel between a first endpoint of the overlay channel on the first host and a second endpoint of the channel on the second host.

Abstract: Certain embodiments described herein are generally directed to techniques for computing grouping object memberships in a network. Embodiments include receiving a plurality of network configuration updates. Embodiments include identifying delta updates to a plurality of grouping objects based on the plurality of configuration updates. Embodiments include determining a parallel processing arrangement for the delta updates based on dependencies in a directed graph comprising representations of the plurality of grouping objects. Embodiments include processing the delta updates according to the parallel processing arrangement in order to determine memberships of the plurality of grouping objects. Embodiments include distributing one or more updates to one or more endpoints based on the memberships of the plurality of grouping objects.

Abstract: Some embodiments of the present invention include a method comprising: accessing units of network storage that encode state data of respective virtual machines, wherein the state data for respective ones of the virtual machines are stored in distinct ones of the network storage units such that the state data for more than one virtual machine are not commingled in any one of the network storage units.

Abstract: The disclosure provides an approach for deploying an software defined networking (SDN) solution on a host using a single virtual switch and a single active network interface card (NIC) to handle overlay traffic and also other types of network traffic, such as traffic between management components of the logical overlay networks, traffic of a virtual storage area network (VSAN), traffic used to move VMs between hosts, traffic associated with VMKernel services or network stacks provided by a VMKernel that is provided as part of the hypervisor on the host, a gateway device that may be implemented as a VCI on the host, and different SDN-related components, such as an SDN manager implementing the MP and an SDN controller implementing the CP, etc.

Abstract: Techniques for generating a stream processing pipeline are provided. In one embodiment, a method includes generating a plurality of pipeline stages of a stream processing pipeline in accordance with a configuration file. The plurality of pipeline stages includes a first processing stage designated for a first data service and a second processing stage designated for a second data service and operating in parallel to the first processing stage.