Abstract: System and computer-implemented method for generating multi-cloud recommendations for workloads uses costs and performance metrics of appropriate instance types in specific public clouds for target workloads to produce recommendation results. The appropriate instance types in the specific public clouds are determined based on instance capabilities and the workload type of the target workloads. In addition, a recommended cloud resource offering is determined for the target workloads, which is sent as a notification with the recommendation results of the appropriate instance types in the specific public clouds.

Abstract: Disclosed are various approaches for secure inter-application communication with unmanaged applications using certificate enrollment. A certificate signing request can be received from an unmanaged application via an inter-application communication method supported by an operating system of a computing device, and an identity of the unmanaged application can be verified. The certificate signing request can be provided to a certifying authority, and a certificate can be received from the certifying authority. The certificate can be provided to the unmanaged application.

Abstract: The disclosure herein describes integrity verification of a checksum of a canister data structure using built-in checksum verification capability. A kernel image is accessed, and a canister data structure is allocated in a section of memory. The canister data structure is loaded with canister data from the kernel image, wherein the loading is based on an interpreter obtained from the kernel image, wherein the canister data includes address relocation data and a checksum of the canister data. A binary image of the canister data structure is assembled, wherein the assembling includes at least performing reverse relocation on the canister data structure using the address relocation data. A checksum is generated based on the assembled binary image, and the checksum of the canister data is verified using the generated checksum. The integrity of the canister data structure is confirmed based on the verification.

Abstract: The disclosure herein describes the processing of malware scan requests from VCIs by an anti-malware scanner (AMS) on a host device. A malware scan request is received by the AMS from a VCI, the malware scan request including script data of a script from a memory buffer of the VCI. The AMS scans the script data of the malware scan request, outside of the VCI, and determines that the script includes malware. The AMS notifies the VCI that the script includes malware, whereby the VCI is configured to prevent execution of the script or take other mitigating action. The AMS provides scanning for fileless malware to VCIs on a host device without consuming or otherwise affecting resources of the VCIs.

Abstract: Some embodiments of the invention provide novel methods for using probabilistic filters to keep track of data message flows that are processed at an element (e.g., forwarding element or middlebox service element) of a network. In some embodiments, the method iteratively switches between two probabilistic filters as the active and backup filters as a way of maintaining and refreshing its active probabilistic filter without the need for maintaining time values for removing outdated records from its active filter.

Abstract: Systems and methods are described for creating a customized response to user feedback. In an example, a feedback system can receive user feedback about a product. The feedback system can parse the user feedback to extract keywords and assign categories to the keywords. The feedback system can also receive update information related to the product. The feedback system can parse the product update information in a similar manner to extract keywords and assign them to categories. The feedback system can compare the parsed user feedback and the parsed product update information and identify any matches that indicate that the product update addresses something mentioned in the user feedback. The feedback system can create a custom notification that highlights the portion of the product update information that matched to the user feedback.

Abstract: Techniques for delivering remote applications to servers in an on-demand fashion (i.e., as end-users need them) are provided. In one set of embodiments, these techniques include packaging the installed contents (e.g., executable code and configuration data) of the remote applications into containers, referred to as application packages, that are placed on shared storage and dynamically attaching (i.e., mounting) an application package to a server at a time an end-user requests access a remote application in that package, thereby enabling the server to launch the application.

Abstract: A network insight system that performs intent verification of network changes is provided. The system generates a first model of a network comprising a first set of one or more rule tables, each rule table described by one or more flow nodes. The system generates a second model of the network comprising a second set of one or more rule tables. Each rule table is described by one or more flow nodes. Each flow node specifies a set of packets and an action to be taken on the specified set of packets. They system determines a set of differential flow nodes for the second model based on the flow nodes of the first model and the flow nodes of the second model. Each differential flow node is classified as being one of (i) newly removed, (ii) newly added, and (iii) unaffected. The system verifies a network change based on the determined differential flow nodes.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to dynamically monitor and control compute device identities during operations. Disclosed is an apparatus comprising interface circuitry, machine readable instructions, and processor circuitry to at least one of instantiate or execute the machine readable instructions to generate a unique label for a node from a data plane, the unique label to identify the node, perform an operation on the node, the operation to be performed on the node by identifying the node associated with the unique label, and maintain the unique label until the operation on the node is successful.

Abstract: Methods and apparatus to scale in and/or scale out arbitrary resources managed by a cloud automation system are disclosed. An example apparatus includes processor circuitry; and a non-transitory computer readable medium comprising instructions which, when executed, cause the processor circuitry to: in response to an indication to scale a first component of an application to be deployed: determine an execution plan to scale the first component based on a dependency graph corresponding to a dependency within a blueprint specifying a logical topology of the application; perform a custom action to scale the first component, the custom action identified in a scaling parameter associated with the application; and update operation of a second component based on scaling the first component, the second component dependent on the first component, the update to enable the second component to interact with the first component after the scaling.

Abstract: Some embodiments provide a centralized overlay-network cloud gateway and a set of centralized services in a transit virtual cloud network (VCN) connected to multiple other compute VCNs hosting compute nodes (VMs, containers, etc.) that are part of (belong to) the overlay network. The centralized overlay-network cloud gateway provides connectivity between compute nodes of the overlay network (e.g., a logical network spanning multiple VCNs) and compute nodes in external networks. Some embodiments use the centralized overlay-network cloud gateway to provide transitive routing (e.g., routing through a transit VCN) in the absence of direct peering between source and destination VCNs. The overlay network, of some embodiments, uses the same subnetting and default gateway address for each compute node as the cloud provider network provided by the virtual private cloud provider.

Abstract: Examples of generating a result set from a data lake based upon a real-time data set are described. A data lake can be structured across multiple databases or tables that are not necessarily directly linked to one another. A conjunction schema can specify how data can be queried across the data lake. When an incoming real-time data set is obtained, a multi-query can be generated against the data lake by utilizing the conjunction schema.

Abstract: Data that includes user data and application data that is generated during a remote desktop session to a cloud computing system is stored in cloud storage according to a risk level of the remote desktop session. The storage device has provisioned therein a plurality of storage containers, including first and second storage containers, where the first storage container stores less percentage of the user data than the second storage container. The first storage container is selected for storing the user data if the determined risk level of the remote desktop session is at a first level and the second storage container is selected for storing the user data if the determined risk level of the remote desktop session is at a second level that is lower than the first level.

Abstract: A method for containerized workload scheduling can include determining a network state for a first hypervisor in a virtual computing cluster (VCC). The method can further include determining a network state for a second hypervisor. Containerized workload scheduling can further include deploying a container to run a containerized workload on a virtual computing instance (VCI) deployed on the first hypervisor or the second hypervisor based, at least in part, on the determined network state for the first hypervisor and the second hypervisor.

Abstract: A coherence protocol applied to memory pages maintains coherence between memory spaces on a plurality of nodes so that the threads of the runtime are operable on any of the nodes. The nodes operating according to the coherence protocol track a state and an epoch number for each memory page residing therein. The states include a modified state in which only one particular node has an up-to-date copy of the memory page, an exclusive state in which only one particular node owns the memory page, a shared state in which all nodes that have the memory page in the shared state have the same copy, and a lost state in which the memory page cannot be either read or written. The epoch number is a number that is incremented each time the page enters the modified state and is used to determine whether the page contains data that is stale.

Abstract: Some embodiments provide a method for automatically configuring VPN gateways. The method receives a first configuration for a first VPN gateway located at a first datacenter. The configuration includes configuration data for a first set of VPNs connecting a first set of networks at the first datacenter to other networks at other datacenters. The method automatically modifies the configuration data to generate a second configuration for a second VPN gateway. The method configures the second VPN gateway using the second configuration to setup a second set of VPNs connecting a second set of networks to the other networks at the other datacenters.

Abstract: A technique for performing adaptive rate limiting of flow probes is described. The technique includes sending a plurality of flow probes from a first service engine to at least one other service engine. The flow probes are sent at a rate that does not exceed a rate limit. A flow probe of the plurality of flow probes is generated in response to the first service engine receiving a mid-flow packet for a flow that is not recognized by the first service engine. A recipient service engine of the flow probe responds with a success indicator if the recipient service engine recognizes the flow. The technique also includes determining a success rate associated with success indicators received from the at least one other service engine and comparing the success rate with a first threshold. The rate limit is adjusted in response to a comparison result.

Abstract: An example system including a first top-of-rack (ToR) switch, and a second ToR switch, the second ToR switch is to receive a network packet from a first host, the network packet to include a destination address of a second host, and after a failure of a physical network interface card (pNIC) at the second host eliminates a first link between the second host and the second ToR switch, send the network packet to the first ToR switch via an inter-switch link between the first and second ToR switches to cause the first ToR switch to forward the network packet to the second host via a second link between the first ToR switch and the second host.

Abstract: An adaptive idle detection method determines whether software defined data centers (SDDCs) in a hyperconverged infrastructure (HCI) environment are idle. Idleness may be quantified via a coefficient of variation (CV) against resource usage, so as to adapt the idle detection method to SDDCs with different hardware specifications and workloads. Management overhead may also be filtered out by the idle detection method, and the idle detection method may use idleness scores to further reduce overhead.

Abstract: Described herein are systems and methods to filter and classify multicast network traffic. In one example, a first computing node may receive a multicast communication from a second computing node and register a for a flow associated with the multicast communication, wherein the context includes at least the multicast port associated with the multicast communication. The first computing node further identifies an outbound communication destined for the second computing node and determines that addressing attributes in the outbound communication match the context for the flow. Once it is determined that the attributes match the context for the flow, the first computing node associates the outbound communication with the flow.