Abstract: Described herein are systems, methods, and software to monitor latency information in virtual desktop environments. In one example, a user computing system may obtain a first frame of video data from a second computing system, wherein the video data is streamed from the user computing system to the second computing system. The user computing system further identifies a first frame number for the first frame based on a code in the first frame, identifies a frame number for second frame of the video data to be streamed to the second computing system when first frame was received, and determines frame latency based on a difference between the first frame number and the second frame number.

Abstract: Aspects of managing inventory for data transport connections within a virtualized computing environment are described. A virtualized management system managing a cluster of host devices obtains a data transport capacity parameter and an aggregate memory consumption value from respective host devices. The virtualized management system further identifies an update status associated with each of the host devices. In response to receiving a data transport connection request, the virtualized management system selects a host from the cluster of hosts to satisfy the data transport connection request based at least in part on the upgrade status, data transport capacity parameter and aggregate memory consumption value.

Abstract: Some embodiments provide a method for, at a network interface controller (NIC) of a computer, accessing data in a network. From the computer, the method receives a request to access data stored at a logical memory address. The method translates the logical memory address into a memory address of a particular network device storing the requested data. The method sends a data message to the particular network device to retrieve the requested data.

Abstract: The disclosure provides an approach for virtual computing instance (VCI) migration. Embodiments include scanning logical segments associated with a customer gateway to identify network addresses associated with the logical segments. Embodiments include determining one or more recommended supernets based on the network addresses associated with the logical segments. Embodiments include providing output to a user based on the one or more recommended supernets. Embodiments include based on the output, receiving input from the user configuring an aggregation supernet for the customer gateway. Embodiments include advertising the aggregation supernet to one or more endpoints separate from the customer gateway.

Abstract: Disclosed are various approaches for polling federated services for notifications. A request for an access token for a federated service is sent to an authentication service. The access token for the federated service is received from the authentication service. A query is sent to the federated service for a notification, the query comprising the access token. The notification is received from the federated service.

Abstract: Described herein are systems, methods, and software to manage processing queue allocation based on addressing attributes of an inner packet. In one implementation, a first gateway identifies processing queues at a second gateway and assigns a unique flow label to each of the processing queues. The first gateway further receives a packet from a computing node that is directed toward the second gateway. The first gateway hashes addressing information in the packet to select a flow label, encapsulates the packet with the flow label in the outer encapsulation header for the encapsulated packet, and forwards the packet toward the second gateway.

Abstract: Some embodiments provide a method for scheduling networking threads associated with a data compute node (DCN) executing at a host computer. When a virtual networking device is instantiated for the DCN, the method assigns the virtual networking device to a particular non-uniform memory access (NUMA) node of multiple NUMA nodes associated with the DCN. Based on the assignment of the virtual networking device to the particular NUMA node, the method assigns networking threads associated with the DCN to the same particular NUMA node and provides information to the DCN regarding the particular NUMA node in order for the DCN to assign a thread associated with an application executing on the DCN to the same particular NUMA node.

Abstract: In an embodiment, a computer-implemented method for highly-scalable, in-network multicasting of statistics data is disclosed. In an embodiment, a method comprises: receiving, from an underlay controller, a match-and-action table that is indexed using one or more multicast (“MC”) group identifiers and includes one or more special MC headers; detecting a packet carrying statistics data; determining whether the packet includes an MC group identifier; in response to determining that the packet includes the MC group identifier: using the MC group identifier, retrieving a special MC header, of the one or more special MC headers, from the match-and-action table; generating an encapsulated packet by encapsulating the packet with the special MC header; and providing the encapsulated packet to an interface controller for transmitting the encapsulated packet to one or more physical switches.

Abstract: Some embodiments provide a novel method for assessing the suitability of network links for connecting compute nodes located at different geographic sites. The method of some embodiments identifies and analyzes sample packets from a set of flows exchanged between first and second compute sites that are connected through a first network link in order to identify attributes of the sampled packets. The method also computes attributes of predicted packets between the identified samples in order to identify attributes of each flow in the set of flows. The method then uses the identified and computed attributes of each flow in the set of flows to emulate the set of flows passing between the two compute sites through the second network link in order to assess whether a second network link should be used for future flows (e.g., future flows exchanged between the first and second compute sites).

Abstract: A method for protecting an OS disk of a computing device without block encrypting the OS disk. The method identifies one or more files that store configuration data associated with OS binaries executed on the computing device. The method encrypts the configuration data stored in the one or more files using an encryption key and seals the encryption key to a TPM of the computing device. The method then boots the computing device by attempting to unseal the encryption key by authenticating one or more of the OS binaries with the TPM. When authenticating the one or more of the OS binaries is successful, the method completes boot of the computing device by decrypting the configuration data using the encryption key. If authentication of the one or more of the OS binaries is not successful, however, the method aborts boot of the computing device.

Abstract: Some embodiments provide a method for performing data message processing at a smart NIC of a computer that executes a software forwarding element (SFE). The method determines whether a received data message matches an entry in a data message classification cache stored on the smart NIC based on data message classification results of the SFE. When the data message matches an entry, the method determines whether the matched entry is valid by comparing a timestamp of the entry to a set of rules stored on the smart NIC. When the matched entry is valid, the method processes the data message according to the matched entry without providing the data message to the SFE executing on the computer.

Abstract: Some embodiments provide a method for evaluating locations of applications in a multi-cloud network with applications located in different cloud datacenters of one or more cloud providers. The method receives data for flows collected from the cloud datacenters. The data for each flow indicates a source and destination of the flow and applications to which at least one of the source and destination of the flow belong. The method uses network topology data to identify a subset of the flows as egress flows, each of which is charged by a cloud provider at which the flow source is located. Based on data from the cloud providers, the method determines a cost for each of the egress flows and a cost associated with each of the applications. The method provides these costs to users of the network for the users to optimize locations of the applications in the different cloud datacenters.

Abstract: Methods and apparatus to cross configure network resources of software defined data centers are disclosed. Example instructions cause one or more processors to monitor a component of a network for a probe packet sent to the component. The example instructions cause the one or more processors to, in response to detecting the probe packet, determine whether the probe packet includes a unique source media access control (MAC) address that is included in a probe access control list (ACL), the unique source MAC address included in the probe ACL set by a decision engine. The example instructions cause the one or more processors to, in response to determining that the probe packet does not include the unique source MAC address, record probe packet receipt information indicating that the probe packet did not pass through a network port of the component and transmit the probe packet receipt information to the decision engine.

Abstract: Techniques for implementing unsupervised anomaly detection by self-prediction are provided. In one set of embodiments, a computer system can receive an unlabeled training data set comprising a plurality of unlabeled data instances, where each unlabeled data instance includes values for a plurality of features. The computer system can further train, for each feature in the plurality of features, a supervised machine learning (ML) model using a labeled training data set derived from the unlabeled training data set, receive a query data instance, and generate a self-prediction vector using at least a portion of the trained supervised ML models and the query data instance, where the self-prediction vector indicates what the query data instance should look like if it were normal. The computer system can then generate an anomaly score for the query data instance based on the self-prediction vector and the query data instance.

Abstract: In one set of embodiments, a hypervisor of a host system can determine that a delta between local and remote memory access latencies for each of a subset of NUMA nodes of the host system is less than a threshold. In response, the hypervisor can enable page sharing across the subset of NUMA nodes, where enabling page sharing comprises associating the subset of NUMA nodes with a single page sharing table, and where the single page sharing table holds entries identifying host physical memory pages of the host system that are shared by virtual machines (VMs) placed on the subset of NUMA nodes.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Some embodiments collect, each time a request for a new data message flow is initiated, a set of contextual attributes (i.e., context data) associated with the requested new data message flow. The method, in some embodiments, generates a correlation data set and provides the correlation data set to be included in flow data regarding the requested data message flow to be used by the analysis appliance to correlate context data and flow data received as separate data sets from multiple host computers.

Abstract: In an embodiment, a computer-implemented method for providing dynamic mechanisms for resource-path-based, dynamic group membership support for local and external membership groups is described. A method comprises: detecting, by a group resolver implemented in a management and control plane, that information about an object stored in the plane was created or updated; determining whether a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group; in response to determining that a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group: distributing the information about the object to network agents implemented in transport nodes to cause the network agents to automatically update a group membership policy associated with the membership group; and wherein the group membership policy affects packet forwarding behavior of a forwarding node.

Abstract: Some embodiments provide a hierarchical data service (HDS) that manages many resource clusters that are in a resource cluster hierarchy. In some embodiments, each resource cluster has its own cluster manager, and the cluster managers are in a cluster manager hierarchy that mimics the hierarchy of the resource clusters. In some embodiments, both the resource cluster hierarchy and the cluster manager hierarchy are tree structures, e.g., a directed acyclic graph (DAG) structure that has one root node with multiple other nodes in a hierarchy, with each other node having only one parent node and one or more possible child nodes.

Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.

Abstract: The disclosure provides an approach for cryptographic agility. Embodiments include establishing, by a proxy component associated with a cryptographic agility system, a first secure connection with an application. Embodiments include receiving, by the proxy component, via the first secure connection, a communication from the application directed to an endpoint. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information related to the communication. Embodiments include establishing, by the proxy component, a second secure connection with the endpoint based on the cryptographic technique. Embodiments include transmitting, by the proxy component, a secure communication to the endpoint via the second secure connection based on the communication.