Abstract: Techniques for implementing secure GPU virtualization using sandboxing are provided. In one set of embodiments, a hypervisor of a host system can receive one or more first graphics/compute commands issued by a guest application running within a VM of the host system. The hypervisor can further communicate the one or more first graphics/compute commands to a sandboxed software process that is separate from the hypervisor. The sandboxed software process can then translate the one or more first graphics/compute commands into one or more second graphics/compute commands and issue the one or more second graphics/compute commands for execution on a physical GPU.

Abstract: Disclosed are various approaches for performing automated actions in a conferencing service. Distractions can be detected and users can be muted. Breakout rooms can be suggested to attendees based upon the user's identity. Additionally, event summaries and recaps can be generated for users who are late-arriving or who depart and return to the event.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). A set of interfaces on each side of the network edge device for a set of equal cost paths, in some embodiments, are bonded together in the network edge device to correspond to a single interface on either side of a logical bridge including at least one logical switch providing a stateful service implemented by the network edge device. The bond is implemented, in some embodiments, by a bonding module executing on the network edge device that maintains a mapping between ingress and egress interfaces to allow deterministic forwarding through the network edge device in the presence of bonded interfaces.

Abstract: A method for selecting between a plurality of paths for sending an encrypted packet from a source endpoint to a destination endpoint is provided. The method selects a first path of the plurality of paths for sending the encrypted packet from the source endpoint to the destination endpoint, each of the plurality of paths associated with a different one of a plurality of source ports, the encrypted packet being encrypted based on a security association established between the source endpoint and the destination endpoint in accordance with an IPSec protocol. The method further encapsulates, based on the SA having NAT-T enabled, the encrypted packet with a UDP header having a first source port associated with the first path. The method then transmits the encapsulated encrypted packet from the source endpoint to the destination endpoint via the first path.

Abstract: Decentralized deduplication operations in a computer system employ a hash index that is a variant of a B+ tree to support both efficient sequential updates as well as efficient random updates. Sequential update is selected when deduplication is infrequently performed, such as on the order of days, and random update is selected when deduplication is performed more frequently, such as on the order of seconds. More frequent deduplication may be beneficial during periods when large amounts of temporary duplicate data are created, and the system may not have enough storage space to accommodate the temporary spike in demand.

Abstract: An optimistic byzantine agreement protocol (the protocol) first tries to reach agreement via an efficient deterministic algorithm (synchronous protocol) that relies on synchrony for termination. If an agreement is not reached (e.g., due to asynchrony), the protocol uses a randomized asynchronous algorithm (asynchronous protocol) for fallback. Although randomized asynchronous algorithms are considered to be costly, the rationale here is to bound communication in non-synchronous runs after an equivalent cost has already paid.

Abstract: Techniques are disclosed for reallocating host resources in a virtualized computing environment when certain criteria have been met. In some embodiments, a system identifies a host disabling event. In view of the disabling event, the system identifies a resource for reallocation from a first host to a second host. Based on the identification, the computer system disassociates the identified resource's virtual identifier from the first host device and associates the virtual identifier with the second host device. Thus, the techniques disclosed significantly reduce a system's planned and unplanned downtime.

Abstract: Disclosed are various approaches for providing a virtual badge credential to a user's device that is enrolled with a management service as a managed device. Upon authentication of a user's identity via an identity provider, a virtual badge credential can be provided to an application on the client device. The virtual badge credential can be presented by the client device to access control readers to gain access to physical resources, such as doors and buildings, that are secured by the access control readers.

Abstract: Systems and methods are described for extracting and populating content from an email link. In an example, a machine learning (“ML”) model can be trained based on user interactions with emails. When an email is received for the user, the ML model can be applied to score the email. An application can extract a link in the email. The application can retrieve a web page with the link and store it locally. The application can create a card for the email that includes the link and insert the card into a graphical user interface (“GUI”). A user can access the GUI and select the card. The web page can be retrieved from the local storage and displayed in the GUI.

Abstract: Automated methods and systems for identifying and resolving performance problems of objects of a data center are described. The automated methods and systems construct a model for identifying objects of the datacenter that are experiencing performance problems based on baseline distributions of events of the objects in a historical time period and event distributions of events of the objects in a time window located outside the historical time period. A root causes and recommendations database is constructed for resolving performance problems based on remedial measures previously performed for resolving performance problems. The model is used to monitor the objects of data center for runtime performance problems. When a performance problem with an object is detected, the root causes and recommendations database is used to identify a root cause of the performance problem and generate a recommendation for resolving the performance problem in near real time.

Abstract: A method of enabling remote access to a console of a virtual machine (VM) running in a host and managed by a VM management server, from a remote computing device, includes the steps of: in response to a request to access the console of the VM from the remote computing device, issuing a request for a first ticket, the first ticket including an identifier of the host in which the VM is running; upon receiving the first ticket, issuing a request for a second ticket to access a proxy server; and upon receiving the second ticket, transmitting a uniform resource locator (URL) identifying the proxy server and the second ticket to the remote computing device. The remote computing device accesses the console of the VM through the URL and the proxy server.

Abstract: In an embodiment, a computer-implemented method for using virtual tunnel interface teaming to achieve load balance and redundancy in virtual private networks (“VPNs”) is disclosed. In an embodiment, a method comprises: receiving, by a gateway, configuration data from a control plane; based on the configuration data, configuring on the gateway a bonded virtual tunnel interface (“bonded VTI”) having a plurality of slave virtual tunnel interfaces (“slave VTIs”); configuring a plurality of VPN tunnels between the plurality of slave VTIs configured on the gateway and a plurality of slave VTIs configured on a remote gateway; configuring an IPsec VPN tunnel between the bonded VTI configured on the gateway and a corresponding bonded VTI configured on the remote gateway; logically combining the plurality of VPN tunnels into the IPsec VPN tunnel; and enabling communications of IPsec VPN traffic via the IPsec VPN tunnel.

Abstract: A method of executing workflows in virtual machines that have been deployed to implement virtual network functions of a network service, wherein the virtual machines are running in a plurality of data centers each having a cloud management server running a cloud computing management software to provision virtual infrastructure resources thereof for a plurality of tenants, includes upon receiving a request to execute a workflow along with a plurality of parameters including first and second parameters at a data center, identifying a virtual machine deployed in the data center, in which the workflow is to be executed based on the first parameter, designating one of a plurality of methods by which the workflow is to be executed in the virtual machine according to the second parameter, and issuing a command to the virtual machine to execute the workflow according to the designated method.

Abstract: Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.

Abstract: Methods and systems are described for analyzing and attesting physical access to a location. In an example, an administrator can create a survey for users in an organization. The survey can be sent to a user device as a notification. The user can complete the survey, and the user's physical access rights can be determined based on the survey answers. When the user attempts to gain access to a location of the organization, the user can provide a digital access badge. The digital access badge can be mapped to the user's access permissions. The user can be granted or denied access depending on whether the user answered the survey and, if answered, what answers the user provided.

Abstract: The disclosure provides an approach for cross-network communication by self-replicating applications. Embodiments include identifying, by a first instance of a self-replicating application on a first computing device having a first network connection to a parent component, a second computing device that is connected to the first computing device via a second network connection. Embodiments include self-replicating, by the first instance of the self-replicating application, across the second network connection to produce a second instance of the self-replicating application on the second computing device. Embodiments include initiating, by the first instance of the self-replicating application, a proxy tunnel on the first computing device. Embodiments include receiving, by the proxy tunnel, a first communication from the second instance of the self-replicating application via the second network connection.

Abstract: Disclosed are various examples for enrollment of gateways using a client device. In one example, a request is transmitted from a client device to a management service. The request comprises the gateway identifier. Gateway credentials are relayed through the client device from the management service to the gateway device. The gateway credentials are unexposed to users of the client device.

Abstract: An example virtualized computing system includes a cluster of hosts having a virtualization layer executing thereon and configured to manage virtual machines (VMs); first and second local storage devices in a first host, the first local storage device being part of a virtual storage area network (vSAN) and the second local storage device being exclusive of the vSAN; and an orchestration control plane, integrated with the virtualization layer and including a master server managing state of the orchestration control plane, the state including objects representing the hosts and the VMs, the orchestration control plane deploying a persistent application executing on a first VM, the persistent application storing persistent data on the second local storage device; and a virtualization management server configured to manage the cluster and to cooperate with the orchestration control plane to modify the state to notify the master server of a virtual infrastructure (VI) event.

Abstract: A computerized method for implementing distributed application security mesh systems comprising: providing a service graph; and providing an underlying mesh graph with a pre-defined paths.

Abstract: A system can reduce congestion in slice-based networks, such as a virtual service network (“VSN”). The system can include a monitoring module that communicates with agents on switches, such as routers or servers. The switches report telematics data to the monitoring module, which determines slice-specific performance attributes such as slice latency and slice throughput. These slice-specific performance attributes are compared against software license agreement (“SLA”) requirements. When the SLA is not met, the monitoring module can implement a new slice path for the slice to reduce the congestion.