Abstract: A method for selecting between a plurality of paths for sending an encrypted packet from a source endpoint to a destination endpoint is provided. The method selects a first path of the plurality of paths for sending the encrypted packet from the source endpoint to the destination endpoint, each of the plurality of paths associated with a different one of a plurality of source ports, the encrypted packet being encrypted based on a security association established between the source endpoint and the destination endpoint in accordance with an IPSec protocol. The method further encapsulates, based on the SA having NAT-T enabled, the encrypted packet with a UDP header having a first source port associated with the first path. The method then transmits the encapsulated encrypted packet from the source endpoint to the destination endpoint via the first path.

Abstract: The disclosure provides an approach for cross-network communication by self-replicating applications. Embodiments include identifying, by a first instance of a self-replicating application on a first computing device having a first network connection to a parent component, a second computing device that is connected to the first computing device via a second network connection. Embodiments include self-replicating, by the first instance of the self-replicating application, across the second network connection to produce a second instance of the self-replicating application on the second computing device. Embodiments include initiating, by the first instance of the self-replicating application, a proxy tunnel on the first computing device. Embodiments include receiving, by the proxy tunnel, a first communication from the second instance of the self-replicating application via the second network connection.

Abstract: The detection of utilized virtual machines through usage pattern analysis is described. In one example, a computing device can collect utilization metrics from a virtual machine over time. The utilization metrics can be related to one or more processing usage, disk usage, network usage, and memory usage metrics, among others. The utilization metrics can be used to determine a number of clusters, and the clusters can be used to organize the utilization metrics into groups. Depending upon the number or overall percentage of the utilization metrics assigned to individual ones of the plurality of clusters, it is possible to determine whether or not the virtual machine is a utilized or an idle virtual machine. Once identified, utilized virtual machines can be migrated in some cases. Idle virtual machines can be shut down to conserve processing resources and costs in some cases.

Abstract: An example virtualized computing system includes a cluster of hosts having a virtualization layer executing thereon and configured to manage virtual machines (VMs); first and second local storage devices in a first host, the first local storage device being part of a virtual storage area network (vSAN) and the second local storage device being exclusive of the vSAN; and an orchestration control plane, integrated with the virtualization layer and including a master server managing state of the orchestration control plane, the state including objects representing the hosts and the VMs, the orchestration control plane deploying a persistent application executing on a first VM, the persistent application storing persistent data on the second local storage device; and a virtualization management server configured to manage the cluster and to cooperate with the orchestration control plane to modify the state to notify the master server of a virtual infrastructure (VI) event.

Abstract: Disclosed are various approaches for providing a virtual badge credential to a user's device that is enrolled with a management service as a managed device. Upon authentication of a user's identity via an identity provider, a virtual badge credential can be provided to an application on the client device. The virtual badge credential can be presented by the client device to access control readers to gain access to physical resources, such as doors and buildings, that are secured by the access control readers.

Abstract: A computerized method for implementing distributed application security mesh systems comprising: providing a service graph; and providing an underlying mesh graph with a pre-defined paths.

Abstract: A system can reduce congestion in slice-based networks, such as a virtual service network (“VSN”). The system can include a monitoring module that communicates with agents on switches, such as routers or servers. The switches report telematics data to the monitoring module, which determines slice-specific performance attributes such as slice latency and slice throughput. These slice-specific performance attributes are compared against software license agreement (“SLA”) requirements. When the SLA is not met, the monitoring module can implement a new slice path for the slice to reduce the congestion.

Abstract: Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.

Abstract: A disclosed example to determine a migration recommendation of a service between geographic regions includes: a graph generator to generate an interaction graph, the interaction graph including first and second nodes and an edge therebetween, the first node representative of a first service in a first geographic region, the second node representative of a second service in a second geographic region, and the edge representative of a network path of interactions between the first and second services; a weighing engine to determine a weight value of the edge between the first and second services based on a count of network interactions between the first and second services and a real-time latency between the first and second services; and a recommendation engine to generate a migration recommendation to migrate the first service to the second geographic region based on the weight value of the edge.

Abstract: Described herein are systems, methods, and software to manage power consumption in a software build environment. In one implementation, a monitoring service monitors power consumption information associated with a build environment for one or more software components. The monitoring service further identifies one or more trends associated with the power consumption information based at least on the power consumption information satisfying one or more criteria and generates a summary for display that indicates at least the one or more trends. The monitoring service may also identify and display as part of the summary one or more suggestions to improve power consumption based on the one or more trends.

Abstract: Some embodiments provide a method for performing data message processing at a smart NIC of a computer that executes a software forwarding element (SFE). The method stores (i) a set of cache entries that the smart NIC uses to process a set of received data messages without providing the data messages to the SFE and (ii) rule updates used by the smart NIC to validate the cache entries. After a period of time, the method determines that the rule updates are incorporated into a data message processing structure of the SFE. Upon incorporating the rule updates, the method deletes from the smart NIC (i) the rule updates and (ii) at least a subset of the cache entries.

Abstract: Methods and systems are described for analyzing and attesting physical access to a location. In an example, an administrator can create a survey for users in an organization. The survey can be sent to a user device as a notification. The user can complete the survey, and the user's physical access rights can be determined based on the survey answers. When the user attempts to gain access to a location of the organization, the user can provide a digital access badge. The digital access badge can be mapped to the user's access permissions. The user can be granted or denied access depending on whether the user answered the survey and, if answered, what answers the user provided.

Abstract: A method of enabling remote access to a console of a virtual machine (VM) running in a host and managed by a VM management server, from a remote computing device, includes the steps of: in response to a request to access the console of the VM from the remote computing device, issuing a request for a first ticket, the first ticket including an identifier of the host in which the VM is running; upon receiving the first ticket, issuing a request for a second ticket to access a proxy server; and upon receiving the second ticket, transmitting a uniform resource locator (URL) identifying the proxy server and the second ticket to the remote computing device. The remote computing device accesses the console of the VM through the URL and the proxy server.

Abstract: In an embodiment, a computer-implemented method for using virtual tunnel interface teaming to achieve load balance and redundancy in virtual private networks (“VPNs”) is disclosed. In an embodiment, a method comprises: receiving, by a gateway, configuration data from a control plane; based on the configuration data, configuring on the gateway a bonded virtual tunnel interface (“bonded VTI”) having a plurality of slave virtual tunnel interfaces (“slave VTIs”); configuring a plurality of VPN tunnels between the plurality of slave VTIs configured on the gateway and a plurality of slave VTIs configured on a remote gateway; configuring an IPsec VPN tunnel between the bonded VTI configured on the gateway and a corresponding bonded VTI configured on the remote gateway; logically combining the plurality of VPN tunnels into the IPsec VPN tunnel; and enabling communications of IPsec VPN traffic via the IPsec VPN tunnel.

Abstract: Systems and methods are described for extracting and populating content from an email link. In an example, a machine learning (“ML”) model can be trained based on user interactions with emails. When an email is received for the user, the ML model can be applied to score the email. An application can extract a link in the email. The application can retrieve a web page with the link and store it locally. The application can create a card for the email that includes the link and insert the card into a graphical user interface (“GUI”). A user can access the GUI and select the card. The web page can be retrieved from the local storage and displayed in the GUI.

Abstract: A method of upgrading an application in a software-defined data center (SDDC) includes: deploying, by lifecycle management software executing in the SDDC, a second appliance, a first appliance executing services of the application at a first version, the second appliance having services of the application at a second version, the services in the first appliance being active and the services in the second appliance being inactive; expanding, by the lifecycle management software, state of the first appliance to support both the services at the first version and the services at the second version; replicating, by the lifecycle management software, the state of the first appliance to the second appliance; performing, by the lifecycle management software, a switchover to stop the services of the first appliance and start the services of the second appliance; and contracting, by the lifecycle management software, state of the second appliance to remove a portion unused by the services at the second version.

Abstract: An optimistic byzantine agreement protocol (the protocol) first tries to reach agreement via an efficient deterministic algorithm (synchronous protocol) that relies on synchrony for termination. If an agreement is not reached (e.g., due to asynchrony), the protocol uses a randomized asynchronous algorithm (asynchronous protocol) for fallback. Although randomized asynchronous algorithms are considered to be costly, the rationale here is to bound communication in non-synchronous runs after an equivalent cost has already paid.

Abstract: Some embodiments of the invention provide a method of sending data in a network that includes at least one worker node executing one or more sets of containers and a virtual switch, the virtual switch including a gateway interface, a virtual local area network (VLAN) tunnel interface, and a set of virtual Ethernet interfaces associated with the one or more sets of containers. The method configures the gateway interface of the worker node to associate the gateway interface with multiple subnets that are each associated with a namespace. The worker node executes at least (1) first and second sets of containers of a first namespace, and (2) a third set of containers of a second namespace. The method sends data between the first and second sets of containers through a first virtual Ethernet interface associated with the first set of containers and a second virtual Ethernet interface associated with the second set of containers.

Abstract: A method for an electronic device for managing one or more browsing tabs of a browsing sessions is provided. The method receives a request for a browsing tab. The method determines whether to process the request for the browsing tab locally on the electronic device based on one or more parameters associated with at least one of the electronic device or a destination associated with the request. When it is determined to process the request locally, the method performs the browsing tab locally on the electronic device. However, when it is determined not to process the request locally, the method sends the request for the browsing tab to a remote server to perform the browsing tab remotely on the remote server.

Abstract: Decentralized deduplication operations in a computer system employ a hash index that is a variant of a B+ tree to support both efficient sequential updates as well as efficient random updates. Sequential update is selected when deduplication is infrequently performed, such as on the order of days, and random update is selected when deduplication is performed more frequently, such as on the order of seconds. More frequent deduplication may be beneficial during periods when large amounts of temporary duplicate data are created, and the system may not have enough storage space to accommodate the temporary spike in demand.