Abstract: Some embodiments of the invention provide a method for deploying software-implemented resources in a software defined datacenter (SDDC). The method initially receives a hierarchical API command that, in a declarative format, specifies several operation requests for several software-defined (SD) resources at several resource levels of a resource hierarchy in the SDDC. The method parses the API command to identify the SD resources at the plurality of resource levels. Based on the parsed API command, the method deploys the SD resources by using a deployment process that ensures that any first SD resource on which a second SD resource depends is deployed before the second resource. In some embodiments, a second SD resource depends on a first SD resource when the second SD resource is a child of the first SD resource. Alternatively, or conjunctively, a second SD resource can also depend on a first SD resource in some embodiments when the second SD resource has some operational dependency on the first SD resource.

Abstract: Examples for managing virtual infrastructure resources in cloud environments can include (1) instantiating an orchestration node for managing local control planes at multiple clouds, (2) instantiating first and second local control planes at different respective clouds, the first and second local control planes interfacing with different respective virtualized infrastructure managers (“VIMs”), where the first and second local control planes establish secure communication with the orchestration node, and (3) deploying, by the orchestration node, services to the first and second local control planes. Further, the first and second local control planes can cause the respective VIMs to manage the services at the different respective clouds.

Abstract: A decentralized identity access management (IAM) architecture that executes IAM service code on the distributed nodes (i.e., replicas) of a Byzantine fault tolerant (BFT) state machine replication (SMR) system is provided. For example, the IAM service code may be implemented as a blockchain smart contract or as a native execution engine that runs on each replica. With this decentralized architecture, up to f replicas (where f is a threshold number defined by the system's BFT consensus protocol) can be faulty/corrupted without affecting the security of the system.

Abstract: A hybrid scheme is provided for performing translation lookaside buffer (TLB) shootdowns in a computer system whose processing cores support both inter-processor interrupt (IPI) and broadcast TLB invalidate (TLBI) shootdown mechanisms. In one set of embodiments, this hybrid scheme dynamically determines, for each instance where a TLB shootdown is needed, whether to use the IPI mechanism or the broadcast TLBI mechanism to optimize shootdown performance (or otherwise make the TLB shootdown operation functional/practical).

Abstract: Some embodiments provide a method of performing load balancing for a group of machines that are distributed across several physical sites. The method of some embodiments iteratively computes (1) first and second sets of load values respectively for first and second sets of machines that are respectively located at first and second physical sites, and (2) uses the computed first and second sets of load values to distribute received data messages that the group of machines needs to process, among the machines in the first and second physical sites. The iterative computations entail repeated calculations of first and second sets of weight values that are respectively used to combine first and second load metric values for the first and second sets of machines to repeatedly produce the first and second sets of load values for the first and second sets of machines.

Abstract: A method of protecting an endpoint against a security threat detected at the endpoint, wherein the endpoint includes, in memory pages of the endpoint, an operating system (OS), a separate software entity, and remediation code, includes the steps of: transferring control of virtual CPUs (vCPUs) of the endpoint from the OS to the separate software entity; and while the separate software entity controls the vCPUs, storing, in an interrupt dispatch table, an instruction address corresponding to an interrupt, wherein the remediation code is stored at the instruction address, and replacing a next instruction to be executed by the OS, with an interrupt instruction, wherein the interrupt is raised when the OS executes the interrupt instruction, and the remediation code is executed as a result of handling of the interrupt that is raised.

Abstract: In one set of embodiments, a computer system can receive a request to provision a virtual machine (VM) in a host cluster, where the VM is associated with a virtual graphics processing unit (GPU) profile indicating a desired or required framebuffer memory size of a virtual GPU of the VM. In response, the computer system can execute an algorithm that identifies, from among a plurality of physical GPUs installed in the host cluster, a physical GPU on which the VM may be placed, where the identified physical GPU has sufficient free framebuffer memory to accommodate the desired or required framebuffer memory size, and where the algorithm allows multiple VMs associated with different virtual GPU profiles to be placed on a single physical GPU in the plurality of physical GPUs. The computer system can then place the VM on the identified physical GPU.

Abstract: Some embodiments provide a method for configuring an edge computing device to implement a logical router belonging to a logical network. The method configures a datapath executing on the edge computing device to use a first routing table associated with the logical router for processing data messages routed to the logical router. The method configures a routing protocol application executing on the edge computing device to (i) use the first routing table for exchanging routes with a network external to the logical network and (ii) use a second routing table for exchanging routes with other edge computing devices that implement the logical router.

Abstract: Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (I) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane.

Abstract: Some embodiments provide a method for performing data traffic monitoring. The method processes a packet through a packet processing pipeline that includes multiple stages. At a filtering stage, the method tags the packet with a set of monitoring actions for subsequent stages to perform on the packet based on a determination that the packet matches a particular filter. For each stage of a set of packet processing stages subsequent to the filtering stage, the method (i) executes any monitoring actions specified for the stage to perform on the packet and (ii) sends the packet to a next stage in the packet processing pipeline.

Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways and also significantly reduces the need to redirect packets received at the wrong host by using a capacity of off-the-shelf gateway devices to perform IPV6 encapsulation for IPv4 packets and assigning locally unique IPv6 addresses to each host executing a dSNAT middlebox service instance that are used by the gateway device.

Abstract: The present disclosure is directed to a leader-based partially synchronous BFT SMR protocol that improves upon existing protocols by exhibiting two rounds of communication latency, linear authenticator complexity, and optimistic responsiveness. This is achieved through the novel use of an aggregate signature scheme as part of the protocol's view-change procedure.

Abstract: An example method of managing guest time for a virtual machine (VM) supported by a hypervisor of a virtualized host computer includes: configuring, by the hypervisor, a central processing unit (CPU) of the host computer to trap, to the hypervisor, access by guest code in the VM to a physical counter and timer of the CPU; configuring, by the hypervisor, the guest code in the VM to use the physical counter and timer of the CPU rather than a virtual counter and timer of the CPU; trapping, at the hypervisor, an access to the physical counter and timer by the guest code; and executing, by the hypervisor, the access to the physical counter and timer on behalf of the guest code while compensating for an adjustment of a system count of the physical counter and timer to maintain the guest time as scaled with respect to frequency of the physical counter and timer.

Abstract: The disclosure provides an approach for upgrading a virtual machine (VM) using an instant clone. A method includes initiating updating of the VM on a host in a datacenter; creating a clone of the VM on the host, in response to initiating the update; receiving a first write input/output (I/O) request for a first data block; checking a first disk bitmap associated with a first delta disk for whether a first bit associated with the first data block is set; based on the first bit being set, checking a scanner bitmap for whether a second bit associated with the first data block is set; and based on the second bit being set: waiting until the first data block is merged into a second disk; and performing the first write I/O to the first data block in the second disk after the first data block is merged into the second disk.

Abstract: Solutions for discovering and onboarding edge devices at scale include: receiving, by a device aggregator, edge device state information including state information for a first edge device; based on at least the state information for the first edge device, configuring the first edge device to perform as a software-defined wide area network (SD-WAN) node; based on at least the edge device state information, determining a first device profile for the first edge device; and transmitting the first device profile to a workload manager. In some examples, the edge device state information includes state information for a second edge device; the second edge device is configured to perform as an SD-WAN node; and a second device profile is determined for the second edge device and transmitted to the workload manager. The workload manager allocates an SD-WAN workload among the first edge device and the second edge device.

Abstract: Disclosed are various embodiments for rate proportional scheduling to reduce packet loss in virtualized network function chains. A congestion monitor executed by a first virtual machine executed by a host computing device can detect congestion in a receive queue associated with a first virtualized network function implemented by a first virtual machine. The congestion monitor can send a pause signal to a rate controller executed by a second virtual machine executed by the host computing device. The rate controller can receive the pause signal. In response, the rate controller can pause the processing of packets by a second virtualized network function implemented by the second virtual machine to reduce congestion in the receive queue of the first virtualized network function.

Abstract: Some embodiments of the invention provide a method of deploying a tenant deployable element to one public cloud. The method identifies first and second candidate resource elements respectively of first and second resource element sub-types to deploy in a public cloud to implement the tenant deployable element. The method identifies, for the first and second candidate resource elements respectively first and second sets of performance metric values to evaluate. The method evaluates the identified first and second sets of metrics to select one candidate resource element to implement the tenant deployable element in the public cloud. The method uses the selected resource element to implement the tenant deployable element in the public cloud.

Abstract: Linked clone read performance when retrieving data from a clone is improved at least by aggregating block mapping metadata efficiently. Primary metadata for a child clone maps a logical block address (LBA) for data in a data region of the child clone to a physical sector address (PSA) for data in the data region of the child clone. At least a portion of primary metadata for a parent clone of the child clone is copied into archival metadata for the child clone. In response to a read request, data is returned from the child clone, parent clone, or another ancestor of the child clone based on whether or not a read request LBA is within the primary metadata for the child clone, or within the archival metadata.

Abstract: The current document is directed to an infrastructure-as-code (“IaC”) cloud-infrastructure-management service or system that automatically generates parameterized cloud templates that represent already deployed cloud-based infrastructure, including virtual networks, virtual machines, load balancers, and connection topologies. The IaC cloud-infrastructure manager provides an infrastructure-discovery service that accesses a cloud-computing facility to obtain information about already deployed cloud infrastructure and that generates a textual description of the deployed infrastructure, which the IaC cloud-infrastructure-manager then transforms into a set of parameterized cloud-infrastructure-specification-and-configuration files, a resource_ids file, and a parameters file that together comprise a parameterized cloud template.

Abstract: The current document is directed to a cloud-infrastructure-management service that allows users and upstream management systems to define and deploy infrastructure, such as virtual networks, virtual machines, load balancers, and connection topologies, within cloud-computing systems. The cloud-infrastructure-management service includes a describe state module that includes a describe function that generates a configuration file that specifies the current state of a target server running a server-side cloud-infrastructure-management service.