Abstract: A network system that implements quality of service (QoS) by rate limiting at a logical network entity is provided. The logical network entity includes multiple transport nodes for transporting network traffic in and out of the logical network entity. The system monitors traffic loads of the multiple transport nodes of the logical network entity. The system allocates a local CR and a local BS to each of the multiple transport nodes. The allocated local CR and the local BS are determined based on the CR and BS parameters of the logical network entity and based on the monitored traffic loads. Each transport node of the logical network entity in turn controls an amount of data being processed by the transport node based on a token bucket value that is computed based on the local CR and the local BS of the transport node.

Abstract: Disclosed are various examples for Internet of Things (IoT) device discovery and configuration. In some embodiments, a management service generates a console user interface. Through the console user interface, an Internet-of-Things (IoT) protocol is selected for an IoT discovery campaign to discover IoT devices that are deployed in an enterprise environment and utilize the IoT protocol. A gateway distribution list is defined for the IoT discovery campaign. A command is transmitted according to the IoT discovery campaign, causing a gateway device to discover IoT devices that are deployed in the enterprise environment and utilize the IoT protocol.

Abstract: Techniques for implementing a software-as-a-service (SaaS) infrastructure that supports flexible multi-tenancy are provided. In various embodiments, this SaaS infrastructure employs a hybrid design that can flexibly accommodate both single-tenant and multi-tenant instances of a SaaS application. Accordingly, with this infrastructure, a SaaS provider can advantageously support high levels of isolation between certain tenants of its application (as dictated by the tenants' needs and/or other criteria) while keeping the marginal cost of operating the infrastructure as low as possible.

Abstract: A plug-in based framework provides high availability (HA), including fault tolerance, in a distributed system, such as provided by a virtualized computing environment. The framework uses blueprints that define entities to be monitored, failure conditions, failover actions, restoration actions, and other aspects associated with HA. Microservices execute the blueprints, and a load balancer may balance the execution of the blueprints amongst microservices.

Abstract: Systems and methods are disclosed for updating network configuration documentation. In an example, a user can upload network configuration documentation with updates to a network to a server. The server can create an update topology corresponding to the documentation by identifying symbols that represent network components. The server can identify changes by comparing the update topology to a configuration data of an existing network. For example, the address of a gateway or the connections to the gateway can change. The server can cause the changes to be presented to a user, such as by highlighting the changes in a diagram. The user can confirm the changes, such as with a conversational workflow, and the server can save the changes to a database. The system can also send commands to the applicable network components to effectuate the confirmed changes.

Abstract: Methods and systems described herein are directed to aggregating and querying log messages. Methods and systems determine event types of log message generated by event sources of the distributed computing system. The event types are aggregated into aggregated records for a shortest time unit and event types are aggregated into aggregated records for longer time units based on the aggregated records associated with the shortest time unit. In response to a query regarding occurrences of an event type in a query time interval, the query time interval is split into subintervals with time lengths that range from the shortest time unit to a longest time unit that lie within the query time interval. The method determines a total event count of occurrences of the event type in the query time interval based on the aggregated records with time stamps in the subintervals. The event count in the query time interval may be used to detect abnormal behavior of the event sources.

Abstract: Some embodiments provide a method for distributing a service rule that is to be enforced across a first set of sites and that is defined by reference to a group identifier that identifies a group of machines. The method distributes the service rule to each site in the first set of sites. The method identifies at least one site in the first set of sites that is not in a second set of sites that has already received a definition of the group. The method distributes the group definition to each identified site in the first set of sites that has not already received the definition of the group.

Abstract: A method for deleting one or more snapshots using micro-batch processing is provided. The method includes receiving a request to delete the one or more snapshots, identifying one or more middle map extents exclusively owned by the one or more snapshots requested to be deleted, wherein metadata for the one or more snapshots is stored in one or more logical maps having logical map extents mapping logical block addresses (LBAs) to middle block addresses (MBAs) and a middle map having middle map extents mapping MBAs to physical block addresses (PBAs) of physical locations where data blocks are written, adding MBAs of the identified one or more middle map extents in a batch, determining a first micro-batch including a first subset of the MBAs in the batch, the first subset of MBAs being MBAs less than a first upper bound MBA, and using a first transaction to delete the middle map extents corresponding to the first subset of MBAs included in the first micro-batch.

Abstract: One or more embodiments provide techniques that permit virtual computing instances in isolated environments to communicate information outside the isolated environments without requiring networking. In one embodiment, an encoder which runs in a virtual machine (VM) within an isolated environment, such as one of the VMs of a packaged virtual machine application that does not have external network connectivity, is configured to encode information, such as state information of the packaged virtual machine application, in portion(s) of a network address. The encoder further configures an unconnected network interface of the same VM, or another VM in the isolated environment, with the network address that includes the encoded information. A decoder, which could not otherwise communicate with the virtual computing instance via any network, may then retrieve the network address assigned to the unconnected network interface and decode that network address to obtain the information encoded therein.

Abstract: A framework is provided that assigns a digital certificate to each VM-based control plane element and computing node (i.e., worker VM) of a workload orchestration platform implemented in a virtualized environment, where the digital certificate is signed by a trusted entity and provides cryptographic proof that the control plane element/worker VM has been successfully attested by that trusted entity using hardware-based attestation. Each control plane element/worker VM is configured to verify the digital certificates of other platform components prior to communicating with those components. With these digital certificates in place, when an end-user submits to the platform's front-end control plane element a new workload for deployment, the end-user can verify the digital certificate of the front-end control plane element in order to be assured that the workload will be deployed and executed by the platform in a secure manner.

Abstract: Some embodiments provide a method that identifies a first number of requests received at a first application. Based on the first number of requests received at the first application, the method determines that a second application that processes requests after processing by the first application requires additional resources to handle a second number of requests that will be received at the second application. The method increases the amount of resources available to the second application prior to the second application receiving the second number of requests.

Abstract: A technique is described for managing processor (CPU) resources in a host having virtual machines (VMs) executed thereon. A target size of a VM is determined based on its demand and CPU entitlement. If the VM's current size exceeds the target size, the technique dynamically changes the size of a VM in the host by increasing or decreasing the number of virtual CPUs available to the VM. To “deactivate” virtual CPUs, a high-priority balloon thread is launched and pinned to one of the virtual CPUs targeted for deactivation, and the underlying hypervisor deschedules execution of the virtual CPU accordingly. To “activate” virtual CPUs, the number of virtual CPUs, the launched balloon thread may be killed.

Abstract: A cluster of computer systems, each of which is configured with a virtualization software layer to support execution of virtual computing instances, includes a first computer system in which a first virtual computing instance is executing, the first computer system including a first local storage unit in which a first log file is stored to capture write operations to a virtual disk of the first virtual computing instance. The cluster also includes a second computer system, networked to the first computer system, in which a second virtual computing instance is executing, the second computer system including a second local storage unit in which a second log file is stored to capture write operations to a virtual disk of the second virtual computing instance and in which a replica of the first log file is stored.

Abstract: Software development kit (“SDK”) applications may be implemented with user data on an enterprise end-user or shared device subsequent to a single check-out process on the device. A user profile and a context ID for a user can be accessed based on user provided credentials. An SDK application can be identified as one application of an application cluster including at least two applications. A status of a local context ID (“LCID”) of the SDK application can be determined, and a value for the LCID can be established based on the status and a value of a comparison context ID obtained from a server or an agent application. The LCID and a context ID for a keychain for the application cluster can be compared, and the SDK application can be implemented with user specific user data obtained from the agent application or the keychain based on a result of the comparison.

Abstract: The disclosure provides an approach for segmenting a user datagram protocol (UDP) packets. A method includes generating the UDP packet, containing UDP data, at a virtual computing instance (VCI) running on a host machine; sending the UDP packet from the VCI to a hypervisor running on the host machine; after sending the UDP packet to the hypervisor, segmenting the UDP packet into a plurality of UDP segments, wherein each of the plurality of UDP segments includes a portion of the UDP data and a UDP header; and transmitting the plurality of UDP segments, over a network, to a destination of the UDP packet.

Abstract: Some embodiments provide a method that, at a first domain name system (DNS) cluster of a set of DNS clusters, receives a DNS request from a client. The first DNS cluster identifies, based on an identifier of the client in the DNS request, a home DNS cluster of the client. The method forwards the DNS request to the home DNS cluster. The home DNS cluster supplies a DNS response to the client. Identifying the home DNS cluster, in some embodiments, includes performing a hash on the identifier of the client. Supplying the DNS response, in some embodiments, includes receiving a virtual IP (VIP) address associated with one of a plurality of sets of application servers to the client and providing the received VIP address to the client in the DNS response.

Abstract: Techniques for predicting the outcome of a storage management operation on a hyper-converged infrastructure (HCI) deployment are provided. In one set of embodiments, a computer system can retrieve a current storage resource state of the HCI deployment. The computer system can then execute a simulation of the storage management operation in view of the current storage resource state, where the executing includes performing one or more simulated data movements between one or more host systems in the HCI deployment. Upon completing the simulation, the computer system can generate a report including, among other things, a predicted result status of the storage management operation based on the simulation.

Abstract: Example methods are provided a computer system to perform context-aware domain name system (DNS) query handling in a software-defined networking (SDN) environment. One example method may comprise detecting a DNS query to translate a domain name; identifying DNS record information that translates the domain name to a network address assigned to a virtualized computing instance; and identifying context information that is associated with the virtualized computing instance and mapped to the DNS record information. The method may also comprise: in response to detecting a potential security threat based on the context information, performing a remediation action to block access to the virtualized computing instance; but otherwise, generating and sending a DNS reply specifying the network address assigned to allow access to the virtualized computing instance.

Abstract: Some embodiments provide a method for forwarding data messages between edge nodes that perform stateful processing on flows between a logical network and an external network. At a particular edge node, the method receives a data message belonging to a flow. The edge nodes use a deterministic algorithm to select one of the edge nodes to perform processing for each flow. The method identifies a first edge node to perform processing for the flow in a previous configuration and a second edge node to perform processing for the flow in a new configuration according to the algorithm. When the first and second edge nodes are different, the method uses a probabilistic filter and a stateful connection tracker to determine whether the flow existed prior to a particular time. When the flow did not exist prior to that time, the method selects the second edge node for the received data message.

Abstract: Example methods and systems for creating a plurality of snapshots of a storage object backed by a plurality of copy-on-write (COW) B+ tree data structure including a first COW B+ tree data structure having a first root node and leaf nodes maintaining mappings of LBAs to PBAs associated with a first snapshot of the storage object are disclosed. One example method includes creating a first root node of a first B+ tree data structure, maintaining a delta mapping table between a set of LBAs to a set of PBAs in the first leaf node, in response to receiving a request to create a second snapshot of the storage object: creating a second root node of a second COW B+ tree data structure and creating leaf nodes of the second COW B+ tree data structure in batches based on an order of the set of LBAs.