Abstract: Some embodiments of the invention provide a method for network-aware load balancing for data messages traversing a software-defined wide area network (SD-WAN) (e.g., a virtual network) including multiple connection links between different elements of the SD-WAN. The method includes receiving, at a load balancer in a multi-machine site, link state data relating to a set of SD-WAN datapaths including connection links of the multiple connection links. The load balancer, in some embodiments, provides load balancing for data messages sent from a machine in the multi-machine site to a set of destination machines (e.g., web servers, database servers, etc.) connected to the load balancer over the set of SD-WAN datapaths. The load balancer selects, for the data message, a particular destination machine (e.g., a frontend machine for a set of backend servers) in the set of destination machines by performing a load balancing operation based on the received link state data.

Abstract: Some embodiments provide a method of selecting data links for an application in a network. The method receives, from a machine implementing the application, a set of identifiers of required link characteristics. Based on at least one of the identifiers, the method selects a transport group that includes a set of optional links matching the identifiers. From the selected transport group, the method selects a link matching the set of identifiers.

Abstract: Some embodiments of the invention provide a method for WAN (wide area network) optimization for a WAN that connects multiple sites, each of which has at least one router. At a gateway router deployed to a public cloud, the method receives from at least two routers at least two sites, multiple data streams destined for a particular centralized datacenter. The method performs a WAN optimization operation to aggregate the multiple streams into one outbound stream that is WAN optimized for forwarding to the particular centralized datacenter. The method then forwards the WAN-optimized data stream to the particular centralized datacenter.

Abstract: Some embodiments provide a method for forwarding multicast data messages at a forwarding element on a host computer. The method receives a multicast data message from a routing element executing on the host computer along with metadata appended to the multicast data message by the routing element. Based on a destination address of the multicast data message, the method identifies a set of recipient ports for a multicast group with which the multicast data message is associated. For each recipient port, the method uses the metadata appended to the multicast data message by the routing element to determine whether to deliver a copy of the multicast data message to the recipient port.

Abstract: Methods, apparatus, systems and articles of manufacture for automatic configuration of a containerized computing namespace are disclosed. An example method includes identifying, in response to creation of a containerized computing namespace, a user account that is to be granted access to a containerized computing namespace, creating a service account, the service account representing the user account for the containerized computing namespace creating a role within the containerized computing namespace, and assigning a role binding between the role and the service account.

Abstract: Some embodiments provide a method for configuring a first Pod in a container cluster to perform layer 7 (L7) services for a logical router. At a second Pod that performs logical forwarding operations for the logical router, the method receives configuration data for the logical router from a network management system that defines a logical network for which the logical router routes data messages and performs L7 services. The method provides a set of Pod definition data to a cluster controller to create the first Pod. After creation of the first Pod, the method provides to the first Pod (i) networking information to enable a connection between the first and second Pods and (ii) configuration data defining the L7 services for the first Pod to perform the L7 services on data traffic sent from the second Pod to the first Pod.

Abstract: The present disclosure is related to devices, systems, and methods for virtual infrastructure provisioning on government compliant and non-compliant endpoints based on configuration. One embodiment includes receiving a request made by a user to provision a catalog item in a cloud computing environment, determining that the user is assigned to a project required to comply with governmental requirements concerning virtual infrastructure, selecting a cloud zone of a cloud region in which to provision the catalog item, wherein the cloud region is configured to provide compliance with the governmental requirements, and deploying the provisioned catalog item in the selected cloud zone.

Abstract: The present disclosure is directed to an adjusted group execution framework (“AGEF”) that adjusts execution of a monolithic cloud application based on predictive diagnostics. The AGEF aids owners of monolithic applications with offloading existing overloaded tasks to other nodes in a cluster of server computers. The AGEF includes an executor that is responsible for running specified execution flows described in an instruction file and a built-in predictive diagnostic engine that is trained on metric data recorded in a historical time period during prior executions of the monolithic application. The predictive diagnostic system generate a performance value that reveals the state of the monolithic application in one of two categories, such as success or fail, or in multiple categories, such as high, moderator, or low performance.

Abstract: The present disclosure relates to bootstrapping an encrypted single node VSAN cluster. One method includes receiving a request to create an encrypted VSAN cluster from a single host in a software-defined datacenter, deploying a virtual server on a VSAN datastore of the software-defined datacenter, registering a native key provider (NKP) in the virtual server, creating an empty VSAN cluster encrypted by the NKP, adding the single host to the encrypted empty cluster to create a one-host encrypted cluster, registering a KMIP KMS in the virtual server, switching encryption of the one-host encrypted cluster from the NKP to the KMIP KMS, and adding another host to the one-host encrypted cluster to create the encrypted cluster.

Abstract: Some embodiments provide a novel method for dynamically deploying gateways for a first network connecting machines. The first network includes segments, routers, and a first gateway that connects to an external network. The method identifies a set of two or more segments that consumes more than a threshold amount of bandwidth of the first gateway. The identified set includes at least first and second segments. The method identifies one or more segment groups by aggregating two or more segments in the identified set. A first segment group includes the first and second segments and a third segment that is not in the identified set of two or more segments. The method configures a second gateway to process flows associated with each identified group including the first group. The method configures a set of routers to forward flows from machines of each segment of each identified group to the second gateway.

Abstract: Example methods and systems for blockchain-based licensing as a service are described. In one example, a computer system may receive a first request to obtain a first license associated with a first product from a first client system. In response, the computer system may (a) select a first blockchain from multiple blockchains, and (b) generate and store a first non-fungible token (NFT) on the first blockchain to issue the first license. Further, the computer system may receive a second request to obtain a second license associated with the first product or a second product from a second client system. In response, the computer system may (a) select a second blockchain from multiple blockchains, and (b) generate and store a second NFT on the second blockchain to issue the second license.

Abstract: Some embodiments provide a method for providing access in a scalable manner to resources in a first datacenter to clients operating in one or more public clouds. The method of some embodiments implements with multiple machines a public-cloud proxy to connect clients in the public cloud(s) to a reverse proxy in the first datacenter.

Abstract: JavaScript library isolation can include replacing instances of a read/write call to a particular object from JavaScript code of a user interface (UI) plugin to a hosting application with a proxy as the JavaScript code is compiled to a JavaScript file, defining a function by which the proxy operates, directing a first subset of read/write calls to the particular object in runtime according to the function, and redirecting a second subset of read/write calls to a different object in runtime according to the function.

Abstract: Cascading style sheets (CSS) library isolation can include replacing instances of a definition of a base root element font size from CSS code of a user interface (UI) plugin to a hosting application with a CSS variable as the CSS code is compiled to a CSS file, reading a definition of a quantity of pixels per one root element font size from the UI plugin, calculating a ratio between the base root element font size of the UI plugin and a base root element font size of the hosting application in pixels, and defining the CSS variable as the ratio at runtime.

Abstract: Disclosed are various embodiments for optimizing the migration of pages of memory servers in cluster memory systems. To begin, a computing device can mark in a page table of the computing device that a page stored on a first memory host is not present. Then, the computing device can flush a translation lookaside buffer of the computing device. Next, the computing device can copy the page from the first memory host to a second memory host. Moving on, the computing device can update a page mapping table to reflect that the page is stored in the second memory host. Then, the computing device can mark in the page table of the computing device that the page stored in the second memory host is present. Subsequently, the computing device can discard the page stored on the first memory host.

Abstract: Some embodiments provide a method for using a first SDN controller as a Network Controller as a Service (NCaaS). The first SDN controller receives a first set of network attributes regarding network elements in a first container cluster configured by a second SDN controller, and a second set of network attributes regarding network elements in a second container cluster configured by a third SDN controller. These container clusters do not have a controller for defining particular network policies. Based on the sets of network attributes, the first SDN controller defines the particular network policies to control forwarding data messages between the first and second container clusters. The first SDN controller distributes at least a subset of the particular network policies to the first container cluster in order for network elements at the first container cluster to enforce on data messages exchanged between the first and second container clusters.

Abstract: The method of some embodiments assigns a client to a particular datacenter from among multiple datacenters. The method is performed at a first datacenter, starting when it receives security data associated with a second datacenter. Then the method receives a DNS request from the client. Based on the received security data, the method sends a DNS reply assigning the client to the particular datacenter instead of the second datacenter. The receiving and sending is performed by a DNS cluster of the datacenter in some embodiments. The particular datacenter includes a set of servers implementing an application for the client in some embodiments. The datacenter to which the client gets assigned can be the first datacenter or a third datacenter.

Abstract: Some embodiments of the invention provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

Abstract: Disclosed are various examples of provisioning a data processing unit (DPU) management operating system (OS). A management hypervisor installer executed on a host device launches or causes a server component to provide a management operating system (OS) installer image at a particular URI accessible over a network internal to the host device. A baseboard management controller (BMC) transfers the DPU management OS installer image to the DPU device. A volatile memory based virtual disk is created using the DPU management OS installer image. The DPU device is booted to a DPU management OS installer on the volatile memory based virtual disk. The DPU management OS installer installs a DPU management operating system to a nonvolatile memory of the DPU device on reboot of the DPU device.

Abstract: A noisy neighbor in a cloud multitenant system can present resource governance issues. Usage quotas can be applied, and traffic can be throttled to mitigate the problem. Network traffic can be monitored from routers of a software defined data center (SDDC) configured to process network traffic for machines of different tenants. By default, the network traffic from the routers can be processed via a first edge router for the SDDC. A second edge router can be deployed for the SDDC in response to the network traffic from a particular router exceeding a threshold. Network traffic from the particular router can be processed via the second edge router while the remaining traffic can continue to be processed via the first edge router.