Abstract: The disclosure provides an approach for virtual computing instance (VCI) migration. Embodiments include scanning logical segments associated with a customer gateway to identify network addresses associated with the logical segments. Embodiments include determining one or more recommended supernets based on the network addresses associated with the logical segments. Embodiments include providing output to a user based on the one or more recommended supernets. Embodiments include based on the output, receiving input from the user configuring an aggregation supernet for the customer gateway. Embodiments include advertising the aggregation supernet to one or more endpoints separate from the customer gateway.

Abstract: Aspects of managing inventory for data transport connections within a virtualized computing environment are described. A virtualized management system managing a cluster of host devices obtains a data transport capacity parameter and an aggregate memory consumption value from respective host devices. The virtualized management system further identifies an update status associated with each of the host devices. In response to receiving a data transport connection request, the virtualized management system selects a host from the cluster of hosts to satisfy the data transport connection request based at least in part on the upgrade status, data transport capacity parameter and aggregate memory consumption value.

Abstract: An in-guest agent in a virtual machine (VM) operates in conjunction with a replication module. The replication module performs continuous data protection (CDP) by saving images of the VM as checkpoints at a disaster recovery site over time. Concurrently, the in-guest agent monitors for behavior in the VM that may be indicative of the presence of malicious code. If the in-guest agent identifies behavior (at a particular point in time) at the VM that may be indicative of the presence of malicious code, the replication module can tag a checkpoint that corresponds to the same particular point in time as a security risk. One or more checkpoints generated prior to the particular time may be determined to be secure checkpoints that are usable for restoration of the VM.

Abstract: Some embodiments provide a method of identifying packet latency in a software defined datacenter (SDDC) that includes a network and multiple host computers executing multiple machines. At a first host computer, the method identifies and stores (i) multiple time values associated with several packet processing operations performed on a particular packet sent by a first machine executing on the first host computer, and (ii) a time value associated with packet transmission through the SDDC network from the first host computer to a second host computer that is a destination of the particular packet. The method provides the stored time values to a set of one or more controllers to process to identify multiple latencies experienced by multiple packets processed in the SDDC.

Abstract: Systems and methods are described for efficient ways to manage storage of data in virtual desktops on writable volumes contained in attachable virtual disks. Multiple writeable volumes can be attached to a user's virtual desktop and data writes on the virtual desktop can be allocated among the writeable volumes based on preset policies or criteria, allowing the storage of different types of data in different writable volumes located on different storage devices.

Abstract: A version control interface for data provides a layer of abstraction that permits multiple readers and writers to access data lakes concurrently. An overlay file system, based on a data structure such as a tree, is used on top of one or more underlying storage instances to implement the interface. Each tree node tree is identified and accessed by means of any universally unique identifiers. Copy-on-write with the tree data structure implements snapshots of the overlay file system. The snapshots support a long-lived master branch, with point-in-time snapshots of its history, and one or more short-lived private branches. As data objects are written to the data lake, the private branch corresponding to a writer is updated. The private branches are merged back into the master branch using any merging logic, and conflict resolution policies are implemented. Readers read from the updated master branch or from any of the private branches.

Abstract: Examples of device-driven management are described. A management console can include a set of workflow objects to use in a workflow creation user interface. Workflow objects can be positioned in the workflow creation user interface area based on user manipulation. A device state criteria overlay can be painted on a connector workflow object to indicates that a branch of executable instructions corresponding to the connector workflow object is performed where a client device corresponds to the specified device state criteria.

Abstract: Some embodiments provide a hierarchical data service (HDS) that manages many resource clusters that are in a resource cluster hierarchy. In some embodiments, each resource cluster has its own cluster manager, and the cluster managers are in a cluster manager hierarchy that mimics the hierarchy of the resource clusters. In some embodiments, both the resource cluster hierarchy and the cluster manager hierarchy are tree structures, e.g., a directed acyclic graph (DAG) structure that has one root node with multiple other nodes in a hierarchy, with each other node having only one parent node and one or more possible child nodes.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Some embodiments collect, each time a request for a new data message flow is initiated, a set of contextual attributes (i.e., context data) associated with the requested new data message flow. The method, in some embodiments, generates a correlation data set and provides the correlation data set to be included in flow data regarding the requested data message flow to be used by the analysis appliance to correlate context data and flow data received as separate data sets from multiple host computers.

Abstract: In an embodiment, a computer-implemented method for providing dynamic mechanisms for resource-path-based, dynamic group membership support for local and external membership groups is described. A method comprises: detecting, by a group resolver implemented in a management and control plane, that information about an object stored in the plane was created or updated; determining whether a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group; in response to determining that a URI of the object matches a URI regular expression and other conditions specified in membership criteria created for a membership group: distributing the information about the object to network agents implemented in transport nodes to cause the network agents to automatically update a group membership policy associated with the membership group; and wherein the group membership policy affects packet forwarding behavior of a forwarding node.

Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.

Abstract: In an architecture of a virtualized computing system plugins are less tightly integrated with a core user interface of a management server. Rather than being installed and executed at the management server as local plugins, the plugins are served as remote plugins from a plugin server, and may be accessed by a web client through a reverse proxy at the management server. Plugin operations may be executed at the plugin server and/or invoked from a user device where the web client resides. Furthermore, a plugin sandbox and other isolation configurations are provided at the user device, so as to further control access capability and interaction of the plugins.

Abstract: Disclosed are various examples for an application settings module that provides uniform access to diverse types of data, such as mobile device settings. A client device, such as a mobile device, can be configured through execution of program instructions to access a schema file comprising a definition of a plurality of keypaths, where individual ones of the plurality of keypaths uniquely correspond to one of a plurality of device settings and the keypaths are defined in the schema file in association with a plurality of methods. The client device can identify a function invoked using one of the keypaths to read or write a corresponding one of the device settings, whether stored locally or remote, and, in response to the function being invoked, execute a portion of the methods corresponding to the one of the keypaths in the schema file and return a result to a requesting process.

Abstract: Disclosed are various examples of providing AI accelerator access as a service at the edge. In some embodiments an artificial intelligence (AI) accelerator device identifier is transmitted to register an AI accelerator with the AI broker service. An AI processing request for the AI accelerator is received from a networked computing device. A bus redirect of the AI accelerator to the networked device is enabled. An AI workload is performed controlled by the networked device through the bus redirect.

Abstract: Techniques are described providing improved ways to benchmark and validate virtual desktop deployments where targeted workloads are delivered to virtual desktops based on parameters such as the desktop type and origin, and where workload operations can be triggered from the client device. Client instructions for performing workload operations can be encoded into a digital image such as a Quick Response (QR) code on the virtual desktop and inserted into the virtual desktop graphical user interface (GUI). The client decodes the digital image in the received GUI to obtain the instructions and actuate the operations. Completion of operations can be tracked to benchmark desktop performance.

Abstract: System and method for managing migration of trusted execution environments (TEEs) based on migration policies utilizes a source migration agent in the source host computer and a destination migration agent in a destination host computer to migrate a source TEE in the source host computer to the destination host computer. A migration policy data of the source TEE is first transmitted to the destination migration agent from the source migration agent to determine whether the destination host computer satisfies migration policies specified in the migration policy data. In response to a determination that the destination host computer satisfies the migration policies specified in the migration policy data, a destination TEE is created in the destination host computer and memory pages of the source TEE are transmitted to the destination TEE. The memory pages are then restored at the destination TEE for execution.

Abstract: The disclosure provides an approach for cryptographic agility. Embodiments include establishing, by a proxy component associated with a cryptographic agility system, a first secure connection with an application. Embodiments include receiving, by the proxy component, via the first secure connection, a communication from the application directed to an endpoint. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information related to the communication. Embodiments include establishing, by the proxy component, a second secure connection with the endpoint based on the cryptographic technique. Embodiments include transmitting, by the proxy component, a secure communication to the endpoint via the second secure connection based on the communication.

Abstract: A noisy neighbor in a cloud multitenant system can present resource governance issues. Usage quotas can be applied, and traffic can be throttled to mitigate the problem. Network traffic can be monitored from routers of a software defined data center (SDDC) configured to process network traffic for machines of different tenants. By default, the network traffic from the routers can be processed via a first edge router for the SDDC. A second edge router can be deployed for the SDDC in response to the network traffic from a particular router exceeding a threshold. Network traffic from the particular router can be processed via the second edge router while the remaining traffic can continue to be processed via the first edge router.

Abstract: Mapping of applications by the most common file path in which they are installed or found to be running. Embodiments of the disclosure may determine the most commonly occurring hash values appearing in events generated by a virtualized network. These most commonly occurring hash values may correspond to the hash values of file paths associated with the greatest number of detected events. The database may then be queried to determine the most commonly occurring file path for each of these hash values. A table of such most commonly occurring file paths and their associated hash values may then be compiled and stored. Use of the most commonly occurring file path in lieu of an alert's actual file path may prevent undesired or malicious processes from going undetected by simply adopting a new file path that has yet to be recognized as being associated with undesired behavior.

Abstract: Examples herein describe systems and methods for self-healing in a Telco network function virtualization cloud. KPI attributes for virtual network functions can be mapped to physical fault notifications to create synthesized alerts. The synthesized alerts can include information from both a virtual and physical layer, allowing a self-healing action framework to determine root causes of problems in the Telco cloud. Remedial actions can then be performed in either the virtual or physical layer of the Telco cloud. Remedial actions in one layer can be based on root causes identified in the other, which can allow for remediation before network downtime occurs.