Abstract: A method for encrypting data blocks is provided. The method receives a plurality of data blocks and encrypts each data block using an LBA of the data block as a tweak. The method writes the plurality of encrypted data blocks to physical blocks of the plurality of physical disks. The method then performs deduplication on the physical disks by determining that first and second physical blocks in the physical disks are duplicates, decrypting encrypted data in the first physical block using a first LBA associated with the first physical block as the tweak, and re-encrypting decrypted data in the first physical block using a PBA associated with the first physical block as the tweak. When reading the data back, either the LBA or PBA is used as the tweak, depending on whether the data was encrypted using LBA or re-encrypted using PBA during the deduplication process.

Abstract: A computer-implemented method of adjusting a resource credit configuration for cloud resources that includes collecting a resource credit inventory and attributing metadata related to resources from one or more cloud resources. An expected resource demand is determined. A plurality of resource credit configurations is determined that matches the determined expected resource demand. An improved resource credit benefit based on the resource credit inventory and on the plurality of credit configurations is determined that matches the determined expected resource demand. A modified attribute metadata based on the determined improved resource credit benefit is then determined.

Abstract: Examples described herein include systems and methods performing scalable and dynamic data processing and extraction. A first example method relates to processing events from a source. The method can include detecting an event generated by the source and predicting a probability of that event being part of a span including multiple events. The method can include waiting for the additional multiple events to occur within the predicted timeframe and, if occurring, packaging the events together for handling by a single dynamic function. Otherwise, the events can each be handled by separate dynamic functions. A second example method relates to performing dynamic data extraction from a source. The method can include waking up a function based on a regular poll interval, determining a probability of a data change at the source based on historical data extractions, and invoking an extraction function based on the probability of the data change.

Abstract: Certain Embodiments described herein relate to configuring the network-storage stack of two devices (e.g., physical or virtual) communicating together (e.g., an initiator and a target, as defined below) with Internet Small Computer Systems Interface (iSCSI) extension for remote direct memory access (RDMA) iSER, which is a protocol designed to utilize RDMA to accelerate iSCSI data transfer. The iSER protocol is implemented as an iSER datamover layer that acts as an interface between an iSCSI layer and an RDMA layer of the network-storage stacks of the two devices. Using iSER in conjunction with RDMA allows for bypassing the existing traditional network protocol layers (e.g., TCP/IP protocol layers) of the devices and permits data to be transferred directly, between the two devices, using certain memory buffers, thereby avoiding memory copies taking place when the existing network protocol layers are used.

Abstract: Systems and methods for analyzing a customer deployment in a converged or hyper-converged infrastructure are disclosed. A machine learning model is trained based upon historical usage data of other customer deployments. A k-means clustering is performed to generate a prediction as to whether a deployment is configured for optimal failover. Recommendations to improve failover performance can also be generated.

Abstract: Mechanisms to protect the integrity of memory of a virtual machine are provided. The mechanisms involve utilizing certain capabilities of the hypervisor underlying the virtual machine to monitor writes to memory pages of the virtual machine. A guest integrity driver communicates with the hypervisor to request such functionality. Additional protections are provided for protecting the guest integrity driver and associated data, as well as for preventing use of these mechanisms by malicious software. These additional protections include an elevated execution mode, termed “integrity mode,” which can only be entered from a specified entry point, as well as protections on the memory pages that store the guest integrity driver and associated data.

Abstract: A maintenance recommendation for containerized services can find a time to perform maintenance on a particular service based on resource usage patterns such that the maintenance will have a reduced impact on dependent services. The dependent services can be determined for the particular service based on network interactions between the services.

Abstract: Some embodiments provide a method that, at a first machine that operates at a first physical site as a primary global manager for a logical network spanning a plurality of physical sites, receives a set of ordered data describing a configuration of the logical network. The method stores, in a particular order, the received set of ordered data in a first database located at the first physical site. Through a channel between (i) the first machine and (ii) a second machine that operates at a second physical site as a secondary global manager for the logical network in case of failure of the primary global manager, the method provides the set of ordered data in the particular order for the second machine to store in a second database in the particular order. The second database located at the second physical site.

Abstract: Example methods and systems for service request handling with protocol translation are described. In one example, in response to intercepting a service request from a virtualized computing instance, a computer system may generate and send a translated service request towards a service node. The translated service request may be generated by performing a first translation of the service request from a service protocol to a data exchange protocol supported by both a client node running on the computer system and a service node. In response to receiving the service response that is generated according to the data exchange protocol from the service node, the computer system may generate and send a translated service response towards the virtualized computing instance. The translated service response may be generated by performing a second translation of the service response from the data exchange protocol to the service protocol.

Abstract: Techniques for providing virtualized entity-related services to a group of users are provided. The techniques include collecting entity-related data from multiple cloud providers. The data is collected via a data stream. Various portions of the data stream are stored in various databases. A portion of the data stream is stored in a graph database that stores relationships between the entities. A portion of the data stream is stored in a key-value database that persistently stores historical virtualized entity data for the group of users. A portion of the data stream is stored in a reverse-indexed database that stores globally-searchable entity data for the entities. A search query is received. Based on the content of the query, a combination of the databases searched. Search results are compared to policies or rules of the group. If an entity is out of compliance, a warning is issued and remedial action taken.

Abstract: The present disclosure relates to techniques for handling of bidirectional command protocols via a unidirectional communication connection established between a client computing environment and a cloud-services computing environment. In one embodiment, a command request message is pushed from a service component of the cloud-services computing environment to a client gateway of the client computing environment via the unidirectional communication connection. A token indicating routing information to the service component is embedded in the pushed command request message. A command response message is received at the cloud gateway from the client gateway via a bidirectional communication connection established between the client computing environment and the cloud-services computing environment. The command response message includes the token and data associated with executing the command request message at the client computing environment.

Abstract: Example methods and systems for context-aware intrusion detection are described. In one example, in response to determination that there is a matching intrusion detection signature based on packet flow information associated with a packet, a computer system may generate an intrusion detection alert that identifies the matching intrusion detection signature and the packet flow information. Further, the computer system may map the intrusion detection alert to contextual information, and generate a context-aware intrusion detection alert to trigger a context-aware remediation action based on at least the contextual information. The intrusion detection alert may be enhanced with context information associated with at least one of the following: the virtualized computing instance, a client device associated with the virtualized computing instance, and a user operating the client device.

Abstract: Example methods and computer systems for packet handling for active-active stateful service insertion are disclosed. One example may involve in response to detecting a first packet from a first active logical service router (SR), a computer system generating and storing state information that associates (a) the first active logical SR and (b) first tuple information specified by the first packet. The first active logical SR and a second active logical SR may be both associated with the service endpoint address and configured to operate in an active-active mode. In response to detecting the second packet from a destination responsive to the first packet, the computer system may select the first active logical SR over the second active logical SR based on the state information and second tuple information specified by the second packet; and send the second packet towards the first active logical SR for processing according to a stateful service.

Abstract: Example methods and systems for logical overlay tunnel monitoring are described. One example may involve a first computer system obtaining control information identifying a list of multiple logical overlay tunnels to be monitored, including a first logical overlay tunnel between a first virtual tunnel endpoint (VTEP) and a second VTEP. Based on the control information, a first monitoring agent may configure and inject a probe packet at the first VTEP to cause the first VTEP to perform encapsulation and send an encapsulated probe packet over the first logical overlay tunnel. In response, an encapsulated response packet that includes a response packet may be received from the second monitoring agent over the first logical overlay tunnel. Based on the response packet, a tunnel performance metric associated with the first logical overlay tunnel may be determined.

Abstract: A system and method for observing and controlling a programmable network via higher layer attributes is disclosed. According to one embodiment, the system includes one or more collectors and a remote network manager. The one or more collectors are configured to receive network traffic data from a plurality of network elements in the network. The remote network manager is configured to connect to the one or more collectors over the Internet via a network interface. The one or more collectors extract metadata from the network traffic data and send the metadata to the network manager.

Abstract: Disclosed are aspects of memory-aware placement in systems that include graphics processing units (GPUs) that are virtual GPU (vGPU) enabled. Virtual graphics processing unit (vGPU) data is identified for graphics processing units (GPUs). A configured GPU list and an unconfigured GPU list are generated using the GPU data. The configured GPU list specifies configured vGPU profiles for configured GPUs. The unconfigured GPU list specifies a total GPU memory for unconfigured GPUs. A vGPU request is assigned to a vGPU of a GPU. The GPU is a first fit, from the configured GPU list or the unconfigured GPU list that satisfies a GPU memory requirement of the vGPU request.

Abstract: Some embodiments provide a method for distributing rules associated with a particular logical network element that is implemented across one or more physical sites. The method uses a set of attributes of a set of elements associated with the particular logical network element to identify a particular set of physical sites spanned by the particular logical network element. The method identifies a set of rules associated with the particular logical network element. The method distributes the identified set of rules to each site of the identified set of physical sites.

Abstract: A container image registry is managed in a virtualized computing system. The container image registry manages container images for deploying containers in a host cluster, the host cluster includes hosts and a virtualization layer executing on hardware platforms of the hosts, and the virtualization layer supports execution of virtual machines (VMs). The method includes: creating a namespace for an orchestration control plane integrated with the virtualization layer, the namespace including constraints for deploying workloads in the VMs; invoking, by a registry service in response to creation of the namespace, a management application programming interface (API) of the container image registry to create a project for the container images; and invoking, by the registry service, the management API of the container image registry to both add members to the project, and assign image registry roles to the members, in response to bindings of users and namespace roles derived from the constraints.

Abstract: Techniques disclosed herein relate to migrating virtual computing instances such as virtual machines (VMs). In one embodiment, VMs are migrated across different virtual infrastructure platforms by, among other things, translating between resource models used by virtual infrastructure managers (VIMs) that manage the different virtual infrastructure platforms. VM migrations may also be validated prior to being performed, including based on resource policies that define what is and/or is not allowed to migrate, thereby providing compliance and controls for borderless data centers. In addition, an agent-based technique may be used to migrate VMs and physical servers to virtual infrastructure, without requiring access to an underlying hypervisor layer.

Abstract: In a slice-based network, slice multiplexers can be used to anchor inter-cloud tunnels across different clouds in a slice path. The slice multiplexers can dynamically change a total allocated bandwidth of an outer tunnel and reconfigure relative slice bandwidths of inner tunnels. This can result in an optimized bandwidth allocation that enforces slice priorities, maintains required SLA performance levels, and minimizes total allocated bandwidth on the network connection. The dynamic changes can be based on slice priority levels, total number of slices, and historical slice throughput.