Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.

Abstract: An example method of handling traffic for an existing connection of a virtual machine (VM) migrated from a source site to a destination site includes: receiving, at an edge server of the destination site, the traffic, the traffic being associated with a network flow; determining, by the edge server of the destination site, that a stateful service of the edge server does not have state for the network flow; sending, by the edge server of the destination site, a threshold number of packets of the traffic to a plurality of sites; receiving, at the edge server of the destination site, an acknowledgement from the source site that the source site has the state for the network flow; and creating, by the edge server of the destination site, a flow mapping to send the traffic associated with the network flow to the source site.

Abstract: In some embodiments, a method receives a set of packets for a flow and determines a set of features for the flow from the set of packets. A classification of an elephant flow or a mice flow is selected based on the set of features. The classification is selected before assigning the flow to a network resource in a plurality of network resources. The method assigns the flow to a network resource in the plurality of network resources based on the classification for the flow and a set of classifications for flows currently assigned to the plurality of network resources. Then, the method sends the set of packets for the flow using the assigned network resource.

Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies.

Abstract: Some embodiments provide a method for controlling flow processing by an edge cluster including a first edge machine set operating in a first location set of a public cloud and a second edge machine set operating in a second location set of the public cloud. A controller set configures first and second managed forwarding element (MFE) sets operating in the first and second location sets respectively, with first and second forwarding rule sets to respectively forward first and second flows sets to the first and second edge machine sets for performing services. The first forwarding rule set specifies a first network address set for the first edge machine set, and the second forwarding rule set specifies a second network address set for the second edge machine set. The controller set monitors each edge machine to determine whether it is available to perform the services.

Abstract: Some embodiments provide a novel method for deploying an edge device as a cluster of pods. The method receives a set of criteria for deploying the edge device. The method uses the set of criteria to deploy the edge device as a set of one or more pods executing on a set of one or more nodes. The method implements, on the set of pods, a set of one or more services to perform on data message flows. At least two pods deployed for the edge cluster perform different service operations of different service types such that the different service types are able to be scaled independently.

Abstract: Some embodiments provide a method for configuring a logical router implemented in a Kubernetes cluster. The method receives configuration data specifying a service rule for the logical router. The service rule requires processing of L5-L7 headers of data messages sent to the logical router. Based on the service rule, the method defines (i) a redirection rule specifying a set of data messages to which the service rule applies based on L2-L4 header values and (ii) an L5-L7 processing rule for application of the service rule. the method provides the redirection rule to a first set of Pods in the cluster and the L5-L7 processing rule to a second set of Pods in the cluster.

Abstract: Some embodiments provide a method for configuring logical routers of a logical network. The logical routers are implemented in a Kubernetes cluster as a first set of Pods that each perform logical forwarding operations for the logical routers and a second set of Pods that each perform L7 service operations for a respective logical router. From a Kubernetes control plane component, the method receives a notification that the first set requires scaling to include an additional Pod. The first-set Pods process data messages between the logical network and external networks. Within the network management system, the method defines at least one new interface for processing data messages between the logical network and external networks. The method configures the at least one interface on the additional Pod to communicate with external physical routers to receive traffic from the external networks and send traffic to the external networks.

Abstract: Some embodiments provide a method for configuring a logical network in a Kubernetes cluster, at a network management system external to the Kubernetes cluster. The method receives a definition of a logical router for the logical network. The logical router definition specifies a set of one or more L7 services to be performed on data messages processed by the logical router. Via a control plane of the Kubernetes cluster, the method defines (i) a first CR instance associated with a first CRD for implementing logical forwarding for the logical router and (ii) for each L7 service, a separate CR instance associated with a second CRD for implementing the L7 service.

Abstract: Some embodiments provide a novel method for configuring components of a software-defined network (SDN) to automatically deploy and monitor a logical edge router for a user. The method configures a policy parser to parse an intent-based Application Programming Interface (API) request to identify a set of attributes for the logical edge router. The method also configures a set of multi-cloud edge orchestrators (1) to use the set of attributes to derive an edge deployment plan specifying a set of two or more edge instances to implement the logical edge router, and (2) to deploy the set of edge instances in a set of two or more clouds based on the edge deployment plan.

Abstract: Some embodiments provide a novel method for automatically deploying and monitoring logical forwarding elements (LFEs) for network administrators. To represent an LFE that a network administrator wants to implement, the method defines an edge object based on a first set of attributes provided by the network administrator for the LFE. The method analyzes a second set of attributes of the edge object to derive an edge deployment plan that specifies a set of two or more edge instances that implements the LFE in a set of one or more clouds. The method deploys the set of edge instances in the set of clouds. The method collects metrics associated with each edge instance in the set of two or more edge instances. The method analyzes the collected metrics to modify the edge deployment plan and revise the set of edge instances based on the modified edge deployment plan.

Abstract: In some embodiments, a method receives a set of packets for a flow and determines a set of features for the flow from the set of packets. A classification of an elephant flow or a mice flow is selected based on the set of features. The classification is selected before assigning the flow to a network resource in a plurality of network resources. The method assigns the flow to a network resource in the plurality of network resources based on the classification for the flow and a set of classifications for flows currently assigned to the plurality of network resources. Then, the method sends the set of packets for the flow using the assigned network resource.

Abstract: An example method of implementing a logical network in a software-defined data center (SDDC) includes: receiving, at a control plane, first configurations for first logical routers comprising advertised routes and a second configuration for a second logical router comprising a global in-filter, the global in-filter including filter rules, applicable to all southbound logical routers, which determine a set of allowable routes for the second logical router, the first logical routers connected to a southbound interface of the second logical router; determining, based on the filter rules, that a first advertised route is an allowed route; determining, based on the filter rules, that a second advertised route is a disallowed route; and distributing routing information to a host that implements at least a portion of the second logical router, the routing information including a route for the first advertised route and excluding any route for the second advertised route.

Abstract: Described herein are systems, methods, and software to manage secure tunnel communications in multi-edge gateway computing environments. In one implementation, a control system identifies an edge gateway from a plurality of edge gateways to support a private network tunnel. The control system further identifies addressing attributes associated with communications directed over the private network tunnel and configures the plurality of edge gateways to forward packets associated with the addressing attributes to the identified edge gateway, wherein the edge gateway can process and forward the packets over the private network tunnel.

Abstract: The technology disclosed herein enables. In a particular example, a control plane for a software-defined data center performs a method including identifying a tenant network address space for use by a tenant of the software-defined data center. The method further includes generating a filter rule for a tenant gateway between the tenant network address space and a provider gateway outside of the tenant network address space. Also, the method includes implementing the filter rule in the tenant gateway, wherein the filter rule prevents the tenant gateway from advertising network addresses outside of the tenant network address space.

Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.

Abstract: Some embodiments provide a method for configuring logical routers of a logical network. The logical routers are implemented in a Kubernetes cluster as a first set of Pods that each perform logical forwarding operations for the logical routers and a second set of Pods that each perform L7 service operations for a respective logical router. From a Kubernetes control plane component, the method receives a notification that the first set requires scaling to include an additional Pod. The first-set Pods process data messages between the logical network and external networks. Within the network management system, the method defines at least one new interface for processing data messages between the logical network and external networks. The method configures the at least one interface on the additional Pod to communicate with external physical routers to receive traffic from the external networks and send traffic to the external networks.

Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.

Abstract: An example method of handling traffic for an existing connection of a virtual machine (VM) migrated from a source site to a destination site includes: receiving, at an edge server of the destination site, the traffic, the traffic being associated with a network flow; determining, by the edge server of the destination site, that a stateful service of the edge server does not have state for the network flow; sending, by the edge server of the destination site, a threshold number of packets of the traffic to a plurality of sites; receiving, at the edge server of the destination site, an acknowledgement from the source site that the source site has the state for the network flow; and creating, by the edge server of the destination site, a flow mapping to send the traffic associated with the network flow to the source site.

Abstract: Some embodiments provide a method of implementing context-aware routing for a software-defined wide-area network, at an SD-WAN edge forwarding element (FE) located at a branch network connected to the SD-WAN. The method receives, from an SD-WAN controller, geolocation route weights for each of multiple cloud datacenters across which a set of application resources is distributed. The application resources are all reachable at a same virtual network address. For each of the cloud datacenters, the method installs a route for the virtual network address between the branch network and the cloud datacenter. The routes have different total costs based at least in part on the geolocation metrics received from the SD-WAN controller. The SD-WAN edge FE selects between the routes to establish connections to the set of application resources.