Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.

Abstract: An example method of handling traffic for an existing connection of a virtual machine (VM) migrated from a source site to a destination site includes: receiving, at an edge server of the destination site, the traffic, the traffic being associated with a network flow; determining, by the edge server of the destination site, that a stateful service of the edge server does not have state for the network flow; sending, by the edge server of the destination site, a threshold number of packets of the traffic to a plurality of sites; receiving, at the edge server of the destination site, an acknowledgement from the source site that the source site has the state for the network flow; and creating, by the edge server of the destination site, a flow mapping to send the traffic associated with the network flow to the source site.

Abstract: Some embodiments provide a method of implementing context-aware routing for a software-defined wide-area network, at an SD-WAN edge forwarding element (FE) located at a branch network connected to the SD-WAN. The method receives, from an SD-WAN controller, geolocation route weights for each of multiple cloud datacenters across which a set of application resources is distributed. The application resources are all reachable at a same virtual network address. For each of the cloud datacenters, the method installs a route for the virtual network address between the branch network and the cloud datacenter. The routes have different total costs based at least in part on the geolocation metrics received from the SD-WAN controller. The SD-WAN edge FE selects between the routes to establish connections to the set of application resources.

Abstract: In some embodiments, a method for selecting an egress point for accessing an external network associated with a distributed logical router that is distributed across at least a first computing device and a second computing device is provided. The method receives, by an instance of the logical router at the first computing device, first identification information and a first preference value. The method compares the first preference value to a second preference value. The second preference value is associated with second identification information corresponding to a current computing device that is identified as a current preferred egress point for the logical router. The method determines whether to set the egress point connected to the instance of the logical router in the second computing device as a new preferred egress point for the logical router.

Abstract: Some embodiments provide a method for implementing a logical router that spans multiple datacenters. The method receives a configuration for a set of logical switches and a logical router (LR) that (i) handles data traffic between data compute nodes (DCNs) connected to the logical switches and endpoints not connected to the set of logical switches and (ii) performs stateful services on the traffic. The DCNs include at least one DCN operating in each datacenter. For each datacenter, the method defines a centralized routing component (SR) for the LR for handling the traffic between the DCNs in the datacenter and the endpoints not connected to the set of logical switches. The method designates one of the SRs as a primary SR and the other SRs as secondary SRs. The secondary SRs forward traffic, received from DCNs in their respective datacenters and for which stateful services are required, to the primary SR.

Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.

Abstract: Some embodiments provide a method for implementing context-aware routing for a software-defined wide-area network (SD-WAN). The method is performed at a particular SD-WAN edge forwarding element (FE) connected to a particular cloud datacenter. The method receives a message specifying a weight for a virtual network address associated with a set of application resources distributed across multiple cloud datacenters including the particular cloud datacenter. The method converts the specified weight into a route weight for the SD-WAN. The method provides the converted route weight to a set of SD-WAN edge FEs connected to a set of branch networks, and each SD-WAN edge FE in the set of SD-WAN edge FEs uses the provided route weight to calculate a total cost for routing data messages directed to the virtual network address to the particular cloud datacenter.

Abstract: Some embodiments provide a method of implementing context-aware routing for a software-defined wide-area network, at an SD-WAN edge forwarding element (FE) located at a branch network connected to the SD-WAN. The method receives, from an SD-WAN controller, geolocation route weights for each of multiple cloud datacenters across which a set of application resources is distributed. The application resources are all reachable at a same virtual network address. For each of the cloud datacenters, the method installs a route for the virtual network address between the branch network and the cloud datacenter. The routes have different total costs based at least in part on the geolocation metrics received from the SD-WAN controller. The SD-WAN edge FE selects between the routes to establish connections to the set of application resources.

Abstract: Described herein are systems, methods, and software to manage the selection of an edge gateway or edge for processing a packet. In one implementation, a first edge may receive a packet and hash addressing information in the packet to select a second edge to process the packet. The first edge may further forward the packet to the second edge, permitting the second edge to process the packet. Once processed, the second edge may forward the packet to a destination host computing system and notify the host computing system to use the second edge for response packets directed at a source internet protocol (IP) address in the packet.

Abstract: In some embodiments, a method receives a set of packets for a flow and determines a set of features for the flow from the set of packets. A classification of an elephant flow or a mice flow is selected based on the set of features. The classification is selected before assigning the flow to a network resource in a plurality of network resources. The method assigns the flow to a network resource in the plurality of network resources based on the classification for the flow and a set of classifications for flows currently assigned to the plurality of network resources. Then, the method sends the set of packets for the flow using the assigned network resource.

Abstract: A method for visualizing network flows of a network is provided. The method monitors network flows between a group of machines in a network. The method associates identifiers with the monitored network flows. The method aggregates the monitored network flows into a set of groups based on the associated identifiers. The method displays a set of flow records for the each group of the set of groups.

Abstract: Some embodiments provide a method for a computing device that implements a first logical network gateway in a first datacenter to process data messages between data compute nodes (DCNs) belonging to the logical network and operating in the first datacenter and DCNs belonging to the logical network and operating in a second datacenter. From a host computer in the first datacenter, the method receives a logical network data message encapsulated with a first tunnel header including a first virtual network identifier corresponding to a logical forwarding element of the logical network. The method removes the first tunnel header and encapsulates the logical network data message with a second tunnel header include a second virtual network identifier corresponding to the logical forwarding element. The method transmits the logical network data message encapsulated with the second tunnel header to a second logical network gateway in the second datacenter.

Abstract: Described herein are systems, methods, and software to manage secure tunnel communications in multi-edge gateway computing environments. In one implementation, a control system identifies an edge gateway from a plurality of edge gateways to support a private network tunnel. The control system further identifies addressing attributes associated with communications directed over the private network tunnel and configures the plurality of edge gateways to forward packets associated with the addressing attributes to the identified edge gateway, wherein the edge gateway can process and forward the packets over the private network tunnel.

Abstract: Described herein are systems, methods, and software to manage secure tunnel communications in multi-edge gateway computing environments. In one implementation, a control system identifies an edge gateway from a plurality of edge gateways to support a private network tunnel. The control system further identifies addressing attributes associated with communications directed over the private network tunnel and configures the plurality of edge gateways to forward packets associated with the addressing attributes to the identified edge gateway, wherein the edge gateway can process and forward the packets over the private network tunnel.

Abstract: In some embodiments, a method receives a set of packets for a flow and determines a set of features for the flow from the set of packets. A classification of an elephant flow or a mice flow is selected based on the set of features. The classification is selected before assigning the flow to a network resource in a plurality of network resources. The method assigns the flow to a network resource in the plurality of network resources based on the classification for the flow and a set of classifications for flows currently assigned to the plurality of network resources. Then, the method sends the set of packets for the flow using the assigned network resource.

Abstract: Described herein are systems, methods, and software to manage state information and failover between edge gateways (edges) in a computing environment. In one example, a first edge receives state information associated with one or more logical routers on a second edge. The first edge further identifies a failure in association with the second edge and, in response to the failure, make one or more logical routers available in the first edge to operate in place of the one or more logical routers in the second edge based on the state information.

Abstract: Described herein are systems, methods, and software to select edge gateways for communications based on exchanged hash information. In one implementation, a first gateway may receive hash information associated with second gateways, wherein the hash information is used to select a gateway of the second gateways to communicate a packet. The first gateway further receives a packet. hashes addressing in the packet to select a destination gateway of the second gateways for the packet. The first gateway further encapsulates the packet and communicates the encapsulated packet to the selected destination gateway.

Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies.

Abstract: Described herein are systems, methods, and software to manage the selection of an edge gateway or edge for processing a packet. In one implementation, a first edge may receive a packet and hash addressing information in the packet to select a second edge to process the packet. The first edge may further forward the packet to the second edge, permitting the second edge to process the packet. Once processed, the second edge may forward the packet to a destination host computing system and notify the host computing system to use the second edge for response packets directed at a source internet protocol (IP) address in the packet.

Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies.