Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML, files.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing access to network security policies. One of the methods includes determining, for a policy access request i) received from a device and ii) that requests access to a network security policy that defines a rule for controlling network traffic, whether there is an entitlement for the network security policy, wherein the entitlement indicates one or more types of operations that a subset of user accounts can perform on the network security policy; in response to determining that there is an entitlement, determining, using a mapping for the entitlement that identifies the subset of user accounts that have access to the network security policy, whether a user account for the device is included in the subset of user accounts; and selectively allowing or denying the policy access request using the entitlement and a result of the determination.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.

Abstract: Example methods and systems for container-based connectivity check in a software-defined networking (SDN) environment are disclosed. One example method may comprise detecting, a request for a connectivity check between a first container-based resource and a second container-based resource; identifying a first logical network element and a second logical network element; and injecting a connectivity check packet at the first logical network element for forwarding towards the second logical network element. The example method also may comprise: obtaining report information associated with one or more intermediate logical network elements located along a path that is traversed by the connectivity check packet; and determining a connectivity status associated with the first container-based resource and the second container-based resource based on the report information.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML, files.

Abstract: Example methods and systems for container-based connectivity check in a software-defined networking (SDN) environment are disclosed. One example method may comprise detecting, a request for a connectivity check between a first container-based resource and a second container-based resource; identifying a first logical network element and a second logical network element; and injecting a connectivity check packet at the first logical network element for forwarding towards the second logical network element. The example method also may comprise: obtaining report information associated with one or more intermediate logical network elements located along a path that is traversed by the connectivity check packet; and determining a connectivity status associated with the first container-based resource and the second container-based resource based on the report information.

Abstract: Example methods and systems for container-based network policy configuration in a software-defined networking (SDN) environment are disclosed. One example method may comprise: in response to detecting a first request to assign a container-based resource with a first label via a container orchestration system, assigning a logical network element associated with the container-based resource with a second label. The example method may also comprise: in response to detecting a second request to configure a container-based network policy associated with the container-based resource via the container orchestration system, identifying the logical network element by mapping the first label to the second label; and configuring the container-based network policy to be applicable to network traffic that is forwarded via the logical network element.