Abstract: Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.

Abstract: A system and method for using private native security groups and private native firewall policy rules for a private cloud computing environment and a public cloud computing environment uses a public cloud gateway for routing data traffic between at least a cloud network created in the public cloud computing environment and the private cloud computing environment. For each of some private native firewall policy rules that has any of newly created private native security groups as one of source and destination, a cloud native security group (CNSG) rule object with an CNSG outbound rule object and an CNSG inbound rule object for the public cloud is created and at least one of the CNSG outbound rule object and the CNSG inbound rule object is updated so that the private native firewall policy rule can be used in the cloud network.

Abstract: Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.

Abstract: System and computer-implemented method for secure hybrid cloud connectivity between an application in a public cloud service and an on-premises service supported by an on-premises appliance includes launching a public cloud gateway appliance in the public cloud service. The public cloud gateway appliance is configured with security information associated with the on-premises appliance. The on-premises appliance is provided with contact information associated with the public cloud gateway appliance. A communication channel is established, using an outbound port, from the on-premises appliance to the public cloud gateway appliance that is secured based on the security information associated with the on-premises appliance and the contact information associated with the public cloud gateway appliance.

Abstract: The disclosure provides an approach for decentralizing control plane operations in a network environment that includes transport nodes configured to implement a logical overlay network. A method includes transmitting a global list of transport nodes to each of the plurality of transport nodes from a management plane, the global list including an ordered list of the plurality of transport nodes. The method also includes transmitting a neighbor index value to each of the plurality of transport nodes, where the transport nodes each compute a corresponding list of neighbor transport nodes based on the neighbor index value and the global list of transport nodes. The method also includes, based on determining an update to a state of the logical overlay network has occurred by a first transport node, transmitting an update message from the first transport node to each transport node in the first transport node's list of neighbor transport nodes.

Abstract: A system provisions global logical entities that facilitate the operation of logical networks that span two or more datacenters. These global logical entities include global logical switches that provide L2 switching as well as global routers that provide L3 routing among network nodes in multiple datacenters. The global logical entities operate along side local logical entities that are for operating logical networks that are local within a datacenter.

Abstract: System and computer-implemented method for secure hybrid cloud connectivity between an application in a public cloud service and an on-premises service supported by an on-premises appliance includes launching a public cloud gateway appliance in the public cloud service. The public cloud gateway appliance is configured with security information associated with the on-premises appliance. The on-premises appliance is provided with contact information associated with the public cloud gateway appliance. A communication channel is established, using an outbound port, from the on-premises appliance to the public cloud gateway appliance that is secured based on the security information associated with the on-premises appliance and the contact information associated with the public cloud gateway appliance.

Abstract: A system and method for using private native security groups and private native firewall policy rules for a private cloud computing environment and a public cloud computing environment uses a public cloud gateway for routing data traffic between at least a cloud network created in the public cloud computing environment and the private cloud computing environment. For each of some private native firewall policy rules that has any of newly created private native security groups as one of source and destination, a cloud native security group (CNSG) rule object with an CNSG outbound rule object and an CNSG inbound rule object for the public cloud is created and at least one of the CNSG outbound rule object and the CNSG inbound rule object is updated so that the private native firewall policy rule can be used in the cloud network.

Abstract: Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.

Abstract: The disclosure provides an approach for decentralizing control plane operations in a network environment that includes transport nodes configured to implement a logical overlay network. A method includes transmitting a global list of transport nodes to each of the plurality of transport nodes from a management plane, the global list including an ordered list of the plurality of transport nodes. The method also includes transmitting a neighbor index value to each of the plurality of transport nodes, where the transport nodes each compute a corresponding list of neighbor transport nodes based on the neighbor index value and the global list of transport nodes. The method also includes, based on determining an update to a state of the logical overlay network has occurred by a first transport node, transmitting an update message from the first transport node to each transport node in the first transport node's list of neighbor transport nodes.

Abstract: A system and method for managing a trusted connection within a public cloud comprises transmitting a first token and a second token from a cloud service manager to a public cloud controller, initializing a public cloud manager in response to receipt of the first token and the second token, and generate a cloud certificate, and transmitting the cloud certificate and the second token from the public cloud manager to a management plane. The method further comprises establishing a trusted connection between the public cloud controller and the management plane in response to receipt of the cloud certificate and the second token by the management plane.

Abstract: The disclosure provides an approach for decentralizing control plane operations in a network environment that includes transport nodes configured to implement a logical overlay network. A method includes transmitting a global list of transport nodes to each of the plurality of transport nodes from a management plane, the global list including an ordered list of the plurality of transport nodes. The method also includes transmitting a neighbor index value to each of the plurality of transport nodes, where the transport nodes each compute a corresponding list of neighbor transport nodes based on the neighbor index value and the global list of transport nodes. The method also includes, based on determining an update to a state of the logical overlay network has occurred by a first transport node, transmitting an update message from the first transport node to each transport node in the first transport node's list of neighbor transport nodes.

Abstract: The present disclosure generally relates to deploying a proxy control plane and/or north-south data plane in a control virtual private cloud of a logical network implemented on a software-defined datacenter. The control virtual private cloud is shared by a plurality of compute virtual private clouds of the network. In some embodiments, a proxy control plane is deployed on the control virtual private cloud and disseminates policies directly to endpoints of the logical network. In some embodiments, a north-south data plane is deployed on the control virtual private cloud and directly manages north-south network traffic from endpoints of the logical network. In some embodiments, a proxy control plane and a north-south network data plane are deployed on the control virtual private cloud.

Abstract: Some embodiments provide a method for a public cloud manager that interacts with a management system of a public datacenter. The method receives a notification from a network controller that a second data compute node is compromised. The second data compute node operates on a host machine in the public datacenter and executes a forwarding element managed by network controller. The method interacts with application programming interfaces (APIs) of the public datacenter to quarantine the data compute node.

Abstract: A system provisions global logical entities that facilitate the operation of logical networks that span two or more datacenters. These global logical entities include global logical switches that provide L2 switching as well as global routers that provide L3 routing among network nodes in multiple datacenters. The global logical entities operate along side local logical entities that are for operating logical networks that are local within a datacenter.

Abstract: The disclosure provides an approach for decentralizing control plane operations in a network environment that includes transport nodes configured to implement a logical overlay network. A method includes transmitting a global list of transport nodes to each of the plurality of transport nodes from a management plane, the global list including an ordered list of the plurality of transport nodes. The method also includes transmitting a neighbor index value to each of the plurality of transport nodes, where the transport nodes each compute a corresponding list of neighbor transport nodes based on the neighbor index value and the global list of transport nodes. The method also includes, based on determining an update to a state of the logical overlay network has occurred by a first transport node, transmitting an update message from the first transport node to each transport node in the first transport node's list of neighbor transport nodes.

Abstract: Virtual computing instances are provisioned with network resource allocation constraints, which may include hard constraints that must be met in order for the virtual computing instances to be created in a host server. Network resources from multiple hosts may be pooled in a virtual switch, and a cloud management system (CMS) may ensure that a network bandwidth reservation for a new virtual computing instance can be accommodated by network bandwidth in the pool that is reserved for communication endpoint traffic. In addition to such CMS-level constraint enforcement, techniques disclosed herein may also enforce network bandwidths constraints at the host level to guarantee that network bandwidth reservation requirements for communication endpoint(s) of a new virtual computing instance can be satisfied by a particular host before creating the virtual computing instance in that host.

Abstract: A system provisions global logical entities that facilitate the operation of logical networks that span two or more datacenters. These global logical entities include global logical switches that provide L2 switching as well as global routers that provide L3 routing among network nodes in multiple datacenters. The global logical entities operate along side local logical entities that are for operating logical networks that are local within a datacenter.

Abstract: An approach for an adaptive network input-output control for optimizing allocation of network transmission resources to data flows is provided. In an embodiment, a method comprises: determining, based on, at least in part, default data communications policy, one or more default settings for optimizing allocation of one or more network transmission resources to one or more data flows. The default settings are transmitted to a switch to cause the switch to implement the default settings with respect to the data flows. Upon detecting that stats information about network traffic has been received, one or more updated settings for reallocating at least one of the network transmission resources to at least one of the data flows are determined. The updated settings are transmitted to the switch to cause the switch to implement the updated settings with respect to the at least one of the data flows.

Abstract: Some embodiments provide a method for a public cloud manager that interacts with a management system of a public datacenter. The method receives a notification from a network controller that a second data compute node is compromised. The second data compute node operates on a host machine in the public datacenter and executes a forwarding element managed by network controller. The method interacts with application programming interfaces (APIs) of the public datacenter to quarantine the data compute node.