Abstract: Some embodiments provide a method for providing a resource to a particular virtual private cloud that is deployed in a set of datacenters that host multiple virtual private clouds. At a resource issuer, the method receives a resource request from a particular machine deployed in the particular virtual private cloud, the resource request including a first set of cloud-specific data. The method obtains a cloud identifier for the particular machine from a registry service of the particular virtual private cloud that interacts with a datacenter-set cloud service that deploys machines in the datacenter set for different virtual private clouds. The method uses the obtained cloud identifier to obtain a second set of cloud-specific data for the particular machine from the datacenter-set cloud service. Upon determining that the first and second sets of cloud-specific data match, the method authenticates the particular machine and issues the resource for the particular machine.

Abstract: Some embodiments provide a method for, at a network interface controller (NIC) of a computer, accessing data in a network. From the computer, the method receives a request to access data stored at a logical memory address. The method translates the logical memory address into a memory address of a particular network device storing the requested data. The method sends a data message to the particular network device to retrieve the requested data.

Abstract: Some embodiments provide a method for performing data message processing at a smart NIC of a computer that executes a software forwarding element (SFE). The method determines whether a received data message matches an entry in a data message classification cache stored on the smart NIC based on data message classification results of the SFE. When the data message matches an entry, the method determines whether the matched entry is valid by comparing a timestamp of the entry to a set of rules stored on the smart NIC. When the matched entry is valid, the method processes the data message according to the matched entry without providing the data message to the SFE executing on the computer.

Abstract: Some embodiments provide a method for performing data message processing at a smart NIC of a computer that executes a software forwarding element (SFE). The method stores (i) a set of cache entries that the smart NIC uses to process a set of received data messages without providing the data messages to the SFE and (ii) rule updates used by the smart NIC to validate the cache entries. After a period of time, the method determines that the rule updates are incorporated into a data message processing structure of the SFE. Upon incorporating the rule updates, the method deletes from the smart NIC (i) the rule updates and (ii) at least a subset of the cache entries.

Abstract: Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

Abstract: Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

Abstract: Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

Abstract: Some embodiments of the invention provide a method for WAN (wide area network) optimization for a WAN that connects multiple sites, each of which has at least one router. At a gateway router deployed to a public cloud, the method receives from at least two routers at least two sites, multiple data streams destined for a particular centralized datacenter. The method performs a WAN optimization operation to aggregate the multiple streams into one outbound stream that is WAN optimized for forwarding to the particular centralized datacenter. The method then forwards the WAN-optimized data stream to the particular centralized datacenter.

Abstract: Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

Abstract: Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.

Abstract: Some embodiments provide a method for performing data message processing at a smart NIC of a computer that executes a software forwarding element (SFE). The method stores (i) a set of cache entries that the smart NIC uses to process a set of received data messages without providing the data messages to the SFE and (ii) rule updates used by the smart NIC to validate the cache entries. After a period of time, the method determines that the rule updates are incorporated into a data message processing structure of the SFE. Upon incorporating the rule updates, the method deletes from the smart NIC (i) the rule updates and (ii) at least a subset of the cache entries.

Abstract: Some embodiments provide a method for transmitting data at a network interface controller (NIC) of a computer that operates as a server. The computer includes multiple storage devices. The method receives a request from a client device for a particular file. The method translates the particular file into a memory location corresponding to a particular one of the storage devices at the computer. The method transmits the requested file from the particular storage location to the client device.

Abstract: Some embodiments provide a method for, at a network interface controller (NIC) of a computer, accessing data in a network. From the computer, the method receives a request to access data stored at a logical memory address. The method translates the logical memory address into a memory address of a particular network device storing the requested data. The method sends a data message to the particular network device to retrieve the requested data.

Abstract: Some embodiments provide a method for performing data message processing at a smart NIC of a computer that executes a software forwarding element (SFE). The method determines whether a received data message matches an entry in a data message classification cache stored on the smart NIC based on data message classification results of the SFE. When the data message matches an entry, the method determines whether the matched entry is valid by comparing a timestamp of the entry to a set of rules stored on the smart NIC. When the matched entry is valid, the method processes the data message according to the matched entry without providing the data message to the SFE executing on the computer.

Abstract: Some embodiments provide a method for sending data messages at a network interface controller (NIC) of a computer. From a network stack executing on the computer, the method receives (i) a header for a data message to send and (ii) a logical memory address of a payload for the data message. The method translates the logical memory address into a memory address for accessing a particular one of multiple devices connected to the computer. The method reads payload data from the memory address of the particular device. The method sends the data message with the header received from the network stack and the payload data read from the particular device.

Abstract: Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.

Abstract: Some embodiments provide a method for performing distributed machine learning (ML) across multiple computers. At a smart network interface controller (NIC) of a first computer, the method receives a set of ML parameters from the first computer related to training an ML model. The method compresses the set of ML parameters based on a current state of a connection to a central computer that receives sets of ML parameters from a plurality of the computers. The method sends the compressed set of ML parameters to the central computer for the central computer to process the compressed set of ML parameters along with corresponding sets of ML parameters received from the other computers of the plurality of computers.

Abstract: Techniques for implementing distributed registration and authentication via threshold secret sharing and additively homomorphic encryption are provided. A threshold secret sharing scheme is a cryptographic method for sharing a secret among N parties in a manner that requires at least T+1 of the N parties to cooperate in order to reconstruct/reveal the secret, where T is some threshold value less than N. Additively homomorphic encryption is an encryption scheme that enables users to perform additive computations on encrypted data without first decrypting that data. With these techniques, a group of N nodes can efficiently perform distributed registration and authentication in a correct, secure, and privacy-preserving fashion, even if up to T of the N nodes are corrupted by an adversary.

Abstract: Some embodiments provide a method for using a machine learning (ML) model to respond to a query, at a smart NIC of a computer. The method receives a query including an input. The method applies a first ML model to the input to generate an output and a confidence measure for the output. When the confidence measure for the output is below a threshold, the method discards the output and provides the query to the computer for the computer to apply a second ML model to the input.

Abstract: In one set of embodiments, a computer system can initialize a counter that is shared by a plurality of software processes, where each software process is programmed to increment the counter a predefined number of times. The computer system can further run the plurality of software processes concurrently. Upon completion of the plurality of software processes, the computer system can apply one or more functions to the shared counter and output the result as an entropy sample.