Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: Techniques disclosed herein provide an approach for managing aggregation service hierarchies. In some embodiments, a hierarchy of an aggregation service is identified. The hierarchy comprises a plurality of nodes, where a respective node is associated with at least one host computer. The aggregation service places resource consumers based on the nodes. A host computer is assigned as a child host of a leaf node based on a clustering heuristic. The clustering heuristic requires the host computer to have access to at least one resource that is accessible to an existing child host of the leaf node. A resource consumer associated with the leaf node is executed on the host computer.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: Techniques disclosed herein provide an approach for creating and managing aggregation service hierarchies, such as hierarchies used in distributed scheduling services and heartbeat services. In one embodiment, management nodes accept host computer registration events and add host computers to a hierarchy used as the aggregation mechanism in an aggregation service. The management nodes each manage a portion of the hierarchy and configure registered hosts to take the roles of leaf, branch, and root nodes in the hierarchy. Further, the management nodes dynamically mutate the hierarchy by reassigning host roles, in response to host additions and failures, thereby maximizing fault tolerance/high availability and efficiency.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller configures, in a first host, a first middlebox instance to receive a notification from a migration module before a virtual machine (VM) running in the first host migrates to a second host and to send middlebox state related to the VM to the migration module.

Abstract: Some embodiments provide a non-transitory machine readable medium of a first middlebox element of several middlebox elements to implement a middlebox instance in a distributed manner in several hosts. The non-transitory machine readable medium stores a set of instructions for receiving (1) configuration data for configuring the middlebox instance to implement a middlebox in a logical network and (2) a particular identifier associated with the middlebox in the logical network. The non-transitory machine readable medium stores a set of instructions for generating (1) a set of rules to process packets for the middlebox in the logical network and (2) an internal identifier associated with the set of rules. The non-transitory machine readable medium stores a set of instructions for associating the particular identifier with the internal identifier for later processing of packets having the particular identifier.

Abstract: Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.

Abstract: Some embodiments provide a novel network control system that provides publications for managing different slices (e.g., logical and/or physical entities) of a network. The publications are published from publisher controllers in the network control system to subscriber controllers. The network control system uses publications with generation numbers and buffered subscribers to implement the fixed points in order to help maintain a consistent network state. Buffered subscribers buffer the inputs received from a publisher in case the publisher becomes unavailable. Rather than deleting all of the output state that is based on the published inputs, the buffered subscriber allows the subscriber to maintain the network state until an explicit change to the state is received at the subscriber from a publisher (e.g., a restarted publisher, a backup publisher, etc.).

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: Some embodiments provide a non-transitory machine readable medium of a first middlebox element of several middlebox elements to implement a middlebox instance in a distributed manner in several hosts. The non-transitory machine readable medium stores a set of instructions for receiving (1) configuration data for configuring the middlebox instance to implement a middlebox in a logical network and (2) a particular identifier associated with the middlebox in the logical network. The non-transitory machine readable medium stores a set of instructions for generating (1) a set of rules to process packets for the middlebox in the logical network and (2) an internal identifier associated with the set of rules. The non-transitory machine readable medium stores a set of instructions for associating the particular identifier with the internal identifier for later processing of packets having the particular identifier.

Abstract: Some embodiments provide a novel network control system that uses secondary input queues to receive and store inputs from multiple input sources prior to moving the inputs to a primary input queue for processing. The secondary input queues provide a separate storage for each input source so that the inputs from the different sources do not get mixed with each other to ensure that fixed points and barriers sent to the controller maintain their integrity.

Abstract: A method for upgrading a set of controller nodes in a controller cluster that manages a plurality of forwarding elements in a way that minimizes dataplane outages. The method of some embodiments upgrades the control applications of a subset of the controller nodes before upgrading a decisive controller node. Once the decisive controller node is upgraded, the method switches the controller cluster to use a new version of the control applications.

Abstract: Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.

Abstract: For a controller for managing a network comprising several managed forwarding elements that forward data in the network, a method for configuring a managed forwarding element is described. The method generates a first set of flow entries for defining forwarding behaviors of the managed forwarding element based on a current network policy for a logical network implemented in the several managed forwarding elements. The method sends the first set of flow entries to the managed forwarding element in order for the managed forwarding element to forward data that the managed forwarding element directly receives from an end machine based on the current network policy. The method generates a second set of flow entries for modifying forwarding behaviors of the managed forwarding element based on a new network policy for the logical network. The method sends the second set of flow entries to the managed forwarding element in order for the managed forwarding element to forward the data based on the new network policy.

Abstract: A method for upgrading a set of controller nodes in a controller cluster that manages a plurality of forwarding elements in a way that minimizes dataplane outages. The method of some embodiments upgrades the control applications of a subset of the controller nodes before upgrading a decisive controller node. Once the decisive controller node is upgraded, the method switches the controller cluster to use a new version of the control applications.

Abstract: Techniques disclosed herein provide an approach for assigning resource consumers to available resources. In one embodiment, components of a distributed scheduler are organized into a hierarchy, such as a tree. A placement request received at a root scheduler of the hierarchy is propagated down the hierarchy, either to all children or to randomly selected subsets of children of each scheduler in the hierarchy. Leaf schedulers in the hierarchy that receive the request each propagate back up a score indicating the amount of free resources in its corresponding resource bucket. Branch schedulers then compare scores that they receive, and each further propagate one of the received scores, such as the highest score, based on the comparison, until the root scheduler is reached. The root scheduler makes an additional comparison and returns one of the resource buckets in response to the received placement request.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.

Abstract: Techniques disclosed herein provide an approach for creating and managing aggregation service hierarchies, such as hierarchies used in distributed scheduling services and heartbeat services. In one embodiment, management nodes accept host computer registration events and add host computers to a hierarchy used as the aggregation mechanism in an aggregation service. The management nodes each manage a portion of the hierarchy and configure registered hosts to take the roles of leaf, branch, and root nodes in the hierarchy. Further, the management nodes dynamically mutate the hierarchy by reassigning host roles, in response to host additions and failures, thereby maximizing fault tolerance/high availability and efficiency.

Abstract: Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, ranging from switches to appliances such as firewalls, load balancers, etc. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend the control beyond software network elements, some embodiments implement a database server on each dedicated hardware. The set of network controllers accesses the database server to send management data. The hardware then translates the management data to connect to a managed virtual network.