Abstract: Techniques are disclosed for a network device to preserve packet flow information across bump-in-the-wire (BITW) firewalls. For example, a method comprises receiving, by a network device, a packet. The method also comprises determining, by the network device, that the packet matches a packet flow that is associated with an action to redirect the packet to a firewall configured as a bump-in-the-wire. The method further comprises, in response to the determination: modifying, by the network device, a Media Access Control (MAC) address field of a layer 2 (L2) packet header with a flow identifier of the packet flow; sending, by the network device, the packet to the firewall; receiving, by the network device, the packet from the firewall; and recovering, by the network device, the packet flow by modifying the packet according to the flow identifier in the packet to restore the L2 packet header of the packet.

Abstract: Techniques are disclosed for redirecting network traffic of virtualized application workload to a host-based firewall. For example, a system comprises a software defined networking (SDN) controller of a multi-tenant virtualized data center configured to: receive a security policy expressed as one or more tags to redirect traffic of a virtualized application workload to a host-based firewall (HBF) of the multi-tenant virtualized data center; configure network connectivity to the HBF in accordance with the security policy; a security controller that manages the HBF configured to: obtain the one or more tags from the SDN controller; receive one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF; and configure the function of the HBF in accordance with the one or more firewall policies.

Abstract: Techniques are disclosed for redirecting network traffic of virtualized application workload to a host-based firewall. For example, a system comprises a software defined networking (SDN) controller of a multi-tenant virtualized data center configured to: receive a security policy expressed as one or more tags to redirect traffic of a virtualized application workload to a host-based firewall (HBF) of the multi-tenant virtualized data center; configure network connectivity to the HBF in accordance with the security policy; a security controller that manages the HBF configured to: obtain the one or more tags from the SDN controller; receive one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF; and configure the function of the HBF in accordance with the one or more firewall policies.

Abstract: Techniques are disclosed for implementing scalable port range policies across a plurality of categories that support application workloads. In one example, a policy agent receives, from a centralized controller for a computer network, a plurality of policies. Each policy of the plurality of policies includes one or more policy rules, and each of the one or more policy rules specifies one or more tags specifying one or more dimensions for application workloads executed by the one or more computing devices and a corresponding port range. The policy agent assigns, based on a policy rule, a port range specified by the policy rule to objects of the one or more computing devices that belong to categories described by the one or more dimensions of the one or more tags of the policy rule. The categories support the application workloads and are assigned to the tags by a centralized controller.

Abstract: An example method includes receiving a resource request for at least one compute and/or storage resource from a distributed computing system distributed among multiple data centers, determining a resource policy that is associated with the resource request, wherein the resource policy includes a rule specifying at least one metadata tag and at least one criterion associated with the at least one metadata tag, identifying at least one object included in a resource object model that complies with the rule of the resource policy, wherein the at least one object has an assigned value for the metadata tag that satisfies the at least one criterion, selecting a data center that is associated with the at least one object identified from the resource object model, and deploying, on the selected data center, the at least one compute or storage resource.

Abstract: An example method includes receiving a resource request for at least one compute and/or storage resource from a distributed computing system distributed among multiple data centers, determining a resource policy that is associated with the resource request, wherein the resource policy includes a rule specifying at least one metadata tag and at least one criterion associated with the at least one metadata tag, identifying at least one object included in a resource object model that complies with the rule of the resource policy, wherein the at least one object has an assigned value for the metadata tag that satisfies the at least one criterion, selecting a data center that is associated with the at least one object identified from the resource object model, and deploying, on the selected data center, the at least one compute or storage resource.

Abstract: Techniques are disclosed for implementing scalable port range policies across a plurality of categories that support application workloads. In one example, a policy agent receives, from a centralized controller for a computer network, a plurality of policies. Each policy of the plurality of policies includes one or more policy rules, and each of the one or more policy rules specifies one or more tags specifying one or more dimensions for application workloads executed by the one or more computing devices and a corresponding port range. The policy agent assigns, based on a policy rule, a port range specified by the policy rule to objects of the one or more computing devices that belong to categories described by the one or more dimensions of the one or more tags of the policy rule. The categories support the application workloads and are assigned to the tags by a centralized controller.

Abstract: Techniques are disclosed for providing an inter-autonomous system (inter-AS) service between virtualized entities of one autonomous system with external entities of a different autonomous system. For example, a controller (e.g., software defined networking (SDN) controller) may provide multi-hop exterior Border Gateway Protocol (eBGP) redistribution of virtual private networking (VPN) labels between endpoints of different autonomous systems, otherwise referred to as “inter-AS option C.” As described in this disclosure, the SDN controller may facilitate the exchange of appropriate routing labels between endpoints of different autonomous systems to enable forwarding of traffic between the different autonomous systems.