Abstract: A centralized namespace controller allocates addresses in a distributed cloud infrastructure on-demand. Upon receiving a request to allocate addresses for a network to be provisioned by a cloud computing system included in the distributed cloud infrastructure, the centralized namespace controller allocates a network address that is unique within the distributed cloud infrastructure. Further, the centralized namespace controller allocates a range of virtual network interface cards (NIC) addresses that are unique within the network. The centralized namespace controller then allocates addresses from the range of virtual NIC addresses on an as-requested basis—when a virtual NIC is being created by the first cloud computing system on the network.

Abstract: A fleet manager within a cloud computing system utilizes a registration framework with one or more cloud infrastructure managers having corresponding infrastructure data plane nodes, which may be in use by different tenants. Instead of having the infrastructure managers communicate directly with its corresponding infrastructure data plane nodes via a management network or domain, the fleet manager communicates with infrastructure managers and relay commands, instructions, and other payloads to the infrastructure data plane nodes using a virtual machine (VM) communication backchannel.

Abstract: Techniques for stateful connection optimization over stretched networks are disclosed. In one embodiment, traffic of virtual machines (VMs) that are live-migrated from a data center to a cloud is temporarily tromboned back to the data center to preserve active sessions. In such a case, a stretched network is created that includes a network in the data center and two stub networks in the cloud, one of which is route optimized such that traffic does not trombone back to the data center and the other which is not so optimized. A VM that is live migrated to the cloud is first attached to the unoptimized network so that traffic tromboning occurs. Thereafter, when the VM is powered off (e.g., during a reboot), in a maintenance mode, or in a quiet period, the VM is switched to the route optimized network.

Abstract: Techniques for stateful connection optimization over stretched networks are disclosed. In one embodiment, hypervisor filtering modules in a cloud computing system are configured to modify packets sent by virtual computing instances (e.g., virtual machines (VMs)) in the cloud to local destinations in the cloud such that those packets have the destination Media Access Control (MAC) address of a local router that is also in the cloud. Doing so prevents tromboning traffic flows in which packets sent by virtual computing instances in the cloud to location destinations are routed to a stretched network's default gateway that is not in the cloud.

Abstract: Techniques for stateful connection optimization over stretched networks are disclosed. Such stretched networks may extend across both a data center and a cloud. In one embodiment, configuration changes are made to cloud layer 2 (L2) concentrators used by extended networks and a cloud router such that the L2 concentrators block packets with the cloud router's source MAC address and block address resolution protocol (ARP) requests for a gateway IP address from/to cloud networks that are part of the extended networks. Further, the cloud router is configured with the same gateway IP address as that of a default gateway router in the data center and responds to ARP requests for the gateway IP address with its own MAC address. In addition, specific prefix routes (e.g., /32 routes) for virtual computing instances on route optimized networks in the cloud are injected into the cloud router and propagating to a data center router.

Abstract: Techniques for creating layer 2 (L2) extension networks are disclosed. One embodiment permits an L2 extension network to be created by deploying, configuring, and connecting a pair of virtual appliances in the data center and the cloud so that the appliances communicate via secure tunnels and bridge networks in the data center and the cloud. A pair of virtual appliances are first deployed in the data center and the cloud, and secure tunnels are then created between the virtual appliances. Thereafter, a stretched network is created by connecting a network interface in each of the virtual appliances to a respective local network, configuring virtual switch ports to which the virtual appliances are connected as sink ports that receive traffic with non-local destinations, and configuring each of the virtual appliances to bridge the network interface therein that is connected to the local network and tunnels between the pair of virtual appliances.

Abstract: Techniques for upgrading virtual appliances in a hybrid cloud computing system are provided. In one embodiment, virtual appliances are upgraded by deploying the upgraded appliances in both a data center and a cloud, configuring the upgraded appliances to have the same IP addresses as original appliances, and disconnecting the original appliances from networks to which they are connected and connecting the upgraded appliances to those networks via the same ports previously used by the original appliances. In another embodiment, upgraded appliances are deployed in the data center and the cloud, but configured with new IP addresses that are different from those of the original appliances, and connections are switched from those of the original appliances to new connections with the new IP addresses. Embodiments disclosed herein permit virtual appliances to be upgraded or replaced with relatively little downtime so as to help minimize disruptions to existing traffic flows.

Abstract: Some embodiments provide a central firewall management system that can be used to manage different firewall devices from a single management interface. This management interface provides a uniform interface for defining different firewall rule sets and deploying these rules sets on different firewall devices (e.g., port-linked firewall engines, firewall service VMs, network-perimeter firewall devices, etc.). Also, this interface allows the location and/or behavior of the firewall rule sets to be dynamically modified. The management interface in some embodiments also provides controls for filtering and debugging firewall rules.

Abstract: A centralized namespace controller allocates addresses in a distributed cloud infrastructure on-demand. Upon receiving a request to allocate addresses for a network to be provisioned by a cloud computing system included in the distributed cloud infrastructure, the centralized namespace controller allocates a network address that is unique within the distributed cloud infrastructure. Further, the centralized namespace controller allocates a range of virtual network interface cards (NIC) addresses that are unique within the network. The centralized namespace controller then allocates addresses from the range of virtual NIC addresses on an as-requested basis—when a virtual NIC is being created by the first cloud computing system on the network.

Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.

Abstract: Techniques for dynamically configuring a dynamic host configuration protocol (DHCP) server in a virtual network environment are described. In one example embodiment, DHCP bindings are configured using virtual machine (VM) inventory objects. Further, the configured DHCP bindings are transformed by replacing the VM inventory objects in the configured DHCP bindings with associated media access control (MAC) addresses using a VM object attribute table. Furthermore, the transformed DHCP bindings are sent to the DHCP sever for assigning Internet protocol (IP) addresses to multiple VMs running on a plurality of host computing systems in a computing network.

Abstract: Some embodiments provide a central firewall management system that can be used to manage different firewall devices from a single management interface. This management interface provides a uniform interface for defining different firewall rule sets and deploying these rules sets on different firewall devices (e.g., port-linked firewall engines, firewall service VMs, network-perimeter firewall devices, etc.). Also, this interface allows the location and/or behavior of the firewall rule sets to be dynamically modified. The management interface in some embodiments also provides controls for filtering and debugging firewall rules.

Abstract: Techniques for dynamic configuration of a load balancer in a virtual network environment are described. In one example embodiment, load balancing rules are configured using virtual machine (VM) inventory objects. The configured load balancing rules are then transformed by replacing the VM inventory objects in the configured load balancing rules with associated Internet protocol (IP) addresses using an IP address management (IPAM) table or a network address translation (NAT) table. The transformed load balancing rules are then sent to the load balancer for load balancing network traffic between a plurality of VMs running on one or more host computing systems in one or more computing networks.

Abstract: Connectivity between data centers in a hybrid cloud system is optimized by pre-loading a wide area network (WAN) optimization appliance in a first data center with data to initialize at least one WAN optimization of application. The first data center is managed by a first organization and a second data center managed by a second organization, the first organization being a tenant in the second data center. The described technique includes receiving application packets having the application data generated by an application executing in the first data center at the WAN optimization appliance from a first gateway in the first data center, and performing the at least one WAN optimization on the application packets using the pre-loaded data to initialize the at least one WAN optimization.

Abstract: A hybrid computing system includes an on-premise data center and a cloud computing system. To connect between an organization's multiple data centers, a gateway may instead utilize the connections between the private data center and the cloud computing system rather than a direct connection to the other of the organizations' data centers.

Abstract: Connectivity between data centers in a hybrid cloud system having a first data center managed by a first organization and a second data center managed by a second organization, the first organization being a tenant in the second data center, is optimized. According to the described technique, a path-optimized connection is established through a wide area network (WAN) between a first gateway of a first data center and a second gateway of a second data center for an application executing in the first data center based on performance of paths across a set of Internet Protocol (IP) flows. Application packets received from the application at the first gateway are forwarded to a WAN optimization appliance in the first data center. WAN optimized application packets received from the WAN optimization appliance at the first gateway are then sent to the second gateway over the path-optimized connection.

Abstract: A method of blocking spoofed packets. The method receives an address allocation message from an address provisioning server that provisions addresses for virtual machines. The address allocation message includes a source address. The method stores the source address of the address allocation message. The method forwards the address allocation message to a virtual machine. The method receives, from the virtual machine, a packet with a second source address. When the second source address is the same as the first source address, the method allows the packet to be forwarded. When the second source address is not the same as the first source address, the method blocks the second packet. An additional method determines the first source address from an initial packet sent from the virtual machine instead of the address allocation method.

Abstract: Some embodiments provide a central firewall management system that can be used to manage different firewall devices from a single management interface. This management interface provides a uniform interface for defining different firewall rule sets and deploying these rules sets on different firewall devices (e.g., port-linked firewall engines, firewall service VMs, network-perimeter firewall devices, etc.). Also, this interface allows the location and/or behavior of the firewall rule sets to be dynamically modified. The management interface in some embodiments also provides controls for filtering and debugging firewall rules.

Abstract: Techniques for dynamic configuration of a domain name system (DNS) server in a virtual network environment are described. In one example embodiment, DNS rules are configured using virtual machine (VM) inventory objects and associated DNS names. Further, the configured DNS rules are transformed by replacing the VM inventory objects in the configured DNS rules with associated Internet protocol (IP) addresses using an IP address management (IPAM) table or a network address translation (NAT) table and the DNS names in the configured DNS rules with modified DNS names using a zone table and a view table. Furthermore, the transformed DNS rules are sent to the DNS server for performing domain name resolutions associated with multiple VMs running on a plurality of host computing systems in a computing network.

Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.