Abstract: A fleet manager within a cloud computing system utilizes a registration framework with one or more cloud infrastructure managers having corresponding infrastructure data plane nodes, which may be in use by different tenants. Instead of having the infrastructure managers communicate directly with its corresponding infrastructure data plane nodes via a management network or domain, the fleet manager communicates with infrastructure managers and relay commands, instructions, and other payloads to the infrastructure data plane nodes using a virtual machine (VM) communication backchannel.

Abstract: A centralized namespace controller allocates addresses in a distributed cloud infrastructure on-demand. Upon receiving a request to allocate addresses for a network to be provisioned by a cloud computing system included in the distributed cloud infrastructure, the centralized namespace controller allocates a network address that is unique within the distributed cloud infrastructure. Further, the centralized namespace controller allocates a range of virtual network interface cards (NIC) addresses that are unique within the network. The centralized namespace controller then allocates addresses from the range of virtual NIC addresses on an as-requested basis—when a virtual NIC is being created by the first cloud computing system on the network.

Abstract: A method is provide for managing a migration of a virtual machine from a private data center managed by a first organization to a public cloud computing system by a second organization and where the first organization is a tenant. The configurations of physical infrastructure of the private data center that underlies the virtual machine are determined, along with a corresponding match preference indicating a level of criticality for some corresponding configuration at the public cloud system. The configurations and match preferences generated as part of a migration package. The public cloud computing system instantiates a corresponding VM based on the determined configurations and corresponding match preferences.

Abstract: Conditional address translation is performed in a multi-tenant cloud infrastructure to effectively support tenant-assigned addresses. For each tenant, the multi-tenant cloud infrastructure deploys both a private network used to communicate between the tenant and the cloud and a tenant-facing gateway to manage the private network. The multi-tenant cloud infrastructure also includes an externally-facing gateway used to communicate between the multi-tenant cloud and a public network. The tenant-facing gateways are configured to bypass address translation—providing consistent addressing across each private network irrespective of the physical location of resources linked by the private network. By contrast, the public-facing gateway is configured to translate source addresses in outgoing packets to addresses that are unique within the public network.

Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.

Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

Abstract: A method of blocking spoofed packets. The method receives an address allocation message from an address provisioning server that provisions addresses for virtual machines. The address allocation message includes a source address. The method stores the source address of the address allocation message. The method forwards the address allocation message to a virtual machine. The method receives, from the virtual machine, a packet with a second source address. When the second source address is the same as the first source address, the method allows the packet to be forwarded. When the second source address is not the same as the first source address, the method blocks the second packet. An additional method determines the first source address from an initial packet sent from the virtual machine instead of the address allocation method.

Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

Abstract: Techniques for dynamic configuration of a domain name system (DNS) server in a virtual network environment are described. In one example embodiment, DNS rules are configured using virtual machine (VM) inventory objects and associated DNS names. Further, the configured DNS rules are transformed by replacing the VM inventory objects in the configured DNS rules with associated Internet protocol (IP) addresses using an IP address management (IPAM) table or a network address translation (NAT) table and the DNS names in the configured DNS rules with modified DNS names using a zone table and a view table. Furthermore, the transformed DNS rules are sent to the DNS server for performing domain name resolutions associated with multiple VMs running on a plurality of host computing systems in a computing network.

Abstract: Techniques for dynamically configuring a dynamic host configuration protocol (DHCP) server in a virtual network environment are described. In one example embodiment, DHCP bindings are configured using virtual machine (VM) inventory objects. Further, the configured DHCP bindings are transformed by replacing the VM inventory objects in the configured DHCP bindings with associated media access control (MAC) addresses using a VM object attribute table. Furthermore, the transformed DHCP bindings are sent to the DHCP sever for assigning Internet protocol (IP) addresses to multiple VMs running on a plurality of host computing systems in a computing network.

Abstract: Techniques for dynamic configuration of a load balancer in a virtual network environment are described. In one example embodiment, load balancing rules are configured using virtual machine (VM) inventory objects. The configured load balancing rules are then transformed by replacing the VM inventory objects in the configured load balancing rules with associated Internet protocol (IP) addresses using an IP address management (IPAM) table or a network address translation (NAT) table. The transformed load balancing rules are then sent to the load balancer for load balancing network traffic between a plurality of VMs running on one or more host computing systems in one or more computing networks.

Abstract: Techniques for automatic firewall configuration in a virtual network environment are described. In one example embodiment, firewall rules are configured using virtual machine (VM) inventory objects. The firewall rules are then transformed by replacing the VM inventory objects in the configured firewall rules with associated Internet protocol (IP) addresses using an IP address management table (IPAM) table and a network address translation (NAT) table. The transformed firewall rules are then sent to a firewall engine for filtering communication from and to VMs running on a first machine on one or more computing networks and communication from and to VMs running on a second machine on one or more computing networks at a firewall according to the transformed firewall rules.

Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.

Abstract: The invention is directed to a method and a device for separating plasma from whole blood. The method combines size exclusion filtration through a separation membrane and erythrocyte (RBC) agglutination.

Abstract: The present invention provides umbrella-topology glycan decoys. The present invention provides systems and methods treating influenza infection utilizing inventive umbrella-topology glycan decoys. The present invention provides methods for identifying novel umbrella-topology glycan decoys.

Abstract: The invention relates, in part, to the improved analysis of carbohydrates. In particular, the invention relates to the analysis of carbohydrates, such as N-glycans and O-glycans found on proteins and saccharides attached to lipids. Improved methods, therefore, for the study of glycosylation patterns on cells, tissue and body fluids are also provided. Information from the analysis of glycans, such as the glycosylation patterns on cells, tissues and in body fluids, can be used in diagnostic and treatment methods as well as for facilitating the study of the effects of glycosylation/altered glycosylation. Such methods are also provided. Methods are further provided to assess production processes, to assess the purity of samples containing glycoconjugates, and to select glycoconjugates with the desired glycosylation.