Abstract: Techniques for intelligently managing a virtual private network (VPN) gateway in a cloud computing system are disclosed herein. In one embodiment, an instance of a VPN gateway can query whether a logic lock on a network address is maintained by another instance via periodic renewal. In response to receiving a query result indicating that a logic lock on the network address is lost by the another instance, the instance can migrate a VPN connection originally handled by the another instance from the another instance to the instance such that a private network is connected to the instance via the migrated VPN connection to reduce downtime for accessing computing resources in the cloud computing system.

Abstract: Techniques for dynamically scaling instances of virtual private network (VPN) gateway in a cloud computing system are disclosed herein. In one embodiment, a method includes determining whether a number of packets processed by a first instance of the VPN gateway exceeds a preset threshold. In response to determining that the number of packets exceeds the preset threshold, a new security association (SA) corresponding to a portion of the VPN network traffic is created. Upon completion of creating the SA, a load balancing policy at a load balancer is modified to forward a portion of the network traffic to a second instance of the VPN gateway when an incoming packet contains a security parameter index (SPI) corresponding to the created SA in its EPS header.

Abstract: Techniques for dynamically scaling instances of virtual private network (VPN) gateway in a cloud computing system are disclosed herein. In one embodiment, a method includes determining whether a number of packets processed by a first instance of the VPN gateway exceeds a preset threshold. In response to determining that the number of packets exceeds the preset threshold, a new security association (SA) corresponding to a portion of the VPN network traffic is created. Upon completion of creating the SA, a load balancing policy at a load balancer is modified to forward a portion of the network traffic to a second instance of the VPN gateway when an incoming packet contains a security parameter index (SPI) corresponding to the created SA in its EPS header.

Abstract: Techniques for intelligently managing a virtual private network (VPN) gateway in a cloud computing system are disclosed herein. In one embodiment, an instance of a VPN gateway can query whether a logic lock on a network address is maintained by another instance via periodic renewal. In response to receiving a query result indicating that a logic lock on the network address is lost by the another instance, the instance can migrate a VPN connection originally handled by the another instance from the another instance to the instance such that a private network is connected to the instance via the migrated VPN connection to reduce downtime for accessing computing resources in the cloud computing system.

Abstract: To reduce network connectivity downtime while connections are established or re-established after maintenance, a connection request that would be rejected is instead accepted, even though a corresponding outgoing request is still pending. In some cases, the connection request is a secure connection request, such as an INIT phase request or an AUTH phase request during an Internet Key Exchange protocol exchange. Single-ended and double-ended configurations are both presented. When colliding INIT attempts succeed, two results are produced, after which one may be selected and the other discarded. Alternately, both INIT results may be used in producing two security associations during a subsequent AUTH phase. Incoming traffic and outgoing traffic may then use respective security associations.

Abstract: The disclosed technology may include determining that a change is to be made in virtual private network (VPN) connectivity between a first site and a second site while a first VPN connection is operational between a first device at the first site and a first gateway at the second site. VPN information is provided to a second gateway at the second site, the VPN information including information that is associated with a second VPN connection to be established between the first device and the second gateway. It is detected that network traffic is flowing over the second VPN connection between the first device and the second gateway. In response to detecting that the network traffic is flowing between the first device and the second gateway, a notification is sent to the first gateway for the first gateway to deprovision the first VPN connection.

Abstract: To reduce network connectivity downtime while connections are established or re-established after maintenance, a connection request that would be rejected is instead accepted, even though a corresponding outgoing request is still pending. In some cases, the connection request is a secure connection request, such as an INIT phase request or an AUTH phase request during an Internet Key Exchange protocol exchange. Single-ended and double-ended configurations are both presented. When colliding INIT attempts succeed, two results are produced, after which one may be selected and the other discarded. Alternately, both INIT results may be used in producing two security associations during a subsequent AUTH phase. Incoming traffic and outgoing traffic may then use respective security associations.