Patents by Inventor Balaji Sundararajan
Balaji Sundararajan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12293224
Abstract: A method for allocating resources of a virtual controller is disclosed. The method comprises: allocating resources of a virtual controller to a first tenant, wherein the first tenant is allocated a first tenant quantity of guaranteed resources of the virtual controller and a second tenant is allocated a second tenant quantity of guaranteed resources of the virtual controller; determining that resources requested by the first tenant are greater than the first tenant quantity of guaranteed resources; determining that the virtual controller has unutilized resources sufficient to at least partially provide additional resources beyond the first tenant quantity of guaranteed resources to the first tenant; and temporarily provisioning the additional resources to the first tenant, wherein the additional resources are greater than the first tenant quantity of guaranteed resources.
Type: Grant
Filed: July 30, 2021
Date of Patent: May 6, 2025
Assignee: Cisco Technology, Inc.
Inventors: Xiaohu Wang, Ajeet Pal Singh Gill, Srilatha Tangirala, Nithin Bangalore Raju, Prabahar Radhakrishnan, Vivek Agarwal, Balaji Sundararajan
-
Patent number: 12294594
Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at a least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.
Type: Grant
Filed: March 4, 2024
Date of Patent: May 6, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Gaurang Rajeev Mokashi, Preety Mordani, Vivek Agarwal
-
Publication number: 20250126045
Abstract: A process can include determining affinity information indicative of route preferences between branch routers and gateway routers. A prefix can be determined for a subnet of branch routers located at a same branch location. An affinity position of a first gateway router can be determined based on affinity information of the branch routers in the subnet. A mapping can be determined between a local preference Border Gateway Protocol (BGP) community attribute and the affinity position of the first gateway router, wherein a mapped local preference BGP community attribute and the affinity position are indicative of a same routing preference. The mapped local preference BGP community attribute can be attached to routes from the first gateway router into a cloud service provider. Affinity-based route preferences are indicated to the cloud service provider by redistributing the routes from the first gateway router with the mapped local preference BGP community attribute attached.
Type: Application
Filed: October 11, 2023
Publication date: April 17, 2025
Inventors: Balaji Sundararajan, Michael Moskal, Satish Kumar Mahadevan, Vivek Agarwal, Pradeep Kanavihalli Subramanyasetty, Prabahar Radhakrishnan, Samir Thoria, Pritam Baruah, Samantha Misra, Shailendra Vinod Pardeshi
-
Publication number: 20250126091
Abstract: A process can include determining a plurality of Network Address Translation (NAT) routes associated with respective edge routers included in a same virtual private network (VPN) for communicating with a software-defined wide area network (SDWAN). A process can include identifying a first subset of the plurality of NAT routes as mapped to a first public NAT address included in a NAT pool associated with the VPN. A process can include tagging each NAT route of the first subset with a tag value indicative of a preferred router for receiving return traffic of the respective NAT route. A process can include routing traffic on a respective NAT route of the plurality of NAT routes based on applying, at an SDWAN controller, a corresponding control policy matching the tag value of the respective NAT route.
Type: Application
Filed: October 8, 2024
Publication date: April 17, 2025
Inventors: Balaji Sundararajan, Ajeet Pal Singh Gill, Sampath Sthothra Bhasham, Satish Kumar Mahadevan, Madhusudan V. Gindi, Tahir Ali
-
Patent number: 12273267
Abstract: Symmetric networking techniques disclosed herein can be applied by gateway routers in cloud networks. The techniques can ensure that both outbound traffic received at a cloud from a branch device and return traffic directed from the cloud back to the branch device are processed by a same gateway router. The gateway router can use network address translation to insert IP addresses from an inside pool and an outside pool assigned to the router.
Type: Grant
Filed: March 14, 2024
Date of Patent: April 8, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Ramakumara Kariyappa, Nithin Bangalore Raju, Bhairav Dutia, Vivek Agarwal, Satish Mahadevan, Ankur Bhargava
-
Publication number: 20250106228
Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at a least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.
Type: Application
Filed: December 6, 2024
Publication date: March 27, 2025
Inventors: Balaji Sundararajan, Gaurang Rajeev Mokashi, Preety Mordani, Vivek Agarwal
-
Patent number: 12255758
Abstract: The present technology pertains to receiving a tag associating at least one routing domain in an on-premises site with at least one virtual network in a cloud environment associated with a cloud service provider. The present technology also pertains to the automation of populating route and propagation tables with the cloud service provider.
Type: Grant
Filed: March 20, 2024
Date of Patent: March 18, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Madhuri Kolli, Giorgio Valentini, Venkatraman Venkatapathy, Avinash Ashok Kumar Chiganmi, Vivek Agarwal
-
Patent number: 12255797
Abstract: Techniques for sharing the probing of software-as-a-service clouds among a cluster of routers are described herein. The techniques may include establishing a first path between a cluster of routers and an application infrastructure. Establishing a second path between the cluster of routers and the application infrastructure. Designating a first router in the cluster of routers to send probes over the first path to the application infrastructure. Designating a second router in the cluster of routers to send probes over the second path to the application infrastructure. Distributing, by the first router and to the cluster of routers, first routing performance data indicating a performance of the first path when communicating with the application infrastructure over the first path, distributing, by the second router and to the cluster of routers, second routing performance data indicating a performance of the second path when communicating with the application infrastructure over the second path.
Type: Grant
Filed: July 18, 2022
Date of Patent: March 18, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Vivek Agarwal, Jegan Kumar Somi Ramasamy Subramanian, Gokul Krishnan, Giorgio Valentini, Venkatraman Venkatapathy
-
Publication number: 20250071060
Abstract: Generally, Software-Defined Wide Area Networks (SD-WAN) generally do not support network segmentation. The concepts disclosed herein connects IPSec SD-WAN fabric to a Virtual Routing and Forwarding (VRF) router and make use of a Software Defined Cloud Interconnect (SDCI) Router to route traffic from IPSec SD-WAN to various cloud services from the SDCI Router in the fabric. The concepts disclosed herein also provides for tunnel multi-plexing that takes incoming and outgoing traffic and maps VPNs to any service VRF associated with the cloud based services.
Type: Application
Filed: January 10, 2024
Publication date: February 27, 2025
Inventors: Steven Wood, Balaji Sundararajan, Laxmikantha Reddy Ponnuru, Avinash Shah, Pritam Baruah, Venkatesh Nataraj, Ganesh Devendrachar
-
Publication number: 20250071061
Abstract: Systems and methods are provided for re-balancing and healing of an SD-WAN in an unbalanced state and/or experiencing one or more failure states. In response to a request to connect to a new controller resulting from OMP load shedding from a first controller, the system can identify other controllers capable of handling the load requirements of the edge router. The system can incorporate the controller group preference of the edge router and select a second controller based on the identified other controllers and within the preferred controller group. If not possible, the system can temporarily assign the edge router to non-preferred controller groups and move them back to controllers in the preferred controller group once it becomes viable. The system further enhances OMP graceful restart (GR) logic to incorporate the load shedding effect and avoid unnecessary route retention that GR entails.
Type: Application
Filed: August 25, 2023
Publication date: February 27, 2025
Inventors: Satish Kumar Mahadevan, Sheikh M Qumruzzaman, Ravi Kiran Chintallapudi, Prosenjit Sarkar, Sourav Sen, Balaji Sundararajan, Rahul P Hardikar
-
Patent number: 12238006
Abstract: Systems and methods are provided for re-balancing and healing of an SD-WAN in an unbalanced state and/or experiencing one or more failure states. In response to a request to connect to a new controller resulting from OMP load shedding from a first controller, the system can identify other controllers capable of handling the load requirements of the edge router. The system can incorporate the controller group preference of the edge router and select a second controller based on the identified other controllers and within the preferred controller group. If not possible, the system can temporarily assign the edge router to non-preferred controller groups and move them back to controllers in the preferred controller group once it becomes viable. The system further enhances OMP graceful restart (GR) logic to incorporate the load shedding effect and avoid unnecessary route retention that GR entails.
Type: Grant
Filed: August 25, 2023
Date of Patent: February 25, 2025
Assignee: Cisco Technology, Inc.
Inventors: Satish Kumar Mahadevan, Sheikh M Qumruzzaman, Ravi Kiran Chintallapudi, Prosenjit Sarkar, Sourav Sen, Balaji Sundararajan, Rahul P Hardikar
-
Publication number: 20250062986
Abstract: This disclosure describes techniques for improving routing policy awareness in a network. The method includes detecting, by a controller, an application initiated for use at an edge node of a network. Then, generating, by an analytics engine coupled to the controller, analytical data of traffic flow at the edge node of the network wherein the traffic flow is in accordance with a routing policy for routing traffic associated with the application. Further, routing of the traffic through a path from one or more paths configured at the edge node that is in accordance with at least a Service Level Agreement (SLA) for traffic flow. Also, in response to an SLA violation during routing of the traffic, causing an action, by the controller, of routing traffic flow through another path that is in accordance with at least the SLA for traffic flow based on analytical data received of the traffic flow.
Type: Application
Filed: November 1, 2023
Publication date: February 20, 2025
Inventors: Syed Arslan Ahmed, Raj Venkatesan, Ashish Sood, Balaji Sundararajan, Mahalakshmi Rajaram, Yogesh Mittal, Ankur Bhargava
-
Patent number: 12231444
Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at a least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.
Type: Grant
Filed: January 17, 2024
Date of Patent: February 18, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Gaurang Rajeev Mokashi, Preety Mordani, Vivek Agarwal
-
Patent number: 12225051
Abstract: Techniques for user identity-based security policy enforcement. The techniques may include sending, to an edge device associated with a network, a networking policy associated with a user. The techniques may also include receiving, from an identity provider, an IP address associated with the user. Additionally, the techniques may include sending, to the edge device, an indication to associate the IP address with the user such that the edge device applies the networking policy to packets that include the IP address.
Type: Grant
Filed: July 28, 2022
Date of Patent: February 11, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Vishnuprasad Raghavan, Kannan Kumar, Ramana Babu Polamarasetti, Mahalakshmi Rajaram
-
Patent number: 12218779
Abstract: The present technology pertains to receiving a tag associating at least one routing domain in an on-premises site with at least one virtual network in a cloud environment associated with a cloud service provider. The present technology also pertains to the automation of populating route and propagation tables with the cloud service provider.
Type: Grant
Filed: May 24, 2024
Date of Patent: February 4, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Madhuri Kolli, Giorgio Valentini, Venkatraman Venkatapathy, Avinash Ashok Kumar Chiganmi, Vivek Agarwal
-
Publication number: 20250039089
Abstract: Techniques for automatically providing per tenant weighted DCMP over shared transport interfaces and automated flow has load balancing are described. The techniques may include onboarding, by an SD-WAN controller, the tenant with a resource profile to a first multi-tenant edge device, where the resource profile defines a traffic allowance per transport interface for the tenant on the first multi-tenant edge device. The SD-WAN controller receives, from the first multi-tenant edge device, information including a first weight per transport interface of the first multi-tenant edge device for the tenant. The SD-WAN controller transmits the information to a second multi-tenant device. The SD-WAN controller receives, from the second multi-tenant edge device, information including a second weight per transport interface of the second multi-tenant edge device, and transmits the information to the first multi-tenant edge device.
Type: Application
Filed: July 17, 2024
Publication date: January 30, 2025
Inventors: Ganesh Devendrachar, Ajeet Pal Singh Gill, Balaji Sundararajan, Srilatha Tangirala, Satish Varadarajula, Satyajit Das
-
Publication number: 20250030737
Abstract: Techniques for automatically integrating SD-WAN constructs to security policies are described. The techniques may include defining, by a security cloud provider, a security policy for an entity, the entity represented by a VPN security policy label and the security policy absent source and destination CIDR IP addresses. The security cloud provider notifies an SD-WAN controller of the security policy. The SD-WAN controller maps the VPN security policy label to an IP address pool and a VPN ID. The SD-WAN controller generates an enhanced security policy by automatically adding source and destination CIDR IP addresses to the security policy. The SD-WAN controller deploys the enhanced security policy to an SD-WAN branch router and generates a VPN segment between the SD-WAN branch router and the security cloud provider to establish a common secure internet gateway tunnel for the IP address pool.
Type: Application
Filed: July 20, 2023
Publication date: January 23, 2025
Inventors: Srilatha Tangirala, Venkatesh Nataraj, Ambika Basappa Chandrappa, Kartik Katti, Sasi Veera, Balaji Sundararajan
-
Publication number: 20250030638
Abstract: According to certain embodiments, a method by a network device includes receiving a handshake message for a traffic flow from a Software-Defined Wide-Area Network (SDWAN) and determining, from a traffic policy, whether the traffic flow should be symmetrical. In response to determining from the traffic policy that the traffic flow should be symmetrical, the method further includes performing a flow lookup on the traffic flow to determine if the network device originated the traffic flow. In response to determining that the network device did not originate the traffic flow, the method further includes determining a second network device that originated the traffic flow and sending the handshake message for the traffic flow to the second network device in order to maintain symmetry for the traffic flow.
Type: Application
Filed: October 7, 2024
Publication date: January 23, 2025
Inventors: Balaji Sundararajan, Srilatha Tangirala, Ajeet Pal Singh Gill, Vivek Agarwal, Nithin Bangalore Raju
-
Publication number: 20250030743
Abstract: Methods and systems are described herein for dynamically applying a security policy based on one or more tag attributes. The method comprises receiving, at a network controller, information about an instance of a cloud workload instantiated at a cloud provider. The cloud workload is associated with a tag attribute. The method further comprises querying the cloud provider for at least one IP address associated with the tag attribute and learning the at least one IP address associated with the tag attribute, including the IP address for the instance of the cloud workload. The method further comprises associating a security policy with the at least one IP address associated with the tag attribute and propagating the security policy to at least one edge router for implementation.
Type: Application
Filed: July 21, 2023
Publication date: January 23, 2025
Inventors: Balaji Sundararajan, Kannan Kumar, Madhu Somu, Ramakumara Kariyappa, Kushal A Patel, Vishnuprasad Raghavan, Deepthi Tammireddy
-
Patent number: 12199942
Abstract: A process can include determining a plurality of Network Address Translation (NAT) routes associated with respective edge routers included in a same virtual private network (VPN) for communicating with a software-defined wide area network (SDWAN). A process can include identifying a first subset of the plurality of NAT routes as mapped to a first public NAT address included in a NAT pool associated with the VPN. A process can include tagging each NAT route of the first subset with a tag value indicative of a preferred router for receiving return traffic of the respective NAT route. A process can include routing traffic on a respective NAT route of the plurality of NAT routes based on applying, at an SDWAN controller, a corresponding control policy matching the tag value of the respective NAT route.
Type: Grant
Filed: October 11, 2023
Date of Patent: January 14, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Ajeet Pal Singh Gill, Sampath Sthothra Bhasham, Satish Kumar Mahadevan, Madhusudan V. Gindi, Tahir Ali