Patents by Inventor Benjamin M. Schultz

Benjamin M. Schultz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10084754
    Abstract: Aggregating traffic over multiple VPN connections is described. A first Virtual Private Network (VPN) connection is established between a client device and a first VPN server via a first access network of the client device. A second Virtual Private Network (VPN) connection is established between the client device and a second VPN server via a second access network of the client device. Application traffic associated with a connection between an application server and a client application that corresponds to the client device is received. The application traffic associated with the connection between the application server and the client application is distributed between at least the first VPN connection and the second VPN connection.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: September 25, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Benjamin M. Schultz, Aman Arneja
  • Patent number: 10044525
    Abstract: Template-driven locally calculated policy updates for virtualized machines in a datacenter environment are described. A central control and monitoring node calculates and pushes down policy templates to local control and monitoring nodes. The templates provide boundaries and/or a pool of networking resources, from which the local control and monitoring node is enabled to calculate policy updates for locally instantiated virtual machines and containers.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: August 7, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Poornananda R. Gaddehosur, Benjamin M. Schultz
  • Publication number: 20180198824
    Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.
    Type: Application
    Filed: March 16, 2017
    Publication date: July 12, 2018
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Hari R. Pulapaka, Margarit Simeonov Chenchev, Benjamin M. Schultz, Jonathan David Wiswall, Frederick Justus Smith, John A. Starks, Richard O. Wolcott, Michael Bishop Ebersol
  • Publication number: 20180139238
    Abstract: Anonymous containers are discussed herein. An operating system running on a computing device, also referred to herein as a host operating system running on a host device, prevents an application from accessing personal information (e.g., user information or corporate information) by activating an anonymous container that is isolated from the host operating system. In order to create and activate the anonymous container, a container manager anonymizes the configuration and settings data of the host operating system, and injects the anonymous configuration and settings data into the anonymous container. Such anonymous configuration and settings data may include, by way of example and not limitation, application data, machine configuration data, and user settings data. The host operating system then allows the application to run in the anonymous container.
    Type: Application
    Filed: February 10, 2017
    Publication date: May 17, 2018
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Benjamin M. Schultz, Frederick Justus Smith, Daniel Vasquez Lopez, Abhinav Mishra, Ian James McCarty, John A. Starks, Joshua David Ebersol, Ankit Srivastava, Hari R. Pulapaka, Mehmet Iyigun, Stephen E. Bensley, Giridhar Viswanathan
  • Publication number: 20180123830
    Abstract: Template-driven locally calculated policy updates for virtualized machines in a datacenter environment are described. A central control and monitoring node calculates and pushes down policy templates to local control and monitoring nodes. The templates provide boundaries and/or a pool of networking resources, from which the local control and monitoring node is enabled to calculate policy updates for locally instantiated virtual machines and containers.
    Type: Application
    Filed: December 29, 2017
    Publication date: May 3, 2018
    Inventors: Poornananda R. GADDEHOSUR, Benjamin M. SCHULTZ
  • Publication number: 20180114034
    Abstract: Different containers are used for different usage sessions, a container referring to a virtualization layer for a computing device and used for isolation as well as hardware resource partitioning. A usage session refers to the time span beginning when one or more users begin to use the computing device, and ending when the one or more users cease using the computing device. During a particular usage session that uses a container, all interaction with the computing device is maintained in the container. The container is deleted when the usage session ends, leaving no data from the usage session behind after the usage session ends. Additionally, some usage sessions need not be run in containers, so data generated during such usage sessions is maintained after usage session ends. The host operating system automatically determines which usage sessions to run in containers and which usage sessions to run separate from any containers.
    Type: Application
    Filed: October 20, 2016
    Publication date: April 26, 2018
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Kyle Thomas Brady, John C. Gordon, Benjamin M. Schultz, Ali Hajy, Morakinyo Korede Olugbade, Hari R. Pulapaka, Paul Bozzay, Frederick J. Smith, Mehmet Iyigun
  • Patent number: 9929945
    Abstract: A control and monitoring system orders a service chain (an order of data flow through a plurality of network nodes) based on network node identifiers. The control and monitoring system provides a policy to networking nodes in order to enforce the order of the service chain. In some embodiments, features are implemented to improve the availability of service chains. Such features include load-balancing, fail-over, traffic engineering, and automated deployment of virtualized network functions at various stages of a service chain, among others.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: March 27, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Benjamin M. Schultz, Abhishek Tiwari, Aman Arneja, Dhiraj Gupta
  • Patent number: 9898354
    Abstract: Techniques for implementing operating system layering are described herein. In one example, a method includes managing one or more container temporary storage spaces and one or more container runtime environments. Furthermore, the method includes loading one or more drivers to provide compatibility between a container operating system and a host operating system, the one or more drivers comprising application program interface (API) compatibility libraries to enable API compatibility between the container operating system and the host operating system; metadata arbitration logic to enable compatibility between the container operating system and the host operating system by modifying container operating system references; and file arbitration logic to modify operating system file locations accessed by the container operating system and the host operating system.
    Type: Grant
    Filed: March 21, 2016
    Date of Patent: February 20, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jeffrey M. Engel, Frederick J. Smith, Hari R. Pulapaka, Benjamin M. Schultz, Mehmet Iyigun, John Richardson, Taylor Stark
  • Publication number: 20170359272
    Abstract: The techniques described herein monitor, store, and evaluate network information associated with an application to determine a connectivity option to use to communicate data. A connectivity option includes a network interface and a type of network connection. The determination is made based on power consumption information associated with available connectivity options. Consequently, a device on which the application is installed can better manage its power consumption associated with network communications.
    Type: Application
    Filed: June 10, 2016
    Publication date: December 14, 2017
    Inventors: Harish Srinivasan, Javier N. Flores Assad, Chris C. Gray, David Richard Powell, JR., Benjamin M. Schultz, Ryan Gregory Wood
  • Publication number: 20170353496
    Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.
    Type: Application
    Filed: June 2, 2016
    Publication date: December 7, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
  • Publication number: 20170317978
    Abstract: Techniques for isolating interfaces of a protocol stack are discussed herein. In some instances, an apparatus may store a firewall policy that defines a set of rules for a component or type of component of a layer of a protocol stack, such as an Internet Protocol (IP) interface(s), an IP address(es), a TCP port(s), a socket(s), an application(s), a virtual network interface(s), an interface associated with a Virtual Private Network (VPN), and so on. The apparatus may include a firewall configured to implement the firewall policy at the layer of the protocol stack when data traffic is received at the layer. In some instances, the apparatus may include a monitor module to determine environmental context associated with the device, such as a geo-location of the apparatus or a connection of the apparatus to a network. The firewall may select a firewall policy that is applicable to the environmental context.
    Type: Application
    Filed: June 30, 2016
    Publication date: November 2, 2017
    Inventors: Gerardo Diaz-Cuellar, Aman Arneja, Benjamin M. Schultz
  • Publication number: 20170300311
    Abstract: Techniques described herein can dynamically generate images. In one example, a method includes detecting a request to generate a container image based on a policy file and identifying a host image from a host operating system. The method can also include generating the container image based on the host image and the policy file, the policy file indicating a first set of files to be copied from the host image to the container image, a set of reparse points corresponding to a second set of files not to be copied from the host image to the container image, and a third set of files to be loaded into the container image from a remote source.
    Type: Application
    Filed: April 15, 2016
    Publication date: October 19, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Daniel Vasquez Lopez, Morakinyo Olugbade, Frederick J. Smith, Benjamin M. Schultz, Hari R. Pulapaka, Mehmet Iyigun
  • Publication number: 20170286153
    Abstract: An operating system running on a computing device uses containers for hardware resource partitioning. Using the techniques discussed herein, pausing and resuming of containers is managed to reduce the pressure a container exerts on system resources when paused. Resuming of containers can further be managed to reduce the startup time for containers. This managing of containers can implement various different techniques, such as stopping scheduling of virtual processors, stopping scheduling of processes or threads, compressing memory, swapping pages of memory for the container to a page file on a hard drive, and so forth.
    Type: Application
    Filed: June 22, 2016
    Publication date: October 5, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Yevgeniy M. Bak, Lars Reuther, Kevin M. Broas, Mehmet Iyigun, Hari R. Pulapaka, Morakinyo Korede Olugbade, Benjamin M. Schultz
  • Publication number: 20170279678
    Abstract: Configuring a node. A method includes at a first configuration layer, modifying configuration settings. The method further includes propagating the modified configuration settings to one or more other configuration layers implemented at the first configuration layer to configure a node.
    Type: Application
    Filed: March 28, 2016
    Publication date: September 28, 2017
    Inventors: Christopher Peter Kleynhans, Eric Wesley Wohllaib, Paul McAlpin Bozzay, Morakinyo Korede Olugbade, Frederick J. Smith, Benjamin M. Schultz, Gregory John Colombo, Hari R. Pulapaka, Mehmet Iyigun
  • Publication number: 20170279805
    Abstract: The techniques and systems described herein improve security and improve connection reliability by providing a framework for an application to communicate its intent to an authority service so that the authority service can enforce networking security requirements. In various examples, an intent to access a resource over a network is received and queries are sent to resolve a network connection that enables access to the resource. Information for the resource is then collected and stored together in a trusted and secure environment. For instance, the information can include proxy data or can include hostname data. A ticket can be created based on the information. The ticket can be used to establish and maintain a secure network connection to the resource.
    Type: Application
    Filed: August 12, 2016
    Publication date: September 28, 2017
    Inventors: Gerardo Diaz-Cuellar, Benjamin M. Schultz, Ivan Dimitrov Pashov
  • Publication number: 20170269978
    Abstract: Techniques for implementing operating system layering are described herein. In one example, a method includes managing one or more container temporary storage spaces and one or more container runtime environments. Furthermore, the method includes loading one or more drivers to provide compatibility between a container operating system and a host operating system, the one or more drivers comprising application program interface (API) compatibility libraries to enable API compatibility between the container operating system and the host operating system; metadata arbitration logic to enable compatibility between the container operating system and the host operating system by modifying container operating system references; and file arbitration logic to modify operating system file locations accessed by the container operating system and the host operating system.
    Type: Application
    Filed: March 21, 2016
    Publication date: September 21, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Jeffrey M. Engel, Frederick J. Smith, Hari R. Pulapaka, Benjamin M. Schultz, Mehmet Iyigun, John Richardson, Taylor Stark
  • Publication number: 20170237675
    Abstract: This application describes client devices that control network transmission based on a power state. The client device determines a power state of the computing device and a priority of an application executing on the computing device. The client device determines whether to permit the application to communicate with a remote network accessible device via the network communication hardware based at least on the priority of the application and the power state of the computing device. Also described is a power state service that selects a client device to be provided with a notification based on power states of the client devices.
    Type: Application
    Filed: February 12, 2016
    Publication date: August 17, 2017
    Inventors: Harish Srinivasan, Chris C. Gray, Javier N. Flores Assad, Benjamin M. Schultz, David Powell, Alvin K. Tan, Jean Khawand
  • Publication number: 20170220332
    Abstract: Functionality is described herein for performing at least one network connectivity task on a client device with the aid of one or more assistant devices. In some implementations, a client device (such as a smartphone, desktop personal computing device, etc.) relies on an assistant device to assist it in updating its programs, including its driver programs. In other implementations, a client device relies on an assistant device in establishing a network connection with a network-accessible entity. Functionality is also described herein for performing at least one program execution task on a client device with the aid of one or more assistant devices. For instance, the client device may rely on the assistant device to assist it in executing a driver program. The driver program, in turn, enables the client device to interact with a peripheral device or some other component.
    Type: Application
    Filed: January 28, 2016
    Publication date: August 3, 2017
    Inventors: Harish Srinivasan, Benjamin M. Schultz, James C. Gray, Nishad Mulye
  • Patent number: 9705844
    Abstract: Disclosed is an approach for managing and assigning addresses in a connectivity platform that allows for proprietary connectivity modules (Providers) to plug into the operating system. In this disclosure, when a user/application/computing device connects to another user on another computing device, an address is generated for that user. However, because of a limited number of addresses that are available in an address space, it is necessary to ensure that a conflicting address is not present. To ensure this, the connectivity platform determines if the address assigned is in conflict with another address associated with users that are located on the other computing devices. If an address is found to be in conflict, the connectivity platform reassigns the address until a non-conflicting address is found. If a non-conflicting address cannot be found, the connectivity platform blocks the connection between the user and the other user.
    Type: Grant
    Filed: December 28, 2012
    Date of Patent: July 11, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dmitry Anipko, David G. Thaler, Deepak Bansal, Benjamin M. Schultz, Rajesh Sundaram
  • Publication number: 20170170990
    Abstract: Template-driven locally calculated policy updates for virtualized machines in a datacenter environment are described. A central control and monitoring node calculates and pushes down policy templates to local control and monitoring nodes. The templates provide boundaries and/or a pool of networking resources, from which the local control and monitoring node is enabled to calculate policy updates for locally instantiated virtual machines and containers.
    Type: Application
    Filed: March 18, 2016
    Publication date: June 15, 2017
    Inventors: Poornananda R. Gaddehosur, Benjamin M. Schultz