Patents by Inventor Bryan J. Fulton

Bryan J. Fulton has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230412425
    Abstract: A network controller for managing several managed switching elements that forward data in a network that includes the managed switching elements. The network controller is further for creating a logical switching element to be implemented in a set of managed switching elements. The network controller includes a set of modules for receiving input data specifying a logical switching element and for creating, based on the received input data, a set of logical switch constructs for the logical switching element by performing a set of database join operations. At least one of the logical switch constructs is for facilitating non-forwarding behavior of the logical switching element.
    Type: Application
    Filed: September 6, 2023
    Publication date: December 21, 2023
    Inventors: Teemu Koponen, Pankaj Thakkar, Bryan J. Fulton
  • Patent number: 11677588
    Abstract: Some embodiments of the invention provide a method for implementing a logical switching element that includes multiple logical ports through which the logical switching element receives and sends data packets. The method configures multiple managed forwarding elements to implement the logical switching element. The method also determines that port isolation has been enabled for the logical switching element. The method further provides a set of data directing the managed forwarding elements to drop a particular data packet received through a first logical port when the particular data packet is addressed to a second logical port different than the first logical port to implement the port isolation.
    Type: Grant
    Filed: June 9, 2019
    Date of Patent: June 13, 2023
    Assignee: NICIRA, INC.
    Inventor: Bryan J. Fulton
  • Publication number: 20230032313
    Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives an authentication policy that defines multiple users of a system providing the service, and also receives an authorization policy that defines access to the service by the users. The method generates an authorization policy for defining access to the service by authenticated users by combining the first and second policies. The method receives a query regarding access to the service from a particular set of one or more users, and uses the third policy to provide a response to the query that describes access to the service for the particular user set.
    Type: Application
    Filed: October 17, 2022
    Publication date: February 2, 2023
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11477238
    Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives an authentication policy that defines multiple users of a system providing the service, and also receives an authorization policy that defines access to the service by the users. The method generates an authorization policy for defining access to the service by authenticated users by combining the first and second policies. The method receives a query regarding access to the service from a particular set of one or more users, and uses the third policy to provide a response to the query that describes access to the service for the particular user set.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: October 18, 2022
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11477239
    Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives at least one authorization policy that defines access to the service by the users, where the service includes multiple resources. The method identifies combinations of users and resources referenced by the policy, and for each identified combination of user and resource, executes the policy in order to define access to the identified resource by the identified user. The method receives a query regarding access to a particular resource from a particular set of one or more users, and uses the executed policy to provide a response to the query that describes access to the particular resource for the particular user set.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: October 18, 2022
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11470121
    Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by multiple users. The method receives at least one authorization policy that defines access to the service by the users, where the service includes multiple resources. Based on an analysis of the received policy, the method identifies a set of two or more access rules, each access rule associating at least one user to at least one resource. The method receives a query regarding access to a particular resource from a particular set of one or more users, and uses the identified access rules to provide a response to the query that describes access to the particular resource for the particular user set.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: October 11, 2022
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11245728
    Abstract: Some embodiments provide a method for providing insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by multiple users. The method receives at least one authorization policy that defines access to the service by the users, where the policy includes two or more access rules. The method identifies a subset of unnecessary access rules in the received policy, based on a set of contextual data that is associated with the users, and filters the received policy by removing the identified subset of unnecessary access rules. The method receives a query regarding access to the service from a particular set of one or more users, and uses the filtered policy to provide a response to the query that describes access to the service for the particular user set.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: February 8, 2022
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11108828
    Abstract: Some embodiments provide a method for gaining insight into authorization policy enforcement for application programming interface (API) calls to at least one service that includes multiple resources. The method generates a permissions graph including nodes that represent the resources and multiple users, based on two or more received authorization policies that restrict access to the service for the users. The method receives a selection of a node that corresponds to a user, and in response to the received selection, modifies the graph to display connections between the node corresponding to the user and one or more nodes associated with resources of the service that the user is authorized to access based on the authorization policies.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: August 31, 2021
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 10834239
    Abstract: The network control system of some embodiments implements logical port classifications to implement different features of logical networks onto a physical network. The network control system of some embodiments modifies flow entries at forwarding elements of the physical network to implement the logical network. The network control system classifies logical source and destination ports into disjoint equivalence classes for logical network flows in a virtualized network, and encodes this information in the tunneled traffic carrying the logical flow. The network control system of some such embodiments provides logical port classifications to minimize the necessary flow entries at each forwarding element of the physical network.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: November 10, 2020
    Assignee: NICIRA, INC.
    Inventors: Anupam Chanda, Bryan J. Fulton, Teemu Koponen
  • Publication number: 20200014558
    Abstract: A network controller for managing several managed switching elements that forward data in a network that includes the managed switching elements. The network controller is further for creating a logical switching element to be implemented in a set of managed switching elements. The network controller includes a set of modules for receiving input data specifying a logical switching element and for creating, based on the received input data, a set of logical switch constructs for the logical switching element by performing a set of database join operations. At least one of the logical switch constructs is for facilitating non-forwarding behavior of the logical switching element.
    Type: Application
    Filed: June 9, 2019
    Publication date: January 9, 2020
    Inventors: Teemu Koponen, Pankaj Thakkar, Bryan J. Fulton
  • Publication number: 20180183906
    Abstract: The network control system of some embodiments implements logical port classifications to implement different features of logical networks onto a physical network. The network control system of some embodiments modifies flow entries at forwarding elements of the physical network to implement the logical network. The network control system classifies logical source and destination ports into disjoint equivalence classes for logical network flows in a virtualized network, and encodes this information in the tunneled traffic carrying the logical flow. The network control system of some such embodiments provides logical port classifications to minimize the necessary flow entries at each forwarding element of the physical network.
    Type: Application
    Filed: February 20, 2018
    Publication date: June 28, 2018
    Inventors: Anupam Chanda, Bryan J. Fulton, Teemu Koponen
  • Patent number: 9906632
    Abstract: The network control system of some embodiments implements logical port classifications to implement different features of logical networks onto a physical network. The network control system of some embodiments modifies flow entries at forwarding elements of the physical network to implement the logical network. The network control system classifies logical source and destination ports into disjoint equivalence classes for logical network flows in a virtualized network, and encodes this information in the tunneled traffic carrying the logical flow. The network control system of some such embodiments provides logical port classifications to minimize the necessary flow entries at each forwarding element of the physical network.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: February 27, 2018
    Assignee: NICIRA, INC.
    Inventors: Anupam Chanda, Bryan J. Fulton, Teemu Koponen
  • Publication number: 20170085395
    Abstract: A network controller for managing several managed switching elements that forward data in a network that includes the managed switching elements. The network controller is further for creating a logical switching element to be implemented in a set of managed switching elements. The network controller includes a set of modules for receiving input data specifying a logical switching element and for creating, based on the received input data, a set of logical switch constructs for the logical switching element by performing a set of database join operations. At least one of the logical switch constructs is for facilitating non-forwarding behavior of the logical switching element.
    Type: Application
    Filed: November 22, 2016
    Publication date: March 23, 2017
    Inventors: Teemu Koponen, Pankaj Thakkar, Bryan J. Fulton
  • Patent number: 9525647
    Abstract: A network controller for managing several managed switching elements that forward data in a network that includes the managed switching elements. The network controller is further for creating a logical switching element to be implemented in a set of managed switching elements. The network controller includes a set of modules for receiving input data specifying a logical switching element and for creating, based on the received input data, a set of logical switch constructs for the logical switching element by performing a set of database join operations. At least one of the logical switch constructs is for facilitating non-forwarding behavior of the logical switching element.
    Type: Grant
    Filed: October 7, 2011
    Date of Patent: December 20, 2016
    Assignee: NICIRA, INC.
    Inventors: Teemu Koponen, Pankaj Thakkar, Bryan J. Fulton
  • Publication number: 20160065469
    Abstract: The network control system of some embodiments implements logical port classifications to implement different features of logical networks onto a physical network. The network control system of some embodiments modifies flow entries at forwarding elements of the physical network to implement the logical network. The network control system classifies logical source and destination ports into disjoint equivalence classes for logical network flows in a virtualized network, and encodes this information in the tunneled traffic carrying the logical flow. The network control system of some such embodiments provides logical port classifications to minimize the necessary flow entries at each forwarding element of the physical network.
    Type: Application
    Filed: December 15, 2014
    Publication date: March 3, 2016
    Inventors: Anupam Chanda, Bryan J. Fulton, Teemu Koponen
  • Patent number: 9231882
    Abstract: A non-transitory machine readable medium storing a program that manages a plurality of managed forwarding elements that forward data through a network is described. The program receives user inputs that define forwarding performance constraints of a set of managed forwarding elements. Based on the inputs, the program generates a set of universal flow entries for configuring the set of managed forwarding elements to apply the forwarding performance constraints to data traffic that the managed forwarding elements forward. The set of universal flow entries is for subsequent conversion into a set of customized flow entries for the managed forwarding elements.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: January 5, 2016
    Assignee: NICIRA, INC.
    Inventors: Bryan J. Fulton, Teemu Koponen, Pankaj Thakkar
  • Patent number: 9043452
    Abstract: Some embodiments provide a method for managing a logical switching element that includes several logical ports. The logical switching element receives and sends data packets through the logical ports. The logical switching element is implemented in a set of managed switching elements that forward data packets in a network. The method provides a set of tables for specifying forwarding behaviors of the logical switching element. The method performs a set of database join operations on the tables to specify in the tables that the logical forwarding element drops a data packet received through a first logical port when the data packet is headed to a second logical port different than the first logical port.
    Type: Grant
    Filed: November 3, 2011
    Date of Patent: May 26, 2015
    Assignee: NICIRA, INC.
    Inventor: Bryan J. Fulton
  • Patent number: 8958292
    Abstract: Port security in some embodiments is a technique to apply to a particular port of a logical switching element such that the network data entering and exiting the logical switching element through the particular logical port have certain addresses that the switching element has restricted the logical port to use. For instance, a logical switching element may restrict a particular logical port to one or more certain network addresses. To enable a logical port of a logical switch for port security, the control application of some embodiments receives user inputs that designate a particular logical port and a logical switch to which the particular logical port belongs. The control application in some embodiments formats the user inputs into logical control plane data specifying the designation. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify port security functions.
    Type: Grant
    Filed: July 6, 2011
    Date of Patent: February 17, 2015
    Assignee: Nicira, Inc.
    Inventors: Bryan J. Fulton, Pankaj Thakkar, Teemu Koponen, Peter J. Balland, III
  • Patent number: 8761036
    Abstract: A control application of some embodiments allows a user to enable a logical switching element for Quality of Service (QoS). QoS in some embodiments is a technique to apply to a particular logical port of a logical switching element such that the switching element can guarantee a certain level of performance to network data that a machine sends through the particular logical port. The control application of some embodiments receives user inputs that specify a particular logical switch to enable for QoS. The control application may additionally receive performance constraints data. The control application in some embodiments formats the user inputs into logical control plane data. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify QoS functions.
    Type: Grant
    Filed: July 6, 2011
    Date of Patent: June 24, 2014
    Assignee: Nicira, Inc.
    Inventors: Bryan J. Fulton, Paul S. Ingram, Pankaj Thakkar
  • Publication number: 20130058341
    Abstract: Port security in some embodiments is a technique to apply to a particular port of a logical switching element such that the network data entering and exiting the logical switching element through the particular logical port have certain addresses that the switching element has restricted the logical port to use. For instance, a logical switching element may restrict a particular logical port to one or more certain network addresses. To enable a logical port of a logical switch for port security, the control application of some embodiments receives user inputs that designate a particular logical port and a logical switch to which the particular logical port belongs. The control application in some embodiments formats the user inputs into logical control plane data specifying the designation. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify port security functions.
    Type: Application
    Filed: July 6, 2011
    Publication date: March 7, 2013
    Inventors: Bryan J. Fulton, Pankaj Thakkar, Teemu Koponen, Peter J. Balland, III