Abstract: Some embodiments provide a method for efficient data message transfer across a hypervisor, service DCN, and containers implementing partner network services. The method allocates memory to a service DCN that operates a set of containers for providing partner network services for data messages received by the service DCN. The service DCN and the containers share the allocated memory and the method stores data messages received by the service DCN in the allocated memory. The method then accesses the data message stored in the shared memory from a set of partner network service containers to perform the partner network services. In some embodiments, the host machine or a process of the host machine on which the service DCN executes also shares the allocated memory. The host machine process, in some embodiments is a kernel process.

Abstract: Some embodiments provide a method of forwarding data messages between source and destination host computers that execute source and destination machines. At a source computer on which a source machine for a data message flow executes, the method in some embodiments identifies a source tunnel endpoint group (TEPG) associated with the source machine. For the flow, the method selects one TEP of the TEPG as the source TEP. The method then uses the selected source TEP to forward the flow to the destination computer on which the destination machine executes.

Abstract: Described herein are systems and methods to manage blacklists and duplicate addresses in software defined networks (SDNs). In one implementation, a method includes, in a control plane and data plane of an SDN environment, obtaining a blacklist for a logical port in the SDN environment. The method further includes deleting realized address bindings in a realized address list for the logical port that match the one or more address bindings in the blacklist and preventing subsequent address bindings that match the one or more address bindings in the blacklist from being added to the realized address list.

Abstract: Some embodiments provide policy-driven methods for deploying edge forwarding elements in a public or private SDDC for tenants or applications. For instance, the method of some embodiments allows administrators to create different traffic groups for different applications and/or tenants, deploys edge forwarding elements for the different traffic groups, and configures forwarding elements in the SDDC to direct data message flows of the applications and/or tenants through the edge forwarding elements deployed for them. The policy-driven method of some embodiments also dynamically deploys edge forwarding elements in the SDDC for applications and/or tenants after detecting the need for the edge forwarding elements based on monitored traffic flow conditions.

Abstract: The disclosure provides an approach for deploying an software defined networking (SDN) solution for overlay routing of traffic on a host with colocated a workload virtual machine (VM), addressable on an overlay network and VM addressable on an underlay network. An overlay interceptor in a hypervisor of the host can intercept traffic from a virtual switch and route the traffic to destination VM. The overlay interceptor can route the traffic directly, without the traffic exiting the host. A fast path can be created for the routing.

Abstract: Certain embodiments herein are directed to a method of by a source virtual tunnel endpoint (VTEP) for selecting a tunneling protocol for encapsulating a packet destined for a destination VTEP. In some embodiments, the method includes receiving the packet for transmission to the destination VTEP. The method further includes determining whether the destination VTEP is configured with a first tunneling protocol. Upon determining that the destination VTEP is configured with the first tunneling protocol, the method includes encapsulating the packet using the first tunneling protocol, and transmitting the encapsulated packet to the destination VTEP. Upon determining that the destination VTEP is not configured with the first tunneling protocol, encapsulating the packet using a second tunneling protocol, and transmitting the encapsulated packet to the destination VTEP.

Abstract: A method of transmitting multicast traffic to workloads of tenants communicating over overlay networks provisioned on top of a physical network includes the steps of: detecting the multicast traffic; determining that the multicast traffic is bound for workloads of a first tenant and workloads of a second tenant; encapsulating one instance of the multicast traffic using a Layer 2 (L2) over Layer 3 (L3) encapsulation protocol to generate encapsulated traffic, wherein the encapsulated traffic includes an identifier of a first backplane network corresponding to the first tenant and an identifier of a second backplane network corresponding to the second tenant in a header portion of each packet of the encapsulated traffic; and transmitting, to a first host computing device, the encapsulated traffic with the identifiers of the first and second overlay networks.

Abstract: Some embodiments provide a method, for configuring logical network entities at a host computer. The method receives configuration data for a particular logical networking entity implemented at the host computer. The method identifies that the configuration data for the particular logical networking entity includes at least two conflicting configuration settings for the particular logical networking entity. At least one of the configuration settings for the particular logical networking entity is based on association of a configuration profile to a group of logical entities that includes the particular logical networking entity. The method determines a particular one of the conflicting configuration settings with a highest priority to apply to the particular logical networking entity at the host computer.

Abstract: Example methods and systems for virtual tunnel endpoint (VTEP) mapping for overlay networking are described. One example may involve a computer system monitoring multiple VTEPs that are configured for overlay networking. In response to detecting a state transition associated with a first VTEP from a healthy state to an unhealthy state, the computer system may identify mapping information that associates a virtualized computing instance with the first VTEP in the unhealthy state; and update the mapping information to associate the virtualized computing instance with a second VTEP in the healthy state. In response to detecting an egress packet from the virtualized computing instance to a destination, an encapsulated packet may be generated and sent towards the destination based on the updated mapping information. The encapsulated packet may include the egress packet and an outer header identifying the second VTEP to be a source VTEP.

Abstract: Described herein are systems and methods to manage Internet Protocol (IP) address discovery in a software defined networking (SDN) environment. In one example, a manager may generate an IP address discovery configuration and pass the IP address discovery configuration to a controller. Once received, the controller may obtain a discovered list from a hypervisor of one or more IP addresses associated with one or more logical ports and update a realized list for the one or more logical ports based on the discovered list and the IP address discovery configuration.

Abstract: Some embodiments provide a method for clustering a set of data compute nodes (DCNs), which communicate with each other more frequently, on one or more host machines. The method groups together guest DCNs (GDCNs) that (1) execute on different host machines and (2) exchange network data among themselves more frequently, in order to reduce interhost network traffic. The more frequently-communicating GDCNs can be a set of GDCNs that implement a distributed application, GDCNs of a particular tier in a multi-tier network architecture (e.g., a web tier in a three-tier architecture), GDCNs that are dedicated to a particular tenant in a hosting system, or any other set of GDCNs that exchange data among each other regularly for a particular purpose.

Abstract: In some embodiments, a method receives a packet for a flow from a first application in a first workload to a second application in a second workload. The packet includes an inner header that includes layer 4 information for the first application. The method determines if a setting indicates an outer source port in an outer header should be generated using layer 4 information from the inner header. The setting is based on an analysis of packet types in the flow to determine if fragmented packets are sent. When the setting indicates the outer source port in the outer header should be generated using layer 4 information from the inner header, the method generates the outer source port using the layer 4 information for the first application from the inner header. The packet is encapsulated using the outer header, wherein the outer header includes the outer source port.

Abstract: In an embodiment, a computer-implemented method provides mechanisms for identifying a source location in a service chaining topology. In an embodiment, a method comprises: receiving a query, from a service plane implementation module executing on a host of a service virtual machine (“SVM”), for a location of a source host implementing a guest virtual machine (“source GVM”) that originated a packet in a computer network and that serviced the packet; in response to receiving the query, performing a search of bindings associated with one or more virtual network identifiers (“VNIs”) or service virtual network identifiers (“SVNIs”) to identify a particular binding that includes a MAC address of the host implementing the source GVM; identifying, in the particular binding, the location of the source host; and providing the location of the source host to the host of the SVM to facilitate forwarding of the packet from the SVM to the GVM.

Abstract: A method of transmitting multicast traffic to workloads of tenants communicating over overlay networks provisioned on top of a physical network includes the steps of: detecting the multicast traffic; determining that the multicast traffic is bound for workloads of a first tenant and workloads of a second tenant; encapsulating one instance of the multicast traffic using a Layer 2 (L2) over Layer 3 (L3) encapsulation protocol to generate encapsulated traffic, wherein the encapsulated traffic includes an identifier of a first backplane network corresponding to the first tenant and an identifier of a second backplane network corresponding to the second tenant in a header portion of each packet of the encapsulated traffic; and transmitting, to a first host computing device, the encapsulated traffic with the identifiers of the first and second overlay networks.

Abstract: Described herein are systems and methods to manage blacklists and duplicate addresses in software defined networks (SDNs). In one implementation, a method includes, in a control plane and data plane of an SDN environment, obtaining a blacklist for a logical port in the SDN environment. The method further includes deleting realized address bindings in a realized address list for the logical port that match the one or more address bindings in the blacklist and preventing subsequent address bindings that match the one or more address bindings in the blacklist from being added to the realized address list.

Abstract: Some embodiments provide policy-driven methods for deploying edge forwarding elements in a public or private SDDC for tenants or applications. For instance, the method of some embodiments allows administrators to create different traffic groups for different applications and/or tenants, deploys edge forwarding elements for the different traffic groups, and configures forwarding elements in the SDDC to direct data message flows of the applications and/or tenants through the edge forwarding elements deployed for them. The policy-driven method of some embodiments also dynamically deploys edge forwarding elements in the SDDC for applications and/or tenants after detecting the need for the edge forwarding elements based on monitored traffic flow conditions.

Abstract: In some embodiments, a method receives a packet for a flow from a first application in a first workload to a second application in a second workload. The packet includes an inner header that includes layer 4 information for the first application. The method determines if a setting indicates an outer source port in an outer header should be generated using layer 4 information from the inner header. The setting is based on an analysis of packet types in the flow to determine if fragmented packets are sent. When the setting indicates the outer source port in the outer header should be generated using layer 4 information from the inner header, the method generates the outer source port using the layer 4 information for the first application from the inner header. The packet is encapsulated using the outer header, wherein the outer header includes the outer source port.

Abstract: Some embodiments provide a method for clustering a set of data compute nodes (DCNs), which communicate with each other more frequently, on one or more host machines. The method groups together guest DCNs (GDCNs) that (1) execute on different host machines and (2) exchange network data among themselves more frequently, in order to reduce interhost network traffic. The more frequently-communicating GDCNs can be a set of GDCNs that implement a distributed application, GDCNs of a particular tier in a multi-tier network architecture (e.g., a web tier in a three-tier architecture), GDCNs that are dedicated to a particular tenant in a hosting system, or any other set of GDCNs that exchange data among each other regularly for a particular purpose.

Abstract: A method of transmitting multicast traffic to workloads of tenants communicating over overlay networks provisioned on top of a physical network includes the steps of: detecting the multicast traffic; determining that the multicast traffic is bound for workloads of a first tenant and workloads of a second tenant; encapsulating one instance of the multicast traffic using a Layer 2 (L2) over Layer 3 (L3) encapsulation protocol to generate encapsulated traffic, wherein the encapsulated traffic includes an identifier of a first backplane network corresponding to the first tenant and an identifier of a second backplane network corresponding to the second tenant in a header portion of each packet of the encapsulated traffic; and transmitting, to a first host computing device, the encapsulated traffic with the identifiers of the first and second overlay networks.

Abstract: Some embodiments provide a method of replicating messages for a logical network. At a particular tunnel endpoint in a particular datacenter, the method receives a message to be replicated to members of a replication group. The method replicates the message to a set of tunnel endpoints of the replication group located in a same segment of the particular datacenter as the particular tunnel endpoint. The method replicates the message to a first set of proxy endpoints of the replication group, each of which is located in a different segment of the particular datacenter and for replicating the message to tunnel endpoints located in its respective segment of the particular datacenter. The method replicates the message to a second set of proxy endpoints of the replication group, each of which is located in a different datacenter and for replicating the message to tunnel endpoints located in its respective datacenter.