Abstract: In some cases, a network monitoring system may determine an operating or health condition of a node or connection link in a network (e.g., a datacenter network) by preparing an encapsulated data packet according to a tunneling protocol. Depending on a result of routing the encapsulated data packet, the network monitoring system determines whether the node or connection link is functioning normally or is experiencing an issue such as overloading or malfunctioning.

Abstract: Network management of cloud computing environments subject to different data control policies is standardized in a manner that ensures compliance with the data control policies. An execution service remote from a cloud computing environment being managed implements workflows to manage different aspects of the cloud computing environment, including monitoring, incident management, deployment, and/or buildout. The execution service issues requests to perform management actions for network devices in the cloud computing environment. A device access service in the cloud computing environments receives the requests, and, in response to the requests, the device access service obtains access control data to access the network devices and perform the requested management actions for the network devices.

Abstract: Described is a server monitoring technology that is scalable to large numbers of servers, e.g., in a datacenter. Agents on servers run queries to monitor data sources for that server, such as performance counters and other events. The agents monitor their resource usage and those of monitored events to stay within an administrator-specified resource budget (policy), e.g., by modifying the running queries and/or monitoring parameters. A controller receives results of the monitoring, analyzes the results, and takes action as needed with respect to server operation and monitoring. The controller may dynamically update an agent's queries, monitoring parameters and/or monitored data post-processing operations. The controller may issue alerts and reports, including alerts indicative of inter-server problems between two or more servers.

Abstract: Aspects of the present disclosure relate to incident routing in a cloud environment. In an example, cloud provider teams utilize a scout framework to build a team-specific scout based on that team's expertise. In examples, an incident is detected and a description is sent to each team-specific scout. Each team-specific scout uses the incident description and the scout specifications provided by the team to identify, access, and process monitoring data from cloud components relevant to the incident. Each team-specific scout utilizes one or more machine learning models to evaluate the monitoring data and generate an incident-classification prediction about whether the team is responsible for resolving the incident. In examples, a scout master receives predictions from each of the team-specific scouts and compares the predictions to determine to which team an incident should be routed.

Abstract: Techniques are disclosed for capturing network traffic in a virtualized computing environment. A packet to be captured in the virtualized environment is identified. The packet is tagged using a pattern of one or more bits in a header of the packet. The pattern indicates that the packet is to be traced. The pattern is propagated to an outer layer during encapsulation of the packet. A header of the encapsulated packet includes the pattern of one or more bits. At least one network device is caused to mirror identified packets based on the reserved bit.

Abstract: N nodes are assigned to a first layer of nodes having a first domain name server (DNS) anycast Internet Protocol (IP) address and a first fully qualified domain name (FQDN). M nodes are assigned to a second layer of nodes having a second DNS anycast IP address and a second FQDN. When a request to resolve the first FQDN for the first layer of nodes is received by a DNS of a node of the first layer and a load on the ES of the node is less than a threshold, the DNS handles the request by returning an edge server (ES) anycast IP address for the ES of the node. When the load on the ES is greater than the threshold, the DNS offloads the request by returning the second FQDN so that the second FQDN of the second layer is resolved to the second DNS anycast IP address.

Abstract: Network management of cloud computing environments subject to different data control policies is standardized in a manner that ensures compliance with the data control policies. An execution service remote from a cloud computing environment being managed implements workflows to manage different aspects of the cloud computing environment, including monitoring, incident management, deployment, and/or buildout. The execution service issues requests to perform management actions for network devices in the cloud computing environment. A device access service in the cloud computing environments receives the requests, and, in response to the requests, the device access service obtains access control data to access the network devices and perform the requested management actions for the network devices.

Abstract: Network buildout of cloud computing environments subject to different data control policies is performed in a manner that ensures compliance with the data control policies. A buildout service is located in a remote cloud computing environment separate from the cloud computing environments at which buildout is being performed. The buildout service implements workflows to manage different aspects of network buildout in the cloud computing environments. The buildout service does not have access to restricted data in the cloud computing environments, including access control data, such that the buildout service cannot directly interact with network devices. The buildout service issues requests for device configuration to hardware proxies in the cloud computing environments. In response to the requests, the hardware proxies obtain access control data to access and configure the network devices.

Abstract: Network management of cloud computing environments subject to different data control policies is standardized in a manner that ensures compliance with the data control policies. Executions services and source of truth services are located in a remote cloud computing environment separate from the cloud computing environments being managed. The execution services implement workflows to manage different aspects of the cloud computing environments, including monitoring, incident management, deployment, and buildout. The source of truth services provide network configuration information for the cloud computing environments to allow automated operation of the execution services. The execution services issue requests for management operations to device access services in the cloud computing environments. In response to the requests, the device access services obtain access control data to access the network devices and perform the management operations.

Abstract: Techniques are disclosed for capturing network traffic in a virtualized computing environment. A packet to be captured in the virtualized environment is identified. The packet is tagged using a pattern of one or more bits in a header of the packet. The pattern indicates that the packet is to be traced. The pattern is propagated to an outer layer during encapsulation of the packet. A header of the encapsulated packet includes the pattern of one or more bits. At least one network device is caused to mirror identified packets based on the reserved bit.

Abstract: Monitoring of cloud computing environments subject to different data control policies is performed in a manner that ensures compliance with the data control policies. A monitoring service is located in a remote cloud computing environment separate from the cloud computing environments being monitored. The monitoring service does not have access to restricted data in the cloud computing environments, including access control data, such that the monitoring service cannot directly interact with network devices. The monitoring service issues requests for monitoring data to device access services in the cloud computing environments. In response to the requests, the device access services obtain access control data to access the network devices and obtain the requested data, which is returned to the monitoring service.

Abstract: N nodes are assigned to a first layer of nodes having a first domain name server (DNS) anycast Internet Protocol (IP) address and a first fully qualified domain name (FQDN). M nodes are assigned to a second layer of nodes having a second DNS anycast IP address and a second FQDN. When a request to resolve the first FQDN for the first layer of nodes is received by a DNS of a node of the first layer and a load on the ES of the node is less than a threshold, the DNS handles the request by returning an edge server (ES) anycast IP address for the ES of the node. When the load on the ES is greater than the threshold, the DNS offloads the request by returning the second FQDN so that the second FQDN of the second layer is resolved to the second DNS anycast IP address.

Abstract: Systems and methods are provided for facilitating automated compliance with security, audit and network configuration policies. In some instances, new runtime configuration files are iteratively generated and compared to a baseline configuration file to determine whether a threshold variance exists between the baseline configuration file and each separate and new runtime configuration file. If the threshold variance exists, remedial actions are triggered. In some instances, runtime configuration files are scanned for blacklist configuration settings. When blacklist configuration settings are found, remedial actions can also be triggered. In some instances, configuration files are scrubbed by omitting detected blacklist items from the configuration files. In some instances, changes are only made to configuration files when they match changes on an approved change list and are absent from an open incident list.

Abstract: Systems and methods are provided for facilitating automated compliance with security, audit and network configuration policies. In some instances, new runtime configuration files are iteratively generated and compared to a baseline configuration file to determine whether a threshold variance exists between the baseline configuration file and each separate and new runtime configuration file. If the threshold variance exists, remedial actions are triggered. In some instances, runtime configuration files are scanned for blacklist configuration settings. When blacklist configuration settings are found, remedial actions can also be triggered. In some instances, configuration files are scrubbed by omitting detected blacklist items from the configuration files. In some instances, changes are only made to configuration files when they match changes on an approved change list and are absent from an open incident list.

Abstract: N nodes are assigned to a first layer of nodes having a first domain name server (DNS) anycast Internet Protocol (IP) address and a first fully qualified domain name (FQDN). M nodes are assigned to a second layer of nodes having a second DNS anycast IP address and a second FQDN. When a request to resolve the first FQDN for the first layer of nodes is received by a DNS of a node of the first layer and a load on the ES of the node is less than a threshold, the DNS handles the request by returning an edge server (ES) anycast IP address for the ES of the node. When the load on the ES is greater than the threshold, the DNS offloads the request by returning the second FQDN so that the second FQDN of the second layer is resolved to the second DNS anycast IP address.

Abstract: Described is a server monitoring technology that is scalable to large numbers of servers, e.g., in a datacenter. Agents on servers run queries to monitor data sources for that server, such as performance counters and other events. The agents monitor their resource usage and those of monitored events to stay within an administrator-specified resource budget (policy), e.g., by modifying the running queries and/or monitoring parameters. A controller receives results of the monitoring, analyzes the results, and takes action as needed with respect to server operation and monitoring. The controller may dynamically update an agent's queries, monitoring parameters and/or monitored data post-processing operations. The controller may issue alerts and reports, including alerts indicative of inter-server problems between two or more servers.

Abstract: Described is a server monitoring technology that is scalable to large numbers of servers, e.g., in a datacenter. Agents on servers run queries to monitor data sources for that server, such as performance counters and other events. The agents monitor their resource usage and those of monitored events to stay within an administrator-specified resource budget (policy), e.g., by modifying the running queries and/or monitoring parameters. A controller receives results of the monitoring, analyzes the results, and takes action as needed with respect to server operation and monitoring. The controller may dynamically update an agent's queries, monitoring parameters and/or monitored data post-processing operations. The controller may issue alerts and reports, including alerts indicative of inter-server problems between two or more servers.

Abstract: Software deployment to network devices in cloud computing environments subject to data control policies is provided in a manner that ensures compliance with the data control policies. A deployment service is located in a remote cloud computing environment separate from the cloud computing environments to which software is being deployed. The deployment service does not have access to restricted data in the cloud computing environments, including access control data, such that the deployment service cannot directly interact with network devices. The deployment service issues deployment requests to hardware proxies in the cloud computing environments. In response to the requests, the hardware proxies obtain access control data to access the network devices and issue commands to install the software on the network devices.

Abstract: Network buildout of cloud computing environments subject to different data control policies is performed in a manner that ensures compliance with the data control policies. A buildout service is located in a remote cloud computing environment separate from the cloud computing environments at which buildout is being performed. The buildout service implements workflows to manage different aspects of network buildout in the cloud computing environments. The buildout service does not have access to restricted data in the cloud computing environments, including access control data, such that the buildout service cannot directly interact with network devices. The buildout service issues requests for device configuration to hardware proxies in the cloud computing environments. In response to the requests, the hardware proxies obtain access control data to access and configure the network devices.

Abstract: Monitoring of cloud computing environments subject to different data control policies is performed in a manner that ensures compliance with the data control policies. A monitoring service is located in a remote cloud computing environment separate from the cloud computing environments being monitored. The monitoring service does not have access to restricted data in the cloud computing environments, including access control data, such that the monitoring service cannot directly interact with network devices. The monitoring service issues requests for monitoring data to device access services in the cloud computing environments. In response to the requests, the device access services obtain access control data to access the network devices and obtain the requested data, which is returned to the monitoring service.