Abstract: A load balancer capable of instantiating a data plane within the load balancer, deleting the data plane from the load balancer, and/or enacting a change to the data plane. The load balancer instantiates a data plane for an identified tenant. The instantiated data plane is placed in a data path of network data transmitted from one or more sources to a plurality of tenant addresses that each corresponds to a different tenant or group of tenants. The instantiated data plane is also dedicated to the identified tenant such that the data plane isolates first network data destined to a first tenant address that corresponds to the identified tenant from second network data destined to one or more other tenant addresses. The load balancer also deletes the instantiated data plane from the load balancer, or enacts a change to the instantiated data plane.

Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.

Abstract: Techniques are disclosed for capturing network traffic in a virtualized computing environment. A packet to be captured in the virtualized environment is identified. The packet is tagged using a pattern of one or more bits in a header of the packet. The pattern indicates that the packet is to be traced. The pattern is propagated to an outer layer during encapsulation of the packet. A header of the encapsulated packet includes the pattern of one or more bits. At least one network device is caused to mirror identified packets based on the reserved bit.

Abstract: Techniques for allowing access to shared cloud resource using private network addresses are disclosed herein. In one embodiment, a connection packet representing a connection request to a shared cloud resource in the cloud computing system can be intercepted. In response, the connection packet can be encapsulated with data representing one or more of a VNET ID, a VNET source address, or a VNET destination address of a virtual network from which the connection packet is received. The encapsulated connection packet can then be forwarded to the shared cloud resource while retaining the data representing one or more of the VNET ID, the VNET source address, or the VNET destination address for access control at the shared cloud resource.

Abstract: A route tracing request packet is generated comprising a time-to-live value, a source address of a source of the route tracing request packet, and an address of a destination of the route tracing request packet. The source and destination are in the virtual network; the route tracing request packet is usable to identify the virtual appliance, and the virtual appliance is configured to examine the route tracing request packet for a time-to-live value indicating that the route tracing request packet has expired and sending a time-to-live exceeded message to the source address. The time-to-live exceeded message comprises an identifier for the virtual appliance. The route tracing request packet is forwarded to the destination. The time-to-live exceeded message is received. Data is extracted to determine network virtual appliances that were traversed by the route tracing request packet prior to expiration of the time-to-live. The network virtual appliances are reported.

Abstract: Described herein is a system and method of connectivity migration of an executing virtual application and/or guest operating system. State associated with a first instance of an application and/or a guest operating system executing on a first virtual machine is captured. Information regarding connectivity state associated with a plurality of running connections between the first virtual machine and client device(s) is also captured (e.g., layers 2, 3 and 4). The captured state information can be provided to a second virtual machine which utilizes the captured station information to establish state for a second instance of the application, a second instance of the guest operating system, and/or connectivity of the plurality of running connections between the second virtual machine and client device(s). The state of the second instance of the application can be synchronized with the state of the second instance of the guest operating system.

Abstract: A route tracing request packet is generated comprising a time-to-live value, a source address of a source of the route tracing request packet, and an address of a destination of the route tracing request packet. The source and destination are in the virtual network; the route tracing request packet is usable to identify the virtual appliance, and the virtual appliance is configured to examine the route tracing request packet for a time-to-live value indicating that the route tracing request packet has expired and sending a time-to-live exceeded message to the source address. The time-to-live exceeded message comprises an identifier for the virtual appliance. The route tracing request packet is forwarded to the destination. The time-to-live exceeded message is received. Data is extracted to determine network virtual appliances that were traversed by the route tracing request packet prior to expiration of the time-to-live. The network virtual appliances are reported.

Abstract: Described herein are systems and methods for supporting multicast for virtual networks. In some embodiments, a native multicast approach can utilized in which packet replication is performed on a host node of a virtual machine (VM) with a multicast data packet encapsulated in uniquely address unicast packets. In some embodiments, a network virtual appliance can be utilized. A multicast packet sent from the VM can be unicasted to the network virtual appliance. The multicast appliance can then replicate the packet into multiple copies and send the packets to the receivers in the virtual network as unicast data packets encapsulating the multicast packet.

Abstract: A network appliance is configured to receive a packet having an address of a custom device as a source address. Policies are accessed that are applicable to a virtual network associated with the custom device. The policies are applied to the packet. A hairpin layer redirects the packet to a destination address contained in the packet. For subsequent packets, application of the policies is bypassed to the subsequent packets. Application of the policies is offloaded to an acceleration device.

Abstract: Systems and methods for enabling access to dedicated resources in a virtual network using top of rack switches are disclosed. A method includes a virtual filtering platform encapsulating at least one packet, received from a virtual machine, to generate at least one encapsulated packet comprising a virtual network identifier (VNI). The method further includes a TOR switch: (1) receiving the at least one encapsulated packet and decapsulating the at least one encapsulated packet to create at least one decapsulated packet, (2) using the VNI to identify a virtual routing and forwarding artifact to determine a virtual local area network interface associated with the dedicated hardware portion, and (3) transmitting the at least one decapsulated packet to the dedicated hardware portion based on at least one policy provided by a controller, where the at least one policy comprises information related to a customer of the service provider.

Abstract: Techniques are disclosed for communicating data in a virtualized environment comprising virtual machines executing on one or more computing devices. An underlying physical destination address of a virtual machine executing on a virtual network is changed from a first physical address to a second physical address. A traffic forwarder function is executed on a virtual switch within the virtual network. The traffic forwarder function is executed during a time threshold determined based on a reprogramming time for network devices in the virtualized environment to update the underlying physical destination address. A data packet addressed to the first physical address is by the traffic forwarder function on a network external to the virtual network. A destination address of the data packet is updated from the first physical address to the second physical address. The data packet is forwarded to the updated destination address.

Abstract: Techniques are disclosed for capturing network traffic in a virtualized computing environment. A packet to be captured in the virtualized environment is identified. The packet is tagged using a pattern of one or more bits in a header of the packet. The pattern indicates that the packet is to be traced. The pattern is propagated to an outer layer during encapsulation of the packet. A header of the encapsulated packet includes the pattern of one or more bits. At least one network device is caused to mirror identified packets based on the reserved bit.

Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided in association with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Moreover, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls from accessing the tenant's virtual network.

Abstract: Methods of tuning a receive window. A receiving device and a sending device may be in communication over a network. The receiving device may advertise a receive window to the sending device. The size of the receive window may be adjusted over time based on one or more connection parameters, application parameters and/or operating system parameters.

Abstract: A load balancer capable of instantiating a data plane within the load balancer, deleting the data plane from the load balancer, and/or enacting a change to the data plane. The load balancer instantiates a data plane for an identified tenant. The instantiated data plane is placed in a data path of network data transmitted from one or more sources to a plurality of tenant addresses that each corresponds to a different tenant or group of tenants. The instantiated data plane is also dedicated to the identified tenant such that the data plane isolates first network data destined to a first tenant address that corresponds to the identified tenant from second network data destined to one or more other tenant addresses. The load balancer also deletes the instantiated data plane from the load balancer, or enacts a change to the instantiated data plane.

Abstract: Techniques are described herein that are capable of monitoring connectivity and latency of network links in virtual networks. For instance, a ping agent injects first ping packets into network traffic on behalf of hosts in the virtual network. The ping agent monitors incoming packets to identify first ping response packets, which are in response to the first ping packets, among the incoming packets. A ping responder rule that is included in inbound packet filter rules for a port in a virtual switch intercepts second ping packets in the network traffic. The ping responder rule converts the second ping packets into second ping response packets and injects the second ping response packets into outbound packet filter rules to be transferred to sources from which the second ping packets are received.

Abstract: Techniques for allowing access to shared cloud resource using private network addresses are disclosed herein. In one embodiment, a connection packet representing a connection request to a shared cloud resource in the cloud computing system can be intercepted. In response, the connection packet can be encapsulated with data representing one or more of a VNET ID, a VNET source address, or a VNET destination address of a virtual network from which the connection packet is received. The encapsulated connection packet can then be forwarded to the shared cloud resource while retaining the data representing one or more of the VNET ID, the VNET source address, or the VNET destination address for access control at the shared cloud resource.

Abstract: Virtual networks located in different regions of cloud provider are peered using unique regional identifiers for the virtual networks. The regional identifiers and other information are pushed down a network management stack to implement the peering.

Abstract: The ensuring of predictable and quantifiable networking performance includes adaptively throttling the rate of VM-to-VM traffic flow. A receiving hypervisor can detect congestion and communicate messages for throttling traffic flow to reduce congestion at the receiving hypervisor.

Abstract: A load balancer capable of adjusting how network data is distributed to a tenant or group of tenants by manipulating the data plane. The load balancer is placed directly in the flow path of network data that is destined for a tenant or group of tenants having a tenant address. The load balancer includes a control plane and one or more data planes. Each data plane may contain one or more network traffic multiplexors. Further, each data plane may be dedicated to a tenant or group of tenants. Data planes may be added or deleted from the load balancer; additionally, multiplexors may be added or deleted from a data plane. Accordingly, network data directed towards one tenant is less likely to affect the performance of load balancing performed for another tenant.