Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.

Abstract: Aspects of the subject matter described herein relate to selecting a source interface with which to establish a connection. In aspects, a profile for each network location a host has seen is maintained in a data store. The profile includes information about the network interfaces available to a source host at the network location. This information indicates, among other things, the reliability of each interface of the source host. Based on the profile, an interface is selected with which to establish a connection. If the interface is unsuccessful in establishing the connection, the interface is de-prioritized and another interface may be selected.

Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.

Abstract: The technology described herein manages the deployment of a group of machines from a staged state to a production state, while maintaining both the production and staged machines behind a single virtual internet protocol (VIP) address. The machines may be deployed within one or more data centers. Requests for service addressed to the VIP can be sent by a load balancer to machines within a staged pool or a production pool. The load balancer can evaluate characteristics of the request against a policy to determine whether to communicate the request to a machine in the first or second pool.

Abstract: Various embodiments described herein are directed to optimizing cloud computing infrastructures functionality based on an abuse prevention and remediation platform. A tenant profile may have a tenant confidence score for a tenant, the tenant confidence score being an indicator of the reputation of the tenant usage of cloud computing resources. Based on the confidence score of the tenant, one or more policies for the tenant may be identified limiting access to cloud computing resources. If the virtual internet protocol address (VIP) of the tenant is determined to be tainted, the VIP may be quarantined in a tainted VIP pool, the quarantining excluding the VIP from being selected for use until the VIP is clean. A cleanup routine may be executed, the cleanup routine communicating remedial actions for the tainted VIP. Upon completion of the cleanup routine, the VIP may be restored to a clean VIP pool.

Abstract: A system is provided and includes a processor and a non-transitory computer-readable medium configured to store instructions for execution by the processor. The instructions include: accessing a resource via a first machine in a cloud-based network, where the first machine is a virtual machine; converting at the first machine an IPv4 packet to a IPv6 packet; while converting the IPv4 packet, embedding metadata in the IPv6 packet, where the metadata includes information identifying the first machine or a virtual network of the first machine; and transmitting the IPv6 packet to a second machine to limit access to the resource based on the information identifying the the first machine or the virtual network of the first machine. The second machine limits access to the resource based on the information identifying the at least one of the first machine or the virtual network of the first machine.

Abstract: Various techniques for migrating virtual entities via a label based underlay network is disclosed herein. In one embodiment, a method includes receiving packets associated with migrating a virtual machine from an originating network node of the underlay network to a target network node of the underlay network. The received packets individually include a label associated with a network path from the originating network node to the target network node in the underlay network. In response to receiving the packets, the method includes examining the labels of the packets to determine the network paths associated the labels and forwarding the packets following the determined network paths in the underlay network.

Abstract: A load balancer capable of adjusting how network data is distributed to a tenant or group of tenants by manipulating the data plane. The load balancer is placed directly in the flow path of network data that is destined for a tenant or group of tenants having a tenant address. The load balancer includes a control plane and one or more data planes. Each data plane may contain one or more network traffic multiplexors. Further, each data plane may be dedicated to a tenant or group of tenants. Data planes may be added or deleted from the load balancer; additionally, multiplexors may be added or deleted from a data plane. Accordingly, network data directed towards one tenant is less likely to affect the performance of load balancing performed for another tenant.

Abstract: Methods of tuning a receive window. A receiving device and a sending device may be in communication over a network. The receiving device may advertise a receive window to the sending device. The size of the receive window may be adjusted over time based on one or more connection parameters, application parameters and/or operating system parameters.

Abstract: Various techniques for virtual entity migration in a computer network is disclosed herein. In one embodiment, a method includes receiving an indication to migrate a virtual machine in a virtual network from an originating network node of the underlay network to a target network node of the underlay network. The method also includes establishing a network tunnel in the underlay network from the originating network node to the target network node in response to receiving the indication to migrate the virtual machine. The method further includes migrating the virtual machine from the originating network node to the target network node following the established network tunnel in the underlay network while maintaining an address of the migrated virtual machine in the virtual network.

Abstract: Various techniques for partitioning an overlay network is disclosed herein. In certain embodiments, an overlay network can be partitioned into overlay partitions with manageable sizes. Each overlay partition can independently manage and update reachability information only for end points that belong to a virtual network with at least one end point in the overlay partition. Thus, each overlay partition can operate independently from others to achieve fast reachability updating for relocated virtual machines or other end points.

Abstract: A load balancing system is provided including: one or more virtual machines implemented in a cloud-based network and including a processor; and a load balancing application implemented in the virtual machines and executed by the processor. The load balancing application is configured such that the processor: receives one or more health messages indicating states of health of network appliances implemented in an appliance layer of the cloud-based network; receives a forwarding packet from a network device for an application server; based on the health messages, determines whether to perform a failover process or select a network appliance; performs a first iteration of a symmetric conversion to route the forwarding packet to the application server via the selected network appliance; receives a return packet from the application server based on the forwarding packet; and performs a second iteration of the symmetric conversion to route the return packet to the network device.

Abstract: Methods of tuning a receive window. A receiving device and a sending device may be in communication over a network. The receiving device may advertise a receive window to the sending device. The size of the receive window may be adjusted over time based on one or more connection parameters, application parameters and/or operating system parameters.

Abstract: A load balancer capable of adjusting how network data is distributed to a tenant or group of tenants by manipulating the data plane. The load balancer is placed directly in the flow path of network data that is destined for a tenant or group of tenants having a tenant address. The load balancer includes a control plane and one or more data planes. Each data plane may contain one or more network traffic multiplexors. Further, each data plane may be dedicated to a tenant or group of tenants. Data planes may be added or deleted from the load balancer; additionally, multiplexors may be added or deleted from a data plane. Accordingly, network data directed towards one tenant is less likely to affect the performance of load balancing performed for another tenant.

Abstract: Redirecting message flows to bypass load balancers. A destination intermediary receives a source-side message that includes a virtual address of a load balancer as a destination, and that is augmented to include a network address of a destination machine as a destination. The destination intermediary determines that a source intermediary should address subsequent network messages that originate from a source machine and that are associated with the same multi-message flow to the destination machine while bypassing the load balancer. The destination intermediary modifies the source-side message so the destination for the source-side message addresses the destination machine, and passes the modified source-side message to the destination machine.

Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.

Abstract: Techniques of network virtualization of containers in cloud-based system are disclosed herein. In one embodiment, a method includes receiving a selection of a host in the computer system to instantiate a container in response to a request from a user. In response to the received selection, the method includes identifying parameters of network operations on the selected host to instantiate the requested container and assigning a network address to the container to be instantiated on the selected host in the computer system, the assigned network address is addressable from outside of the selected host without network name translation. The method can then include transmitting an instruction to the selected host to instantiate the requested container based on the assigned network address.

Abstract: Disclosed are an approach form managing and assigning addresses in a connectivity platform that allows for proprietary connectivity modules (Providers) to plug into the operating system. In this disclosure, when a user/application/computing device, connects to another user on another computing device an address is generated for that user. However, because of a limited number of addresses that are available in an address space, it is necessary to ensure that a conflicting address is not present. To ensure this the connectivity platform determines if the address assigned is in conflict with another address associated with users that are located on the other computing devices. If an address is found to be in conflict the connectivity platform reassigns the address until a non-conflicting address is found. If a non-conflicting address cannot be found the connectivity platform blocks the connection between the user and the other user.

Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.

Abstract: The use of physical addresses with virtual machines. A virtual machine is identified and assigned virtual and physical addresses. A data packet with a header including virtual addresses for the virtual machine and a destination virtual machine is sent from the virtual machine. An additional header including physical addresses associated with a large capacity addressing scope of the virtual machine and destination virtual machine is placed on the data packet at the virtual machine host. The data packet is sent from the host to a destination virtual machine host. Similarly, a data packet including headers with physical addresses associated with a large capacity addressing scope and virtual addresses for a destination and source virtual machine is received at the destination virtual machine's host. The header containing the physical addresses of the source and destination virtual machines is removed from the data packet and sent to the destination virtual machine.