Abstract: The ensuring of predictable and quantifiable networking performance includes adaptively throttling the rate of VM-to-VM traffic flow. A receiving hypervisor can detect congestion and communicate messages for throttling traffic flow to reduce congestion at the receiving hypervisor.

Abstract: A load balancer capable of adjusting how network data is distributed to a tenant or group of tenants by manipulating the data plane. The load balancer is placed directly in the flow path of network data that is destined for a tenant or group of tenants having a tenant address. The load balancer includes a control plane and one or more data planes. Each data plane may contain one or more network traffic multiplexors. Further, each data plane may be dedicated to a tenant or group of tenants. Data planes may be added or deleted from the load balancer; additionally, multiplexors may be added or deleted from a data plane. Accordingly, network data directed towards one tenant is less likely to affect the performance of load balancing performed for another tenant.

Abstract: Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.

Abstract: Aspects of the subject matter described herein relate to selecting a source interface with which to establish a connection. In aspects, a profile for each network location a host has seen is maintained in a data store. The profile includes information about the network interfaces available to a source host at the network location. This information indicates, among other things, the reliability of each interface of the source host. Based on the profile, an interface is selected with which to establish a connection. If the interface is unsuccessful in establishing the connection, the interface is de-prioritized and another interface may be selected.

Abstract: Various embodiments described herein are directed to optimizing cloud computing infrastructures functionality based on an abuse prevention and remediation platform. A tenant profile may have a tenant confidence score for a tenant, the tenant confidence score being an indicator of the reputation of the tenant usage of cloud computing resources. Based on the confidence score of the tenant, one or more policies for the tenant may be identified limiting access to cloud computing resources. If the virtual internet protocol address (VIP) of the tenant is determined to be tainted, the VIP may be quarantined in a tainted VIP pool, the quarantining excluding the VIP from being selected for use until the VIP is clean. A cleanup routine may be executed, the cleanup routine communicating remedial actions for the tainted VIP. Upon completion of the cleanup routine, the VIP may be restored to a clean VIP pool.

Abstract: The ensuring of predictable and quantifiable networking performance. Embodiments of the invention combine a congestion free network core with a hypervisor based (i.e., edge-based) throttling design to help insure quantitative and invariable subscription bandwidth rates. A lightweight shim layer in a hypervisor can adaptively throttle the rate of VM-to-VM traffic flow. A receiving hypervisor can detect congestion and communicate back to sending hypervisors that rates are to be regulated. In response, sending hypervisors can reduce transmission rate to mitigate congestion at the receiving hypervisor. In some embodiments, the principles are extended to any message processors communicating over a congestion free network.

Abstract: The technology described herein manages the deployment of a group of machines from a staged state to a production state, while maintaining both the production and staged machines behind a single virtual internet protocol (VIP) address. The machines may be deployed within one or more data centers. Requests for service addressed to the VIP can be sent by a load balancer to machines within a staged pool or a production pool. The load balancer can evaluate characteristics of the request against a policy to determine whether to communicate the request to a machine in the first or second pool.

Abstract: Aspects of the subject matter described herein relate to selecting a source interface with which to establish a connection. In aspects, a profile for each network location a host has seen is maintained in a data store. The profile includes information about the network interfaces available to a source host at the network location. This information indicates, among other things, the reliability of each interface of the source host. Based on the profile, an interface is selected with which to establish a connection. If the interface is unsuccessful in establishing the connection, the interface is de-prioritized and another interface may be selected.

Abstract: The provisioning of a host computing system by a controller located over a wide area network. The host computing system has power-on code that automatically executes upon powering up, and causes the host to notify the controller of the host address. In a first level of bootstrapping, the controller instructs the host to download a maintenance operating system. The host responds by downloading and installing a maintenance operating system, enabling further bootstrapping. The persistent memory may further have security data, such as a public key, that allows the host computing system to securely identify the source of the download instructions (and subsequent instructions) as originating from the controller. A second level of bootstrapping may accomplish the configuring of the host with a hypervisor and a host agent. A third level of bootstrapping may accomplish the provisioning of virtual machines on the host.

Abstract: Disclosed are a connectivity platform that allows for proprietary connectivity modules to plug into the operating system and also allows the operating system users and various existing networking applications in the operating system that are authorized by those providers to use that connectivity via existing APIs without the need for the applications to change or for extra configuration of the application to be performed. In an example disclosed herein, the providers provide NAT or firewall traversal and implement the appropriate transport mechanism. This allows for applications and computing devices to communicate in environments where connectivity is prevented by intermediate systems.

Abstract: A network device includes a plurality of blades, each having a plurality of CPU cores that process requests received by the network device. Each blade further includes an accumulator circuit. Each accumulator circuit periodically aggregates the local counter values of the CPU cores of the corresponding blade. One accumulator circuit is designated as a master, and the other accumulator circuit(s) are designated as slave(s). The slave accumulator circuits transmit their aggregated local counter values to the master accumulator circuit. The master accumulator circuit aggregates the sets of aggregated local counter values to create a set of global counter values. The master accumulator circuit transmits the global counter values to a management processor (for display), to the CPU cores located on its corresponding blade, and to each of the slave accumulator circuits. Each slave accumulator circuit then transmits the global counter values to the CPU cores located on its corresponding blade.

Abstract: The performance of multicast and/or broadcasting between virtual machines over a virtual network. A source hypervisor accesses a network message originated from a source virtual machine, and uses the network message to determine a virtual network address associated with destination virtual machines (after potentially resolving group virtual network addresses). Using each virtual network address, the hypervisor determines a physical network address of the corresponding hypervisor that supports the destination virtual machine, and also determines a unique identifier for the destination virtual machine. The source hypervisor may then dispatch the network message along with the unique identifier to the destination hypervisor over the physical network using the physical network address of the hypervisor. The destination hypervisor passes the network message to the destination virtual machine identified by the unique identifier.

Abstract: When a load balancer detects that a virtual address is associated with a single destination address, the load balancer sets a flag to distinguish the virtual address from virtual addresses that are associated with a plurality of destination addresses. The load balancer instructs the router to bypass the load balancer for network packets that are addressed to the virtual address, and refrains from storing subsequent flow state for the virtual address. When the virtual address is to be scaled up with an additional destination address, the load balancer sets a flag to distinguish the virtual address from virtual addresses that are associated with a single destination addresses. The load balancer instructs the router to route network packets that are addressed to the virtual address through the load balancer, instead of bypassing the load balancer, and starts storing flow state for the virtual address.

Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.

Abstract: Methods of tuning a receive window. A receiving device and a sending device may be in communication over a network. The receiving device may advertise a receive window to the sending device. The size of the receive window may be adjusted over time based on one or more connection parameters, application parameters and/or operating system parameters.

Abstract: The ensuring of predictable and quantifiable networking performance. Embodiments of the invention combine a congestion free network core with a hypervisor based (i.e., edge-based) throttling design to help insure quantitative and invariable subscription bandwidth rates. A lightweight shim layer in a hypervisor can adaptively throttle the rate of VM-to-VM traffic flow. A receiving hypervisor can detect congestion and communicate back to sending hypervisors that rates are to be regulated. In response, sending hypervisors can reduce transmission rate to mitigate congestion at the receiving hypervisor. In some embodiments, the principles are extended to any message processors communicating over a congestion free network.

Abstract: Various techniques for partitioning an overlay network is disclosed herein. In certain embodiments, an overlay network can be partitioned into overlay partitions with manageable sizes. Each overlay partition can independently manage and update reachability information only for end points that belong to a virtual network with at least one end point in the overlay partition. Thus, each overlay partition can operate independently from others to achieve fast reachability updating for relocated virtual machines or other end points.

Abstract: Various techniques for virtual entity migration in a computer network is disclosed herein. In one embodiment, a method includes receiving an indication to migrate a virtual machine in a virtual network from an originating network node of the underlay network to a target network node of the underlay network. The method also includes establishing a network tunnel in the underlay network from the originating network node to the target network node in response to receiving the indication to migrate the virtual machine. The method further includes migrating the virtual machine from the originating network node to the target network node following the established network tunnel in the underlay network while maintaining an address of the migrated virtual machine in the virtual network.

Abstract: Various techniques for migrating virtual entities via a label based underlay network is disclosed herein. In one embodiment, a method includes receiving packets associated with migrating a virtual machine from an originating network node of the underlay network to a target network node of the underlay network. The received packets individually include a label associated with a network path from the originating network node to the target network node in the underlay network. In response to receiving the packets, the method includes examining the labels of the packets to determine the network paths associated the labels and forwarding the packets following the determined network paths in the underlay network.

Abstract: Redirecting message flows to bypass load balancers. A destination intermediary receives a source-side message that includes a virtual address of a load balancer as a destination, and that is augmented to include a network address of a destination machine as a destination. The destination intermediary determines that a source intermediary should address subsequent network messages that originate from a source machine and that are associated with the same multi-message flow to the destination machine while bypassing the load balancer. The destination intermediary modifies the source-side message so the destination for the source-side message addresses the source machine, and passes the modified source-side message to the destination machine.