Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.

Abstract: A multi-processor architecture for a network device that includes a plurality of barrel cards, each including: a plurality of processors, a PCIe switch coupled to each of the plurality of processors, and packet processing logic coupled to the PCIe switch. The PCIe switch on each barrel card provides high speed flexible data paths for the transmission of incoming/outgoing packets to/from the processors on the barrel card. An external PCIe switch is commonly coupled to the PCIe switches on the barrel cards, as well as to a management processor, thereby providing high speed connections between processors on separate barrel cards, and between the management processor and the processors on the barrel cards.

Abstract: Disclosed are a connectivity platform that allows for proprietary connectivity modules to plug into the operating system and also allows the operating system users and various existing networking applications in the operating system that are authorized by those providers to use that connectivity via existing APIs without the need for the applications to change or for extra configuration of the application to be performed. In an example disclosed herein, the providers provide NAT or firewall traversal and implement the appropriate transport mechanism. This allows for applications and computing devices to communicate in environments where connectivity is prevented by intermediate systems.

Abstract: The ensuring of predictable and quantifiable networking performance. Embodiments of the invention combine a congestion free network core with a hypervisor based (i.e., edge-based) throttling design to help insure quantitative and invariable subscription bandwidth rates. A lightweight shim layer in a hypervisor can adaptively throttle the rate of VM-to-VM traffic flow. A receiving hypervisor can detect congestion and communicate back to sending hypervisors that rates are to be regulated. In response, sending hypervisors can reduce transmission rate to mitigate congestion at the receiving hypervisor. In some embodiments, the principles are extended to any message processors communicating over a congestion free network.

Abstract: When a load balancer detects that a virtual address is associated with a single destination address, the load balancer sets a flag to distinguish the virtual address from virtual addresses that are associated with a plurality of destination addresses. The load balancer instructs the router to bypass the load balancer for network packets that are addressed to the virtual address, and refrains from storing subsequent flow state for the virtual address. When the virtual address is to be scaled up with an additional destination address, the load balancer sets a flag to distinguish the virtual address from virtual addresses that are associated with a single destination addresses. The load balancer instructs the router to route network packets that are addressed to the virtual address through the load balancer, instead of bypassing the load balancer, and starts storing flow state for the virtual address.

Abstract: Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.

Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.

Abstract: Discovery of intermediate network devices is performed using a technique that piggybacks upon the existing standard TCP (Transport Control Protocol) “SACK” (Selective Acknowledgment) option in a SYN/ACK packet so that discovery information may be shared between pair-wise-deployed peer intermediate devices when a TCP/IP connection (Transport Control Protocol/Internet Protocol) is first established between network endpoints using a conventional three-way handshake. Use of the SACK option is combined with another technique which comprises modifying the original 16-bit value of the TCP receive window size to a special arbitrary value to mark a SYN packet as being generated by a first peer device. The marked SYN when received by the second peer device triggers that device's discovery information to be piggybacked in the SACK option of the SYN/ACK packet. The first device then piggybacks its discovery information in the SACK option of the ACK packet which completes the three-way handshake.

Abstract: Methods of tuning a receive window. A receiving device and a sending device may be in communication over a network. The receiving device may advertise a receive window to the sending device. The size of the receive window may be adjusted over time based on one or more connection parameters, application parameters and/or operating system parameters.

Abstract: Bypassing a load balancer that initially appeared in a multi-message flow from a source machine served by a source intermediary and a target machine served on a target intermediary. One or more original network messages (and perhaps just the first) of the flow arrive from the source intermediary at the load balancer, which selects which machine is to be a destination machine, and it turns out selects the destination machine serviced by the destination intermediary. In response to receiving this message, the destination intermediary instructs the source intermediary to transmit subsequent messages in the flow in a manner that bypasses the load balancer. To facilitate this, the source intermediary may modify addressing of subsequent flow messages from the source machine such that they are rerouted to the destination machine without addressing the load balancer.

Abstract: The performance of multicast and/or broadcasting between virtual machines over a virtual network. A source hypervisor accesses a network message originated from a source virtual machine, and uses the network message to determine a virtual network address associated with destination virtual machines (after potentially resolving group virtual network addresses). Using each virtual network address, the hypervisor determines a physical network address of the corresponding hypervisor that supports the destination virtual machine, and also determines a unique identifier for the destination virtual machine. The source hypervisor may then dispatch the network message along with the unique identifier to the destination hypervisor over the physical network using the physical network address of the hypervisor. The destination hypervisor passes the network message to the destination virtual machine identified by the unique identifier.

Abstract: Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.

Abstract: A cloud computing environment providing a network service for a client computing entity. The network service is not an application level service, but rather a service that operates at or below the network layer in the protocol stack. For instance, the network service might be a network endpoint service such as a network address service (such as DNS) or a dynamic network service (such as DHCP), or a network traffic service such as a firewall service or a secure tunneling service (such as VPN). The service might also provide a pipeline of network services for network level traffic to and from the client computing entity. The cloud environment uses policy to determine which of a plurality of communication channels to use when exchanging cloud service data for the network service.

Abstract: Load balancing for single-address tenants. When a load balancer detects that a virtual address is associated with a single destination address, the load balancer sets a flag to distinguish the virtual address from virtual addresses that are associated with a plurality of destination addresses. The load balancer instructs the router to bypass the load balancer for network packets that are addressed to the virtual address, and refrains from storing subsequent flow state for the virtual address. When the virtual address is to be scaled up with an additional destination address, the load balancer sets a flag to distinguish the virtual address from virtual addresses that are associated with a single destination addresses. The load balancer instructs the router to route network packets that are addressed to the virtual address through the load balancer, instead of bypassing the load balancer, and starts storing flow state for the virtual address.

Abstract: The ensuring of predictable and quantifiable networking performance. Embodiments of the invention combine a congestion free network core with a hypervisor based (i.e., edge-based) throttling design to help insure quantitative and invariable subscription bandwidth rates. A lightweight shim layer in a hypervisor can adaptively throttle the rate of VM-to-VM traffic flow. A receiving hypervisor can detect congestion and communicate back to sending hypervisors that rates are to be regulated. In response, sending hypervisors can reduce transmission rate to mitigate congestion at the receiving hypervisor. In some embodiments, the principles are extended to any message processors communicating over a congestion free network.

Abstract: A delivery controller for use in an enterprise environment that communicates with a cloud computing environment that is providing a service for the enterprise. As the cloud service processing progresses, some cloud service data is transferred from the cloud computing environment to the enterprise environment, and vice versa. The cloud service data may be exchanged over any one of a number of different types of communication channels. The delivery controller selects which communication channel to use to transfer specific data, depending on enterprise policy. Such policy might consider any business goals of the enterprise, and may be applied at the application level.

Abstract: The provisioning of a host computing system by a controller located over a wide area network. The host computing system has power-on code that automatically executes upon powering up, and causes the host to notify the controller of the host address. In a first level of bootstrapping, the controller instructs the host to download a maintenance operating system. The host responds by downloading and installing a maintenance operating system, enabling further bootstrapping. The persistent memory may further have security data, such as a public key, that allows the host computing system to securely identify the source of the download instructions (and subsequent instructions) as originating from the controller. A second level of bootstrapping may accomplish the configuring of the host with a hypervisor and a host agent. A third level of bootstrapping may accomplish the provisioning of virtual machines on the host.

Abstract: The present invention extends to methods, systems, and computer program products for offloading virtual machine flows to physical queues. A computer system executes one or more virtual machines, and programs a physical network device with one or more rules that manage network traffic for the virtual machines. The computer system also programs the network device to manage network traffic using the rules. In particular, the network device is programmed to determine availability of one or more physical queues at the network device that are usable for processing network flows for the virtual machines. The network device is also programmed to identify network flows for the virtual machines, including identifying characteristics of each network flow. The network device is also programmed to, based on the characteristics of the network flows and based on the rules, assign one or more of the network flows to at least one of the physical queues.

Abstract: A system that includes multiple hosts, each running a plurality of virtual machines. The system may be, for example, a cloud computing environment in which there are services and a service coordination system that communicates with the hosts and with the services. The services include a middleware management service that is configured to maintain per-tenant middleware policy for each of multiple tenants. The middleware management service causes the middleware policy to be applied to network traffic by directing network traffic to a middleware enforcement mechanism. This middleware policy is per-tenant in that it depends on an identity of a tenant.

Abstract: Cloud computing platforms having computer-readable media that perform methods to shape virtual machine communication traffic. The cloud computing platform includes virtual machines and a controller. The controller limits the traffic associated with the virtual machines to enable the virtual machines to achieve desired communication rates, especially when a network servicing the virtual machines is congested. The controller may drop communication messages associated with the virtual machines based on a drop probability evaluated for the virtual machines.