Patents by Inventor Donghai Han

Donghai Han has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170244674
    Abstract: Example methods are provided for a firewall controller to implement a distributed firewall in a virtualized computing environment that includes a source host and a destination host. The method may comprise retrieving a first firewall rule that is applicable at the destination host to an ingress packet destined for a destination virtualized computing instance supported by the destination host; and based on the first firewall rule, generating a second firewall rule that is applicable at the source host to an egress packet destined for the destination virtualized computing instance. The method may further comprise instructing the source host to apply the second firewall rule to, in response to determination that the egress packet is blocked by the second firewall rule, drop the egress packet such that the egress packet is not sent from the source host to the destination host.
    Type: Application
    Filed: February 23, 2016
    Publication date: August 24, 2017
    Applicant: NICIRA, INC.
    Inventor: Donghai HAN
  • Publication number: 20170244673
    Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC. In response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.
    Type: Application
    Filed: February 23, 2016
    Publication date: August 24, 2017
    Applicant: NICIRA, INC.
    Inventor: Donghai HAN
  • Publication number: 20170220697
    Abstract: A method of determining the span of logical entities in a network is provided. The method generates a directed graph. Each node of the graph corresponds to a logical network entity. Each edge of the graph has one or two directions. A direction from a first node to a second node identifies the first node as the source of span for the second node. The method determines the span of each node based on the direction of the edges of the directed graph. The method groups each set of nodes that are accessible by all other nodes in the set in a strongly connected component (SCC) sub-graph. The method generates a group node in a directed acyclic graph (DAG) to correspond to each SCC sub-graph in the directed graph. The method assigns the span of each SCC to the corresponding group node of the DAG.
    Type: Application
    Filed: January 29, 2016
    Publication date: August 3, 2017
    Inventors: Da Wan, Jianjun Shen, Maxim Novikov, Donghai Han, Hua Wang
  • Publication number: 20170180249
    Abstract: A method of creating containers in a physical host that includes a managed forwarding element (MFE) configured to forward packets to and from a set of data compute nodes (DCNs) hosted by the physical host. The method creates a container DCN in the host. The container DCN includes a virtual network interface card (VNIC) configured to exchange packets with the MFE. The method creates a plurality of containers in the container DCN. The method, for each container in the container DCN, creates a corresponding port on the MFE. The method sends packets addressed to each of the plurality of containers from the corresponding MFE port to the VNIC of the container DCN.
    Type: Application
    Filed: December 16, 2015
    Publication date: June 22, 2017
    Inventors: Jianjun Shen, Ganesan Chandrashekhar, Donghai Han, Jingchun Jason Jiang, Wenyi Jiang, Ayyappan Veeraiyan
  • Publication number: 20170180250
    Abstract: A method of communicating packets in a physical host that includes a managed forwarding element (MFE) configured to communicate packets to a set of containers in a data compute node (DCN) hosted by the physical host. The method receives a packet from a particular container in the container DCN. The packet includes a tag that includes an identification of the particular container. The method uses the identification of the particular container included in the tag to identify a port of the MFE that corresponds to the particular container. The method removes the tag from the packet. The method forwards the un-tagged packet to the port of the MFE that corresponds to the particular container.
    Type: Application
    Filed: December 16, 2015
    Publication date: June 22, 2017
    Inventors: Jianjun Shen, Vadim Egorov, Donghai Han, Corentin Derbois
  • Publication number: 20170171055
    Abstract: Some embodiments provide a method for diagnosing a logical network that includes several logical forwarding elements (LFEs) that logically connects a number of data compute nodes (DCNs) to each other. The method identifies a set of LFEs that logically connects a first DCN of the several DCNs to a second DCN. The method also identifies a transport node that couples to the first DCN and implements the set of LFEs. The method then, for each LFE in the set of LFEs (i) receives a first state of the LFE from the transport node, (ii) compares the first state of the LFE with a second state of the LFE that is received from a controller of the LFE, and (iii) reports the LFE as a problematic LFE along with the transport node and the controller of the LFE when the first and second states of the LFE do not match.
    Type: Application
    Filed: February 1, 2016
    Publication date: June 15, 2017
    Inventors: Xin Wang, Jianjun Shen, Yusheng Wang, Hua Wang, Donghai Han
  • Publication number: 20170163487
    Abstract: A method of allocating network bandwidth in a network that includes several tenant virtual machines (VMs). The method calculates a first bandwidth reservation for a flow between a source VM and a destination VM that are hosted on two different host machines. The source VM sends packets to a first set of VMs that includes the destination VM. The destination VM receives packets from a second set of VMs that includes the source VM. The method receives a second bandwidth reservation for the flow calculated at the destination. The method sets the bandwidth reservation for the flow as a minimum of the first and second bandwidth reservations.
    Type: Application
    Filed: February 17, 2017
    Publication date: June 8, 2017
    Inventors: Hua Wang, Jianjun Shen, Donghai Han, Caixia Jiang
  • Publication number: 20170126559
    Abstract: Some embodiments provide a method for a first managed forwarding element operating within a first data compute node (DCN) that executes on a host machine. From the first DCN, the method receives a packet destined for a second DCN that is logically connected to the first DCN through a set of logical forwarding elements of a logical network. The method performs forwarding processing on the packet in order to (i) identify a particular logical forwarding element in the set of logical forwarding elements, a logical port of which is coupled to the second DCN, and (ii) identify a second managed forwarding element that implements the logical port of the particular logical forwarding element. The method forwards the packet to the second managed forwarding element.
    Type: Application
    Filed: November 30, 2015
    Publication date: May 4, 2017
    Inventors: Donghai Han, Meiwen Li
  • Publication number: 20170126726
    Abstract: Some embodiments provide a method for securing a managed forwarding element (MFE) that operates within a data compute node (DCN) executing in a host machine. The method receives, from the MFE, a message to increase a local counter value by a first number when the MFE sends the first number of packets to a network interface controller (NIC). The method receives, from the NIC, a second number that indicates a total number of packets that the NIC has received from the MFE. The method compares the received second number with the local counter value after increasing the local counter value by the first number. The method determines that the DCN is under a malicious attack when the local counter value does not match the second number.
    Type: Application
    Filed: November 30, 2015
    Publication date: May 4, 2017
    Inventor: Donghai Han
  • Publication number: 20170126431
    Abstract: Some embodiments provide a method for a managed forwarding element (MFE) operating within a first data compute node (DCN) that executes on a first host machine. The MFE is for implementing a logical network that logically connects the first DCN to a plurality of other DCNs. At the MFE, the method receives several packets generated within the first DCN to be forwarded to a second DCN that is logically connected to the first DCN. The method determines whether the second DCN executes on the first host machine or on a second, different host machine. When the second DCN executes on the first host machine, the method stores the packets in a memory space of the first host machine that is shared between the first and second DCNs.
    Type: Application
    Filed: November 30, 2015
    Publication date: May 4, 2017
    Inventors: Donghai Han, Meiwen Li
  • Publication number: 20170123832
    Abstract: Some embodiments provide a method for securing a managed forwarding element (MFE) that operates in a data compute node (DCN) executing in a host machine. The method receives a notification that the MFE is loaded on the DCN. The MFE is for implementing a set of logical forwarding elements of a logical network that logically connects the DCN to several other DCNs. The method secures the MFE by isolating, in a physical memory of the host machine, executable code and data of the MFE from executable code and data of other applications that execute in the DCN.
    Type: Application
    Filed: November 30, 2015
    Publication date: May 4, 2017
    Inventor: Donghai Han
  • Publication number: 20170093754
    Abstract: A method of defining a virtual network across a plurality of physical hosts is provided. At least two hosts utilize network virtualization software provided by two different vendors. Each host hosts a set of data compute nodes (DCNs) for one or more tenants. The method, at an agent at a host, receives a command from a network controller; the command includes (i) an identification of a resource on a tenant logical network and (ii) an action to perform on the identified resource. The method, at the agent, determines the network virtualization software utilized by the host. The method, at the agent, translates the received action into a set of configuration commands compatible with the network virtualization software utilized by the host. The method sends the configuration commands to a network configuration interface on the host to perform the action on the identified resource.
    Type: Application
    Filed: January 25, 2016
    Publication date: March 30, 2017
    Inventors: Bolt Zhang, Jianjun Shen, Jianwei Ma, Donghai Han, Ram D. Singh, Frank Pan
  • Publication number: 20170060665
    Abstract: A novel centralized troubleshooting tool that enables a user to troubleshoot a distributed virtual network with a single consistent user interface is provided. The distributed virtual network being monitored or debugged by the centralized troubleshooting tool includes different types of logical resources (LRs) that are placed or distributed across different physical endpoints (PEs). The centralized troubleshooting tool provides functions that allow the user to invoke commands on different physical endpoints in order to collect information about the logical resources running in those physical endpoints. This allows the user to compare and analyze the information from different PEs for the same LR.
    Type: Application
    Filed: August 28, 2015
    Publication date: March 2, 2017
    Inventors: Xin Wang, Yusheng Wang, Jianjun Shen, Donghai Han, Hua Wang, Chidambareswaran Raman, Akhila Naveen, Raju Koganty
  • Publication number: 20170063642
    Abstract: A novel centralized troubleshooting tool that enables a user to troubleshoot a distributed virtual network with a single consistent user interface is provided. The distributed virtual network being monitored or debugged by the centralized troubleshooting tool includes different types of logical resources (LRs) that are placed or distributed across different physical endpoints (PEs). The centralized troubleshooting tool provides functions that allow the user to invoke commands on different physical endpoints in order to collect information about the logical resources running in those physical endpoints. This allows the user to compare and analyze the information from different PEs for the same LR.
    Type: Application
    Filed: August 28, 2015
    Publication date: March 2, 2017
    Inventors: Xin Wang, Yusheng Wang, Jianjun Shen, Donghai Han, Hua Wang, Chidambareswaran Raman, Akhila Naveen, Raju Koganty
  • Publication number: 20170063651
    Abstract: A novel centralized troubleshooting tool that enables a user to troubleshoot a distributed virtual network with a single consistent user interface is provided. The distributed virtual network being monitored or debugged by the centralized troubleshooting tool includes different types of logical resources (LRs) that are placed or distributed across different physical endpoints (PEs). The centralized troubleshooting tool provides functions that allow the user to invoke commands on different physical endpoints in order to collect information about the logical resources running in those physical endpoints. This allows the user to compare and analyze the information from different PEs for the same LR.
    Type: Application
    Filed: August 28, 2015
    Publication date: March 2, 2017
    Inventors: Xin Wang, Yusheng Wang, Jianjun Shen, Donghai Han, Hua Wang, Chidambareswaran Raman, Akhila Naveen, Raju Koganty
  • Patent number: 9575794
    Abstract: A method of allocating network bandwidth in a network that includes several tenant virtual machines (VMs). The method calculates a first bandwidth reservation for a flow between a source VM and a destination VM that are hosted on two different host machines. The source VM sends packets to a first set of VMs that includes the destination VM. The destination VM receives packets from a second set of VMs that includes the source VM. The method receives a second bandwidth reservation for the flow calculated at the destination. The method sets the bandwidth reservation for the flow as a minimum of the first and second bandwidth reservations.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: February 21, 2017
    Assignee: NICIRA, INC.
    Inventors: Hua Wang, Jianjun Shen, Donghai Han, Caixia Jiang
  • Patent number: 9558029
    Abstract: Some embodiments provide a method for a first managed forwarding element (MFE). The method receives a data message that includes a logical context tag that identifies a logical port of a particular logical forwarding element. Based on the logical context tag, the method adds a local tag to the data message. The local tag is associated with the particular logical forwarding element, which is one of several logical forwarding elements to which one or more containers operating on a container virtual machine (VM) belong. The container VM connects to the first MFE. The method delivers the data message to the container VM without any logical context. A second MFE operating on the container VM uses the local tag to forward the data message to a correct container of several containers operating on the container VM.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: January 31, 2017
    Assignee: NICIRA, INC.
    Inventors: Somik Behera, Donghai Han, Jianjun Shen, Justin Pettit
  • Patent number: 9548965
    Abstract: Some embodiments use proxies on host devices to suppress broadcast traffic in a network. Each host in some embodiments executes one or more virtual machines (VMs). In some embodiments, a proxy operates on each host between each VM and the underlying network. For instance, in some of these embodiments, a VM's proxy operates between the VM and a physical forwarding element executing on the VM's host. The proxy monitors the VM's traffic, and intercepts broadcast packets when it knows how to deal with them. The proxy connects to a set of one or more controllers that provides a directory service that collects and maintains global information of the network. By connecting to the controller cluster, the proxy can obtain information that it can use to resolve broadcast requests. In some embodiments, the connection between the proxy and the controller cluster is encrypted and authenticated, to enhance the security.
    Type: Grant
    Filed: November 1, 2013
    Date of Patent: January 17, 2017
    Assignee: NICIRA, INC.
    Inventors: Hua Wang, Jianjun Shen, Donghai Han, Caixia Jiang, Wei Lu, Rahul Korivi Subramaniyam
  • Patent number: 9529619
    Abstract: A physical computing device that operates in a network. The device includes a group of tenant virtual machines (VMs). Each VM is hosted on a host machine that includes virtualization software. The device receives network bandwidth allocation policies for the group of VMs. The device determines a set of potential communication peers for each VM. The device sends the network bandwidth allocation policy of each VM to the virtualization software of the host machines of each potential communication peer of the VM.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: December 27, 2016
    Assignee: NICIRA, INC.
    Inventors: Hua Wang, Jianjun Shen, Donghai Han, Caixia Jiang
  • Patent number: 9531676
    Abstract: Some embodiments use proxies on host devices to suppress broadcast traffic in a network. Each host in some embodiments executes one or more virtual machines (VMs). In some embodiments, a proxy operates on each host between each VM and the underlying network. For instance, in some of these embodiments, a VM's proxy operates between the VM and a physical forwarding element executing on the VM's host. The proxy monitors the VM's traffic, and intercepts broadcast packets when it knows how to deal with them. The proxy connects to a set of one or more controllers that provides a directory service that collects and maintains global information of the network. By connecting to the controller cluster, the proxy can obtain information that it can use to resolve broadcast requests. In some embodiments, the connection between the proxy and the controller cluster is encrypted and authenticated, to enhance the security.
    Type: Grant
    Filed: November 1, 2013
    Date of Patent: December 27, 2016
    Assignee: NICIRA, INC.
    Inventors: Hua Wang, Jianjun Shen, Donghai Han, Caixia Jiang, Wei Lu, Rahul Korivi Subramaniyam
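
The span computation described in publication 20170220697 (directed graph of logical entities, strongly connected components collapsed into DAG group nodes, span assigned per group) can be made concrete with a small worked example. The code below is an added illustration written for this listing, not code from the patent or from Nicira; the entity names (vm-web, ls-web, lr-1, dhcp-1), the host names and the edge set are a constructed sample. Edge u -> v means u is a source of span for v; a router and its attached switches point at each other, so they form one SCC and share a span.

```python
from collections import defaultdict

# Constructed sample (assumption, not from the patent): which transport
# nodes each logical entity is directly placed on. Switches, the router
# and the DHCP profile have no intrinsic placement and inherit span.
INTRINSIC = {
    "vm-web": {"host-1"}, "vm-db": {"host-2"}, "vm-app": {"host-3"},
    "ls-web": set(), "ls-db": set(), "ls-app": set(),
    "lr-1": set(), "dhcp-1": set(),
}

# u -> v: u is a span source for v, so span(v) must include span(u).
# ls-web <-> lr-1 and ls-db <-> lr-1 are the two-direction edges.
EDGES = {
    "vm-web": {"ls-web"}, "vm-db": {"ls-db"}, "vm-app": {"ls-app"},
    "ls-web": {"lr-1"}, "ls-db": {"lr-1"}, "lr-1": {"ls-web", "ls-db"},
    "ls-app": {"dhcp-1"},
}


def tarjan_scc(nodes, edges):
    """Tarjan's algorithm. Returns the SCCs as frozensets, in reverse
    topological order of the condensation DAG (sink components first)."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    counter = [0]

    def strongconnect(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in edges.get(v, ()):
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of an SCC
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(frozenset(comp))

    for v in nodes:
        if v not in index:
            strongconnect(v)
    return sccs


def compute_spans(intrinsic, edges):
    """Collapse SCCs into DAG group nodes, then propagate span along the
    DAG edges so every node ends up with the union of its own placement
    and the spans of all groups that feed it."""
    nodes = list(intrinsic)
    sccs = tarjan_scc(nodes, edges)
    group_of = {v: i for i, comp in enumerate(sccs) for v in comp}
    preds = defaultdict(set)             # DAG edges between group nodes
    for u, succs in edges.items():
        for v in succs:
            if group_of[u] != group_of[v]:
                preds[group_of[v]].add(group_of[u])
    group_span = {}
    # Reversed Tarjan order is a topological order: sources before sinks,
    # so every predecessor group already has its span when we reach it.
    for gi in reversed(range(len(sccs))):
        span = set()
        for v in sccs[gi]:
            span |= intrinsic[v]
        for gp in preds[gi]:
            span |= group_span[gp]
        group_span[gi] = frozenset(span)
    return {v: group_span[group_of[v]] for v in nodes}


def example_spans():
    return compute_spans(INTRINSIC, EDGES)
```

With this input ls-web, ls-db and lr-1 are one SCC and all resolve to {host-1, host-2}, while ls-app and dhcp-1 stay confined to host-3. The point of the SCC step is that a cycle never has to be walked repeatedly: every node in it gets exactly the group's span.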
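
Publications 20170244674 and 20170244673 describe the same idea from two ends: a VNIC-level ingress rule at the destination is rewritten into an egress rule applied at the source host (so a blocked packet never leaves that host) and into a PNIC-level rule at the destination host (so it never reaches the VNIC). The following is an added example for this listing, not the patents' or Nicira's code; the Rule fields, the inventory of VMs, hosts and addresses, and the "first match wins" evaluation order are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    applied_at: str        # "vnic:<vm>", "host:<host>" (egress) or "pnic:<host>"
    direction: str         # "in" or "out"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "drop"


# Constructed sample inventory (assumption): vm -> (host, ip).
INVENTORY = {
    "vm-web": ("host-1", "10.0.1.10"),
    "vm-app": ("host-1", "10.0.1.20"),
    "vm-db":  ("host-2", "10.0.2.10"),
    "vm-mon": ("host-2", "10.0.2.20"),
}

# VNIC-level ingress policy for vm-db, first match wins: only vm-app may
# reach MySQL, everything else is dropped.
VNIC_RULES = [
    Rule("r1", "vnic:vm-db", "in", "10.0.1.20/32", "10.0.2.10/32", "tcp", 3306, "allow"),
    Rule("r2", "vnic:vm-db", "in", "0.0.0.0/0",    "10.0.2.10/32", "any", None, "drop"),
]


def matches(rule: Rule, pkt: dict) -> bool:
    return (ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt["dport"]))


def evaluate(rules, pkt, default="allow") -> str:
    for r in rules:                      # first match wins
        if matches(r, pkt):
            return r.action
    return default


def derive_rules(vnic_rules, inventory):
    """Controller side: from each destination-VNIC ingress rule derive
    (a) an egress rule for every other host and (b) a PNIC-level ingress
    rule for the destination host. Match fields and relative order are
    kept; only where the rule is applied and its direction change."""
    egress, pnic = defaultdict(list), defaultdict(list)
    hosts = sorted({h for h, _ in inventory.values()})
    for r in vnic_rules:
        if r.direction != "in":
            continue
        dst_host = inventory[r.applied_at.split(":", 1)[1]][0]
        pnic[dst_host].append(replace(r, rule_id=r.rule_id + "-pnic",
                                      applied_at=f"pnic:{dst_host}"))
        for h in hosts:
            if h != dst_host:
                egress[h].append(replace(r, rule_id=r.rule_id + "-egress",
                                         applied_at=f"host:{h}", direction="out"))
    return egress, pnic


EGRESS, PNIC = derive_rules(VNIC_RULES, INVENTORY)


def simulate(src_vm: str, dst_vm: str, proto: str, dport: int) -> str:
    """Data path: report where along the way a packet is dropped, if at all."""
    src_host, src_ip = INVENTORY[src_vm]
    dst_host, dst_ip = INVENTORY[dst_vm]
    pkt = {"src": src_ip, "dst": dst_ip, "proto": proto, "dport": dport}
    if src_host != dst_host:
        if evaluate(EGRESS[src_host], pkt) == "drop":
            return "dropped:source-egress"       # never leaves the source host
        if evaluate(PNIC[dst_host], pkt) == "drop":
            return "dropped:destination-pnic"    # never reaches the VNIC
    vnic_rules = [r for r in VNIC_RULES if r.applied_at == f"vnic:{dst_vm}"]
    if evaluate(vnic_rules, pkt) == "drop":
        return "dropped:destination-vnic"        # still the authoritative check
    return "delivered"
```

Two details matter in practice. The allow rule is derived alongside the drop rule and the original ordering is preserved, because an ordered rule set only has meaning as a whole: shipping just the drop rule to the source host would block vm-app as well. And the VNIC-level rule is still evaluated at the end; the derived egress and PNIC rules are an early-drop optimisation for cross-host traffic, which is why a same-host packet from vm-mon is only caught at the VNIC.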
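
Publication 20170180250 and patent 9558029 both rely on a per-container tag that the host MFE reads, resolves to a port, and strips before forwarding. The abstracts do not say what the tag is; the example below, added for this listing and not taken from the patents or from Nicira, assumes it is an 802.1Q VLAN header and that the controller has assigned each container a VLAN ID mapped to an MFE port. The MAC addresses, VLAN IDs and port names are constructed.

```python
import struct

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800

# Constructed mapping (assumption): container tag -> MFE port.
PORT_BY_TAG = {101: "mfe-port-c1", 102: "mfe-port-c2"}


def build_tagged_frame(dst_mac: bytes, src_mac: bytes, tag: int,
                       ethertype: int, payload: bytes) -> bytes:
    """What the container VM emits towards the MFE: dst, src, then the
    4-byte 802.1Q header (TPID, TCI with VID=tag) ahead of the real EtherType."""
    if not 1 <= tag <= 4094:
        raise ValueError("VLAN ID out of range")
    return dst_mac + src_mac + struct.pack("!HHH", ETH_P_8021Q, tag, ethertype) + payload


def demux(frame: bytes):
    """MFE side: read the tag, resolve the port, strip the tag.
    Returns (port, untagged_frame); raises ValueError for frames to drop."""
    if len(frame) < 18:                       # 12 bytes of MACs + 4 tag + 2 EtherType
        raise ValueError("truncated frame")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETH_P_8021Q:
        raise ValueError("untagged frame: container cannot be identified")
    vid = tci & 0x0FFF                        # low 12 bits of the TCI carry the VID
    port = PORT_BY_TAG.get(vid)
    if port is None:
        raise ValueError(f"no MFE port for container tag {vid}")
    untagged = frame[:12] + frame[16:]        # drop bytes 12..15, keep the rest
    return port, untagged


def demux_or_drop(frame: bytes):
    """Convenience wrapper: None means the MFE drops the frame."""
    try:
        return demux(frame)
    except ValueError:
        return None
```

Frames with no tag or with a tag that maps to no port are dropped rather than forwarded to a default port; silently delivering them would let a container reach a port that was never provisioned for it.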