Patents by Inventor Donghai Han

Donghai Han has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11570146
    Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.
    Type: Grant
    Filed: June 10, 2020
    Date of Patent: January 31, 2023
    Assignee: VMWARE, INC.
    Inventors: Danting Liu, Jianjun Shen, Abhishek Raut, Wenfeng Liu, Donghai Han
  • Publication number: 20220400053
    Abstract: The method of some embodiments allocates a secondary network interface for a pod, which has a primary network interface, in a container network operating on an underlying logical network. The method receives an ND that designates a network segment. The method receives the pod, wherein the pod includes an identifier of the ND. The method then creates a secondary network interface for the pod and connects the secondary network interface to the network segment. In some embodiments, the pods include multiple ND identifiers that each identify a network segment. The method of such embodiments creates multiple secondary network interfaces and attaches the multiple network segments to the multiple secondary network interfaces.
    Type: Application
    Filed: July 29, 2021
    Publication date: December 15, 2022
    Inventors: Danting Liu, Jianjun Shen, Wenfeng Liu, Rui Cao, Ran Gu, Donghai Han
  • Patent number: 11509686
    Abstract: In an embodiment, a computer-implemented method for DHCP-communications monitoring by a network controller in software defined networks is disclosed. A method comprises detecting that a virtualized compute instance is instantiated on a host computer; generating, and transmitting to a port manager executing on the host computer, instructions to set a BLOCK-EXCEPT-DHCP status on a port assigned to the virtualized compute instance; determining whether an IP address has been assigned to the port by a DHCP service; and if it has: generating, and transmitting to the port manager, instructions to set a NORMAL status on the port; generating, and transmitting to the port manager, a SpoofGuard configured with the IP address assigned to the port; based on notifications received from the SpoofGuard, determining whether the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed; and if it has, transmitting instructions to set the BLOCK-EXCEPT-DHCP status on the port.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: November 22, 2022
    Assignee: VMware, Inc.
    Inventors: Ye Luo, Qi Wu, Donghai Han
  • Patent number: 11500688
    Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.
    Type: Grant
    Filed: June 10, 2020
    Date of Patent: November 15, 2022
    Assignee: VMWARE, INC.
    Inventors: Danting Liu, Jianjun Shen, Kai Su, Qian Sun, Wenfeng Liu, Donghai Han
  • Patent number: 11470071
    Abstract: Example methods and systems for authentication for logical overlay network traffic are described. In one example, a first computer system may detect an inner packet and generate authentication information associated with the inner packet based on control information from a management entity. The authentication information may indicate that the inner packet originates from a trusted zone. The first computer system may further generate an encapsulated packet by encapsulating the inner packet with an outer header that specifies the authentication information, and send the encapsulated packet towards the second virtualized computing instance to cause a second computer system to verify that the inner packet originates from the trusted zone based on the authentication information.
    Type: Grant
    Filed: April 20, 2020
    Date of Patent: October 11, 2022
    Assignee: VMWARE, INC.
    Inventors: Ye Luo, Jinjun Gao, Qi Wu, Donghai Han
  • Publication number: 20220321495
    Abstract: Some embodiments provide a method of tracking errors in a container cluster network overlaying a software defined network (SDN), sometimes referred to as a virtual network. The method sends a request to instantiate a container cluster network object to an SDN manager of the SDN. The method then receives an identifier of a network resource of the SDN for instantiating the container cluster network object. The method associates the identified network resource with the container cluster network object. The method then receives an error message regarding the network resource from the SDN manager. The method identifies the error message as applying to the container cluster network object. The error message, in some embodiments, indicates a failure to initialize the network resource. The container cluster network object may be a namespace, a pod of containers, or a service.
    Type: Application
    Filed: May 28, 2021
    Publication date: October 6, 2022
    Inventors: Wenfeng Liu, Jianjun Shen, Ran Gu, Rui Cao, Donghai Han
  • Publication number: 20220291943
    Abstract: Some embodiments provide a local network controller that manages a first managed forwarding element (MFE) operating to forward traffic on a host machine for several logical networks and configures the first MFE to forward traffic for a set of containers operating within a container virtual machine (VM) that connects to the first MFE. The local network controller receives, from a centralized network controller, logical network configuration information for a logical network to which the set of containers logically connect. The local network controller receives, from the container VM, a mapping of a tag value used by a second MFE operating on the container VM to a logical forwarding element of the logical network to which the set of containers connect. The local network controller configures the first MFE to apply the logical network configuration information to data messages received from the container VM that are tagged with the tag value.
    Type: Application
    Filed: May 30, 2022
    Publication date: September 15, 2022
    Inventors: Somik Behera, Donghai Han, Jianjun Shen, Justin Pettit
  • Publication number: 20220283823
    Abstract: The disclosure provides an approach for providing an extendable system health management framework in a network. Embodiments include receiving, by a manager, a system health plugin. Embodiments include determining, by the manager, an association between the system health plugin and a host in the network based on the host satisfying one or more conditions. Embodiments include providing, by the manager, the system health plugin to the host for installation in a system health agent on the host. Embodiments include receiving, by the manager, from the host, status information for the system health plugin.
    Type: Application
    Filed: May 19, 2022
    Publication date: September 8, 2022
    Inventors: Ziyou WANG, Donghai HAN, Chaitanya KODEBOYINA, Qi WU, Qiong WANG, Wenfeng LIU
  • Publication number: 20220182439
    Abstract: Some embodiments of the invention provide a method for identifying network resources related to an intent-based Application Programming Interface (API) request for a service to be implemented for a network. The method, in some embodiments, is performed by an API server (e.g., executing on a master node) in a Kubernetes network. The API server receives sets of criteria for identifying network resources related to the requested service and sets of instructions for retrieving information associated with network resources identified by the sets of criteria. The sets of criteria and sets of instructions are based on an API request for a resource selector object. The resource selector object, in some embodiments, is a custom resource that is used to define the sets of criteria and the sets of instructions and is based on a custom resource definition (CRD) provided by a user.
    Type: Application
    Filed: December 4, 2020
    Publication date: June 9, 2022
    Inventors: Zhengsheng Zhou, Xiaopei Liu, Wenfeng Liu, Donghai Han
  • Patent number: 11356362
    Abstract: Example methods and systems for a network management entity to perform adaptive packet flow monitoring. One example method may comprise receiving a request to monitor a packet flow between a first virtualized computing instance supported by a first host and a second virtualized computing instance supported by a second host. The method may also comprise activating a first set of checkpoints by instructing the first host and/or the second host to monitor the packet flow using the first set of checkpoints. The method may further comprise: in response to detecting a predetermined event based on first performance metric information associated with the packet flow, activating a second set of checkpoints by instructing the first host and/or the second host to monitor the packet flow using the second set of checkpoints.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: June 7, 2022
    Assignee: VMWARE, INC.
    Inventors: Ming Shu, Wenyu Zhang, Qiong Wang, Donghai Han
  • Patent number: 11349736
    Abstract: Example methods and systems for flow-based latency measurement for logical overlay network traffic are described. In one example, in response to detecting a first inner data packet associated with a packet flow, a first computer system may generate and send a first encapsulated packet via a logical overlay tunnel towards a second computer system. The first encapsulated packet may be generated by encapsulating the first inner data packet with a first outer header that includes first time information associated with the first inner data packet at the first computer system. In response to detecting a second encapsulated packet from the second computer system via the logical overlay tunnel, the first computer system may determine a flow-based latency measurement associated with the packet flow based on the first time information, and second time information identified from a second outer header of the second encapsulated packet.
    Type: Grant
    Filed: November 9, 2020
    Date of Patent: May 31, 2022
    Assignee: VMWARE, INC.
    Inventors: Xi Cheng, Haoran Chen, Xiaoyan Jin, Caixia Jiang, Qiong Wang, Donghai Han
  • Patent number: 11347537
    Abstract: Some embodiments provide a local network controller that manages a first managed forwarding element (MFE) operating to forward traffic on a host machine for several logical networks and configures the first MFE to forward traffic for a set of containers operating within a container virtual machine (VM) that connects to the first MFE. The local network controller receives, from a centralized network controller, logical network configuration information for a logical network to which the set of containers logically connect. The local network controller receives, from the container VM, a mapping of a tag value used by a second MFE operating on the container VM to a logical forwarding element of the logical network to which the set of containers connect. The local network controller configures the first MFE to apply the logical network configuration information to data messages received from the container VM that are tagged with the tag value.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: May 31, 2022
    Assignee: NICIRA, INC.
    Inventors: Somik Behera, Donghai Han, Jianjun Shen, Justin Pettit
  • Patent number: 11340916
    Abstract: The disclosure provides an approach for providing an extendable system health management framework in a network. Embodiments include receiving, by a manager, a system health plugin. Embodiments include determining, by the manager, an association between the system health plugin and a host in the network based on the host satisfying one or more conditions. Embodiments include providing, by the manager, the system health plugin to the host for installation in a system health agent on the host. Embodiments include receiving, by the manager, from the host, status information for the system health plugin.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: May 24, 2022
    Assignee: VMWARE, INC.
    Inventors: Ziyou Wang, Donghai Han, Chaitanya Kodeboyina, Wu Qi, Qiong Wang, Wenfeng Liu
  • Publication number: 20220150147
    Abstract: Example methods and systems for flow-based latency measurement for logical overlay network traffic are described. In one example, in response to detecting a first inner data packet associated with a packet flow, a first computer system may generate and send a first encapsulated packet via a logical overlay tunnel towards a second computer system. The first encapsulated packet may be generated by encapsulating the first inner data packet with a first outer header that includes first time information associated with the first inner data packet at the first computer system. In response to detecting a second encapsulated packet from the second computer system via the logical overlay tunnel, the first computer system may determine a flow-based latency measurement associated with the packet flow based on the first time information, and second time information identified from a second outer header of the second encapsulated packet.
    Type: Application
    Filed: November 9, 2020
    Publication date: May 12, 2022
    Applicant: VMware, Inc.
    Inventors: Xi CHENG, Haoran CHEN, Xiaoyan JIN, Caixia JIANG, Qiong WANG, Donghai HAN
  • Patent number: 11301278
    Abstract: Example methods are provided for a host to perform packet handling based on a microprocessor architecture configuration that includes a first node and a second node. One example method may comprise detecting, from a virtualized computing instance supported by the host, an egress packet for transmission to a destination via one of multiple physical network interface controllers (PNICs) of the host. The method may also comprise: identifying the first node assigned to the virtualized computing instance and selecting a first PNIC associated with the first node assigned to the virtualized computing instance. The multiple PNICs may include the first PNIC, and a second PNIC associated with the second node. The method may further comprise sending the egress packet to the destination via the first PNIC associated with the first node.
    Type: Grant
    Filed: April 25, 2018
    Date of Patent: April 12, 2022
    Assignee: VMWARE, INC.
    Inventors: Jingchun Jiang, Donghai Han
  • Publication number: 20220107825
    Abstract: Techniques for measuring the memory usage of Java programs are provided. In one set of embodiments, a Java agent can detect that a Java Virtual Machine (JVM) is loading a Java class used by a Java program. The Java agent can further determine a class name of the Java class and determine that the class name matches an entry in a first list included in a user-defined configuration file. The Java agent can then dynamically insert bytecode into a constructor of the Java class, where the inserted bytecode includes logic for registering a memory reference to an object created via the constructor.
    Type: Application
    Filed: July 11, 2019
    Publication date: April 7, 2022
    Inventors: Weiqiang Tang, Wenfeng Liu, Mengdie Song, Donghai Han, Wenying Dong, Rui Cao, Qi Wu
  • Publication number: 20220086150
    Abstract: Example methods and systems are provided for location-aware service request handling. The method may comprise: generating and sending location information associated with a virtualized computing instance to a service node or a management entity for transmission to the service node. The location information may identify logical element(s) to which the virtualized computing instance is connected. The method may further comprise: in response to detecting, from the virtualized computing instance, a service request for a service from the service node, generating a modified service request by modifying the service request to include the location information associated with the virtualized computing instance; and sending the modified service request towards the service node.
    Type: Application
    Filed: November 23, 2021
    Publication date: March 17, 2022
    Applicant: VMware, Inc.
    Inventors: YE LUO, QI WU, DONGHAI HAN
  • Publication number: 20220078112
    Abstract: A method of creating containers in a physical host that includes a managed forwarding element (MFE) configured to forward packets to and from a set of data compute nodes (DCNs) hosted by the physical host. The method creates a container DCN in the host. The container DCN includes a virtual network interface card (VNIC) configured to exchange packets with the MFE. The method creates a plurality of containers in the container DCN. The method, for each container in the container DCN, creates a corresponding port on the MFE. The method sends packets addressed to each of the plurality of containers from the corresponding MFE port to the VNIC of the container DCN.
    Type: Application
    Filed: November 14, 2021
    Publication date: March 10, 2022
    Inventors: Jianjun Shen, Donghai Han, Vadim Egorov, Corentin Derbois
  • Publication number: 20220058036
    Abstract: The disclosure provides an approach for providing an extendable system health management framework in a network. Embodiments include receiving, by a manager, a system health plugin. Embodiments include determining, by the manager, an association between the system health plugin and a host in the network based on the host satisfying one or more conditions. Embodiments include providing, by the manager, the system health plugin to the host for installation in a system health agent on the host. Embodiments include receiving, by the manager, from the host, status information for the system health plugin.
    Type: Application
    Filed: October 13, 2020
    Publication date: February 24, 2022
    Inventors: Ziyou WANG, Donghai HAN, Chaitanya KODEBOYINA, Wu QI, Qiong WANG, Wenfeng LIU
  • Publication number: 20220045932
    Abstract: Example methods and systems for intent-based network virtualization design are disclosed. One example may comprise: obtaining configuration information and traffic information associated with multiple virtualized computing instances, processing the configuration information and traffic information to identify network connectivity intents and mapping the network connectivity intents to a logical network topology template. Based on a switching intent, a first group may be assigned to a logical network domain and the logical network topology template modified to include a logical switching element. Based on a routing intent, the logical network topology template may be modified to include a logical routing element. A logical network may be configured based on the modified logical network topology template to satisfy the switching intent and routing intent.
    Type: Application
    Filed: October 25, 2021
    Publication date: February 10, 2022
    Applicant: VMware, Inc.
    Inventors: Ziyou WANG, Donghai HAN, Mengdie SONG, Rui CAO