Abstract: In an embodiment, a computer-implemented method for dynamically exchanging runtime state data between datacenters with a gateway using a controller bridge is disclosed. In an embodiment, the method comprises: receiving one or more first runtime state data from one or more logical sharding central control planes (“CCPs”) controlling one or more logical sharding hosts; receiving one or more second runtime state data from a gateway that is controlled by a CCP that also controls one or more physical sharding hosts; aggregating to aggregated runtime state data, the one or more first runtime state data received from the one or more logical sharding CCPs and the one or more second runtime state data received from the gateway; determining updated runtime state data based on the aggregated runtime state data, the one or more first runtime state data, and the one or more second runtime state data; and transmitting the updated runtime state data to at least one of the one or more logical sharding CCPs and the gateway.

Abstract: In an embodiment, a computer-implemented method for dynamically exchanging runtime state data between datacenters using a controller bridge is disclosed. In an embodiment, the method comprises: requesting, and receiving, one or more first runtime state data from one or more logical sharding central control planes (“CCPs”) controlling one or more logical sharding hosts; requesting, and receiving, one or more second runtime state data from one or more physical sharding CCPs controlling one or more physical sharding hosts; aggregating, to aggregated runtime state data, the one or more first runtime state data and the one or more second runtime state data; determining updated runtime state data based on the aggregated runtime state data, the one or more first runtime state data, and the one or more second runtime state data; and transmitting the updated runtime state data to the logical sharding CCPs and physical sharding CCPs.

Abstract: Some embodiments provide a method for a first managed forwarding element operating within a first data compute node (DCN) that executes on a host machine. From the first DCN, the method receives a packet destined for a second DCN that is logically connected to the first DCN through a set of logical forwarding elements of a logical network. The method performs forwarding processing on the packet in order to (i) identify a particular logical forwarding element in the set of logical forwarding elements, a logical port of which is coupled to the second DCN, and (ii) identify a second managed forwarding element that implements the logical port of the particular logical forwarding element. The method forwards the packet to the second managed forwarding element.

Abstract: Some embodiments provide a method for providing a continuous mirroring session between a monitored data compute node (DCN) and a monitoring DCN. The method provides such uninterrupted mirroring session regardless of relocations of the DCNs during the mirroring session. In some embodiments, the method dynamically switches between local mirroring and remote mirroring based on the positions of the monitored DCN and the monitoring DCN. Upon receiving a data message from a port of a forwarding element (i.e., a monitored port), to which a monitored DCN is coupled, the method duplicates the data message. The method then sends the duplicated data message either to a monitoring DCN that executes on the same host machine, or adds particular tunneling data to the duplicated data message and tunnels the duplicated data message to a remote host machine, on which the monitoring DCN executes.

Abstract: A method of mirroring packets in a network. The method assigns an Internet protocol (IP) multicast address to an overlay network for transmitting mirrored packets. The method connects a set of monitoring data compute nodes (DCNs) to the overlay network for receiving the mirrored packets. The method adds the monitoring DCNs to an IP multicast group for the overlay network. The method associates a port of a mirrored DCN to the overlay network for packet mirroring. The method duplicates each packet received or transmitted at the port as a mirrored packet. The method encapsulates each mirrored packet with the IP multicast address of the overlay network. The method transmits each encapsulated packet on the overlay network.

Abstract: Example methods and systems are provided for location-aware service request handling. The method may comprise: generating and sending location information associated with virtualized computing instance to a service node or a management entity for transmission to the service node. The location information may identify logical element(s) to which the virtualized computing instance is connected. The method may further comprise: in response to detecting, from the virtualized computing instance, a service request for a service from the service node, generating a modified service request by modifying the service request to include the location information associated with the virtualized computing instance; and sending the modified service request towards the service node.

Abstract: Certain embodiments described herein are generally directed to configuring a generic channel for exchanging information between a hypervisor and a virtual machine run by the hypervisor that resides on a host machine. In some embodiments, the generic channel represents a network or communication path enabled by a logical switch that connects a HyperBus running on the hypervisor and a node agent running on the virtual machine. In some embodiments, network traffic handled by the generic channel is isolated from incoming and outgoing network traffic between the virtual machine and one or more other virtual machines or hosts.

Abstract: Some embodiments provide a method for diagnosing a logical network that includes several logical forwarding elements (LFEs) that logically connects a number of data compute nodes (DCNs) to each other. The method identifies a set of LFEs that logically connects a first DCN of the several DCNs to a second DCN. The method also identifies a transport node that couples to the first DCN and implements the set of LFEs. The method then, for each LFE in the set of LFEs (i) receives a first state of the LFE from the transport node, (ii) compares the first state of the LFE with a second state of the LFE that is received from a controller of the LFE, and (iii) reports the LFE as a problematic LFE along with the transport node and the controller of the LFE when the first and second states of the LFE do not match.

Abstract: Example methods are provided for a firewall controller to implement a distributed firewall in a virtualized computing environment that includes a source host and a destination host. The method may comprise retrieving a first firewall rule that is applicable at the destination host to an ingress packet destined for a destination virtualized computing instance supported by the destination host; and based on the first firewall rule, generating a second firewall rule that is applicable at the source host to an egress packet destined for the destination virtualized computing instance. The method may further comprise instructing the source host to apply the second firewall rule to, in response to determination that the egress packet is blocked by the second firewall rule, drop the egress packet such that the egress packet is not sent from the source host to the destination host.

Abstract: Some embodiments provide a method for a managed forwarding element (MFE) operating within a first data compute node (DCN) that executes on a first host machine. The MFE is for implementing a logical network that logically connects the first DCN to a plurality of other DCNs. At the MFE, the method receives several packets generated within the first DCN to be forwarded to a second DCN that is logically connected to the first DCN. The method determines whether the second DCN executes on the first host machine or on a second, different host machine. When the second DCN executes on the first host machine, the method stores the packets in a memory space of the first host machine that is shared between the first and second DCNs.

Abstract: Example methods and systems for packet handling in a software-defined networking (SDN) environment are disclosed. One example method may comprise detecting an egress application-layer message from a first logical endpoint supported by a first host; and identifying a second logical endpoint supported by the second host for which the egress application-layer message is destined. The method may also comprise generating an egress packet that includes the egress application-layer message and metadata associated with the second logical endpoint, but omits one or more headers that are addressed from the first logical endpoint to the second logical endpoint. The method may further comprise sending the egress packet to the second host to cause the second host to identify the second logical endpoint based on the metadata, and to send the egress application-layer message to the second logical endpoint.

Abstract: Example methods are provided for assigning a routing domain identifier in a logical network environment that includes one or more logical distributed routers and one or more logical switches. In one example, the method may comprise obtaining network topology information specifying how the one or more logical distributed routers are connected with the one or more logical switches; and selecting, from the one or more logical switches, a particular logical switch for which routing domain identifier assignment is required. The method may also comprise: identifying a particular logical distributed router that is connected with the particular logical switch based on the network topology information; assigning the particular logical switch with the routing domain identifier that is associated with the particular logical distributed router; and using the routing domain identifier in a communication between a management entity and a host.

Abstract: In an embodiment, a computer-implemented method for DHCP-communications monitoring by a network controller in software defined networks is disclosed. A method comprises detecting that a virtualized compute instance is instantiated on a host computer; generating, and transmitting to a port manager executing on the host computer, instructions to set a BLOCK-EXCEPT-DHCP status on a port assigned to the virtualized compute instance; determining whether an IP address has been assigned to the port by a DHCP service; and if it has: generating, and transmitting to the port manager, instructions to set a NORMAL status on the port; generating, and transmitting to the port manager, a SpoofGuard configured with the IP address assigned to the port; based on notifications received from the SpoofGuard, determining whether the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed; and if it has, transmitting instructions to set the BLOCK-EXCEPT-DHCP status on the port.

Abstract: Example methods are provided for filter-based control information query in a software-defined networking (SDN) environment that includes a host and a network management entity. One example method may comprise identifying a first query key for the host to query for control information associated with the first query key from the network management entity; and applying a set membership filter to determine whether the first query key is possibly a member of a set of second query keys that are known to the network management entity. The method may also comprise, in response to determination that the first query key is possibly a member of the set of second query keys, generating and sending a query message to the network management entity over a control-plane channel to query for the control information associated with the first query key.

Abstract: A novel centralized troubleshooting tool that enables user to troubleshoot a distributed virtual network with a single consistent user interface is provided. The distributed virtual network being monitored or debugged by the centralized troubleshooting tool includes different types of logical resources (LRs) that placed or distributed across different physical endpoints (PEs). The centralized troubleshooting tool provides functions that allow the user to invoke commands on different physical endpoints in order to collect information about the logical resources running in those physical endpoints. This allows the user to compare and analyze the information from different PEs for a same LR.

Abstract: Some embodiments provide a local network controller that manages a first managed forwarding element (MFE) operating to forward traffic on a host machine for several logical networks and configures the first MFE to forward traffic for a set of containers operating within a container virtual machine (VM) that connects to the first MFE. The local network controller receives, from a centralized network controller, logical network configuration information for a logical network to which the set of containers logically connect. The local network controller receives, from the container VM, a mapping of a tag value used by a second MFE operating on the container VM to a logical forwarding element of the logical network to which the set of containers connect. The local network controller configures the first MFE to apply the logical network configuration information to data messages received from the container VM that are tagged with the tag value.

Abstract: Systems and methods of communicating between a plurality of hosts comprising one or more first hosts controlled by a first control plane and one or more second hosts controlled by a second control plane are disclosed herein. Each of the one or more first hosts runs at least one tunneling endpoint of one or more first tunneling endpoints, and each of the one or more second hosts runs at least one tunneling endpoint of one or more second tunneling endpoint. The method includes storing, at each of the one or more first hosts, a global list identifying at least the one or more second tunneling endpoints. The method further includes receiving a packet at one of the one or more first tunneling endpoints. The method further includes replicating, encapsulating, and transmitting the packet to each of the one or more second tunneling endpoints based on the global list.

Abstract: Example methods are provided for assigning a routing domain identifier in a logical network environment that includes one or more logical distributed routers and one or more logical switches. In one example, the method may comprise obtaining network topology information specifying how the one or more logical distributed routers are connected with the one or more logical switches; and selecting, from the one or more logical switches, a particular logical switch for which routing domain identifier assignment is required. The method may also comprise: identifying a particular logical distributed router that is connected with the particular logical switch based on the network topology information; assigning the particular logical switch with the routing domain identifier that is associated with the particular logical distributed router; and using the routing domain identifier in a communication between a management entity and a host.

Abstract: Some embodiments provide a method for a network controller that manages multiple logical networks implemented by multiple managed forwarding elements (MFEs) operating on multiple host machines. The method receives a notification from a particular MFE that an interface corresponding to a logical port of a logical forwarding element has connected to the particular MFE and has a particular logical network address. The method assigns a unique physical network address to the interface. Each of multiple interfaces connected to the particular MFE is assigned a different physical network address. The method provides the assigned unique physical network address to the particular MFE for the particular MFE to convert data messages sent from the particular logical network address to have the unique physical network address.

Abstract: Some embodiments provide a method for a network controller. The method receives network configuration data including an association of an entity configuration profile set with a logical network entity. The entity configuration profile set is a group of at least two entity configuration profiles for different types of settings to apply to logical network entities with which the entity configuration profile set is associated. The method identifies a host machine at which the logical network entity is implemented. The method distributes the entity configuration profile set and each of the at least two entity configuration profiles to the identified host machine.