Abstract: Embodiments of the present disclosure relate to enforcing universal security policies across data centers. Embodiments include receiving, from a user, a first universal security policy (USP) related to a first universal policy group. Embodiments include identifying a first data center as an enforcement point for the first USP. Embodiments include automatically generating, at the first data center, a first local security policy based on the first USP. Embodiments include deploying a workload associated with the first universal policy group to the first data center. The first USP is enforced for the workload via the first local security policy.

Abstract: A simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. These manifests are application specific. Also, in some cases, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance. Some embodiments collect, each time a request for a new data message flow is initiated, a set of contextual attributes (i.e., context data) associated with the requested new data message flow. The method, in some embodiments, generates a correlation data set and provides the correlation data set to be included in flow data regarding the requested data message flow to be used by the analysis appliance to correlate context data and flow data received as separate data sets from multiple host computers.

Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to middlebox service engines executing at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments execute a context header insertion processor that receives contextual attributes relating to network events and/or process events on the machines collected using a guest-introspection (GI) agent on each machine. In some embodiments, the context header insertion processor uses these contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rues to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rues to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.

Abstract: Embodiments of the present disclosure relate to enforcing universal security policies across data centers. Embodiments include receiving, from a user, a first universal security policy (USP) related to a first universal policy group. Embodiments include identifying a first data center as an enforcement point for the first USP. Embodiments include automatically generating, at the first data center, a first local security policy based on the first USP. Embodiments include deploying a workload associated with the first universal policy group to the first data center. The first USP is enforced for the workload via the first local security policy.

Abstract: Techniques for providing application-independent access control in a cloud-services computing environment are provided. In one embodiment, a method for providing application-independent access control is provided. The method includes obtaining a user identity for accessing the cloud-services computing environment and receiving a user request to perform a task using an application. The method further includes collecting process-related data for performing the task using the application and obtaining one or more network routing addresses. The method further includes determining, based on the user identity, the process-related data, and the one or more network routing addresses, whether the task is to be performed. If that the task is to be performed, the task is caused to be performed using the application; and if the task is not to be performed, the user request is denied.

Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

Abstract: Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to middlebox service engines executing at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments execute a context header insertion processor that receives contextual attributes relating to network events and/or process events on the machines collected using a guest-introspection (GI) agent on each machine. In some embodiments, the context header insertion processor uses these contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE.

Abstract: Some embodiments of the invention provide a novel architecture for providing context-aware middlebox services at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments use a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to context-aware middlebox service engines providing the context-aware middlebox services. In some embodiments, a context header insertion processor uses contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE and sent to the context-aware middlebox service engine.

Abstract: Some embodiments provide a method for monitoring a distributed application. The method receives a request to perform data collection for the distributed application. The method identifies data compute nodes (DCNs) that implement the distributed application. The method sends commands to host machines on which the identified DCNs operate to detect events related to the DCNs and provide data regarding the detected events. The method uses the data regarding the detected events to generate a user interface (UI) display of the topology of the distributed application.

Abstract: A computer system provides a method for context-based packet scanning in a computing environment. The method includes the steps of receiving a packet from a virtual machine, determining if a network flow associated with the packet exists in a context data structure, and upon determining that a context entry associated with the network flow exists in the context data structure, tagging the packet with context information included in the context entry, comparing the context information and network flow information to context and network flow criteria in one or more packet capture policies, and recording contents of the packet when the context information and network flow information match one of the one or more packet capture policies.

Abstract: A computer system provides a method for context-based packet scanning in a computing environment. The method includes the steps of receiving a packet from a virtual machine, determining if a network flow associated with the packet exists in a context data structure, and upon determining that a context entry associated with the network flow exists in the context data structure, tagging the packet with context information included in the context entry, comparing the context information and network flow information to context and network flow criteria in one or more packet capture policies, and recording contents of the packet when the context information and network flow information match one of the one or more packet capture policies.

Abstract: A multi-layer policy framework for monitoring and enforcing policy is provided. The multi-layer policy framework receives the desired state of the policy at each layer and translates the desired state into a realized state for the layer. The desired state specifies the intent of the user and the realized specifies the specific actions that have to be performed in order to reach the desired state. The realized state at each layer is sent to the next lower layer as the desired state for the lower layer. At the lowest layer, the desired state is converted into a realized state that includes a set of rules used to enforce the policy. The set of rules are then enforced at different enforcement points at the lowest layer.

Abstract: Methods, apparatuses and systems directed to an adaptive network traffic monitoring and measurement system. In one implementation, the present invention provides a measurement engine that monitors data flows on the packet processing path of a network device and executes measurement policy that control the granularity with which measurement data is recorded. In one implementation, the present invention provides a filtering and aggregation mechanism that can seamlessly adapt to changes in measurement policy configuration.

Abstract: An exemplary embodiment provides for a method for recording network traffic data that can be used in a network device operably disposed in a network, wherein the network device comprises a measurement data structure including at least one entry and a corresponding measurement key and wherein the at least one entry comprises at least one measurement attribute. The method includes receiving a packet and matching the packet to a data flow. A measurement policy for the data flow is identified, wherein the measurement policy comprises one or more measurement axes corresponding to respective data flow attributes, and a rule set relating to at least one of the one or more measurement axes. The rule set is applied to dynamically select one or more of the measurement axes in the measurement policy to be applied to the data flow. A measurement key is created based on the selected one or more measurement axes and attributes of the data flow corresponding to the selected one or more measurement axes.