Patents by Inventor Ganesan Chandrashekhar
Ganesan Chandrashekhar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20230388114
Abstract: Exemplary methods, apparatuses, and systems include a central controller receiving a request to generate a new encryption key for a security group to replace a current encryption key for the security group. The security group includes a plurality of hosts that each encrypt and decrypt communications using the current encryption key. In response to receiving the request, the central controller determines that a threshold period following generation of the current encryption key has not expired. In response to determining that the threshold period has not expired, the central controller delays execution of the request until the expiration of the threshold period. In response to the expiration of the threshold period, the central controller executes the request by generating the new encryption key, storing a time of creation of the new encryption key, and transmitting the new encryption key to the plurality of hosts.
Type: Application
Filed: July 25, 2023
Publication date: November 30, 2023
Inventors: Gang XU, Bin QIAN, Ganesan CHANDRASHEKHAR, Bin ZAN
-
Patent number: 11831610
Abstract: A system and method for using private native security groups and private native firewall policy rules for a private cloud computing environment and a public cloud computing environment uses a public cloud gateway for routing data traffic between at least a cloud network created in the public cloud computing environment and the private cloud computing environment. For each of some private native firewall policy rules that has any of newly created private native security groups as one of source and destination, a cloud native security group (CNSG) rule object with an CNSG outbound rule object and an CNSG inbound rule object for the public cloud is created and at least one of the CNSG outbound rule object and the CNSG inbound rule object is updated so that the private native firewall policy rule can be used in the cloud network.
Type: Grant
Filed: July 26, 2020
Date of Patent: November 28, 2023
Assignee: VMWARE, INC.
Inventors: Vaibhav Kulkarni, Ganesan Chandrashekhar, Mukesh Hira, Akshay Katrekar, Prashant Mane, Rompicherla Sai Pavan Kumar, Sachin Kalkur, Amey Borkar
-
Patent number: 11799800
Abstract: Some embodiments provide a method for handling failure at one of several peer centralized components of a logical router. At a first one of the peer centralized components of the logical router, the method detects that a second one of the peer centralized components has failed. In response to the detection, the method automatically identifies a network layer address of the failed second peer. The method assumes responsibility for data traffic to the failed peer by broadcasting a message on a logical switch that connects all of the peer centralized components and a distributed component of the logical router. The message instructs recipients to associate the identified network layer address with a data link layer address of the first peer centralized component.
Type: Grant
Filed: January 20, 2022
Date of Patent: October 24, 2023
Assignee: NICIRA, INC.
Inventors: Ronghua Zhang, Ganesan Chandrashekhar, Sreeram Ravinoothala, Kai-Wei Fan
-
Patent number: 11799775
Abstract: A LRE (logical routing element) that have LIFs that are active in all host machines spanned by the LRE as well as LIFs that are active in only a subset of those spanned host machines is provided. A host machine having an active LIF for a particular L2 segment would perform the L3 routing operations for network traffic related to that L2 segment. A host machine having an inactive LIF for the particular L2 segment would not perform L3 routing operations for the network traffic of the L2 segment.
Type: Grant
Filed: June 28, 2021
Date of Patent: October 24, 2023
Assignee: NICIRA, INC.
Inventors: Vivek Agarwal, Ganesan Chandrashekhar, Rahul Korivi Subramaniyam, Howard Wang, Ram Dular Singh
-
Patent number: 11799726
Abstract: Some embodiments provide a method for distributing a service rule that is to be enforced across a first set of sites and that is defined by reference to a group identifier that identifies a group of machines. The method distributes the service rule to each site in the first set of sites. The method identifies at least one site in the first set of sites that is not in a second set of sites that has already received a definition of the group. The method distributes the group definition to each identified site in the first set of sites that has not already received the definition of the group.
Type: Grant
Filed: June 19, 2020
Date of Patent: October 24, 2023
Assignee: VMWARE, INC.
Inventors: Ganesan Chandrashekhar, Pankaj Thakkar, Sachin Mohan Vaidya, Ujwala Kawalay, Amarnath Palavalli, Bhagyashree Gujar
-
Patent number: 11750381
Abstract: Exemplary methods, apparatuses, and systems include a central controller receiving a request to generate a new encryption key for a security group to replace a current encryption key for the security group. The security group includes a plurality of hosts that each encrypt and decrypt communications using the current encryption key. In response to receiving the request, the central controller determines that a threshold period following generation of the current encryption key has not expired. In response to determining that the threshold period has not expired, the central controller delays execution of the request until the expiration of the threshold period. In response to the expiration of the threshold period, the central controller executes the request by generating the new encryption key, storing a time of creation of the new encryption key, and transmitting the new encryption key to the plurality of hosts.
Type: Grant
Filed: April 28, 2017
Date of Patent: September 5, 2023
Assignee: NICIRA, INC.
Inventors: Gang Xu, Bin Qian, Ganesan Chandrashekhar, Bin Zan
-
Patent number: 11736394
Abstract: A logical routing element (LRE) having multiple designated instances for routing packets from physical hosts (PH) to a logical network is provided. A PH in a network segment with multiple designated instances can choose among the multiple designated instances for sending network traffic to other network nodes in the logical network according to a load balancing algorithm. Each logical interface (LIF) of an LRE is defined to be addressable by multiple identifiers or addresses, and each LIF identifier or address is assigned to a different designated instance.
Type: Grant
Filed: November 12, 2021
Date of Patent: August 22, 2023
Assignee: NICIRA, INC.
Inventors: Vivek Agarwal, Ganesan Chandrashekhar, Rahul Korivi Subramaniyam, Ram Dular Singh, Howard Wang
-
Patent number: 11736391
Abstract: For a managed network including multiple host machines implementing multiple logical networks, some embodiments provide a method that reduces the memory and traffic load required to implement the multiple logical networks. The method generates configuration data for each of multiple host machines including (i) data to configure a host machine to implement a set of logical forwarding elements that belong to a set of routing domains and (ii) identifiers for each routing domain in the set of routing domains. The method then receives data regarding tunnels endpoints operating on each of the host machines and an association with the routing identifiers sent to the host machines. The method then generates a routing domain tunnel endpoint list for each routing domain based on the data received from each of the host machines including a list of the tunnel endpoints associated with the routing domain which the host machines can use to facilitate packet processing.
Type: Grant
Filed: May 10, 2021
Date of Patent: August 22, 2023
Assignee: NICIRA, INC.
Inventors: Caixia Jiang, Jianjun Shen, Pankaj Thakkar, Anupam Chanda, Ronghua Zhang, Ganesan Chandrashekhar, Vicky Liu, Da Wan, Frank Pan, Hua Wang, Donghai Han
-
Patent number: 11736383
Abstract: Some embodiments provide a method for a computing device that implements a first logical network gateway in a first datacenter to process data messages between data compute nodes (DCNs) belonging to the logical network and operating in the first datacenter and DCNs belonging to the logical network and operating in a second datacenter. From a host computer in the first datacenter, the method receives a logical network data message encapsulated with a first tunnel header including a first virtual network identifier corresponding to a logical forwarding element of the logical network. The method removes the first tunnel header and encapsulates the logical network data message with a second tunnel header include a second virtual network identifier corresponding to the logical forwarding element. The method transmits the logical network data message encapsulated with the second tunnel header to a second logical network gateway in the second datacenter.
Type: Grant
Filed: June 19, 2020
Date of Patent: August 22, 2023
Assignee: VMWARE, INC.
Inventors: Ganesan Chandrashekhar, Abhishek Goliya, Amarnath Palavalli
-
Patent number: 11533301
Abstract: For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryption key has been retrieved, the method uses the encryption key to encrypt a message sent by a data compute node executing on the host requiring encryption according to an encryption rule. The encryption key ticket, in some embodiments, is generated for an encryption management module to implement the principle of least privilege. The ticket acts as a security token in retrieving encryption keys from a key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.
Type: Grant
Filed: October 5, 2020
Date of Patent: December 20, 2022
Assignee: NICIRA, INC.
Inventors: Sonia Jahid, Ganesan Chandrashekhar, Bin Qian, Azeem Feroz
-
Patent number: 11528214
Abstract: Some embodiments provide a method for implementing a logical network across multiple datacenters. The method receives a configuration for a logical router that handles data traffic between the logical network implemented in the plurality of datacenters and networks external to the logical network. The method, for each datacenter defines (i) an active centralized routing component of the logical router in the datacenter and (ii) a standby centralized routing component of the logical router in the datacenter. The centralized routing components for a particular datacenter handle the data traffic between the logical network in the particular datacenter and the external networks. The active and standby centralized routing components are each assigned to edge computing devices in the datacenter that implement the centralized routing components.
Type: Grant
Filed: June 19, 2020
Date of Patent: December 13, 2022
Assignee: VMWARE, INC.
Inventors: Ganesan Chandrashekhar, Abhishek Goliya, Nisarg Parikh
-
Patent number: 11509522
Abstract: Some embodiments provide a method for a global manager that manages a logical network configuration for multiple datacenters that each have a local manager for managing the logical network configuration within the datacenter. Based on detecting that a connection to a particular local manager of a particular datacenter has been restored after a period of unavailability, the method identifies a portion of the logical network configuration that is relevant to the particular datacenter. In a series of transactions, the method transfers the identified portion of the logical network configuration to the particular local manager. During the series of transactions, the method identifies modifications to the identified portion of the logical network configuration to be included in the series of transactions. Upon completion of the series of transactions, the method transfers a notification to the particular local manager indicating completion of the series of transactions.
Type: Grant
Filed: August 2, 2021
Date of Patent: November 22, 2022
Assignee: VMWARE, INC.
Inventors: Amarnath Palavalli, Suresh Muppala, Ganesan Chandrashekhar, Medhavi Dhawan, Josh Dorr, Alexander Rogozinsky
-
Publication number: 20220368654
Abstract: Described herein are systems, methods, and software to enhance network traffic management. In one implementation, a first host identifies a packet to be transferred from a first virtual machine on the first host to a second virtual machine on a second host. In response to identifying the packet, the first host identifies a source logical port for the first virtual machine, and transferring a communication to the second host, wherein the communication encapsulates the data packet and the source logical port. Once the packet is received by the second host, the second host may use the source logical port to determine a forwarding action for the packet.
Type: Application
Filed: July 28, 2022
Publication date: November 17, 2022
Inventors: Jayant Jain, Ganesan Chandrashekhar, Anirban Sengupta, Pankaj Thakkar, Alexander Tessmer
-
Patent number: 11496437
Abstract: Some embodiments provide a method for proxying ARP requests. At an MFE that executes on a host computer operating at a first site to implement a distributed router along with at least one additional MFE at the first site, the method receives, from a router at a remote second site, an ARP request for an IP address associated with a logical switch that spans the first site and the remote second site, and to which both the distributed router and the router at the remote second site connect. The method determines whether a table that includes IP addresses for a set of DCNs that use the distributed router as a default gateway includes the IP address. When the IP address is in the table, the method proxies the request at the host computer. When the particular IP address is not in the table, the MFE does not proxy the request.
Type: Grant
Filed: June 19, 2020
Date of Patent: November 8, 2022
Assignee: VMWARE, INC.
Inventors: Hongwei Zhu, Dileep Devireddy, Ganesan Chandrashekhar, Feng Gu, Sreenivas Duvvuri, Chidambareswaran Raman
-
Patent number: 11496392
Abstract: A system provisions global logical entities that facilitate the operation of logical networks that span two or more datacenters. These global logical entities include global logical switches that provide L2 switching as well as global routers that provide L3 routing among network nodes in multiple datacenters. The global logical entities operate along side local logical entities that are for operating logical networks that are local within a datacenter.
Type: Grant
Filed: June 1, 2020
Date of Patent: November 8, 2022
Assignee: NICIRA, INC.
Inventors: Vivek Agarwal, Ganesan Chandrashekhar, Abhishek Goliya, Akshay Katrekar
-
Patent number: 11483175
Abstract: Virtualization software that includes a VDRB (virtual distributed router/bridge) module for performing L3 routing and/or bridging operations is provided. At least some of the VDRBs are configured as VDBs (virtual distributed bridge) for performing bridging operations between different network segments in a distributed manner. The bridging tasks of a network are partitioned among several VDBs of the network based on MAC addresses. MAC addresses of VMs or other types of network nodes belonging to an overlay logical network are partitioned into several shards, each shard of MAC addresses assigned to a VDB in the network. Each VDB assigned a shard of MAC addresses performs bridging when it receives a packet bearing a MAC address belonging to its assigned shard. A VDB does not perform bridging on packets that do not have MAC address that falls within the VDB's shard of MAC addresses.
Type: Grant
Filed: November 1, 2019
Date of Patent: October 25, 2022
Assignee: NICIRA, INC.
Inventors: Rahul Korivi Subramaniyam, Howard Wang, Ganesan Chandrashekhar, Vivek Agarwal, Ram Dular Singh
-
Publication number: 20220329461
Abstract: Some embodiments provide a centralized overlay-network cloud gateway and a set of centralized services in a transit virtual cloud network (VCN) connected to multiple other compute VCNs hosting compute nodes (VMs, containers, etc.) that are part of (belong to) the overlay network. The centralized overlay-network cloud gateway provides connectivity between compute nodes of the overlay network (e.g., a logical network spanning multiple VCNs) and compute nodes in external networks. Some embodiments use the centralized overlay-network cloud gateway to provide transitive routing (e.g., routing through a transit VCN) in the absence of direct peering between source and destination VCNs. The overlay network, of some embodiments, uses the same subnetting and default gateway address for each compute node as the cloud provider network provided by the virtual private cloud provider.
Type: Application
Filed: June 26, 2022
Publication date: October 13, 2022
Inventors: Mukesh Hira, Su Wang, Rahul Jain, Ganesan Chandrashekhar, Sandeep Siroya
-
Patent number: 11438238
Abstract: Some embodiments provide a method for providing a user interface (UI) for a network management application. The method provides a first UI for accessing a global network manager through the network management application to configure a global logical network spanning multiple physical sites. For each respective site, the method provides an additional UI for accessing a respective local network manager for the site (i) to modify the global logical network at the respective site and (ii) to configure a local logical network at the respective site. The method provides a UI item for toggling between the first UI and the additional UIs. Multiple UI items available in the first UI are also available in the additional UIs.
Type: Grant
Filed: June 19, 2020
Date of Patent: September 6, 2022
Assignee: VMWARE, INC.
Inventors: Ganesan Chandrashekhar, Pankaj Thakkar, Pavlush Margarian
-
Patent number: 11405335
Abstract: Described herein are systems, methods, and software to enhance network traffic management. In one implementation, a first host identifies a packet to be transferred from a first virtual machine on the first host to a second virtual machine on a second host. In response to identifying the packet, the first host identifies a source logical port for the first virtual machine, and transferring a communication to the second host, wherein the communication encapsulates the data packet and the source logical port. Once the packet is received by the second host, the second host may use the source logical port to determine a forwarding action for the packet.
Type: Grant
Filed: January 13, 2017
Date of Patent: August 2, 2022
Assignee: Nicira, Inc.
Inventors: Jayant Jain, Ganesan Chandrashekhar, Anirban Sengupta, Pankaj Thakkar, Alexander Tessmer
-
Publication number: 20220239561
Abstract: A system for network virtualization in which physical network resources in different physical contexts are configured to implement one or more distributed logical network elements, at least some of the physical network resources implementing the distributed logical network elements configured according the physical context of those network resources. The local configuration of a physical locale is a version of the logical configuration that is modified specifically for the physical locale. Such modification is based on locale identifiers that are assigned to the physical locales. Some systems use locale-specific information to modify next-hop preference. Some system use locally modified configurations to determine the placement of VMs.
Type: Application
Filed: February 14, 2022
Publication date: July 28, 2022
Inventors: Ganesan Chandrashekhar, Vivek Agarwal