Abstract: Certain embodiments described herein are generally directed to enabling a group of host machines within a network to securely communicate an unknown unicast packet. In some embodiments, a key policy is defined exclusively for the secure communication of unknown unicast packets. The key policy is transmitted by a central controller to the group of host machines for negotiating session keys among each other when communicating unknown unicast packets.

Abstract: A novel method for fully utilizing the multicast or broadcast capability of a physical network is provided. The method identifies segments of the network within which broadcast traffic, multicast traffic, or traffic to unknown recipients (BUM traffic) is allowed or enabled. The identified segment encompasses parts of the network that the BUM traffic is able reach while excluding parts of the network nodes that the BUM traffic is unable to reach. Each identified segment includes network nodes that are interconnected by physical network hardware that supports BUM traffic. The method identifies multiple BUM traffic segments in a given network that each supports its own BUM traffic. The different BUM traffic segments are interconnected by physical network hardware that does not support BUM network traffic. Each identified segment is assigned an identifier that uniquely distinguishes the identified segment from other identified segments.

Abstract: Some embodiments provide a method for an edge computing device in a first datacenter that implements a logical network gateway for processing data traffic for a particular LFE between the first datacenter and multiple other datacenters. For each particular other datacenter, the method stores a record that maps logical network addresses for DCNs connected to the particular LFE and operating in the particular datacenter to a group of TEP addresses corresponding to logical network gateways that handle data traffic for the particular LFE between the particular datacenter and the other datacenters, including the first datacenter. Upon receiving a data message for the particular LFE from a host computer in the first datacenter, the method uses a destination address of the data message to identify one of the groups of TEP addresses. The method encapsulates the data message with one of the TEP addresses from the identified group of TEP addresses.

Abstract: Some embodiments provide a method for handling failure at one of several peer centralized components of a logical router. At a first one of the peer centralized components of the logical router, the method detects that a second one of the peer centralized components has failed. In response to the detection, the method automatically identifies a network layer address of the failed second peer. The method assumes responsibility for data traffic to the failed peer by broadcasting a message on a logical switch that connects all of the peer centralized components and a distributed component of the logical router. The message instructs recipients to associate the identified network layer address with a data link layer address of the first peer centralized component.

Abstract: A logical routing element (LRE) having multiple designated instances for routing packets from physical hosts (PH) to a logical network is provided. A PH in a network segment with multiple designated instances can choose among the multiple designated instances for sending network traffic to other network nodes in the logical network according to a load balancing algorithm. Each logical interface (LIF) of an LRE is defined to be addressable by multiple identifiers or addresses, and each LIF identifier or address is assigned to a different designated instance.

Abstract: In some embodiments, a first network device in a first site sets a first IP address for an interface of the first network device to a value of a second IP address of a second network device in a second site. Policies are added in a policy table to cover IP addresses used in the second site and a specific route for a third IP address associated with a first workload migrated from the second site to the first site is added into a routing table. The first workload is on a stretched network that is coupled via a layer 2 channel. The policy table configures the first network device to send a second packet from the first workload to a third workload in the second site via the layer 2 channel when an IP address for the third workload does not match an eligible route in the routing table.

Abstract: Some embodiments provide a method for a first network controller executing at a first site of multiple sites spanned by a logical network. Network controllers execute at each site. The method generates logical network state data for the first site based on (i) data received from computing devices that implement the logical network at the first site and (ii) logical network configuration data from a network manager at the first site. The method provides the logical network state data for the first site to a second network controller executing at a second site. The method provides logical network state data received from the second site to the computing devices that implement the logical network at the first site.

Abstract: A system for network virtualization in which physical network resources in different physical contexts are configured to implement one or more distributed logical network elements, at least some of the physical network resources implementing the distributed logical network elements configured according the physical context of those network resources. The local configuration of a physical locale is a version of the logical configuration that is modified specifically for the physical locale. Such modification is based on locale identifiers that are assigned to the physical locales. Some systems use locale-specific information to modify next-hop preference. Some system use locally modified configurations to determine the placement of VMs.

Abstract: In some embodiments, a method receives, by a first network device, a packet from a first workload that is located in first site. The first site includes stretched networks across a second site and a third site. The packet includes a destination IP address for a device in the second site. The method determines that the destination IP address does not match an eligible route in a routing table. The first workload was migrated from the second site to the first site and is located on a stretched network between the first site and the second site. A site identifier associated with the first workload is determined where the site identifier identifies the second site. The method selects a site policy based on the site identifier and uses the site policy to send the packet through a layer 2 channel to the second network device in the second site.

Abstract: A system and method for using private native security groups and private native firewall policy rules for a private cloud computing environment and a public cloud computing environment uses a public cloud gateway for routing data traffic between at least a cloud network created in the public cloud computing environment and the private cloud computing environment. For each of some private native firewall policy rules that has any of newly created private native security groups as one of source and destination, a cloud native security group (CNSG) rule object with an CNSG outbound rule object and an CNSG inbound rule object for the public cloud is created and at least one of the CNSG outbound rule object and the CNSG inbound rule object is updated so that the private native firewall policy rule can be used in the cloud network.

Abstract: Some embodiments provide a centralized overlay-network cloud gateway and a set of centralized services in a transit virtual private cloud (VPC) connected to multiple other compute VPCs hosting compute nodes (VMs, containers, etc.) that are part of (belong to) the overlay network. The centralized overlay-network cloud gateway provides connectivity between compute nodes of the overlay network (e.g., a logical network spanning multiple VPCs) and compute nodes in external networks. Some embodiments use the centralized overlay-network cloud gateway to provide transitive routing (e.g., routing through a transit VPC) in the absence of direct peering between source and destination VPCs. The overlay network, of some embodiments, uses the same subnetting and default gateway address for each compute node as the cloud provider network provided by the virtual private cloud provider.

Abstract: A logical routing element (LRE) having multiple designated instances for routing packets from physical hosts (PH) to a logical network is provided. A PH in a network segment with multiple designated instances can choose among the multiple designated instances for sending network traffic to other network nodes in the logical network according to a load balancing algorithm. Each logical interface (LIF) of an LRE is defined to be addressable by multiple identifiers or addresses, and each LIF identifier or address is assigned to a different designated instance.

Abstract: Some embodiments provide a method for a global manager that manages a logical network configuration for multiple datacenters that each have a local manager for managing the logical network configuration within the datacenter. Based on detecting that a connection to a particular local manager of a particular datacenter has been restored after a period of unavailability, the method identifies a portion of the logical network configuration that is relevant to the particular datacenter. In a series of transactions, the method transfers the identified portion of the logical network configuration to the particular local manager. During the series of transactions, the method identifies modifications to the identified portion of the logical network configuration to be included in the series of transactions. Upon completion of the series of transactions, the method transfers a notification to the particular local manager indicating completion of the series of transactions.

Abstract: A LRE (logical routing element) that have LIFs that are active in all host machines spanned by the LRE as well as LIFs that are active in only a subset of those spanned host machines is provided. A host machine having an active LIF for a particular L2 segment would perform the L3 routing operations for network traffic related to that L2 segment. A host machine having an inactive LIF for the particular L2 segment would not perform L3 routing operations for the network traffic of the L2 segment.

Abstract: Some embodiments provide a method for configuring a DCN migrated from a first host computer at a first site of multiple sites spanned by a logical network to a second host computer at a second site. At the second host, the method receives, from the first host, data for configuring the DCN and implementing the logical network on the second site. The data includes (i) data particular to the first site and (ii) a global identifier for a logical port to which the DCN attaches. The method provides the global identifier to a local logical network manager, which uses the global identifier to retrieve data regarding the logical port from a global network manager that manages the logical network across the sites. Based on data retrieved from the global network manager, the method modifies the data particular to the first site into data particular to the second site.

Abstract: Some embodiments provide a method for configuring a DCN migrated from a first host computer at a first site of multiple sites spanned by a logical network to a second host computer at a second site. At the second host, the method receives, from the first host, data for configuring the DCN and implementing the logical network on the second site. The data includes (i) data particular to the first site and (ii) a global identifier for a logical port to which the DCN attaches. The method provides the global identifier to a local logical network manager, which uses the global identifier to retrieve data regarding the logical port from a global network manager that manages the logical network across the sites. Based on data retrieved from the global network manager, the method modifies the data particular to the first site into data particular to the second site.

Abstract: In some embodiments, a first network device in a first site sets a first IP address for an interface of the first network device to a value of a second IP address of a second network device in a second site. Policies are added in a policy table to cover IP addresses used in the second site and a specific route for a third IP address associated with a first workload migrated from the second site to the first site is added into a routing table. The first workload is on a stretched network that is coupled via a layer 2 channel. The policy table configures the first network device to send a second packet from the first workload to a third workload in the second site via the layer 2 channel when an IP address for the third workload does not match an eligible route in the routing table.

Abstract: Some embodiments provide a method for an edge computing device in a first datacenter that implements a logical network gateway for processing data traffic for a particular LFE between the first datacenter and multiple other datacenters. For each particular other datacenter, the method stores a record that maps logical network addresses for DCNs connected to the particular LFE and operating in the particular datacenter to a group of TEP addresses corresponding to logical network gateways that handle data traffic for the particular LFE between the particular datacenter and the other datacenters, including the first datacenter. Upon receiving a data message for the particular LFE from a host computer in the first datacenter, the method uses a destination address of the data message to identify one of the groups of TEP addresses. The method encapsulates the data message with one of the TEP addresses from the identified group of TEP addresses.

Abstract: Some embodiments provide a method for distributing a service rule that is to be enforced across a first set of sites and that is defined by reference to a group identifier that identifies a group of machines. The method distributes the service rule to each site in the first set of sites. The method identifies at least one site in the first set of sites that is not in a second set of sites that has already received a definition of the group. The method distributes the group definition to each identified site in the first set of sites that has not already received the definition of the group.

Abstract: Some embodiments provide a method for a first edge device in a first datacenter that implements a centralized routing component of a logical router that spans multiple datacenters and handles data traffic between a logical network implemented across the multiple datacenters and external networks. From a second edge device in a second datacenter, the method receives via routing protocol a route having a particular routing protocol tag. When the first datacenter is a primary datacenter for the logical router such that all data traffic between the logical network and the external networks is handled by one or more centralized routing components implemented at the first datacenter, the method uses the routing protocol tag to determine whether to advertise the received route to the external networks.