Patents by Inventor Ganesan Chandrashekhar

Ganesan Chandrashekhar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11029982
    Abstract: Some embodiments provide a method of operating several logical networks over a network virtualization infrastructure. The method defines a managed physical switching element (MPSE) that includes several ports for forwarding packets to and from a plurality of virtual machines. Each port is associated with a unique media access control (MAC) address. The method defines several managed physical routing elements (MPREs) for the several different logical networks. Each MPRE is for receiving data packets from a same port of the MPSE. Each MPRE is defined for a different logical network and for routing data packets between different segments of the logical network. The method provides the defined MPSE and the defined plurality of MPREs to a plurality of host machines as configuration data.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: June 8, 2021
    Assignee: NICIRA, INC.
    Inventors: Ganesan Chandrashekhar, Rahul Korivi Subramaniyam, Ram Dular Singh, Vivek Agarwal, Howard Wang
  • Patent number: 11018975
    Abstract: Described herein are systems, methods, and software to enhance flow operations on a host computing system. In one implementation, a virtual switch on a host identifies a packet from a virtual node. In response to identifying the packet, the virtual switch determines whether the packet corresponds to a cached result action based on traits of the packet. If the packet corresponds to a cached result action, then the virtual switch may process the packet in accordance with the cached result action. In contrast, if the packet does not correspond to a cached result action, then the virtual switch may process the packet in accordance with first flow operations to determine a result action, and cache the result action for use with future packets.
    Type: Grant
    Filed: April 5, 2018
    Date of Patent: May 25, 2021
    Assignee: Nicira, Inc.
    Inventors: Aditya Krishna Sonthy, Alexander N. Tessmer, Ganesan Chandrashekhar, Samuel Jacob, Boon Seong Ang, Hongwei Zhu, Rajeev Nair
  • Patent number: 11018993
    Abstract: Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: May 25, 2021
    Assignee: NICIRA, INC.
    Inventors: Ganesan Chandrashekhar, Mukesh Hira, Sanal Pillai
  • Patent number: 11012357
    Abstract: Embodiments described herein involve learning and distributing associations between groups and addresses. Embodiments include receiving, by a first route server associated with a first central control plane (CCP) of a first data center, a definition of a first group. Embodiments include learning, by the first route server, a first association between the first group and one or more addresses based on the definition of the first group. Embodiments include transmitting, by the first route server, the first association to a second route server in a second CCP of a second data center. Embodiments include receiving, by the first route server, from the second route server, a second association between the first group and one or more additional addresses. Embodiments include storing, by the first route server, the first association and the second association in a table and programming, by the first central control plane, the hypervisor based on the table.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: May 18, 2021
    Assignee: VMware, Inc.
    Inventors: Sami Boutros, Ganesan Chandrashekhar, Jayant Jain, Lakshman Krishnamoorthy
  • Patent number: 11005753
    Abstract: For a managed network including multiple host machines implementing multiple logical networks, some embodiments provide a method that reduces the memory and traffic load required to implement the multiple logical networks. The method generates configuration data for each of multiple host machines including (i) data to configure a host machine to implement a set of logical forwarding elements that belong to a set of routing domains and (ii) identifiers for each routing domain in the set of routing domains. The method then receives data regarding tunnel endpoints operating on each of the host machines and an association with the routing identifiers sent to the host machines. The method then generates a routing domain tunnel endpoint list for each routing domain based on the data received from each of the host machines including a list of the tunnel endpoints associated with the routing domain which the host machines can use to facilitate packet processing.
    Type: Grant
    Filed: February 14, 2019
    Date of Patent: May 11, 2021
    Assignee: NICIRA, INC.
    Inventors: Caixia Jiang, Jianjun Shen, Pankaj Thakkar, Anupam Chanda, Ronghua Zhang, Ganesan Chandrashekhar, Vicky Liu, Da Wan, Frank Pan, Hua Wang, Donghai Han
  • Patent number: 10979352
    Abstract: In some embodiments, a method receives a selection of a logical router in the first computing device in a first site of a plurality of sites as a preferred egress point to an external network for the logical router. The logical router is instantiated on computing devices in the plurality of sites and a single site in the sites is the preferred egress point for the logical router. The method stores identification information for the logical router in a routing table that stores identification information for multiple logical routers. The identification information is unique among multiple logical routers. The method advertises via a routing instance in a control plane to other computing devices in other sites the identification information for the logical router to indicate the logical router in the first computing device in the first site is the preferred egress point.
    Type: Grant
    Filed: June 14, 2019
    Date of Patent: April 13, 2021
    Assignee: VMware, Inc.
    Inventors: Sami Boutros, Ganesan Chandrashekhar, Sri Mohana Singamsetty, Ankur Dubey, Abhishek Goliya
  • Patent number: 10979416
    Abstract: A system and method for managing a trusted connection within a public cloud comprises transmitting a first token and a second token from a cloud service manager to a public cloud controller, initializing a public cloud manager in response to receipt of the first token and the second token, and generating a cloud certificate, and transmitting the cloud certificate and the second token from the public cloud manager to a management plane. The method further comprises establishing a trusted connection between the public cloud controller and the management plane in response to receipt of the cloud certificate and the second token by the management plane.
    Type: Grant
    Filed: May 9, 2018
    Date of Patent: April 13, 2021
    Assignee: Nicira, Inc.
    Inventors: Vaibhav Kulkarni, Narendra Sharma, Aditya Gokhale, Ganesan Chandrashekhar, Vivek Agarwal, Akshay Katrekar, Rompicherla Sai Pavan Kumar
  • Patent number: 10958462
    Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for configuring a managed forwarding element (MFE) executing on a first host machine to implement a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines to process multicast data messages. The method receives a multicast group report from a data compute node (DCN) that executes on the first host, sends a summarized multicast group report indicating multicast groups joined by DCNs executing on the first host to a set of central controllers, receives data based on an aggregated multicast group report from the set of central controllers, and uses the data based on the aggregated multicast group report to configure the MFE to implement the distributed multicast logical router.
    Type: Grant
    Filed: February 14, 2019
    Date of Patent: March 23, 2021
    Assignee: NICIRA, INC.
    Inventors: Sami Boutros, Alexander Tessmer, Subin Cyriac Mathew, Ganesan Chandrashekhar, Vivek Agarwal
  • Patent number: 10924431
    Abstract: Some embodiments provide a method for a managed first forwarding element executing on a first data compute node (DCN) that operates on a first host machine within a public datacenter. The managed first forwarding element is configured to implement a logical network. The method receives a data packet from an application, executing on the first data compute node, that sends and receives data packets through the logical network. When the data packet has a destination address that is not associated with the logical network, the method sends the packet directly to a second forwarding element configured by an administrator of the datacenter. When the data packet has a destination address associated with the logical network, the method sends the packet to a managed third forwarding element configured to implement the logical network. The managed third forwarding element executes on a second DCN on a second host machine within the datacenter.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: February 16, 2021
    Assignee: NICIRA, INC.
    Inventors: Ganesan Chandrashekhar, Mukesh Hira, Jayant Jain, Ronghua Zhang
  • Publication number: 20210036997
    Abstract: For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryption key has been retrieved, the method uses the encryption key to encrypt a message sent by a data compute node executing on the host requiring encryption according to an encryption rule. The encryption key ticket, in some embodiments, is generated for an encryption management module to implement the principle of least privilege. The ticket acts as a security token in retrieving encryption keys from a key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.
    Type: Application
    Filed: October 5, 2020
    Publication date: February 4, 2021
    Inventors: Sonia Jahid, Ganesan Chandrashekhar, Bin Qian, Azeem Feroz
  • Patent number: 10911397
    Abstract: Techniques are disclosed herein for providing an agent for implementing layer 2 (L2) communication on a layer 3 (L3) underlay network. In one embodiment, an agent in virtualization software determines a newly available network address of a VM, configures a network interface of the L3 network to be associated with the network address such that network traffic for the network address is directed to the network interface, adds a route to a virtual router in the virtualization software indicating the VM is local, and adds a router to an address resolution table to associate the network address with a MAC address. This permits a packet sent from one VM to another VM to be processed by the virtual router based on routes therein and forwarded to the other VM either internally or using the L3 underlay network.
    Type: Grant
    Filed: April 17, 2018
    Date of Patent: February 2, 2021
    Assignee: NICIRA, INC.
    Inventors: Ganesan Chandrashekhar, ChiHsiang Su, Minjal Agarwal, Xiaohu Wang, Dileep Devireddy, Hitesh Patel
  • Patent number: 10897453
    Abstract: The present disclosure generally relates to deploying a proxy control plane and/or north-south data plane in a control virtual private cloud of a logical network implemented on a software-defined datacenter. The control virtual private cloud is shared by a plurality of compute virtual private clouds of the network. In some embodiments, a proxy control plane is deployed on the control virtual private cloud and disseminates policies directly to endpoints of the logical network. In some embodiments, a north-south data plane is deployed on the control virtual private cloud and directly manages north-south network traffic from endpoints of the logical network. In some embodiments, a proxy control plane and a north-south network data plane are deployed on the control virtual private cloud.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: January 19, 2021
    Assignee: Nicira, Inc.
    Inventors: Mukesh Hira, Ganesan Chandrashekhar, Su Wang, Akshay Katrekar, Vivek Agarwal
  • Patent number: 10880158
    Abstract: Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.
    Type: Grant
    Filed: March 14, 2019
    Date of Patent: December 29, 2020
    Assignee: NICIRA, INC.
    Inventors: W. Andrew Lambeth, James Joseph Stabile, Ganesan Chandrashekhar, Pankaj Thakkar, Peter J. Balland, III, Igor Ganichev
  • Publication number: 20200403915
    Abstract: Embodiments described herein involve learning and distributing associations between groups and addresses. Embodiments include receiving, by a first route server associated with a first central control plane (CCP) of a first data center, a definition of a first group. Embodiments include learning, by the first route server, a first association between the first group and one or more addresses based on the definition of the first group. Embodiments include transmitting, by the first route server, the first association to a second route server in a second CCP of a second data center. Embodiments include receiving, by the first route server, from the second route server, a second association between the first group and one or more additional addresses. Embodiments include storing, by the first route server, the first association and the second association in a table and programming, by the first central control plane, the hypervisor based on the table.
    Type: Application
    Filed: June 19, 2019
    Publication date: December 24, 2020
    Inventors: Sami Boutros, Ganesan Chandrashekhar, Jayant Jain, Lakshman Krishnamoorthy
  • Publication number: 20200396157
    Abstract: In some embodiments, a method receives a selection of a logical router in the first computing device in a first site of a plurality of sites as a preferred egress point to an external network for the logical router. The logical router is instantiated on computing devices in the plurality of sites and a single site in the sites is the preferred egress point for the logical router. The method stores identification information for the logical router in a routing table that stores identification information for multiple logical routers. The identification information is unique among multiple logical routers. The method advertises via a routing instance in a control plane to other computing devices in other sites the identification information for the logical router to indicate the logical router in the first computing device in the first site is the preferred egress point.
    Type: Application
    Filed: June 14, 2019
    Publication date: December 17, 2020
    Inventors: Sami Boutros, Ganesan Chandrashekhar, Sri Mohana Singamsetty, Ankur Dubey, Abhishek Goliya
  • Patent number: 10862753
    Abstract: Some embodiments provide a method for a network controller that manages a logical network spanning multiple physical locations. For each physical location hosting data compute nodes (DCNs) belonging to the logical network, the method defines a centralized routing component for processing data messages between the DCNs hosted at the physical location and networks external to the logical network, assigns an active instance of the centralized routing component to operate at the physical location, and assigns a standby instance of the centralized routing component to operate at one of the other physical locations.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: December 8, 2020
    Assignee: NICIRA, INC.
    Inventors: Mukesh Hira, Ganesan Chandrashekhar, Jayant Jain, Rahul Jain
  • Patent number: 10848461
    Abstract: The present disclosure generally relates to applying global unified security policies across a plurality of virtual private clouds of a logical network. The logical network is deployed on a software-defined datacenter that constitutes one or more private and/or public datacenters. The plurality of virtual private clouds of the logical network may have one or more overlapping internet protocol address blocks, with each virtual private cloud deploying one or more virtual machines and/or containers. A global unified security policy is disseminated to endpoints throughout the logical network using logical ports of the virtual machines and/or containers.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: November 24, 2020
    Assignee: Nicira, Inc.
    Inventors: Mukesh Hira, Jayant Jain, Ganesan Chandrashekhar, Anirban Sengupta, Pankaj Thakkar, Alexander Tessmer, Vivek Agarwal
  • Patent number: 10812413
    Abstract: Some embodiments provide a method for a network controller. The method configures a first data compute node (DCN), operating within a public first datacenter that includes forwarding elements to which the network controller does not have access, to operate as a gateway forwarding element between (i) other DCNs in the first datacenter on which forwarding elements are configured by the network controller and (ii) forwarding elements in a second datacenter. The method configures the forwarding elements executing on the other DCNs in the public datacenter to implement a logical switch to which the other DCNs attach. The method configures the forwarding elements in the second datacenter to implement the logical switch. DCNs in the second datacenter also attach to the same logical switch.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: October 20, 2020
    Assignee: NICIRA, INC.
    Inventors: Ganesan Chandrashekhar, Mukesh Hira, Su Wang, Jia Yu
  • Patent number: 10805330
    Abstract: Some embodiments provide a method for a public cloud manager that interacts with a management system of a public datacenter. The method receives a notification from a network controller that a second data compute node is compromised. The second data compute node operates on a host machine in the public datacenter and executes a forwarding element managed by the network controller. The method interacts with application programming interfaces (APIs) of the public datacenter to quarantine the data compute node.
    Type: Grant
    Filed: June 20, 2019
    Date of Patent: October 13, 2020
    Assignee: NICIRA, INC.
    Inventors: Akshay Katrekar, Ganesan Chandrashekhar, Mukesh Hira, Su Wang, Vaibhav Kulkarni
  • Patent number: 10798073
    Abstract: For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryption key has been retrieved, the method uses the encryption key to encrypt a message sent by a data compute node executing on the host requiring encryption according to an encryption rule. The encryption key ticket, in some embodiments, is generated for an encryption management module to implement the principle of least privilege. The ticket acts as a security token in retrieving encryption keys from a key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: October 6, 2020
    Assignee: NICIRA, INC.
    Inventors: Sonia Jahid, Ganesan Chandrashekhar, Bin Qian, Azeem Feroz