Abstract: The present disclosure generally relates to deploying a proxy control plane and/or north-south data plane in a control virtual private cloud of a logical network implemented on a software-defined datacenter. The control virtual private cloud is shared by a plurality of compute virtual private clouds of the network. In some embodiments, a proxy control plane is deployed on the control virtual private cloud and disseminates policies directly to endpoints of the logical network. In some embodiments, a north-south data plane is deployed on the control virtual private cloud and directly manages north-south network traffic from endpoints of the logical network. In some embodiments, a proxy control plane and a north-south network data plane are deployed on the control virtual private cloud.

Abstract: Some embodiments provide a method for a first network controller that manages a logical network implemented in a datacenter including forwarding elements to which the first network controller does not have access. The method identifies a first data compute node (DCN) in the datacenter configured to execute a second network controller. The method distributes configuration data defining the logical network to the first DCN. The second network controller distributes sets of the configuration data to local agents executing on additional DCNs in the datacenter that send and receive messages through the logical network. Both managed forwarding elements and the local agents execute on each of the additional DCNs. Each local agent on a particular DCN is for receiving a set of configuration data from the second network controller and configuring the managed forwarding element on the particular DCN to implement the logical network according to the set of configuration data.

Abstract: A LRE (logical routing element) that have LIFs that are active in all host machines spanned by the LRE as well as LIFs that are active in only a subset of those spanned host machines is provided. A host machine having an active LIF for a particular L2 segment would perform the L3 routing operations for network traffic related to that L2 segment. A host machine having an inactive LIF for the particular L2 segment would not perform L3 routing operations for the network traffic of the L2 segment.

Abstract: Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.

Abstract: A LRE (logical routing element) that have LIFs that are active in all host machines spanned by the LRE as well as LIFs that are active in only a subset of those spanned host machines is provided. A host machine having an active LIF for a particular L2 segment would perform the L3 routing operations for network traffic related to that L2 segment. A host machine having an inactive LIF for the particular L2 segment would not perform L3 routing operations for the network traffic of the L2 segment.

Abstract: A system for network virtualization in which physical network resources in different physical contexts are configured to implement one or more distributed logical network elements, at least some of the physical network resources implementing the distributed logical network elements configured according the physical context of those network resources. The local configuration of a physical locale is a version of the logical configuration that is modified specifically for the physical locale. Such modification is based on locale identifiers that are assigned to the physical locales. Some systems use locale-specific information to modify next-hop preference. Some system use locally modified configurations to determine the placement of VMs.

Abstract: A system provisions global logical entities that facilitate the operation of logical networks that span two or more datacenters. These global logical entities include global logical switches that provide L2 switching as well as global routers that provide L3 routing among network nodes in multiple datacenters. The global logical entities operate along side local logical entities that are for operating logical networks that are local within a datacenter.

Abstract: Some embodiments provide a method for a public cloud manager that interacts with a management system of a public datacenter. The method receives a notification from a network controller that a second data compute node is compromised. The second data compute node operates on a host machine in the public datacenter and executes a forwarding element managed by network controller. The method interacts with application programming interfaces (APIs) of the public datacenter to quarantine the data compute node.

Abstract: Certain embodiments described herein are generally directed to processing domain objects in a distributed system using logical sharding. In some embodiments, a central control plane (CCP) node receives a domain object. In some embodiments, if the CCP node determines that the domain object is not already present in a shared data store and that the CCP node is the logical master of the domain object, the CCP node generates a status based on the domain object, and stores the status and domain object in the shared data store. In some embodiments, the shared data store notifies the plurality of CCP nodes of the stored status and domain object.

Abstract: Some embodiments provide a method for a public cloud manager operating within a first data compute node of a public cloud. The method receives, through a set of public cloud provider APIs, information regarding a new second data compute node created within the public cloud. The information includes a set of tags entered by a user when creating the data compute node. Based on the tags, the method notifies a network control system that manages a forwarding element operating in the data compute node regarding (i) the creation of the data compute node, (ii) a logical switch to which to attach the data compute node and (iii) a security group to which the data compute node belongs.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for configuring a managed forwarding element (MFE) executing on a first host machine to implement a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines to process multicast data messages. The method receives a multicast group report from a data compute node (DCN) that executes on the first host, sends a summarized multicast group report indicating multicast groups joined by DCNs executing on the first host to a set of central controllers, receives data based on an aggregated multicast group report from the set of central controllers, and uses the data based on the aggregated multicast group report to configure the MFE to implement the distributed multicast logical router.

Abstract: Some embodiments provide a method for a network controller that manages a logical network spanning multiple physical locations. For each physical location hosting data compute nodes (DCNs) belonging to the logical network, the method defines a centralized routing component for processing data messages between the DCNs hosted at the physical location and networks external to the logical network, assigns an active instance of the centralized routing component to operate at the physical location, and assigns a standby instance of the centralized routing component to operate at one of the other physical locations.

Abstract: Some embodiments provide a method for employing the management and control system of a network to dynamically recover from a split-brain condition in the edge nodes of the network. The method of some embodiments takes a corrective action to automatically recover from a split-brain failure occurred at a pair of high availability (HA) edge nodes of the network. The HA edge nodes include an active machine and a standby machine. The active edge node actively passes through the network traffic (e.g., north-south traffic for a logical network), while the standby edge node is synchronized and ready to transition to the active state, should a failure occur. Both HA nodes share the same configuration settings and only one is active until a path, link, or system failure occurs. The active edge node also provides stateful services (e.g., stateful firewall, load balancing, etc.) to the data compute nodes of the network.

Abstract: Some embodiments provide a method for a first DCN operating in a first datacenter as a logical network gateway that processes messages between other DCNs of the logical network and external entities, which address the logical network gateway using a first address. The first DCN has an interface with a second address for use in the first datacenter. The method stores a mapping between the second address and a third address. A second DCN operates the logical network gateway in a second datacenter and has an interface with the third address for use in the second datacenter. From the second DCN, the method receives connection state data, describing connections between the external entities and the DCNs of the logical network, that uses the third address. The method replaces the third address with the second address in the connection state data using the stored mapping and stores the connection state data.

Abstract: Some embodiments provide a method for a set of central controllers that manages forwarding elements operating in a plurality of datacenters. The method receives a configuration for a bridge between (i) a logical L2 network that spans at least two datacenters and (ii) a physical L2 network. The configuration specifies a particular one of the datacenters for implementation of the bridge. The method identifies multiple managed forwarding elements that implement the logical L2 network and are operating in the particular datacenter. The method selects one of the identified managed forwarding elements to implement the bridge. The method distributes bridge configuration data to the selected managed forwarding element.

Abstract: A system for network virtualization in which physical network resources in different physical contexts are configured to implement one or more distributed logical network elements, at least some of the physical network resources implementing the distributed logical network elements configured according the physical context of those network resources. The local configuration of a physical locale is a version of the logical configuration that is modified specifically for the physical locale. Such modification is based on locale identifiers that are assigned to the physical locales. Some systems use locale-specific information to modify next-hop preference. Some system use locally modified configurations to determine the placement of VMs.

Abstract: For a managed network including multiple host machines implementing multiple logical networks, some embodiments provide a method that reduces the memory and traffic load required to implement the multiple logical networks. The method generates configuration data for each of multiple host machines including (i) data to configure a host machine to implement a set of logical forwarding elements that belong to a set of routing domains and (ii) identifiers for each routing domain in the set of routing domains. The method then receives data regarding tunnels endpoints operating on each of the host machines and an association with the routing identifiers sent to the host machines. The method then generates a routing domain tunnel endpoint list for each routing domain based on the data received from each of the host machines including a list of the tunnel endpoints associated with the routing domain which the host machines can use to facilitate packet processing.

Abstract: Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.

Abstract: A system provisions global logical entities that facilitate the operation of logical networks that span two or more datacenters. These global logical entities include global logical switches that provide L2 switching as well as global routers that provide L3 routing among network nodes in multiple datacenters. The global logical entities operate along side local logical entities that are for operating logical networks that are local within a datacenter.

Abstract: Some embodiments provide a method for identifying a realization status of one or more logical entities of a logical network. In some embodiments the method is implemented by a controller that controls network data communications in a logical network. The method receives a request for realization status of a set of logical entities at a particular point of time that is associated with a particular value of a realization number. The method determines whether configuration data up to the particular point of time for each logical entity in the set has been processed and distributed to a set of local controllers that operates on a set of host machines. The method returns a realization reply that includes a successful realization message when the configuration data up to the particular point in time for each logical entity in the set has been processed and distributed to the set of local controllers.