Patents by Inventor GAURAV JINDAL
GAURAV JINDAL has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Offloading Network Address Translation and Firewall Rules to Tier-1 Routers for Gateway Optimization
Publication number: 20250119383
Abstract: The disclosure provides an approach for gateway optimization. Embodiments include receiving, at a first gateway associated with a first tenant within a data center, a packet directed to a first public network address of an endpoint associated with a second tenant within the data center. Embodiments include performing, by the first gateway, network address translation (NAT) to translate the first public network address to a private network address of the endpoint. Embodiments include forwarding, by the first gateway, the packet to an edge gateway of the data center. Embodiments include forwarding, by the edge gateway, the packet to a second gateway associated with the second tenant within the data center without sending the packet to a public interface of the edge gateway. Embodiments include forwarding, by the second gateway, the packet to the endpoint.
Type: Application
Filed: March 15, 2024
Publication date: April 10, 2025
Inventors: GAURAV JINDAL, CHANDAN GHOSH, NEERAJ MANTRI, RAJESH SAHU
-
Publication number: 20250112863
Abstract: Some embodiments provide a novel method for configuring edge routers in a first network. The method configures on a first compute node of the first network (1) a first higher-level edge router and (2) a set of lower-level edge routers. Each lower-level edge router is configured for a different set of subnetworks defined in the first network and is connected to an external second network through the first higher-level edge router. The method detects a condition that requires a particular lower-level edge router for a particular subnetwork to be moved to another compute node. The method configures the particular lower-level edge router to operate on a second compute node below a second higher-level edge router operating on the second compute node to connect the particular lower-level edge router to the external second network.
Type: Application
Filed: April 30, 2024
Publication date: April 3, 2025
Inventors: Gaurav Jindal, Chandan Ghosh, Neeraj Mantri
-
Publication number: 20250097138
Abstract: Example methods and systems for connectivity service provisioning for a software-defined data center (SDDC) group are described. In one example, a computer system may detect an event that affects a first connectivity service connecting multiple members of the SDDC group. The computer system may obtain first routing information that is applicable in a first SDDC; and second routing information that is applicable in a second SDDC. In response to the event, the computer system may generate and send a first instruction towards the first SDDC and a second instruction towards the second SDDC to cause: (a) the first SDDC and second SDDC to establish a second connectivity service; (b) the first SDDC to update the first routing information to associate a first flow with the second connectivity service; and (c) the second SDDC to update the second routing information to associate a second flow with the second connectivity service.
Type: Application
Filed: August 23, 2024
Publication date: March 20, 2025
Inventors: Chandan Ghosh, Gaurav Jindal, Neeraj Mantri
-
Patent number: 12212494
Abstract: Some embodiments provide a novel method for dynamically deploying gateways for a first network connecting machines. The first network includes segments, routers, and a first gateway that connects to an external network. The method identifies a set of two or more segments that consumes more than a threshold amount of bandwidth of the first gateway. The identified set includes at least first and second segments. The method identifies one or more segment groups by aggregating two or more segments in the identified set. A first segment group includes the first and second segments and a third segment that is not in the identified set of two or more segments. The method configures a second gateway to process flows associated with each identified group including the first group. The method configures a set of routers to forward flows from machines of each segment of each identified group to the second gateway.
Type: Grant
Filed: April 21, 2023
Date of Patent: January 28, 2025
Assignee: VMware LLC
Inventors: Chandan Ghosh, Anantha Mohan Raj, Gaurav Jindal, Siddhant Verma, Saurabh Garg
-
Publication number: 20240406143
Abstract: The disclosure provides an approach for processing communications between connected data centers. Embodiments include receiving, at a first gateway of a first data center from a second gateway of a second data center, one or more policies associated with traffic attributes. Embodiments include programming priority routes between the first gateway and the second gateway over a virtual private network (VPN) tunnel based on the one or more policies, wherein each of the priority routes is associated with a traffic attribute of the traffic attributes. Embodiments include providing the one or more policies to a central controller of the first data center and programming, by the central controller, one or more tables associated with a centrally-managed virtual switch based on the one or more policies. Embodiments include updating a database associated with each of a plurality of hosts based on the programming of the one or more tables.
Type: Application
Filed: August 12, 2024
Publication date: December 5, 2024
Inventors: Hussaina BEGUM NANDYALA, Gaurav JINDAL, Rasik JESADIYA, Neeraj MANTRI
-
Publication number: 20240406085
Abstract: Example methods and systems for health check as a service are described. One example may involve a computer system receiving a request to perform a health check for a network environment that includes a set of multiple flows. The computer system may select a subset that includes (a) a first flow between a first pair of endpoints and (b) a second flow between a second pair of endpoints. The health check may be initiated for the first flow and the second flow by generating and sending (a) a first instruction to cause injection of a first health check packet, and (b) a second instruction to cause injection of a second health check packet. The computer system may determine health status information associated with the subset based on (a) first observation information triggered by the first health check packet, and (b) second observation information triggered by the second health check packet.
Type: Application
Filed: August 1, 2023
Publication date: December 5, 2024
Inventors: GAURAV JINDAL, NEERAJ MANTRI, ADITYA VIKRAM MUKHERJEE
-
Publication number: 20240406104
Abstract: Example methods and systems for adaptive traffic forwarding are described. In one example, a first computer system may monitor metric information associated with at least a first connectivity service from multiple connectivity services that are connecting (a) the first computer system and a second computer system. In response to determination that a condition for scaling up is satisfied based on the metric information, the first computer system may select, from a set of multiple flows associated with the first connectivity service, a subset that includes at least a first flow. Routing information may be updated to associate the subset with a second connectivity service. In response to detecting egress packets associated with the first flow from the first endpoint, the first computer system may forward the egress packets towards the second computer system using the second connectivity service based on the updated routing information.
Type: Application
Filed: July 28, 2023
Publication date: December 5, 2024
Inventors: Gaurav JINDAL, Chandan GHOSH
-
Patent number: 12143284
Abstract: Example methods and systems for health check as a service are described. One example may involve a computer system receiving a request to perform a health check for a network environment that includes a set of multiple flows. The computer system may select a subset that includes (a) a first flow between a first pair of endpoints and (b) a second flow between a second pair of endpoints. The health check may be initiated for the first flow and the second flow by generating and sending (a) a first instruction to cause injection of a first health check packet, and (b) a second instruction to cause injection of a second health check packet. The computer system may determine health status information associated with the subset based on (a) first observation information triggered by the first health check packet, and (b) second observation information triggered by the second health check packet.
Type: Grant
Filed: August 1, 2023
Date of Patent: November 12, 2024
Assignee: VMware LLC
Inventors: Gaurav Jindal, Neeraj Mantri, Aditya Vikram Mukherjee
-
Publication number: 20240354135
Abstract: Some embodiments provide a novel method for deploying cloud gateways between a set of cloud machines in a first network and a set of on-premises machines in an external network. The method collects a set of statistics for a first cloud gateway used to connect the set of cloud machines and the set of on-premises machines. The method analyzes the set of statistics to determine that a second cloud gateway is needed to connect the set of cloud machines and the set of on-premises machines. The method identifies a subset of the set of cloud machines. The method distributes a set of one or more forwarding rules to the subset of cloud machines to forward a set of data message flows from the subset of cloud machines to the set of on-premises machines through the second cloud gateway.
Type: Application
Filed: April 21, 2023
Publication date: October 24, 2024
Inventors: Chandan Ghosh, Anantha Mohan Raj, Gaurav Jindal, Siddhant Verma, Saurabh Garg
-
Publication number: 20240356852
Abstract: Some embodiments provide a novel method for dynamically deploying gateways for a first network connecting machines. The first network includes segments, routers, and a first gateway that connects to an external network. The method identifies a set of two or more segments that consumes more than a threshold amount of bandwidth of the first gateway. The identified set includes at least first and second segments. The method identifies one or more segment groups by aggregating two or more segments in the identified set. A first segment group includes the first and second segments and a third segment that is not in the identified set of two or more segments. The method configures a second gateway to process flows associated with each identified group including the first group. The method configures a set of routers to forward flows from machines of each segment of each identified group to the second gateway.
Type: Application
Filed: April 21, 2023
Publication date: October 24, 2024
Inventors: Chandan Ghosh, Anantha Mohan Raj, Gaurav Jindal, Siddhant Verma, Saurabh Garg
-
Publication number: 20240356853
Abstract: Some embodiments provide a novel method for preemptively deploying gateways in a first network to one or more external networks. The first network of some embodiments includes a first gateway connecting to the one or more external networks. The method collects a set of statistics for the first gateway associated with bandwidth usage of the first gateway. The method determines that a second gateway needs to be deployed in the first network (1) by using the collected set of statistics to perform predictive modeling computations to predict a future load on the first gateway, and (2) by determining that the predicted future load exceeds a particular threshold. The method distributes a set of one or more forwarding rules to forward data message flows from a subset of machines in the first network to a particular external network through the second gateway.
Type: Application
Filed: April 21, 2023
Publication date: October 24, 2024
Inventors: Chandan Ghosh, Anantha Mohan Raj, M.D., Gaurav Jindal, Siddhant Verma, Saurabh Garg
-
Publication number: 20240348585
Abstract: Some embodiments provide a novel method for reducing load on a first virtual private network (VPN) gateway of a first datacenter by using a second VPN gateway to perform data message encryption needed for VPN communication with a second datacenter. The second gateway performs encryption for machines executing on several host computers of the first datacenter. The first gateway establishes a VPN session with a third gateway of the second datacenter and establishes a tunnel. The first gateway provides, to the second gateway, state information specifying that the second gateway is to perform encryption for a set of data messages exchanged along the tunnel. The first gateway receives, from the second gateway, an encrypted data message to be sent to a destination machine in the second datacenter. The first gateway forwards the encrypted data message to the third gateway for the third gateway to forward to the destination machine.
Type: Application
Filed: April 13, 2023
Publication date: October 17, 2024
Inventors: Gaurav Jindal, Rasik Vallabhbhai Jesadiya, Hussaina Begum Nandyala, Neeraj Mantri
-
Publication number: 20240348586
Abstract: Some embodiments provide a novel method for dynamically performing data message encryption for machines of a first network at several gateways. The encryption is needed for VPN communication with a second network. The method receives, through a user interface, a VPN policy associated with a first segment set of the first network. The method uses a first gateway to establish VPN sessions for a first machine set associated with the first segment set, uses a second gateway to perform encryption operations for the first machine set, and uses the first gateway to perform encryption operations for a second machine set associated with a second segment set of the first network. The method monitors load on the first or second gateways. Based on the monitored load, the method uses a third gateway to perform encryption operations for a third machine set associated with a third segment set of the first network.
Type: Application
Filed: April 13, 2023
Publication date: October 17, 2024
Inventors: Gaurav Jindal, Rasik Vallabhbhai Jesadiya, Hussaina Begum Nandyala, Neeraj Mantri
-
MANAGING CONFIGURATION OF SUPERNETS FOR A ROUTE TABLE BASED ON AVAILABLE CAPACITY IN THE ROUTE TABLE
Publication number: 20240314061
Abstract: Described herein are systems, methods, and software to manage prefixes for a route table in a gateway according to an implementation. In one implementation, a management service monitors a quantity of prefix routes associated with a route table in a gateway and determines when the quantity satisfies one or more criteria. When the capacity satisfies the one or more criteria, the management service determines one or more supernets that each represent a subset of the prefix routes and adds the one or more supernets to the route table to replace the subset of the prefix routes.
Type: Application
Filed: March 15, 2023
Publication date: September 19, 2024
Inventors: Anantha Mohan Raj M D, Paul Subhankar, Chandan Ghosh, Gaurav Jindal, Sinchanaraj H N
-
Patent number: 12074765
Abstract: Some embodiments provide a method for automatically configuring VPN gateways. The method receives a first configuration for a first VPN gateway located at a first datacenter. The configuration includes configuration data for a first set of VPNs connecting a first set of networks at the first datacenter to other networks at other datacenters. The method automatically modifies the configuration data to generate a second configuration for a second VPN gateway. The method configures the second VPN gateway using the second configuration to set up a second set of VPNs connecting a second set of networks to the other networks at the other datacenters.
Type: Grant
Filed: October 13, 2022
Date of Patent: August 27, 2024
Assignee: VMware LLC
Inventor: Gaurav Jindal
-
Patent number: 12063204
Abstract: The disclosure provides an approach for processing communications between connected data centers. Embodiments include receiving, at a first gateway of a first data center from a second gateway of a second data center, one or more policies associated with traffic attributes. Embodiments include programming priority routes between the first gateway and the second gateway over a virtual private network (VPN) tunnel based on the one or more policies, wherein each of the priority routes is associated with a traffic attribute of the traffic attributes. Embodiments include providing the one or more policies to a central controller of the first data center and programming, by the central controller, one or more tables associated with a centrally-managed virtual switch based on the one or more policies. Embodiments include updating a database associated with each of a plurality of hosts based on the programming of the one or more tables.
Type: Grant
Filed: March 29, 2022
Date of Patent: August 13, 2024
Assignee: VMware LLC
Inventors: Hussaina Begum Nandyala, Gaurav Jindal, Rasik Jesadiya, Neeraj Mantri
-
Patent number: 12047278
Abstract: An example method of identifying an equal cost multipath (ECMP)-enabled route-based virtual private networks (RBVPN) in a virtualized computing system, comprises: obtaining, at a telemetry agent executing in an edge server of a data center, learned routes; identifying, by the telemetry agent from the routes, a destination network and a plurality of next hops associated therewith and a plurality of virtual tunnel interfaces (VTIs); identifying, by the telemetry agent for each of the plurality of VTIs, an associated VPN session; grouping, by the telemetry agent, the VPN sessions identified as associated with the plurality of VTIs into an ECMP-enabled RBVPN; adding, by the telemetry agent, a description of the ECMP-enabled RBVPN to telemetry data; and sending, by the telemetry agent, the telemetry data to a telemetry service.
Type: Grant
Filed: March 24, 2023
Date of Patent: July 23, 2024
Assignee: VMware LLC
Inventors: Gaurav Jindal, Neeraj Mantri
-
Publication number: 20240243991
Abstract: An example method of identifying an equal cost multipath (ECMP)-enabled route-based virtual private networks (RBVPN) in a virtualized computing system, comprises: obtaining, at a telemetry agent executing in an edge server of a data center, learned routes; identifying, by the telemetry agent from the routes, a destination network and a plurality of next hops associated therewith and a plurality of virtual tunnel interfaces (VTIs); identifying, by the telemetry agent for each of the plurality of VTIs, an associated VPN session; grouping, by the telemetry agent, the VPN sessions identified as associated with the plurality of VTIs into an ECMP-enabled RBVPN; adding, by the telemetry agent, a description of the ECMP-enabled RBVPN to telemetry data; and sending, by the telemetry agent, the telemetry data to a telemetry service.
Type: Application
Filed: March 24, 2023
Publication date: July 18, 2024
Inventors: GAURAV JINDAL, NEERAJ MANTRI
-
Publication number: 20240129190
Abstract: Some embodiments provide a method for automatically configuring VPN gateways. The method receives a first configuration for a first VPN gateway located at a first datacenter. The configuration includes configuration data for a first set of VPNs connecting a first set of networks at the first datacenter to other networks at other datacenters. The method automatically modifies the configuration data to generate a second configuration for a second VPN gateway. The method configures the second VPN gateway using the second configuration to set up a second set of VPNs connecting a second set of networks to the other networks at the other datacenters.
Type: Application
Filed: October 13, 2022
Publication date: April 18, 2024
Inventor: Gaurav Jindal
-
Publication number: 20240031336
Abstract: Embodiments described herein relate to load balancing using multiple CPUs. A method for tunnel creation according to a security protocol at a source tunnel endpoint (TEP) includes exchanging messages with a destination TEP to create a security association (SA) for the tunnel creation; sending a message to the destination TEP, wherein the message is an encrypted message based on the first message exchange, and the message includes a traffic selector of the source TEP and a number of available CPUs of the source TEP; receiving a message from the destination TEP, wherein the message is an encrypted message based on the first message exchange, and the message includes a traffic selector of the destination TEP and a number of available CPUs of the destination TEP; and determining a number of SAs to create with the destination TEP, wherein the determination is based on the traffic selectors and the number of available CPUs.
Type: Application
Filed: October 28, 2022
Publication date: January 25, 2024
Inventors: GAURAV JINDAL, Hussaina Begum Nandyala