Abstract: Described herein is a system and method for managing network flow state for ongoing flows (connectionless protocol flows and connection-based protocol flows) between client device(s) and a virtual machine using a flow collection data structure (e.g. hash table) having a predefined maximum quantity of ongoing flows that can be managed. When it is determined that the flow collection data structure is managing greater than an acceptable threshold of connectionless protocol flows, at a dynamically adjustable frequency, flow state for more connectionless protocol flow(s) having an unexpired time-to-live are expired. The frequency can be adjusted based upon a rate at which new flows are being created and/or a rate at which flows are being deleted. Also described herein is a system and method in which, at a particular frequency, only a portion of the flows in the flow collection data structure are evaluated in order to minimize impact on packet processing.

Abstract: Described herein is a system and method for flow state save/restore of a virtual filtering platform. A first instance of a driver manages policy and flow state for ongoing flows between client device(s) and virtual machine(s). The virtual filtering platform is transitioned from the first instance of a driver to a second instance of the driver by serializing the policy and state for the ongoing flows on the first instance of the driver using a one pass algorithm. The serialized policy and state for the ongoing flows can be de-serialized with the ongoing flows re-established and/or reconciled on the second instance of the driver in accordance with the de-serialized policy and state for the plurality of ongoing flows. In some embodiments, a memory management technique can use a single operating system memory allocation call to allocate memory for the transition, with the technique managing utilization of the allocation memory.

Abstract: Described herein are systems and methods for supporting multicast for virtual networks. In some embodiments, a native multicast approach can utilized in which packet replication is performed on a host node of a virtual machine (VM) with a multicast data packet encapsulated in uniquely address unicast packets. In some embodiments, a network virtual appliance can be utilized. A multicast packet sent from the VM can be unicasted to the network virtual appliance. The multicast appliance can then replicate the packet into multiple copies and send the packets to the receivers in the virtual network as unicast data packets encapsulating the multicast packet.

Abstract: An overlay network refers to a network that is implemented as various different virtual resources on a physical network referred to as an underlay network. Diagnostics are performed on the overlay network by injecting diagnostic packets from a source endpoint targeting a target endpoint. These endpoints can be in the overlay network, on-premises with the other endpoint but in a different overlay network, or off-premises form the other endpoint. The diagnostic packets include a data packet encapsulated with a diagnostic encapsulation header that can be removed by a network element in the underlay network to allow processing of the data packet, and then added back on. The network element maintains trace information that is a record of receipt of the diagnostic packet and operations performed on the diagnostic packet. A tracing service collects and analyzes this trace information from the various network elements.

Abstract: Techniques are disclosed for communicating data in a virtualized environment comprising virtual machines executing on one or more computing devices. An underlying physical destination address of a virtual machine executing on a virtual network is changed from a first physical address to a second physical address. A traffic forwarder function is executed on a virtual switch within the virtual network. The traffic forwarder function is executed during a time threshold determined based on a reprogramming time for network devices in the virtualized environment to update the underlying physical destination address. A data packet addressed to the first physical address is by the traffic forwarder function on a network external to the virtual network. A destination address of the data packet is updated from the first physical address to the second physical address. The data packet is forwarded to the updated destination address.

Abstract: A DHCP server implementation includes transmission of a DHCP packet from a virtual machine executing on a server node to a node agent executing on the server node, generation, by the node agent, of a DHCP response packet based on the DHCP packet and on DHCP information previously stored in a local memory of the server node, and transmission of the DHCP response packet from the node agent to the virtual machine. Neither the DHCP packet transmitted by the virtual machine nor the DHCP response packet are transmitted out of the server node.

Abstract: The techniques described herein enable a private connectivity solution between a virtual network of a service consumer and a virtual network of a service provider in a cloud-based platform. The techniques map a service (e.g., one or more workloads or containers) executing in the virtual network of the service provider into the virtual network of the service consumer. The mapping uses network address translation (NAT) that is performed by the cloud-based infrastructure. As a result of the techniques described herein, a public Internet Protocol (IP) address does not need to be used to establish a connection thereby alleviating privacy and/or security concerns for the virtual networks of the service provider and/or the service consumer that are hosted by the cloud-based platform.

Abstract: The disclosed system implements techniques to enable a tenant of a cloud-based platform to effectively and efficiently apply a policy that copies data packets communicated to or from a virtual machine in the tenant's own virtual network. When applied, the policy mirrors data traffic associated with a workload executing on a virtual machine in the tenant's virtual network. To mirror the data traffic, a copy of a data packet is streamed to another virtual machine so that network analytics can be performed (e.g., performance analytics, security analytics, etc.). In various examples, the policy can be a role-based mirroring policy that defines a plurality of roles in association with a role-based access model that scales operations and that provides improved security for a tenant's virtual network.

Abstract: A DHCP server implementation includes transmission of a DHCP packet from a virtual machine executing on a server node to a node agent executing on the server node, generation, by the node agent, of a DHCP response packet based on the DHCP packet and on DHCP information previously stored in a local memory of the server node, and transmission of the DHCP response packet from the node agent to the virtual machine. Neither the DHCP packet transmitted by the virtual machine nor the DHCP response packet are transmitted out of the server node.

Abstract: Techniques are described herein that are capable of monitoring connectivity and latency of network links in virtual networks. For instance, a ping agent injects first ping packets into network traffic on behalf of hosts in the virtual network. The ping agent monitors incoming packets to identify first ping response packets, which are in response to the first ping packets, among the incoming packets. A ping responder rule that is included in inbound packet filter rules for a port in a virtual switch intercepts second ping packets in the network traffic. The ping responder rule converts the second ping packets into second ping response packets and injects the second ping response packets into outbound packet filter rules to be transferred to sources from which the second ping packets are received.

Abstract: Techniques for allowing access to shared cloud resource using private network addresses are disclosed herein. In one embodiment, a connection packet representing a connection request to a shared cloud resource in the cloud computing system can be intercepted. In response, the connection packet can be encapsulated with data representing one or more of a VNET ID, a VNET source address, or a VNET destination address of a virtual network from which the connection packet is received. The encapsulated connection packet can then be forwarded to the shared cloud resource while retaining the data representing one or more of the VNET ID, the VNET source address, or the VNET destination address for access control at the shared cloud resource.

Abstract: A DHCP server implementation includes transmission of a DHCP packet from a virtual machine executing on a server node to a node agent executing on the server node, generation, by the node agent, of a DHCP response packet based on the DHCP packet and on DHCP information previously stored in a local memory of the server node, and transmission of the DHCP response packet from the node agent to the virtual machine. Neither the DHCP packet transmitted by the virtual machine nor the DHCP response packet are transmitted out of the server node.

Abstract: Virtual networks located in different regions of cloud provider are peered using unique regional identifiers for the virtual networks. The regional identifiers and other information are pushed down a network management stack to implement the peering.

Abstract: A system is provided and includes a processor and a non-transitory computer-readable medium configured to store instructions for execution by the processor. The instructions include: accessing a resource via a first machine in a cloud-based network, where the first machine is a virtual machine; converting at the first machine an IPv4 packet to a IPv6 packet; while converting the IPv4 packet, embedding metadata in the IPv6 packet, where the metadata includes information identifying the first machine or a virtual network of the first machine; and transmitting the IPv6 packet to a second machine to limit access to the resource based on the information identifying the the first machine or the virtual network of the first machine. The second machine limits access to the resource based on the information identifying the at least one of the first machine or the virtual network of the first machine.

Abstract: An overlay network refers to a network that is implemented as various different virtual resources on a physical network referred to as an underlay network. Diagnostics are performed on the overlay network by injecting diagnostic packets from a source endpoint targeting a target endpoint. These endpoints can be in the overlay network, on-premises with the other endpoint but in a different overlay network, or off-premises form the other endpoint. The diagnostic packets include a data packet encapsulated with a diagnostic encapsulation header that can be removed by a network element in the underlay network to allow processing of the data packet, and then added back on. The network element maintains trace information that is a record of receipt of the diagnostic packet and operations performed on the diagnostic packet. A tracing service collects and analyzes this trace information from the various network elements.