Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: Some embodiments provide a method for identifying a realization status of one or more logical entities of a logical network. In some embodiments the method is implemented by a controller that controls network data communications in a logical network. The method receives a request for realization status of a set of logical entities at a particular point of time that is associated with a particular value of a realization number. The method determines whether configuration data up to the particular point of time for each logical entity in the set has been processed and distributed to a set of local controllers that operates on a set of host machines. The method returns a realization reply that includes a successful realization message when the configuration data up to the particular point in time for each logical entity in the set has been processed and distributed to the set of local controllers.

Abstract: Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.

Abstract: A multi-layer policy framework for monitoring and enforcing policy is provided. The multi-layer policy framework receives the desired state of the policy at each layer and translates the desired state into a realized state for the layer. The desired state specifies the intent of the user and the realized specifies the specific actions that have to be performed in order to reach the desired state. The realized state at each layer is sent to the next lower layer as the desired state for the lower layer. At the lowest layer, the desired state is converted into a realized state that includes a set of rules used to enforce the policy. The set of rules are then enforced at different enforcement points at the lowest layer.

Abstract: Some embodiments provide a novel method for distributing control-channel communication load between multiple controllers in a network control system. In some embodiments, the controllers manage physical forwarding elements that forward data between several computing devices (also called hosts or host computers), some or all of which execute one or more virtual machines (VMs). The method of some embodiments distributes a controller assignment list to the host computers. The host computers use this list to identify the controllers with which they need to interact to perform some of the forwarding operations of their associated logical forwarding elements. In some embodiments, agents executing on the host computers (1) review the controller assignment list to identify the appropriate controllers, and (2) establish control channel communications with these controllers to obtain the needed data for effectuating the forwarding operations of their associated physical forwarding elements.

Abstract: Some embodiments provide a network system that includes several host machines for hosting virtual machines, divided into several different domains. The network system includes several local domain management servers. A first local domain management server of a first domain is for (i) initiating creation of a set of distributed virtual switch ports associated with a particular logical network identifier on a host machine within its domain and (ii) attaching a first virtual machine on the host machine to a created port associated with the particular logical network identifier in order for the first virtual machine to send traffic over the logical network. The network system includes a second level management server for coordinating the use of logical network identifiers between multiple different logical domain management servers in order for the first virtual machine to communicate via the logical network with a second virtual machine in a second domain.

Abstract: Some embodiments provide a network system that includes several host machines for hosting virtual machines, divided into several different domains. The network system includes several local domain management servers. A first local domain management server of a first domain is for (i) initiating creation of a set of distributed virtual switch ports associated with a particular logical network identifier on a host machine within its domain and (ii) attaching a first virtual machine on the host machine to a created port associated with the particular logical network identifier in order for the first virtual machine to send traffic over the logical network. The network system includes a second level management server for coordinating the use of logical network identifiers between multiple different logical domain management servers in order for the first virtual machine to communicate via the logical network with a second virtual machine in a second domain.

Abstract: Some embodiments provide a novel method for distributing control-channel communication load between multiple controllers in a network control system. In some embodiments, the controllers manage physical forwarding elements that forward data between several computing devices (also called hosts or host computers), some or all of which execute one or more virtual machines (VMs). The method of some embodiments distributes a controller assignment list to the host computers. The host computers use this list to identify the controllers with which they need to interact to perform some of the forwarding operations of their associated logical forwarding elements. In some embodiments, agents executing on the host computers (1) review the controller assignment list to identify the appropriate controllers, and (2) establish control channel communications with these controllers to obtain the needed data for effectuating the forwarding operations of their associated physical forwarding elements.

Abstract: Some embodiments provide a novel method for distributing control-channel communication load between multiple controllers in a network control system. In some embodiments, the controllers manage physical forwarding elements that forward data between several computing devices (also called hosts or host computers), some or all of which execute one or more virtual machines (VMs). The method of some embodiments distributes a controller assignment list to the host computers. The host computers use this list to identify the controllers with which they need to interact to perform some of the forwarding operations of their associated logical forwarding elements. In some embodiments, agents executing on the host computers (1) review the controller assignment list to identify the appropriate controllers, and (2) establish control channel communications with these controllers to obtain the needed data for effectuating the forwarding operations of their associated physical forwarding elements.

Abstract: Some embodiments provide a network system that includes several host machines for hosting virtual machines, divided into several different domains. The network system includes several local domain management servers. A first local domain management server of a first domain is for (i) initiating creation of a set of distributed virtual switch ports associated with a particular logical network identifier on a host machine within its domain and (ii) attaching a first virtual machine on the host machine to a created port associated with the particular logical network identifier in order for the first virtual machine to send traffic over the logical network. The network system includes a second level management server for coordinating the use of logical network identifiers between multiple different logical domain management servers in order for the first virtual machine to communicate via the logical network with a second virtual machine in a second domain.