Abstract: Anycast addressing is utilized to support the connection of multiple application connectors fronting an application(s) to a network element and anycast routing of network traffic destined for the application(s). When an application is indicated for onboarding in a network fabric of a tenant, a network controller allocates virtual and anycast addresses to the application. Allocation of anycast addresses is per domain name and port/protocol combination. Upon determining that the application is available, the application connector(s) advertises reachability of the application via the anycast address. The network controller orchestrates configuration of a DNS entry that resolves the application name to its virtual IP address and destination NAT rules that translate the virtual IP address to the anycast address and the anycast address to the application's private IP address. Application network traffic can thus be forwarded to the application via any application connector that advertised the anycast address.

Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies.

Abstract: Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (I) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane.

Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways and also significantly reduces the need to redirect packets received at the wrong host by using a capacity of off-the-shelf gateway devices to perform IPV6 encapsulation for IPv4 packets and assigning locally unique IPv6 addresses to each host executing a dSNAT middlebox service instance that are used by the gateway device.

Abstract: Some embodiments provide a method for configuring a gateway machine in a datacenter. The method receives a definition of a logical network for implementation in the datacenter. The logical network includes at least one logical switch to which logical network endpoints attach and a logical router for handling data traffic between the logical network endpoints in the datacenter and an external network. The method receives configuration data attaching a third-party service to at least one interface of the logical router via an additional logical switch designated for service attachments. The third-party service is for performing non-forwarding processing on the data traffic between the logical network endpoints and the external network. The method configures the gateway machine in the datacenter to implement the logical router and redirect at least a subset of the data traffic between the logical network endpoints and the external network to the attached third-party service.

Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.

Abstract: A controller can securely publish an application of a tenant by securely extending a network fabric into the networks of the tenant with virtual private networks and NAT. After a tenant deploys an application into one or more networks of the tenant, the tenant can indicate select applications to publish. The network controller assigns a network address from the routable address space of the network fabric to the application and a network address aggregate to each application connector that will front an instance of the application, which securely extends the network fabric into the tenant network. The network controller configures NAT rules in the network fabric and on the application connector to create a route for traffic of the application through the network fabric to the application instance using a fully qualified domain name assigned to the application without exposing a private network address of the application instance and preserving security of other resource on the tenant network.

Abstract: Techniques for wildcard based private application access are disclosed. In some embodiments, a system, a process, and/or a computer program product for wildcard based private application access includes receiving a request for access to an application over a secure access service edge (SASE) network for a user associated with an enterprise; determining if the request for access to the application matches a wildcard (e.g., the wildcard can be configured by an administrator of the enterprise for matching a fully qualified domain name (FQDN) for the application); and automatically configuring access information (e.g., IP address, protocol, and destination port) for the application that matches the wildcard.

Abstract: Some embodiments provide a method for configuring a gateway machine in a datacenter. The method receives a definition of a logical network for implementation in the datacenter. The logical network includes at least one logical switch to which logical network endpoints attach and a logical router for handling data traffic between the logical network endpoints in the datacenter and an external network. The method receives configuration data attaching a third-party service to at least one interface of the logical router via an additional logical switch designated for service attachments. The third-party service is for performing non-forwarding processing on the data traffic between the logical network endpoints and the external network. The method configures the gateway machine in the datacenter to implement the logical router and redirect at least a subset of the data traffic between the logical network endpoints and the external network to the attached third-party service.

Abstract: A method of collecting health check metrics for a network is provided. The method, at a deep packet inspector on a physical host in a datacenter, receives a copy of a network packet from a load balancer. The packet includes a plurality of layers. Each layer corresponds to a communication protocol in a plurality of communication protocols. The method identifies an application referenced in the packet. The method analyzes the information in one or more layers of the packet to determine metrics for the source application. The method sends the determined metrics to the load balancer.

Abstract: Example methods and systems are provided a network device to perform tunnel-based service insertion in a public cloud environment. An example method may comprise establishing a tunnel between the network device and a service path. The method may also comprise: in response to receiving a first encapsulated packet, identifying the service path specified by a service insertion rule; generating and sending a second encapsulated packet over the tunnel to cause the service path to process an inner packet according to one or more services. The method may further comprise: in response to receiving, from the service path via the tunnel, a third encapsulated packet that includes the inner packet processed by the service path, sending the inner packet processed by the service path, or a fourth encapsulated packet, towards a destination address of the inner packet.

Abstract: Some embodiments of the invention provide a method for forwarding data messages between a client and a server (e.g., between client and server machines and/or applications). In some embodiments, the method receives a data message that a load balancer has directed from a particular client to a particular server after selecting the particular server from a set of several candidate servers for the received data message's flow. The method stores an association between an identifier associated with the load balancer and a flow identifier associated with the message flow, and then forwards the received data message to the particular server. The method subsequently uses the load balancer identifier in the stored association to forward to the particular load balancer a data message that is sent by the particular server. The method of some embodiments is implemented by an intervening forwarding element (e.g., a router) between the load balancer set and the server set.

Abstract: A method comprises: in response to detecting a new expression in a policy rule, updating a global version number to a new value; identifying a particular IP address that corresponds to an FQDN matching on the new expression; storing an entry comprising the particular IP address, the new expression, and an entry version number in a first data structure, the entry version number being assigned the new value; in response to detecting a new connection to a destination IP address: finding a matching entry in the first data structure corresponding to the destination IP address; determining whether the global version number matches the entry version number for the matching entry; and in response to determining that the global version number does not match the entry version number for the matching entry, sending update information to a slowpath process that associates an updated configuration information for the matching entry.

Abstract: A controller can securely publish an application of a tenant by securely extending a network fabric into the networks of the tenant with virtual private networks and NAT. After a tenant deploys an application into one or more networks of the tenant, the tenant can indicate select applications to publish. The network controller assigns a network address from the routable address space of the network fabric to the application and a network address aggregate to each application connector that will front an instance of the application, which securely extends the network fabric into the tenant network. The network controller configures NAT rules in the network fabric and on the application connector to create a route for traffic of the application through the network fabric to the application instance using a fully qualified domain name assigned to the application without exposing a private network address of the application instance and preserving security of other resource on the tenant network.

Abstract: A method of collecting health check metrics for a network is provided. The method, at a deep packet inspector on a physical host in a datacenter, receives a copy of a network packet from a load balancer. The packet includes a plurality of layers. Each layer corresponds to a communication protocol in a plurality of communication protocols. The method identifies an application referenced in the packet. The method analyzes the information in one or more layers of the packet to determine metrics for the source application. The method sends the determined metrics to the load balancer.

Abstract: Some embodiments provide a novel method for load balancing data messages that are sent by a source compute node (SCN) to one or more different groups of destination compute nodes (DCNs). In some embodiments, the method deploys a load balancer in the source compute node's egress datapath. This load balancer receives each data message sent from the source compute node, and determines whether the data message is addressed to one of the DCN groups for which the load balancer spreads the data traffic to balance the load across (e.g., data traffic directed to) the DCNs in the group. When the received data message is not addressed to one of the load balanced DCN groups, the load balancer forwards the received data message to its addressed destination. On the other hand, when the received data message is addressed to one of load balancer's DCN groups, the load balancer identifies a DCN in the addressed DCN group that should receive the data message, and directs the data message to the identified DCN.

Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.

Abstract: A method comprises: in response to detecting a new expression in a policy rule, updating a global version number to a new value; identifying a particular IP address that corresponds to an FQDN matching on the new expression; storing an entry comprising the particular IP address, the new expression, and an entry version number in a first data structure, the entry version number being assigned the new value; in response to detecting a new connection to a destination IP address: finding a matching entry in the first data structure corresponding to the destination IP address; determining whether the global version number matches the entry version number for the matching entry; and in response to determining that the global version number does not match the entry version number for the matching entry, sending update information to a slowpath process that associates an updated configuration information for the matching entry.

Abstract: A controller can securely publish an application of a tenant by securely extending a network fabric into the networks of the tenant with virtual private networks and NAT. After a tenant deploys an application into one or more networks of the tenant, the tenant can indicate select applications to publish. The network controller assigns a network address from the routable address space of the network fabric to the application and a network address aggregate to each application connector that will front an instance of the application, which securely extends the network fabric into the tenant network. The network controller configures NAT rules in the network fabric and on the application connector to create a route for traffic of the application through the network fabric to the application instance using a fully qualified domain name assigned to the application without exposing a private network address of the application instance and preserving security of other resource on the tenant network.

Abstract: Described herein are systems, methods, and software to enhance network traffic management. In one implementation, a first host identifies a packet to be transferred from a first virtual machine on the first host to a second virtual machine on a second host. In response to identifying the packet, the first host identifies a source logical port for the first virtual machine, and transferring a communication to the second host, wherein the communication encapsulates the data packet and the source logical port. Once the packet is received by the second host, the second host may use the source logical port to determine a forwarding action for the packet.