Abstract: Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.

Abstract: In some embodiments, a method inserts, by a first computing device, a first value for a capability in a first message that is used in a process to automatically exchange capability values with a second computing device. The first value for the capability indicates the first computing device requires a default route to reach the second computing device as a next hop for sending a packet to a destination. The first computing device sends the first message to the second computing device; and receives a second value for the capability in a second message from the second computing device. The second value indicating the second computing device will send the default route to reach the second computing device. When the default route is received from the second computing device, the first computing device stores the default route from the second computing device in a route table.

Abstract: A network system that implements quality of service (QoS) by rate limiting at a logical network entity is provided. The logical network entity includes multiple transport nodes for transporting network traffic in and out of the logical network entity. The system monitors traffic loads of the multiple transport nodes of the logical network entity. The system allocates a local CR and a local BS to each of the multiple transport nodes. The allocated local CR and the local BS are determined based on the CR and BS parameters of the logical network entity and based on the monitored traffic loads. Each transport node of the logical network entity in turn controls an amount of data being processed by the transport node based on a token bucket value that is computed based on the local CR and the local BS of the transport node.

Abstract: Some embodiments provide a method for configuring a set of MFEs to implement a distributed multicast logical router and multiple logical switches to process the multicast data messages. The method sends, from a managed forwarding element (MFE) implementing the distributed multicast logical router, a multicast group query to a set of data compute nodes (DCNs) that are logically connected to one of several logical switches and that execute on the same host machine as the managed forwarding element. The method receives multicast group reports from a subset of the set of DCNs and at least one of the multicast group reports specifies a multicast group of interest. The method distributes, to a set of MFEs executing on other host machines, a summarized multicast group report specifying a set of multicast groups of interest to the first MFE (i.e., multicast groups that the first MFE participates in).

Abstract: In some embodiments, a method inserts, by a first computing device, a first value for a capability in a first message that is used in a process to automatically exchange capability values with a second computing device. The first value for the capability indicates the first computing device requires a default route to reach the second computing device as a next hop for sending a packet to a destination. The first computing device sends the first message to the second computing device; and receives a second value for the capability in a second message from the second computing device. The second value indicating the second computing device will send the default route to reach the second computing device. When the default route is received from the second computing device, the first computing device stores the default route from the second computing device in a route table.

Abstract: A network system that implements quality of service (QoS) by rate limiting at a logical network entity is provided. The logical network entity includes multiple transport nodes for transporting network traffic in and out of the logical network entity. The system monitors traffic loads of the multiple transport nodes of the logical network entity. The system allocates a local CR and a local BS to each of the multiple transport nodes. The allocated local CR and the local BS are determined based on the CR and BS parameters of the logical network entity and based on the monitored traffic loads. Each transport node of the logical network entity in turn controls an amount of data being processed by the transport node based on a token bucket value that is computed based on the local CR and the local BS of the transport node.

Abstract: Some embodiments provide a method for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network. The method receives a data message at the gateway device. To process the data message, the method executes a set of processing stages that includes a processing stage for a particular logical router. As part of the processing stage for the particular logical router, the method (i) uses an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router and (ii) only when the data message is subject to rate limiting controls, determines whether to allow the data message according to a rate limiting mechanism for the particular logical router.

Abstract: Some embodiments provide a method for providing redundancy and fast convergence for modules operating in a network. The method configures modules to use a same anycast inner IP address, anycast MAC address, and to associate with a same anycast VTEP IP address. In some embodiments, the modules are operating in an active-active mode and all nodes running modules advertise the anycast VTEP IP addresses with equal local preference. In some embodiments, modules are operating in active-standby mode and the node running the active module advertises the anycast VTEP IP address with higher local preference.

Abstract: The present disclosure provides an approach for scaling the number of VNFs in a data center without scaling the number of control sessions between VNFs and a data center gateway. The approach includes opening a session between a VNF and a route server, rather than between the VNF and the gateway, when the VNF needs to send its connectivity information to the gateway. The VNF sends its connectivity information to the route server, and the route server forwards the connectivity information to the gateway. The gateway receives connectivity information of a plurality of VNFs in the data center from the route server rather than from each of the VNFs individually. The connectivity information is then used to send packets, by the gateway to a VNF, for processing. The packets are sent using three layers of networking: an underlay physical network, an overlay logical network, and a second overlay logical network.

Abstract: Example methods and systems for uplink-aware logical overlay tunnel monitoring are described. In one example, a first computer system may establish a logical overlay tunnel with a second computer system. The first computer system may generate and send, over the logical overlay tunnel via the first uplink, a first encapsulated monitoring packet identifying the first uplink. Based on a first reply, first performance metric information associated with the first uplink may be determined. The first computer system may generate and send, over the logical overlay tunnel via the second uplink, a second encapsulated monitoring packet identifying the second uplink. Based on a second reply, second performance metric information associated with the second uplink may be determined. Based on the first performance metric information and the second performance metric information, the first uplink or the second uplink may be selected to send encapsulated data packet(s) over the logical overlay tunnel.

Abstract: Some embodiments provide a method for providing redundancy and fast convergence for modules operating in a network. The method configures modules to use a same anycast inner IP address, anycast MAC address, and to associate with a same anycast VTEP IP address. In some embodiments, the modules are operating in an active-active mode and all nodes running modules advertise the anycast VTEP IP addresses with equal local preference. In some embodiments, modules are operating in active-standby mode and the node running the active module advertises the anycast VTEP IP address with higher local preference.

Abstract: Some embodiments provide a method for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network. The method receives a data message at the gateway device. To process the data message, the method executes a set of processing stages that includes a processing stage for a particular logical router. As part of the processing stage for the particular logical router, the method (i) uses an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router and (ii) only when the data message is subject to rate limiting controls, determines whether to allow the data message according to a rate limiting mechanism for the particular logical router.

Abstract: The present disclosure provides an approach for scaling the number of VNFs in a data center without scaling the number of control sessions between VNFs and a data center gateway. The approach includes opening a session between a VNF and a route server, rather than between the VNF and the gateway, when the VNF needs to send its connectivity information to the gateway. The VNF sends its connectivity information to the route server, and the route server forwards the connectivity information to the gateway. The gateway receives connectivity information of a plurality of VNFs in the data center from the route server rather than from each of the VNFs individually. The connectivity information is then used to send packets, by the gateway to a VNF, for processing. The packets are sent using three layers of networking: an underlay physical network, an overlay logical network, and a second overlay logical network.

Abstract: A network system that implements quality of service (QoS) by rate limiting at a logical network entity is provided. The logical network entity includes multiple transport nodes for transporting network traffic in and out of the logical network entity. The system monitors traffic loads of the multiple transport nodes of the logical network entity. The system allocates a local CR and a local BS to each of the multiple transport nodes. The allocated local CR and the local BS are determined based on the CR and BS parameters of the logical network entity and based on the monitored traffic loads. Each transport node of the logical network entity in turn controls an amount of data being processed by the transport node based on a token bucket value that is computed based on the local CR and the local BS of the transport node.

Abstract: Some embodiments of the invention provide a novel network architecture for advertising routes in an availability zone (AZ). The novel network architecture includes a set of route servers for receiving advertisements of network addresses as being available in the AZ from different routers in the AZ. The novel network architecture also includes multiple host computers that each execute a router that (i) identifies network addresses available on the host computer, (ii) sends advertisements of the identified network addresses to the set of route servers, and (iii) receives advertisements from the set of route servers regarding network addresses available on other host computers. The identified network addresses, in some embodiments, include at least one of network addresses associated with data compute nodes (DCNs) and network addresses associated with services available at the host computer. The route servers advertise the received network addresses to other routers in the AZ.

Abstract: The technology disclosed herein enables remote gateways to quickly re-learn MAC addresses of workloads for a gateway that has taken over for another gateway. In a particular embodiment, a method provides determining that a backup gateway should begin handling communications exchanged with one or more workloads of an active gateway for a logical network. The method further provides transferring a control message to one or more remote gateways in communication with the backup gateway. The control message instructs the remote gateways to change MAC addresses learned from, and associated with, the active gateway to being associated with the backup gateway. The method also provides, in the backup gateway, receiving network communications directed to one or more of the workloads from one or more of the remote gateways.

Abstract: In some embodiments, a method inserts, by a first computing device, a first value for a capability in a first message that is used in a process to automatically exchange capability values with a second computing device. The first value for the capability indicates the first computing device requires a default route to reach the second computing device as a next hop for sending a packet to a destination. The first computing device sends the first message to the second computing device; and receives a second value for the capability in a second message from the second computing device. The second value indicating the second computing device will send the default route to reach the second computing device. When the default route is received from the second computing device, the first computing device stores the default route from the second computing device in a route table.

Abstract: Some embodiments provide a method for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network. The method receives a data message at the gateway device. To process the data message, the method executes a set of processing stages that includes a processing stage for a particular logical router. As part of the processing stage for the particular logical router, the method (i) uses an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router and (ii) only when the data message is subject to rate limiting controls, determines whether to allow the data message according to a rate limiting mechanism for the particular logical router.

Abstract: In some embodiments, a method inserts, by a first computing device, a first value for a capability in a first message that is used in a process to automatically exchange capability values with a second computing device. The first value for the capability indicates the first computing device requires a default route to reach the second computing device as a next hop for sending a packet to a destination. The first computing device sends the first message to the second computing device; and receives a second value for the capability in a second message from the second computing device. The second value indicating the second computing device will send the default route to reach the second computing device. When the default route is received from the second computing device, the first computing device stores the default route from the second computing device in a route table.

Abstract: Some embodiments of the invention provide a novel network architecture for advertising routes in an availability zone (e.g., a datacenter providing a set of hardware resources). The novel network architecture, in some embodiments, also provides a set of distributed services at the edge of a virtual private cloud (VPC) implemented in the availability zone (e.g., using the hardware resources of a datacenter) at a set of host computers in the AZ. The novel network architecture includes a set of route servers for receiving advertisements of network addresses (e.g., internet protocol (IP) addresses) as being available in the availability zone (AZ) from different routers in the AZ. The route servers also advertise the received network addresses to other routers in the AZ. In some embodiments, the other routers include routers executing on host computers in the AZ and gateway devices of the availability zone.