Abstract: Methods are provided in which a domain name system (DNS) service obtains a lookup request for information about a source of a traffic flow being transmitted to a network resource external of a service cluster and performs, based on the lookup request, a lookup operation for a microservice that is the source of the traffic flow, among a plurality of microservices of the service cluster registered with the DNS service. The methods further include providing information about the microservice based on the lookup operation. The information includes at least a name of the microservice for visibility of the microservice external of the service cluster.

Abstract: In one embodiment, an access policy enforcement service receives a user authentication request from an end-user device. The access policy enforcement service identifies a telemetry collection intent from the user authentication request. The access policy enforcement service determines a monitoring policy based on the telemetry collection intent identified from the user authentication request. The access policy enforcement service configures, according to the monitoring policy, one or more telemetry collection agents to collect telemetry for traffic associated with the end-user device.

Abstract: Techniques for a low Earth orbit (LEO) satellite to route data through optimal satellite paths based on latency thresholds (and/or other QoS thresholds) for the application generating the data. The LEO satellite may identify the latency threshold from a data packet, where the latency threshold indicates an amount of time for the data packet to be relayed back down to a destination ground device. The LEO satellite determines available satellite paths through which data packets may be routed to destination ground stations. Further, the LEO satellite may determine latencies for transmitting traffic over the available satellite paths. The LEO satellite may compare the latency threshold for the data packet with the latencies of the available satellite paths, and select a satellite path that is optimal for transmitting the data packet. In this way, LEO satellites intelligently route data through satellite paths based on the type of traffic being transmitted.

Abstract: Provided herein are techniques to facilitate enhanced cloud access security broker (CASB) functionality via in-band application observability in which a CASB can be implemented in-line between the client device and an embedded application security service. In one instance, a method may include, obtaining, by a CASB from a client device, a first message for an application transaction involving an application operating via the client device. The first message can be augmented to include first security metadata and can be forwarded to trigger one or more actions by an embedded application security service associated with the application. The CASB may obtain a second message from the embedded application security service that includes second security metadata, and one or more actions can be triggered at the CASB based, at least in part, on the second security metadata included in the second message.

Abstract: A network controller deploys a first component and a second component to run concurrently on a network device. The second component is an upgraded version of the first component. The first component receives a first instance of a packet routed to the network device and has a timestamp and a first ID, and the second component receives a second instance of the packet routed to the network device and has the timestamp and a second ID. The network controller receives first functionality data for the first component and second functionality data for the second component from the network device. Based on the first functionality data and the second functionality data, the network controller determines whether to continue operating the first component or the second component on the network device.

Abstract: This disclosure describes techniques for predicting and accommodating for outages in a satellite network using crowdsourced data. An example method includes receiving outage data indicating first outages experienced by first endpoints in a first geographical region. The first outages, for instance, include interruptions in communication between first satellites and the first endpoints. The example method further includes predicting, based on the outage data, a second outage comprising an interruption in communication between at least one second satellite and a second endpoint in a second geographical region. Further, the example method includes causing the second endpoint to transmit user data over a secondary network in advance of the second outage.

Abstract: This disclosure describes techniques for tracking aircraft using a satellite network. An example method includes receiving ADS-B messages from multiple aircraft; determining that at least one of the ADS-B messages satisfies at least one condition; and in response to determining that at least one of the ADS-B messages satisfies the at least one condition, transmitting an alert. In some cases, a system transmits an instruction to perform the example method to at least one satellite and receives the alert.

Abstract: This disclosure describes techniques for complying with a data sovereignty policy of data routed through a satellite network. An example method includes identifying data comprising a data sovereignty label indicating a first geographical region; determining that a coverage region of a satellite includes a first ground station in the first geographical region; determining that coverage region excludes a second ground station in a second geographical region; and based on determining that the coverage area includes the first ground station and excludes the second ground station, transmitting the data to the satellite.

Abstract: Techniques for a TCP proxy to communicate over a LEO satellite network on behalf of a client device by selecting a TCP congestion-control algorithm that is optimal for the LEO satellite network based on the time of day and/or location of the TCP proxy. Based on the locations of satellites during the day as they traverse predefined and patterned orbital paths, different TCP congestion-control algorithms may be more optimized to communicate data through the LEO satellite network. However, client devices generally use a single TCP congestion-control algorithm to communicate over WAN networks. Accordingly, a TCP proxy may be inserted on, for example, a router to communicate with the client device using a TCP congestion-control algorithm that the client device is configured to use, but then communicate over the LEO satellite network using a different TCP congestion-control algorithm that is optimal based on the time of day and/or other factors.

Abstract: A method, computer system, and computer program product are provided for network risk analysis. A plurality of risk reports relating to a network device in a network are obtained, wherein each risk report is associated with a particular dimension of a plurality of dimensions of risk for the network device in the network. A count of the plurality of risk reports is determined for each dimension of the plurality of dimensions of risk. A regression model is applied to determine a risk value for the network device in the network based on the count of the plurality of risk reports for each dimension and based a role of the network device in the network.

Abstract: A network device has a first OS component, a second OS component is added to run concurrently with the first. The first OS component transmits routing information to the second OS component where it is stored in memory. The second OS component registers with a routing infrastructure to receive packets that are routed to the first OS component. A timestamp and a first ID are added to a first instance of a packet and transmitted to the first OS component. The timestamp and a second ID are added to a second instance of the packet and transmitted to the second OS component. First functionality data for the first OS component is transmitted to a controller. Second functionality data for the second OS component is transmitted to the controller. The first and second functionality data are compared to determine whether to replace the first OS component with the second OS component.

Abstract: In one embodiment, a method herein may comprise: determining, by a process, a disruptive activity within a particular computer network of a plurality of computer networks; determining, by the process, telemetry data for the particular computer network, the telemetry data being time-relevant to the disruptive activity; determining, by the process, a set of expected reactions that the particular computer network is expected to experience due to the disruptive activity in correlation to the telemetry data for the particular computer network; and sharing, from the process, the set of expected reactions with a management device of the particular computer network to cause the management device to distinguish between the set of expected reactions and any unexpected events during the disruptive activity.

Abstract: Methods are provided in which a domain name system (DNS) service obtains a lookup request for information about a source of a traffic flow being transmitted to a network resource external of a service cluster and performs, based on the lookup request, a lookup operation for a microservice that is the source of the traffic flow, among a plurality of microservices of the service cluster registered with the DNS service. The methods further include providing information about the microservice based on the lookup operation. The information includes at least a name of the microservice for visibility of the microservice external of the service cluster.

Abstract: Technologies for testing resiliency of a data network with real-world accuracy without affecting the flow of production data through the network. A method according to the technologies may include receiving a production data packet and determining a preferred data route toward a destination node for the production data packet based on a first routing information base, wherein the first routing information base includes a database where routes and route metadata are stored according to a routing protocol. The method may also include, receiving a test data packet, and determining an alternate data route toward the destination node for the test data packet based on a second routing information base, wherein the second routing information base simulates an error in the preferred data route. The method may include sending the production data packet to the preferred data route and sending the test data packet to the alternate data route.

Abstract: Techniques are provided for an “on demand” or event-triggered end user monitoring/remote user monitoring (EUM/RUM) solution that is activated when the user has requested it, or an event (conditions of which are set by a user) occurs that triggers activation of the EUM/RUM solution. This EUM/RUM may be completely integrated into an enterprise IT Help Desk system, whereby support “tickets” are automatically generated when the monitoring solution is instantiated.

Abstract: Systems, methods, and computer-readable media are disclosed for proactively and adaptively rerouting data to a healthier path through network, as part of flow provisioning, based on environmental variables associated with devices in the network. The present technology includes identifying a routing path for forwarding traffic flows in a network, receiving diagnostic data of a routing device on the routing path. The diagnostic data include one or more environmental parameters associated with internal state and surroundings of the routing device. Further, the present technology includes comparing the diagnostic data of the routing device with a predetermined threshold and modifying, prior to a failure of the routing device, the routing path to bypass the routing device for at least a portion of the traffic flows based on the comparison between the diagnostic data of the routing device and the predetermined threshold.

Abstract: Techniques for a TCP proxy to communicate over a LEO satellite network on behalf of a client device by selecting a TCP congestion-control algorithm that is optimal for the LEO satellite network based on the time of day and/or location of the TCP proxy. Based on the locations of satellites during the day as they traverse predefined and patterned orbital paths, different TCP congestion-control algorithms may be more optimized to communicate data through the LEO satellite network. However, client devices generally use a single TCP congestion-control algorithm to communicate over WAN networks. Accordingly, a TCP proxy may be inserted on, for example, a router to communicate with the client device using a TCP congestion-control algorithm that the client device is configured to use, but then communicate over the LEO satellite network using a different TCP congestion-control algorithm that is optimal based on the time of day and/or other factors.

Abstract: Methods and apparatuses for prioritizing transactions are disclosed. An example method of an application performance monitor (APM) comprises intercepting a first packet being transmitted in a network that is monitored by the APM; determining that the first packet is associated with a transaction of the web application that is to be provided with an alternate level of service; modifying a field in the first packet to include metadata interpretable by at least one network device in the network to cause the at least one network device to provide the alternate level of service; and injecting the first packet into the network. The APM may cause network devices to prioritize a specific transaction of an application based on importance.

Abstract: A method is provided that is performed using an application performance management agent running on an application and/or application microservices. The method comprises detecting a request to the application and/or application microservices for data, and inserting data compliance metadata into packet headers of packets that are to be sent in response to the request by the application and/or application microservices. The data compliance metadata comprises data-compliance markings associated with the data based on user/operator-defined data compliance requirements. The method further includes causing the packets to be sent into a network so that one or more network devices or services in the network can read the data compliance metadata and apply packet handling policies.

Abstract: Methods are provided to perform a name resolution triggered monitoring agent selection for full stack observability. The methods involve obtaining a name resolution request for an enterprise service to be accessed by an endpoint device. A plurality of service instances are configured to provide the enterprise service. The methods further involve determining, based on the name resolution request, a monitoring agent from a plurality of monitoring agents of a monitoring service that monitors performance of the enterprise service and selecting a service instance, from the plurality of service instances, that is associated with the monitoring agent in a name resolution record. The methods further involve providing, to the endpoint device, location information for accessing the service instance and provisioning the monitoring agent to monitor the performance of the enterprise service executed by the service instance for the endpoint device.