Abstract: The technology disclosed herein enables micro-segmentation of virtual computing elements. In a particular embodiment, a method provides identifying one or more multi-tier applications comprising a plurality of virtual machines. Each application tier of the one or more multi-tier applications comprises at least one of the plurality of virtual machines. The method further provides maintaining information about the one or more multi-tier applications. The information at least indicates a security group for each virtual machine of the plurality of virtual machines. Additionally, the method provides identifying communication traffic flows between virtual machines of the plurality of virtual machines and identifying one or more removable traffic flows of the communication traffic flows based, at least in part, on the information. The method then provides blocking the one or more removable traffic flows.

Abstract: Methods and apparatus for application and/or context-based management of virtual networks using customizable workflows are disclosed. An example apparatus includes a context engine to monitor data traffic from a virtual machine in a data plane of a virtual network to capture context information to identify an application executing on the virtual machine; and a policy manager to receive the context information to instantiate an application entity corresponding to the application in a policy plane of the virtual network and to generate a policy associated with the application entity in the policy plane of the virtual network, the policy and the application entity enabling monitoring and management of the application via the policy plane.

Abstract: The technology disclosed herein enables micro-segmentation of virtual computing elements. In a particular embodiment, a method provides identifying one or more multi-tier applications comprising a plurality of virtual machines. Each application tier of the one or more multi-tier applications comprises at least one of the plurality of virtual machines. The method further provides maintaining information about the one or more multi-tier applications. The information at least indicates a security group for each virtual machine of the plurality of virtual machines. Additionally, the method provides identifying communication traffic flows between virtual machines of the plurality of virtual machines and identifying one or more removable traffic flows of the communication traffic flows based, at least in part, on the information. The method then provides blocking the one or more removable traffic flows.

Abstract: The technology disclosed herein enables micro-segmentation of virtual computing elements. In a particular embodiment, a method provides identifying one or more multi-tier applications comprising a plurality of virtual machines. Each application tier of the one or more multi-tier applications comprises at least one of the plurality of virtual machines. The method further provides maintaining information about the one or more multi-tier applications. The information at least indicates a security group for each virtual machine of the plurality of virtual machines. Additionally, the method provides identifying communication traffic flows between virtual machines of the plurality of virtual machines and identifying one or more removable traffic flows of the communication traffic flows based, at least in part, on the information. The method then provides blocking the one or more removable traffic flows.

Abstract: Methods and apparatus for application and/or context-based management of virtual networks using customizable workflows are disclosed. An example apparatus includes a context engine to monitor data traffic from a virtual machine in a data plane of a virtual network to capture context information to identify an application executing on the virtual machine; and a policy manager to receive the context information to instantiate an application entity corresponding to the application in a policy plane of the virtual network and to generate a policy associated with the application entity in the policy plane of the virtual network, the policy and the application entity enabling monitoring and management of the application via the policy plane.

Abstract: Some embodiments provide a novel method for configuring a set of service one or more nodes on a host to perform context-rich, attribute-based services on the host computer, which executes several data compute nodes (DCNs) in addition to the set of service nodes. The method uses a context-filtering node on the host to collect a first set of attributes associated with service rules processed by the set of service nodes on the host computer. The context filter also collects a second set of attributes associated with at least one data message flow of a DCN (e.g., of a virtual machine (VM) or container) executing on the host. After collecting the first and second sets of attributes, the context filtering node on the host compares the first and second sets of attributes to generate a service tag to represent a subset of the first set of attributes associated with the data message flow. The method associates this service tag with the data message flow.

Abstract: Methods and apparatus for application and/or context-based management of virtual networks using customizable workflows are disclosed. An example apparatus includes a context engine to monitor data traffic from a virtual machine in a data plane of a virtual network to capture context information to identify an application executing on the virtual machine; and a policy manager to receive the context information to instantiate an application entity corresponding to the application in a policy plane of the virtual network and to generate a policy associated with the application entity in the policy plane of the virtual network, the policy and the application entity enabling monitoring and management of the application via the policy plane.

Abstract: A method of providing security for containers executing on a physical host machine is provided. The method receives a notification of a file access request. The notification includes a path in a file system of the host machine being accessed by a process. From the path, the method determines whether the file access event is for accessing a location in the file system to which container file systems are mapped. The method identifies a namespace of the process using the identification of the process included in the file path. The method determines the process is a container when the namespace belongs to a service that is used to implement containers on the host machine. The method sends the identifier of the container, the identification of a VM executing the container, and the file path to a set of security applications to determine whether the file access request to be allowed.

Abstract: Some embodiments provide a novel method for performing a service at a host computer that executes data compute nodes (DCNs). For a data message, the method identifies a service tag and a set of attributes associated with the service tag. The method then uses the identified set of attributes to identify a service rule, and performs a service on the data message based on the identified service rule.

Abstract: The technology disclosed herein enables identification of multi-tiered applications in virtual computing elements. In a particular embodiment, a method provides identifying a plurality of guest elements executing on one or more host computing systems for a virtual computing environment and categorizing each of the plurality of guest elements into a tier group of a plurality of tier groups. The method further provides monitoring communication traffic between the plurality of guest elements and determining a multi-tiered application for each of the plurality of guest elements based on the communication traffic.

Abstract: The technology disclosed herein enables identification of multi-tiered applications in virtual computing elements. In a particular embodiment, a method provides identifying a plurality of guest elements executing on one or more host computing systems for a virtual computing environment and categorizing each of the plurality of guest elements into a tier group of a plurality of tier groups. The method further provides monitoring communication traffic between the plurality of guest elements and determining a multi-tiered application for each of the plurality of guest elements based on the communication traffic.

Abstract: A method of providing security for containers executing on a physical host machine is provided. The method receives a notification of a file access request. The notification includes a path in a file system of the host machine being accessed by a process. From the path, the method determines whether the file access event is for accessing a location in the file system to which container file systems are mapped. The method identifies a namespace of the process using the identification of the process included in the file path. The method determines the process is a container when the namespace belongs to a service that is used to implement containers on the host machine. The method sends the identifier of the container, the identification of a VM executing the container, and the file path to a set of security applications to determine whether the file access request to be allowed.

Abstract: Methods and apparatus for application and/or context-based management of virtual networks using customizable workflows are disclosed. An example apparatus includes a context engine to monitor data traffic from a virtual machine in a data plane of a virtual network to capture context information to identify an application executing on the virtual machine; and a policy manager to receive the context information to instantiate an application entity corresponding to the application in a policy plane of the virtual network and to generate a policy associated with the application entity in the policy plane of the virtual network, the policy and the application entity enabling monitoring and management of the application via the policy plane.

Abstract: The technology disclosed herein enables micro-segmentation of virtual computing elements. In a particular embodiment, a method provides identifying one or more multi-tier applications comprising a plurality of virtual machines. Each application tier of the one or more multi-tier applications comprises at least one of the plurality of virtual machines. The method further provides maintaining information about the one or more multi-tier applications. The information at least indicates a security group for each virtual machine of the plurality of virtual machines. Additionally, the method provides identifying communication traffic flows between virtual machines of the plurality of virtual machines and identifying one or more removable traffic flows of the communication traffic flows based, at least in part, on the information. The method then provides blocking the one or more removable traffic flows.

Abstract: Some embodiments provide a novel method for configuring a set of service one or more nodes on a host to perform context-rich, attribute-based services on the host computer, which executes several data compute nodes (DCNs) in addition to the set of service nodes. The method uses a context-filtering node on the host to collect a first set of attributes associated with service rules processed by the set of service nodes on the host computer. The context filter also collects a second set of attributes associated with at least one data message flow of a DCN (e.g., of a virtual machine (VM) or container) executing on the host. After collecting the first and second sets of attributes, the context filtering node on the host compares the first and second sets of attributes to generate a service tag to represent a subset of the first set of attributes associated with the data message flow. The method associates this service tag with the data message flow.

Abstract: Some embodiments provide a novel method for performing a service at a host computer that executes data compute nodes (DCNs). For a data message, the method identifies a service tag and a set of attributes associated with the service tag. The method then uses the identified set of attributes to identify a service rule, and performs a service on the data message based on the identified service rule.

Abstract: A computer-implemented method for selecting file-recall modes based on environmental properties may include (1) intercepting a request to recall a file from a secondary storage system to a primary storage system, (2) identifying a value of a dynamic environmental property associated with the file that may negatively impact performance of a mode of recalling the file from the secondary storage system to the primary storage system, (3) identifying a policy that comprises criteria for selecting an appropriate recall mode for recalling the file from the secondary storage system to the primary storage system, (4) adaptively selecting, by applying the policy to the value of the dynamic environmental property, a recall mode for recalling the file, and (5) recalling the file from the secondary storage system to the primary storage system using the selected recall mode. Various additional methods, systems, and configured computer-readable-storage media are also disclosed.

Abstract: A computer-implemented method may include establishing a proxy file system that facilitates file archiving for a primary file system that does not support file archiving. The computer-implemented method may also include identifying a request to archive a file stored in a primary file system and copying the file to an archive file system such that a reference to the file is created in the proxy file system. The computer-implemented method may further include replacing the file in the primary file system with a symbolic link that identifies the reference in the proxy file system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for selecting file-recall modes based on environmental properties may include: 1) identifying a request to recall a file from a secondary storage system to a primary storage system, 2) identifying at least one environmental property associated with the file, 3) selecting, based at least in part on the identified environmental property, a recall mode for recalling the file, and then 4) recalling the file from the secondary storage system to the primary storage system using the selected recall mode. Various additional methods, systems, and configured computer-readable-storage media are also disclosed.

Abstract: A computer-implemented method for using data archiving to expedite server migration may include: 1) archiving data from at least one source computing system to an archiving system in accordance with an archiving policy, 2) altering metadata associated with the archived data on the archiving system so that the metadata references a desired target computing system instead of the source computing system, and then, upon bringing the target computing system online, 3) restoring at least a portion of the archived data from the archiving system to the target computing system. Various other methods, systems, and configured computer-readable media are also disclosed.