Abstract: Techniques for providing, to a resource on a private network of a service provider, access to a resource on a private network of a customer. Service to customer (S2C) resources deployed on a cloud infrastructure to facilitate the access. Whereas IP address ranges may overlap between private networks and/or private IP addresses may be used in one or more of the private networks, the S2C resources enable the data exchange between the private networks. For example, the S2C resources translate between IP addresses such that data within each private network uses IP addresses that can be properly processed by the private network.

Abstract: Techniques for disintermediating a network path between a source and a destination are described. In an example, the source sends a first packet destined to a destination. A network node on the network path between the source and the destination performs a network operation on this packet and generates a set of instructions indicating the network operation and parameters used for performing the network operations. This set of instructions is sent to the source as a flow update. When the source needs to send a second packet to the destination, the source applies the instructions to the second packet. As such, a similar network operation is performed on the second packet at the source, thereby avoiding the need to send the second packet on the same network path that includes the network node. Accordingly, the second packet is sent on a different network path that bypasses the network node.

Abstract: Techniques for disintermediating a network path between a source and a destination are described. In an example, the source sends a first packet destined to a destination. A network node on the network path between the source and the destination performs a network operation on this packet and generates a set of instructions indicating the network operation and parameters used for performing the network operations. This set of instructions is sent to the source as a flow update. When the source needs to send a second packet to the destination, the source applies the instructions to the second packet. As such, a similar network operation is performed on the second packet at the source, thereby avoiding the need to send the second packet on the same network path that includes the network node. Accordingly, the second packet is sent on a different network path that bypasses the network node.

Abstract: Techniques for disintermediating a network path between a source and a destination are described. In an example, the source sends a first packet destined to a destination. A network node on the network path between the source and the destination performs a network operation on this packet and generates a set of instructions indicating the network operation and parameters used for performing the network operations. This set of instructions is sent to the source as a flow update. When the source needs to send a second packet to the destination, the source applies the instructions to the second packet. As such, a similar network operation is performed on the second packet at the source, thereby avoiding the need to send the second packet on the same network path that includes the network node. Accordingly, the second packet is sent on a different network path that bypasses the network node.

Abstract: Techniques for loop prevention while allowing multipath in a virtual L2 network are described. In an example, a network virtualization device can generate a first L2 bridge protocol data unit by applying a first loop detection protocol specific to only the first port and the first host machine. The network virtualization device can transmit, to the first compute instance via the first port, a first frame that includes the first L2 BPDU. The network virtualization device can receive, from the first compute instance via the first port, a second frame. The network virtualization device can determine that the second frame comprises the first L2 BPDU. The network virtualization device can determine that a loop exists between the network virtualization device and the first compute instance based on the first loop detection protocol and the first L2 BPDU of the second frame.

Abstract: Techniques are disclosed for a smart network interface card (smartNIC) performing a unified logging process. In one example, an accelerator transmits a packet to a programming data plane of the smart network interface card. The programming data plane determines whether the packet is to be forwarded. In accordance with a determination that the packet is not be forwarded, the programming data plane modifies the packet to include an instruction that instructs the accelerator to log the packet and to not forward the packet. The programming data plane transmits the modified packet to the accelerator. The accelerator logs data associated with the modified packet to a unified log based at least in part on the instruction.

Abstract: Techniques are disclosed for scaling an IP address in overlay networks without using load balancers. In certain implementations, an overlay IP address can be attached to multiple compute instances via virtual network interface cards (VNICs) associated with the multiple compute instances. Traffic directed to the multi-attached IP address is distributed across the multiple compute instances. In some other implementations, ECMP techniques in overlay networks are used to scale an overlay IP address. In forwarding tables used for routing packets, the IP address being scaled is associated with multiple next hop paths to multiple network virtualization devices (NVDs) associated with the multiple compute instances. When a particular packet directed to the overlay IP address is to be routed, one of the multiple next hop paths is selected for routing the packet. This enables packets directed to the IP address to be distributed across the multiple compute instances.

Abstract: A novel overlay network DDOS mitigation system (ONDMS) is described for performing DDOS attack mitigation in a virtual network environment. Network traffic received by network resources in overlay networks is monitored. When a potential DDOS attack is detected, ONDMS may initiate a protected mode for a network resource. This may involve creating one or more shadow VNICs for the network resource being protected. While in protected mode, as a result of the one or more shadow VNICs, packets that would otherwise be received by the network resource being protected are instead redirected to one or more alternative destinations (e.g., to a DDOS scrubber system within ONDMS) that are configured to filter and analyze the packets and take appropriate mitigation actions, as needed. This protects the network resource being protected from the potential DDOS attack.

Abstract: Techniques are disclosed for a smart network interface card (smartNIC) performing a unified logging process. In one example, an accelerator of the smartNIC receives a packet that is a candidate for rejection, whereby the accelerator is configured to log traffic for authorized flows that are forwarded by the accelerator to another device. The accelerator transmits the packet to a programming data plane of the smartNIC for further processing. The programming data plane determines that the packet should not be forwarded by the smartNIC, and modifies the packet to include an instruction that instructs the accelerator to log the packet. The programming data plane then transmits the modified packet to the accelerator. Upon receiving the modified packet, the accelerator logs the packet to the unified log based on the instruction.

Abstract: Systems and methods for geometric based flow programming are disclosed herein. The method can include receiving at least one compiled rule at a first Network Virtualization Device (“NVD”), each of the at least one compiled rules can be applicable to a class of packets received by the first NVD for delivery to a Virtualized Network Interface Card (“VNIC”). The method can include receiving a first packet at the first NVD for delivery to a first VNIC, determining with the first NVD that a first rule of the at least one compiled rule is applicable to the first packet, and processing with the first NVD the first packet according to the first rule.

Abstract: Techniques are disclosed for providing high performant packets processing capabilities in a virtualized cloud environment that enhance the scalability and high availability of the packets processing infrastructure. In certain embodiments disclosed herein, the VNICs functionality performed by network virtualization devices (NVDs) is offloaded from the NVDs to a fleet of computers, referred to as VNIC-as-a-Service System (or VNICaaS system). VNICaaS system is configured to provide Virtual Network Interface Cards (VNICs)-related functionality or service for multiple compute instances belonging to multiple tenants or customers of the CSPI. The VNICaaS system is capable of hosting multiple VNICs to process and transmit traffic in a distributed virtualized cloud networks environment. A single VNIC executed by the VNICaaS system can be used to process packets received from multiple compute instances.

Abstract: Techniques for providing, to a resource on a private network of a service provider, access to a resource on a private network of a customer. Service to customer (S2C) resources deployed on a cloud infrastructure to facilitate the access. Whereas IP address ranges may overlap between private networks and/or private IP addresses may be used in one or more of the private networks, the S2C resources enable the data exchange between the private networks. For example, the S2C resources translate between IP addresses such that data within each private network uses IP addresses that can be properly processed by the private network.

Abstract: Techniques are disclosed for scaling an IP address in overlay networks without using load balancers. In certain implementations, an overlay IP address can be attached to multiple compute instances via virtual network interface cards (VNICs) associated with the multiple compute instances. Traffic directed to the multi-attached IP address is distributed across the multiple compute instances. In some other implementations, ECMP techniques in overlay networks are used to scale an overlay IP address. In forwarding tables used for routing packets, the IP address being scaled is associated with multiple next hop paths to multiple network virtualization devices (NVDs) associated with the multiple compute instances. When a particular packet directed to the overlay IP address is to be routed, one of the multiple next hop paths is selected for routing the packet. This enables packets directed to the IP address to be distributed across the multiple compute instances.

Abstract: Techniques for providing, to a resource on a private network of a service provider, access to a resource on a private network of a customer. Service to customer (S2C) resources deployed on a cloud infrastructure to facilitate the access. Whereas IP address ranges may overlap between private networks and/or private IP addresses may be used in one or more of the private networks, the S2C resources enable the data exchange between the private networks. For example, the S2C resources translate between IP addresses such that data within each private network uses IP addresses that can be properly processed by the private network.

Abstract: Techniques are disclosed for providing high performant packets processing capabilities in a virtualized cloud environment that enhance the scalability and high availability of the packets processing infrastructure. In certain embodiments disclosed herein, the VNICs functionality performed by network virtualization devices (NVDs) is offloaded from the NVDs to a fleet of computers, referred to as VNIC-as-a-Service System (or VNICaaS system). VNICaaS system is configured to provide Virtual Network Interface Cards (VNICs)-related functionality or service for multiple compute instances belonging to multiple tenants or customers of the CSPI. The VNICaaS system is capable of hosting multiple VNICs to process and transmit traffic in a distributed virtualized cloud networks environment. A single VNIC executed by the VNICaaS system can be used to process packets received from multiple compute instances.

Abstract: Techniques for loop prevention while allowing multipath in a virtual L2 network are described. In an example, a network virtualization device can generate a first L2 bridge protocol data unit by applying a first loop detection protocol specific to only the first port and the first host machine. The network virtualization device can transmit, to the first compute instance via the first port, a first frame that includes the first L2 BPDU. The network virtualization device can receive, from the first compute instance via the first port, a second frame. The network virtualization device can determine that the second frame comprises the first L2 BPDU. The network virtualization device can determine that a loop exists between the network virtualization device and the first compute instance based on the first loop detection protocol and the first L2 BPDU of the second frame.

Abstract: Techniques are disclosed for scaling an IP address in overlay networks without using load balancers. In certain implementations, an overlay IP address can be attached to multiple compute instances via virtual network interface cards (VNICs) associated with the multiple compute instances. Traffic directed to the multi-attached IP address is distributed across the multiple compute instances. In some other implementations, ECMP techniques in overlay networks are used to scale an overlay IP address. In forwarding tables used for routing packets, the IP address being scaled is associated with multiple next hop paths to multiple network virtualization devices (NVDs) associated with the multiple compute instances. When a particular packet directed to the overlay IP address is to be routed, one of the multiple next hop paths is selected for routing the packet. This enables packets directed to the IP address to be distributed across the multiple compute instances.

Abstract: Techniques for managing the distribution of configuration information that supports the flow of packets in a cloud environment are described. In an example, a virtual network interface card (VNIC) hosted on a network virtualization device NVD receives a first packet from a compute instance associated with the VNIC. The VNIC determines that flow information to send the first packet on a virtual network is unavailable from a memory of the NVD. The VNIC sends, via the NVD, the first packet to a network interface service, where the network interface service maintains configuration information to send packets on the substrate network and is configured to send the first packet on the substrate network based on the configuration information. The NVD receives the flow information from the network interface service, where the flow information is a subset of the configuration information. The NVD stores the flow information in the memory.

Abstract: Techniques for loop prevention while allowing multipath in a virtual Layer 2 (L2) network are described. In an example, a network interface card (NIC) supports the virtual L2 network. The NIC is configured to receive, via a first port of the NIC, an L2 frame that includes a source media access control (MAC) address and a destination MAC address. Based on a loop prevention rule, the NIC transmits the L2 frame via its ports except the first port. In an additional example, the NIC is further configured to send an L2 frame to a host via the first port of the NIC. The L2 frame can be a bridge protocol data unit (BPDU). Upon receiving a BPDU from the host via the first port, the NIC determines that the BPDU is looped back and disables the first port.

Abstract: Techniques are disclosed for providing high performant packets processing capabilities in a virtualized cloud environment that enhance the scalability and high availability of the packets processing infrastructure. In certain embodiments disclosed herein, the VNICs functionality performed by network virtualization devices (NVDs) is offloaded from the NVDs to a fleet of computers, referred to as VNIC-as-a-Service System (or VNICaaS system). VNICaaS system is configured to provide Virtual Network Interface Cards (VNICs)-related functionality or service for multiple compute instances belonging to multiple tenants or customers of the CSPI. The VNICaaS system is capable of hosting multiple VNICs to process and transmit traffic in a distributed virtualized cloud networks environment. A single VNIC executed by the VNICaaS system can be used to process packets received from multiple compute instances.