Abstract: Techniques for tracking compute capacity of a scalable application service platform to perform dynamic bandwidth allocation for data flows associated with applications hosted by the service platform are disclosed. Some of the techniques may include allocating a first amount of bandwidth of a physical underlay of a network for data flows associated with an application. The techniques may also include receiving, from a scalable application service hosting the application, an indication of an amount of computing resources of the scalable application service that are allocated to host the application. Based at least in part on the indications, a second amount of bandwidth of the physical underlay to allocate for the data flows may be determined. The techniques may also include allocating the second amount of bandwidth of the physical underlay of the network for the data flows associated with the application.

Abstract: Techniques for using application network requirements and/or telemetry information from a first networking technology to enhance operation of a second networking technology and optimize wide area network traffic are described herein. The techniques may include establishing a communication network for use by applications of a scalable application service platform, the communication network including a first networking technology and a second networking technology. In this way, a request to establish a connection for use by an application may be received by the first networking technology. The request may include an indication of a threshold service level of the connection. In response to the request, the first networking technology may determine whether the second networking technology is capable of hosting the connection.

Abstract: Techniques for using proxies with overprovisioned IP addresses to demultiplex data flows, which may otherwise look the same at L7, into multiple subflows for L3 policy enforcement without having to modify an underlying L3 network. The techniques may include establishing a subflow through a network between a first proxy and a second proxy, the subflow associated with a specific policy. In some examples, the first proxy node may receive an encrypted packet that is to be sent through the network and determine, based at least in part on accessing an encrypted application layer of the packet, a specific application to which the packet is to be sent. The first proxy node may then alter an IP address included in the packet to cause the packet to be sent through the network via the subflow such that the packet is handled according to the specific policy.

Abstract: Techniques for automating traffic optimizations for egress traffic of an application orchestration system that is being sent over a network to a remote service. In examples, the techniques may include receiving, at a controller of the network, an egress traffic definition associated with egress traffic of an application hosted on the application orchestration system, the egress traffic definition indicating that the egress traffic is to be sent to the remote service. Based at least in part on the egress traffic definition, the controller may determine a networking path through the network or outside of the network that is optimized for sending the egress traffic to the remote service. The controller may also cause the egress traffic to be sent to the remote service via the optimized networking path.

Abstract: In one embodiment, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.

Abstract: In one embodiment, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.

Abstract: A method includes generating, by an internal segmentation orchestrator, a key to cipher/decipher a cryptographic segmentation tag used by an untrusted device, transmitting the key to an external segmentation orchestrator, transmitting the cryptographic segmentation tag to the external segmentation orchestrator and provisioning a trusted network edge with the key and optionally the cryptographic segmentation tag. The method can also include onboarding, based on the key and the cryptographic segmentation tag, the untrusted device, wherein the untrusted device receives the cryptographic segmentation tag from the external segmentation orchestrator.

Abstract: Techniques for using application network requirements and/or telemetry information from a first networking technology to enhance operation of a second networking technology and optimize wide area network traffic are described herein. The techniques may include establishing a communication network for use by applications of a scalable application service platform, the communication network including a first networking technology and a second networking technology. In this way, a request to establish a connection for use by an application may be received by the first networking technology. The request may include an indication of a threshold service level of the connection. In response to the request, the first networking technology may determine whether the second networking technology is capable of hosting the connection.

Abstract: Techniques for tracking compute capacity of a scalable application service platform to perform dynamic bandwidth allocation for data flows associated with applications hosted by the service platform are disclosed. Some of the techniques may include allocating a first amount of bandwidth of a physical underlay of a network for data flows associated with an application. The techniques may also include receiving, from a scalable application service hosting the application, an indication of an amount of computing resources of the scalable application service that are allocated to host the application. Based at least in part on the indications, a second amount of bandwidth of the physical underlay to allocate for the data flows may be determined. The techniques may also include allocating the second amount of bandwidth of the physical underlay of the network for the data flows associated with the application.

Abstract: The present technology pertains to a system and method for extending enterprise networks' trusted policy frameworks to cloud-native applications. The present technology comprises sending, by an enterprise network controller, a first communication to a service mesh orchestrator for a service mesh, wherein the first communication informs the service mesh orchestrator of traffic segmentation policies to be applied to traffic originating at an enterprise network and of layer 7 extension headers which correspond to the enterprise network traffic segmentation policies.

Abstract: In one embodiment, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.

Abstract: A method includes generating, by an internal segmentation orchestrator, a key to cipher/decipher a cryptographic segmentation tag used by an untrusted device, transmitting the key to an external segmentation orchestrator, transmitting the cryptographic segmentation tag to the external segmentation orchestrator and provisioning a trusted network edge with the key and optionally the cryptographic segmentation tag. The method can also include onboarding, based on the key and the cryptographic segmentation tag, the untrusted device, wherein the untrusted device receives the cryptographic segmentation tag from the external segmentation orchestrator.

Abstract: The present technology pertains to a system and method for extending enterprise networks' trusted policy frameworks to cloud-native applications. The present technology comprises sending, by an enterprise network controller, a first communication to a service mesh orchestrator for a service mesh, wherein the first communication informs the service mesh orchestrator of traffic segmentation policies to be applied to traffic originating at an enterprise network and of layer 7 extension headers which correspond to the enterprise network traffic segmentation policies.

Abstract: Techniques are provided for a network mapping server device in a network to receive a connection upgrade message comprising information to establish a first data flow from a first endpoint that does not support multiple subflows for the first data flow according to a multipath protocol, where multiple subflows subdivide the first data flow across two or more network paths. The information in the connection upgrade message is analyzed in order to resolve network connectivity to determine potential network connections for at least two subflows of the first data flow to a second endpoint. A response message is sent comprising information configured to establish at least two subflows for the first data flow between the first endpoint and the second endpoint.

Abstract: Techniques are provided for a network mapping server device in a network to receive a connection upgrade message comprising information to establish a first data flow from a first endpoint that does not support multiple subflows for the first data flow according to a multipath protocol, where multiple subflows subdivide the first data flow across two or more network paths. The information in the connection upgrade message is analyzed in order to resolve network connectivity to determine potential network connections for at least two subflows of the first data flow to a second endpoint. A response message is sent comprising information configured to establish at least two subflows for the first data flow between the first endpoint and the second endpoint.