Abstract: Some embodiments provide a method that allows a first data compute node (DCN) to forward outgoing traffic to a second DCN directly in spite of receiving the incoming traffic from the second DCN through a load balancer. That is, the return traffic's network path from the first DCN (e.g., a server machine) to the second DCN (e.g., a client machine) bypasses the load balancer, even though a request that initiated the return traffic is received through the load balancer. The load balancer receives a connection session request from a client machine to connect to a server. It identifies a set of parameters for the connection session and after selecting a server for the connection, passes the identified set of parameters to a host machine that executes the server. The server establishes the connection session directly with the client machine based on the identified set of parameters.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method that better supports the provision of certain network applications and/or services. The method receives at a host implementing (1) a distributed logical router and (2) a plurality of logical switches of a logical network along with other hosts, a message from a first data compute node (DCN) executing on the host. The host logically forwards the message to the distributed logical router that uses a particular anycast internet protocol (IP) address using a first media access control (MAC) address. The distributed router determines that the message requires processing by a centralized logical router (e.g., a service router, edge node, etc.) executing on an edge node host and forwards the message to the centralized logical router using the same anycast IP address and a second, unique MAC address.

Abstract: For a network including multiple host machines that each execute a number of network functions some embodiments provide a method for the network functions to advertise the availability of the network function and network addresses (e.g., internet protocol (IP) addresses) associated with the network functions to the other network functions using application programming interfaces (APIs). In some embodiments, non-routing network functions advertise their availability and/or network addresses associated with the network function to a routing network function (e.g., a routing network function that is part of a service router) for the routing network function to advertise to other network elements (e.g. other routing elements or other network functions that need to reach the advertising network function). These advertisements, in some embodiments, are part of participation in a dynamic routing protocol.

Abstract: Some embodiments provide a method for providing metadata proxy services to different data compute nodes that are associated with different logical networks (e.g., for different tenants of a datacenter). When a data compute node (DCN) is instantiated (i.e., starts executing) in a host machine, the DCN requests for metadata associated with the DCN from a metadata server. The requested metadata includes identification and configuration data (e.g., name and description, amount of virtual memory, number of allocated virtual CPUs, etc.) for the DCN. Each DCN generates and sends out a metadata request packet after an IP address is assigned to the DCN (e.g., by a DHCP server). In some embodiments, a metadata proxy server (1) receives the metadata request packets that are sent by different DCNs associated with different logical networks, (2) adds logical network identification data to the packets, and (3) forwards the packets to a metadata server.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method that better supports the provision of certain network applications and/or services. The method receives at a host implementing (1) a distributed logical router and (2) a plurality of logical switches of a logical network along with other hosts, a message from a first data compute node (DCN) executing on the host. The host logically forwards the message to the distributed logical router that uses a particular anycast internet protocol (IP) address using a first media access control (MAC) address. The distributed router determines that the message requires processing by a centralized logical router (e.g., a service router, edge node, etc.) executing on an edge node host and forwards the message to the centralized logical router using the same anycast IP address and a second, unique MAC address.

Abstract: For a network including multiple host machines that each execute a number of network functions some embodiments provide a method for the network functions to advertise the availability of the network function and network addresses (e.g., internet protocol (IP) addresses) associated with the network functions to the other network functions using application programming interfaces (APIs). In some embodiments, non-routing network functions advertise their availability and/or network addresses associated with the network function to a routing network function (e.g., a routing network function that is part of a service router) for the routing network function to advertise to other network elements (e.g. other routing elements or other network functions that need to reach the advertising network function). These advertisements, in some embodiments, are part of participation in a dynamic routing protocol.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method that better supports the provision of certain network applications and/or services. The method receives at a host implementing (1) a distributed logical router and (2) a plurality of logical switches of a logical network along with other hosts, a message from a first data compute node (DCN) executing on the host. The host logically forwards the message to the distributed logical router that uses a particular anycast internet protocol (IP) address using a first media access control (MAC) address. The distributed router determines that the message requires processing by a centralized logical router (e.g., a service router, edge node, etc.) executing on an edge node host and forwards the message to the centralized logical router using the same anycast IP address and a second, unique MAC address.

Abstract: Some embodiments provide a method that allows a first data compute node (DCN) to forward outgoing traffic to a second DCN directly in spite of receiving the incoming traffic from the second DCN through a load balancer. That is, the return traffic's network path from the first DCN to the second DCN bypasses the load balancer, even though a request that initiated the return traffic is received through the load balancer. The method receives a first data message from a load balancer to be sent to a DCN. After identifying a particular address embedded in the data message by the load balancer, the method generates a table entry, based on source and destination addresses of the data message and the identified address. This entry is used for modifying a source address of a subsequent data message received from the DCN in response to the data message.

Abstract: For a managed network, some embodiments provide a method for a set of service nodes in an active-active service node cluster in conjunction with a host computer hosting a destination data compute node (DCN) to improve the efficiency of directing a data message to a service node storing state information for the flow to which the data message belongs. a first service node receives a data message in a particular data message flow for which it does not maintain state information. The first service node then identifies a second service node to process the data message and forwards the data message to the second service node. The second service node sends state information for the particular data message flow to the first service node, for the first service node to use to process subsequent data messages in the particular data message flow.

Abstract: For a managed network, some embodiments provide a method for a set of service nodes in an active-active service node cluster in conjunction with a host computer hosting a destination data compute node (DCN) to improve the efficiency of directing a return data message to a service node storing state information for the flow to which the data message belongs. A primary service node in some embodiments receives a data message in a particular data message flow addressed to a destination DCN, performs a service on the data message and forwards the data message, along with information identifying the primary service node, to a host computer on which the destination DCN executes. The host computer generates an entry in a reverse forwarding table including identifying information for the particular data message flow and the primary service node to use to forward data messages in the particular data message flow to the primary service node.

Abstract: For a managed network, some embodiments provide a method for a set of service nodes in an active-active service node cluster in conjunction with a host computer hosting a destination data compute node (DCN) to improve the efficiency of directing a data message to a service node storing state information for the flow to which the data message belongs. a first service node receives a data message in a particular data message flow for which it does not maintain state information. The first service node then identifies a second service node to process the data message and forwards the data message to the second service node. The second service node sends state information for the particular data message flow to the first service node, for the first service node to use to process subsequent data messages in the particular data message flow.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method that better supports the provision of certain network applications and/or services. The method receives at a host implementing (1) a distributed logical router and (2) a plurality of logical switches of a logical network along with other hosts, a message from a first data compute node (DCN) executing on the host. The host logically forwards the message to the distributed logical router that uses a particular anycast internet protocol (IP) address using a first media access control (MAC) address. The distributed router determines that the message requires processing by a centralized logical router (e.g., a service router, edge node, etc.) executing on an edge node host and forwards the message to the centralized logical router using the same anycast IP address and a second, unique MAC address.

Abstract: For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method that better supports the provision of certain network applications and/or services. The method receives at a host implementing (1) a distributed logical router and (2) a plurality of logical switches of a logical network along with other hosts, a message from a first data compute node (DCN) executing on the host. The host logically forwards the message to the distributed logical router that uses a particular anycast internet protocol (IP) address using a first media access control (MAC) address. The distributed router determines that the message requires processing by a centralized logical router (e.g., a service router, edge node, etc.) executing on an edge node host and forwards the message to the centralized logical router using the same anycast IP address and a second, unique MAC address.

Abstract: The technology disclosed herein enables a dynamic chain of virtual service functions for processing network traffic in a virtual computing environment. In a particular embodiment, a method includes providing a service chain policy to a virtual routing element connecting the respective service functions and determining an initial classification of a network packet entering the dynamic service chain. The initial classification indicates at least a first service function in a sequence of the service functions for processing the network packet. The method further includes providing a service chain policy to a virtual routing element connecting the respective service functions.

Abstract: Some embodiments provide a method that allows a first data compute node (DCN) to forward outgoing traffic to a second DCN directly in spite of receiving the incoming traffic from the second DCN through a load balancer. That is, the return traffic's network path from the first DCN to the second DCN bypasses the load balancer, even though a request that initiated the return traffic is received through the load balancer. The method receives a first data message from a load balancer to be sent to a DCN. After identifying a particular address embedded in the data message by the load balancer, the method generates a table entry, based on source and destination addresses of the data message and the identified address. This entry is used for modifying a source address of a subsequent data message received from the DCN in response to the data message.

Abstract: Some embodiments provide a method that allows a first data compute node (DCN) to forward outgoing traffic to a second DCN directly in spite of receiving the incoming traffic from the second DCN through a load balancer. That is, the return traffic's network path from the first DCN (e.g., a server machine) to the second DCN (e.g., a client machine) bypasses the load balancer, even though a request that initiated the return traffic is received through the load balancer. The load balancer receives a connection session request from a client machine to connect to a server. It identifies a set of parameters for the connection session and after selecting a server for the connection, passes the identified set of parameters to a host machine that executes the server. The server establishes the connection session directly with the client machine based on the identified set of parameters.

Abstract: Some embodiments provide a method for providing dynamic host configuration protocol (DHCP) services to different data compute nodes (e.g., virtual machines) that belong to different logical networks (e.g., for different tenants in a datacenter). In some embodiments, the method inserts a logical network identifier (LNI) value to each DHCP packet and forwards the packet to a DHCP server module for processing the DHCP request. Based on the LNI value, the DHCP server of some embodiments identifies the logical network from which the DHCP packet is received. The DHCP server then provides the requested DHCP service (e.g., assigning an IP address to a data compute node that has originated the DHCP packet, assigning a domain name, etc.) according to a DHCP service configuration for the identified logical network.

Abstract: Some embodiments provide a method for providing metadata proxy services to different data compute nodes that are associated with different logical networks (e.g., for different tenants of a datacenter). When a data compute node (DCN) is instantiated (i.e., starts executing) in a host machine, the DCN requests for metadata associated with the DCN from a metadata server. The requested metadata includes identification and configuration data (e.g., name and description, amount of virtual memory, number of allocated virtual CPUs, etc.) for the DCN. Each DCN generates and sends out a metadata request packet after an IP address is assigned to the DCN (e.g., by a DHCP server). In some embodiments, a metadata proxy server (1) receives the metadata request packets that are sent by different DCNs associated with different logical networks, (2) adds logical network identification data to the packets, and (3) forwards the packets to a metadata server.

Abstract: Techniques for protecting against denial of service attacks are provided. In one embodiment, a network device can extract one or more values from a Transmission Control Protocol (TCP) ACK packet sent by a client device, where the one or more values encode TCP option information. The network device can further decode the one or more values to determine the TCP option information and embed the TCP option information into the TCP ACK packet. The network device can then forward the TCP ACK packet with the embedded TCP option information to a server.

Abstract: A network device includes a plurality of blades, each having a plurality of CPU cores that process requests received by the network device. Each blade further includes an accumulator circuit. Each accumulator circuit periodically aggregates the local counter values of the CPU cores of the corresponding blade. One accumulator circuit is designated as a master, and the other accumulator circuit(s) are designated as slave(s). The slave accumulator circuits transmit their aggregated local counter values to the master accumulator circuit. The master accumulator circuit aggregates the sets of aggregated local counter values to create a set of global counter values. The master accumulator circuit transmits the global counter values to a management processor (for display), to the CPU cores located on its corresponding blade, and to each of the slave accumulator circuits. Each slave accumulator circuit then transmits the global counter values to the CPU cores located on its corresponding blade.