Abstract: Techniques are described for communications in an L2 virtual network. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Access control list (ACL) information applicable to the L2 port is sent to a network virtualization device that hosts the L2 virtual network interface.

Abstract: Techniques are described for communications in an L2 virtual network. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. IGMP configuration is distributed to the L2 virtual switches. A control plane of the L2 virtual network coordinates IGMP configuration across the L2 virtual switches.

Abstract: A cloud infrastructure orchestration service may maintain a service plan and manifest (SPAM) corresponding to a service to be bootstrapped (e.g., provisioned and deployed) to a cloud computing environment (e.g., to a data center). The service plan may specify a deterministic order of releases for performing a process to fully bootstrap the service using one or more build milestones and one or more execution units, each execution unit specifying ordered steps for transitioning between build milestones Each step may reference one or more execution target checkpoint transitions, which in turn reference an alias of a configuration file that defines a release. A manifest may be used to identify the configuration files and artifacts to be used by the releases and to validate the service plan. A SPAM may be used to reduce/eliminate nondeterministic behavior of previous orchestration systems and to provide visualizations of the bootstrapping process at different granularities.

Abstract: A variety of testing environments and techniques are disclosed. An orchestrator control plane may generate a build plan comprising a plurality of ordered steps for bootstrapping one or more services. The build plan may be generated based at least in part on one or more service plans and manifests that individually specify a deterministic process for bootstrapping a service. The orchestrator control plan may instruct a region orchestrator executing within an isolated testing environment to execute a test build of the one or more services according to the build plan. The region orchestrator may execute, as part of executing the test build, a subset of steps from the plurality of ordered steps of the build plan utilizing resources of the isolated testing environment and in an order identified by the build plan. At any suitable time, the isolated testing environment may be reset to enable subsequent test build executions.

Abstract: A cloud infrastructure orchestration service (CIOS) may track build progress made by any suitable number of regional orchestrators. An orchestrator control plane may be configured to generate a region build plan for bootstrapping a plurality of services within a data center. The orchestrator control plane may instruct a region orchestrator to execute a build according to the build plan. The region orchestrator may be configured to update an execution state corresponding to the execution of the region build plan as it executes steps of the ordered steps of the region build plan. At any suitable time (e.g., when executing one of the steps fails), intervention data may be received with which a new region build plan may be generated. The new region build plan may be used for subsequent execution of the region build. This may enable run-time corrections to be made.

Abstract: A secure private network connectivity system (SNCS) within a cloud service provider infrastructure (CSPI) is described that provides secure private network connectivity between external resources residing in a customer's on-premise environment and the customer's resources residing in the cloud. The SNCS provides secure private bi-directional network connectivity between external resources residing in a customer's external site representation and resources and services residing in the customer's VCN in the cloud without a user (e.g., an administrator) of the enterprise having to explicitly configure the external resources, advertise routes or set up site-to-site network connectivity.

Abstract: Techniques are described for communications in an L2 virtual network of a customer. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Information associated with the L2 virtual switches is collected and provided to the customer.

Abstract: Techniques are disclosed for scaling an IP address in overlay networks without using load balancers. In certain implementations, an overlay IP address can be attached to multiple compute instances via virtual network interface cards (VNICs) associated with the multiple compute instances. Traffic directed to the multi-attached IP address is distributed across the multiple compute instances. In some other implementations, ECMP techniques in overlay networks are used to scale an overlay IP address. In forwarding tables used for routing packets, the IP address being scaled is associated with multiple next hop paths to multiple network virtualization devices (NVDs) associated with the multiple compute instances. When a particular packet directed to the overlay IP address is to be routed, one of the multiple next hop paths is selected for routing the packet. This enables packets directed to the IP address to be distributed across the multiple compute instances.

Abstract: For a communication channel having a first endpoint in a customer on-premise network and a second endpoint on a primary host machine in a cloud service provider infrastructure, the primary host machine determines a change in a state information of the communication channel and identifies a backup host machine for the communication channel. The primary host machine causes the change in the state information to be replicated to the backup host machine, wherein the replicated state information stored by the backup host machine is usable by the backup host machine after a failover causes the backup host machine to become the second endpoint of the communication channel.

Abstract: Systems and methods of interface-based ACLs in a virtual Layer-2 network. The method can include sending a packet from source compute instance in a virtual network to a destination compute instance via a destination virtual network interface card (destination VNIC) within a first virtual layer 2 network and evaluating an access control list (ACL) for the packet with a source virtual network interface card (source VNIC). ACL information relevant to the packet can be embedded in the packet. The VSRS can receive the packet and can identify the destination VNIC within the first virtual layer 2 network for delivery of the packet based on information received with the packet and mapping information contained within a mapping table. The VSRS can access ACL information from the packet and can apply the ACL information to the packet.

Abstract: A novel overlay network DDOS mitigation system (ONDMS) is described for performing DDOS attack mitigation in a virtual network environment. Network traffic received by network resources in overlay networks is monitored. When a potential DDOS attack is detected, ONDMS may initiate a protected mode for a network resource. This may involve creating one or more shadow VNICs for the network resource being protected. While in protected mode, as a result of the one or more shadow VNICs, packets that would otherwise be received by the network resource being protected are instead redirected to one or more alternative destinations (e.g., to a DDOS scrubber system within ONDMS) that are configured to filter and analyze the packets and take appropriate mitigation actions, as needed. This protects the network resource being protected from the potential DDOS attack.

Abstract: Techniques are described for communications in an L2 virtual network of a customer. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Information associated with the L2 virtual switches is collected and provided to the customer.

Abstract: A secure private network connectivity system (SNCS) within a cloud service provider infrastructure (CSPI) is described that provides secure private network connectivity between external resources residing in a customer's on-premise environment and the customer's resources residing in the cloud. The SNCS provides secure private bi-directional network connectivity between external resources residing in a customer's external site representation and resources and services residing in the customer's VCN in the cloud without a user (e.g., an administrator) of the enterprise having to explicitly configure the external resources, advertise routes or set up site-to-site network connectivity.

Abstract: For a communication channel having a first endpoint in a customer on-premise network and a second endpoint on a primary host machine in a cloud service provider infrastructure, the primary host machine determines a change in a state information of the communication channel and identifies a backup host machine for the communication channel. The primary host machine causes the change in the state information to be replicated to the backup host machine, wherein the replicated state information stored by the backup host machine is usable by the backup host machine after a failover causes the backup host machine to become the second endpoint of the communication channel.

Abstract: A secure private network connectivity system (SNCS) within a cloud service provider infrastructure (CSPI) is described that provides secure private network connectivity between external resources residing in a customer's on-premise environment and the customer's resources residing in the cloud. The SNCS provides secure private bi-directional network connectivity between external resources residing in a customer's external site representation and resources and services residing in the customer's VCN in the cloud without a user (e.g., an administrator) of the enterprise having to explicitly configure the external resources, advertise routes or set up site-to-site network connectivity.

Abstract: Techniques are described for communications in an L2 virtual network. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Access control list (ACL) information applicable to the L2 port is sent to a network virtualization device that hosts the L2 virtual network interface.

Abstract: A secure private network connectivity system (SNCS) within a cloud service provider infrastructure (CSPI) is described that provides secure private network connectivity between external resources residing in a customer's on-premise environment and the customer's resources residing in the cloud. The SNCS provides secure private bi-directional network connectivity between external resources residing in a customer's external site representation and resources and services residing in the customer's VCN in the cloud without a user (e.g., an administrator) of the enterprise having to explicitly configure the external resources, advertise routes or set up site-to-site network connectivity.

Abstract: Systems and methods for a VLAN switching and routing service (VSRS) are disclosed herein. A method can include generating a table for an instance of a VSRS, which VSRS couples a first virtual layer 2 network (VLAN) with a second network. The table can contain information identifying IP addresses, MAC addresses, and virtual interface identifiers for instances within the virtual layer 2 network. The method can include receiving with the VSRS a packet from a first instance designated for delivery to a second instance within the virtual layer 2 network, identifying with the VSRS the second instance within the virtual layer 2 network for delivery of the packet based on information received with the packet and information contained within the table, and delivering the packet to the identified second instance.

Abstract: Techniques are described for communications in an L2 virtual network. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Access control list (ACL) information applicable to the L2 port is sent to a network virtualization device that hosts the L2 virtual network interface.

Abstract: Techniques are described for communications in an L2 virtual network. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Span port information applicable to the L2 port is sent to a network virtualization device that hosts the L2 virtual network interface.