Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). A set of interfaces on each side of the network edge device for a set of equal cost paths, in some embodiments, are bonded together in the network edge device to correspond to a single interface on either side of a logical bridge including at least one logical switch providing a stateful service implemented by the network edge device. The bond is implemented, in some embodiments, by a bonding module executing on the network edge device that maintains a mapping between ingress and egress interfaces to allow deterministic forwarding through the network edge device in the presence of bonded interfaces.

Abstract: In some embodiments, a method instantiates a proxy that stores first state information for first workloads running on a first computing device. The first computing device receives a migrated workload from a second computing device and second state information for a session associated with the migrated workload. The second state information is generated by a proxy on the second computing device that processed one or more packets for the migrated workload on the second computing device. The method stories the second state information for the proxy on the first computing device and resumes the session associated with the migrated workload using the proxy on the first computing device.

Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.

Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). In some embodiments, each interface associated with a different bridge calls a service engine based on identifiers included in data messages received at the interface. Each data message flow is associated with a particular identifier that is associated with a particular service engine instance that provides the stateful service. In some embodiments, the interface that receives a data message identifies a service engine to provide the stateful service and provides the data message to the identified service engine. After processing the data message, the service engine provides the data message to the egress interface associated with the ingress interface.

Abstract: In order to enable dynamic scaling of network services at the edge, novel systems and methods are provided to enable addition of add new nodes or removal of existing nodes while retaining the affinity of the flows through the stateful services. The methods provide a cluster of network nodes that can be dynamically resized to handle and process network traffic that utilizes stateful network services. The existing traffic flows through the edge continue to function during and after the changes to membership of the cluster. All nodes in the cluster operate in active-active mode, i.e., they are receiving and processing traffic flows, thereby maximizing the utilization of the available processing power.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). In some embodiments, each interface associated with a different bridge calls a service engine based on identifiers included in data messages received at the interface. Each data message flow is associated with a particular identifier that is associated with a particular service engine instance that provides the stateful service. In some embodiments, the interface that receives a data message identifies a service engine to provide the stateful service and provides the data message to the identified service engine. After processing the data message, the service engine provides the data message to the egress interface associated with the ingress interface.

Abstract: In order to enable dynamic scaling of network services at the edge, novel systems and methods are provided to enable addition of add new nodes or removal of existing nodes while retaining the affinity of the flows through the stateful services. The methods provide a cluster of network nodes that can be dynamically resized to handle and process network traffic that utilizes stateful network services. The existing traffic flows through the edge continue to function during and after the changes to membership of the cluster. All nodes in the cluster operate in active-active mode, i.e., they are receiving and processing traffic flows, thereby maximizing the utilization of the available processing power.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). A set of interfaces on each side of the network edge device for a set of equal cost paths, in some embodiments, are bonded together in the network edge device to correspond to a single interface on either side of a logical bridge including at least one logical switch providing a stateful service implemented by the network edge device. The bond is implemented, in some embodiments, by a bonding module executing on the network edge device that maintains a mapping between ingress and egress interfaces to allow deterministic forwarding through the network edge device in the presence of bonded interfaces.

Abstract: In some embodiments, a method instantiates a proxy that stores first state information for first workloads running on a first computing device. The first computing device receives a migrated workload from a second computing device and second state information for a session associated with the migrated workload. The second state information is generated by a proxy on the second computing device that processed one or more packets for the migrated workload on the second computing device. The method stories the second state information for the proxy on the first computing device and resumes the session associated with the migrated workoad using the proxy on the first computing device.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). A set of interfaces on each side of the network edge device for a set of equal cost paths, in some embodiments, are bonded together in the network edge device to correspond to a single interface on either side of a logical bridge including at least one logical switch providing a stateful service implemented by the network edge device. The bond is implemented, in some embodiments, by a bonding module executing on the network edge device that maintains a mapping between ingress and egress interfaces to allow deterministic forwarding through the network edge device in the presence of bonded interfaces.

Abstract: In some embodiments, a method instantiates a proxy that stores first state information for first workloads running on a first computing device. The first computing device receives a migrated workload from a second computing device and second state information for a session associated with the migrated workload. The second state information is generated by a proxy on the second computing device that processed one or more packets for the migrated workload on the second computing device. The method stories the second state information for the proxy on the first computing device and resumes the session associated with the migrated workload using the proxy on the first computing device.

Abstract: For a multi-tenant environment, some embodiments of the invention provide a novel method for (1) embedding a specific path for a tenant's data message flow through a network in tunnel headers encapsulating the data message flow, and then (2) using the embedded path information to direct the data message flow through the network. In some embodiments, the method selects the specific path from two or more viable such paths through the network for the data message flow.

Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.

Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for processing data messages in parallel using multiple processors (e.g., cores) of each computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. In some embodiments, the multiple processors encrypt data messages according to a set of encryption parameters or multiple sets of encryption parameters that specify an encryption policy for data messages requiring encryption, an encryption algorithm, an encryption key, a destination network address, and an encryption-parameter-set identifier.

Abstract: For a network including multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for distributing data messages among processors of a destination computer that receives encrypted data messages from a source computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. The encrypted data messages are received at multiple interfaces of the destination computer and in some embodiments, include an identifier for a set of encryption parameters (e.g., a security parameter index). The encryption-parameter-set identifier is used to distribute encrypted data messages among processors of the destination computer.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). A set of interfaces on each side of the network edge device for a set of equal cost paths, in some embodiments, are bonded together in the network edge device to correspond to a single interface on either side of a logical bridge including at least one logical switch providing a stateful service implemented by the network edge device. The bond is implemented, in some embodiments, by a bonding module executing on the network edge device that maintains a mapping between ingress and egress interfaces to allow deterministic forwarding through the network edge device in the presence of bonded interfaces.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). In some embodiments, each interface associated with a different bridge calls a service engine based on identifiers included in data messages received at the interface. Each data message flow is associated with a particular identifier that is associated with a particular service engine instance that provides the stateful service. In some embodiments, the interface that receives a data message identifies a service engine to provide the stateful service and provides the data message to the identified service engine. After processing the data message, the service engine provides the data message to the egress interface associated with the ingress interface.

Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). In some embodiments, the network edge device receives data messages from a first gateway device from a logical network, provides the stateful network service to the data message, and forwards the data message towards the destination through a corresponding interface connected to a physical network.