Abstract: Techniques for virtualized network functions (VNFs) that provide for domain isolation of networks coupled to the VNF are described. A virtual network function (VNF) includes a cloud virtual domain coupling the VNF to a cloud service, a management virtual domain coupling the VNF to a management service, and an external virtual domain having a public Internet Protocol (IP) address. The external virtual domain receives an authentication request providing access credentials for a VNF customer from a cloud client device, provides the authentication request to the management service via the management virtual domain, receives an authentication response from the management service, and, in response to determining that the VNF customer access credentials are valid, initiates application of a policy that allows the cloud client device to configure the cloud virtual domain or the cloud service and disallows configuration of the external virtual domain and the management virtual domain.

Abstract: In general, techniques are described for a hierarchical, distributed DHCP system for managing IP address assignment among distributed networks of computing devices. For example, a system may include a central DHCP server configured to manage a plurality of distributed DHCP servers, each distributed DHCP server configured to perform DHCP using IP addresses allocated from a common prefix for a tenant associated with computing devices managed by multiple DHCP servers. The central DHCP server allocates IP addresses to the distributed DHCP servers, e.g., on an on-demand basis from the common pool and may handle concurrent requests for IP addresses from distributed DHCP servers. Each of the distributed DHCP servers may store records for IP addresses and media access control (MAC) addresses for computing devices managed by that distributed DHCP server, and the DHCP servers may send these records to the central DHCP server to facilitate IP assignment coherency.

Abstract: The techniques described in this disclosure provide resilient and reactive on-demand Distributed Denial-of-Service (DDoS) mitigation services using an exchange. For example, an exchange comprises a first virtual network for switching mixed traffic (including dirty (DDoS) traffic and clean (non-DDoS) traffic)) from one or more networks to one or more DDoS scrubbing centers; and a second virtual network for switching the clean traffic from the one or more DDoS scrubbing centers to the one or more networks, wherein the exchange is configured to receive the mixed traffic from the one or more networks and switch, using the first virtual network, the mixed traffic to a selected DDoS scrubbing center of the one or more DDoS scrubbing centers, and wherein the exchange is configured to receive the clean traffic from the selected DDoS scrubbing center and switch, using the second virtual network, the clean traffic to the one or more networks.

Abstract: In general, techniques are described for network connectivity for non-colocated customers of a cloud exchange. A programmable network platform for the cloud exchange comprises processing circuitry configured to: configure a virtual network device in the data center to run a network service for a customer; receive, from the customer, a request for a remote port and network information for a network service provider connectivity service for the customer; assign, in response to receiving the request for the remote port, a remote port of the cloud exchange to the customer; and configure, in response to receiving the request for the remote port using the network information, the cloud exchange to connect the network service provider connectivity service to the virtual network device via the remote port of the cloud exchange.

Abstract: Techniques for tenant-driven dynamic resource allocation in network functions virtualization infrastructure (NFVI). In one example, an orchestration system is operated by a data center provider for a data center and that orchestration system comprises processing circuitry coupled to a memory; logic stored in the memory and configured for execution by the processing circuitry, wherein the logic is operative to: compute an aggregate bandwidth for a plurality of flows associated with a tenant of the data center provider and processed by a virtual network function, assigned to the tenant, executing on a server of the data center; and modify, based on the aggregate bandwidth, an allocation of compute resources of the server executing the virtual network function.

Abstract: In one example, a method comprises receiving, by a computing device, configuration data defining: an external virtual domain for a network function, the external virtual domain connected to a public network and managed by a provider for the computing device; a virtual domain for the network function, the virtual domain separate from the external virtual domain, configured with a secure tunnel interface, connected to a customer network, and managed by a customer of the provider for the computing device; forwarding, by the external virtual domain implementing a route-based virtual private network, encrypted network traffic, received from the public network via a secure tunnel, to the secure tunnel interface configured in the virtual domain; decrypting, by the virtual domain, the encrypted network traffic to generate network traffic; and forwarding, by the virtual domain, the network traffic to the customer network.

Abstract: Techniques for virtualized network functions (VNFs) that provide for domain isolation of networks coupled to the VNF are described. A virtual network function (VNF) includes a cloud virtual domain coupling the VNF to a cloud service, a management virtual domain coupling the VNF to a management service, and an external virtual domain having a public Internet Protocol (IP) address. The external virtual domain receives an authentication request providing access credentials for a VNF customer from a cloud client device, provides the authentication request to the management service via the management virtual domain, receives an authentication response from the management service, and, in response to determining that the VNF customer access credentials are valid, initiates application of a policy that allows the cloud client device to configure the cloud virtual domain or the cloud service and disallows configuration of the external virtual domain and the management virtual domain.

Abstract: Techniques for tenant-driven dynamic resource allocation in network functions virtualization infrastructure (NFVI). In one example, an orchestration system is operated by a data center provider for a data center and that orchestration system comprises processing circuitry coupled to a memory; logic stored in the memory and configured for execution by the processing circuitry, wherein the logic is operative to: compute an aggregate bandwidth for a plurality of flows associated with a tenant of the data center provider and processed by a virtual network function, assigned to the tenant, executing on a server of the data center; and modify, based on the aggregate bandwidth, an allocation of compute resources of the server executing the virtual network function.

Abstract: In general, this disclosure describes a cloud exchange (or “cloud exchange”) that offers a cloud-to-cloud interface (CCI) for interconnecting cloud services to tenants within public clouds. As described herein, the cloud exchange may be configured with a cloud-to-cloud interface that enables tenant applications of a public cloud to subscribe to and communicate with cloud services, using an end-to-end layer 3 path, in some cases without requiring a separate routing protocol session with a public edge device for the public cloud. In some examples, the public cloud provides a virtual layer 2 connection from a tenant within a public cloud to a routing instance of the cloud exchange, and the cloud exchange uses the routing instance to route service traffic between the tenant and the cloud services.

Abstract: In general, this disclosure describes techniques for using virtual domains. In one example, a method comprises receiving, by a computing device, configuration data defining: an external virtual domain for a network function, the external virtual domain connected to a public network and managed by a provider for the computing device; a virtual domain for the network function, the virtual domain separate from the external virtual domain, configured with a secure tunnel interface, connected to a customer network, and managed by a customer of the provider for the computing device; forwarding, by the external virtual domain implementing a route-based virtual private network, encrypted network traffic, received from the public network via a secure tunnel, to the secure tunnel interface configured in the virtual domain; decrypting, by the virtual domain, the encrypted network traffic to generate network traffic; and forwarding, by the virtual domain, the network traffic to the customer network.

Abstract: Techniques for virtualized network functions (VNFs) that provide for domain isolation of networks coupled to the VNF are described. A virtual network function (VNF) includes a cloud virtual domain coupling the VNF to a cloud service, a management virtual domain coupling the VNF to a management service, and an external virtual domain having a public Internet Protocol (IP) address. The external virtual domain receives an authentication request providing access credentials for a VNF customer from a cloud client device, provides the authentication request to the management service via the management virtual domain, receives an authentication response from the management service, and, in response to determining that the VNF customer access credentials are valid, initiates application of a policy that allows the cloud client device to configure the cloud virtual domain or the cloud service and disallows configuration of the external virtual domain and the management virtual domain.

Abstract: In one example, a method comprises receiving, by a computing device, configuration data defining: an external virtual domain for a network function, the external virtual domain connected to a public network and managed by a provider for the computing device; a virtual domain for the network function, the virtual domain separate from the external virtual domain, configured with a secure tunnel interface, connected to a customer network, and managed by a customer of the provider for the computing device; forwarding, by the external virtual domain implementing a route-based virtual private network, encrypted network traffic, received from the public network via a secure tunnel, to the secure tunnel interface configured in the virtual domain; decrypting, by the virtual domain, the encrypted network traffic to generate network traffic; and forwarding, by the virtual domain, the network traffic to the customer network.

Abstract: An Application Programming Interface (API) exchange located within a data center is configured to receive, from a customer, a request for access to one or more APIs corresponding to respective service provider networks and to which the API exchange provides access. Based on the request for access, the API exchange bundles the one or more APIs into an API bundle, generates a unique subscription key for accessing the API bundle, and sends the unique subscription key to the customer. The API exchange receives, from the customer, a service request for invoking a requested API of the API bundle, the service request including the unique subscription key. Upon authorizing the service request to access the API bundle based on the unique subscription key, the API exchange sends the service request to the service provider network corresponding to the requested API.

Abstract: In general, techniques are described for network connectivity for non-colocated customers of a cloud exchange. A programmable network platform for the cloud exchange comprises processing circuitry configured to: configure a virtual network device in the data center to run a network service for a customer; receive, from the customer, a request for a remote port and network information for a network service provider connectivity service for the customer; assign, in response to receiving the request for the remote port, a remote port of the cloud exchange to the customer; and configure, in response to receiving the request for the remote port using the network information, the cloud exchange to connect the network service provider connectivity service to the virtual network device via the remote port of the cloud exchange.

Abstract: Techniques for tenant-driven dynamic resource allocation in network functions virtualization infrastructure (NFVI). In one example, an orchestration system is operated by a data center provider for a data center and that orchestration system comprises processing circuitry coupled to a memory; logic stored in the memory and configured for execution by the processing circuitry, wherein the logic is operative to: compute an aggregate bandwidth for a plurality of flows associated with a tenant of the data center provider and processed by a virtual network function, assigned to the tenant, executing on a server of the data center; and modify, based on the aggregate bandwidth, an allocation of compute resources of the server executing the virtual network function.

Abstract: In an example, a system includes a first cloud exchange network for a first cloud exchange, the first cloud exchange network located within a first data center and configured with a first dedicated virtual gateway, the first dedicated virtual gateway configured to interface with a first virtual connector to a customer network, with a second virtual connector to a first cloud service provider (CSP) network, and with a third virtual connector to a second CSP network. Network traffic among the customer network, the first CSP network, and the second CSP network is routed through the first dedicated virtual gateway. The first dedicated virtual gateway dynamically polices the network traffic based on an aggregate bandwidth subscription configured in the first cloud exchange network that limits a total bandwidth that may be used over the first cloud exchange network between the customer network, the first CSP network, and the second CSP network.

Abstract: The techniques described in this disclosure provide resilient and reactive on-demand Distributed Denial-of-Service (DDoS) mitigation services using an exchange. For example, an exchange comprises a first virtual network for switching mixed traffic (including dirty (DDoS) traffic and clean (non-DDoS) traffic)) from one or more networks to one or more DDoS scrubbing centers; and a second virtual network for switching the clean traffic from the one or more DDoS scrubbing centers to the one or more networks, wherein the exchange is configured to receive the mixed traffic from the one or more networks and switch, using the first virtual network, the mixed traffic to a selected DDoS scrubbing center of the one or more DDoS scrubbing centers, and wherein the exchange is configured to receive the clean traffic from the selected DDoS scrubbing center and switch, using the second virtual network, the clean traffic to the one or more networks.

Abstract: In one example, a method includes receiving, by a first network device via a routing protocol peering session with a peer router in a first autonomous system, a plurality of routing protocol routes to destination addresses, each routing protocol route specifying a network address prefix and an identifier of the autonomous system that originated the routing protocol route; receiving network address prefix ownership information from a distributed ledger storing a plurality of associations between respective network address prefixes and respective autonomous system identifiers of autonomous systems confirmed to own the respective network address prefixes; determining, based at least on the prefix ownership information, whether any of the plurality of routing protocol routes specifies an autonomous system identifier different than specified by the associations; and in response to determining that one of the routes specifies an autonomous system identifier different than specified by the plurality of associations,

Abstract: This disclosure describes techniques for securely, efficiently, and/or effectively providing cryptographic operations and key management services. Systems in accordance with one or more aspects of the present disclosure may provide secure management of cryptographic keys as service to a plurality of data center users or customers that contract for services provided by a data center. In one example, this disclosure describes a data center comprising a plurality of cloud service provider ports, a plurality of customer ports, network infrastructure coupling the plurality of cloud service provider ports to the plurality of customer ports, and a computing system including at least one hardware security module.

Abstract: One embodiment of the present invention provides a switch. The switch includes a fabric switch module and a learning module. The fabric switch module maintains a membership in a first fabric switch. A fabric switch includes a plurality of switches and operates as a single switch. The first fabric switch is in an extended fabric switch which further comprises a second fabric switch. The learning module identifies from a notification message from the second fabric switch a media access control (MAC) address learned at the second fabric switch. The learning module stores the MAC address in a local MAC table in association with an Internet Protocol (IP) address of the second fabric switch.