Abstract: Some embodiments provide a method for a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a public datacenter. The MFE implements a logical network that connects multiple DCNs within the public datacenter. The method receives a packet, directed to the DCN, that (i) has a first logical network source address and (ii) is encapsulated with a second source address associated with an underlying public datacenter network. The method determines whether the first logical network source address is a valid source address for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses. When the first source address is not a valid source address for the packet, the method drops the packet.

Abstract: Some embodiments provide a centralized overlay-network cloud gateway and a set of centralized services in a transit virtual cloud network (VCN) connected to multiple other compute VCNs hosting compute nodes (VMs, containers, etc.) that are part of (belong to) the overlay network. The centralized overlay-network cloud gateway provides connectivity between compute nodes of the overlay network (e.g., a logical network spanning multiple VCNs) and compute nodes in external networks. Some embodiments use the centralized overlay-network cloud gateway to provide transitive routing (e.g., routing through a transit VCN) in the absence of direct peering between source and destination VCNs. The overlay network, of some embodiments, uses the same subnetting and default gateway address for each compute node as the cloud provider network provided by the virtual private cloud provider.

Abstract: Described herein are systems, methods, and software to enhance connectivity between cloud computing service endpoints and virtual machines. In one implementation, a method of managing data packet addressing in a first namespace includes receiving a data packet at a first interface for the first namespace, wherein the first interface is paired with a second interface of a second namespace. The method also includes identifying if the packet is destined for a service node in an underlay network outside of an overlay network for the second namespace, and if destined for a service node outside of an overlay network for the second namespace, modifying addressing in the data packet to support the underlay network and transferring the data packet over a virtual network interface for the virtual machine.

Abstract: An example method of data protection in a virtualized computing system, the virtualized computing system including a host cluster, a virtualization management server connected, and a network manager coupled to a physical network, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts, is described. The method includes: receiving a backup request; executing, in response to the backup request, a coupled backup of the virtualization management server and the network manager, including: creating a backup of a first database in the virtualization management server, the first database storing first configuration data for a virtual infrastructure (VI) control plane of the host cluster; creating a backup of a second database in the network manager, the second database storing second configuration data for a logical network deployed in the host cluster; and storing the coupled backup in remote storage.

Abstract: An example method of data protection in a virtualized computing system, which includes host clusters, a virtualization management server, and a network manager coupled to a physical network, each host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts, is described. The method includes receiving, at the virtualization management server, a restore request; executing, at the virtualization management server in response to the restore request, restoration of a coupled backup of the virtualization management server and the network manager, the coupled backup including a backup of a first database of the virtualization management server and a backup of a second database of the network manager, the restoration including: restoring at least one of the first database and the second database from the coupled backup; repairing runtime state of at least one of the host clusters to make the runtime state consistent with the restoration.

Abstract: Some embodiments provide a method for a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a public datacenter. The MFE implements a logical network that connects multiple DCNs within the public datacenter. The method receives a packet, directed to the DCN, that (i) has a first logical network source address and (ii) is encapsulated with a second source address associated with an underlying public datacenter network. The method determines whether the first logical network source address is a valid source address for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses. When the first source address is not a valid source address for the packet, the method drops the packet.

Abstract: Example methods are provided a first host to perform packet flow monitoring in a software-defined networking (SDN) environment. One example may comprise the first host receiving a request to monitor a packet flow and triggering a telemetry process based on a predetermined event associated with the packet flow. The method may also comprise: in response to the triggered telemetry process and detecting an egress packet associated with the packet flow, generating an encapsulated packet by encapsulating the egress packet with an outer header; configuring a telemetry instruction in the outer header; and sending the encapsulated packet with the telemetry instruction to the second host via one or more intermediate network devices. The telemetry instruction may be configured to cause the one or more intermediate network devices to add, to the encapsulated packet, metadata associated with a network state experienced by the encapsulated packet.

Abstract: A system and method for connecting virtual computer networks in a public cloud computing environment using a transit virtual computer network uses a cloud gateway device in the transit virtual computer network that includes a first-tier logical router and a plurality of second-tier logical routers connected to the virtual computer networks. A source Internet Protocol (IP) address of outgoing data packets from a particular virtual computer network is translated at a particular second-tier logical router of the cloud gateway device from an IP address of the particular virtual computer network to an internal IP address from a particular pool of IP addresses. The outgoing data packets are then routed to the first-tier logical router of the cloud gateway device, where the outgoing data packets are transmitted a destination network from a particular interface of the first-tier logical router of the cloud gateway device.

Abstract: In an embodiment, a computer-implemented method for highly-scalable, in-network multicasting of statistics data is disclosed. In an embodiment, a method comprises: receiving, from an underlay controller, a match-and-action table that is indexed using one or more multicast (“MC”) group identifiers and includes one or more special MC headers; detecting a packet carrying statistics data; determining whether the packet includes an MC group identifier; in response to determining that the packet includes the MC group identifier: using the MC group identifier, retrieving a special MC header, of the one or more special MC headers, from the match-and-action table; generating an encapsulated packet by encapsulating the packet with the special MC header; and providing the encapsulated packet to an interface controller for transmitting the encapsulated packet to one or more physical switches.

Abstract: System and computer-implemented method for secure hybrid cloud connectivity between an application in a public cloud service and an on-premises service supported by an on-premises appliance includes launching a public cloud gateway appliance in the public cloud service. The public cloud gateway appliance is configured with security information associated with the on-premises appliance. The on-premises appliance is provided with contact information associated with the public cloud gateway appliance. A communication channel is established, using an outbound port, from the on-premises appliance to the public cloud gateway appliance that is secured based on the security information associated with the on-premises appliance and the contact information associated with the public cloud gateway appliance.

Abstract: A system and method for using private native security groups and private native firewall policy rules for a private cloud computing environment and a public cloud computing environment uses a public cloud gateway for routing data traffic between at least a cloud network created in the public cloud computing environment and the private cloud computing environment. For each of some private native firewall policy rules that has any of newly created private native security groups as one of source and destination, a cloud native security group (CNSG) rule object with an CNSG outbound rule object and an CNSG inbound rule object for the public cloud is created and at least one of the CNSG outbound rule object and the CNSG inbound rule object is updated so that the private native firewall policy rule can be used in the cloud network.

Abstract: Some embodiments provide a centralized overlay-network cloud gateway and a set of centralized services in a transit virtual private cloud (VPC) connected to multiple other compute VPCs hosting compute nodes (VMs, containers, etc.) that are part of (belong to) the overlay network. The centralized overlay-network cloud gateway provides connectivity between compute nodes of the overlay network (e.g., a logical network spanning multiple VPCs) and compute nodes in external networks. Some embodiments use the centralized overlay-network cloud gateway to provide transitive routing (e.g., routing through a transit VPC) in the absence of direct peering between source and destination VPCs. The overlay network, of some embodiments, uses the same subnetting and default gateway address for each compute node as the cloud provider network provided by the virtual private cloud provider.

Abstract: In an embodiment, a computer-implemented method for highly-scalable, in-network multicasting of statistics data is disclosed. In an embodiment, a method comprises: receiving, from an underlay controller, a match-and-action table that is indexed using one or more multicast (“MC”) group identifiers and includes one or more special MC headers; detecting a packet carrying statistics data; determining whether the packet includes an MC group identifier; in response to determining that the packet includes the MC group identifier: using the MC group identifier, retrieving a special MC header, of the one or more special MC headers, from the match-and-action table; generating an encapsulated packet by encapsulating the packet with the special MC header; and providing the encapsulated packet to an interface controller for transmitting the encapsulated packet to one or more physical switches.

Abstract: A system and method for connecting virtual computer networks in a public cloud computing environment using a transit virtual computer network uses a cloud gateway device in the transit virtual computer network that includes a first-tier logical router and a plurality of second-tier logical routers connected to the virtual computer networks. A source Internet Protocol (IP) address of outgoing data packets from a particular virtual computer network is translated at a particular second-tier logical router of the cloud gateway device from an IP address of the particular virtual computer network to an internal IP address from a particular pool of IP addresses. The outgoing data packets are then routed to the first-tier logical router of the cloud gateway device, where the outgoing data packets are transmitted a destination network from a particular interface of the first-tier logical router of the cloud gateway device.

Abstract: A physical host machine of a public cloud system includes a set of processing units for executing instructions stored in non-transitory machine readable media. The physical host machine also includes a physical network interface cars (PNIC) and a non-transitory machine readable medium that stores a data compute node (DCN). The DCN includes first and second applications, first and second logical interfaces, a network stack, and a managed forwarding element (MFE). The first application is connected to the pNIC through the network stack, the first logical interface, and the MFE. The second application is connected to the PNIC through the network stack, the second logical interface, and the MFE.

Abstract: Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.

Abstract: A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.

Abstract: The disclosure provides an approach for load balancing packets within a data center. The approach leverages dynamically collected and up-to-date health information on each virtual computing instance located within the data center. In one embodiment, health monitoring modules, located within hypervisors of each host computer, collect health statistics on local virtual computing instances. Each health monitoring module shares its locally collected health statistics with every other health monitoring module. Each health monitoring module provides the shared health statistics, on all virtual computing instances within the data center, to a local load balancing module located within the hypervisor of each host computer. Each load balancing module uses health statistics of all virtual computing instances to load balance packets within the data center.

Abstract: Example methods and systems are provided a network device to perform tunnel-based service insertion in a public cloud environment. An example method may comprise establishing a tunnel between the network device and a service path. The method may also comprise: in response to receiving a first encapsulated packet, identifying the service path specified by a service insertion rule; generating and sending a second encapsulated packet over the tunnel to cause the service path to process an inner packet according to one or more services. The method may further comprise: in response to receiving, from the service path via the tunnel, a third encapsulated packet that includes the inner packet processed by the service path, sending the inner packet processed by the service path, or a fourth encapsulated packet, towards a destination address of the inner packet.

Abstract: Example methods and computer systems are provided for east-west service insertion in a public cloud environment. An example method may comprise detecting an egress packet that is destined for a second endpoint located in the same virtual network as a first endpoint. The method may also comprise: in response to determination that service insertion is required, identifying a service path based on a service insertion rule; generating an encapsulated packet by encapsulating the egress packet with an outer header that is addressed from the first endpoint to a network device; and sending the encapsulated packet to cause the network device to send the egress packet towards the service path, thereby steering the egress packet towards the service path for processing.