Abstract: The present disclosure generally relates to deploying a proxy control plane and/or north-south data plane in a control virtual private cloud of a logical network implemented on a software-defined datacenter. The control virtual private cloud is shared by a plurality of compute virtual private clouds of the network. In some embodiments, a proxy control plane is deployed on the control virtual private cloud and disseminates policies directly to endpoints of the logical network. In some embodiments, a north-south data plane is deployed on the control virtual private cloud and directly manages north-south network traffic from endpoints of the logical network. In some embodiments, a proxy control plane and a north-south network data plane are deployed on the control virtual private cloud.

Abstract: Some embodiments provide a method for a first network controller that manages a logical network implemented in a datacenter including forwarding elements to which the first network controller does not have access. The method identifies a first data compute node (DCN) in the datacenter configured to execute a second network controller. The method distributes configuration data defining the logical network to the first DCN. The second network controller distributes sets of the configuration data to local agents executing on additional DCNs in the datacenter that send and receive messages through the logical network. Both managed forwarding elements and the local agents execute on each of the additional DCNs. Each local agent on a particular DCN is for receiving a set of configuration data from the second network controller and configuring the managed forwarding element on the particular DCN to implement the logical network according to the set of configuration data.

Abstract: Example methods are provided a first node to perform data center network topology discovery in a data center network. One example method may comprise the first node receiving multiple probe packets that include a first probe packet and a second probe packet in response to a probing process initiated by a second node. The method may also comprise extracting, from the first probe packet, first metadata that is added by a first subset of multiple intermediate network devices and extracting, from the second probe packet, second metadata that is added by a second subset of the multiple intermediate network devices. The method may further comprise processing the first metadata and the second metadata to identify respective first forwarding path and second forwarding path from the second node to the first node.

Abstract: Some embodiments provide a method for a public cloud manager that interacts with a management system of a public datacenter. The method receives a notification from a network controller that a second data compute node is compromised. The second data compute node operates on a host machine in the public datacenter and executes a forwarding element managed by network controller. The method interacts with application programming interfaces (APIs) of the public datacenter to quarantine the data compute node.

Abstract: Some embodiments provide a method for a public cloud manager operating within a first data compute node of a public cloud. The method receives, through a set of public cloud provider APIs, information regarding a new second data compute node created within the public cloud. The information includes a set of tags entered by a user when creating the data compute node. Based on the tags, the method notifies a network control system that manages a forwarding element operating in the data compute node regarding (i) the creation of the data compute node, (ii) a logical switch to which to attach the data compute node and (iii) a security group to which the data compute node belongs.

Abstract: A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.

Abstract: Example methods are provided for a source virtual tunnel endpoint (VTEP) to perform congestion-aware load balancing in a data center network. The method may comprise the source VTEP learning congestion state information associated with multiple paths provided by respective multiple intermediate switches connecting the source VTEP with a destination VTEP. The method may also comprise the source VTEP receiving second packets that are sent by a source endpoint and destined for a destination endpoint; and selecting a particular path from multiple paths based on the congestion state information. The method may further comprise the source VTEP generating encapsulated second packets by encapsulating each of the second packets with header information that includes a set of tuples associated with the particular path; and sending the encapsulated second packets to the destination endpoint.

Abstract: Some embodiments provide a method for a network controller that manages a logical network spanning multiple physical locations. For each physical location hosting data compute nodes (DCNs) belonging to the logical network, the method defines a centralized routing component for processing data messages between the DCNs hosted at the physical location and networks external to the logical network, assigns an active instance of the centralized routing component to operate at the physical location, and assigns a standby instance of the centralized routing component to operate at one of the other physical locations.

Abstract: Some embodiments provide a method for a first DCN operating in a first datacenter as a logical network gateway that processes messages between other DCNs of the logical network and external entities, which address the logical network gateway using a first address. The first DCN has an interface with a second address for use in the first datacenter. The method stores a mapping between the second address and a third address. A second DCN operates the logical network gateway in a second datacenter and has an interface with the third address for use in the second datacenter. From the second DCN, the method receives connection state data, describing connections between the external entities and the DCNs of the logical network, that uses the third address. The method replaces the third address with the second address in the connection state data using the stored mapping and stores the connection state data.

Abstract: A data compute node executes (i) a set of tenant applications connected to a third party overlay network, (ii) a set of network manager applications, and (iii) a managed forwarding element that includes a pair of overlay and underlay network virtual adapters. A packet that is received from a network manager application and addressed to an underlay network destination is sent to the underlay network destination address through a physical NIC of the host without network address translation or encapsulation. A packet that is received from a tenant application and addressed to an underlay network destination is subject to SNAT and is sent to the underlay network destination address. A packet that is received from a tenant application and is addressed an overlay destination address is encapsulated with the header of the overlay network and is sent to the overlay network destination address through the underlay virtual adapter.

Abstract: A physical host machine of a public cloud system includes a set of processing units for executing instructions stored in non-transitory machine readable media. The physical host machine also includes a physical network interface cars (PNIC) and a non-transitory machine readable medium that stores a data compute node (DCN). The DCN includes first and second applications, first and second logical interfaces, a network stack, and a managed forwarding element (MFE). The first application is connected to the pNIC through the network stack, the first logical interface, and the MFE. The second application is connected to the PNIC through the network stack, the second logical interface, and the MFE.

Abstract: Some embodiments provide a novel way to insert a service (e.g., a third party service) in the path of a data message flow, between two machines (e.g., two VMs, two containers, etc.) in a public cloud environment. For a particular tenant of the public cloud, some embodiments create an overlay logical network with a logical overlay address space. To perform a service on data messages of a flow between two machines, the logical overlay network passes to the public cloud's underlay network the data messages with their destination address (e.g., destination IP addresses) defined in the logical overlay network. The underlay network (e.g., an underlay default downlink gateway) is configured to pass data messages with such destination addresses (e.g., with logical overlay destination addresses) to a set of one or more service machines. The underlay network (e.g.

Abstract: Described herein are systems, methods, and software to enhance connectivity between cloud computing service endpoints and virtual machines. In one implementation, a method of managing data packet addressing in a first namespace includes receiving a data packet at a first interface for the first namespace, wherein the first interface is paired with a second interface of a second namespace. The method also includes identifying if the packet is destined for a service node in an underlay network outside of an overlay network for the second namespace, and if destined for a service node outside of an overlay network for the second namespace, modifying addressing in the data packet to support the underlay network and transferring the data packet over a virtual network interface for the virtual machine.

Abstract: Certain embodiments presented herein relate to load balancing of data transmissions among a plurality of paths between endpoints (EPs) coupled to virtual switches. In particular, between the virtual switches there may be a number of physical paths for the data to be communicated between the EPs. Each path may have a different congestion level. Certain embodiments relate to selecting a path of the plurality of paths between EPs to communicate data between the EPs based on the congestion levels associated with each of the plurality of paths. In certain embodiments, a virtual switch determines a congestion level of each of the plurality of paths, selects a path of the plurality of paths based on the determined congestion level, and sets source port information of network packets to correspond to the selected path so that the network packets are communicated along the selected path.

Abstract: Some embodiments provide a method for a network controller that manages a logical network implemented in a datacenter having forwarding elements to which the network controller does not have access. The method identifies a data compute node (DCN), that operates on a host machine in the datacenter, to attach to the logical network. The DCN has a network interface with a network address provided by a management system of the datacenter. The DCN executes (i) a workload application and (ii) a managed forwarding element (MFE). The method distributes configuration data for configuring the MFE to receive data packets sent from the workload application on the DCN and perform network security processing on the data packets without performing logical forwarding operations. The data packets sent by the workload application have the provided network address as a source address when received by the MFE and are not encapsulated by the MFE.

Abstract: Some embodiments provide a method for a managed forwarding element (MFE). The method receives a packet from a data compute node for which the MFE performs first-hop processing. The data compute node is associated with multiple tunnel endpoints of the MFE. The method determines a destination tunnel endpoint for the packet. The method uses a load balancing algorithm to select one of the multiple tunnel endpoints of the MFE as a source tunnel endpoint for the packet. The method encapsulates the packet in a tunnel using the source and destination tunnel endpoints.

Abstract: A novel method that uses the source port field in the transport or connection layer (L4) header to encode control plane information is provided. Specifically, the method encodes control plane information in UDP or TCP source port field of data plane tunnels in an overlay network such as VXLAN. Network virtualization is implemented by a network controller over an overlay network on the physical fabric. The network controller provides a mapping table to the data plane hosts for mapping the encoded bits in the source port field to semantically richer information. The data plane hosts in turn uses the encoded source bits and the mapping table to infer this semantically richer information. This semantically richer information is used to allow receivers of proxied traffic to learn the address of the original sender. The semantically richer information can also be used to enable ECMP for the transmitted packets.

Abstract: Some embodiments provide a method for a controller for mapping and sharing up to date configuration information for a logical network comprising managed forwarding elements having multiple tunnel endpoints. The method identifies a data compute node for operation on a host machine that includes a managed forwarding element (MFE) having multiple tunnel endpoints. The data compute node belongs to a particular logical network. The method identifies multiple other data compute nodes belonging to the particular logical network. The method distributes to the MFE (i) a mapping of each data compute node of the other data compute nodes to an identifier for a group of tunnel endpoints associated with the data compute node and (ii) a mapping of each of the identifiers to a list of tunnel endpoints. The MFE uses the mappings to encapsulate packets sent from the data compute node for transmission to other MFEs.

Abstract: Certain embodiments presented herein relate to load balancing of data transmissions among a plurality of paths between endpoints (EPs) coupled to virtual switches. In particular, between the virtual switches there may be a number of physical paths for the data to be communicated between the EPs. Each path may have a different congestion level. Certain embodiments relate to selecting a path of the plurality of paths between EPs to communicate data between the EPs based on the congestion levels associated with each of the plurality of paths. In certain embodiments, a virtual switch determines a congestion level of each of the plurality of paths, selects a path of the plurality of paths based on the determined congestion level, and sets source port information of network packets to correspond to the selected path so that the network packets are communicated along the selected path.

Abstract: Some embodiments provide a method for a first managed forwarding element (MFE). The method receives a packet from a data compute node that connects to the MFE. The packet has a destination address that corresponds to a data compute node in a remote network. The method determines (i) a group of MFEs that form a bridge cluster for sending packets to the remote network and (ii) multiple tunnel endpoints for the group of MFEs, wherein each MFE in the group has at least one of the plurality of tunnel endpoints. The method selects one of the plurality of tunnel endpoints as a destination tunnel endpoint for the packet. The method encapsulates the packet with a source tunnel endpoint associated with the first MFE and the selected destination tunnel endpoint.