Patents by Inventor Mukesh Hira

Mukesh Hira has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9912616
    Abstract: Some embodiments provide a method for a first managed forwarding element (MFE). The method receives a packet from a data compute node that connects to the MFE. The packet has a destination address that corresponds to a data compute node in a remote network. The method determines (i) a group of MFEs that form a bridge cluster for sending packets to the remote network and (ii) multiple tunnel endpoints for the group of MFEs, wherein each MFE in the group has at least one of the plurality of tunnel endpoints. The method selects one of the plurality of tunnel endpoints as a destination tunnel endpoint for the packet. The method encapsulates the packet with a source tunnel endpoint associated with the first MFE and the selected destination tunnel endpoint.
    Type: Grant
    Filed: December 2, 2015
    Date of Patent: March 6, 2018
    Assignee: NICIRA, INC.
    Inventors: Jianjun Shen, Alexander Tessmer, Mukesh Hira, Pankaj Thakkar, Hua Wang
  • Publication number: 20180063086
    Abstract: Some embodiments provide a method for a network controller that manages a logical network implemented in a datacenter having forwarding elements to which the network controller does not have access. The method identifies a data compute node (DCN), that operates on a host machine in the datacenter, to attach to the logical network. The DCN has a network interface with a network address provided by a management system of the datacenter. The DCN executes (i) a workload application and (ii) a managed forwarding element (MFE). The method distributes configuration data for configuring the MFE to receive data packets sent from the workload application on the DCN and perform network security processing on the data packets without performing logical forwarding operations. The data packets sent by the workload application have the provided network address as a source address when received by the MFE and are not encapsulated by the MFE.
    Type: Application
    Filed: August 31, 2016
    Publication date: March 1, 2018
    Inventors: Mukesh Hira, Saurabh Shah, Su Wang
  • Publication number: 20180062933
    Abstract: Some embodiments provide a method for a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access. The method identifies a data compute node (DCN), that operates on a host machine in the datacenter, to attach to the logical network. The DCN has a network interface with a first network address provided by a management system of the datacenter, and executes (i) a workload application and (ii) a managed forwarding element (MFE). The method distributes configuration data for configuring the MFE to receive data packets sent from the workload application on the DCN and perform network security and forwarding processing on the data packets. The data packets sent by the workload application have a second network address as a source address when received by the MFE and are encapsulated by the MFE using the first network address.
    Type: Application
    Filed: August 31, 2016
    Publication date: March 1, 2018
    Inventors: Mukesh Hira, Saurabh Shah, Su Wang, Jia Yu
  • Publication number: 20180063036
    Abstract: Some embodiments provide a method for a managed first forwarding element executing on a first data compute node (DCN) that operates on a first host machine within a public datacenter. The managed first forwarding element is configured to implement a logical network. The method receives a data packet from an application, executing on the first data compute node, that sends and receives data packets through the logical network. When the data packet has a destination address that is not associated with the logical network, the method sends the packet directly to a second forwarding element configured by an administrator of the datacenter. When the data packet has a destination address associated with the logical network, the method sends the packet to a managed third forwarding element configured to implement the logical network. The managed third forwarding element executes on a second DCN on a second host machine within the datacenter.
    Type: Application
    Filed: September 28, 2016
    Publication date: March 1, 2018
    Inventors: Ganesan Chandrashekhar, Mukesh Hira, Jayant Jain, Ronghua Zhang
  • Publication number: 20180063087
    Abstract: Some embodiments provide a method for a network controller that manages a logical network implemented in a datacenter having forwarding elements to which the network controller does not have access. The method identifies a data compute node (DCN) operating on a host machine in the datacenter, to attach to the logical network. The DCN has a network interface with an address provided by a datacenter management system. A workload application executes in a first namespace of the DCN. The method distributes configuration data for configuring a managed forwarding element (MFE) executing in a second namespace of the DCN to receive data packets sent from the application via an interface pairing between the first and second namespaces. The data packets sent by the application have the provided address as a source address when received by the MFE and are encapsulated by the MFE using the provided address as a source address.
    Type: Application
    Filed: August 31, 2016
    Publication date: March 1, 2018
    Inventors: Mukesh Hira, Saurabh Shah, Su Wang
  • Publication number: 20180062917
    Abstract: Some embodiments provide a method for a first network controller that manages a logical network implemented in a datacenter including forwarding elements to which the first network controller does not have access. The method identifies a first data compute node (DCN) in the datacenter configured to execute a second network controller. The method distributes configuration data defining the logical network to the first DCN. The second network controller distributes sets of the configuration data to local agents executing on additional DCNs in the datacenter that send and receive messages through the logical network. Both managed forwarding elements and the local agents execute on each of the additional DCNs. Each local agent on a particular DCN is for receiving a set of configuration data from the second network controller and configuring the managed forwarding element on the particular DCN to implement the logical network according to the set of configuration data.
    Type: Application
    Filed: August 31, 2016
    Publication date: March 1, 2018
    Inventors: Ganesan Chandrashekhar, Mukesh Hira, Su Wang, Akshay Katrekar
  • Publication number: 20180062923
    Abstract: Some embodiments provide a method for a public cloud manager operating within a first data compute node of a public cloud. The method receives, through a set of public cloud provider APIs, information regarding a new second data compute node created within the public cloud. The information includes a set of tags entered by a user when creating the data compute node. Based on the tags, the method notifies a network control system that manages a forwarding element operating in the data compute node regarding (i) the creation of the data compute node, (ii) a logical switch to which to attach the data compute node and (iii) a security group to which the data compute node belongs.
    Type: Application
    Filed: December 1, 2016
    Publication date: March 1, 2018
    Inventors: Akshay Katrekar, Vaibhav Kulkarni, Ganesan Chandrashekhar, Mukesh Hira
  • Publication number: 20180063176
    Abstract: Some embodiments provide a method for a public cloud manager that interacts with a management system of a public datacenter. The method receives a notification from a network controller that a second data compute node is compromised. The second data compute node operates on a host machine in the public datacenter and executes a forwarding element managed by the network controller. The method interacts with application programming interfaces (APIs) of the public datacenter to quarantine the data compute node.
    Type: Application
    Filed: December 1, 2016
    Publication date: March 1, 2018
    Inventors: Akshay Katrekar, Ganesan Chandrashekhar, Mukesh Hira, Su Wang, Vaibhav Kulkarni
  • Publication number: 20180062881
    Abstract: Some embodiments provide a method for a network controller. The method configures a first data compute node (DCN), operating within a public first datacenter that includes forwarding elements to which the network controller does not have access, to operate as a gateway forwarding element between (i) other DCNs in the first datacenter on which forwarding elements are configured by the network controller and (ii) forwarding elements in a second datacenter. The method configures the forwarding elements executing on the other DCNs in the public datacenter to implement a logical switch to which the other DCNs attach. The method configures the forwarding elements in the second datacenter to implement the logical switch. DCNs in the second datacenter also attach to the same logical switch.
    Type: Application
    Filed: September 28, 2016
    Publication date: March 1, 2018
    Inventors: Ganesan Chandrashekhar, Mukesh Hira, Su Wang, Jia Yu
  • Publication number: 20180063193
    Abstract: Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.
    Type: Application
    Filed: September 28, 2016
    Publication date: March 1, 2018
    Inventors: Ganesan Chandrashekhar, Mukesh Hira, Sanal Pillai
  • Publication number: 20180048478
    Abstract: A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.
    Type: Application
    Filed: October 5, 2017
    Publication date: February 15, 2018
    Inventors: Alexander Tessmer, Mukesh Hira, Rajiv Krishnamurthy, Ram Dular Singh, Xuan Zhang, Hua Wang
  • Patent number: 9794079
    Abstract: A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: October 17, 2017
    Assignee: NICIRA, INC.
    Inventors: Alexander Tessmer, Mukesh Hira, Rajiv Krishnamurthy, Ram Dular Singh, Xuan Zhang, Hua Wang
  • Publication number: 20170295101
    Abstract: Example methods are provided for a first switch to perform congestion-aware load balancing in a data center network. The method may comprise: receiving probe packets from multiple next-hop second switches that connect the first switch with a third switch via multiple paths. The method may also comprise: processing congestion state information in each probe packet to select a selected next-hop second switch from the multiple next-hop second switches, the selected next-hop second switch being associated with a least congested path from the first switch to the third switch. The method may further comprise: in response to receiving data packets from a fourth switch that are destined for a destination connected with the third switch, sending the data packets to the selected next-hop second switch such that the data packets travel to the third switch along the least congested path.
    Type: Application
    Filed: April 11, 2017
    Publication date: October 12, 2017
    Applicant: Nicira, Inc.
    Inventors: Mukesh HIRA, Naga KATTA
  • Publication number: 20170295100
    Abstract: Example methods are provided for a source virtual tunnel endpoint (VTEP) to perform congestion-aware load balancing in a data center network. The method may comprise the source VTEP learning congestion state information associated with multiple paths provided by respective multiple intermediate switches connecting the source VTEP with a destination VTEP. The method may also comprise the source VTEP receiving second packets that are sent by a source endpoint and destined for a destination endpoint; and selecting a particular path from multiple paths based on the congestion state information. The method may further comprise the source VTEP generating encapsulated second packets by encapsulating each of the second packets with header information that includes a set of tuples associated with the particular path; and sending the encapsulated second packets to the destination endpoint.
    Type: Application
    Filed: April 11, 2017
    Publication date: October 12, 2017
    Applicant: Nicira, Inc.
    Inventors: Mukesh HIRA, Naga KATTA, Isaac KESLASSY, Aditi GHAG
  • Publication number: 20170163442
    Abstract: Some embodiments provide a method for a network controller. The method identifies a data compute node for operation on a host machine that includes a managed forwarding element (MFE) having multiple tunnel endpoints. The data compute node belongs to a particular logical network. The method identifies multiple other data compute nodes belonging to the particular logical network. The method distributes, to the MFE, (i) a mapping of each data compute node of the other data compute nodes to an identifier for a group of tunnel endpoints associated with the data compute node and (ii) a mapping of each of the identifiers to a list of tunnel endpoints. The MFE uses the mappings to encapsulate packets sent from the data compute node for transmission to other MFEs.
    Type: Application
    Filed: December 2, 2015
    Publication date: June 8, 2017
    Inventors: Jianjun Shen, Alexander Tessmer, Mukesh Hira, Pankaj Thakkar, Hua Wang
  • Publication number: 20170163599
    Abstract: Some embodiments provide a method for a first managed forwarding element (MFE). The method receives a packet from a data compute node that connects to the MFE. The packet has a destination address that corresponds to a data compute node in a remote network. The method determines (i) a group of MFEs that form a bridge cluster for sending packets to the remote network and (ii) multiple tunnel endpoints for the group of MFEs, wherein each MFE in the group has at least one of the plurality of tunnel endpoints. The method selects one of the plurality of tunnel endpoints as a destination tunnel endpoint for the packet. The method encapsulates the packet with a source tunnel endpoint associated with the first MFE and the selected destination tunnel endpoint.
    Type: Application
    Filed: December 2, 2015
    Publication date: June 8, 2017
    Inventors: Jianjun Shen, Alexander Tessmer, Mukesh Hira, Pankaj Thakkar, Hua Wang
  • Publication number: 20170163598
    Abstract: Some embodiments provide a method for a managed forwarding element (MFE). At the MFE, the method receives a first packet from a particular tunnel endpoint. The first packet originates from a particular data compute node associated with multiple tunnel endpoints including the particular tunnel endpoint. Based on the first packet, the method stores an association of the particular tunnel endpoint with the particular data compute node. The method uses the stored association to encapsulate subsequent packets received at the MFE and having the particular data compute node as a destination address with the particular tunnel endpoint as a destination tunnel endpoint.
    Type: Application
    Filed: December 2, 2015
    Publication date: June 8, 2017
    Inventors: Jianjun Shen, Alexander Tessmer, Mukesh Hira, Pankaj Thakkar, Hua Wang
  • Publication number: 20170163536
    Abstract: Some embodiments provide a method for a managed forwarding element (MFE). The method receives a packet from a data compute node for which the MFE performs first-hop processing. The data compute node is associated with multiple tunnel endpoints of the MFE. The method determines a destination tunnel endpoint for the packet. The method uses a load balancing algorithm to select one of the multiple tunnel endpoints of the MFE as a source tunnel endpoint for the packet. The method encapsulates the packet in a tunnel using the source and destination tunnel endpoints.
    Type: Application
    Filed: December 2, 2015
    Publication date: June 8, 2017
    Inventors: Jianjun Shen, Alexander Tessmer, Mukesh Hira, Pankaj Thakkar, Hua Wang
  • Publication number: 20170149583
    Abstract: A novel method that uses the source port field in the transport or connection layer (L4) header to encode control plane information is provided. Specifically, the method encodes control plane information in the UDP or TCP source port field of data plane tunnels in an overlay network such as VXLAN. Network virtualization is implemented by a network controller over an overlay network on the physical fabric. The network controller provides a mapping table to the data plane hosts for mapping the encoded bits in the source port field to semantically richer information. The data plane hosts in turn use the encoded source bits and the mapping table to infer this semantically richer information. This semantically richer information is used to allow receivers of proxied traffic to learn the address of the original sender. The semantically richer information can also be used to enable ECMP for the transmitted packets.
    Type: Application
    Filed: February 1, 2017
    Publication date: May 25, 2017
    Inventors: Mukesh Hira, Alexander Tessmer, Anupam Chanda
  • Patent number: 9577927
    Abstract: A novel method that uses the source port field in the transport or connection layer (L4) header to encode control plane information is provided. Specifically, the method encodes control plane information in the UDP or TCP source port field of data plane tunnels in an overlay network such as VXLAN. Network virtualization is implemented by a network controller over an overlay network on the physical fabric. The network controller provides a mapping table to the data plane hosts for mapping the encoded bits in the source port field to semantically richer information. The data plane hosts in turn use the encoded source bits and the mapping table to infer this semantically richer information. This semantically richer information is used to allow receivers of proxied traffic to learn the address of the original sender. The semantically richer information can also be used to enable ECMP for the transmitted packets.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: February 21, 2017
    Assignee: NICIRA, INC.
    Inventors: Mukesh Hira, Alexander Tessmer, Anupam Chanda