Abstract: A network controller in an overlay network maintains collective sets of identity-based policies and identity mappings for onboarded users of the network for informed distribution to network elements across the network. As new users are onboarded, the controller identifies a site of the network at which the user was onboarded and determines identity mappings of the user and applicable policies for distribution to a network element at the identified site. The controller assigns index values to each identity and communicates the indices to network elements with the corresponding identity mappings and policies. The network elements encapsulate cross-site traffic with the index values corresponding to senders so recipient network elements can obtain the index value from encapsulation header formats, query the controller for the corresponding identity mappings, and apply policies to the traffic that are determined to be pertinent based on the sender's identity mappings obtained from the controller.

Abstract: A network controller in an overlay network maintains collective sets of identity-based policies and identity mappings for onboarded users of the network for informed distribution to network elements across the network. As new users are onboarded, the controller identifies a site of the network at which the user was onboarded and determines identity mappings of the user and applicable policies for distribution to a network element at the identified site. The controller assigns index values to each identity and communicates the indices to network elements with the corresponding identity mappings and policies. The network elements encapsulate cross-site traffic with the index values corresponding to senders so recipient network elements can obtain the index value from encapsulation header formats, query the controller for the corresponding identity mappings, and apply policies to the traffic that are determined to be pertinent based on the sender's identity mappings obtained from the controller.

Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch configured to intercept address resolution protocol (ARP) request for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.

Abstract: An example method for a programmable infrastructure gateway for enabling hybrid cloud services in a network environment is provided and includes receiving an instruction from a hybrid cloud application executing in a private cloud, interpreting the instruction according to a hybrid cloud application programming interface, and executing the interpreted instruction in a public cloud using a cloud adapter. The method is generally executed in the infrastructure gateway including a programmable integration framework allowing generation of various cloud adapters using a cloud adapter software development kit, the cloud adapter being generated and programmed to be compatible with a specific public cloud platform of the public cloud.

Abstract: In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, data can be allowed to access to the second cloud network.

Abstract: In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, data can be allowed to access to the second cloud network.

Abstract: An example method for a programmable infrastructure gateway for enabling hybrid cloud services in a network environment is provided and includes receiving an instruction from a hybrid cloud application executing in a private cloud, interpreting the instruction according to a hybrid cloud application programming interface, and executing the interpreted instruction in a public cloud using a cloud adapter. The method is generally executed in the infrastructure gateway including a programmable integration framework allowing generation of various cloud adapters using a cloud adapter software development kit, the cloud adapter being generated and programmed to be compatible with a specific public cloud platform of the public cloud.

Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch configured to intercept address resolution protocol (ARP) request for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.

Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch configured to intercept address resolution protocol (ARP) request for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.

Abstract: Network policies can be used to optimize the flow of network traffic between virtual machines (VMs) in a hybrid cloud environment. In an example embodiment, one or more policies can drive a virtual switch controller, a hybrid cloud manager, a hypervisor manager, a virtual switch, or other orchestrator to create one or more direct tunnels that can be utilized by a respective pair of VMs to bypass the virtual switch and enable direct communication between the VMs. The virtual switch can send the VMs network and security policies to ensure that these policies are enforced. The VMs can exchange security credentials in order to establish the direct tunnel. The direct tunnel can be used by the VMs to bypass the virtual switch and allow the VMs to communicate with each other directly.

Abstract: An example method for a programmable infrastructure gateway for enabling hybrid cloud services in a network environment is provided and includes receiving an instruction from a hybrid cloud application executing in a private cloud, interpreting the instruction according to a hybrid cloud application programming interface, and executing the interpreted instruction in a public cloud using a cloud adapter. The method is generally executed in the infrastructure gateway including a programmable integration framework allowing generation of various cloud adapters using a cloud adapter software development kit, the cloud adapter being generated and programmed to be compatible with a specific public cloud platform of the public cloud.

Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch configured to intercept address resolution protocol (ARP) request for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.

Abstract: Aspects of the instant disclosure relate to methods for facilitating intercloud resource migration. In some embodiments, a method of the subject technology can include steps for instantiating a first intercloud fabric provider platform (ICFPP) at a first cloud datacenter, instantiating a second ICFPP at a second cloud datacenter, and receiving a migration request at the first ICFPP, the migration request including a request to migrate a virtual machine (VM) workload from the first cloud datacenter to the second cloud datacenter. In some aspects, the method may further include steps for initiating, by the first ICFPP, a migration of the VM workload via the second ICFPP in response to the migration request. Systems and machine readable media are also provided.

Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch configured to intercept address resolution protocol (ARP) request for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.

Abstract: In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, data can be allowed to access to the second cloud network.

Abstract: An example method for a programmable infrastructure gateway for enabling hybrid cloud services in a network environment is provided and includes receiving an instruction from a hybrid cloud application executing in a private cloud, interpreting the instruction according to a hybrid cloud application programming interface, and executing the interpreted instruction in a public cloud using a cloud adapter. The method is generally executed in the infrastructure gateway including a programmable integration framework allowing generation of various cloud adapters using a cloud adapter software development kit, the cloud adapter being generated and programmed to be compatible with a specific public cloud platform of the public cloud.

Abstract: An example method for a programmable infrastructure gateway for enabling hybrid cloud services in a network environment is provided and includes receiving an instruction from a hybrid cloud application executing in a private cloud, interpreting the instruction according to a hybrid cloud application programming interface, and executing the interpreted instruction in a public cloud using a cloud adapter. The method is generally executed in the infrastructure gateway including a programmable integration framework allowing generation of various cloud adapters using a cloud adapter software development kit, the cloud adapter being generated and programmed to be compatible with a specific public cloud platform of the public cloud.

Abstract: According to one aspect, a method includes an Intercloud Fabric Switch (ICS) included in a public cloud and an ICS cluster obtaining a packet, and determining if the packet is obtained from a site-to-site link that links the ICS to an enterprise datacenter. If the packet is obtained from the site-to-site link, it is determined whether the packet is an unknown unicast packet. If the packet is an unknown unicast packet, the packet is dropped, and if not, the packet is provided to an access link that links the ICS to a virtual machine. If the packet is not obtained from the site-to-site link, it is determined whether the packet is obtained from an inter-ICS link that allows the ICS to communicate with the ICS cluster. If the packet is obtained from the inter-ICS link, the packet is dropped if it is an unknown unicast packet.

Abstract: In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, data can be allowed to access to the second cloud network.

Abstract: An example method for distributed service chaining is provided and includes receiving a packet belonging to a service chain in a distributed virtual switch (DVS) network environment, the packet includes a network service header (NSH) indicating a service path identifier identifying the service chain. The packet is provided to a virtual Ethernet module (VEM) connected to an agentless service node (SN) providing an edge service such as a server load balancer (SLB). The VEM associates a service path identifier corresponding to the service chain with a local identifier such as a virtual local area network (VLAN). The agentless SN returns the packet to the VEM for forwarding on the VLAN. Because the VLAN corresponds exactly to the service path and service chain, the packet is forwarded directly to the next node in the service chain. This can enable agentless SNs to efficiently provide a service chain for network traffic.