Patents by Inventor Nagaraj Bagepalli

Nagaraj Bagepalli has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180205669
    Abstract: According to one aspect, a method includes an Intercloud Fabric Switch (ICS) included in a public cloud and an ICS cluster obtaining a packet, and determining if the packet is obtained from a site-to-site link that links the ICS to an enterprise datacenter. If the packet is obtained from the site-to-site link, it is determined whether the packet is an unknown unicast packet. If the packet is an unknown unicast packet, the packet is dropped, and if not, the packet is provided to an access link that links the ICS to a virtual machine. If the packet is not obtained from the site-to-site link, it is determined whether the packet is obtained from an inter-ICS link that allows the ICS to communicate with the ICS cluster. If the packet is obtained from the inter-ICS link, the packet is dropped if it is an unknown unicast packet.
    Type: Application
    Filed: March 15, 2018
    Publication date: July 19, 2018
    Inventors: David W. Chang, Abhijit Patra, Nagaraj A. Bagepalli
  • Patent number: 9965317
    Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a first virtual service node in the first virtual network. A second virtual network receives the subscription to the virtual network services and starts a virtual switch that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. The second virtual network starts a second virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.
    Type: Grant
    Filed: March 22, 2017
    Date of Patent: May 8, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: David Chang, Abhijit Patra, Nagaraj Bagepalli, Murali Anantha
  • Patent number: 9935896
    Abstract: According to one aspect, a method includes an Intercloud Fabric Switch (ICS) included in a public cloud and an ICS cluster obtaining a packet, and determining if the packet is obtained from a site-to-site link that links the ICS to an enterprise datacenter. If the packet is obtained from the site-to-site link, it is determined whether the packet is an unknown unicast packet. If the packet is an unknown unicast packet, the packet is dropped, and if not, the packet is provided to an access link that links the ICS to a virtual machine. If the packet is not obtained from the site-to-site link, it is determined whether the packet is obtained from an inter-ICS link that allows the ICS to communicate with the ICS cluster. If the packet is obtained from the inter-ICS link, the packet is dropped if it is an unknown unicast packet.
    Type: Grant
    Filed: June 18, 2015
    Date of Patent: April 3, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: David W. Chang, Abhijit Patra, Nagaraj A. Bagepalli
  • Patent number: 9906496
    Abstract: Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.
    Type: Grant
    Filed: September 20, 2016
    Date of Patent: February 27, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: David Chang, Abhijit Patra, Nagaraj Bagepalli, Rajesh Kumar Sethuraghavan
  • Publication number: 20180027101
    Abstract: An example method for distributed service chaining is provided and includes receiving a packet belonging to a service chain in a distributed virtual switch (DVS) network environment, the packet includes a network service header (NSH) indicating a service path identifier identifying the service chain. The packet is provided to a virtual Ethernet module (VEM) connected to an agentless service node (SN) providing an edge service such as a server load balancer (SLB). The VEM associates a service path identifier corresponding to the service chain with a local identifier such as a virtual local area network (VLAN). The agentless SN returns the packet to the VEM for forwarding on the VLAN. Because the VLAN corresponds exactly to the service path and service chain, the packet is forwarded directly to the next node in the service chain. This can enable agentless SNs to efficiently provide a service chain for network traffic.
    Type: Application
    Filed: September 21, 2017
    Publication date: January 25, 2018
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Abhijit Patra
  • Publication number: 20170366373
    Abstract: An example method for a programmable infrastructure gateway for enabling hybrid cloud services in a network environment is provided and includes receiving an instruction from a hybrid cloud application executing in a private cloud, interpreting the instruction according to a hybrid cloud application programming interface, and executing the interpreted instruction in a public cloud using a cloud adapter. The method is generally executed in the infrastructure gateway including a programmable integration framework allowing generation of various cloud adapters using a cloud adapter software development kit, the cloud adapter being generated and programmed to be compatible with a specific public cloud platform of the public cloud.
    Type: Application
    Filed: August 31, 2017
    Publication date: December 21, 2017
    Inventors: Nagaraj A. Bagepalli, David Wei-Shen Chang, Abhijit Patra, Murali Anantha, Prashanth Thumbargudi
  • Patent number: 9794379
    Abstract: An example method for distributed service chaining is provided and includes receiving a packet belonging to a service chain in a distributed virtual switch (DVS) network environment, the packet includes a network service header (NSH) indicating a service path identifier identifying the service chain. The packet is provided to a virtual Ethernet module (VEM) connected to an agentless service node (SN) providing an edge service such as a server load balancer (SLB). The VEM associates a service path identifier corresponding to the service chain with a local identifier such as a virtual local area network (VLAN). The agentless SN returns the packet to the VEM for forwarding on the VLAN. Because the VLAN corresponds exactly to the service path and service chain, the packet is forwarded directly to the next node in the service chain. This can enable agentless SNs to efficiently provide a service chain for network traffic.
    Type: Grant
    Filed: June 16, 2014
    Date of Patent: October 17, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Abhijit Patra
  • Patent number: 9755858
    Abstract: An example method for a programmable infrastructure gateway for enabling hybrid cloud services in a network environment is provided and includes receiving an instruction from a hybrid cloud application executing in a private cloud, interpreting the instruction according to a hybrid cloud application programming interface, and executing the interpreted instruction in a public cloud using a cloud adapter. The method is generally executed in the infrastructure gateway including a programmable integration framework allowing generation of various cloud adapters using a cloud adapter software development kit, the cloud adapter being generated and programmed to be compatible with a specific public cloud platform of the public cloud.
    Type: Grant
    Filed: June 5, 2014
    Date of Patent: September 5, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Nagaraj A. Bagepalli, David Wei-Shen Chang, Abhijit Patra, Murali Anantha, Prashanth Thumbargudi
  • Publication number: 20170192815
    Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a first virtual service node in the first virtual network. A second virtual network receives the subscription to the virtual network services and starts a virtual switch that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. The second virtual network starts a second virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.
    Type: Application
    Filed: March 22, 2017
    Publication date: July 6, 2017
    Inventors: David Chang, Abhijit Patra, Nagaraj Bagepalli, Murali Anantha
  • Patent number: 9658876
    Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.
    Type: Grant
    Filed: March 4, 2016
    Date of Patent: May 23, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: David Chang, Abhijit Patra, Nagaraj Bagepalli, Murali Anantha
  • Publication number: 20170104755
    Abstract: In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, data can be allowed access to the second cloud network.
    Type: Application
    Filed: October 13, 2015
    Publication date: April 13, 2017
    Inventors: Mauricio Arregoces, Nagaraj Bagepalli, Subramanian Chandrasekaran
  • Publication number: 20170099188
    Abstract: Network policies can be used to optimize the flow of network traffic between virtual machines (VMs) in a hybrid cloud environment. In an example embodiment, one or more policies can drive a virtual switch controller, a hybrid cloud manager, a hypervisor manager, a virtual switch, or other orchestrator to create one or more direct tunnels that can be utilized by a respective pair of VMs to bypass the virtual switch and enable direct communication between the VMs. The virtual switch can send the VMs network and security policies to ensure that these policies are enforced. The VMs can exchange security credentials in order to establish the direct tunnel. The direct tunnel can be used by the VMs to bypass the virtual switch and allow the VMs to communicate with each other directly.
    Type: Application
    Filed: October 6, 2015
    Publication date: April 6, 2017
    Inventors: David W. Chang, Abhijit Patra, Nagaraj A. Bagepalli, Dileep Kumar Devireddy
  • Patent number: 9614739
    Abstract: Presented herein are service-function chaining techniques. In one example, a service controller in a network comprising a plurality of service nodes receives one is configured to identify one or more service-functions hosted by each of the service nodes. The service controller defines a service-function chain in terms of service-functions to be applied to traffic in the network and provides information descriptive of the service-function chain to a classifier node.
    Type: Grant
    Filed: January 30, 2014
    Date of Patent: April 4, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Surendra Kumar, Nagaraj Bagepalli, Abhijit Patra, Paul Quinn, James Guichard, Jayaraman Iyer
  • Patent number: 9608896
    Abstract: An example method for service node originated service chains in a network environment is provided and includes receiving a packet at a service node in a network environment that includes a plurality of service nodes and a central classifier, analyzing the packet for a service chain modification or a service chain initiation, classifying the packet at the service node to a new service chain based on the analysis, initiating the new service chain at the service node if the analysis indicates service chain initiation, and modifying an existing service chain for the packet to the new service chain if the analysis indicates service chain modification. In specific embodiments, the analysis includes applying classification logic specific to the service node. In some embodiments, service node attributes and order of service nodes in substantially all service chains configured in the network may be received from a central controller.
    Type: Grant
    Filed: April 6, 2016
    Date of Patent: March 28, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Abhijit Patra, Paul Quinn, James N. Guichard, Hendrikus G. P. Bosch
  • Patent number: 9559970
    Abstract: A method is provided in one embodiment and includes receiving at a network element a flow offload decision for a first service node that includes a portion of a service chain for processing a flow; recording the flow offload decision against the first service node at the network element; and propagating the flow offload decision backward on a service path to which the flow belongs if the first service node is hosted at the network element. Embodiments may also include propagating the flow offload decision backward on a service path to which the flow belongs if the flow offload decision is a propagated flow offload decision and the network element hosts a second service node that immediately precedes the service node on behalf of which the propagated flow offload decision was received and a flow offload decision has already been received by the network element from the second service node.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: January 31, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Dileep K. Devireddy, Abhijit Patra
  • Publication number: 20170012940
    Abstract: Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.
    Type: Application
    Filed: September 20, 2016
    Publication date: January 12, 2017
    Inventors: David Chang, Abhijit Patra, Nagaraj Bagepalli, Rajesh Kumar Sethuraghavan
  • Publication number: 20160373378
    Abstract: According to one aspect, a method includes an Intercloud Fabric Switch (ICS) included in a public cloud and an ICS cluster obtaining a packet, and determining if the packet is obtained from a site-to-site link that links the ICS to an enterprise datacenter. If the packet is obtained from the site-to-site link, it is determined whether the packet is an unknown unicast packet. If the packet is an unknown unicast packet, the packet is dropped, and if not, the packet is provided to an access link that links the ICS to a virtual machine. If the packet is not obtained from the site-to-site link, it is determined whether the packet is obtained from an inter-ICS link that allows the ICS to communicate with the ICS cluster. If the packet is obtained from the inter-ICS link, the packet is dropped if it is an unknown unicast packet.
    Type: Application
    Filed: June 18, 2015
    Publication date: December 22, 2016
    Inventors: David W. Chang, Abhijit Patra, Nagaraj A. Bagepalli
  • Publication number: 20160352682
    Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch is configured to intercept an address resolution protocol (ARP) request for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.
    Type: Application
    Filed: June 24, 2015
    Publication date: December 1, 2016
    Inventors: David W. Chang, Abhijit Patra, Nagaraj Bagepalli, Dileep Kumar Devireddy, Ganesh Sadasivan
  • Patent number: 9491201
    Abstract: A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: November 8, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Nagaraj Bagepalli, Prashant Gandhi, Abhijit Patra, Kirti Prabhu, Anant Thakar
  • Patent number: 9467382
    Abstract: Presented herein are elastic service chain techniques. In one example, a network element receives data traffic to be processed by a service chain that specifies an ordered sequence of service pools including a first service pool and second service pool, wherein each service pool comprises a plurality of network services. A network service is determined from the first service pool to be applied to the data traffic, and data traffic is forwarded to the network service in the first service pool.
    Type: Grant
    Filed: February 3, 2014
    Date of Patent: October 11, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Surendra Kumar, David Chang, Nagaraj Bagepalli, Abhijit Patra