Abstract: Some embodiments of the invention provide a method of dynamically scaling a hub cluster in a software-defined wide area network (SD-WAN) based on particular traffic statistics, the hub cluster being located in a datacenter of the SD-WAN and allowing branch sites of the SD-WAN to access resource of the datacenter by connecting to the hub cluster. A controller of the SD-WAN receives, from the hub cluster, traffic statistics centrally captured at the hub cluster. The controller then analyzes these statistics to identify traffic load fluctuations, and determines that a number of hubs in the hub cluster should be adjusted based on the identified fluctuations. The controller adjusts the number of hubs in the hub cluster based on the determination.

Abstract: Some embodiments of the invention provide a method for enabling inter-gateway connectivity in an SD-WAN (software-defined wide area network) that connects multiple sites. The method deploys to the SD-WAN a floating hub gateway router that that (1) connects to multiple gateway routers each of which is deployed in a cloud and connects to at least one edge router in at least one site, and (2) does not connect to edge routers at any site. The method provides a network address associated with the floating hub gateway router to the multiple gateway routers deployed in one or more clouds for the SD-WAN. The method configures the floating hub gateway router to establish a tunnel with each gateway router in the multiple gateway routers to enable inter-gateway connectivity between the multiple gateway routers.

Abstract: Some embodiments provide a method for modifying an SD-WAN (software-defined wide-area network). The method collects, from a set of managed forwarding elements (MFEs), multiple metrics associated with multiple data message flows sent between the set of MFEs. The method analyzes the collected multiple metrics to group the data message flows according to multiple types and to identify a ranking of the multiple groups of data message flows according to traffic throughput. The method uses the ranking to identify a set of one or more groups of data message flows. The method modifies the SD-WAN to improve forwarding through the SD-WAN for the identified set of one or more groups of data message flows.

Abstract: Some embodiments provide a method for dynamically deploying a managed forwarding element (MFE) in a software-defined wide-area network (SD-WAN) for a particular geographic region across which multiple SaaS applications is distributed. The method determines, based on flow patterns for multiple flows destined for the multiple SaaS applications distributed across the particular geographic region, that an additional MFE is needed for the particular geographic region. The method configures the additional MFE to deploy at a particular location in the particular geographic region for forwarding the multiple flows to the multiple SaaS applications. The method provides, to a particular set of MFEs that connect a set of branch sites to the SD-WAN, a set of forwarding rules to direct the particular set of MFEs to use the additional MFE for forwarding subsequent data messages belonging to the multiple flows to the multiple SaaS applications.

Abstract: Some embodiments provide a method for using a heat map to modify an SD-WAN (software-defined wide-area network) deployed for a set of geographic locations. From a set of managed forwarding elements (MFEs) that forward multiple data message flows through the SD-WAN to a set of destination clusters, the method collects multiple metrics associated with the multiple data message flows. Based on the collected multiple metrics, the method generates a heat map that accounts for (1) the multiple data message flows, (2) locations of the set of MFEs, and (3) locations of the one or more destination clusters. The method uses the generated heat map to identify at least one modification to make to the SD-WAN to improve forwarding of the multiple data message flows.

Abstract: Some embodiments of the invention provide a method of sending data messages from an edge router at a first location of an enterprise network to a SaaS (software as a service) application server provided by a third-party at a second location. The method receives, from a DNS (domain name system) first server, a resolution for a particular destination network address for the SaaS application server at the second location. From a second server, the method obtains an identifier for a first cloud gateway from multiple cloud gateways at multiple locations through which the particular destination address for the SaaS application server can be reached, the first cloud gateway farther from the first location than a second cloud gateway in the multiple cloud gateways but closer to the second location than the second cloud gateway. The method uses an optimized SD-WAN connection to the first cloud gateway to forward data messages for the first cloud gateway to the SaaS application at the second location.

Abstract: Some embodiments of the invention provide a method of routing data message traffic from an edge router at a first location and a SaaS (software as a service) application server provided by a third-party at a second location. The method queries a (global server load balancing) GSLB-aware DNS (domain name system) server for a cloud gateway from multiple cloud gateways at multiple locations through which a particular destination network address for the SaaS application server can be reached. The method receives from the GSLB-aware DNS server an identifier for a first cloud gateway that is farther from the first location than a second cloud gateway in the multiple cloud gateways but closer to the second location than the second cloud gateway. The method uses an optimized SD-WAN (software-defined wide-area network) connection to the first cloud gateway to forward data messages for the first cloud gateway to the SaaS application at the second location.

Abstract: Described herein are systems, methods, and software to manage communication path configurations between edge gateways in a computing environment. In at least one implementation, a controller monitors network characteristics associated with routes from a first edge gateway to a second edge gateway and determines whether a first route configuration for the first edge gateway to communicate with the second edge gateway fails to satisfy criteria based on the network characteristics. If the first route configuration fails to satisfy the criteria, the controller determines a second route configuration and applies the second route configuration for the first edge gateway to communicate with the second edge gateway.

Abstract: Described herein are systems, methods, and software to manage communication path configurations between edge gateways in a computing environment. In at least one implementation, a controller monitors network characteristics associated with routes from a first edge gateway to a second edge gateway and determines whether a first route configuration for the first edge gateway to communicate with the second edge gateway fails to satisfy criteria based on the network characteristics. If the first route configuration fails to satisfy the criteria, the controller determines a second route configuration and applies the second route configuration for the first edge gateway to communicate with the second edge gateway.

Abstract: Some embodiments provide a method for performing deep packet inspection (DPI) for an SD-WAN (software defined, wide area network) established for an entity by a plurality of edge nodes and a set of one or more cloud gateways. At a particular edge node, the method uses local and remote deep packet inspectors to perform DPI for a packet flow. Specifically, the method initially uses the local deep packet inspector to perform a first DPI operation on a set of packets of a first packet flow to generate a set of DPI parameters for the first packet flow. The method then forwards a copy of the set of packets to the remote deep packet inspector to perform a second DPI operation to generate a second set of DPI parameters. In some embodiments, the remote deep packet inspector is accessible by a controller cluster that configures the edge nodes and the gateways.

Abstract: Some embodiments provide a method of selecting data links for an application in a network. The method receives, from a machine implementing the application, a set of identifiers of required link characteristics. Based on at least one of the identifiers, the method selects a transport group that includes a set of optional links matching the identifiers. From the selected transport group, the method selects a link matching the set of identifiers.

Abstract: Some embodiments of the invention provide a method for network-aware load balancing for data messages traversing a software-defined wide area network (SD-WAN) (e.g., a virtual network) including multiple connection links between different elements of the SD-WAN. The method includes receiving, at a load balancer in a multi-machine site, link state data relating to a set of SD-WAN datapaths including connection links of the multiple connection links. The load balancer, in some embodiments, provides load balancing for data messages sent from a machine in the multi-machine site to a set of destination machines (e.g., web servers, database servers, etc.) connected to the load balancer over the set of SD-WAN datapaths. The load balancer selects, for the data message, a particular destination machine (e.g., a frontend machine for a set of backend servers) in the set of destination machines by performing a load balancing operation based on the received link state data.

Abstract: Some embodiments of the invention provide a method of facilitating routing through a software-defined wide area network (SD-WAN) defined for an entity. A first edge forwarding node located at a first multi-machine site of the entity, the first multi-machine site at a first physical location and including a first set of machines, serves as an edge forwarding node for the first set of machines by forwarding packets between the first set of machines and other machines associated with the entity via other forwarding nodes in the SD-WAN. The first edge forwarding node receives configuration data specifying for the first edge forwarding node to serve as a hub forwarding node for forwarding a set of packets from a second set of machines associated with the entity and operating at a second multi-machine site at a second physical location to a third set of machines associated with the entity and operating at a third multi-machine site at a third physical location.

Abstract: Some embodiments provide a method of selecting data links for an application in a network. The method receives, from a machine implementing the application, a set of identifiers of required link characteristics. Based on at least one of the identifiers, the method selects a transport group that includes a set of optional links matching the identifiers. From the selected transport group, the method selects a link matching the set of identifiers.

Abstract: Some embodiments provide a method for performing deep packet inspection (DPI) for an SD-WAN (software defined, wide area network) established for an entity by a plurality of edge nodes and a set of one or more cloud gateways. At a particular edge node, the method uses local and remote deep packet inspectors to perform DPI for a packet flow. Specifically, the method initially uses the local deep packet inspector to perform a first DPI operation on a set of packets of a first packet flow to generate a set of DPI parameters for the first packet flow. The method then forwards a copy of the set of packets to the remote deep packet inspector to perform a second DPI operation to generate a second set of DPI parameters. In some embodiments, the remote deep packet inspector is accessible by a controller cluster that configures the edge nodes and the gateways.

Abstract: Some embodiments provide a method of transmitting data in a logical network with multiple branches and a hub cluster with multiple hubs of a first category of hubs and multiple hubs of a second category of hubs. The method, for each of the multiple branches (1) assigns a first hub of the first category of hubs to the branch (2) assigns a second hub of the second category of hubs to the branch, and (3) provides a set of application based policies to the branch. The application based policies direct the branch to route different types of network traffic of the application through the first hub than through the second hub. Each hub of the first category of hubs, in some embodiments, includes a set of resources equivalent to a set of resources of each other hub of the first category of hubs.

Abstract: Some embodiments of the invention provide a method for detecting and remediating anomalies in an SD-WAN that includes a controller, an enterprise datacenter, and multiple branch sites each having at least one edge node that includes a set of packet processing stages. At the controller, the method receives from a particular node of a particular branch site a flow notification indicating detection of an anomaly on the particular node. Based on the anomaly, the method dynamically generates trace monitoring rules that specify one or more flows to be traced and provides the trace monitoring rules to the particular node and at least one other node of another branch site. From the particular node and the at least one other node, the method receives trace monitoring results collected in response to the provided trace monitoring rules, and analyzes the results to identify any anomalies and dynamic actions to correct the anomalies.

Abstract: Some embodiments of the invention provide a method of facilitating routing through a software-defined wide area network (SD-WAN) defined for an entity. A first edge forwarding node located at a first multi-machine site of the entity, the first multi-machine site at a first physical location and including a first set of machines, serves as an edge forwarding node for the first set of machines by forwarding packets between the first set of machines and other machines associated with the entity via other forwarding nodes in the SD-WAN. The first edge forwarding node receives configuration data specifying for the first edge forwarding node to serve as a hub forwarding node for forwarding a set of packets from a second set of machines associated with the entity and operating at a second multi-machine site at a second physical location to a third set of machines associated with the entity and operating at a third multi-machine site at a third physical location.

Abstract: Some embodiments provide a method for maintaining a virtual network that spans at least one cloud datacenter separate from multi-machine edge nodes of an entity. This method configures a gateway in the cloud datacenter to establish secure connections with several edge devices at several multi-machine edge nodes (e.g., branch offices, datacenters, etc.) in order to establish the virtual network. The method configures the gateway to assess quality of connection links with different edge devices, and to terminate a secure connection with a particular edge device for a duration of time after the assessed quality of the connection link to the particular edge device is worse than a threshold value. In some embodiments, the gateway is configured to distribute routes to edge devices at the edge nodes, and to forgo distributing any route to the particular edge device along the connection link for the duration of time when the assessed quality of the connection link is worse than (e.g., less than) a threshold value.

Abstract: Some embodiments provide a method for performing deep packet inspection (DPI) for an SD-WAN (software defined, wide area network) established for an entity by a plurality of edge nodes and a set of one or more cloud gateways. At a particular edge node, the method uses local and remote deep packet inspectors to perform DPI for a packet flow. Specifically, the method initially uses the local deep packet inspector to perform a first DPI operation on a set of packets of a first packet flow to generate a set of DPI parameters for the first packet flow. The method then forwards a copy of the set of packets to the remote deep packet inspector to perform a second DPI operation to generate a second set of DPI parameters. In some embodiments, the remote deep packet inspector is accessible by a controller cluster that configures the edge nodes and the gateways.