Abstract: Some embodiments of the invention provide a method for forwarding packets through an SD-WAN. To facilitate the forwarding of packets between first and second regions of the SD-WAN, said first and second regions having respective first and second hub routers forwarding packets between respective first and second sets of edge routers of respective first and second sets of sites of the first and second regions, the method directs (1) the first set of edge routers to establish connections to the first and second hub routers, and to use the first hub router as a next-hop to initiate communications with the second set of edge routers, and (2) the second set of edge routers to establish connections to the first and second hub routers, and to use the second hub router as a next-hop to initiate communications with the first set of edge routers.

Abstract: Some embodiments provide a method for performing deep packet inspection (DPI) for an SD-WAN (software defined, wide area network) established for an entity by a plurality of edge nodes and a set of one or more cloud gateways. At a particular edge node, the method uses local and remote deep packet inspectors to perform DPI for a packet flow. Specifically, the method initially uses the local deep packet inspector to perform a first DPI operation on a set of packets of a first packet flow to generate a set of DPI parameters for the first packet flow. The method then forwards a copy of the set of packets to the remote deep packet inspector to perform a second DPI operation to generate a second set of DPI parameters. In some embodiments, the remote deep packet inspector is accessible by a controller cluster that configures the edge nodes and the gateways.

Abstract: Some embodiments provide a method for dynamically deploying a managed forwarding element (MFE) in a software-defined wide-area network (SD-WAN) for a particular geographic region across which multiple SaaS applications is distributed. The method determines, based on flow patterns for multiple flows destined for the multiple SaaS applications distributed across the particular geographic region, that an additional MFE is needed for the particular geographic region. The method configures the additional MFE to deploy at a particular location in the particular geographic region for forwarding the multiple flows to the multiple SaaS applications. The method provides, to a particular set of MFEs that connect a set of branch sites to the SD-WAN, a set of forwarding rules to direct the particular set of MFEs to use the additional MFE for forwarding subsequent data messages belonging to the multiple flows to the multiple SaaS applications.

Abstract: Some embodiments of the invention provide a method for implementing an SD-WAN connecting multiple sites at multiple physical locations. The method is performed at a first hub router of the SD-WAN. The method establishes, with a first edge router located at a first site in a first region, a new connection for the first hub router to use to connect the first edge router to a second edge router of a second site in the first region. The method determines that a peer-connection notification regarding a set of other routers of which the first hub router has been notified has to be sent to the first edge router. The method sends the peer-connection notification to the first edge router for the first edge router to analyze in order to determine whether the first edge router needs to obtain routes associated with each other router in the set of other routers.

Abstract: Some embodiments of the invention provide a method for forwarding packets through an SD-WAN. To facilitate the forwarding of packets between first and second regions of the SD-WAN, said first and second regions having respective first and second hub routers forwarding packets between respective first and second sets of edge routers of respective first and second sets of sites of the first and second regions, the method directs (1) the first set of edge routers to establish connections to the first and second hub routers, and to use the first hub router as a next-hop to initiate communications with the second set of edge routers, and (2) the second set of edge routers to establish connections to the first and second hub routers, and to use the second hub router as a next-hop to initiate communications with the first set of edge routers.

Abstract: Some embodiments of the invention provide a method for using route filtering to relay routes between members of hub router clusters in an SD-WAN to reduce redundant route notifications to route reflectors (RRs) that advertise routes to hub routers in multiple regions connected by the SD-WAN and multiple edge routers at sites across the multiple regions. The method is performed at a first hub router of a first cluster. From a first edge router at a first site in a first region, the method receives routes of the first edge router. The method distributes the routes of the first edge router to a particular RR directly connected to the first cluster. The method distributes, to each other hub router of the first cluster, the routes of the first edge router along with an identifier that indicates that the routes should not be redistributed to the particular RR.

Abstract: Some embodiments of the invention provide a method for providing asymmetric route resolutions in an SD-WAN. The method is performed at a first edge router at a first site in a first region connected by the SD-WAN. From a first hub router of a first cluster, the method receives a flow sent by a second edge router at a second site in a second region via a first route that points to a next-hop second hub router of a second cluster. The method identifies a default second route from the first edge router to the second edge router pointing to a next-hop third hub router of the second cluster. When the first route includes secure overlay tunnels, and source addresses of the first packet flow and the first route match, the method uses the first route to send a return flow to the second edge router to ensure symmetric routing.

Abstract: Some embodiments of the invention provide a method of detecting and remediating anomalies in an SD-WAN implemented by multiple forwarding elements (FEs) located at multiple sites connected by the SD-WAN. The method receives, from the multiple FEs, multiple sets of flow data associated with application traffic that traverses the multiple FEs. The method uses a first set of machine-trained processes to analyze the multiple sets of flow data in order to identify at least one anomaly associated with at least one particular FE in the multiple FEs. The method uses a second set of machine-trained processes to identify at least one remedial action for remediating the identified anomaly. The method implements the identified remedial action by directing an SD-WAN controller deployed in the SD-WAN to implement the identified remedial action.

Abstract: Some embodiments of the invention provide a method for interconnecting hub router clusters in an SD-WAN. The method is performed for each hub router of a first cluster and located in a first of multiple regions connected by the SD-WAN. The method establishes a connection with a respective hub router of a second cluster and located in a second of the multiple regions. The method sends, to a route reflector for the first region connected to the first cluster, a first peer-connection notification identifying the hub router as a next-hop for reaching the respective hub router. For each other hub router of the first cluster, the method receives from the route reflector a second peer-connection notification identifying the other hub router as a next-hop for reaching the other hub router's respective second cluster hub router for use in reaching edge routers connected to each other hub router's respective hub router.

Abstract: Some embodiments of the invention provide a method for providing dynamic edge-to-edge support across multi-hops in an SD-WAN connecting multiple regions. The method is performed at a first route reflector for a first of the multiple regions. The method receives, from a first edge router at a first site of the first region, a first request for endpoint information associated with a second edge router at a second site of a second region. After determining that the first route reflector does not have a direct connection to the second edge router, the method identifies a next-hop hub router for reaching the second edge router. The method sends a second request to the identified next-hop hub router to request the identified next-hop hub router to forward endpoint information for the second edge router to the first edge router for use in establishing a dynamic edge-to-edge connection with the second edge router.

Abstract: Some embodiments of the invention provide a method for forwarding packets through an SD-WAN. The method is performed at a route reflector that advertises routes to facilitate forwarding of packets between first and second regions of the SD-WAN. The method advertises (1) to a first set of edge routers in the first region, a first route identifying a next-hop first hub router for initiating communications with a second set of edge routers in the second region, and (2) to the second set of edge routers, a second route identifying a next-hop second hub router for initiating communications with the first set of edge routers. When the second hub router loses connectivity to a first edge router of the first set of edge routers, the method advertises to the second set of edge routers a third route identifying the next-hop first hub router for initiating communications with the first edge router.

Abstract: Some embodiments of the invention provide a method for implementing an SD-WAN connecting multiple sites at multiple physical locations. The method is performed at a first route reflector for a first region of the SD-WAN. The method receives, from a hub router of the first region, a peer-connection notification regarding a newly connected first edge router located at a first site in a second region. The method determines that a routing table maintained by the first route reflector does not include routes of the first edge router and that the first route reflector does not have a direct connection to the first edge router. Based on said determining, the method requests routes of the first edge router from the hub router. After receiving from the hub router the requested routes of the first edge router, the method updates the routing table to include the routes of the first edge router.

Abstract: Some embodiments provide a method of selecting data links for an application in a network. The method receives, from a machine implementing the application, a set of identifiers of required link characteristics. Based on at least one of the identifiers, the method selects a transport group that includes a set of optional links matching the identifiers. From the selected transport group, the method selects a link matching the set of identifiers.

Abstract: Some embodiments of the invention provide a method for network-aware load balancing for data messages traversing a software-defined wide area network (SD-WAN) (e.g., a virtual network) including multiple connection links between different elements of the SD-WAN. The method includes receiving, at a load balancer in a multi-machine site, link state data relating to a set of SD-WAN datapaths including connection links of the multiple connection links. The load balancer, in some embodiments, provides load balancing for data messages sent from a machine in the multi-machine site to a set of destination machines (e.g., web servers, database servers, etc.) connected to the load balancer over the set of SD-WAN datapaths. The load balancer selects, for the data message, a particular destination machine (e.g., a frontend machine for a set of backend servers) in the set of destination machines by performing a load balancing operation based on the received link state data.

Abstract: Some embodiments provide a method for performing deep packet inspection (DPI) for an SD-WAN (software defined, wide area network) established for an entity by a plurality of edge nodes and a set of one or more cloud gateways. At a particular edge node, the method uses local and remote deep packet inspectors to perform DPI for a packet flow. Specifically, the method initially uses the local deep packet inspector to perform a first DPI operation on a set of packets of a first packet flow to generate a set of DPI parameters for the first packet flow. The method then forwards a copy of the set of packets to the remote deep packet inspector to perform a second DPI operation to generate a second set of DPI parameters. In some embodiments, the remote deep packet inspector is accessible by a controller cluster that configures the edge nodes and the gateways.

Abstract: Some embodiments of the invention provide a method of sending data messages from an edge router at a first location of an enterprise network to a SaaS (software as a service) application server provided by a third-party at a second location. The method receives, from a DNS (domain name system) first server, a resolution for a particular destination network address for the SaaS application server at the second location. From a second server, the method obtains an identifier for a first cloud gateway from multiple cloud gateways at multiple locations through which the particular destination address for the SaaS application server can be reached, the first cloud gateway farther from the first location than a second cloud gateway in the multiple cloud gateways but closer to the second location than the second cloud gateway. The method uses an optimized SD-WAN connection to the first cloud gateway to forward data messages for the first cloud gateway to the SaaS application at the second location.

Abstract: The method of some embodiments selects a set of links to forward packets of a data flow from an application running on a machine connected to an SD-WAN that has multiple exits. The method, based on computed sets of attributes for a first set of links and a second set of links, selects between the first set of links and the second set of links. At least the first set of links has multiple links and at least one attribute of the first set of links is an attribute that is computed by aggregating an attribute of each of the links in the first set of links. The method uses the selected set of links to forward the packets of the data flow of the application to an egress managed forwarding element of the SD-WAN.

Abstract: Some embodiments provide a method of transmitting data in a logical network that includes multiple hubs in a hub cluster and multiple branches. Each branch connects to a hub of the cluster through a virtual private network (VPN) tunnel. The method is performed by a network controller. The method assigns one of the hubs as a master hub. The method then sends a command to each of the other hubs in the hub cluster to establish a VPN tunnel between the other hub and the master hub. The method then advertises, to the other hubs, routes between the other hubs through the master hub. Each branch, in some embodiments is connected to only one hub in the hub cluster.

Abstract: Some embodiments of the invention provide a method of dynamically scaling a hub cluster in a software-defined wide area network (SD-WAN) based on particular traffic statistics, the hub cluster being located in a datacenter of the SD-WAN and allowing branch sites of the SD-WAN to access resource of the datacenter by connecting to the hub cluster. A controller of the SD-WAN receives, from the hub cluster, traffic statistics centrally captured at the hub cluster. The controller then analyzes these statistics to identify traffic load fluctuations, and determines that a number of hubs in the hub cluster should be adjusted based on the identified fluctuations. The controller adjusts the number of hubs in the hub cluster based on the determination.

Abstract: Some embodiments of the invention provide a method for enabling inter-gateway connectivity in an SD-WAN (software-defined wide area network) that connects multiple sites. The method deploys to the SD-WAN a floating hub gateway router that that (1) connects to multiple gateway routers each of which is deployed in a cloud and connects to at least one edge router in at least one site, and (2) does not connect to edge routers at any site. The method provides a network address associated with the floating hub gateway router to the multiple gateway routers deployed in one or more clouds for the SD-WAN. The method configures the floating hub gateway router to establish a tunnel with each gateway router in the multiple gateway routers to enable inter-gateway connectivity between the multiple gateway routers.