Abstract: Example methods and systems for health check as a service are described. One example may involve a computer system receiving a request to perform a health check for a network environment that includes a set of multiple flows. The computer system may select a subset that includes (a) a first flow between a first pair of endpoints and (b) a second flow between a second pair of endpoints. The health check may be initiated for the first flow and the second flow by generating and sending (a) a first instruction to cause injection of a first health check packet, and (b) a second instruction to cause injection of a second health check packet. The computer system may determine health status information associated with the subset based on (a) first observation information triggered by the first health check packet, and (b) second observation information triggered by the second health check packet.

Abstract: The disclosure provides an approach for processing communications between connected data centers. Embodiments include receiving, at a first gateway of a first data center from a second gateway of a second data center, one or more policies associated with traffic attributes. Embodiments include programming priority routes between the first gateway and the second gateway over a virtual private network (VPN) tunnel based on the one or more policies, wherein each of the priority routes is associated with a traffic attribute of the traffic attributes. Embodiments include providing the one or more policies to a central controller of the first data center and programming, by the central controller, one or more tables associated with a centrally-managed virtual switch based on the one or more policies. Embodiments include updating a database associated with each of a plurality of hosts based on the programming of the one or more tables.

Abstract: Example methods and systems for health check as a service are described. One example may involve a computer system receiving a request to perform a health check for a network environment that includes a set of multiple flows. The computer system may select a subset that includes (a) a first flow between a first pair of endpoints and (b) a second flow between a second pair of endpoints. The health check may be initiated for the first flow and the second flow by generating and sending (a) a first instruction to cause injection of a first health check packet, and (b) a second instruction to cause injection of a second health check packet. The computer system may determine health status information associated with the subset based on (a) first observation information triggered by the first health check packet, and (b) second observation information triggered by the second health check packet.

Abstract: Some embodiments provide a novel method for reducing load on a first virtual private network (VPN) gateway of a first datacenter by using a second VPN gateway to perform data message encryption needed for VPN communication with a second datacenter. The second gateway performs encryption for machines executing on several host computers of the first datacenter. The first gateway establishes a VPN session with a third gateway of the second datacenter and establishes a tunnel. The first gateway provides, to the second gateway, state information specifying that the second gateway is to perform encryption for a set of data messages exchanged along the tunnel. The first gateway receives, from the second gateway, an encrypted data message to be sent to a destination machine in the second datacenter. The first gateway forwards the encrypted data message to the third gateway for the third gateway to forward to the destination machine.

Abstract: Some embodiments provide a novel method for dynamically performing data message encryption for machines of a first network at several gateways. The encryption is needed for VPN communication with a second network. The method receives, through a user interface, a VPN policy associated with a first segment set of the first network. The method uses a first gateway to establish VPN sessions for a first machine set associated with the first segment set, uses a second gateway to perform encryption operations for the first machine set, and uses the first gateway to perform encryption operations for a second machine set associated with a second segment set of the first network. The method monitors load on the first or second gateways. Based on the monitored load, the method uses a third gateway to perform encryption operations for a third machine set associated with a third segment set of the first network.

Abstract: The disclosure provides an approach for processing communications between connected data centers. Embodiments include receiving, at a first gateway of a first data center from a second gateway of a second data center, one or more policies associated with traffic attributes. Embodiments include programming priority routes between the first gateway and the second gateway over a virtual private network (VPN) tunnel based on the one or more policies, wherein each of the priority routes is associated with a traffic attribute of the traffic attributes. Embodiments include providing the one or more policies to a central controller of the first data center and programming, by the central controller, one or more tables associated with a centrally-managed virtual switch based on the one or more policies. Embodiments include updating a database associated with each of a plurality of hosts based on the programming of the one or more tables.

Abstract: An example method of identifying an equal cost multipath (ECMP)-enabled route-based virtual private networks (RBVPN) in a virtualized computing system, comprises: obtaining, at a telemetry agent executing in an edge server of a data center, learned routes; identifying, by the telemetry agent from the routes, a destination network and a plurality of next hops associated therewith and a plurality of virtual tunnel interfaces (VTIs); identifying, by the telemetry agent for each of the plurality of VTIs, an associated VPN session; grouping, by the telemetry agent, the VPN sessions identified as associated with the plurality of VTIs into an ECMP-enabled RBVPN; adding, by the telemetry agent, a description of the ECMP-enabled RBVPN to telemetry data; and sending, by the telemetry agent, the telemetry data to a telemetry service.

Abstract: An example method of identifying an equal cost multipath (ECMP)-enabled route-based virtual private networks (RBVPN) in a virtualized computing system, comprises: obtaining, at a telemetry agent executing in an edge server of a data center, learned routes; identifying, by the telemetry agent from the routes, a destination network and a plurality of next hops associated therewith and a plurality of virtual tunnel interfaces (VTIs); identifying, by the telemetry agent for each of the plurality of VTIs, an associated VPN session; grouping, by the telemetry agent, the VPN sessions identified as associated with the plurality of VTIs into an ECMP-enabled RBVPN; adding, by the telemetry agent, a description of the ECMP-enabled RBVPN to telemetry data; and sending, by the telemetry agent, the telemetry data to a telemetry service.

Abstract: A method for direct communication between a source endpoint executing in a first datacenter and a destination endpoint executing in a second datacenter. The method receives, at a gateway of the second datacenter, a packet sent by the source endpoint, the packet having a header that includes a source IP address corresponding to a public IP address of the first datacenter, a destination IP address corresponding to a public IP address of the second datacenter, and source and destination port numbers. The method performs a DNAT process on the packet to replace at least the destination IP address in the header with a private IP address of the destination endpoint. The DNAT process identifies the private IP address by mapping the source and destination port numbers to the private IP address of the destination endpoint. The method then transmits the packet to the destination endpoint in the second datacenter.

Abstract: The disclosure provides an approach for processing communications between connected data centers. Embodiments include receiving, at a first gateway of a first data center from a second gateway of a second data center, one or more policies associated with traffic attributes. Embodiments include programming priority routes between the first gateway and the second gateway over a virtual private network (VPN) tunnel based on the one or more policies, wherein each of the priority routes is associated with a traffic attribute of the traffic attributes. Embodiments include providing the one or more policies to a central controller of the first data center and programming, by the central controller, one or more tables associated with a centrally-managed virtual switch based on the one or more policies. Embodiments include updating a database associated with each of a plurality of hosts based on the programming of the one or more tables.

Abstract: A method for direct communication between a source endpoint executing in a first datacenter and a destination endpoint executing in a second datacenter. The method receives, at a gateway of the second datacenter, a packet sent by the source endpoint, the packet having a header that includes a source IP address corresponding to a public IP address of the first datacenter, a destination IP address corresponding to a public IP address of the second datacenter, and source and destination port numbers. The method performs a DNAT process on the packet to replace at least the destination IP address in the header with a private IP address of the destination endpoint. The DNAT process identifies the private IP address by mapping the source and destination port numbers to the private IP address of the destination endpoint. The method then transmits the packet to the destination endpoint in the second datacenter.

Abstract: Methods and systems for a virtual environment are provided. A method includes receiving a packet from a first virtual machine at a virtual switch; determining if the packet is destined to a second virtual machine by comparing a destination address to a mapping data structure maintained by the virtual switch; transferring the packet to a first virtual function of a device assigned to the first virtual machine by directly mapping the first virtual function to the first virtual machine; the first virtual function initiating a direct memory access (DMA) operation to transfer the packet to the second virtual machine based on a logical memory address of the second virtual machine that is received from a second virtual function; and using the DMA operation to transfer the packet to the second virtual machine.

Abstract: Methods and systems for a network device are provided. The network device includes a storage protocol controller having a port for interfacing with a storage area network (SAN) based storage device; a processor executing instructions for managing a local storage device that is configured to operate as a caching device for a computing device. The local storage device is used to store a recovery copy of an operating system of the computing device, where the recovery copy is accessible via a processor executable basic/input output (BIOS) utility.