Abstract: Some embodiments provide a method for network management and control system that manages one or more logical networks. From a first user, the method receives a definition of one or more security zones for a logical network. Each security zone definition includes a set of security rules for data compute nodes (DCNs) assigned to the security zone. From a second user, the method receives a definition of an application to be deployed in the logical network. The application definition specifies a set of requirements. Based on the specified set of requirements, the method assigns DCNs implementing the application to one or more of the security zones for the logical network.

Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a plurality of sites. The method receives a definition of an application to be deployed in the virtual infrastructure. The application definition specifying a first set of the sites at which to deploy the application. Based on the definition of the application, the method assigns the application to a set of security zones defined for the virtual infrastructure. Each respective security zone is restricted to a respective set of the sites. The method deploys the application in a second set of sites based on the first set of sites and the sets of sites to which the set of security zones are restricted.

Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a set of datacenters. Based on input from a top-level user of the virtual infrastructure, the method deploys a first logical network within the virtual infrastructure and defines one or more second-level users of the virtual infrastructure. The method receives input from a second-level user of the virtual infrastructure to define a second logical network and connect the second logical network to the first logical network. The first and second logical networks use a same data model and the second-level users are restricted from viewing configuration of the first logical network.

Abstract: The disclosure provides an approach for collecting system state data relating to whether certain system states overload a processor assigned to a controller of the system. The approach further involves using the collected data to train a regression machine learning algorithm to predict whether indented or desired system states will result in processor overload. Depending on the prediction, the approach takes one of several steps to efficiently change system state.

Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a set of datacenters. The method receives a definition of an application to be deployed in the virtual infrastructure. The application definition specifies (i) a set of tiers of the application and (ii) a set of requirements for deploying the application. Based on the application definition, the method automatically defines a logical network architecture for connecting data compute nodes (DCNs) that implement the application tiers in the set of datacenters. The method configures a set of forwarding elements in the set of datacenters to implement the logical network architecture.

Abstract: Some embodiments provide a method for network management and control system that manages one or more logical networks. From a first user, the method receives a definition of one or more security zones for a logical network. Each security zone definition includes a set of security rules for data compute nodes (DCNs) assigned to the security zone. From a second user, the method receives a definition of an application to be deployed in the logical network. The application definition specifies a set of requirements. Based on the specified set of requirements, the method assigns DCNs implementing the application to one or more of the security zones for the logical network.

Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a plurality of sites. The method receives a definition of an application to be deployed in the virtual infrastructure. The application definition specifying a first set of the sites at which to deploy the application. Based on the definition of the application, the method assigns the application to a set of security zones defined for the virtual infrastructure. Each respective security zone is restricted to a respective set of the sites. The method deploys the application in a second set of sites based on the first set of sites and the sets of sites to which the set of security zones are restricted.

Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a set of datacenters. Based on input from a top-level user of the virtual infrastructure, the method deploys a first logical network within the virtual infrastructure and defines one or more second-level users of the virtual infrastructure. The method receives input from a second-level user of the virtual infrastructure to define a second logical network and connect the second logical network to the first logical network. The first and second logical networks use a same data model and the second-level users are restricted from viewing configuration of the first logical network.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for assigning security in networked computing environments. An example apparatus includes a deep packet inspector to: analyze a network communication from a virtual machine in a software defined network environment to determine an identifier of an application; and determine an application type executing on the virtual machine; a security controller to determine if a security group exists for the application type; and a user interface to present a recommendation to create a security group for the application type when a security group does not exist for the application type. The example security controller is further to add the virtual machine to the security group when the security group for the application type exists.

Abstract: Techniques disclosed herein provide an approach for automated realization of hand-drawn topologies. In one embodiment, a topologizer application is configured to parse an image depicting a hand-drawn topology and identify shapes and relationships between the shapes in the image. The topologizer may convert the hand-drawn topology to polygons and then identify the polygons as being, e.g., particular shapes and arrows representing relationships between the shapes. The identified shapes and relationships are then output in a machine-readable format for consumption, in which the shapes are mapped to corresponding components of a computing system and deployed based on the mapping and the relationships indicated in the topologizer output.

Abstract: Techniques disclosed herein provide an approach for automated realization of hand-drawn topologies. In one embodiment, a topologizer application is configured to parse an image depicting a hand-drawn topology and identify shapes and relationships between the shapes in the image. The topologizer may convert the hand-drawn topology to polygons and then identify the polygons as being, e.g., particular shapes and arrows representing relationships between the shapes. The identified shapes and relationships are then output in a machine-readable format for consumption, in which the shapes are mapped to corresponding components of a computing system and deployed based on the mapping and the relationships indicated in the topologizer output.

Abstract: Techniques for grouping virtual machine (VM) objects for networking and security services in a virtualized computing system are described. In one example embodiment, VM attributes and identity attributes are obtained from a virtual center and an identity server, respectively. One or more desired security groups are then formed based on security requirements of the virtualized computing system. A user defined dynamic expression is then associated with the one or more security groups. One or more expression attributes are then determined by evaluating the user defined dynamic expression using the obtained VM attributes and identity attributes. VM objects are then grouped based on the determined one or more expression attributes. The grouped VM objects are then associated with the created one or more security groups for providing the networking and security services.

Abstract: Techniques for grouping virtual machine (VM) objects for networking and security services in a virtualized computing system are described. In one example embodiment. VM attributes and identity attributes are obtained from a virtual center and an identity server, respectively. One or more desired security groups are then formed based on security requirements of the virtualized computing system. A user defined dynamic expression is then associated with the one or more security groups. One or more expression attributes are then determined by evaluating the user defined dynamic expression using the obtained VM attributes and identity attributes. VM objects are then grouped based on the determined one or more expression attributes. The grouped VM objects are then associated with the created one or more security groups for providing the networking and security services.