Abstract: The disclosed technology is generally directed to virtual machines. In one example of the technology, a network change from a first virtual network to a second virtual network is reconfigured for a first virtual machine that is executing on a first virtual machine host. The reconfiguring includes the following. In the first virtual machine host, a mapping change from the first virtual network to the second virtual network is configured by reprogramming drivers in the first virtual machine host for route mapping for the second virtual network. A Dynamic Host Configuration Protocol (DHCP) retrigger is caused without rebooting the first virtual machine. A configuration file is provided to the first virtual machine. The configuration file includes user-specific networking settings. The first virtual machine is reconfigured in accordance with the user-specific networking settings.

Abstract: Systems and methods for enabling access to dedicated resources in a virtual network using top of rack switches are disclosed. A method includes a virtual filtering platform encapsulating at least one packet, received from a virtual machine, to generate at least one encapsulated packet comprising a virtual network identifier (VNI). The method further includes a TOR switch: (1) receiving the at least one encapsulated packet and decapsulating the at least one encapsulated packet to create at least one decapsulated packet, (2) using the VNI to identify a virtual routing and forwarding artifact to determine a virtual local area network interface associated with the dedicated hardware portion, and (3) transmitting the at least one decapsulated packet to the dedicated hardware portion based on at least one policy provided by a controller, where the at least one policy comprises information related to a customer of the service provider.

Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.

Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Additionally or alternatively, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls to the tenant's virtual network.

Abstract: A system includes reception of an instruction to send a message to a computer server, determination of a plurality of segments of the message, determination, for each of the plurality of segments, of a network path from a plurality of network paths to the computer server based on performance-related characteristics of the plurality of network paths, and assignment, for each of the plurality of segments, of the segment to a transmission queue associated with the network path determined for the segment.

Abstract: Techniques of network virtualization of containers in cloud-based system are disclosed herein. In one embodiment, a method includes receiving a selection of a host in the computer system to instantiate a container in response to a request from a user. In response to the received selection, the method includes identifying parameters of network operations on the selected host to instantiate the requested container and assigning a network address to the container to be instantiated on the selected host in the computer system, the assigned network address is addressable from outside of the selected host without network name translation. The method can then include transmitting an instruction to the selected host to instantiate the requested container based on the assigned network address.

Abstract: A network endpoint receiver controls packet flow from a transmitter. Packets are received via a network in packet traffic according to a push mode, where the transmitter controls pacing of transmitting the packets. Characteristics related to the packet traffic are monitored at the receiver. The monitored characteristics are compared to reception performance parameters, and based on the comparison, a decision is made to switch from the push mode to a pull mode for controlling the packet flow. The receiver transmits a pull mode request packet to the transmitter, where the pull mode request packet indicates a pacing of subsequent packets transmitted by the transmitter to the receiver in accordance with the pull mode. Pacing of further transmitted packets may be controlled by subsequent pull mode request packets sent over time to the transmitter by the receiver. Similarly, the receiver may control additional transmitters to transmit at equal or different rates.

Abstract: A network endpoint receiver controls packet flow from a transmitter. Packets are received via a network in packet traffic according to a push mode, where the transmitter controls pacing of transmitting the packets. Characteristics related to the packet traffic are monitored at the receiver. The monitored characteristics are compared to reception performance parameters, and based on the comparison, a decision is made to switch from the push mode to a pull mode for controlling the packet flow. The receiver transmits a pull mode request packet to the transmitter, where the pull mode request packet indicates a pacing of subsequent packets transmitted by the transmitter to the receiver in accordance with the pull mode. Pacing of further transmitted packets may be controlled by subsequent pull mode request packets sent over time to the transmitter by the receiver. Similarly, the receiver may control additional transmitters to transmit at equal or different rates.

Abstract: The disclosed system implements techniques to enable a tenant of a cloud-based platform to effectively and efficiently apply a policy that copies data packets communicated to or from a virtual machine in the tenant's own virtual network. When applied, the policy mirrors data traffic associated with a workload executing on a virtual machine in the tenant's virtual network. To mirror the data traffic, a copy of a data packet is streamed to another virtual machine so that network analytics can be performed (e.g., performance analytics, security analytics, etc.). In various examples, the policy can be a role-based mirroring policy that defines a plurality of roles in association with a role-based access model that scales operations and that provides improved security for a tenant's virtual network.

Abstract: Systems and methods for enabling access to dedicated resources in a virtual network using top of rack switches are disclosed. A method includes a virtual filtering platform encapsulating at least one packet, received from a virtual machine, to generate at least one encapsulated packet comprising a virtual network identifier (VNI). The method further includes a TOR switch: (1) receiving the at least one encapsulated packet and decapsulating the at least one encapsulated packet to create at least one decapsulated packet, (2) using the VNI to identify a virtual routing and forwarding artifact to determine a virtual local area network interface associated with the dedicated hardware portion, and (3) transmitting the at least one decapsulated packet to the dedicated hardware portion based on at least one policy provided by a controller, where the at least one policy comprises information related to a customer of the service provider.

Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.

Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Additionally or alternatively, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls to the tenant's virtual network.

Abstract: Systems and methods for enabling access to dedicated resources in a virtual network using top of rack switches are disclosed. A method includes a virtual filtering platform encapsulating at least one packet, received from a virtual machine, to generate at least one encapsulated packet comprising a virtual network identifier (VNI). The method further includes a TOR switch: (1) receiving the at least one encapsulated packet and decapsulating the at least one encapsulated packet to create at least one decapsulated packet, (2) using the VNI to identify a virtual routing and forwarding artifact to determine a virtual local area network interface associated with the dedicated hardware portion, and (3) transmitting the at least one decapsulated packet to the dedicated hardware portion based on at least one policy provided by a controller, where the at least one policy comprises information related to a customer of the service provider.

Abstract: Virtual networks located in different regions of cloud provider are peered using unique regional identifiers for the virtual networks. The regional identifiers and other information are pushed down a network management stack to implement the peering.

Abstract: The disclosed technology is generally directed to virtual machines. In one example of the technology, a network change from a first virtual network to a second virtual network is reconfigured for a first virtual machine that is executing on a first virtual machine host. The reconfiguring includes the following. In the first virtual machine host, a mapping change from the first virtual network to the second virtual network is configured by reprogramming drivers in the first virtual machine host for route mapping for the second virtual network. A Dynamic Host Configuration Protocol (DHCP) retrigger is caused without rebooting the first virtual machine. A configuration file is provided to the first virtual machine. The configuration file includes user-specific networking settings. The first virtual machine is reconfigured in accordance with the user-specific networking settings.

Abstract: The disclosed technology is generally directed to virtual machines. In one example of the technology, a network change from a first virtual network to a second virtual network is reconfigured for a first virtual machine that is executing on a first virtual machine host. The reconfiguring includes the following. In the first virtual machine host, a mapping change from the first virtual network to the second virtual network is configured by reprogramming drivers in the first virtual machine host for route mapping for the second virtual network. A Dynamic Host Configuration Protocol (DHCP) retrigger is caused without rebooting the first virtual machine. A configuration file is provided to the first virtual machine. The configuration file includes user-specific networking settings. The first virtual machine is reconfigured in accordance with the user-specific networking settings.

Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided in association with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Moreover, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls from accessing the tenant's virtual network.

Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.

Abstract: The disclosed technology is generally directed to virtual machines. In one example of the technology, generic virtual machine artifacts are created. The generic virtual machine artifacts include at least one generic compute artifact and at least one generic network artifact. A first virtual machine is composed and booted with the generic virtual machine artifacts. The first virtual machine is caused to enter a state in which the first virtual machine is polling for a configuration with user-specific compute settings, user-specific networking settings, and user-specific storage settings.

Abstract: Systems and methods for enabling access to dedicated resources in a virtual network using top of rack switches are disclosed. A method includes a virtual filtering platform encapsulating at least one packet, received from a virtual machine, to generate at least one encapsulated packet comprising a virtual network identifier (VNI). The method further includes a TOR switch: (1) receiving the at least one encapsulated packet and decapsulating the at least one encapsulated packet to create at least one decapsulated packet, (2) using the VNI to identify a virtual routing and forwarding artifact to determine a virtual local area network interface associated with the dedicated hardware portion, and (3) transmitting the at least one decapsulated packet to the dedicated hardware portion based on at least one policy provided by a controller, where the at least one policy comprises information related to a customer of the service provider.