Abstract: A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: In an embodiment, a computer-implemented method for dynamically exchanging runtime state data between datacenters using a controller bridge is disclosed. In an embodiment, the method comprises: requesting, and receiving, one or more first runtime state data from one or more logical sharding central control planes (“CCPs”) controlling one or more logical sharding hosts; requesting, and receiving, one or more second runtime state data from one or more physical sharding CCPs controlling one or more physical sharding hosts; aggregating, to aggregated runtime state data, the one or more first runtime state data and the one or more second runtime state data; determining updated runtime state data based on the aggregated runtime state data, the one or more first runtime state data, and the one or more second runtime state data; and transmitting the updated runtime state data to the logical sharding CCPs and physical sharding CCPs.

Abstract: In an embodiment, a computer-implemented method for dynamically exchanging runtime state data between datacenters with a gateway using a controller bridge is disclosed. In an embodiment, the method comprises: receiving one or more first runtime state data from one or more logical sharding central control planes (“CCPs”) controlling one or more logical sharding hosts; receiving one or more second runtime state data from a gateway that is controlled by a CCP that also controls one or more physical sharding hosts; aggregating to aggregated runtime state data, the one or more first runtime state data received from the one or more logical sharding CCPs and the one or more second runtime state data received from the gateway; determining updated runtime state data based on the aggregated runtime state data, the one or more first runtime state data, and the one or more second runtime state data; and transmitting the updated runtime state data to at least one of the one or more logical sharding CCPs and the gateway.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.

Abstract: Some embodiments provide a system that includes a set of network controllers for receiving definitions of first and second logical switching elements. The system includes several managed switching elements. The set of network controllers configure the several managed switching elements to implement the defined first and second logical switching elements. The system includes several network hosts that are each (1) communicatively coupled to one of the several managed switching elements and (2) associated with one of the first and second logical switching elements. Network data communicated between network hosts associated with the first logical switching element are isolated from network data communicated between network hosts associated with the second logical switching element.

Abstract: For a network controller for managing hosts in a network, a method for configuring a host to resolve network addresses is described. The method configures an address resolution module in a host to resolve a network address. The method configures a managed forwarding element in the host to (1) avoid sending a request to resolve the network address to another host by using the address resolution module to resolve the network address and (2) forward packets using the resolved network address.

Abstract: Example methods are provided for assigning a routing domain identifier in a logical network environment that includes one or more logical distributed routers and one or more logical switches. In one example, the method may comprise obtaining network topology information specifying how the one or more logical distributed routers are connected with the one or more logical switches; and selecting, from the one or more logical switches, a particular logical switch for which routing domain identifier assignment is required. The method may also comprise: identifying a particular logical distributed router that is connected with the particular logical switch based on the network topology information; assigning the particular logical switch with the routing domain identifier that is associated with the particular logical distributed router; and using the routing domain identifier in a communication between a management entity and a host.

Abstract: The present disclosure generally relates to applying global unified security policies across a plurality of virtual private clouds of a logical network. The logical network is deployed on a software-defined datacenter that constitute one or more private and/or public datacenters. The plurality of virtual private clouds of the logical network may have one or more overlapping internet protocol address blocks, with each virtual private cloud deploying one or more virtual machines and/or containers. A global unified security policy is disseminated to endpoints throughout the logical network using logical ports of the virtual machines and/or containers.

Abstract: A method for configuring a managed forwarding element (MFE) to perform logical routing operations in a logical network on behalf of a hardware switch is described. The method of some embodiments receives data that defines a logical router that logically connects several different end machines operating on several different host machines to different physical machines that are connected to the hardware switch. The method, based on the received data, defines a number of routing components for the logical router. In some embodiments, the method then configures the MFE to implement the routing components in order to enable the MFE to perform logical routing operations on behalf of the hardware switch.

Abstract: Some embodiments provide a method for a network controller that manages several logical networks. The method receives a specification of a logical network that includes at least one logical forwarding element attached to a logical service (e.g., DHCP). The method selects at least one host machine to host the specified logical service from several host machines designated for hosting logical services. The method generates logical service configuration information for distribution to the selected host machine. In some embodiments, the method selects a master host machine and a backup host machine for hosting logical service. In some embodiments, a particular one of the designated host machines hosts at least two DHCP services for two different logical networks as separate processes operating on the particular host machine.

Abstract: Some embodiments provide a method for a managed forwarding element (MFE). At the MFE, the method receives a first packet from a particular tunnel endpoint. The first packet originates from a particular data compute node associated with multiple tunnel endpoints including the particular tunnel endpoint. Based on the first packet, the method stores an association of the particular tunnel endpoint with the particular data compute node. The method uses the stored association to encapsulate subsequent packets received at the MFE and having the particular data compute node as a destination address with the particular tunnel endpoint as a destination tunnel endpoint.

Abstract: A method for configuring a managed forwarding element (MFE) to perform logical routing operations in a logical network on behalf of a hardware switch is described. The method of some embodiments receives data that defines a logical router that logically connects several different end machines operating on several different host machines to different physical machines that are connected to the hardware switch. The method, based on the received data, defines a number of routing components for the logical router. In some embodiments, the method then configures the MFE to implement the routing components in order to enable the MFE to perform logical routing operations on behalf of the hardware switch.

Abstract: A method of suppressing ARP packets in a logical network comprising a set of data compute nodes (DCNs). The DCNs are hosted on a set of physical hosts. Each DCN has a protocol address and is connected to a forwarding elements (FE) on the corresponding host. Each FE has a set of flows that specifies a set of conditions to match a set of fields of each received packet and a set of actions to take on a packet that matches the set of conditions. An FE on a physical host receives a packet sent by a first DCN on the physical host and determines that the received packet is an ARP request packet by matching a set of fields in the packet with a set of conditions of a particular flow. The ARP request packet identifies a protocol address of a second DCN on the logical network.

Abstract: A method of diagnosing a software-defined network is provided. The method determines an observed plurality of network control events from a set of network control event messages. Each network control event message includes a unique identifier and is used for configuring a network configuration entity on a network component. The method, from a description of an expected configuration of the network, determines an expected plurality of network control events. The method backtraces the observed control events from the current configuration of the network to determine whether the expected network control events have occurred. The method identifies a network component as the source of fault when the network component receives an input set of network control events that matches a set of expected network events but does not produce a set of output network control events that match a set of network control events.

Abstract: Some embodiments provide a method for a first network controller that manages a set of logical forwarding elements implemented in several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical forwarding element. The method generates the packet according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method sends the packet to a second network controller that manages a managed forwarding element associated with the particular source. The method receives a first set of messages regarding operations performed on the packet from a set of network controllers that receives a second set of messages regarding operations performed on the packet from a set of managed forwarding elements that process the packet.

Abstract: Some embodiments provide a method for a network controller that manages several logical networks. The method receives a specification of a logical network that includes at least one logical forwarding element attached to a logical service (e.g., DHCP). The method selects at least one host machine to host the specified logical service from several host machines designated for hosting logical services. The method generates logical service configuration information for distribution to the selected host machine. In some embodiments, the method selects a master host machine and a backup host machine for hosting logical service. In some embodiments, a particular one of the designated host machines hosts at least two DHCP services for two different logical networks as separate processes operating on the particular host machine.

Abstract: Systems and methods of communicating between a plurality of hosts comprising one or more first hosts controlled by a first control plane and one or more second hosts controlled by a second control plane are disclosed herein. Each of the one or more first hosts runs at least one tunneling endpoint of one or more first tunneling endpoints, and each of the one or more second hosts runs at least one tunneling endpoint of one or more second tunneling endpoint. The method includes storing, at each of the one or more first hosts, a global list identifying at least the one or more second tunneling endpoints. The method further includes receiving a packet at one of the one or more first tunneling endpoints. The method further includes replicating, encapsulating, and transmitting the packet to each of the one or more second tunneling endpoints based on the global list.

Abstract: Example methods are provided for assigning a routing domain identifier in a logical network environment that includes one or more logical distributed routers and one or more logical switches. In one example, the method may comprise obtaining network topology information specifying how the one or more logical distributed routers are connected with the one or more logical switches; and selecting, from the one or more logical switches, a particular logical switch for which routing domain identifier assignment is required. The method may also comprise: identifying a particular logical distributed router that is connected with the particular logical switch based on the network topology information; assigning the particular logical switch with the routing domain identifier that is associated with the particular logical distributed router; and using the routing domain identifier in a communication between a management entity and a host.