Abstract: Some embodiments provide a method for a network controller. The method receives network configuration data including an association of an entity configuration profile to a logical entity group that references at least two logical network entities. The entity configuration profile includes a set of configuration settings to apply to logical network entities with which the entity configuration profile is associated. The method associates the entity configuration profile with the logical network entities referenced by the logical entity group. Based on the associations of the entity configuration profile with the logical network entities, the method determines multiple host machines that require the configuration data for the entity configuration profile. The method distributes the entity configuration profile to the host machines.

Abstract: Certain embodiments described herein are generally directed to consistent processing of transport node network configuration data in a physical sharding architecture. For example, in some embodiments a first central control plane (CCP) node of a plurality of CCP nodes determines a sharding table, which is shared by the plurality of CCP nodes. In certain embodiments, the first CCP node determines a connection establishment between a first transport node and the first CCP node. In some embodiments, if the first CCP node determines, based on the sharding table, that it is a physical master of the first transport node, the first CCP node receives network configuration data from the first transport node, stores at least a portion of the network configuration data, and transmits a data update comprising at least a portion of the network configuration data to a shared data store accessible by the plurality of CCP nodes.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: Some embodiments provide a method for a network controller in a network control system that manages a plurality of logical networks. The method receives a specification of a logical network that comprises a logical router with a logical port that connects to an external network. The method selects several host machines to host a L3 gateway that implements the connection to the external network for the logical router from a set of host machines designated for hosting logical routers. The method generates data tuples for provisioning a set of managed forwarding elements that implement the logical network to send data packets that require processing by the L3 gateway to the selected host machines. The data tuples specify for the managed forwarding elements to distribute the data packets across the selected host machines.

Abstract: For a managed network including multiple host machines implementing multiple logical networks, some embodiments provide a method that reduces the memory and traffic load required to implement the multiple logical networks. The method generates configuration data for each of multiple host machines including (i) data to configure a host machine to implement a set of logical forwarding elements that belong to a set of routing domains and (ii) identifiers for each routing domain in the set of routing domains. The method then receives data regarding tunnels endpoints operating on each of the host machines and an association with the routing identifiers sent to the host machines. The method then generates a routing domain tunnel endpoint list for each routing domain based on the data received from each of the host machines including a list of the tunnel endpoints associated with the routing domain which the host machines can use to facilitate packet processing.

Abstract: The present disclosure generally relates to applying global unified security policies across a plurality of virtual private clouds of a logical network. The logical network is deployed on a software-defined datacenter that constitute one or more private and/or public datacenters. The plurality of virtual private clouds of the logical network may have one or more overlapping internet protocol address blocks, with each virtual private cloud deploying one or more virtual machines and/or containers. A global unified security policy is disseminated to endpoints throughout the logical network using logical ports of the virtual machines and/or containers.

Abstract: Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.

Abstract: Some embodiments provide an ARP-offload service node for several managed hardware forwarding elements (MHFEs) in a datacenter in order to offload ARP query processing by the MHFEs. The MHFEs are managed elements because one or more network controllers (e.g., one or more management servers) send configuration data to the MHFEs to configure their operations. In some of these embodiments, the network controllers configure the MHFEs to create logical forwarding elements (e.g., logical switches, logical routers, etc.) each of which can span two or more managed forwarding elements.

Abstract: A method is provided for a coordinator to manage cluster membership. In a stable state, the coordinator provides a member list to all the nodes in a node list. The member list includes nodes that are cluster members. The node list includes nodes that are or wish to be members of the cluster. When the node list differs from the member list, the coordinator advances to a reconfiguration state to change the membership of the cluster. In the reconfiguration state, the coordinator sends a reconfiguration request to all the nodes in the node list. When reconfiguration acknowledgements are received from all the nodes within a timeout period, the coordinator updates the member list to be equal to the node list, persists the updated member list, sends a reconfiguration confirmation including the updated member list to all the nodes in the node list, and returns to the stable state.

Abstract: A method for a node to become a member of a cluster includes, when the node is in an initialization state, refraining from starting any service for the cluster, rejecting any reconfiguration request from a coordinator of the cluster, and determining if a local copy of a member list is out-of-date. When the local member list is up-to-date, the method includes advancing to an observer state or a participant state depending on if the node is in the member list. When the local copy of the member list is out-of-date, the method includes waiting to receive the member list, updating the local member list to be equal to the member list, persisting the local member list, recording the local member list as up-to-date, and advancing to an observer state or a participant state depending if the node is in the member list.

Abstract: Some embodiments of the invention provide a novel method for interfacing between a first tuple-based controller and a second controller using a message-based protocol. The method of some embodiments identifies a set of changed tuples stored in a set of output tables, generates a set of messages based on the changed tuples, and sends the generated set of messages to a second controller. In some embodiments, the first and second controllers are parts of a network control system that manages forwarding elements to implement a logical network.

Abstract: A network control system for managing a plurality of switching elements that implement a plurality of logical datapath sets. The network control system includes first and second controllers for generating requests for modifications to first and second logical datapath sets. The first controller is further for determining whether to make modifications to the first logical datapath set. The second controller is further for determining whether to make modifications to the second logical datapath set. Each controller is further for receiving logical control plane data that specifies logical datapath sets and for converting the logical control plane data to physical control plane data for propagating to the switching elements.

Abstract: A network controller for managing several managed switching elements that forward data in a network that includes the managed switching elements. The network controller is further for creating a logical switching element to be implemented in a set of managed switching elements. The network controller includes a set of modules for receiving input data specifying a logical switching element and for creating, based on the received input data, a set of logical switch constructs for the logical switching element by performing a set of database join operations. At least one of the logical switch constructs is for facilitating non-forwarding behavior of the logical switching element.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Some embodiments provide a method for a first network controller that manages a set of logical forwarding elements implemented in several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical forwarding element. The method generates the packet according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method sends the packet to a second network controller that manages a managed forwarding element associated with the particular source. The method receives a first set of messages regarding operations performed on the packet from a set of network controllers that receives a second set of messages regarding operations performed on the packet from a set of managed forwarding elements that process the packet.

Abstract: For a network control system that receives, from a user, logical datapath sets that logically express desired forwarding behaviors that are to be implemented by a set of managed switching elements, a controller for managing several managed switching elements that forward data in a network that includes the managed switching elements is described. The controller includes a set of modules for detecting a change in one or more managed switching elements and for updating logical datapath set based on the detected change. The logical datapath set is for subsequent translation into a set of physical forwarding behaviors of the managed switching elements.

Abstract: Some embodiments provide an ARP-offload service node for several managed hardware forwarding elements (MHFEs) in a datacenter in order to offload ARP query processing by the MHFEs. The MHFEs are managed elements because one or more network controllers (e.g., one or more management servers) send configuration data to the MHFEs to configure their operations. In some of these embodiments, the network controllers configure the MHFEs to create logical forwarding elements (e.g., logical switches, logical routers, etc.) each of which can span two or more managed forwarding elements.

Abstract: Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.