Abstract: A virtual network manager and associated user interface/portal provide customers with simplified centralized management of virtual networks to implement logical groupings of network resources at scale. The virtual network manager enables network segmentation using names or tags, connectivity configuration to create different virtual network topologies, security configuration to provide enforcement of organizational rules without being overwritten and Network Security Group (NSG) management in a simple and scalable manner, safe deployment of network configurations to designated regions on a fix and roll forward basis, and virtual network (VNet) level monitoring.

Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.

Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Additionally or alternatively, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls to the tenant's virtual network.

Abstract: A distributed resource may be mapped into a virtual network, where the resource is distributed across a large number of nodes that are uniquely addressable within the distributed resource service's address space. The resource can be represented using a relatively small number of private VIP addresses within the virtual network, while still enabling access to all of the nodes that are uniquely addressable within the address space of the distributed resource service. A resource map may be created that relates the distributed resource service's address space to the virtual network's address space. The resource map may be used by a gateway that facilitates access to a distributed resource by clients. The resource map may also be used to translate packets that are sent from clients within a virtual network into the distributed resource service's address space.

Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.

Abstract: A distributed resource may be mapped into a virtual network, where the resource is distributed across a large number of nodes that are uniquely addressable within the distributed resource service's address space. The resource can be represented using a relatively small number of private VIP addresses within the virtual network, while still enabling access to all of the nodes that are uniquely addressable within the address space of the distributed resource service. A resource map may be created that relates the distributed resource service's address space to the virtual network's address space. The resource map may be used by a gateway that facilitates access to a distributed resource by clients. The resource map may also be used to translate packets that are sent from clients within a virtual network into the distributed resource service's address space.

Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Additionally or alternatively, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls to the tenant's virtual network.

Abstract: Techniques are described herein that are capable of monitoring connectivity and latency of network links in virtual networks. For instance, a ping agent injects first ping packets into network traffic on behalf of hosts in the virtual network. The ping agent monitors incoming packets to identify first ping response packets, which are in response to the first ping packets, among the incoming packets. A ping responder rule that is included in inbound packet filter rules for a port in a virtual switch intercepts second ping packets in the network traffic. The ping responder rule converts the second ping packets into second ping response packets and injects the second ping response packets into outbound packet filter rules to be transferred to sources from which the second ping packets are received.

Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided in association with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Moreover, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls from accessing the tenant's virtual network.

Abstract: The techniques described herein enable a private connectivity solution between a virtual network of a service consumer and a virtual network of a service provider in a cloud-based platform. The techniques map a service (e.g., one or more workloads or containers) executing in the virtual network of the service provider into the virtual network of the service consumer. The mapping uses network address translation (NAT) that is performed by the cloud-based infrastructure. As a result of the techniques described herein, a public Internet Protocol (IP) address does not need to be used to establish a connection thereby alleviating privacy and/or security concerns for the virtual networks of the service provider and/or the service consumer that are hosted by the cloud-based platform.

Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.

Abstract: A distributed resource may be mapped into a virtual network, where the resource is distributed across a large number of nodes that are uniquely addressable within the distributed resource service's address space. The resource can be represented using a relatively small number of private VIP addresses within the virtual network, while still enabling access to all of the nodes that are uniquely addressable within the address space of the distributed resource service. A resource map may be created that relates the distributed resource service's address space to the virtual network's address space. The resource map may be used by a gateway that facilitates access to a distributed resource by clients. The resource map may also be used to translate packets that are sent from clients within a virtual network into the distributed resource service's address space.

Abstract: Techniques for allowing access to shared cloud resource using private network addresses are disclosed herein. In one embodiment, a connection packet representing a connection request to a shared cloud resource in the cloud computing system can be intercepted. In response, the connection packet can be encapsulated with data representing one or more of a VNET ID, a VNET source address, or a VNET destination address of a virtual network from which the connection packet is received. The encapsulated connection packet can then be forwarded to the shared cloud resource while retaining the data representing one or more of the VNET ID, the VNET source address, or the VNET destination address for access control at the shared cloud resource.

Abstract: Examples described herein generally relate to determining a current network state of the set of virtual networks, detecting, based at least in part on obtaining at least a portion of a high-level virtual network policy, an indicated change to the current network state, compiling, based on detecting the indicated change, at least a portion of the high-level virtual network policy to generate a set of low-level intermediate representation instructions to implement the indicated change to the high-level virtual network policy, and applying the set of low-level intermediate representation instructions in a network configuration for managing the set of virtual networks.

Abstract: A hybrid state for a virtual machine (VM) in a cloud computing system enables a VM to communicate with other VMs that belong to a virtual network (VNET VMs) while maintaining connectivity with other VMs that do not belong to the virtual network (non-VNET VMs). A non-VNET VM can be transitioned to a hybrid VM that operates in a hybrid state. The hybrid VM can be assigned a private virtual IP address (VNET address) for communication with other VNET VMs. The hybrid VM can continue to use a physical IP address to communicate with other non-VNET VMs. In this way, the hybrid VM is able to maintain connectivity with other non-VNET VMs during and after migration to the VNET. A network stack can be configured to process data packets that are destined for non-VNET VMs differently from data packets that are destined for VNET VMs.

Abstract: The techniques described herein enable a private connectivity solution between a virtual network of a service consumer and a virtual network of a service provider in a cloud-based platform. The techniques map a service (e.g., one or more workloads or containers) executing in the virtual network of the service provider into the virtual network of the service consumer. The mapping uses network address translation (NAT) that is performed by the cloud-based infrastructure. As a result of the techniques described herein, a public Internet Protocol (IP) address does not need to be used to establish a connection thereby alleviating privacy and/or security concerns for the virtual networks of the service provider and/or the service consumer that are hosted by the cloud-based platform.

Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.

Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided in association with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Moreover, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls from accessing the tenant's virtual network.

Abstract: Techniques are described herein that are capable of monitoring connectivity and latency of network links in virtual networks. For instance, a ping agent injects first ping packets into network traffic on behalf of hosts in the virtual network. The ping agent monitors incoming packets to identify first ping response packets, which are in response to the first ping packets, among the incoming packets. A ping responder rule that is included in inbound packet filter rules for a port in a virtual switch intercepts second ping packets in the network traffic. The ping responder rule converts the second ping packets into second ping response packets and injects the second ping response packets into outbound packet filter rules to be transferred to sources from which the second ping packets are received.

Abstract: Techniques for allowing access to shared cloud resource using private network addresses are disclosed herein. In one embodiment, a connection packet representing a connection request to a shared cloud resource in the cloud computing system can be intercepted. In response, the connection packet can be encapsulated with data representing one or more of a VNET ID, a VNET source address, or a VNET destination address of a virtual network from which the connection packet is received. The encapsulated connection packet can then be forwarded to the shared cloud resource while retaining the data representing one or more of the VNET ID, the VNET source address, or the VNET destination address for access control at the shared cloud resource.