Patents by Inventor Prasad Miriyala

Prasad Miriyala has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250023787
    Abstract: In an example, a validation system comprises processing circuitry having access to a storage device and is configured to obtain flow records indicative of packet flows among workloads deployed to a cluster of one or more computing devices configured with a network policy, wherein each flow record of the flow records indicates a corresponding packet flow was allowed or denied by the cluster; receive an updated network policy; determine whether a corresponding packet flow for a flow record of the flow records has a discrepancy with the updated network policy; and in response to determining the corresponding packet flow for the flow record of the flow records has a discrepancy with the updated network policy, output an indication of an error.
    Type: Application
    Filed: September 23, 2024
    Publication date: January 16, 2025
    Inventors: Prasad Miriyala, FNU Nadeem, Sayali Mane, Ankur Tandon, Sajeesh Mathew, Pranav Cherukupalli, Khushi Vaidya
  • Publication number: 20250016029
    Abstract: In general, techniques are described for performing network segmentation for container orchestration platforms. A network controller comprising a memory and processing circuitry may be configured to perform the techniques. The memory may be configured to store a request, conforming to a container orchestration platform, to configure a new pod of a plurality of pods with a primary interface to communicate on a virtual network to segment a network formed by the plurality of pods. The processing circuitry may be configured to configure, responsive to the request, the new pod with the primary interface to enable communications via the virtual network.
    Type: Application
    Filed: September 23, 2024
    Publication date: January 9, 2025
    Inventors: Prasad Miriyala, Michael Henkel, Pranav Cherukupalli
  • Patent number: 12177069
    Abstract: In an example, a method comprises obtaining, by a policy controller from a first SDN architecture system, flow metadata for packet flows exchanged among workloads of a distributed application deployed to the first SDN architecture system; identifying, using flow metadata for a packet flow of the packet flows, a source endpoint workload and a destination endpoint workload of the packet flow; generating a network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload of the packet flow; and adding the network policy rule to a configuration repository as configuration data for a second SDN architecture system to cause a deployment system to configure the second SDN architecture system with the network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload when the distributed application is deployed to the second SDN architecture system.
    Type: Grant
    Filed: June 26, 2023
    Date of Patent: December 24, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Prasad Miriyala, Rosh Perumpully Ramadass, FNU Nadeem
  • Publication number: 20240422167
    Abstract: A network controller for a software-defined networking (SDN) architecture system may receive a request to generate an access control policy for a role in a container orchestration system, where the request specifies a plurality of functions. The network controller may execute the plurality of functions and may log execution of the plurality of functions in an audit log. The network controller may parse the audit log to determine a plurality of resources of the container orchestration system accessed from executing the plurality of functions and, for each resource of the plurality of resources, a respective one or more types of operations performed on the respective resource. The network controller may create, based at least in part on the parsed audit log, the access control policy for the role that permits a role to perform, on each of the plurality of resources, the respective one or more types of operations.
    Type: Application
    Filed: August 26, 2024
    Publication date: December 19, 2024
    Inventors: Prasad Miriyala, Sajeesh Mathew, Akhilesh Pathodia, Tashi Garg
  • Patent number: 12143353
    Abstract: Techniques are described for learning unknown virtual network information, such as a virtual Internet Protocol (IP) address, of a pod in a virtual network. In some examples, a virtual router executing at a computing device may receive an Address Resolution Protocol (ARP) packet from a virtual execution element in the virtual network, the virtual execution element executing at the computing device. The virtual router may determine, based at least in part on the ARP packet, whether virtual network information for the virtual execution element in a virtual network is known to the virtual router. The virtual router may, in response to determining that the virtual network information of the virtual execution element in the virtual network is not known to the virtual router, perform learning of the virtual network information for the virtual execution element.
    Type: Grant
    Filed: April 27, 2023
    Date of Patent: November 12, 2024
    Assignee: JUNIPER NETWORKS, INC.
    Inventors: Sangarshan Pillareddy, Yuvaraja Mariappan, James Nicholas Davey, Prasad Miriyala, Richard Roberts, Margarida Correia, Nagendra E S, Haji Mohamed Ashraf Ali
  • Patent number: 12143385
    Abstract: In some examples, an access control policy controller in a computer network may receive a request to create an access control policy that permits a role to perform one or more functions in the computer network. The access control policy controller may determine one or more operations performed on one or more objects in the computer network to perform the one or more functions based at least in part on tracking performance of the one or more functions in the computer network. The access control policy controller may create the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the computer network.
    Type: Grant
    Filed: February 9, 2023
    Date of Patent: November 12, 2024
    Assignee: JUNIPER NETWORKS, INC.
    Inventors: Prasad Miriyala, Sajeesh Mathew, Kannan Varadhan
  • Patent number: 12132623
    Abstract: A method includes subscribing, by an agent, to telemetry flow data from each network device of a plurality of network devices and receiving, by the agent, a plurality of streams of telemetry flow data from the plurality of the network devices. Each of the plurality of streams corresponds to a different one of the plurality of network devices. The method further includes aggregating, by the agent, data from at least one stream of the plurality of streams of the telemetry flow data received over a period of time and, at the end of the period of time and/or when the data from the at least one stream exceeds a data threshold, sending, by the agent, the aggregated telemetry flow data to a network analyzer device.
    Type: Grant
    Filed: July 21, 2023
    Date of Patent: October 29, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Jeffrey S. Marshall, Gurminder Singh, Prasad Miriyala, Iqlas M. Ottamalika
  • Patent number: 12107859
    Abstract: In some examples, an access control policy controller in a computer network may receive a request to create an access control policy that permits a role to perform one or more functions in the computer network. The access control policy controller may determine one or more operations performed on one or more objects in the computer network to perform the one or more functions based at least in part on tracking performance of the one or more functions in the computer network. The access control policy controller may create the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the computer network.
    Type: Grant
    Filed: February 9, 2023
    Date of Patent: October 1, 2024
    Assignee: JUNIPER NETWORKS, INC.
    Inventors: Prasad Miriyala, Sajeesh Mathew, Kannan Varadhan
  • Patent number: 12101227
    Abstract: In an example, a validation system comprises processing circuitry having access to a storage device and is configured to obtain flow records indicative of packet flows among workloads deployed to a cluster of one or more computing devices configured with a network policy, wherein each flow record of the flow records indicates a corresponding packet flow was allowed or denied by the cluster; receive an updated network policy; determine whether a corresponding packet flow for a flow record of the flow records has a discrepancy with the updated network policy; and in response to determining the corresponding packet flow for the flow record of the flow records has a discrepancy with the updated network policy, output an indication of an error.
    Type: Grant
    Filed: May 5, 2023
    Date of Patent: September 24, 2024
    Assignee: JUNIPER NETWORKS, INC.
    Inventors: Prasad Miriyala, FNU Nadeem, Sayali Mane, Ankur Tandon, Sajeesh Mathew, Pranav Cherukupalli, Khushi Vaidya
  • Patent number: 12101204
    Abstract: In general, techniques are described for performing network segmentation for container orchestration platforms. A network controller comprising a memory and processing circuitry may be configured to perform the techniques. The memory may be configured to store a request, conforming to a container orchestration platform, to configure a new pod of a plurality of pods with a primary interface to communicate on a virtual network to segment a network formed by the plurality of pods. The processing circuitry may be configured to configure, responsive to the request, the new pod with the primary interface to enable communications via the virtual network.
    Type: Grant
    Filed: December 27, 2022
    Date of Patent: September 24, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Prasad Miriyala, Michael Henkel, Pranav Cherukupalli
  • Publication number: 20240291753
    Abstract: A plurality of switches may be arranged according to a spine and leaf topology in which each spine switch is connected to all leaf switches. A leaf switch includes a memory configured to store a plurality of policies, each of the plurality of policies being associated with a respective source identifier value and a respective destination address; a network interface communicatively coupled to one of the spine switches; and a processor implemented in circuitry and configured to: receive a packet from the spine switch via the network interface, the packet being encapsulated with a Virtual Extensible Local Area Network (VXLAN) header; extract a source identifier value from the VXLAN header; determine a destination address for the packet; determine a policy of the plurality of policies to apply to the packet according to the source identifier value and the destination address; and apply the policy to the packet.
    Type: Application
    Filed: May 7, 2024
    Publication date: August 29, 2024
    Inventors: Prasad Miriyala, Wen Lin, Suresh Palguna Krishnan, SelvaKumar Sivaraj, Kumuthini Ratnasingham
  • Patent number: 12074884
    Abstract: A network controller for a software-defined networking (SDN) architecture system may receive a request to generate an access control policy for a role in a container orchestration system, where the request specifies a plurality of functions. The network controller may execute the plurality of functions and may log execution of the plurality of functions in an audit log. The network controller may parse the audit log to determine a plurality of resources of the container orchestration system accessed from executing the plurality of functions and, for each resource of the plurality of resources, a respective one or more types of operations performed on the respective resource. The network controller may create, based at least in part on the parsed audit log, the access control policy for the role that permits a role to perform, on each of the plurality of resources, the respective one or more types of operations.
    Type: Grant
    Filed: June 24, 2022
    Date of Patent: August 27, 2024
    Assignee: JUNIPER NETWORKS, INC.
    Inventors: Prasad Miriyala, Sajeesh Mathew, Akhilesh Pathodia, Tashi Garg
  • Patent number: 12058022
    Abstract: In general, techniques are described that provide an analysis system for analyzing a software-defined networking (SDN) architecture system. The analysis system comprises processing circuitry configured to obtain operational data representative of one or more of configuration, operation, and maintenance of the SDN architecture system. The processing circuitry may identify dependencies between the operational data that identify dependencies between objects representative of the configuration, operation, and maintenance of the SDN architecture system. The processing circuitry may perform, while traversing the dependencies between the operational data, analysis with respect to the operational data in order to identify potential issues in the SDN architecture system, and output the potential issues in the SDN architecture system.
    Type: Grant
    Filed: December 23, 2022
    Date of Patent: August 6, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Prasad Miriyala, Michael Henkel, Sangyeong Kim, Senthilnathan Murugappan, Jeffrey S. Marshall, Akhilesh Pathodia
  • Patent number: 12034652
    Abstract: In general, techniques are described for creating a virtual network router within a software defined network (SDN) architecture. A network controller for the SDN architecture system may include processing circuitry that is configured to execute a configuration node and a control node. The configuration node may process a request by which to create a virtual network router (VNR), where the virtual network router may cause the network controller to interconnect a first virtual network (VN) and a second VN. The VNR may represent a logical abstraction of one or more policies that cause import and/or export of routing information between the first VN and the second VN. The control node configures the first VN and the second VN according to the one or more policies to enable the import and/or the export of routing information between the first VN and the second VN via the VNR.
    Type: Grant
    Filed: June 29, 2022
    Date of Patent: July 9, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Michael Henkel, Prasad Miriyala, Édouard Thuleau, Nagendra Prasath Maynattamai Prem Chandran, Atul S Moghe
  • Publication number: 20240223454
    Abstract: In an example, a validation system comprises processing circuitry having access to a storage device and is configured to obtain flow records indicative of packet flows among workloads deployed to a cluster of one or more computing devices configured with a network policy, wherein each flow record of the flow records indicates a corresponding packet flow was allowed or denied by the cluster; receive an updated network policy; determine whether a corresponding packet flow for a flow record of the flow records has a discrepancy with the updated network policy; and in response to determining the corresponding packet flow for the flow record of the flow records has a discrepancy with the updated network policy, output an indication of an error.
    Type: Application
    Filed: May 5, 2023
    Publication date: July 4, 2024
    Inventors: Prasad Miriyala, FNU Nadeem, Sayali Mane, Ankur Tandon, Sajeesh Mathew, Pranav Cherukupalli, Khushi Vaidya
  • Publication number: 20240214294
    Abstract: In general, techniques are described that provide an analysis system for analyzing a software-defined networking (SDN) architecture system. The analysis system comprises processing circuitry configured to obtain operational data representative of one or more of configuration, operation, and maintenance of the SDN architecture system. The processing circuitry may identify dependencies between the operational data that identify dependencies between objects representative of the configuration, operation, and maintenance of the SDN architecture system. The processing circuitry may perform, while traversing the dependencies between the operational data, analysis with respect to the operational data in order to identify potential issues in the SDN architecture system, and output the potential issues in the SDN architecture system.
    Type: Application
    Filed: December 23, 2022
    Publication date: June 27, 2024
    Inventors: Prasad Miriyala, Michael Henkel, Sangyeong Kim, Senthilnathan Murugappan, Jeffrey S. Marshall, Akhilesh Pathodia
  • Patent number: 12021740
    Abstract: A plurality of switches may be arranged according to a spine and leaf topology in which each spine switch is connected to all leaf switches. A leaf switch includes a memory configured to store a plurality of policies, each of the plurality of policies being associated with a respective source identifier value and a respective destination address; a network interface communicatively coupled to one of the spine switches; and a processor implemented in circuitry and configured to: receive a packet from the spine switch via the network interface, the packet being encapsulated with a Virtual Extensible Local Area Network (VXLAN) header; extract a source identifier value from the VXLAN header; determine a destination address for the packet; determine a policy of the plurality of policies to apply to the packet according to the source identifier value and the destination address; and apply the policy to the packet.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: June 25, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Prasad Miriyala, Wen Lin, Suresh Palguna Krishnan, SelvaKumar Sivaraj, Kumuthini Ratnasingham
  • Publication number: 20240176878
    Abstract: An example system for performing root cause analysis for a plurality of network devices includes one or more processors implemented in circuitry and configured to: receive telemetry data from the plurality of network devices; apply an artificial intelligence (AI) anomaly detection model, trained on historical telemetry data to detect anomalies in the historical telemetry data, to the received telemetry data to detect one or more anomalies in the received telemetry data; and apply an AI root cause analysis mode, trained on historical data, to the anomalies to determine a root cause of an issue causing the one or more anomalies.
    Type: Application
    Filed: August 30, 2023
    Publication date: May 30, 2024
    Inventors: Ajit Krishna Patankar, Kihwan Han, Prasad Miriyala, Mansi Joshi, Shruti Jadon, Deepak Kumar Naik, Maria Charles Maria Selvam
  • Publication number: 20240154863
    Abstract: An example application programming interface (API) server device that distributes configuration data to managed network devices includes one or more processing units implemented in circuitry and configured to receive configuration data to be deployed to at least one of the managed network devices; store the configuration data to a configuration database; and send the configuration data to the at least one of the managed network devices. In this manner, the configuration data can be archived for later retrieval and analysis, e.g., to perform root cause analysis in the event of an error.
    Type: Application
    Filed: January 12, 2024
    Publication date: May 9, 2024
    Inventors: Prasad Miriyala, Michael Henkel, Iqlas M. Ottamalika
  • Publication number: 20240129161
    Abstract: In general, techniques are described for performing network segmentation for container orchestration platforms. A network controller comprising a memory and processing circuitry may be configured to perform the techniques. The memory may be configured to store a request, conforming to a container orchestration platform, to configure a new pod of a plurality of pods with a primary interface to communicate on a virtual network to segment a network formed by the plurality of pods. The processing circuitry may be configured to configure, responsive to the request, the new pod with the primary interface to enable communications via the virtual network.
    Type: Application
    Filed: December 27, 2022
    Publication date: April 18, 2024
    Inventors: Prasad Miriyala, Michael Henkel, Pranav Cherukupalli