Abstract: Some embodiments provide a method for generating microsegmentation recommendations, performed by a network monitoring service implemented in a public cloud to monitor data flows for a group of datacenters. The method receives a selection of a set of logical network compute nodes (LNCNs) located at a particular datacenter for which to generate recommended rules. The method analyzes flows collected by the network monitoring service in order to generate a set of recommended rules relating to the set of LNCNs. The method provides the set of rules to a local manager at the particular datacenter for the local manager to configure network elements at the particular datacenter to enforce the set of rules. The rules use compute node identifiers for LNCNs located at the particular datacenter and network addresses for LNCNs located at other datacenters as the local manager does not store data regarding compute nodes located at the other datacenters.

Abstract: Some embodiments provide a method for providing a visualization of data flows for a logical network spanning a group of datacenters. The method receives a selection of a particular datacenter in the group of datacenters for which to display a flow visualization. The method generates a flow visualization for the particular datacenter including (i) representations of data flows between pairs of logical network compute nodes located within the particular datacenter, (ii) representations of data flows between logical network compute nodes located within the particular datacenter and logical network compute nodes at other datacenters in the group of datacenters, and (iii) representations of data flows between logical network compute nodes located within the particular datacenter and endpoints external to the group of datacenters. The method displays the generated flow visualization within a graphical user interface (GUI).

Abstract: Some embodiments provide a method for modifying a set of firewall rules for implementation in a network. The method receives (i) a set of existing firewall rules and (ii) a set of flows observed in the network that do not match the firewall rules in the set. The method identifies an optimized set of modifications to the set of existing firewall rules to generate a set of modified firewall rules such that (i) the set of flows match firewall rules in the set of modified firewall rules and (ii) any flows that matched firewall rules in the set of existing firewall rules also match firewall rules in the set of modified firewall rules.

Abstract: Some embodiments provide a method for modifying a firewall rule of a security policy implemented in a network. The method identifies a set of compute machines to be added to a match condition for the firewall rule. The match condition is expressed using one or more groups of compute machines. The method selects a set of groups for the identified set of compute machines from a plurality of existing groups of compute machines based on a user-specified threshold indicating tolerance for inclusion of compute machines that are not in the identified set of compute machines in the selected groups. The method uses the selected set of groups for the match condition of the firewall rule.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rues to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified rules to remove flows for which rules should not be defined. Some embodiments use the identified rues to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: A user management construct, referred to as a persona, is provided to enable a flexible mechanism that grants elevated or administrative privileges to users, such as application developers. Developers may utilize the privileges bestowed by a persona to execute tasks that normally requires access by traditional information (IT) roles, such as IT administrators, to deploy applications in a cloud computing environment. The tasks may include the provisioning of virtual or physical computing resources and/or the configuration of compute, storage, and networking resources.

Abstract: A user management construct, referred to as a persona, is provided to enable a flexible mechanism that grants elevated or administrative privileges to users, such as application developers. Developers may utilize the privileges bestowed by a persona to execute tasks that normally requires access by traditional information (IT) roles, such as IT administrators, to deploy applications in a cloud computing environment. The tasks may include the provisioning of virtual or physical computing resources and/or the configuration of compute, storage, and networking resources.