Abstract: In one embodiment, a method includes identifying a problematic event between a first interest point and a second interest point of a network and activating, in response to identifying the problematic event between the first interest point and the second interest point, a first endpoint associated with the first interest point and a second endpoint associated with the second interest point. The method also includes receiving, from the first endpoint and the second endpoint, telemetry data associated with a problematic path between the first interest point and the second interest point. The method further includes determining the problematic path between the first interest point and the second interest point using the telemetry data received from the first endpoint and the second endpoint.

Abstract: An embodiment of the present disclosure is directed a set of data centers and associated controls in which the data centers include network fabric comprises network routing devices configured to route bi-directional traffic symmetrically through insertable service, e.g., via the associated inter-site and intra-site controls, for a given set of policies or contracts using an ASIC or circuit-assisted arithmetic logic, enforcing such policies at the local network devices, to deterministically select the insertable services.

Abstract: Techniques for using more-specific routing to perform scalable Layer-2 (L2) stretching of subnets across hybrid-cloud environments. Routing tables in a public cloud may allow for routes that are more specific than the default local route, and the more-specific routes may be used to send all traffic to a dedicated, cloud router. The more-specific routes are set up for a VPC where a subnet resides such that the more specific-routes cover at least a portion of subnet range. The next hop for the more-specific routes point to the cloud router which is capable of doing host routing and segmentation extension. Thus, traffic originating from endpoints in a VPC is routed to the cloud router, and the cloud router determines whether the traffic is to be re-routed back to a destination endpoint in the VPC (or another cloud location), or sent to a destination endpoint residing in the on-premises site.

Abstract: This disclosure describes techniques for adaptive disaster recovery of applications running on network devices. The techniques include generating an application template and an application template clone that include application attributes usable to deploy an application stack at an application site. The techniques also include sending the application template clone to a disaster recovery site group to await deployment instructions. In some examples, an observer may determine that a health metric of the application site indicates that a disaster recovery process be triggered. A disaster recovery site of the disaster recovery site group may be selected based at least in part on a performance metric. The application stack may be deployed at the disaster recovery site utilizing the application template clone.

Abstract: Systems, methods, and computer-readable media for elastic policy scaling in multi-cloud fabrics. A method can involve deploying a cluster of policy agents on a hub virtual private cloud (VPC) that interconnects spoke VPCs in a cloud associated with a multi-cloud fabric, and mapping endpoints in the spoke VPCs to the policy agents. The method can involve distributing groups of policies for the endpoints across the policy agents based on the mapping of endpoints to policy agents, and advertising, by each policy agent to a respective first set of virtual gateways in the spoke VPCs, routes associated with endpoints mapped to the policy agent and preventing the policy agent from advertising routes associated with a second set of virtual gateways in the spoke VPCs. The method can involve applying, via the policy agent, a group of policies on the policy agent to traffic received by the policy agent.

Abstract: This disclosure describes techniques for integrating an existing cloud network into a new cloud network. The techniques may include inventorying network resources of an existing cloud network in a multi-cloud network environment. The techniques may also include creating logical resources to represent the network resources of the existing cloud network in a cloud-agnostic network configuration model. In some examples, a target cloud network may be provisioned using the cloud-agnostic network configuration model.

Abstract: This disclosure describes techniques for integrating an existing cloud network into a new cloud network. The techniques may include inventorying network resources of an existing cloud network in a multi-cloud network environment. The techniques may also include creating logical resources to represent the network resources of the existing cloud network in a cloud-agnostic network configuration model. In some examples, a target cloud network may be provisioned using the cloud-agnostic network configuration model.

Abstract: This disclosure describes techniques for adaptive disaster recovery of applications running on network devices. The techniques include generating an application template and an application template clone that include application attributes usable to deploy an application stack at an application site. The techniques also include sending the application template clone to a disaster recovery site group to await deployment instructions. In some examples, an observer may determine that a health metric of the application site indicates that a disaster recovery process be triggered. A disaster recovery site of the disaster recovery site group may be selected based at least in part on a performance metric. The application stack may be deployed at the disaster recovery site utilizing the application template clone.

Abstract: This disclosure describes dynamically monitoring the flow of traffic along a path that can include points across different cloud service provider networks/regions and/or different private networks. Flow monitoring may be started in response to different triggering events. For instance, flow monitoring of network traffic along one or more network paths may be started in response to performance metrics associate with an application within the multi-cloud environment, current/projected network conditions associated with one or more networks within the multi-cloud environment, and the like. In other examples, a user may specify when to perform flow monitoring for one or more network paths.

Abstract: In one embodiment, a method comprises determining, by a first networking device, that a first subflow of a multipath transmission control protocol (MPTCP) connection has been established between a first internet protocol (IP) address of a first computing device and an IP address of a second computing device, wherein the first computing device is multihomed to the first networking device and a second networking device. The method also includes determining, by the first or second networking device, a request to establish a second subflow of the MPTCP connection between a second IP address of the first computing and the IP address of the second computing device. In addition, the method includes advertising, by the first networking device, a primary IP address (PIP) of the first networking device for the first subflow and advertising, by the second networking device, a PIP of the second networking device for the second subflow.

Abstract: This disclosure describes techniques for adaptive disaster recovery of applications running on network devices. The techniques include generating an application template and an application template clone that include application attributes usable to deploy an application stack at an application site. The techniques also include sending the application template clone to a disaster recovery site group to await deployment instructions. In some examples, an observer may determine that a health metric of the application site indicates that a disaster recovery process be triggered. A disaster recovery site of the disaster recovery site group may be selected based at least in part on a performance metric. The application stack may be deployed at the disaster recovery site utilizing the application template clone.

Abstract: Technologies for multi-cloud routing and policy interconnectivity are provided. An example method can include assigning different sets of data plane routers to data plane traffic associated with different address spaces in a cloud site of a multi-cloud fabric to yield a distributed mapping of data plane traffic and data plane routers. The method can further include providing, to an on-premises site in the multi-cloud fabric, routing entries from a control plane router on the cloud site, the routing entries reflecting the distributed mapping and identifying, for each address space, which data plane router handles data plane traffic for that address space; and when a data plane router is deployed at the cloud site, providing, to the on-premises site, updated routing information from the control plane router, the updated routing information identifying the data plane router as a next hop for data plane traffic associated with a respective address space.

Abstract: In one embodiment, a method includes identifying a problematic event between a first interest point and a second interest point of a network and activating, in response to identifying the problematic event between the first interest point and the second interest point, a first endpoint associated with the first interest point and a second endpoint associated with the second interest point. The method also includes receiving, from the first endpoint and the second endpoint, telemetry data associated with a problematic path between the first interest point and the second interest point. The method further includes determining the problematic path between the first interest point and the second interest point using the telemetry data received from the first endpoint and the second endpoint.

Abstract: Techniques are described for dynamically establishing and scaling IPSec tunnels to connect hundreds of sites of a network by making use of the user intent of connecting certain applications for applying security policies and translating it dynamically based on the location and needs of the workloads to set up the network on demand. The techniques involve a tight loop between the network controller of a site (e.g., a cloud Application Policy Infrastructure Controller) and the inter-site or multi-cloud inter-connect controller, stitched through services that enable security and network automation at scale. In particular, to control the number of IPSec tunnels, IPSec tunnels are established only when required. Additionally, IPSec tunnels may be eliminated when no longer required. Thus, resources of a network may be used in a measured way that is necessary and sufficient to meet network traffic demand.

Abstract: The present technology pertains to a system, method, and non-transitory computer-readable medium for orchestrating policies across multiple networking domains. The technology can receive, at a provider domain from a consumer domain, a data request; receive, at the provider domain from the consumer domain, at least one access policy for the consumer domain; translate, at the provider domain, the at least one access policy for the consumer domain into at least one translated access policy understood by the provider domain; apply, at the provider domain, the at least one translated access policy understood by the provider domain to the data request; and send, at the provider domain to the consumer domain, a response to the data request.

Abstract: Technologies for multi-cloud routing and policy interconnectivity are provided. An example method can include assigning different sets of data plane routers to data plane traffic associated with different address spaces in a cloud site of a multi-cloud fabric to yield a distributed mapping of data plane traffic and data plane routers. The method can further include providing, to an on-premises site in the multi-cloud fabric, routing entries from a control plane router on the cloud site, the routing entries reflecting the distributed mapping and identifying, for each address space, which data plane router handles data plane traffic for that address space; and when a data plane router is deployed at the cloud site, providing, to the on-premises site, updated routing information from the control plane router, the updated routing information identifying the data plane router as a next hop for data plane traffic associated with a respective address space.

Abstract: Techniques for routing data packets through service chains within and between public cloud networks of multi-cloud fabrics. A router in a network, e.g., a public cloud network, receives data packets from nodes in the network through segments of the network. Based at least in part on (i) a source address of the data packet, (ii) a destination address of the data packet, and (iii) an identity of the segments of the network from which the data packets are received, the router determines a next node in the network to which the data packet is to be forwarded. The router may then forward the data packet through another segment of the network to the next node and then receive the data packet from the next node through the another segment.

Abstract: Technologies for multi-cloud routing and policy interconnectivity are provided. An example method can include assigning different sets of data plane routers to data plane traffic associated with different address spaces in a cloud site of a multi-cloud fabric to yield a distributed mapping of data plane traffic and data plane routers. The method can further include providing, to an on-premises site in the multi-cloud fabric, routing entries from a control plane router on the cloud site, the routing entries reflecting the distributed mapping and identifying, for each address space, which data plane router handles data plane traffic for that address space; and when a data plane router is deployed at the cloud site, providing, to the on-premises site, updated routing information from the control plane router, the updated routing information identifying the data plane router as a next hop for data plane traffic associated with a respective address space.

Abstract: Systems, methods, and computer-readable media for elastic policy scaling in multi-cloud fabrics. A method can involve deploying a cluster of policy agents on a hub virtual private cloud (VPC) that interconnects spoke VPCs in a cloud associated with a multi-cloud fabric, and mapping endpoints in the spoke VPCs to the policy agents. The method can involve distributing groups of policies for the endpoints across the policy agents based on the mapping of endpoints to policy agents, and advertising, by each policy agent to a respective first set of virtual gateways in the spoke VPCs, routes associated with endpoints mapped to the policy agent and preventing the policy agent from advertising routes associated with a second set of virtual gateways in the spoke VPCs. The method can involve applying, via the policy agent, a group of policies on the policy agent to traffic received by the policy agent.

Abstract: Disclosed is a method that includes calculating, at a collector receiving a data flow and via a hashing algorithm, all possible hashes associated with at least one virtual attribute associated with the data flow to yield resultant hash values. Based on the resultant hash values, the method includes computing a multicast address group and multicasting the data flow to n leafs based on the multicast address group. At respective other collectors, the method includes filtering received sub-flows of the data flow based on the resultant hashes, wherein if a respective hash is owned by a collector, the respective collector accepts and saves the sub-flow in a local switch collector database. A scalable, distributed netflow is possible with the ability to respond to queries for fabric-level netflow statistics even on virtual constructs.