Abstract: Some embodiments provide a method for configuring a gateway machine in a datacenter. The method receives a definition of a logical network for implementation in the datacenter. The logical network includes at least one logical switch to which logical network endpoints attach and a logical router for handling data traffic between the logical network endpoints in the datacenter and an external network. The method receives configuration data attaching a third-party service to at least one interface of the logical router via an additional logical switch designated for service attachments. The third-party service is for performing non-forwarding processing on the data traffic between the logical network endpoints and the external network. The method configures the gateway machine in the datacenter to implement the logical router and redirect at least a subset of the data traffic between the logical network endpoints and the external network to the attached third-party service.

Abstract: Some embodiments provide a method for forwarding a data message. The method performs a lookup to map a set of header fields of the data message to an identifier corresponding to a service that performs non-forwarding processing on data messages. The method uses a dynamically-updated data structure for the identifier to retrieve instructions for forwarding data messages to the service. The method forwards the data message according to the retrieved instructions from the data structure for the identifier.

Abstract: A novel method for dynamic network service allocation that maps generic services into specific configurations of service resources in a network is provided. An application that is assigned to be performed by computing resources in the network is associated with a set of generic services, and the method maps the set of generic services to the service resources based on the assignment of the application to the computing resources. The mapping of generic services is further based on a level of service that is chosen for the application, where the set of generic services are mapped to different sets of network resources according to different levels of services.

Abstract: Example methods are provided for packet handling during service virtualized computing instance migration in a software-defined networking (SDN) environment. The method may comprise configuring first reachability information to associate a first service virtualized computing instance with an active role, and second reachability information to associate a second service virtualized computing instance with a standby role. In response to determination that a switchover is required to facilitate a migration of the first service virtualized computing instance, the first reachability information may be updated to associate the first service virtualized computing instance with the standby role, and the second reachability information to associate the second service virtualized computing instance with the active role.

Abstract: Example methods are provided for configuring traffic flow monitoring in a virtualized computing environment. The method may comprise identifying a first logical entity and a second logical entity for which traffic flow monitoring is required and determining a span associated with the first logical entity and the second logical entity. The span may include a first host supporting the first logical entity and a second host supporting the second logical entity. The method may also comprise, based on the span, configuring the first host to monitor a first traffic flow travelling through the first logical entity at the first host, and the second host to monitor a second traffic flow travelling through the second logical entity at the second host.

Abstract: Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes datapaths (e.g., egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify service-nodes cluster for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters.

Abstract: Some embodiments provide a method for efficient data message transfer across a hypervisor, service DCN, and containers implementing partner network services. The method allocates memory to a service DCN that operates a set of containers for providing partner network services for data messages received by the service DCN. The service DCN and the containers share the allocated memory and the method stores data messages received by the service DCN in the allocated memory. The method then accesses the data message stored in the shared memory from a set of partner network service containers to perform the partner network services. In some embodiments, the host machine or a process of the host machine on which the service DCN executes also shares the allocated memory. The host machine process, in some embodiments is a kernel process.

Abstract: Some embodiments provide a novel method for configuring a service data compute node (DCN) executing on a host computer to perform network services (e.g., firewall, load balancing, intrusion detection, network address translation (NAT), other middlebox services, etc.) for several DCNs executing on the host computer. The method receives, at the service DCN, an identification of a set of container specifications that will be implemented (e.g., will be executed by) the service DCN. The method then retrieves the identified set of container specifications (e.g., container images) from a container repository storing multiple received container specifications. In some embodiments, the container specifications include container images generated by a third party service partner for providing a particular service or set of services and stored in a container repository. The method then instantiates the retrieved containers to provide the identified network services to data messages received at the service DCN.

Abstract: A method for managing service resources of a group of host machines is provided. Each host machine provides services for a corresponding set of data compute nodes (DCNs). The method receives service distribution configuration for a set of entities comprising at least one of a tenant, a service, and a provider. The method identifies a set of host machines on which a set of DCNs for the set of entities operate. The method determines an amount of resources to be assigned to each entity of the set of entities. The method communicates with the set of host machines to modify a set of resource pools available on each host machine.

Abstract: A method of enhancing log packets with context metadata is provided. The method at a redirecting filter on a host in a datacenter, intercepts a packet from a data compute node (DCN) of a datacenter tenant. The method determines that the intercepted packet is a log packet. The method forwards the log packet and a first set of associated context metadata to a proxy logging server. The first set of context metadata is associated with the log packet based on the DCN that generated the packet. The method, at the proxy logging server, associates a second set of context metadata with the log packet. The second set of context metadata is received from a compute manager of the datacenter. The method sending the log packet and the first and second sets of context metadata from the proxy logging server to a central logging server associated with the tenant.

Abstract: Some embodiments provide a method for troubleshooting a virtual network that is implemented across a plurality of computing devices. The method provides a command line interface (CLI) for receiving and executing commands for debugging and monitoring the virtual network. Each command is for communicating with a set of the computing devices in order to monitor a network service being provided by the set of computing devices. The CLI operates in multiple different contexts for monitoring multiple different types of network services. While the CLI is operating in a particular context for a particular type of network service, the method receives a command comprising a set of identifiers. The method determines the validity of the received command under the particular context. When the received command is valid under the particular context, the method transmits data to a computing device identified by the received command.

Abstract: A novel centralized troubleshooting tool that enables user to troubleshoot a distributed virtual network with a single consistent user interface is provided. The distributed virtual network being monitored or debugged by the centralized troubleshooting tool includes different types of logical resources (LRs) that placed or distributed across different physical endpoints (PEs). The centralized troubleshooting tool provides functions that allow the user to invoke commands on different physical endpoints in order to collect information about the logical resources running in those physical endpoints. This allows the user to compare and analyze the information from different PEs for a same LR.

Abstract: Methods, computer-readable storage medium and systems described herein facilitate registering and consuming network services on a virtual network. A virtual machine management server (VMMS) is configured to receive a service definition associated with a network service. The VMMS creates one or more service profiles based on the service definition. The VMMS configures a plurality of hosts based on the one or more service profiles such that the network service is usable, via a virtual network, by one or more virtual machines within the plurality of hosts.

Abstract: Some embodiments provide a method for troubleshooting a virtual network that is implemented across a plurality of computing devices. The method provides a command line interface (CLI) for receiving and executing commands for debugging and monitoring the virtual network. Each command is for communicating with a set of the computing devices in order to monitor a network service being provided by the set of computing devices. The CLI operates in multiple different contexts for monitoring multiple different types of network services. While the CLI is operating in a particular context for a particular type of network service, the method receives a command comprising a set of identifiers. The method determines the validity of the received command under the particular context. When the received command is valid under the particular context, the method transmits data to a computing device identified by the received command.

Abstract: Some embodiments provide a method for troubleshooting a virtual network that is implemented over multiple computing devices, which include first and second host machines that host virtual machines (VMs). Each VM interfaces the virtual network through a set of virtual network interface controllers (VNICs). The method provides a command line interface (CLI) for debugging and monitoring the virtual network. In response to receiving a first command at the CLI that identifies a first VNIC, the method retrieves from the first host machine a first set of network service status data associated with the first VNIC. In response to receiving a second command at the CLI that identifies a second VNIC, the method retrieves from the second host machine a second set of network service status data associated with a second VNIC. The method presents the retrieved first and second sets of network service status data through the CLI.

Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.

Abstract: A novel centralized troubleshooting tool that enables user to troubleshoot a distributed virtual network with a single consistent user interface is provided. The distributed virtual network being monitored or debugged by the centralized troubleshooting tool includes different types of logical resources (LRs) that placed or distributed across different physical endpoints (PEs). The centralized troubleshooting tool provides functions that allow the user to invoke commands on different physical endpoints in order to collect information about the logical resources running in those physical endpoints. This allows the user to compare and analyze the information from different PEs for a same LR.

Abstract: Example methods are provided for configuring traffic flow monitoring in a virtualized computing environment. The method may comprise identifying a first logical entity and a second logical entity for which traffic flow monitoring is required and determining a span associated with the first logical entity and the second logical entity. The span may include a first host supporting the first logical entity and a second host supporting the second logical entity. The method may also comprise, based on the span, configuring the first host to monitor a first traffic flow travelling through the first logical entity at the first host, and the second host to monitor a second traffic flow travelling through the second logical entity at the second host.

Abstract: Methods, computer-readable storage medium, and systems described herein facilitate registering and consuming network services on a virtual network. A virtual machine management server (VMMS) is configured to receive a service definition associated with a network service. The VMMS creates one or more service profiles based on the service definition. The VMMS configures a plurality of hosts based on the one or more service profiles such that the network service is usable, via a virtual network, by one or more virtual machines within the plurality of hosts.

Abstract: Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes datapaths (e.g., egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify service-nodes cluster for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters.