Abstract: Techniques for an application watcher system that includes a plurality of watchers that obtain various types of application configurations and/or state data which is used to make networking decisions and drive networking operations. The watchers of the application watcher system may each be configured to communicate with an application orchestration system that manages the application and obtain different types of application configurations and/or state data. In some instances, the application watcher system may run on a network orchestrator of the network, or be in communication with the network orchestrator, and provide application configurations and/or state data to the network orchestrator to make networking decisions.

Abstract: According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.

Abstract: A logical routing element (LRE) having multiple designated instances for routing packets from physical hosts (PH) to a logical network is provided. A PH in a network segment with multiple designated instances can choose among the multiple designated instances for sending network traffic to other network nodes in the logical network according to a load balancing algorithm. Each logical interface (LIF) of an LRE is defined to be addressable by multiple identifiers or addresses, and each LIF identifier or address is assigned to a different designated instance.

Abstract: According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.

Abstract: A LRE (logical routing element) that have LIFs that are active in all host machines spanned by the LRE as well as LIFs that are active in only a subset of those spanned host machines is provided. A host machine having an active LIF for a particular L2 segment would perform the L3 routing operations for network traffic related to that L2 segment. A host machine having an inactive LIF for the particular L2 segment would not perform L3 routing operations for the network traffic of the L2 segment.

Abstract: Techniques for extending application-aware routing (AAR) policies to enable intelligent routing decisions based on device security posture. The techniques may include receiving, from a client device, traffic that is to be sent over a network to an application and determining a security score associated with the traffic. The security score may be based on a security posture associated with the client device, a security level associated with a connectivity network used by the client device, and the like. The techniques may also include determining, based at least in part on the security score and based at least in part on an application-aware routing policy, a path for sending the traffic to the application.

Abstract: Some embodiments provide a method of operating several logical networks over a network virtualization infrastructure. The method defines a managed physical switching element (MPSE) that includes several ports for forwarding packets to and from a plurality of virtual machines. Each port is associated with a unique media access control (MAC) address. The method defines several managed physical routing elements (MPREs) for the several different logical networks. Each MPRE is for receiving data packets from a same port of the MPSE. Each MPRE is defined for a different logical network and for routing data packets between different segments of the logical network. The method provides the defined MPSE and the defined plurality of MPREs to a plurality of host machines as configuration data.

Abstract: Systems and methods are provided for receiving bandwidth metrics from a plurality of routers on respective link routes in a network, compiling a link database including the bandwidth metrics of each respective link route in the network, selecting a first designated link path from the link database between a first router and a second router based on an application routing policy, the application routing policy being based on a routing metric, providing a first multiprotocol label switching label based on the first designated link path to the first router of the plurality of routers in the network, and restricting network traffic of the first router to the first designated link path provided in the first multiprotocol label switching label.

Abstract: Some embodiments provide a method of operating several logical networks over a network virtualization infrastructure. The method defines a managed physical switching element (MPSE) that includes several ports for forwarding packets to and from a plurality of virtual machines. Each port is associated with a unique media access control (MAC) address. The metho defines several managed physical routing elements (MPREs) for the several different logical networks. Each MPRE is for receiving data packets from a same port of the MPSE. Each MPRE is defined for a different logical network and for routing data packets between different segments of the logical network. The method provides the defined MPSE and the defined plurality of MPREs to a plurality of host machines as configuration data.

Abstract: An application monitoring system for collecting, utilizing, and/or exchanging state information (e.g., application state and network state), configuration information, and/or other information to make network optimizations for applications orchestrated by an application orchestration system. The application monitoring system may include an application orchestrator discovery component that is configured to determine a presence of an application orchestration system for orchestrating applications. The application monitoring system may also include one or more application watch components for monitoring, among other things, application state, application configuration, and/or application replicas. The application monitoring system may further include a network state propagation component configured to provide network state information to the orchestration system.

Abstract: A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.

Abstract: A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.

Abstract: Techniques for providing a standardized interface that is configured to provide application developers with ways for interacting with different wide area network controllers. A standardized interface may include an application programming interface (API) server that can receive a connectivity request associated with an application that is to be hosted on an application orchestration system. The API server may determine, based at least in part on the connectivity request, a vendor network to be used by the application to send traffic to a remote service. Based at least in part on determining the vendor network, the API server may translate the connectivity request into a first format that is understandable by a controller of the vendor network. The API server may also provide the connectivity request in the first format to the controller of the vendor network such that a path through the vendor network can be determined.

Abstract: Systems and methods are provided for receiving bandwidth metrics from a plurality of routers on respective link routes in a network, compiling a link database including the bandwidth metrics of each respective link route in the network, selecting a first designated link path from the link database between a first router and a second router based on an application routing policy, the application routing policy being based on a routing metric, providing a first multiprotocol label switching label based on the first designated link path to the first router of the plurality of routers in the network, and restricting network traffic of the first router to the first designated link path provided in the first multiprotocol label switching label.

Abstract: A system of one embodiment that provides stateless symmetric forwarding of packets in a computer network. The system includes a memory and a processor. The system is operable to determine a cluster state of a plurality of border routers in a cluster. The system is operable to communicate the cluster state to at least one branch node in the computer network. The system is operable to generate a network level consistent hash based on the cluster state. The system is operable to route a first packet through a first border router of the plurality of border routers in the cluster using the network level consistent hash. After the first packet is sent through a first border router, the system is further operable to route a second packet through the first border router of the plurality of border routers in the cluster using the network level consistent hash.

Abstract: A LRE (logical routing element) that have LIFs that are active in all host machines spanned by the LRE as well as LIFs that are active in only a subset of those spanned host machines is provided. A host machine having an active LIF for a particular L2 segment would perform the L3 routing operations for network traffic related to that L2 segment. A host machine having an inactive LIF for the particular L2 segment would not perform L3 routing operations for the network traffic of the L2 segment.

Abstract: A logical routing element (LRE) having multiple designated instances for routing packets from physical hosts (PH) to a logical network is provided. A PH in a network segment with multiple designated instances can choose among the multiple designated instances for sending network traffic to other network nodes in the logical network according to a load balancing algorithm. Each logical interface (LIF) of an LRE is defined to be addressable by multiple identifiers or addresses, and each LIF identifier or address is assigned to a different designated instance.

Abstract: According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.

Abstract: A LRE (logical routing element) that have LIFs that are active in all host machines spanned by the LRE as well as LIFs that are active in only a subset of those spanned host machines is provided. A host machine having an active LIF for a particular L2 segment would perform the L3 routing operations for network traffic related to that L2 segment. A host machine having an inactive LIF for the particular L2 segment would not perform L3 routing operations for the network traffic of the L2 segment.

Abstract: Systems and methods are provided for receiving bandwidth metrics from a plurality of routers on respective link routes in a network, compiling a link database including the bandwidth metrics of each respective link route in the network, selecting a first designated link path from the link database between a first router and a second router based on an application routing policy, the application routing policy being based on a routing metric, providing a first multiprotocol label switching label based on the first designated link path to the first router of the plurality of routers in the network, and restricting network traffic of the first router to the first designated link path provided in the first multiprotocol label switching label.