Abstract: A virtual network provider system supports a virtual network including virtual machines that are each assigned to an underlay address of an underlay addressing scheme. The virtual network provider system further includes multiple routing domains each defined to include a different subset of the virtual machines. Each of the routing domains is assigned to a range of overlay addresses of an overlay addressing scheme. For each routing domain, the assigned range of overlay addresses is allocated among the subset of the virtual machines in the routing domain. The system further includes a virtual network host configured to use addresses of the overlay addressing scheme to selectively route messages between endpoints on select pairs of the virtual machines assigned to a same routing domain of the plurality of routing domains.

Abstract: The disclosed technology is generally directed to virtual machines. In one example of the technology, a network change from a first virtual network to a second virtual network is reconfigured for a first virtual machine that is executing on a first virtual machine host. The reconfiguring includes the following. In the first virtual machine host, a mapping change from the first virtual network to the second virtual network is configured by reprogramming drivers in the first virtual machine host for route mapping for the second virtual network. A Dynamic Host Configuration Protocol (DHCP) retrigger is caused without rebooting the first virtual machine. A configuration file is provided to the first virtual machine. The configuration file includes user-specific networking settings. The first virtual machine is reconfigured in accordance with the user-specific networking settings.

Abstract: Described herein are systems and methods for supporting multicast for virtual networks. In some embodiments, a native multicast approach can utilized in which packet replication is performed on a host node of a virtual machine (VM) with a multicast data packet encapsulated in uniquely address unicast packets. In some embodiments, a network virtual appliance can be utilized. A multicast packet sent from the VM can be unicasted to the network virtual appliance. The multicast appliance can then replicate the packet into multiple copies and send the packets to the receivers in the virtual network as unicast data packets encapsulating the multicast packet.

Abstract: A virtual network manager and associated user interface/portal provide customers with simplified centralized management of virtual networks to implement logical groupings of network resources at scale. The virtual network manager enables network segmentation using names or tags, connectivity configuration to create different virtual network topologies, security configuration to provide enforcement of organizational rules without being overwritten and Network Security Group (NSG) management in a simple and scalable manner, safe deployment of network configurations to designated regions on a fix and roll forward basis, and virtual network (VNet) level monitoring.

Abstract: Transmission Control Protocol (TCP) states of an active device are replicated at a backup device configured to track connections in a software defined network (SDN). The backup device receives, from the active device, a TCP packet with a TCP flag including one or more of SYN, SYN-ACK, ACK, FIN, FIN-ACK, ACK, or RESET. When the TCP packet has a SYN flag, the backup device adds a connection record to a connection table. Otherwise, the backup device derives an updated connection state for the connection record using a TCP state machine. The connection state is updated as future packets are received by the backup device.

Abstract: Data flows in a virtualized computing environment are efficiently updated by a hardware-based networking device configured to disaggregate processing of data packets of the data flows from hosts of the virtualized computing environment. A connection table is accessed that defines connection flows for data packets having a source from an endpoint in a virtual network of the virtualized computing environment or a destination to the endpoint in the virtual network of the virtualized computing environment. The hardware-based networking device re-simulates full packet processing paths for each of the flows in the connection table and updates the flows in the connection table to ensure that the flows in the connection table implement policies of the virtualized computing environment that were updated after corresponding flows in the connection table were added to the connection table.

Abstract: Techniques are disclosed for processing data packets and implementing policies in a software defined network (SDN) of a virtual computing environment. At least two SDN appliances are configured to disaggregate enforcement of policies of the SDN from hosts of the virtual computing environment. The hosts are implemented on servers communicatively coupled to network interfaces of the SDN appliance. The servers host a plurality of virtual machines. The servers are communicatively coupled to network interfaces of at least two top-of-rack switches (ToRs). The SDN appliance comprises a plurality of smart network interface cards (sNICs) configured to implement functionality of the SDN appliance. The sNICs have a floating network interface configured to provide a virtual port connection to an endpoint within a virtual network of the virtual computing environment.

Abstract: Techniques are disclosed for processing data packets by a hardware-based networking device configured to disaggregate processing of data packets from hosts of a virtualized computing environment. The hardware-based networking device includes a hardware-based component implementing a plurality of behavioral models indicative of packet processing graphs for data flows in the virtualized computing environment. A data packet having a source from or destination to an endpoint in a virtual network of the virtualized computing environment is received. Based on determining that the data packet is a first packet of a data flow to or from the endpoint, one of the behavioral models is mapped to the data flow. The packet is modified in accordance with the mapped behavioral model. A state of the data flow is stored. Subsequent data packets of the data flow are processed based on the stored state.

Abstract: Techniques are disclosed for processing data packets and implementing policies in a software defined network (SDN) of a virtual computing environment. At least one SDN appliance is configured to disaggregate enforcement of policies of the SDN from hosts of the virtual computing environment. The servers are communicatively coupled to network interfaces of the SDN appliance. The servers host a plurality of virtual machines The SDN appliance comprises a plurality of smart network interface cards (sNICs) configured to implement functionality of the SDN appliance.

Abstract: Techniques are disclosed for processing data packets and implementing policies in a software defined network (SDN) of a virtual computing environment. At least two SDN appliances are configured to disaggregate enforcement of policies of the SDN from hosts of the virtual computing environment. The hosts are implemented on servers communicatively coupled to network interfaces of the SDN appliance. The servers host a plurality of virtual machines. The servers are communicatively coupled to network interfaces of at least two top-of-rack switches (ToRs). The SDN appliance comprises a plurality of smart network interface cards (sNICs) configured to implement functionality of the SDN appliance. The sNICs have a floating network interface configured to provide a virtual port connection to an endpoint within a virtual network of the virtual computing environment.

Abstract: Techniques are disclosed for processing data packets and implementing policies in a software defined network (SDN) of a virtual computing environment. At least two SDN appliances are configured to disaggregate enforcement of policies of the SDN from hosts of the virtual computing environment. The hosts are implemented on servers communicatively coupled to network interfaces of the SDN appliance. The servers host a plurality of virtual machines. The servers are communicatively coupled to network interfaces of at least two top-of-rack switches (ToRs). The SDN appliance comprises a plurality of smart network interface cards (sNICs) configured to implement functionality of the SDN appliance. The sNICs have a floating network interface configured to provide a virtual port connection to an endpoint within a virtual network of the virtual computing environment.

Abstract: A virtual network manager and associated user interface/portal provide customers with simplified centralized management of virtual networks to implement logical groupings of network resources at scale. The virtual network manager enables network segmentation using names or tags, connectivity configuration to create different virtual network topologies, security configuration to provide enforcement of organizational rules without being overwritten and Network Security Group (NSG) management in a simple and scalable manner, safe deployment of network configurations to designated regions on a fix and roll forward basis, and virtual network (VNet) level monitoring.

Abstract: Systems and methods for enabling access to dedicated resources in a virtual network using top of rack switches are disclosed. A method includes a virtual filtering platform encapsulating at least one packet, received from a virtual machine, to generate at least one encapsulated packet comprising a virtual network identifier (VNI). The method further includes a TOR switch: (1) receiving the at least one encapsulated packet and decapsulating the at least one encapsulated packet to create at least one decapsulated packet, (2) using the VNI to identify a virtual routing and forwarding artifact to determine a virtual local area network interface associated with the dedicated hardware portion, and (3) transmitting the at least one decapsulated packet to the dedicated hardware portion based on at least one policy provided by a controller, where the at least one policy comprises information related to a customer of the service provider.

Abstract: Distributed computing systems, devices, and associated methods of packet processing are disclosed herein. One example method includes receiving a packet having a header with a protocol field, a source address field, a source port field, a destination address field, and a destination port field individually containing a corresponding value. The method also includes extracting the values of the protocol field, the source address field, the source port field, the destination field, and the destination port field, determining whether a first match action table (“MAT”) contains an entry indexed to the extracted values, and in response to determining that the first MAT does not contain an entry indexed to the extracted values, using a subset of the extracted values to identify an entry in a second MAT.

Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.

Abstract: Techniques are disclosed for processing data packets and implementing policies in a software defined network (SDN) of a virtual computing environment. At least two SDN appliances are configured to disaggregate enforcement of policies of the SDN from hosts of the virtual computing environment. The hosts are implemented on servers communicatively coupled to network interfaces of the SDN appliance. The servers host a plurality of virtual machines. The servers are communicatively coupled to network interfaces of at least two top-of-rack switches (ToRs). The SDN appliance comprises a plurality of smart network interface cards (sNICs) configured to implement functionality of the SDN appliance. The sNICs have a floating network interface configured to provide a virtual port connection to an endpoint within a virtual network of the virtual computing environment.

Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Additionally or alternatively, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls to the tenant's virtual network.

Abstract: Techniques are disclosed for processing data packets by a hardware-based networking device configured to disaggregate processing of data packets from hosts of a virtualized computing environment. The hardware-based networking device includes a hardware-based component implementing a plurality of behavioral models indicative of packet processing graphs for data flows in the virtualized computing environment. A data packet having a source from or destination to an endpoint in a virtual network of the virtualized computing environment is received. Based on determining that the data packet is a first packet of a data flow to or from the endpoint, one of the behavioral models is mapped to the data flow. The packet is modified in accordance with the mapped behavioral model. A state of the data flow is stored. Subsequent data packets of the data flow are processed based on the stored state.

Abstract: Techniques are disclosed for processing data packets and implementing policies in a software defined network (SDN) of a virtual computing environment. At least two SDN appliances are configured to disaggregate enforcement of policies of the SDN from hosts of the virtual computing environment. The hosts are implemented on servers communicatively coupled to network interfaces of the SDN appliance. The servers host a plurality of virtual machines. The servers are communicatively coupled to network interfaces of at least two top-of-rack switches (ToRs). The SDN appliance comprises a plurality of smart network interface cards (sNICs) configured to implement functionality of the SDN appliance. The sNICs have a floating network interface configured to provide a virtual port connection to an endpoint within a virtual network of the virtual computing environment.

Abstract: Techniques are disclosed for processing data packets and implementing policies in a software defined network (SDN) of a virtual computing environment. At least one SDN appliance is configured to disaggregate enforcement of policies of the SDN from hosts of the virtual computing environment. The servers are communicatively coupled to network interfaces of the SDN appliance. The servers host a plurality of virtual machines The SDN appliance comprises a plurality of smart network interface cards (sNICs) configured to implement functionality of the SDN appliance.