Abstract: Some embodiments provide a method for a network controller that manages a first logical router of a logical network that is implemented across several managed network elements. The method receives input data specifying a first route for a second logical router. Based on a connection between the first logical router and a second logical router in the logical network, the method dynamically generates a second route for the first logical router based on the first route. The method distributes data to implement the first logical router, including the second route, to a set of the managed network elements.

Abstract: Some embodiments provide a network system. The network system includes a first set of host machines hosting virtual machines that connect to each other through a logical network. The network system includes a second set of host machines hosting virtualized containers that operate as gateways to process packets entering the logical network from external sources. Each of the virtualized containers advertises itself to an external router as a next hop for packets entering the logical network such that the external router uses equal-cost multi-path forwarding to distribute the packets across the virtualized containers on the second set of host machines.

Abstract: Some embodiments provide a network system. The network system includes a first set of host machines for hosting virtual machines that connect to each other through a logical network. The first set of host machines includes managed forwarding elements for forwarding data between the host machines. The network system includes a second set of host machines for hosting virtualized containers that operate as gateways for forwarding data between the virtual machines and an external network. At least one of the virtualized containers peers with at least one physical router in the external network in order to advertise addresses of the virtual machines to the physical router.

Abstract: Some embodiments provide a method for a network controller. The method receives configuration data, for a logical router managed by the network controller, that specifies at least one logical port for the logical router. The method automatically generates connected routes for the logical router based on network address ranges specified for the logical ports of the logical router. The method receives a manually input static route for the logical router. The method generates data tuples, for distribution to several managed network elements, based on the connected and static routes for the logical router in order for the several managed network elements to implement the logical router.

Abstract: Some embodiments provide a network controller for managing a logical network implemented across several managed network elements. The logical network includes at least one logical router. The network controller includes an input interface for receiving configuration state for the logical router. The network controller includes a table mapping engine for generating data tuples for distribution to the managed network elements in order for the managed network elements to implement the logical router. The network controller includes a route processing engine for receiving a set of input routes from the table mapping engine based on the configuration state for the logical router, performing a recursive route traversal process to generate a set of output routes, and returning the set of output routes to the table mapping engine. The table mapping engine uses the set of output routes to generate the data tuples for distribution to the plurality of managed network elements.

Abstract: A network control system for interconnecting several separate networks. The system includes i) several interconnection switching elements, each of which is for connecting one of the separate networks to a common interconnecting network, ii) a first set of network controllers for managing a first set of the interconnection switching elements at a first set of separate networks in order for machines at different networks within the first set to communicate with each other, iii) a second set of network controllers for managing a second set of interconnection switching elements at a second set of separate networks in order for machines at different networks within the second set to communicate with each other, and iv) a third set of network controllers for managing the first and second sets of network controllers in order for machines at networks in the first set to communicate with machines at networks in the second set.

Abstract: Some embodiments provide a network control system for generating physical control plane data for managing first and second managed forwarding elements that implement forwarding operations associated with a first logical datapath set. The system includes a first controller instance for converting logical control plane data for the first logical datapath set to universal physical control plane (UPCP) data. The system includes a second controller instance for converting UPCP data to customized physical control plane (CPCP) data for the first managed forwarding element but not the second managed forwarding element. Each controller instance includes a network information base (NIB) storage for storing data and exchanging data with the other controller instance.

Abstract: Some embodiments provide a method for a first managed forwarding element that implements logical forwarding elements of a logical network. The method receives a first packet from a second managed forwarding element. The first packet includes context information that indicates a logical network destination that maps to a physical destination connected to the first managed forwarding element. At the first managed forwarding element, the method dynamically generates a flow entry for processing subsequent packets received by the first managed forwarding element from the physical destination and sent to a source of the first packet. The method processes a second packet received by the first managed forwarding element from the physical destination with the dynamically generated flow entry. The dynamically generated flow entry specifies to send the second packet to the second managed forwarding element before logically forwarding the second packet through the logical network.

Abstract: Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall the packet back to the managed switching element through the software port.

Abstract: A non-transitory machine readable medium storing a program that configures a managed forwarding element to perform logical L2 switching and L3 routing is described. The program generates a first set of flow entries for configuring the first managed forwarding element to perform (1) a first logical L2 processing for a first logical L2 domain, (2) a logical L3 processing, (3) a load balancing processing to select a second managed forwarding element from a plurality of managed forwarding elements to which to forward packets and (4) a logical ingress L2 processing for a second logical L2 domain on the packets. The program generates a second set of flow entries for configuring the second managed forwarding element to perform a second logical L2 processing for a second logical L2 domain on the packets.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: Some embodiments provide a method for a first managed forwarding element that implements a logical network. The method receives a packet from a second managed forwarding element. The first packet has an initial set of characteristics defining a first connection between a source machine connected to the second managed forwarding element and a destination machine connected to the first managed forwarding element. The method determines whether a second connection exists with the initial set of characteristics between a different machine connected to a third managed forwarding element and the destination machine. When a second connection exists with the initial set of characteristics, the method modifies at least one characteristic of the packet such that the modified packet does not have the same set of characteristics. The method delivers the modified packet to the destination machine.

Abstract: Some embodiments provide a method for a first managed forwarding element that implements logical forwarding elements of a logical network. The method receives a first packet from a second managed forwarding element. The first packet includes context information that indicates a logical network destination that maps to a physical destination connected to the first managed forwarding element. At the first managed forwarding element, the method dynamically generates a flow entry for processing subsequent packets received by the first managed forwarding element from the physical destination and sent to a source of the first packet. The method processes a second packet received by the first managed forwarding element from the physical destination with the dynamically generated flow entry. The dynamically generated flow entry specifies to send the second packet to the second managed forwarding element before logically forwarding the second packet through the logical network.

Abstract: Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall the packet back to the managed switching element through the software port.

Abstract: Some embodiments provide a system that allows for the use of direct host return ports (abbreviated “DHR ports”) on managed forwarding elements to bypass gateways in managed networks. The DHR ports provide a direct connection from certain managed forwarding elements in the managed network to remote destinations that are external to the managed network. Managed networks can include both a logical abstraction layer and physical machine layer. At the logical abstraction layer, the DHR port is treated as a port on certain logical forwarding elements. The DHR port transmits the packet to the routing tables of the physical layer machine that hosts the logical forwarding element without any intervening transmission to other logical forwarding elements. The routing tables of the physical layer machine then strip any logical context associated with a packet and forwarding the packet to the remote destination without any intervening forwarding to a physical gateway provider.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller assigns a first set of identifiers to a first middlebox instance that associates an identifier in the first set with a first packet. The controller assigns a second set of identifiers to a second middlebox instance that associates an identifier in the second set with a second packet.

Abstract: A controller of a network control system for configuring several middlebox instances is described. The middlebox instances implement a middlebox in a distributed manner in several hosts. The controller assigns a first set of identifiers to a first middlebox instance that associates an identifier in the first set with a first packet. The controller assigns a second set of identifiers to a second middlebox instance that associates an identifier in the second set with a second packet.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.