Abstract: Example implementations include a method, apparatus, and computer-readable medium configured for generating a network configuration using a large language model (LLM). The apparatus receives, at an interface between a user and LLM, a natural language intent for a network configuration. The apparatus requests the large language model to update the network configuration to an updated network configuration that satisfies the natural language intent in a declarative network configuration language. The apparatus verifies whether the updated network configuration satisfies a configuration syntax of the declarative network configuration language to detect an error. The apparatus requests the large language model to update the updated network configuration to correct the error. The apparatus deploys the updated network configuration to a user network.

Abstract: Described are examples for providing a system for managing configuration and policies for a virtualized wide area network (vWAN) support on a wide area network (WAN). The vWAN includes a plurality of virtual network entities associated with geographic locations including the physical computing resources of the WAN and virtual connections between the virtual network entities. The system includes a network safety component for managing configurations and policies of the vWAN on the WAN. The network safety component receives a change to a policy or configuration of the vWAN from an operator of a network connected to the vWAN. The network safety component evaluates a set of safety rules for the operator based on the change and a network state of a physical WAN underlying the vWAN. The network safety component generates an error message in response to at least one of the set of safety rules failing the evaluation.

Abstract: A computing device is provided, including a processor that receives a network graph. The processor further receives a specification of a network traffic control heuristic for a network traffic routing problem over the network graph. The processor further constructs a gap maximization problem that has, as a maximization target, a difference between an exact solution to the network traffic routing problem and a heuristic solution generated using the network traffic control heuristic. The processor further generates a Lagrange multiplier formulation of the gap maximization problem. At a convex solver, the processor further computes an estimated maximum gap as an estimated solution to the Lagrange multiplier formulation of the gap maximization problem. The processor further performs a network traffic control action based at least in part on the estimated maximum gap.

Abstract: The present application relates to a system for ingress traffic management. The system includes a collection system within a network configured to collect traffic arrival information for peering links of the network. The system includes a training system configured to train a model based on the traffic arrival information to predict a probability of a traffic flow arriving on a peering link. The system includes a congestion mitigation system configured to predict based on the model, for traffic flows arriving on one or more peering links, other peering links to which the traffic flows would be shifted due to a condition affecting the one or more peering links. The congestion mitigation system may determine, in response to the condition, a set of prefixes to withdraw based on the other peering links to which traffic would be shifted.

Abstract: Techniques of network configuration verification are disclosed herein. One example process includes, upon receiving a query to determine whether a packet from a first endpoint is reachable to a second endpoint in a virtual network, identifying a network path between the first endpoint to the second endpoint in a network graph. The network graph has nodes representing corresponding enforcement points of network policies in the virtual network and edges connecting pairs of the nodes. The example process can also include generating compound function representing conjoined individual constraints of the network policies at each of the nodes in the network graph along the identified network path, compiling the generated compound function into a Boolean formula, and solving the compiled Boolean formula to determine whether an assignment of values to packet fields of the packet exists such that all the conjoined individual constraints of the compound function can be satisfied.

Abstract: Techniques of network configuration verification are disclosed herein. One example process includes, upon receiving a query to determine whether a packet from a first endpoint is reachable to a second endpoint in a virtual network, identifying a network path between the first endpoint to the second endpoint in a network graph. The network graph has nodes representing corresponding enforcement points of network policies in the virtual network and edges connecting pairs of the nodes. The example process can also include generating compound function representing conjoined individual constraints of the network policies at each of the nodes in the network graph along the identified network path, compiling the generated compound function into a Boolean formula, and solving the compiled Boolean formula to determine whether an assignment of values to packet fields of the packet exists such that all the conjoined individual constraints of the compound function can be satisfied.

Abstract: Described are examples for providing management of a virtual wide area network (vWAN) based on operator policies. A network orchestrator presents, to a network operator, a representation of the vWAN including virtual network entities associated with respective geographic locations and virtual connections between the virtual network entities. The network orchestrator receives a policy for the virtual wide area network from the network operator via the representation, the policy to be implemented at one or more of the virtual connections. The network orchestrator translates the policy for the virtual wide area network into a configuration of an underlying wide area network (WAN). The underlying WAN a plurality of geographically distributed physical computing resources in geographic regions corresponding to the virtual network entities and connections there between.

Abstract: A network verification system uses general-purpose programming language to create network verification tests. A test orchestrator builds a model of the network only using data from the network verification test. An optimization testing manager creates symbolic packets for verification tests using assertions based on a packet library embedded into the testing manager and the general-purpose programming language.

Abstract: The present application relates to communications between a partner network and a wide area network (WAN) via the Internet. Although Internet service providers may act as autonomous systems, the WAN may control routing from the partner network by advertising unicast border gateway protocol (BGP) address prefixes for a plurality of front-end devices in the WAN. An agent in the partner network measures a plurality of paths to a service within the WAN. Each of the plurality of paths is associated with one of the plurality of front-end devices and a respective unicast BGP address prefix. The WAN selects a path within the WAN for the service. The WAN exports a routing rule to the agent. The agent forwards data packets for the service to the respective BGP address prefix via the Internet. The WAN receives data packets for the service of the partner network at the selected device.

Abstract: Ghost routing is a network verification technique that uses a portion of a production network itself to verify the impact of potential network changes. Ghost routing logically partitions the production network into a main network and a ghost network. The main network handles live traffic while the ghost network handles traffic generated for diagnostic purposes. The ghost network may have a network topology identical to the production network and may use the same hardware and software as the production network. An operator may implement a network configuration change on the ghost network and then use verification tools to verify that the network configuration change on the ghost network does not result in bugs. Verifying on the ghost network may not affect the main network. If the network operator verifies the network configuration change on the ghost network, the network operator may implement the network configuration change on the main network.

Abstract: Described are examples for providing a system for managing configuration and policies for a virtualized wide area network (vWAN) support on a wide area network (WAN). The vWAN includes a plurality of virtual network entities associated with geographic locations including the physical computing resources of the WAN and virtual connections between the virtual network entities. The system includes a network safety component for managing configurations and policies of the vWAN on the WAN. The network safety component receives a change to a policy or configuration of the vWAN from an operator of a network connected to the vWAN. The network safety component evaluates a set of safety rules for the operator based on the change and a network state of a physical WAN underlying the vWAN. The network safety component generates an error message in response to at least one of the set of safety rules failing the evaluation.

Abstract: Ghost routing is a network verification technique that uses a portion of a production network itself to verify the impact of potential network changes. Ghost routing logically partitions the production network into a main network and a ghost network. The main network handles live traffic while the ghost network handles traffic generated for diagnostic purposes. The ghost network may have a network topology identical to the production network and may use the same hardware and software as the production network. An operator may implement a network configuration change on the ghost network and then use verification tools to verify that the network configuration change on the ghost network does not result in bugs. Verifying on the ghost network may not affect the main network. If the network operator verifies the network configuration change on the ghost network, the network operator may implement the network configuration change on the main network.

Abstract: Techniques of network configuration verification are disclosed herein. One example process includes, upon receiving a query to determine whether a packet from a first endpoint is reachable to a second endpoint in a virtual network, identifying a network path between the first endpoint to the second endpoint in a network graph. The network graph has nodes representing corresponding enforcement points of network policies in the virtual network and edges connecting pairs of the nodes. The example process can also include generating compound function representing conjoined individual constraints of the network policies at each of the nodes in the network graph along the identified network path, compiling the generated compound function into a Boolean formula, and solving the compiled Boolean formula to determine whether an assignment of values to packet fields of the packet exists such that all the conjoined individual constraints of the compound function can be satisfied.

Abstract: The system disclosed herein implements an improved end-to-end network performance for data transmissions that span multiple networks operated by different organizations. The improvements are achieved as a result of exchanging routing information. For instance, the exchanged routing information can be representative of network performance factors. When different operators of different networks agree to exchange routing information, an optimal end-to-end path between two endpoint devices can be identified and selected for data transmission. This benefits both network operators as the users served by the networks are more likely to be satisfied with the user experience (e.g., faster download and upload of data).

Abstract: The present application relates to communications between a partner network and a wide area network (WAN). The partner network and WAN may exchange representations of the respective networks including a delay profile for the partner network. The WAN receives a network delay profile for multiple virtual network entities within the partner network. The multiple virtual network entities include at least a plurality of peering locations with the WAN. The WAN determines a path from the partner network through the WAN via a selected peering location of the plurality of peering locations with the WAN to a destination based on at least the network delay profile. The WAN deploys a policy for an agent within the partner network. The policy identifies traffic for the destination to route through the WAN via the selected peering location. The WAN routes traffic from the selected peering location to the destination along the path.

Abstract: Network capacity is provisioned in a computing environment comprising a computing service provider and an edge computing network. A cost function is applied to usage data for a number of user endpoints at the edge computing network, a number and type of workloads at the edge computing network, offload capability of the edge computing network, and resource capacities at the edge computing network. An estimated network capacity is determined, where the workloads are dynamic, and the cost function is usable to optimize the network capacity with respect to one or more criteria.

Abstract: Described are examples for providing a system for managing configuration and policies for a virtualized wide area network (vWAN) support on a wide area network (WAN). The vWAN includes a plurality of virtual network entities associated with geographic locations including the physical computing resources of the WAN and virtual connections between the virtual network entities. The system includes a network safety component for managing configurations and policies of the vWAN on the WAN. The network safety component receives a change to a policy or configuration of the vWAN from an operator of a network connected to the vWAN. The network safety component evaluates a set of safety rules for the operator based on the change and a network state of a physical WAN underlying the vWAN. The network safety component generates an error message in response to at least one of the set of safety rules failing the evaluation.

Abstract: Network capacity is provisioned in a computing environment comprising a computing service provider and an edge computing network. A cost function is applied to usage data for a number of user endpoints at the edge computing network, a number and type of workloads at the edge computing network, offload capability of the edge computing network, and resource capacities at the edge computing network. An estimated network capacity is determined, where the workloads are dynamic, and the cost function is usable to optimize the network capacity with respect to one or more criteria.

Abstract: The system disclosed herein implements an improved end-to-end network performance for data transmissions that span multiple networks operated by different organizations. The improvements are achieved as a result of exchanging routing information. For instance, the exchanged routing information can be representative of network performance factors. When different operators of different networks agree to exchange routing information, an optimal end-to-end path between two endpoint devices can be identified and selected for data transmission. This benefits both network operators as the users served by the networks are more likely to be satisfied with the user experience (e.g., faster download and upload of data).

Abstract: The present application relates to egressing traffic from a public cloud network. An egress traffic manager configures routing at hosts and edge routers within the public cloud network. The egress traffic manager determines, for an edge router, a plurality of current border gateway protocol (BGP) sessions with external networks. The egress traffic manager configures a virtual router hosted on the edge router to route a portion of egress traffic to a selected one of the external networks via one of the BGP sessions. A host is configured to route the portion of egress traffic within the public cloud network to the edge router. An edge router configured to route, by the virtual router, the portion of egress traffic from the edge router to the selected one of the external networks.