Abstract: The technology disclosed herein enables segregation of network traffic on an application basis. In a particular embodiment, a method is performed in a virtual network interface for a first guest Operating System (OS) executing on a host and includes receiving guest data packets from the first guest OS. The method further includes associating the guest data packets with respective ones of a plurality of applications executing within the first guest OS and separating the guest data packets into respective ones of a plurality of application port interfaces each corresponding to at least one of the plurality of applications. The method also includes passing the guest data packets to a host network interface using the plurality of application port interfaces.

Abstract: Example methods are provided for flow-based forwarding element configuration in a network environment. An example method may comprise obtaining a set of security policies associated with the group of workloads; and based on the set of security policies, identifying an allowed forwarding path between a destination and a first workload. The method may also comprise configuring a whitelist set of flow entries and sending configuration information to the flow-based forwarding element to cause the flow-based forwarding element to apply the whitelist set. The whitelist set may include a first flow entry specifying match fields and a first action to allow communication over the allowed forwarding path, but excludes a second flow entry specifying a second action to block communication over a forbidden forwarding path between the destination and the second workload. The match fields may include transport layer information and network layer information.

Abstract: An example method is provided for a first edge device to perform traffic forwarding in a network with geographically dispersed first site and second site. The method may comprise reconfiguring, for a workload migrated from the second site to the first site, the first edge device located at the first site as a default gateway of the workload from the second edge device located at the second site by causing the workload to learn an association between a default gateway Internet Protocol (IP) address associated with the second edge device to a Media Access Control (MAC) address associated with the first edge device. The method may further comprise receiving, from the workload, traffic for forwarding to a destination, and in response to determination that the destination is not within the second site, forwarding the received traffic to the destination without using the second edge device.