Abstract: An example method of migrating a firewall policy between a first virtual data center and a second virtual data center includes: generating a static firewall from a firewall document at a first firewall server in the first virtual data center, the firewall document defining polices applied to groups of objects in the first virtual data center, the static firewall including firewall rule tuples; sending the static firewall from the first firewall server to a second firewall server in the second virtual data center; migrating a plurality of virtual machines (VMs) from the first virtual data center to the second virtual data center; and importing the firewall document from the first firewall server to the second firewall server by mapping the policies of the first firewall to groups of objects in an inventory of the second virtual data center.

Abstract: An example method of provisioning a network service in a cloud computing system includes: defining, at an orchestrator, the network service to include a plurality of network functions; defining, at the orchestrator, network connectivity among the plurality of network functions; identifying a plurality of vendor device managers (VDMs) configured to provision virtual network functions that implement the plurality of network functions; and instructing, by the orchestrator, the VDMs to deploy the virtual network functions having the defined network connectivity.

Abstract: Techniques for stateful connection optimization over stretched networks are disclosed. In one embodiment, hypervisor filtering modules in a cloud computing system are configured to modify packets sent by virtual computing instances (e.g., virtual machines (VMs)) in the cloud to local destinations in the cloud such that those packets have the destination Media Access Control (MAC) address of a local router that is also in the cloud. Doing so prevents tromboning traffic flows in which packets sent by virtual computing instances in the cloud to location destinations are routed to a stretched network's default gateway that is not in the cloud.

Abstract: Some embodiments provide a network system. The network system includes a first set of host machines for hosting virtual machines that connect to each other through a logical network. The first set of host machines includes managed forwarding elements for forwarding data between the host machines. The network system includes a second set of host machines for hosting virtualized containers that operate as gateways for forwarding data between the virtual machines and an external network. At least one of the virtualized containers peers with at least one physical router in the external network in order to advertise addresses of the virtual machines to the physical router.

Abstract: A cloud computing system may include multiple cloud data centers. A gateway may establish connections between a cloud providers' multiple data centers using knowledge about the types of applications workloads executing within the cloud computing system, and may be further based on determines policies indicating priorities for routing traffic for the application workloads.

Abstract: A method is provide for managing a migration of a virtual machine from a private data center managed by a first organization to a public cloud computing system by a second organization and where the first organization is a tenant. The configurations of physical infrastructure of the private data center that underlies the virtual machine are determined, along with a corresponding match preference indicating a level of criticality for some corresponding configuration at the public cloud system. The configurations and match preferences generated as part of a migration package. The public cloud computing system instantiates a corresponding VM based on the determined configurations and corresponding match preferences.

Abstract: Techniques disclosed herein permit logical topologies of datacenters to be automatically learned and re-created in the cloud. In one embodiment, a datacenter landscape is determined based on numbers of hops from nodes in a datacenter to a wide area network (WAN)-facing node. Such a datacenter landscape may then be re-created in the cloud. In another embodiment, virtual appliances are deployed using templates with user-tunable parameters. What would have been set up manually in a physical datacenter, such as connecting a new router to other devices, is then simplified to adjusting parameters of the template to specify, e.g., that the router is a routed hop rather than a bump in the wire, with the router then being automatically deployed in the specified manner.

Abstract: Techniques disclosed herein relate to migrating virtual computing instances such as virtual machines (VMs). In one embodiment, VMs are migrated across different virtual infrastructure platforms by, among other things, translating between resource models used by virtual infrastructure managers (VIMs) that manage the different virtual infrastructure platforms. VM migrations may also be validated prior to being performed, including based on resource policies that define what is and/or is not allowed to migrate, thereby providing compliance and controls for borderless data centers. In addition, an agent-based technique may be used to migrate VMs and physical servers to virtual infrastructure, without requiring access to an underlying hypervisor layer.

Abstract: Techniques disclosed herein relate to migrating virtual computing instances such as virtual machines (VMs). In one embodiment, VMs are migrated across different virtual infrastructure platforms by, among other things, translating between resource models used by virtual infrastructure managers (VIMs) that manage the different virtual infrastructure platforms. VM migrations may also be validated prior to being performed, including based on resource policies that define what is and/or is not allowed to migrate, thereby providing compliance and controls for borderless data centers. In addition, an agent-based technique may be used to migrate VMs and physical servers to virtual infrastructure, without requiring access to an underlying hypervisor layer.

Abstract: Techniques disclosed herein relate to migrating virtual computing instances such as virtual machines (VMs). In one embodiment, VMs are migrated across different virtual infrastructure platforms by, among other things, translating between resource models used by virtual infrastructure managers (VIMs) that manage the different virtual infrastructure platforms. VM migrations may also be validated prior to being performed, including based on resource policies that define what is and/or is not allowed to migrate, thereby providing compliance and controls for borderless data centers. In addition, an agent-based technique may be used to migrate VMs and physical servers to virtual infrastructure, without requiring access to an underlying hypervisor layer.

Abstract: A hybrid cloud computing system having a private data center and a public cloud computing system is discussed. The private data center is managed by a first organization. The public cloud computing system is managed by a second organization, and the first organization is a tenant in the public cloud computing system. The hybrid cloud computing system is configured to generate a mapping that contextualizes virtual objects migrated between the private data center and the public cloud computing system based on the objects' location. Such a mapping is maintained to expose the true hybridity of the hybrid cloud rather than present two distinct views of a private data center (or private cloud) and a public cloud.

Abstract: A method of migrating a virtualized computing instance between source and destination virtualized computing systems includes executing a first migration workflow in the source virtualized computing system between a source host computer and a first mobility agent simulating a destination host, executing a second migration workflow in the destination virtualized computing system between a second mobility agent simulating a source host and a destination host computer, sending, as part of the first migration workflow, a configuration of the migrated virtualized computing instance to the destination virtualized computing system, translating, as part of the second migration workflow, infrastructure-dependent information in the configuration of the migrated virtualized computing instance, and transferring, during execution of the first and second migration workflows, migration data including the virtualized computing instance between the source host and the destination host over a network.

Abstract: Some embodiments provide a novel method for load balancing data messages that are sent by a source compute node (SCN) to one or more different groups of destination compute nodes (DCNs). In some embodiments, the method deploys a load balancer in the source compute node's egress datapath. This load balancer receives each data message sent from the source compute node, and determines whether the data message is addressed to one of the DCN groups for which the load balancer spreads the data traffic to balance the load across (e.g., data traffic directed to) the DCNs in the group. When the received data message is not addressed to one of the load balanced DCN groups, the load balancer forwards the received data message to its addressed destination. On the other hand, when the received data message is addressed to one of load balancer's DCN groups, the load balancer identifies a DCN in the addressed DCN group that should receive the data message, and directs the data message to the identified DCN.

Abstract: Techniques for stateful connection optimization over stretched networks are disclosed. Such stretched networks may extend across both a data center and a cloud. In one embodiment, configuration changes are made to cloud layer 2 (L2) concentrators used by extended networks and a cloud router such that the L2 concentrators block packets with the cloud router's source MAC address and block address resolution protocol (ARP) requests for a gateway IP address from/to cloud networks that are part of the extended networks. Further, the cloud router is configured with the same gateway IP address as that of a default gateway router in the data center and responds to ARP requests for the gateway IP address with its own MAC address. In addition, specific prefix routes (e.g., /32 routes) for virtual computing instances on route optimized networks in the cloud are injected into the cloud router and propagating to a data center router.

Abstract: Techniques for stateful connection optimization over stretched networks are disclosed. In one embodiment, traffic of virtual machines (VMs) that are live-migrated from a data center to a cloud is temporarily tromboned back to the data center to preserve active sessions. In such a case, a stretched network is created that includes a network in the data center and two stub networks in the cloud, one of which is route optimized such that traffic does not trombone back to the data center and the other which is not so optimized. A VM that is live migrated to the cloud is first attached to the unoptimized network so that traffic tromboning occurs. Thereafter, when the VM is powered off (e.g., during a reboot), in a maintenance mode, or in a quiet period, the VM is switched to the route optimized network.

Abstract: A method for managing an application executing in a computing system is disclosed as including a private cloud operated by a first organization and a multi-tenant public cloud of which the first organization is one of the tenants. The method comprises instantiating a first virtual object in the private cloud and instantiating a second virtual object in the public cloud for executing the application cooperatively with the first virtual object. Mapping associated with the first virtual object is generated, wherein the mapping comprises a first identifier having a context of the private cloud and a second identifier having a context of the public cloud. The method further includes detecting migration of the first or second virtual object such that both of the first and second virtual objects are instantiated in a single one of the private and public clouds and updating the mapping to reflect the migration.

Abstract: Techniques for upgrading virtual appliances in a hybrid cloud computing system are provided. In one embodiment, virtual appliances are upgraded by deploying the upgraded appliances in both a data center and a cloud, configuring the upgraded appliances to have the same IP addresses as original appliances, and disconnecting the original appliances from networks to which they are connected and connecting the upgraded appliances to those networks via the same ports previously used by the original appliances. In another embodiment, upgraded appliances are deployed in the data center and the cloud, but configured with new IP addresses that are different from those of the original appliances, and connections are switched from those of the original appliances to new connections with the new IP addresses. Embodiments disclosed herein permit virtual appliances to be upgraded or replaced with relatively little downtime so as to help minimize disruptions to existing traffic flows.

Abstract: A cloud computing system retrieves routing entries associated with a particular tenant of the cloud computing system and a subset of a routing table of the entire cloud computing system. The routing entries are loaded into a networking switch, which is configured to route network packets using the loaded subset of routing entries, using a general-purpose processor rather than a costly dedicated ASIC.

Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

Abstract: Some embodiments provide a novel method for load balancing data messages that are sent by a source compute node (SCN) to one or more different groups of destination compute nodes (DCNs). In some embodiments, the method deploys a load balancer in the source compute node's egress datapath. This load balancer receives each data message sent from the source compute node, and determines whether the data message is addressed to one of the DCN groups for which the load balancer spreads the data traffic to balance the load across (e.g., data traffic directed to) the DCNs in the group. When the received data message is not addressed to one of the load balanced DCN groups, the load balancer forwards the received data message to its addressed destination. On the other hand, when the received data message is addressed to one of load balancer's DCN groups, the load balancer identifies a DCN in the addressed DCN group that should receive the data message, and directs the data message to the identified DCN.