Abstract: A cloud computing system retrieves routing entries associated with a particular tenant of the cloud computing system and are a subset of a routing table of the entire cloud computing system. The routing entries are loaded into a networking switch, which is configured to route network packets using the loaded subset of routing entries, using a general-purpose processor rather than a costly dedicated ASIC.

Abstract: A centralized namespace controller allocates addresses in a distributed cloud infrastructure on-demand. Upon receiving a request to allocate addresses for a network to be provisioned by a cloud computing system included in the distributed cloud infrastructure, the centralized namespace controller allocates a network address that is unique within the distributed cloud infrastructure. Further, the centralized namespace controller allocates a range of virtual network interface cards (NIC) addresses that are unique within the network. The centralized namespace controller then allocates addresses from the range of virtual NIC addresses on an as-requested basis—when a virtual NIC is being created by the first cloud computing system on the network.

Abstract: A fleet manager within a cloud computing system utilizes a registration framework with one or more cloud infrastructure managers having corresponding infrastructure data plane nodes, which may be in use by different tenants. Instead of having the infrastructure managers communicate directly with its corresponding infrastructure data plane nodes via a management network or domain, the fleet manager communicates with infrastructure managers and relay commands, instructions, and other payloads to the infrastructure data plane nodes using a virtual machine (VM) communication backchannel.

Abstract: Techniques leveraging CPU flow affinity to increase throughput of a layer 2 (L2) extension network are disclosed. In one embodiment, an L2 concentrator appliance, which bridges a local area network (LAN) and a wide area network (WAN) in a stretched network, is configured such that multiple Internet Protocol Security (IPsec) tunnels are pinned to respective CPUs or cores, which each process traffic flows for one of the IPsec tunnels. Such parallelism can increase the throughput of the stretched network. Further, an L2 concentrator appliance that receives FOU packets is configured to distribute the received FOU packets across receive queues based a deeper inspection of inner headers of such packets.

Abstract: An approach is disclosed for steering network traffic away from congestion hot-spots to achieve better throughput and latency. In one embodiment, multiple Foo-over-UDP (FOU) tunnels, each having a distinct source port, are created between two endpoints. As a result of the distinct source ports, routers that compute hashes of packet fields in order to distribute traffic flows across network paths will compute distinct hash values for the FOU tunnels that may be associated with different paths. Probes are scheduled to measure network metrics, such as latency and liveliness, of each of the FOU tunnels. In turn, the network metrics are used to select particular FOU tunnel(s) to send traffic over so as to avoid congestion and high-latency hotspots in the network.

Abstract: Techniques for upgrading virtual appliances in a hybrid cloud computing system are provided. In one embodiment, virtual appliances are upgraded by deploying the upgraded appliances in both a data center and a cloud, configuring the upgraded appliances to have the same IP addresses as original appliances, and disconnecting the original appliances from networks to which they are connected and connecting the upgraded appliances to those networks via the same ports previously used by the original appliances. In another embodiment, upgraded appliances are deployed in the data center and the cloud, but configured with new IP addresses that are different from those of the original appliances, and connections are switched from those of the original appliances to new connections with the new IP addresses. Embodiments disclosed herein permit virtual appliances to be upgraded or replaced with relatively little downtime so as to help minimize disruptions to existing traffic flows.

Abstract: A method of migrating a virtualized computing instance between source and destination virtualized computing systems includes executing a first migration workflow in the source virtualized computing system between a source host computer and a first mobility agent simulating a destination host, executing a second migration workflow in the destination virtualized computing system between a second mobility agent simulating a source host and a destination host computer, sending, as part of the first migration workflow, a configuration of the migrated virtualized computing instance to the destination virtualized computing system, translating, as part of the second migration workflow, infrastructure-dependent information in the configuration of the migrated virtualized computing instance, and transferring, during execution of the first and second migration workflows, migration data including the virtualized computing instance between the source host and the destination host over a network.

Abstract: Techniques disclosed herein permit logical topologies of datacenters to be automatically learned and re-created in the cloud. In one embodiment, a datacenter landscape is determined based on numbers of hops from nodes in a datacenter to a wide area network (WAN)-facing node. Such a datacenter landscape may then be re-created in the cloud. In another embodiment, virtual appliances are deployed using templates with user-tunable parameters. What would have been set up manually in a physical datacenter, such as connecting a new router to other devices, is then simplified to adjusting parameters of the template to specify, e.g., that the router is a routed hop rather than a bump in the wire, with the router then being automatically deployed in the specified manner.

Abstract: Techniques for stateful connection optimization over stretched networks are disclosed. In one embodiment, traffic of virtual machines (VMs) that are live-migrated from a data center to a cloud is temporarily tromboned back to the data center to preserve active sessions. In such a case, a stretched network is created that includes a network in the data center and two stub networks in the cloud, one of which is route optimized such that traffic does not trombone back to the data center and the other which is not so optimized. A VM that is live migrated to the cloud is first attached to the unoptimized network so that traffic tromboning occurs. Thereafter, when the VM is powered off (e.g., during a reboot), in a maintenance mode, or in a quiet period, the VM is switched to the route optimized network.

Abstract: Techniques for creating layer 2 (L2) extension networks are disclosed. One embodiment permits an L2 extension network to be created by deploying, configuring, and connecting a pair of virtual appliances in the data center and the cloud so that the appliances communicate via secure tunnels and bridge networks in the data center and the cloud. A pair of virtual appliances are first deployed in the data center and the cloud, and secure tunnels are then created between the virtual appliances. Thereafter, a stretched network is created by connecting a network interface in each of the virtual appliances to a respective local network, configuring virtual switch ports to which the virtual appliances are connected as sink ports that receive traffic with non-local destinations, and configuring each of the virtual appliances to bridge the network interface therein that is connected to the local network and tunnels between the pair of virtual appliances.

Abstract: Techniques for stateful connection optimization over stretched networks are disclosed. In one embodiment, hypervisor filtering modules in a cloud computing system are configured to modify packets sent by virtual computing instances (e.g., virtual machines (VMs)) in the cloud to local destinations in the cloud such that those packets have the destination Media Access Control (MAC) address of a local router that is also in the cloud. Doing so prevents tromboning traffic flows in which packets sent by virtual computing instances in the cloud to location destinations are routed to a stretched network's default gateway that is not in the cloud.

Abstract: Techniques for stateful connection optimization over stretched networks are disclosed. Such stretched networks may extend across both a data center and a cloud. In one embodiment, configuration changes are made to cloud layer 2 (L2) concentrators used by extended networks and a cloud router such that the L2 concentrators block packets with the cloud router's source MAC address and block address resolution protocol (ARP) requests for a gateway IP address from/to cloud networks that are part of the extended networks. Further, the cloud router is configured with the same gateway IP address as that of a default gateway router in the data center and responds to ARP requests for the gateway IP address with its own MAC address. In addition, specific prefix routes (e.g., /32 routes) for virtual computing instances on route optimized networks in the cloud are injected into the cloud router and propagating to a data center router.

Abstract: Some embodiments provide a central firewall management system that can be used to manage different firewall devices from a single management interface. This management interface provides a uniform interface for defining different firewall rule sets and deploying these rules sets on different firewall devices (e.g., port-linked firewall engines, firewall service VMs, network-perimeter firewall devices, etc.). Also, this interface allows the location and/or behavior of the firewall rule sets to be dynamically modified. The management interface in some embodiments also provides controls for filtering and debugging firewall rules.

Abstract: A method for managing an application executing in a computing system is disclosed as including a private cloud operated by a first organization and a multi-tenant public cloud of which the first organization is one of the tenants. The method comprises instantiating a first virtual object in the private cloud and instantiating a second virtual object in the public cloud for executing the application cooperatively with the first virtual object. Mapping associated with the first virtual object is generated, wherein the mapping comprises a first identifier having a context of the private cloud and a second identifier having a context of the public cloud. The method further includes detecting migration of the first or second virtual object such that both of the first and second virtual objects are instantiated in a single one of the private and public clouds and updating the mapping to reflect the migration.

Abstract: A centralized namespace controller allocates addresses in a distributed cloud infrastructure on-demand. Upon receiving a request to allocate addresses for a network to be provisioned by a cloud computing system included in the distributed cloud infrastructure, the centralized namespace controller allocates a network address that is unique within the distributed cloud infrastructure. Further, the centralized namespace controller allocates a range of virtual network interface cards (NIC) addresses that are unique within the network. The centralized namespace controller then allocates addresses from the range of virtual NIC addresses on an as-requested basis—when a virtual NIC is being created by the first cloud computing system on the network.

Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.

Abstract: Some embodiments provide a central firewall management system that can be used to manage different firewall devices from a single management interface. This management interface provides a uniform interface for defining different firewall rule sets and deploying these rules sets on different firewall devices (e.g., port-linked firewall engines, firewall service VMs, network-perimeter firewall devices, etc.). Also, this interface allows the location and/or behavior of the firewall rule sets to be dynamically modified. The management interface in some embodiments also provides controls for filtering and debugging firewall rules.

Abstract: Some embodiments provide a novel method for load balancing data messages that are sent by a source compute node (SCN) to one or more different groups of destination compute nodes (DCNs). In some embodiments, the method deploys a load balancer in the source compute node's egress datapath. This load balancer receives each data message sent from the source compute node, and determines whether the data message is addressed to one of the DCN groups for which the load balancer spreads the data traffic to balance the load across (e.g., data traffic directed to) the DCNs in the group. When the received data message is not addressed to one of the load balanced DCN groups, the load balancer forwards the received data message to its addressed destination. On the other hand, when the received data message is addressed to one of load balancer's DCN groups, the load balancer identifies a DCN in the addressed DCN group that should receive the data message, and directs the data message to the identified DCN.

Abstract: A hybrid cloud computing system having a private data center and a public cloud computing system is discussed. The private data center is managed by a first organization. The public cloud computing system is managed by a second organization, and the first organization is a tenant in the public cloud computing system. The hybrid cloud computing system is configured to generate a mapping that contextualizes virtual objects migrated between the private data center and the public cloud computing system based on the objects' location. Such a mapping is maintained to expose the true hybridity of the hybrid cloud rather than present two distinct views of a private data center (or private cloud) and a public cloud.

Abstract: Exemplary methods, apparatuses, and systems configure a first set of ports of a host device to be included within a link aggregation group (LAG) with a switch coupled to the first set of one or more ports. A second set of one or more ports of a second host device is also included within the LAG. The configuration of the LAG includes the switch performing load balancing between ports within the LAG. The first host device receives, via the LAG, a packet to be processed by a service implemented by each of one or more virtual machines running on the first host device. The first host device receives the packet as a result of the switch selecting a port within the first and second sets of ports based upon the load balancing between uplinks to the ports within the LAG.