Patents by Inventor Serge Maskalik

Serge Maskalik has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170163532
    Abstract: Some embodiments provide a network system. The network system includes a first set of host machines for hosting virtual machines that connect to each other through a logical network. The first set of host machines includes managed forwarding elements for forwarding data between the host machines. The network system includes a second set of host machines for hosting virtualized containers that operate as gateways for forwarding data between the virtual machines and an external network. At least one of the virtualized containers peers with at least one physical router in the external network in order to advertise addresses of the virtual machines to the physical router.
    Type: Application
    Filed: February 17, 2017
    Publication date: June 8, 2017
    Inventors: Ariel Tubaltsev, Ronghua Zhang, Benjamin C. Basler, Serge Maskalik, Rajiv Ramanathan, David J. Leroy, Srinivas Neginhal, Kai-Wei Fan, Ansis Atteka
  • Publication number: 20170134420
    Abstract: A method of transferring a virtual machine between a virtualized computing system and a cloud computing system includes determining that a virtual machine is to be transferred from a virtualized computing system to a cloud computing system and determining a connection between a first resource in the virtualized computing system and a second resource in the cloud computing system. Files that enable implementation of the virtual machine at the virtualized computing system are identified, as are file portions of the files for transfer from the virtualized computing system to the cloud computing system. At least one compliance check is executed on each of the file portions using at least one compliance checker. Each of the file portions that fails a compliance check is blocked from being maintained in the cloud computing system.
    Type: Application
    Filed: January 24, 2017
    Publication date: May 11, 2017
    Inventors: Sachin THAKKAR, Serge MASKALIK, Debashis BASAK, Allwyn SEQUEIRA, Govind HARIDAS
  • Patent number: 9590901
    Abstract: Some embodiments provide a network system. The network system includes a first set of host machines for hosting virtual machines that connect to each other through a logical network. The first set of host machines includes managed forwarding elements for forwarding data between the host machines. The network system includes a second set of host machines for hosting virtualized containers that operate as gateways for forwarding data between the virtual machines and an external network. At least one of the virtualized containers peers with at least one physical router in the external network in order to advertise addresses of the virtual machines to the physical router.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: March 7, 2017
    Assignee: NICIRA, INC.
    Inventors: Ariel Tubaltsev, Ronghua Zhang, Benjamin C. Basler, Serge Maskalik, Rajiv Ramanathan, David J. Leroy, Srinivas Neginhal, Kai-Wei Fan, Ansis Atteka
  • Publication number: 20170063667
    Abstract: A hybrid computing system includes an on-premise data center and a cloud computing system. To connect between an organization's multiple data centers, a gateway may instead utilize the connections between the private data center and the cloud computing system rather than a direct connection to the other of the organizations' data centers.
    Type: Application
    Filed: December 28, 2015
    Publication date: March 2, 2017
    Inventors: Serge MASKALIK, Aravind SRINIVASAN, Debashis BASAK, Sachin THAKKAR, Allwyn SEQUEIRA
  • Publication number: 20170064030
    Abstract: Connectivity between data centers in a hybrid cloud system is optimized by pre-loading a wide area network (WAN) optimization appliance in a first data center with data to initialize at least one WAN optimization of application. The first data center is managed by a first organization and a second data center managed by a second organization, the first organization being a tenant in the second data center. The described technique includes receiving application packets having the application data generated by an application executing in the first data center at the WAN optimization appliance from a first gateway in the first data center, and performing the at least one WAN optimization on the application packets using the pre-loaded data to initialize the at least one WAN optimization.
    Type: Application
    Filed: August 28, 2015
    Publication date: March 2, 2017
    Inventors: Serge MASKALIK, Govind HARIDAS, Weiqing WU, Aravind SRINIVASAN, Sachin THAKKAR
  • Publication number: 20170060621
    Abstract: Techniques for executing jobs in a hybrid cloud computing system. A job defines multiple states and tasks for transitioning between states. Jobs are passed between systems that execute different tasks via a message bus, so that the different tasks may be executed. A job manager controls execution flow of jobs based on a job descriptor that describes the job.
    Type: Application
    Filed: August 28, 2015
    Publication date: March 2, 2017
    Inventors: Mark Bryan WHIPPLE, Sachin THAKKAR, Debashis BASAK, Serge MASKALIK, Narendra Kumar BASUR SHANKARAPPA
  • Publication number: 20170063573
    Abstract: Connectivity between data centers in a hybrid cloud system having a first data center managed by a first organization and a second data center managed by a second organization, the first organization being a tenant in the second data center, is optimized. According to the described technique, a path-optimized connection is established through a wide area network (WAN) between a first gateway of a first data center and a second gateway of a second data center for an application executing in the first data center based on performance of paths across a set of Internet Protocol (IP) flows. Application packets received from the application at the first gateway are forwarded to a WAN optimization appliance in the first data center. WAN optimized application packets received from the WAN optimization appliance at the first gateway are then sent to the second gateway over the path-optimized connection.
    Type: Application
    Filed: August 28, 2015
    Publication date: March 2, 2017
    Inventors: Serge MASKALIK, Weiqing WU, Aravind Srinivasan, Sachin THAKKAR, Debashis BASAK
  • Publication number: 20170063687
    Abstract: A cloud computing system retrieves routing entries that are associated with a particular tenant of the cloud computing system and are a subset of a routing table of the entire cloud computing system. The routing entries are loaded into a networking switch, which is configured to route network packets using the loaded subset of routing entries, using a general-purpose processor rather than a costly dedicated ASIC.
    Type: Application
    Filed: December 28, 2015
    Publication date: March 2, 2017
    Inventors: Serge MASKALIK, Weiqing WU, Debashis BASAK, Sachin THAKKAR, Govind HARIDAS
  • Publication number: 20170063673
    Abstract: An example method of optimizing connectivity between data centers in a hybrid cloud system having a first data center managed by a first organization and a second data center managed by a second organization, the first organization being a tenant in the second data center. The method includes probing a wide area network (WAN) with test packets by varying an internet protocol (IP) flow tuple of the test packets across a set of IP flows. The method includes identifying a plurality of paths between a gateway of the first data center and another gateway of the second data center associated with the set of IP flows. The method further includes selecting an IP flow from the set of IP flows for an application executing in the first data center. The method further includes establishing a path-optimized connection between the gateway and the other gateway through the WAN having the selected IP flow for use by the application.
    Type: Application
    Filed: August 28, 2015
    Publication date: March 2, 2017
    Inventors: Serge MASKALIK, Weiqing WU, Debashis BASAK, Sachin THAKKAR, Allwyn SEQUEIRA
  • Publication number: 20170063674
    Abstract: A cloud computing system may include multiple cloud data centers. A gateway may establish connections between a cloud provider's multiple data centers using knowledge about the types of application workloads executing within the cloud computing system, and may be further based on determined policies indicating priorities for routing traffic for the application workloads.
    Type: Application
    Filed: December 28, 2015
    Publication date: March 2, 2017
    Inventors: Serge MASKALIK, Weiqing WU, Debashis BASAK, Sachin THAKKAR, Allwyn SEQUEIRA
  • Publication number: 20170060615
    Abstract: Techniques are disclosed for deploying and maintaining appliances in a hybrid cloud computing system which includes an on-premise data center and a public cloud computing system configured to provide a common platform for managing and executing virtual workloads. Appliances to be deployed may include those required (or useful) for hybrid operations, including a cloud gateway appliance, a wide area network (WAN) optimizer, a layer 2 (L2) concentrator, and a mobility agent that handles virtual machine (VM) migration traffic. Such appliances are deployed first on the on-premise data center, and remote jobs are then sent to the public cloud to deploy the same appliances thereon. After deployment, the appliances deployed on the on-premise data center and corresponding appliances on the public cloud share configuration states and may further be wired together to communicate via secure encrypted tunnels.
    Type: Application
    Filed: April 25, 2016
    Publication date: March 2, 2017
    Inventors: SACHIN THAKKAR, Debashis Basak, Abhinav Vijay Bhagwat, Narendra Kumar Basur Shankarappa, Serge Maskalik
  • Patent number: 9553887
    Abstract: One or more examples provide a method of transferring a virtual machine between a virtualized computing system and a cloud computing system that includes: establishing connection between a first resource in the virtualized computing system and a second resource in the cloud computing system to transfer files that implement the virtual machine from the first resource to the second resource; accessing, for transmission over the connection, data blocks on a storage device in the virtualized computing system that include the files; executing at least one compliance check on each of the data blocks using at least one compliance checker; and preventing each of the data blocks that fails a compliance check from being maintained in the cloud computing system.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: January 24, 2017
    Assignee: VMware, Inc.
    Inventors: Sachin Thakkar, Serge Maskalik, Debashis Basak, Allwyn Sequeira, Govind Haridas
  • Publication number: 20170005986
    Abstract: Some embodiments provide a central firewall management system that can be used to manage different firewall devices from a single management interface. This management interface provides a uniform interface for defining different firewall rule sets and deploying these rules sets on different firewall devices (e.g., port-linked firewall engines, firewall service VMs, network-perimeter firewall devices, etc.). Also, this interface allows the location and/or behavior of the firewall rule sets to be dynamically modified. The management interface in some embodiments also provides controls for filtering and debugging firewall rules.
    Type: Application
    Filed: June 30, 2015
    Publication date: January 5, 2017
    Inventors: Kaushal Bansal, Uday Masurekar, Serge Maskalik, Shadab Shah, Aravind Srinivasan, Minjal Agarwal
  • Patent number: 9509615
    Abstract: Exemplary methods, apparatuses, and systems include a first host device determining that a first packet from a first virtual machine (VM) within the first host device is to be transmitted to a second VM on a second host device and that the first host device and the second host device each transmit or receive packets via ports within a first link aggregation group (LAG). In response to determining that the first host device and the second host device each transmit or receive packets via ports within the first LAG, the first host device transmits the first packet from a first synchronization port of the first host device to a second synchronization port of the second host device. The first and second synchronization ports are excluded from sharing a common LAG with any ports of another host device.
    Type: Grant
    Filed: July 22, 2013
    Date of Patent: November 29, 2016
    Assignee: VMware, Inc.
    Inventors: Sreeram Ravinoothala, Serge Maskalik
  • Publication number: 20160191396
    Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.
    Type: Application
    Filed: December 14, 2015
    Publication date: June 30, 2016
    Inventors: Jayant Jain, Anirban Sengupta, Debashis Basak, Serge Maskalik, Weiqing Wu, Aravind Srinivasan, Todd Sabin
  • Publication number: 20160191570
    Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).
    Type: Application
    Filed: December 14, 2015
    Publication date: June 30, 2016
    Inventors: Kaushal Bansal, Uday Masurekar, Aravind Srinivasan, Shadab Shah, Serge Maskalik
  • Patent number: 9350666
    Abstract: Exemplary methods, apparatuses, and systems configure a first set of ports of a first host device and a second set of ports to be included within a first link aggregation group (LAG). The first and second host devices further configure, respectively, a first synchronization port that does not share a common LAG with the second host device and a second synchronization port that does not share a common LAG with the first host device. The first host device receives a first packet destined for a virtual machine running on the second host device, the first packet including source and destination information. The first host device determines from the source or destination information that the first packet is destined for a virtual machine running on another host device. In response, the first host device forwards the packet via the first synchronization port to the second host device.
    Type: Grant
    Filed: July 22, 2013
    Date of Patent: May 24, 2016
    Assignee: VMware, Inc.
    Inventors: Sreeram Ravinoothala, Serge Maskalik
  • Publication number: 20160105311
    Abstract: A fleet manager within a cloud computing system utilizes a registration framework with one or more cloud infrastructure managers having corresponding infrastructure data plane nodes, which may be in use by different tenants. Instead of having the infrastructure managers communicate directly with their corresponding infrastructure data plane nodes via a management network or domain, the fleet manager communicates with infrastructure managers and relays commands, instructions, and other payloads to the infrastructure data plane nodes using a virtual machine (VM) communication backchannel.
    Type: Application
    Filed: October 13, 2015
    Publication date: April 14, 2016
    Inventors: SACHIN THAKKAR, DEBASHIS BASAK, SERGE MASKALIK, ARAVIND SRINIVASAN, NARENDRA KUMAR BASUR SHANKARAPPA, ABHINAV VIJAY BHAGWAT
  • Publication number: 20160105488
    Abstract: A hybrid cloud computing system having a private data center and a public cloud computing system is discussed. The private data center is managed by a first organization. The public cloud computing system is managed by a second organization, and the first organization is a tenant in the public cloud computing system. The hybrid cloud computing system is configured to generate a mapping that contextualizes virtual objects migrated between the private data center and the public cloud computing system based on the objects' location. Such a mapping is maintained to expose the true hybridity of the hybrid cloud rather than present two distinct views of a private data center (or private cloud) and a public cloud.
    Type: Application
    Filed: October 31, 2014
    Publication date: April 14, 2016
    Inventors: Sachin THAKKAR, Debashis BASAK, Serge MASKALIK, Mark Bryan WHIPPLE, Aarti Kumar GUPTA
  • Publication number: 20160105392
    Abstract: A centralized namespace controller allocates addresses in a distributed cloud infrastructure on-demand. Upon receiving a request to allocate addresses for a network to be provisioned by a cloud computing system included in the distributed cloud infrastructure, the centralized namespace controller allocates a network address that is unique within the distributed cloud infrastructure. Further, the centralized namespace controller allocates a range of virtual network interface cards (NIC) addresses that are unique within the network. The centralized namespace controller then allocates addresses from the range of virtual NIC addresses on an as-requested basis—when a virtual NIC is being created by the first cloud computing system on the network.
    Type: Application
    Filed: March 23, 2015
    Publication date: April 14, 2016
    Inventors: SACHIN THAKKAR, Debashis Basak, Serge Maskalik, Weiqing Wu, Aravind Srinivasan