Abstract: In general, this disclosure describes techniques for enabling multiple Virtual Extensible LAN (VXLAN) Virtual Tunnel Endpoints (VTEPs) per compute node within a computing infrastructure. In one example, a computing device comprises a network interface controller (NIC) and processing circuitry having access to storage media encoded with instructions, the processing circuitry configured to receive, by a main packet processor, a packet from the NIC. The processing circuitry is further configured to send, by the main packet processor, based on a virtual extensible local area network (VXLAN) tunnel endpoint (VTEP) indicated by a packet, the packet to a tenant-specific packet processor associated with the VTEP. The processing circuitry is further configured to send, by the tenant-specific packet processor, at least a portion of the packet to a workload. The processing circuitry is further configured to process, by the workload, the at least a portion of the packet.

Abstract: In general, techniques are described for distributed route and packet flow evaluation within a cloud exchange fabric. In some examples, a routing engine is operative to: establish sessions between a first network and a second network to exchange message data identifying destinations in the second network; and verify routing information comprising routes from endpoints in the first network to the destinations based upon the message data, including, for each route of the routes: evaluating a source or a destination for indicia of illegitimate origination, and in response to detecting an illegitimate endpoint at the at least one of a source or a destination based upon identifying one or more of the indicia of illegitimate origination, dropping a corresponding route from the routing information.

Abstract: In one example, a method comprises receiving, by a computing device, configuration data defining: an external virtual domain for a network function, the external virtual domain connected to a public network and managed by a provider for the computing device; a virtual domain for the network function, the virtual domain separate from the external virtual domain, configured with a secure tunnel interface, connected to a customer network, and managed by a customer of the provider for the computing device; forwarding, by the external virtual domain implementing a route-based virtual private network, encrypted network traffic, received from the public network via a secure tunnel, to the secure tunnel interface configured in the virtual domain; decrypting, by the virtual domain, the encrypted network traffic to generate network traffic; and forwarding, by the virtual domain, the network traffic to the customer network.

Abstract: This disclosure describes techniques that include filtering or gating access to a network based on attributes or an evaluation of the network destination. In one example, this disclosure describes a method that includes receiving, by a computing system and from a client device, a request for information about a network destination; identifying, by the computing system and based on the request, an address associated with the network destination; evaluating, by the computing system, the address to determine whether the address passes a plurality of tests; responsive to determining that the address passes the plurality of tests, storing the address, by the computing system, as one of a plurality of scrutinized addresses; outputting, by the computing system and to the client device, the address.

Abstract: Techniques for virtualized network functions (VNFs) that provide for domain isolation of networks coupled to the VNF are described. A virtual network function (VNF) includes a cloud virtual domain coupling the VNF to a cloud service, a management virtual domain coupling the VNF to a management service, and an external virtual domain having a public Internet Protocol (IP) address. The external virtual domain receives an authentication request providing access credentials for a VNF customer from a cloud client device, provides the authentication request to the management service via the management virtual domain, receives an authentication response from the management service, and, in response to determining that the VNF customer access credentials are valid, initiates application of a policy that allows the cloud client device to configure the cloud virtual domain or the cloud service and disallows configuration of the external virtual domain and the management virtual domain.

Abstract: In general, techniques are described for a hierarchical, distributed DHCP system for managing IP address assignment among distributed networks of computing devices. For example, a system may include a central DHCP server configured to manage a plurality of distributed DHCP servers, each distributed DHCP server configured to perform DHCP using IP addresses allocated from a common prefix for a tenant associated with computing devices managed by multiple DHCP servers. The central DHCP server allocates IP addresses to the distributed DHCP servers, e.g., on an on-demand basis from the common pool and may handle concurrent requests for IP addresses from distributed DHCP servers. Each of the distributed DHCP servers may store records for IP addresses and media access control (MAC) addresses for computing devices managed by that distributed DHCP server, and the DHCP servers may send these records to the central DHCP server to facilitate IP assignment coherency.

Abstract: Techniques for tenant-driven dynamic resource allocation in network functions virtualization infrastructure (NFVI). In one example, an orchestration system is operated by a data center provider for a data center and that orchestration system comprises processing circuitry coupled to a memory; logic stored in the memory and configured for execution by the processing circuitry, wherein the logic is operative to: compute an aggregate bandwidth for a plurality of flows associated with a tenant of the data center provider and processed by a virtual network function, assigned to the tenant, executing on a server of the data center; and modify, based on the aggregate bandwidth, an allocation of compute resources of the server executing the virtual network function.

Abstract: In one example, a method comprises receiving, by a computing device, configuration data defining: an external virtual domain for a network function, the external virtual domain connected to a public network and managed by a provider for the computing device; a virtual domain for the network function, the virtual domain separate from the external virtual domain, configured with a secure tunnel interface, connected to a customer network, and managed by a customer of the provider for the computing device; forwarding, by the external virtual domain implementing a route-based virtual private network, encrypted network traffic, received from the public network via a secure tunnel, to the secure tunnel interface configured in the virtual domain; decrypting, by the virtual domain, the encrypted network traffic to generate network traffic; and forwarding, by the virtual domain, the network traffic to the customer network.

Abstract: Techniques for virtualized network functions (VNFs) that provide for domain isolation of networks coupled to the VNF are described. A virtual network function (VNF) includes a cloud virtual domain coupling the VNF to a cloud service, a management virtual domain coupling the VNF to a management service, and an external virtual domain having a public Internet Protocol (IP) address. The external virtual domain receives an authentication request providing access credentials for a VNF customer from a cloud client device, provides the authentication request to the management service via the management virtual domain, receives an authentication response from the management service, and, in response to determining that the VNF customer access credentials are valid, initiates application of a policy that allows the cloud client device to configure the cloud virtual domain or the cloud service and disallows configuration of the external virtual domain and the management virtual domain.

Abstract: Techniques for tenant-driven dynamic resource allocation in network functions virtualization infrastructure (NFVI). In one example, an orchestration system is operated by a data center provider for a data center and that orchestration system comprises processing circuitry coupled to a memory; logic stored in the memory and configured for execution by the processing circuitry, wherein the logic is operative to: compute an aggregate bandwidth for a plurality of flows associated with a tenant of the data center provider and processed by a virtual network function, assigned to the tenant, executing on a server of the data center; and modify, based on the aggregate bandwidth, an allocation of compute resources of the server executing the virtual network function.

Abstract: In general, this disclosure describes techniques for using virtual domains. In one example, a method comprises receiving, by a computing device, configuration data defining: an external virtual domain for a network function, the external virtual domain connected to a public network and managed by a provider for the computing device; a virtual domain for the network function, the virtual domain separate from the external virtual domain, configured with a secure tunnel interface, connected to a customer network, and managed by a customer of the provider for the computing device; forwarding, by the external virtual domain implementing a route-based virtual private network, encrypted network traffic, received from the public network via a secure tunnel, to the secure tunnel interface configured in the virtual domain; decrypting, by the virtual domain, the encrypted network traffic to generate network traffic; and forwarding, by the virtual domain, the network traffic to the customer network.

Abstract: Techniques for virtualized network functions (VNFs) that provide for domain isolation of networks coupled to the VNF are described. A virtual network function (VNF) includes a cloud virtual domain coupling the VNF to a cloud service, a management virtual domain coupling the VNF to a management service, and an external virtual domain having a public Internet Protocol (IP) address. The external virtual domain receives an authentication request providing access credentials for a VNF customer from a cloud client device, provides the authentication request to the management service via the management virtual domain, receives an authentication response from the management service, and, in response to determining that the VNF customer access credentials are valid, initiates application of a policy that allows the cloud client device to configure the cloud virtual domain or the cloud service and disallows configuration of the external virtual domain and the management virtual domain.

Abstract: In one example, a method comprises receiving, by a computing device, configuration data defining: an external virtual domain for a network function, the external virtual domain connected to a public network and managed by a provider for the computing device; a virtual domain for the network function, the virtual domain separate from the external virtual domain, configured with a secure tunnel interface, connected to a customer network, and managed by a customer of the provider for the computing device; forwarding, by the external virtual domain implementing a route-based virtual private network, encrypted network traffic, received from the public network via a secure tunnel, to the secure tunnel interface configured in the virtual domain; decrypting, by the virtual domain, the encrypted network traffic to generate network traffic; and forwarding, by the virtual domain, the network traffic to the customer network.

Abstract: Techniques for tenant-driven dynamic resource allocation in network functions virtualization infrastructure (NFVI). In one example, an orchestration system is operated by a data center provider for a data center and that orchestration system comprises processing circuitry coupled to a memory; logic stored in the memory and configured for execution by the processing circuitry, wherein the logic is operative to: compute an aggregate bandwidth for a plurality of flows associated with a tenant of the data center provider and processed by a virtual network function, assigned to the tenant, executing on a server of the data center; and modify, based on the aggregate bandwidth, an allocation of compute resources of the server executing the virtual network function.