Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has servers that act as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The servers enforce these policies and distribute the policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized. In response to such a request, the local agent uses one or more parameters associated with the API call to identify a policy stored in its local policy storage to evaluate whether the API call should be authorized.

Abstract: Some embodiments provide a forwarding element that detects and handles elephant flows. In detecting, the forwarding element of some embodiments monitors statistics or measurements relating to a data flow. In handling, the forwarding element marks each packet associated with a detected elephant flow in some manner to differentiate it from a packet associated with a mouse flow. Alternatively, the forwarding element of break elephant flows into a number mouse flow by facilitating in sending packets associated with the detected elephant flow along different paths.

Abstract: Some embodiments provide a method gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives an authentication policy that defines multiple users of a system providing the service, and also receives an authorization policy that defines access to the service by the users. The method generates an authorization policy for defining access to the service by authenticated users by combining the first and second policies. The method receives a query regarding access to the service from a particular set of one or more users, and uses the third policy to provide a response to the query that describes access to the service for the particular user set.

Abstract: Some embodiments of the invention provide a method for generating custom system templates to define new system types. For a particular system type, the method defines at least a manifest file that specifies a set of properties of the particular system type. The method compresses the defined manifest file to create a custom system template package for the particular system type. The method uploads the custom system template package to an authorization service in order to instantiate a new system of the particular system type.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.

Abstract: Some embodiments provide a method for authorizing application programming interface (API) calls on a host computer in a local cluster of computers. The method is performed in some embodiments by an API-authorizing agent executing on the host computer in the local computer cluster. From a remote cluster of computers, the method receives (1) a set of API-authorizing policies to evaluate in order to determine whether API calls to an application executing on the host computer are authorized, and (2) a set of parameters needed for evaluating the policies. With the remote cluster of computers, the method registers for notifications regarding updates to the set of parameters. The method then receives notifications, from the remote cluster, regarding an update to the set of parameters, and modifies the set of parameters based on the update.

Abstract: Some embodiments provide a method for enforcing policies for authorizing API (Application Programming Interface) calls to an application operating on a host machine. The method receives a request to authenticate a client attempting to gain access to the application, and authenticates the client based on a first set of parameters associated with the request. Using a second set of parameters associated with the request, the method evaluates a set of one or more policies associated with a set of one or more API calls to the application. Based on the evaluated policies, the method defines a third set of one or more authentication field parameters that control the API calls that the client is authorized to make to the application. The method sends an authentication reply message with the defined third set of authentication field parameters in order to control the API calls that the client is authorized to make.

Abstract: A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can include service-providing stages such as NAT and firewall. The gateway caches the result previous packet operations and reapplies the result to subsequent packets that meet certain criteria. For packets that do not have applicable or valid result from previous packet processing operations, the gateway datapath daemon executes the pipelined packet processing stages and records a set of data from each stage of the pipeline and synthesizes those data into a cache entry for subsequent packets.

Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.

Abstract: Some embodiments provide a system that includes a set of network controllers for receiving definitions of first and second logical switching elements. The system includes several managed switching elements. The set of network controllers configure the several managed switching elements to implement the defined first and second logical switching elements. The system includes several network hosts that are each (1) communicatively coupled to one of the several managed switching elements and (2) associated with one of the first and second logical switching elements. Network data communicated between network hosts associated with the first logical switching element are isolated from network data communicated between network hosts associated with the second logical switching element.

Abstract: Some embodiments provide a method gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives an authentication policy that defines multiple users of a system providing the service, and also receives an authorization policy that defines access to the service by the users. The method generates an authorization policy for defining access to the service by authenticated users by combining the first and second policies. The method receives a query regarding access to the service from a particular set of one or more users, and uses the third policy to provide a response to the query that describes access to the service for the particular user set.

Abstract: Some embodiments provide a system for implementing a logical network that includes a set of end machines, a first logical middlebox, and a second logical middlebox connected by a set of logical forwarding elements. The system includes a set of nodes. Each of several nodes includes (i) a virtual machine for implementing an end machine of the logical network, (ii) a managed switching element for implementing the set of logical forwarding elements of the logical network, and (iii) a middlebox element for implementing the first logical middlebox of the logical network. The system includes a physical middlebox appliance for implementing the second logical middlebox.

Abstract: Some embodiments of the invention provide a method for generating custom system templates to define new system types. For a particular system type, the method defines at least a manifest file that specifies a set of properties of the particular system type. The method compresses the defined manifest file to create a custom system template package for the particular system type. The method uploads the custom system template package to an authorization service in order to instantiate a new system of the particular system type.

Abstract: A network control system for managing a plurality of switching elements that implement a plurality of logical datapath sets. The network control system includes first and second controllers for generating requests for modifications to first and second logical datapath sets. The first controller is further for determining whether to make modifications to the first logical datapath set. The second controller is further for determining whether to make modifications to the second logical datapath set. Each controller is further for receiving logical control plane data that specifies logical datapath sets and for converting the logical control plane data to physical control plane data for propagating to the switching elements.

Abstract: Some embodiments provide a method for evaluating a policy for authorizing an API (Application Programming Interface) call to an application. Based on a first set of parameters available before receiving the API call, the method evaluates only a portion of the policy to produce a partially evaluated policy. The method stores the partially evaluated policy in a cache. The method then receives an API call to authorize, and determines whether the API call should be authorized by fully evaluating the policy, using the partially evaluated policy retrieved from the cache first storage, and a second set of parameters associated with the API call. The method responds to the API call with a policy decision based on the fully evaluated authorization policy.

Abstract: A non-transitory machine readable medium storing a program that configures managed forwarding elements to establish tunnels between the managed forwarding elements is described. From a particular managed forwarding element, the program receives information regarding coupling of a network element to the first managed forwarding element. Upon receiving the information, the program generates a set of universal flow entries for configuring another managed forwarding element to establish a tunnel to the particular managed forwarding element.

Abstract: Some embodiments provide a method for authorizing application programming interface (API) calls on a host computer in a local cluster of computers. The method is performed in some embodiments by an API-authorizing agent executing on the host computer in the local computer cluster. From a remote cluster of computers, the method receives (1) a set of API-authorizing policies to evaluate in order to determine whether API calls to an application executing on the host computer are authorized, and (2) a set of parameters needed for evaluating the policies. With the remote cluster of computers, the method registers for notifications regarding updates to the set of parameters. The method then receives notifications, from the remote cluster, regarding an update to the set of parameters, and modifies the set of parameters based on the update.

Abstract: Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Abstract: For a network control system that receives, from a user, logical datapath sets that logically express desired forwarding behaviors that are to be implemented by a set of managed switching elements, a controller for managing several managed switching elements that forward data in a network that includes the managed switching elements is described. The controller includes a set of modules for detecting a change in one or more managed switching elements and for updating logical datapath set based on the detected change. The logical datapath set is for subsequent translation into a set of physical forwarding behaviors of the managed switching elements.

Abstract: A method for managing a managed forwarding element (MFE) that forwards data in a network. A network controller publishes, to the MFE, a first set of data for configuring the MFE to perform a set of forwarding operations. The network controller collects, from the MFE, a second set of data regarding current operational state of the MFE. The network controller identifies a difference between a desired operational state of the MFE maintained by the network controller and the collected current operational state of the MFE. Based on the identified difference, the network controller publishes a new third set of data for configuring the MFE to adjust the current operational state of the MFE to the desired state.