Patents by Inventor Uday MASUREKAR
Uday MASUREKAR has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12206706
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
Type: Grant
Filed: July 27, 2023
Date of Patent: January 21, 2025
Assignee: Nicira, Inc.
Inventors: Amit Chopra, Uday Masurekar
-
Patent number: 12184698
Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).
Type: Grant
Filed: September 13, 2021
Date of Patent: December 31, 2024
Assignee: Nicira, Inc.
Inventors: Kaushal Bansal, Uday Masurekar, Aravind Srinivasan, Shadab Shah, Serge Maskalik
-
Patent number: 11855959
Abstract: Some embodiments provide a method for providing dynamic host configuration protocol (DHCP) services to different data compute nodes (e.g., virtual machines) that belong to different logical networks (e.g., for different tenants in a datacenter). In some embodiments, the method inserts a logical network identifier (LNI) value to each DHCP packet and forwards the packet to a DHCP server module for processing the DHCP request. Based on the LNI value, the DHCP server of some embodiments identifies the logical network from which the DHCP packet is received. The DHCP server then provides the requested DHCP service (e.g., assigning an IP address to a data compute node that has originated the DHCP packet, assigning a domain name, etc.) according to a DHCP service configuration for the identified logical network.
Type: Grant
Filed: October 24, 2020
Date of Patent: December 26, 2023
Assignee: NICIRA, INC.
Inventors: Uday Masurekar, Jayant Jain, Ronghua Zhang, Mani Kancherla, Minjal Agarwal
-
Publication number: 20230370496
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
Type: Application
Filed: July 27, 2023
Publication date: November 16, 2023
Inventors: Amit Chopra, Uday Masurekar
-
Patent number: 11750481
Abstract: A method for visualizing network flows of a network is provided. The method monitors network flows between a group of machines in a network. The method associates identifiers with the monitored network flows. The method aggregates the monitored network flows into a set of groups based on the associated identifiers. The method displays a set of flow records for each group of the set of groups.
Type: Grant
Filed: February 21, 2022
Date of Patent: September 5, 2023
Assignee: NICIRA, INC.
Inventors: Kaushal Bansal, Uday Masurekar, Srinivas Nimmagadda, Jingmin Zhou, Abhishek Goliya, Amit Chopra, Kausum Kumar
-
Patent number: 11743292
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
Type: Grant
Filed: August 8, 2022
Date of Patent: August 29, 2023
Assignee: NICIRA, INC.
Inventors: Amit Chopra, Uday Masurekar
-
Patent number: 11533256
Abstract: Some embodiments provide a method for implementing a logical router in a logical network. In some embodiments, the method receives a configuration of a static route for the logical router, which includes several routing components with separate routing tables. The method identifies which of the routing components require addition of a route to a corresponding routing table to implement the configuration of the static route. The method adds the routes to the corresponding separate routing tables of the identified routing components.
Type: Grant
Filed: October 12, 2020
Date of Patent: December 20, 2022
Assignee: NICIRA, INC.
Inventors: Uday Masurekar, Abhishek Goliya
-
Publication number: 20220376907
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
Type: Application
Filed: August 8, 2022
Publication date: November 24, 2022
Inventors: Amit Chopra, Uday Masurekar
-
Patent number: 11502958
Abstract: Some embodiments provide a method or tool for automatically configuring a logical router on one or more edge nodes of an edge cluster (e.g., in a hosting system such as a datacenter). The method of some embodiments configures the logical router on the edge nodes based on a configuration policy that dictates the selection method of the edge nodes. In some embodiments, an edge cluster includes several edge nodes (e.g., gateway machines), through which one or more logical networks connect to external networks (e.g., external logical and/or physical networks). In some embodiments, the configured logical router connects a logical network to an external network through the edge nodes.
Type: Grant
Filed: October 12, 2020
Date of Patent: November 15, 2022
Assignee: NICIRA, INC.
Inventors: Uday Masurekar, Abhishek Goliya, Minjal Agarwal
-
Publication number: 20220360566
Abstract: A novel method of providing virtual private access to a software defined data center (SDDC) is provided. The SDDC uses distributed VPN tunneling to allow external access to application services hosted in the SDDC. The SDDC includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources. The host machines that host the VMs running the applications that VPN clients are interested in connecting perform the VPN encryption and decryption. The VPN gateway does not perform any encryption and decryption operations. The packet structure is such that the VPN gateway can read the IP address of the VM without decrypting the packet.
Type: Application
Filed: July 18, 2022
Publication date: November 10, 2022
Inventors: Sandesh Sawant, Amit Chopra, Vinayak Shashikant Naik, Jayant Jain, Anirban Sengupta, Uday Masurekar
-
Patent number: 11470119
Abstract: A method of configuring networking, security, and operational parameters of workloads deployed in a virtualized computing environment includes the steps of: storing multiple policies, each defining one of networking, security, or operational parameters, and associating tags to each of the multiple policies, independent of deployment of a virtual computing instance in the virtual computing environment; responsive to a request to perform configuration of a virtual computing instance being deployed, retrieving policies among the stored multiple policies that are associated with same tags as tags contained in the request; generating configuration parameters for data path components in a host machine of the virtual computing instance and for data path components of the virtual computing instance based on the retrieved policies; and transmitting the generated configuration parameters to the host machine for the host machine to configure the networking, security, or operational parameters the virtual computing insta
Type: Grant
Filed: December 19, 2016
Date of Patent: October 11, 2022
Assignee: NICIRA, INC.
Inventors: Kaushal Bansal, Uday Masurekar
-
Patent number: 11429410
Abstract: Systems, methods, and software to enhance the management of software defined networks. A controller is configured to maintain a data plane configuration for a virtual machine environment based on forwarding rules. The controller is further configured to identify a virtual machine group to be deployed in the computing environment, and identify tags associated with each virtual machine in the virtual machine group. Once the tags are identified, the controller may update the data plane forwarding configuration based on the identified tags and the forwarding rules.
Type: Grant
Filed: May 9, 2017
Date of Patent: August 30, 2022
Assignee: VMware, Inc.
Inventors: Kaushal Bansal, Uday Masurekar
-
Patent number: 11425021
Abstract: Some embodiments provide a method for configuring a set of logical routers in a logical network. The method receives a configuration of an advertised route for a first logical router and a set of allowable routes for a second logical router to which the first logical router connects. The method determines whether the set of allowable routes for the second logical router includes the advertised route as an allowed route from the first logical router. Only when the advertised route is an allowed route from the first logical router, the method adds the advertised route to a routing table for at least one component of the second logical router.
Type: Grant
Filed: March 18, 2020
Date of Patent: August 23, 2022
Assignee: NICIRA, INC.
Inventors: Abhishek Goliya, Uday Masurekar, Minjal Agarwal
-
Patent number: 11411995
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
Type: Grant
Filed: August 2, 2020
Date of Patent: August 9, 2022
Assignee: NICIRA, INC.
Inventors: Amit Chopra, Uday Masurekar
-
Patent number: 11394692
Abstract: A novel method of providing virtual private access to a software defined data center (SDDC) is provided. The SDDC uses distributed VPN tunneling to allow external access to application services hosted in the SDDC. The SDDC includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources. The host machines that host the VMs running the applications that VPN clients are interested in connecting perform the VPN encryption and decryption. The VPN gateway does not perform any encryption and decryption operations. The packet structure is such that the VPN gateway can read the IP address of the VM without decrypting the packet.
Type: Grant
Filed: February 9, 2020
Date of Patent: July 19, 2022
Assignee: NICIRA, INC.
Inventors: Sandesh Sawant, Amit Chopra, Vinayak Shashikant Naik, Jayant Jain, Anirban Sengupta, Uday Masurekar
-
Publication number: 20220173985
Abstract: A method for visualizing network flows of a network is provided. The method monitors network flows between a group of machines in a network. The method associates identifiers with the monitored network flows. The method aggregates the monitored network flows into a set of groups based on the associated identifiers. The method displays a set of flow records for each group of the set of groups.
Type: Application
Filed: February 21, 2022
Publication date: June 2, 2022
Inventors: Kaushal Bansal, Uday Masurekar, Srinivas Nimmagadda, Jingmin Zhou, Abhishek Goliya, Amit Chopra, Kausum Kumar
-
Patent number: 11343183
Abstract: Example methods are provided to perform traffic forwarding between geographically dispersed first site and second site and to support traffic forwarding via a trunk interface. In one example, the method may include receiving, by a first edge device at the first site, network traffic having a plurality of packets via a trunk interface of the first edge device from a virtual tunnel endpoint, the virtual tunnel endpoint having decapsulated the packets prior to communicating the packets through the trunk interface. The method may further include reading an overlay network identifier from each of the packets to identify a source overlay network of the received network traffic from the multiple overlay networks; modifying each of the packets to include a virtual local area network (VLAN) identifier; and forwarding modified network traffic to a second edge device at the second site to identify the destination network based on the VLAN identifier.
Type: Grant
Filed: August 30, 2019
Date of Patent: May 24, 2022
Assignee: NICIRA INC.
Inventors: Qin Li, Shailesh Urhekar, Amit Chopra, Ayyappan Veeraiyan, Uday Masurekar
-
Patent number: 11258761
Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.
Type: Grant
Filed: June 29, 2016
Date of Patent: February 22, 2022
Assignee: NICIRA, INC.
Inventors: Kaushal Bansal, Uday Masurekar
-
Patent number: 11258681
Abstract: A method for visualizing network flows of a network is provided. The method monitors network flows between a group of machines in a network. The method associates identifiers with the monitored network flows. The method aggregates the monitored network flows into a set of groups based on the associated identifiers. The method displays a set of flow records for each group of the set of groups.
Type: Grant
Filed: September 25, 2017
Date of Patent: February 22, 2022
Assignee: NICIRA, INC.
Inventors: Kaushal Bansal, Uday Masurekar, Srinivas Nimmagadda, Jingmin Zhou, Abhishek Goliya, Amit Chopra, Kausum Kumar
-
Patent number: 11245597
Abstract: One or more examples provide techniques for providing a multi-site wide area network in a cloud computing system. In an example, a method of providing a multi-site wide area network (WAN) in a cloud computing system includes: creating a plurality of sites; creating a compute profile in each of the plurality of sites, each compute profile having a compute cluster of virtual machines (VMs); creating a service mesh having the compute profile of each of the plurality of sites; and deploying an application to the service mesh.
Type: Grant
Filed: May 17, 2019
Date of Patent: February 8, 2022
Assignee: VMware, Inc.
Inventors: Serge Maskalik, Sachin Thakkar, Abhinav Vijay Bhagwat, Uday Masurekar, Weiqing Wu, Narendra Kumar Basur Shankarappa, Hemanth Kumar Pannem, Aravind Srinivasan