Patents by Inventor Vikrant Arora

Vikrant Arora has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11831542
    Abstract: Policy-based routing of internet protocol (IP) packets using flow context. A system intercepts an event associated with creation of a network connection by an operating system (OS). The system identifies a flow context, including a flow tuple, associated with the network connection. Based on the flow context, and based on a flow-based routing policy, the system determines a provider associated with the network connection. The system records, in a state database, an association between the flow tuple and the provider, and instructs the OS to initiate the network connection. After the creation of the network connection, the system intercepts an IP packet associated with the network connection. Based on a header of the IP packet, the system identifies the flow tuple and, based on a result of querying the state database for the flow tuple, initiates a provider-based action for the IP packet.
    Type: Grant
    Filed: April 13, 2022
    Date of Patent: November 28, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Guy Lewin, Vikrant Arora, Ofir Yakovian
  • Patent number: 11811558
    Abstract: A network interface controller (NIC) associated with a virtual machine (VM) in a cloud computing network is configured to be flexibly attached and detached from a parent NIC to thereby enable the virtual machine to simultaneously be attached to multiple different virtual networks (VNets) and/or subnets that are associated with the same or different subscriptions. The inventive NIC, referred to herein as a flexibly extensible NIC (eNIC), enables a service provider to inject compute instances into an existing VNet using a multi-homing configuration in which the data plane uses a dedicated network interface to connect the customer's VNet, while another dedicated network interface provides management plane connectivity to the service provider. Such multi-VNet homing advantageously provides data plane isolation for the customer's VNet to comply with applicable security policies without disrupting management traffic between the injected resources and the service provider.
    Type: Grant
    Filed: August 12, 2020
    Date of Patent: November 7, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Raman Deep Singh, Ashish Bhargava, Sumit Gupta, Vinaya Natarajan, Anavi Arun Nahar, Vikrant Arora
  • Publication number: 20230336465
    Abstract: Policy-based routing of internet protocol (IP) packets using flow context. A system intercepts an event associated with creation of a network connection by an operating system (OS). The system identifies a flow context, including a flow tuple, associated with the network connection. Based on the flow context, and based on a flow-based routing policy, the system determines a provider associated with the network connection. The system records, in a state database, an association between the flow tuple and the provider, and instructs the OS to initiate the network connection. After the creation of the network connection, the system intercepts an IP packet associated with the network connection. Based on a header of the IP packet, the system identifies the flow tuple and, based on a result of querying the state database for the flow tuple, initiates a provider-based action for the IP packet.
    Type: Application
    Filed: April 13, 2022
    Publication date: October 19, 2023
    Inventors: Guy LEWIN, Vikrant ARORA, Ofir YAKOVIAN
  • Patent number: 11683293
    Abstract: The techniques described herein enable the establishment of two simultaneous virtual private network (VPN) connections for a VPN client operating on a remote computing device. The VPN client can establish a first VPN connection with a first VPN server instance of a VPN gateway and a second VPN connection with a second VPN server instance of the VPN gateway. To establish two simultaneous VPN connections, the VPN client is configured to create and/or use two Transmission Control Protocol (TCP) sockets. In one example, a first VPN connection can be a primary VPN connection and a second VPN connection can be a dormant VPN connection configured as a backup in case of a service interruption with the first VPN connection. In another example, a data flow can be split across the first and second VPN connections, or alternate between using the first and second VPN connections, based on performance parameters.
    Type: Grant
    Filed: May 13, 2021
    Date of Patent: June 20, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Deepak Narula, Shivakumar Thangapandi, Vikrant Arora, Abhishek Gupta, Amol Wate, Simran Rajkumar Nagrani, Nilambari Narayan Deshpande, Ning Wei
  • Patent number: 11671362
    Abstract: The techniques described herein enable the establishment of two simultaneous virtual private network (VPN) connections between a VPN gateway and a VPN client. The system is configured to update a routing table advertised to network resources when a VPN server instance fails and/or is taken offline. When a first VPN server instance fails and/or is taken offline, the first VPN server instance releases a claim of ownership on its range of IP addresses. After this release occurs, the second VPN server instance is configured to claim ownership of the range of IP addresses that used to be owned by the first VPN server instance. This updated claim of ownership is captured in an updated routing table that can then be advertised to the network resources. Consequently, the network resources use this updated routing table to correctly determine which VPN server instance to send data intended for the VPN client.
    Type: Grant
    Filed: May 13, 2021
    Date of Patent: June 6, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Deepak Narula, Shivakumar Thangapandi, Vikrant Arora, Abhishek Gupta, Amit Kumar Nanda, Akshat Kale
  • Publication number: 20230076070
    Abstract: The techniques described herein increase the throughput of a single VPN connection by creating multiple outbound and/or inbound Security Associations (SAs). For instance, two or more different SAs can encrypt outbound data packets to be sent over the VPN connection to a remote device. Moreover, two or more different SAs can decrypt inbound data packets received over the VPN connection from the remote device. Each of the SAs can be bound to a different processing core via the use of a Security Parameter Index (SPI) identifier. Consequently, inbound data packets communicated over a single VPN connection from a remote device to a physical host in a VPN gateway can be distributed amongst multiple processing cores for decryption purposes. Further, outbound data packets to be communicated over the single VPN connection from the physical host to the remote device can be distributed amongst multiple processing cores for encryption purposes.
    Type: Application
    Filed: September 16, 2022
    Publication date: March 9, 2023
    Inventors: Abhishek GUPTA, Shivakumar THANGAPANDI, Vikrant ARORA
  • Publication number: 20220385637
    Abstract: The techniques described herein enable a virtual private network (VPN) gateway to select a VPN connection, from multiple VPN connections established between a network VPN gateway and a remote VPN gateway, based on performance factors such as throughput. A system may measure throughput in megabytes per second (Mbps). More specifically, a VPN gateway (e.g., a remote VPN gateway or a network VPN gateway) can configure a routing preference that selects a VPN connection that is more performant based on a cryptographic algorithm that is used for the VPN connection. The VPN gateway can update the routing preference to select an alternative VPN connection when the performance of the VPN connection suffers.
    Type: Application
    Filed: November 3, 2021
    Publication date: December 1, 2022
    Inventors: Shivakumar THANGAPANDI, Abhishek GUPTA, Vikrant ARORA, Arun VENKATACHALAM
  • Publication number: 20220368631
    Abstract: The techniques described herein enable the establishment of two simultaneous virtual private network (VPN) connections between a VPN gateway and a VPN client. The system is configured to update a routing table advertised to network resources when a VPN server instance fails and/or is taken offline. When a first VPN server instance fails and/or is taken offline, the first VPN server instance releases a claim of ownership on its range of IP addresses. After this release occurs, the second VPN server instance is configured to claim ownership of the range of IP addresses that used to be owned by the first VPN server instance. This updated claim of ownership is captured in an updated routing table that can then be advertised to the network resources. Consequently, the network resources use this updated routing table to correctly determine which VPN server instance to send data intended for the VPN client.
    Type: Application
    Filed: May 13, 2021
    Publication date: November 17, 2022
    Inventors: Deepak NARULA, Shivakumar THANGAPANDI, Vikrant ARORA, Abhishek GUPTA, Amit Kumar NANDA, Akshat KALE
  • Publication number: 20220368675
    Abstract: The techniques described herein enable the establishment of two simultaneous virtual private network (VPN) connections for a VPN client operating on a remote computing device. The VPN client can establish a first VPN connection with a first VPN server instance of a VPN gateway and a second VPN connection with a second VPN server instance of the VPN gateway. To establish two simultaneous VPN connections, the VPN client is configured to create and/or use two Transmission Control Protocol (TCP) sockets. In one example, a first VPN connection can be a primary VPN connection and a second VPN connection can be a dormant VPN connection configured as a backup in case of a service interruption with the first VPN connection. In another example, a data flow can be split across the first and second VPN connections, or alternate between using the first and second VPN connections, based on performance parameters.
    Type: Application
    Filed: May 13, 2021
    Publication date: November 17, 2022
    Inventors: Deepak NARULA, Shivakumar THANGAPANDI, Vikrant ARORA, Abhishek GUPTA, Amol WATE, Simran Rajkumar NAGRANI, Nilambari Narayan DESHPANDE, Ning WEI
  • Patent number: 11477176
    Abstract: The techniques described herein increase the throughput of a single VPN connection by creating multiple outbound and/or inbound Security Associations (SAs). For instance, two or more different SAs can encrypt outbound data packets to be sent over the VPN connection to a remote device. Moreover, two or more different SAs can decrypt inbound data packets received over the VPN connection from the remote device. Each of the SAs can be bound to a different processing core via the use of a Security Parameter Index (SPI) identifier. Consequently, inbound data packets communicated over a single VPN connection from a remote device to a physical host in a VPN gateway can be distributed amongst multiple processing cores for decryption purposes. Further, outbound data packets to be communicated over the single VPN connection from the physical host to the remote device can be distributed amongst multiple processing cores for encryption purposes.
    Type: Grant
    Filed: May 27, 2021
    Date of Patent: October 18, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Abhishek Gupta, Shivakumar Thangapandi, Vikrant Arora
  • Patent number: 11323355
    Abstract: Techniques of partition abstraction in a wide area network are disclosed herein. In one example, a method includes receiving, at a partition of the wide area network, a request to perform a computing task with a computing resource in the wide area network, the computing resource having a resource identifier. In response to receiving the request, the method also includes determining whether the resource identifier of the computing resource includes a partition embedded globally unique identifier (PEGUID) and in response to determining that the resource identifier includes a PEGUID, extracting the PEGUID from the resource identifier and decoding the PEGUID to identify a partition corresponding to the computing resource.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: May 3, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sumit Gupta, Amit Kumar Nanda, Vikrant Arora
  • Publication number: 20220052877
    Abstract: A network interface controller (NIC) associated with a virtual machine (VM) in a cloud computing network is configured to be flexibly attached and detached from a parent NIC to thereby enable the virtual machine to simultaneously be attached to multiple different virtual networks (VNets) and/or subnets that are associated with the same or different subscriptions. The inventive NIC, referred to herein as a flexibly extensible NIC (eNIC), enables a service provider to inject compute instances into an existing VNet using a multi-homing configuration in which the data plane uses a dedicated network interface to connect the customer's VNet, while another dedicated network interface provides management plane connectivity to the service provider. Such multi-VNet homing advantageously provides data plane isolation for the customer's VNet to comply with applicable security policies without disrupting management traffic between the injected resources and the service provider.
    Type: Application
    Filed: August 12, 2020
    Publication date: February 17, 2022
    Inventors: Raman Deep SINGH, Ashish BHARGAVA, Sumit GUPTA, Vinaya NATARAJAN, Anavi Arun NAHAR, Vikrant ARORA
  • Publication number: 20210392121
    Abstract: Techniques are disclosed for live migrating an existing connection between a local gateway in a virtualized computing environment and a remote gateway. The existing IKE and IPSec connection are frozen. MMSA and QMSA data for the IKE and IPSec connection are saved. Data for the existing IKE and IPSec connection is cleared at the local gateway without sending a message to the remote gateway. The saved MMSA and QMSA data are transferred to a new local gateway. Using the saved MMSA and QMSA data, a state for the existing IKE and IPSec connection is reconstructed at the new local gateway. The existing IKE and IPSec connection is enabled.
    Type: Application
    Filed: August 11, 2020
    Publication date: December 16, 2021
    Inventors: Shivakumar Thangapandi, Abhishek Gupta, Vikrant Arora
  • Patent number: 10938626
    Abstract: Techniques are disclosed for managing gateway switchovers. An indication is received that a primary gateway will be switched to a backup gateway. In response to the indication, a response is made to a periodic health probe that a gateway switchover has been initiated. Incoming data traffic is forwarded from the primary gateway to the backup gateway. Subsequent to an elapsed time delay, a response is made to the periodic health probe that the primary gateway will no longer accept incoming data traffic. The time delay may be based at least in part on one or more of a time interval of the periodic poll and a time to effect the gateway switchover. The forwarding of the incoming data traffic from the primary gateway to the backup gateway is terminated.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: March 2, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nalin Raj Gupta, Mohit Garg, Ashok Kumar Nandoori, Ning Wei, Abhishek Agarwal, Vikrant Arora
  • Patent number: 10749971
    Abstract: Techniques for intelligently managing a virtual private network (VPN) gateway in a cloud computing system are disclosed herein. In one embodiment, an instance of a VPN gateway can query whether a logic lock on a network address is maintained by another instance via periodic renewal. In response to receiving a query result indicating that a logic lock on the network address is lost by the another instance, the instance can migrate a VPN connection originally handled by the another instance from the another instance to the instance such that a private network is connected to the instance via the migrated VPN connection to reduce downtime for accessing computing resources in the cloud computing system.
    Type: Grant
    Filed: April 24, 2018
    Date of Patent: August 18, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nalin Gupta, Ashok Nandoori, Mohit Garg, Ning Wei, Vikrant Arora
  • Patent number: 10574750
    Abstract: Network services may include data associated with one or more entities. An aggregator service may host respective application programming interfaces (APIs) of the services at a single endpoint of the network such that the entities, including associations and relationships between entities, may be federated. For example, the services may register the entities of which the data of each of the services is associated with through a declarative entity model to establish an API schema for each of the services, which may be published at the aggregator service. In response to receipt of a request for entity related data from a client, the aggregator service may employ the declarative entity model to determine which of the services are associated with the entity related data such that a query may be submitted to the services, and how to aggregate responses to the query received from the services for transmission to the client.
    Type: Grant
    Filed: September 1, 2015
    Date of Patent: February 25, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Yina Arenas, Dmitry Pugachev, Robert Howard, Sriram Dhanasekaran, Marek Rycharski, Vijaya Manohararaj, Daniel Kershaw, James Kleewein, Anthony Bloesch, Titus Miron, Vikrant Arora, Murli Satagopan, Jon Rosenberg, Yordan Rouskov
  • Publication number: 20200036578
    Abstract: Techniques are disclosed for managing gateway switchovers. An indication is received that a primary gateway will be switched to a backup gateway. In response to the indication, a response is made to a periodic health probe that a gateway switchover has been initiated. Incoming data traffic is forwarded from the primary gateway to the backup gateway. Subsequent to an elapsed time delay, a response is made to the periodic health probe that the primary gateway will no longer accept incoming data traffic. The time delay may be based at least in part on one or more of a time interval of the periodic poll and a time to effect the gateway switchover. The forwarding of the incoming data traffic from the primary gateway to the backup gateway is terminated.
    Type: Application
    Filed: December 28, 2018
    Publication date: January 30, 2020
    Inventors: Nalin Raj GUPTA, Mohit GARG, Ashok Kumar NANDOORI, Ning WEI, Abhishek AGARWAL, Vikrant ARORA
  • Patent number: 10541925
    Abstract: Methods and devices for load balancing of connections may include receiving, at a management component on a container host on a computer device, at least one data packet based on a destination IP address of the data packet that corresponds to a plurality of container hosts. The methods and devices may include selecting a destination container from at least one container host on the computer device and other computer devices in communication with the computer device over a virtual network to balance a data load and translating the source IP address of the at least one data packet to a local IP address of the container host. The methods and devices may include changing the destination IP address of the at least one data packet to a virtual IP address of the selected destination container so that the at least one data packet is transformed to a proxy data packet.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: January 21, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Vikrant Arora, Dinesh Kumar Govindasamy, Madhan Raj Mookkandy, Sandeep Bansal, Nicholas D. Wood, George Kudrayvtsev
  • Publication number: 20190327312
    Abstract: Techniques for intelligently managing a virtual private network (VPN) gateway in a cloud computing system are disclosed herein. In one embodiment, an instance of a VPN gateway can query whether a logic lock on a network address is maintained by another instance via periodic renewal. In response to receiving a query result indicating that a logic lock on the network address is lost by the another instance, the instance can migrate a VPN connection originally handled by the another instance from the another instance to the instance such that a private network is connected to the instance via the migrated VPN connection to reduce downtime for accessing computing resources in the cloud computing system.
    Type: Application
    Filed: April 24, 2018
    Publication date: October 24, 2019
    Inventors: Nalin Gupta, Ashok Nandoori, Mohit Garg, Ning Wei, Vikrant Arora
  • Publication number: 20190068505
    Abstract: Methods and devices for load balancing of connections may include receiving, at a management component on a container host on a computer device, at least one data packet based on a destination IP address of the data packet that corresponds to a plurality of container hosts. The methods and devices may include selecting a destination container from at least one container host on the computer device and other computer devices in communication with the computer device over a virtual network to balance a data load and translating the source IP address of the at least one data packet to a local IP address of the container host. The methods and devices may include changing the destination IP address of the at least one data packet to a virtual IP address of the selected destination container so that the at least one data packet is transformed to a proxy data packet.
    Type: Application
    Filed: December 21, 2017
    Publication date: February 28, 2019
    Inventors: Vikrant ARORA, Dinesh Kumar GOVINDASAMY, Madhan Raj MOOKKANDY, Sandeep BANSAL, Nicholas D. WOOD, George KUDRAYVTSEV