Abstract: This disclosure describes methods and systems to externally manage network-to-network interconnect configuration data in conjunction with a centralized database subsystem. An example of the methods includes receiving and storing, in the centralized database subsystem, data indicative of user intent to interconnect at least a first network and a second network. The example method further includes, based at least in part on the data indicative of user intent, determining and storing, in the centralized database subsystem, a network intent that corresponds to the user intent. The example method further includes providing data indicative of the network intent from the centralized database subsystem to a first data plane adaptor, associated with the first network, and a second data plane adaptor, associated with the second network.

Abstract: Techniques for a hub node to, provisioned in a network site of a hub and spoke overlay network, to receive a network advertisement from the spoke, decode network routing requirements from a border gateway protocol (BGP) large community associated with the network advertisement, and store the network routing requirements in association with a route associated with the spoke. The routing requirements may indicate one or more service(s) to be applied to the packet, a trust level associated with the spoke, and/or a trust zone associated with the spoke. The hub node may receive a packet from the spoke to be transmitted to destination spoke. The hub node may then route the packet to the destination spoke, drop the packet, or send the packet to a service node configured to apply the one or more services to the packet based on the routing requirements.

Abstract: This disclosure describes methods and systems to externally manage network-to-network interconnect configuration data in conjunction with a centralized database subsystem. An example of the methods includes receiving and storing, in the centralized database subsystem, data indicative of user intent to interconnect at least a first network and a second network. The example method further includes, based at least in part on the data indicative of user intent, determining and storing, in the centralized database subsystem, a network intent that corresponds to the user intent. The example method further includes providing data indicative of the network intent from the centralized database subsystem to a first data plane adaptor, associated with the first network, and a second data plane adaptor, associated with the second network.

Abstract: Load aware load balancing may be provided. Flow duration data associated with a plurality of flows associated with a plurality of servers may be obtained. Then a plurality of queue lengths respectively associated with the plurality of servers may be obtained. Next, a Shortest Expected Delay (SED) score may be determined for each of the plurality of servers based on the flow duration data and the plurality of queue lengths. A flow may then be assigned to a one of the plurality of servers having the lowest SED score.

Abstract: This disclosure describes techniques for providing a distributed scalable architecture for Network Address Translation (NAT) systems with high availability and mitigations for flow breakage during failover events. The NAT servers may include functionality to serve as fast-path servers and/or slow-path servers. A fast-path server may include a NAT worker that includes a cache of NAT mappings to perform stateful network address translation and to forward packets with minimal latency. A slow-path server may include a mapping server that creates new NAT mappings, depreciates old ones, and answers NAT worker state requests. The NAT system may use virtual mapping servers (VMSs) running on primary physical servers with state duplicated VMSs on different physical failover servers.

Abstract: The present disclosure is directed to network traffic management and load balancing at a cloud-based secure access service accessible to remotely connected user devices. In one example, a cloud-based secure service system includes a network controller configured to receive network traffic from one or more user devices remotely connected to the controller; parse the network traffic into flow data and contextual information associated with the network traffic; determine that the network traffic is to be serviced by a target firewall service at the cloud-based secure service system based on the flow data and the contextual information; and direct the network traffic to the target firewall service to be serviced.

Abstract: The present disclosure is directed to managing network traffic in a cloud-based secure access service. In one aspect, a method includes determining, by a controller of a cloud-based secure access service, that data packets from a user device should be dropped, a plurality of user devices, including the user device, being remotely connected to the controller for access to the cloud-based secure access service; determining, by the controller, a type of remote connection through which the user device is connected to the controller, each type of remote connection having a corresponding communication prototype; and transmitting a message, by the controller, to the user device, over a control protocol corresponding to the type of remote connection through which the user device is connected to the controller, the message providing a signal to the user device to drop packets at the user device prior to sending the packets to the controller.

Abstract: This disclosure describes methods and systems to externally manage network-to-network interconnect configuration data in conjunction with a centralized database subsystem. An example of the methods includes receiving and storing, in the centralized database subsystem, data indicative of user intent to interconnect at least a first network and a second network. The example method further includes, based at least in part on the data indicative of user intent, determining and storing, in the centralized database subsystem, a network intent that corresponds to the user intent. The example method further includes providing data indicative of the network intent from the centralized database subsystem to a first data plane adaptor, associated with the first network, and a second data plane adaptor, associated with the second network.

Abstract: A method is provided in one example embodiment and includes, for each of a plurality of individual storage units collectively comprising a virtual storage unit, mapping an internal address of the storage unit to a unique IP address, wherein each of the storage units comprises a block of storage on one of a plurality of physical storage devices and wherein the IP address includes a virtual storage unit number identifying the virtual storage unit; receiving from a client a request to perform an operation on at least one of the data storage units, wherein the request identifies the internal address of the at least one of the data storage units; translating the internal address of the at least one of the data storage unit to the unique IP address of the at least one of the data storage units; and performing the requested operation on the at least one of the data storage units.

Abstract: This disclosure describes methods and systems to externally manage network-to-network interconnect configuration data in conjunction with a centralized database subsystem. An example of the methods includes receiving and storing, in the centralized database subsystem, data indicative of user intent to interconnect at least a first network and a second network. The example method further includes, based at least in part on the data indicative of user intent, determining and storing, in the centralized database subsystem, a network intent that corresponds to the user intent. The example method further includes providing data indicative of the network intent from the centralized database subsystem to a first data plane adaptor, associated with the first network, and a second data plane adaptor, associated with the second network.

Abstract: This disclosure describes techniques for providing a distributed scalable architecture for Network Address Translation (NAT) systems with high availability and mitigations for flow breakage during failover events. The NAT servers may include functionality to serve as fast-path servers and/or slow-path servers. A fast-path server may include a NAT worker that includes a cache of NAT mappings to perform stateful network address translation and to forward packets with minimal latency. A slow-path server may include a mapping server that creates new NAT mappings, depreciates old ones, and answers NAT worker state requests. The NAT system may use virtual mapping servers (VMSs) running on primary physical servers with state duplicated VMSs on different physical failover servers.

Abstract: The present technology provides a system, method and computer readable medium for steering a content request among plurality of cache servers based on multi-level assessment of content popularity. In some embodiments a three levels of popularity may be determined comprising popular, semi-popular and unpopular designations for the queried content. The processing of the query and delivery of the requested content depends on the aforementioned popularity level designation and comprises a acceptance of the query at the edge cache server to which the query was originally directed, rejection of the query and re-direction to a second edge cache server or redirection of the query to origin server to thereby deliver the requested content. The proposed technology results in higher hit ratio for edge cache clusters by steering requests for semi-popular content to one or more additional cache servers while forwarding request for unpopular content to origin server.

Abstract: This disclosure describes techniques for providing a distributed scalable architecture for Network Address Translation (NAT) systems with high availability and mitigations for flow breakage during failover events. The NAT servers may include functionality to serve as fast-path servers and/or slow-path servers. A fast-path server may include a NAT worker that includes a cache of NAT mappings to perform stateful network address translation and to forward packets with minimal latency. A slow-path server may include a mapping server that creates new NAT mappings, depreciates old ones, and answers NAT worker state requests. The NAT system may use virtual mapping servers (VMSs) running on primary physical servers with state duplicated VMSs on different physical failover servers.

Abstract: This disclosure describes methods and systems to externally manage network-to-network interconnect configuration data in conjunction with a centralized database subsystem. An example of the methods includes receiving and storing, in the centralized database subsystem, data indicative of user intent to interconnect at least a first network and a second network. The example method further includes, based at least in part on the data indicative of user intent, determining and storing, in the centralized database subsystem, a network intent that corresponds to the user intent. The example method further includes providing data indicative of the network intent from the centralized database subsystem to a first data plane adaptor, associated with the first network, and a second data plane adaptor, associated with the second network.

Abstract: This disclosure describes methods and systems to externally manage network-to-network interconnect configuration data in conjunction with a centralized database subsystem. An example of the methods includes receiving and storing, in the centralized database subsystem, data indicative of user intent to interconnect at least a first network and a second network. The example method further includes, based at least in part on the data indicative of user intent, determining and storing, in the centralized database subsystem, a network intent that corresponds to the user intent. The example method further includes providing data indicative of the network intent from the centralized database subsystem to a first data plane adaptor, associated with the first network, and a second data plane adaptor, associated with the second network.

Abstract: Systems and methods provide for segment routing (SR) with fast reroute in a container network. An SR ingress can receive a packet from a first container destined for a container service. The ingress can generate an SR packet including a segment list comprising a first segment to a first container service host, a second segment to a second service host, and a third segment to the service. The ingress can forward the SR packet to a first SR egress corresponding to the first host using the first segment. The first egress can determine whether the first service and/or host is reachable. If so, the first egress can forward the SR packet to the first host or the packet to the service. If not, the first egress can perform a fast reroute and forward the SR packet to a second SR egress corresponding to the second host using the second segment.

Abstract: According to one aspect, a method includes obtaining a segment routing (SR) packet from an endpoint via a first router at a first server along a path, the SR packet including an SR list and a last address, the last address being an address of a requested service. The method also includes determining, at the first server, whether the requested service is available from the first server, wherein determining whether the requested service is available from the first server includes opening the SR packet, parsing an SR header of the SR packet, and performing a lookup in a service table. Finally, the method includes modifying the SR packet at the first server when it is determined that the requested service is not available from the first server; and forwarding the SR packet along the path.

Abstract: A method of routing a packet in a network is described. The network includes a plurality of nodes implementing Information Centric Networking (ICN) routing or content centric networking and routing. The method includes receiving the packet at a node implementing ICN routing, the packet comprising an Internet Protocol (IP) header and a packet payload, wherein the packet comprises a request packet for requesting content from the network. The method further includes extracting from the packet payload a content identifier for the requested content and forwarding the packet to a next hop node in the network based on the content identifier extracted from the packet payload.

Abstract: Aspects of the subject technology provide state-less load-balancing using sequence numbers to identify traffic flows. In some implementations, a process of the technology can include steps for receiving, by a load-balancer, a first packet from a source device including a request to access the service provided by a server coupled to the load-balancer, determining a load for each of the servers, wherein each server is associated with a unique set of sequence numbers, and forwarding the request to a target server selected based on its corresponding load, and wherein the request is configured to cause the target server to issue a reply to the source device. Systems and machine-readable media are also provided.

Abstract: A first node in a service mesh is configured to perform one or more services on network traffic obtained from an upstream network element via a pre-existing Transmission Control Protocol (TCP) session and provide the network traffic obtained from the upstream network element via the pre-existing TCP session to a downstream network element. The first node determines that the first node should no longer obtain the network traffic from the upstream network element via the pre-existing TCP session. In response, the first node provides state information for the pre-existing TCP session to the downstream network element. The downstream network element is configured to establish a new TCP session having the state information for the pre-existing TCP session with the upstream network element and to obtain further network traffic from the upstream network element via the new TCP session. The first node terminates the pre-existing TCP session.