Abstract: Some embodiments of the invention provide a method of implementing a virtualization software-based service mesh for a network that includes multiple host computers, each host computer including a set of virtualization software executing a set of application instances. For each host computer, the method deploys, to the set of virtualization software, an application service agent and an application service data plane that includes a set of data plane service mesh levels. The method configures the application service agent to apply policy rules defined for flows associated with the set of application instances to the flows on the application service data plane, and configures the application service data plane to forward the flows for the set of application instances to and from services provided at each data plane service mesh level in the set of data plane service mesh levels according to the policy rules applied by the application service agent.

Abstract: Some embodiments provide a method of implementing service rules for a container cluster that is configured by a first SDN controller cluster. The method registers for event notification from an application programming interface (API) server to receive notification regarding events associated with resources deployed in the container cluster. The method forwards to a second SDN controller cluster resource identifiers collected through the registration for resources of the container cluster. The second SDN controller cluster defines service policies that are not defined by the first SDN controller cluster. The method receives, from the second SDN controller cluster, service policies defined by the second SDN controller cluster based on the resource identifiers. The method distributes service rules defined based on the service policies to network elements in the container cluster to enforce on data messages associated with machines deployed in the container cluster configured by the first SDN controller cluster.

Abstract: Some embodiments provide a method for using a first SDN controller as a Network Controller as a Service (NCaaS). The first SDN controller receives a first set of network attributes regarding network elements in a first container cluster configured by a second SDN controller, and a second set of network attributes regarding network elements in a second container cluster configured by a third SDN controller. These container clusters do not have a controller for defining particular network policies. Based on the sets of network attributes, the first SDN controller defines the particular network policies to control forwarding data messages between the first and second container clusters. The first SDN controller distributes at least a subset of the particular network policies to the first container cluster in order for network elements at the first container cluster to enforce on data messages exchanged between the first and second container clusters.

Abstract: Some embodiments provide a method for using a first SDN controller as a Network Controller as a Service (NCaaS). The first SDN controller receives a first set of network attributes regarding network elements in a first container cluster configured by a second SDN controller, and a second set of network attributes regarding network elements in a second container cluster configured by a third SDN controller. These container clusters do not have a controller for defining particular network policies. Based on the sets of network attributes, the first SDN controller defines the particular network policies to control forwarding data messages between the first and second container clusters. The first SDN controller distributes at least a subset of the particular network policies to the first container cluster in order for network elements at the first container cluster to enforce on data messages exchanged between the first and second container clusters.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.

Abstract: Some embodiments provide a novel method for defining policies for a container cluster that is configured by a first software defined network (SDN) controller cluster. A second SDN controller cluster for defining service policies that are not defined by the first SDN controller cluster receives, from a set of one or more adapters deployed in the container cluster for the second SDN controller cluster, resource identifiers for several resources of the container cluster. The second SDN controller cluster uses the resource identifiers to define a set of service policies. Then, the second SDN controller cluster distributes the set of service policies to a set of network elements to enforce the set of service policies on data messages associated with machines deployed in the container cluster configured by the first SDN controller cluster.

Abstract: Some embodiments provide a method for using a first SDN controller as a Network Controller as a Service (NCaaS). The first SDN controller receives a first set of network attributes regarding network elements in a first container cluster configured by a second SDN controller, and a second set of network attributes regarding network elements in a second container cluster configured by a third SDN controller. These container clusters do not have a controller for defining particular network policies. Based on the sets of network attributes, the first SDN controller defines the particular network policies to control forwarding data messages between the first and second container clusters. The first SDN controller distributes at least a subset of the particular network policies to the first container cluster in order for network elements at the first container cluster to enforce on data messages exchanged between the first and second container clusters.

Abstract: Some embodiments provide a method of implementing service rules for a container cluster that is configured by a first SDN controller cluster. The method registers for event notification from an application programming interface (API) server to receive notification regarding events associated with resources deployed in the container cluster. The method forwards to a second SDN controller cluster resource identifiers collected through the registration for resources of the container cluster. The second SDN controller cluster defines service policies that are not defined by the first SDN controller cluster. The method receives, from the second SDN controller cluster, service policies defined by the second SDN controller cluster based on the resource identifiers. The method distributes service rules defined based on the service policies to network elements in the container cluster to enforce on data messages associated with machines deployed in the container cluster configured by the first SDN controller cluster.

Abstract: The disclosure provides an example method for live packet tracing. Some embodiments of the method include configuring a first network interface of a first pod to mark each of a plurality of packets, with a corresponding flow tag and a corresponding packet identifier, receiving, from one or more observation points, at least one of copies or metadata of the plurality of packets each marked with the corresponding flow tag and the corresponding packet identifier. In some embodiments, the method further includes displaying data indicative of the at least one of the copies or the metadata of the plurality of packets.

Abstract: A computer-implemented method for electing a leader in a computing system is provided. In one aspect, a method includes identifying a computing resource for multiple container groups that each include one or more containers. A determination is made, from applications running in containers of the container groups, of multiple election candidate applications. Each election candidate application has an instance deployed in a corresponding container in each container group. For each container group, an election runner process is established within the container group. For each instance of each of the election candidate applications, a corresponding election watcher process is established. A communication link is established between the election runner process and each election watcher process. A request for leader election is transmitted from the election runner process to the computing resource. A response received from the computing resource.

Abstract: Some embodiments of the invention provide a method for performing data traffic monitoring for a system that includes a set of heterogeneous networks that includes at least an overlay first network layer that is built on top of an underlay second network layer. The method is performed at a federation controller for the system. The method directs (1) a first set of components in the overlay first network layer to perform a first trace operation to trace a packet exchanged between two machines and passing through network components defined in the overlay first network layer and underlay second network layer and (2) a second set of components in the underlay second network layer to perform a second trace operation to trace the packet. The method receives, from the first and second sets of components, first and second sets of trace data collected during the first and second trace operations. The collected trace data includes correlation data for correlating the first and second sets of data.

Abstract: Some embodiments of the invention provide a method for performing data traffic monitoring for a system that includes a set of heterogeneous networks that includes at least an overlay first network layer that is built on top of an underlay second network layer. The method is performed at a federation controller for the system. The method directs (1) a first set of components in the overlay first network layer to perform a first trace operation to trace a packet exchanged between two machines and passing through network components defined in the overlay first network layer and underlay second network layer and (2) a second set of components in the underlay second network layer to perform a second trace operation to trace the packet. The method receives, from the first and second sets of components, first and second sets of trace data collected during the first and second trace operations. The collected trace data includes correlation data for correlating the first and second sets of data.

Abstract: Some embodiments provide a novel method for enforcing service policies at different container clusters configured by several SDN controller clusters. A first SDN controller cluster defines a particular service policy to be enforced for machines in first, second, and third container clusters. First, second, and third sets of network elements for the first, second, and third container clusters are managed by the first, a second, and a third SDN controller cluster respectively. For data message flows exchanged between machines in the first and second container clusters, the first SDN controller cluster distributes the particular service policy to service nodes only in the first container cluster. For data message flows exchanged between machines in the second and third container clusters, the first SDN controller cluster distributes the particular service policy to service nodes in at least one of the second and third container clusters.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML, files.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing access to network security policies. One of the methods includes determining, for a policy access request i) received from a device and ii) that requests access to a network security policy that defines a rule for controlling network traffic, whether there is an entitlement for the network security policy, wherein the entitlement indicates one or more types of operations that a subset of user accounts can perform on the network security policy; in response to determining that there is an entitlement, determining, using a mapping for the entitlement that identifies the subset of user accounts that have access to the network security policy, whether a user account for the device is included in the subset of user accounts; and selectively allowing or denying the policy access request using the entitlement and a result of the determination.

Abstract: Some embodiments of the invention provide a method for identifying network resources related to an intent-based Application Programming Interface (API) request for a service to be implemented for a network. The method, in some embodiments, is performed by an API server (e.g., executing on a master node) in a Kubernetes network. The API server receives sets of criteria for identifying network resources related to the requested service and sets of instructions for retrieving information associated with network resources identified by the sets of criteria. The sets of criteria and sets of instructions are based on an API request for a resource selector object. The resource selector object, in some embodiments, is a custom resource that is used to define the sets of criteria and the sets of instructions and is based on a custom resource definition (CRD) provided by a user.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.