Managed forwarding element executing in separate namespace of public cloud data compute node than workload application

US 10,397,136 B2
Filed: 08/31/2016
Issued: 08/27/2019
Est. Priority Date: 08/27/2016
Status: Active Grant

First Claim

Patent Images

1. For a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access, a method comprising:

identifying a virtual machine, that operates on a host machine in the datacenter, to attach to the logical network, the virtual machine having a network interface with a network address provided by a management system of the datacenter, wherein a workload application executes in a first namespace of the virtual machine; and

distributing configuration data for configuring a managed forwarding element executing in a second namespace of the virtual machine (i) to receive data packets sent from the workload application via an interface pairing between the first and second namespaces and (ii) to perform network security and forwarding processing on the data packets, wherein the data packets sent by the workload application have the provided network address as a source address when received by the managed forwarding element and are encapsulated by the managed forwarding element using the same provided network address as a source address for the encapsulation when sent from the virtual machine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a method for a network controller that manages a logical network implemented in a datacenter having forwarding elements to which the network controller does not have access. The method identifies a data compute node (DCN) operating on a host machine in the datacenter, to attach to the logical network. The DCN has a network interface with an address provided by a datacenter management system. A workload application executes in a first namespace of the DCN. The method distributes configuration data for configuring a managed forwarding element (MFE) executing in a second namespace of the DCN to receive data packets sent from the application via an interface pairing between the first and second namespaces. The data packets sent by the application have the provided address as a source address when received by the MFE and are encapsulated by the MFE using the provided address as a source address.

Citations

20 Claims

1. For a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access, a method comprising:
- identifying a virtual machine, that operates on a host machine in the datacenter, to attach to the logical network, the virtual machine having a network interface with a network address provided by a management system of the datacenter, wherein a workload application executes in a first namespace of the virtual machine; and
  
  distributing configuration data for configuring a managed forwarding element executing in a second namespace of the virtual machine (i) to receive data packets sent from the workload application via an interface pairing between the first and second namespaces and (ii) to perform network security and forwarding processing on the data packets, wherein the data packets sent by the workload application have the provided network address as a source address when received by the managed forwarding element and are encapsulated by the managed forwarding element using the same provided network address as a source address for the encapsulation when sent from the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the network address is mapped to a logical port of a logical switch to which the virtual machine is attached, wherein the logical switch is one of a plurality of logical forwarding elements of the logical network.
  - 3. The method of claim 1, wherein the managed forwarding element comprises a first bridge that connects to an internal interface of the second namespace and a second bridge that connects to the network interface of the virtual machine.
  - 4. The method of claim 3, wherein the internal interface of the second namespace is part of a veth pair with an interface of the first namespace, wherein the workload application connects to the interface of the first namespace via a first network stack associated with the network address provided by the management system of the datacenter, wherein the first bridge connects to the second bridge via a second network stack associated with the network address provided by the management system of the datacenter.
  - 5. The method of claim 3, wherein the first bridge is configured to perform network security processing and logical forwarding on data packets sent to and from the workload application, wherein the network security processing comprises application of distributed firewall rules, wherein the logical forwarding comprises applying forwarding rules for at least one logical switch to identify a logical egress port for each data packet.
  - 6. The method of claim 3, wherein the first bridge is configured to receive a data packet from the workload application via the interface pairing, identify a logical egress port for the data packet, encapsulate the data packet using the network address as the source network address for an encapsulation header, and send the encapsulated data packet to a virtual tunnel endpoint (VTEP) of the second bridge,wherein the data packet is sent to the interface pairing via a first network stack in the first namespace, the first network stack associated with the network address, wherein the data packet is sent to the VTEP of the second bridge via a second network stack associated with the network address.
  - 7. The method of claim 3, wherein the first bridge is configured to receive a data packet from the workload application via the interface pairing, identify a logical egress port for the data packet, encapsulate the data packet, and send the encapsulated data packet to a virtual tunnel endpoint (VTEP) of the second bridge, wherein the second bridge is configured to send incoming packets encapsulated with the network address as a destination address to an overlay port of the first bridge via the VTEP.
  - 8. The method of claim 1, wherein the virtual machine further executes a local control agent for directly configuring the managed forwarding element according to the distributed configuration data.
  - 9. The method of claim 1, wherein the workload application is a first workload application and the virtual machine is a first virtual machine, wherein data packets sent by the workload application to a second workload application executing on a second virtual machine in the datacenter are encapsulated and transmitted out of the virtual machine network interface to a forwarding element controlled by the datacenter management system, wherein the forwarding element controlled by the datacenter management system encapsulates the outgoing data packets a second time using a third network address associated with a physical network interface of a host machine on which the virtual machine operates.
  - 10. The method of claim 1, wherein the network controller is a first network controller and the virtual machine is a first virtual machine, wherein identifying the first virtual machine comprises receiving an attachment request from a second network controller operating on a second virtual machine in the datacenter, wherein the attachment request is forwarded by the second network controller after receiving an attachment request from the first virtual machine.

11. A non-transitory machine readable medium storing a program which when executed by at least one processing unit implements a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access, the program comprising sets of instructions for:
- identifying a virtual machine, that operates on a host machine in the datacenter, to attach to the logical network, the virtual machine having a network interface with a network address provided by a management system of the datacenter, wherein a workload application executes in a first namespace of the virtual machine; and
  
  distributing configuration data for configuring a managed forwarding element executing in a second namespace of the virtual machine (i) to receive data packets sent from the workload application via an interface pairing between the first and second namespaces and (ii) to perform network security and forwarding processing on the data packets, wherein the data packets sent by the workload application have the provided network address as a source address when received by the managed forwarding element and are encapsulated by the managed forwarding element using the same provided network address as a source address for the encapsulation when sent from the virtual machine.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory machine readable medium of claim 11, wherein the managed forwarding element comprises a first bridge that connects to an internal interface of the second namespace and a second bridge that connects to the network interface of the virtual machine.
  - 13. The non-transitory machine readable medium of claim 12, wherein the internal interface of the second namespace is part of a veth pair with an interface of the first namespace, wherein the workload application connects to the interface of the first namespace via a first network stack associated with the network address provided by the management system of the datacenter, wherein the first bridge connects to the second bridge via a second network stack associated with the network address provided by the management system of the datacenter.
  - 14. The non-transitory machine readable medium of claim 12, wherein the first bridge is configured to perform network security processing and logical forwarding on data packets sent to and from the workload application, wherein the network security processing comprises application of distributed firewall rules and the logical forwarding comprises applying forwarding rules for at least one logical switch to identify a logical egress port for each data packet.
  - 15. The non-transitory machine readable medium of claim 12, wherein the first bridge is configured to receive a data packet from the workload application via the interface pairing, identify a logical egress port for the data packet, encapsulate the data packet and send the encapsulated data packet to a virtual tunnel endpoint (VTEP) of the second bridge.
  - 16. The non-transitory machine readable medium of claim 15, wherein the data packet is sent to the interface pairing via a first network stack in the first namespace, the first network stack associated with the network address, wherein the data packet is sent to the VTEP of the second bridge via a second network stack associated with the network address, wherein the network address is used as the source network address for an encapsulation header applied by the first bridge.
  - 17. The non-transitory machine readable medium of claim 15, wherein the second bridge is configured to send incoming packets encapsulated with the network address as a destination address to an overlay port of the first bridge via the VTEP, wherein the first bridge is configured to decapsulate the incoming packets received via the overlay port.
  - 18. The non-transitory machine readable medium of claim 11, wherein the workload application is a first workload application and the virtual machine is a first virtual machine, wherein data packets sent by the workload application to a second workload application executing on a second virtual machine in the datacenter are encapsulated and transmitted out of the virtual machine network interface to a forwarding element controlled by the datacenter management system, wherein the forwarding element controlled by the datacenter management system encapsulates the outgoing data packets a second time using a third network address associated with a physical network interface of a host machine on which the virtual machine operates.
  - 19. The non-transitory machine readable medium of claim 11, wherein the network controller is a first network controller and the virtual machine is a first virtual machine, wherein the set of instructions for identifying the first virtual machine comprises a set of instructions for receiving an attachment request from a second network controller operating on a second virtual machine in the datacenter, wherein the attachment request is forwarded by the second network controller after receiving an attachment request from the first virtual machine.
  - 20. The non-transitory machine readable medium of claim 19, wherein the set of instructions for distributing the configuration data comprises a set of instructions for distributing the configuration data to the second network controller, wherein the second network controller distributes the configuration data to the second virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Hira, Mukesh, Shah, Saurabh, Wang, Su
Primary Examiner(s)
Potratz, Daniel B
Assistant Examiner(s)
Tran, Vu V

Application Number

US15/253,834
Publication Number

US 20180063087A1
Time in Patent Office

1,091 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/008   Reliability or availability...

G06F 11/07   Responding to the occurrenc...

G06F 11/0709   in a distributed system con...

G06F 11/0793   Remedial or corrective acti...

G06F 11/1438   Restarting or rejuvenating

G06F 11/1482   by means of middleware or O...

G06F 11/2035   without idle spare hardware

G06F 11/3433   for load management allocat...

G06F 15/177   Initialisation or configura...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5072   Grid computing

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/66   Arrangements for connecting...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2212/00   Encapsulation of packets

H04L 41/044   comprising hierarchical man...

H04L 41/0806 : for initial configuration o...

H04L 41/0895 : Configuration of virtualise...

H04L 41/12 : Discovery or management of ...

H04L 41/20 : Network management software...

H04L 41/40 : using virtualisation of net...

H04L 45/38 : Flow based routing

H04L 45/72 : Routing based on the source...

H04L 45/74 : Address processing for routing

H04L 47/125 : by balancing the load, e.g....

H04L 47/32 : by discarding or delaying d...

H04L 49/15 : Interconnection of switchin...

H04L 49/25 : Routing or path finding in ...

H04L 49/70 : Virtual switches

H04L 61/2514 : between local and global IP...

H04L 61/2521 : Translation architectures o...

H04L 61/2539 : Hiding addresses; Keeping a...

H04L 61/256 : NAT traversal

H04L 61/2592 : using tunnelling or encapsu...

H04L 61/5014 : using dynamic host configur...

H04L 63/0209 : Architectural arrangements,...

H04L 63/0236 : Filtering by address, proto...

H04L 63/0263 : Rule management

H04L 63/0272 : Virtual private networks

H04L 63/029 : Firewall traversal, e.g. tu...

H04L 63/0428 : wherein the data content is...

H04L 63/062 : for key distribution, e.g. ...

H04L 63/20 : for managing network securi...

H04L 67/10 : in which an application is ...

H04L 67/1097 : for distributed storage of ...

H04L 9/0819 : Key transport or distributi...

H04L 9/3213 : using tickets or tokens, e....

View All

Managed forwarding element executing in separate namespace of public cloud data compute node than workload application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Managed forwarding element executing in separate namespace of public cloud data compute node than workload application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links