Managed forwarding element executing in public cloud data compute node with different internal and external network addresses

US 10,484,302 B2
Filed: 08/31/2016
Issued: 11/19/2019
Est. Priority Date: 08/27/2016
Status: Active Grant

First Claim

Patent Images

1. A method for a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access, the method comprising:

identifying a data compute node, that operates on a host machine in the datacenter, to attach to the logical network, the data compute node having a network interface with a first network address provided by a management system of the datacenter, wherein the data compute node executes (i) a workload application and (ii) a managed forwarding element, wherein the host machine executes a forwarding element, to which the network controller does not have access, outside of the data compute node; and

distributing configuration data for configuring the managed forwarding element to receive data packets sent from the workload application on the data compute node and perform network security and forwarding processing on the data packets, wherein the data packets sent by the workload application have a second network address as a source address when received by the managed forwarding element and are encapsulated by the managed forwarding element using the first network address provided by the management system of the datacenter before being transmitted from the data compute node to the forwarding element executing on the host machine to which the network controller does not have access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a method for a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access. The method identifies a data compute node (DCN), that operates on a host machine in the datacenter, to attach to the logical network. The DCN has a network interface with a first network address provided by a management system of the datacenter, and executes (i) a workload application and (ii) a managed forwarding element (MFE). The method distributes configuration data for configuring the MFE to receive data packets sent from the workload application on the DCN and perform network security and forwarding processing on the data packets. The data packets sent by the workload application have a second network address as a source address when received by the MFE and are encapsulated by the MFE using the first network address.

118 Citations

21 Claims

1. A method for a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access, the method comprising:
- identifying a data compute node, that operates on a host machine in the datacenter, to attach to the logical network, the data compute node having a network interface with a first network address provided by a management system of the datacenter, wherein the data compute node executes (i) a workload application and (ii) a managed forwarding element, wherein the host machine executes a forwarding element, to which the network controller does not have access, outside of the data compute node; and
  
  distributing configuration data for configuring the managed forwarding element to receive data packets sent from the workload application on the data compute node and perform network security and forwarding processing on the data packets, wherein the data packets sent by the workload application have a second network address as a source address when received by the managed forwarding element and are encapsulated by the managed forwarding element using the first network address provided by the management system of the datacenter before being transmitted from the data compute node to the forwarding element executing on the host machine to which the network controller does not have access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the second network address is mapped to a logical port of a logical switch to which the data compute node is logically attached, wherein the logical switch is one of a plurality of logical forwarding elements of the logical network.
  - 3. The method of claim 1, wherein the managed forwarding element is a flow-based software forwarding element.
  - 4. The method of claim 1, wherein the managed forwarding element comprises a first bridge that connects via an internal port to the workload application and a second bridge that connects to the network interface of the data compute node, wherein the first bridge is configured to perform network security processing and logical forwarding on data packets sent to and from the workload application.
  - 5. The method of claim 4, wherein the logical forwarding comprises:
    - applying forwarding rules for at least one logical switch to identify a logical egress port for each data packet; and
      
      applying forwarding rules for a logical router.
  - 6. The method of claim 1, wherein the managed forwarding element comprises a first bridge that connects via an internal port to the workload application and a second bridge that connects to the network interface of the data compute node, wherein the first bridge is configured to receive a data packet from the workload application, identify a logical egress port for the data packet, encapsulate the data packet and send the encapsulated data packet to a virtual tunnel endpoint (VTEP) of the second bridge.
  - 7. The method of claim 6, wherein the data packet is received from the workload application via a first network stack associated with the second network address, wherein the first network address is used as the source network address for an encapsulation header applied by the first bridge, wherein the encapsulated data packet is sent to the VTEP of the second bridge via a second network stack associated with the first network address.
  - 8. The method of claim 6, wherein the second bridge is configured to send incoming packets encapsulated with the first network address as a destination address to an overlay port of the first bridge via the VTEP, wherein the first bridge is configured to decapsulate the incoming packets received via the overlay port.
  - 9. The method of claim 8, wherein the incoming packets encapsulated with the first network address as a destination address are received by the data compute node from the forwarding element executing on the host machine to which the network controller does not have access.
  - 10. The method of claim 1, wherein the workload application is a first workload application and the data compute node is a first data compute node, wherein data packets sent by the workload application to a second workload application executing on a second data compute node in the datacenter are encapsulated and transmitted out of the data compute node network interface to the forwarding element executing on the host machine to which the network controller does not have access, wherein the forwarding element executing on the host machine to which the network controller does not have access is controlled by the datacenter management system, wherein the forwarding element controlled by the datacenter management system encapsulates the outgoing data packets a second time using a third network address associated with a physical network interface of a host machine on which the data compute node operates.
  - 11. The method of claim 1, wherein the network controller is a first network controller and the data compute node is a first data compute node, wherein identifying the first data compute node comprises receiving an attachment request from a second network controller operating on a second data compute node in the datacenter.
  - 12. The method of claim 11, wherein the attachment request is forwarded by the second network controller after receiving an attachment request from the first data compute node.
  - 13. The method of claim 11, wherein distributing the configuration data comprises distributing the configuration data to the second network controller, wherein the second network controller distributes the configuration data to the second data compute node.

14. A non-transitory machine readable medium storing a program which when executed by at least one processing unit implements a network controller that manages a logical network implemented in a datacenter comprising forwarding elements to which the network controller does not have access, the program comprising sets of instructions for:
- identifying a data compute node, that operates on a host machine in the datacenter, to attach to the logical network, the data compute node having a network interface with a first network address provided by a management system of the datacenter, wherein the data compute node executes (i) a workload application and (ii) a managed forwarding element, wherein the host machine executes a forwarding element, to which the network controller does not have access, outside of the data compute node; and
  
  distributing configuration data for configuring the managed forwarding element to receive data packets sent from the workload application on the data compute node and perform network security and forwarding processing on the data packets, wherein the data packets sent by the workload application have a second network address as a source address when received by the managed forwarding element and are encapsulated by the managed forwarding element using the first network address provided by the management system of the datacenter before being transmitted from the data compute node to the forwarding element executing on the host machine to which the network controller does not have access.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The non-transitory machine readable medium of claim 14, wherein the managed forwarding element comprises a first bridge that connects via an internal port to the workload application and a second bridge that connects to the network interface of the data compute node.
  - 16. The non-transitory machine readable medium of claim 15, wherein the first bridge is configured to perform network security processing and logical forwarding on data packets sent to and from the workload application, wherein the network security processing comprises application of distributed firewall rules and the logical forwarding comprises applying forwarding rules for at least one logical switch to identify a logical egress port for each data packet.
  - 17. The non-transitory machine readable medium of claim 15, wherein the first bridge is configured to receive a data packet from the workload application, identify a logical egress port for the data packet, encapsulate the data packet and send the encapsulated data packet to a virtual tunnel endpoint (VTEP) of the second bridge.
  - 18. The non-transitory machine readable medium of claim 17, wherein the data packet is received from the workload application via a first network stack associated with the second network address, wherein the encapsulated data packet is sent to the VTEP of the second bridge via a second network stack associated with the first network address, wherein the first network address is used as the source network address for an encapsulation header applied by the first bridge.
  - 19. The non-transitory machine readable medium of claim 17, wherein the second bridge is configured to send incoming packets encapsulated with the first network address as a destination address to an overlay port of the first bridge via the VTEP, wherein the first bridge is configured to decapsulate the incoming packets received via the overlay port.
  - 20. The non-transitory machine readable medium of claim 14, wherein the workload application is a first workload application and the data compute node is a first data compute node, wherein data packets sent by the workload application to a second workload application executing on a second data compute node in the datacenter are encapsulated and transmitted out of the data compute node network interface to the forwarding element executing on the host machine to which the network controller does not have access, wherein the forwarding element executing on the host machine to which the network controller does not have access is controlled by the datacenter management system, wherein the forwarding element controlled by the datacenter management system encapsulates the outgoing data packets a second time using a third network address associated with a physical network interface of a host machine on which the data compute node operates.
  - 21. The non-transitory machine readable medium of claim 14, wherein the network controller is a first network controller and the data compute node is a first data compute node, wherein the set of instructions for identifying the first data compute node comprises a set of instructions for receiving an attachment request from a second network controller operating on a second data compute node in the datacenter, wherein the attachment request is forwarded by the second network controller after receiving an attachment request from the first data compute node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Hira, Mukesh, Shah, Saurabh, Wang, Su, Yu, Jia
Primary Examiner(s)
Shah, Saumit

Application Number

US15/253,833
Publication Number

US 20180062933A1
Time in Patent Office

1,175 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/008   Reliability or availability...

G06F 11/07   Responding to the occurrenc...

G06F 11/0709   in a distributed system con...

G06F 11/0793   Remedial or corrective acti...

G06F 11/1438   Restarting or rejuvenating

G06F 11/1482   by means of middleware or O...

G06F 11/2035   without idle spare hardware

G06F 11/3433   for load management allocat...

G06F 15/177   Initialisation or configura...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5072   Grid computing

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/66   Arrangements for connecting...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2212/00   Encapsulation of packets

H04L 41/044   comprising hierarchical man...

H04L 41/0806 : for initial configuration o...

H04L 41/0895 : Configuration of virtualise...

H04L 41/12 : Discovery or management of ...

H04L 41/20 : Network management software...

H04L 41/40 : using virtualisation of net...

H04L 45/38 : Flow based routing

H04L 45/72 : Routing based on the source...

H04L 45/74 : Address processing for routing

H04L 47/125 : by balancing the load, e.g....

H04L 47/32 : by discarding or delaying d...

H04L 49/15 : Interconnection of switchin...

H04L 49/25 : Routing or path finding in ...

H04L 49/70 : Virtual switches

H04L 61/2514 : between local and global IP...

H04L 61/2521 : Translation architectures o...

H04L 61/2539 : Hiding addresses; Keeping a...

H04L 61/256 : NAT traversal

H04L 61/2592 : using tunnelling or encapsu...

H04L 61/5014 : using dynamic host configur...

H04L 63/0209 : Architectural arrangements,...

H04L 63/0236 : Filtering by address, proto...

H04L 63/0263 : Rule management

H04L 63/0272 : Virtual private networks

H04L 63/029 : Firewall traversal, e.g. tu...

H04L 63/0428 : wherein the data content is...

H04L 63/062 : for key distribution, e.g. ...

H04L 63/20 : for managing network securi...

H04L 67/10 : in which an application is ...

H04L 67/1097 : for distributed storage of ...

H04L 9/0819 : Key transport or distributi...

H04L 9/3213 : using tickets or tokens, e....

View All

Managed forwarding element executing in public cloud data compute node with different internal and external network addresses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Managed forwarding element executing in public cloud data compute node with different internal and external network addresses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others