FACILITATING DISTRIBUTED SNAT SERVICE
    Invention publication

    Publication No.: US20230179564A1

    Publication date: 2023-06-08

    Application No.: US18102697

    Filing date: 2023-01-28

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways, and also significantly reduce the need to redirect packets received at the wrong host by using the capacity of off-the-shelf gateway devices to perform IPv6 encapsulation of IPv4 packets and by assigning to each host executing a dSNAT middlebox service instance a locally unique IPv6 address that is used by the gateway device.

    Facilitating distributed SNAT service

    Publication No.: US11616755B2

    Publication date: 2023-03-28

    Application No.: US16931196

    Filing date: 2020-07-16

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways, and also significantly reduce the need to redirect packets received at the wrong host by using the capacity of off-the-shelf gateway devices to perform IPv6 encapsulation of IPv4 packets and by assigning to each host executing a dSNAT middlebox service instance a locally unique IPv6 address that is used by the gateway device.

    DISTRIBUTED INLINE PROXY
    Invention application

    Publication No.: US20220360643A1

    Publication date: 2022-11-10

    Application No.: US17874127

    Filing date: 2022-07-26

    Applicant: VMware, Inc.

    Abstract: In some embodiments, a method instantiates a proxy that stores first state information for first workloads running on a first computing device. The first computing device receives a migrated workload from a second computing device and second state information for a session associated with the migrated workload. The second state information is generated by a proxy on the second computing device that processed one or more packets for the migrated workload on the second computing device. The method stores the second state information for the proxy on the first computing device and resumes the session associated with the migrated workload using the proxy on the first computing device.

    PROVIDING STATEFUL SERVICES IN A SCALABLE MANNER FOR MACHINES EXECUTING ON HOST COMPUTERS

    Publication No.: US20220188140A1

    Publication date: 2022-06-16

    Application No.: US17122192

    Filing date: 2020-12-15

    Applicant: VMware, Inc.

    Abstract: Some embodiments provide a method for performing services on a host computer that executes several machines in a datacenter. The method configures a first set of one or more service containers for a first machine executing on the host computer, and a second set of one or more service containers for a second machine executing on the host computer. Each configured service container performs a service operation (e.g., a middlebox service operation, such as firewall, load balancing, encryption, etc.) on data messages associated with a particular machine (e.g., on ingress and/or egress data messages to and/or from the particular machine). For each particular machine, the method also configures a module along the particular machine's datapath to identify a subset of service operations to perform on a set of data messages associated with the particular machine, and to direct the set of data messages to a set of service containers configured for the particular machine to perform the identified set of service operations on the set of data messages. In some embodiments, the first and second machines are part of one logical network or one virtual private cloud that is deployed over a common physical network in the datacenter.

    FIREWALL RULES FOR APPLICATION CONNECTIVITY

    Publication No.: US20220103521A1

    Publication date: 2022-03-31

    Application No.: US17103706

    Filing date: 2020-11-24

    Applicant: VMware, Inc.

    Abstract: Some embodiments provide a method for a network management and control system that manages a virtual infrastructure deployed across a set of datacenters. The method receives a definition of an application to be deployed in the virtual infrastructure. The application definition specifies a requirement that the application receive data traffic from sources external to the virtual infrastructure. Based on the application definition, the method defines a first set of firewall rules for the application that indicate conditions for allowing data traffic from sources external to the virtual infrastructure. For an existing second set of higher-level firewall rules for data traffic entering and exiting the virtual infrastructure, the method specifies a new firewall rule that directs a network element implementing the sets of firewall rules to apply the first set of firewall rules to any data traffic that is from sources external to the virtual infrastructure and directed to the application.

    METHOD FOR ADVERTISING AVAILABILITY OF DISTRIBUTED GATEWAY SERVICE AND MACHINES AT HOST COMPUTER

    Publication No.: US20220038309A1

    Publication date: 2022-02-03

    Application No.: US16941467

    Filing date: 2020-07-28

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a novel network architecture for advertising routes in an availability zone (AZ). The novel network architecture includes a set of route servers for receiving advertisements of network addresses as being available in the AZ from different routers in the AZ. The novel network architecture also includes multiple host computers that each execute a router that (i) identifies network addresses available on the host computer, (ii) sends advertisements of the identified network addresses to the set of route servers, and (iii) receives advertisements from the set of route servers regarding network addresses available on other host computers. The identified network addresses, in some embodiments, include at least one of network addresses associated with data compute nodes (DCNs) and network addresses associated with services available at the host computer. The route servers advertise the received network addresses to other routers in the AZ.

    FACILITATING DISTRIBUTED SNAT SERVICE

    Publication No.: US20220021645A1

    Publication date: 2022-01-20

    Application No.: US16931196

    Filing date: 2020-07-16

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways, and also significantly reduce the need to redirect packets received at the wrong host by using the capacity of off-the-shelf gateway devices to perform IPv6 encapsulation of IPv4 packets and by assigning to each host executing a dSNAT middlebox service instance a locally unique IPv6 address that is used by the gateway device.

    STRING PATTERN MATCHING FOR MULTI-STRING PATTERN RULES IN INTRUSION DETECTION

    Publication No.: US20210081461A1

    Publication date: 2021-03-18

    Application No.: US16569015

    Filing date: 2019-09-12

    Applicant: VMware, Inc.

    Abstract: In some embodiments, a method stores a plurality of identifiers for a plurality of rules. Each of the plurality of rules includes a set of patterns, and each rule-and-pattern combination is associated with an identifier in the plurality of identifiers. Information being sent on a network is scanned, and the method determines when a pattern in the information matches a pattern for a rule. The method identifies an identifier for the pattern, where the identifier identifies a rule-and-pattern combination. Then, the method identifies the rule-and-pattern combination based on the identifier. The set of patterns for the rule is determined to be found in the information based on determining that all of the rule-and-pattern combinations for the rule have been found in the information.
