-
Publication No.: US20250071021A1
Publication Date: 2025-02-27
Application No.: US18378759
Application Date: 2023-10-11
Applicant: VMware, LLC
Inventor: Minjal Agarwal, Abhishek Goliya, Yong Wang
IPC: H04L41/0894, H04L41/0816, H04L41/0895
Abstract: Some embodiments provide a novel method for configuring components of a software-defined network (SDN) to automatically deploy and monitor a logical edge router for a user. The method configures a policy parser to parse an intent-based Application Programming Interface (API) request to identify a set of attributes for the logical edge router. The method also configures a set of multi-cloud edge orchestrators (1) to use the set of attributes to derive an edge deployment plan specifying a set of two or more edge instances to implement the logical edge router, and (2) to deploy the set of edge instances in a set of two or more clouds based on the edge deployment plan.
-
Publication No.: US20250071019A1
Publication Date: 2025-02-27
Application No.: US18378754
Application Date: 2023-10-11
Applicant: VMware LLC
Inventor: Minjal Agarwal, Abhishek Goliya, Yong Wang
IPC: H04L41/0816, H04L41/0893, H04L43/16
Abstract: Some embodiments provide a novel method for automatically deploying and monitoring logical forwarding elements (LFEs) for network administrators. To represent an LFE that a network administrator wants to implement, the method defines an edge object based on a first set of attributes provided by the network administrator for the LFE. The method analyzes a second set of attributes of the edge object to derive an edge deployment plan that specifies a set of two or more edge instances that implements the LFE in a set of one or more clouds. The method deploys the set of edge instances in the set of clouds. The method collects metrics associated with each edge instance in the set of two or more edge instances. The method analyzes the collected metrics to modify the edge deployment plan and revise the set of edge instances based on the modified edge deployment plan.
-
Publication No.: US12231407B2
Publication Date: 2025-02-18
Application No.: US17564274
Application Date: 2021-12-29
Applicant: VMware LLC
Inventor: Deepika Solanki, Yong Wang, Sarthak Ray
IPC: H04L9/40
Abstract: The disclosure provides an approach for logical switch level load balancing of Layer 2 virtual private network (L2VPN) traffic. A method of securing communications with a peer gateway generally includes establishing, at a virtual tunnel interface of a local gateway, a plurality of security tunnels with the peer gateway. Each of the plurality of security tunnels is associated with a different set of one or more layer 2 segments and with one or more security associations (SAs) with the peer gateway. The method generally includes receiving a packet, at the local gateway, via a first L2 segment. The method generally includes selecting one of the plurality of security tunnels and an SA associated with the selected security tunnel based on the L2 segment via which the packet was received. The method generally includes encrypting and encapsulating the packet based on the selected security tunnel and SA.
-
Publication No.: US20250039088A1
Publication Date: 2025-01-30
Application No.: US18225559
Application Date: 2023-07-24
Applicant: VMware LLC
Inventor: Yu Ying, Yong Wang, Pankaj Gupta, Sreeram Kumar Ravinoothala
IPC: H04L45/76, H04L45/586, H04L47/125
Abstract: Some embodiments provide a method for implementing a logical router of a logical network at a first Pod executing on a first node of a Kubernetes cluster to implement data message forwarding for the logical router. The method receives a data message for processing by the logical router. The method determines that the data message requires layer 7 (L7) service processing at the logical router. The method selects a second Pod from multiple Pods that perform L7 service for the logical router. Each of the Pods executes on a different node of the cluster. The method forwards the data message to the second Pod via a layer 2 (L2) construct that connects the first and second Pods.
-
Publication No.: US12126598B2
Publication Date: 2024-10-22
Application No.: US17715993
Application Date: 2022-04-08
Applicant: VMware LLC
Inventor: Yong Wang, Awan Kumar Sharma, Abhishek Goliya, Xinhua Hong, Bhargav Puvvada
IPC: H04L12/66, H04L9/40, H04L61/2592
CPC classification number: H04L63/0272, H04L12/66, H04L61/2592, H04L63/0485
Abstract: Described herein are systems, methods, and software to manage secure tunnel communications in multi-edge gateway computing environments. In one implementation, a control system identifies an edge gateway from a plurality of edge gateways to support a private network tunnel. The control system further identifies addressing attributes associated with communications directed over the private network tunnel and configures the plurality of edge gateways to forward packets associated with the addressing attributes to the identified edge gateway, wherein the edge gateway can process and forward the packets over the private network tunnel.
-
Publication No.: US12107834B2
Publication Date: 2024-10-01
Application No.: US17570363
Application Date: 2022-01-06
Applicant: VMware LLC
Inventor: Yong Wang, Awan Kumar Sharma, Sourabh Bhattacharya, Deepika Solanki, Sarthak Ray
CPC classification number: H04L63/029, H04L45/123, H04L45/24, H04L45/42, H04L47/125, H04L63/0435, H04L63/20
Abstract: Some embodiments provide a method that collects metrics for one or more paths of a first tunnel implementing a first security association (SA) and for one or more paths of a second tunnel implementing a second SA. The method selects a path based on the collected metrics of the paths of the first and second tunnels. When the selected path belongs to the first tunnel, the method encrypts data transmitted as encrypted payload of the first SA and transmits the encrypted payload in the first tunnel. When the selected path belongs to the second tunnel, the method encrypts data to be transmitted as encrypted payload of the second SA and transmits the encrypted payload in the second tunnel.
-
Publication No.: US12095736B2
Publication Date: 2024-09-17
Application No.: US17213321
Application Date: 2021-03-26
Applicant: VMware LLC
Inventor: Awan Kumar Sharma, Yong Wang, Sourabh Bhattacharya, Bhargav Puvvada, Sarthak Ray, Mayur Katke
IPC: H04L9/40, H04L45/00, H04L45/586
CPC classification number: H04L63/0272, H04L45/38, H04L45/586, H04L63/029, H04L63/0485
Abstract: A method for IPSec communication between a source machine and a destination machine is provided. The method includes receiving, at the destination machine, first and second packets from the source machine through first and second VPN tunnels established between a first VTI of the source machine and a second VTI of the destination machine; determining the first packet corresponds to a first SA and the second packet corresponds to a second SA; processing, by a first processing core, the first packet based on the first SA, and processing, by a second processing core, the second packet based on the second SA; and updating, at the second VTI, states of one or more flows based on the first and second packets, the second VTI providing one or more stateful services for the one or more packet flows based on the one or more states.
-
Publication No.: US11962493B2
Publication Date: 2024-04-16
Application No.: US17845716
Application Date: 2022-06-21
Applicant: VMware LLC
Inventor: Yong Wang, Jayant Jain, Ganesh Sadasivan, Abhishek Goliya
IPC: H04L45/00, H04L61/256, H04L61/2596
CPC classification number: H04L45/38, H04L61/256, H04L61/2596
Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.
-
Publication No.: US20250097102A1
Publication Date: 2025-03-20
Application No.: US18962856
Application Date: 2024-11-27
Applicant: VMware LLC
Inventor: Yong Wang, Cheng-Chun Tu, Sreeram Kumar Ravinoothala, Yu Ying
IPC: H04L41/0816
Abstract: Some embodiments of the invention provide a method for implementing an edge device that handles data traffic between a logical network and an external network. The method monitors resource usage of a node pool that includes multiple nodes that each executes a respective set of pods. Each of the pods is for performing a respective set of data message processing operations for at least one of multiple logical routers. The method determines that a particular node in the node pool has insufficient resources for the particular node's respective set of pods to adequately perform their respective sets of data message processing operations. Based on the determination, the method automatically provides additional resources to the node pool by instantiating at least one additional node in the node pool.
-
Publication No.: US11962564B2
Publication Date: 2024-04-16
Application No.: US17672190
Application Date: 2022-02-15
Applicant: VMware LLC
Inventor: Yong Wang, Xinhua Hong, Kai-Wei Fan
IPC: H04L61/256, G06F9/455, H04L45/24, H04L61/103, H04L61/2517, H04L101/622
CPC classification number: H04L61/256, G06F9/45558, H04L45/24, H04L61/103, H04L61/2517, G06F2009/45595, H04L2101/622
Abstract: Some embodiments provide a method for forwarding data messages at multiple edge nodes of a logical network that process data messages between a logical network and an external network. At a particular one of the edge nodes, the method receives a data message sent from a source machine in the logical network. The method performs network address translation to translate a source network address of the data message corresponding to the source machine into an anycast network address that is shared among the edge nodes. The method sends the data message with the anycast network address as a source network address to the external network. Each edge node receives data messages from source machines in the logical network and translates the source addresses of the data messages into the same anycast public network address prior to sending the data messages to the external network.