Tunnel-based service insertion in public cloud environments

    Publication No.: US12170616B2

    Publication date: 2024-12-17

    Application No.: US18103366

    Filing date: 2023-01-30

    Applicant: VMware LLC

    Abstract: Example methods and systems are provided for a network device to perform tunnel-based service insertion in a public cloud environment. An example method may comprise establishing a tunnel between the network device and a service path. The method may also comprise: in response to receiving a first encapsulated packet, identifying the service path specified by a service insertion rule; generating and sending a second encapsulated packet over the tunnel to cause the service path to process an inner packet according to one or more services. The method may further comprise: in response to receiving, from the service path via the tunnel, a third encapsulated packet that includes the inner packet processed by the service path, sending the inner packet processed by the service path, or a fourth encapsulated packet, towards a destination address of the inner packet.
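    The four-packet exchange in the abstract (first encapsulated packet in, second out over the tunnel, third back from the service path, inner packet forwarded) as a small simulation. This is an added example, not VMware's code; the rule format (a destination-prefix match), the `context` field carried in the tunnel header and the telnet-dropping firewall service are assumptions made for illustration. The last call in the demo is the case a practitioner should check: traffic that matches no service insertion rule never reaches the service path.

```python
"""Simulation of tunnel-based service insertion (added example, not VMware code)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    """Inner (workload) packet: source/destination IPs and TCP destination port."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Encap:
    """Encapsulated packet: outer tunnel endpoints plus the inner packet.
    `context` is an assumed tunnel-metadata field carrying the matched rule id
    so the service path and the return leg can be correlated."""
    outer_src: str
    outer_dst: str
    inner: Packet
    context: int = 0


@dataclass(frozen=True)
class Rule:
    rule_id: int
    dst_prefix: str      # assumed simple string-prefix match, e.g. "10.1.2."
    service_path: str    # tunnel endpoint address of the service path


class ServicePath:
    """Service path reachable over a tunnel; applies an ordered list of services.
    Each service maps Packet -> Packet, or None to drop the packet."""
    def __init__(self, addr: str, services: list[Callable[[Packet], Optional[Packet]]]):
        self.addr = addr
        self.services = services

    def process(self, encap: Encap) -> Optional[Encap]:
        pkt: Optional[Packet] = encap.inner
        for svc in self.services:
            if pkt is None:
                break
            pkt = svc(pkt)
        if pkt is None:
            return None
        # Third encapsulated packet: same context, tunnel endpoints swapped.
        return Encap(encap.outer_dst, encap.outer_src, pkt, encap.context)


class NetworkDevice:
    def __init__(self, addr: str, rules: list[Rule], paths: dict[str, ServicePath]):
        self.addr = addr
        self.rules = rules
        self.paths = paths
        self.log: list[str] = []

    def match_rule(self, pkt: Packet) -> Optional[Rule]:
        return next((r for r in self.rules if pkt.dst.startswith(r.dst_prefix)), None)

    def handle(self, first: Encap) -> Optional[Packet]:
        """Return the packet finally sent towards the inner destination,
        or None if the service path dropped it."""
        rule = self.match_rule(first.inner)
        if rule is None:
            self.log.append(f"no rule: forward {first.inner.dst} without service insertion")
            return first.inner
        path = self.paths[rule.service_path]
        # Second encapsulated packet: re-encapsulated towards the service path.
        second = Encap(self.addr, path.addr, first.inner, context=rule.rule_id)
        third = path.process(second)
        if third is None:
            self.log.append(f"rule {rule.rule_id}: service path dropped packet")
            return None
        self.log.append(f"rule {rule.rule_id}: forward processed packet to {third.inner.dst}")
        return third.inner   # decapsulated and sent towards the inner destination


def deny_telnet(pkt: Packet) -> Optional[Packet]:
    """Assumed firewall service: drop TCP/23, pass everything else."""
    return None if pkt.dport == 23 else pkt


def build_device() -> NetworkDevice:
    """Constructed topology: one rule steering 10.1.2.0/24 through a firewall path."""
    fw_path = ServicePath("198.51.100.10", [deny_telnet])
    rules = [Rule(1, "10.1.2.", "198.51.100.10")]
    return NetworkDevice("198.51.100.1", rules, {"198.51.100.10": fw_path})


if __name__ == "__main__":
    dev = build_device()
    dev.handle(Encap("203.0.113.5", dev.addr, Packet("10.0.0.7", "10.1.2.9", 443)))
    dev.handle(Encap("203.0.113.5", dev.addr, Packet("10.0.0.7", "10.1.2.9", 23)))
    dev.handle(Encap("203.0.113.5", dev.addr, Packet("10.0.0.7", "10.9.9.9", 23)))
    print("\n".join(dev.log))
```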

    Network address translation in active-active edge cluster

    Publication No.: US11962493B2

    Publication date: 2024-04-16

    Application No.: US17845716

    Filing date: 2022-06-21

    Applicant: VMware LLC

    CPC classification number: H04L45/38 H04L61/256 H04L61/2596

    Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.
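    The ordering the abstract describes (route first, then let the stored NAT entry override the chosen output interface) as a minimal forwarding pipeline. This is an added example, not VMware's code; the interface names, addresses and the shape of the route and NAT tables are assumptions for illustration. The point it makes concrete: the default route sends unknown external traffic to the peer edge, but a flow whose SNAT state lives on this gateway must leave this gateway's own uplink, otherwise the reply to the public NAT address lands where no state exists.

```python
"""One edge gateway of an active-active cluster (added example, not VMware code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Msg:
    src: str
    dst: str
    out_if: Optional[str] = None   # filled in by the pipeline


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    out_if: str


@dataclass(frozen=True)
class NatEntry:
    """Stored SNAT entry: flow (src, dst) -> public address owned by this
    gateway, plus the interface the translated message must leave on."""
    src: str
    dst: str
    public_addr: str
    out_if: str


class EdgeGateway:
    def __init__(self, routes: list[Route], nat: dict[tuple[str, str], NatEntry]):
        # Longest prefix first, so the default route is tried last.
        self.routes = sorted(routes, key=lambda r: ip_network(r.prefix).prefixlen, reverse=True)
        self.nat = nat

    def route(self, m: Msg) -> Msg:
        dst = ip_address(m.dst)
        for r in self.routes:
            if dst in ip_network(r.prefix):
                return replace(m, out_if=r.out_if)
        raise ValueError("no route")

    def apply_nat(self, m: Msg) -> Msg:
        e = self.nat.get((m.src, m.dst))
        if e is None:
            return m
        # (i) rewrite the source to this gateway's public NAT address and
        # (ii) override the output interface that routing selected.
        return replace(m, src=e.public_addr, out_if=e.out_if)

    def forward(self, m: Msg) -> Msg:
        """Routing first, NAT after, in that order."""
        return self.apply_nat(self.route(m))


def build_gateway() -> EdgeGateway:
    """Constructed tables: default route points at the peer edge over the
    inter-edge link; one stored SNAT entry is bound to this gateway's uplink."""
    routes = [
        Route("10.0.0.0/8", "10.0.0.1", "downlink0"),
        Route("0.0.0.0/0", "192.168.100.2", "inter-edge0"),
    ]
    nat = {
        ("10.1.1.5", "198.51.100.7"): NatEntry("10.1.1.5", "198.51.100.7", "203.0.113.10", "uplink0"),
    }
    return EdgeGateway(routes, nat)


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.forward(Msg("10.1.1.5", "198.51.100.7")))   # stored entry: leaves uplink0 as 203.0.113.10
    print(gw.forward(Msg("10.1.1.6", "198.51.100.7")))   # no entry: follows default route to peer edge
```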

    String pattern matching for multi-string pattern rules in intrusion detection

    Publication No.: US11954005B2

    Publication date: 2024-04-09

    Application No.: US18196367

    Filing date: 2023-05-11

    Applicant: VMware LLC

    CPC classification number: G06F11/3072 G06F40/205 G06V10/955

    Abstract: In some embodiments, a method stores a plurality of identifiers for a plurality of rules. The plurality of rules each include a set of patterns, and a rule and a pattern combination is associated with an identifier in the plurality of identifiers. Information being sent on a network is scanned and the method determines when a pattern in the information matches a pattern for a rule. The method identifies an identifier for the pattern where the identifier identifies a rule and a pattern combination. Then, the method identifies the rule and the pattern combination based on the identifier. The set of patterns for the rule is found in the information based on determining that the rule and the pattern combinations for the rule have been found in the information.
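    The identifier scheme from the abstract, worked through on a constructed rule set: every (rule, pattern) combination gets one identifier, distinct pattern strings are indexed once even when several rules share them, and a rule fires only when all of its combinations have been reported. This is an added example, not VMware's code; the rules, the HTTP samples and the optional ordering check are assumptions, and the naive `bytes.find` scan stands in for the Aho-Corasick style engine a real IDS would use. The `ordered` flag (first occurrences must appear in rule order) is the caveat worth noting: presence-only matching fires on the reordered sample too.

```python
"""Multi-string pattern rules via (rule, pattern) identifiers (added example, not VMware code)."""
from collections import defaultdict

# Constructed rule set: rule name -> ordered list of content patterns.
# "GET /" and "../" are deliberately shared by two rules.
RULES: dict[str, list[bytes]] = {
    "traversal-passwd": [b"GET /", b"../", b"/etc/passwd"],
    "traversal-shadow": [b"GET /", b"../", b"/etc/shadow"],
    "sqli-login":       [b"POST /login", b"' OR "],
}


def build_index(rules: dict[str, list[bytes]]):
    """Assign one identifier per (rule, pattern) combination and index the
    distinct pattern strings, so a shared pattern is stored only once."""
    ident_to_combo: dict[int, tuple[str, int]] = {}
    pattern_to_idents: dict[bytes, set[int]] = defaultdict(set)
    for rule, patterns in rules.items():
        for idx, pat in enumerate(patterns):
            ident = len(ident_to_combo)
            ident_to_combo[ident] = (rule, idx)
            pattern_to_idents[pat].add(ident)
    return ident_to_combo, pattern_to_idents


def scan(data: bytes, rules: dict[str, list[bytes]] = RULES, ordered: bool = True) -> list[str]:
    """Return the rules whose complete pattern set was found in `data`.
    With ordered=True the first occurrences must also appear in rule order,
    a simplification of the relative content modifiers Snort-style rules use."""
    ident_to_combo, pattern_to_idents = build_index(rules)
    hits: dict[str, dict[int, int]] = defaultdict(dict)   # rule -> {pattern idx: offset}
    for pat, idents in pattern_to_idents.items():          # one lookup per distinct pattern
        off = data.find(pat)
        if off < 0:
            continue
        for ident in idents:
            rule, idx = ident_to_combo[ident]               # identifier -> (rule, pattern) combination
            hits[rule][idx] = off
    matched = []
    for rule, patterns in rules.items():
        found = hits.get(rule, {})
        if len(found) != len(patterns):
            continue
        offsets = [found[i] for i in range(len(patterns))]
        if ordered and offsets != sorted(offsets):
            continue
        matched.append(rule)
    return matched


# Constructed sample traffic.
SAMPLE_ATTACK = b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: app\r\n\r\n"
SAMPLE_BENIGN = b"GET /static/app.js HTTP/1.1\r\nHost: app\r\n\r\n"
SAMPLE_REORDERED = b"POST /x HTTP/1.1\r\nX: /etc/passwd ../ GET /\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN), ("reordered", SAMPLE_REORDERED)]:
        print(name, "ordered:", scan(sample), "presence-only:", scan(sample, ordered=False))
```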

    Provisioning network services in a software defined data center

    Publication No.: US12301475B2

    Publication date: 2025-05-13

    Application No.: US18372627

    Filing date: 2023-09-25

    Applicant: VMware LLC

    Abstract: A novel method for dynamic network service allocation that maps generic services into specific configurations of service resources in a network is provided. An application that is assigned to be performed by computing resources in the network is associated with a set of generic services, and the method maps the set of generic services to the service resources based on the assignment of the application to the computing resources. The mapping of generic services is further based on a level of service that is chosen for the application, where the set of generic services are mapped to different sets of network resources according to different levels of services.

    NETWORK ADDRESS TRANSLATION IN ACTIVE-ACTIVE EDGE CLUSTER

    Publication No.: US20240250903A1

    Publication date: 2024-07-25

    Application No.: US18605095

    Filing date: 2024-03-14

    Applicant: VMware LLC

    CPC classification number: H04L45/38 H04L61/256 H04L61/2596

    Abstract: Some embodiments provide a method for forwarding data messages at multiple edge gateways of a logical network that process data messages between the logical network and an external network. At a first edge gateway, the method receives a data message, having an external address as a destination address, from the logical network. Based on the destination address, the method applies a default route to the data message that routes the data message to a second edge gateway and specifies a first output interface of the first edge gateway for the data message. After routing the data message, the method applies a stored NAT entry that (i) modifies a source address of the data message to be a public NAT address associated with the first edge gateway and (ii) redirects the modified data message to a second output interface of the first edge gateway instead of the first output interface.

    Facilitating distributed SNAT service

    Publication No.: US12250194B2

    Publication date: 2025-03-11

    Application No.: US18102697

    Filing date: 2023-01-28

    Applicant: VMware LLC

    Abstract: Some embodiments of the invention provide novel methods for facilitating a distributed SNAT (dSNAT) middlebox service operation for a first network at a host computer in the first network on which the dSNAT middlebox service operation is performed and a gateway device between the first network and a second network. The novel methods enable dSNAT that provides stateful SNAT at multiple host computers, thus avoiding the bottleneck problem associated with providing stateful SNAT at gateways, and also significantly reduce the need to redirect packets received at the wrong host by using a capacity of off-the-shelf gateway devices to perform IPv6 encapsulation for IPv4 packets and assigning locally unique IPv6 addresses to each host executing a dSNAT middlebox service instance that are used by the gateway device.
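    The return-traffic leg of the scheme above, built on the wire: the gateway holds no SNAT state, only a map from a slice of the shared public address's port space to the IPv6 address of the host that owns it, and encapsulates the IPv4 reply in IPv6 (next header 4, IPv4-in-IPv6) towards that host, which decapsulates and reverses its own translation. This is an added example, not VMware's code; the abstract does not say how the gateway decides which host owns a reply, so the per-host port-range partition, the host addresses and the use of protocol 4 encapsulation are all assumptions. The host-side check (version, next header, destination address) is what keeps a stray packet from being reverse-translated against the wrong state table.

```python
"""dSNAT return path with IPv4-in-IPv6 encapsulation (added example, not VMware code)."""
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_IPV4 = 4    # IPv6 next header value for an IPv4 packet carried directly inside


def ipv4_checksum(hdr: bytes) -> int:
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data    # UDP checksum 0 = absent
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                      IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_ipv4_udp(pkt: bytes) -> tuple[str, str, int, int]:
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport


def build_ipv6(src6: str, dst6: str, next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       socket.inet_pton(socket.AF_INET6, src6),
                       socket.inet_pton(socket.AF_INET6, dst6)) + payload


class Gateway:
    """Off-the-shelf gateway: no SNAT state, only a port-range -> host map (assumed)."""
    def __init__(self, addr6: str, public_ip: str, port_owner: list[tuple[range, str]]):
        self.addr6, self.public_ip, self.port_owner = addr6, public_ip, port_owner

    def handle_reply(self, pkt: bytes) -> bytes:
        _, dst, _, dport = parse_ipv4_udp(pkt)
        if dst != self.public_ip:
            raise ValueError("not addressed to the shared SNAT address")
        host6 = next(h for r, h in self.port_owner if dport in r)   # owner of that SNAT port
        return build_ipv6(self.addr6, host6, IPPROTO_IPV4, pkt)


class DsnatHost:
    """Host running a dSNAT instance; holds the stateful mapping locally."""
    def __init__(self, addr6: str):
        self.packed6 = socket.inet_pton(socket.AF_INET6, addr6)
        self.snat: dict[int, tuple[str, int]] = {}   # public port -> (internal ip, internal port)

    def handle_encapsulated(self, pkt6: bytes) -> bytes:
        version, next_header = pkt6[0] >> 4, pkt6[6]
        plen = struct.unpack("!H", pkt6[4:6])[0]
        if version != 6 or next_header != IPPROTO_IPV4 or pkt6[24:40] != self.packed6:
            raise ValueError("not an IPv4-in-IPv6 packet for this host")
        inner = pkt6[40:40 + plen]
        src, _, sport, dport = parse_ipv4_udp(inner)
        int_ip, int_port = self.snat[dport]               # reverse translation
        data = inner[(inner[0] & 0x0F) * 4 + 8:]
        return build_ipv4_udp(src, int_ip, sport, int_port, data)


def demo() -> tuple[str, str, int, int]:
    """Constructed scenario: host B translated 10.0.0.9:5353 to 203.0.113.10:20042
    on the way out; the DNS reply must come back to host B, not host A."""
    host_b = DsnatHost("fd00::b")
    host_b.snat[20042] = ("10.0.0.9", 5353)
    gw = Gateway("fd00::1", "203.0.113.10",
                 [(range(10000, 20000), "fd00::a"), (range(20000, 30000), "fd00::b")])
    reply = build_ipv4_udp("198.51.100.7", "203.0.113.10", 53, 20042, b"\x12\x34answer")
    pkt6 = gw.handle_reply(reply)
    return parse_ipv4_udp(host_b.handle_encapsulated(pkt6))


if __name__ == "__main__":
    print(demo())
```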

    Service insertion at logical network gateway

    Publication No.: US12177067B2

    Publication date: 2024-12-24

    Application No.: US18102684

    Filing date: 2023-01-28

    Applicant: VMware LLC

    Abstract: Some embodiments provide a method for configuring a gateway machine in a datacenter. The method receives a definition of a logical network for implementation in the datacenter. The logical network includes at least one logical switch to which logical network endpoints attach and a logical router for handling data traffic between the logical network endpoints in the datacenter and an external network. The method receives configuration data attaching a third-party service to at least one interface of the logical router via an additional logical switch designated for service attachments. The third-party service is for performing non-forwarding processing on the data traffic between the logical network endpoints and the external network. The method configures the gateway machine in the datacenter to implement the logical router and redirect at least a subset of the data traffic between the logical network endpoints and the external network to the attached third-party service.

    Port mapping for bonded interfaces of ECMP group

    Publication No.: US11909558B2

    Publication date: 2024-02-20

    Application No.: US17880899

    Filing date: 2022-08-04

    Applicant: VMware LLC

    CPC classification number: H04L12/66 H04L45/24 H04L49/25 H04L63/0254

    Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). A set of interfaces on each side of the network edge device for a set of equal cost paths, in some embodiments, are bonded together in the network edge device to correspond to a single interface on either side of a logical bridge including at least one logical switch providing a stateful service implemented by the network edge device. The bond is implemented, in some embodiments, by a bonding module executing on the network edge device that maintains a mapping between ingress and egress interfaces to allow deterministic forwarding through the network edge device in the presence of bonded interfaces.

    Network management services in a virtual network

    Publication No.: US12267364B2

    Publication date: 2025-04-01

    Application No.: US17384738

    Filing date: 2021-07-24

    Applicant: VMware LLC

    Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies. A managed service node receiving a packet uses provider service routers (T0-SR) and tenant service routers (T1-SRs) based on the VNI to apply the prescribed services for the tenant, and the resulting traffic is returned to the cloud gateway that originated the traffic.
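    The VNI-to-tenant step of the abstract in code: the managed service node decapsulates the tunnel header, looks the VNI up to find the provider and tenant service routers, applies that tenant's policy, and returns the result over the same VNI. This is an added example, not VMware's code; it assumes Geneve (RFC 8926) as the point-to-point tunnel format, which the abstract does not name, and the VNI table and tenant policies are constructed. The check a practitioner wants is the unknown-VNI branch: a packet with no tenant mapping is dropped rather than falling through to some default tenant's service routers.

```python
"""VNI-keyed tenant policy selection on a managed service node (added example, not VMware code)."""
import struct
from typing import Callable, Optional

ETH_P_TEB = 0x6558   # Geneve protocol type for a transparent Ethernet payload


def geneve_encap(vni: int, payload: bytes) -> bytes:
    """Build an option-less Geneve header: ver=0, opt_len=0, flags=0, VNI in bits 31..8."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    return struct.pack("!BBHI", 0, 0, ETH_P_TEB, vni << 8) + payload


def geneve_decap(frame: bytes) -> tuple[int, bytes]:
    ver_optlen, _flags, proto, vni_word = struct.unpack("!BBHI", frame[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    if proto != ETH_P_TEB:
        raise ValueError("unexpected inner protocol")
    opt_len = (ver_optlen & 0x3F) * 4       # option length is in 4-byte units
    return vni_word >> 8, frame[8 + opt_len:]


Policy = Callable[[bytes], Optional[bytes]]   # payload -> payload, or None to drop


class ManagedServiceNode:
    def __init__(self, vni_table: dict[int, tuple[str, str]], policies: dict[str, Policy]):
        self.vni_table = vni_table     # VNI -> (T0-SR, T1-SR) for that tenant
        self.policies = policies       # T1-SR -> tenant policy
        self.log: list[str] = []

    def handle(self, frame: bytes) -> Optional[bytes]:
        vni, payload = geneve_decap(frame)
        routers = self.vni_table.get(vni)
        if routers is None:
            # No tenant mapping: drop, never fall back to another tenant's policy.
            self.log.append(f"drop: unknown VNI {vni}")
            return None
        t0, t1 = routers
        result = self.policies[t1](payload)
        if result is None:
            self.log.append(f"drop: {t0}/{t1} policy rejected payload")
            return None
        self.log.append(f"{t0}/{t1} applied, returning over VNI {vni}")
        return geneve_encap(vni, result)   # back to the originating cloud gateway


def build_node() -> ManagedServiceNode:
    """Constructed tenants: A blocks anything mentioning telnet, B allows all."""
    vni_table = {100: ("t0-provider", "t1-tenant-a"), 200: ("t0-provider", "t1-tenant-b")}
    policies: dict[str, Policy] = {
        "t1-tenant-a": lambda p: None if b"telnet" in p else p,
        "t1-tenant-b": lambda p: p,
    }
    return ManagedServiceNode(vni_table, policies)


if __name__ == "__main__":
    node = build_node()
    for vni in (100, 200, 300):
        node.handle(geneve_encap(vni, b"telnet login"))
    print("\n".join(node.log))
```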
