H04L45/586

CONNECTIVITY BETWEEN VIRTUAL DATACENTERS
20230239238 · 2023-07-27

Some embodiments provide a method that receives (i) definition of a group of virtual datacenters and (ii) addition of at least two virtual datacenters to the group. Each virtual datacenter is defined in a public cloud and includes a set of network management components and a set of network endpoints connected by a logical network that is managed by the network management components of the virtual datacenter. Based on the definition of the group, the method configures a gateway router to which each of the virtual datacenters of the group connects. The gateway router routes traffic between the virtual datacenters of the group. The method also configures, at each virtual datacenter, a router that handles data traffic between that virtual datacenter and the other virtual datacenters of the group by routing traffic destined for the other virtual datacenters to the gateway router.

Distribution of network traffic to software defined network based probes

In one example, a processor may receive network traffic from a demultiplexer via a first network interface card and place portions of the network traffic into a plurality of hash buckets. The processor may further process a first portion of the portions of the network traffic in at least a first hash bucket of the plurality of hash buckets and forward a second portion of the portions of the network traffic in at least a second hash bucket of the plurality of hash buckets to a switch via a second network interface card. In one example, the switch distributes the second portion of the network traffic to one of a plurality of overflow probes. In one example, the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the network traffic.

Isolating time synchronization traffic using virtualization
11570096 · 2023-01-31

This disclosure describes techniques for providing customer isolation of time synchronization traffic using virtualization. For example, a method includes receiving, by a computing device, an Internet protocol (IP) address of a customer network of a plurality of customer networks connected to a cloud exchange executed by the computing device; configuring, by the computing device, a time synchronization server connected to the cloud exchange with a Virtualized Local Area Network (VLAN) associated with the IP address of the customer network, the time synchronization server comprising a plurality of instances that provide a time synchronization service; and configuring, by the computing device, the time synchronization server with a Virtual Routing and Forwarding (VRF) or network namespace for the VLAN, wherein the VRF or network namespace includes a route to send time synchronization traffic between the customer network and a particular instance of the plurality of instances that provide the time synchronization service.

NETWORK MANAGEMENT SERVICES IN A POINT-OF-PRESENCE

A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies. A managed service node receiving a packet uses provider service routers (T0-SR) and tenant service routers (T1-SRs) based on the VNI to apply the prescribed services for the tenant, and the resulting traffic is returned to the cloud gateway that originated the traffic.

NETWORK MANAGEMENT SERVICES IN A VIRTUAL NETWORK

A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies. A managed service node receiving a packet uses provider service routers (T0-SR) and tenant service routers (T1-SRs) based on the VNI to apply the prescribed services for the tenant, and the resulting traffic is returned to the cloud gateway that originated the traffic.

NETWORK MANAGEMENT SERVICES IN A SECURE ACCESS SERVICE EDGE APPLICATION

A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies. A managed service node receiving a packet uses provider service routers (T0-SR) and tenant service routers (T1-SRs) based on the VNI to apply the prescribed services for the tenant, and the resulting traffic is returned to the cloud gateway that originated the traffic.

OVERLAY BROADCAST NETWORK FOR MANAGEMENT TRAFFIC
20230023429 · 2023-01-26 ·

The disclosure provides an approach for an overlay broadcast network for management traffic. Techniques are provided for updating an underlay network route for a virtual computing instance (VCI) on a new host. After activating the VCI on the new host, a routing table on the old host is reprogrammed to associate an Internet protocol (IP) address of the VCI (the first IP address) with an overlay broadcast network IP address, and a routing table on the new host is reprogrammed to associate the first IP address with a local route on the new host. The VCI sends a message to an application programming interface (API) endpoint to initiate reprogramming of an underlay network route to associate the first IP address with the new host. When a response packet is received at the old host via the underlay network, the old host broadcasts the packet to the overlay broadcast network.