Patent classifications
H04L47/19
System and method for peak flow detection in a communication network
A method includes determining a delivery performance of a data flow being transmitted from a first network equipment to a second network equipment over a network; determining whether the network is congested based on the determined delivery performance of the data flow being transmitted to the second network equipment; and pacing delivery of the data flow to the second network equipment by reducing a rate at which the data flow is delivered to the second network equipment when the network is determined to be congested.
Mobile core dynamic tunnel end-point processing
The present technology is directed to a system and method for using cloud-based processing to co-locate one or more tunnel end points, associated with mobile user-generated traffic traversing a core network, with the serving machine located on the application provider network. The described system/method involves early-stage identification of the traffic flow (i.e., at the Packet Data Network Gateway device using the Application Detection and Control function) and dynamically instantiating an end point for the aforementioned traffic flow at the server where the application request is being served. The traffic is then tunneled directly to that endpoint, thus avoiding decapsulated mobile traffic traversing the provider network.
MULTIFUNCTIONAL APPLICATION GATEWAY FOR SECURITY AND PRIVACY
Systems and methods directed to an application gateway for security and privacy that supports security and compliance monitoring between production environments and virtual private clouds are described. In examples, the application gateway for security and privacy supports security and compliance logging, making such information available to administrators and auditors; accordingly, the administrators and auditors can determine in detail how the application gateway for security and privacy is behaving. For example, by providing access to security and compliance logs, administrators and auditors can verify that the application gateway is not behaving in a malicious manner, such as, but not limited to, communicating with an unauthorized host. In addition to including a user-friendly management interface that allows a user to modify existing configurations in real time, the application gateway for security and privacy may scale in a secure manner to support increasing and decreasing traffic demands.
Domain name system analysis on edge network devices
A method for analyzing a pair of domain name system (DNS) packets, the method comprising: extracting a portion of a request DNS packet to obtain extracted request DNS information, wherein the extracted request DNS information comprises a first timestamp generated by the edge network device, obtaining a response DNS packet, extracting at least a portion of the response DNS packet to obtain extracted response DNS information, wherein the extracted response DNS information comprises a second timestamp generated by the edge network device, after the obtaining, processing the extracted request DNS information and extracted response DNS information to obtain processed information, wherein the processed information comprises a roundtrip time derived from the first timestamp and the second timestamp, and transmitting the processed information to a monitoring system, wherein the pair of DNS packets are not transmitted to the monitoring system.
Network flow management for isolated virtual networks
A network address assigned to a virtual network interface of a packet transformation node of a flow management service is identified. A packet of a particular network flow associated with an application implemented at an isolated virtual network is sent to the network address. Using a rewrite directive generated at a rewriting decisions node of the service and cached at the packet transformation node, a transformed packet corresponding to a packet received at the packet transformation node is generated and transmitted to a destination.
Service path generation in load balanced manner
Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (1) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane. For instance, in some embodiments, each forwarding plane connects to a machine or service node through a port that receives data messages from, or supplies data messages to, the machine or service node. In such embodiments, the service forwarding plane does not have a port that directly receives data messages from, or supplies data messages to, any guest machine. Instead, in some such embodiments, data associated with a guest machine is routed to a port proxy module executing on the same host computer, and this other module has a service plane port. In some embodiments this port proxy module can indirectly connect more than one guest machine on the same host to the service plane (i.e., it can serve as the port proxy module for more than one guest machine on the same host).