H04L61/25

Virtual network provider
10594516 · 2020-03-17

Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

SYSTEMS AND METHODS FOR NETWORK ADDRESS TRANSLATION
20200076765 · 2020-03-05

An intelligent network address translation system and methods for intelligent network address translation. In one embodiment, a network packet is received from a host device, and a stored record associated with the host device is identified. The stored record includes information relating to connection parameters associated with the host device. Using the stored record, a processor determines whether the network packet should be assigned a dedicated address. If so, then the network packet is transmitted using communication parameters including a dedicated IP address. If the packet should not be assigned a dedicated address, then the packet is transmitted using connection parameters including a default public IP address and a port number.

HIERARCHICAL API FOR DEFINING A MULTI-SEGMENTED APPLICATION IN AN SDDC

Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments are to be defined. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests enables administrators to manage fine-grained micro-segmentation rules based on endpoint and network attributes.

Entity IP mapping

Systems and methods for mapping IP addresses to an entity include receiving at least one domain name associated with the entity. Embodiments may further include determining one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name. Some embodiments may also include identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources. Additional embodiments include assigning weights to each of the identified one or more IP addresses and creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.

SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE
20200045084 · 2020-02-06

A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.

LOAD BALANCING IN DATA HOSTING SYSTEMS
20200036638 · 2020-01-30

A method for load balancing network traffic. First network address translation rules are executed with respect to a first data packet of the network traffic to translate initial address space data thereof, with respect to an initial destination network address and port identifier. An entry is generated with respect to the first data packet that includes data related to the translated destination network address and port identifier, and an initial source network address and port identifier. A second data packet is received from a client. The generated entry is identified and implemented in executing second network address translation rules with respect to the second data packet, to translate address space data thereof with respect to an initial destination network address and port identifier, for routing thereof to the host, and upon servicing, for routing thereof directly to the client.

Load balancing in data hosting systems

A method, computer system, and computer program product for load balancing network traffic. First network address translation rules are executed with respect to a first data packet of the network traffic to translate initial address space data thereof, with respect to an initial destination network address and port identifier. An entry is generated with respect to the first data packet that includes data related to the translated destination network address and port identifier, and an initial source network address and port identifier. A second data packet is received from a client. The generated entry is identified and implemented in executing second network address translation rules with respect to the second data packet, to translate address space data thereof with respect to an initial destination network address and port identifier, for routing thereof to the host, and upon servicing, for routing thereof directly to the client.

Distributed affinity tracking for network connections

An embodiment of the invention may include a method, computer program product, and system for data transfer management. The embodiment may include receiving a data packet, by a first server, from a load balancer. The received data packet is part of a data flow. The embodiment may include determining, by the first server, whether the received data packet is part of an existing data flow connection served by the first server. Based on determining that the received data packet is not part of an existing data flow served by the first server, the embodiment may include determining, by the first server, whether the received data packet is part of a new data flow connection. Based on determining that the received data packet is not part of a new data flow connection, the embodiment may include notifying, by the first server, the load balancer.

ENTITY IP MAPPING

Systems and methods for mapping IP addresses to an entity include receiving at least one domain name associated with the entity. Embodiments may further include determining one or more variations of the at least one domain name based on analysis of domain name data collected from a plurality of domain name data sources that mention a variation of the at least one domain name. Some embodiments may also include identifying one or more IP addresses pointed to by the one or more variations of the entity's domain name based on analysis of IP address data collected from a plurality of IP address data sources. Additional embodiments include assigning weights to each of the identified one or more IP addresses and creating a mapping of IP addresses to associate with the entity based on analysis of the weighted one or more IP addresses.

System and method for automatic configuration of domain names by third parties

Systems and methods for creating custom domain name links are provided. At least one server communicatively coupled to a network receives a request to create a custom domain name link to a third party service. The request identifies a custom domain name. The at least one server retrieves, from a third party service link database, an entry for the third party service specifying how to create the custom domain name link for the third party service, and the at least one server creates the custom domain name link in accordance with the entry retrieved from the third party service link database.