H04L61/5076

Techniques for migrating worker nodes to a new manager instance

Techniques for migrating worker nodes within clusters to a new manager instance. One technique includes receiving a request to migrate or update a configuration of a cluster within a container system, where the migration or update includes switching from a first communication pathway to a second communication pathway between worker nodes and a manager instance; creating a component and associated IP address for the second communication pathway; communicating a pod specification that includes the IP address for the second communication pathway to the manager instance, where the pod specification will cause a container tool to update each of the worker nodes with the IP address for the second communication pathway; receiving a notification that all worker nodes have been updated with the IP address; and removing a component and associated IP address for the first communication pathway from the cluster.

INTELLIGENT DEPLOYMENT REGION SELECTION AND SCALING OF CLOUD-BASED FIREWALLS
20230108139 · 2023-04-06

Automated, intelligent selection of regions for cloud-based firewall deployment, and scaling of firewalls down to as few as zero in a cloud region, is described herein. Usage metrics pertaining to firewalls deployed in each region are collected and evaluated to determine whether to scale firewalls in a region up or down. Scaling firewalls down to zero is conditioned on at least one other region having one or more firewalls available for traffic inspection, so that the total number of firewalls available for inspection of network traffic is at least one at any given time. When scaling up through deployment of additional firewalls, if endpoint devices located near a region in which no firewall is available contribute substantially to firewall usage in another region, the region nearest to those endpoint devices is determined and selected for deployment of the additional firewalls.

FEDERATED DNS CACHING
20230106413 · 2023-04-06

Systems and methods are provided for distributing a domain name service (DNS) response cache in a DNS resolving system on a network. The systems and methods described herein may improve response times for client queries and also protect the DNS resolving system from DNS-related cyber attacks.

FEEDBACK MECHANISM TO ENFORCE A SECURITY POLICY
20220321533 · 2022-10-06

Techniques for providing a feedback mechanism to enforce a security policy are provided. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes receiving a security policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name based on a feedback mechanism that utilizes network logs (e.g., implemented using a learning process for FQDN to IP address mappings) to facilitate more effective security policy enforcement. For example, a security device (e.g., a firewall or other network gateway) can perform a learning process for FQDN to IP address mappings that utilizes past successful sessions or trusted information sources as an authorized IP range, and the security policy can then be enriched with the layer 3 information (e.g., IP addresses) matched to the FQDN address objects (e.g., web addresses, such as Uniform Resource Locators). As such, the security device can then be configured to block all connection attempts at layer 3 (e.g., using IP addresses), which improves network security by reducing the opportunity for attackers to, for example, send/download malicious traffic prior to enforcement based on layer 7 information.

APPARATUS, METHODS, AND COMPUTER PROGRAMS
20230148200 · 2023-05-11

There is provided a method, computer program, and an apparatus for a network function that causes the network function to: receive, from a service consumer, event subscription information comprising an intra-domain address and an inter-domain address for signalling event subscription notification information from a service producer to the service consumer; determine whether a first service producer is located in the same domain as the service consumer; select at least one of the inter-domain address and the intra-domain address to signal to the first service producer in dependence on said determining; and signal the selected at least one address to the first service producer.

System and method to register FQDN-based IP service endpoints at network attachment points

Systems and methods are described to register FQDN-based IP service endpoints at network attachment points. One embodiment takes the form of a method comprising: receiving, at a server-side network access point (sNAP) in an information-centric network (ICN), a registration request including a first fully qualified domain name (FQDN), a port, a transport protocol, and a service name of an IP server; publishing, at the sNAP, the port, the transport protocol, and the service name to a first content identifier (CID); and subscribing, at the sNAP, to a second CID that is based on the FQDN.