A label switch router (LSR) in a label-switched path (LSP) may receive, from an ingress edge LSR, a Multi-Protocol Label Switching (MPLS) echo request, where the LSP includes a tunnel having details that are hidden by a Nil Forward Equivalency Class (FEC). The LSR may determine whether the LSR is an egress node for the tunnel in the LSP based at least in part on one or more labels in the MPLS echo request. The LSR may, in response to determining that the LSR is the egress node for the tunnel in the LSP, send an MPLS echo reply that indicates the LSR as being the egress node for the tunnel in the LSP.

A non-transitory machine readable medium storing a program that configures managed forwarding elements to establish tunnels between the managed forwarding elements is described. From a particular managed forwarding element, the program receives information regarding coupling of a network element to the first managed forwarding element. Upon receiving the information, the program generates a set of universal flow entries for configuring another managed forwarding element to establish a tunnel to the particular managed forwarding element.

A cloud extension agent can be provided on a customer premise for interfacing, via an outbound secure connection, cloud based services.

A cloud extension agent can be provided on a customer premise for interfacing, via an outbound secure connection, cloud based services.

Systems and methods for managing a global virtual network connection between an endpoint device and an access point server are disclosed. In one embodiment the network system may include an endpoint device, an access point server, and a control server. The endpoint device and the access point server may be connected with a first tunnel. The access point server and the control server may be connected with a second tunnel.

A secure private network connectivity system (SNCS) within a cloud service provider infrastructure (CSPI) is described that provides secure private network connectivity between external resources residing in a customer's on-premise environment and the customer's resources residing in the cloud. Secure access to an external resource is enabled by the SNCS by creating an external resource representation (i.e., a computing instance) for the external resource in the customer's virtual cloud network (VCN) in the cloud and creating a virtual network interface card for the external resource representation. Using the SNCS, the customer can securely access the external resource residing in their on-premise network from within their VCN by connecting to the virtual IP address assigned to the VNIC without requiring to set up elaborate site-to-site networking, without making changes to their on-premise routing configuration or without making any changes to the configuration of the external resource.

A SOAM virtualization system for a network having at least first and second maintenance entities coupled to each other comprises a network controller coupled to at least one of the first and second maintenance entities through a tunnel for virtualizing a SOAM network function on the at least one of the first and second maintenance entities to which the network controller is coupled. The network controller may be coupled to the first and second maintenance entities through first and second tunnels, respectively. The first maintenance entity may an originator device, and the second maintenance entity may be a destination device, with the network controller virtualizing the SOAM network function on both devices. The network controller may send a packet containing a tunnel header and a SOAM frame via the first tunnel to the originator device, which then sends the packet containing the SOAM frame to the destination device.

Systems and methods for managing a global virtual network connection between an endpoint device and an access point server are disclosed. In one embodiment the network system may include an endpoint device, an access point server, and a control server. The endpoint device and the access point server may be connected with a first tunnel. The access point server and the control server may be connected with a second tunnel.

Some embodiments provide a method for a managed forwarding element (MFE). At the MFE, the method receives a first packet from a particular tunnel endpoint. The first packet originates from a particular data compute node associated with multiple tunnel endpoints including the particular tunnel endpoint. Based on the first packet, the method stores an association of the particular tunnel endpoint with the particular data compute node. The method uses the stored association to encapsulate subsequent packets received at the MFE and having the particular data compute node as a destination address with the particular tunnel endpoint as a destination tunnel endpoint.

Various techniques for dynamic path selection and data flow forwarding are disclosed. For example, various systems, processes, and computer program products for dynamic path selection and data flow forwarding are disclosed for providing dynamic path selection and data flow forwarding that can facilitate preserving/enforcing symmetry in data flows as disclosed with respect to various embodiments.