Patent classifications
H04L61/2539
Distributed processing of north-south traffic for logical network in public cloud
Some embodiments provide a method for a managed first forwarding element executing on a first data compute node (DCN) that operates on a first host machine within a public datacenter. The managed first forwarding element is configured to implement a logical network. The method receives a data packet from an application, executing on the first data compute node, that sends and receives data packets through the logical network. When the data packet has a destination address that is not associated with the logical network, the method sends the packet directly to a second forwarding element configured by an administrator of the datacenter. When the data packet has a destination address associated with the logical network, the method sends the packet to a managed third forwarding element configured to implement the logical network. The managed third forwarding element executes on a second DCN on a second host machine within the datacenter.
EXTENSION OF NETWORK CONTROL SYSTEM INTO PUBLIC CLOUD
Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.
Virtual tenant for multiple dwelling unit
An apparatus and method provide personal networks to tenants on a multiple dwelling unit (MDU) network. Virtual Local Area Networks (VLANs) are assigned to a plurality of tenants to define a plurality of personal networks on the MDU network such that each of the personal networks is for a different tenant and is assigned a different VLAN. Onboarding requests are received from a plurality of client devices of a tenant for access to a personal network assigned to the tenant such that, when provisioned onto the personal network, intercommunication between the client devices of the tenant across the MDU network within the personal network is provided while access thereto by client devices of other tenants is blocked.
Smart sender anonymization in identity enabled networks
A method implemented by a sending host entity comprises sending, by the sending host entity, a data packet to a receiving host entity, a source identifier field of the data packet comprising an anonymized identifier of the sending host entity, the anonymized identifier being a temporary identifier of the sending host entity, and sending, by the sending host entity to a distributed mapping system, a request for the distributed mapping system to send information identifying the sending host entity to the receiving host entity.
Server-side detection and mitigation of client-side content filters
A server-side technique to detect and mitigate client-side content filtering, such as ad blocking. In operation, the technique operates on the server side of a client-server communication path to provide real-time detection of a client filter (e.g., an ad blocker plug-in) through transparent request exchanges, and then to mitigate (defeat) that filter through one or more operations designed to modify the HTML response body or otherwise obscure URLs. Preferably, the publisher (the CDN customer) defines one or more criteria identifying the page resources being served by the overlay (CDN) that need to be protected against the client-side filtering.
Logical network domains stretched between public and private datacenters
Some embodiments provide a method for a network controller. The method configures a first data compute node (DCN), operating within a public first datacenter that includes forwarding elements to which the network controller does not have access, to operate as a gateway forwarding element between (i) other DCNs in the first datacenter on which forwarding elements are configured by the network controller and (ii) forwarding elements in a second datacenter. The method configures the forwarding elements executing on the other DCNs in the public datacenter to implement a logical switch to which the other DCNs attach. The method configures the forwarding elements in the second datacenter to implement the logical switch. DCNs in the second datacenter also attach to the same logical switch.
METHOD FOR VIRTUAL MACHINE TO ACCESS PHYSICAL SERVER IN CLOUD COMPUTING SYSTEM, APPARATUS, AND SYSTEM
In a method for providing access to a service provided by a physical server in a cloud computing system, a cloud platform allocates to the service a publishing IP address and a publishing port, and sends a NAT rule to an access network element associated with the virtual machine. Upon receiving a service access request from the virtual machine for accessing the service, the access network element modifies, according to the NAT rule, a destination address of the service access request into the IP address and the port of the physical server that provides the service, and routes the modified service access request to the physical server.
PROTECTING COMMUNICATION LINK BETWEEN CONTENT DELIVERY NETWORK AND CONTENT ORIGIN SERVER
A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.
INFRASTRUCTURE DISTRIBUTED DENIAL OF SERVICE PROTECTION
A method of providing infrastructure protection for a server of a network organization, the method including announcing an internet protocol (IP) address range associated with the network organization using a border gateway protocol (BGP) on an edge server of a distributed network of edge servers. The method further including receiving an incoming network packet intended for the server of the network organization identified using a public IP address within the IP address range, the public IP address serving as a first anycast address for a distributed network of edge servers. The method further including determining, by the distributed network, whether the incoming network packet is legitimate. The method further including responsive to determining that the incoming network packet is legitimate, routing, by a processor using generic routing encapsulation (GRE), the incoming network packet to the server at a private IP address.