Patent classifications
H04L61/2557
MULTI-TENANT ENVIRONMENT WITH OVERLAPPING ADDRESS SPACE
A method includes: receiving communications from first and second tenants of a multi-tenant computing environment over first and second dedicated networks, respectively, the communications being transmitted to a first globally unique IP address in first and second dedicated environments, respectively; NATing the first globally unique IP address, to which the communication from the first tenant was transmitted, to a first non-globally unique IP address that is locally unique in the service provider environment; NATing the first globally unique IP address, to which the communication from the second tenant was transmitted, to a second non-globally unique IP address that is locally unique in the service provider environment; providing the communication from the first tenant and the communication from the second tenant access to a shared resource in the service provider environment using the first and second non-globally unique IP addresses, respectively.
NETWORK ADDRESS TRANSLATION
A NAT method, apparatus and device are provided. According to the method, a target IP address and its reference port are obtained from a NAT resource pool, the reference port being a port in a corresponding consecutive port range. A first five-tuple is generated based on the target IP address, the reference port and an original five-tuple of the packet, and a second five-tuple is obtained by masking first-class bits of the reference port of the first five-tuple. Based on a hash result of the second five-tuple, a target bit indicating a non-conflicting state is determined from a pre-constructed bitmap. The state indicated by the target bit is set to be a conflicting state, and a target five-tuple is generated based on the target bit. The target five-tuple and the original five-tuple are recorded in a session table, and the packet is NAT-processed based on the target five-tuple.
Secure and seamless remote access to enterprise applications with zero user intervention
In secure and seamless remote access to enterprise applications with zero user intervention, a first set of policies is generated at a controller based on a user role. A user device associated with the user role is in an enterprise network. The first set of policies is pushed to the security agent in the user device associated with a user, an enterprise server, and a secure remote access gateway from the controller. Upon determining that the user device moves to a remote network, a secure connection is initiated by the security agent from the user device to the secure remote access gateway. Upon determining by the controller that the user is authenticated for the secure connection, a second set of policies is generated by the controller for the user device, the enterprise server and the secure remote access gateway. The second set of policies is pushed to the devices.
Service detection for a policy controller of a software-defined wide area network (SD-WAN)
Systems and methods for detecting Internet services by a network policy controller are provided. According to one embodiment, a network controller maintains an Internet service database (ISDB) in which multiple Internet services and their corresponding protocols, port numbers, Internet Protocol (IP) address ranges and singularity levels of the IP ranges are stored. The network policy controller intercepts network traffic and detects the Internet service of the network traffic. If the IP address of the network traffic falls in the IP range with the highest singularity level, and the protocol type and port number of the network traffic match that entry in the ISDB, the corresponding Internet service is identified as the Internet service of the network traffic. The network policy controller further controls transmission of the network traffic based on the identified Internet service.
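The lookup described in the abstract, as an added illustration that is not the patent's or any vendor's code: the ISDB rows, the singularity values, the policy table and the addresses (documentation prefixes) are all constructed here. The abstract consults only the range with the highest singularity level; whether to fall back to a broader range when the protocol and port do not match there is not specified, so that is exposed as an explicit flag that defaults to off.

```python
"""Internet service detection against a constructed ISDB (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class IsdbEntry:
    service: str
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP
    port: int
    network: Network
    singularity: int  # assumption: higher = range is more specific to a single service


def isdb_entry(service: str, proto: int, port: int, cidr: str, singularity: int) -> IsdbEntry:
    return IsdbEntry(service, proto, port, ipaddress.ip_network(cidr), singularity)


# Constructed ISDB.  The /27 is a carve-out inside the /24 that belongs to a
# different service and therefore carries a higher singularity level.
ISDB: List[IsdbEntry] = [
    isdb_entry("Cloud-Storage", 6, 443, "198.51.100.0/24", 1),
    isdb_entry("Cloud-Storage", 6, 80, "198.51.100.0/24", 1),
    isdb_entry("Video-Stream", 6, 443, "198.51.100.32/27", 3),
    isdb_entry("Video-Stream", 17, 443, "198.51.100.32/27", 3),
    isdb_entry("CDN-Shared", 6, 443, "203.0.113.0/24", 0),
]


def detect_service(isdb: List[IsdbEntry], ip: str, proto: int, port: int,
                   fallback: bool = False) -> Optional[str]:
    """Return the service name for a flow, or None when nothing matches.

    Only the range(s) with the highest singularity level containing `ip` are
    consulted, as the abstract describes.  With fallback=True, less specific
    ranges are tried when protocol/port do not match at the top level; the
    abstract does not specify that, so it is off by default.
    """
    addr = ipaddress.ip_address(ip)
    hits = [e for e in isdb if addr.version == e.network.version and addr in e.network]
    if not hits:
        return None
    levels = sorted({e.singularity for e in hits}, reverse=True)
    if not fallback:
        levels = levels[:1]
    for level in levels:
        for e in hits:
            if e.singularity == level and e.proto == proto and e.port == port:
                return e.service
    return None


# Constructed per-service policy; traffic with no identified service gets "default".
POLICY = {"Video-Stream": "rate-limit", "Cloud-Storage": "allow", "CDN-Shared": "allow"}


def policy_action(isdb: List[IsdbEntry], ip: str, proto: int, port: int) -> str:
    service = detect_service(isdb, ip, proto, port)
    return POLICY.get(service, "default") if service else "default"
```

Note that a flow to 198.51.100.40 on TCP/80 is not classified without fallback: the most specific range knows only port 443, and the abstract does not say the broader /24 should then be consulted. A controller that silently fell back would mis-attribute carve-out traffic to the parent service, which matters when the policy differs between the two.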
Port and loopback IP addresses allocation scheme for full-mesh communications with transparent TLS tunnels
A method is presented for a virtual machine to use a port and loopback IP address allocation scheme for full-mesh communications with transparent transport layer security tunnels. In an embodiment, the method comprises detecting, at a redirect agent implemented in a first machine, a packet that is sent from a client application executing on the first machine toward a server application executing on a second machine; and determining, by the redirect agent, whether a first redirect rule matches the packet. In response to determining that the first redirect rule matches the packet, the redirect agent applies the first redirect rule to the packet to translate the packet into a translated packet, and provides the translated packet to a client agent implemented in the first machine to cause the client agent to transmit the translated packet to a server agent implemented in the second machine.
SRv6 with Micro Segment Identifiers
In one embodiment, a method includes receiving a packet comprising a destination address in a destination address field of the packet, where the destination address includes at least a first global identifier and a second global identifier; determining that the first global identifier corresponds to the first network apparatus; determining that a local identifier in the destination address is associated with the first global identifier; identifying one or more instructions associated with the local identifier; performing one or more functions instructed by the one or more instructions; updating the destination address in the destination address field of the packet to an updated destination address; determining a forwarding rule associated with the packet; and forwarding the packet with the updated destination address based on the forwarding rule.
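The per-node processing described in the abstract, as an added example that is not the patent's or any router's implementation. The encoding is assumed here: a /32 uSID block followed by six 16-bit identifiers, a node's global identifier being the first identifier after the block, an optional local identifier immediately after it that selects an instruction bound to that node, and a plain longest-prefix-match FIB for the forwarding rule. The block prefix, identifier values, instruction strings and next-hop names are all constructed.

```python
"""One SRv6 micro-SID node: match global ID, run local instruction, shift, forward (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

BLOCK_BITS = 32                     # assumption: the uSID block is a /32 (here fcbb:bbbb::/32)
USID_BITS = 16
CARRIER_BITS = 128 - BLOCK_BITS     # 96 bits: six 16-bit uSIDs after the block
CARRIER_MASK = (1 << CARRIER_BITS) - 1
END_OF_CARRIER = 0x0000             # zero uSIDs pad the carrier once everything is consumed


def canon(addr: str) -> str:
    """Compressed text form of an IPv6 address, so results can be compared as strings."""
    return str(ipaddress.IPv6Address(addr))


def carrier(addr: str) -> List[int]:
    """The 16-bit uSIDs that follow the block, most significant first."""
    rest = int(ipaddress.IPv6Address(addr)) & CARRIER_MASK
    return [(rest >> (CARRIER_BITS - USID_BITS * (i + 1))) & 0xFFFF
            for i in range(CARRIER_BITS // USID_BITS)]


def shift(addr: str, n: int) -> str:
    """Consume the first n uSIDs: shift the remainder left and pad with end-of-carrier zeros."""
    v = int(ipaddress.IPv6Address(addr))
    rest = ((v & CARRIER_MASK) << (USID_BITS * n)) & CARRIER_MASK
    return str(ipaddress.IPv6Address((v & ~CARRIER_MASK) | rest))


class Node:
    def __init__(self, name: str, block: str, gid: int,
                 local: Dict[int, str], fib: List[Tuple[str, str]]):
        self.name = name
        self.block = ipaddress.ip_network(block)
        self.gid = gid                  # this node's global identifier (first uSID after the block)
        self.local = local              # local identifier -> instruction ("decap" or "via:<next hop>")
        self.fib = [(ipaddress.ip_network(p), nh) for p, nh in fib]

    def lpm(self, addr: str) -> Optional[str]:
        """Forwarding rule: longest prefix match over the constructed FIB."""
        a = ipaddress.IPv6Address(addr)
        hits = [(n.prefixlen, nh) for n, nh in self.fib if a in n]
        return max(hits)[1] if hits else None

    def process(self, dst: str) -> Tuple[str, str, Optional[str]]:
        """Return (updated destination, action taken, next hop) for a packet with destination dst."""
        if ipaddress.IPv6Address(dst) not in self.block:
            return canon(dst), "transit", self.lpm(dst)
        ids = carrier(dst)
        if ids[0] != self.gid:                      # not addressed to us: forward untouched
            return canon(dst), "transit", self.lpm(dst)
        consumed, action = 1, "shift"
        instruction = self.local.get(ids[1])
        if instruction is not None:                 # local identifier bound to our global identifier
            consumed, action = 2, instruction
        new_dst = shift(dst, consumed)              # update the destination address field
        if action == "decap":
            return new_dst, action, None            # packet leaves the SRv6 domain here
        if action.startswith("via:"):
            return new_dst, action, action[4:]      # instruction fixes the next hop directly
        return new_dst, action, self.lpm(new_dst)


# Constructed topology: R1 owns global ID 0x0100 and two local instructions.
R1 = Node("R1", "fcbb:bbbb::/32", 0x0100,
          local={0xF001: "via:R3-direct", 0xF002: "decap"},
          fib=[("fcbb:bbbb:200::/48", "R2"), ("fcbb:bbbb:300::/48", "R3"),
               ("fcbb:bbbb::/32", "R-core")])
R2 = Node("R2", "fcbb:bbbb::/32", 0x0200, local={},
          fib=[("fcbb:bbbb:300::/48", "R3"), ("fcbb:bbbb::/32", "R-core")])
```

The security-relevant property to check in a real deployment is the first branch: a node must only consume identifiers from addresses inside its own block, and must not execute a local instruction unless the preceding global identifier is its own, otherwise a crafted destination address could steer traffic to instructions the sender was never entitled to invoke.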
NETWORK ADDRESS TRANSLATION
A Network Address Translation (NAT) method, apparatus and device are provided. Based on the method, a target IP address and its reference port are obtained from a NAT resource pool, wherein the reference port is a port in a consecutive port range of the target IP address; a first five-tuple corresponding to a packet is generated based on the target IP address, the reference port and an original five-tuple of the packet, and a second five-tuple is obtained by masking first-class bits of two classes of ports of the first five-tuple respectively; a target five-tuple is determined in a plurality of consecutive hash buckets of a hash table based on a hash result of the second five-tuple; and the target five-tuple and the original five-tuple are recorded in the hash table and a corresponding result table, and the packet is NAT-processed based on the target five-tuple.
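The allocation scheme shared by the two NETWORK ADDRESS TRANSLATION abstracts above (the first with a bitmap, the second with hash buckets), as an added example that is not the patent's implementation. It assumes 64-port consecutive ranges, takes the "first-class bits" to be the low-order bits of the reference port, hashes the masked five-tuple with BLAKE2b rather than a hardware hash, and keeps one conflict bit per (bucket, port offset). Because the hashed tuple includes the destination, a public port can be reused toward different destinations while two flows to the same destination are forced onto distinct ports. All addresses and the pool layout are constructed.

```python
"""NAT port allocation from a masked five-tuple hash and a conflict bitmap (added example)."""
import hashlib
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, int]   # (src_ip, src_port, dst_ip, dst_port, proto)

PORT_BLOCK_BITS = 6                          # assumption: each consecutive range is 2**6 = 64 ports
PORT_BLOCK_SIZE = 1 << PORT_BLOCK_BITS
PORT_LOW_MASK = PORT_BLOCK_SIZE - 1          # reference-port bits masked out before hashing


class NatTranslator:
    def __init__(self, pool: List[Tuple[str, int]], buckets: int = 4096):
        # pool: (target IP, reference port); the reference port is the first port of a
        # PORT_BLOCK_SIZE-wide consecutive range owned by that target IP.
        for _, ref in pool:
            if ref & PORT_LOW_MASK:
                raise ValueError("reference port must be the first port of its range")
        self.pool = pool
        self.buckets = buckets
        # One bit per (hash bucket, port offset): 0 = non-conflicting, 1 = conflicting.
        self.bitmap = bytearray(buckets * PORT_BLOCK_SIZE // 8)
        self.sessions: Dict[FiveTuple, FiveTuple] = {}   # original five-tuple -> target five-tuple
        self.reverse: Dict[FiveTuple, FiveTuple] = {}    # target five-tuple -> original five-tuple
        self.bit_of: Dict[FiveTuple, int] = {}           # target five-tuple -> bitmap index

    @staticmethod
    def second_tuple(first: FiveTuple) -> FiveTuple:
        """Mask the low-order bits of the reference port, giving the range base."""
        ip, ref, dst_ip, dst_port, proto = first
        return (ip, ref & ~PORT_LOW_MASK, dst_ip, dst_port, proto)

    def bucket(self, second: FiveTuple) -> int:
        key = "|".join(map(str, second)).encode()
        digest = hashlib.blake2b(key, digest_size=8).digest()   # deterministic, unlike hash()
        return int.from_bytes(digest, "big") % self.buckets

    def _test(self, i: int) -> int:
        return (self.bitmap[i >> 3] >> (i & 7)) & 1

    def _set(self, i: int) -> None:
        self.bitmap[i >> 3] |= 1 << (i & 7)

    def _clear(self, i: int) -> None:
        self.bitmap[i >> 3] &= 0xFF ^ (1 << (i & 7))

    def allocate(self, orig: FiveTuple) -> Optional[FiveTuple]:
        """Choose the target five-tuple for an outbound flow, or None when every range is full."""
        if orig in self.sessions:
            return self.sessions[orig]
        _, _, dst_ip, dst_port, proto = orig
        for target_ip, ref_port in self.pool:
            first = (target_ip, ref_port, dst_ip, dst_port, proto)
            base = self.bucket(self.second_tuple(first)) * PORT_BLOCK_SIZE
            for off in range(PORT_BLOCK_SIZE):
                idx = base + off
                if self._test(idx):
                    continue                      # conflicting: port already used toward this destination
                self._set(idx)                    # flip the target bit to the conflicting state
                target = (target_ip, ref_port + off, dst_ip, dst_port, proto)
                self.sessions[orig] = target      # session table: both tuples recorded
                self.reverse[target] = orig
                self.bit_of[target] = idx
                return target
        return None

    def release(self, orig: FiveTuple) -> None:
        """Tear down a session and return its port bit to the non-conflicting state."""
        target = self.sessions.pop(orig, None)
        if target is not None:
            self._clear(self.bit_of.pop(target))
            del self.reverse[target]

    def translate_inbound(self, pkt: FiveTuple) -> Optional[FiveTuple]:
        """Map a reply (src = server, dst = target IP/port) back to the inside host, or None."""
        s_ip, s_port, t_ip, t_port, proto = pkt
        orig = self.reverse.get((t_ip, t_port, s_ip, s_port, proto))
        if orig is None:
            return None                           # no session: unsolicited inbound, drop it
        o_ip, o_port, _, _, _ = orig
        return (s_ip, s_port, o_ip, o_port, proto)
```

Two properties worth keeping when adapting this: the bitmap index is derived from the destination, so the conflict check is endpoint-dependent (a hash collision between two destinations only costs a false conflict, never a double allocation), and inbound packets with no recorded session are dropped rather than forwarded to a guessed inside host.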
LOCATION-AWARE SERVICE REQUEST HANDLING
Example methods and systems are provided for location-aware service request handling. The method may comprise: generating and sending location information associated with a virtualized computing instance to a service node, or to a management entity for transmission to the service node. The location information may identify the logical element(s) to which the virtualized computing instance is connected. The method may further comprise: in response to detecting, from the virtualized computing instance, a service request for a service from the service node, generating a modified service request by modifying the service request to include the location information associated with the virtualized computing instance; and sending the modified service request towards the service node.
Customer-side and provider-side translation of Internet Protocol addresses without pre-shared prefixes
A network device may receive an IPv6 packet that includes an IPv6 source address and an IPv6 destination address. The network device may determine, based on the IPv6 packet including an extension header that includes an address prefix option, whether to translate the IPv6 packet into an IPv4 packet. Additionally, based on a determination to translate the IPv6 packet into the IPv4 packet, the network device generates an IPv4 packet that includes an IPv4 source address and an IPv4 destination address. Because the provider-side translation (PLAT) unit may make the determination whether to translate the IPv6 packet into an IPv4 packet based on the IPv6 packet including the address prefix option, instead of based on the IPv6 source address including a customer-side translation (CLAT) source prefix, it may be unnecessary to distribute the CLAT source prefix to the network device.
System and method for managing public IP addresses for virtual data centers
System and method for managing public internet protocol (IP) addresses for a group of virtual data centers utilize a virtual overlay network to route communications between the virtual data centers and a public network through a virtual edge router of one of the virtual data centers using a public IP address assigned to that virtual edge router.