H04L61/2557

Network address translation
11201852 · 2021-12-14

A NAT method, apparatus and device are provided. According to the method, a target IP address and its reference port are obtained from a NAT resource pool, the reference port being a port in a corresponding consecutive port range. A first five-tuple is generated based on the target IP address, the reference port and an original five-tuple of the packet, and a second five-tuple is obtained by masking first-class bits of the reference port of the first five-tuple. Based on a hash result of the second five-tuple, a target bit indicating a non-conflicting state is determined from a pre-constructed bitmap. The state indicated by the target bit is set to be a conflicting state, and a target five-tuple is generated based on the target bit. The target five-tuple and the original five-tuple are recorded in a session table, and the packet is NAT-processed based on the target five-tuple.

IDENTIFYING ROUTES WITH INDIRECT ADDRESSING IN A DATACENTER
20220210120 · 2022-06-30

Some embodiments provide a novel method of tracking connections in a network. The method receives an identification of a first network endpoint and a second network endpoint. The method then determines that the first network endpoint cannot directly address a packet flow to the second network endpoint. The method identifies an address translation rule of a network device that translates an address of the second network endpoint into a translated address. The method then determines that the first network endpoint can directly address a packet flow to the translated address. The method then identifies a route from the first network endpoint to the second endpoint through the network device that translates the address and displays the route including an identifier of the network device.

SRv6 with micro segment identifiers

In one embodiment, a method includes receiving a packet comprising a destination address in a destination address field of the packet, where the destination address includes at least a first global identifier and a second global identifier, determining that the first global identifier corresponds to the first network apparatus, determining that a local identifier in the destination address is associated with the first global identifier, identifying one or more instructions associated with the local identifier, performing one or more functions instructed by the one or more instructions, updating the destination address in the destination address field of the packet to an updated destination address, determining a forwarding rule associated with the packet, and forwarding the packet with the updated destination address based on the forwarding rule.

Resolution of domain name requests in heterogeneous network environments

Systems and methods are provided for domain name system (DNS) resolution in heterogeneous network environments including a virtual private cloud (VPC). An administrator of the VPC specifies rules identifying sources for resolving DNS resolution requests. The rules may include routing a request to a source outside the VPC, such as an on-premises DNS resolver, through an outbound IP endpoint.

Systems and methods for using unencrypted communication tunnels

Described embodiments provide systems and methods for using unencrypted communication tunnels. A first device intermediary between a client and a server may maintain an encrypted tunnel and an unencrypted tunnel with a second device intermediary between the client and the server. The first device may communicate, with the second device, at least one network address translation (NAT) rule via the encrypted tunnel. The first device may translate address information of a first packet, using the at least one NAT rule. The first device may send the first packet with the translated address information via the unencrypted tunnel, to the second device to reverse the translation of the address information using the at least one NAT rule.

DISTRIBUTED NETWORK ADDRESS TRANSLATION OVER NETWORK ENVIRONMENTS
20220174037 · 2022-06-02

This disclosure describes techniques for implementing network address translation as a distributed service over the nodes of a logical network fabric, such as a software-defined network fabric. A method includes registering, by an edge node of a network, an IP address of a client device. The method further includes forwarding, by the edge node, the registered IP address to a control plane of the network. The method further includes checking, by the control plane, a network address translation policy. The method further includes recording, by the control plane, translations between the registered IP address and an allocated IP address in a translation table, each of the translations being related to the edge node. The method further includes returning, by the control plane, the translations between the registered IP address and the allocated IP address to the edge node.

System to enable end to end QoS-low latency-prioritization for NAT enabled networks
11743197 · 2023-08-29

A network and method for connecting devices on a Local Area Network (“LAN”) to the Internet via a Network Address Translation (“NAT”) enabled gateway and server. The gateway includes an Internet address for enabling the gateway to be addressed by the server and the LAN. A plurality of ports on the gateway enables the gateway to receive and transmit data to and from the server and the LAN. A processor divides the ports on the gateway into at least a first range and a second range of port numbers. Classified traffic identified as suitable for a higher level of QoS is assigned to the first range of port numbers, and classified traffic identified as suitable for a lower level of QoS is assigned to the second range. The gateway provides devices on the LAN with a level of QoS depending upon the port numbers to which they are assigned.

BINDING FLOWS TO UNIQUE ADDRESSES OR PORTS
20230269217 · 2023-08-24

Techniques for binding communication flows to unique addresses and/or ports, and configuring networking devices internal to a network to apply policy without the need to further introspect a given stream. Further, by creating mappings of unique addresses and/or ports to flows, the network devices are able to enforce policy without needing to coordinate with an edge node of the network at which the communication session terminates. Further, the techniques may include providing an SDN controller with a mapping between a unique address/port and a network flow, determining flow-specific policy to enforce on the flow, and programming one or more network devices to enforce the flow-specific policy in the network using the unique address/port.