Patent classifications
H04L12/4679
PACKET STEERING TO A HOST-BASED FIREWALL IN VIRTUALIZED ENVIRONMENTS
Techniques are disclosed for redirecting network traffic of a virtualized application workload to a host-based firewall. For example, a system comprises a software defined networking (SDN) controller of a multi-tenant virtualized data center configured to: receive a security policy expressed as one or more tags to redirect traffic of a virtualized application workload to a host-based firewall (HBF) of the multi-tenant virtualized data center; and configure network connectivity to the HBF in accordance with the security policy. The system further comprises a security controller that manages the HBF, configured to: obtain the one or more tags from the SDN controller; receive one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF; and configure the function of the HBF in accordance with the one or more firewall policies.
EVPN packet processing method, device, and system
A method includes a first provider edge (PE) device sending, to a second PE device, a media access control (MAC) route learned from a customer edge (CE) device and a virtual local area network (VLAN) identifier, wherein the second PE device generates a MAC forwarding entry based on the MAC route and the VLAN identifier, where the MAC forwarding entry is used to directly forward, using the CE device, a packet whose destination MAC address is the CE device or a MAC address of a terminal device accessing the CE device. An outbound interface identifier included in the MAC forwarding entry is an identifier of an interface connected to the CE device.
NETWORK INTERFACE PROVISIONING OF CONTAINERIZED INSTANCES BASED ON TENANT POLICIES
Network interface provisioning of containerized instances based on tenant policies. A network interface assignment process (NIAP) receives a first request to assign a network interface to a first containerized instance comprising at least one container. The NIAP determines that a first tenant of a plurality of different tenants is associated with the first containerized instance. The NIAP accesses a first network assignment tenant policy (NATP) that corresponds to the first tenant. Based on the first NATP, the NIAP assigns, to the first containerized instance, a first network interface via which the first containerized instance can communicate with other containerized instances associated with the first tenant.
Virtual Router Instantiation on Public Clouds
Aspects of the subject disclosure may include, for example, instantiating a virtual provider edge router (VPE) of a network operator on a layer 3 public cloud network operated by a cloud operator, establishing a virtual layer 2 bridging domain over the layer 3 public cloud network between a core network of the network operator and the VPE, wherein the virtual layer 2 bridging domain shields infrastructure addressing of the core network of the network operator, and establishing an Interior Gateway Protocol (IGP) of the network operator on top of the virtual layer 2 bridging domain for layer 2 communication between the core network of the network operator and the VPE over the layer 3 public cloud network. Other embodiments are disclosed.
ELIMINATION OF OLD IPV6 ADDRESSES FROM WLAN STATIONS IN DHCPV6 STATEFUL MODE AFTER TRANSITIONING BETWEEN VLANS
A Wi-Fi controller identifies a mismatch between a first prefix of a first IPv6 address for a data packet corresponding to a first VLAN on which the data packet was sent from the station to the access point, and a prefix of a second IPv6 address for a second VLAN from which the data packet was transmitted from the access point to the Wi-Fi controller. Responsive to the VLAN mismatch identification, the Wi-Fi controller transmits a DHCP reconfiguration packet to the station using the first VLAN. The DHCP reconfiguration packet causes the station to transmit a rebind packet to the DHCP server. The rebind packet causes the DHCP server to transmit an ACK frame on the first VLAN setting the valid lifetime for the first IPv6 address to zero.
DYNAMIC ELIMINATION OF OLD IPV6 ADDRESSES FROM WLAN/BYOD/IOT DEVICES IN DHCPV6 STATELESS MODE AFTER TRANSITIONING BETWEEN VLANS
A Wi-Fi controller identifies a mismatch between a first prefix of a first IPv6 address for a data packet corresponding to a first VLAN on which the data packet was sent from the station to the access point, and a prefix of a second IPv6 address for a second VLAN from which the data packet was transmitted from the access point to the Wi-Fi controller. Responsive to the VLAN mismatch identification, the Wi-Fi controller transmits an RA to the station with a preferred lifetime of 0, wherein subsequent communications use the second IPv6 address.
SAFE PORT REMOVAL
Various example embodiments for supporting safe port removal are presented. These embodiments may be configured to support safe removal of a port of a virtual switch, such that the port is no longer available for use on the virtual switch. Safe removal may be performed by executing separate logical and physical shutdowns of the port and performing one or more functions for the port (e.g., rejecting link discovery packets, continuing to handle data packets, and so forth) between the logical and physical shutdowns of the port.
Multi-cloud VPC routing and registration
A method for performing virtual private cloud (VPC) routing across multiple public cloud environments. In an embodiment, the method creates a first virtual routing agent (VRA) for a first VPC of a first public cloud. The method sends a registration request to a VRA controller, wherein the registration request comprises a data structure that includes communication parameters of the first VRA. The method receives the communication parameters of other VRAs for other VPCs located in other public cloud environments from the VRA controller. The method uses the communication parameters of the other VRAs for overlay routing of data packets from the first VPC of the first public cloud to other VPCs of other public clouds via the other VRAs of the other VPCs.
Methods And Systems For Securing VPN Cloud Servers
The present application describes a method including a step of sending a request to a cloud provider to create a server on a cloud. The method also includes a step of receiving a notification from the cloud provider that the server is available on the cloud. The method also includes a step of reviewing, via a graphical user interface (GUI), a continuously updated list of available servers provided by the cloud provider and another cloud provider. The method also includes a step of reviewing, via the GUI, a continuously updated list of users in an enterprise to be matched with the available servers. The method further includes a step of determining, based on one of the users and the continuously updated list of available servers, one of the available servers in which to embed a virtual private network (VPN) service. The method further includes a step of embedding the determined available server with the VPN service.