H04L61/2532

ENHANCED LARGE SCALE NAT SYSTEM
20200403969 · 2020-12-24

A system, method and program product for provisioning a large scale network address translation (LSN) system. A system is disclosed that processes packets between a router and a TCP/IP network. The system includes a plurality of LSN appliances and a flow processor embedded in each of the plurality of LSN appliances. Each flow processor includes: a hash function that determines an owner appliance from the plurality of LSN appliances for a request received from the router based on a private IP address of the request; a look-up table that determines the owner appliance from the plurality of LSN appliances for a response received from the TCP/IP network based on a public IP address of the response; and a packet routing system that routes a received request or a received response to the owner appliance.

Public service network job processing

A technology for job processing using a public service network. A method may include identifying processing availability at a public service network for processing a job submitted to a private service network. Available network bandwidth may be determined between the private service network and the public service network used to communicate between the private service network and the public service network and to transfer the job to the public service network for processing. Rules for transferring the job to the public service network may be identified. A determination may then be made that the processing availability at the public service network, the available network bandwidth between the private service network and the public service network, and the rules for transferring the job to the public service network allow the job to be transferred to the public service network for processing.

Network apparatus, input and output apparatus, and program
10747910 · 2020-08-18

A network apparatus includes: a plurality of network interfaces; a first communication unit configured to communicate with an input and output apparatus in a first network with which a first network interface of the plurality of network interfaces is coupled; a second communication unit configured to communicate with a first device in a second network with which a second network interface of the plurality of network interfaces is coupled; and a third communication unit configured to communicate with a second device in a third network with which a third network interface of the plurality of network interfaces is coupled. When the second communication unit receives data from the second network, the data is transmitted to the first network through the first communication unit without being transmitted to the third network. When the third communication unit receives data from the third network, the data is transmitted to the first network through the first communication unit without being transmitted to the second network.

Network address translation in networks using multiple NAT devices
10708175 · 2020-07-07

Systems, methods, and network topology for network address translation (NAT) are disclosed. In some embodiments, a cluster of NAT devices shares at least one backup NAT device configured to back up all or some of the NAT devices in the cluster. Each NAT device, including the backup NAT device, advertises its status at a regular interval to a router. If the router determines that an active NAT device is no longer advertising its status, the router can send data to the backup NAT. In some embodiments, the router routes traffic to active and backup devices based on networking protocols such as Border Gateway Protocol (BGP) and/or Open Shortest Path First (OSPF). The router can also route data to NAT devices using a round-robin algorithm.

SYSTEMS AND METHODS FOR IMPLEMENTING ADDRESS TRANSLATION SERVICES

Methods, system, and computer program product for implementing an address translation service that uses nondenominational address handles instead of IP addresses between private cloud domain and public cloud domains. The address translation service can be implemented to enable a data-center running in a private cloud domain to communicate with the public cloud domain data-center over load balancers. In addition, the address translation service ensures that all services that need to communicate across data-centers can be reached over load balancers. As such, to avoid conflicting subnets used by a data center from the private cloud domain and the public cloud domain, services in the public cloud domain use a private cloud load balancer to connect with the services in a private cloud domain. Similarly, a public cloud load balancer is used to connect with services in the private cloud domain.

NETWORK APPARATUS, INPUT AND OUTPUT APPARATUS, AND PROGRAM
20200019736 · 2020-01-16

A network apparatus includes: a plurality of network interfaces; a first communication unit configured to communicate with an input and output apparatus in a first network with which a first network interface of the plurality of network interfaces is coupled; a second communication unit configured to communicate with a first device in a second network with which a second network interface of the plurality of network interfaces is coupled; and a third communication unit configured to communicate with a second device in a third network with which a third network interface of the plurality of network interfaces is coupled. When the second communication unit receives data from the second network, the data is transmitted to the first network through the first communication unit without being transmitted to the third network. When the third communication unit receives data from the third network, the data is transmitted to the first network through the first communication unit without being transmitted to the second network.

Method for providing distributed gateway service at host computer

Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.

Methods and systems for service distribution using data path state replication and intermediate device mapping

Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and that includes a destination address in a destination address field. The first packet can be routed to a selected service node that is in the replication chain that includes a plurality of service nodes that are configured for chain replication of service state information. A service node configured for NAT or some other service can use the first packet to produce a translated packet that can be transmitted toward a destination indicated by the destination address.

LOCKLESS STATEFUL NETWORK ADDRESS TRANSLATION
20190334863 · 2019-10-31

Examples include a computing system having a plurality of processing cores and a memory coupled to the plurality of processing cores. The memory has instructions stored thereon that, in response to execution by a selected one of the plurality of processing cores, cause the following actions. The selected processing core receives a packet and gets an original tuple from the packet. When no state information for a packet flow of the packet exists in a state table, the core selects a new network address as a new source address for the packet, gets a reverse tuple for a reverse direction, selects a port for the packet from an entry in a mapping table based on a hash procedure using the reverse tuple, and saves the new network address and selected port. The core then translates the packet's network address and port and transmits the packet.

Systems and methods for network address translation

Methods, systems, and computer programs are presented for distributing network address translation (NAT) operations to a plurality of network devices on a network. One method includes an operation for identifying, by a controller that controls a network fabric, a plurality of switches in the network fabric, each switch having a module for NAT and being configured to forward packets received at the switch. The controller identifies hosts having at least one internal Internet Protocol (IP) address, and for each of the hosts, the controller selects one of the switches from the plurality of switches for performing the NAT for the host. Further, the controller configures the network fabric to cause the selected switch to perform the NAT for the host to enable the host to communicate with an external network. In case of switch failure, the system reallocates NAT loads to other switches for high availability.