Patent classifications
H04L61/2532
Address allocation method, CGN device, and CGN dual-active system
An address allocation method, a carrier grade network address translation (CGN) device, and a CGN dual-active system, where a second CGN device receives a first to-be-sent packet sent by a network address translation (NAT) device, searches a recorded correspondence between a private network address, a public network address, and a port range for the source address of the first to-be-sent packet, and, when the search finds no entry for the source address of the first to-be-sent packet, sends to a first CGN device an address allocation request that requests a public network address and a port range for the source address. The first CGN device allocates a public network address and a port range to the source address of the first to-be-sent packet, records the public network address and the port range, and synchronizes the allocated public network address and the allocated port range to the second CGN device.
Public service network job processing
A technology for job processing using a public service network. A method may include identifying processing availability at a public service network for processing a job submitted to a private service network. Available network bandwidth may be determined between the private service network and the public service network used to communicate between the private service network and the public service network and to transfer the job to the public service network for processing. Rules for transferring the job to the public service network may be identified. A determination may then be made that the processing availability at the public service network, the available network bandwidth between the private service network and the public service network, and the rules for transferring the job to the public service network allow the job to be transferred to the public service network for processing.
Distributed network address translation for efficient cloud service access
A method for coordinating distributed network address translation (NAT) in a network within which several logical networks are implemented. The logical networks include several tenant logical networks and at least one service logical network that include service virtual machines (VMs) that are accessed by VMs of the tenant logical networks. The method defines a group of replacement IP address and port number pairs. Each pair is used to uniquely identify a VM across all tenant logical networks. The method sends to at least one host that is hosting a VM of a particular tenant logical network, a set of replacement IP address and port number pairs. Each replacement IP address and port number pair can be used by the host to replace a source IP address and a source port number in a packet that is destined from the particular VM to a VM of the particular service logical network.
SYSTEM FOR DYNAMIC NETWORK SECURITY CONTROL
A method or system for dynamic network security control. The system discovers multiple external network addresses (ENAs) associated with multiple services in a trusted public cloud environment (TPCE), and records the discovered ENAs in a first storage. The system also accesses multiple network security policies stored in the TPCE. The system then maps the ENAs to the network security policies based on contextual relationships between them, and stores mappings between the ENAs and the network security policies in the TPCE. The system causes a network access control list to be updated based in part on the mappings. The network access control list contains rules that specify which entities are granted or denied access to the ENAs associated with the services.
NETWORK ADDRESS TRANSLATION IN NETWORKS USING MULTIPLE NAT DEVICES
Systems, methods, and network topology for network address translation (NAT) are disclosed. In some embodiments, a cluster of NAT devices shares at least one backup NAT device configured to back up all or some of the NAT devices in the cluster. Each NAT device, including the backup NAT device, advertises its status at a regular interval to a router. If the router determines that an active NAT device is no longer advertising its status, the router can send data to the backup NAT. In some embodiments, the router routes traffic to active and backup devices based on networking protocols such as Border Gateway Protocol (BGP) and/or Open Shortest Path First (OSPF). The router can also route data to NAT devices using a round-robin algorithm.
MANAGING INTERNET PROTOCOL (IP) ADDRESS ALLOCATION TO TENANTS IN A COMPUTING ENVIRONMENT
Described herein are systems, methods, and software to manage internet protocol (IP) address allocation for tenants in a computing environment. In one implementation, a logical router associated with a tenant in the computing environment requests a public IP address for a new segment instance from a controller. In response to the request, the controller may select a public IP address from a pool of available IP addresses and update network address translation (NAT) on the logical router to associate the public IP address with a private IP address allocated to the new segment instance.
SYMMETRIC NETWORKING FOR ORPHAN WORKLOADS IN CLOUD NETWORKS
Symmetric networking techniques disclosed herein can be applied by gateway routers in cloud networks. The techniques can ensure that both outbound traffic received at a cloud from a branch device and return traffic directed from the cloud back to the branch device are processed by a same gateway router. The gateway router can use network address translation to insert IP addresses from an inside pool and an outside pool assigned to the router.
Split network address translation
Network address translation of messages transported over an autonomous system between multiple network elements is contemplated. The network address translation may be performed by instructing one network element to translate upstream messages for a particular messaging path and a different network element to translate downstream messages for the same messaging path, thereby providing split network address translation.
Network address translation (NAT)-based traffic steering
Techniques for Network Address Translation (NAT)-based steering of traffic in cloud-based networks. The techniques may include establishing, by a frontend node of a network, a connection with a client device. The frontend node may receive, via the connection, a packet including an indication of an identity of a service hosted on a backend node of the network. Based at least in part on the indication, the frontend node may establish a second connection with the backend node. Additionally, the frontend node may store a mapping indicating that packets received from the client device are to be sent to the backend node. The techniques may also include receiving another packet at the frontend node or another frontend node of the network. Based at least in part on the mapping, the frontend node or other frontend node may alter one or more network addresses of the other packet and forward it to the backend node.