Patent classifications
H04L61/2535
Providing recommendations for implementing virtual networks
Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.
Fast provisioning of machines using network cloning
Some embodiments of the invention provide a method for cloning a set of one or more applications implemented by a first set of machines connected through a first logical network that defines a virtual private cloud (VPC) in a set of one or more datacenters. The method detects that the first logical network does not have sufficient resources to process a set of network traffic destined for the set of one or more applications implemented by the first set of machines. Based on said detecting, the method uses a set of network configuration data that configures a set of logical forwarding elements (LFEs) of the first logical network to define a cloned, second logical network for connecting a cloned, second set of machines that implement a second set of one or more applications. The method uses the cloned, second logical network to process at least a subset of the network traffic destined for the set of applications.
INFORMATION PROCESSING APPARATUS AND METHOD AND NON-TRANSITORY COMPUTER READABLE MEDIUM
An information processing apparatus includes an obtaining unit, a trying unit, a specifying unit, and a connecting unit. The obtaining unit obtains addresses of individual devices in a network from the devices. The trying unit tries to communicate with the addresses of the devices via the network and stores the trying results. The specifying unit specifies a device as a connecting device from among the devices. The connecting unit connects to the connecting device by using a connecting method that is specified based on the trying result concerning the connecting device.
Unified network service that connects multiple disparate private networks and end user client devices operating on separate networks
A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g., user devices of the customer and/or server devices of the customer) of the organization while using address space that potentially overlaps with other customers of the distributed cloud computing network.
EXECUTING WORKLOADS ACROSS MULTIPLE CLOUD SERVICE PROVIDERS
A multi-cloud service system establishes tunnels and network overlays across multiple CSPs while meeting a criterion for a latency threshold. The system conducts a latency benchmarking evaluation across each cloud region for multiple CSPs and, based on the latency benchmarking evaluation results, the system may identify a group of cloud regions that satisfy a criterion such as a predetermined maximum latency threshold or a geographical restriction. The system may provision the group of cloud regions by provisioning a tunnel between nodes of the multiple CSPs. The system further establishes an overlay network on top of the tunnel by encapsulating packets using an encapsulation endpoint such as a VTEP (VXLAN tunnel endpoint) over VXLAN (Virtual Extensible Local Area Network), which may help to ensure reliable transmission of packets from pod to pod. The system may inject user data into each node to initiate operations across the provisioned nodes using the injected user data.
Address management in an overlay network environment
Embodiments of the invention relate to overlay network address management. One embodiment includes an overlay gateway including an overlay network manager associated with a physical network. The overlay network manager prevents duplicate address assignment for overlay domains having a first sharing status and performs address translation for overlay domains having a second sharing status. Address translation is avoided for overlay domains having the first sharing status.
Host architecture for efficient cloud service access
A method for a host machine that hosts at least one tenant virtual machine (VM) of a particular tenant logical network that accesses service VMs of a particular service logical network. The method, prior to a packet being received at a PFE on the host, intercepts a packet sent by the tenant VM to one of the service VMs based on a set of forwarding rules. The packet includes a source IP address and a source port number of the tenant VM. The method, prior to the packet leaving the PFE in the host, replaces the source IP address and source port number with a replacement IP address and port number pair from a set of replacement IP address and port number pairs allocated to the host for accessing service VMs. The method sends the modified packet to the PFE to forward the modified packet to the service VM.
Address Allocation Method, CGN Device, and CGN Dual-Active System
An address allocation method, a carrier grade network address translation (CGN) device, and a CGN dual-active system, where a second CGN device receives a first to-be-sent packet sent by a network address translation (NAT) device, searches a recorded correspondence between a private network address, a public network address, and a port range for a source address of the first to-be-sent packet, and, when the search result indicates that the source address of the first to-be-sent packet is not found, sends to a first CGN device an address allocation request used to request a public network address and a port range for the source address. The first CGN device allocates a public network address and a port range to the source address of the first to-be-sent packet, records the public network address and the port range, and synchronizes the allocated public network address and the allocated port range to the second CGN device.
METHOD AND APPARATUS FOR INTERCONNECTION BETWEEN NETWORKS
Methods and apparatus for controlling the communication between a first network and a second network. The method comprises: creating a data path between the first network and the second network; building a translation table that translates a local legacy address of a device in the first network to a local virtual address of a device in the second network; and transmitting a flow rule created based on the translation table to the Network Address Translation (NAT) function of the created data path between the first network and the second network.