H04L61/2535

Connecting virtual computer networks with overlapping IP addresses using transit virtual computer network
11177978 · 2021-11-16

A system and method for connecting virtual computer networks in a public cloud computing environment using a transit virtual computer network uses a cloud gateway device in the transit virtual computer network that includes a first-tier logical router and a plurality of second-tier logical routers connected to the virtual computer networks. A source Internet Protocol (IP) address of outgoing data packets from a particular virtual computer network is translated at a particular second-tier logical router of the cloud gateway device from an IP address of the particular virtual computer network to an internal IP address from a particular pool of IP addresses. The outgoing data packets are then routed to the first-tier logical router of the cloud gateway device, where the outgoing data packets are transmitted to a destination network from a particular interface of the first-tier logical router of the cloud gateway device.

Providing recommendations for implementing virtual networks

Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.

DATA TRANSMISSION METHOD AND COMPUTER SYSTEM
20210344643 · 2021-11-04

A data transmission method includes determining that a first network address segment overlaps with a second network address segment, and creating at least two subnets on a virtual private cloud (VPC). The first network address segment is a network address segment of a subnet in which a target server is located, and configured to run on the VPC. The first network address segment belongs to a network address segment of the VPC. The second network address segment is a network address segment of a subnet in which a first electronic device is located. A network address segment of one of the at least two subnets on the VPC does not overlap with the first or second network address segment. Network interfaces in the at least two subnets are configured to sequentially forward a data packet being transmitted between the target server and the first electronic device at least two times.

Resizing virtual private networks in provider network environments

Virtual networks may be launched in a provider network with an initial IP address space (e.g., an IPv4 CIDR block). Methods are described that allow additional IP address spaces to be added to a virtual network. A new IP address space for a virtual network may be specified via an API. The specified space may be checked to ensure that it does not overlap with IP spaces that are already associated with the virtual network. If there are no overlaps, the space is added to the network, for example by adding the space to the network's route tables.

Systems and Methods for Detecting Conflicts in Internet Services

The technology disclosed relates to detection and resolution of conflicts between requested internet services and a package of internet services associated with a domain. The method disclosed includes receiving a request from a client to add a requested internet service to a package of internet services. The method includes searching a domain name system (DNS) database for DNS records, or a DNS server for external domains, having attribute fields indicating attributes of the internet services in the package of internet services. The method includes comparing attributes of the requested internet service to attribute fields for the internet services in the package of internet services using a set of conflict definitions to identify attributes of the requested internet service that conflict with attributes of the package of internet services. When conflicting attributes are identified, the method includes invoking a resolution process to resolve the conflict.

MAPPING VLAN OF CONTAINER NETWORK TO LOGICAL NETWORK IN HYPERVISOR TO SUPPORT FLEXIBLE IPAM AND ROUTING CONTAINER TRAFFIC
20230297404 · 2023-09-21

Some embodiments of the invention provide a method for processing data messages for routable subnets of a logical network, the logical network implemented by a software-defined network (SDN) and connecting multiple machines. The method receives an inbound data message. The method performs a DNAT (destination network address translation) operation on the received data message to identify a record associated with a destination IP (Internet protocol) address of the data message. From the record, the method identifies a VLAN (virtual local area network) identifier, an LNI (logical network identifier), and a destination host computer IP address for the data message. The method encapsulates the data message with an outer header containing the destination host computer IP address and the VLAN identifier. The method forwards the encapsulated data message to the destination host computer.

Data transmission method and computer system
11451509 · 2022-09-20

A data transmission method includes determining that a first network address segment overlaps with a second network address segment, and creating at least two subnets on a virtual private cloud (VPC). The first network address segment is a network address segment of a subnet in which a target server is located, and configured to run on the VPC. The first network address segment belongs to a network address segment of the VPC. The second network address segment is a network address segment of a subnet in which a first electronic device is located. A network address segment of one of the at least two subnets on the VPC does not overlap with the first or second network address segment. Network interfaces in the at least two subnets are configured to sequentially forward a data packet being transmitted between the target server and the first electronic device at least two times.

Communication system, address notification apparatus, communication control apparatus, terminal, communication method, and program

A communication system including a first address notification apparatus provided in a first communication network, and a second address notification apparatus provided in a second communication network, wherein the first address notification apparatus includes means that receives an address request from a terminal that can communicate with the first address notification apparatus and with the second address notification apparatus, obtains a source address from the address request, and transmits a response including the source address to the terminal, and the second address notification apparatus includes means that receives an address request from the terminal, obtains a source address from the address request, and transmits a response including the source address to the terminal.

UNIFIED NETWORK SERVICE THAT CONNECTS MULTIPLE DISPARATE PRIVATE NETWORKS AND END USER CLIENT DEVICES OPERATING ON SEPARATE NETWORKS

A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g., user devices of the customer and/or server devices of the customer) of the organization while using address space that potentially overlaps with other customers of the distributed cloud computing network.

VISUALIZATION SYSTEM FOR PRIVATE NETWORKS AND DEVICES

Techniques are disclosed for generating a combined visual representation of subsets of devices associated with corresponding sub-networks of a private network, where at least two devices in corresponding sub-networks share a same private internet protocol (IP) address. The system generates a separate profile for each device using a combination of elements including at least (a) a private IP address corresponding to the device and (b) a network identifier corresponding to a sub-network associated with the device. These sub-networks and their constituent devices may be visually represented in corresponding user interface elements.