H04L61/2535

Address management in an overlay network environment

Embodiments of the invention relate to overlay network address management. One embodiment includes an overlay gateway including an overlay network manager associated with a physical network. The overlay network manager prevents duplicate address assignment for overlay domains having a first sharing status and performs address translation for overlay domains having a second sharing status. Address translation is avoided for overlay domains having the first sharing status.

Domain name system operations implemented using scalable virtual traffic hub

Connectivity is enabled between a first and second isolated network using a virtual traffic hub that includes a decision master node responsible for determining a routing action for a packet received at the hub. At the hub, a determination is made that a particular domain name system (DNS) message being directed to a first resource in the first isolated network is to include an indication of a second resource in the second isolated network. The second resource is assigned a network address within a private address range of the second isolated network, which overlaps with a private address range being used in the first isolated network. The hub causes a transformed version of the network address to be included in the DNS message delivered to the first resource.

DEVICE VISIBILITY AND SCANNING INCLUDING NETWORK SEGMENTS
20200344271 · 2020-10-29

Device scanning aspects are described. In certain aspects, the method includes configuring a port forwarding policy on a first device based on network session information, and performing a scan of a second device based on a port forwarding policy.

Scalable virtual traffic hub interconnecting isolated networks

Metadata indicating that an action implementation node and a routing decision master node have been assigned to a virtual traffic hub programmatically associated with one or more isolated networks is stored. The routing decision master node determines a first action to be implemented for packets of a network flow using state information of the isolated networks, and provides a representation of a first action to the first action implementation node. Based on performing the first action at the action implementation node, contents of a data packet received from one isolated network are transmitted to another isolated network.

Converged address translation

Example implementations relate to performing converged address translation for devices in a local area network. An example non-transitory computer-readable storage medium stores instructions for performing converged network address translation for devices within a network segmented into multiple VLANs. The instructions when executed by a processing resource of a computing device cause the device to create a local namespace for each VLAN in the network, each local namespace having a list of first level IP addresses unique across all of the created local namespaces. The instructions further cause the processing resource to, for each local namespace, associate a first level IP address from the local namespace's list of first level IP addresses with a static IP address of each device within the respective VLAN and store the associated IP addresses in a routing table for the local namespace. The instructions further cause the processing resource to create a single global namespace for all of the VLANs in the network, the global namespace having a list of second level IP addresses unique within the global namespace. The instructions further cause the processing resource to associate a second level IP address with each first level IP address used within the local namespaces and store the associated IP address in a routing table for the global namespace.

Device visibility and scanning including network segments
10778723 · 2020-09-15

Systems, methods, and related technologies for device scanning are described. In certain aspects, a device is selected based on being a NAT device and information is accessed therefrom to determine a device communicatively coupled to the NAT device. The device communicatively coupled to the NAT device may then be scanned and the results stored.

PREEMPTIVE DETERMINATION OF RESERVED IP CONFLICTS ON VPNS
20200259796 · 2020-08-13

Passive determination of reserved internet protocol (IP) conflicts on one or more hosted virtual private networks (VPNs) extracts configuration information for a plurality of hosting VPNs to build an aggregated list of IP addresses with mask and associated VPN information. A route table is extracted from a router directing traffic to an appropriate VPN host among the plurality of hosting VPNs, and a sorted list with host/network address, subnet mask, and associated VPN information is generated. The configuration information and the route table are used to expand and normalize a set of network entries.

Interconnecting isolated networks with overlapping address ranges via scalable virtual traffic hubs

Configuration operations to enable connectivity, using a virtual traffic hub, between a plurality of isolated networks including a first isolated network with a first private address range, are initiated. The hub includes a plurality of nodes including a decision master node responsible for determining routing actions for packets received at the hub. At the decision master node, a translation mapping is obtained for a second private address range of a second isolated network, which overlaps with the first private address range. At a particular node of the hub, using the mapping, a header of a network packet received from the second isolated network and directed to a destination outside the second isolated network is modified.

Data center network containers
10728312 · 2020-07-28

Techniques include systems, computerized methods and computer readable media for creating a private network for one or more execution environments inside of an existing network using a data center container, such that the private network can provide one or more services that are independent of identical services of the existing network. A private network is created in an existing network. A data center container provides a service in the private network that is identical to an existing service provided by the existing network. A data center container manager manages execution of one or more execution environments in the data center container using the service in the private network, such that the one or more execution environments can execute in the private network using the service without interfering with the operation of the existing service in the existing network.

Resolving uplink interface overlap for a network switching device

Described herein are techniques for resolving overlapping IP addresses for subnets assigned to uplink interfaces of a network switching device. As an example, a network switching device may determine that an IP address range of a first assigned subnet to a first uplink interface overlaps an IP address range of a second assigned subnet to a second uplink interface. The network switching device may generate a first map between the first assigned subnet and a first intermediate subnet, and generate a second map between the second assigned subnet and a second intermediate subnet, wherein an IP address range of the first intermediate subnet and an IP address range of the second intermediate subnet are non-overlapping.