H04L45/033

Seamless multi-cloud routing and policy interconnectivity

Technologies for multi-cloud routing and policy interconnectivity are provided. An example method can include assigning different sets of data plane routers to data plane traffic associated with different address spaces in a cloud site of a multi-cloud fabric to yield a distributed mapping of data plane traffic and data plane routers. The method can further include providing, to an on-premises site in the multi-cloud fabric, routing entries from a control plane router on the cloud site, the routing entries reflecting the distributed mapping and identifying, for each address space, which data plane router handles data plane traffic for that address space; and when a data plane router is deployed at the cloud site, providing, to the on-premises site, updated routing information from the control plane router, the updated routing information identifying the data plane router as a next hop for data plane traffic associated with a respective address space.

Policy Transmission Method and Apparatus, and Network Transmission System
20230009328 · 2023-01-12

A method includes: when receiving at least one policy, a first network device sends one or more policies of the at least one policy to a second network device based on filtering information. The filtering information includes a policy address family identifier and a device identifier of the second network device.

File control for data packet routers using consensus and inter-planetary file system (IPFS)

Packet routers route data packets based on existing topology files. The packet routers hash the existing topology files into content-addressed objects and exchange the content-addressed objects. One of the routers modifies its topology file into a new topology file, hashes the new topology file into a new content-addressed object, and transfers the new content-addressed object to the other packet routers. The packet routers exchange the content-addressed objects, and in response, exchange the topology files. The routers establish a consensus on the new topology file based on the existing topology files. The one packet router routes additional data packets based on the new topology file in response to the consensus. In some examples, the content-addressed objects comprise Inter-Planetary File System (IPFS) objects.

REMOTELY UPDATING ROUTING TABLES

A network device may receive an instruction to update a data structure implemented by the network device and update the data structure based on receiving the instruction. The data structure may include a routing instruction to direct the network device to provide a data flow to a server device for processing. The network device may receive the data flow destined for a destination device; determine the routing instruction based on at least a portion of an internet protocol (IP) address associated with the data flow and based on the data structure; execute the routing instruction to provide the data flow to the server device and to cause the data flow to be processed by the server device to form a processed data flow; and receive the processed data flow and provide the processed data flow towards the destination device.

AUTO DISCOVERY AND AUTO SCALING OF SERVICES IN SOFTWARE-DEFINED NETWORK ENVIRONMENT

Techniques are described for automatic discovery of two or more virtual service instances configured to apply a given service to a packet in a software-defined networking (SDN)/network functions virtualization (NFV) environment. Virtual service instances may be deployed as virtual entities hosted on one or more physical devices to offer individual services or chains of services from a service provider. The use of virtual service instances enables automatic scaling of the services on-demand. The techniques of this disclosure enable automatic discovery by a gateway network device of virtual service instances for a given service as load balancing entities. According to the techniques, the gateway network device automatically updates a load balancing group for the given service to include the discovered virtual service instances on which to load balance traffic for the service. In this way, the disclosed techniques provide auto-scaling and auto-discovery of services in an SDN/NFV environment.

Secure SD-WAN port information distribution
11711242 · 2023-07-25

A Software Defined Wide Area Network (SD-WAN) edge node is disclosed. The SD-WAN edge node includes edge node SD-WAN ports coupled to untrusted underlay networks. The SD-WAN edge node transmits a first Border Gateway Protocol (BGP) update message advertising WAN (Wide Area Network) properties of the edge node SD-WAN ports to a local controller via an encrypted channel over the untrusted underlay network. The SD-WAN edge node receives a second BGP update message from the local controller, the second BGP update message advertising WAN properties of peer node SD-WAN ports of a peer node. The SD-WAN edge node establishes a security association with the peer node over the untrusted underlay networks based on the WAN properties of the edge node SD-WAN ports and the WAN properties of the peer node SD-WAN ports.

SYSTEMS AND METHODS FOR PROVIDING A DYNAMIC-HYBRID FORWARDING INFORMATION BASE (DHFIB)

A routing system can provide a Dynamic-Hybrid Forwarding Information Base (DHFIB). A control component of the routing system can build a routing table that includes routing information (e.g., prefixes, addresses, etc.) for use by a first routing component. The routing table can be ordered or ranked based on traffic information from the first routing component. Then, the control component can create the DHFIB from the routing table, wherein the DHFIB is a portion of the routing table and is related to the first routing component. As such, the portion of the routing table selected for the DHFIB can be the set of prefixes in the routing table that represent the most frequently routed or most important prefixes in the routing table. Finally, the control component can forward the DHFIB to the first routing component to allow the first routing component to route communications.

Traffic Processing Method, Apparatus, and Network Device
20230239242 · 2023-07-27

A network device obtains Border Gateway Protocol (BGP) flow specification (FlowSpec) information, and generates, based on the BGP FlowSpec information, a first forwarding information base (FIB) table entry including a first prefix and an action, where the BGP FlowSpec information indicates to perform an action on traffic matching a filter condition, where the filter condition includes an attribute of a destination address, where the first FIB table entry indicates the network device to perform the action on the traffic matching the first prefix, and where an attribute of the first prefix is the same as the attribute of the destination address in the filter condition.

Method for Synchronizing Topology Information in SFC Network, and Routing Network Element
20230231795 · 2023-07-20

A method for synchronizing topology information in a service function chain (SFC) network is provided, where the SFC network includes at least one classifier (CF) and at least one service function forwarder (SFF). In the method, a first network element of the at least two routing network elements establishes a Border Gateway Protocol (BGP) connection to at least one second network element other than the first network element in the at least two routing network elements, where the first network element is any one of the at least two routing network elements. The first network element sends a first BGP update message to the at least one second network element, where the first BGP update message includes topology information of the first network element, such that the at least one second network element obtains the topology information of the first network element.

Datapath for multiple tenants

A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can also include service-providing stages such as NAT and firewall. The gateway caches the result of previous packet operations and reapplies the result to subsequent packets that meet certain criteria. For packets that do not have an applicable or valid result from previous packet processing operations, the gateway datapath daemon executes the pipelined packet processing stages, records a set of data from each stage of the pipeline, and synthesizes those data into a cache entry for subsequent packets.