H04L61/2514

PRIVATE NETWORK ACCESS

A method is disclosed including establishing a browser session in response to receiving a request from a browser application in a public network. The browser session is assigned to a dedicated network service running in a dedicated network name space. Requests received from the browser application are proxied to a dedicated network service. A local web session in the dedicated network service authenticates a user of the browser application for access to at least one private webservice. A security client in the dedicated network service establishes a networking tunnel between the proxy and a remote gateway to the private network, thereby obtaining network access to the private webservice from the dedicated network name space. Within the dedicated network name space, proxied requests addressing the private webservice are forwarded over the networking tunnel to the private network.

APPLICATION AWARENESS IN A DATA NETWORK WITH NETWORK ADDRESS TRANSLATION

Techniques for management of traffic in a network. The techniques provide application awareness in a Network Address Translation (NAT) system. In some examples, a first traffic is received at a first switch in a network from a first application hosted behind the first switch. The first switch identifies a first resource tag associated with the application from the first traffic. Further, the first switch identifies a first rule from the first resource tag indicating that the first traffic is to be routed through an intermediate device that performs network address translation. Moreover, the first switch transmits the traffic to an intermediate device, which performs NAT to translate the source IP address of the first traffic to a second IP address. Finally, the intermediate device sends the traffic to a destination device indicated by the first traffic.

Load-balancing establishment of connections among groups of connector servers

Techniques are described herein that are capable of load-balancing establishment of connections among groups of connector servers in a public computer network by performing operations that include receiving a connection request from a connector client in a private computer network, requesting establishment of a connection between the connector client and one of the connector servers in the public computer network. A number of connections between the private computer network and each group is determined. An identified group is selected from the groups based at least in part on a number of connections between the private computer network and the identified group being less than or equal to a number of connections between the private computer network and each other group. The connection request is provided toward the identified group, which enables establishment of the connection between the connector client and a connector server in the identified group.

SYSTEM AND METHOD FOR OPTIMIZING COMPUTING RESOURCES AND DATA FLOW IN NETWORKS

A system and method for optimizing processing of keyboard/video/mouse (KVM) data in an internet protocol (IP) network environment receives, via a public interface, access requests from users directed to KVM targets. The system includes a public and private virtual local area network (VLAN) linked by a bonded interface and general-purpose and optimized application containers. The general-purpose container initiates a KVM session and creates a network address translation (NAT) route (associated with an IP address visible to the user) and a dedicated interface via which the user may send KVM data directly and through the optimized application container, which prioritizes KVM data so it can pass without preemption through the private VLAN and to its intended KVM target in real-time or near real-time. The NAT route and external IP address may be reused for multiple access sessions to different KVM targets from the same user.

METHOD OF SETTING USER-DEFINED VIRTUAL NETWORK

A method of setting a user-defined virtual network is disclosed. A method of setting a virtual network includes configuring a virtual network including a controller, at least one network address translation (NAT) and at least one edge node, checking an operation type of the at least one edge node, setting a tunnel between the at least one edge node based on the operation type, and performing data transmission between the at least one edge node through the set tunnel.

Sharing prepopulated container image caches among container execution environments

Techniques are described for sharing prepopulated container image caches among container execution environments to improve the performance of container launches. The container images used to prepopulate such a cache at a computing device supporting one or more container execution environments can include various container images that are used as the basis for a wide range of user-created containers such as, for example, container images representing popular operating system distributions, database servers, web-application frameworks, and so forth. Existing systems typically obtain these container images as needed at runtime when launching containers (for example, from a container registry or other external source), often incurring significant overhead in the container launch process. The use of a prepopulated container image cache can significantly improve the performance of container launches by making such commonly used container images available to container execution environments running at a computing device ahead of time.

AUTOMATED EXTERNAL IP ADDRESS DISCOVERY OF SERVICES IN A PUBLIC CLOUD ENVIRONMENT

A system is disclosed for acquiring and managing data regarding external IP (EIP) addresses of services offered in a trusted public cloud environment. The system monitors an application program interface of a service executing in a trusted public cloud environment for occurrence of an event that is related to an EIP of the service. When an event is detected, the system extracts EIP related data and metadata of the service, generates a message with the extracted EIP data, and posts the message to a central message queue. The system monitors the message queue for the presence of a new message. Upon detecting a new message, the system processes the message, extracts EIP related data and metadata, and identifies an action. A central database that stores EIP related information of services executing in the trusted public cloud environment is updated based on the identified action.

Single Node Home Deployment with Local Breakout

In selected embodiments, on-premises equipment of a cellular network provides local breakout functionality so that user plane data packets (PDNs/PDUs) are routed between the home/enterprise network and the Internet directly, bypassing a cloud-based core of the cellular network. The UE's control traffic is still routed to/from the core. The core may be an Evolved Packet Core (EPC) in a 4G LTE network, or a 5G Core (5GC) in a 5G network. The UE's IP addresses may be assigned by the core, or locally, by the on-premises equipment. Providing the IP context from the on-premises network allows the UE to connect to local devices, e.g., printers, disc raids, gaming and streaming nodes, and other local devices. The local IP context also pushes the complexity of the EPC core deployment to the cloud while reducing the overhead of cloud processing that comes with user plane data processing.

SYSTEMS AND METHODS FOR USING SPI TO DISCOVER A NETWORK GRAPH OF NODES BEHIND NAT
20230037548 · 2023-02-09

Systems and methods for determining network topology by implementing the security parameter index (“SPI”) to map network nodes that are behind a network address translation (“NAT”) address are disclosed.

Dual-stack network addressing in cloud provider network edge locations

Techniques for utilizing dual-stack network addressing for compute instances hosted in an edge location of a cloud provider network along with communications service provider (CSP) network addresses are described. A first network address is assigned to the compute instance from a pool of network addresses of the cloud provider network, and a second network address is associated with the compute instance that is provided by the CSP network. A gateway of the edge location is updated to direct packets addressed to the second network address to the compute instance via use of the first network address.