Patent classifications
H04L61/2532
Proxyless Network Address Translation With Dynamic Port Allocation
Aspects of the disclosure provide for a proxyless NAT infrastructure with dynamic port allocation. A proxyless NAT infrastructure is configured to perform NAT between a network of virtual machines (VMs) and a device external to the network, without a device, such as a NAT server or a router, acting as a proxy. A system can include a control plane for provisioning VMs of a network, including configuring each VM to perform NAT and initially assigning a number of ports for communicating with other devices. The control plane maintains a feedback loop—receiving data characterizing port usage and network traffic at ports allocated to the various VMs and scaling the port allocation for each VM based on the received data. The control plane can allocate additional ports as determined to be needed by a VM, and later retrieve the ports to be reused for other VMs.
Network Access Control Method, SDF, CP, UP, and Network System
A network device having at least one processor and one or more non-transitory memories storing programming instructions that are associated with a steering decision function (SDF) in a network system and including instructions to obtain a carrier-grade network address translation (CGN) resource pool by receiving CGN resources reported by a plurality of user planes (UPs), where the network system includes the SDF, the plurality of UPs, and a control plane (CP); receive a CGN instance obtaining request sent by the CP, the CGN instance obtaining request indicating that a CGN instance is to be allocated to a user equipment; allocate a first CGN instance to the user equipment based on the CGN resource pool, the first CGN instance indicating a first UP, of the plurality of UPs, having an available CGN resource; and send the first CGN instance to the CP.
NAT-BASED TRAFFIC STEERING
Techniques for NAT-based steering of traffic in cloud-based networks. The techniques may include establishing, by a frontend node of a network, a connection with a client device. The frontend node may receive, via the connection, a packet including an indication of an identity of a service hosted on a backend node of the network. Based at least in part on the indication, the frontend node may establish a second connection with the backend node. Additionally, the frontend node may store a mapping indicating that packets received from the client device are to be sent to the backend node. The techniques may also include receiving another packet at the frontend node or another frontend node of the network. Based at least in part on the mapping, the frontend node or other frontend node may alter one or more network addresses of the other packet and forward it to the backend node.
Lockless stateful network address translation
Examples include a computing system having a plurality of processing cores and a memory coupled to the plurality of processing cores. The memory has instructions stored thereon that, in response to execution by a selected one of the plurality of processing cores, cause the following actions. The selected processing core receives a packet and extracts an original tuple from the packet. When no state information for the packet's flow exists in a state table, it selects a new network address as the new source address for the packet, derives a reverse tuple for the reverse direction, selects a port for the packet from an entry in a mapping table based on a hash procedure using the reverse tuple, and saves the new network address and the selected port. It then translates the packet's network address and port and transmits the packet.
METHODS AND SYSTEMS FOR SERVICE DISTRIBUTION USING DATA PATH STATE REPLICATION AND INTERMEDIATE DEVICE MAPPING
Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and a destination address in a destination address field. The first packet can be routed to a selected service node in the replication chain, which includes a plurality of service nodes configured for chain replication of service state information. A service node configured for NAT or some other service can use the first packet to produce a translated packet that can be transmitted toward a destination indicated by the destination address.
Distributed network address translation for efficient cloud service access
A method for coordinating distributed network address translation (NAT) in a network within which several logical networks are implemented. The logical networks include several tenant logical networks and at least one service logical network that includes service virtual machines (VMs) accessed by VMs of the tenant logical networks. The method defines a group of replacement IP address and port number pairs. Each pair is used to uniquely identify a VM across all tenant logical networks. The method sends a set of replacement IP address and port number pairs to at least one host that is hosting a VM of a particular tenant logical network. Each replacement IP address and port number pair can be used by the host to replace the source IP address and source port number in a packet destined from the particular VM to a VM of the particular service logical network.
Host architecture for efficient cloud service access
A method for a host machine that hosts at least one tenant virtual machine (VM) of a particular tenant logical network that accesses service VMs of a particular service logical network. The method, prior to a packet being received at a PFE on the host, intercepts a packet sent by the tenant VM to one of the service VMs based on a set of forwarding rules. The packet includes a source IP address and a source port number of the tenant VM. The method, prior to the packet leaving the PFE in the host, replaces the source IP address and source port number with a replacement IP address and port number pair from a set of replacement IP address and port number pairs allocated to the host for accessing service VMs. The method sends the modified packet to the PFE, which forwards the modified packet to the service VM.
Inter service network communication optimization
Technology for provision and use of inter-service network communication optimization is provided. A method may include determining an available network bandwidth between a private service network and a public service network and determining processing availability at the private service network and at the public service network. Rules may be identified for transferring data between the private service network and the public service network. A determination of whether to transfer data between the private service network and the public service network may be made based on the available network bandwidth, the processing availability, and the identified rules.
Address Allocation Method, CGN Device, and CGN Dual-Active System
An address allocation method, a carrier grade network address translation (CGN) device, and a CGN dual-active system, where a second CGN device receives a first to-be-sent packet sent by a network address translation (NAT) device, searches a recorded correspondence between private network addresses, public network addresses, and port ranges for the source address of the first to-be-sent packet, and, when the search finds no entry for that source address, sends to a first CGN device an address allocation request for a public network address and a port range for the source address. The first CGN device allocates a public network address and a port range to the source address of the first to-be-sent packet, records the public network address and the port range, and synchronizes the allocated public network address and the allocated port range to the second CGN device.