A computer network provides connectivity among a set of nodes. The nodes are connected by a set of links. The nodes may be local to and/or remote from each other. A subset of nodes implements the computer network. Examples of such nodes include a switch, a router, a firewall, and a network address translator (NAT). Another subset of nodes uses the computer network. Such nodes (also referred to as “hosts”) may execute a client process and/or a server process. A client process makes a request for a computing service (such as execution of a particular application and/or storage of a particular amount of data). A server process responds by executing the requested service and/or returning corresponding data.
A computer network may provide connectivity between clients and network resources. Network resources include hardware and/or software configured to execute server processes. Examples of network resources include a processor, a data storage, a virtual machine, a container, and/or a software application. Network resources are shared amongst multiple clients. Clients request computing services from a computer network independently of each other. Network resources are dynamically assigned to the requests and/or clients on an on-demand basis. Such a computer network may be referred to as a “cloud network.”
A virtual private network (VPN) is a private network that extends across a public network, such as the Internet. Nodes of the VPN may transmit data across the public network as if directly connected to a private network. A direct virtual connection is implemented through a tunneling technique. On the transmission side of a VPN tunnel, data packets are encapsulated using an additional header and/or additional tail. The encapsulated data packets are transmitted via the underlying public network. Nodes of the underlying public network route the encapsulated data packets based on the additional header and/or additional tail. Nodes of the underlying public network may be, but are not necessarily, aware of the contents of the original data packet. On the receiving side of the VPN tunnel, the encapsulated data packets are decapsulated. The additional header and/or additional tail are removed to obtain the original data packet.
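The encapsulation and decapsulation steps described above can be sketched as follows; this is an added example, not part of the original text. The header layout (outer source, outer destination, inner length), the HMAC-SHA256 tail, the function names and the documentation-range addresses are all assumptions chosen for illustration, and the inner packet is left unencrypted.

```python
import hashlib
import hmac
import ipaddress
import struct

TAG_LEN = 32                    # assumed tail: HMAC-SHA256 over header + inner packet
HDR = struct.Struct("!4s4sH")   # assumed header: outer src, outer dst, inner length

def encapsulate(inner: bytes, src: str, dst: str, key: bytes) -> bytes:
    """Transmission side: prepend the additional header, append the additional tail."""
    header = HDR.pack(ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, len(inner))
    tail = hmac.new(key, header + inner, hashlib.sha256).digest()
    return header + inner + tail

def next_hop(encapsulated: bytes) -> str:
    """Public-network node: routes on the outer header only, never parsing the inner packet."""
    _, dst, _ = HDR.unpack_from(encapsulated)
    return str(ipaddress.IPv4Address(dst))

def decapsulate(encapsulated: bytes, key: bytes) -> bytes:
    """Receiving side: check the tail, then strip header and tail to recover the original."""
    if len(encapsulated) < HDR.size + TAG_LEN:
        raise ValueError("truncated packet")
    _, _, length = HDR.unpack_from(encapsulated)
    if len(encapsulated) != HDR.size + length + TAG_LEN:
        raise ValueError("length field does not match packet size")
    body, tail = encapsulated[:-TAG_LEN], encapsulated[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tail, expected):   # constant-time comparison
        raise ValueError("tail check failed: packet modified in transit")
    return body[HDR.size:]

if __name__ == "__main__":
    key = b"constructed-demo-key"                          # constructed sample key
    inner = b"src=10.0.0.5 dst=10.0.1.9 payload=hello"     # constructed inner packet
    pkt = encapsulate(inner, "198.51.100.1", "203.0.113.7", key)
    print("transit node forwards to:", next_hop(pkt))
    print("receiver recovers:", decapsulate(pkt, key))
```

Because the tail covers both the header and the inner packet, a change made anywhere in transit causes the receiving side to reject the packet instead of delivering it into the private network.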
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.