Many companies and other organizations operate computer networks that interconnect numerous computing systems to support their operations, such as with the computing systems being co-located (e.g., as part of a local network) or instead located in multiple distinct geographical locations (e.g., connected via one or more private or public intermediate networks). For example, data centers housing significant numbers of interconnected computing systems have become commonplace, such as private data centers that are operated by and on behalf of a single organization, and public data centers that are operated by entities as businesses to provide computing resources to customers.
A number of applications that are run in such networked environments may require high-performance processing or analysis of network packets, e.g., to detect possible intrusions or attacks, perform various types of address translations, implement encapsulation protocols, enforce firewall rules and the like. Traditionally, many such sub-application-layer packet processing tasks (which may also be referred to as network processing tasks) have been performed using expensive customized hardware devices or appliances. In some cases, such hardware devices may implement special instruction sets designed specifically for packet analysis and transformations, and may not be usable for other purposes. Some special-purpose packet processing appliances may have to be placed in close physical proximity to network components, which may present substantial logistical problems in large networks.
As more and more applications are moved to distributed or networked environments, and as the workload levels that have to be sustained by the applications increase, the demand for efficient packet processing increases as well. Acquiring a sufficient number of expensive custom packet processing devices and deploying them across numerous data centers may become unsustainable for at least some application owners. Many application owners have migrated their applications to inexpensive cloud computing environments, and deploying and maintaining inflexible specialized network processing hardware may become impractical for the cloud computing providers as well.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to.