US-12603830-B2

Service aware routing using network interface cards having processing units

Published: April 14, 2026
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

An example method comprises: receiving resource availability values from the plurality of Network Interface Cards (NICs); determining a data path for data packets of a flow transported using a protocol from a source NIC to a destination NIC via a NIC set that comprises at least one NIC, wherein: the plurality of NICs comprises the source NIC, the destination NIC, and the NIC set, and determining the data path comprises selecting the NIC set based on the resource availability values; and transmitting, to the source NIC and to each NIC in the NIC set, data path data to cause the source NIC and each NIC in the NIC set to identify the data packets of the flow using an identifier of the protocol and to transmit the data packets of the flow from the source NIC to the destination NIC via the data path.

Patent Claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising:

2. The method of, wherein the data path data identifies the data packets of the flow using a source port of a source application and a destination port of a destination application.

3. The method of, wherein the source application and the destination application each comprise one of a NIC application or a host application.

4. The method of, wherein the protocol comprises one or more of a tunneling protocol or a transport layer protocol.

5. The method of, wherein:

6. The method of, further comprising:

7. The method of, wherein:

8. The method of, wherein:

9. The method of, wherein:

10. The method of, wherein:

11. The method of, wherein:

12. The method of, wherein the data path does not include a physical switch other than NICs of the plurality of NICs.

13. A network interface card (NIC) comprising:

14. The NIC of, wherein the data path data identifies the data packets of the flow using a source port of a source application and a destination port of a destination application.

15. The NIC of, wherein:

16. The NIC of, wherein:

17. The NIC of, wherein:

18. A system comprising:

19. The system of, wherein the data path data identifies the data packets of the flow using a source port of a source application and a destination port of a destination application.

20. The system of, wherein the edge services controller is further configured to:

Detailed Description

Complete technical specification and implementation details from the patent document.

This application claims the benefit of India Patent Application No. 202141029401, filed Jun. 30, 2021, and entitled “EDGE SERVICES USING NETWORK INTERFACE CARDS HAVING PROCESSING UNITS,” the entire content of which is incorporated by reference herein.

The disclosure relates to computer networks.

In a typical cloud data center environment, there is a large collection of interconnected servers that provide computing and/or storage capacity to run various applications. For example, a data center may comprise a facility that hosts applications and services for subscribers, i.e., customers of a data center provider. The data center may, for example, host all of the infrastructure equipment, such as networking and storage systems, redundant power supplies, and environmental controls. In a typical data center, clusters of storage servers and application servers (compute nodes) are interconnected via a high-speed switch fabric provided by one or more tiers of physical network switches and routers. More sophisticated data centers provide infrastructure spread throughout the world with subscriber support equipment located in various physical hosting facilities.

The connectivity between the server and the switch fabric occurs at a hardware module called the Network Interface Card (NIC). A conventional NIC includes an application-specific integrated circuit (ASIC) to perform packet forwarding, which includes some basic Layer 2/Layer 3 (L2/L3) functionality. In conventional NICs, the packet processing, policing and other advanced functionality, known as the “datapath,” is performed by the host CPU, i.e., the CPU of the server that includes the NIC. As a result, the CPU resources in the server are shared by applications running on that server and also by datapath processing. For example, in a 4 core x86 server, one of the cores may be reserved for the datapath, leaving 3 cores (or 75% of CPU) for applications and the host operating system.

Some NIC vendors have begun including an additional processing unit in the NIC itself to offload at least some of the datapath processing from the host CPU to the NIC. The processing unit in the NIC may be, e.g., a multi-core ARM processor with some hardware acceleration provided by a Data Processing Unit (DPU), Field Programmable Gate Array (FPGA), and/or an ASIC. NICs that include such augmented datapath processing capabilities are typically referred to as SmartNICs.

In general, techniques are described for an edge services platform that leverages processing units of NICs to augment the processing and networking functionality of a network of servers that include the NICs. Features provided by the edge services platform may include, e.g., orchestration of NICs; API driven deployment of services on NICs; NIC addition, deletion and replacement; monitoring of services and other resources on NICs; and management of connectivity between various services running on the NICs. More specifically, this disclosure describes techniques for dynamically deploying services on computing devices in a NIC fabric, techniques for dynamically generating virtual topologies in NIC fabrics, techniques for routing data packets in a NIC fabric based on applications, and techniques for extending the functionality of switch fabric using processor-equipped NICs.

In one example, this disclosure describes a method comprising: receiving, at an edge services controller that manages data packet routing in a network interface card (NIC) fabric comprising a plurality of NICs coupled by communication links in a NIC fabric topology, resource availability values from the plurality of NICs; determining, by the edge services controller, a data path for data packets of a flow transported using a protocol from a source NIC to a destination NIC via a NIC set that comprises at least one NIC, wherein: the plurality of NICs comprises the source NIC, the destination NIC, and the NIC set, and determining the data path comprises selecting the NIC set based on the resource availability values; and transmitting, by the edge services controller to the source NIC and to each NIC in the NIC set, data path data to cause the source NIC and each NIC in the NIC set to identify the data packets of the flow using an identifier of the protocol and to transmit the data packets of the flow from the source NIC to the destination NIC via the data path.

In another example, this disclosure describes a network interface card (NIC) comprising: a NIC port; a processor; and a memory comprising instructions that, when executed by the processor, cause the NIC to: transmit a resource availability value of the NIC to an edge services controller; receive, from the edge services controller, data path data associated with a data path for data packets of a flow transported using a protocol from a source NIC in a NIC fabric to a destination NIC in the NIC fabric, wherein the data path is computed using the resource availability value of the NIC and the data path data comprises a flow identifier of the flow mapped to a next-hop port identifier of the NIC port; receive a data packet of the flow; map, based on the data path data, the data packet to the flow identifier of the flow; and output, based on the data path data and the flow identifier of the flow, the data packet via the NIC port.

In another example, this disclosure describes a system comprising: a network interface card (NIC) fabric comprising a plurality of NICs coupled by communication links in a NIC fabric topology; and an edge services controller that manages data packet routing in the NIC fabric, the edge services controller configured to: receive resource availability values from the plurality of NICs; determine a data path for data packets of a flow transported using a protocol from a source NIC to a destination NIC via a NIC set that comprises at least one NIC, wherein: the plurality of NICs comprises the source NIC, the destination NIC, and the NIC set, and the edge services controller is configured to select the NIC set based on the resource availability values; and transmit, to the source NIC and to each NIC in the NIC set, data path data to cause the source NIC and each NIC in the NIC set to identify the data packets of the flow using an identifier of the protocol and to transmit the data packets of the flow from the source NIC to the destination NIC via the data path.

The details of one or more embodiments of this disclosure are set forth in the accompanying drawings and the description below. Other features, objects, and advantages will be apparent from the description and drawings, and from the claims.

Like reference characters denote like elements throughout the description and figures.

is a block diagram illustrating an example network system having a data center in which examples of the techniques described herein may be implemented. In general, data center provides an operating environment for applications and services for customer sites having one or more customer networks coupled to data center by a service provider network. Data center may, for example, host infrastructure equipment, such as networking and storage systems, redundant power supplies, and environmental controls. Service provider network is coupled to a public network. Public network may represent one or more networks administered by other providers and may thus form part of a large-scale public network infrastructure, e.g., the Internet. For instance, public network may represent a local area network (LAN), a wide area network (WAN), the Internet, a virtual LAN (VLAN), an enterprise LAN, a layer 3 virtual private network (VPN), an Internet Protocol (IP) intranet operated by the service provider that operates service provider network, an enterprise IP network, or some combination thereof.

Although customer sites and public network are illustrated and described primarily as edge networks of service provider network, in some examples, one or more of customer sites and public network are tenant networks within data center or another data center. For example, data center may host multiple tenants (customers) each associated with one or more virtual private networks (VPNs). Each of the VPNs may implement one of customer sites.

Service provider network offers packet-based connectivity to attached customer sites, data center, and public network. Service provider network may represent a network that is operated (and potentially owned) by a service provider to interconnect a plurality of networks. Service provider network may implement Multi-Protocol Label Switching (MPLS) forwarding and, in such instances, may be referred to as an MPLS network or MPLS backbone. In some instances, service provider network represents a plurality of interconnected autonomous systems, such as the Internet, that offers services from one or more service providers.

In some examples, data center may represent one of many geographically distributed network data centers. As illustrated in the example of, data center may be a facility that provides network services for customers. A customer of the service provider may be a collective entity such as enterprises and governments or individuals. For example, a network data center may host web services for several enterprises and end users. Other exemplary services may include data storage, virtual private networks, traffic engineering, file service, data mining, scientific- or super-computing, and so on. Although illustrated as a separate edge network of service provider network, elements of data center such as one or more physical network functions (PNFs) or virtualized network functions (VNFs) may be included within the service provider network core.

In this example, data center includes storage and/or compute servers interconnected via switch fabric provided by one or more tiers of physical network switches and routers, with servers A-X (herein, “servers”) depicted as coupled to top-of-rack (TOR) switches A-N. This disclosure may refer to TOR switches A-N collectively, as “TOR switches.” TOR switches may be network devices that provide layer 2 (MAC) and/or layer 3 (e.g., IP) routing and/or switching functionality.

Servers may also be referred to herein as “hosts” or “host devices.” Data center may include many additional servers coupled to other TOR switches of the data center. In the example of, servers A and X are directly coupled to TOR switches, and servers B, C, and D are not directly coupled to TOR switches in the illustrated example. Servers B, C, and D may reach TOR switches and IP fabric via servers A or X, as described in further detail below.

Switch fabric in the illustrated example includes interconnected TOR switches (or other “leaf” switches) coupled to a distribution layer of chassis switches A-M (collectively, “chassis switches”). Chassis switches may also be referred to as “spine” or “core” switches. Although not shown in the example of, data center may also include one or more non-edge switches, routers, hubs, gateways, security devices such as firewalls, intrusion detection, and/or intrusion prevention devices, servers, computer terminals, laptops, printers, databases, wireless mobile devices such as cellular phones or personal digital assistants, wireless access points, bridges, cable modems, application accelerators, and/or other network devices.

In some examples, TOR switches and chassis switches provide servers with redundant (e.g., multi-homed) connectivity to IP fabric and service provider network. Chassis switches aggregate traffic flows and provide connectivity between TOR switches. TOR switches and chassis switches may each include one or more processors and a memory and can execute one or more software processes. Chassis switches are coupled to IP fabric, which may perform layer 3 routing to route network traffic between data center and customer sites via service provider network. The switching architecture of data center shown in is merely an example. Other switching architectures may have more or fewer switching layers, for instance. TOR switches and chassis switches may each include physical network interfaces.

In this disclosure, the terms “packet flow,” “traffic flow,” or simply “flow” each refer to a set of packets originating from a particular source device or endpoint and sent to a particular destination device or endpoint. A single flow of packets may be identified by the 5-tuple: <source network address, destination network address, source port, destination port, protocol>, for example. This 5-tuple generally identifies a packet flow to which a received packet corresponds. An n-tuple refers to any n items drawn from the 5-tuple. For example, a 2-tuple for a packet may refer to the combination of <source network address, destination network address> or <source network address, source port> for the packet. The term “source port” refers to a transport layer (e.g., TCP/UDP) port. A “port” may refer to a physical network interface of a NIC.

Each of servers may be a compute node, an application server, a storage server, or other type of server. For example, each of servers may represent a computing device, such as an x86 processor-based server, configured to operate according to techniques described herein. Servers may provide Network Function Virtualization Infrastructure (NFVI) for a Network Function Virtualization (NFV) architecture.

Servers may host endpoints for one or more virtual networks that operate over the physical network represented in by IP fabric and switch fabric. Endpoints may include, e.g., virtual machines, containerized applications, or applications executing natively on the operating system or bare metal. Although described primarily with respect to a data center-based switching network, other physical networks, such as service provider network, may underlay the one or more virtual networks.

Each of servers includes at least one network interface card (NIC) of NICs A-X (collectively, “NICs”). For example, server A includes NIC A. Each of NICs includes at least one port. Each of NICs may send and receive packets over one or more communication links coupled to the ports of the NIC.

In some examples, each of NICs provides one or more virtual hardware components for virtualized input/output (I/O). A virtual hardware component for virtualized I/O may be a virtualization of a physical NIC (the “physical function”). For example, in Single Root I/O Virtualization (SR-IOV), which is described in the Peripheral Component Interface Special Interest Group SR-IOV specification, the Peripheral Component Interface (PCI) express (PCIe) Physical Function of the network interface card (or “network adapter”) is virtualized to present one or more virtual network interface cards as “virtual functions” for use by respective endpoints executing on the server. In this way, the virtual network endpoints may share the same PCIe physical hardware resources and the virtual functions are examples of virtual hardware components. As another example, one or more servers may implement Virtio, a para-virtualization framework available, e.g., for the Linux Operating System, that provides emulated NIC functionality as a type of virtual hardware component. As another example, one or more servers may implement Open vSwitch to perform distributed virtual multilayer switching between one or more virtual NICs (vNICs) for hosted virtual machines, where such vNICs may also represent a type of virtual hardware component. In some instances, the virtual hardware components are virtual I/O (e.g., NIC) components. In some instances, the virtual hardware components are SR-IOV virtual functions and may provide SR-IOV with Data Plane Development Kit (DPDK)-based direct process user space access.

In some examples, including the example of, one or more of NICs include multiple ports. NICs may be connected to one another via ports of NICs and communications links to form a NIC fabric having a NIC fabric topology. NIC fabric is the collection of NICs connected to at least one other of NICs and the communications links coupling NICs to one another.

NICs A-X include corresponding processing units A-X (collectively, “processing units”). Processing units offload aspects of the datapath from CPUs of servers. One or more of processing units may be a multi-core ARM processor with hardware acceleration provided by a Data Processing Unit (DPU), a Field Programmable Gate Array (FPGA), and/or an Application Specific Integrated Circuit (ASIC). Because NICs include processing units, NICs may be referred to as “SmartNICs” or “GeniusNICs.”

In accordance with various aspects of the techniques of this disclosure, an edge services platform uses processing units of NICs to augment the processing and networking functionality of switch fabric and/or servers that include NICs. In the example of, network system includes an edge services controller. This disclosure may also refer to an edge services controller, such as edge services controller, as an edge services platform controller.

Edge services controller may manage the operations of the edge services platform within NIC in part by orchestrating services performed by processing units; orchestrating API driven deployment of services on NICs; orchestrating NIC addition, deletion and replacement within the edge services platform; monitoring of services and other resources on NICs; and/or management of connectivity between various services running on the NICs. Edge services controller may include one or more computing devices, such as server devices, personal computers, intermediate network devices, or the like.

Edge services controller may communicate information describing services available on NICs, a topology of NIC fabric, or other information about the edge services platform to an orchestration system (not shown) or a controller. Example orchestration systems include OpenStack, vCenter by VMWARE, or System Center by Microsoft Corporation of Redmond, Washington. Example controllers include a controller for Contrail by JUNIPER NETWORKS or Tungsten Fabric. Controller may be a network fabric manager. Additional information regarding a controller operating in conjunction with other devices of data center or other software-defined network is found in International Application Number PCT/JS2013/044378, filed Jun. 5, 2013, and entitled “PHYSICAL PATH DETERMINATION FOR VIRTUAL NETWORK PACKET FLOWS;” and in U.S. Pat. No. 9,571,394, filed Mar. 26, 2014, and entitled “Tunneled Packet Aggregation for Virtual Networks,” each of which is incorporated by reference as if fully set forth herein.

In some examples, edge services controller programs processing units of NICs to route data packets along data paths through NIC fabric, e.g., based on applications (services) associated with the data packets. Routing data packets along data paths through NIC fabric may avoid overloading individual NICs in NIC fabric when multiple services on a pair of hosts are communicating with each other. In accordance with an example of this disclosure, edge services controller may manage data packet routing in NIC fabric. As shown in, NIC fabric comprises a plurality of NICs coupled by communication links in a NIC fabric topology. In this example, edge services controller may receive resource availability values from NICs. Edge services controller may determine a data path for data packets of a flow transported using a protocol from a source NIC to a destination NIC via a NIC set that comprises at least one NIC. NICs include the source NIC, the destination NIC, and the NIC set. As part of determining the data path, edge services controller may select the NIC set based on the resource availability values. Edge services controller may transmit, to the source NIC and to each NIC in the NIC set, data path data to cause the source NIC and each NIC in the NIC set to identify the data packets of the flow using an identifier of the protocol and to transmit the data packets of the flow from the source NIC to the destination NIC via the data path. Edge services controller may establish multiple data paths in this manner. Unlike in a conventional data center fabric, servers may thus exchange packets directly, rather than via a separate switching device (such as chassis switches). The above may be considered a form of service load balancing.

In a related example, one or more of NICs may transmit a resource availability value of the NIC to edge services controller. The NIC may receive, from edge services controller, data path data associated with a data path for data packets of a flow transported using a protocol from a source NIC in NIC fabric to a destination NIC in NIC fabric. The data path may be computed using the resource availability value of the NIC. The data path data may comprise a flow identifier of the flow mapped to a next-hop port identifier of the NIC port. The NIC may receive a data packet of the flow and map, based on the data path data, the data packet to the flow identifier of the flow. The NIC may then output, based on the data path data and the flow identifier of the flow, the data packet via the NIC port.
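
The controller and NIC roles described in the two preceding paragraphs can be modeled as follows. This Python example is added here for illustration and is not code from the patent; the four-NIC topology, the NIC names, the flow values, and the cost model (transiting a NIC costs 1/availability, and a NIC reporting zero availability is never used as a transit hop) are all assumptions.

```python
import heapq
from typing import NamedTuple


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str  # identifier of the protocol, e.g. "tcp"


# Constructed four-NIC fabric: NIC name -> {neighbor NIC: local port id}.
FABRIC = {
    "nicA": {"nicB": 1, "nicC": 2},
    "nicB": {"nicA": 1, "nicD": 2},
    "nicC": {"nicA": 1, "nicD": 2},
    "nicD": {"nicB": 1, "nicC": 2},
}


def compute_path(fabric, availability, src, dst):
    """Controller side: Dijkstra over the fabric, weighted by availability.

    Assumed cost model: entering a transit NIC costs 1/availability, entering
    the destination costs nothing, exhausted NICs are skipped.
    Returns the NIC list from src to dst, or None if no usable path exists.
    """
    best, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        cost, nic = heapq.heappop(heap)
        if nic == dst:
            break
        if cost > best.get(nic, float("inf")):
            continue  # stale heap entry
        for nbr in fabric[nic]:
            if nbr != dst and availability.get(nbr, 0.0) <= 0.0:
                continue  # no free resources: not eligible for the NIC set
            step = 0.0 if nbr == dst else 1.0 / availability[nbr]
            if cost + step < best.get(nbr, float("inf")):
                best[nbr], prev[nbr] = cost + step, nic
                heapq.heappush(heap, (cost + step, nbr))
    if dst not in prev:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def build_data_path_data(fabric, path, flow_id, match):
    """One entry for the source NIC and each NIC in the NIC set (not the
    destination): flow identifier mapped to that NIC's next-hop port."""
    return {
        nic: {"flow_id": flow_id, "match": match, "next_hop_port": fabric[nic][nxt]}
        for nic, nxt in zip(path, path[1:])
    }


class Nic:
    """NIC side: map a packet to a flow identifier, then to an output port."""

    def __init__(self, name):
        self.name = name
        self.match_to_flow = {}  # 5-tuple -> flow identifier
        self.flow_to_port = {}   # flow identifier -> next-hop port

    def install(self, entry):
        self.match_to_flow[entry["match"]] = entry["flow_id"]
        self.flow_to_port[entry["flow_id"]] = entry["next_hop_port"]

    def forward(self, pkt):
        flow_id = self.match_to_flow.get(pkt)
        if flow_id is None:
            return None  # no data path data installed for this packet
        return self.flow_to_port[flow_id]


def demo():
    # Constructed resource availability values (fraction of capacity free).
    availability = {"nicA": 0.9, "nicB": 0.2, "nicC": 0.7, "nicD": 0.9}
    flow = FiveTuple("10.0.0.1", "10.0.0.4", 40000, 443, "tcp")
    path = compute_path(FABRIC, availability, "nicA", "nicD")
    nics = {name: Nic(name) for name in FABRIC}
    for name, entry in build_data_path_data(FABRIC, path, 7, flow).items():
        nics[name].install(entry)
    hops, current = [], "nicA"
    while current != "nicD":  # walk the packet hop by hop through the fabric
        port = nics[current].forward(flow)
        hops.append((current, port))
        current = next(n for n, p in FABRIC[current].items() if p == port)
    return path, hops


if __name__ == "__main__":
    print(demo())
```

Packets whose 5-tuple has no installed entry return `None` from `forward`, which is the point at which a NIC would fall back to whatever default forwarding it otherwise applies.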

In some examples, edge services controller computes, based on a physical topology of physical links that connect NICs, a virtual topology comprising a strict subset of the physical links. Edge services controller may program the virtual topology into the respective processing units of the NICs to cause the processing units of the NICs to send data packets via physical links in the strict subset of the physical links. In this way, edge services controller may dynamically generate a virtual topology that provides data paths between NICs, without necessarily traversing a TOR switch. This may reduce latency between services (applications) that communicate within a rack.

In some examples, edge services controller programs a processing unit of a NIC of a plurality of network interface cards to receive, at a first network interface of the NIC, a data packet from a physical device. Edge services controller may also program the processing unit of the NIC to modify, based on the data packet being received at the first network interface, the data packet to generate a modified data packet. Edge services controller may also program the processing unit of the NIC to output the modified data packet to the physical device via a second network interface of the NIC. Programming the processing unit of the NIC in this way may enable offloading of the packet modification process from a TOR switch (e.g., one or more of TOR switches) or host computer to the NIC. Offloading modifications of data packets to NICs may relieve computational burdens on the TOR switch or host computer, or may extend the functionality of the TOR switch or host computer.

is a block diagram illustrating an example computing device that uses a NIC having a separate processing unit, to perform services managed by an edge services platform according to techniques described herein. Computing device of may represent a real or virtual server and may represent an example instance of any of servers of. In the example of, computing device includes a bus that couples hardware components of the hardware environment of computing device. Specifically, in the example of, bus couples a Single Root Input/Output Virtualization (SR-IOV)-capable NIC, a storage disk, and a microprocessor. In some examples, a front-side bus couples microprocessor and memory device. In some examples, bus couples memory device, microprocessor, and NIC. Bus may represent a PCIe bus. In some examples, a direct memory access (DMA) controller may control DMA transfers among components coupled to bus. In some examples, components coupled to bus control DMA transfers among components coupled to bus.

Microprocessor may include one or more processors each including an independent execution unit (“processing core”) to perform instructions that conform to an instruction set architecture. Execution units may be implemented as separate integrated circuits (ICs) or may be combined within one or more multi-core processors (or “many-core” processors) that are each implemented using a single IC (i.e., a chip multiprocessor).

Disk represents computer readable storage media that includes volatile and/or non-volatile, removable and/or non-removable media implemented in any method or technology for storage of information such as processor-readable instructions, data structures, program modules, or other data. Computer readable storage media includes, but is not limited to, random access memory (RAM), read-only memory (ROM), EEPROM, flash memory, CD-ROM, digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by microprocessor.

Memory device includes one or more computer-readable storage media, which may include random-access memory (RAM) such as various forms of dynamic RAM (DRAM), e.g., DDR2/DDR3 SDRAM, or static RAM (SRAM), flash memory, or any other form of fixed or removable storage medium that can be used to carry or store desired program code and program data in the form of instructions or data structures and that can be accessed by a computer. Memory device provides a physical address space composed of addressable memory locations.

Network interface card (NIC) includes one or more interfaces configured to exchange packets using links of an underlying physical network. Interfaces may include a port interface card having one or more network ports. NIC also includes an on-card memory to, e.g., store packet data. Direct memory access transfers between NIC and other devices coupled to bus may read/write from/to the memory.

Memory device, NIC, disk, and microprocessor provide an operating environment for a software stack that executes a hypervisor and one or more virtual machines managed by hypervisor. In general, a virtual machine provides a virtualized/guest operating system for executing applications in an isolated virtual environment. Because a virtual machine is virtualized from physical hardware of the host server, executing applications are isolated from both the hardware of the host and other virtual machines. Computing device executes hypervisor to manage virtual machines. Example hypervisors include Kernel-based Virtual Machine (KVM) for the Linux kernel, Xen, ESXi available from VMWARE, Windows Hyper-V available from MICROSOFT, and other open-source and proprietary hypervisors. Hypervisor may represent a virtual machine manager (VMM). Virtual machines may host one or more applications, such as virtual network function instances. In some examples, a virtual machine may host one or more VNF instances, where each of the VNF instances is configured to apply a network function to packets.

An alternative to virtual machines is the virtualized container, such as those provided by the open-source DOCKER Container application. Like a virtual machine, each container is virtualized and may remain isolated from the host machine and other containers. However, unlike a virtual machine, each container may omit an individual operating system and provide only an application suite and application-specific libraries. A container is executed by the host machine as an isolated user-space instance and may share an operating system and common libraries with other containers executing on the host machine. Thus, containers may require less processing power, storage, and network resources than virtual machines. As used herein, containers may also be referred to as virtualization engines, virtual private servers, silos, or jails. In some instances, the techniques described herein with respect to containers and virtual machines or other virtualization components.

While virtual network endpoints in are illustrated and described with respect to virtual machines, other operating environments, such as containers (e.g., a DOCKER container) may implement virtual network endpoints. An operating system kernel (not shown in) may execute in kernel space and may include, for example, a Linux, Berkeley Software Distribution (BSD), another Unix-variant kernel, or a Windows server operating system kernel, available from MICROSOFT.

Hypervisor includes a physical driver to use a physical function provided by NIC. In some cases, NIC may also implement SR-IOV to enable sharing the physical network function (I/O) among virtual machines. Each port of NIC may be associated with a different physical function. The shared virtual devices, also known as virtual functions, provide dedicated resources such that each of virtual machines (and corresponding guest operating systems) may access dedicated resources of NIC, which therefore appears to each of virtual machines as a dedicated NIC. Virtual functions may be lightweight PCIe functions that share physical resources with the physical function and with other virtual functions. NIC may have thousands of available virtual functions according to the SR-IOV standard, but for I/O-intensive applications the number of configured virtual functions is typically much smaller.

Virtual machines include respective virtual NICs presented directly into the virtual machine guest operating system, thereby offering direct communication between NIC and virtual machines via bus, using the virtual function assigned for the virtual machine. This may reduce hypervisor overhead involved with software-based, VIRTIO and/or vSwitch implementations in which a memory address space of hypervisor within memory device stores packet data and because copying packet data from NIC to the memory address space of hypervisor and from the memory address space of hypervisor to memory address spaces of virtual machines consumes cycles of microprocessor.

The NIC may further include a hardware-based Ethernet bridge. The Ethernet bridge may be an example of an embedded switch. The Ethernet bridge may perform layer 2 forwarding between virtual functions and physical functions of the NIC. Thus, in some cases, the Ethernet bridge provides hardware acceleration, via the bus, of inter-virtual machine packet forwarding and hardware acceleration of packet forwarding between the hypervisor and any of the virtual machines. The hypervisor may access the physical function via the physical driver. The Ethernet bridge may be physically separate from the processing unit.

The computing device may be coupled to a physical network switch fabric that includes an overlay network that extends a switch fabric from physical switches to software or “virtual” routers of physical servers coupled to the switch fabric, including the virtual router. Virtual routers may be processes or threads, or a component thereof, executed by the physical servers, e.g., the servers, that dynamically create and manage one or more virtual networks usable for communication between virtual network endpoints. In one example, virtual routers implement each virtual network using an overlay network, which provides the capability to decouple an endpoint's virtual address from a physical address (e.g., IP address) of the server on which the endpoint is executing. Each virtual network may use its own addressing and security scheme and may be viewed as orthogonal from the physical network and its addressing scheme. Various techniques may be used to transport packets within and across virtual networks over the physical network. At least some functions of the virtual router may be performed as one of the services or a fabric service. In this example, the virtual router executes within the hypervisor, which uses the physical function for I/O, but the virtual router may execute within a hypervisor, a host operating system, a host application, one of the virtual machines, and/or the processing unit of the NIC.

In general, each virtual machine may be assigned a virtual address for use within a corresponding virtual network, where each of the virtual networks may be associated with a different virtual subnet provided by the virtual router. A virtual machine may be assigned its own virtual layer three (L3) IP address, for example, for sending and receiving communications but may be unaware of an IP address of the computing device on which the virtual machine is executing. In this way, a “virtual address” is an address for an application that differs from the logical address for the underlying, physical computer system, e.g., the computing device.

In one implementation, the computing device includes a virtual network (VN) agent (not shown) that controls the overlay of virtual networks for the computing device and that coordinates the routing of data packets within the computing device. In general, a VN agent communicates with a virtual network controller for the multiple virtual networks, which generates commands to control routing of packets. A VN agent may operate as a proxy for control plane messages between the virtual machines and a virtual network controller, such as the controller. For example, a virtual machine may request to send a message using its virtual address via the VN agent, and the VN agent may in turn send the message and request that a response to the message be received for the virtual address of the virtual machine that originated the first message. In some cases, a virtual machine may invoke a procedure or function call presented by an application programming interface of the VN agent, and the VN agent may handle encapsulation of the message as well, including addressing.

In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by a virtual machine within the virtual network domain, may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network. The packet transported in a virtual network may be referred to herein as an “inner packet” while the physical network packet may be referred to herein as an “outer packet” or a “tunnel packet.” Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed by the virtual router. This functionality is referred to herein as tunneling and may be used to create one or more overlay networks. Besides IPinIP, other example tunneling protocols that may be used include IP over Generic Route Encapsulation (GRE), Virtual Extensible Local Area Network (VXLAN), Multiprotocol Label Switching (MPLS) over GRE (MPLSoGRE), MPLS over User Datagram Protocol (UDP) (MPLSoUDP), etc.

As noted above, a virtual network controller may provide a logically centralized controller for facilitating operation of one or more virtual networks. The virtual network controller may, for example, maintain a routing information base, e.g., one or more routing tables that store routing information for the physical network as well as one or more overlay networks. The virtual router of the hypervisor implements a network forwarding table (NFT) A-N for N virtual networks for which the virtual router operates as a tunnel endpoint. In general, each NFT stores forwarding information for the corresponding virtual network and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack. Each of the NFTs may be an NFT for a different routing instance (not shown) implemented by the virtual router.
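The following is an added example, not taken from the patent, showing how a tunnel endpoint could combine the per-virtual-network NFT lookup with inner/outer packet encapsulation, using VXLAN (one of the tunneling protocols listed above) with the 8-byte header layout from RFC 7348. The function names, table contents, MAC addresses and underlay IP addresses are constructed for illustration. The decapsulation side rejects payloads whose VNI flag is unset or whose virtual network has no NFT, which is what keeps traffic from crossing between virtual networks.

```python
import struct

VXLAN_FLAG_VNI = 0x08   # "I" flag in the first header byte: VNI field is valid
VXLAN_HDR_LEN = 8       # flags(8) + reserved(24) + VNI(24) + reserved(8)
ETH_HDR_LEN = 14

# Constructed sample data: one NFT per virtual network, keyed by VNI. Each NFT
# maps an inner destination MAC to the underlay IP of the remote tunnel
# endpoint. The same inner MAC may exist in two virtual networks.
NFTS = {
    100: {bytes.fromhex("020000000a02"): "192.0.2.12"},
    200: {bytes.fromhex("020000000a02"): "192.0.2.37"},
}

# Constructed inner Ethernet frame: dst MAC, src MAC, EtherType IPv4, payload.
SAMPLE_FRAME = bytes.fromhex("020000000a02020000000a010800") + b"hello"

def encapsulate(vni, inner_frame):
    """Look up the inner destination in the NFT for `vni` and return
    (underlay_dst_ip, udp_payload) for the outer (tunnel) packet."""
    nft = NFTS.get(vni)
    if nft is None:
        raise LookupError(f"no NFT for virtual network {vni}")
    remote = nft.get(inner_frame[:6])
    if remote is None:
        raise LookupError("inner destination not in this virtual network")
    header = struct.pack("!II", VXLAN_FLAG_VNI << 24, vni << 8)
    return remote, header + inner_frame

def decapsulate(udp_payload):
    """Validate the tunnel header and return (vni, inner_frame)."""
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("truncated tunnel packet")
    word0, word1 = struct.unpack("!II", udp_payload[:VXLAN_HDR_LEN])
    if not (word0 >> 24) & VXLAN_FLAG_VNI:
        raise ValueError("VNI flag not set")
    vni = word1 >> 8
    if vni not in NFTS:
        # Unknown virtual network: drop instead of guessing a routing instance.
        raise LookupError(f"no NFT for virtual network {vni}")
    return vni, udp_payload[VXLAN_HDR_LEN:]

if __name__ == "__main__":
    remote, payload = encapsulate(100, SAMPLE_FRAME)
    print(remote, payload[:VXLAN_HDR_LEN].hex(), decapsulate(payload)[0])
```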

In accordance with techniques of this disclosure, the edge services controller uses the processing unit of the NIC to augment the processing and networking functionality of the computing device. The processing unit includes processing circuitry to execute services orchestrated by the edge services controller. The processing circuitry may represent any combination of processing cores, ASICs, FPGAs, or other integrated circuits and programmable hardware. In an example, processing circuitry may include a System-on-Chip (SoC) having, e.g., one or more cores, a network interface for high-speed packet processing, one or more acceleration engines for specialized functions (e.g., security/cryptography, machine learning, storage), programmable logic, integrated circuits, and so forth. Such SoCs may be referred to as data processing units (DPUs). DPUs may be examples of the processing unit.

Patent Metadata

Filing Date

Unknown

Publication Date

April 14, 2026

Inventors

Unknown

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Service aware routing using network interface cards having processing units” (US-12603830-B2). https://patentable.app/patents/US-12603830-B2
