In the example shown, traffic received on a physical port of a server (e.g., a communications interface such as Ethernet port 215) is sent to a virtual switch (e.g., 212). In some embodiments, the virtual switch is configured, using an API provided by the hypervisor, to intercept incoming traffic designated for the application(s) in an inline mode and send the traffic to an appropriate service engine. In inline mode, packets are forwarded on without being replicated. As shown, the virtual switch passes the traffic to a service engine in the distributed network service layer (e.g., service engine 214 on the same physical device), which may drop packets, transform packets if needed, and redirect packets to the appropriate application. The service engine, based on factors such as configured rules and operating conditions, may redirect traffic to an appropriate application executing in a VM on a server.
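The inline path described above, as an added Python example (not code from the original document): a virtual switch hands the single copy of each packet to a service engine, which drops, transforms, or redirects it before any VM sees it. The class names, the first-match rule format, the addresses and the VM names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:                      # constructed, simplified packet model
    src: str
    dst_app: str
    headers: dict = field(default_factory=dict)

def drop(pkt):                     # action: discard the packet
    return None
def tag_client(pkt):               # action: transform (record the client address)
    pkt.headers["X-Forwarded-For"] = pkt.src
    return pkt
def to_canary(pkt):                # action: redirect to another application
    pkt.dst_app = "web-canary"
    return pkt

class ServiceEngine:
    """Hypothetical engine: ordered (predicate, action) rules, first match wins."""
    def __init__(self, rules, app_to_vm):
        self.rules, self.app_to_vm = rules, app_to_vm
    def handle(self, pkt):
        """Return (vm, packet) to deliver, or None when the packet is dropped."""
        for predicate, action in self.rules:
            if predicate(pkt):
                pkt = action(pkt)
                break
        if pkt is None:
            return None
        vm = self.app_to_vm.get(pkt.dst_app)
        return (vm, pkt) if vm else None   # unknown application: fail closed

class VirtualSwitch:
    """Inline interception: the only copy of the packet goes to the engine."""
    def __init__(self, engine):
        self.engine, self.delivered = engine, []
    def receive(self, pkt):
        verdict = self.engine.handle(pkt)  # no replica bypasses the engine
        if verdict is not None:
            self.delivered.append(verdict)
        return verdict

def build_demo():
    rules = [
        (lambda p: p.src.startswith("203.0.113."), drop),
        (lambda p: p.headers.get("X-Canary") == "1", to_canary),
        (lambda p: p.dst_app == "web", tag_client),
    ]
    return VirtualSwitch(ServiceEngine(rules, {"web": "vm-1", "web-canary": "vm-2"}))
```

Because the switch forwards the packet itself rather than a copy, a drop verdict from the engine is enforcement: nothing reaches `delivered` unless the engine returned it.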
Controller 290 is configured to control, monitor, program, and/or provision the distributed network services and virtual machines. For example, controller 290 may monitor traffic through the network and determine whether to add to or reduce the number of service engines. The controller can be implemented as software, hardware, firmware, or any combination thereof. In some embodiments, the controller is implemented on a system such as 100. In some cases, the controller is implemented as a single entity logically, but multiple instances of the controller are installed and executed on multiple physical devices to provide high availability and increased capacity. In embodiments implementing multiple controllers, known techniques such as those used in distributed databases are applied to synchronize and maintain coherency of data among the controller instances.