Multi-spoke connectivity of private data centers to the cloud

We claim: 1. A method of providing connectivity between data centers in a hybrid cloud system, the method comprising: transmitting and receiving first test packets including an Internet Protocol (IP) flow tuple between a gateway of a first data center managed by a first organization and a gateway of a second data center managed by the first organization, wherein the IP flow tuple includes a source IP address, source port, destination IP address, and destination port; determining a first latency between the first and second data centers managed by the first organization based on the first test packets; transmitting and receiving second test packets including an IP flow tuple between the gateway of the first data center and a gateway of a cloud computing system managed by a second organization; determining a second latency between the first data center and the cloud computing system managed by the second organization based on the second test packets, the first organization being a tenant in the cloud computing system; and establishing a path-optimized connection between the first and second data centers based on the first latency and the second latency, wherein the path-optimized connection travels between the gateway of the first data center through the gateway of the cloud computing system and to the gateway of the second data center. 2. The method of claim 1 , wherein the cloud computing system comprises a first cloud data center communicatively coupled to the first data center and a second cloud data center communicatively coupled to the second data center, wherein the first and second cloud data centers are communicatively coupled together. 3. The method of claim 2 , wherein the path-optimized connection through the gateway of the cloud computing system comprises a path-optimized connection through a gateway of the first cloud data center to a gateway of the second cloud data center. 4. The method of claim 1 , wherein the path-optimized connection between the first and second data centers is established responsive to determining that the second latency is less than the first latency. 5. The method of claim 1 , wherein transmitting and receiving the second test packets including the IP flow tuple between the first data centers and the cloud computing system comprises: probing a wide area network (WAN) with the second test packets by varying the IP flow tuple of the second test packets across a set of IP flows; identifying a plurality of paths between the gateway of the first data center and a gateway of the cloud computing system associated with the set of IP flows; and selecting an IP flow from the set of IP flows for an application executing in the first data center. 6. The method of claim 1 , wherein the step of establishing the path-optimized connection comprises: establishing a secure channel between the gateway of the first data center and the gateway of the cloud computing system; encapsulating application packets from the application within path-optimized packets according to the selected IP flow; and encrypting the path-optimized packets for transmission over the secure channel. 7. The method of claim 6 , wherein the step of establishing the secure channel comprises sending an IP flow tuple for the selected IP flow from the gateway of the first data center to the gateway of the cloud computing system. 8. A non-transitory computer-readable storage medium comprising instructions that, when executed in a computing device, provide connectivity between data centers in a hybrid cloud system, by performing the steps of: transmitting and receiving first test packets including an Internet Protocol (IP) flow tuple between a gateway of a first data center managed by a first organization and a gateway of a second data center managed by the first organization, wherein the IP flow tuple includes a source IP address, source port, destination IP address, and destination port; determining a first latency between the first and second data centers managed by the first organization based on the first test packets; transmitting and receiving second test packets including an IP flow tuple between the gateway of the first data center and a gateway of a cloud computing system managed by a second organization; determining a second latency between the first data center and the cloud computing system managed by the second organization based on the second test packets, the first organization being a tenant in the cloud computing system; and establishing a path-optimized connection between the first and second data centers based on the first latency and the second latency, wherein the path-optimized connection travels between the gateway of the first data center through the gateway of the cloud computing system and to the gateway of the second data center. 9. The non-transitory computer-readable storage medium of claim 8 , wherein the cloud computing system comprises a first cloud data center communicatively coupled to the first data center and a second cloud data center communicatively coupled to the second data center, wherein the first and second cloud data centers are communicatively coupled together. 10. The non-transitory computer-readable storage medium of claim 9 , wherein the path-optimized connection through the gateway of the cloud computing system comprises a path-optimized connection through a gateway of the first cloud data center to a gateway of the second cloud data center. 11. The non-transitory computer-readable storage medium of claim 8 , wherein the path-optimized connection between the first and second data centers is established responsive to determining that the second latency is less than the first latency. 12. The non-transitory computer-readable storage medium of claim 8 , wherein transmitting and receiving the second test packets including the IP flow tuple between the first data centers and the cloud computing system comprises: probing a wide area network (WAN) with the second test packets by varying the IP flow tuple of the second test packets across a set of IP flows; identifying a plurality of paths between the gateway of the first data center and a gateway of the cloud computing system associated with the set of IP flows; and selecting an IP flow from the set of IP flows for an application executing in the first data center. 13. The non-transitory computer-readable storage medium of claim 8 , wherein the step of establishing the path-optimized connection comprises: establishing a secure channel between the gateway of the first data center and the gateway of the cloud computing system; encapsulating application packets from the application within path-optimized packets according to the selected IP flow; and encrypting the path-optimized packets for transmission over the secure channel. 14. The non-transitory computer-readable storage medium of claim 13 , wherein the step of establishing the secure channel comprises sending an IP flow tuple for the selected IP flow from the gateway of the first data center to the gateway of the cloud computing system. 15. A computer system for provide connectivity between data centers in a hybrid cloud system, the computer system comprising a system memory and a processor programmed to: transmit and receive first test packets including an Internet Protocol (IP) flow tuple between a gateway of a first data center managed by a first organization and a gateway of a second data center managed by the first organization, wherein the IP flow tuple includes a source IP address, source port, destination IP address, and destination port; determine a first laten