Private service endpoints in isolated virtual networks

US 10,021,196 B1
Filed: 06/22/2015
Issued: 07/10/2018
Est. Priority Date: 06/22/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more computing devices comprising one or more respective hardware processors and memory to implement one or more control-plane components of a provider network at one or more computing devices, wherein the provider network comprises a first isolated virtual network established on behalf of a first client and a second isolated virtual network established on behalf of a second client;

wherein the one or more control-plane components are configured to;

insert, in response to receiving a first request from the first client, a first service in a registry of privately-accessible services, wherein the first service implements a web services interface, wherein access to the first service is to be provided using at least a first resource of the first isolated virtual network, and wherein access to the first service is to be provided via one or more private network pathways which are not accessible from the public Internet;

transmit, in response to a service discovery query from the second client for a service to be accessed from the second isolated virtual network, an indication of at least the first service;

perform, in response to a request to enable access to the first service from the second isolated virtual network, one or more configuration changes to enable service requests generated at the second isolated virtual network to be transmitted to the first resource via a private network pathway within the provider network without using a public network pathway external to the provider network, wherein a particular configuration change of the one or more configuration changes includes assigning a particular network address to a virtual network interface configured for the service, wherein the particular private network address is included in a network address range of the second isolated virtual network;

collect one or more metrics corresponding to the service requests; and

provide the one or more metrics to one or more of the first client and the second client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service implemented at a first isolated virtual network of a provider network is added to a database of privately-accessible services. Configuration changes that enable network packets to flow between the first isolated virtual network and a second isolated virtual network without utilizing a network address accessible from the public Internet are implemented. Service requests originating at the second isolated virtual network are transmitted to the first isolated virtual network via private pathways of the provider network. Metrics corresponding to service requests directed from the second isolated network to the service are collected and provided to the respective owners of one or both isolated virtual networks.

109 Citations

View as Search Results

20 Claims

1. A system, comprising:
- one or more computing devices comprising one or more respective hardware processors and memory to implement one or more control-plane components of a provider network at one or more computing devices, wherein the provider network comprises a first isolated virtual network established on behalf of a first client and a second isolated virtual network established on behalf of a second client;
  
  wherein the one or more control-plane components are configured to;
  
  insert, in response to receiving a first request from the first client, a first service in a registry of privately-accessible services, wherein the first service implements a web services interface, wherein access to the first service is to be provided using at least a first resource of the first isolated virtual network, and wherein access to the first service is to be provided via one or more private network pathways which are not accessible from the public Internet;
  
  transmit, in response to a service discovery query from the second client for a service to be accessed from the second isolated virtual network, an indication of at least the first service;
  
  perform, in response to a request to enable access to the first service from the second isolated virtual network, one or more configuration changes to enable service requests generated at the second isolated virtual network to be transmitted to the first resource via a private network pathway within the provider network without using a public network pathway external to the provider network, wherein a particular configuration change of the one or more configuration changes includes assigning a particular network address to a virtual network interface configured for the service, wherein the particular private network address is included in a network address range of the second isolated virtual network;
  
  collect one or more metrics corresponding to the service requests; and
  
  provide the one or more metrics to one or more of the first client and the second client.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system as recited in claim 1, wherein the one or more control-plane components are configured to:
    - implement one or more programmatic interfaces of a marketplace of privately-accessible services; and
      
      include the first service in a listing of services provided via a particular programmatic interface of the one or more programmatic interfaces.
  - 3. The system as recited in claim 1, wherein the one or more control-plane components are configured to:
    - determine, based on an analysis of network metrics collected from the second isolated virtual network, that at least one service request has been directed from the second isolated virtual network to a second service via a public network address of the second service, wherein the second service is indicated in the registry of privately-accessible services; and
      
      provide, to the second client, an indication that the second service is accessible via a private pathway;
      
      receive, from the second client, a request to enable connectivity to the second service from the second isolated virtual network via a private pathway; and
      
      implement one or more configuration operations to enable traffic to flow from the second isolated virtual network to a selected network address of the second service.
  - 4. The system as recited in claim 1, wherein the virtual network interface is programmatically attached to a load balancer configured for the service.
  - 5. The system as recited in claim 1, wherein the one or more control-plane components are configured to:
    - receive, from the first client, an indication that access to information pertaining to a second privately-accessible service is to be restricted to a specified set of entities, wherein the specified set includes the second client and excludes a third client;
      
      provide, to the second client in response to a service discovery query, an indication that the second service is accessible via a private network address; and
      
      exclude an indication of the second service from a response provided to a service discovery query from the third client.

6. A method, comprising:
- performing, by one or more computing devices of a provider network that comprise one or more respective hardware processors and memory, wherein the provider network comprises a first isolated virtual network established on behalf of a first client and a second isolated virtual network established on behalf of a second client,inserting, in response to receiving a first request from the first client, a first service in a registry of privately-accessible services, wherein the first service implements a web services interface, wherein access to the first service is to be provided using at least a first resource of the first isolated virtual network, and wherein access to the first service is to be provided via one or more private network pathways which are not accessible from the public Internet;
  
  transmitting, in response to a service discovery query from the second client for a service to be accessed from the second isolated virtual network, an indication of at least the first service;
  
  performing, in response to a request to enable access to the first service from the second isolated virtual network, one or more configuration changes to enable service requests generated at the second isolated virtual network to be transmitted to the first resource via a private network pathway within the provider network without using a public network pathway external to the provider network, wherein a particular configuration change of the one or more configuration changes includes assigning a particular network address to a virtual network interface configured for the service, wherein the particular private network address is included in a network address range of the second isolated virtual network;
  
  collecting one or more metrics corresponding to the service requests; and
  
  providing the one or more metrics to one or more of the first client and the second client.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - implementing one or more programmatic interfaces of a marketplace of privately-accessible services; and
      
      including the first service in a listing of services provided via a particular programmatic interface of the one or more programmatic interfaces.
  - 8. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - receiving the service discovery query via a programmatic interface, wherein the service discovery query indicates at least one targeted attribute value of the service.
  - 9. The method as recited in claim 8, wherein the at least one targeted attribute value includes a value of one or more of:
    - (a) a service name, (b) a service category, (c) a service pricing policy, (d) a service owner name, (e) a quality of service (QOS) metric.
  - 10. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - determining, based on an analysis of network metrics collected from the second isolated virtual network, that at least one service request has been directed from the second isolated virtual network to a second service via a public network address of the second service, wherein the second service is indicated in the registry of privately-accessible services; and
      
      providing, to the second client, an indication that the second service is accessible via a private pathway.
  - 11. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - receiving, from the first client, an indication that access to information pertaining to a second privately-accessible service is to be restricted to a specified set of entities, wherein the specified set includes the second client and excludes a third client;
      
      providing, to the second client in response to a service discovery query, an indication that the second service is accessible via a private network address; and
      
      excluding an indication of the second service from a response provided to a service discovery query from the third client.
  - 12. The method as recited in claim 6, wherein the first service is implemented at least in part at a particular computing device located outside the first isolated virtual network.
  - 13. The method as recited in claim 12, wherein the particular computing device is located at a computing facility of the first client, and wherein the computing facility is connected to the first isolated virtual network by a dedicated private network link.
  - 14. The method as recited in claim 12, wherein the particular computing device is connected to the first isolated virtual network via at least one link of the public Internet.
  - 15. The method as recited in claim 6, wherein said implementing the one or more configuration changes comprises:
    - assigning a particular IP (Internet Protocol) address to a virtual network interface of a load balancer associated with the first service, wherein the particular IP address is included within an IP address range accessible from the second isolated virtual network.
  - 16. The method as recited in claim 6, wherein said implementing the one or more configuration changes comprises:
    - modifying a security setting of one or more of;
      
      the first isolated virtual network, or the second isolated virtual network.

17. A non-transitory computer-accessible storage medium storing program instructions that when executed on one or more hardware processors of a provider network, wherein the provider network comprises a first isolated virtual network established on behalf of a first client and a second isolated virtual network established on behalf of a second client:
- insert, in response to receiving a first request from the first client, a first service in a registry of privately-accessible services, wherein the first service implements a web services interface, wherein access to the first service is to be provided using at least a first resource of the first isolated virtual network, and wherein access to the first service is to be provided via one or more private network pathways which are not accessible from the public Internet;
  
  transmit, in response to a service discovery query from the second client for a service to be accessed from the second isolated virtual network, an indication of at least the first service;
  
  perform, in response to a request to enable access to the first service from the second isolated virtual network, one or more configuration changes to enable service requests generated at the second isolated virtual network to be transmitted to the first resource via a private network pathway within the provider network without using a public network pathway external to the provider network, wherein a particular configuration change of the one or more configuration changes includes assigning a particular network address to a virtual network interface configured for the service, wherein the particular private network address is included in a network address range of the second isolated virtual network;
  
  collect one or more metrics corresponding to the service requests; and
  
  provide the one or more metrics to one or more of the first client and the second client.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-accessible storage medium as recited in claim 17, wherein the instructions when executed on the one or more processors:
    - implement one or more programmatic interfaces of a marketplace of privately-accessible services; and
      
      include the first service in a listing of services provided via a particular programmatic interface of the one or more programmatic interfaces.
  - 19. The non-transitory computer-accessible storage medium as recited in claim 17, wherein the instructions when executed on the one or more processors:
    - determine, based on an analysis of network metrics collected from the second isolated virtual network, that at least one service request has been directed from the second isolated virtual network to a second service via a public network address of the second service, wherein the second service is indicated in the registry of privately-accessible services; and
      
      provide, to the second client, an indication that the second service is accessible via a private network pathway.
  - 20. The non-transitory computer-accessible storage medium as recited in claim 17, wherein the instructions when executed on the one or more processors:
    - receive the service discovery query via a programmatic interface, wherein the service discovery query indicates at least one targeted attribute value of the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Akers, Kyle Tailor, Voegele, Michael Siaosi, Miller, Kevin Christopher, Yuan, Chao, Lennon, David Brian, Stephenson, Patrick
Primary Examiner(s)
Coulter, Kenneth R

Application Number

US14/746,519
Time in Patent Office

1,114 Days
Field of Search

709249, 709238, 709245, 709220-222, 709227, 709228
US Class Current
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 67/10   in which an application is ...

H04L 67/51   Discovery or management the...

Private service endpoints in isolated virtual networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Private service endpoints in isolated virtual networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others