Network-access partitioning using virtual machines
Abstract
Approaches for handling network resources in a virtualized computing environment. A first request for network resources is received from a first virtual machine. Policy data is consulted to determine how to service the first request. The first request is processed by providing the first virtual machine with access to only a first portion of network resources. A second request for network resources is received from a second virtual machine. Policy data is consulted to determine how to service the second request. The second request is processed by providing the second virtual machine with access to only a second portion of network resources that is not coextensive with the first portion. In this way, virtual machines may have access to particular resources and/or specific bounded areas of a network.
Claims (33)
1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for partitioning network resources among virtual machines, which when executed by one or more processors, cause:
- upon a device receiving, from a first virtual machine executing on the device, a first request for network resources located over said one or more networks from said storage mediums, consulting policy data to determine how to service the first request;
- the device processing the first request by providing the first virtual machine with access to a first portion of the network resources, wherein the first virtual machine cannot access any of the network resources other than the first portion;
- upon the device receiving, from a second virtual machine executing on the device, a second request for network resources located over said one or more networks from said storage mediums, consulting the policy data to determine how to service the second request; and
- the device processing the second request by providing the second virtual machine with access to a second portion of the network resources, wherein the second virtual machine cannot access any of the network resources other than the second portion, and wherein the first portion is not coextensive with the second portion, and wherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine and said second virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine or said second virtual machine.

Dependent claims: 2-10 (not reproduced here).

11. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for partitioning network resources available to a virtualized environment, which when executed by one or more processors, cause:
- in response to receiving a first request from a first virtual machine for access to a first network resource on said one or more networks, accessing policy data to identify a network section to which the first request for access is directed; and
- based on the identifying, determining whether the first virtual machine may access the first network resource, wherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine.

Dependent claims: 12-25 (not reproduced here).

26. A client, comprising:
- one or more processors;
- one or more storage mediums storing one or more sequences of instructions for partitioning network resources among virtual machines, which when executed by the one or more processors, cause:
  - upon a device receiving, from a first virtual machine executing on the device, a first request for network resources, consulting policy data to determine how to service the first request;
  - the device processing the first request by providing the first virtual machine with access to a first portion of the network resources, wherein the first virtual machine cannot access any of the network resources other than the first portion;
  - upon the device receiving, from a second virtual machine, a second request for network resources, consulting the policy data to determine how to service the second request; and
  - the device processing the second request by providing the second virtual machine with access to a second portion of the network resources, wherein the second virtual machine cannot access any of the network resources other than the second portion, and wherein the first portion is not coextensive with the second portion, and wherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine and said second virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine or said second virtual machine.

27. A client, comprising:
- one or more processors;
- one or more storage mediums storing one or more sequences of instructions for partitioning network resources available to a virtualized environment, which when executed by the one or more processors, cause:
  - in response to receiving a first request from a first virtual machine for access to a first network resource on said one or more networks, accessing policy data to identify a network section to which the first request for access is directed; and
  - based on the identification, determining whether the first virtual machine may access the first network resource, and wherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine.

28. A method for partitioning network resources among virtual machines, comprising:
- upon a device receiving, from a first virtual machine executing on the device, a first request for network resources, consulting policy data to determine how to service the first request;
- the device processing the first request by providing the first virtual machine with access to a first portion of the network resources, wherein the first virtual machine cannot access any of the network resources other than the first portion;
- upon the device receiving, from a second virtual machine, a second request for network resources, consulting the policy data to determine how to service the second request; and
- the device processing the second request by providing the second virtual machine with access to a second portion of the network resources, wherein the second virtual machine cannot access any of the network resources other than the second portion, and wherein the first portion is not coextensive with the second portion, and wherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine and said second virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine or said second virtual machine.

29. A method for partitioning network resources available to a virtualized environment, comprising:
- in response to receiving a first request from a first virtual machine for access to a first network resource on a network, accessing policy data to identify a network section to which the first request for access is directed; and
- based on the identification, determining whether the first virtual machine may access the first network resource, wherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine.

30. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for partitioning network resources available to a virtualized environment, which when executed by one or more processors, cause:
- in response to receiving a request from a virtual machine for access to a network resource on a network, wherein the request comprises an IP address, causing a domain name server (DNS) query on the IP address to be performed;
- in response to the DNS query being resolved by a trusted DNS server, consulting policy data to determine how to service the request, wherein said trusted DNS server is a DNS server that is deemed trustworthy by policy data; and
- in response to the determination, granting or denying the request, wherein the policy data is implemented by a module that decides which activities can be executed within said virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said virtual machine.

31. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for partitioning network resources available to a virtualized environment, which when executed by one or more processors, cause:
- in response to receiving a request from a virtual machine for access to a network resource, determining whether the source of the request executing in the virtual machine is trusted or untrusted;
- if the source of the request is untrusted, then accessing policy data defining access rules for a first section and second section of the network;
- identifying whether the requested network resource corresponds to the first section or second section; and
- in response to the identification, determining whether to allow the request based on the policy data, wherein the policy data is implemented by a module that decides which activities can be executed within said virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said virtual machine.

Dependent claims: 32-33 (not reproduced here).
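The independent claims above describe one policy module that maps each virtual machine to a bounded portion of the network (claims 1 and 28), identifies which network section a requested resource belongs to (claims 11 and 29), and gates the decision on whether the in-VM source is trusted (claim 31) and whether the DNS resolution came from a trusted resolver (claim 30). The Python below is an added example written for this page, not code from the patent or any product; the CIDR-based section layout, the VM-to-section mapping, the trusted-resolver set, and the handling of trusted sources and untrusted resolvers are assumptions.

```python
import ipaddress
from ipaddress import IPv4Address, IPv4Network

# Constructed sample policy data (assumed format, not taken from the patent).
# A network section is a list of CIDR blocks; a VM may reach only its sections.
SECTIONS = {
    "corp": [IPv4Network("10.1.0.0/16")],
    "dmz": [IPv4Network("192.168.50.0/24")],
}
VM_SECTIONS = {"vm-a": {"corp"}, "vm-b": {"dmz"}}
# Resolvers the policy deems trustworthy (claim 30); constructed value.
TRUSTED_DNS = {IPv4Address("10.1.0.53")}


def section_for(ip: str):
    """Identify the network section an address falls in (claims 11 and 29)."""
    addr = ipaddress.ip_address(ip)
    for name, blocks in SECTIONS.items():
        if any(addr in block for block in blocks):
            return name
    return None  # address lies outside every defined section


def not_coextensive(vm1: str, vm2: str) -> bool:
    """Policy sanity check for claim 1: the two VMs' portions must differ."""
    return VM_SECTIONS[vm1] != VM_SECTIONS[vm2]


def decide(vm: str, target_ip: str, source_trusted: bool, resolved_by: str) -> bool:
    """Grant or deny one request following claims 30 and 31.

    resolved_by is the address of the DNS server that answered the query the
    device issued for the request (simulated here as a parameter).
    Assumptions: an answer from an untrusted resolver is denied before policy
    is consulted, and a trusted in-VM source skips the section check (the
    claims leave that branch open).
    """
    if ipaddress.ip_address(resolved_by) not in TRUSTED_DNS:
        return False
    if source_trusted:
        return True
    section = section_for(target_ip)
    # Untrusted source: allow only if the resource's section is in the VM's portion.
    return section is not None and section in VM_SECTIONS.get(vm, set())
```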
Specification