Policy management system for heterogeneous cloud services

US 10,129,100 B2
Filed: 09/30/2014
Issued: 11/13/2018
Est. Priority Date: 08/22/2014
Status: Active Grant

First Claim

Patent Images

1. A method to enforce a policy for a network, the method comprising:

storing, by executing an instruction using a processor, a first set of network state data and a second set of network state data in a single, unified data format, the first set of network state data from a first cloud management application that manages a first aspect of the network and stores its network state data in a first format, the second set of network state data from a second cloud management application that manages a second aspect of the network and stores its network state data in a second format;

detecting, by executing an instruction using the processor, addition of a virtual machine to a cloud environment;

in response to detecting the addition of the virtual machine, determining, by executing an instruction using the processor, whether the virtual machine violates a network policy based on a first owner of the virtual machine and the first and second sets of network state data stored in the single, unified data format; and

when the virtual machine violates the network policy;

creating a new membership group;

adding the first owner to the membership group; and

adding a second owner of the network to the membership group, wherein the first owner and the second owner being part of the same membership group removes the violation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a method for a system that enforces policy for a network. The method receives (i) a first set of network state data from a first cloud management application that manages a first aspect of the network and stores its network state data in a first format and (ii) a second set of network state data from a second cloud management application that manages a second aspect of the network and stores its network state data in a second format. The method stores the first and second sets of network state data in a single, unified data format. The method monitors the stored sets of network state data to determine whether the network state violates one or more network policies that constrain the network state received from the first and second cloud management applications.

Citations

22 Claims

1. A method to enforce a policy for a network, the method comprising:
- storing, by executing an instruction using a processor, a first set of network state data and a second set of network state data in a single, unified data format, the first set of network state data from a first cloud management application that manages a first aspect of the network and stores its network state data in a first format, the second set of network state data from a second cloud management application that manages a second aspect of the network and stores its network state data in a second format;
  
  detecting, by executing an instruction using the processor, addition of a virtual machine to a cloud environment;
  
  in response to detecting the addition of the virtual machine, determining, by executing an instruction using the processor, whether the virtual machine violates a network policy based on a first owner of the virtual machine and the first and second sets of network state data stored in the single, unified data format; and
  
  when the virtual machine violates the network policy;
  
  creating a new membership group;
  
  adding the first owner to the membership group; and
  
  adding a second owner of the network to the membership group, wherein the first owner and the second owner being part of the same membership group removes the violation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the single, unified data format includes a set of relational database tables.
  - 3. The method of claim 2, wherein the first set of network state data is stored in a first plurality of tables and the second set of network state data is stored in a second plurality of tables.
  - 4. The method of claim 3, wherein the set of relational database tables includes a third plurality of tables that stores data from both the first and second cloud management applications.
  - 5. The method of claim 4, wherein the third plurality of tables includes tables defined by network policies.
  - 6. The method of claim 1, wherein the first cloud management application is a network virtualization manager that manages logical networks for the network and the second cloud management application is a compute virtualization manager that manages virtual machines in the network.
  - 7. The method of claim 1, wherein the first and second cloud management applications include two of a compute virtualization manager, a network virtualization manager, a storage virtualization manager, a firewall manager, an antivirus manager, and a group directory.
  - 8. The method of claim 1, wherein receiving the first and second sets of network state data includes receiving sets of network state data from a plurality of cloud management applications that manage different aspects of the network and store network state data in a plurality of different formats.
  - 9. The method of claim 8, wherein the plurality of cloud management applications include a compute virtualization manager, a network virtualization manager, a storage virtualization manager, an antivirus manager, a firewall manager, and a group directory.
  - 10. The method of claim 1, wherein the sets of network state data are received as updates that reflect changes made to the network state by the first and second cloud management applications.
  - 11. The method of claim 10, wherein at least one of the updates includes a command to (A) insert a new record or (B) delete a record for a data entity in the stored network state data.
  - 12. The method of claim 1, wherein monitoring the stored sets of network state data includes comparing the stored sets of network data to states defined by network policies as violations of policy to determine whether the stored network state violates any policies.
  - 13. The method of claim 1, further including simulating the modification of the at least one of the first or second cloud management applications to identify how the modifying will affect the network state.
  - 14. The method of claim 1, further including storing a violation type corresponding to the violation with modification data in short-term memory, the modification data including indicating the modification of the first or second cloud management applications were modified to remove the violation.

15. A system to enforce a policy for a network, the system comprising:
- a machine readable storage to store network state data from at least two cloud management applications in a single, unified data format, the network state data from at least two cloud management applications that each manage different aspects of the network and store their network state data in different formats; and
  
  a processor to;
  
  detect addition of a virtual machine to a cloud environment, in response to detecting the addition of the virtual machine, determine if the virtual machine violates a network policy based on a first owner of the virtual machine and the first and second sets of network state data stored in the single, unified data format, and, when the virtual machine violates the network policy;
  
  create a new membership group;
  
  add the first owner to the membership group; and
  
  add a second owner of the network to the membership group, wherein the first owner and the second owner being part of the same membership group removes the violation.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The system of claim 15, wherein the single, unified data format includes a set of relational database tables.
  - 17. The system of claim 16, wherein the network state data from the different cloud management applications are stored in different sets of tables.
  - 18. The system of claim 17, wherein the network state data further includes tables defined by network policies.
  - 19. The system of claim 16, wherein the set of relational database tables includes a table for storing violations of network policies.
  - 20. The system of claim 15, wherein the cloud management applications include at least two of a compute virtualization manager, a network virtualization manager, a storage virtualization manager, a firewall manager, an antivirus manager, and a group directory.
  - 21. The system of claim 15, wherein the processor receives the network state data as updates that reflect changes made to the network state by the cloud management applications.
  - 22. The system of claim 15, wherein the processor is to compare the stored sets of network data to states defined by network policies as violations of policy to determine whether the stored network state violates any policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Hinrichs, Timothy, Balland, III, Peter J., Casado, Martin, Ettori, Pierre-Emmanuel
Primary Examiner(s)
Cheema, Umar
Assistant Examiner(s)
Rotolo, Anthony T

Application Number

US14/503,103
Publication Number

US 20160057027A1
Time in Patent Office

1,505 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 15/173   using an interconnection ne...

G06F 16/2379   Updates performed during on...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/145   involving simulating, desig...

H04L 41/5009   Determining service level p...

H04L 41/5022   by giving priorities, e.g. ...

H04L 41/5025   by proactively reacting to ...

H04L 43/062   related to network traffic

H04L 47/70   Admission control; Resource...

Policy management system for heterogeneous cloud services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Policy management system for heterogeneous cloud services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links