Dynamically defined virtual private network tunnels in hybrid cloud environments

US 10,142,293 B2
Filed: 12/15/2015
Issued: 11/27/2018
Est. Priority Date: 12/15/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

in a first virtual private network (VPN) agent, managing a first VPN tunnel in a plurality of VPN tunnels, wherein the first VPN tunnel provides communication for traffic between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment;

receiving a request from a VPN manager, the request including a first set of requirements for a first cloud application for the first VPN tunnel in the plurality of VPN tunnels;

creating the first VPN tunnel according to the first set of requirements;

receiving a modification request from the VPN manager containing a second set of requirements for a second cloud application wherein a second VPN tunnel provides communication for the second cloud application; and

tuning the first VPN tunnel according to the second set of requirements, wherein the tuning includes merging the second VPN tunnel with the first VPN tunnel, wherein the modification request is based on a determination that the first and second sets of requirements are compatible, wherein the first VPN tunnel after merging continues to provide communication between the first node and the second node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and computer program product manage a plurality of VPN tunnels between a first cloud and a second cloud in a hybrid cloud environment. A method in a first VPN agent manages a first VPN tunnel in a plurality of VPN tunnels between a first cloud and a second cloud in a hybrid cloud environment. The VPN agent receives a request from a VPN manager. The request includes a first set of requirements for the first VPN tunnel in the plurality of VPN tunnels. The VPN agent creates the first VPN tunnel according to the first set of requirements. The VPN agent tunes the first VPN tunnel according to a second set of requirements. The tuning of the first VPN tunnel can include merging the first VPN tunnel with a second VPN tunnel, or splitting the first VPN tunnel into a first and second VPN tunnel.

Citations

20 Claims

1. A method comprising:
- in a first virtual private network (VPN) agent, managing a first VPN tunnel in a plurality of VPN tunnels, wherein the first VPN tunnel provides communication for traffic between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment;
  
  receiving a request from a VPN manager, the request including a first set of requirements for a first cloud application for the first VPN tunnel in the plurality of VPN tunnels;
  
  creating the first VPN tunnel according to the first set of requirements;
  
  receiving a modification request from the VPN manager containing a second set of requirements for a second cloud application wherein a second VPN tunnel provides communication for the second cloud application; and
  
  tuning the first VPN tunnel according to the second set of requirements, wherein the tuning includes merging the second VPN tunnel with the first VPN tunnel, wherein the modification request is based on a determination that the first and second sets of requirements are compatible, wherein the first VPN tunnel after merging continues to provide communication between the first node and the second node.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, further comprising:
    - monitoring for events occurring in the first VPN tunnel;
      
      detecting a first event occurring in the first VPN tunnel; and
      
      sending the first event to the VPN manager.
  - 3. The method as recited in claim 1, wherein the first set of requirements include a set of security requirements.
  - 4. The method as recited in claim 2 wherein the first event is selected from the group consisting of detecting a change in traffic bandwidth in the first VPN tunnel, a network topology change for the first cloud and a modification request from the first or second cloud application for a change in security requirements for a VPN tunnel.
  - 5. The method as recited in claim 1, further comprising:
    - receiving a second modification request from the VPN manager, the second modification request including a third set of requirements for the first VPN tunnel;
      
      modifying the first VPN tunnel according to the third set of requirements, wherein the first set of requirements is for traffic from the first cloud application and the second set of requirements is for traffic from the second cloud application;
      
      tuning the first VPN tunnel according to the third set of requirements, wherein the tuning comprises splitting the first VPN tunnel into the first VPN tunnel to accommodate traffic from the first cloud application and a third VPN tunnel to accommodate traffic from the second cloud application, wherein the first and the third VPN tunnels provide communication between the first and second node and wherein the second modification request is based on a determination that the first and third sets of requirements are incompatible.
  - 6. The method as recited in claim 1, further comprising:
    - receiving a selected VPN agent from the VPN manager;
      
      installing the selected VPN agent in a first system; and
      
      wherein the VPN agent is selected based on the first set of requirements.

7. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to manage a first virtual private network (VPN) tunnel of a plurality of VPN tunnels, wherein the first VPN tunnel provides communication for traffic between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment, the computer program instructions comprising;
  
  program code, which causes the processor to receive a first request from a VPN manager, the request including a first set of requirements for the first VPN tunnel in the plurality of VPN tunnels;
  
  program code, which causes the processor to create the first VPN tunnel according to the first set of requirements;
  
  program code, which causes the processor to receive a second request from the VPN manager, the second request including a second set of requirements for a second VPN tunnel in the plurality of VPN tunnels;
  
  program code, which causes the processor to create the second VPN tunnel according to the second set of requirements;
  
  program code, which causes the processor to receive a merge request to merge the second VPN tunnel into the first VPN tunnel, wherein the merge request is based on a determination that the first and second set of requirements are compatible;
  
  program code, which causes the processor to merge the second VPN tunnel into the first VPN tunnel; and
  
  program code, which causes the processor to tune the first VPN tunnel according to the second set of requirements after the merge of the second and first VPN tunnels, wherein the first VPN tunnel after merging continues to provide communication between the first node and the second node.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The apparatus as recited in claim 7, further comprising:
    - program code which causes the processor to monitor events in the first VPN tunnel;
      
      program code which causes the processor to receive requests from applications using the first VPN tunnel; and
      
      program code which causes the processor to communicate requests and information concerning the management of the first VPN tunnel to the VPN manager.
  - 9. The apparatus as recited in claim 7, wherein the first set of requirements include a first set of security requirements and the second set of requirements include a second set of security requirements and the apparatus further comprises program code which causes the processor to determine whether the first and the second sets of security requirements are compatible prior to merging the first VPN tunnel and the second VPN tunnel.
  - 10. The apparatus as recited in claim 8, wherein the event is a detected change in traffic bandwidth in the first VPN tunnel detected by the VPN agent.
  - 11. The apparatus as recited in claim 8, further comprising:
    - a set of specialized VPN agents; and
      
      program code which causes the processor to select a selected VPN agent among the specialized VPN agents according to the first set of requirements.
  - 12. The apparatus as recited in claim 8, wherein the event is detecting an application lifecycle change of the first cloud application.
  - 13. The apparatus as recited in claim 10, wherein the program code operative to monitor events in the first VPN tunnel further comprises:
    - program code which causes the processor to determine whether a lower threshold of traffic bandwidth has been crossed in the first VPN tunnel;
      
      program code which causes the processor to determine whether an upper threshold of traffic bandwidth has been crossed in the first VPN tunnel; and
      
      program code, responsive to a determination that a threshold has been crossed which causes the processor to send a message to the VPN manager.
  - 14. The apparatus as recited in claim 8, further comprising:
    - program code which causes the processor to receive a split request from the VPN manager to split the first VPN tunnel into a third VPN tunnel and the first VPN tunnel, wherein the split request is based on a determination that the first and a third sets of requirements are incompatible, the first set of requirements is for a first cloud application and the third set of requirements is for a second cloud application; and
      
      program code which causes the processor to split the first tunnel into the first VPN tunnel and the third VPN tunnel, wherein both the first and the third VPN tunnel provide communication between the first node and the second node.

15. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the processor to manage a first virtual private network (VPN) tunnel of a plurality of VPN tunnels, wherein the first VPN tunnel provides communication between a first node in a first cloud and second node in a second cloud in a hybrid cloud environment, the computer program instructions comprising:
- program code, which causes the processor to receive a first request from a VPN manager, the first request including a first set of requirements for a first VPN tunnel in the plurality of VPN tunnels;
  
  program code, which causes the processor to create the first VPN tunnel according to the first set of requirements;
  
  program code, which causes the processor to receive a second request from the VPN manager, the second request including a second set of requirements for a VPN tunnel in the plurality of VPN tunnels;
  
  program code, which causes the processor to modify the first VPN tunnel according to the second set of requirements, wherein the first set of requirements is for traffic from a first cloud application and the second set of requirements is for traffic from a second cloud application and the first VPN tunnel carries traffic from first and second cloud applications;
  
  program code, which causes the processor to receive a split request for the first VPN tunnel, wherein the split request is based on a determination that the first and second set of requirements are incompatible; and
  
  program code, which causes the processor to split the first VPN tunnel into the first VPN tunnel and a second VPN tunnel wherein the first and the second VPN tunnel provide communication between the first and second nodes, wherein the VPN agent tunes the first VPN tunnel according to the first set of requirements for traffic for the first cloud application and tunes the second VPN tunnel according to the second set of requirements for traffic for the second cloud application.
- View Dependent Claims (16, 17, 18)
- - 16. The computer program product as recited in claim 15, further comprising:
    - program code which causes the processor to monitor events in the first VPN tunnel;
      
      program code which causes the processor to receive requests from applications using the first VPN tunnel; and
      
      program code which causes the processor to communicate requests and information concerning the management of the first VPN tunnel to the VPN manager.
  - 17. The computer program product as recited in claim 15, wherein a change in security requirements for the first cloud application causes the split request to be issued for the first VPN tunnel.
  - 18. The computer program product as recited in claim 15, further comprising program code which causes the processor to remove the first VPN tunnel at an end of a first cloud application lifecycle.

19. A method comprising:
- in a first virtual private network (VPN) agent, managing a first VPN tunnel of a plurality of VPN tunnels, wherein the first VPN tunnel provides communication between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment;
  
  receiving a first request from a VPN manager, the first request including a first set of requirements for a first VPN tunnel in the plurality of VPN tunnels;
  
  creating the first VPN tunnel according to the first set of requirements;
  
  receiving a second request from the VPN manager, the second request including a second set of requirements for a VPN tunnel in the plurality of VPN tunnels;
  
  modifying the first VPN tunnel according to the second set of requirements, wherein the first set of requirements is for traffic from a first cloud application and the second set of requirements is for traffic from a second cloud application and the first VPN tunnel carries traffic from first and second cloud applications;
  
  splitting the first VPN tunnel based on a determination that the first and second set of requirements are incompatible, wherein the first VPN tunnel is split into the first VPN tunnel and a second VPN tunnel wherein the first and the second VPN tunnel provide communication between the first and second nodes, wherein the VPN agent tunes the first VPN tunnel according to the first set of requirements for traffic for the first cloud application and tunes the second VPN tunnel according to the second set of requirements for traffic for the second cloud application.

20. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program instructions comprising:
- computer memory holding computer program instructions executed by the processor to manage a first virtual private network (VPN) tunnel of a plurality of VPN tunnels, wherein the first VPN tunnel provides communication for traffic between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment, the computer program instructions comprising;
  
  program code which causes the processor to receive a first request from a VPN manager, the request including a first set of requirements for the first VPN tunnel in the plurality of VPN tunnels;
  
  program code which causes the processor to create the first VPN tunnel according to the first set of requirements;
  
  program code which causes the processor to receive a second request from the VPN manager, the second request including a second set of requirements for a second VPN tunnel in the plurality of VPN tunnels;
  
  program code which causes the processor to create the second VPN tunnel according to the second set of requirements;
  
  program code which causes the processor to receive a merge request to merge the second VPN tunnel into the first VPN tunnel, wherein the merge request is based on a determination that the first and second set of requirements are compatible;
  
  program code which causes the processor to merge the second VPN tunnel into the first VPN tunnel; and
  
  program code which causes the processor to tune the first VPN tunnel according to the second set of requirements after the merge of the second and first VPN tunnels, wherein the first VPN tunnel after merging continues to provide communication between the first node and the second node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hoy, Jeffrey Robert, Iyer, Sreekanth Ramakrishna, Kapadia, Kaushal Kiran, Muthukrishnan, Ravi Krishnan, Nagaratnam, Nataraj
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Steinle, Andrew J

Application Number

US14/970,507
Publication Number

US 20170171158A1
Time in Patent Office

1,078 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/164   at the network layer

Dynamically defined virtual private network tunnels in hybrid cloud environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically defined virtual private network tunnels in hybrid cloud environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links