Directing data traffic between intra-server virtual machines

US 10,191,758 B2
Filed: 12/09/2015
Issued: 01/29/2019
Est. Priority Date: 12/09/2015
Status: Active Grant

First Claim

Patent Images

1. A system for improving data communications between intra-server virtual machines, the system comprising:

network interfaces;

at least one hardware processor communicatively coupled to the network interfaces;

an intra-server routing module implemented by the at least one hardware processor; and

a memory communicatively coupled to the at least one hardware processor, the memory storing instructions which are executable by the at least one hardware processor to perform a method comprising;

receiving, by the intra-server routing module, a first data packet from a first virtual machine directed to a second virtual machine, the first virtual machine and the second virtual machine being associated with the same server;

without inspection from the intra-server routing module, providing to an inline device the first data packet, the inline device forwarding the first data packet to an external routing environment;

receiving, by the intra-server routing module, the first data packet from the external routing environment being allowed for delivery to the second virtual machine based on a predetermined policy;

determining, by a tap sensor, that a data flow associated with the first data packet is allowed between the first virtual machine and the second virtual machine using the receipt of the first data packet, the data flow including data packets from the first virtual machine directed to the second virtual machine and data packets from the second virtual machine directed to the first virtual machine;

using the determination, replacing, by the intra-server routing module, in second data packets of the allowed data flow, a unique identifier of the first virtual machine with a first unique identifier, and replacing a unique identifier of the second virtual machine with a second unique identifier, the first unique identifier and the second unique identifier being associated with the network interfaces of the intra-server routing module; and

directing, by the intra-server routing module, the allowed data flow between the first virtual machine and the second virtual machine using the first unique identifier and the second unique identifier associated with the intra-server routing module, the allowed data flow being directed internally within the server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for improving data communications between intra-server virtual machines are described herein. An example method may commence with receiving, from a first virtual machine, a data packet directed to a second virtual machine, routing the data packet via an external routing environment, and receiving the data packet allowed for delivery to the second virtual machine. Based on the receipt, it may be determined that a data flow associated with the data packet is allowed, and a unique identifier of the first virtual machine may be replaced with a first unique identifier and a unique identifier of the second virtual machine may be replaced with a second unique identifier. The first and second unique identifiers may be associated with corresponding interfaces of the intra-server routing module and used to direct the data flow internally within the server between the first virtual machine and the second virtual machine.

246 Citations

15 Claims

1. A system for improving data communications between intra-server virtual machines, the system comprising:
- network interfaces;
  
  at least one hardware processor communicatively coupled to the network interfaces;
  
  an intra-server routing module implemented by the at least one hardware processor; and
  
  a memory communicatively coupled to the at least one hardware processor, the memory storing instructions which are executable by the at least one hardware processor to perform a method comprising;
  
  receiving, by the intra-server routing module, a first data packet from a first virtual machine directed to a second virtual machine, the first virtual machine and the second virtual machine being associated with the same server;
  
  without inspection from the intra-server routing module, providing to an inline device the first data packet, the inline device forwarding the first data packet to an external routing environment;
  
  receiving, by the intra-server routing module, the first data packet from the external routing environment being allowed for delivery to the second virtual machine based on a predetermined policy;
  
  determining, by a tap sensor, that a data flow associated with the first data packet is allowed between the first virtual machine and the second virtual machine using the receipt of the first data packet, the data flow including data packets from the first virtual machine directed to the second virtual machine and data packets from the second virtual machine directed to the first virtual machine;
  
  using the determination, replacing, by the intra-server routing module, in second data packets of the allowed data flow, a unique identifier of the first virtual machine with a first unique identifier, and replacing a unique identifier of the second virtual machine with a second unique identifier, the first unique identifier and the second unique identifier being associated with the network interfaces of the intra-server routing module; and
  
  directing, by the intra-server routing module, the allowed data flow between the first virtual machine and the second virtual machine using the first unique identifier and the second unique identifier associated with the intra-server routing module, the allowed data flow being directed internally within the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the unique identifier associated with the first virtual machine includes a Media Access Control (MAC) address of the first virtual machine, the unique identifier associated with the second virtual machine includes a MAC address of the second virtual machine, and the first unique identifier and the second unique identifier include MAC addresses of the intra-server routing module.
  - 3. The system of claim 1, wherein the external routing environment includes at least one of:
    - a virtual routing environment and a physical routing environment.
  - 4. The system of claim 1, wherein the method further comprises:
    - receiving instructions, from a tap sensor built into the inline device, to replace the unique identifier of the first virtual machine with the first unique identifier and replace the unique identifier of the second virtual machine with the second unique identifier, the tap sensor inspecting data communications within the server and determining the second data packets are associated with the first data packet being allowed using the inspection.
  - 5. The system of claim 1, wherein the unique identifier of the first virtual machine and the unique identifier of the second virtual machine are replaced in one or more routing tables associated with the intra-server routing module.
  - 6. The system of claim 1, wherein the external routing environment includes one or more of the following:
    - a Firewall, an intrusion prevention system, and an intrusion detection system.
  - 7. The system of claim 1, wherein the first virtual machine is associated with a first network and the second virtual machine is associated with a second network.

8. A method by an intra-server routing module for data communications between intra-server virtual machines comprising:
- receiving, by the intra-server routing module, a first data packet from a first virtual machine directed to a second virtual machine, the first virtual machine and the second virtual machine being associated with the same server;
  
  without inspection from the intra-server routing module, providing to an inline device the first data packet, the inline device forwarding the first data packet to an external routing environment;
  
  receiving, by the intra-server routing module, the first data packet from the external routing environment being allowed for delivery to the second virtual machine based on a predetermined policy;
  
  determining, by a tap sensor, that a data flow associated with the first data packet is allowed between the first virtual machine and the second virtual machine using the receipt of the first data packet, the data flow including data packets from the first virtual machine directed to the second virtual machine and data packets from the second virtual machine directed to the first virtual machine;
  
  using the determination, replacing, by the intra-server routing module, in second data packets of the allowed data flow, a unique identifier of the first virtual machine with a first unique identifier, and replacing a unique identifier of the second virtual machine with a second unique identifier, the first unique identifier and the second unique identifier being associated with network interfaces of the intra-server routing module; and
  
  directing, by the intra-server routing module, the allowed data flow between the first virtual machine and the second virtual machine using the first unique identifier and the second unique identifier associated with the intra-server routing module, the allowed data flow being directed internally within the server.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, wherein the unique identifier associated with the first virtual machine includes a MAC address of the first virtual machine, the unique identifier associated with the second virtual machine includes a MAC address of the second virtual machine, and the first unique identifier and the second unique identifier include MAC addresses of the intra-server routing module.
  - 10. The method of claim 8, wherein the external routing environment includes at least one of:
    - a virtual routing environment and a physical routing environment.
  - 11. The method of claim 8, further comprising:
    - receiving instructions, from a tap sensor built into the inline device, to replace the unique identifier of the first virtual machine with the first unique identifier and replace the unique identifier of the second virtual machine with the second unique identifier, the tap sensor inspecting data communications within the server and determining the second data packets are associated with the first data packet being allowed using the inspection.
  - 12. The method of claim 11, wherein the first virtual machine and the second virtual machine are associated with at least one virtual host or at least one container, the at least one virtual host and the at least one container being associated with the server.
  - 13. The method of claim 8, wherein the unique identifier of the first virtual machine and the unique identifier of the second virtual machine are replaced in one or more routing tables associated with the intra-server routing module.
  - 14. The method of claim 8, wherein the external routing environment includes one or more of the following:
    - a Firewall, an intrusion prevention system, and an intrusion detection system.
  - 15. The method of claim 8, wherein the first virtual machine is associated with a first network and the second virtual machine is associated with a second network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Ross, Colin, Shieh, Choung-Yaw
Primary Examiner(s)
Wai, Eric C
Assistant Examiner(s)
Joy-Davila, Jorge A Chu

Application Number

US14/964,318
Publication Number

US 20170168864A1
Time in Patent Office

1,147 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 45/021   Ensuring consistency of rou...

H04L 45/586   of virtual routers

H04L 45/74   Address processing for routing

Directing data traffic between intra-server virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

246 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Directing data traffic between intra-server virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

246 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links