Datapath processing of service rules with qualifiers defined in terms of template identifiers and/or template matching criteria
First Claim
1. A method of performing a service on a data message having a set of attributes, the method comprising:
selecting a service rule comprising (i) a rule identifier for matching against the set of attributes of the data message, the rule identifier defined by reference to a first template identifier that identifies a template for instantiating a multi-tier application deployment in a network, and (ii) a service parameter for performing a service on data messages, wherein an instantiation of the template comprises instantiating multiple data compute nodes (DCNs) with different DCNs implementing different applications in the multi-tier application deployment;
determining that the selected service rule is applicable to the data message, said determining comprising determining that (i) at least a second template identifier associated with the data message is associated with a particular DCN, (ii) the first template identifier and second template identifiers match, and (iii) the particular DCN was deployed by using the template; and
in response to the determination, performing the service on the data message based on the service parameter.
Abstract
Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.
26 Citations
19 Claims
1. A method of performing a service on a data message having a set of attributes (claim 1, reproduced in full above under "First Claim").
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 19.
10. A non-transitory machine readable medium storing a program for performing a service on a data message having a set of attributes, the program comprising sets of instructions for:
selecting a service rule including (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to the data message attribute set, said rule identifier defined by reference to at least a first template identifier that specifies a template for instantiating multi-tier applications in a datacenter, wherein an instantiation of the template comprises instantiating (i) a first DCN executing on a first host computer and implementing a first application in the multi-tier application, and (ii) a second DCN executing on a second host computer and implementing a second application in the multi-tier application;
determining whether the data message's attribute set matches the rule identifier, said determining comprising determining whether (i) a second template identifier associated with the data message is associated with a particular DCN, (ii) the first template identifier matches the second template identifier, and (iii) the particular DCN was deployed by using the template specified by the template identifier; and
when the data message's attribute set matches the rule's identifier, performing the service on the data message based on the service parameter.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
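The following Python model is an added illustration of the three-part determination recited in claims 1 and 10; it is not code from the patent or from any product implementing it. It assumes a datapath that can map a message's source address to a DCN record carrying a template identifier and a flag recording whether the orchestrator actually instantiated that DCN from the template; the DCN inventory, rule set and message attributes are constructed for the example. The point worth seeing is check (iii): a DCN that merely carries the right template tag but was not deployed from the template does not satisfy a template-scoped rule and falls through to the default action.

```python
"""Template-aware service-rule evaluation (constructed example).

A rule is scoped to a template identifier rather than to addresses. It
applies to a message only if (i) the DCN behind the message has a
template identifier, (ii) that identifier matches the rule's, and
(iii) the DCN was in fact deployed from that template.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DCN:
    """A data compute node (VM or container) known to the datapath."""
    name: str
    ip: str
    template_id: Optional[str]      # template identifier attached to the DCN, if any
    deployed_from_template: bool    # True only if the orchestrator instantiated it from that template
    tier: str                       # application tier within the multi-tier deployment


@dataclass(frozen=True)
class ServiceRule:
    """Rule identifier (template_id plus optional L4 qualifier) and a service parameter (action)."""
    name: str
    template_id: str
    dst_port: Optional[int]         # None means any destination port
    action: str                     # service parameter: "allow" or "drop"
    priority: int                   # lower number is evaluated first


@dataclass(frozen=True)
class DataMessage:
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed inventory: two DCNs instantiated from a template, plus one
# hand-built VM that only carries the same template identifier as a tag.
INVENTORY: Dict[str, DCN] = {
    d.ip: d for d in (
        DCN("web-1",     "10.0.1.10", "three-tier-v1", True,  "web"),
        DCN("db-1",      "10.0.3.10", "three-tier-v1", True,  "db"),
        DCN("manual-vm", "10.0.9.99", "three-tier-v1", False, "unknown"),
    )
}

# Constructed rule set, defined by template identifier rather than by address.
RULES: List[ServiceRule] = [
    ServiceRule("tmpl-db-access", "three-tier-v1", 3306, "allow", 10),
    ServiceRule("tmpl-default",   "three-tier-v1", None, "drop",  100),
]
DEFAULT_ACTION = "drop"   # fail closed when no template-scoped rule applies


def resolve_dcn(msg: DataMessage, inventory: Dict[str, DCN]) -> Optional[DCN]:
    """Map the message's source address to the DCN that emitted it, if known."""
    return inventory.get(msg.src_ip)


def rule_applies(rule: ServiceRule, msg: DataMessage, dcn: Optional[DCN]) -> bool:
    """The three determinations from the claim, plus the optional port qualifier."""
    if dcn is None or dcn.template_id is None:
        return False        # (i) no template identifier associated with the DCN
    if dcn.template_id != rule.template_id:
        return False        # (ii) identifiers do not match
    if not dcn.deployed_from_template:
        return False        # (iii) tag present, but DCN was not deployed from the template
    if rule.dst_port is not None and rule.dst_port != msg.dst_port:
        return False        # additional qualifier carried by the rule identifier
    return True


def process(msg: DataMessage, rules: List[ServiceRule] = RULES,
            inventory: Dict[str, DCN] = INVENTORY) -> str:
    """Return the service parameter (action) of the first applicable rule, else the default."""
    dcn = resolve_dcn(msg, inventory)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_applies(rule, msg, dcn):
            return rule.action
    return DEFAULT_ACTION


if __name__ == "__main__":
    for m in (DataMessage("10.0.1.10", "10.0.3.10", 3306),   # web tier -> db port: allow
              DataMessage("10.0.1.10", "10.0.3.10", 22),     # web tier -> other port: template default drop
              DataMessage("10.0.9.99", "10.0.3.10", 3306),   # tagged but not deployed from template: default drop
              DataMessage("192.0.2.7", "10.0.3.10", 3306)):  # unknown source: default drop
        print(m.src_ip, m.dst_port, "->", process(m))
```

Because rules are keyed on the template identifier, adding a third web DCN from the same template needs no rule change, while a workload that only imitates the tag stays under the fail-closed default.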
Specification