Interconnecting external networks with overlay networks in a shared computing environment

US 10,348,689 B2
Filed: 11/27/2017
Issued: 07/09/2019
Est. Priority Date: 09/10/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining, by one or more processors, data from a network connection to a remote resource of a remote network of a first tenant, a first tenant identifier for the network connection of the first tenant, additional data from a network connection to a remote resource of a remote network of a second tenant, and a second tenant identifier for the network connection of the second tenant, wherein the network connection to the remote resource of the remote network of the first tenant and the network connection to the remote resource of the remote network of the second tenant comprise a shared virtual private network tunnel over a public Internet connection, wherein the virtual private network tunnel is coupled to remote networks of at least two tenants of at least two virtual networks;

based on the first tenant identifier for the network connection of the first tenant, setting, by the one or more processors, an identifier of the first tenant in metadata associated with the data;

based on the second tenant identifier for the network connection of the second tenant, setting, by the one or more processors, an identifier of the second tenant in metadata associated with the additional data;

obtaining, by the one or more processors, the data and the identifier in the metadata associated with the data and matching the tenant identifier to the first tenant of the shared computing environment;

based on identifying the first tenant of the shared computing environment, inserting, by the one or more processors, the data into an access virtual network of the first tenant of the shared computing environment, wherein the access virtual network of the first tenant of the shared computing environment is associated with one virtual network of the at least two virtual networks in the shared computing environment, and wherein the at least two virtual networks overlay a physical network, and wherein each virtual network of the at least two virtual networks is a virtual network of a tenant;

obtaining, by the one or more processors, the additional data and the identifier in the metadata associated with the additional data and matching the tenant identifier to the second tenant of the shared computing environment; and

based on identifying the second tenant of the shared computing environment, inserting, by the one or more processors, the data into an access virtual network of the second tenant of the shared computing environment, wherein the access virtual network of the second tenant of the shared computing environment is associated with another virtual network of the at least two virtual networks in the shared computing environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes obtaining, by one or more processor, data from a virtual network of a tenant and an identifier of the tenant, where the virtual network of the tenant is one of at least two virtual networks in a shared computing environment where the at least two virtual networks overlay a physical network. Based on obtaining the identifier of the tenant, the method includes setting, by one or more processor, the identifier in metadata of the data and based on the identifier in the metadata, identifying, by the one or more processor, a network connection associated with the tenant. The method also includes identifying, by the one or more processor, a policy of the network connection and processing the data with the policy to create processed data and transmitting, by the one or more processor, the processed data through the network connection.

26 Citations

View as Search Results

16 Claims

1. A computer-implemented method comprising:
- obtaining, by one or more processors, data from a network connection to a remote resource of a remote network of a first tenant, a first tenant identifier for the network connection of the first tenant, additional data from a network connection to a remote resource of a remote network of a second tenant, and a second tenant identifier for the network connection of the second tenant, wherein the network connection to the remote resource of the remote network of the first tenant and the network connection to the remote resource of the remote network of the second tenant comprise a shared virtual private network tunnel over a public Internet connection, wherein the virtual private network tunnel is coupled to remote networks of at least two tenants of at least two virtual networks;
  
  based on the first tenant identifier for the network connection of the first tenant, setting, by the one or more processors, an identifier of the first tenant in metadata associated with the data;
  
  based on the second tenant identifier for the network connection of the second tenant, setting, by the one or more processors, an identifier of the second tenant in metadata associated with the additional data;
  
  obtaining, by the one or more processors, the data and the identifier in the metadata associated with the data and matching the tenant identifier to the first tenant of the shared computing environment;
  
  based on identifying the first tenant of the shared computing environment, inserting, by the one or more processors, the data into an access virtual network of the first tenant of the shared computing environment, wherein the access virtual network of the first tenant of the shared computing environment is associated with one virtual network of the at least two virtual networks in the shared computing environment, and wherein the at least two virtual networks overlay a physical network, and wherein each virtual network of the at least two virtual networks is a virtual network of a tenant;
  
  obtaining, by the one or more processors, the additional data and the identifier in the metadata associated with the additional data and matching the tenant identifier to the second tenant of the shared computing environment; and
  
  based on identifying the second tenant of the shared computing environment, inserting, by the one or more processors, the data into an access virtual network of the second tenant of the shared computing environment, wherein the access virtual network of the second tenant of the shared computing environment is associated with another virtual network of the at least two virtual networks in the shared computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the inserting comprises:
    - inserting, by the one or more processors, the data into the access virtual network of the first tenant through a logical connection point on a network virtualization edge coupled to the one virtual network.
  - 3. The computer-implemented method of claim 1, wherein obtaining the data from the network connection to a remote resource of the first tenant and the tenant identifier for the network connection of the first tenant, comprises:
    - contemporaneously to obtaining the data, in a packet, enforcing, by the one or more processors, a security policy to decrypt the packet.
  - 4. The computer-implemented method of claim 1, wherein matching the tenant identifier to the first tenant of the shared computing environment comprises locating the first tenant in an entry in a tenant table of the shared computing environment.
  - 5. The computer-implemented method of claim 1, wherein inserting, the data into the access virtual network of the first tenant comprises inserting a frame into the access virtual network of the first tenant.
  - 6. The computer-implemented method of claim 5, wherein obtaining the data and the identifier in the metadata and matching the tenant identifier to the tenant of a shared computing environment further comprises:
    - obtaining, by the one or more processors, the data as a packet; and
      
      reconstructing, the one or more processors, a header of the packet to create the frame.
  - 7. The computer-implemented method of claim 6, the reconstructing comprising:
    - utilizing, by the one or more processors, the identifier in the metadata to set a next hop media access control (MAC) address as a destination MAC address and a pseudo MAC address as a source MAC address.
  - 8. The computer-implemented method of claim 7, the inserting comprising:
    - based on setting the destination MAC address and the source MAC address, inserting, by the one or more processors, the frame into the access virtual network through a corresponding logical connection point on a network virtualization edge, for connecting the remote resource of a tenant to the one virtual network.

9. A computer program product comprising:
- a computer readable storage medium readable by one or more processors and storing instructions for execution by the one or more processors for performing a method comprising;
  
  obtaining, by the one or more processors, data from a network connection to a remote resource of a remote network of a first tenant, a first tenant identifier for the network connection of the first tenant, additional data from a network connection to a remote resource of a remote network of a second tenant, and a second tenant identifier for the network connection of the second tenant, wherein the network connection to the remote resource of the remote network of the first tenant and the network connection to the remote resource of the remote network of the second tenant comprise a shared virtual private network tunnel over a public Internet connection, wherein the virtual private network tunnel is coupled to remote networks of at least two tenants of at least two virtual networks;
  
  based on the first tenant identifier for the network connection of the first tenant, setting, by the one or more processors, an identifier of the first tenant in metadata associated with the data;
  
  based on the second tenant identifier for the network connection of the second tenant, setting, by the one or more processors, an identifier of the second tenant in metadata associated with the additional data;
  
  obtaining, by the one or more processors, the data and the identifier in the metadata associated with the data and matching the tenant identifier to the first tenant of the shared computing environment;
  
  based on identifying the first tenant of the shared computing environment, inserting, by the one or more processors, the data into an access virtual network of the first tenant of the shared computing environment, wherein the access virtual network of the first tenant of the shared computing environment is associated with one virtual network of the at least two virtual networks in the shared computing environment, and wherein the at least two virtual networks overlay a physical network, and wherein each virtual network of the at least two virtual networks is a virtual network of a tenant;
  
  obtaining, by the one or more processors, the additional data and the identifier in the metadata associated with the additional data and matching the tenant identifier to the second tenant of the shared computing environment; and
  
  based on identifying the second tenant of the shared computing environment, inserting, by the one or more processors, the data into an access virtual network of the second tenant of the shared computing environment, wherein the access virtual network of the second tenant of the shared computing environment is associated with another virtual network of the at least two virtual networks in the shared computing environment.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer program product of claim 9, wherein the inserting comprises:
    - inserting, by the one or more processors, the data into the access virtual network of the first tenant through a logical connection point on a network virtualization edge coupled to the one virtual network.
  - 11. The computer program product of claim 9, wherein obtaining the data from the network connection to a remote resource of the tenant and the tenant identifier for the network connection of the first tenant, comprises:
    - contemporaneously to obtaining the data, in a packet, enforcing, by the one or more processors, a security policy to decrypt the packet.
  - 12. The computer program product of claim 9, wherein matching the tenant identifier to the first tenant of the shared computing environment comprises locating the first tenant in an entry in a tenant table of the shared computing environment.
  - 13. The computer program product of claim 9, wherein inserting, the data into the access virtual network of the first tenant comprises inserting a frame into the access virtual network of the first tenant.
  - 14. The computer program product of claim 13, wherein obtaining the data and the identifier in the metadata and matching the tenant identifier to the tenant of a shared computing environment further comprises:
    - obtaining, by the one or more processors, the data as a packet; and
      
      reconstructing, the one or more processors, a header of the packet to create the frame.
  - 15. The computer program product of claim 14, the reconstructing comprising:
    - utilizing, by the one or more processors, the identifier in the metadata to set a next hop media access control (MAC) address as a destination MAC address and a pseudo MAC address as a source MAC address.

16. A system comprising:
- a memory;
  
  one or more processors in communication with the memory; and
  
  program instructions executable by the one or more processors via the memory to perform a method, the method comprising;
  
  obtaining, by the one or more processors, data from a network connection to a remote resource of a remote network of a first tenant, a first tenant identifier for the network connection of the first tenant, additional data from a network connection to a remote resource of a remote network of a second tenant, and a second tenant identifier for the network connection of the second tenant, wherein the network connection to the remote resource of the remote network of the first tenant and the network connection to the remote resource of the remote network of the second tenant comprise a shared virtual private network tunnel over a public Internet connection, wherein the virtual private network tunnel is coupled to remote networks of at least two tenants of at least two virtual networks;
  
  based on the first tenant identifier for the network connection of the first tenant, setting, by the one or more processors, an identifier of the first tenant in metadata associated with the data;
  
  based on the second tenant identifier for the network connection of the second tenant, setting, by the one or more processors, an identifier of the second tenant in metadata associated with the additional data;
  
  obtaining, by the one or more processors, the data and the identifier in the metadata associated with the data and matching the tenant identifier to the first tenant of the shared computing environment;
  
  based on identifying the first tenant of the shared computing environment, inserting, by the one or more processors, the data into an access virtual network of the first tenant of the shared computing environment, wherein the access virtual network of the first tenant of the shared computing environment is associated with one virtual network of the at least two virtual networks in the shared computing environment, and wherein the at least two virtual networks overlay a physical network, and wherein each virtual network of the at least two virtual networks is a virtual network of a tenant;
  
  obtaining, by the one or more processors, the additional data and the identifier in the metadata associated with the additional data and matching the tenant identifier to the second tenant of the shared computing environment; and
  
  based on identifying the second tenant of the shared computing environment, inserting, by the one or more processors, the data into an access virtual network of the second tenant of the shared computing environment, wherein the access virtual network of the second tenant of the shared computing environment is associated with another virtual network of the at least two virtual networks in the shared computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Bian, Guo Chun, Lin, Jin Jing, Rong, Liang, Tang, Gang, Xian, Ming Shuang
Primary Examiner(s)
Song, Hosuk
Assistant Examiner(s)
Murphy, J. Brant

Application Number

US15/823,099
Publication Number

US 20180083923A1
Time in Patent Office

589 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/20   for managing network securi...

H04L 67/141   Setup of application sessio...

Interconnecting external networks with overlay networks in a shared computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Interconnecting external networks with overlay networks in a shared computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links