Creating and distributing template based service rules
First Claim
1. A method of specifying service rules, the method comprising:
specifying a first set of service rules for a first template and a second set of service rules for a second template with each service rule in each of the first and second sets including (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute sets, each rule identifier of each rule comprising at least a template identifier for identifying the template associated with the rule, each template for deploying a multi-tier application in a datacenter; and
distributing the first set of service rules to a first service node in the datacenter, and the second set of service rules to a second service node in the datacenter, each of the first and second service nodes comparing the rule identifiers of the service rules with the data message attribute sets in order to identify service rules that match the data messages that the first or second service node processes, each of the first and second service nodes comparing the rule identifiers and attribute sets by comparing the template identifiers of the rules with the template identifiers associated with the data messages.
Abstract
Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.
19 Claims
1. A method of specifying service rules (independent claim; text as given under First Claim above). Dependent claims: 2–17.
18. A non-transitory machine readable medium storing a program for specifying service rules, the program comprising sets of instructions for:
specifying a first set of service rules for a first template and a second set of service rules for a second template with each service rule in each of the first and second sets including (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute sets, each rule identifier of each rule comprising at least a template identifier for identifying the template associated with the rule, each template for deploying a multi-tier application in a datacenter; and
distributing the first set of service rules to a first service node in the datacenter, and the second set of service rules to a second service node in the datacenter, each of the first and second service nodes comparing the rule identifiers of the service rules with the data message attribute sets in order to identify service rules that match the data messages that the first or second service node processes, each of the first and second service nodes comparing the rule identifiers and attribute sets by comparing the template identifiers of the rules with the template identifiers associated with the data messages.
Dependent claim: 19.
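The abstract and claims 1 and 18 describe rules whose identifier carries a template identifier (optionally a template instance identifier and dynamic component groups), a controller that distributes each template's rule set to a service node, and nodes that match by comparing template identifiers first. The following is an added illustration written for this page, not code from the patent or from any product it covers. The class and field names (RuleId, ServiceRule, DataMessage, ServiceNode, Controller), the "allow"/"drop" service parameters, the priority ordering, the fail-closed default and the constructed template ids ("three-tier-web", "batch-pipeline") are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RuleId:
    """Rule identifier: template id is mandatory, the other criteria are optional (assumed layout)."""
    template_id: str
    instance_id: Optional[str] = None   # None matches every instance of the template
    src_group: Optional[str] = None     # dynamic component group of the sender, e.g. "web"
    dst_group: Optional[str] = None     # dynamic component group of the receiver
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class ServiceRule:
    rule_id: RuleId
    service_param: str   # what the node does on a match; "allow" or "drop" here (assumed)
    priority: int        # lower value is evaluated first


@dataclass(frozen=True)
class DataMessage:
    """Attribute set resolved for a data message, including its template and instance ids."""
    template_id: str
    instance_id: str
    src_group: str
    dst_group: str
    dst_port: int


class ServiceNode:
    """Firewall-style node that only holds the rule sets it was assigned."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[ServiceRule] = []

    def install(self, rules: List[ServiceRule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.priority)

    def match(self, msg: DataMessage) -> Optional[ServiceRule]:
        for rule in self.rules:
            rid = rule.rule_id
            # The template identifier is compared first; a mismatch excludes the rule
            if rid.template_id != msg.template_id:
                continue
            if rid.instance_id is not None and rid.instance_id != msg.instance_id:
                continue
            if rid.src_group is not None and rid.src_group != msg.src_group:
                continue
            if rid.dst_group is not None and rid.dst_group != msg.dst_group:
                continue
            if rid.dst_port is not None and rid.dst_port != msg.dst_port:
                continue
            return rule
        return None

    def process(self, msg: DataMessage) -> str:
        rule = self.match(msg)
        return rule.service_param if rule else "drop"   # no matching rule: fail closed


class Controller:
    """Specifies per-template rule sets and distributes each set to its service node."""

    def __init__(self) -> None:
        self.rules_by_template: Dict[str, List[ServiceRule]] = {}

    def specify(self, template_id: str, rules: List[ServiceRule]) -> None:
        for r in rules:
            if r.rule_id.template_id != template_id:
                raise ValueError(f"rule {r} does not belong to template {template_id}")
        self.rules_by_template.setdefault(template_id, []).extend(rules)

    def distribute(self, assignment: Dict[str, ServiceNode]) -> None:
        for template_id, node in assignment.items():
            node.install(self.rules_by_template.get(template_id, []))


def build_demo() -> Dict[str, ServiceNode]:
    """Constructed sample: two templates, two nodes, one rule set per node."""
    ctl = Controller()
    t1, t2 = "three-tier-web", "batch-pipeline"
    ctl.specify(t1, [
        ServiceRule(RuleId(t1, instance_id="inst-2"), "drop", 5),            # quarantine one instance
        ServiceRule(RuleId(t1, src_group="web", dst_group="app", dst_port=8080), "allow", 10),
        ServiceRule(RuleId(t1, src_group="app", dst_group="db", dst_port=5432), "allow", 20),
        ServiceRule(RuleId(t1), "drop", 1000),                                 # template-wide default
    ])
    ctl.specify(t2, [
        ServiceRule(RuleId(t2, src_group="worker", dst_group="store", dst_port=443), "allow", 10),
    ])
    node_a, node_b = ServiceNode("node-a"), ServiceNode("node-b")
    ctl.distribute({t1: node_a, t2: node_b})
    return {"node-a": node_a, "node-b": node_b}


def run_demo() -> Dict[str, str]:
    nodes = build_demo()
    a, b = nodes["node-a"], nodes["node-b"]
    return {
        "web->app:8080 inst-1 @a": a.process(DataMessage("three-tier-web", "inst-1", "web", "app", 8080)),
        "web->db:5432 inst-1 @a": a.process(DataMessage("three-tier-web", "inst-1", "web", "db", 5432)),
        "app->db:5432 inst-1 @a": a.process(DataMessage("three-tier-web", "inst-1", "app", "db", 5432)),
        "app->db:5432 inst-2 @a": a.process(DataMessage("three-tier-web", "inst-2", "app", "db", 5432)),
        "worker->store:443 run-7 @a": a.process(DataMessage("batch-pipeline", "run-7", "worker", "store", 443)),
        "worker->store:443 run-7 @b": b.process(DataMessage("batch-pipeline", "run-7", "worker", "store", 443)),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The instance-specific quarantine rule and the template-wide default show why the template identifier sits at the front of the rule identifier: a node assigned only "three-tier-web" rules never matches a "batch-pipeline" message, so traffic that reaches the wrong node falls through to the default drop instead of being served by another template's policy.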
Specification