Dynamically defined virtual private network tunnels in hybrid cloud environments

US 10,505,904 B2
Filed: 10/14/2018
Issued: 12/10/2019
Est. Priority Date: 12/15/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

in a first virtual private network (VPN) agent, managing a first VPN tunnel in a plurality of VPN tunnels, wherein the first VPN tunnel provides communication for traffic between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment;

receiving a request from a VPN manager, the request including a first set of requirements for a first cloud application for the first VPN tunnel in the plurality of VPN tunnels;

creating the first VPN tunnel according to the first set of requirements;

receiving a modification request from the VPN manager containing a second set of requirements for a second cloud application; and

wherein the modification request comprises a selected one of either tuning the first VPN tunnel according to both the first and second set of requirements if the first and second requirements are compatible or creating a second VPN tunnel between the first node and the second node if the first and second requirements are not compatible, the second VPN tunnel managed by the VPN agent.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and computer program product manage a plurality of VPN tunnels between a first cloud and a second cloud in a hybrid cloud environment is described. A first virtual private network (VPN) agent manages a first VPN tunnel in a plurality of VPN tunnels. The first VPN tunnel provides communication for traffic between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment. The agent receives a request from a VPN manager which includes a first set of requirements for a first cloud application for the first VPN tunnel in the plurality of VPN tunnels. The agent creates the first VPN tunnel according to the first set of requirements. Next, the agent receives a modification request from the VPN manager containing a second set of requirements for a second cloud application. The modification request comprises a request either to tune the first VPN tunnel according to both the first and second set of requirements if the first and second requirements are compatible. Alternatively, the request may include creating a second VPN tunnel between the first node and the second node if the first and second requirements are not compatible. The second VPN tunnel is managed by the VPN agent.

28 Citations

View as Search Results

20 Claims

1. A method comprising:
- in a first virtual private network (VPN) agent, managing a first VPN tunnel in a plurality of VPN tunnels, wherein the first VPN tunnel provides communication for traffic between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment;
  
  receiving a request from a VPN manager, the request including a first set of requirements for a first cloud application for the first VPN tunnel in the plurality of VPN tunnels;
  
  creating the first VPN tunnel according to the first set of requirements;
  
  receiving a modification request from the VPN manager containing a second set of requirements for a second cloud application; and
  
  wherein the modification request comprises a selected one of either tuning the first VPN tunnel according to both the first and second set of requirements if the first and second requirements are compatible or creating a second VPN tunnel between the first node and the second node if the first and second requirements are not compatible, the second VPN tunnel managed by the VPN agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, further comprising:
    - monitoring for events occurring in the first VPN tunnel;
      
      detecting a first event occurring in the first VPN tunnel; and
      
      sending the first event to the VPN manager.
  - 3. The method as recited in claim 1, wherein the first and second sets of requirements include respective sets of security requirements.
  - 4. The method as recited in claim 2, wherein the first event is selected from the group consisting of receiving a modification request from an application using the first VPN tunnel which includes a second set of requirements for the first VPN tunnel, detecting a change in traffic bandwidth in the first VPN tunnel, a network topology change for the first cloud and a modification request from an application for a change in security requirements for the first VPN tunnel.
  - 5. The method as recited in claim 1, wherein the first and second requirements were compatible, further comprising:
    - receiving a request from the VPN manager, the request including a modification of the second set of requirements for the first VPN tunnel, wherein the first and modified second sets of requirements are not compatible;
      
      modifying the first VPN tunnel according to the modified second set of requirements, wherein the first set of requirements is for traffic from the first cloud application and the modified second set of requirements is for traffic from the second cloud application;
      
      wherein tuning the first VPN tunnel in response to the event comprises splitting the first VPN tunnel into the first VPN tunnel to accommodate traffic from the first cloud application and a second VPN tunnel to accommodate traffic from the second cloud application, andwherein the first cloud is a private cloud and the second cloud is a public cloud within the hybrid cloud environment.
  - 6. The method as recited in claim 1, wherein the first and second requirements were not compatible, further comprising:
    - receiving a request from the VPN manager, the request including a modification of the second set of requirements for the first VPN tunnel, wherein the first and modified second sets of requirements are compatible;
      
      merging the second VPN tunnel created according to the second set of requirements with the first VPN tunnel; and
      
      modifying first VPN tunnel according to the first and second set of requirements.
  - 7. The method as recited in claim 1, further comprising:
    - receiving a selected VPN agent from the VPN manager;
      
      installing the selected VPN agent in a first system; and
      
      wherein the VPN agent is selected based on the first set of requirements.

8. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor for a virtual private network (VPN) agent to manage a first VPN tunnel of a plurality of VPN tunnels between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment, the computer program instructions comprising;
  
  program code, operative to receive a first request from a VPN manager, the request including a first set of requirements for a first cloud application for the first VPN tunnel in the plurality of VPN tunnels, program code, operative to create the first VPN tunnel according to the first set of requirements;
  
  program code, operative to receive a second request from the VPN manager, the second request including a second set of requirements for a second cloud application; and
  
  program code operative to perform a selected one of either tuning the first VPN tunnel according to both the first and second set of requirements if the first and second requirements are compatible or creating a second VPN tunnel between the first node and the second node if the first and second requirements are not compatible, the second VPN tunnel managed by the VPN agent.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The apparatus as recited in claim 8, further comprising:
    - program code, operative to monitor events in the first VPN tunnel;
      
      program code, operative to receive requests from applications using the first VPN tunnel; and
      
      program code, operative to communicate requests and information concerning the management of the first VPN tunnel to the VPN manager.
  - 10. The apparatus as recited in claim 8, wherein the first set of requirements include a first set of security requirements and the second set of requirements include a second set of security requirements and the apparatus further comprises program code operative to determine whether the first and the second sets of security requirements are compatible.
  - 11. The apparatus as recited in claim 9, wherein the event is a detected change in traffic bandwidth in the first VPN tunnel detected by the VPN agent.
  - 12. The apparatus as recited in claim 9, further comprising:
    - a set of specialized VPN agents; and
      
      program code operative to select a selected VPN agent among the specialized VPN agents according to the first set of requirements.
  - 13. The apparatus as recited in claim 9, wherein the event is detecting an application lifecycle change of the first cloud application.
  - 14. The apparatus as recited in claim 11, wherein the program code operative to monitor events in the first VPN tunnel further comprises:
    - program code, operative to determine whether a lower threshold of traffic bandwidth has been crossed in the first VPN tunnel;
      
      program code, operative to determine whether an upper threshold of traffic bandwidth has been crossed in the first VPN tunnel; and
      
      program code, responsive to a determination that a threshold has been crossed to send a message to the VPN manager.
  - 15. The apparatus as recited in claim 9, further comprising:
    - program code, operative to receive a split request from the VPN manager to split the first VPN tunnel into a third VPN tunnel and the first VPN tunnel; and
      
      program code, operative to split the first tunnel into the first VPN tunnel and the third VPN tunnel.

16. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the processor to manage a first VPN tunnel of a plurality of VPN tunnels between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment, the computer program instructions comprising:
- program code, operative to instruct a virtual private network (VPN) agent to manage a first VPN tunnel of a plurality of VPN tunnels between a first node in a first cloud and a second node in a second cloud in a hybrid cloud environment, the computer program instructions comprising;
  
  program code, operative to receive a first request from a VPN manager, the request including a first set of requirements for a first cloud application for the first VPN tunnel in the plurality of VPN tunnels, program code, operative to create the first VPN tunnel according to the first set of requirements;
  
  program code, operative to receive a second request from the VPN manager, the second request including a second set of requirements for a second cloud application; and
  
  program code operative to perform a selected one of either tuning the first VPN tunnel according to both the first and second set of requirements if the first and second requirements are compatible or creating a second VPN tunnel between the first node and the second node if the first and second requirements are not compatible, the second VPN tunnel managed by the VPN agent.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product as recited in claim 16, further comprising:
    - program code, operative to monitor events in the first VPN tunnel;
      
      program code, operative to receive requests from applications using the first VPN tunnel; and
      
      program code, operative to communicate requests and information concerning the management of the first VPN tunnel to the VPN manager.
  - 18. The computer program product as recited in claim 16, wherein a change in security requirements for the first cloud application causes a split request for the first VPN tunnel.
  - 19. The computer program product as recited in claim 16, wherein a subset of the events is selected from the group consisting of receiving a modification request from an application using the first VPN tunnel which includes a second set of requirements for the first VPN tunnel, detecting a change in traffic bandwidth in the first VPN tunnel, a network topology change for the first cloud and a modification request from an application for a change in security requirements for the first VPN tunnel.
  - 20. The computer program product as recited in claim 16, further comprising program code operative to remove the first VPN tunnel at an end of a first cloud application lifecycle.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hoy, Jeffrey R, Iyer, Sreekanth R, Kapadia, Kaushal K, Muthukrishnan, Ravi K, Nagaratnam, Nataraj
Primary Examiner(s)
Steinle, Andrew J

Application Number

US16/159,678
Publication Number

US 20190052601A1
Time in Patent Office

422 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/164   at the network layer

Dynamically defined virtual private network tunnels in hybrid cloud environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically defined virtual private network tunnels in hybrid cloud environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links