Network policy implementation in a tag-based policy architecture
Abstract
A technique implements network policy deployed in a tag-based policy architecture of a virtualized computing environment. One or more virtual machine instances (VMIs) may be provided by a virtual data center (VDC) of the environment, wherein each VMI includes an intermediary manager of a computing cell that also includes a guest operating system (OS) and associated applications. The tag-based policy architecture may be configured to enforce the network policy in the virtualized computing environment using cryptographically-verifiable metadata to authenticate compute resources, such as the VMIs, coupled to a computer network and to authorize access to protected resources, such as virtualized network resources of the VDC.
20 Claims
1. A system comprising:
one or more processors coupled to a network of a virtualized computing environment;
a control plane executable by at least one of the one or more processors, the control plane configured to implement a network policy of the virtualized computing environment by associating the network policy to a global firewall and apportioning the global firewall into one or more individual firewalls, the control plane further configured to translate the network policy associated with the global firewall into rules of an individual firewall; and
a packet filter module executable by at least one processor of a first computer node, the packet filter module configured to receive the rules from the control plane and implement the individual firewall to enforce the network policy on packets of network traffic as a respective portion of the global firewall, wherein the first computer node is configured to execute a hypervisor and a virtual machine instance (VMI), wherein the VMI is managed by the hypervisor, wherein a guest operating system and an intermediary manager run in the VMI, wherein the packet filter module is a component of the intermediary manager, wherein the packet filter module is configured to enforce the network policy on the packets when passed between the hypervisor and the guest operating system.
(Dependent claims: 2 to 16.)
17. A method comprising:
implementing a network policy of a virtualized computing environment by associating the network policy to a global firewall at a control plane coupled to a network of the virtualized computing environment;
apportioning the global firewall into one or more individual firewalls;
translating the network policy associated with the global firewall into rules of an individual firewall;
receiving the rules from the control plane at a module executed on a first computer node coupled to the network; and
implementing the individual firewall at the module to enforce the network policy on packets of network traffic as a respective portion of the global firewall, wherein the first computer node is configured to execute a hypervisor and a virtual machine instance (VMI), wherein the VMI is managed by the hypervisor, wherein a guest operating system and an intermediary manager run in the VMI, wherein the module is a component of the intermediary manager, wherein the module is configured to enforce the network policy on the packets when passed between the hypervisor and the guest operating system.
(Dependent claims: 18 and 19.)
20. A non-transitory computer readable media containing instructions for execution on a processor for a method comprising:
implementing a network policy of a virtualized computing environment by associating the network policy to a global firewall at a control plane coupled to a network of the virtualized computing environment;
apportioning the global firewall into one or more individual firewalls;
translating the network policy associated with the global firewall into rules of an individual firewall;
receiving the rules from the control plane at a module executed on a first computer node coupled to the network; and
implementing the individual firewall at the module to enforce the network policy on packets of network traffic as a respective portion of the global firewall, wherein the first computer node is configured to execute a hypervisor and a virtual machine instance (VMI), wherein the VMI is managed by the hypervisor, wherein a guest operating system and an intermediary manager run in the VMI, wherein the module is a component of the intermediary manager, wherein the module is configured to enforce the network policy on the packets when passed between the hypervisor and the guest operating system.
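The control-plane and packet-filter split described in the claims, as an added toy model that is not part of the patent: a global tag-based firewall is translated into concrete rules and apportioned into one individual firewall per VMI, which a default-deny filter then enforces on that VMI's traffic. The VMI names, tags, addresses and the `check` helper are constructed for illustration.

```python
# Added example (not from the patent): a toy model of the claimed architecture.
# The control plane keeps one global, tag-based firewall policy, translates its
# tag rules into concrete address/port rules, and apportions them into one
# individual firewall per VMI; a packet filter in that VMI's intermediary
# manager enforces its portion on packets crossing between hypervisor and guest.
from collections import namedtuple

Vmi = namedtuple("Vmi", "name ip tags")                         # compute resource + its tags
TagRule = namedtuple("TagRule", "src_tag dst_tag proto dport")  # global firewall entry
Rule = namedtuple("Rule", "src_ip dst_ip proto dport")          # individual firewall entry

INVENTORY = [  # constructed sample VMIs
    Vmi("web-1", "10.0.1.10", frozenset({"web"})),
    Vmi("db-1", "10.0.2.20", frozenset({"db"})),
    Vmi("bastion", "10.0.3.30", frozenset({"admin"})),
]
# Global firewall: an allow-list expressed over tags, not addresses.
GLOBAL_FIREWALL = [
    TagRule("web", "db", "tcp", 5432),
    TagRule("admin", "db", "tcp", 22),
]

def translate(policy, inventory):
    """Control plane: expand each tag rule into concrete allow rules."""
    rules = set()
    for tr in policy:
        for s in (v for v in inventory if tr.src_tag in v.tags):
            for d in (v for v in inventory if tr.dst_tag in v.tags and v is not s):
                rules.add(Rule(s.ip, d.ip, tr.proto, tr.dport))
    return rules

def apportion(policy, inventory):
    """Control plane: a VMI's individual firewall is the portion of the global
    firewall in which that VMI is the source or the destination."""
    all_rules = translate(policy, inventory)
    return {v.name: frozenset(r for r in all_rules if v.ip in (r.src_ip, r.dst_ip))
            for v in inventory}

class PacketFilter:
    """Packet filter module of the intermediary manager: default-deny, applied
    in both directions (guest->hypervisor and hypervisor->guest). Stateless
    for brevity; a real filter would also track return traffic."""
    def __init__(self, rules):
        self.rules = rules
    def allow(self, src_ip, dst_ip, proto, dport):
        return Rule(src_ip, dst_ip, proto, dport) in self.rules

def check(vmi_name, src_ip, dst_ip, proto, dport):
    """Enforce the individual firewall installed in `vmi_name` on one packet."""
    pf = PacketFilter(apportion(GLOBAL_FIREWALL, INVENTORY)[vmi_name])
    return pf.allow(src_ip, dst_ip, proto, dport)
```

Note that `web-1`'s individual firewall never receives the admin-to-db rule: apportioning gives each node only the portion of the global firewall it needs to enforce, so a compromised guest learns nothing about policy that does not concern it.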