Managing communications between computing nodes
Abstract
Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destination nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.
58 Claims
1. A computer-implemented method for managing data transmissions between a plurality of virtual machine nodes hosted on a network of multiple computing systems such that each of the computing systems hosts multiple of the virtual machine nodes, the method comprising:
receiving definitions of multiple groups of nodes such that each group has multiple members that are each authorized to communicate with the other members of the node group, the multiple members of each group being multiple related virtual machine nodes from the plurality of virtual machine nodes; and
for each of multiple source virtual machine nodes that each initiate a transmission of data to a remote destination virtual machine node, and under control of the computing system hosting the source virtual machine node, permitting the transmission only if authorized by:
receiving an indication from the source node to transmit data to the remote destination node;
determining if authorization for current transmissions from the source node to the destination node already exists based on negotiations from any prior transmissions from the source node to the destination node;
if authorization for current transmissions from the source node to the destination node is determined to already exist, transmitting the data to the destination node; and
if authorization for current transmissions from the source node to the destination node is not determined to already exist, communicating with a distinct computing system hosting the destination node to negotiate for authorization from the distinct computing system for the source node to transmit to the destination node, authorization for a source node to transmit to a destination node being based at least in part on the source node and the destination node each being members of a common node group; and
if the negotiated authorization is obtained from the distinct computing system, transmitting the data to the destination node on behalf of the source node, and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the source node to the destination node without negotiation.
Dependent claims: 2 to 9.
10. A computer-implemented method for managing outgoing data transmissions from multiple virtual machine nodes, the method comprising:
receiving multiple indications of outgoing transmissions of data being initiated by multiple source nodes that are each one of multiple virtual machines hosted by a host computing system, each indicated data transmission being from one of the source nodes to a remote destination node; and
for each initiated outgoing transmission of data from a source node to a remote destination node, determining if authorization already exists for transmissions from the source node to the destination node;
if authorization does not already exist for transmissions from the source node to the destination node, attempting to obtain authorization by automatically initiating a negotiation for authorization to transmit to the destination node, the initiating including sending a request with information regarding the source node to a recipient associated with the destination node; and
if the authorization is obtained from the negotiation, transmitting the data to the destination node on behalf of the source node and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the source node to the destination node without negotiation.
Dependent claims: 11 to 46.
47. A computer-readable medium whose contents enable a computing device to manage data transmissions for a node, by performing a method comprising:
receiving an indication of a transmission of data initiated from a sending node to a remote destination node;
preventing the data from being transmitted to the destination node while determining whether the data transmission is authorized, the determining including initiating a negotiation for authorization with another computing device associated with the remote destination node; and
if the negotiated authorization is obtained, allowing data to be transmitted to the destination node.
Dependent claims: 48 to 52.
53. A computing system configured to manage data transmissions from multiple computing nodes, the computing system comprising:
a memory; and
multiple hosted virtual machines that each act as an independent computing node and execute at least one application program in a portion of the memory allocated to that virtual machine, one of the hosted virtual machine computing nodes being configured to manage data transmissions from the other hosted virtual machine computing nodes by:
detecting indications of transmissions of data sent from the other hosted virtual machine computing nodes to other destination computing nodes that are not hosted by the computing system;
for each detected indication of a data transmission sent by one of the other hosted virtual machine computing nodes to a destination computing node, preventing the data transmission until authorization is obtained for the one other hosted virtual machine computing node to send the indicated data transmission to the destination computing node;
sending a request to the destination computing node for the authorization; and
after receiving a reply indicating the authorization, allowing one or more data transmissions to be sent to the destination computing node from the one other hosted virtual machine computing node.
Dependent claims: 54 to 58.
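The four independent claims above describe one mechanism seen from the source host (hold the send, check for a stored grant, negotiate on a miss, store the grant), from the destination host (grant only when source and destination share a node group) and from a manager running as one of the hosted VMs. The following simulation is an added example and not code from the patent or its assignee: the node ids, the group definitions, the `registry` mapping node ids to their hosting manager, and the modelling of the negotiation as a direct method call rather than a network message are all constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Host:
    """Transmission manager for the VM nodes hosted on one physical machine.

    One instance plays both roles from the claims: the source-side manager
    (send) and the destination-side authority that answers a negotiation
    request (authorize). Field names are assumptions of this example.
    """
    name: str
    nodes: Set[str]                      # ids of the VM nodes this host runs
    groups: Dict[str, Set[str]]          # group name -> member node ids (shared policy)
    granted: Set[Tuple[str, str]] = field(default_factory=set)  # stored (src, dst) grants
    negotiations: int = 0                # negotiations this host had to initiate
    delivered: List[Tuple[str, str, bytes]] = field(default_factory=list)

    # Destination side: the "reply indicating the authorization" of claim 53.
    def authorize(self, src: str, dst: str) -> bool:
        """Grant only if dst is hosted here and src and dst share a node group."""
        if dst not in self.nodes:
            return False
        return any(src in members and dst in members
                   for members in self.groups.values())

    # Source side, claims 1, 10 and 47: hold, check the cache, negotiate, store, send.
    def send(self, src: str, dst: str, data: bytes,
             registry: Dict[str, "Host"]) -> bool:
        """Return True if data was transmitted to dst on behalf of src."""
        if src not in self.nodes:
            raise ValueError(f"{src} is not hosted on {self.name}")
        dst_host = registry.get(dst)        # constructed lookup: node id -> its host
        if dst_host is None:
            return False                    # unknown destination: keep holding the data
        if (src, dst) not in self.granted:  # no stored grant: negotiate first
            self.negotiations += 1
            if not dst_host.authorize(src, dst):
                return False                # denied; only grants are stored, not denials
            self.granted.add((src, dst))    # remember the grant for later sends
        dst_host.delivered.append((src, dst, data))
        return True


def demo() -> Tuple[List[bool], int, int, int]:
    """Run a constructed scenario; returns (send results, h1 and h2 negotiation
    counts, number of transmissions delivered to host2)."""
    groups = {"web": {"A", "B"}, "db": {"B", "C"}}   # constructed group definitions
    h1 = Host("host1", {"A"}, groups)
    h2 = Host("host2", {"B", "C"}, groups)
    registry = {"A": h1, "B": h2, "C": h2}           # constructed node -> host map
    results = [
        h1.send("A", "B", b"hello", registry),   # miss: negotiate, granted, stored
        h1.send("A", "B", b"again", registry),   # hit: sent without negotiation
        h1.send("A", "C", b"nope", registry),    # no common group: denied, data held
    ]
    groups["web"].add("C")                       # both hosts receive the new definition
    results += [
        h1.send("A", "C", b"now", registry),     # denial was not stored: re-negotiated, granted
        h2.send("B", "A", b"reply", registry),   # reverse direction is a separate grant
    ]
    return results, h1.negotiations, h2.negotiations, len(h2.delivered)


if __name__ == "__main__":
    print(demo())   # ([True, True, False, True, True], 3, 1, 3)
```

Two properties of the claimed scheme show up directly in the run: a stored grant is directional (the B to A send negotiates on its own even though A to B was already granted), and only grants are stored, so a denied pair is re-evaluated on its next attempt and picks up a later group change. The claims say nothing about revoking a stored grant, and this model never does; a deployment would need a lifetime or explicit invalidation on stored entries when group membership shrinks. `authorize` also trusts the source id the requesting host states, which is an assumption of the demo rather than something the claims specify.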
Specification