Employing Overlays for Securing Connections Across Networks

US 20110110377A1
Filed: 11/06/2009
Published: 05/12/2011
Est. Priority Date: 11/06/2009
Status: Abandoned Application

First Claim

Patent Images

1. One or more computer-readable media having computer-executable instructions embodied thereon that, when executed, perform a method for communicating across a virtual network overlay between a plurality of endpoints residing in distinct locations within a physical network, the method comprising:

identifying a first endpoint residing in a data center of a cloud computing platform, wherein the first endpoint is reachable by a first physical internet protocol (IP) address;

identifying a second endpoint residing in a resource of an enterprise private network, wherein the second endpoint is reachable by a second physical IP address; and

instantiating virtual presences of the first endpoint and the second endpoint within the virtual network overlay established for a service application, wherein instantiating comprises;

(a) assigning the first endpoint a first virtual IP address;

(b) maintaining in a map an association between the first physical IP address and the first virtual IP address;

(c) assigning the second endpoint a second virtual IP address; and

(d) maintaining in the map an association between the second physical IP address and the second virtual IP address, wherein the map instructs where to route packets between the first endpoint and the second endpoint based on communications exchanged within the virtual network overlay.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized methods, systems, and computer-storage media for establishing and managing a virtual network overlay (“overlay”) are provided. The overlay spans between a data center and a private enterprise network and includes endpoints, of a service application, that reside in each location. The service-application endpoints residing in the data center and in the enterprise private network are reachable by data packets at physical IP addresses. Virtual presences of the service-application endpoints are instantiated within the overlay by assigning the service-application endpoints respective virtual IP addresses and maintaining an association between the virtual IP addresses and the physical IP addresses. This association facilitates routing the data packets between the service-application endpoints, based on communications exchanged between their virtual presences within the overlay. Also, the association secures a connection between the service-application endpoints within the overlay that blocks communications from other endpoints without a virtual presence in the overlay.

Citations

20 Claims

1. One or more computer-readable media having computer-executable instructions embodied thereon that, when executed, perform a method for communicating across a virtual network overlay between a plurality of endpoints residing in distinct locations within a physical network, the method comprising:
- identifying a first endpoint residing in a data center of a cloud computing platform, wherein the first endpoint is reachable by a first physical internet protocol (IP) address;
  
  identifying a second endpoint residing in a resource of an enterprise private network, wherein the second endpoint is reachable by a second physical IP address; and
  
  instantiating virtual presences of the first endpoint and the second endpoint within the virtual network overlay established for a service application, wherein instantiating comprises;
  
  (a) assigning the first endpoint a first virtual IP address;
  
  (b) maintaining in a map an association between the first physical IP address and the first virtual IP address;
  
  (c) assigning the second endpoint a second virtual IP address; and
  
  (d) maintaining in the map an association between the second physical IP address and the second virtual IP address, wherein the map instructs where to route packets between the first endpoint and the second endpoint based on communications exchanged within the virtual network overlay.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The one or more computer-readable media of claim 1, wherein identifying a first endpoint comprises:
    - inspecting a service model associated with the service application, wherein the service model governs which virtual machines are allocated to support operations of the service application;
      
      allocating a virtual machine within the data center of the cloud computing platform in accordance with the service model; and
      
      deploying the first endpoint on the virtual machine.
  - 3. The one or more computer-readable media of claim 1, the method further comprising assigning the virtual network overlay a range of virtual IP addresses, wherein the first virtual IP address and the second virtual IP address are selected from the assigned range.
  - 4. The one or more computer-readable media of claim 3, wherein the virtual IP addresses in the range do not overlap physical IP addresses in ranges utilized by either the cloud computing platform or the enterprise private network.
  - 5. The one or more computer-readable media of claim 3, wherein, when the enterprise private network is provisioned with IP version 4 (IPv4) addresses, the range of virtual IP addresses corresponds to a set of public IP addresses carved out of the IPv4 addresses.
  - 6. The one or more computer-readable media of claim 1, the method further comprising:
    - joining the first endpoint and the second endpoint as members of a group that supports operations of a service application; and
      
      instantiating a virtual presence of the members of the group within the virtual network overlay established for the service application.

7. A computer system for instantiating in a virtual network overlay a virtual presence of a candidate endpoint residing in a physical network, the computer system comprising:
- a data center within a cloud computing platform that hosts the candidate endpoint having a physical IP address; and
  
  a hosting name server that identifies a range of virtual IP addresses assigned to the virtual network overlay, that assigns to the candidate endpoint a virtual IP address that is selected from the range, and that maintains in a map the assigned virtual IP address in association with the physical IP address of the candidate endpoint.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 8. The computer system of claim 7, wherein the hosting name server accesses the map for ascertaining identities of a group of endpoints employed by a service application to support operations thereof.
  - 9. The computer system of claim 7, wherein the hosting name server assigns to the candidate endpoint the virtual IP address upon receiving a request from a service application that the candidate endpoint join the group of endpoints.
  - 10. The computer system of claim 7, wherein the data center includes a plurality of virtual machines that host the candidate endpoint, and wherein a client agent runs on one or more of the plurality of virtual machines.
  - 11. The computer system of claim 7, wherein a client agent negotiates with the hosting name server to retrieve one or more of the identities of the group of endpoints upon the candidate endpoint initiating conveyance of a packet.
  - 12. The computer system of claim 11, further comprising a resource within an enterprise private network that hosts a member endpoint having a physical IP address.
  - 13. The computer system of claim 12, wherein the member endpoint is allocated as a member of the group of endpoints employed by a service application, wherein the member endpoint is assigned a virtual IP address that is selected from the range of virtual IP addresses, and wherein the virtual IP address assigned to the member endpoint is distinct from the virtual IP address assigned to the candidate endpoint.
  - 14. The computer system of claim 13, wherein the virtual IP address assigned to the candidate endpoint is connected through the virtual network overlay to the virtual IP address assigned to the member endpoint.
  - 15. The computer system of claim 14, wherein, upon the candidate endpoint sending a communication to the member endpoint across the connection, the client agent retrieves the physical IP address of the member endpoint from the hosting name server.
  - 16. The computer system of claim 15, wherein the client agent utilizes the physical IP address of the member endpoint to route the packet through a topology of a physical network, wherein the physical network includes the cloud computing platform and the enterprise private network.
  - 17. The computer system of claim 16, wherein the hosting name server is provisioned with end-to-end rules that govern relationships between members of the group of endpoints, wherein the end-to-end rules selectively restrict connectivity of the candidate endpoint to the members of the group of endpoints through the virtual network overlay.

18. A computerized method for facilitating communication between a source endpoint and a destination endpoint across a virtual network overlay, the method comprising:
- binding a source virtual IP address to a source physical IP address in a map, wherein the source physical IP address indicates a location of the source endpoint within a data center of a cloud computing platform;
  
  binding a destination virtual IP address to a destination physical IP address in the map, wherein the destination physical IP address indicates a location of the destination endpoint within a resource of an enterprise private network;
  
  sending a packet from the source endpoint to the destination endpoint utilizing the virtual network overlay, wherein the source virtual IP address and the destination virtual IP address indicate a virtual presence of the source endpoint and the destination endpoint, respectively, in the virtual network overlay, and wherein sending the packet comprises;
  
  (a) identifying the packet that is designated to be delivered to the destination virtual IP address;
  
  (b) employing the map to adjust the designation from the destination virtual IP address to the destination physical IP address; and
  
  (c) based on the destination physical IP address, routing the packet to the destination endpoint within the resource.
- View Dependent Claims (19, 20)
- - 19. The computerized method of claim 18, further comprising:
    - moving the source endpoint from the data center of the cloud computing platform, having the source physical IP address, to a resource within a third-party network, having a remote physical address; and
      
      automatically maintaining the virtual presence of the source endpoint in the virtual network overlay.
  - 20. The computerized method of claim 18, further comprising, upon recognizing that the source endpoint has moved, automatically binding the source virtual IP address to the remote physical IP address in the map.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Alkhatib, Hasan, Bansal, Deepak

Application Number

US12/614,007
Publication Number

US 20110110377A1
Time in Patent Office

Days
Field of Search
US Class Current

370/395.53
CPC Class Codes

H04L 45/64   using an overlay routing layer

H04L 61/2503   Translation of Internet pro...

H04L 63/0272   Virtual private networks

Employing Overlays for Securing Connections Across Networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Employing Overlays for Securing Connections Across Networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links