SECURE VIRTUAL NETWORK PLATFORM FOR ENTERPRISE HYBRID CLOUD COMPUTING ENVIRONMENTS
Abstract
A secure virtual network platform connects two or more different or separate network domains. When a data packet is received at an end point in one network domain, a determination is made as to whether the data packet should be forwarded outside the virtual network platform, or transmitted via the virtual network to a destination in another network domain connected by the virtual network platform.
Claims (20)
1. A method comprising:
receiving at a first end point in a first network domain a request to make a connection to a second end point;
determining if the connection should be provided through a virtual network connecting the first network domain with a second network domain, separate from the first network domain;
if the connection should be provided through the virtual network, establishing a virtual network connection between the first end point and the second end point, the second end point being in the second network domain; and
if the connection should not be provided through the virtual network, passing the request outside the virtual network.
2. The method of claim 1 wherein the passing the request outside the virtual network comprises:
forwarding the request to a local TCP/IP network inside the first network domain.
3. The method of claim 1 wherein the passing the request outside the virtual network comprises:
forwarding the request to a physical networking device inside the first network domain.
4. The method of claim 1 wherein the determining if the connection should be provided through a virtual network connection comprises:
comparing one or more than one Internet Protocol (IP) addresses associated with the second end point against a list of IP addresses stored at the first end point, wherein when the one or more than one IP addresses associated with the second end point are not listed in the list of IP addresses, the connection should not be provided through the virtual network.
5. The method of claim 1 wherein the virtual network comprises:
a first control daemon and a first virtual network proxy at the first end point in the first network domain; a second control daemon and a second virtual network proxy at the second end point in the second network domain; a virtual network switch coupled between the first and second network domains; and a controller coupled to the virtual network switch, and the first and second control daemons, wherein the controller upon approving the virtual network connection instructs the first virtual network proxy via the first control daemon to establish a first connection of the virtual network connection to the virtual network switch, instructs the second virtual network proxy via the second control daemon to establish a second connection of the virtual network connection to the virtual network switch, and instructs the virtual network switch to allow the first connection from the first virtual network proxy, and to allow the second connection from the second virtual network proxy.
6. The method of claim 1 wherein the first end point, second end point, or both comprises at least one of a physical server, a virtual machine (VM), or a virtual network edge gateway.
7. The method of claim 1 wherein the first end point comprises a client component of an application program that issues the request, the second end point comprises a server component of the application program, and the method comprises:
computing an identifier of the application program; comparing the identifier with a predetermined identifier associated with a specific version of the application program; and if the identifier does not match the predetermined identifier associated with the specific version of the application program, determining that the connection should not be provided through the virtual network.
8. The method of claim 1 wherein the first network domain is coupled to the second network domain via the Internet.
9. The method of claim 1 comprising:
storing a list identifying one or more specific application programs authorized to use the virtual network; determining that the request is from one of the one or more specific application programs authorized to use the virtual network; after the determination that the request is from a specific application program authorized to use the virtual network, seeking permission from a controller for the establishment of the virtual network connection; and receiving an indication that the connection should not be provided through the virtual network, the permission thereby being denied by the controller.
10. The method of claim 1 wherein the establishing a virtual network connection between the first end point and the second end point comprises:
creating at the first end point a first dynamic routing table having first routing information, the first routing information comprising a first session identifier for the virtual network connection; and forwarding the first routing information to a virtual network switch between the first and second network domains, wherein the virtual network switch consults a second dynamic virtual routing table having second routing information, the second routing information comprising a second session identifier, wherein when the second session identifier matches the first session identifier, the virtual network switch forwards a payload of a data packet from the first end point to the second end point according to the second routing information.
11. A method comprising:
storing a list identifying one or more specific application programs that are allowed to use a virtual network connecting a first network domain with a second network domain, different from the first network domain; receiving at a first end point in the first network domain a request from a client component of an application program to make a connection to a server component of the application program; determining from the list if the application program is one of the one or more specific application programs that are allowed to use the virtual network; if allowed, establishing for the application program a virtual network connection between the first end point and a second end point in the second network domain, the server component of the application program being at the second end point in the second network domain; and if not allowed, not establishing the virtual network connection.
12. The method of claim 11 wherein one of the first or second network domains comprises a private network domain, and another of the first or second network domains comprises a public network domain.
13. The method of claim 11 wherein the one or more specific application programs comprises at least one of a GDB Debug Application, a VNC Access and Collaboration Application, or a Zshell Secure Access Application.
14. The method of claim 11 wherein the virtual network comprises a virtual network switch coupled between the first and second network domains, and a virtual routing table,
wherein the virtual network switch receives a data packet from the first end point, and based on the virtual routing table, forwards a payload in the data packet to the second end point in the second network domain.
15. The method of claim 11 comprising:
comparing an identifier associated with the application program to the list identifying the one or more specific application programs that are allowed to use the virtual network; if the identifier associated with the application program matches an identifier in the list, determining that the application program is one of the one or more specific application programs that are allowed to use the virtual network; and if the identifier associated with the application program does not match an identifier in the list, determining that the application program is not one of the one or more specific application programs that are allowed to use the virtual network, and passing the request to a local TCP/IP network inside the first network domain.
16. The method of claim 11 wherein the establishing for the application program a virtual network connection comprises:
creating at the first end point a first dynamic routing table having first routing information, the first routing information comprising a first session identifier for the virtual network connection; and forwarding the first routing information to a virtual network switch between the first and second network domains, wherein the virtual network switch consults a second dynamic virtual routing table having second routing information, the second routing information comprising a second session identifier, wherein when the second session identifier corresponds to the first session identifier, the virtual network switch forwards a payload of a data packet from the client component to the server component according to the second routing information.
17. A method comprising:
storing at a first end point in a first network domain a static routing table comprising a list of virtual destination Internet Protocol (IP) addresses; receiving at the first end point a request from a client to connect to a destination; scanning the static routing table to determine whether an IP address of the destination is listed in the static routing table; if the IP address is not listed, passing the request to a TCP/IP network that is local to the first network domain; if the IP address is listed, seeking permission to use a virtual network connecting the first network domain to a second network domain, different from the first network domain, the destination being in the second network domain; and upon a determination that use of the virtual network is permitted, establishing for the client a virtual network connection between the first end point and the destination.
18. The method of claim 17 comprising upon the determination that use of the virtual network is permitted, creating at the first end point a first dynamic routing table having first routing information, the first routing information comprising a first identifier that identifies the virtual network connection; and
forwarding the first routing information to a virtual network switch between the first and second network domains, wherein the virtual network switch consults a second dynamic virtual routing table having second routing information, the second routing information comprising a second identifier, wherein when the second identifier corresponds to the first identifier, the virtual network switch forwards a payload of a data packet from the client to the destination according to the second routing information.
19. The method of claim 18 wherein the second dynamic virtual routing table is provisioned by a controller after the controller determines that use of the virtual network is permitted.
20. The method of claim 17 wherein the virtual network comprises a controller that grants or denies permission to use the virtual network,
wherein when the controller grants permission to use the virtual network, the controller provisions an entry in a dynamic virtual routing table at a virtual network switch between the first and second network domains, and wherein the entry comprises a virtual IP address associated with the client, a virtual IP address associated with the destination, and a session identifier for the virtual network connection.
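The decision chain the claims describe (static table of virtual destination IPs in claim 17, application identifier check in claims 7 and 15, controller permission in claim 9, and a controller-provisioned switch entry keyed by session identifier in claims 10, 18 and 20), as an added Python model that is not the patent's own code. The class layout, the allowed-pairs policy, the sample addresses and the application identifiers are assumptions constructed for this example.

```python
import itertools
from dataclasses import dataclass

@dataclass
class RouteEntry:           # one row of the switch's dynamic virtual routing table (claim 20)
    src_vip: str
    dst_vip: str
    session_id: int

class VirtualSwitch:        # forwards only when the packet's session id matches an entry (claims 10, 18)
    def __init__(self):
        self.table = []     # provisioned by the controller, never by an end point (claim 19)
    def forward(self, packet):
        for e in self.table:
            if e.session_id == packet["session_id"] and e.src_vip == packet["src"]:
                return e.dst_vip, packet["payload"]
        return None         # no matching session: the payload is not forwarded

class Controller:           # grants or denies use of the virtual network (claims 9, 19, 20)
    def __init__(self, switch, allowed_pairs):
        self.switch = switch
        self.allowed_pairs = allowed_pairs   # assumed policy: approved (src_vip, dst_vip) pairs
        self._ids = itertools.count(1)
    def request(self, src_vip, dst_vip):
        if (src_vip, dst_vip) not in self.allowed_pairs:
            return None                      # permission denied; nothing is provisioned
        sid = next(self._ids)
        self.switch.table.append(RouteEntry(src_vip, dst_vip, sid))
        return sid

class EndPoint:             # client-side decision of claims 1, 4, 7, 9, 15 and 17
    def __init__(self, vip, static_routes, allowed_apps, controller):
        self.vip, self.controller = vip, controller
        self.static_routes = static_routes   # static routing table of virtual destination IPs
        self.allowed_apps = allowed_apps     # {app name: identifier of the permitted version}
        self.dynamic_routes = {}             # session_id -> dst_vip, created only on approval
    def connect(self, app_name, app_id, dst_ip):
        if dst_ip not in self.static_routes:
            return "local"                   # claim 17: hand off to the local TCP/IP network
        if self.allowed_apps.get(app_name) != app_id:
            return "local"                   # claims 7, 15: unlisted app or wrong version
        sid = self.controller.request(self.vip, dst_ip)
        if sid is None:
            return "denied"                  # claim 9: controller refused permission
        self.dynamic_routes[sid] = dst_ip    # first dynamic routing table (claims 10, 18)
        return sid

def build_demo():           # constructed sample topology, not taken from the patent
    switch = VirtualSwitch()
    ctrl = Controller(switch, {("10.0.0.1", "10.0.1.1")})
    ep = EndPoint("10.0.0.1", ["10.0.1.1", "10.0.1.2"], {"vnc": "vnc-5.1"}, ctrl)
    return ep, switch
```

Note that a destination listed in the static table but refused by the controller leaves the switch table empty, so no packet for that flow can ever be forwarded, which is the property the session-identifier match is meant to enforce.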