IDENTITY AND ACCESS MANAGEMENT-BASED ACCESS CONTROL IN VIRTUAL NETWORKS
First Claim
1. A provider network, comprising;
- a network substrate;
one or more computing devices implementing an access control service configured to manage and evaluate policies on the provider network; and
a plurality of host devices, wherein each host device implements one or more resource instances;
wherein one or more of the host devices are each configured to;
obtain a network packet from a resource instance on the respective host device;
communicate with the access control service to determine whether the resource instance is or is not allowed to open a connection to a target indicated by the network packet according to an evaluation of a policy associated with the resource instance performed by the service;
if the resource instance is allowed to open a connection to a target indicated by the network packet according to the policy, send one or more network packets from the resource instance to the target via an overlay network path over the network substrate; and
if the resource instance is not allowed to open a connection to a target indicated by the network packet according to the policy, discard the network packet without sending the network packet to the target.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods and apparatus for providing identity and access management-based access control for connections between entities in virtual (overlay) network environments. At the encapsulation layer of the overlay network, an out-of-band connection creation process may be leveraged to enforce access control and thus allow or deny overlay network connections between sources and targets according to policies. For example, resources may be given identities, identified resources may assume roles, and policies may be defined for the roles that include permissions regarding establishing connections to other resources. When a given resource (the source) attempts to establish a connection to another resource (the target), role(s) may be determined, policies for the role(s) may be identified, and permission(s) checked to determine if a connection from the source to the target over the overlay network is to be allowed or denied.
-
Citations
20 Claims
-
1. A provider network, comprising;
-
a network substrate; one or more computing devices implementing an access control service configured to manage and evaluate policies on the provider network; and a plurality of host devices, wherein each host device implements one or more resource instances; wherein one or more of the host devices are each configured to; obtain a network packet from a resource instance on the respective host device; communicate with the access control service to determine whether the resource instance is or is not allowed to open a connection to a target indicated by the network packet according to an evaluation of a policy associated with the resource instance performed by the service; if the resource instance is allowed to open a connection to a target indicated by the network packet according to the policy, send one or more network packets from the resource instance to the target via an overlay network path over the network substrate; and if the resource instance is not allowed to open a connection to a target indicated by the network packet according to the policy, discard the network packet without sending the network packet to the target. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method, comprising:
-
obtaining, by an encapsulation layer process implemented on a host device in a provider network, a network packet from one of one or more resource instances implemented on the host device, wherein the network packet is directed to a target endpoint; determining that the resource instance is identified as a principal according to an identity and access management environment on the provider network; determining that the principal is allowed to open a connection to the target endpoint according an evaluation of a policy associated with the principal; and in response to said determining that the principal is allowed to open a connection to the target endpoint; encapsulating one or more network packets from the resource instance and directed to the target endpoint according to an encapsulation protocol to generate one or more encapsulation packets; and sending the one or more encapsulation packets onto a network substrate of the provider network to be routed to the target endpoint according to routing information in the encapsulation packets. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A non-transitory computer-accessible storage medium storing program instructions computer-executable to implement an encapsulation layer process on a device in a provider network, the encapsulation layer process configured to:
-
obtain a network packet from a source endpoint, wherein the network packet is directed to a target endpoint; determine a resource identifier for the source endpoint and a resource identifier for the target endpoint; determine a policy associated with the resource identifier for the source endpoint and a policy associated with the resource identifier for the target endpoint; determine that the source endpoint is allowed to open a connection to the target endpoint according to an evaluation of one or both of the policy associated with the resource identifier for the source endpoint and the policy associated with the resource identifier for the target endpoint; and in response to said determining that the source endpoint is allowed to open a connection to the target endpoint; tag one or more network packets from the source endpoint and directed to the target endpoint with encapsulation metadata according to an encapsulation protocol to generate one or more encapsulation packets; and send the encapsulation packets onto a network substrate of the provider network to be routed to the target endpoint according to the encapsulation metadata in the encapsulation packets. - View Dependent Claims (18, 19, 20)
-
Specification