PRIVATE ALIAS ENDPOINTS FOR ISOLATED VIRTUAL NETWORKS
First Claim
1. A system, comprising:
- a configuration manager of a provider network;
- a virtualization management component (VMC) of an instance host, wherein a first compute instance of a first isolated virtual network (IVN) established on behalf of a client is instantiated at the instance host, and wherein the first compute instance has a private network address selected by the client; and
- a tunneling intermediary;
wherein the configuration manager is configured to store a first metadata entry representing a designation of a first private alias endpoint (PAE) as a routing target for packets originating at the first IVN and directed to a particular service, wherein the packets are to be delivered to the particular service without indicating a publicly-advertised network address as a source address;
wherein the VMC is configured to transmit to the tunneling intermediary, based at least in part on an examination of the first metadata entry, a first encapsulation packet derived from a baseline packet intercepted at the VMC, wherein the baseline packet is generated at the first compute instance and directed to a publicly-advertised network address of the particular service; and
wherein the tunneling intermediary is configured to:
- generate, in accordance with a tunneling protocol, a second encapsulation packet from the first encapsulation packet, wherein the second encapsulation packet includes a header component indicating the first IVN as a source IVN; and
- transmit the second encapsulation packet to a first node of one or more nodes of the particular service, wherein the first node is configured to (a) determine, from the second encapsulation packet, an identifier of the first IVN and the private network address, and (b) initiate one or more operations to fulfill a service request indicated in the baseline packet.
Abstract
In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.
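The abstract and claim 1 describe a two-stage tunnel: the VMC at the instance host consults the configuration manager's metadata entry, and only when a PAE is designated for (source IVN, destination service) does the packet leave through the tunneling intermediary, which adds a header naming the source IVN; the service node then recovers the IVN identifier and the client-chosen private source address. The following Python model is an added example written for this page, not code from the patent or its assignee. The header layout, the identifiers (ivn-a, pae-1, object-store) and the service address in the 203.0.113.0/24 documentation range are all constructed here; the patent names no concrete tunneling protocol. The point it makes explicit is that the inner source address is client-selected and therefore not unique across IVNs, so the service must identify the caller by the (IVN id, private address) pair that the trusted intermediary, not the instance, put on the wire.

```python
import struct
from dataclasses import dataclass

# Constructed sample values for this example (RFC 5737 documentation range for the service address).
SERVICE_NAME = "object-store"
PUBLIC_ADDR_TO_SERVICE = {"203.0.113.10": SERVICE_NAME}
HEADER_MAGIC = b"PAE1"  # assumed marker; the patent specifies no concrete tunnel header


@dataclass(frozen=True)
class BaselinePacket:
    src_ip: str     # client-selected private address, meaningful only inside its IVN
    dst_ip: str     # publicly advertised address of the service
    payload: bytes  # the service request


@dataclass(frozen=True)
class FirstEncapsulation:
    """What the VMC hands to the tunneling intermediary: the baseline packet plus host context."""
    ivn_id: str
    pae_id: str
    baseline: BaselinePacket


class ConfigurationManager:
    """Holds the metadata entries designating a PAE as routing target for an (IVN, service) pair."""

    def __init__(self):
        self._entries = {}

    def designate_pae(self, ivn_id, service, pae_id):
        self._entries[(ivn_id, service)] = pae_id

    def pae_for(self, ivn_id, service):
        return self._entries.get((ivn_id, service))


def vmc_intercept(config, ivn_id, pkt):
    """VMC step: examine the metadata entry for the packet's destination service.
    Returns ("tunnel", FirstEncapsulation) when a PAE is designated, otherwise ("public", pkt)
    to signal the ordinary Internet-facing path, which this example does not model."""
    service = PUBLIC_ADDR_TO_SERVICE.get(pkt.dst_ip)
    pae_id = config.pae_for(ivn_id, service) if service else None
    if pae_id is None:
        return ("public", pkt)
    return ("tunnel", FirstEncapsulation(ivn_id, pae_id, pkt))


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def _pack_str(s):
    encoded = s.encode()
    return struct.pack("!B", len(encoded)) + encoded


def _unpack_str(buf, off):
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode(), off + 1 + n


def tunnel_encapsulate(first):
    """Tunneling intermediary step: second encapsulation, tagging the source IVN in the header.
    Assumed layout: magic | ivn_id | pae_id | inner src IPv4 | inner dst IPv4 | payload."""
    b = first.baseline
    return (HEADER_MAGIC + _pack_str(first.ivn_id) + _pack_str(first.pae_id)
            + _ip_bytes(b.src_ip) + _ip_bytes(b.dst_ip) + b.payload)


def service_decapsulate(wire):
    """Service node step: recover the IVN identifier, the private source address and the request."""
    if wire[:4] != HEADER_MAGIC:
        raise ValueError("not a PAE tunnel packet")
    ivn_id, off = _unpack_str(wire, 4)
    pae_id, off = _unpack_str(wire, off)
    src_ip = _ip_str(wire[off:off + 4])
    dst_ip = _ip_str(wire[off + 4:off + 8])
    return {"ivn_id": ivn_id, "pae_id": pae_id, "src_ip": src_ip,
            "dst_ip": dst_ip, "payload": wire[off + 8:]}


def send_via_pae(config, ivn_id, pkt):
    """End to end: what the service node sees, or None when no PAE is designated for this IVN."""
    kind, obj = vmc_intercept(config, ivn_id, pkt)
    if kind != "tunnel":
        return None
    return service_decapsulate(tunnel_encapsulate(obj))


def caller_identity(view):
    """Authorization key at the service. The private address alone is ambiguous: every client
    picks its own addresses, so two IVNs can both send from 10.0.0.5."""
    return (view["ivn_id"], view["src_ip"])


if __name__ == "__main__":
    cfg = ConfigurationManager()
    cfg.designate_pae("ivn-a", SERVICE_NAME, "pae-1")
    cfg.designate_pae("ivn-b", SERVICE_NAME, "pae-2")
    req = BaselinePacket("10.0.0.5", "203.0.113.10", b"GET /bucket/object")
    for ivn in ("ivn-a", "ivn-b", "ivn-c"):
        seen = send_via_pae(cfg, ivn, req)
        print(ivn, "->", caller_identity(seen) if seen else "no PAE designated, public path")
```

Running the block shows ivn-a and ivn-b arriving at the service as two distinct callers despite the identical inner source address, while ivn-c, which has no metadata entry, is not tunnelled at all.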
Claims (20)
1. (Text identical to the first claim reproduced above.) Dependent claims: 2, 3, 4, 5.
6. A method, comprising:
- determining, at a tunneling intermediary of a provider network, that a first private alias endpoint (PAE) has been designated as a routing target for traffic originating at a first isolated virtual network (IVN) established on behalf of a client, wherein the traffic is to be delivered to a particular publicly-accessible service;
- receiving, at the tunneling intermediary, a baseline packet directed from a first compute instance of the first IVN to a publicly-advertised network address of the particular publicly-accessible service; and
- transmitting, by the tunneling intermediary to a first node of the particular service, an encapsulation packet comprising (a) contents of the baseline packet and (b) an indication of the first IVN as a source IVN.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15.
-
16. A non-transitory computer-accessible storage medium storing program instructions that, when executed on one or more processors, implement a tunneling intermediary of a provider network, wherein the tunneling intermediary is configured to:
- receive, in accordance with a designation of a first private alias endpoint (PAE) as a routing target for traffic directed to a particular service from a first isolated virtual network (IVN) established at the provider network on behalf of a client, a baseline packet generated at a first compute instance of the first IVN, wherein the baseline packet indicates a public IP (Internet Protocol) address of the particular service as its destination address;
- generate, in accordance with a selected tunneling protocol, an encapsulation packet comprising (a) at least a portion of contents of the baseline packet and (b) a header component indicating the first IVN as a source IVN; and
- transmit the encapsulation packet to a first node of the particular service.
Dependent claims: 17, 18, 19, 20.