SECURE VIRTUAL NETWORK PLATFORM FOR ENTERPRISE HYBRID CLOUD COMPUTING ENVIRONMENTS
Abstract
Clusters of virtual network switches (VNS) and controllers are provided. The controller cluster is connected to the VNS cluster, which is between first and second network domains. A request is received at a first end point in the first network domain to connect to a second end point in the second network domain. If the connection should be through a virtual network connecting the network domains, a virtual network connection is established as allowed by a controller of the controller cluster. The establishment includes initiating first outbound traffic from the first end point to a VNS of the VNS cluster and initiating second outbound traffic from the second end point to the VNS. The VNS places a payload from the first outbound traffic into a reply to the second outbound traffic.

40 Claims
1-20. (canceled)

21. A method comprising:
    providing a cluster of virtual network switches, the cluster of virtual network switches being coupled between a first network domain and a second network domain, wherein the cluster of virtual network switches is separate from the first and second network domains, and the second network domain is separate from the first network domain;
    providing a cluster of controllers coupled to the cluster of virtual network switches, the first network domain, and the second network domain;
    receiving at a first end point in the first network domain a request to make a connection to a second end point in the second network domain;
    determining if the connection should be provided through a virtual network connecting the first network domain with the second network domain; and
    if the connection should be provided through the virtual network, establishing a virtual network connection between the first end point and the second end point to transmit a payload from the first network domain to the second network domain, wherein the establishing comprises:
        initiating by the first end point, as allowed by a controller of the cluster of controllers, first traffic from the first network domain to a virtual network switch of the cluster of virtual network switches, the first traffic being allowed through a first firewall of the first network domain because the first traffic is outbound from the first network domain to the virtual network switch, the first traffic thereby being first outbound traffic;
        initiating by the second end point, as allowed by the controller, second traffic from the second network domain to the virtual network switch, the second traffic being allowed through a second firewall of the second network domain because the second traffic is outbound from the second network domain to the virtual network switch, the second traffic thereby being second outbound traffic; and
        placing by the virtual network switch the payload from the first outbound traffic established by the first end point into a reply to the second outbound traffic established by the second end point residing in the second network domain.

22. The method of claim 21 wherein the first end point, second end point, or both comprises an isolated virtual environment.

23. The method of claim 21 wherein the determining if the connection should be provided through the virtual network comprises:
    determining whether a destination address for the payload is listed in a static virtual routing table stored at the first end point, the static virtual routing table comprising a list of addresses for the second network domain; and
    if the destination address is listed in the static virtual routing table, seeking approval of the controller for the virtual network connection.

24. The method of claim 23 comprising:
    if the destination address is not listed in the static virtual routing table, forwarding the request to a local TCP/IP network inside the first network domain.

25. The method of claim 21 comprising:
    storing at the first end point a static virtual routing table comprising a list of destination addresses for the second network domain that the first end point is allowed to connect to through the virtual network.

26. The method of claim 25 comprising:
    upon discovery of a new end point, updating the static virtual routing table to include the new end point; and
    distributing the updated static virtual routing table to the first end point.

27. The method of claim 25 comprising:
    upon discovery of a deletion of an end point, updating the static virtual routing table to remove the deleted end point; and
    distributing the updated static virtual routing table to the first end point.

28. The method of claim 21 wherein the determining if the connection should be provided through the virtual network comprises:
    computing an identifier associated with an application program that is running in the first end point;
    comparing the identifier to a white list of authorized identifiers; and
    if the identifier is in the white list, determining that the connection is allowed to be provided through the virtual network.

29. The method of claim 21 wherein the determining if the connection should be provided through the virtual network comprises:
    computing an identifier associated with an application program that is running in the first end point;
    comparing the identifier to a black list of identifiers; and
    if the identifier is not in the black list, determining that the connection is allowed to be provided through the virtual network.

30. The method of claim 21 comprising:
    if the connection should not be provided through the virtual network, dropping the request.

31. The method of claim 21 wherein one of the first or second network domains comprises a private network domain, and another of the first or second network domains comprises a public network domain.

32. A method comprising:
    providing a cluster of virtual network switches, the cluster of virtual network switches being coupled between a first network domain and a second network domain, wherein the cluster of virtual network switches is separate from the first and second network domains, and the second network domain is separate from the first network domain;
    providing a cluster of controllers coupled to the cluster of virtual network switches, the first network domain, and the second network domain;
    storing a list identifying one or more specific application programs that are not allowed to use a virtual network connecting the first network domain with the second network domain;
    receiving at a first end point in the first network domain a request from a client component of an application program to make a connection to a server component of the application program, the server component of the application program being at a second end point in the second network domain;
    determining from the list if the application program is one of the one or more specific application programs that are not allowed to use the virtual network;
    if allowed, establishing for the application program a virtual network connection between the first end point and the second end point to transmit a payload from the first network domain to the second network domain, wherein the establishing comprises:
        initiating by the first end point, as allowed by a controller of the cluster of controllers, first traffic from the first network domain to a virtual network switch of the cluster of virtual network switches, the first traffic thereby being first outbound traffic from the first network domain;
        initiating by the second end point, as allowed by the controller, second traffic from the second network domain to the virtual network switch, the second traffic thereby being second outbound traffic from the second network domain; and
        placing the payload of the first outbound traffic coming from the first network domain into a reply to the second outbound traffic from the second network domain; and
    if not allowed, not establishing the virtual network connection.

33. The method of claim 32 wherein the first end point, second end point, or both comprises an isolated virtual environment.

34. The method of claim 32 comprising:
    if not allowed, dropping the request.

35. The method of claim 32 wherein one of the first or second network domains comprises a private network domain, and another of the first or second network domains comprises a public network domain.

36. A method comprising:
    providing a cluster of virtual network switches, the cluster of virtual network switches being coupled to a first network domain and a second network domain, wherein the cluster of virtual network switches is separate from the first and second network domains, and the second network domain is separate from the first network domain;
    providing a cluster of controllers coupled to the cluster of virtual network switches, the first network domain, and the second network domain;
    storing at a first end point in the first network domain a static routing table comprising a list of virtual destination Internet Protocol (IP) addresses;
    receiving at the first end point a request from a client to connect to a destination;
    scanning the static routing table to determine whether an IP address of the destination is listed in the static routing table;
    if the IP address is listed, seeking permission to use a virtual network connecting the first network domain to the second network domain, the destination being in the second network domain; and
    upon a determination that use of the virtual network is permitted, establishing for the client a virtual network connection between the first end point and the destination to transmit a payload of the client from the first network domain to the second network domain, wherein the establishing comprises:
        initiating by the first end point, as allowed by a controller of the cluster of controllers, first traffic from the first network domain to a virtual network switch of the cluster of virtual network switches, the first traffic thereby being first outbound traffic from the first network domain;
        initiating by the destination, as allowed by the controller, second traffic from the second network domain to the virtual network switch, the second traffic thereby being second outbound traffic from the second network domain; and
        placing the payload from the first network domain into a reply to the second outbound traffic from the second network domain.

37. The method of claim 36 comprising:
    if the IP address is not listed, dropping the request.

38. The method of claim 36 comprising:
    updating the static routing table; and
    distributing the updated static routing table to the first end point.

39. The method of claim 36 comprising:
    discovering a new end point;
    based on the discovery, updating the static routing table to include a virtual destination IP address associated with the new end point; and
    distributing the updated static routing table to the first end point.

40. The method of claim 36 comprising:
    discovering a deletion of an end point;
    based on the discovery, updating the static routing table to remove a virtual destination IP address associated with the deleted end point; and
    distributing the updated static routing table to the first end point.

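The claims above describe one mechanism from several angles: a static virtual routing table decides whether a destination is reachable over the virtual network at all (claims 23-25, 36-40), the controller approves or refuses use per application via a white list or black list of application identifiers (claims 28-29, 32), and the switch relays a payload without either domain ever accepting an inbound connection, because the payload rides in the reply to the destination's own outbound traffic (claims 21, 32, 36). The Python model below is an added illustration written for this page; it is not code from the patent or its assignee. It assumes constructed addresses (10.100.0.0/24 as the private domain, 10.200.0.0/24 as the public one), a SHA-256 of the program image as the application identifier, and an in-process queue standing in for the switch's network sockets; the claims fix none of those details.

```python
"""Constructed model of the claimed mechanism (added illustration, not code from the
patent or its assignee). Every end point only ever opens *outbound* traffic to the
virtual network switch; the switch holds a payload until the destination end
point's own outbound request arrives and returns it inside that reply, so neither
domain's firewall needs an inbound allow rule."""
import hashlib
from typing import Dict, Iterable, List, Optional, Set

VIRTUAL_NETWORK, LOCAL_NETWORK, DROP = "virtual", "local", "drop"


def app_identifier(program_image: bytes) -> str:
    """Identifier 'associated with an application program' (claims 28/29).
    Hashing the program image is an assumption; the claims do not fix the method."""
    return hashlib.sha256(program_image).hexdigest()


class Controller:
    """Cluster controller: approves or refuses virtual-network use per application.
    A non-empty white list takes precedence (claim 28); otherwise the black list applies (claim 29)."""

    def __init__(self, white_list: Iterable[str] = (), black_list: Iterable[str] = ()):
        self.white_list: Set[str] = set(white_list)
        self.black_list: Set[str] = set(black_list)

    def allows(self, identifier: str) -> bool:
        if self.white_list:
            return identifier in self.white_list
        return identifier not in self.black_list


class VirtualNetworkSwitch:
    """Relay that never initiates traffic. A payload arriving on one end point's
    outbound traffic is queued for the destination and handed back in the reply
    to the destination's own outbound traffic (claims 21, 32, 36)."""

    def __init__(self) -> None:
        self.queued: Dict[str, List[bytes]] = {}

    def outbound(self, src: str, dst: Optional[str] = None,
                 payload: Optional[bytes] = None) -> List[bytes]:
        if dst is not None and payload is not None:
            self.queued.setdefault(dst, []).append(payload)
        # the reply carries whatever other end points have queued for src
        return self.queued.pop(src, [])


class EndPoint:
    """End point holding a static virtual routing table (claims 23-25, 36)."""

    def __init__(self, address: str, routing_table: Set[str],
                 controller: Controller, switch: VirtualNetworkSwitch):
        self.address, self.routing_table = address, routing_table
        self.controller, self.switch = controller, switch

    def route(self, destination: str, identifier: str) -> str:
        if destination not in self.routing_table:
            return LOCAL_NETWORK          # claim 24: stays on the local TCP/IP network
        if not self.controller.allows(identifier):
            return DROP                   # claim 30: controller refused, request dropped
        return VIRTUAL_NETWORK            # claim 23: listed and approved

    def send(self, destination: str, identifier: str, payload: bytes) -> str:
        decision = self.route(destination, identifier)
        if decision == VIRTUAL_NETWORK:   # first outbound traffic carries the payload
            self.switch.outbound(self.address, destination, payload)
        return decision

    def poll(self) -> List[bytes]:
        """Second outbound traffic: the reply carries payloads addressed to this end point."""
        return self.switch.outbound(self.address)


def update_routing_table(table: Set[str], added: Iterable[str] = (),
                         removed: Iterable[str] = ()) -> Set[str]:
    """Claims 26/27 and 39/40: rebuild the table after an end point is discovered or
    deleted; the returned copy is what would be distributed to the end points."""
    return (set(table) | set(added)) - set(removed)


def demo() -> dict:
    # Constructed addresses: 10.100.0.0/24 is the private domain, 10.200.0.0/24 the public one.
    good, bad = app_identifier(b"allowed-app"), app_identifier(b"blocked-app")
    controller = Controller(black_list=[bad])
    switch = VirtualNetworkSwitch()
    table = {"10.200.0.2"}                  # virtual destination IPs of the second domain
    a = EndPoint("10.100.0.1", table, controller, switch)
    b = EndPoint("10.200.0.2", table, controller, switch)
    out = {
        "allowed": a.send("10.200.0.2", good, b"hello from the private domain"),
        "blocked": a.send("10.200.0.2", bad, b"must not leave"),
        "local": a.send("10.100.0.9", good, b"intra-domain"),
    }
    out["b_receives"] = b.poll()            # payload arrives inside b's own reply
    out["b_second_poll"] = b.poll()         # nothing left queued
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes the claims distinguish: a listed destination with an approved application goes over the virtual network, the same destination with a black-listed application is dropped, and an unlisted destination never leaves the local network. The practical consequence for a defender is that the switch cluster and the controller become the trust boundary between the domains: each domain's egress firewall can be narrowed to the switch addresses, and the controller's approval log is the place to detect an application reaching across domains that the white list or black list was meant to stop.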