PROCESSING DATA MESSAGES OF A VIRTUAL NETWORK THAT ARE SENT TO AND RECEIVED FROM EXTERNAL SERVICE MACHINES

US 20190104063A1
Filed: 05/04/2018
Published: 04/04/2019
Est. Priority Date: 10/02/2017
Status: Active Grant

First Claim

Patent Images

1. For a multi-tenant virtual network system, a method of processing a data message that is associated with a virtual network that is defined for a particular tenant over a plurality of public cloud datacenters, the method comprising:

determining that the data message is associated with an external service machine outside of the virtual network and the plurality of public cloud datacenters;

based on a tenant identifier (TID) for the particular tenant in the virtual network system, performing a first source network address translation (SNAT) operation to modify a first source network address of the data message to a modified second source network address;

performing a second SNAT operation to modify the modified second source network address of the data message to a modified third source network address; and

forwarding the data message, with the third modified source network address to the external service machine through an external network that is outside of the public cloud datacenters.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity'"'"'s data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

90 Citations

View as Search Results

20 Claims

1. For a multi-tenant virtual network system, a method of processing a data message that is associated with a virtual network that is defined for a particular tenant over a plurality of public cloud datacenters, the method comprising:
- determining that the data message is associated with an external service machine outside of the virtual network and the plurality of public cloud datacenters;
  
  based on a tenant identifier (TID) for the particular tenant in the virtual network system, performing a first source network address translation (SNAT) operation to modify a first source network address of the data message to a modified second source network address;
  
  performing a second SNAT operation to modify the modified second source network address of the data message to a modified third source network address; and
  
  forwarding the data message, with the third modified source network address to the external service machine through an external network that is outside of the public cloud datacenters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 further comprising performing the first and second SNAT operations for data messages of different tenants, whereinthe first SNAT operation for the data messages of each tenant is based on the TID that the virtual network system associates with each tenant, andthe first SNAT operations map the data messages of different tenants to different source network address spaces to ensure that even when a common network address space is used for two tenants, the modified second source network addresses of the different tenants do not overlap.
  - 3. The method of claim 1, wherein the first SNAT operation is performed in a stateless manner that does not create a record for a flow of the data message to use to process subsequent data messages that are part of the data message'"'"'s flow, while the second SNAT operation is performed in a stateful manner that creates a record for the data message to use the record to process subsequent data messages that are part of the data message'"'"'s flow as the particular data message.
  - 4. The method of claim 1 further comprising:
    - at a first router in a first public cloud datacenter that is used to define the virtual network along with at least one other router in at least one other public cloud datacenter, receiving the data message with an encapsulated tunnel header from the other router; and
      
      extracting the TID from the tunnel header.
  - 5. The method of claim 4, wherein the first router is an egress gateway for the data message to leave the virtual network that is defined over the plurality of public cloud datacenters.
  - 6. The method of claim 4, wherein determining that the data message is associated with an external service machine comprises:
    - extracting a destination network address from an original header of the data message that is encapsulated by the tunnel header; and
      
      using the extracted destination network address to determine that the data message'"'"'s destination address is associated with an interface connected to a machine outside of the public cloud datacenters.
  - 7. The method of claim 6, whereinthe external network is the Internet, andusing the extracted destination network address comprises performing a lookup operation in the public Internet context based on the extracted destination network address.
  - 8. The method of claim 1, wherein the first, second and third network addresses each comprises a layer 3 network address.
  - 9. The method of claim 1, whereinthe first, second and third network addresses each comprises a layer 3 network address and a layer 4 network address, andat least one of the first and second SNAT operations modifies both the layers 3 and 4 network addresses.
  - 10. The method of claim 1, wherein each of the first and second SNAT operations modifies both the layers 3 and 4 network addresses.
  - 11. The method of claim 1, wherein the external service machine is a machine of a SaaS (software as a service) provider, while a source of the data message is one of a machine in an office of the particular tenant, a machine in a private datacenter of the particular tenant, or a remote user machine of the particular tenant.
  - 12. The method of claim 11, wherein the service machine is in a private datacenter of the SaaS provider.
  - 13. The method of claim 1, wherein the modified second source network address is an address in the private network address space of a public cloud datacenter, while the third source network address is a public network address.
  - 14. The method of claim 1 further comprising creating at least one record for the first and second SNAT operations in order to use the record to perform at least one destination network address translation operation for a data message received from the external service machine.
  - 15. The method of claim 1, wherein the public cloud datacenters are multi-tenant public cloud datacenters.

16. For a multi-tenant virtual network system, a non-transitory machine readable medium of processing a data message that is associated with a virtual network that is defined for a particular tenant over a plurality of public cloud datacenters, the program for execution by at least one hardware processing unit, the program comprising sets of instructions for:
- determining that the data message is associated with an external service machine outside of the virtual network and the plurality of public cloud datacenters;
  
  based on a tenant identifier (TID) for the particular tenant in the virtual network system, performing a first source network address translation (SNAT) operation to modify a first source network address of the data message to a modified second source network address;
  
  performing a second SNAT operation to modify the modified second source network address of the data message to a modified third source network address; and
  
  forwarding the data message, with the third modified source network address to the external service machine through an external network that is outside of the public cloud datacenters.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory machine readable medium of claim 16, wherein the program further comprises a set of instructions for performing the first and second SNAT operations for data messages of different tenants, whereinthe first SNAT operation for the data messages of each tenant is based on the TID that the virtual network system associates with each tenant, andthe first SNAT operations map the data messages of different tenants to different source network address spaces to ensure that even when a common network address space is used for two tenants, the modified second source network addresses of the different tenants do not overlap.
  - 18. The non-transitory machine readable medium of claim 16, wherein the first SNAT operation is performed in a stateless manner that does not create a record for a flow of the data message to use to process subsequent data messages that are part of the data message'"'"'s flow, while the second SNAT operation is performed in a stateful manner that creates a record for the data message to use the record to process subsequent data messages that are part of the data message'"'"'s flow as the particular data message.
  - 19. The non-transitory machine readable medium of claim 16, wherein the program further comprises sets of instructions forreceiving, at a first router in a first public cloud datacenter that is used to define the virtual network along with at least one other router in at least one other public cloud datacenter, =the data message with an encapsulated tunnel header from the other router;
    - andextracting the TID from the tunnel header.
  - 20. The non-transitory machine readable medium of claim 19, wherein the first router is an egress gateway for the data message to leave the virtual network that is defined over the plurality of public cloud datacenters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Cidon, Israel, Dar, Chen, Venugopal, Prashanth, Zohar, Eyal, Bergman, Aran, Markuze, Alex

Granted Patent

US 10,805,114 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/14   Charging , metering or bill...

H04L 12/1403   Architecture for metering, ...

H04L 12/1428   Invoice generation, e.g. cu...

H04L 12/2854   Wide area networks, e.g. pu...

H04L 12/2859   Point-to-point connection b...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 2101/35   containing special prefixes

H04L 2212/00   Encapsulation of packets

H04L 41/046   comprising network manageme...

H04L 41/0803   Configuration setting

H04L 41/0895   Configuration of virtualise...

H04L 41/40   using virtualisation of net...

H04L 43/08   Monitoring or testing based...

H04L 43/0829   Packet loss

H04L 43/0852   Delays

H04L 43/0888   Throughput

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/12   Shortest path evaluation

H04L 45/14   Routing performance; Theore...

H04L 45/64 : using an overlay routing layer

H04L 45/74 : Address processing for routing

H04L 45/745 : Address table lookup; Addre...

H04L 61/25 : of the same type

H04L 61/2514 : between local and global IP...

H04L 61/255 : Maintenance or indexing of ...

H04L 61/4511 : using domain name system [DNS]

H04L 63/0245 : Filtering by information in...

H04L 63/0263 : Rule management

H04L 63/0272 : Virtual private networks

H04L 63/0281 : Proxies

H04L 63/20 : for managing network securi...

H04L 67/10 : in which an application is ...

H04M 15/00 : Arrangements for metering, ...

H04M 15/51 : for resellers, retailers or...

View All

PROCESSING DATA MESSAGES OF A VIRTUAL NETWORK THAT ARE SENT TO AND RECEIVED FROM EXTERNAL SERVICE MACHINES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

PROCESSING DATA MESSAGES OF A VIRTUAL NETWORK THAT ARE SENT TO AND RECEIVED FROM EXTERNAL SERVICE MACHINES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others