DEPLOYING FIREWALL FOR VIRTUAL NETWORK DEFINED OVER PUBLIC CLOUD INFRASTRUCTURE

US 20190104109A1
Filed: 05/04/2018
Published: 04/04/2019
Est. Priority Date: 10/02/2017
Status: Active Grant

First Claim

Patent Images

1. A method of processing a data message that is sent by a first machine to a second machine through a virtual network that is defined over a plurality of public cloud datacenters, the method comprising:

at a firewall service machine that is deployed at a first public cloud datacenter,using a set of attributes associated with the data message to identify a firewall rule that is applicable to the data message; and

performing a firewall action specified by the identified firewall rule on the data message, said performing comprising;

dropping the data message when the firewall action specifies that the data message should be dropped; and

allowing the data message to pass through the virtual network when the firewall action specifies that the data message should be allowed to pass through.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity'"'"'s data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

86 Citations

View as Search Results

18 Claims

1. A method of processing a data message that is sent by a first machine to a second machine through a virtual network that is defined over a plurality of public cloud datacenters, the method comprising:
- at a firewall service machine that is deployed at a first public cloud datacenter,using a set of attributes associated with the data message to identify a firewall rule that is applicable to the data message; and
  
  performing a firewall action specified by the identified firewall rule on the data message, said performing comprising;
  
  dropping the data message when the firewall action specifies that the data message should be dropped; and
  
  allowing the data message to pass through the virtual network when the firewall action specifies that the data message should be allowed to pass through.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein allowing the data message comprises forwarding the data message from the firewall service machine to a first forwarding element that is deployed in the first public cloud datacenter for the first forwarding element to forward the data message to the second machine.
  - 3. The method of claim 1, wherein the first forwarding element forwards the data message to a second forwarding element that is deployed in a second public cloud datacenter for the second forwarding element to forward the data message to the second machine, said first and second forwarding elements configured to implement the virtual network over the first and second public cloud datacenters.
  - 4. The method of claim 3, whereinfor the data message, the first forwarding element is an ingress forwarding element of the virtual network while the second forwarding element is an egress forwarding element of the virtual network,the ingress forwarding element being an initial forwarding element of the virtual network to process the data message, and the egress forwarding element being a final forwarding element of the virtual network to process the data message.
  - 5. The method of claim 3, whereinthe firewall service machine and the first and second forwarding elements are machines deployed on host computers at the first and second public cloud datacenters, andeach machine deployed on each host computer is one of a virtual machine or a container.
  - 6. The method of claim 3, whereinfor the data message, the first forwarding element is an ingress forwarding element of the virtual network and the second forwarding element is an intermediate forwarding element of the virtual network,the ingress forwarding element being an initial forwarding element of the virtual network to process the data message, while the intermediate forwarding element being a forwarding element of the virtual network that forwards the data message to a third forwarding element in a third public cloud datacenter over which the virtual network is defined.
  - 7. The method of claim 1, whereinallowing the data message comprises forwarding the data message from the firewall service machine to a first forwarding element that is deployed in the first public cloud datacenter for the first forwarding element to forward the data message to a public network to forward the data message to the second machine, andthe first forwarding element is an egress forwarding element of the virtual network through which the data message leaves the virtual network.
  - 8. The method of claim 7 further comprising receiving the data message at the first forwarding element from a second forwarding element, whereinthe first and second forwarding elements are configured to implement the virtual network over the first and second public cloud datacenters, and for the data message, the second forwarding element is an ingress forwarding element of the virtual network or an intermediate forwarding element of the virtual network.
  - 9. The method of claim 1, wherein the first and second machines are machines in two private datacenters.
  - 10. The method of claim 1, wherein the first machine is a machine in an office while the second machine is a machine in a private datacenter.
  - 11. The method of claim 1, wherein the first machine is a remote user machine that is outside of a private network of an office or datacenter, while the second machine is a machine in a private network of a private datacenter or an office.
  - 12. The method of claim 1, wherein the set of attributes comprises a set of header values in the data message header.
  - 13. The method of claim 12, wherein the set of header values comprise at least one layer 2, layer 3 or layer 4 value.
  - 14. The method of claim 1, whereinthe virtual network is defined for a particular tenant of a multi-tenant virtual network system, andthe set of attributes comprises a tenant identifier that the system associated with the particular tenant.
  - 15. The method of claim 1, wherein the set of attributes comprises a location identifier associated with a location at which the first machine or the second machine resides.
  - 16. The method of claim 1, wherein using a set of attributes comprises comparing the set of attributes associated with the data message to rule identifiers of a plurality of firewall rules stored in a firewall rule storage to identify a firewall rule that has a rule identifier that matches the set of attributes.
  - 17. The method of claim 16, whereinthe firewall rules have an associated priority, andwhen two firewall rules have rule identifiers that match the set of attributes associated with the data message, the firewall rule with a higher priority is identified as the matching firewall rule over the firewall rule with lower priority.
  - 18. The method of claim 1, wherein the public cloud datacenters comprise a plurality of multi-tenant public cloud datacenters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Cidon, Israel, Dar, Chen, Venugopal, Prashanth, Zohar, Eyal, Markuze, Alex

Granted Patent

US 11,855,805 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/14   Charging , metering or bill...

H04L 12/1403   Architecture for metering, ...

H04L 12/1428   Invoice generation, e.g. cu...

H04L 12/2854   Wide area networks, e.g. pu...

H04L 12/2859   Point-to-point connection b...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 2101/35   containing special prefixes

H04L 2212/00   Encapsulation of packets

H04L 41/046   comprising network manageme...

H04L 41/0803   Configuration setting

H04L 41/0895   Configuration of virtualise...

H04L 41/40   using virtualisation of net...

H04L 43/08   Monitoring or testing based...

H04L 43/0829   Packet loss

H04L 43/0852   Delays

H04L 43/0888   Throughput

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/12   Shortest path evaluation

H04L 45/14   Routing performance; Theore...

H04L 45/64 : using an overlay routing layer

H04L 45/74 : Address processing for routing

H04L 45/745 : Address table lookup; Addre...

H04L 61/25 : of the same type

H04L 61/2514 : between local and global IP...

H04L 61/255 : Maintenance or indexing of ...

H04L 61/4511 : using domain name system [DNS]

H04L 63/0245 : Filtering by information in...

H04L 63/0263 : Rule management

H04L 63/0272 : Virtual private networks

H04L 63/0281 : Proxies

H04L 63/20 : for managing network securi...

H04L 67/10 : in which an application is ...

H04M 15/00 : Arrangements for metering, ...

H04M 15/51 : for resellers, retailers or...

View All

DEPLOYING FIREWALL FOR VIRTUAL NETWORK DEFINED OVER PUBLIC CLOUD INFRASTRUCTURE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

DEPLOYING FIREWALL FOR VIRTUAL NETWORK DEFINED OVER PUBLIC CLOUD INFRASTRUCTURE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links