ALLOCATING ENFORCEMENT OF A SEGMENTATION POLICY BETWEEN HOST AND NETWORK DEVICES

US 20200136910A1
Filed: 10/26/2018
Published: 04/30/2020
Est. Priority Date: 10/26/2018
Status: Active Grant

First Claim

Patent Images

1. A method for configuring enforcement of a segmentation policy, the method comprising:

obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads;

generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload;

obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload;

determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the network device upstream from the workload; and

sending configuration information based on the plurality of management instructions to at least one of the host and the network device in accordance with the allocation to enable enforcement of the plurality of management instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.

1 Citation

20 Claims

1. A method for configuring enforcement of a segmentation policy, the method comprising:
- obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads;
  
  generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload;
  
  obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload;
  
  determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the network device upstream from the workload; and
  
  sending configuration information based on the plurality of management instructions to at least one of the host and the network device in accordance with the allocation to enable enforcement of the plurality of management instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein determining the allocation comprises:
    - detecting that the particular workload is an unmanaged workload that does not have an enforcement module installed for enforcing the plurality of management instructions; and
      
      responsive to detecting that the particular workload is the unmanaged workload, allocating the plurality of management instructions for enforcement by the network device.
  - 3. The method of claim 1, wherein determining the allocation comprises:
    - detecting that the particular workload provides or consumes one or more latency sensitive services; and
      
      allocating a subset of the plurality of management instructions pertaining to the one or more latency sensitive services for enforcement by the network device.
  - 4. The method of claim 1, wherein determining the allocation comprises:
    - detecting a limit to a number of the plurality of management instructions enforceable on the network device;
      
      allocating for enforcement by the network device, a first set of the plurality of management instructions corresponding to the limit; and
      
      allocating for enforcement by the host, a second set of the plurality of management instructions over the limit.
  - 5. The method of claim 1, wherein determining the allocation comprises:
    - generating, from the plurality of management instructions, one or more coarse rules that coarsely filter communications with the particular workload;
      
      generating, from the plurality of management instructions, one or more fine rules that finely filter communications with the particular workload;
      
      allocating the coarse rules for enforcement by the network device; and
      
      allocating the fine rules for enforcement by the host.
  - 6. The method of claim 1, wherein determining the allocation comprises:
    - detecting a first set of the plurality of management instructions applicable to communications of the particular workload using a stateless protocol;
      
      detecting a second set of the plurality of management instructions applicable to communications of the particular workload using a stateful protocol; and
      
      allocating the first set of the plurality of management instructions for enforcement by the network device; and
      
      allocating the second set of the plurality of management instructions for enforcement by the host.
  - 7. The method of claim 1, wherein determining the allocation comprises:
    - identifying a first set of the plurality of management instructions disallowing communications of the particular workload according to a black list of other workloads;
      
      identifying a second set of the plurality of management instructions permitting communications of the particular workload according to a white list of other workloads;
      
      allocating the first set of the plurality of management instructions for enforcement by the network device; and
      
      allocating the second set of management instructions for enforcement by the host.
  - 8. The method of claim 1, wherein determining the enforcement allocation comprises:
    - identifying a first set of the plurality of management instructions applicable to communications of the particular workload with one or more other workloads identified in the first set of the plurality of management instructions by respective IP addresses associated with the one or more other workloads;
      
      identifying a second set of the plurality of management instructions applicable to communications of the particular workload with a group of other workloads identified in the second set of the plurality of management instructions by labels associated with the group of other workloads;
      
      allocating the first set of the plurality of management instructions for enforcement by the network device; and
      
      allocating the second set of the plurality of management instructions for enforcement by the host.
  - 9. The method of claim 1, wherein determining the allocation comprises:
    - determining an initial allocation according to initial allocation criteria that allocates for enforcement by the network device, a first set of the plurality of management instructions applicable to communications involving a first service having a first priority and a second set of the plurality of management instructions applicable to communications involving a second service having a second priority lower than the first priority;
      
      detecting that the initial allocation of the management instructions for enforcement by the network device exceeds a resource capability of the network device; and
      
      determining an adjusted allocation by re-allocating for enforcement by the host, at least a portion of the second set of the plurality of management instructions applicable to the second service having the second priority.

10. A non-transitory computer-readable storage medium storing instructions for configuring enforcement of a segmentation policy, the instructions when executed by a processor cause the processor to perform steps including:
- obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads;
  
  generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload;
  
  obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload;
  
  determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the network device upstream from the workload; and
  
  sending configuration information based on the plurality of management instructions to at least one of the host and the network device in accordance with the allocation to enable enforcement of the plurality of management instructions.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable storage medium of claim 10, wherein determining the allocation comprises:
    - detecting that the particular workload is an unmanaged workload that does not have an enforcement module installed for enforcing the plurality of management instructions; and
      
      responsive to detecting that the particular workload is the unmanaged workload, allocating the plurality of management instructions for enforcement by the network device.
  - 12. The non-transitory computer-readable storage medium of claim 10, wherein determining the allocation comprises:
    - detecting that the particular workload provides or consumes one or more latency sensitive services; and
      
      allocating a subset of the plurality of management instructions pertaining to the one or more latency sensitive services for enforcement by the network device.
  - 13. The non-transitory computer-readable storage medium of claim 10, wherein determining the allocation comprises:
    - detecting a limit to a number of the plurality of management instructions enforceable on the network device;
      
      allocating for enforcement by the network device, a first set of the plurality of management instructions corresponding to the limit; and
      
      allocating for enforcement by the host, a second set of the plurality of management instructions over the limit.
  - 14. The non-transitory computer-readable storage medium of claim 10, wherein determining the allocation comprises:
    - generating, from the plurality of management instructions, one or more coarse rules that coarsely filter communications with the particular workload;
      
      generating, from the plurality of management instructions, one or more fine rules that finely filter communications with the particular workload;
      
      allocating the coarse rules for enforcement by the network device; and
      
      allocating the fine rules for enforcement by the host.
  - 15. The non-transitory computer-readable storage medium of claim 10, wherein determining the allocation comprises:
    - detecting a first set of the plurality of management instructions applicable to communications of the particular workload using a stateless protocol;
      
      detecting a second set of the plurality of management instructions applicable to communications of the particular workload using a stateful protocol; and
      
      allocating the first set of the plurality of management instructions for enforcement by the network device; and
      
      allocating the second set of the plurality of management instructions for enforcement by the host.
  - 16. The non-transitory computer-readable storage medium of claim 10, wherein determining the allocation comprises:
    - identifying a first set of the plurality of management instructions disallowing communications of the particular workload according to a black list of other workloads;
      
      identifying a second set of the plurality of management instructions permitting communications of the particular workload according to a white list of other workloads;
      
      allocating the first set of the plurality of management instructions for enforcement by the network device; and
      
      allocating the second set of management instructions for enforcement by the host.
  - 17. The non-transitory computer-readable storage medium of claim 10, wherein determining the enforcement allocation comprises:
    - identifying a first set of the plurality of management instructions applicable to communications of the particular workload with one or more other workloads identified in the first set of the plurality of management instructions by respective IP addresses associated with the one or more other workloads;
      
      identifying a second set of the plurality of management instructions applicable to communications of the particular workload with a group of other workloads identified in the second set of the plurality of management instructions by labels associated with the group of other workloads;
      
      allocating the first set of the plurality of management instructions for enforcement by the network device; and
      
      allocating the second set of the plurality of management instructions for enforcement by the host.
  - 18. The non-transitory computer-readable storage medium of claim 10, wherein determining the allocation comprises:
    - determining an initial allocation according to initial allocation criteria that allocates for enforcement by the network device, a first set of the plurality of management instructions applicable to communications involving a first service having a first priority and a second set of the plurality of management instructions applicable to communications involving a second service having a second priority lower than the first priority;
      
      detecting that the initial allocation of the management instructions for enforcement by the network device exceeds a resource capability of the network device; and
      
      determining an adjusted allocation by re-allocating for enforcement by the host, at least a portion of the second set of the plurality of management instructions applicable to the second service having the second priority.

19. A computing system comprising:
- a processor; and
  
  a non-transitory computer-readable storage medium storing instructions for configuring enforcement of a segmentation policy, the instructions when executed by the processor cause the processor to perform steps including;
  
  obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads;
  
  generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload;
  
  obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload;
  
  determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the network device upstream from the workload; and
  
  sending configuration information based on the plurality of management instructions to at least one of the host and the network device in accordance with the allocation to enable enforcement of the plurality of management instructions.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable storage medium of claim 19, wherein determining the allocation comprises:
    - detecting that the particular workload is an unmanaged workload that does not have an enforcement module installed for enforcing the plurality of management instructions; and
      
      responsive to detecting that the particular workload is the unmanaged workload, allocating the plurality of management instructions for enforcement by the network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Illumio, Inc.
Original Assignee
Illumio, Inc.
Inventors
Mishra, Rupesh Kumar, Kirner, Paul James, Glenn, Matthew Kirby

Granted Patent

US 10,785,115 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/5022   by giving priorities, e.g. ...

H04L 47/74   measures in reaction to res...

H04L 47/76   using dynamic resource allo...

H04L 47/805   QOS or priority aware

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/101   Access control lists [ACL]

ALLOCATING ENFORCEMENT OF A SEGMENTATION POLICY BETWEEN HOST AND NETWORK DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

1 Citation

20 Claims

Specification

Solutions

Use Cases

Quick Links

ALLOCATING ENFORCEMENT OF A SEGMENTATION POLICY BETWEEN HOST AND NETWORK DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1 Citation

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links