Providing access to configurable private computer networks

US 8,230,050 B1
Filed: 12/10/2008
Issued: 07/24/2012
Est. Priority Date: 12/10/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing access to private computer networks, the method comprising:

receiving, by a configurable network service implemented by one or more configured computing systems, configuration information including user-specified network topology information for a private network extension to a remote private computer network, multiple user-specified network addresses for use by the private network extension, and an indication of a remote resource service that is external to the remote private computer network and external to the private network extension and that is separated from the remote private computer network and from the private network extension by one or more intervening networks;

creating, by the configurable network service, the private network extension in accordance with the received configuration information, the creating including configuring the private network extension to provide private access between the private network extension and the remote private computer network in accordance with the specified network topology information;

generating, by the configurable network service, a unique identifier for the private network extension to represent a first namespace within the remote resource service, the first namespace to include one or more computing-related resources provided by the remote resource service that are accessible only from the private network extension;

configuring, by the configurable network service, a local access mechanism that is part of the private network extension and that enables the private network extension to access the one or more computing-related resources within the first namespace, the configuring of the local access mechanism including assigning one of the multiple user-specified network addresses to represent the remote resource service and associating the unique identifier with the assigned network address, so that communications sent from the remote private computer network or from the private network extension to the assigned network address are modified to include the unique identifier to enable the remote resource service to identify the first namespace and are forwarded to the remote resource service over the one or more intervening networks; and

providing, by the configurable network service, the private access between the private network extension and the remote private computer network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.

Citations

29 Claims

1. A computer-implemented method for providing access to private computer networks, the method comprising:
- receiving, by a configurable network service implemented by one or more configured computing systems, configuration information including user-specified network topology information for a private network extension to a remote private computer network, multiple user-specified network addresses for use by the private network extension, and an indication of a remote resource service that is external to the remote private computer network and external to the private network extension and that is separated from the remote private computer network and from the private network extension by one or more intervening networks;
  
  creating, by the configurable network service, the private network extension in accordance with the received configuration information, the creating including configuring the private network extension to provide private access between the private network extension and the remote private computer network in accordance with the specified network topology information;
  
  generating, by the configurable network service, a unique identifier for the private network extension to represent a first namespace within the remote resource service, the first namespace to include one or more computing-related resources provided by the remote resource service that are accessible only from the private network extension;
  
  configuring, by the configurable network service, a local access mechanism that is part of the private network extension and that enables the private network extension to access the one or more computing-related resources within the first namespace, the configuring of the local access mechanism including assigning one of the multiple user-specified network addresses to represent the remote resource service and associating the unique identifier with the assigned network address, so that communications sent from the remote private computer network or from the private network extension to the assigned network address are modified to include the unique identifier to enable the remote resource service to identify the first namespace and are forwarded to the remote resource service over the one or more intervening networks; and
  
  providing, by the configurable network service, the private access between the private network extension and the remote private computer network.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 wherein, the network topology information in the received configuration information specifies one or more networking devices to separate multiple computing systems of the private network extension into different groups having different inter-communication characteristics, the received configuration information further includes an indication that the multiple computing systems of the private network extension are not allowed to access computing systems having network addresses that are not part of the multiple user-specified network addresses, and the providing of the private access between the private network extension and the remote private computer network includes creating virtual devices to simulate the specified one or more networking devices.
  - 3. The method of claim 2 wherein the configurable network service is a fee-based service that is accessible to multiple remote users via public networks.

4. A computer-implemented method for providing access to private computer networks, the method comprising:
- receiving, by one or more computer systems implementing a configurable network service, information from a first client that specifies multiple network addresses for use with a first private computer network for the first client;
  
  configuring, by the one or more computer systems, the first private computer network to includes multiple computing nodes provided by the configurable network service, the configuring of the first private computer network including associating each of the multiple computing nodes with at least one of the multiple network addresses;
  
  configuring, by the one or more computer systems, a local access mechanism as part of the first private computer network to enable access from the first private computer network to a remote resource service in a manner that represents accessing a namespace within the remote resource service, the remote resource service being external to the first private computer network and the namespace including a subset of computing-related resources of the remote resource service, the configuring of the local access mechanism including selecting an indicated one of the multiple network addresses to represent the remote resource service within the first private computer network and associating the indicated one network address with an obtained identifier that enables the remote resource service to identify the namespace;
  
  modifying, by the one or more computer systems, communications sent by the multiple computing nodes to the indicated one network address to include an indication of the identifier to enable the remote resource service to identify the namespace, and forwarding the modified communications to the remote resource service over one or more intervening networks; and
  
  initiating, by the one or more computer systems, availability of access to the first private computer network from one or more remote computing systems of the first client.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 5. The method of claim 4 wherein the first private computer network is configured to be an extension of a remote private computer network of the first client that includes multiple computing systems, wherein the specified multiple network addresses are a subset of a plurality of private network addresses used with the remote private computer network, and wherein the configuring of the first private computer network is further to enable private access between the multiple computing systems of the remote private computer network of the first client and the multiple computing nodes of the first private computer network.
  - 6. The method of claim 5 wherein the initiating of the availability of the access to the first private computer network from the one or more remote computing systems of the first client includes establishing a secure connection between the remote private computer network and the first private computer network so as to provide the enabled private access.
  - 7. The method of claim 5 wherein the multiple computing nodes are a subset of a plurality of computing nodes provided by the configurable network service, wherein the first private computer network is provided by the configurable network service as a virtual network overlaid on one or more physical substrate networks of the configurable network service that interconnect the plurality of computing nodes, and wherein the specified multiple network addresses are virtual network addresses.
  - 8. The method of claim 4 further comprising configuring the first private computer network to allow and to block communications between the multiple computing nodes in accordance with additional information specified by the first client.
  - 9. The method of claim 8 wherein the specified additional information includes network topology information that indicates at least one of one or more networking devices that are part of the first private computer network and one or more subgroups of the multiple computing nodes that share common intercommunication characteristics, wherein the configuring of the first private computer network includes, if the network topology information indicates the one or more networking devices, configuring one or more modules of the configurable network service to simulate presence of the one or more networking devices, and wherein the configuring of the first private computer network includes, if the network topology information indicates the one or more subgroups, configuring one or more modules of the configurable network service to simulate presence of the one or more subgroups.
  - 10. The method of claim 4 further comprising:
    - receiving additional information specified by the first client for use in configuring the first private computer network, the additional information including one or more of a quantity of the multiple computing nodes for the first private computer network, of one or more geographical locations at which at least some of the multiple computing nodes are located, and of one or more network access constraints to control communications between the multiple computing nodes of the first private computer network and other computing systems external to the first private computer network;
      
      selecting the multiple computing nodes for the first private computer network based on the specified additional information; and
      
      automatically configuring the first private computer network in accordance with the specified additional information.
  - 11. The method of claim 4 wherein the information received from the first client includes the identifier for the namespace, wherein at least some of the subset of computing-related resources exist at the remote resource service within the namespace before receiving the information, and wherein the communications sent from one or more of the multiple computing nodes to the indicated network address access one or more of the existing at least some computing-related resources from the remote resource service.
  - 12. The method of claim 4 further comprising interacting, by the one or more computer systems, with the remote resource service to create the namespace for use with the first private computer network, the creating of the namespace including determining the identifier for the namespace, and wherein the one or more communications sent from one or more of the multiple computing nodes to the indicated network address create one or more new computing-related resources from the remote resource service.
  - 13. The method of claim 4 wherein the one or more intervening networks are public networks, and wherein the configuring of the local access mechanism includes configuring one or more modules of the configurable network service to forward communications sent to the indicated network address to the remote resource service over the one or more public networks.
  - 14. The method of claim 4 further comprising obtaining additional information from the first client to configure access from the first private computer network to a distinct second subset of computing-related resources that are associated with a distinct second namespace within the remote resource service, the additional information including a distinct second identifier associated with the second namespace within the remote resource service, and automatically configuring a second local access mechanism as part of the first private computer network to enable access from the multiple computing nodes to the second subset of computing-related resources by associating the second identifier with a second one of the multiple network addresses, so that communications sent from one or more of the multiple computing nodes to the second network address are modified to include an indication of the second identifier for use by the remote resource service in identifying the second namespace and are forwarded to the remote resource service over the one or more intervening networks.
  - 15. The method of claim 4 wherein the computing-related resources associated with the namespace within the remote resource service include resources for at least one of data storage services and of program execution services and of asynchronous message passing services, and wherein the method further comprises, under control of the remote resource service:
    - receiving communications sent from the multiple computing nodes of the first private computer network via the indicated network address to access at least some of the subset of computing-related resources, the received communications including the indication of the identifier; and
      
      providing access to the at least some of the subset of computing-related resources from the namespace associated with the indicated identifier.
  - 16. The method of claim 4 wherein the multiple computing nodes are each a virtual machine hosted on one of multiple physical computing systems of the configurable network service, and wherein the configuring of the first private computer network includes configuring one or more virtual machine communication manager modules that execute on one or more of the physical computing systems to manage communications for the hosted virtual machines.
  - 17. The method of claim 4 wherein the configurable network service provides a programmatic interface for use by multiple clients to configure private computer networks for use by the multiple clients, wherein the private computer networks configured by the multiple clients include one or more configured private computer networks other than the first private computer network for one or more clients other than the first client that have one or more network addresses specified by the one or more other clients that are the same as at least one of the multiple network addresses specified for use with the first private computer network, and wherein the configurable network service further manages those same network addresses such that, for each of those same network addresses, each of the other private computer networks has a computing node corresponding to the network address that is distinct from a computing node corresponding to the network address for the first private computer network.
  - 18. The method of claim 4 further comprising permitting the first client to select any network address for the multiple network addresses specified in the received information.
  - 19. The method of claim 4 wherein the information received from the first client is based on one or more interactions of the first client with a graphical user interface displayed to the first client on a computing device of the first client.

20. A non-transitory computer-readable medium whose contents configure a computing system of a configurable network service to provide access to private computer networks, by performing a method comprising:
- receiving one or more requests from a remote customer to create a network extension to a remote private network of the customer, the one or more requests specifying configuration information for the network extension, the configuration information including network topology information for the network extension;
  
  selecting multiple computing nodes for use as part of the network extension, the multiple computing nodes being a subset of a plurality of computing nodes provided by the configurable network service and being selected based at least in part on the configuration information specified by the customer;
  
  configuring an access mechanism as part of the network extension, the access mechanism enabling access from the selected computing nodes to one or more computing-related resources provided by a resource service that is external to the network extension and that is external to the private network of the customer, the configuring of the access mechanism including assigning one of multiple network addresses for the network extension to represent the resource service within the network extension to the selected computing nodes, such that one or more communications sent from one or more of the selected computing nodes to the assigned network address are forwarded to the resource service;
  
  configuring the network extension to provide private access of the customer to the network extension to enable access from the multiple computing nodes of the network extension to the one or more computing-related resources provided by the resource service, the private access enabling intercommunications between the multiple computing nodes and one or more computing systems of the remote private network of the customer, the intercommunications being routed via the created network extension in accordance with the network topology information; and
  
  initiating the providing of the private access of the remote customer to the network extension.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The non-transitory computer-readable medium of claim 20 wherein the customer is one of multiple remote customers of the configurable network service, wherein the configurable network service provides a programmatic interface for use by the multiple remote customers to supply requests, wherein the one or more requests are provided via the programmatic interface, and wherein the network topology information specified by the customer includes an indication of multiple network addresses for use with the network extension for the customer, the configuring of the network extension including associating each of the multiple computing nodes with one of the indicated network addresses.
  - 22. The non-transitory computer-readable medium of claim 21 wherein a first network address is specified by the customer and by each of at least some other of the multiple customers, and wherein the automatic configuring of the network extension includes managing the first network address for the network extension in a manner that is distinct from the managing of the first network address for the at least some other customers whereby created network extensions for each of the customer and of the at least some other customers has a distinct computing node that is part of that created network extension to which the first network address is assigned.
  - 23. The non-transitory computer-readable medium of claim 20 wherein the one or more requests are received based on one or more interactions of the customer with a graphical user interface displayed to the customer, and wherein the method further comprises, for each of at least one other of multiple remote customers of the configurable network service, receiving one or more requests that are made programmatically and are received from software executing on a computing device of the other customer that programmatically invokes a programmatic interface of the configurable network service.
  - 24. The non-transitory computer-readable medium of claim 20 wherein the configuring of the access mechanism includes associating a namespace identification with the access mechanism such that the one or more communications sent to the assigned network address are automatically modified to include an indication of the namespace identification for use by the resource service.
  - 25. The non-transitory computer-readable medium of claim 20 wherein the computer-readable medium is a memory of the configured computing system that stores the contents, and wherein the contents are instructions that when executed program the configured computing system to perform the method.

26. A computing system configured to provide access to private computer networks, comprising:
- one or more memories; and
  
  a configurable network service manager module that is configured to automatically provide computer networks by, for each of multiple remote clients;
  
  receiving configuration information from the client that includes an indication of multiple network addresses to associate with multiple computing nodes to be provided as part of a created computer network for the client;
  
  configuring multiple computing nodes in accordance with the received configuration information, the configuring including associating at least one of the multiple network addresses with each of the multiple computing nodes;
  
  configuring an access mechanism as part of the created computer network for the client that enables access to one or more resources provided by a network-accessible remote resource service that is not part of the created computer network for the client, the configuring of the access mechanism including assigning one of the multiple network addresses to represent the remote resource service, and associating an identifier with the assigned network address for use in accessing the one or more resources;
  
  providing access from the multiple computing nodes to the one or more resources provided by the resource service via the configured access mechanism by modifying communications sent to the assigned network address from the created private network to include an indication of the identifier and by forwarding the modified communications to the remote resource service; and
  
  providing to the client access to the multiple computing nodes of the created computer network.
- View Dependent Claims (27, 28, 29)
- - 27. The computing system of claim 26 wherein the configurable network service manager module is part of a configurable network service and provides a programmatic interface for use by the multiple remote clients to configure the computer networks created for the clients, wherein the multiple computing nodes of each of the created computer networks are a subset of a plurality of computing nodes provided by the configurable network service, and wherein, for each of at least some of the multiple clients, the configuration information further provides network topology information for the created computer network being configured for the client, the created computer network is a private computer network extension to a remote private computer network of the client and is further configured in accordance with the provided network topology information, and the configuring of the multiple computing nodes of the created computer network enables private access between the remote private computer network and the multiple computing nodes of the private computer network extension.
  - 28. The computing system of claim 26 wherein, for each of at least some of the multiple clients, the identifier is a unique identifier associated with a namespace for the client within the remote resource service and the one or more resources that are to be accessed from the created computer network for the client are stored within the associated namespace for the client.
  - 29. The computing system of claim 26 wherein the configurable network service manager module includes software instructions for execution by the computing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Cohn, Daniel T., Doane, Andrew J., Brandwine, Clarissa Loree Cook, Moses, Carl J., Schmidt, Stephen E.
Primary Examiner(s)
RECEK, JASON D

Application Number

US12/332,214
Time in Patent Office

1,322 Days
Field of Search

709220-221, 709/227, 709/229
US Class Current

709/220
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0803   Configuration setting

H04L 45/586   of virtual routers

H04L 63/0272   Virtual private networks

Providing access to configurable private computer networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Providing access to configurable private computer networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links