Authorizing communications between computing nodes

US 8,429,739 B2
Filed: 03/31/2008
Issued: 04/23/2013
Est. Priority Date: 03/31/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authorizing communications between computing nodes, the method comprising:

receiving, by one or more configured computing systems associated with a destination computing node, an incoming communication sent from a sending computing node that is intended for the destination computing node, the sending computing node being one of a plurality of computing nodes of a virtual network and being communicatively connected to the destination computing node via at least one intermediate network and having a source location within the at least one intermediate network, the communication having an indicated source address for the sending computing node, the source address including a representation of a virtual network address and including an indication of the source location, wherein the virtual network address is specified in accordance with the virtual network and is not based on the at least one intermediate network;

before providing the incoming communication to the destination computing node,determining, by the one or more configured computing systems, the source location within the at least one intermediate network from the indication included in the source address of the incoming communication;

identifying, by the one or more configured computing systems, one or more computing nodes that are located at the determined source location within the at least one intermediate network;

determining, by the one or more configured computing systems, one of the plurality of computing nodes of the virtual network to which the virtual network address represented in the source address is assigned; and

determining, by the one or more configured computing systems, that the incoming communication is authorized for the destination computing node if the determined one computing node is one of the identified one or more computing nodes, and otherwise determining that the incoming communication is not authorized for the destination computing node; and

if the incoming communication is determined to be authorized for the destination computing node, initiating forwarding, by the one or more configured computing systems, of the incoming communication to the destination computing node, and otherwise not initiating the forwarding of the incoming communication to the destination computing node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

25 Citations

View as Search Results

21 Claims

1. A computer-implemented method for authorizing communications between computing nodes, the method comprising:
- receiving, by one or more configured computing systems associated with a destination computing node, an incoming communication sent from a sending computing node that is intended for the destination computing node, the sending computing node being one of a plurality of computing nodes of a virtual network and being communicatively connected to the destination computing node via at least one intermediate network and having a source location within the at least one intermediate network, the communication having an indicated source address for the sending computing node, the source address including a representation of a virtual network address and including an indication of the source location, wherein the virtual network address is specified in accordance with the virtual network and is not based on the at least one intermediate network;
  
  before providing the incoming communication to the destination computing node,determining, by the one or more configured computing systems, the source location within the at least one intermediate network from the indication included in the source address of the incoming communication;
  
  identifying, by the one or more configured computing systems, one or more computing nodes that are located at the determined source location within the at least one intermediate network;
  
  determining, by the one or more configured computing systems, one of the plurality of computing nodes of the virtual network to which the virtual network address represented in the source address is assigned; and
  
  determining, by the one or more configured computing systems, that the incoming communication is authorized for the destination computing node if the determined one computing node is one of the identified one or more computing nodes, and otherwise determining that the incoming communication is not authorized for the destination computing node; and
  
  if the incoming communication is determined to be authorized for the destination computing node, initiating forwarding, by the one or more configured computing systems, of the incoming communication to the destination computing node, and otherwise not initiating the forwarding of the incoming communication to the destination computing node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising verifying that the sending computing node is authorized to send the incoming communication to the destination computing node based at least in part on the destination computing node being part of the virtual network to which the sending computing node belongs.
  - 3. The method of claim 1 wherein the sending computing node is executing one or more programs on behalf of a first entity, wherein the destination computing node is executing one or more programs on behalf of a second entity, and wherein the determining that the incoming communication is authorized for the destination computing node further includes verifying that the first entity is authorized to send communications to the second entity.
  - 4. The method of claim 1 wherein the incoming communication is determined to be of a first type, and wherein the determining that the incoming communication is authorized for the destination computing node further includes verifying that the destination computing node is authorized to receive communications of the first type.
  - 5. The method of claim 1 wherein the indication of the location within the at least one intermediate network is a partial source network address stored within the indicated source address that reflects a physical sub-network within a topology of the at least one intermediate network.
  - 6. The method of claim 1 wherein the one or more configured computing systems are executing a first communication manager module that manages communications for one or more computing nodes that include the destination computing node, wherein a remote second communication manager module manages communications for multiple other computing nodes that include the sending computing node, wherein the incoming communication is sent over the at least one intermediate network from the second communication manager module to the first communication manager module, and wherein the forwarding of the incoming communication to the destination computing node includes providing the incoming communication to the destination computing node without using the at least one intermediate network.
  - 7. The method of claim 1 wherein the determining that the incoming communication is authorized for the destination computing node prevents the sending computing node from spoofing its identity in the indicated source address.
  - 8. The method of claim 1 wherein the determining that the incoming communication is authorized for the destination computing node includes interacting with a remote system manager module that maintains information about multiple virtual networks that each include multiple computing nodes, the maintained information including information about computing nodes to which virtual network addresses for the multiple virtual networks are assigned.
  - 9. The method of claim 1 wherein the one or more configured computing systems are executing a first communication manager module that manages communications for one or more computing nodes that include the destination computing node, and wherein the method further comprises, under control of a second communication manager module that manages communications for one or more computing nodes that include the sending computing node, determining whether to provide addressing information to the sending computing node that corresponds to the destination computing node to enable the sending computing node to send the incoming communication to the destination computing node.
  - 10. The method of claim 1 further comprising, under control of a communication manager module that manages communications for one or more computing nodes that include the sending computing node:
    - determining that the sending computing node is authorized to send the incoming communication to the destination computing node; and
      
      forwarding the incoming communication to the destination computing node over the at least one intermediate network.
  - 11. The method of claim 1 wherein the one or more configured computing systems are executing a first communication manager module that manages communications for one or more computing nodes that include the sending computing node, and wherein the initiating of the forwarding of the incoming communication to the destination computing node includes sending the incoming communication over the at least one intermediate network to a second communication manager module that manages communications for one or more computing nodes that include the destination computing node.
  - 12. The method of claim 1 wherein the destination computing node is one of multiple virtual machines hosted by the one or more configured computing systems that are used by a program execution service to execute programs on behalf of customers, and wherein the method is performed by a virtual machine manager module that executes on the one or more configured computing systems to manage communications by the multiple hosted virtual machines on behalf of the program execution service.

13. A non-transitory computer-readable medium whose contents configure a computing system to perform a method, the method comprising:
- receiving a communication sent by a sending node to a destination node via one or more networks, the communication indicating a source network address for the sending node for use in responding to the communication over the one or more networks, the indicated source address including a partial source network address for the sending node that corresponds to a source location of one or more nodes within the one or more networks and including a representation of a virtual network address, wherein the sending node is one of a plurality of nodes of a virtual network, and wherein the virtual network address is specified in accordance with the virtual network and is not based on the one or more networks;
  
  determining, by the configured computing system, that the communication is authorized based at least in part on the indicated source address for the communication, the determining including;
  
  identifying the one or more nodes to which the source location of the partial source network address corresponds;
  
  determining one of the plurality of nodes to which the virtual network address represented in the indicated source address is assigned; and
  
  determining that the determined one node is one of the identified one or more nodes; and
  
  facilitating providing of the communication to the destination node based at least in part on the determining that the communication is authorized.
- View Dependent Claims (14, 15, 16)
- - 14. The non-transitory computer-readable medium of claim 13 wherein the determining that the communication is authorized includes identifying a communication manager module that manages communications for the determined one node and verifying that the received communication was forwarded over the one or more networks by the identified communication manager module.
  - 15. The non-transitory computer-readable medium of claim 13 wherein the computer-readable medium is a memory of the configured computing system.
  - 16. The non-transitory computer-readable medium of claim 13 wherein the contents are instructions that when executed program the configured computing system to perform the method.

17. A system configured to authorize communications between computing nodes, comprising:
- one or more memories of one or more computing systems; and
  
  a communication manager module that is associated with a group of one or more computing nodes and is configured to manage communications for the group, by, after a sending computing node that is not a member of the group initiates a communication over one or more networks to a destination computing node that is a member of the group;
  
  determining whether the initiated communication is authorized based at least in part on information about the sending computing node that is included with the initiated communication, the determining includingidentifying one or more computing nodes that correspond to a source location indicated within the initiated communication, the indicated source location identifying a portion of the one or more networks that is a source of the initiated communication;
  
  determining a computing node to which a virtual network address in the included information is assigned, wherein the determined computing node is one of a plurality of computing nodes of a virtual network, and wherein the virtual network address is specified in accordance with the virtual network and is not based on the one or more networks;
  
  verifying that the determined computing node corresponds to at least one of the identified one or more computing nodes; and
  
  facilitating providing of the initiated communication to the destination computing node if the initiated communication is determined to be authorized.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17 wherein the virtual network address in the included information for the initiated communication is part of a source network address for the initiated communication, and wherein the determining whether the initiated communication is authorized includes interacting with a remote system manager module that maintains information about the associated group of computing nodes to verify that the virtual network address matches the sending computing node.
  - 19. The system of claim 17 further comprising a computing system configured to provide the communication manager module and to host one or more virtual machines that each provides one of the computing nodes of the group.
  - 20. The system of claim 17 wherein the communication manager module includes software instructions for execution in memory of the one or more computing systems.
  - 21. The system of claim 17 wherein the communication manager module consists of a means for performing the managing of the communications for the group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Cohn, Daniel T.
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
SIMS, JING F

Application Number

US12/060,099
Publication Number

US 20090249473A1
Time in Patent Office

1,849 Days
Field of Search

726/27, 726/28, 726/29, 726/30, 726 2- 4, 726/9, 726/11, 726 14- 15, 709/237, 709/245
US Class Current

726/15
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 41/00   Arrangements for maintenanc...

H04L 41/28   Restricting access to netwo...

H04L 45/586   of virtual routers

H04L 61/103   across network layers, e.g....

H04L 61/251   between different IP versions

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0236   Filtering by address, proto...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

Authorizing communications between computing nodes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Authorizing communications between computing nodes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links