Authorizing communications between computing nodes
First Claim
1. A computer-implemented method for authorizing communications between computing nodes, the method comprising:
- receiving, by one or more configured computing systems associated with a destination computing node, an incoming communication sent from a sending computing node that is intended for the destination computing node, the sending computing node being one of a plurality of computing nodes of a virtual network and being communicatively connected to the destination computing node via at least one intermediate network and having a source location within the at least one intermediate network, the communication having an indicated source address for the sending computing node, the source address including a representation of a virtual network address and including an indication of the source location, wherein the virtual network address is specified in accordance with the virtual network and is not based on the at least one intermediate network;
- before providing the incoming communication to the destination computing node, determining, by the one or more configured computing systems, the source location within the at least one intermediate network from the indication included in the source address of the incoming communication;
- identifying, by the one or more configured computing systems, one or more computing nodes that are located at the determined source location within the at least one intermediate network;
- determining, by the one or more configured computing systems, one of the plurality of computing nodes of the virtual network to which the virtual network address represented in the source address is assigned; and
- determining, by the one or more configured computing systems, that the incoming communication is authorized for the destination computing node if the determined one computing node is one of the identified one or more computing nodes, and otherwise determining that the incoming communication is not authorized for the destination computing node; and
- if the incoming communication is determined to be authorized for the destination computing node, initiating forwarding, by the one or more configured computing systems, of the incoming communication to the destination computing node, and otherwise not initiating the forwarding of the incoming communication to the destination computing node.
Abstract
Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.
25 Citations
21 Claims
1. Independent claim; its text is reproduced in full under First Claim above. Dependent claims: 2 to 12.
13. A non-transitory computer-readable medium whose contents configure a computing system to perform a method, the method comprising:
- receiving a communication sent by a sending node to a destination node via one or more networks, the communication indicating a source network address for the sending node for use in responding to the communication over the one or more networks, the indicated source address including a partial source network address for the sending node that corresponds to a source location of one or more nodes within the one or more networks and including a representation of a virtual network address, wherein the sending node is one of a plurality of nodes of a virtual network, and wherein the virtual network address is specified in accordance with the virtual network and is not based on the one or more networks;
- determining, by the configured computing system, that the communication is authorized based at least in part on the indicated source address for the communication, the determining including:
  - identifying the one or more nodes to which the source location of the partial source network address corresponds;
  - determining one of the plurality of nodes to which the virtual network address represented in the indicated source address is assigned; and
  - determining that the determined one node is one of the identified one or more nodes; and
- facilitating providing of the communication to the destination node based at least in part on the determining that the communication is authorized.

Dependent claims: 14, 15, 16.
17. A system configured to authorize communications between computing nodes, comprising:
- one or more memories of one or more computing systems; and
- a communication manager module that is associated with a group of one or more computing nodes and is configured to manage communications for the group by, after a sending computing node that is not a member of the group initiates a communication over one or more networks to a destination computing node that is a member of the group:
  - determining whether the initiated communication is authorized based at least in part on information about the sending computing node that is included with the initiated communication, the determining including identifying one or more computing nodes that correspond to a source location indicated within the initiated communication, the indicated source location identifying a portion of the one or more networks that is a source of the initiated communication;
  - determining a computing node to which a virtual network address in the included information is assigned, wherein the determined computing node is one of a plurality of computing nodes of a virtual network, and wherein the virtual network address is specified in accordance with the virtual network and is not based on the one or more networks;
  - verifying that the determined computing node corresponds to at least one of the identified one or more computing nodes; and
  - facilitating providing of the initiated communication to the destination computing node if the initiated communication is determined to be authorized.

Dependent claims: 18, 19, 20, 21.
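The three independent claims describe one anti-spoofing check at the edge of the virtual network: split the indicated source address into the part that names a location in the intermediate (substrate) network and the part that carries the virtual network address, look up which nodes are hosted at that location and which node of the destination's virtual network owns that virtual address, and forward only when those agree. The following Python model of that check is an added example and is not code from the patent or its assignee. The address encoding (a /64 IPv6 substrate prefix as the location, the node's virtual IPv4 address in the low 32 bits), the registry contents, and the names `VirtualNode`, `REGISTRY`, `split_source_address`, `authorize` and `forward_if_authorized` are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed encoding (an assumption, not the patent's): the substrate is an
# IPv6 network, the upper 64 bits of a substrate address identify the location
# (the /64 that the hosting machine sits in), and the low 32 bits carry the
# sending node's virtual IPv4 address.
LOCATION_PREFIX_LEN = 64


@dataclass(frozen=True)
class VirtualNode:
    node_id: str
    virtual_network: str
    virtual_address: ipaddress.IPv4Address
    location: ipaddress.IPv6Network  # substrate /64 where the node is hosted


def make_node(node_id: str, network: str, vaddr: str, location: str) -> VirtualNode:
    return VirtualNode(node_id, network, ipaddress.IPv4Address(vaddr),
                       ipaddress.IPv6Network(location))


# Constructed registry: what the communication manager knows about the nodes
# it serves. Nodes in different virtual networks may share a virtual address
# (vm-a and vm-c both use 10.0.0.5), so lookups are scoped per network.
REGISTRY: List[VirtualNode] = [
    make_node("vm-a", "vnet-1", "10.0.0.5", "2001:db8:0:1::/64"),
    make_node("vm-b", "vnet-1", "10.0.0.6", "2001:db8:0:2::/64"),
    make_node("vm-c", "vnet-2", "10.0.0.5", "2001:db8:0:2::/64"),
]


def split_source_address(source: str) -> Tuple[ipaddress.IPv6Network, ipaddress.IPv4Address]:
    """Recover the source location (partial substrate address) and the embedded
    virtual network address from a communication's indicated source address."""
    addr = int(ipaddress.IPv6Address(source))
    host_bits = 128 - LOCATION_PREFIX_LEN
    location = ipaddress.IPv6Network(((addr >> host_bits) << host_bits, LOCATION_PREFIX_LEN))
    virtual = ipaddress.IPv4Address(addr & 0xFFFF_FFFF)
    return location, virtual


def nodes_at_location(registry: List[VirtualNode], location: ipaddress.IPv6Network) -> Set[str]:
    """Claim step: identify the nodes hosted at the determined source location."""
    return {n.node_id for n in registry if n.location == location}


def node_assigned_virtual_address(registry: List[VirtualNode], network: str,
                                  vaddr: ipaddress.IPv4Address) -> Optional[VirtualNode]:
    """Claim step: determine which node of the virtual network holds the address."""
    for n in registry:
        if n.virtual_network == network and n.virtual_address == vaddr:
            return n
    return None


def authorize(registry: List[VirtualNode], source: str, destination_network: str) -> Tuple[bool, str]:
    """Return (authorized, reason). The communication is authorized only when the
    node that owns the embedded virtual address is actually hosted at the
    location named by the substrate part of the source address."""
    location, virtual = split_source_address(source)
    hosted_here = nodes_at_location(registry, location)
    owner = node_assigned_virtual_address(registry, destination_network, virtual)
    if owner is None:
        return False, f"{virtual} is not assigned to any node of {destination_network}"
    if owner.node_id not in hosted_here:
        return False, f"{owner.node_id} owns {virtual} but is not hosted at {location}"
    return True, f"{owner.node_id} owns {virtual} and is hosted at {location}"


def forward_if_authorized(registry: List[VirtualNode], source: str, destination_network: str,
                          deliver: Callable[[str], None]) -> bool:
    """Final claim step: hand the communication on only when it is authorized.
    `deliver` stands in for whatever passes the packet to the destination node."""
    ok, _reason = authorize(registry, source, destination_network)
    if ok:
        deliver(source)
    return ok


if __name__ == "__main__":
    cases = [("2001:db8:0:1::a00:5", "vnet-1"),   # vm-a sending from its own host
             ("2001:db8:0:2::a00:5", "vnet-1"),   # 10.0.0.5 claimed from vm-b's host
             ("2001:db8:0:2::a00:5", "vnet-2"),   # vm-c, legitimately at that host
             ("2001:db8:0:1::a00:63", "vnet-1")]  # 10.0.0.99, assigned to nobody
    for src, net in cases:
        print(src, net, authorize(REGISTRY, src, net))
```

The second case is the one the claims exist for: the virtual address 10.0.0.5 is a real, assigned address in vnet-1, but the substrate part of the source address says the packet came from a location where vm-a is not hosted, so the manager drops it rather than forwarding it to the destination. Scoping the virtual-address lookup to the destination's virtual network matters because the claims say the virtual address is specified in accordance with the virtual network, and the same virtual address legitimately recurs across networks (vm-c in vnet-2 passes the check from the very location that vm-a may not claim).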
Specification