Managing communications involving external nodes of provided computer networks

US 8,683,023 B1
Filed: 06/30/2010
Issued: 03/25/2014
Est. Priority Date: 06/30/2010
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium having stored contents that configure a computing system to:

obtain information regarding a first virtual computer network overlaid on a distinct substrate network that interconnects multiple computing nodes of the first virtual computer network, and wherein the first virtual computer network further includes a first external node separated from the substrate network via a first external connection;

configure a first edge module that interconnects the substrate network and the first external connection to associate a first group of multiple virtual network addresses with a second computing node of the multiple computing nodes that is configured to act as an intermediate destination for at least some communications directed to the virtual network addresses of the first group, the virtual network addresses of the first group including a first virtual network address associated with a third computing node of the multiple computing nodes; and

under control of the first edge module,receive a first communication from the first external node via the first external connection that the first external node indicates to be sent to the third computing node by specifying the first virtual network address for the third computing node;

encode the first communication in a manner specific to the substrate network; and

forward the encoded first communication over the substrate network from the first edge module to the second computing node, to enable the second computing node to manage further forwarding of the encoded first communication to the third computing node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications for a managed virtual computer network overlaid on a distinct substrate computer network, including for communications involving computing nodes of the managed virtual computer network connected to the substrate network and/or other external nodes of the managed virtual computer network that are not connected to the substrate network. The managed virtual computer network may have multiple associated virtual network addresses, and the managing of the communications may further include using one or more edge modules to direct all communication that have a destination virtual network address within a range or other group of multiple virtual network addresses assigned to one or more external nodes to be forwarded over the substrate network to an edge module associated with the one or more external nodes, including to route communications between different external nodes via the substrate network.

157 Citations

29 Claims

1. A non-transitory computer-readable storage medium having stored contents that configure a computing system to:
- obtain information regarding a first virtual computer network overlaid on a distinct substrate network that interconnects multiple computing nodes of the first virtual computer network, and wherein the first virtual computer network further includes a first external node separated from the substrate network via a first external connection;
  
  configure a first edge module that interconnects the substrate network and the first external connection to associate a first group of multiple virtual network addresses with a second computing node of the multiple computing nodes that is configured to act as an intermediate destination for at least some communications directed to the virtual network addresses of the first group, the virtual network addresses of the first group including a first virtual network address associated with a third computing node of the multiple computing nodes; and
  
  under control of the first edge module,receive a first communication from the first external node via the first external connection that the first external node indicates to be sent to the third computing node by specifying the first virtual network address for the third computing node;
  
  encode the first communication in a manner specific to the substrate network; and
  
  forward the encoded first communication over the substrate network from the first edge module to the second computing node, to enable the second computing node to manage further forwarding of the encoded first communication to the third computing node.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The non-transitory computer-readable storage medium of claim 1 wherein the obtained information is configuration information specified by a user on whose behalf the first virtual computer network is provided and includes a specified network topology for the first virtual computer network, and wherein the first virtual computer network is overlaid on the substrate network without physically implementing the specified network topology for the first virtual computer network.
  - 3. The non-transitory computer-readable storage medium of claim 1 wherein the first virtual computer network further includes multiple second external nodes that are distinct from the first external node and are separated from the substrate network via a second external connection distinct from the first external connection, wherein the first edge module is further configured to associate the multiple second external nodes with a second edge module, and wherein the stored contents further configure the computing system to:
    - under control of the first edge module,receive a second communication from the first external node via the first external connection that is directed to one of the multiple external nodes of the second group;
      
      encode the second communication in a manner specific to the substrate network; and
      
      forward the encoded second communication over the substrate network from the first edge module to the second edge module for further handling; and
      
      under control of the second edge module,receive the forwarded encoded second communication from the substrate network;
      
      decode the received forwarded second communication to remove information specific to the substrate network; and
      
      further forward the decoded second communication from the substrate network over the second external connection to the one external node of the second group.
  - 4. The non-transitory computer-readable storage medium of claim 1 wherein the first virtual computer network further includes a second external node separated from the substrate network via a second external connection that is accessible to the first edge module, and wherein the stored contents further configure the computing system to, under control of the first edge module:
    - receive a second communication from the first external node via the first external connection that is directed to the second external node; and
      
      without forwarding the second communication over the substrate network, forward the second communication from the first edge module via the second external connection to the second external node.
  - 5. The non-transitory computer-readable storage medium of claim 1 wherein the stored contents further configure the computing system to:
    - for each of one or more second communications sent by the multiple computing nodes to the first external node, encode the second communication in a manner specific to the substrate network, and forward the encoded second communication over the substrate network to the first edge module; and
      
      under control of the first edge module, for each of the second communications;
      
      receive the forwarded second communication from the substrate network;
      
      decode the received forwarded second communication to remove information specific to the substrate network; and
      
      further forward the decoded second communication from the substrate network over the first external connection toward the first external node.
  - 6. The non-transitory computer-readable storage medium of claim 1 wherein the stored contents further configure the computing system to, under control of the second computing node, receive the forwarded encoded first communication from the substrate network and further forward the received encoded first communication over the substrate network from the second computing node to the third computing node.
  - 7. The non-transitory computer-readable storage medium of claim 1 wherein the stored contents further configure the computing system to, for a second communication sent by one the multiple computing nodes to another of the multiple computing nodes, encode the second communication in a manner specific to the substrate network, and forward the encoded second communication over the substrate network directly to the another computing node without forwarding the encoded second communication to the second computing node, and wherein the stored contents are instructions that, when executed, program the computing system to perform the method.

8. A system, comprising:
- one or more hardware processors of one or more computing systems;
  
  a manager module that is configured to, when executed by at least one of the one or more hardware processors, manage a first communication for a virtual computer network that has multiple computing nodes interconnected by an underlying second network and that has one or more external nodes separated from the second network via one or more external connections, wherein the first communication is sent to a first destination virtual network address associated with a first computing node of the multiple computing nodes, and wherein the managing of the first communication includes;
  
  encoding the first communication in a manner specific to the second network; and
  
  initiating forwarding the encoded first communication to the first computing node over the second network without using the one or more external connections; and
  
  an edge module that interconnects the second network with the one or more external nodes via the one or more external connections and that is associated with one or more second virtual network addresses of the virtual computer network assigned to the one or more external nodes, the edge module being configured to, when executed by at least one of the one or more hardware processors, manage a second communication that is sent to one of the one or more second virtual network addresses, the managing of the second communication including;
  
  receiving the second communication; and
  
  initiating forwarding of the received second communication to at least one of the one or more external nodes via at least one of the one or more external connections.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8 wherein the one or more external nodes include one or more first external nodes separated from the second network via a first of the one or more external connections and include one or more second external nodes separated from the second network via a second of the one or more external connections, and wherein the second communication is sent to the edge module by one of the first external nodes over the first external connection and is forwarded by the edge module to one of the second external nodes over the second external connection.
  - 10. The system of claim 8 wherein the one or more external nodes include one or more first external nodes separated from the second network via a first external connection, wherein a second edge module interconnects the second network with one or more second external nodes via a second external connection, wherein the second communication is sent to the second edge module by one of the second external nodes over the second external connection, and wherein the second edge module is configured to, before the receiving of the second communication by the edge module:
    - encode the second communication in a manner specific to the second network; and
      
      forward the encoded second communication over the second network from the second edge module to the edge module.
  - 11. The system of claim 9 wherein the one or more first external nodes are at a first geographical location remote from the second network, wherein the one or more second external nodes are at a distinct second geographical location remote from the second network, and wherein the one or more second virtual network addresses are part of a range of multiple virtual network addresses assigned to the one or more second external nodes.
  - 12. The system of claim 8 wherein the manager module is one of multiple manager modules of a configurable network service that each includes software instructions for execution by the at least one hardware processors, and wherein the edge module is part of a hardware edge device.
  - 13. The system of claim 8 wherein the edge module consists of a means for performing the managing of the second communication.

14. A computer-implemented method comprising:
- receiving configuration information for a virtual computer network having multiple computing nodes and having one or more external nodes, the virtual computer network being overlaid on a distinct substrate network that interconnects the multiple computing nodes, the one or more external nodes being separated from the substrate network via an external connection;
  
  configuring a first edge module that interconnects the substrate network and the first external connection, the configuring including associating multiple virtual network addresses for the virtual computer network with a first computing node of the multiple computing nodes, the first computing node being configured to act as an intermediate destination for at least some communications directed to the multiple virtual network addresses;
  
  receiving, by the first edge module, a communication from one of the one or more external nodes via the external connection, the communication being directed via one of the multiple virtual network addresses to a second computing node of the multiple computing nodes, the first edge module executing on a configured device;
  
  encoding, by the executing first edge module, the communication in a manner specific to the substrate network; and
  
  forwarding, by the executing first edge module, the encoded communication over the substrate network from the first edge module to the first computing node based on the configuring, to enable the first computing node to act as the intermediate destination and manage further communication forwarding to the second computing node.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 15. The method of claim 14 wherein the one or more external nodes include a first external node separated from the substrate network via a first external connection, wherein the first edge module interconnects the substrate network and the first external connection, and wherein the communication is received from the first external node.
  - 16. The method of claim 15 wherein the one or more external nodes further include a second external node separated from the substrate network via a second external connection, and wherein a distinct second edge module interconnects the substrate network and the second external connection.
  - 17. The method of claim 16 further comprising, under control of the executing first edge module:
    - receiving a second communication from the first external node via the first external connection that is directed to the second external node;
      
      encoding the second communication to include information specific to the substrate network; and
      
      forwarding the encoded second communication over the substrate network from the first edge module to the second edge module for further handling.
  - 18. The method of claim 17 further comprising, under control of the second edge module:
    - receiving the forwarded encoded second communication;
      
      decoding the received forwarded encoded second communication to remove the included information specific to the substrate network; and
      
      further forwarding the decoded second communication over the second external connection toward the second external node.
  - 19. The method of claim 17 wherein the configuring of the first edge module further includes, before the receiving of the second communication, associating with the second edge module one or more additional virtual network addresses of the virtual computer network that are assigned to the second external node, and wherein the encoding of the second communication further includes selecting the second edge module as a recipient for the forwarding of the encoded second communication based on the second communication being directed to one of the one or more additional virtual network addresses.
  - 20. The method of claim 19 wherein the one or more additional virtual network addresses assigned to the second external node are a range of multiple virtual network addresses represented with a classless inter-domain routing (CIDR) block.
  - 21. The method of claim 17 wherein the multiple computing nodes and the first and second edge modules each has a distinct substrate network address that corresponds to a location in the substrate network, and wherein the forwarding of the encoded second communication over the substrate network from the first edge module to the second edge module uses the substrate network address for the second edge module.
  - 22. The method of claim 17 further comprising selecting the second edge module from a pool of multiple alternative edge modules associated with the second external connection before forwarding the encoded second communication over the substrate network from the first edge module to the second edge module.
  - 23. The method of claim 16 wherein the first external node is part of a first computer network of multiple nodes at a first geographical location remote from the substrate network, wherein the second external node is part of a second computer network of multiple other nodes at a distinct second geographical location remote from the substrate network, wherein the first external connection is a first virtual private network (VPN) connection between the substrate network and the first computer network, wherein the second external connection is a distinct second VPN connection between the substrate network and the second computer network, and wherein the first and second edge modules are each part of one of multiple edge devices connected to the substrate network.
  - 24. The method of claim 14 wherein the external connection is a multi-protocol label switching (MPLS) connection, a connection to a public network, or a dedicated private connection to a distinct location.
  - 25. The method of claim 14 wherein the received configuration information further indicates a specified network topology for the virtual computer network, and wherein the method further comprises providing the virtual computer network by overlaying the virtual computer network on the substrate network without physically implementing the specified network topology for the virtual computer network.
  - 26. The method of claim 14 wherein the received configuration information further indicates a plurality of virtual network addresses for use with the virtual computer network, and wherein the multiple virtual network addresses are a subset of the plurality of virtual network addresses.
  - 27. The method of claim 14 further comprising, before the receiving of the communication:
    - assigning the multiple virtual network addresses to the multiple computing nodes, the assigning including assigning, to the second computing node, the one virtual network address to which the communication is directed; and
      
      assigning a range of multiple additional virtual network addresses for the virtual computer network to the one or more external nodes, the multiple additional virtual network addresses of the range being distinct from the multiple virtual network addresses assigned to the multiple computing nodes.
  - 28. The method of claim 27 wherein the assigning of the range of multiple additional virtual network addresses to the one or more external nodes includes associating the range of multiple additional virtual network addresses with the first edge module for use with the external connection.
  - 29. The method of claim 14 further comprising, for each of one or more second communications sent between the multiple computing nodes, encoding the second communication in a manner specific to the substrate network, and forwarding the encoded second communication over the substrate network to a destination computing node without forwarding the encoded second communication to the first computing node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Dickinson, Andrew B.
Primary Examiner(s)
Kim, Hee Soo

Application Number

US12/828,060
Time in Patent Office

1,364 Days
Field of Search

709/222
US Class Current

709/222
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/02   Topology update or discovery

H04L 45/586   of virtual routers

H04L 45/64   using an overlay routing layer

H04L 61/50   Address allocation

Managing communications involving external nodes of provided computer networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

157 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Managing communications involving external nodes of provided computer networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links