Scalable port address translations
First Claim
1. A system for performing address translation for packets, the system comprising:
connection tracking data comprising associations between assignable public IP addresses and ports with internal IP addresses and ports;
a packet forwarding device located at an edge of a network, the packet forwarding device configured to:
receive a packet from an external network, the packet comprising a destination address and a source address, the destination address comprising an assignable public IP address and port associated with the network;
determine a forwarding rule for the packet based at least partly on the destination address of the packet, the forwarding rule identifying a relationship between the assignable public address and port associated with the network with a first internal address for a computing node of the network; and
based at least partly on the forwarding rule, communicate the packet to the computing node;
wherein the packet forwarding device does not translate the destination address of the packet to an internal address and port; and
a translation manager with access to the connection tracking data, the translation manager located on the computing node, the computing node remote from the packet forwarding device, the translation manager configured to:
access the connection tracking data and select an entry identifying an association of the first internal IP address and port with the assignable public IP address and port of the destination address of the packet;
determine a second internal IP address and port based at least partly on the entry, wherein the second internal IP address is associated with a virtual machine instance;
modify the packet by changing the destination address of the packet to the second internal IP address and port with the assignable public IP address and port; and
communicate the packet to the destination node.
Abstract
A system and method for performing address translation for packets entering or leaving a network. In some embodiments, a private network that may be fully or partially virtualized can use a stateless tunneling mechanism to communicate with external networks, such as the Internet, without using an external IP address for every host on the private network. For example, a packet forwarding device using a stateless Port Address Translation (PAT) implementation can route the packets subject to PAT by using forwarding rules rather than by storing connection-tracking state. Connection state information can be maintained at the hosts rather than at the packet forwarding device.
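As an added illustration (not code from the patent or from any product), the following Python simulation models the split described in the abstract and claims: a stateless edge forwarder that selects a computing node from port-range forwarding rules without rewriting the packet, and a per-host translation manager that owns the connection-tracking data and performs the actual PAT rewrite. All addresses, port ranges and class names are constructed for the example; note that an inbound packet with no tracked association is dropped at the host, since the edge device holds no state with which to reject it.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr


class EdgeForwarder:
    """Stateless edge device: forwarding rules only, no connection state.
    A rule maps a slice of a public address's port space to the internal
    address of the computing node that owns that slice."""

    def __init__(self) -> None:
        self.rules: List[Tuple[str, int, int, str]] = []

    def add_rule(self, public_ip: str, lo: int, hi: int, node_ip: str) -> None:
        self.rules.append((public_ip, lo, hi, node_ip))

    def forward_inbound(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        ip, port = pkt.dst
        for pub_ip, lo, hi, node_ip in self.rules:
            if pub_ip == ip and lo <= port <= hi:
                return node_ip, pkt  # destination left untranslated, as claimed
        return None  # no forwarding rule: drop at the edge


class TranslationManager:
    """Runs on the computing node and holds the connection-tracking data."""

    def __init__(self, public_ip: str, lo: int, hi: int) -> None:
        self.public_ip = public_ip
        self.free_ports = list(range(lo, hi + 1))  # this node's assignable slice
        self.conntrack: Dict[Addr, Addr] = {}  # (pub_ip, pub_port) -> (vm_ip, vm_port)
        self.reverse: Dict[Addr, Addr] = {}    # (vm_ip, vm_port) -> (pub_ip, pub_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        if pkt.src not in self.reverse:  # first packet of a flow: assign a public port
            pub = (self.public_ip, self.free_ports.pop(0))
            self.conntrack[pub] = pkt.src
            self.reverse[pkt.src] = pub
        return replace(pkt, src=self.reverse[pkt.src])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        vm_addr = self.conntrack.get(pkt.dst)
        if vm_addr is None:
            return None  # unsolicited: no tracked association for this public port
        return replace(pkt, dst=vm_addr)
```
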
30 Claims
1. (Independent claim; reproduced in full under First Claim above.) Dependent claims: 2, 3, 4.
5. A system for performing address translation for packets, the system comprising:
a packet forwarding device located at an edge of a network, the packet forwarding device configured to:
receive a packet associated with the network, the packet sent to or received from an external network, the packet comprising an assignable public address and port associated with the network, the packet comprising a destination address and a source address;
determine a forwarding rule for the packet based at least partly on the source address or destination address of the packet, the forwarding rule identifying a relationship between the public address and port associated with the network and an internal address on the network; and
based at least partly on the forwarding rule, communicate the packet to a first computing node, the assignable public address and port of the packet untranslated by the packet forwarding device; and
a translation manager in communication with the packet forwarding device, the translation manager remote from the packet forwarding device, the translation manager configured to:
determine the assignable public address and port by accessing a data store providing associations between assignable public IP addresses and ports with internal IP addresses and ports;
modify the packet by changing the destination address or source address of the packet to the assignable public address and port; and
communicate the packet to a second computing node.
Dependent claims: 6, 7, 8, 9, 10, 11, 12.
13. A method for performing address translation, the method comprising:
receiving an outgoing packet from a virtual machine instance on an internal network, the outgoing packet having a source address and a destination address, the destination address corresponding to an external network;
determining an assignable public IP address and port associated with the virtual machine instance;
modifying the outgoing packet by changing the source address of the outgoing packet to the assignable public IP address and port, the outgoing packet modified remotely from an edge of the internal network; and
communicating the outgoing packet to an edge device of the network, the edge device configured to forward the packet to the destination address,
wherein at least said modifying is performed by a computing system comprising computer hardware.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23.
24. Non-transitory physical computer storage having stored thereon instructions that, when executed, direct a computing system to perform operations, the operations comprising:
receiving an incoming packet from an edge device located on an edge of a private network, the incoming packet having a source address and a destination address, the destination address comprising a public IP address and port associated with the private network;
determining a computing node on the private network associated with the public IP address and port, wherein the computing node is a virtual machine instance executing on the computing system;
determining a private IP address and port associated with the computing node; and
modifying the incoming packet by changing the destination address of the packet to the private IP address and port associated with the computing node, the incoming packet modified by the computing system remotely from an edge of the internal network.
Dependent claims: 25, 26, 27, 28, 29, 30.