Scalable port address translations

US 8,725,898 B1
Filed: 03/17/2011
Issued: 05/13/2014
Est. Priority Date: 03/17/2011
Status: Active Grant

First Claim

Patent Images

1. A system for performing address translation for packets, the system comprising:

connection tracking data comprising associations between assignable public IP addresses and ports with internal IP addresses and ports;

a packet forwarding device located at an edge of a network, the packet forwarding device configured to;

receive a packet from an external network, the packet comprising a destination address and a source address, the destination address comprising an assignable public IP address and port associated with the network;

determine a forwarding rule for the packet based at least partly on the destination address of the packet, the forwarding rule identifying a relationship between the assignable public address and port associated with the network with a first internal address for a computing node of the network; and

based at least partly on the forwarding rule, communicate the packet to the computing node;

wherein the packet forwarding device does not translate the destination address of the packet to an internal address and port; and

a translation manager with access to the connection tracking data, the translation manager located on the computing node, the computing node remote from the packet forwarding device, the translation manager configured to;

access the connection tracking data and select an entry identifying an association of the first internal IP address and port with the assignable public IP address and port of the destination address of the packet;

determine a second internal IP address and port based at least partly on the entry, wherein the second internal IP address is associated with a virtual machine instance;

modify the packet by changing the destination address of the packet to the second internal IP address and port with the assignable public IP address and port; and

communicate the packet to the destination node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for performing address translation for packets entering or leaving a network. In some embodiments, a private network that may be fully or partially virtualized can use a stateless tunneling mechanism to communicate with external networks, such as the Internet, without using an external IP address for every host on the private network. For example, a packet forwarding device using a stateless Port Address Translation (PAT) implementation can route the packets subject to PAT by using forwarding rules rather than by storing connection-tracking state. Connection state information can be maintained at the hosts rather than at the packet forwarding device.

Citations

30 Claims

1. A system for performing address translation for packets, the system comprising:
- connection tracking data comprising associations between assignable public IP addresses and ports with internal IP addresses and ports;
  
  a packet forwarding device located at an edge of a network, the packet forwarding device configured to;
  
  receive a packet from an external network, the packet comprising a destination address and a source address, the destination address comprising an assignable public IP address and port associated with the network;
  
  determine a forwarding rule for the packet based at least partly on the destination address of the packet, the forwarding rule identifying a relationship between the assignable public address and port associated with the network with a first internal address for a computing node of the network; and
  
  based at least partly on the forwarding rule, communicate the packet to the computing node;
  
  wherein the packet forwarding device does not translate the destination address of the packet to an internal address and port; and
  
  a translation manager with access to the connection tracking data, the translation manager located on the computing node, the computing node remote from the packet forwarding device, the translation manager configured to;
  
  access the connection tracking data and select an entry identifying an association of the first internal IP address and port with the assignable public IP address and port of the destination address of the packet;
  
  determine a second internal IP address and port based at least partly on the entry, wherein the second internal IP address is associated with a virtual machine instance;
  
  modify the packet by changing the destination address of the packet to the second internal IP address and port with the assignable public IP address and port; and
  
  communicate the packet to the destination node.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the destination node comprises the virtual machine instance operating on the computing node.
  - 3. The system of claim 1, wherein the destination node comprises a program operating on the computing node.
  - 4. The system of claim 1, wherein the external network is the Internet.

5. A system for performing address translation for packets, the system comprising:
- a packet forwarding device located at an edge of a network, the packet forwarding device configured to;
  
  receive a packet associated with the network, the packet sent to or received from an external network, the packet comprising an assignable public address and port associated with the network, the packet comprising a destination address and a source address;
  
  determine a forwarding rule for the packet based at least partly on the source address or destination address of the packet, the forwarding rule identifying a relationship between the public address and port associated with the network and an internal address on the network; and
  
  based at least partly on the forwarding rule, communicate the packet to a first computing node, the assignable public address and port of the packet untranslated by the packet forwarding device; and
  
  a translation manager in communication with the packet forwarding device, the translation manager remote from the packet forwarding device, the translation manager configured to;
  
  determine the assignable public address and port by accessing a data store providing associations between assignable public IP addresses and ports with internal IP addresses and ports;
  
  modify the packet by changing the destination address or source address of the packet to the assignable public address and port; and
  
  communicate the packet to a second computing node.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein the first computing node is an external computing node located on the external network.
  - 7. The system of claim 6, wherein the second computing node is the packet forwarding device.
  - 8. The system of claim 5, wherein the first computing node is a node associated with the internal address on the network identified by the forwarding rule.
  - 9. The system of claim 5, wherein the first computing node comprises the translation manager.
  - 10. The system of claim 9, wherein the second computing node is a virtual machine instance.
  - 11. The system of claim 5, further comprising:
    - an address translation service comprising a pool of assignable public addresses, the address translation service configured to allocate the assignable public addresses to one or more computing nodes of the network;
      
      wherein the translation manager requests an assignable public address from the address translation service when the translation manager initializes a connection.
  - 12. The system of claim 11, wherein the one or more computing nodes of the networks comprise one or more virtual machine instances.

13. A method for performing address translation, the method comprising:
- receiving an outgoing packet from a virtual machine instance on an internal network, the outgoing packet having a source address and a destination address, the destination address corresponding to an external network;
  
  determining an assignable public IP address and port associated with the virtual machine instance;
  
  modifying the outgoing packet by changing the source address of the outgoing packet to the assignable public IP address and port, the outgoing packet modified remotely from an edge of the internal network; and
  
  communicating the outgoing packet to an edge device of the network, the edge device configured to forward the packet to the destination address,wherein at least said modifying is performed by a computing system comprising computer hardware.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The method of claim 13, wherein said modifying the outgoing packet comprises setting a flag in the packet to indicate that the port address translation has been performed on the packet.
  - 15. The method of claim 13, wherein said determining an assignable public IP address and port comprises:
    - accessing a data store comprising entries of associations between assignable public IP addresses and ports with virtual machine instances;
      
      selecting an entry associated with the virtual machine instance; and
      
      determining the assignable IP address and port based at least partly on the entry.
  - 16. The method of claim 13, wherein said determining an assignable public IP address and port comprises requesting the assignable public IP address from an assignable address service.
  - 17. The method of claim 13, wherein said determining an assignable IP address and port comprises:
    - accessing a data store comprising entries of associations between assignable public IP addresses and ports with virtual machine instances; and
      
      storing an entry in the data store, the entry identifying an association between the virtual machine instance and the assignable public IP address.
  - 18. The method of claim 13, wherein said communicating the outgoing packet to an edge device of the network comprises selecting the edge device from a plurality of edge devices.
  - 19. The method of claim 18, wherein the edge device is selected using a hash function.
  - 20. The method of claim 18, wherein the edge device is selected using a load balancer, the edge device selected based at least partly on the respective loads of the plurality of edge devices.
  - 21. The method of claim 13, wherein said modifying the outgoing packet is performed remotely from the edge of the internal network at a host device having no direct connection to an external network.
  - 22. The method of claim 13, further comprising encapsulating the packet with a packet header having a virtual network address associated with the edge device of the network.
  - 23. The method of claim 13, wherein the computing system comprise a plurality of computing devices.

24. Non-transitory physical computer storage having stored thereon instructions that, when executed, direct a computing system to perform operations, the operations comprising:
- receiving an incoming packet from an edge device located on an edge of a private network, the incoming packet having a source address and a destination address, the destination address comprising a public IP address and port associated with the private network;
  
  determining a computing node on the private network associated with the public IP address and port, wherein the computing node is a virtual machine instance executing on the computing system;
  
  determine a private IP address and port associated with the computing node; and
  
  modifying the incoming packet by changing the destination address of the packet to the private IP address and port associated with the computing node, the incoming packet modified by the computing system remotely from an edge of the internal network.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The non-transitory physical computer storage of claim 24, wherein the operations further comprise communicating the outgoing packet to the computing node.
  - 26. The non-transitory physical computer storage of claim 24, wherein said determining a computing node comprises:
    - accessing a data store comprising entries of associations between public IP addresses and ports with computing nodes;
      
      selecting an entry associated with the public IP address and port of the destination address; and
      
      determining the computing nodes associated with the public IP address.
  - 27. The non-transitory physical computer storage of claim 24, the operations comprising decapsulating the packet to remove a packet header having a virtual network address associated with the computing system.
  - 28. The non-transitory physical computer storage of claim 24, wherein the computing system does not have a direct connection to an external network.
  - 29. The non-transitory physical computer storage of claim 24, in combination with a physical computer system configured to implement the operations.
  - 30. The non-transitory physical computer storage of claim 24, wherein the computing device comprises a plurality of virtual machine instances.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Vincent, Pradeep
Primary Examiner(s)
Wasel, Mohamed

Application Number

US13/050,853
Time in Patent Office

1,153 Days
Field of Search

709/238, 709/245, 709/246
US Class Current

709/245
CPC Class Codes

H04L 61/25   of the same type

H04L 61/2514   between local and global IP...

H04L 61/2517   using port numbers

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5061   Pools of addresses

H04L 61/5076   Update or notification mech...

Scalable port address translations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Scalable port address translations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links