Providing private access to network-accessible services

US 8,843,600 B1
Filed: 09/30/2010
Issued: 09/23/2014
Est. Priority Date: 09/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by one or more programmed computing systems of a configurable network service that provides private computer networks to remote clients, information from a first client regarding a first virtual computer network having multiple computing nodes, the received information indicating a plurality of virtual network addresses for the first virtual computer network and including information about use by the first virtual computer network of a network-accessible Lightweight Directory Access Protocol (“

LDAP”

) service made available by the configurable network service, wherein the LDAP service is external to the first virtual computer network and includes a pool of multiple LDAP computer servers for use by the first virtual computer network;

assigning, by the one or more programmed computing systems, one of the plurality of virtual network addresses to represent the LDAP service within the first virtual computer network, and associating other of the plurality of virtual network addresses with the multiple computing nodes;

encoding, by the one or more programmed computing systems, and for a first communication sent by one of the multiple computing nodes to a virtual network address associated with another of the multiple computing nodes, the first communication in a manner specific to a substrate network on which the first virtual computer network is overlaid, and forwarding the encoded first communication over the substrate network to a location of the another computing node within the substrate network; and

for a second communication sent by one of the multiple computing nodes to the one virtual network address assigned to represent the LDAP service,selecting, by the one or more programmed computing systems, one of the multiple LDAP computer servers of the pool to use for the second communication based at least in part on whether the second communication is of a type that corresponds to a data write request or a data read request; and

initiating, by the one or more programmed computing systems, providing functionality of the LDAP service to the first virtual computer network by encoding the second communication in a manner specific to the substrate network, and forwarding the encoded second communication over the substrate network to the selected one LDAP computer server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications for a managed virtual computer network overlaid on a distinct substrate computer network. The techniques may be used in situations in which a configurable network service provides managed virtual computer networks for clients and also provides one or more network-accessible services that are available to the managed virtual computer networks, with particular managed virtual computer networks being configured to provide local private access to at least one of the provided network-accessible services, despite those provided network-accessible services being located externally to the particular managed virtual computer networks. In some situations, a Lightweight Directory Access Protocol (“LDAP”) network-accessible service is provided, and a logical endpoint for the LDAP service is created within a managed virtual computer network to enable the multiple computing nodes of the managed virtual computer network to communicate with one or more LDAP computer servers from the LDAP service.

Citations

23 Claims

1. A computer-implemented method comprising:
- receiving, by one or more programmed computing systems of a configurable network service that provides private computer networks to remote clients, information from a first client regarding a first virtual computer network having multiple computing nodes, the received information indicating a plurality of virtual network addresses for the first virtual computer network and including information about use by the first virtual computer network of a network-accessible Lightweight Directory Access Protocol (“
  
  LDAP”
  
  ) service made available by the configurable network service, wherein the LDAP service is external to the first virtual computer network and includes a pool of multiple LDAP computer servers for use by the first virtual computer network;
  
  assigning, by the one or more programmed computing systems, one of the plurality of virtual network addresses to represent the LDAP service within the first virtual computer network, and associating other of the plurality of virtual network addresses with the multiple computing nodes;
  
  encoding, by the one or more programmed computing systems, and for a first communication sent by one of the multiple computing nodes to a virtual network address associated with another of the multiple computing nodes, the first communication in a manner specific to a substrate network on which the first virtual computer network is overlaid, and forwarding the encoded first communication over the substrate network to a location of the another computing node within the substrate network; and
  
  for a second communication sent by one of the multiple computing nodes to the one virtual network address assigned to represent the LDAP service,selecting, by the one or more programmed computing systems, one of the multiple LDAP computer servers of the pool to use for the second communication based at least in part on whether the second communication is of a type that corresponds to a data write request or a data read request; and
  
  initiating, by the one or more programmed computing systems, providing functionality of the LDAP service to the first virtual computer network by encoding the second communication in a manner specific to the substrate network, and forwarding the encoded second communication over the substrate network to the selected one LDAP computer server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the LDAP service includes a plurality of computer servers, and wherein the method further comprises selecting the pool of multiple LDAP computer servers from the plurality of computer servers.
  - 3. The method of claim 2 wherein the configurable network service further provides multiple other virtual computer networks to multiple other clients, wherein one or more of the multiple other virtual computer networks each integrate the LDAP service within that virtual computer network, and wherein the method further comprises selecting a pool of one or more of the plurality of computer servers for use with each of the one or more other virtual computer networks, the selected pools for the one or more other virtual computer networks and for the first virtual computer network having distinct computer servers of the LDAP service.
  - 4. The method of claim 1 wherein the multiple LDAP computer servers of the pool are each connected to the substrate network and are distinct from the multiple computing nodes of the first virtual computer network.
  - 5. The method of claim 2 wherein the selecting of the one LDAP computer server is further based in part on a location of the selected one LDAP computer server.
  - 6. The method of claim 1 wherein the multiple LDAP computer servers of the pool include a computer server that is designated as a master server and one or more other computer servers that are designated to be replica servers that are copies of the master server, and wherein the selecting of the one LDAP computer server of the pool to which the encoded second communication is forwarded includes selecting between the master server and one of the replica servers based at least in part on the type of the second communication.
  - 7. The method of claim 1 wherein the multiple LDAP computer servers are alternatives, and wherein the selecting of the one LDAP computer server of the pool to which the encoded second communication is forwarded is further based in part on a computing load of one or more of the multiple LDAP computer servers to enable load balancing capabilities to be provided for the multiple LDAP computer servers.
  - 8. The method of claim 2 wherein the LDAP service made available by the configurable network service is provided by the configurable network service, and wherein the method further comprises determining one of the multiple LDAP computer servers of the pool to operate as a master server that has one or more replica servers by using a consensus algorithm to enable the multiple LDAP computer servers of the pool to determine the master server in a distributed manner.
  - 9. The method of claim 8 wherein the determining of the one LDAP computer server of the pool to operate as the master server is performed in response to an automated modification of the LDAP computer servers that are included in the pool.
  - 10. The method of claim 9 wherein the automated modification of the LDAP computer servers that are included in the pool includes replacing at least one of the LDAP computer servers in the pool with another LDAP computer server in response to the at least one replaced LDAP computer servers becoming unavailable.
  - 11. The method of claim 8 further comprising, under control of the selected one LDAP computer server of the pool, receiving the forwarded encoded second communication, modifying information stored for the first virtual computer network by the master server in response to the received forwarded encoded second communication, and updating the one or more replica servers to include the modified stored information in order to maintain the one or more replica servers as copies of the master server.
  - 12. The method of claim 2 further comprising scaling a quantity of the LDAP computer servers that are included in the pool while the first virtual computer network is in use based at least in part on use of the LDAP service by the first virtual computer network.
  - 13. The method of claim 1 wherein the one or more programmed computing systems of the configurable network service provide multiple other virtual computer networks to multiple other clients, wherein the configurable network service provides a plurality of computing nodes for use by the first virtual computer network and by the multiple other virtual computer networks, and wherein communications sent between the multiple computing nodes of the first virtual computer network are transmitted on the substrate network in an encoded form that uses information specific to the substrate network and that uses a specified destination substrate network address for forwarding over the substrate network.
  - 14. The method of claim 1 further comprising dynamically modifying one or more of the multiple LDAP computer servers of the pool while the first virtual computer network is operational and without stopping communications being sent to the LDAP service.

15. A non-transitory computer-readable medium having stored contents that configure a computing system of a configurable network service to perform a method, the method comprising:
- obtaining, by the configured computing system, information regarding a first virtual computer network that has multiple computing nodes and that has a plurality of associated virtual network addresses, the obtained information indicating a virtual network address of the plurality that is associated with a network-accessible Lightweight Directory Access Protocol (“
  
  LDAP”
  
  ) service provided by the configurable network service for use by the multiple computing nodes, wherein the LDAP service is external to the first virtual computer network and includes a pool of multiple LDAP computer servers for use by the first virtual computer network;
  
  encoding, by the configured computing system and for a first communication sent to a destination that is one of the multiple computing nodes, the first communication in a manner specific to a substrate network on which the first virtual computer network is overlaid, and forwarding the encoded first communication over the substrate network to the destination; and
  
  for a second communication sent to the indicated virtual network address associated with the LDAP service,selecting, by the configured computing system, one of the multiple LDAP computer servers of the pool to use for the second communication based at least in part on whether the second communication is of a type that corresponds to a data write request or a data read request; and
  
  initiating, by the configured computing system, providing functionality of the LDAP service to the first virtual computer network by encoding the second communication in a manner specific to the substrate network, and forwarding the encoded second communication over the substrate network toward the selected one LDAP computer server.
- View Dependent Claims (16, 17, 18)
- - 16. The non-transitory computer-readable medium of claim 15 wherein the pool of multiple LDAP computer servers includes a master LDAP computer server and one or more other replica LDAP computer servers, and wherein the selected one LDAP computer server is the master LDAP computer server if the second communication is a data write request and is one of the replica LDAP computer servers if the second communication is a data read request.
  - 17. The non-transitory computer-readable medium of claim 15 wherein the obtained information is specified by a first client of the configurable network service and includes a specified network topology for the first virtual computer network and includes information regarding use of the LDAP service by the first virtual computer network, and wherein the first virtual computer network is overlaid on the substrate network for the first client without physically implementing the specified network topology for the first virtual computer network.
  - 18. The non-transitory computer-readable medium of claim 15 wherein the computer-readable medium is a memory of the configured computing system, and wherein the contents are instructions that when executed program the computing system to perform the method.

19. A system, comprising:
- one or more processors of one or more computing systems; and
  
  one or more modules that are configured to, when executed by at least one of the one or more processors, provide networking functionality for a first virtual computer network that is overlaid on a distinct second network and that has a plurality of virtual network addresses for use with multiple computing nodes of the first virtual computer network, the providing of the networking functionality including;
  
  receiving a first network communication directed to a destination that is one of the multiple computing nodes and is specified using one of the plurality of virtual network addresses;
  
  encoding the first network communication in a manner specific to the second network, and sending the encoded network communication to the second network for forwarding to the destination;
  
  receiving a second network communication directed to an indicated virtual network address of the plurality of virtual network addresses, wherein the indicated virtual network address is associated with multiple Lightweight Directory Access Protocol (“
  
  LDAP”
  
  ) computer servers that are external to the first virtual computer network and are available to the first virtual computer network;
  
  selecting one of the multiple LDAP computer servers to use for the second network communication based at least in part on whether the second network communication is of a type that corresponds to a data write request or to a data read request; and
  
  initiating sending the second network communication to the selected one LDAP computer server to enable LDAP functionality to be provided to the first virtual computer network.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The system of claim 19 wherein the first virtual computer network is provided for a first client who specifies information for use of the LDAP functionality by the first virtual computer network.
  - 21. The system of claim 20 wherein the first virtual computer network is one of multiple virtual computer networks provided for multiple clients by a configurable network service, and wherein the multiple LDAP computer servers are part of an LDAP service provided by the configurable network service.
  - 22. The system of claim 19 wherein the multiple LDAP computer servers are part of a pool for use by the first virtual computer network and include a master LDAP computer server and one or more other replica LDAP computer servers, wherein the selected one LDAP computer server is the master LDAP computer server if the second network communication is a data write request and is one of the replica LDAP computer servers if the second network communication is a data read request, and wherein the one or more modules each includes software instructions for execution by the one or more processors of the system.
  - 23. The system of claim 19 wherein the one or more modules consist of one or more means for performing the providing of the networking functionality for the first virtual computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Gabrielson, Jacob, Hansen, Zachary J., Lye, Diane N.
Primary Examiner(s)
KIM, EDWARD J

Application Number

US12/895,399
Time in Patent Office

1,454 Days
Field of Search

709/245, 709/250, 709220-222, 709223-229, 709/230, 709/238, 709/240, 709242-244, 709/248
US Class Current

709/220
CPC Class Codes

G06F 16/1824   implemented using Network-a...

G06F 16/282   Hierarchical databases, e.g...

H04L 12/6418   Hybrid transport

H04L 41/0806   for initial configuration o...

H04L 41/5051   Service on demand, e.g. def...

H04L 41/5096   wherein the managed service...

H04L 67/10   in which an application is ...

Providing private access to network-accessible services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Providing private access to network-accessible services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links