Virtual firewalls for multi-tenant distributed services
First Claim
1. A computer-implemented method for firewalling in a multi-tenant distributed service, comprising:
under control of one or more computer systems configured with executable instructions, provisioning a plurality of computing resources to a plurality of tenants of the multi-tenant distributed service responsive to user interaction with a provisioning user interface of the multi-tenant distributed service, the plurality of provisioned computing resources being maintained by the multi-tenant distributed service with a plurality of server computers of the multi-tenant distributed service;
maintaining, with a firewalling component in a supervisory layer of the multi-tenant distributed service, a plurality of virtual firewalls that enforce a plurality of computing resource policy sets with respect to the plurality of provisioned computing resources, the plurality of computing resource policy sets that include firewalling policies established by a plurality of service users authorized by the plurality of tenants, the firewalling component being distinct from the plurality of provisioned computing resources;
receiving, at a resource user interface of the multi-tenant distributed service, a first request targeting a distinguished computing resource of the plurality of provisioned computing resources;
identifying, with the firewalling component in the supervisory layer of the multi-tenant distributed service, a distinguished virtual firewall of the plurality of virtual firewalls that enforces a distinguished policy set of the plurality of computing resource policy sets with respect to the distinguished computing resource;
checking whether an update of the distinguished policy set is required based at least in part on information associated with the first request; and
submitting a second request targeting the distinguished computing resource, with the firewalling component in the supervisory layer of the multi-tenant distributed service, to the distinguished virtual firewall to obtain enforcement of the distinguished policy set, the second request based at least in part on the first request.
Abstract
Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
27 Claims
1. A computer-implemented method for firewalling in a multi-tenant distributed service (full text above under First Claim). Dependent claims: 2, 3, 24, 25, 26.
4. A computer-implemented method for firewalling in a multi-tenant distributed service, comprising:
under control of one or more computer systems configured with executable instructions, maintaining, with a firewalling component of the multi-tenant distributed service, a plurality of virtual firewalls implementing a plurality of policy sets that include firewalling policies established by a plurality of service users with respect to a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources being maintained by the multi-tenant distributed service with a plurality of server computers of the multi-tenant distributed service and the plurality of provisioned resources being distinct from the firewalling component, a policy set of the plurality of policy sets corresponding to a tenant of the multi-tenant distributed service, and the tenant authorizing one or more of the plurality of service users to establish the policy set with respect to the provisioned resources;
receiving a first request with respect to a provisioned resource of the plurality of provisioned resources;
identifying, with the firewalling component, a virtual firewall of the plurality of virtual firewalls that implements the policy set of the plurality of policy sets, the policy set including at least one policy with respect to the provisioned resource; and
submitting a second request, with the firewalling component, to the virtual firewall to implement the policy set, the second request based at least in part on the first request.
Dependent claims: 5, 6, 7, 27.
8. A computer-implemented method for firewalling in a multi-tenant distributed service, comprising:
under control of one or more computer systems configured with executable instructions, maintaining a plurality of firewalling policy sets with respect to a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources being maintained by the multi-tenant distributed service with a plurality of server computers of the multi-tenant distributed service, the plurality of firewalling policy sets established by a plurality of service users authorized by a plurality of tenants of the multi-tenant distributed service, a policy set of the plurality of firewalling policy sets corresponding to a tenant of the multi-tenant distributed service, and the tenant authorizing one or more of the plurality of service users to establish the policy set with respect to the plurality of provisioned resources;
receiving a first request with respect to a provisioned resource of the plurality of provisioned resources;
submitting a second request targeting the provisioned resource to a common firewalling component of the multi-tenant distributed service, the second request based at least in part on the first request;
identifying, with the common firewalling component, an individual policy set of the plurality of firewalling policy sets that includes at least one firewalling policy with respect to the provisioned resource; and
evaluating the second request with respect to the individual policy set.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18.
19. A computerized system facilitating a multi-tenant distributed service, comprising:
a plurality of resource server computers configured at least to maintain a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources associated with a plurality of firewalling policy sets established by a plurality of service users authorized by a plurality of tenants of the multi-tenant distributed service, a policy set of the plurality of firewalling policy sets corresponding to a tenant of the multi-tenant distributed service, and the tenant authorizing one or more of the plurality of service users to establish the policy set with respect to the plurality of provisioned resources;
at least one interface server computer configured at least to receive requests with respect to the plurality of provisioned resources, the plurality of provisioned resources being maintained by the multi-tenant distributed service with the plurality of resource server computers;
a firewalling component configured to, at least: identify an individual policy set of the plurality of firewalling policy sets that is associated with a request submitted by said at least one interface server computer; evaluate the request with respect to the individual policy set; and provide information corresponding to the evaluation to said at least one interface server computer in response to the submission; and
one or more processors collectively facilitating at least the plurality of resource server computers, said at least one interface server computer, and the firewalling component.
Dependent claims: 20.
21. One or more non-transitory computer-readable media having collectively thereon computer-executable instructions that, when executed by one or more computers, cause the one or more computers to collectively, at least:
maintain a plurality of firewalling policy sets established by a plurality of service users with respect to a plurality of provisioned resources of a multi-tenant distributed service at a plurality of locations within the multi-tenant distributed service, the plurality of provisioned resources being maintained by the multi-tenant distributed service with a plurality of server computers of the multi-tenant distributed service, a policy set of the plurality of firewalling policy sets corresponding to a tenant of the multi-tenant distributed service, and the tenant authorizing one or more of the plurality of service users to establish the policy set with respect to the plurality of provisioned resources;
receive a first request with respect to a provisioned resource of the plurality of provisioned resources and submit a second request targeting the provisioned resource to a common firewalling component of the multi-tenant distributed service, the second request based at least in part on the first request;
identify, with the common firewalling component, an individual policy set of the plurality of firewalling policy sets that includes at least one firewalling policy with respect to the provisioned resource;
obtain, at the common firewalling component, an up-to-date version of the individual policy set based at least in part on the plurality of firewalling policy sets maintained at the plurality of locations; and
evaluate the second request with respect to the up-to-date version of the individual policy set.
Dependent claims: 22, 23.
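The flow the abstract and independent claims 1, 8 and 21 describe (a common firewalling component in the supervisory layer maps the target resource of a first request to the owning tenant's virtual firewall, refreshes that tenant's policy set from whichever location holds the newest version, and submits a derived second request for evaluation), as an added Python illustration that is not part of the patent and not the assignee's code; tenant names, resource identifiers, rule tuples and the two policy locations are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass

Request = namedtuple("Request", "principal action resource")  # principal = authenticated service user

@dataclass(frozen=True)
class PolicySet:             # rules: (principal, action, effect) checked in order, "*" = wildcard
    tenant: str
    version: int
    rules: tuple

    def evaluate(self, req):
        for principal, action, effect in self.rules:
            if principal in (req.principal, "*") and action in (req.action, "*"):
                return effect == "allow"
        return False         # no matching rule: default deny

class VirtualFirewall:       # enforces exactly one tenant's policy set
    def __init__(self, policy): self.policy = policy
    def evaluate(self, req): return self.policy.evaluate(req)

class FirewallingComponent:  # common component in the supervisory layer, distinct from the resources
    def __init__(self, resource_owner, policy_locations):
        self.resource_owner = resource_owner      # resource id -> tenant id
        self.policy_locations = policy_locations  # list of {tenant: PolicySet} stores (constructed)
        self.firewalls = {}                       # tenant -> VirtualFirewall currently in use

    def latest_policy(self, tenant):
        # Up-to-date version = highest version number held at any location.
        copies = [loc[tenant] for loc in self.policy_locations if tenant in loc]
        return max(copies, key=lambda p: p.version, default=None)

    def handle(self, first):
        tenant = self.resource_owner.get(first.resource)
        latest = self.latest_policy(tenant) if tenant else None
        if latest is None:
            return False     # unknown resource or no policy set on record: deny
        fw = self.firewalls.get(tenant)
        if fw is None or fw.policy.version < latest.version:  # update required?
            fw = self.firewalls[tenant] = VirtualFirewall(latest)
        return fw.evaluate(Request(first.principal, first.action, first.resource))  # second request

def demo():
    # Constructed scenario: tenant A revoked alice in version 2, so far present only at location 2.
    a1 = PolicySet("A", 1, (("alice", "read", "allow"),))
    a2 = PolicySet("A", 2, (("alice", "read", "deny"),))
    b1 = PolicySet("B", 1, (("bob", "*", "allow"),))
    fwc = FirewallingComponent({"db-1": "A", "db-2": "B"}, [{"A": a1, "B": b1}, {"A": a2}])
    return {"alice_db1": fwc.handle(Request("alice", "read", "db-1")),   # False: v2 applied
            "bob_db2": fwc.handle(Request("bob", "write", "db-2")),      # True: tenant B unaffected
            "alice_db2": fwc.handle(Request("alice", "read", "db-2"))}   # False: no rule for alice in B
```

A policy change by one tenant only ever replaces that tenant's virtual firewall; other tenants' cached firewalls and decisions are untouched.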
Specification