Virtual firewalls for multi-tenant distributed services

US 8,904,511 B1
Filed: 08/23/2010
Issued: 12/02/2014
Est. Priority Date: 08/23/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for firewalling in a multi-tenant distributed service, comprising:

under control of one or more computer systems configured with executable instructions,provisioning a plurality of computing resources to a plurality of tenants of the multi-tenant distributed service responsive to user interaction with a provisioning user interface of the multi-tenant distributed service, the plurality of provisioned computing resources being maintained by the multi-tenant distributed service with a plurality of server computers of the multi-tenant distributed service;

maintaining, with a firewalling component in a supervisory layer of the multi-tenant distributed service, a plurality of virtual firewalls that enforce a plurality of computing resource policy sets with respect to the plurality of provisioned computing resources, the plurality of computing resource policy sets that include firewalling policies established by a plurality of service users authorized by the plurality of tenants, the firewalling component being distinct from the plurality of provisioned computing resources;

receiving, at a resource user interface of the multi-tenant distributed service, a first request targeting a distinguished computing resource of the plurality of provisioned computing resources;

identifying, with the firewalling component in the supervisory layer of the multi-tenant distributed service, a distinguished virtual firewall of the plurality of virtual firewalls that enforces a distinguished policy set of the plurality of computing resource policy sets with respect to the distinguished computing resource;

checking whether an update of the distinguished policy set is required based at least in part on information associated with the first request; and

submitting a second request targeting the distinguished computing resource, with the firewalling component in the supervisory layer of the multi-tenant distributed service, to the distinguished virtual firewall to obtain enforcement of the distinguished policy set, the second request based at least in part on the first request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.

Citations

27 Claims

1. A computer-implemented method for firewalling in a multi-tenant distributed service, comprising:
- under control of one or more computer systems configured with executable instructions,provisioning a plurality of computing resources to a plurality of tenants of the multi-tenant distributed service responsive to user interaction with a provisioning user interface of the multi-tenant distributed service, the plurality of provisioned computing resources being maintained by the multi-tenant distributed service with a plurality of server computers of the multi-tenant distributed service;
  
  maintaining, with a firewalling component in a supervisory layer of the multi-tenant distributed service, a plurality of virtual firewalls that enforce a plurality of computing resource policy sets with respect to the plurality of provisioned computing resources, the plurality of computing resource policy sets that include firewalling policies established by a plurality of service users authorized by the plurality of tenants, the firewalling component being distinct from the plurality of provisioned computing resources;
  
  receiving, at a resource user interface of the multi-tenant distributed service, a first request targeting a distinguished computing resource of the plurality of provisioned computing resources;
  
  identifying, with the firewalling component in the supervisory layer of the multi-tenant distributed service, a distinguished virtual firewall of the plurality of virtual firewalls that enforces a distinguished policy set of the plurality of computing resource policy sets with respect to the distinguished computing resource;
  
  checking whether an update of the distinguished policy set is required based at least in part on information associated with the first request; and
  
  submitting a second request targeting the distinguished computing resource, with the firewalling component in the supervisory layer of the multi-tenant distributed service, to the distinguished virtual firewall to obtain enforcement of the distinguished policy set, the second request based at least in part on the first request.
- View Dependent Claims (2, 3, 24, 25, 26)
- - 2. A computer-implemented method according to claim 1, wherein the plurality of provisioned computing resources include a plurality of data object storage accounts maintained by the multi-tenant distributed service and the plurality of data object storage accounts correspond to the plurality of tenants of the multi-tenant distributed service.
  - 3. A computer-implemented method according to claim 1, wherein each of the plurality of computing resource policy sets corresponds to one of the plurality of tenants and each tenant authorizes one or more of the plurality of service users to specify, at least in part, the corresponding computing resource policy set.
  - 24. A method according to claim 1, wherein the plurality of provisioned computing resources being maintained by the multi-tenant distributed service are maintained within the multi-tenant distributed service and the first request targeting the distinguished computing resource of the plurality of provisioned computing resources originates from outside the multi-tenant distributed service.
  - 25. A method according to claim 1, wherein the plurality of provisioned computing resources includes a plurality of types of provisioned computing resource, access to each type of provisioned resource is provided with a corresponding user interface maintained by a set of interface server computers, and the set of interface server computers further collectively maintain the firewalling component.
  - 26. A method according to claim 25, wherein access to each type of provisioned resource is provided with a corresponding subset of the interface server computers and, for each type of provisioned resource, the firewalling component caches policies that reference the type of provisioned resource at the corresponding subset of the interface server computers.

4. A computer-implemented method for firewalling in a multi-tenant distributed service, comprising:
- under control of one or more computer systems configured with executable instructions,maintaining, with a firewalling component of the multi-tenant distributed service, a plurality of virtual firewalls implementing a plurality of policy sets that include firewalling policies established by a plurality of service users with respect to a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources being maintained by the multi-tenant distributed service with a plurality of server computers of the multi-tenant distributed service and the plurality of provisioned resources being distinct from the firewalling component, a policy set of the plurality of policy sets corresponding to a tenant of the multi-tenant distributed service, and the tenant authorizing one or more of the plurality of service users to establish the policy set with respect to the provisioned resources;
  
  receiving a first request with respect to a provisioned resource of the plurality of provisioned resources;
  
  identifying, with the firewalling component, a virtual firewall of the plurality of virtual firewalls that implements the policy set of the plurality of policy sets, the policy set including at least one policy with respect to the provisioned resource; and
  
  submitting a second request, with the firewalling component, to the virtual firewall to implement the policy set, the second request based at least in part on the first request.
- View Dependent Claims (5, 6, 7, 27)
- - 5. A computer-implemented method according to claim 4, wherein submitting the second request to the virtual firewall comprises evaluating the request with respect to the policy set.
  - 6. A computer-implemented method according to claim 5, wherein identifying the virtual firewall comprises identifying the policy set based at least in part on a unique identifier associated with the provisioned resource.
  - 7. A computer-implemented method according to claim 4, wherein the first request comprises at least one of:
    - a request to update the provisioned resource or a request to delete the provisioned resource.
  - 27. A method according to claim 6, wherein the unique identifier associated with the provisioned resource is independent of a network address of the provisioned resource.

8. A computer-implemented method for firewalling in a multi-tenant distributed service, comprising:
- under control of one or more computer systems configured with executable instructions,maintaining a plurality of firewalling policy sets with respect to a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources being maintained by the multi-tenant distributed service with a plurality of server computers of the multi-tenant distributed service, the plurality of firewalling policy sets established by a plurality of service users authorized by a plurality of tenants of the multi-tenant distributed service, a policy set of the plurality of firewalling policy sets corresponding to a tenant of the multi-tenant distributed service, and the tenant authorizing one or more of the plurality of service users to establish the policy set with respect to the plurality of provisioned resources;
  
  receiving a first request with respect to a provisioned resource of the plurality of provisioned resources;
  
  submitting a second request targeting the provisioned resource to a common firewalling component of the multi-tenant distributed service, the second request based at least in part on the first request;
  
  identifying, with the common firewalling component, an individual policy set of the plurality of firewalling policy sets that includes at least one firewalling policy with respect to the provisioned resource; and
  
  evaluating the second request with respect to the individual policy set.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 9. A computer-implemented method according to claim 8, wherein the individual policy set includes at least one firewalling policy that conditions success of the second request based at least in part on at least one of:
    - a physical layer communication parameter associated with the second request, a data link layer communication parameter associated with the second request, a network layer communication parameter associated with the second request, a transport layer communication parameter associated with the second request, a session layer communication parameter associated with the second request, a presentation layer communication parameter associated with the second request, or an application layer communication parameter associated with the second request.
  - 10. A computer-implemented method according to claim 8, wherein the individual policy set includes at least one firewalling policy that conditions success of the second request based at least in part on a geographical location associated with the first request.
  - 11. A computer-implemented method according to claim 8, wherein:
    - the plurality of provisioned resources of the multi-tenant distributed service includes a plurality of provisioned resource types; and
      
      the individual policy set includes at least one firewalling policy that conditions success of the second request based at least in part on a set of the provisioned resource types associated with the first request.
  - 12. A computer-implemented method according to claim 8, wherein:
    - each of the plurality of tenants of the multi-tenant distributed service corresponds to a set of the plurality of provisioned resources; and
      
      the individual policy set includes at least one firewalling policy that conditions success of the second request based at least in part on at least one tenant associated with the first request.
  - 13. A computer-implemented method according to claim 8, wherein the individual policy set includes at least one firewalling policy that conditions success of the second request based at least in part on an operating environment parameter.
  - 14. A computer-implemented method according to claim 8, further comprising obtaining firewalling policies in the individual policy set from a plurality of network locations within the multi-tenant distributed service including at least one remote network location with respect to the common firewalling component.
  - 15. A computer-implemented method according to claim 14, wherein firewalling polices obtained from said at least one remote network location are cached locally with respect to the common firewalling component.
  - 16. A computer-implemented method according to claim 14, wherein firewalling policies in the individual policy set are selected based at least in part on the second request.
  - 17. A computer-implemented method according to claim 14, wherein obtaining firewalling policies in the individual policy set comprises obtaining at least one firewalling policy from the second request and cryptographically authenticating said at least one firewalling policy.
  - 18. A computer-implemented method according to claim 8, wherein the plurality of firewalling policy sets includes at least one firewalling policy set with respect to provisioning at least one of the plurality of provisioned resources of the multi-tenant distributed service.

19. A computerized system facilitating a multi-tenant distributed service, comprising:
- a plurality of resource server computers configured at least to maintain a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources associated with a plurality of firewalling policy sets established by a plurality of service users authorized by a plurality of tenants of the multi-tenant distributed service, a policy set of the plurality of firewalling policy sets corresponding to a tenant of the multi-tenant distributed service, and the tenant authorizing one or more of the plurality of service users to establish the policy set with respect to the plurality of provisioned resources;
  
  at least one interface server computer configured at least to receive requests with respect to the plurality of provisioned resources, the plurality of provisioned resources being maintained by the multi-tenant distributed service with the plurality of resource server computers;
  
  a firewalling component configured to, at least;
  
  identify an individual policy set of the plurality of firewalling policy sets that is associated with a request submitted by said at least one interface server computer;
  
  evaluate the request with respect to the individual policy set; and
  
  provide information corresponding to the evaluation to said at least one interface server computer in response to the submission; and
  
  one or more processors collectively facilitating at least the plurality of resource server computers, said at least one interface server computer, and the firewalling component.
- View Dependent Claims (20)
- - 20. A computerized system according to claim 19, wherein said at least one interface server computer includes at least one Web-based interface server computer, and the requests include requests in accordance with a Web-based protocol.

21. One or more non-transitory computer-readable media having collectively thereon computer-executable instructions that, when executed by one or more computers, cause the one or more computers to collectively, at least:
- maintain a plurality of firewalling policy sets established by a plurality of service users with respect to a plurality of provisioned resources of a multi-tenant distributed service at a plurality of locations within the multi-tenant distributed service, the plurality of provisioned resources being maintained by the multi-tenant distributed service with a plurality of server computers of the multi-tenant distributed service, a policy set of the plurality of firewalling policy sets corresponding to a tenant of the multi-tenant distributed service, and the tenant authorizing one or more of the plurality of service users to establish the policy set with respect to the plurality of provisioned resources;
  
  receive a first request with respect to a provisioned resource of the plurality of provisioned resources and submit a second request targeting the provisioned resource to a common firewalling component of the multi-tenant distributed service, the second request based at least in part on the first request;
  
  identify, with the common firewalling component, an individual policy set of the plurality of firewalling policy sets that includes at least one firewalling policy with respect to the provisioned resource;
  
  obtain, at the common firewalling component, an up-to-date version of the individual policy set based at least in part on the plurality of firewalling policy sets maintained at the plurality of locations; and
  
  evaluate the second request with respect to the up-to-date version of the individual policy set.
- View Dependent Claims (22, 23)
- - 22. One or more computer-readable media according to claim 21, wherein:
    - the plurality of provisioned resources includes disjoint sets of provisioned resources corresponding to tenant boundaries, each tenant boundary corresponds to one of the plurality of firewalling policy sets including the individual policy set; and
      
      the individual policy set includes at least one firewalling policy that conditions success of the second request based at least in part on whether the first request would cause data from the provisioned resource to cross the corresponding tenant boundary.
  - 23. One or more computer-readable media according to claim 21, wherein:
    - the plurality of provisioned resources includes sets of provisioned resources corresponding to geographic boundaries; and
      
      the individual policy set includes at least one firewalling policy that conditions success of the second request based at least in part on whether the second request would cause data from the provisioned resource to cross one of the geographic boundaries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
O'Neill, Kevin Ross, Cavage, Mark Joseph, Fitch, Nathan R., Samuelsson, Anders, Pratt, Brian Irl, Behm, Bradley Jeffery, Scharf, James E. Jr., Xiao, Yunong Jeff
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Plotkin, Jason

Application Number

US12/861,692
Time in Patent Office

1,562 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/00   Network arrangements or pro...

Virtual firewalls for multi-tenant distributed services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual firewalls for multi-tenant distributed services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links