System and method for isolated virtual image and appliance communication within a cloud environment

US 8,954,964 B2
Filed: 02/27/2012
Issued: 02/10/2015
Est. Priority Date: 02/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method to provide isolated virtual image communication in a virtual computing environment, the method executed by a processor configured to perform a plurality of operations comprising:

isolating a guest virtual machine within a virtual network in a virtual computing environment such that the guest virtual machine is unreachable from outside the virtual network;

formulating, on the guest virtual machine, a service request addressed to a predetermined address that comprises a non-existent address for the service;

attempting to send the service request to the predetermined address, whereupon the service request is transmitted to a resource shared with a security appliance machine in the virtual computing environment, wherein the resource is not located at the predetermined address;

forwarding the service request from the resource to the security appliance machine;

formulating a reply to the service request at the security appliance machine;

transmitting the reply from the security appliance machine to the resource; and

transmitting the reply from the resource to the guest virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and methods for providing isolated virtual image communication in a virtual computing environment. Initially, a guest virtual machine that is activated in a virtual computing environment may be isolated into a private network. A service request may then be formulated at the guest virtual machine and addressed to a predetermined non-existent address. The request is then ostensibly sent to the predetermined address, whereupon the service request is actually transmitted to a shared resource with a security appliance machine in the virtual computing environment. The request is then forwarded to the security appliance machine and a reply formulated. The reply is sent back to the guest virtual machine via the shared resource.

65 Citations

View as Search Results

33 Claims

1. A method to provide isolated virtual image communication in a virtual computing environment, the method executed by a processor configured to perform a plurality of operations comprising:
- isolating a guest virtual machine within a virtual network in a virtual computing environment such that the guest virtual machine is unreachable from outside the virtual network;
  
  formulating, on the guest virtual machine, a service request addressed to a predetermined address that comprises a non-existent address for the service;
  
  attempting to send the service request to the predetermined address, whereupon the service request is transmitted to a resource shared with a security appliance machine in the virtual computing environment, wherein the resource is not located at the predetermined address;
  
  forwarding the service request from the resource to the security appliance machine;
  
  formulating a reply to the service request at the security appliance machine;
  
  transmitting the reply from the security appliance machine to the resource; and
  
  transmitting the reply from the resource to the guest virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the non-existent address is stored at the guest virtual machine.
  - 3. The method of claim 1, wherein the resource shared with the security appliance machine is a network filter.
  - 4. The method of claim 1, wherein the resource shared with the security appliance machine runs on a hypervisor that supports the guest virtual machine and the security appliance machine.
  - 5. The method of claim 1, wherein the service request is formulated using information from the security appliance machine.
  - 6. The method of claim 1, wherein the service request is formulated using information from a further resource within the virtual computing environment.
  - 7. The method of claim 1, wherein the service request is formulated using information from a resource outside of the virtual computing environment.
  - 8. The method of claim 1, wherein formulating a reply to the service request further comprises determining, at the security appliance machine, that the predetermined address indicates that the guest virtual machine is isolated within the virtual network.
  - 9. The method of claim 1, wherein formulating a reply to the service request further comprises determining, at the security appliance machine, what resources are needed to service the request by inspecting an information content of the request.
  - 10. The method of claim 1, wherein formulating a service request is performed because the guest virtual machine has been moved from a first host to a second host, and wherein the service request relates to verification of the second host.
  - 11. The method of claim 1, wherein the service request relates to a software update.

12. A system to provide isolated virtual image communication in a virtual computing environment, the system comprising:
- a processor configured to;
  
  isolate a guest virtual machine within a virtual network in a virtual computing environment such that the guest virtual machine is unreachable from outside the virtual network,formulate, on the guest virtual machine, a service request addressed to a predetermined address that comprises a non-existent address for the service,attempt to send the service request to the predetermined address, whereupon the service request is transmitted to a resource shared with a security appliance machine in the virtual computing environment, wherein the resource is not located at the predetermined address,forward the service request from the resource to the security appliance machine,formulate a reply to the service request at the security appliance machine,transmit the reply from the security appliance machine to the resource, andtransmit the reply from the resource to the guest virtual machine.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the predetermined address is a non-existent address stored at the guest virtual machine.
  - 14. The system of claim 12, wherein the resource shared with the security appliance machine is a network filter.
  - 15. The system of claim 12, wherein the resource shared with the security appliance machine runs on a hypervisor that supports the guest virtual machine and the security appliance machine.
  - 16. The system of claim 12, wherein the service request is formulated using information from the security appliance machine.
  - 17. The system of claim 12, wherein the service request is formulated using information from a further resource within the virtual computing environment.
  - 18. The system of claim 12, wherein the service request is formulated using information from a resource outside of the virtual computing environment.
  - 19. The system of claim 12, wherein the processor configured to formulate a reply to the service request is further configured to determine, at the security appliance machine, that the predetermined address indicates that the guest virtual machine is isolated within the virtual network.
  - 20. The system of claim 12, wherein the processor configured to formulate a reply to the service request is further configured to determine, at the security appliance machine, what resources are needed to service the request by inspection of an information content of the request.
  - 21. The system of claim 12, wherein formulation of a service request is performed because the guest virtual machine has been moved from a first host to a second host, and wherein the service request relates to verification of the second host.
  - 22. The system of claim 12, wherein the service request relates to a software update.

23. A non-transitory computer-readable medium having computer-executable instructions thereon, to provide isolated virtual image communication in a virtual computing environment, the computer-executable instructions, when executed by a processor cause the processor to perform a plurality of operations comprising:
- isolate a guest virtual machine within a virtual network in a virtual computing environment such that the guest virtual machine is unreachable from outside the virtual network;
  
  formulate, on the guest virtual machine, a service request addressed to a predetermined address that comprises a non-existent address for the service;
  
  attempt to send the service request to the predetermined address, whereupon the service request is transmitted to a resource shared with a security appliance machine in the virtual computing environment, wherein the resource is not located at the predetermined address;
  
  forward the service request from the resource to the security appliance machine;
  
  formulate a reply to the service request at the security appliance machine;
  
  transmit the reply from the security appliance machine to the resource; and
  
  transmit the reply from the resource to the guest virtual machine.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer-readable medium of claim 23, wherein the non-existent address is stored at the guest virtual machine.
  - 25. The computer-readable medium of claim 23, wherein the resource shared with the security appliance machine is a network filter.
  - 26. The computer-readable medium of claim 23, wherein the resource shared with the security appliance machine runs on a hypervisor that supports the guest virtual machine and the security appliance machine.
  - 27. The computer-readable medium of claim 23, wherein the service request is formulated using information from the security appliance machine.
  - 28. The computer-readable medium of claim 23, wherein the service request is formulated using information from a further resource within the virtual computing environment.
  - 29. The computer-readable medium of claim 23, wherein the service request is formulated using information from a resource outside of the virtual computing environment.
  - 30. The computer-readable medium of claim 23, wherein the computer-executable instructions that cause the processor to formulate a reply to the service request further cause the processor to determine, at the security appliance machine, that the predetermined address indicates that the guest virtual machine is isolated within the virtual network.
  - 31. The computer-readable medium of claim 23, wherein the computer-executable instructions that cause the processor to formulate a reply to the service request further cause the processor to determine, at the security appliance machine, what resources are needed to service the request by inspection of an information content of the request.
  - 32. The computer-readable medium of claim 23, wherein formulation of a service request is performed because the guest virtual machine has been moved from a first host to a second host, and wherein the service request relates to verification of the second host.
  - 33. The computer-readable medium of claim 23, wherein the service request relates to a software update.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Weinstein, Igal, Barak, Nir
Primary Examiner(s)
Puente, Emerson
Assistant Examiner(s)
Sun, Charlie

Application Number

US13/406,088
Publication Number

US 20130227550A1
Time in Patent Office

1,079 Days
Field of Search

726/15, 718/1
US Class Current

718/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

System and method for isolated virtual image and appliance communication within a cloud environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for isolated virtual image and appliance communication within a cloud environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links