Providing local secure network access to remote services

US 9,137,209 B1
Filed: 12/10/2008
Issued: 09/15/2015
Est. Priority Date: 12/10/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing private computer networks with local network access to remote network services, the method comprising:

creating, by a configurable network service running on one or more computer systems, a local private network extension of a remote private computer network, the local private network extension including a first group of multiple computing systems and the remote private computer network including a second group of multiple other computing systems;

receiving, by the configurable network service, configuration information via a provided programmatic interface for configuring the local private network extension, the received configuration information including multiple user-specified private network addresses of the remote private computer network and including information about an indicated remote resource service that is external to the remote private computer network and external to the local private network extension, the received configuration information further including network access constraint information to prevent access from the local private network extension to external computing systems that are not part of the first and second groups of computing systems and not associated with the remote resource service;

associating, by the configurable network service, each of the multiple computing systems of the first group with one of the user-specified private network addresses;

creating a local access mechanism within the local private network extension that represents the remote resource service and that enables interactions with the remote resource service by the multiple computing systems of the local private network extension, the creating of the local access mechanism including assigning, by the configurable network service, one of the user-specified private network addresses to represent the remote resource service within the local private network extension;

configuring, by the configurable network service, the local private network extension to prevent communications from being sent from the multiple computing systems of the first group to network addresses that are not part of the user-specified private network addresses; and

forwarding to the remote resource service, by the configurable network service, communications sent to the one network address assigned to represent the remote resource service, the forwarding occurring via one or more public networks external to the remote private computer network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for providing users with access to computer networks, such as to enable users to create computer networks that are provided by a remote configurable network service for use by the users. Such provided computer networks may be configured to be private computer networks accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. In addition, access to remote resource services may be configured and provided from such computer networks in various manners, such as to include a local access mechanism as part of a provided computer network that is configured to forward communications sent to the access mechanism to a particular remote resource service.

Citations

21 Claims

1. A computer-implemented method for providing private computer networks with local network access to remote network services, the method comprising:
- creating, by a configurable network service running on one or more computer systems, a local private network extension of a remote private computer network, the local private network extension including a first group of multiple computing systems and the remote private computer network including a second group of multiple other computing systems;
  
  receiving, by the configurable network service, configuration information via a provided programmatic interface for configuring the local private network extension, the received configuration information including multiple user-specified private network addresses of the remote private computer network and including information about an indicated remote resource service that is external to the remote private computer network and external to the local private network extension, the received configuration information further including network access constraint information to prevent access from the local private network extension to external computing systems that are not part of the first and second groups of computing systems and not associated with the remote resource service;
  
  associating, by the configurable network service, each of the multiple computing systems of the first group with one of the user-specified private network addresses;
  
  creating a local access mechanism within the local private network extension that represents the remote resource service and that enables interactions with the remote resource service by the multiple computing systems of the local private network extension, the creating of the local access mechanism including assigning, by the configurable network service, one of the user-specified private network addresses to represent the remote resource service within the local private network extension;
  
  configuring, by the configurable network service, the local private network extension to prevent communications from being sent from the multiple computing systems of the first group to network addresses that are not part of the user-specified private network addresses; and
  
  forwarding to the remote resource service, by the configurable network service, communications sent to the one network address assigned to represent the remote resource service, the forwarding occurring via one or more public networks external to the remote private computer network.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 further comprising:
    - configuring, by the configurable network service, a virtual private network connection between the first group of computing systems of the local private network extension and the second group of other computing systems of the remote private computer network; and
      
      forwarding via the virtual private network connection, by the configurable network service, one or more additional communications between the first group of computing systems of the local private network extension and the second group of other computing systems of the remote private computer network.
  - 3. The method of claim 2 wherein the configurable network service is a fee-based service that is accessible to multiple remote users via public networks.

4. A computer-implemented method for providing local network access to remote network services, the method comprising:
- receiving, by one or more computing systems of a configurable network service, one or more requests to initiate creation of a first private computer network that includes multiple computing nodes;
  
  receiving, by the one or more computing systems, configuration information for the first private computer network, the configuration information including multiple specified network addresses for use with the first private computer network and including an indication of a resource service that provides computing-related resources and that is external to the first private computer network;
  
  associating, by the one or more computing systems, each of the multiple computing nodes with one of the specified network addresses;
  
  configuring, by the one or more computing systems, the first private computer network to enable local access from within the first private computer network to the indicated resource service, the configuring including assigning an indicated first one of the specified network addresses that is not associated with one of the multiple computing nodes to represent the indicated resource service within the first private computer network;
  
  configuring, by the one or more computing systems, the first private computer network to block communications from the multiple computing nodes to network addresses that are not part of the specified network addresses in accordance with specified network access constraint information; and
  
  forwarding to the indicated resource service, by the one or more computing systems, one or more communications sent to the first network address by using one or more networks that are external to the first private computer network.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 5. The method of claim 4 wherein the network access constraint information is included in the configuration information and prohibits access of the multiple computing nodes of the first private computer network to computing systems that are not part of the first private computer network other than one or more computing systems of the indicated resource service, and wherein the method further comprises preventing any communications from being sent from the multiple computing nodes to network addresses that are not part of the specified network addresses.
  - 6. The method of claim 4 wherein the first private computer network is provided by the configurable network service as a virtual network overlaid on a substrate network of the configurable network service that interconnects a plurality of computing nodes provided by the configurable network service, wherein the multiple computing nodes of the first private computer network are a subset of the plurality of computing nodes, wherein the specified network addresses are virtual network addresses, and wherein the indicated resource service has a configured local access point that is part of the substrate network, such that the one or more communications sent to the network address representing the indicated resource service are provided to the configured local access point.
  - 7. The method of claim 6 wherein communications sent between the multiple computing nodes as part of the overlaid virtual network are transmitted on the substrate network and are encoded to use information specific to the substrate network during transmission, wherein the configurable network service provides multiple modules that modify outgoing communications from the multiple computing nodes to be encoded with the information specific to the substrate network before transmission over the substrate network and that modify incoming communications to the multiple computing nodes to remove the encoded information specific to the substrate network after the transmission over the substrate network, wherein the providing of the one or more communications to the configured local access point includes transmitting to the configured local access point the one or more communications via the substrate network using encoded information specific to the substrate network, and wherein the configured local access point of the indicated resource service is configured to manage communications transmitted on the substrate network that are encoded with the information specific to the substrate network.
  - 8. The method of claim 6 wherein the configured local access point of the indicated resource service is provided by a computing node provided by the configurable network service, wherein the one or more external networks are public networks, and wherein the configured local access point of the indicated resource service manages the forwarding of the one or more communications from the substrate network to the indicated resource service via the one or more external networks in a secure manner.
  - 9. The method of claim 6 wherein the one or more requests to initiate creation of the first private computer network are from a first remote customer that is one of multiple remote customers of the configurable network service, wherein the one or more computing systems of the configurable network service further configure and provide multiple private computer networks to the multiple remote customers, wherein at least some of the multiple private computer networks are configured to assign network addresses of those at least some private computer networks to the indicated resource service, and wherein the method further comprises managing communications for the at least some private computer networks by forwarding to the configured local access point of the indicated resource service other communications that are sent to the assigned network addresses for the at least some private computer networks.
  - 10. The method of claim 6 wherein the first private computer network is further configured to assign a distinct second one of the specified network addresses to represent a second resource service that is external to the first private computer network, wherein the second resource service has a configured second local access point that is part of the substrate network and that is distinct from the configured local access point of the indicated resource service, and wherein the method further comprises, for one or more other communications sent to the second network address by one or more of the multiple computing nodes, forwarding the one or more other communications to the second resource service by providing the one or more other communications to the configured second local access point.
  - 11. The method of claim 4 wherein the configurable network service provides multiple modules that manage communications between the multiple computing nodes, and wherein the configuring of the first private computer network to enable local access from within the first private computer network to the indicated resource service includes configuring the multiple modules of the configurable network service to forward communications sent to the first network address to the remote resource service over the one or more external networks.
  - 12. The method of claim 4 wherein the multiple computing nodes are a subset of a plurality of computing nodes provided by the configurable network service that are located at a single geographical location, wherein the first private computer network is provided by the configurable network service to a first customer of the configurable network service, wherein the one or more computing systems of the configurable network service further provide a second computer network to a second customer using multiple other of the plurality of computing nodes that are distinct from the multiple computing nodes of the first private computer network, wherein at least one of the multiple other computing nodes of the second computer network provides a network-accessible remote service that is accessible to computing nodes other than the multiple other computing nodes of the second computer network, and wherein the indicated resource service is the remote service provided by the at least one other computing nodes of the second computer network.
  - 13. The method of claim 12 wherein the first private computer network and the second computer network are provided by the configurable network service as distinct virtual networks overlaid on a physical substrate network of the configurable network service that interconnects the plurality of computing nodes, and wherein the forwarding of the one or more communications to the indicated resource service via the one or more external networks includes forwarding the one or more communications from the first private computer network via the substrate network to one or more of the at least one other computing nodes of the second computer network.
  - 14. The method of claim 4 wherein the first private computer network is configured to be an extension of a remote private computer network of a first remote customer, wherein the remote private computer network includes multiple computing systems, wherein the specified multiple network addresses are a subset of a plurality of private network addresses used with the remote private computer network, and wherein the configuring of the first private computer network is further to enable private access between the multiple computing systems of the remote private computer network of the first remote customer and the multiple computing nodes of the first private computer network.
  - 15. The method of claim 14 further comprising managing additional communications sent to the first private computer network from the multiple computing systems of the remote private computer network, the managing of the additional communications including, for one or more other communications sent to the first network address by one or more of the multiple computing systems, forwarding the one or more other communications to the indicated resource service via the one or more external networks.
  - 16. The method of claim 4 wherein the one or more received requests are programmatically made based on invocations of one or more programmatic interfaces provided by the configurable network service for use by multiple remote customers in configuring private computer networks being provided by the configurable network service, wherein the specified network access constraint information is part of the configuration information and is further to control communications between the multiple computing nodes of the first private computer network, and wherein the configuring of the first private computer network to block communications from the multiple computing nodes to network addresses that are not part of the specified network addresses further includes blocking some communications between the multiple computing nodes in accordance with the specified network access constraint information.
  - 17. The method of claim 4 further comprising, under control of the indicated resource service:
    - receiving communications sent from the multiple computing nodes of the first private computer network via the first network address to access at least some of the provided computing-related resources, the received communications including an indication of an identifier that is associated with the first private computer network and that is further associated with the at least some computing-related resources; and
      
      providing one or more of the multiple computing nodes of the first private computer network with access to the at least some computing-related resources associated with the indicated identifier.
  - 18. The method of claim 4 wherein the computing-related resources provided by the indicated resource service include resources for at least one of data storage services and of program execution services and of asynchronous message passing services, wherein the multiple computing nodes are each a virtual machine hosted on one of multiple physical computing systems of the configurable network service, and wherein the method further comprises configuring one or more virtual machine communication manager modules that execute on one or more of the physical computing systems to manage communications for the hosted virtual machines.
  - 19. The method of claim 4 wherein the configurable network service provides the first private computer network to a first remote customer, wherein the configurable network service provides one or more additional private computer networks other than the first private computer network for one or more customers other than the first remote customer, wherein the one or more additional private computer networks have one or more network addresses specified by the one or more other customers that are the same as at least one of the multiple network addresses specified for use with the first private computer network, and wherein the configurable network service further manages those same network addresses such that, for each of those same network addresses, each of the additional private computer networks has a computing node corresponding to that same network address that is distinct from a computing node corresponding to that same network address for the first private computer network.
  - 20. The method of claim 4 wherein the configuration information is received from a first customer of the configurable network service, and wherein the method further comprises permitting the first customer to select any network address for the specified multiple network addresses for use with the first private computer network.
  - 21. The method of claim 4 wherein the received one or more requests are initiated based on one or more interactions of a first remote customer with a graphical user interface displayed to the first remote customer on a computing device of the first remote customer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Cohn, Daniel T., Doane, Andrew J.
Primary Examiner(s)
Woolcock, Madhu

Application Number

US12/332,216
Time in Patent Office

2,470 Days
Field of Search

709/201, 709/202, 709/217, 709/218, 709/219, 709/220, 709/221, 709/222, 709/225, 709/226, 709/228, 709/229, 709/249, 709/250, 709/245
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0806   for initial configuration o...

H04L 45/02   Topology update or discovery

H04L 45/586   of virtual routers

H04L 63/0272   Virtual private networks

H04L 67/02   based on web technology, e....

Providing local secure network access to remote services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Providing local secure network access to remote services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links