Secure tunnel infrastructure between hosts in a hybrid network environment
Abstract
Technologies are described herein for establishing a secure tunnel infrastructure between host computers in a hybrid network environment. A first network tunnel is established between a border device in a first network and a border device in a second network. A second network tunnel is established between a first host computer in the first network and the border device in the first network. Similarly, a third network tunnel is established between the border device in the second network and a second host computer in the second network. The networking infrastructures of the first and second networks are then configured so that network packets from the first host computer arriving at the border device in the first network through the second network tunnel are sent through the first network tunnel to the border device in the second network, and then through the third network tunnel to the second host computer.
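The forwarding chain the abstract describes, as an added example that is not code from the patent: host A pushes a packet into tunnel 2 to its border device, the border device re-encapsulates it into the substrate-level tunnel 1 (whose endpoints are unused substrate addresses, as in claim 1), and the far border device maps the overlay destination to host B and sends it down tunnel 3. The simulation also applies the point in claim 14 as a narrow exemption: only the two overlay addresses picked for the migration pass the border firewall, so a different overlay source cannot ride the same tunnel. The class names, the address ranges and the firewall policy are illustrative assumptions.

```python
"""Simulation of the three-tunnel migration path (tunnel 2 -> tunnel 1 -> tunnel 3).
Added example, not code from the patent; names, address ranges and the
firewall policy are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass
class Network:
    name: str
    substrate: ipaddress.IPv4Network   # address space the tunnels ride on
    overlay: ipaddress.IPv4Network     # address space the VMs see
    in_use: set = field(default_factory=set)

    def allocate_unused(self, pool):
        """First address in `pool` that no device in this network already uses."""
        for addr in pool.hosts():
            if addr not in self.in_use:
                self.in_use.add(addr)
                return addr
        raise RuntimeError(f"{self.name}: {pool} exhausted")


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    payload: bytes
    outer: tuple = ()   # stack of (outer_src, outer_dst) tunnel headers

    def encap(self, osrc, odst):
        return Packet(self.src, self.dst, self.payload, self.outer + ((osrc, odst),))

    def decap(self):
        return Packet(self.src, self.dst, self.payload, self.outer[:-1])


@dataclass
class MigrationPath:
    net_a: Network
    net_b: Network
    host_a: IPv4      # substrate address of the source host
    host_b: IPv4      # substrate address of the destination host
    border_a: IPv4
    border_b: IPv4
    t1_a: IPv4        # tunnel 1 endpoint in net_a (an unused substrate address)
    t1_b: IPv4        # tunnel 1 endpoint in net_b
    ov_a: IPv4        # overlay address mapped to host_a for the migration
    ov_b: IPv4        # overlay address mapped to host_b

    def firewall_allows(self, pkt):
        """Rules are relaxed only for the two migration overlay addresses;
        any other cross-network overlay traffic stays blocked (assumed policy)."""
        return {pkt.src, pkt.dst} == {self.ov_a, self.ov_b}


def build_migration_path(net_a, net_b, host_a, host_b, border_a, border_b):
    """Allocate tunnel 1 endpoints and per-host overlay addresses, all unused."""
    net_a.in_use.update((host_a, border_a))
    net_b.in_use.update((host_b, border_b))
    return MigrationPath(
        net_a, net_b, host_a, host_b, border_a, border_b,
        t1_a=net_a.allocate_unused(net_a.substrate),
        t1_b=net_b.allocate_unused(net_b.substrate),
        ov_a=net_a.allocate_unused(net_a.overlay),
        ov_b=net_b.allocate_unused(net_b.overlay),
    )


def trace(p, src, dst, payload):
    """Walk one packet from host_a towards host_b; return the list of
    (device, action, outer-header stack) hops, ending at delivery or the drop."""
    pkt = Packet(src, dst, payload).encap(p.host_a, p.border_a)   # tunnel 2
    hops = [("host_a", "encap tunnel2", pkt.outer)]
    pkt = pkt.decap()                                             # border A terminates tunnel 2
    if not p.firewall_allows(pkt):
        return hops + [("border_a", "drop", pkt.outer)]
    if pkt.dst not in p.net_b.overlay:
        return hops + [("border_a", "no route", pkt.outer)]
    pkt = pkt.encap(p.t1_a, p.t1_b)                               # tunnel 1 (substrate level)
    hops.append(("border_a", "encap tunnel1", pkt.outer))
    pkt = pkt.decap()                                             # border B terminates tunnel 1
    if pkt.dst != p.ov_b:
        return hops + [("border_b", "no mapping", pkt.outer)]
    pkt = pkt.encap(p.border_b, p.host_b)                         # tunnel 3
    hops.append(("border_b", "encap tunnel3", pkt.outer))
    pkt = pkt.decap()                                             # host B terminates tunnel 3
    hops.append(("host_b", "deliver", pkt.outer))
    return hops


def demo():
    """Constructed sample: a private network and a VPC, one host and one border each."""
    net_a = Network("private", ipaddress.IPv4Network("10.0.0.0/24"),
                    ipaddress.IPv4Network("192.168.1.0/24"))
    net_b = Network("vpc", ipaddress.IPv4Network("10.1.0.0/24"),
                    ipaddress.IPv4Network("192.168.2.0/24"))
    path = build_migration_path(net_a, net_b, IPv4("10.0.0.10"), IPv4("10.1.0.10"),
                                IPv4("10.0.0.1"), IPv4("10.1.0.1"))
    good = trace(path, path.ov_a, path.ov_b, b"vm memory page")
    rogue = trace(path, IPv4("192.168.1.50"), path.ov_b, b"not a migration")
    return path, good, rogue


if __name__ == "__main__":
    path, good, rogue = demo()
    print("tunnel 1 endpoints:", path.t1_a, "<->", path.t1_b)
    for hop in good + rogue:
        print(*hop)
```

The allocator skips the border device's own address (10.0.0.1 is marked in use) and hands tunnel 1 the next free substrate address on each side, which is the "unused substrate IP address" of claim 1. The rogue trace shows why the firewall exemption should be scoped to exactly the two migration addresses rather than to the tunnel: a second overlay source in the private network is dropped at border A before it can reach the substrate tunnel.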
18 Claims
1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a computer, cause the computer to:
assign a first unused substrate IP address from a first network to an endpoint of a first network tunnel at the first network, the first network tunnel comprising a contained substrate-level tunnel between a first border device in the first network and a second border device in the second network;
assign a second unused substrate IP address from the second network to the endpoint of the first network tunnel at the second network;
establish a second network tunnel between a first host computer in the first network and the first border device in the first network; and
establish a third network tunnel between a second host computer in the second host network and the second border device in the second network,
wherein network packets destined for the first unused substrate IP address from the first host computer are configured to be sent to the first border device through the second network tunnel and are further configured to be sent through the first network tunnel to the second border device, the network packets being used for a migration of a virtual machine from the first host computer to the second host computer, and
wherein the network packets received at the second border device are configured to be forwarded to the second host computer using the third network tunnel.
(Dependent claims 2, 3 and 4 are not reproduced here.)
5. A computer-implemented method of establishing a secure tunnel infrastructure between a first host computer in a private network and a second host computer in a virtual private network, the method comprising executing instructions in a computer system to perform the operations of:
selecting a first unused overlay IP address from an overlay address space of the private network, a networking infrastructure of the private network configured to map the first unused overlay IP address to the first host computer;
selecting a second unused overlay IP address from an overlay address space of the virtual private network, a networking infrastructure of the virtual private network configured to map the second unused overlay IP address to the second host computer;
establishing a first network tunnel between a first border device in the private network and a second border device in the virtual private network;
establishing a second network tunnel between the first host computer and the first border device; and
establishing a third network tunnel between the second border device and the second host computer,
wherein network packets from the first host computer are configured to be sent to the first border device through the second network tunnel and are further configured to be sent through the first network tunnel to the second border device, the network packets being used for a migration of a virtual machine from the first host computer to the second host computer, and
wherein the network packets received at the second border device are forwarded to the second host computer using the third network tunnel.
(Dependent claims 6 to 13 are not reproduced here.)
14. A system comprising:
one or more processors; and
a main memory coupled to the one or more processors and configured with one or more software modules that cause the one or more processors to establish a network tunnel between a first border device in a first network and a second border device in a second network, wherein the first border device is configured to forward network packets destined for an overlay address space of the second network to the second border device in the second network,
configuring a networking infrastructure of the first network to map a first overlay IP address from the overlay address space of the first network to a first host computer in the first network, and
configuring a networking infrastructure of the second network to map a second overlay IP address from an overlay address space of the second network to a second host computer in the second network,
wherein the networking infrastructure of the first network is configured so that network packets destined for the second overlay IP address from the first host computer are sent directly to the first border device, through the first network tunnel to the second border device, the network packets being used for a migration of a virtual machine from the first host computer to the second host computer,
wherein the network packets received at the second border device are configured to be forwarded to the second host computer using a second network tunnel established between the second host computer and the second border device, and
wherein the networking infrastructures of the first network and the second network are further configured to disable firewall rules regarding the first overlay IP address and the second overlay IP address.
(Dependent claims 15 to 18 are not reproduced here.)