Secure tunnel infrastructure between hosts in a hybrid network environment

US 9,164,795 B1
Filed: 03/30/2012
Issued: 10/20/2015
Est. Priority Date: 03/30/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a computer, cause the computer to:

assign a first unused substrate IP address from a first network to an endpoint of a first network tunnel at the first network, the first network tunnel comprising a contained substrate-level tunnel between a first border device in the first network and a second border device in the second network;

assign a second unused substrate IP address from the second network to the endpoint of the first network tunnel at the second network;

establish a second network tunnel between a first host computer in the first network and the first border device in the first network; and

establish a third network tunnel between a second host computer in the second host network and the second border device in the second network,wherein network packets destined for the first unused substrate IP address from the first host computer are configured to be sent to the first border device through the second network tunnel and are further configured to be sent through the first network tunnel to the second border device, the network packets being used for a migration of a virtual machine from the first host computer to the second host computer, andwherein the network packets received at the second border device are configured to be forwarded to the second host computer using the third network tunnel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies are described herein for establishing a secure tunnel infrastructure between host computers in a hybrid network environment. A first network tunnel is established between a border device in a first network and a border device in a second network. A second network tunnel is established between a first host computer in the first network and the border device in the first network. Similarly, a third network tunnel is established between the border device in the second network and a second host computer in the second network. The networking infrastructures of the first and second networks are then configured so that network packets from the first host computer arriving at the border device in the first network through the second network tunnel are sent through the first network tunnel to the border device in the second network, and then through the third network tunnel to the second host computer.

Citations

18 Claims

1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a computer, cause the computer to:
- assign a first unused substrate IP address from a first network to an endpoint of a first network tunnel at the first network, the first network tunnel comprising a contained substrate-level tunnel between a first border device in the first network and a second border device in the second network;
  
  assign a second unused substrate IP address from the second network to the endpoint of the first network tunnel at the second network;
  
  establish a second network tunnel between a first host computer in the first network and the first border device in the first network; and
  
  establish a third network tunnel between a second host computer in the second host network and the second border device in the second network,wherein network packets destined for the first unused substrate IP address from the first host computer are configured to be sent to the first border device through the second network tunnel and are further configured to be sent through the first network tunnel to the second border device, the network packets being used for a migration of a virtual machine from the first host computer to the second host computer, andwherein the network packets received at the second border device are configured to be forwarded to the second host computer using the third network tunnel.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-readable storage medium of claim 1, wherein the first network tunnel is established through a public network.
  - 3. The computer-readable storage medium of claim 1, wherein the first network comprises a private network and the second network comprises a virtual private network.
  - 4. The computer-readable storage medium of claim 1, wherein a secure communication channel is established through the first, second, and third network tunnels for the migration of a virtual machine from the first host computer to the second host computer.

5. A computer-implemented method of establishing a secure tunnel infrastructure between a first host computer in a private network and a second host computer in a virtual private network, the method comprising executing instructions in a computer system to perform the operations of:
- selecting a first unused overlay IP address from an overlay address space of the private network, a networking infrastructure of the private network configured to map the first unused overlay IP address to the first host computer;
  
  selecting a second unused overlay IP address from an overlay address space of the virtual private network, a networking infrastructure of the virtual private network configured to map the second unused overlay IP address to the second host computer;
  
  establishing a first network tunnel between a first border device in the private network and a second border device in the virtual private network;
  
  establishing a second network tunnel between the first host computer and the first border device; and
  
  establishing a third network tunnel between the second border device and the second host computer,wherein network packets from the first host computer are configured to be sent to the first border device through the second network tunnel and are further configured to be sent through the first network tunnel to the second border device, the network packets being used for a migration of a virtual machine from the first host computer to the second host computer, andwherein the network packets received at the second border device are forwarded to the second host computer using the third network tunnel.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The computer-implemented method of claim 5, wherein the first network tunnel comprises a contained substrate-level tunnel such that network packets arriving at the second border device through the first network tunnel are forwarded by the second border device through the third network tunnel to the second host computer and not allowed to enter a substrate network of the second network.
  - 7. The computer-implemented method of claim 5, wherein the address space of the private network and the address space of the virtual private network overlap.
  - 8. The computer-implemented method of claim 5, wherein the first border device is configured to forward network packets destined for the overlay address space of the virtual private network through the first network tunnel and to the second border device in the virtual private network.
  - 9. The computer-implemented method of claim 8, wherein the first unused overlay IP address and the second unused overlay IP address comprise portal IP addresses used specifically for a migration of a virtual machine, and wherein the networking infrastructures of the private network and the virtual private network are further configured to block the first overlay IP address and the second overlay IP address for further use until the migration is complete.
  - 10. The computer-implemented method of claim 8, wherein the networking infrastructures of the private network and the virtual private network are further configured to disable firewall rules regarding the first overlay IP address and the second overlay IP address.
  - 11. The computer-implemented method of claim 5, wherein the first network tunnel is established through a public network.
  - 12. The computer-implemented method of claim 5, wherein a secure communication channel is established through the first, second, and third network tunnels for a migration of a virtual machine from the first host computer to the second host computer.
  - 13. The computer-implemented method of claim 12, wherein the third network tunnel is terminated at a virtual machine manager of the second host computer and packets arriving through the third network tunnel at the virtual machine manager are forwarded to a replication engine on the second host computer responsible for the migration of the virtual machine.

14. A system comprising:
- one or more processors; and
  
  a main memory coupled to the one or more processors and configured with one or more software modules that cause the one or more processors toestablish a network tunnel between a first border device in a first network and a second border device in a second network, wherein the first border device is configured to forward network packets destined for an overlay address space of the second network to the second border device in the second network,configuring a networking infrastructure of the first network to map a first overlay IP address from the overlay address space of the first network to a first host computer in the first network, andconfiguring a networking infrastructure of the second network to map a second overlay IP address from an overlay address space of the second network to a second host computer in the second network,wherein the networking infrastructure of the first network is configured so that network packets destined for the second overlay IP address from the first host computer are sent directly to the first border device, through the first network tunnel to the second border device, the network packets being used for a migration of a virtual machine from the first host computer to the second host computer,wherein the network packets received at the second border device are configured to be forwarded to the second host computer using a second network tunnel established between the second host computer and the second border device, andwherein the networking infrastructures of the first network and the second network are further configured to disable firewall rules regarding the first overlay IP address and the second overlay IP address.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the network packets destined for the second overlay IP address arriving at the second host computer are received by a virtual machine manager of the second host computer and forwarded to a replication engine on the second host computer performing a migration of a virtual machine from the first host computer to the second host computer.
  - 16. The system of claim 14, wherein the first network comprises a private network and the second network comprises a virtual private network.
  - 17. The system of claim 14, wherein the network tunnel is established through a public network.
  - 18. The system of claim 14, wherein the first overlay IP address and the second overlay IP address comprise portal IP addresses that are specifically used for a migration of a virtual machine, and wherein the networking infrastructures of the first network and the second network are further configured to block the first overlay IP address and the second overlay IP address for further use until the migration is complete.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Vincent, Pradeep
Primary Examiner(s)
Wasel, Mohamed
Assistant Examiner(s)
WU, TSUNG YIN

Application Number

US13/435,257
Time in Patent Office

1,299 Days
Field of Search

709226-229, 709/220, 709/223, 709/245
US Class Current

1/1
CPC Class Codes

G06F 9/4856 resumption being on a diffe...

H04L 12/4633 Interconnection of networks...

Secure tunnel infrastructure between hosts in a hybrid network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure tunnel infrastructure between hosts in a hybrid network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links