Configure interconnections between networks hosted in datacenters

US 9,306,949 B1
Filed: 03/12/2013
Issued: 04/05/2016
Est. Priority Date: 03/12/2013
Status: Active Grant

First Claim

Patent Images

1. A system for configuring communication between virtualized private networks, the system comprising:

one or more datacenters comprising one or more computing devices configured to communicate with each other over network connections within the one or more datacenters;

the one or more computing devices further configured to host a first virtualized private network comprising a first compute instance hosted on the one or more computing devices, the first virtualized private network being associated with a first entity;

the one or more computing devices further configured to host a second virtualized private network comprising a second compute instance hosted on the one or more computing devices, the second virtualized private network associated with a second entity, wherein the second virtualized private network is isolated from the first virtualized private network and wherein the first entity is different from the second entity; and

one or more memories having stored therein computer-readable instructions that, upon execution on the system, cause the system to at least;

determine that the first entity has authorized the second entity to access the first compute instance;

provide the second compute instance with a network address associated with the first virtualized private network via the network connections; and

route a communication that is addressed with the network address from the second compute instance to the first compute instance via the network connections.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and computer-readable media are described for connecting private networks that may otherwise be isolated. More particularly, the private networks may include private clouds that may be operated on a plurality of datacenters. A determination may be made as to whether network connections between the private clouds may be established and as to what compute resources of the private clouds may be exposed to the network connections. This determination may be used to generate virtual network paths that may be configured to route traffic between the private clouds.

139 Citations

23 Claims

1. A system for configuring communication between virtualized private networks, the system comprising:
- one or more datacenters comprising one or more computing devices configured to communicate with each other over network connections within the one or more datacenters;
  
  the one or more computing devices further configured to host a first virtualized private network comprising a first compute instance hosted on the one or more computing devices, the first virtualized private network being associated with a first entity;
  
  the one or more computing devices further configured to host a second virtualized private network comprising a second compute instance hosted on the one or more computing devices, the second virtualized private network associated with a second entity, wherein the second virtualized private network is isolated from the first virtualized private network and wherein the first entity is different from the second entity; and
  
  one or more memories having stored therein computer-readable instructions that, upon execution on the system, cause the system to at least;
  
  determine that the first entity has authorized the second entity to access the first compute instance;
  
  provide the second compute instance with a network address associated with the first virtualized private network via the network connections; and
  
  route a communication that is addressed with the network address from the second compute instance to the first compute instance via the network connections.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the communication comprises a packet, and wherein the instructions that, upon execution on the system, cause the system to at least route the communication further cause the system to at least:
    - encapsulate the packet with an identifier associated with the first virtualized network and an address associated with a computing device from the one or more computing devices, the first compute instance being instantiated on the computing device.
  - 3. The system of claim 1, wherein the first and second virtualized networks are further configured to communicate with a public network.

4. A method for connecting two or more networks hosted on a private network, the method comprising:
- verifying that a second network has permission to access a first network by receiving information indicative of an authorization to access the first network from a computing node associated with a second entity, wherein the authorization is provided to the second entity from a first entity, the first and second entities being different from each other, the first network being associated with the first entity, the second network being associated with the second entity, and the first network and the second network being isolated from each other, wherein the first network is inaccessible to the second network except by way of the address of the first computing node;
  
  identifying a first computing node of the first network associated with the permission; and
  
  generating a network path between the first network and the second network by way of the private network, the network path being based at least in part on an address of the first computing node.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The method of claim 4, wherein the first network is a first virtualized private network, wherein the second network is a second virtualized private network.
  - 6. The method of claim 4, wherein the verifying that the second network has permission to access the first network comprises receiving information indicative of the permission from a computing node associated with the first entity.
  - 7. The method of claim 4, wherein the verifying that the second network has permission to access the first network comprises a first verification that the access is permitted and a second verification that the access is permitted, wherein the first verification is associated with verifying the first entity, and wherein the second verification is associated with verifying the second entity.
  - 8. The method of claim 4, wherein the identifying the first computing node of the first network comprises receiving the address of the first computing node.
  - 9. The method of claim 8, wherein the address is an internet protocol (IP) address.
  - 10. The method of claim 9, wherein the IP address is a public IP address of a router that is configured to route traffic to the first computing node, wherein the first network includes the router.
  - 11. The method of claim 4, wherein generating the network path comprises:
    - generating a routing table associated with the address of the first computing node; and
      
      providing the routing table to a router of the private network, wherein the first network and the second network do not include the router.
  - 12. The method of claim 4, further comprising:
    - verifying that the first network has permission to access the second network;
      
      identifying a second computing node of the second network associated with the permission; and
      
      providing an address of the second computing node to the first network.

13. A non-transitory computer-readable medium comprising instructions that, upon execution on a system of a private network comprising a plurality of computing nodes, cause the system to perform operations comprising:
- determining that a first entity associated with a first computing node of the plurality of computing nodes has allowed a second entity associated with a second computing node of the plurality of computing nodes to access the first computing node by way of the private network, wherein the first computing node is on a virtualized network that is isolated from the second computing node and wherein the first entity is different from the second entity, and wherein the virtualized network is inaccessible to the second computing node except by way of the address of the first computing node, the first computing node being previously inaccessible by the second computing node;
  
  identifying a compute resource of the first computing node that the first entity has allowed the second entity to access by way of the second computing node; and
  
  generating a network connection between the second computing node and the compute resource based at least in part on the identification of the compute resource, the network connection comprising a third computing node of the plurality of computing nodes.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The non-transitory computer-readable medium of claim 13, wherein determining that the first entity has allowed the second entity to access the first computing node by way of the private network comprises:
    - transmitting first data to a computing device associated with the first entity; and
      
      verifying that second data matches the first data, wherein the second data is received from a computing device associated with the second entity.
  - 15. The non-transitory computer-readable medium of claim 13, wherein identifying the compute resource comprises generating an interface configured for use by the first entity and a receipt by way of the interface an address or a description of the compute resource.
  - 16. The non-transitory computer-readable medium of claim 13, wherein the first computing node is a first virtual computing node, wherein the second computing node is a second virtual computing node, and wherein the compute resource is a compute instance.
  - 17. The non-transitory computer-readable medium of claim 16, wherein the network connection comprises a virtual network path between the first virtual computing node and the second virtual computing node.
  - 18. The non-transitory computer-readable medium of claim 17, wherein the virtual network path comprises a first virtual edge that is instantiated at the first virtual computing node, a second virtual edge that is instantiated at the second virtual computing node, a third virtual edge and a fourth virtual edge that are instantiated at the private network and outside of the first virtual computing node and the second virtual computing node, and wherein the first virtual edge, the second virtual edge, the third virtual edge, and the fourth edge are configured to route traffic between the first virtual computing node and the second virtual computing node.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the first virtual edge, the second virtual edge, the third virtual edge, and the fourth edge are associated with a plurality of virtual routing tables, wherein at least one virtual routing table of the plurality of virtual routing comprises addresses of compute instances, and wherein at least a second virtual routing table of the plurality of virtual routing table comprise addresses of compute instances and addresses of physical compute resources.
  - 20. The non-transitory computer-readable medium of claim 19, further comprising instructions that, upon execution on the system, cause the system to perform operations comprising:
    - determining that the first entity has allowed a third entity to access the first computing node by way of the second computing node.
  - 21. The non-transitory computer-readable medium of claim 20, further comprising instructions that, upon execution on the system, cause the system to perform operations comprising:
    - configuring an instance at the second computing node for routing data between the first computing node and a computing node of the plurality of computing nodes associated with the third entity.
  - 22. The non-transitory computer-readable medium of claim 20, further comprising instructions that, upon execution on the system, cause the system to perform operations comprising:
    - determining that the second entity has allowed a fourth entity to access the second computing node by way of the first computing node; and
      
      generating a virtual network path between a computing node associated with the third entity and a computing node associated with the fourth entity.
  - 23. The non-transitory computer-readable medium of claim 19, further comprising instructions that, upon execution on the system, cause the system to perform operations comprising:
    - determining that the first entity has allowed a third entity to access the second computing node by way of the first computing node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Richard, Jacques Joshua, Hill, Peter John
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
Naghdali, Khalil

Application Number

US13/795,402
Time in Patent Office

1,120 Days
Field of Search

726/1, 726/15
US Class Current

1/1
CPC Class Codes

H04L 12/2859   Point-to-point connection b...

H04L 63/0272   Virtual private networks

H04L 63/10   for controlling access to d...

Configure interconnections between networks hosted in datacenters

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

139 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Configure interconnections between networks hosted in datacenters

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others