Account management services for load balancers
First Claim
1. A system for managing access to a plurality of resources in a multi-tenant computing environment, comprising:
a plurality of resources, each resource of the plurality of resources capable of being accessed in association with an account of a customer of a provider of the plurality of resources;
a first interface enabling the customer to define one or more pools of accounts of the customer, each account of the one or more pools of accounts being associated with one or more users, each pool of accounts associated with a respective policy indicating one or more criteria for providing access to at least one resource of the plurality of resources;
a second interface enabling a request to be received to the multi-tenant computing environment, the request being initiated by a user; and
a load balancer configured to provide an account management service, the account management service being configured to:
determine that the user, corresponding to the received request, corresponds to a determined pool of the one or more pools of accounts of the customer;
determine whether the received request corresponds to an existing session associated with the user and one or more resources associated with the session; and
provide the request to the one or more resources associated with the session based on determining the received request corresponds to an existing session;
or determine that the received request does not correspond to an existing session;
examine the respective policy associated with the determined pool of accounts;
verify that the user, associated with the request, has been authenticated and is authorized, according to the respective policy associated with the determined pool of accounts, to obtain the access to the at least one resource;
determine, using at least one load balancing algorithm, at least one resource of the plurality of resources for processing the request; and
transmit information for the request to the determined at least one resource.
Abstract
A configurable load balancer can be utilized in a multi-tenant environment, where the load balancer can incorporate, or utilize, an account management service operable to perform security tasks such as authentication, authorization, and session management. Customers can utilize the load balancer to control access that users have to resources associated with those customers, without having to build and maintain a dedicated user management system. By implementing security functionality at the load balancer level, traffic can be managed before reaching the resources, which can help to reduce traffic and load on the resources, and can also help to prevent attacks and secure sensitive information. Visibility into the traffic through the load balancer also allows for behavior and usage monitoring, which is helpful for tasks such as billing and usage limit enforcement.
27 Claims
1. (Independent claim; its full text is given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6.
7. A computer-implemented method, comprising:
receiving a request to a load balancing component of a multi-tenant resource environment, the request being initiated by a user, the multi-tenant resource environment including a plurality of resources associated with two or more customers of the multi-tenant resource environment;
determining an account pool associated with the user, the account pool being determined from a set of account pools established by at least one customer of the multi-tenant resource environment, each account of the set of account pools being associated with one or more users;
determining whether the request corresponds to an existing session in the multi-tenant resource environment;
providing the request to a resource associated with the session based at least in part on determining the request corresponds to an existing session;
or determining the request does not correspond to an existing session;
determining, via the load balancing component, a policy specified for the account pool, the policy indicating one or more criteria for processing the request using at least one resource of the plurality of resources;
causing, by the load balancing component, the policy to be evaluated in order to determine that the request satisfies the one or more criteria;
selecting at least one resource of the plurality of resources to process the request; and
transmitting information for the request to the selected resource.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16, 17.
18. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a load balancer, cause the load balancer to:
receive a request associated with a user and at least one of a plurality of resources, the at least one resource being allocated to a customer of the multi-tenant environment, wherein the plurality of resources of the multi-tenant environment are associated with two or more customers of the multi-tenant environment;
determine a pool of accounts associated with the user, the pool of accounts being configured by the customer, each account of the pool of accounts being associated with one or more users;
determine whether the request corresponds to an existing session in the multi-tenant resource environment;
forward the request to a resource associated with the existing session based at least in part on determining the request corresponds to an existing session;
or determine the resource does not correspond to an existing session;
determine at least one policy associated with the determined pool of accounts, the at least one policy indicating one or more criteria for processing the request using the at least one resource, at least one of the one or more criteria being specified by at least one of the customer or a provider of the multi-tenant environment;
evaluate the at least one policy to determine that the request satisfies the one or more criteria;
select at least one resource of the plurality of resources to process the request; and
transmit information for the request to the selected resource.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27.
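The flow that claims 1, 7 and 18 describe, as an added Python sketch that is not code from the patent or its assignee: look up the user's account pool, honour an existing session for that same user, otherwise evaluate the pool policy and only then pick a resource with a load balancing algorithm and forward. The pool names, users, backends and the round-robin choice are constructed assumptions, and authentication is assumed to have happened upstream and is represented by a flag on the request.

```python
import itertools
from dataclasses import dataclass

@dataclass
class Pool:
    users: frozenset        # accounts (users) the customer placed in this pool
    allowed_ops: frozenset  # policy criterion: operations the pool may perform
    backends: tuple         # the customer's resources this pool may be routed to

@dataclass
class Request:
    user: str
    authenticated: bool   # outcome of the upstream authentication step (assumed)
    op: str
    session_id: str = ""  # empty string: client presented no session

class AccountManagingLB:
    # Pool lookup, session check and policy evaluation run here, in front of
    # the resources, so a rejected request never reaches a backend.
    def __init__(self, pools):
        self.pools = pools
        self.sessions = {}  # session_id -> (user, backend): sticky-session table
        self._rr = {n: itertools.cycle(p.backends) for n, p in pools.items()}
        self._ids = itertools.count(1)

    def _pool_for(self, user):
        for name, pool in self.pools.items():
            if user in pool.users:
                return name, pool
        return None, None

    def route(self, req):
        # Returns (backend, session_id) on success or ("reject", reason).
        name, pool = self._pool_for(req.user)
        if pool is None:
            return ("reject", "user belongs to no account pool")
        sess = self.sessions.get(req.session_id)
        if sess is not None and sess[0] == req.user:  # sticky only for same user
            return (sess[1], req.session_id)
        if not req.authenticated:
            return ("reject", "not authenticated")
        if req.op not in pool.allowed_ops:
            return ("reject", "op not permitted by pool policy")
        backend = next(self._rr[name])  # round robin stands in for the LB algorithm
        sid = f"s{next(self._ids)}"
        self.sessions[sid] = (req.user, backend)
        return (backend, sid)

# Constructed sample configuration: one customer with two account pools.
POOLS = {
    "admins": Pool(frozenset({"alice"}), frozenset({"read", "write"}), ("app-1", "app-2")),
    "readers": Pool(frozenset({"bob"}), frozenset({"read"}), ("app-1", "app-2")),
}
```

A session id presented by a different user than the one it was issued to is ignored rather than reused, so the policy check is repeated instead of being bypassed through someone else's session.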
Specification