Virtual communication endpoint services

US 9,444,800 B1
Filed: 11/20/2012
Issued: 09/13/2016
Est. Priority Date: 11/20/2012
Status: Active Grant

First Claim

Patent Images

1. A system for managing requests for a customer service, comprising:

at least one processor; and

a memory storing instructions that, when executed by the at least one processor, cause the system to;

receive, via an interface layer configured to communicate with a customer of the multi-tenant environment, a request to define a virtual endpoint for at least performing authentication of requests directed to the customer service, wherein the customer service is offered by the customer of the multi-tenant environment using one or more resources of the multi-tenant environment, and wherein the request includes application information associated with an endpoint interface used to enable access to the customer service via the virtual endpoint; and

define the virtual endpoint for the customer service in response to receiving the request; and

enable access to the endpoint interface for the customer service by a virtual load balancer of the multi-tenant environment, the virtual load balancer configured to;

receive a communication that is originated from a computing device of a caller and sent to the virtual endpoint via a communication network connection, the communication including a signature generated using at least one security credential;

determine whether the signature is a valid signature associated with the caller;

determine identity information for the caller associated with the communication;

determine one or more policies to be evaluated for the communication based at least in part upon the identity information;

determine whether the communication satisfies the one or more policies including whether the caller has agreed to pay relevant charges; and

forward, to the endpoint interface for the customer service, the communication that was received at the virtual endpoint, wherein the endpoint interface processes the communication after the signature is determined to be valid and after the communication is determined to be allowed according to the one or more policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.

52 Citations

View as Search Results

19 Claims

1. A system for managing requests for a customer service, comprising:
- at least one processor; and
  
  a memory storing instructions that, when executed by the at least one processor, cause the system to;
  
  receive, via an interface layer configured to communicate with a customer of the multi-tenant environment, a request to define a virtual endpoint for at least performing authentication of requests directed to the customer service, wherein the customer service is offered by the customer of the multi-tenant environment using one or more resources of the multi-tenant environment, and wherein the request includes application information associated with an endpoint interface used to enable access to the customer service via the virtual endpoint; and
  
  define the virtual endpoint for the customer service in response to receiving the request; and
  
  enable access to the endpoint interface for the customer service by a virtual load balancer of the multi-tenant environment, the virtual load balancer configured to;
  
  receive a communication that is originated from a computing device of a caller and sent to the virtual endpoint via a communication network connection, the communication including a signature generated using at least one security credential;
  
  determine whether the signature is a valid signature associated with the caller;
  
  determine identity information for the caller associated with the communication;
  
  determine one or more policies to be evaluated for the communication based at least in part upon the identity information;
  
  determine whether the communication satisfies the one or more policies including whether the caller has agreed to pay relevant charges; and
  
  forward, to the endpoint interface for the customer service, the communication that was received at the virtual endpoint, wherein the endpoint interface processes the communication after the signature is determined to be valid and after the communication is determined to be allowed according to the one or more policies.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the virtual endpoint is offered through a request management service, the request management service being provided using one or more resources external to the multi-tenant environment.
  - 3. The system of claim 1, wherein the caller has an account with the multi-tenant environment, and wherein the determining whether the signature is the valid signature includes determining whether the signature was generated using a credential associated with at least one of the caller, the customer, or the account with multi-tenant environment.
  - 4. The system of claim 1, wherein the endpoint interface is an application programming interface (API), and wherein the application information associated with the endpoint interface includes a name of the API and configuration information for the API.

5. A computer-implemented method, comprising:
- receiving, by a virtual load balancer of a multi-tenant environment, a communication that is originated from a computing device of a caller and sent via a communication network connection to a virtual endpoint for at least performing authentication of requests directed to a customer service, the communication including a signature generated using at least one security credential, the customer service being offered by a customer of the multi-tenant environment using one or more resources of the multi-tenant environment, the customer service being associated with an endpoint interface that is provided through at least one resource of the multi-tenant environment, wherein the virtual endpoint was defined by the multi-tenant environment in response to receiving a request to define the virtual endpoint from the customer of the multi-tenant environment, and wherein the request to define the virtual endpoint includes application information associated with the endpoint interface used to enable access to the customer service via the virtual endpoint;
  
  determining, by the virtual load balancer of the multi-tenant environment, one or more policies to be evaluated for the communication based upon identity information for the caller associated with the communication;
  
  determining, by the virtual load balancer of the multi-tenant environment, that (i) the communication is allowed according to the one or more policies including whether the caller has agreed to pay relevant charges and (ii) that the signature is a valid signature associated with the caller; and
  
  forwarding, by the virtual load balancer of the multi-tenant environment, to the endpoint interface for the customer service, the communication that was received at the virtual endpoint, wherein the communication is processed by the endpoint interface after the signature is determined to be valid and after the communication is determined to be allowed according to the one or more policies.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The computer-implemented method of claim 5, further comprising:
    - adding the identity information to the communication before forwarding the communication to the endpoint interface.
  - 7. The computer-implemented method of claim 5, wherein the communication is a Web service request and the endpoint interface is an application programming interface (API) associated with the one or more resources.
  - 8. The computer-implemented method of claim 5, wherein the virtual endpoint corresponds to a virtual API.
  - 9. The computer-implemented method of claim 5, further comprising:
    - parsing the communication; and
      
      building an authorization context in order to determine whether the communication is allowed for the customer service.
  - 10. The computer-implemented method of claim 5, further comprising:
    - writing information, about whether the communication was forwarded or rejected, to an audit log.
  - 11. The computer-implemented method of claim 10, further comprising:
    - determining one or more trends for rejected requests using the audit log; and
      
      rejecting one or more subsequent requests based at least in part upon the one or more trends.
  - 12. The computer-implemented method of claim 5, further comprising:
    - charging the caller for a portion of resources consumed in processing requests allowed for the caller.
  - 13. The computer-implemented method of claim 12, wherein the resources consumed include at least one of bandwidth, processor time, I/O operations, database operations, or additional requests resulting from the requests allowed for the caller.

14. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computer system, cause the computer system to:
- receive, by a virtual load balancer of a multi-tenant environment, a communication that is originated from a computing device of a caller and sent via a communication network connection to a virtual endpoint for at least performing authentication of requests directed to a customer service, the communication including a signature generated using at least one security credential, the customer service being offered by a customer of a multi-tenant environment using one or more resources of the multi-tenant environment, the customer service being associated with an endpoint interface that is provided through at least one resource of the multi-tenant environment, wherein the virtual endpoint was defined by the multi-tenant environment in response to receiving a request to define the virtual endpoint from the customer of the multi-tenant environment, and wherein the request to define the virtual endpoint includes application information associated with the endpoint interface used to enable access to the customer service via the virtual endpoint;
  
  determine, by the virtual load balancer of the multi-tenant environment, one or more policies to be evaluated for the communication based upon identity information for the caller associated with the communication;
  
  determine, by the virtual load balancer of the multi-tenant environment, that (i) the communication is allowed according to the one or more policies including whether the caller has agreed to pay relevant charges and (ii) that the signature is a valid signature associated with the caller; and
  
  forward, by the virtual load balancer of the multi-tenant environment, to the endpoint interface for the customer service, the communication that was received at the virtual endpoint, wherein the communication is processed by the endpoint interface after the signature is determined to be valid and after the communication is determined to be allowed according to the one or more policies.
- View Dependent Claims (15, 16, 17)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - receive at least one policy for the service;
      
      remove information from the at least one policy that is non-applicable to the service; and
      
      convert the at least one policy to a language supported by a policy evaluation engine associated with the service.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the virtual endpoint has a format compatible with a provider of the multi-tenant environment.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the request forwarded to the endpoint interface includes one or more credentials enabling the service to perform one or more actions on behalf of the caller, the one or more credentials associated with the customer.

18. A system for managing requests, comprising:
- at least one processor; and
  
  memory storing instructions that, when executed by the at least one processor, cause the system to;
  
  receive, via an interface layer configured to communicate with a customer of the multi-tenant environment, a request to define a virtual endpoint for at least performing authentication of requests directed to a service, the service being provided by the customer of the multi-tenant environment using one or more resources of the multi-tenant environment, the request including application information associated with an endpoint interface used to enable access to the service via the virtual endpoint;
  
  define the virtual endpoint for the service in response to receiving the request; and
  
  enable access to the endpoint interface for the service by a virtual load balancer of the multi-tenant environment, the virtual load balancer configured to;
  
  receive a communication that is originated from a computing device of a caller to the virtual endpoint, the communication including a signature generated using at least one security credential;
  
  determine whether the signature is a valid signature associated with the caller;
  
  determine identity information for the caller associated with the communication;
  
  determine one or more policies to be evaluated for the communication based at least in part upon the identity information;
  
  determine whether the communication satisfies the one or more policies including whether the caller has agreed to pay relevant charges; and
  
  forward, to the endpoint interface for the service, the communication that was received at the virtual endpoint, wherein the endpoint interface processes the communication after the signature is determined to be valid and after the communication is determined to be allowed according to the one or more policies.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein endpoint interface is an application programming interface (API), and wherein the application information associated with the endpoint interface includes a name of the API and configuration information for the API.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Baer, Graeme David, Brandwine, Eric Jason
Primary Examiner(s)
ZHAO, DON GORDON

Application Number

US13/682,248
Time in Patent Office

1,393 Days
Field of Search

726 1- 21
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0218   Distributed architectures, ...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/10   for controlling access to d...

H04L 63/123   received data contents, e.g...

H04L 63/1458   Denial of Service

H04L 63/168   above the transport layer

H04L 63/205   involving negotiation or de...

H04L 67/10   in which an application is ...

H04L 67/1001   for accessing one among a p...

Virtual communication endpoint services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual communication endpoint services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links