Providing access to configurable private computer networks

US 9,521,037 B2
Filed: 10/21/2013
Issued: 12/13/2016
Est. Priority Date: 12/10/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by one or more computing systems configured to provide a network service, configuration information for a virtual network having multiple computing nodes, the configuration information being received via a programmatic interface of the network service;

configuring, by the one or more configured computing systems and based on the received configuration information, a virtual border router to control access of the multiple computing nodes to external nodes that are not part of the virtual network, the configuring of the virtual border router including establishing a private virtual connection between the multiple computing nodes and one or more first external nodes that are part of an indicated remote private computer network; and

providing, by the one or more configured computing systems, emulated functionality of the configured virtual border router to manage communications of the multiple computing nodes in accordance with the received configuration information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.

96 Citations

27 Claims

1. A computer-implemented method comprising:
- receiving, by one or more computing systems configured to provide a network service, configuration information for a virtual network having multiple computing nodes, the configuration information being received via a programmatic interface of the network service;
  
  configuring, by the one or more configured computing systems and based on the received configuration information, a virtual border router to control access of the multiple computing nodes to external nodes that are not part of the virtual network, the configuring of the virtual border router including establishing a private virtual connection between the multiple computing nodes and one or more first external nodes that are part of an indicated remote private computer network; and
  
  providing, by the one or more configured computing systems, emulated functionality of the configured virtual border router to manage communications of the multiple computing nodes in accordance with the received configuration information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1 wherein the received configuration information specifies one or more access policies for use with the virtual network, and wherein the managing of the communications of the multiple computing nodes includes, in accordance with the one or more specified access policies, preventing communications between the multiple computing nodes and second external nodes that are not part of the virtual network and not part of the remote private computer network.
  - 3. The computer-implemented method of claim 1 wherein the received configuration information further specifies that the virtual network is to be used as a private network extension of the remote private computer network, and wherein the method further comprises forwarding, via the established private virtual connection, one or more communications between the virtual network and the remote private computer network.
  - 4. The computer-implemented method of claim 1 wherein at least one of the specified access policies includes an indication to allow communications between the at least one computing node of the provided virtual network and one or more second external nodes specified by the at least one access policy, and wherein the managing of the communications in accordance with the specified access policies further includes allowing the at least one computing node to send and/or receive communications with the one or more specified second external nodes.
  - 5. The computer-implemented method of claim 1 wherein the received configuration information further specifies one or more virtual network addresses for nodes of the virtual network, and wherein the method further comprises assigning, by the one or more configured computing systems, one or more of the specified virtual network addresses to the multiple computing nodes for use in the virtual network.
  - 6. The computer-implemented method of claim 1 further comprising:
    - receiving, with the one or more configured computing systems, a request to connect the provided virtual network to one or more public networks; and
      
      in response to the received request, further configuring the virtual border router to connect the virtual network to the one or more public networks.
  - 7. The computer-implemented method of claim 1 wherein the received configuration information further includes a specified network topology to use for the virtual network, and wherein the method further comprises configuring the virtual network to have the specified network topology.
  - 8. The computer-implemented method of claim 7 wherein configuring the virtual network to have the specified network topology includes configuring one or more virtual network subnets as part of the provided virtual network.
  - 9. The computer-implemented method of claim 8 wherein a first of the virtual network subnets is provided using a first group of the multiple computing nodes located at a first geographical location, wherein a second of the virtual network subnets is provided using a distinct second group of the multiple computing nodes located at a second geographical location, and wherein the configuring of the virtual network further includes interconnecting the first and second virtual network subnets using one or more virtual networking devices.
  - 10. The computer-implemented method of claim 9 wherein the one or more virtual networking devices include the configured virtual border router.
  - 11. The computer-implemented method of claim 1 wherein the remote private computer network is associated with a client of the network service, and wherein the method further includes providing access from the nodes of the remote private computer network to the multiple computing nodes of the virtual network, the providing of the access including providing authentication credentials to the client for the virtual network.
  - 12. The computer-implemented method of claim 1 wherein at least some of the configuration information is received by the one or more configured computing systems via one or more API calls to the programmatic interface of the network service.
  - 13. The computer-implemented method of claim 1 wherein the multiple computing nodes of the provided virtual network are overlaid on a distinct substrate network interconnecting multiple physical computing systems that each host one or more of the multiple computing nodes.

14. A non-transitory computer-readable medium having stored contents that configure a computing device to perform a method, the method comprising:
- configuring, by the configured computing device, one or more physical computing systems to provide multiple virtual computing nodes as at least part of a virtual network in accordance with configuration information received from a client via an interface; and
  
  emulating, by the configured computing device and based at least in part on the configuration information, functionality of a virtual border router to control access of the multiple virtual computing nodes to one or more computing nodes that are not part of the virtual network and are in a remote private computer network associated with the client, including establishing a private virtual connection between the multiple virtual computing nodes of the virtual network and the one or more computing nodes of the remote private computer network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The non-transitory computer-readable medium of claim 14 wherein the received configuration information includes an indication of one or more virtual network addresses to use for the virtual network, and wherein the configuring of the physical computing systems to provide the multiple virtual computing nodes includes assigning the indicated virtual network addresses to at least some of the multiple virtual computing nodes.
  - 16. The non-transitory computer-readable medium of claim 15 wherein the one or more indicated virtual network addresses are network addresses of the remote private computer network, and wherein the stored contents further configure the computing device to configure the virtual network as an extension of the remote private computer network.
  - 17. The non-transitory computer-readable medium of claim 14 wherein the client is a first client, wherein the virtual network is overlaid on a distinct substrate network that interconnects multiple physical computing systems, each of at least some of the multiple physical computing systems hosting multiple virtual machines operating as nodes of one or more distinct virtual networks, and wherein at least one of the physical computing systems concurrently hosts a first virtual machine node of the virtual network for the first client and a second virtual machine node of a distinct second virtual network provided to a distinct second client.
  - 18. The non-transitory computer-readable medium of claim 14 wherein the virtual network is overlaid on a distinct substrate network that interconnects multiple physical computing systems hosting the provided virtual computing nodes, and wherein the one or more computing nodes in the remote private computer network are distinct external computing systems that are accessible by at least some of the multiple physical computing systems via one or more intervening computer networks between the at least some physical computing system and the external computing systems.
  - 19. The non-transitory computer-readable medium of claim 14 wherein the received configuration information further specifies a network topology to use for the virtual network, and wherein the virtual network is provided for the client in accordance with the specified network topology.
  - 20. The non-transitory computer-readable medium of claim 19 wherein providing the virtual network in accordance with the specified network topology includes configuring a plurality of virtual network subnets, a first of the virtual network subnets being provided using a first group of the multiple virtual computing nodes at a first geographical location and a second of the virtual network subnets being provided using a distinct second group of the multiple virtual computing nodes at a second geographical location, and wherein the stored contents further include software instructions that, when executed, further configure the computing device to configure the virtual network by interconnecting the first and second virtual network subnets using one or more virtual networking devices specified in the network topology.
  - 21. The non-transitory computer-readable medium of claim 19 wherein the stored contents further configure the computing device to emulate functionality of the one or more virtual networking devices.
  - 22. The non-transitory computer-readable medium of claim 14 wherein the emulating of the functionality includes, in accordance with one or more access policies indicated by the received configuration information, managing communications for the multiple virtual computing nodes of the virtual network, including preventing communications between the multiple virtual computing nodes and other computing systems that are external to both the virtual network and the remote private computer network.
  - 23. The non-transitory computer-readable medium of claim 22 wherein the indicated access policies specify one or more external computing systems with which communications are to be allowed, and wherein the managing of the communications includes allowing communications between at least some of the virtual computing nodes of the virtual network and the specified one or more external computing systems.

24. A system, comprising:
- one or more processors; and
  
  a memory including instructions that, upon execution by at least one of the one or more processors, cause the system to;
  
  configure at least one of multiple virtual computing nodes of a virtual network for a client in accordance with configuration information received from the client via an interface; and
  
  emulate, based at least in part on the configuration information, functionality of a virtual border router to provide access between the at least one virtual computing node and a remote computer network of the client having one or more nodes that are not part of the virtual network, including establishing a private virtual connection between the at least one virtual computing node of the virtual network and the one or more nodes of the remote computer network, and managing communications between the at least one virtual computing node and the one or more nodes of the remote computer network.
- View Dependent Claims (25, 26, 27)
- - 25. The system of claim 24 wherein the configuring of the at least one virtual computing node including assigning one or more virtual network addresses specified by the configuration information to the at least one virtual computing node.
  - 26. The system of claim 24 wherein the providing of the access includes providing one or more access parameters to the client, the provided access parameters including authentication credentials for accessing the virtual network.
  - 27. The system of claim 24 wherein the multiple virtual computing nodes are configured as part of the virtual network for the client, and wherein the virtual network is overlaid on a distinct substrate network interconnecting multiple physical computing systems that each host one or more virtual machines operating as virtual machine nodes of one or more distinct virtual networks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Brandwine, Clarissa Loree Cook, Cohn, Daniel T., Doane, Andrew J., Moses, Carl J., Schmidt, Stephen E.
Primary Examiner(s)
RECEK, JASON D

Application Number

US14/059,236
Publication Number

US 20140047082A1
Time in Patent Office

1,149 Days
Field of Search

709220-222
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0803   Configuration setting

H04L 45/586   of virtual routers

H04L 63/0272   Virtual private networks

Providing access to configurable private computer networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Providing access to configurable private computer networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links