Providing location-specific network access to remote services

US 9,524,167 B1
Filed: 12/10/2008
Issued: 12/20/2016
Est. Priority Date: 12/10/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

configuring, by one or more computing systems of a service provider, a first private virtual computer network that is provided by the service provider and includes multiple computing nodes, the configuring including associating the multiple computing nodes with multiple network addresses from a plurality of network addresses specified for use with the first private virtual computer network, and further including assigning one of the plurality of network addresses separate from the multiple network addresses to represent, within the first private virtual computer network, a remote resource service external to the first private virtual computer network;

restricting, by the one or more computing systems, communications sent by the multiple computing nodes to only destinations indicated by the plurality of network addresses;

associating, by the one or more computing systems and with the assigned network address, an identifier that represents a location of the first private virtual computer network, wherein the identifier is an indicator supplied by the service provider for use by the remote resource service in validating that communications are sent from the location of the first private virtual computer network;

modifying, by the one or more computing systems, a communication that is sent to the assigned network address by one of the multiple computing nodes to cause the modified communication to include the identifier; and

forwarding, by the one or more computing systems,the modified communication to the remote resource service via one or more networks external to the first private virtual computer network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for providing users with access to computer networks, such as to enable users to create and configure computer networks that are provided by a remote configurable network service for the users'"'"' use. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. In addition, access to remote resource services may be configured and provided from such computer networks in various manners, such as to automatically include access control information to limit access to particular resources to computing nodes at the location of that provided computer network.

114 Citations

View as Search Results

26 Claims

1. A computer-implemented method comprising:
- configuring, by one or more computing systems of a service provider, a first private virtual computer network that is provided by the service provider and includes multiple computing nodes, the configuring including associating the multiple computing nodes with multiple network addresses from a plurality of network addresses specified for use with the first private virtual computer network, and further including assigning one of the plurality of network addresses separate from the multiple network addresses to represent, within the first private virtual computer network, a remote resource service external to the first private virtual computer network;
  
  restricting, by the one or more computing systems, communications sent by the multiple computing nodes to only destinations indicated by the plurality of network addresses;
  
  associating, by the one or more computing systems and with the assigned network address, an identifier that represents a location of the first private virtual computer network, wherein the identifier is an indicator supplied by the service provider for use by the remote resource service in validating that communications are sent from the location of the first private virtual computer network;
  
  modifying, by the one or more computing systems, a communication that is sent to the assigned network address by one of the multiple computing nodes to cause the modified communication to include the identifier; and
  
  forwarding, by the one or more computing systems,the modified communication to the remote resource service via one or more networks external to the first private virtual computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein the forwarded modified communication relates to accessing one or more computing-related resources from the remote resource service, and wherein the method further comprises storing, by the remote resource service, information to enable later access to the one or more computing-related resources from a later communication only if the later communication includes the identifier.
  - 3. The method of claim 2 further comprising, under control of one or more additional computing systems of the remote resource service:
    - receiving the forwarded modified communication;
      
      determining that the identifier in the received forwarded modified communication corresponds to the location of the first private virtual computer network; and
      
      providing, in response to the determining, access to the one or more computing-related resources.
  - 4. The method of claim 3 further comprising, under the control of the one or more additional computing systems:
    - receiving one or more later communications that request access to at least one of the one or more computing-related resources;
      
      performing a determination of whether the one or more later communications include the identifier; and
      
      providing the requested access to the at least one of the one or more computing-related resources only if the performed determination indicated that the one or more later communications include the identifier.
  - 5. The method of claim 2 wherein the one or more computing-related resources are created by the remote resource service in response to the modified communication forwarded to the remote resource service.
  - 6. The method of claim 2 wherein the first private virtual computer network is provided by the service provider for use by a first customer of the service provider, and wherein the method further comprises preventing, based at least in part on not making the identifier available to the first customer, the first customer from later accessing the one or more computing-related resources from the remote resource service using a computing device that is not part of the first private virtual computer network.
  - 7. The method of claim 2 wherein the identifier is an indication of a geographical location of the multiple computing nodes of the first private virtual computer network.
  - 8. The method of claim 1 wherein the identifier is specific to the first private virtual computer network, and wherein the location of the first private virtual computer network is an indication of the first private virtual computer network.
  - 9. The method of claim 1 wherein the first private virtual computer network is provided by the service provider for use by a first customer of the service provider, and wherein the identifier is associated with the first customer by the service provider.
  - 10. The method of claim 1 further comprising associating the identifier with a distinct second network address of the plurality of network addresses that is assigned to represent a second remote resource service, and, for an additional communication sent to the distinct second network address by one or more of the multiple computing nodes, modifying the additional communication to include an indication of the identifier before forwarding the modified additional communication to the second remote resource service.
  - 11. The method of claim 1 wherein the one or more networks external to the first private virtual computer network are public networks external to the service provider.
  - 12. The method of claim 1 wherein the configuring of the first private virtual computer network is performed in response to one or more requests that are programmatically made based on invocations of one or more programmatic interfaces provided by the service provider for use in configuring private computer networks being provided by the service provider, andwherein the configuring of the first private virtual computer network includes restricting the multiple computing nodes of the first private virtual computer network from accessing computing systems that are not associated with any of the plurality of network addresses.
  - 13. The method of claim 1 wherein the first private virtual computer network is overlaid on a physical substrate network of the service provider that interconnects a plurality of computing nodes provided by the service provider, wherein the remote resource service has a configured local access point that is part of the physical substrate network, and wherein the forwarding of the modified communication sent to the assigned network address includes providing the modified communication to the configured local access point.
  - 14. The method of claim 1 wherein the remote resource service is a data storage service, a program execution service, or an asynchronous message passing service, and provides computing-related resources for clients of the remote resource service.
  - 15. The method of claim 1 wherein the forwarding of the modified communication further includes determining, by the one or more computing systems, that the one of the multiple computing nodes is authorized to send communications to the remote resource service.
  - 16. The method of claim 15 wherein the determining that the one of the multiple computing nodes is authorized includes using one or more configuration parameters specified for the first private virtual computer network.
  - 17. The method of claim 15 wherein the determining that the one of the multiple computing nodes is authorized includes using one or more configuration parameters specified for the one of the multiple computing nodes.
  - 18. The method of claim 1 wherein the remote resource service includes a web service operated by the service provider.

19. A non-transitory computer-readable medium having stored contents that cause a computing system of a service provider to:
- configure, by the computing system and based at least in part on configuration information received from a client of the service provider, a private virtual computer network that includes multiple computing nodes and is provided by the service provider for use by the client,the configuring including associating the multiple computing nodes with multiple network addresses from a plurality of network addresses specified by the client for use with the private virtual computer network, and further including assigning one of the plurality of network addresses separate from the multiple network addresses to represent, within the private virtual computer network, a remote resource service external to the private virtual computer network;
  
  associate, by the computing system and with the assigned network address representing the remote resource service, an identifier that represents a location of the private virtual computer network, wherein the identifier is an indicator supplied by the service provider for use by the remote resource service in validating that communications are sent from the location of the private virtual computer network;
  
  restrict, by the computing system, access by the multiple computing nodes to only destinations indicated by the plurality of network addresses;
  
  modify, by the computing system, a communication that is sent to the assigned network address by one of the multiple computing nodes so that the modified communication includes the identifier, to cause the remote resource service to associate the location represented by the identifier with the modified communication; and
  
  forward, by the computing system and over one or more networks separate from the private virtual computer network, the modified communication to the remote resource service.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The non-transitory computer-readable medium of claim 19 wherein the configuring of the private virtual computer network further includes receiving information from the client indicating that the remote resource service is to be accessible from the private virtual computer network.
  - 21. The non-transitory computer-readable medium of claim 20 wherein the forwarding of the modified communication to the remote resource service includes forwarding the modified communication over one or more public networks external to the service provider.
  - 22. The non-transitory computer-readable medium of claim 19 wherein the stored contents include software instructions that, when executed, and before the forwarding of the modified communication, further cause the computing system to determine that the one of the multiple computing nodes from which the communication is sent is authorized to send communications to the remote resource service.
  - 23. The non-transitory computer-readable medium of claim 22 wherein determining that the one of the multiple computing node from which the communication is sent is authorized to send communications to the remote resource service includes using one or more configuration parameters specified by the client for the private virtual computer network.

24. A computing system comprising:
- one or more processors; and
  
  one or more memories with stored instructions that, when executed by at least one of the one or more processors, cause the at least one of the one or more processors to provide a computer network for a client from a service provider by;
  
  creating for the client a virtual computer network having multiple computing nodes;
  
  associating the multiple computing nodes with multiple network addresses from a plurality of network addresses specified for use with the created virtual computer network, and assigning one of the plurality of network addresses separate from the multiple network addresses to represent, within the created virtual computer network, a remote resource service external to the created virtual computer network;
  
  associating an identifier specific to a location of the created virtual computer network with the assigned network address representing the remote resource service, wherein the identifier is an indicator supplied by the service provider for use by the remote resource service in validating that communications are sent from the location of the created virtual computer network;
  
  restricting the multiple computing nodes of the virtual computer network from interacting with network addresses other than the plurality of network addresses;
  
  modifying a communication that is sent to the assigned network address by one of the multiple computing nodes, to cause the modified communication to include the identifier specific to the location of the created virtual computer network; and
  
  forwarding, over one or more networks separate from the created virtual computer network, the modified communication to the remote resource service, to cause the remote resource service to associate the modified communication with the created virtual computer network based at least in part on the included identifier specific to the location of the created virtual computer network.
- View Dependent Claims (25, 26)
- - 25. The computing system of claim 24 wherein the creating of the virtual computer network includes receiving and using configuration information from the client that includes indications of the plurality of network addresses for use with the created virtual computer network.
  - 26. The computing system of claim 24 wherein the stored instructions further cause the at least one processor to enable access from the multiple computing nodes of the created virtual computer network to a second remote service external to the created virtual computer network by assigning a second network address of the plurality of network addresses to represent the second remote service and by forwarding communications sent to the assigned second network address over the one or more networks separate from the created virtual computer network to the second remote service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Cohn, Daniel T., Brandwine, Eric Jason, Doane, Andrew J.
Primary Examiner(s)
Woolcock, Madhu

Application Number

US12/332,241
Time in Patent Office

2,932 Days
Field of Search

709/201, 709/202, 709/217, 709/218, 709/219, 709/220, 709/221, 709/222, 709/225, 709/226, 709/228, 709/229, 709/249, 709/250, 709/245
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/30098   Register arrangements

G06F 9/384   Register renaming

G06F 9/3842   Speculative instruction exe...

G06F 9/3863   using multiple copies of th...

G06F 9/3885   using a plurality of indepe...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4675   Dynamic sharing of VLAN inf...

H04L 41/0886   Fully automatic configuration

H04L 61/5076   Update or notification mech...

H04L 63/0272   Virtual private networks

Providing location-specific network access to remote services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

114 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Providing location-specific network access to remote services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others