Authorizing communications between computing nodes
Abstract
Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.
21 Claims
1. A computer-implemented method comprising:
instantiating, by one or more computing systems implementing a program execution service that has a plurality of server devices for use with customers of the program execution service, a first virtual network for a first customer of the program execution service;
configuring, by the one or more computing systems and for a first server device of the plurality that hosts at least a first virtual machine, a communication manager of the program execution service on the first server device to associate the first virtual machine with the first virtual network, the configuring including storing mapping information on the first server device for the first virtual network that includes information about a second virtual machine in the first virtual network, wherein the second virtual machine is hosted by a second server device of the plurality;
receiving, by the communication manager of the first server device, an outgoing communication sent from the first virtual machine to a destination virtual machine that is the second virtual machine, wherein the outgoing communication has an indicated virtual network address for the destination virtual machine, and wherein the first server device has connectivity to a second network that is a physical network including the second server device;
verifying, by the communication manager of the first server device, that the received outgoing communication is authorized based at least in part on the first virtual machine being allowed to communicate with the destination virtual machine;
modifying, by the communication manager of the first server device and based at least in part on the stored mapping information, the outgoing communication by adding to the outgoing communication a destination network address for the second network that is associated with the second server device; and
initiating, by the communication manager of the first server device and based at least in part on the verifying that the received outgoing communication is authorized, sending of the modified outgoing communication to the second server device via the second network based on the destination network address for the second network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A non-transitory computer-readable medium having stored contents that cause a computing system of a program execution service to:
instantiate, by the computing system of the program execution service, a first virtual network for a first customer of the program execution service, including using a first virtual machine hosted by a first computing system that is provided by the program execution service in the first virtual network;
configure a communication manager executing on the first computing system to associate the first virtual machine with the first virtual network, including storing mapping information on the first computing system for the first virtual network that includes information about a second virtual machine of the first virtual network that is hosted by a second computing system;
receive, by the communication manager of the first computing system, an outgoing communication sent by the first virtual machine to a destination node of the first virtual network that is the second virtual machine, wherein the outgoing communication includes a first destination network address used with the first virtual network;
determine, by the communication manager of the first computing system and based at least in part on the stored mapping information, a second destination network address that is used for the second computing system by a second network that is a physical network connecting the first and second computing systems;
modify, by the communication manager of the first computing system, the outgoing communication to include the determined second destination network address for the second network; and
send, by using the determined second destination network address, the modified outgoing communication over the second network to the destination node via the second computing system.
Dependent claims: 14, 15, 16, 17.
18. A system comprising:
one or more processors of a computing system of a program execution service; and
at least one memory with stored instructions for the program execution service that, upon execution by at least one of the one or more processors, cause the system to:
instantiate, for a first customer of the program execution service, a first overlay network that includes a first virtual machine hosted by the computing system;
configure the computing system to associate the first virtual machine with the first overlay network, including storing mapping information on the computing system for the first overlay network that includes information about a second virtual machine included in the first overlay network that is hosted by a second computing system;
receive an outgoing communication from the first virtual machine to a destination node of the first overlay network that is the second virtual machine, wherein the outgoing communication has a first destination network address for the destination node that is specified in accordance with the first overlay network;
modify the outgoing communication in accordance with a second network that supports the first overlay network, the modifying being based at least in part on the stored mapping information and including adding a second destination network address for the second computing system that is specified in accordance with the second network; and
send, over the second network and by using the second destination network address, the modified outgoing communication to the destination node via the second computing system.
Dependent claims: 19, 20, 21.
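The following is an added toy model, not code from the patent or its assignee, of the per-server communication manager the claims and abstract describe: it stores mapping information for a virtual network, verifies that the sending virtual machine is allowed to reach the destination, rewrites the outgoing communication with the substrate (physical network) address of the hosting server, and on the receiving side delivers only communications whose sender matches the stored mapping. All addresses, network identifiers and class names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src_vm: str                       # virtual address of the sending VM
    dst_vm: str                       # virtual address of the destination VM
    payload: bytes
    src_host: Optional[str] = None    # substrate address added by the sender's manager
    dst_host: Optional[str] = None    # substrate address added by the sender's manager


@dataclass
class CommunicationManager:
    """Per-server-device manager (hypothetical): holds mapping information for
    each virtual network, checks authorization, and rewrites packets so the
    physical network can carry them to the server hosting the destination VM."""
    host: str                                      # this server's substrate address
    local_vms: dict = field(default_factory=dict)  # virtual addr -> virtual network id
    mappings: dict = field(default_factory=dict)   # vnet id -> {virtual addr: substrate host}
    sent: list = field(default_factory=list)       # packets handed to the physical network

    def configure(self, vnet, vm_addr, members):
        """Associate a hosted VM with a virtual network and store the mapping
        information about that network's other members (virtual addr -> hosting server)."""
        self.local_vms[vm_addr] = vnet
        self.mappings.setdefault(vnet, {}).update(members)

    def send_outgoing(self, pkt):
        """Claim 1 path: verify the sender may reach the destination, then add the
        substrate destination address from the mapping and send. False means dropped."""
        vnet = self.local_vms.get(pkt.src_vm)
        if vnet is None or pkt.dst_vm not in self.mappings.get(vnet, {}):
            return False              # unknown sender, or destination outside its network
        pkt.src_host = self.host
        pkt.dst_host = self.mappings[vnet][pkt.dst_vm]
        self.sent.append(pkt)
        return True

    def receive_incoming(self, pkt):
        """Receiving side from the abstract: deliver to the local VM only if the packet
        is addressed to this server and the claimed sender matches the stored mapping."""
        vnet = self.local_vms.get(pkt.dst_vm)
        if vnet is None or pkt.dst_host != self.host:
            return False
        return self.mappings.get(vnet, {}).get(pkt.src_vm) == pkt.src_host
```

A packet whose destination is not in the sender's virtual network is never given a substrate address, and a packet arriving with a source host that disagrees with the receiver's mapping is not delivered.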