Policy enforcement in a virtualized environment
Abstract
Policy enforcement in an environment that includes virtualized systems is disclosed. Virtual machine information associated with a first virtual machine instance executing on a host machine is received. The information can be received from a variety of sources, including an agent, a log server, and a management infrastructure associated with the host machine. A policy is applied based at least in part on the received virtual machine information.
19 Claims
1. A system, comprising:
a processor configured to:
receive a rule to be applied to network traffic associated with members of a dynamic address group;
receive virtual machine information associated with a first virtual machine instance executing on a host machine;
determine, based at least in part on at least a portion of the received virtual machine information, that the first virtual machine instance belongs to the dynamic address group;
in response to the determination, apply the rule to network traffic associated with the first virtual machine instance;
at a time subsequent to applying the rule to network traffic associated with the first virtual machine instance, determine that the rule should be recompiled into a recompiled rule, at least in part based on a change to membership in the dynamic address group, wherein the change to membership includes at least one of:
(1) an addition of an additional virtual machine instance to the dynamic address group; and
(2) a removal of the first virtual machine instance from the dynamic address group; and
in the event the change to the membership in the dynamic address group includes the addition of the additional virtual machine instance to the dynamic address group, applying the recompiled rule to network traffic associated with the additional virtual machine instance; and
in the event the change to the membership in the dynamic address group includes removal of the first virtual machine instance from the dynamic address group, not applying the recompiled rule to network traffic associated with the first virtual machine instance; and
a memory coupled to the processor and configured to provide the processor with instructions.
(Claims 2 to 13 depend from claim 1.)
14. A method, comprising:
receiving a rule to be applied to network traffic associated with members of a dynamic address object group;
receiving virtual machine information associated with a first virtual machine instance executing on a host machine;
determining, based at least in part on at least a portion of the received virtual machine information, that the first virtual machine instance belongs to the dynamic address group;
in response to the determination, applying the rule to network traffic associated with the first virtual machine instance;
at a time subsequent to applying the rule to network traffic associated with the first virtual machine instance, determining that the rule should be recompiled into a recompiled rule, at least in part based on a change to membership in the dynamic address group, wherein the change to membership includes at least one of:
(1) an addition of an additional virtual machine instance to the dynamic address group; and
(2) a removal of the first virtual machine instance from the dynamic address group; and
in the event the change to the membership in the dynamic address group includes the addition of the additional virtual machine instance to the dynamic address group, applying the recompiled rule to network traffic associated with the additional virtual machine instance; and
in the event the change to the membership in the dynamic address group includes removal of the first virtual machine instance from the dynamic address group, not applying the recompiled rule to network traffic associated with the first virtual machine instance.
(Claims 15 to 18 depend from claim 14.)
19. A computer program product embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
receiving a rule to be applied to network traffic associated with members of a dynamic address object group;
receiving virtual machine information associated with a first virtual machine instance executing on a host machine;
determining, based at least in part on at least a portion of the received virtual machine information, that the first virtual machine instance belongs to the dynamic address group; and
in response to the determination, applying the rule to network traffic associated with the first virtual machine instance;
at a time subsequent to applying the rule to network traffic associated with the first virtual machine instance, determining that the rule should be recompiled into a recompiled rule, at least in part based on a change to membership in the dynamic address group, wherein the change to membership includes at least one of:
(1) an addition of an additional virtual machine instance to the dynamic address group; and
(2) a removal of the first virtual machine instance from the dynamic address group; and
in the event the change to the membership in the dynamic address group includes the addition of the additional virtual machine instance to the dynamic address group, applying the recompiled rule to network traffic associated with the additional virtual machine instance; and
in the event the change to the membership in the dynamic address group includes removal of the first virtual machine instance from the dynamic address group, not applying the recompiled rule to network traffic associated with the first virtual machine instance.
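The mechanism shared by claims 1, 14 and 19 (a rule written against a dynamic address group, membership of a VM resolved from received VM information, the rule compiled to concrete addresses, and a recompile when membership changes so that an added VM is covered and a removed VM is not) can be made concrete as a small policy engine. The following is an added example written for this page; it is not the patent holder's code, and it assumes a tag-based membership test, a rule shape of source group plus destination port plus action, and first-match evaluation, none of which the claims specify.

```python
"""Dynamic address group policy engine (added example, not the patent's code).

Membership is assumed to be tag-based: a VM belongs to a group when it carries
every tag the group requires. Rules reference the group by name; compilation
resolves the name to the members' IP addresses at that moment, and any
membership change triggers a recompile so enforcement tracks the group.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class VMInfo:
    """VM information as an agent, log server or management layer would report it."""
    vm_id: str
    ip: str
    tags: FrozenSet[str]  # assumption: membership is derived from tags


@dataclass(frozen=True)
class DynamicAddressGroup:
    name: str
    match_tags: FrozenSet[str]

    def contains(self, vm: VMInfo) -> bool:
        return self.match_tags <= vm.tags


@dataclass(frozen=True)
class Rule:
    """Rule expressed against a group name, never against fixed addresses."""
    name: str
    src_group: str
    dst_port: int
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class CompiledRule:
    """The rule after compilation: group name resolved to concrete source IPs."""
    name: str
    src_ips: FrozenSet[str]
    dst_port: int
    action: str
    generation: int  # which compile produced this rule, for audit logs


class PolicyEngine:
    def __init__(self) -> None:
        self.groups: Dict[str, DynamicAddressGroup] = {}
        self.rules: List[Rule] = []
        self.vms: Dict[str, VMInfo] = {}
        self.generation = 0
        self.compiled: List[CompiledRule] = []

    def add_group(self, group: DynamicAddressGroup) -> None:
        self.groups[group.name] = group
        self._compile()

    def add_rule(self, rule: Rule) -> None:
        if rule.src_group not in self.groups:
            raise KeyError(f"unknown dynamic address group {rule.src_group!r}")
        self.rules.append(rule)
        self._compile()

    def members(self, group_name: str) -> FrozenSet[str]:
        """IPs of every known VM that currently satisfies the group's match."""
        group = self.groups[group_name]
        return frozenset(vm.ip for vm in self.vms.values() if group.contains(vm))

    def _membership(self) -> Dict[str, FrozenSet[str]]:
        return {name: self.members(name) for name in self.groups}

    def _compile(self) -> None:
        self.generation += 1
        self.compiled = [
            CompiledRule(r.name, self.members(r.src_group), r.dst_port, r.action, self.generation)
            for r in self.rules
        ]

    def _update(self, vm_id: str, vm: Optional[VMInfo]) -> bool:
        """Apply a VM add/update/remove; recompile only if membership changed."""
        before = self._membership()
        if vm is None:
            self.vms.pop(vm_id, None)
        else:
            self.vms[vm_id] = vm
        if self._membership() != before:
            self._compile()
            return True
        return False

    def receive_vm_info(self, vm: VMInfo) -> bool:
        """Returns True when the rules were recompiled. A re-tagged VM (same id,
        new tags) is handled here too, since that also changes membership."""
        return self._update(vm.vm_id, vm)

    def vm_removed(self, vm_id: str) -> bool:
        return self._update(vm_id, None)

    def evaluate(self, src_ip: str, dst_port: int) -> Optional[str]:
        """First matching compiled rule wins; None means no rule applied."""
        for rule in self.compiled:
            if src_ip in rule.src_ips and rule.dst_port == dst_port:
                return rule.action
        return None


if __name__ == "__main__":
    # Constructed scenario: a "web-servers" group feeding an allow rule to port 5432.
    engine = PolicyEngine()
    engine.add_group(DynamicAddressGroup("web-servers", frozenset({"role:web"})))
    engine.add_rule(Rule("web-to-db", "web-servers", 5432, "allow"))
    engine.receive_vm_info(VMInfo("vm-a", "10.0.0.11", frozenset({"role:web"})))
    print(engine.evaluate("10.0.0.11", 5432))  # rule applies to the first member
    engine.receive_vm_info(VMInfo("vm-c", "10.0.0.13", frozenset({"role:web"})))
    engine.vm_removed("vm-a")
    print(engine.generation, engine.evaluate("10.0.0.11", 5432), engine.evaluate("10.0.0.13", 5432))
```

The point a defender should take from the recompile step is that a rule referencing a group is only as current as the last compile: the engine recompiles on every membership delta rather than on a timer, so a VM that loses its tag (or is torn down) stops matching immediately, and a stale compiled rule never keeps granting access to an address the group no longer contains. The `generation` field gives each compiled rule set an identity to cite in enforcement logs.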