Virtual network pairs
First Claim
1. A method implemented by data processing apparatus, the method comprising:
- maintaining, by a virtual machine registry service, a distinct secret key for each of a plurality of virtual machines executing on a plurality of host machines, wherein the secret key for each of the virtual machines (i) is known to a communication process that executes on the same host machine as the virtual machine and that manages network communication for the virtual machine, (ii) is not known to any of the plurality of virtual machines, and (iii) is used by the virtual machine registry service to authorize pairwise communications between the virtual machine and other virtual machines of the plurality of virtual machines;
- maintaining, by the virtual machine registry service, data identifying pairs of virtual machines that are allowed to communicate with one another;
- receiving, by the virtual machine registry service, a plurality of requests, each request being received from a respective source communication process that manages network communication for a respective source virtual machine, and each request being a request for a token that authenticates the respective source virtual machine as being authorized to communicate with a respective destination virtual machine to a respective destination communication process that manages network communication for the respective destination virtual machine;
- for each request of the plurality of requests:
  - determining, by the virtual machine registry service, that the respective source virtual machine is authorized to communicate with the respective destination virtual machine by consulting the data identifying pairs of virtual machines that are allowed to communicate with one another;
  - determining, by the virtual machine registry service, a host machine network address for the respective destination virtual machine;
  - generating, by the virtual machine registry service, a token based at least partly on the host machine network address and the secret key of the respective destination virtual machine; and
  - sending, by the virtual machine registry service, the selected host machine network address and generated token to the respective source communication process for the respective source virtual machine for transmission to the respective destination communication process as evidence that the respective source virtual machine is authorized to communicate with the respective destination virtual machine.
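The exchange in claim 1, as an added Python example that is not part of the patent: the registry keeps a per-VM key that only the host's communication process receives, answers a token request only for a registered pair, and the destination's communication process verifies the token with its own copy of the key. The HMAC construction, the field layout of the token, and the 300-second lifetime are assumptions; the claims only say the token is based on the destination host address and the destination VM's secret key.

```python
import hmac
import hashlib
import secrets

class VMRegistryService:
    def __init__(self):
        self.keys = {}        # vm_id -> secret key; given to the host's comm process, never the VM
        self.host_of = {}     # vm_id -> host machine network address
        self.allowed = set()  # unordered pairs of VM ids permitted to talk

    def register_vm(self, vm_id, host_addr):
        key = secrets.token_bytes(32)
        self.keys[vm_id] = key
        self.host_of[vm_id] = host_addr
        return key            # delivered only to the communication process on host_addr

    def allow_pair(self, a, b):
        self.allowed.add(frozenset((a, b)))

    def request_token(self, src, dst, now):
        """Serve a source comm process: (dest host address, expiry, token), or None if not allowed."""
        if frozenset((src, dst)) not in self.allowed:
            return None
        host_addr = self.host_of[dst]
        expiry = now + 300   # constructed lifetime; the claims do not specify one
        return host_addr, expiry, make_token(self.keys[dst], host_addr, src, dst, expiry)

def make_token(dst_key, host_addr, src, dst, expiry):
    # HMAC under the destination VM's key over the host address and the pair, so it cannot be reused
    msg = f"{host_addr}|{src}|{dst}|{expiry}".encode()
    return hmac.new(dst_key, msg, hashlib.sha256).digest()

def destination_accepts(dst_key, host_addr, src, dst, expiry, token, now):
    """Destination comm process: recompute with its own copy of the key, compare in constant time."""
    if now > expiry:
        return False
    return hmac.compare_digest(make_token(dst_key, host_addr, src, dst, expiry), token)

def demo():
    registry = VMRegistryService()
    registry.register_vm("vm-a", "10.0.0.1")
    key_b = registry.register_vm("vm-b", "10.0.0.2")   # held by vm-b's host comm process
    registry.allow_pair("vm-a", "vm-b")
    denied = registry.request_token("vm-c", "vm-b", now=1000)    # pair never registered
    host_addr, expiry, token = registry.request_token("vm-a", "vm-b", now=1000)
    ok = destination_accepts(key_b, host_addr, "vm-a", "vm-b", expiry, token, now=1100)
    reused = destination_accepts(key_b, host_addr, "vm-c", "vm-b", expiry, token, now=1100)
    expired = destination_accepts(key_b, host_addr, "vm-a", "vm-b", expiry, token, now=2000)
    return denied is None, ok, reused, expired
```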
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for implementing virtual network pairs between virtual machines and other devices. In one aspect, a method includes associating each of a plurality of different virtual machine network addresses with a respective host machine network address; receiving, from a sender, a request for a source virtual machine to communicate with a destination virtual machine; determining that the source virtual machine is authorized to communicate with the destination virtual machine; selecting, from the associations, a host machine network address for the destination virtual machine; generating a token based at least partly on the selected host machine network address and on a secret key of the destination virtual machine, wherein the secret key is not known by the source virtual machine; and sending the selected host machine network address and generated token to the sender.
30 Claims
1. A method implemented by data processing apparatus, as set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A system comprising:
- one or more computers and one or more storage devices storing instructions that when executed by the one or more computers cause the one or more computers to perform operations comprising:
- maintaining, by a virtual machine registry service, a distinct secret key for each of a plurality of virtual machines executing on a plurality of host machines, wherein the secret key for each of the virtual machines (i) is known to a communication process that executes on the same host machine as the virtual machine and that manages network communication for the virtual machine, (ii) is not known to any of the plurality of virtual machines, and (iii) is used by the virtual machine registry service to authorize pairwise communications between the virtual machine and other virtual machines of the plurality of virtual machines;
- maintaining, by the virtual machine registry service, data identifying pairs of virtual machines that are allowed to communicate with one another;
- receiving, by the virtual machine registry service, a plurality of requests, each request being received from a respective source communication process that manages network communication for a respective source virtual machine, and each request being a request for a token that authenticates the respective source virtual machine as being authorized to communicate with a respective destination virtual machine to a respective destination communication process that manages network communication for the respective destination virtual machine;
- for each request of the plurality of requests:
  - determining, by the virtual machine registry service, that the respective source virtual machine is authorized to communicate with the respective destination virtual machine by consulting the data identifying pairs of virtual machines that are allowed to communicate with one another;
  - determining, by the virtual machine registry service, a host machine network address for the respective destination virtual machine;
  - generating, by the virtual machine registry service, a token based at least partly on the host machine network address and the secret key of the respective destination virtual machine; and
  - sending, by the virtual machine registry service, the selected host machine network address and generated token to the respective source communication process for the respective source virtual machine for transmission to the respective destination communication process as evidence that the respective source virtual machine is authorized to communicate with the respective destination virtual machine.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.

21. A non-transitory computer storage medium encoded with a computer program, the program comprising instructions that when executed by data processing apparatus cause the data processing apparatus to perform operations comprising:
- one or more computers and one or more storage devices storing instructions that when executed by the one or more computers cause the one or more computers to perform operations comprising:
- maintaining, by a virtual machine registry service, a distinct secret key for each of a plurality of virtual machines executing on a plurality of host machines, wherein the secret key for each of the virtual machines (i) is known to a communication process that executes on the same host machine as the virtual machine and that manages network communication for the virtual machine, (ii) is not known to any of the plurality of virtual machines, and (iii) is used by the virtual machine registry service to authorize pairwise communications between the virtual machine and other virtual machines of the plurality of virtual machines;
- maintaining, by the virtual machine registry service, data identifying pairs of virtual machines that are allowed to communicate with one another;
- receiving, by the virtual machine registry service, a plurality of requests, each request being received from a respective source communication process that manages network communication for a respective source virtual machine, and each request being a request for a token that authenticates the respective source virtual machine as being authorized to communicate with a respective destination virtual machine to a respective destination communication process that manages network communication for the respective destination virtual machine;
- for each request of the plurality of requests:
  - determining, by the virtual machine registry service, that the respective source virtual machine is authorized to communicate with the respective destination virtual machine by consulting the data identifying pairs of virtual machines that are allowed to communicate with one another;
  - determining, by the virtual machine registry service, a host machine network address for the respective destination virtual machine;
  - generating, by the virtual machine registry service, a token based at least partly on the host machine network address and the secret key of the respective destination virtual machine; and
  - sending, by the virtual machine registry service, the selected host machine network address and generated token to the respective source communication process for the respective source virtual machine for transmission to the respective destination communication process as evidence that the respective source virtual machine is authorized to communicate with the respective destination virtual machine.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.