Client-premise resource control via provider-defined interfaces

US 9,686,121 B2
Filed: 09/23/2013
Issued: 06/20/2017
Est. Priority Date: 09/23/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more computing devices comprising at least a processor and memory, wherein the one or more computing devices are configured to;

implement a first set of programmatic interfaces enabling a client to request a control operation associated with resources of one or more network-accessible services of a provider network;

implement a second set of programmatic interfaces enabling a client to transmit a resource registration request from the client to the provider network, wherein the resource registration request indicates one or more resources located at a data center external to the provider network as candidate targets for a category of control operation requests received via the first set of programmatic interfaces, wherein the category of control operation requests are associated with at least a particular network-accessible service of the one or more network-accessible services;

receive a particular resource registration request via the second set of programmatic interfaces, indicating a particular resource located at the data center external to the provider network;

verify functionality of one or more modules of a management software stack installed at the particular resource;

establish a secure network connection between a particular module of the one or more modules at the particular resource, and an administrative resource located within a data center of the provider network; and

in response to a particular control operation request of the category of control operation requests received via a programmatic interface of the first set, transmit a control command from the administrative resource located within the data center of the provider network to the particular resource located at the data center external to the provider network via the secure network connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for client-premise resource control using provider-defined interfaces are described. A set of programmatic interfaces enabling clients to submit registration requests is implemented. A registration request indicates resources located at a data center external to a provider network as candidate targets for control operation requests issued via a different set of programmatic interfaces associated with a service of the provider network. A network connection is established between a particular resource indicated in a registration request, and an administrative resource located within a data center of the provider network. In response to a particular control operation request received via a programmatic interface of the different set, a control command is transmitted from the administrative resource to the particular resource via the network connection.

57 Citations

View as Search Results

20 Claims

1. A system, comprising:
- one or more computing devices comprising at least a processor and memory, wherein the one or more computing devices are configured to;
  
  implement a first set of programmatic interfaces enabling a client to request a control operation associated with resources of one or more network-accessible services of a provider network;
  
  implement a second set of programmatic interfaces enabling a client to transmit a resource registration request from the client to the provider network, wherein the resource registration request indicates one or more resources located at a data center external to the provider network as candidate targets for a category of control operation requests received via the first set of programmatic interfaces, wherein the category of control operation requests are associated with at least a particular network-accessible service of the one or more network-accessible services;
  
  receive a particular resource registration request via the second set of programmatic interfaces, indicating a particular resource located at the data center external to the provider network;
  
  verify functionality of one or more modules of a management software stack installed at the particular resource;
  
  establish a secure network connection between a particular module of the one or more modules at the particular resource, and an administrative resource located within a data center of the provider network; and
  
  in response to a particular control operation request of the category of control operation requests received via a programmatic interface of the first set, transmit a control command from the administrative resource located within the data center of the provider network to the particular resource located at the data center external to the provider network via the secure network connection.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system as recited in claim 1, wherein the particular network-accessible service comprises one of:
    - a virtualized compute service, a block-level storage service, a storage service implementing a web-services interface for client operations, a database service, a batch-processing parallel computing service, or a load-balancing service.
  - 3. The system as recited in claim 1, wherein the provider network comprises a plurality of availability containers including a first availability container and a second availability container with respective sets of infrastructure components and respective availability profiles, wherein the particular resource registration request comprises a request to designate a collection of resources, including the particular resource and another resource at the data center external to the provider network, as a different availability container than the first and second availability containers.
  - 4. The system as recited in claim 1, wherein the one or more computing devices are further configured to:
    - transmit the control command to the particular resource via a network path that comprises a particular physical network link; and
      
      in response to a data transfer operation request directed at the particular resource, transfer data from the particular resource using a different network path that comprises the particular physical network link.
  - 5. The system as recited in claim 4, wherein the one or more computing devices are further configured to:
    - establish a virtual private network (VPN) dedicated to traffic associated with control commands between the provider network and the data center external to the provider network.

6. A method, comprising:
- performing, by one or more computing devices;
  
  implementing a first set of programmatic interfaces enabling clients to request control operations associated with resources of one or more network-accessible services of a provider network;
  
  implementing a second set of programmatic interfaces enabling a particular client to transmit a registration request from the particular client to the provider network, wherein the registration request indicates one or more resources located at a data center external to the provider network as candidate targets for a category of control operation requests issued via the first set of programmatic interfaces, wherein the category of control operation requests pertain to a particular network-accessible service of the one or more network-accessible services;
  
  receiving a particular registration request via a programmatic interface of the second set of programmatic interfaces, indicating a particular resource of the one or more resources located at the data center external to the provider network;
  
  establishing a network connection between the particular resource and an administrative resource located within a data center of the provider network; and
  
  in response to a particular control operation request of the category of control operation requests received via a programmatic interface of the first set, transmitting a control command from the administrative resource located within the data center of the provider network to the particular resource located at the data center external to the provider network via the network connection.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The method as recited in claim 6, wherein the particular network-accessible service comprises one of:
    - a virtualized compute service, a block-level storage service, an object storage service implementing a web-services interface for client operations, a database service, a batch-processing parallel computing service, or a load-balancing service.
  - 8. The method as recited in claim 6, wherein the provider network comprises a plurality of availability containers including a first availability container and a second availability container with respective sets of infrastructure components and respective availability profiles, wherein the particular controlled external resource group request comprises a request to designate a collection of resources at the data center external to the provider network as a different availability container.
  - 9. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - transmitting the control command to the particular resource via a network path that comprises a particular physical network link; and
      
      in response to receiving a data transfer operation request directed at the particular resource, transferring data from the particular resource using a different network path that comprises the particular physical network link.
  - 10. The method as recited in claim 9, further comprising performing, by the one or more computing devices:
    - establishing a first virtual private network (VPN) dedicated to traffic associated with control commands between the provider network and the data center external to the provider network.
  - 11. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - establishing the network connection using a virtual private gateway established on behalf of the particular client.
  - 12. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - securing the network connection using one of;
      
      IPSec (Internet Protocol Security), TLS (Transport Layer Security), or SSL (Secure Sockets Layer).
  - 13. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - transmitting, to a destination device at the data center external to the provider network, an installable version of one or more modules of a software stack to be installed at the particular resource; and
      
      establishing the network connection from the administrative resource to a particular module of the one or more modules.
  - 14. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - quiescing, in response to one or more control operation requests received from the particular client, an execution of a particular virtualized compute instance at the particular resource; and
      
      re-instantiating the quiesced virtualized compute instance at a different resource within the provider network.
  - 15. The method as recited in claim 6, further comprising performing, by the one or more computing devices:
    - receiving, at a configuration service node within the provider network, an application stack configuration request, comprising an indication of a first component and a second component of a particular application to be configured on behalf of the particular client, wherein the first component is to utilize a first resource located within the provider network, and the second component is to utilize a second resource located at the data center external to the provider network;
      
      issuing respective configuration commands, in accordance with the application stack configuration request, from the configuration service node to the first resource and the second resource.

16. A non-transitory computer-accessible storage medium storing program instructions that when executed on one or more processors:
- implement a first set of programmatic interfaces enabling a client to transmit a registration request from the client to a provider network, wherein the registration request indicates one or more resources located at a data center external to the provider network as candidate targets for a category of control operation requests issued via a different set of programmatic interfaces associated with a network-accessible service of the provider network;
  
  establish a network connection between a particular resource indicated in a particular registration request, and an administrative resource located within a data center of the provider network; and
  
  in response to a particular control operation request of the category of control operation requests received via a programmatic interface of the different set, transmit a control command from the administrative resource located within the data center of the provider network to the particular resource located at the data center external to the provider network via the network connection.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the network-accessible service comprises one of:
    - a virtualized compute service, a block-level storage service, an object storage service implementing a web-services interface for client operations, a database service, a batch-processing parallel computing service, or a load-balancing service.
  - 18. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the provider network comprises a plurality of availability containers including a first availability container and a second availability container with respective sets of infrastructure components and respective availability profiles, wherein the particular registration request comprises a request to designate a collection of resources at the data center external to the provider network as a different availability container.
  - 19. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the instructions when executed on the one or more processors:
    - establish a virtual private network (VPN) dedicated to traffic associated with control commands between the provider network and the data center external to the provider network.
  - 20. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the particular resource comprises at least one of:
    - a virtualized compute resource host, a storage appliance, or a load-balancing appliance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Stickle, Thomas Charles, Wise, Terrence Patrick, Moses, Carl Jay
Primary Examiner(s)
Mejia, Anthony

Application Number

US14/034,325
Publication Number

US 20150089034A1
Time in Patent Office

1,366 Days
Field of Search

709223
US Class Current
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 41/18   Delegation of network manag...

H04L 41/28   Restricting access to netwo...

H04L 41/40   using virtualisation of net...

Client-premise resource control via provider-defined interfaces

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Client-premise resource control via provider-defined interfaces

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links