Authorizing communications between computing nodes
First Claim
1. A computer-implemented method comprising:
storing, on a computer system, mapping information that associates a virtual Internet Protocol (IP) address of a first node with a substrate IP address of the first node, wherein the computer system provides a second node that is part of a virtual computer network overlaid on a substrate network, and wherein the substrate IP address is for use within the substrate network;
modifying, by a second computer system that provides the first node and for an outgoing communication from the first node to the second node that includes the virtual IP address for the first node, the outgoing communication to include the substrate IP address of the first node by using mapping information stored on the second computer system, wherein the modifying is performed before forwarding the modified outgoing communication over the substrate network;
retrieving, by the computer system and from information included in a received communication after the communication is forwarded over the substrate network from the first node to the second node, the virtual IP address for the first node and the substrate IP address for the first node, wherein the received communication is the modified outgoing communication;
determining, by the computer system, that the received communication is authorized for the second node by using the stored mapping information to match the retrieved virtual IP address for the first node with the retrieved substrate IP address for the first node; and
initiating, by the computer system and based on the determining that the received communication is authorized, providing of the received communication to the second node.
Abstract
Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.
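The authorization step described in the abstract and in the first claim, as an added illustration that is not part of the patent: each host keeps a copy of the virtual-to-substrate IP mapping, the sending host rewrites the outgoing communication so the substrate header carries the mapped substrate addresses, and the receiving host delivers the communication to its node only if the sender's virtual and substrate addresses are paired in the stored mapping. The `Packet` fields, the `send`/`authorize`/`deliver` names and the sample addresses are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample mapping for one virtual network: virtual IP -> substrate IP.
# Every computer system that provides a node holds a copy of this table.
MAPPING: Dict[str, str] = {
    "10.0.0.1": "192.168.50.11",   # first node, provided by substrate host .11
    "10.0.0.2": "192.168.50.12",   # second node, provided by substrate host .12
}

@dataclass(frozen=True)
class Packet:
    """A communication as forwarded over the substrate: an outer (substrate)
    header carrying the inner (virtual) header and payload. Field names assumed."""
    substrate_src: str
    substrate_dst: str
    virtual_src: str
    virtual_dst: str
    payload: bytes

def send(virtual_src: str, virtual_dst: str, payload: bytes,
         mapping: Dict[str, str] = MAPPING) -> Packet:
    """Sending host ('modifying'): look up both substrate IPs in the local
    mapping and place them in the outer header before forwarding."""
    return Packet(mapping[virtual_src], mapping[virtual_dst],
                  virtual_src, virtual_dst, payload)

def authorize(pkt: Packet, mapping: Dict[str, str] = MAPPING) -> bool:
    """Receiving host ('determining'): retrieve the sender's virtual and
    substrate IPs from the received communication and accept only if the
    stored mapping pairs them. An unknown virtual IP or a substrate source
    that does not match the mapping is rejected."""
    return mapping.get(pkt.virtual_src) == pkt.substrate_src

def deliver(pkt: Packet, mapping: Dict[str, str] = MAPPING) -> Optional[bytes]:
    """Provide the payload to the destination node only when authorized."""
    return pkt.payload if authorize(pkt, mapping) else None

if __name__ == "__main__":
    good = send("10.0.0.1", "10.0.0.2", b"hello")
    print(deliver(good))            # b'hello': mapping pairs .11 with 10.0.0.1
    # Same virtual source, but arriving from a substrate host the mapping
    # does not associate with it: not authorized, so nothing is delivered.
    mismatched = Packet("192.168.50.99", "192.168.50.12",
                        "10.0.0.1", "10.0.0.2", b"x")
    print(deliver(mismatched))      # None
```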
30 Claims
1. Independent claim, set out in full under First Claim above. Dependent claims: 2 to 15.
16. A non-transitory computer-readable medium having stored contents that cause first and second computer systems to:
store, on the first computer system and on the second computer system, mapping information that is for a virtual computer network and that associates a virtual Internet Protocol (IP) address of a first node in the virtual computer network with a substrate IP address of the first node for use within a substrate network on which the virtual computer network is overlaid, wherein the first computer system provides the first node and the virtual IP address is for use within the virtual computer network, and wherein the second computer system provides a second node for the virtual computer network;
modify, by the first computer system and for an outgoing communication that is from the first node to the second node and that includes the virtual IP address of the first node as a source IP address for the outgoing communication, the outgoing communication by adding, as a source IP address for the modified outgoing communication in a header of the modified outgoing communication, the substrate IP address of the first node from the mapping information stored on the first computer system;
forward, over the substrate network, the modified outgoing communication from the first computer system to the second computer system;
receive, by the second computer system, the forwarded modified outgoing communication as an incoming communication for the second node;
retrieve, by the second computer system and from information included in the received incoming communication, the virtual IP address for the first node and the substrate IP address for the first node;
determine, by the second computer system, that the received incoming communication is authorized for the second node based on the virtual IP address for the first node matching the substrate IP address for the first node in the mapping information stored on the second computer system; and
initiate, by the second computer system and based on the determining that the received incoming communication is authorized, providing of the received incoming communication to the second node.
Dependent claims: 17 to 20.
21. A system, comprising:
one or more hardware processors; and
one or more memories including instructions that, upon execution by at least one of the one or more hardware processors, cause the system to:
store, on a first computer system that provides a first node for a virtual computer network and on a second computer system that provides a second node, mapping information that associates a virtual Internet Protocol (IP) address of the first node with a substrate IP address of the first node, wherein the virtual IP address is for use within the virtual computer network, and wherein the substrate IP address is for use within a substrate network on which the virtual computer network is overlaid;
modify, by the first computer system and based on the mapping information stored on the first computer system, an outgoing communication that is from the first node to the second node to cause the modified outgoing communication to include both the virtual IP address for the first node and the substrate IP address of the first node;
retrieve, by the second computer system and after the modified outgoing communication is forwarded over the substrate network from the first computer system, the virtual IP address for the first node and the substrate IP address for the first node from information included in the forwarded communication;
determine, by the second computer system, that the forwarded communication is authorized for the second node based on using the mapping information stored on the second computer system to match the retrieved virtual IP address for the first node with the retrieved substrate IP address for the first node; and
cause, by the second computer system and based on the determining that the forwarded communication is authorized, the forwarded communication to be provided to the second node.
Dependent claims: 22 to 30.