Authorizing communications between computing nodes

US 9,705,792 B2
Filed: 11/30/2012
Issued: 07/11/2017
Est. Priority Date: 03/31/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

storing, on a computer system, mapping information that associates a virtual Internet Protocol (IP) address of a first node with a substrate IP address of the first node, wherein the computer system provides a second node that is part of a virtual computer network overlaid on a substrate network, and wherein the substrate IP address is for use within the substrate network;

modifying, by a second computer system that provides the first node and for an outgoing communication from the first node to the second node that includes the virtual IP address for the first node, the outgoing communication to include the substrate IP address of the first node by using mapping information stored on the second computer system, wherein the modifying is performed before forwarding the modified outgoing communication over the substrate network;

retrieving, by the computer system and from information included in a received communication after the communication is forwarded over the substrate network from the first node to the second node, the virtual IP address for the first node and the substrate IP address for the first node, wherein the received communication is the modified outgoing communication;

determining, by the computer system, that the received communication is authorized for the second node by using the stored mapping information to match the retrieved virtual IP address for the first node with the retrieved substrate IP address for the first node; and

initiating, by the computer system and based on the determining that the received communication is authorized, providing of the received communication to the second node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

Citations

30 Claims

1. A computer-implemented method comprising:
- storing, on a computer system, mapping information that associates a virtual Internet Protocol (IP) address of a first node with a substrate IP address of the first node, wherein the computer system provides a second node that is part of a virtual computer network overlaid on a substrate network, and wherein the substrate IP address is for use within the substrate network;
  
  modifying, by a second computer system that provides the first node and for an outgoing communication from the first node to the second node that includes the virtual IP address for the first node, the outgoing communication to include the substrate IP address of the first node by using mapping information stored on the second computer system, wherein the modifying is performed before forwarding the modified outgoing communication over the substrate network;
  
  retrieving, by the computer system and from information included in a received communication after the communication is forwarded over the substrate network from the first node to the second node, the virtual IP address for the first node and the substrate IP address for the first node, wherein the received communication is the modified outgoing communication;
  
  determining, by the computer system, that the received communication is authorized for the second node by using the stored mapping information to match the retrieved virtual IP address for the first node with the retrieved substrate IP address for the first node; and
  
  initiating, by the computer system and based on the determining that the received communication is authorized, providing of the received communication to the second node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-implemented method of claim 1 further comprising:
    - receiving, by the computer system, the communication forwarded over the substrate network in a format for transmission over the substrate network; and
      
      modifying, by the computer system, the received communication to be formatted for the virtual computer network,and wherein the communication provided to the second node is the modified communication.
  - 3. The computer-implemented method of claim 2 wherein the first node is further part of the virtual computer network, wherein the received communication forwarded over the substrate network includes the substrate IP address of the first node as a specified source of the received communication, and wherein the modifying of the received communication includes specifying a source of the modified communication to be the virtual IP address of the first node.
  - 4. The computer-implemented method of claim 2 further comprising executing, by the computer system, a destination communication manager module that assists in implementing the virtual computer network, and wherein the determining that the received communication is authorized is performed by the executing destination communication manager module.
  - 5. The computer-implemented method of claim 1 wherein the virtual IP address of the first node is stored in a header of the received communication forwarded over the substrate network, and wherein the retrieving of the virtual IP address from the information included in the received communication includes extracting the stored virtual IP address from the header.
  - 6. The computer-implemented method of claim 5 wherein the communication forwarded over the substrate network uses the substrate IP address of the first node as a source IP address for the forwarded communication, wherein the virtual IP address is a subset of and included within the substrate IP address, and wherein the extracting of the stored virtual IP address from the header includes extracting the stored virtual IP address from within the substrate IP address.
  - 7. The computer-implemented method of claim 1 further comprising:
    - storing, on the second computer system and before the modifying of the outgoing communication, the mapping information to associate the virtual IP address of the first node with the substrate IP address of the first node.
  - 8. The computer-implemented method of claim 7 wherein the second computer system execute a source communication manager module that assists in implementing the virtual computer network by managing communications for the first node, wherein the computer system executes a destination communication manager module that assists in implementing the virtual computer network by managing communications for the second node, and wherein the storing of the mapping information on the computer system and on the second computer system further includes interacting with a remote system manager module that maintains information about virtual IP addresses assigned to multiple computing nodes of the virtual computer network and about substrate IP addresses associated with the multiple computing nodes.
  - 9. The computer-implemented method of claim 1 wherein the determining that the received communication is authorized includes determining a location in the substrate network corresponding to the first node, and verifying that the received communication was forwarded over the substrate network from the determined location.
  - 10. The computer-implemented method of claim 1 wherein the determining that the received communication is authorized includes determining that the virtual IP address for the first node is assigned for the virtual computer network to one of multiple computing nodes of the virtual computer network.
  - 11. The computer-implemented method of claim 8 wherein the determining that the received communication is authorized includes identifying the source communication manager module associated with the first node, and verifying that the received communication was forwarded over the substrate network from the identified source communication manager module.
  - 12. The computer-implemented method of claim 11 wherein the storing of the mapping information by the computer system is performed before the communication is forwarded over the substrate network.
  - 13. The computer-implemented method of claim 1 wherein the storing of the mapping information includes obtaining, by the computer system and before the receiving of the communication, the mapping information from a system manager module that further assists in implementing the virtual computer network.
  - 14. The method of claim 1 wherein the virtual computer network is implemented using the IPv4 (“
    - Internet Protocol version 4”
      
      ) networking protocol.
  - 15. The method of claim 1 wherein the substrate network is implemented using the IPv4 (“
    - Internet Protocol version 4”
      
      ) networking protocol.

16. A non-transitory computer-readable medium having stored contents that cause first and second computer systems to:
- store, on the first computer system and on the second computer system, mapping information that is for a virtual computer network and that associates a virtual Internet Protocol (IP) address of a first node in the virtual computer network with a substrate IP address of the first node for use within a substrate network on which the virtual computer network is overlaid, wherein the first computer system provides the first node and the virtual IP address is for use within the virtual computer network, and wherein the second computer system provides a second node for the virtual computer network;
  
  modify, by the first computer system and for an outgoing communication that is from the first node to the second node and that includes the virtual IP address of the first node as a source IP address for the outgoing communication, the outgoing communication by adding, as a source IP address for the modified outgoing communication in a header of the modified outgoing communication, the substrate IP address of the first node from the mapping information stored on the first computer system;
  
  forward, over the substrate network, the modified outgoing communication from the first computer system to the second computer system;
  
  receive, by the second computer system, the forwarded modified outgoing communication as an incoming communication for the second node;
  
  retrieve, by the second computer system and from information included in the received incoming communication, the virtual IP address for the first node and the substrate IP address for the first node;
  
  determine, by the second computer system, that the received incoming communication is authorized for the second node based on the virtual IP address for the first node matching the substrate IP address for the first node in the mapping information stored on the second computer system; and
  
  initiate, by the second computer system and based on the determining that the received incoming communication is authorized, providing of the received incoming communication to the second node.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable medium of claim 16 wherein the stored contents include software instructions that, when executed, further cause the second computer system to modify the received incoming communication to format the received incoming communication for the virtual computer network, and wherein the communication provided to the second node is the modified received incoming communication.
  - 18. The non-transitory computer-readable medium of claim 16 wherein the determining by the second computer system that the received incoming communication is authorized includes determining a location in the substrate network corresponding to the first node, and includes verifying that the received incoming communication was forwarded to the second computer system over the substrate network from the determined location.
  - 19. The non-transitory computer-readable medium of claim 16 wherein the stored contents further cause the first computer system and the second computer system to each execute a communication manager module that assists in implementing the virtual computer network by managing communications between multiple nodes of the virtual computer network.
  - 20. The non-transitory computer-readable medium of claim 16 wherein at least one of the virtual computer network or the substrate network is implemented using IPv4 (“
    - Internet Protocol version 4”
      
      ) networking protocol.

21. A system, comprising:
- one or more hardware processors; and
  
  one or more memories including instructions that, upon execution by at least one of the one or more hardware processors, cause the system to;
  
  store, on a first computer system that provides a first node for a virtual computer network and on a second computer system that provides a second node, mapping information that associates a virtual Internet Protocol (IP) address of the first node with a substrate IP address of the first node, wherein the virtual IP address is for use within the virtual computer network, and wherein the substrate IP address is for use within a substrate network on which the virtual computer network is overlaid;
  
  modify, by the first computer system and based on the mapping information stored on the first computer system, an outgoing communication that is from the first node to the second node to cause the modified outgoing communication to include both the virtual IP address for the first node and the substrate IP address of the first node;
  
  retrieve, by the second computer system and after the modified outgoing communication is forwarded over the substrate network from the first computer system, the virtual IP address for the first node and the substrate IP address for the first node from information included in the forwarded communication;
  
  determine, by the second computer system, that the forwarded communication is authorized for the second node based on using the mapping information stored on the second computer system to match the retrieved virtual IP address for the first node with the retrieved substrate IP address for the first node; and
  
  cause, by the second computer system and based on the determining that the forwarded communication is authorized, the forwarded communication to be provided to the second node.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21 wherein the instructions further cause the second computer system to receive the forwarded modified outgoing communication, and to further modify the received communication to be formatted for the virtual computer network, and wherein the communication provided to the second node is the further modified communication.
  - 23. The system of claim 21 wherein the determining by the second computer system that the forwarded communication is authorized includes determining a location in the substrate network corresponding to the first node, and verifying that the forwarded communication was forwarded to the second computer system over the substrate network from the determined location.
  - 24. The system of claim 21 wherein the instructions further cause the first computer system and the second computer system to each execute a communication manager module that assists in implementing the virtual computer network by managing communications between multiple nodes of one or more virtual computer networks.
  - 25. The system of claim 21 wherein at least one of the virtual computer network or the substrate network is implemented using IPv4 (“
    - Internet Protocol version 4”
      
      ) networking protocol.
  - 26. The system of claim 21 further comprising the first computer system and the second computer system and multiple virtual machines hosted on the first and second computer systems that each use a subset of the one or more memories, and wherein the first node and the second node are each one of the multiple hosted virtual machines.
  - 27. The system of claim 21 wherein the first node is associated with a first entity identifier for an entity that controls the first node, wherein the second node is associated with a second entity identifier for an entity that controls the second node, and wherein the determining that the forwarded communication is authorized for the second node includes determining that the first and second entity identifiers match.
  - 28. The system of claim 21 wherein the first node is associated with a first entity identifier for an entity that controls the first node, wherein the second node is associated with a second entity identifier for an entity that controls the second node, and wherein the determining that the received communication is authorized for the second node includes determining that the first entity identifier is authorized to send communications to the second node.
  - 29. The system of claim 21 wherein the virtual computer network is one of multiple virtual computer networks provided by an online service on behalf of multiple customers, and wherein the first node and the second node are provided by the online service.
  - 30. The system of claim 29 wherein the first node is part of a first provided virtual computer network of the multiple virtual computer networks, and wherein the second node is part of a distinct second provided virtual computer network of the multiple virtual computer networks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Cohn, Daniel T.
Primary Examiner(s)
Pyzocha, Michael

Application Number

US13/691,497
Publication Number

US 20130132577A1
Time in Patent Office

1,684 Days
Field of Search

726 15, 726 27, 726 28, 726 29, 726 30, 709237, 709245
US Class Current
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 41/00   Arrangements for maintenanc...

H04L 41/28   Restricting access to netwo...

H04L 45/586   of virtual routers

H04L 61/103   across network layers, e.g....

H04L 61/251   between different IP versions

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0236   Filtering by address, proto...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

Authorizing communications between computing nodes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Authorizing communications between computing nodes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links