Replicating firewall policy across multiple data centers

US 9,755,903 B2
Filed: 07/28/2015
Issued: 09/05/2017
Est. Priority Date: 06/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method of replicating firewall rules across a plurality of data centers, each data center comprising a set of hosts and a network manager, each host configured to host a set of data compute nodes (DCNs), the method comprising:

identifying a first DCN on a host in a primary data center, the first DCN associated with a set of global firewall rules utilizing unique identifiers recognized by the network manager of each data center;

allocating storage for a second DCN on a host in a secondary data center to replicate the first DCN;

prior to the second DCN being powered on, replicating the set of global firewall rules associated with the first DCN into the storage allocated for the second DCN; and

in response to receiving an indication that the second DCN is powered on, and enforcing the set of global firewall rules for the second DCN using the replicated set of global firewall rules.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of replicating firewall rules across a group of data centers. Each data center includes a set of hosts and a network manager. Each host is configured to host a set of data compute nodes (DCNs). The method identifies a first DCN on a host in a primary data center. The first DCN is associated with a set of global firewall rules utilizing unique identifiers recognized by the network manager of each data center. The method allocates storage for a second DCN on a host in a secondary data center to replicate the first DCN. The method replicates the set of global firewall rules associated with the first DCN into the storage allocated for the second DCN. The method receives an indication that the second DCN is powered on. The method enforces the set of global firewall rules for the second DCN by using the replicated global firewall rules.

Citations

22 Claims

1. A method of replicating firewall rules across a plurality of data centers, each data center comprising a set of hosts and a network manager, each host configured to host a set of data compute nodes (DCNs), the method comprising:
- identifying a first DCN on a host in a primary data center, the first DCN associated with a set of global firewall rules utilizing unique identifiers recognized by the network manager of each data center;
  
  allocating storage for a second DCN on a host in a secondary data center to replicate the first DCN;
  
  prior to the second DCN being powered on, replicating the set of global firewall rules associated with the first DCN into the storage allocated for the second DCN; and
  
  in response to receiving an indication that the second DCN is powered on, and enforcing the set of global firewall rules for the second DCN using the replicated set of global firewall rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the second DCN is utilized as a recovery DCN, wherein the second DCN is powered on after the first DCN is powered down.
  - 3. The method of claim 1, wherein the set of global firewall rules is a first set of global firewall rules, the method further comprising:
    - receiving a second set of global firewall rules associated with the first DCN prior to the second DCN being powered on; and
      
      prior to the second DCN being powered on, replicating the second set of global firewall rules associated with the first DCN into the storage allocated for the second DCN.
  - 4. The method of claim 1, wherein each global firewall rule includes (i) a set of n-tuples for comparing with a set of attributes of a packet to determine whether a firewall rule is applicable to the packet, and (ii) an action identifier that specifies an action to perform on the packet when the firewall rule is applicable to the packet.
  - 5. The method of claim 4, wherein each global firewall rule further includes an enforcement-node tuple.
  - 6. The method of claim 1, wherein the set of global firewall rules are utilized as read-only rules in the secondary data center.
  - 7. The method of claim 1, wherein a DCN is a virtual machine.

8. A non-transitory machine readable medium storing a program that when executed by at least one processing unit replicates firewall rules across a plurality of data centers, each data center comprising a set of hosts and a network manager, each host configured to host a set of data compute nodes (DCNs), the program comprising sets of instructions for:
- identifying a first DCN on a host in a primary data center, the first DCN associated with a set of global firewall rules utilizing unique identifiers recognized by the network manager of each data center;
  
  allocating storage for a second DCN on a host in a secondary data center to replicate the first DCN;
  
  replicating, prior to the second DCN being powered on, the set of global firewall rules associated with the first DCN into the storage allocated for the second DCN; and
  
  enforcing, in response to receiving an indication that the second DCN is powered on, the set of global firewall rules for the second DCN using the replicated set of global firewall rules.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory machine readable medium of claim 8, wherein the second DCN is utilized as a recovery DCN, wherein the second DCN is powered on after the first DCN is powered down.
  - 10. The non-transitory machine readable medium of claim 8, wherein the set of global firewall rules is a first set of global firewall rules, the program further comprising sets of instructions for:
    - receiving a second set of global firewall rules associated with the first DCN prior to the second DCN being powered on; and
      
      replicating, prior to the second DCN being powered on, the second set of global firewall rules associated with the first DCN into the storage allocated for the second DCN.
  - 11. The non-transitory machine readable medium of claim 8, wherein each global firewall rule includes (i) a set of n-tuples for comparing with a set of attributes of a packet to determine whether a firewall rule is applicable to the packet, and (ii) an action identifier that specifies an action to perform on the packet when the firewall rule is applicable to the packet.
  - 12. The non-transitory machine readable medium of claim 11, wherein each global firewall rule further includes an enforcement-node tuple.
  - 13. The non-transitory machine readable medium of claim 8, wherein the set of global firewall rules are utilized as read-only rules in the secondary data center.
  - 14. The non-transitory machine readable medium of claim 8, wherein a DCN is a virtual machine.

15. A system comprising:
- a plurality of data centers, each data center comprising;
  
  a network manager;
  
  a set of hosts configured to host a set of data compute nodes (DCN); and
  
  a site recovery manager configured to;
  
  identify a first DCN on a host in a primary data center, the first DCN associated with a set of global firewall rules utilizing unique identifiers recognized by the network manager of each data center;
  
  allocate storage for a second DCN on a host in a secondary data center to replicate the first DCN;
  
  replicate, prior to powering on the second DCN, the set of global firewall rules associated with the first DCN into the storage allocated for the second DCN; and
  
  enforce, in response to receiving an indication that the second DCN is powered on, the set of global firewall rules for the second DCN using the replicated set of global firewall rules.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The system of claim 15, wherein enforcing the set of global firewall rules comprises enforcing the set of global firewall rules through the network manager of the secondary data center.
  - 17. The system of claim 15, wherein the second DCN is utilized as a recovery DCN, wherein the second DCN is powered on after the first DCN is powered down.
  - 18. The system of claim 15, wherein the set of global firewall rules is a first set of global firewall rules, the site recovery manager further configured to:
    - receive a second set of global firewall rules associated with the first DCN prior to the second DCN being powered on; and
      
      replicate, prior to the second DCN being powered on, the second set of global firewall rules associated with the first DCN into the storage allocated for the second DCN.
  - 19. The system of claim 15, wherein each global firewall rule includes (i) a set of n-tuples for comparing with a set of attributes of a packet to determine whether a firewall rule is applicable to the packet, and (ii) an action identifier that specifies an action to perform on the packet when the firewall rule is applicable to the packet.
  - 20. The system of claim 19, wherein each global firewall rule further includes an enforcement-node tuple.
  - 21. The system of claim 15, wherein the set of global firewall rules are utilized as read-only rules in the secondary data center.
  - 22. The system of claim 15, wherein a DCN is a virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Masurekar, Uday, Bansal, Kaushal
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US14/811,382
Publication Number

US 20170004192A1
Time in Patent Office

770 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0813   with a network or matrix co...

G06F 16/25   Integrating or interfacing ...

G06F 16/27   Replication, distribution o...

G06F 2009/4557   Distribution of virtual mac...

G06F 2212/154   Networked environment

G06F 2212/60   Details of cache memory

G06F 2212/62   Details of cache specific t...

G06F 9/445   Program loading or initiati...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/0846   based on copy from other el...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

H04L 67/1001   for accessing one among a p...

H04L 67/1095   Replication or mirroring of...

H04L 67/5682 : Policies or rules for updat...

View All

Replicating firewall policy across multiple data centers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Replicating firewall policy across multiple data centers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links