Interconnecting external networks with overlay networks in a shared computing environment

US 9,860,214 B2
Filed: 09/10/2015
Issued: 01/02/2018
Est. Priority Date: 09/10/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining, by one or more processors, data from a first virtual network of a first tenant, a first identifier identifying the first tenant, data from a second virtual network of a second tenant, and a second identifier identifying the second tenant, wherein the first virtual network of the first tenant and the second virtual network of the second tenant are two of two or more virtual networks in a shared computing environment wherein the two or more virtual networks overlay a physical network, wherein each virtual network of the two or more virtual networks is a virtual network of a tenant;

based on obtaining the first identifier, setting, by the one or more processors, the first identifier in metadata of the data from the first virtual network;

based on obtaining the second identifier, setting, by the one or more processors, the second identifier in metadata of the data from the second virtual network;

based on the first identifier in the metadata, identifying, by the one or more processors, a network connection associated with the first tenant, and based on the second identifier in the metadata of the data from the second virtual network, identifying, by the one or more processors, the network connection associated with the second tenant, wherein the network connection associated with the first tenant and the network connection associated with the second tenant comprise a shared virtual private network tunnel over a public Internet connection, wherein the virtual private network tunnel is coupled to remote networks of at least two tenants of the two or more virtual networks, the remote networks of at least two tenants comprising a remote network of the first tenant and the remote network of the second tenant;

identifying, by the one or more processors, a policy of the network connection relevant to the first tenant and processing the data with the policy to create processed data from the first virtual network;

identifying, by the one or more processors, a policy of the network connection relevant to the second tenant and processing the data with the policy relevant to the second tenant to create processed data from the second virtual network; and

transmitting, by the one or more processors, the processed data from the first virtual network through the network connection to the remote network of the first tenant and the processed data from the second virtual network through the network connection to the remote network of the second tenant.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes obtaining, by one or more processor, data from a virtual network of a tenant and an identifier of the tenant, where the virtual network of the tenant is one of at least two virtual networks in a shared computing environment where the at least two virtual networks overlay a physical network. Based on obtaining the identifier of the tenant, the method includes setting, by one or more processor, the identifier in metadata of the data and based on the identifier in the metadata, identifying, by the one or more processor, a network connection associated with the tenant. The method also includes identifying, by the one or more processor, a policy of the network connection and processing the data with the policy to create processed data and transmitting, by the one or more processor, the processed data through the network connection.

23 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- obtaining, by one or more processors, data from a first virtual network of a first tenant, a first identifier identifying the first tenant, data from a second virtual network of a second tenant, and a second identifier identifying the second tenant, wherein the first virtual network of the first tenant and the second virtual network of the second tenant are two of two or more virtual networks in a shared computing environment wherein the two or more virtual networks overlay a physical network, wherein each virtual network of the two or more virtual networks is a virtual network of a tenant;
  
  based on obtaining the first identifier, setting, by the one or more processors, the first identifier in metadata of the data from the first virtual network;
  
  based on obtaining the second identifier, setting, by the one or more processors, the second identifier in metadata of the data from the second virtual network;
  
  based on the first identifier in the metadata, identifying, by the one or more processors, a network connection associated with the first tenant, and based on the second identifier in the metadata of the data from the second virtual network, identifying, by the one or more processors, the network connection associated with the second tenant, wherein the network connection associated with the first tenant and the network connection associated with the second tenant comprise a shared virtual private network tunnel over a public Internet connection, wherein the virtual private network tunnel is coupled to remote networks of at least two tenants of the two or more virtual networks, the remote networks of at least two tenants comprising a remote network of the first tenant and the remote network of the second tenant;
  
  identifying, by the one or more processors, a policy of the network connection relevant to the first tenant and processing the data with the policy to create processed data from the first virtual network;
  
  identifying, by the one or more processors, a policy of the network connection relevant to the second tenant and processing the data with the policy relevant to the second tenant to create processed data from the second virtual network; and
  
  transmitting, by the one or more processors, the processed data from the first virtual network through the network connection to the remote network of the first tenant and the processed data from the second virtual network through the network connection to the remote network of the second tenant.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the data from the first virtual network of the first tenant comprises a frame,wherein the obtaining data from the first virtual network further comprises removing the outer header of the frame leaving a packet as the data from the first virtual network of the first tenant, andwherein the setting the first identifier in the metadata of the data from the first virtual network comprises setting the first identifier in the metadata of the packet.
  - 3. The computer-implemented method of claim 1, wherein the first identifier is an identifier for a port from which the one or more processors obtained the data from the first virtual network of the first tenant, the port comprising a logical connection point between the physical network and the first virtual network.
  - 4. The computer-implemented method of claim 1, wherein the identifying the network connection associated with the first tenant further comprises utilizing at least one field in the data from the first virtual network of the first tenant with the first identifier to identify the network connection.
  - 5. The computer-implemented method of claim 1, further comprising:
    - obtaining, by the one or more processors, additional data from the network connection, via the remote network of the first tenant;
      
      setting, by the one or more processors, a network connection identifier in metadata of the additional data;
      
      obtaining, by the one or more processors, the additional data and the network connection identifier and based on the network connection identifier, identifying the first tenant, wherein the first tenant is a tenant of the shared computing environment; and
      
      based on identifying the first tenant, inserting, by the one or more processors, the additional data into an access of the first virtual network.
  - 6. The computer-implemented method of claim 5, wherein the obtaining additional data from the network connection comprises decrypting the additional data by enforcing a security policy of the network connection.
  - 7. The computer-implemented method of claim 5, wherein the network connection is a virtual private network tunnel.
  - 8. The computer-implemented method of claim 5, wherein the additional data comprises a packet and the identifying the first tenant comprises:
    - reconstructing, by the one or more processors, the header of the packet to convert the packet to a frame, wherein the reconstructing comprises utilizing the network connection identifier in the metadata to set a next hop media access control address as a destination media access control address and a pseudo media access control as a source media access control address.
  - 9. The computer-implemented method of claim 8, wherein the inserting the additional data into the access comprises:
    - based on setting the destination media access control address and the source media access control address, inserting the frame into the access through a logical connection point between the physical network and the first virtual network.
  - 10. The computer-implemented method of claim 1, further comprising:
    - obtaining, by the one or more processors, data from a third virtual network of a third tenant and an identifier of the third tenant, wherein the third virtual network of the third tenant is one of the two or more virtual networks in the shared computing environment wherein the two or more virtual networks overlay a physical network, wherein each virtual network of the two or more virtual networks is a virtual network of the third tenant;
      
      based on obtaining the identifier of the third tenant, setting, by the one or more processors, the identifier of the third tenant in metadata of the data from the third virtual network;
      
      based on the identifier in the metadata of the data from the third virtual network, identifying, by the one or more processors, the network connection associated with the third tenant, wherein the network connection comprises the shared virtual private network tunnel and the remote networks of the at least two tenants further comprise a remote network of the third tenant;
      
      identifying, by the one or more processors, a policy of the network connection relevant to the third tenant and processing the data from the third virtual network with the policy to create processed data from the third virtual network; and
      
      transmitting, by the one or more processors, the processed data from the third virtual network through the network connection to the remote network of the third tenant.

11. A computer program product comprising:
- a computer readable storage medium readable by one or more processors and storing instructions for execution by the one or more processors for performing a method comprising;
  
  obtaining, by the one or more processors, data from a first virtual network of a first tenant, a first identifier identifying the first tenant, data from a second virtual network of a second tenant, and a second identifier identifying the second tenant, wherein the first virtual network of the first tenant and the second virtual network of the second tenant are two of two or more virtual networks in a shared computing environment wherein the two or more virtual networks overlay a physical network, wherein each virtual network of the two or more virtual networks is a virtual network of a tenant;
  
  based on obtaining the first identifier, setting, by the one or more processors, the first identifier in metadata of the data from the first virtual network;
  
  based on obtaining the second identifier, setting, by the one or more processors, the second identifier in metadata of the data from the second virtual network;
  
  based on the first identifier in the metadata, identifying, by the one or more processors, a network connection associated with the first tenant, and based on the second identifier in the metadata of the data from the second virtual network, identifying, by the one or more processors, the network connection associated with the second tenant, wherein the network connection associated with the first tenant and the network connection associated with the second tenant comprise a shared virtual private network tunnel over a public Internet connection, wherein the virtual private network tunnel is coupled to remote networks of at least two tenants of the two or more virtual networks, the remote networks of at least two tenants comprising a remote network of the first tenant and the remote network of the second tenant;
  
  identifying, by the one or more processors, a policy of the network connection relevant to the first tenant and processing the data with the policy to create processed data from the first virtual network;
  
  identifying, by the one or more processors, a policy of the network connection relevant to the second tenant and processing the data with the policy relevant to the second tenant to create processed data from the second virtual network; and
  
  transmitting, by the one or more processors, the processed data from the first virtual network through the network connection to the remote network of the first tenant and the processed data from the second virtual network through the network connection to the remote network of the second tenant.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer program product of claim 11, wherein the data from the first virtual network of the first tenant comprises a frame,wherein the obtaining data from the first virtual network further comprises removing the outer header of the frame leaving a packet as the data from the first virtual network of the first tenant, andwherein the setting the first identifier in the metadata of the data from the first virtual network comprises setting the first identifier in the metadata of the packet.
  - 13. The computer program product of claim 11, wherein the first identifier is an identifier for a port from which the one or more processors obtained the data from the first virtual network of the first tenant, the port comprising a logical connection point between the physical network and the first virtual network.
  - 14. The computer program product of claim 11, wherein the identifying the network connection associated with the first tenant further comprises utilizing at least one field in the data from the first virtual network of the first tenant with the first identifier to identify the network connection.
  - 15. The computer program product of claim 11, the method further comprising:
    - obtaining, by the one or more processors, additional data from the network connection, via the remote network of the first tenant;
      
      setting, by the one or more processors, a network connection identifier in metadata of the additional data;
      
      obtaining, by the one or more processors, the additional data and the network connection identifier and based on the network connection identifier, identifying the first tenant, wherein the first tenant is a tenant of the shared computing environment; and
      
      based on identifying the first tenant, inserting, by the one or more processors, the additional data into an access of the first virtual network.
  - 16. The computer program product of claim 15, wherein the obtaining, additional data from the network connection comprises decrypting the additional data by enforcing a security policy of the network connection.
  - 17. The computer program product of claim 15, wherein the additional data comprises a packet and the identifying the first tenant comprises:
    - reconstructing, by the one or more processors, the header of the packet to convert the packet to a frame, wherein the reconstructing comprises utilizing the network connection identifier in the metadata to set a next hop media access control address as a destination media access control address and a pseudo media access control as a source media access control address.
  - 18. The computer program product of claim 11, the method further comprising:
    - obtaining, by the one or more processors, data from a third virtual network of a third tenant and an identifier of the third tenant, wherein the third virtual network of the third tenant is one of the two or more virtual networks in the shared computing environment wherein the two or more virtual networks overlay a physical network, wherein each virtual network of the two or more virtual networks is a virtual network of the third tenant;
      
      based on obtaining the identifier of the third tenant, setting, by the one or more processors, the identifier of the third tenant in metadata of the data from the third virtual network;
      
      based on the identifier in the metadata of the data from the third virtual network, identifying, by the one or more processors, the network connection associated with the third tenant, wherein the network connection comprises the shared virtual private network tunnel and the remote networks of the at least two tenants further comprise a remote network of the third tenant;
      
      identifying, by the one or more processors, a policy of the network connection relevant to the third tenant and processing the data from the third virtual network with the policy to create processed data from the third virtual network; and
      
      transmitting, by the one or more processors, the processed data from the third virtual network through the network connection to the remote network of the third tenant.

19. A system comprising:
- a memory;
  
  one or more processors in communication with the memory; and
  
  program instructions executable by the one or more processors via the memory to perform a method, the method comprising;
  
  obtaining, by the one or more processors, data from a first virtual network of a first tenant, a first identifier identifying the first tenant, data from a second virtual network of a second tenant, and a second identifier identifying the second tenant, wherein the first virtual network of the first tenant and the second virtual network of the second tenant are two of two or more virtual networks in a shared computing environment wherein the two or more virtual networks overlay a physical network, wherein each virtual network of the two or more virtual networks is a virtual network of a tenant;
  
  based on obtaining the first identifier, setting, by the one or more processors, the first identifier in metadata of the data from the first virtual network;
  
  based on obtaining the second identifier, setting, by the one or more processors, the second identifier in metadata of the data from the second virtual network;
  
  based on the first identifier in the metadata, identifying, by the one or more processors, a network connection associated with the first tenant, and based on the second identifier in the metadata of the data from the second virtual network, identifying, by the one or more processors, the network connection associated with the second tenant, wherein the network connection associated with the first tenant and the network connection associated with the second tenant comprise a shared virtual private network tunnel over a public Internet connection, wherein the virtual private network tunnel is coupled to remote networks of at least two tenants of the two or more virtual networks, the remote networks of at least two tenants comprising a remote network of the first tenant and the remote network of the second tenant;
  
  identifying, by the one or more processors, a policy of the network connection relevant to the first tenant and processing the data with the policy to create processed data from the first virtual network;
  
  identifying, by the one or more processors, a policy of the network connection relevant to the second tenant and processing the data with the policy relevant to the second tenant to create processed data from the second virtual network; and
  
  transmitting, by the one or more processors, the processed data from the first virtual network through the network connection to the remote network of the first tenant and the processed data from the second virtual network through the network connection to the remote network of the second tenant.
- View Dependent Claims (20)
- - 20. The system of claim 19, the method further comprising:
    - obtaining, by the one or more processors, additional data from the network connection, via the remote network of the first tenant;
      
      setting, by the one or more processors, a network connection identifier in metadata of the additional data;
      
      obtaining, by the one or more processors, the additional data and the network connection identifier and based on the network connection identifier, identifying the first tenant, wherein the first tenant is a tenant of the shared computing environment; and
      
      based on identifying the first tenant, inserting, by the one or more processors, the additional data into an access of the first virtual network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Bian, Guo Chun, Lin, Jin Jing, Rong, Liang, Tang, Gang, Xian, Ming Shuang
Primary Examiner(s)
Song, Hosuk
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US14/850,460
Publication Number

US 20170078248A1
Time in Patent Office

845 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/20   for managing network securi...

H04L 67/141   Setup of application sessio...

Interconnecting external networks with overlay networks in a shared computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Interconnecting external networks with overlay networks in a shared computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links