Authorizing communications between computing nodes
Abstract
Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.
Claims (20)
1. A system comprising:
- a hardware processor of a first server computing system that hosts a first virtual machine associated with a first virtual network address of a virtual network; and
- at least one memory of the first server computing system having stored instructions that, upon execution by the hardware processor, cause the first server computing system to:
  - receive a first communication from the first virtual machine that is addressed to a second virtual network address for a destination of the first communication;
  - determine that the first virtual machine is authorized to send at least the first communication to the second virtual network address based at least in part on mapping information for the virtual network that maps the second virtual network address to an associated substrate network address of a second server computing system managing communications for the destination; and
  - send, based at least in part on determining that the first virtual machine is authorized, a modified communication to the associated substrate network address of the second server computing system, wherein the modified communication includes at least a portion of the first communication and is addressed to the associated substrate network address of the second server computing system.
(Dependent claims 2 to 9 depend from claim 1 and are not reproduced here.)

10. A non-transitory computer-readable medium having stored contents that cause, for a server computing system hosting a virtual machine associated with a virtual network address of a virtual network, the server computing system to:
- receive, from a sending node in the virtual network, a first communication that is sent to the server computing system using a substrate network address for the server computing system and that indicates a planned destination of the first communication using the virtual network address for the virtual machine;
- determine that the virtual machine is authorized to receive at least the first communication from the sending node based at least in part on mapping information for the virtual network that maps an additional virtual network address for the sending node to an additional substrate network address from which the first communication is received; and
- provide, based at least in part on determining that the first virtual machine is authorized, a modified communication to the virtual machine, wherein the modified communication is at least a portion of the first communication and is addressed to the virtual network address.
(Dependent claims 11 to 15 depend from claim 10 and are not reproduced here.)

16. A computer-implemented method comprising:
- selecting, by one or more computing systems implementing an online service that has a plurality of server devices for use with customers of the online service, a server device of the plurality to host a first computing node for use in a virtual network provided by the online service for a customer of the online service;
- storing, by the one or more computing systems and on the server device, mapping information for the virtual network that includes virtual Internet Protocol (IP) addresses of other computing nodes in the virtual network and that includes associated substrate IP addresses for a substrate network on which the virtual network is overlaid, the other computing nodes including a second computing node hosted on a second server device, to enable the server device to use the mapping information to modify communications for the virtual network involving the first computing node; and
- determining, by the server device and based at least in part on the stored mapping information, that the first computing node is authorized to send an outgoing communication to the second computing node.
(Dependent claims 17 to 20 depend from claim 16 and are not reproduced here.)
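The three independent claims together describe one mechanism: a per-host communication manager that holds mapping information from (virtual network, virtual address) to substrate address (claim 16), checks on the sending side that the destination virtual address is in the sender's mapping before readdressing the communication to the substrate (claim 1), and checks on the receiving side that the substrate address a communication arrived from is the one the mapping assigns to the claimed virtual sender before handing it to the VM (claim 10). The following Python model is an added example written for this page; it is not code from the patent or from any provider's implementation. It assumes that the virtual network identifier travels with the encapsulated communication, that the hypervisor (not the guest) knows which VM and which virtual network a communication came from, and that the substrate source address is trustworthy within the provider's network; all addresses, network ids and class names are constructed for illustration.

```python
# Added example (not from the patent or from any vendor's implementation):
# a host-side communication manager for an overlay virtual network, using the
# mapping information described in claims 1, 10 and 16. All addresses and
# network ids below are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualPacket:
    """A communication as the VM sees it: virtual addresses only."""
    vnet_id: str      # which customer's virtual network (the same vIP can recur across networks)
    src_vip: str
    dst_vip: str
    payload: bytes


@dataclass(frozen=True)
class SubstratePacket:
    """The modified communication sent across the substrate (the 'send' step of claim 1)."""
    src_sip: str            # substrate address of the sending host
    dst_sip: str            # substrate address of the host managing the destination
    inner: VirtualPacket    # the original communication carried along


class HostAgent:
    """Runs on one server; mapping_info is pushed to it by the service (claim 16)."""

    def __init__(self, substrate_ip, mapping_info):
        self.substrate_ip = substrate_ip
        # (vnet_id, virtual_ip) -> substrate_ip of the host managing that node
        self.mapping = dict(mapping_info)
        # VMs hosted here, keyed by (vnet_id, virtual_ip); value = packets delivered to that VM
        self.local_vms = {}

    def attach_vm(self, vnet_id, vip):
        self.local_vms[(vnet_id, vip)] = []

    def outbound(self, vm_key, dst_vip, payload):
        """Claim 1: authorize the send via the mapping, then readdress to the substrate.
        vm_key identifies the sending VM as the hypervisor knows it, so a guest
        cannot choose its own source address or virtual network."""
        if vm_key not in self.local_vms:
            return None                       # not a VM this host manages
        vnet_id, src_vip = vm_key
        dst_sip = self.mapping.get((vnet_id, dst_vip))
        if dst_sip is None:
            return None                       # destination not in this VM's network: drop
        inner = VirtualPacket(vnet_id, src_vip, dst_vip, payload)
        return SubstratePacket(self.substrate_ip, dst_sip, inner)

    def inbound(self, spkt):
        """Claim 10: accept only if the claimed virtual sender maps to the substrate
        address the packet actually came from, and the destination VM is hosted here."""
        inner = spkt.inner
        if spkt.dst_sip != self.substrate_ip:
            return False                      # not addressed to this host
        if self.mapping.get((inner.vnet_id, inner.src_vip)) != spkt.src_sip:
            return False                      # substrate source contradicts the mapping: treat as spoofed
        dst_key = (inner.vnet_id, inner.dst_vip)
        if dst_key not in self.local_vms:
            return False                      # stale mapping or no such VM here
        self.local_vms[dst_key].append(inner) # hand it to the VM, still virtual-addressed
        return True


def run_scenarios():
    """Two hosts, two tenants that both use the virtual address 10.0.0.5 (constructed data)."""
    mapping = {
        ("vnet-A", "10.0.0.5"): "192.168.1.10",
        ("vnet-A", "10.0.0.6"): "192.168.1.20",
        ("vnet-B", "10.0.0.5"): "192.168.1.20",
    }
    host1 = HostAgent("192.168.1.10", mapping)
    host1.attach_vm("vnet-A", "10.0.0.5")
    host2 = HostAgent("192.168.1.20", mapping)
    host2.attach_vm("vnet-A", "10.0.0.6")
    host2.attach_vm("vnet-B", "10.0.0.5")
    results = {}

    # Legitimate: A/10.0.0.5 -> A/10.0.0.6 is readdressed to host2 and delivered there.
    sp = host1.outbound(("vnet-A", "10.0.0.5"), "10.0.0.6", b"hello")
    results["legit"] = sp is not None and sp.dst_sip == "192.168.1.20" and host2.inbound(sp)

    # Unknown destination: 10.0.0.7 is not in vnet-A's mapping, so host1 refuses to send.
    results["unknown_dst"] = host1.outbound(("vnet-A", "10.0.0.5"), "10.0.0.7", b"x") is None

    # Spoof from a rogue substrate host claiming to be A/10.0.0.5 (mapping says 192.168.1.10).
    forged = SubstratePacket("192.168.1.99", "192.168.1.20",
                             VirtualPacket("vnet-A", "10.0.0.5", "10.0.0.6", b"evil"))
    results["spoofed_src"] = host2.inbound(forged) is False

    # Cross-tenant: host1 really is 192.168.1.10, but B/10.0.0.5 is mapped to 192.168.1.20.
    cross = SubstratePacket("192.168.1.10", "192.168.1.20",
                            VirtualPacket("vnet-B", "10.0.0.5", "10.0.0.5", b"evil"))
    results["cross_tenant"] = host2.inbound(cross) is False

    results["delivered_to_A6"] = len(host2.local_vms[("vnet-A", "10.0.0.6")])
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Two points worth noting about the design. The receiving-side check in `inbound` is only as strong as the substrate's guarantee that `src_sip` cannot be forged by a host or a tenant; the claims base authorization on the mapping alone, so a deployment has to ensure that guarantee separately (for example by having the substrate drop packets whose source address does not belong to the emitting host's port). And because the mapping is keyed by virtual network as well as virtual address, two customers can reuse the same virtual address without either being able to reach or impersonate the other, which is the cross-tenant scenario above.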
Specification