Authorizing communications between computing nodes

US 10,218,613 B2
Filed: 02/16/2017
Issued: 02/26/2019
Est. Priority Date: 03/31/2008
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a hardware processor of a first server computing system that hosts a first virtual machine associated with a first virtual network address of a virtual network; and

at least one memory of the first server computing system having stored instructions that, upon execution by the hardware processor, cause the first server computing system to;

receive a first communication from the first virtual machine that is addressed to a second virtual network address for a destination of the first communication;

determine that the first virtual machine is authorized to send at least the first communication to the second virtual network address based at least in part on mapping information for the virtual network that maps the second virtual network address to an associated substrate network address of a second server computing system managing communications for the destination; and

send, based at least in part on determining that the first virtual machine is authorized, a modified communication to the associated substrate network address of the second server computing system, wherein the modified communication includes at least a portion of the first communication and is addressed to the associated substrate network address of the second server computing system.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

73 Citations

View as Search Results

20 Claims

1. A system comprising:
- a hardware processor of a first server computing system that hosts a first virtual machine associated with a first virtual network address of a virtual network; and
  
  at least one memory of the first server computing system having stored instructions that, upon execution by the hardware processor, cause the first server computing system to;
  
  receive a first communication from the first virtual machine that is addressed to a second virtual network address for a destination of the first communication;
  
  determine that the first virtual machine is authorized to send at least the first communication to the second virtual network address based at least in part on mapping information for the virtual network that maps the second virtual network address to an associated substrate network address of a second server computing system managing communications for the destination; and
  
  send, based at least in part on determining that the first virtual machine is authorized, a modified communication to the associated substrate network address of the second server computing system, wherein the modified communication includes at least a portion of the first communication and is addressed to the associated substrate network address of the second server computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein the first server computing system is part of an online service that provides the virtual network for a customer of the online service, and wherein the stored instructions further cause the first server computing system to obtain and store the mapping information for the virtual network from the online service before sending the modified communication.
  - 3. The system of claim 2 further comprising one or more additional computing systems that implement a system manager for the online service, and whether the obtaining of the mapping information by the first server computing system includes receiving, over one or more computer networks, the mapping information from the one or more additional computing systems.
  - 4. The system of claim 2 further comprising a substrate network that is provided by the online service and on which the virtual network is implemented, and wherein sending of the modified communication includes forwarding the modified communication from the first server computing system to the second server computing system over the substrate network.
  - 5. The system of claim 2 further comprising the second server computing system, wherein the second server computing system is further part of the online service, and wherein the second server computing system hosts a second virtual machine that is the destination of the first communication and provides the sent modified communication to the second virtual machine.
  - 6. The system of claim 5 wherein a memory of the second server computing system has additional stored instructions that cause the second server computing system to receive the sent modified communication and to use at least some of the mapping information for the virtual network to determine that the second virtual machine is authorized to receive the first communication from the first virtual machine.
  - 7. The system of claim 2 wherein the online service further provides a substrate network on which the virtual network is implemented, wherein the second server computing system is part of a computer network of the customer that is separated from the substrate network by one or more intervening public networks, and wherein sending of the modified communication to the associated substrate network address of the second server computing system includes forwarding the modified communication over the substrate network to an edge router that connects the substrate network to the one or more intervening public networks.
  - 8. The system of claim 1 further comprising the second server computing system, and wherein a memory of the second server computing system has additional stored instructions that cause the second server computing system to receive the sent modified communication and to use at least some of the mapping information for the virtual network to determine that the first virtual machine is authorized to send the first communication to the destination.
  - 9. The system of claim 1 further comprising the second server computing system, and wherein a memory of the second server computing system has additional stored instructions that cause the second server computing system to receive the sent modified communication and to perform further automated operations to provide the first communication to the destination.

10. A non-transitory computer-readable medium having stored contents that cause, for a server computing system hosting a virtual machine associated with a virtual network address of a virtual network, the server computing system to:
- receive, from a sending node in the virtual network, a first communication that is sent to the server computing system using a substrate network address for the server computing system and that indicates a planned destination of the first communication using the virtual network address for the virtual machine;
  
  determine that the virtual machine is authorized to receive at least the first communication from the sending node based at least in part on mapping information for the virtual network that maps an additional virtual network address for the sending node to an additional substrate network address from which the first communication is received; and
  
  provide, based at least in part on determining that the first virtual machine is authorized, a modified communication to the virtual machine, wherein the modified communication is at least a portion of the first communication and is addressed to the virtual network address.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory computer-readable medium of claim 10 wherein the server computing system is part of an online service that provides the virtual network for a customer of the online service, and wherein the stored contents include software instructions that, when executed, further cause the server computing system to obtain and store the mapping information for the virtual network from the online service before providing the modified communication to the virtual machine.
  - 12. The non-transitory computer-readable medium of claim 11 wherein a second server computing system is further part of the online service and is associated with the additional substrate network address, and wherein the second server computing systems hosts a second virtual machine that is the sending node for the first communication and receives the first communication from the second virtual machine before sending the first communication to the server computing system.
  - 13. The non-transitory computer-readable medium of claim 12 wherein a memory of the second server computing system has additional stored instructions that cause the second server computing system to use at least some of the mapping information for the virtual network to determine that the second virtual machine is authorized to send the first communication to the virtual machine.
  - 14. The non-transitory computer-readable medium of claim 11 wherein the online service further provides a substrate network on which the virtual network is implemented, wherein the sending node is part of a computer network of the customer that is separated from the substrate network by one or more intervening public networks, and wherein the first communication is received by the server computing system over the substrate network from an edge router that connects the substrate network to the one or more intervening public networks.
  - 15. The non-transitory computer-readable medium of claim 10 wherein the stored contents further cause the server computing system to store the mapping information for the virtual network before receiving of the first communication, and to determine that the sending node is authorized to send at least the first communication to the virtual machine based at least in part on the stored mapping information.

16. A computer-implemented method comprising:
- selecting, by one or more computing systems implementing an online service that has a plurality of server devices for use with customers of the online service, a server device of the plurality to host a first computing node for use in a virtual network provided by the online service for a customer of the online service;
  
  storing, by the one or more computing systems and on the server device, mapping information for the virtual network that includes virtual Internet Protocol (IP) addresses of other computing nodes in the virtual network and that includes associated substrate IP addresses for a substrate network on which the virtual network is overlaid, the other computing nodes including a second computing node hosted on a second server device, to enable the server device to use the mapping information to modify communications for the virtual network involving the first computing node; and
  
  determining, by the server device and based at least in part on the stored mapping information, that the first computing node is authorized to send an outgoing communication to the second computing node.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-implemented method of claim 16 wherein the first computing node is a virtual machine hosted by the server device, and wherein the method further comprises:
    - modifying, by the server device and based at least in part on the stored mapping information, an outgoing communication from the first computing node to the second computing node that indicates the virtual IP address of the second computing node as a destination, the modifying including adding the associated substrate IP address for the included virtual IP address as a new destination of the modified outgoing communication; and
      
      sending the modified outgoing communication over the substrate network to the second server device based at least in part on the added associated substrate IP address.
  - 18. The computer-implemented method of claim 16 wherein the first computing node is a virtual machine hosted by the server device, and wherein the method further comprises:
    - sending over the substrate network to the second server device, based at least in part on the determining that the first computing node is authorized to send an outgoing communication to the second computing node, information that includes the outgoing communication.
  - 19. The computer-implemented method of claim 16 wherein the first computing node is a virtual machine hosted by the server device, and wherein the method further comprises:
    - receiving, by the server device, an incoming communication from the second computing node that indicates the virtual IP address of the first computing node as a destination; and
      
      providing, by the server device, information to the first computing node that includes at least a portion of the incoming communication and that is modified based at least in part on the stored mapping information.
  - 20. The computer-implemented method of claim 19 further comprising, before the providing of the information to the first computing node and based at least in part on the stored mapping information, determining that the first computing node is authorized to receive the incoming communication from the second computing node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Cohn, Daniel Todd
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/435,138
Publication Number

US 20170163528A1
Time in Patent Office

740 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 41/00   Arrangements for maintenanc...

H04L 41/28   Restricting access to netwo...

H04L 45/586   of virtual routers

H04L 61/103   across network layers, e.g....

H04L 61/251   between different IP versions

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0236   Filtering by address, proto...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

Authorizing communications between computing nodes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authorizing communications between computing nodes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links