System and method for providing key-encrypted storage in a cloud computing environment
First Claim
1. A method, comprising:
- routing a request to a cloud resource from a plurality of cloud resources within a cloud, wherein the request is directed to a single Internet Protocol (IP) address for the cloud, wherein routing further includes performing network address translation on a port portion of the IP address by translating the IP address to a subnet IP address comprising a range of IP addresses that are assigned to a plurality of instances of servers within the cloud resource within the cloud and distinguishing the cloud resource from the plurality of cloud resources;
- selecting a particular instance of the plurality of instances of servers to service the request based on processing loads associated with the instances and based on the performing network address translation on the port portion of the IP address that identifies the subnet IP address range for the instances;
- initiating the particular instance to service the request;
- providing a secure encrypted storage within the cloud that is shared between the cloud resources; and
- managing each cloud resource's access to a decryption key for decrypting the secure encrypted storage during access by the cloud resources to the secure encrypted storage.
2 Assignments
0 Petitions
Abstract
System and method for providing cloud computing services are described. In one embodiment, the system comprises a cloud computing environment comprising resources for supporting cloud workloads, each cloud workload having associated therewith an internal cloud address; and a routing system disposed between external workloads of an external computing environment and the cloud workloads, the routing system for directing traffic from an external address to the internal cloud addresses of the cloud workloads. A designated one of the cloud workloads obtains one key of a first pair of cryptographic keys, the first pair of cryptographic keys for decrypting encrypted storage hosted within the cloud computing environment.
70 Citations
20 Claims
1. A method, comprising: (text as given above under First Claim)
Dependent claims: 2-13

14. A non-transitory computer-readable storage device with computer-executable instructions stored thereon that, when executed by one or more computer processors, cause the one or more computer processors to perform operations comprising:
- maintaining a plurality of executing instances of a cloud resource within a plurality of cloud resources within a secure cloud;
- receiving a request for an executing instance that utilizes a single Internet Protocol (IP) address shared by each of the executing instances, wherein maintaining further includes managing the single IP address for access to all of the instances;
- performing network address translation on a port portion of the single IP address by translating the single IP address to a subnet IP address comprising a range of IP addresses that are assigned to the plurality of executing instances of the cloud resource within the secure cloud and distinguishing the cloud resource from the plurality of cloud resources;
- selecting a particular instance to service the request based on processing loads associated with the instances and based on the performing network address translation on the port portion of the single IP address that identifies the subnet IP address range for the instances;
- initiating the particular instance to service the request; and
- managing data access for each of the instances from an encrypted storage within the cloud during processing of the instances with each instance having access to the encrypted storage through a unique encryption and decryption key pair.
Dependent claims: 15-18

19. A system, comprising:
- a cloud comprising a plurality of cloud resources, the plurality of cloud resources comprising a plurality of executing instances of a cloud resource;
- an encrypted data storage; and
- a cloud router configured to:
  i) manage the plurality of executing instances of the cloud resource through a single port of a single Internet Protocol (IP) address that is provided for accessing any of the executing instances,
  ii) perform network address translation on the single port of the single IP address by translating the single IP address to a subnet IP address comprising a range of IP addresses that are assigned to the plurality of executing instances of the cloud resource within the cloud and distinguishing the cloud resource from the plurality of cloud resources,
  iii) select particular executing instances of the plurality of executing instances to service external requests for the cloud resource based on processing loads for the instances and based on the performing network address translation on the single port of the single IP address that identifies the subnet IP address range for the executing instances within a subnet,
  iv) select the particular instances from the single IP address based on the private IP addresses being within a port range included as part of the single IP address,
  v) provide a unique key pair for accessing the encrypted data storage to each of the instances, and
  vi) provide a first key of the unique key pair to each of the instances during a secure communication session that utilizes a different key pair.
Dependent claims: 20
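The routing and key-handling steps in the claims above, as an added illustrative model; this is not code from the patent and not any cloud provider's implementation. It assumes the documentation address 203.0.113.10 as the single cloud IP, a constructed two-resource topology in which a destination port range selects the resource's private subnet and the least-loaded instance in that subnet is chosen, an assumed per-instance load figure, and a stdlib-only HMAC-based key wrap standing in for the real per-instance key pair. The separately keyed session over which each instance's key-encryption key would be provisioned (claim 19, step vi) is out of scope and is simply assumed to exist.

```python
# Added illustrative model; names, addresses and the toy key wrap are assumptions.
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # assumed single external IP for the whole cloud


@dataclass
class Instance:
    name: str
    private_ip: str
    load: float  # assumed load metric: fraction of capacity in use


@dataclass
class Resource:
    name: str
    port_range: range              # external ports that NAT to this resource
    subnet: ipaddress.IPv4Network  # subnet whose addresses belong to its instances
    instances: list


class CloudRouter:
    """Single-IP front door: the destination port selects the resource's subnet,
    then the least-loaded instance inside that subnet services the request."""

    def __init__(self, resources):
        self.resources = resources

    def resource_for_port(self, port):
        for res in self.resources:
            if port in res.port_range:
                return res
        raise LookupError(f"no resource mapped to port {port}")

    def select_instance(self, dst_ip, dst_port):
        if dst_ip != PUBLIC_IP:
            raise ValueError("request is not addressed to the cloud's single IP")
        res = self.resource_for_port(dst_port)
        # Only instances whose private address lies in the NAT-selected subnet qualify.
        candidates = [i for i in res.instances
                      if ipaddress.ip_address(i.private_ip) in res.subnet]
        if not candidates:
            raise LookupError(f"no instances of {res.name} inside {res.subnet}")
        return min(candidates, key=lambda i: i.load)


def _keystream(kek, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher.
    blocks = (hmac.new(kek, nonce + n.to_bytes(4, "big"), hashlib.sha256).digest()
              for n in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def wrap_key(kek, data_key):
    """Toy authenticated key wrap (encrypt-then-MAC). Production code would use
    AES-KW/AES-GCM under a symmetric KEK or RSA-OAEP under the instance's public key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(kek, nonce, len(data_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("wrapped key failed authentication (wrong KEK or tampering)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class StorageKeyManager:
    """Holds the shared storage key plus one wrapped copy per authorized instance,
    so access is granted or revoked per instance without re-encrypting the storage."""

    def __init__(self):
        self.storage_key = secrets.token_bytes(32)
        self._wrapped = {}

    def grant(self, instance_name, instance_kek):
        self._wrapped[instance_name] = wrap_key(instance_kek, self.storage_key)

    def revoke(self, instance_name):
        self._wrapped.pop(instance_name, None)

    def fetch_wrapped(self, instance_name):
        if instance_name not in self._wrapped:
            raise PermissionError(f"{instance_name} is not authorized for the storage key")
        return self._wrapped[instance_name]


def build_demo_router():
    # Constructed sample topology: two resources, each with its own port range and subnet.
    web = Resource("web", range(8000, 8100), ipaddress.ip_network("10.0.1.0/24"),
                   [Instance("web-a", "10.0.1.11", 0.7), Instance("web-b", "10.0.1.12", 0.2)])
    db = Resource("db", range(9000, 9100), ipaddress.ip_network("10.0.2.0/24"),
                  [Instance("db-a", "10.0.2.21", 0.5)])
    return CloudRouter([web, db])
```

`build_demo_router().select_instance(PUBLIC_IP, 8042)` returns `web-b`, the least-loaded instance in the 10.0.1.0/24 subnet that the 8000-8099 port range maps to; a port outside every range raises `LookupError` before any instance is consulted, and a request to any address other than the single cloud IP is refused outright. Revoking an instance only deletes its wrapped copy, so routine de-authorization needs no storage re-encryption; if an instance's key-encryption key is believed compromised while its copy was live, the storage key itself must still be rotated, because the instance may already hold the plaintext.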
Specification