Managing communications between computing nodes
First Claim
1. A computer-implemented method comprising:
obtaining, by one or more configured computing devices of an application execution service, information indicating an access policy for use with a first computing node;
initiating, by the one or more configured computing devices, execution of the first computing node as a virtual machine hosted by a physical computing system of the application execution service; and
configuring, by the one or more configured computing devices, a software component executing on the physical computing system to manage communications for virtual machines hosted by the physical computing system, wherein the configuring includes storing information on the physical computing system about the access policy for use by the software component in managing communications for the first computing node, and wherein the software component is configured to:
intercept a first communication addressed to the first computing node;
determine whether the first communication is in accordance with the access policy;
if the first communication is in accordance with the access policy, forward the first communication to the first computing node;
receive another communication indicating the first computing node as a source of the other communication;
determine whether the other communication is in accordance with the access policy; and
if the other communication is in accordance with the access policy, forward the other communication to a destination of the other communication.
Abstract
Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destination nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.
22 Citations
19 Claims
1. A computer-implemented method comprising:
obtaining, by one or more configured computing devices of an application execution service, information indicating an access policy for use with a first computing node;
initiating, by the one or more configured computing devices, execution of the first computing node as a virtual machine hosted by a physical computing system of the application execution service; and
configuring, by the one or more configured computing devices, a software component executing on the physical computing system to manage communications for virtual machines hosted by the physical computing system, wherein the configuring includes storing information on the physical computing system about the access policy for use by the software component in managing communications for the first computing node, and wherein the software component is configured to:
intercept a first communication addressed to the first computing node;
determine whether the first communication is in accordance with the access policy;
if the first communication is in accordance with the access policy, forward the first communication to the first computing node;
receive another communication indicating the first computing node as a source of the other communication;
determine whether the other communication is in accordance with the access policy; and
if the other communication is in accordance with the access policy, forward the other communication to a destination of the other communication.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A non-transitory computer-readable medium having stored contents that configure a computing device to:
receive, by a configured computing device, information specifying an access policy for use with a first virtual machine hosted on a physical computing system;
configure, by the configured computing device, a transmission manager component to manage communications for the first virtual machine in accordance with the specified access policy, wherein the transmission manager component is executed by the physical computing system to manage communications for hosted virtual machines that include the first virtual machine, and wherein the transmission manager component is configured to:
intercept a first communication addressed to the first virtual machine;
determine whether the first communication is in accordance with the specified access policy;
if the first communication is in accordance with the specified access policy, forward the first communication to the first virtual machine;
receive another communication indicating the first virtual machine as a source of the other communication;
determine whether the other communication is in accordance with the access policy; and
if the other communication is in accordance with the access policy, forward the other communication to a destination of the other communication; and
provide access to the first virtual machine.
Dependent claims: 14, 15, 16, 17, 18

19. A computing system, comprising:
one or more processors; and
a memory storing instructions that, upon execution by at least one of the one or more processors, cause the computing system to:
host at least one virtual machine configured to execute at least one application program in a portion of the memory allocated to the virtual machine;
receive configuration instructions that configure a transmission manager component executing on the computing system to manage communications of the virtual machine in accordance with an indicated access policy; and
manage, by the executing transmission manager component, the communications of the virtual machine by:
receiving a first communication from or to the virtual machine;
determining whether the first communication is authorized by the indicated access policy; and
if the first communication is authorized by the indicated access policy, forwarding the first communication to a specified destination, and otherwise preventing the forwarding of the first communication.
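As an added illustration (not code from the patent or its assignee), the following Python simulates the transmission manager of claims 1, 13 and 19 together with the negotiated, recorded authorizations described in the abstract: each host's manager intercepts traffic to and from its own virtual machines, asks the destination's manager the first time a given source and destination pair communicates, and both sides record the outcome so later transmissions between that pair are decided locally without negotiation. The node names, group layout, policy format and peer registry are assumptions made for the example.

```python
class TransmissionManager:
    """Host-level component that intercepts traffic to and from its hosted VMs."""
    def __init__(self, hosted, groups, policy):
        self.hosted = set(hosted)   # VMs on this physical system
        self.groups = groups        # node id -> group name (user-specified, shared config)
        self.policy = policy        # destination group -> source groups allowed to send to it
        self.cache = {}             # (src, dst) -> bool: recorded negotiation outcomes
        self.peers = {}             # node id -> manager of the host running it (assumed registry)
        self.forwarded = []         # communications this manager actually passed on
        self.negotiations = 0       # remote policy checks performed (one per uncached pair)

    def decide(self, src, dst):     # destination-side authority for a node this host runs
        return self.groups.get(src) in self.policy.get(self.groups.get(dst), set())

    def authorized(self, src, dst):
        key = (src, dst)
        if key in self.cache:              # already negotiated: reuse the recorded result
            return self.cache[key]
        if dst in self.hosted:             # inbound: local policy decides
            ok = self.decide(src, dst)
        else:                              # outbound: negotiate with the destination's manager
            self.negotiations += 1
            peer = self.peers[dst]
            ok = peer.decide(src, dst)
            peer.cache[key] = ok           # both sides record the outcome for later use
        self.cache[key] = ok
        return ok

    def handle(self, src, dst):
        # Intercept one communication; forward it if authorized, otherwise prevent it.
        if not self.authorized(src, dst):
            return False
        self.forwarded.append((src, dst))
        if dst not in self.hosted:         # hand off to the destination host, which re-checks
            return self.peers[dst].handle(src, dst)
        return True


def demo():
    """Constructed scenario: two hosts, three nodes, one cross-host rule."""
    groups = {"web1": "web", "db1": "db", "other1": "misc"}
    policy = {"db": {"web"}}               # only the web group may send to the db group
    host_a = TransmissionManager({"web1", "other1"}, groups, policy)
    host_b = TransmissionManager({"db1"}, groups, policy)
    host_a.peers = {n: host_b for n in host_b.hosted}
    host_b.peers = {n: host_a for n in host_a.hosted}
    results = [host_a.handle("web1", "db1"),    # negotiated with host_b, then forwarded
               host_a.handle("web1", "db1"),    # decided from the recorded result, no negotiation
               host_a.handle("other1", "db1")]  # negotiated and refused: misc may not reach db
    return results, host_a.negotiations, host_b.negotiations, len(host_b.forwarded)
```

The destination host never negotiates on its own: by the time the forwarded communication reaches it, the outcome is already recorded in its cache, so its inbound check is a lookup.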
Specification