Managing communications between computing nodes

US 10,367,850 B2
Filed: 10/04/2017
Issued: 07/30/2019
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining, by one or more configured computing devices of an application execution service, information indicating an access policy for use with a first computing node;

initiating, by the one or more configured computing devices, execution of the first computing node as a virtual machine hosted by a physical computing system of the application execution service; and

configuring by the one or more configured computing devices, a software component executing on the physical computing system to manage communications for virtual machines hosted by the physical computing system, wherein the configuring includes storing information on the physical computing system about the access policy for use by the software component in managing communications for the first computing node, and wherein the software component is configured to;

intercept a first communication addressed to the first computing node;

determine whether the first communication is in accordance with the access policy;

if the first communication is in accordance with the access policy, forward the first communication to the first computing node;

receive another communication indicating the first computing node as a source of the other communication;

determine whether the other communication is in accordance with the access policy; and

if the other communication is in accordance with the access policy, forward the other communication to a destination of the other communication.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destinations nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.

22 Citations

View as Search Results

19 Claims

1. A computer-implemented method comprising:
- obtaining, by one or more configured computing devices of an application execution service, information indicating an access policy for use with a first computing node;
  
  initiating, by the one or more configured computing devices, execution of the first computing node as a virtual machine hosted by a physical computing system of the application execution service; and
  
  configuring by the one or more configured computing devices, a software component executing on the physical computing system to manage communications for virtual machines hosted by the physical computing system, wherein the configuring includes storing information on the physical computing system about the access policy for use by the software component in managing communications for the first computing node, and wherein the software component is configured to;
  
  intercept a first communication addressed to the first computing node;
  
  determine whether the first communication is in accordance with the access policy;
  
  if the first communication is in accordance with the access policy, forward the first communication to the first computing node;
  
  receive another communication indicating the first computing node as a source of the other communication;
  
  determine whether the other communication is in accordance with the access policy; and
  
  if the other communication is in accordance with the access policy, forward the other communication to a destination of the other communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, wherein the access policy specifies one or more rules for inbound and outbound traffic for a group of virtual machines including the first computing node.
  - 3. The computer-implemented method of claim 1 wherein the access policy specifies access rights for communications using one or more indicated port numbers.
  - 4. The computer-implemented method of claim 1 wherein the access policy specifies access rights for communications using one or more indicated communication protocols.
  - 5. The computer-implemented method of claim 1 wherein the access policy specifies access rights associated with one or more users that are allowed access to the first computing node.
  - 6. The computer-implemented method of claim 1 wherein the obtaining of the information indicating the access policy includes receiving the access policy from a user, and wherein the method further comprises providing the user with access to the virtual machine hosted by the physical computing system.
  - 7. The computer-implemented method of claim 6 wherein the application execution service provides a programmatic interface for users, and wherein the access policy is received from the user via the provided programmatic interface.
  - 8. The computer-implemented method of claim 1 wherein the access policy specifies a group of multiple computing nodes to which the first computing node belongs.
  - 9. The computer-implemented method of claim 1 wherein the access policy is one of a plurality of access policies maintained by the application execution service, and wherein the configuring of the software component includes sending information about the access policy to the physical computing system in response to the initiating of the execution of the first computing node as the virtual machine.
  - 10. The computer-implemented method of claim 1 wherein the method further comprises:
    - initiating execution of a second computing node as a distinct second virtual machine hosted by the physical computing system, andresponsive to the initiating of the execution of the second computing node, receiving, by the configured software component, information about a second access policy for use in managing communications for the second computing node.
  - 11. The computer-implemented method of claim 1 further comprising, by the one or more configured computing devices and after the configuring of the software component:
    - managing one or more communications for the first computing node in accordance with the access policy;
      
      receiving an indication of a modification to the access policy for use with the first computing node, andstoring information on the physical computing system about the modified access policy for use by the software component in managing subsequent communications for the first computing node.
  - 12. The computer-implemented method of claim 1 wherein the first computing node is provided by the application execution service for a user, wherein the application execution service further provides one or more additional computing nodes for the user as virtual machines hosted on one or more other second physical computing systems of the application execution service, and wherein the access policy is further used by additional software components executing on the second physical computing systems to manage communications for the additional computing nodes.

13. A non-transitory computer-readable medium having stored contents that configure a computing device to:
- receive, by a configured computing device, information specifying an access policy for use with a first virtual machine hosted on a physical computing system;
  
  configure, by the configured computing device, a transmission manager component to manage communications for the first virtual machine in accordance with the specified access policy, wherein the transmission manager component is executed by the physical computing system to manage communications for hosted virtual machines that include the first virtual machine, and wherein the transmission manager component is configured to;
  
  intercept a first communication addressed to the first virtual machine;
  
  determine whether the first communication is in accordance with the specified access policy;
  
  if the first communication is in accordance with the specified access policy, forward the first communication to the first virtual machine;
  
  receive another communication indicating the first virtual machine as a source of the other communication;
  
  determine whether the other communication is in accordance with the access policy; and
  
  if the other communication is in accordance with the access policy, forward the other communication to a destination of the other communication; and
  
  provide access to the first virtual machine.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the stored contents include software instructions that, when executed, further configure the computing device to initiate execution of software on the first virtual machine in response to a request from a first user, and wherein the configuring of the transmission manager component is performed in response to the request from the first user.
  - 15. The non-transitory computer-readable medium of claim 13 wherein the physical computing system is one of a plurality of physical computing systems provided by an application execution service, and wherein the information specifying the access policy for use with the first virtual machine is generated by one or more interactions of a user of the application execution service with a programmatic interface provided by the application execution service.
  - 16. The non-transitory computer-readable medium of claim 13 wherein the specified access policy is based at least in part on one or more of:
    - one or more indicated port numbers for communications;
      
      one or more indicated communication protocols for communications;
      
      or access rights associated with one or more indicated users.
  - 17. The non-transitory computer-readable medium of claim 13 wherein the physical computing system is provided by an application execution service, wherein data representing the specified access policy is stored on a server of the application execution service that is communicatively coupled to the configured computing device, and wherein the information specifying the access policy is received from the server.
  - 18. The non-transitory computer-readable medium of claim 13, wherein the stored contents further configure the computing device to, after the configuring of the transmission manager component:
    - manage one or more communications for the first virtual machine in accordance with the access policy;
      
      receive additional information specifying a modification to the access policy for use with the first virtual machine, andconfigure the transmission manager component to manage subsequent communications for the first virtual machine in accordance with the modified access policy.

19. A computing system, comprising:
- one or more processors; and
  
  a memory storing instructions that, upon execution by at least one of the one or more processors, cause the computing system to;
  
  host at least one virtual machine configured to execute at least one application program in a portion of the memory allocated to the virtual machine;
  
  receive configuration instructions that configure a transmission manager component executing on the computing system to manage communications of the virtual machine in accordance with an indicated access policy; and
  
  manage, by the executing transmission manager component, the communications of the virtual machine by;
  
  receiving a first communication from or to the virtual machine;
  
  determining whether the first communication is authorized by the indicated access policy; and
  
  if the first communication is authorized by the indicated access policy, forwarding the first communication to a specified destination, and otherwise preventing the forwarding of the first communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Hoole, Quinton R., Pinkham, Christopher C., Paterson-Jones, Roland, van Biljon, Willem R.
Primary Examiner(s)
Zhao, Wei

Application Number

US15/725,169
Publication Number

US 20180048675A1
Time in Patent Office

664 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/1439   time-based

H04L 12/1442   at network operator level

H04L 41/0813   characterised by the condit...

H04L 41/22   comprising specially adapte...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

Managing communications between computing nodes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Managing communications between computing nodes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links