Managing communications between computing nodes

US 20070239987A1
Filed: 03/31/2006
Published: 10/11/2007
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing data transmissions between a plurality of virtual machine nodes hosted on a network of multiple computing systems such that each of the computing systems hosts multiple of the virtual machine nodes, the method comprising:

receiving definitions of multiple groups of nodes such that each group has multiple members that are each authorized to communicate with the other members of the node group, the multiple members of each group being multiple related virtual machine nodes from the plurality of virtual machine nodes; and

for each of multiple source virtual machine nodes that each initiate a transmission of data to a remote destination virtual machine node, and under control of the computing system hosting the source virtual machine node, permitting the transmission only if authorized by, receiving an indication from the source node to transmit data to the remote destination node;

determining if authorization for current transmissions from the source node to the destination node already exists based on negotiations from any prior transmissions from the source node to the destination node;

if authorization for current transmissions from the source node to the destination node is determined to already exist, transmitting the data to the destination node; and

if authorization for current transmissions from the source node to the destination node is not determined to already exist, communicating with a distinct computing system hosting the destination node to negotiate for authorization from the distinct computing system for the source node to transmit to the destination node, authorization for a source node to transmit to a destination node being based at least in part on the source node and the destination node each being members of a common node group; and

if the negotiated authorization is obtained from the distinct computing system, transmitting the data to the destination node on behalf of the source node, and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the source node to the destination node without negotiation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destinations nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.

290 Citations

58 Claims

1. A computer-implemented method for managing data transmissions between a plurality of virtual machine nodes hosted on a network of multiple computing systems such that each of the computing systems hosts multiple of the virtual machine nodes, the method comprising:
- receiving definitions of multiple groups of nodes such that each group has multiple members that are each authorized to communicate with the other members of the node group, the multiple members of each group being multiple related virtual machine nodes from the plurality of virtual machine nodes; and
  
  for each of multiple source virtual machine nodes that each initiate a transmission of data to a remote destination virtual machine node, and under control of the computing system hosting the source virtual machine node, permitting the transmission only if authorized by, receiving an indication from the source node to transmit data to the remote destination node;
  
  determining if authorization for current transmissions from the source node to the destination node already exists based on negotiations from any prior transmissions from the source node to the destination node;
  
  if authorization for current transmissions from the source node to the destination node is determined to already exist, transmitting the data to the destination node; and
  
  if authorization for current transmissions from the source node to the destination node is not determined to already exist, communicating with a distinct computing system hosting the destination node to negotiate for authorization from the distinct computing system for the source node to transmit to the destination node, authorization for a source node to transmit to a destination node being based at least in part on the source node and the destination node each being members of a common node group; and
  
  if the negotiated authorization is obtained from the distinct computing system, transmitting the data to the destination node on behalf of the source node, and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the source node to the destination node without negotiation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising, for each of multiple destination virtual machine nodes to which a transmission of data is initiated from a remote source virtual machine node, and under control of the computing system hosting the destination virtual machine node, determining whether to authorize the transmission by:
    - receiving a request from the computing system hosting the source node for authorization to transmit data to the destination node;
      
      determining a first set of one or more node groups of which the source node is a member;
      
      determining a second set of one or more node groups of which the destination node is a member;
      
      determining whether the source node is authorized to communicate with the destination node based at least in part on whether at least one group of the first set is also a group of the second set; and
      
      sending a response to the computing system hosting the source node that indicates whether authorization is provided for the source node to communicate with the destination node.
  - 3. The method of claim 2 wherein each request received by a computing system hosting a destination node from a computing system hosting a source node for authorization is sent by the computing system hosting the source node as part of communicating to negotiate for authorization and includes a negotiation request with an indication of a network address of the source node and an indication of the first set of one or more node groups for that source node.
  - 4. The method of claim 3 wherein each negotiation request for an initiated transmission from a source node to a destination node further includes an indication of a transmission protocol to be used for the transmission and/or an indication of a type of data to be transmitted, and wherein the determining of whether the source node is authorized to communicate with the destination node is further based at least in part on the indicated transmission protocol and/or the indicated data type.
  - 5. The method of claim 2 wherein each of the computing systems hosts a single privileged virtual machine node that executes a data transmission manager program to control transmissions to and from all other virtual machine nodes hosted by the computing system by intercepting those transmissions and by forwarding those transmissions to intended recipients only if those transmissions are determined to be authorized, such that the permitting of an initiated transmission from a source virtual machine node under the control of the computing system hosting the source virtual machine node is performed by the data transmission manager program for that computing system, and such that the determining whether to authorize an initiated transmission to a destination virtual machine node under the control of the computing system hosting the destination virtual machine node is performed by the data transmission manager program for that computing system.
  - 6. The method of claim 5 wherein at least some of the hosted virtual machine nodes other than the privileged virtual machine nodes each include firewall capabilities configured for that virtual machine node to restrict communications received from others.
  - 7. The method of claim 1 wherein the storing by a computing system hosting a source node of an indication of obtained authorization for the source node to transmit to a destination node includes creating a stored transmission management rule that indicates authorization for future transmissions of data from the source node to the destination node, wherein the determining by a computing system hosting a source node if authorization for current transmissions from the source node to a destination node already exists includes determining whether a stored transmission management rule exists that indicates authorization for future transmissions, and further comprising, for each of the multiple source nodes, if negotiated authorization is not obtained from a distinct computing system hosting the destination node to which the source node initiates a transmission of data, creating a stored transmission management rule that indicates a lack of authorization for future transmissions of data from the source node to the destination node, and preventing the transmission of the data from the source node to the destination node.
  - 8. The method of claim 1 further comprising, for each initiated transmission of data from a source virtual machine node to a destination virtual machine node, if authorization for current transmissions from the source node to the destination node is not determined to already exist, discarding the transmission of the data from the computing system hosting the source virtual machine node.
  - 9. The method of claim 1 wherein the network of multiple computing systems are part of a distributed service for executing programs of customers, and wherein at least some of the groups of nodes are each created by a customer to include multiple instances of a program being executed for the customer on multiple distinct virtual machine nodes hosted by multiple of the computing systems, so that communications between multiple executing instances of a customer'"'"'s program are permitted but communications from programs of other customers to the multiple executing instances are not permitted.

10. A computer-implemented method for managing outgoing data transmissions from multiple virtual machine nodes, the method comprising:
- receiving multiple indications of outgoing transmissions of data being initiated by multiple source nodes that are each one of multiple virtual machines hosted by a host computing system, each indicated data transmission being from one of the source nodes to a remote destination node; and
  
  for each initiated outgoing transmission of data from a source node to a remote destination node, determining if authorization already exists for transmissions from the source node to the destination node;
  
  if authorization does not already exist for transmissions from the source node to the destination node, attempting to obtain authorization by automatically initiating a negotiation for authorization to transmit to the destination node, the initiating including sending a request with information regarding the source node to a recipient associated with the destination node; and
  
  if the authorization is obtained from the negotiation, transmitting the data to the destination node on behalf of the source node and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the source node to the destination node without negotiation.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 11. The method of claim 10 further comprising, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, if authorization is not obtained from an initiated negotiation, preventing transmitting of the data to the destination node and storing an indication of a lack of authorization for use in preventing authorization for future transmissions of data from the source node to the destination node.
  - 12. The method of claim 11 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the determining if authorization already exists for transmissions from the source node to the destination node includes determining that authorization does not already exist if no stored indications exist from a prior initiated transmission from the source node to the remote destination node so as to indicate authorization or lack of authorization for future transmissions from the source node to the destination node, and further comprising preventing transmitting of the data to the destination node if it is determined that a stored indication from a prior initiated transmission indicates a lack of authorization for transmissions from the source node to the destination node.
  - 13. The method of claim 11 wherein each stored indication of a lack of authorization from an initiated outgoing transmission of data from a source node to a remote destination node includes a created transmission management rule that indicates that future transmissions of data from the source node to the destination node are not authorized.
  - 14. The method of claim 13 wherein each stored indication of obtained authorization from an initiated outgoing transmission of data from a source node to a remote destination node includes a created transmission management rule that indicates that future transmissions of data from the source node to the destination node are authorized.
  - 15. The method of claim 14 wherein at least some of the stored transmission management rules each have an associated expiration time after which the rule is no longer used to determine whether transmissions are authorized.
  - 16. The method of claim 10 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the stored indication of the obtained authorization includes an indication that future transmissions of response data from the destination node to the source node are authorized.
  - 17. The method of claim 10 further comprising, for each of one or more of the multiple source nodes that initiated the outgoing transmissions of data, and after authorization is obtained for an initiated transmission of data from the source node to a remote destination node, receiving indications of one or more additional transmissions of data from the source node to the destination node and allowing the additional transmissions to occur without additional negotiation based on the obtained authorization.
  - 18. The method of claim 17 further comprising, for each of one or more of the multiple source nodes that initiated the outgoing transmissions of data, and after authorization is obtained for an initiated transmission of data from the source node to a remote destination node, receiving indications of one or more additional transmissions of data from the source node to other remote destination nodes and preventing the additional transmissions of data from being sent to the other remote destination nodes while initiating negotiations to attempt to obtain authorization for the additional transmissions.
  - 19. The method of claim 10 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the sent request that initiates the negotiation for authorization includes an indication of a network address of the source node, and wherein authorization for the transmission is based at least in part on the indicated network address being permitted to communicate with the destination node.
  - 20. The method of claim 10 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the sent request that initiates the negotiation for authorization includes an indication of a transmission protocol to be used for the transmission, and wherein authorization for the transmission is based at least in part on the indicated transmission protocol.
  - 21. The method of claim 10 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the sent request that initiates the negotiation for authorization includes an indication of one or more transmission properties of the initiated outgoing transmission, and wherein authorization for the transmission is based at least in part on at least one of the indicated one or more transmission properties.
  - 22. The method of claim 10 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the sent request that initiates the negotiation for authorization includes an indication of one or more groups of which the source node is a member.
  - 23. The method of claim 22 wherein each of the groups include multiple virtual machine node members that are each authorized to communicate with the other members of the group.
  - 24. The method of claim 22 wherein each of the groups include multiple virtual machine node members that are all authorized to communicate with one or more other virtual machine nodes.
  - 25. The method of claim 22 further comprising, for each of one or more of the multiple virtual machine nodes from which outgoing data transmissions are managed, receiving an indication that the virtual machine node is a member of one or more of multiple defined node groups.
  - 26. The method of claim 25 further comprising, for each of the one or more virtual machine nodes, receiving a request with information regarding a remote node that has initiated a transmission to the virtual machine node, and responding with an indication of whether the transmission to the virtual machine node is authorized based at least in part on the one or more defined node groups of which the virtual machine node is a member.
  - 27. The method of claim 26 further comprising, for each of the one or more virtual machine nodes, if the transmission to the virtual machine node from the remote node is authorized, storing an indication for use in automatically authorizing future transmissions of data from the remote node to the virtual machine node.
  - 28. The method of claim 10 further comprising partitioning at least some of the multiple virtual machine nodes into at least a first node group and a second node group each having multiple virtual machine node members such that none of the virtual machine node members of the first node group are also members of the second node group.
  - 29. The method of claim 28 wherein the multiple virtual machine node members of the first node group are used for one of software development, software testing, and software deployment, and wherein the multiple virtual machine node members of the second node group are used for another of software development, software testing, and software deployment.
  - 30. The method of claim 28 wherein the multiple virtual machine node members of the first node group are used to provide a first type of application and the multiple virtual machine node members of the second node group are used to provide a distinct second type of application, and wherein the members of the first node group interoperate with the members of the second node group to provide a multi-tiered business application.
  - 31. The method of claim 28 wherein the multiple virtual machine node members of the first node group are utilized by a first structural subset of an organization and the multiple virtual machine node members of the second node group are utilized by a distinct second structural subset of the organization.
  - 32. The method of claim 10 further comprising receiving one or more definitions of groups from a service that provides use of one or more applications to multiple customers, and wherein the service assigns a distinct group to each of its multiple customers.
  - 33. The method of claim 10 wherein at least some of the multiple virtual machine nodes each belong to one or more groups of nodes, wherein negotiations for authorization for source nodes to transmit to destination nodes are based at least in part on groups to which the source and destination nodes belong, and wherein the method further comprises modifying the groups of nodes based on one or more received indications of group management operations, each indicated group management operation being one of an instruction to create a new group, an instruction to delete an existing group, and an instruction to change the virtual machine nodes that belong to an existing group.
  - 34. The method of claim 33 wherein the negotiations for authorization for source nodes to transmit to destination nodes are further based at least in part on access policies associated with the groups to which the source and destination nodes belong, and wherein the method further comprises modifying access policies associated with groups based on one or more received indications of access policies, each indicated access policy including a specification of conditions under which a first group of one or more source nodes are authorized to communicate with members of a second group of destination nodes.
  - 35. The method of claim 10 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the sent request that initiates the negotiation for authorization includes an indication of one or more groups with which the source node is authorized to communicate.
  - 36. The method of claim 10 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the received indication of the data transmission includes one or more data packets addressed to the remote destination node that are sent from the source node.
  - 37. The method of claim 36 wherein, for each of the one or more initiated outgoing data transmissions, the receiving of the indication of the data transmission includes intercepting the data packets sent by the source node and discarding the data packets if authorization does not already exist for transmissions from the source node to the destination node.
  - 38. The method of claim 36 wherein, for each of the one or more initiated outgoing data transmissions, the receiving of the indication of the data transmission includes intercepting the data packets sent by the source node, and further comprising queuing the data packets during negotiation for authorization to transmit the data packets to the destination node for the data packets.
  - 39. The method of claim 10 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the request that initiates negotiation is sent to a computing system that hosts the destination node.
  - 40. The method of claim 39 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the request sent to the computing system that hosts the destination node is addressed to the destination node and is intercepted by the computing system that hosts the destination node.
  - 41. The method of claim 10 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the data transmission includes a request to access a network service provided by the destination node.
  - 42. The method of claim 10 wherein the method is performed by a traffic manager program executing on a virtual machine hosted by the host computing system that is distinct from the multiple hosted virtual machines that are the multiple source nodes.
  - 43. The method of claim 42 wherein the distinct hosted virtual machine is a privileged virtual machine via which transmissions to and from the multiple hosted virtual machines pass.
  - 44. The method of claim 42 wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the request that initiates negotiation is received by a traffic manager program executing as part of a hosted virtual machine on a computing system that hosts the destination node as a distinct virtual machine, and further comprising, under control of the traffic manager program that receives the request, determining whether the source node is authorized to perform the transmission of data to the destination node and sending a reply indicating that authorization is provided if the source node is determined to be authorized.
  - 45. The method of claim 10 further comprising, for each of one or more of the multiple source nodes, in response to receiving an indication that the virtual machine source node has been terminated, removing all stored indications of authorizations for the source node.
  - 46. The method of claim 10 further comprising, for one or more of the multiple source nodes, storing an indication that disallows transmission of data from the source node if a volume of data transmitted by the source node exceeds a pre-determined threshold.

47. A computer-readable medium whose contents enable a computing device to manage data transmissions for a node, by performing a method comprising:
- receiving an indication of a transmission of data initiated from a sending node to a remote destination node;
  
  preventing the data from being transmitted to the destination node while determining whether the data transmission is authorized, the determining including initiating a negotiation for authorization with another computing device associated with the remote destination node; and
  
  if the negotiated authorization is obtained, allowing data to be transmitted to the destination node.
- View Dependent Claims (48, 49, 50, 51, 52)
- - 48. The computer-readable medium of claim 47 wherein the method is performed by a node on the computing device that is distinct from the sending node and from the destination node and that is associated with multiple nodes including the sending node, wherein the another computing device includes another node that is distinct from the sending node and from the destination node and that is associated with multiple nodes including the destination node, and wherein the method further comprises, if the negotiated authorization is obtained, storing a transmission management rule that will allow future transmission of data from the sending node to the destination node without negotiation, and if the negotiated authorization is not obtained, continuing to prevent the data from being transmitted to the destination node.
  - 49. The computer-readable medium of claim 48 wherein the sending node is one of multiple virtual machines nodes executing on a host computing system, wherein the destination node is one of multiple other virtual machines executing on another host computing system, and wherein the receiving of the indication of the data transmission and the preventing of the data from being transmitted to the destination node includes intercepting the data transmission to the destination node.
  - 50. The computer-readable medium of claim 47 wherein the computer-readable medium is a memory of a computing device.
  - 51. The computer-readable medium of claim 47 wherein the computer-readable medium is a data transmission medium transmitting a generated data signal containing the contents.
  - 52. The computer-readable medium of claim 47 wherein the contents are instructions that when executed cause the computing device to perform the method.

53. A computing system configured to manage data transmissions from multiple computing nodes, the computing system comprising:
- a memory; and
  
  multiple hosted virtual machines that each act as an independent computing node and execute at least one application program in a portion of the memory allocated to that virtual machine, one of the hosted virtual machine computing nodes being configured to manage data transmissions from the other hosted virtual machine computing nodes by;
  
  detecting indications of transmissions of data sent from the other hosted virtual machine computing nodes to other destination computing nodes that are not hosted by the computing system;
  
  for each detected indication of a data transmission sent by one of the other hosted virtual machine computing nodes to a destination computing node, preventing the data transmission until authorization is obtained for the one other hosted virtual machine computing node to send the indicated data transmission to the destination computing node;
  
  sending a request to the destination computing node for the authorization; and
  
  after receiving a reply indicating the authorization, allowing one or more data transmissions to be sent to the destination computing node from the one other hosted virtual machine computing node.
- View Dependent Claims (54, 55, 56, 57, 58)
- - 54. The computing system of claim 53 wherein the one hosted virtual machine computing node is further configured to, after receiving a reply indicating authorization for one of the other hosted virtual machine computing nodes to send a data transmission to a destination computing node, store a transmission management rule to authorize future transmissions of data from that one other hosted virtual machine computing node to that destination computing node without request, and to, after receiving a reply indicating a denial of authorization for one of the other hosted virtual machine computing nodes to send a data transmission to a destination computing node, store a transmission management rule to indicate a lack of authorization for future transmission of data from that one other hosted virtual machine computing node to that destination node.
  - 55. The computing system of claim 53 wherein, for each of the detected transmissions of data to a destination computing node, the destination computing node is a virtual machine hosted on a remote host computing system, and wherein the request for authorization sent to the destination computing node is intercepted by another virtual machine computing node hosted on the remote host computing system to manage data transmissions involving the destination computing node, the another virtual machine computing node being configured to reply to the intercepted requests for authorization on behalf of the destination computing node.
  - 56. The computing system of claim 53 wherein the one hosted virtual machine computing node is a data transmission manager.
  - 57. The computing system of claim 53 wherein each of the multiple virtual machines hosted on the computing system has a distinct network address.
  - 58. The computing system of claim 53 wherein the one hosted virtual machine computing node consists of means for managing data transmissions from the other hosted virtual machine computing nodes by detecting indications of transmissions of data sent from the other hosted virtual machine computing nodes to other destination computing nodes that are not hosted by the computing system, and by, for each detected indication of a data transmission sent by one of the other hosted virtual machine computing nodes to a destination computing node, preventing the data transmission until authorization is obtained for the one other hosted virtual machine computing node to send the indicated data transmission to the destination computing node, sending a request to the destination computing node for the authorization, and allowing one or more data transmissions to be sent to the destination computing node from the one other hosted virtual machine computing node after receiving a reply indicating the authorization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Paterson-Jones, Roland, Hoole, Quinton, Pinkham, Christopher, Van Biljon, Willem

Granted Patent

US 7,801,128 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/169
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/1439   time-based

H04L 12/1442   at network operator level

H04L 41/0813   characterised by the condit...

H04L 41/22   comprising specially adapte...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

Managing communications between computing nodes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

290 Citations

58 Claims

Specification

Solutions

Use Cases

Quick Links

Managing communications between computing nodes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

290 Citations

58 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links