CREATING AND DISTRIBUTING TEMPLATE BASED SERVICE RULES
First Claim
1. A method of specifying service rules, the method comprising:
specifying a set of service rules that each includes (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute sets, each rule identifier comprising at least one template identifier for identifying one template, each template for deploying a multi-tier application in a datacenter; and
distributing the set of service rules to a service node in the datacenter, the service node comparing the rule identifiers of the service rules with the data message attribute sets in order to identify service rules that match the data messages that the service node processes, the service node comparing the rule identifiers and attribute sets by comparing the template identifiers of the rules with the template identifiers associated with the data messages.
Abstract
Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.
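The matching the abstract describes, as an added illustration that is not the patent's or any vendor's code: a rule identifier carries a template identifier plus optional template-instance, component-group (tier) and port fields, and a service node compares it field by field with the attribute set it has resolved for a message. All names, the "three-tier-web" template and its rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed names for illustration; not the patent's own API.
@dataclass(frozen=True)
class ServiceRule:
    """Rule identifier = (template_id, instance_id, tier, dst_port); `action` is the service parameter."""
    template_id: str                    # template the rule is written against (always compared)
    instance_id: Optional[str] = None   # one deployment of the template, None = any instance
    tier: Optional[str] = None          # dynamic component group inside the template, None = any
    dst_port: Optional[int] = None      # None = any port
    action: str = "allow"

@dataclass(frozen=True)
class Message:
    """Attribute set the service node has resolved for one data message."""
    template_id: str
    instance_id: str
    tier: str
    dst_port: int

def rule_matches(rule: ServiceRule, msg: Message) -> bool:
    """Compare the rule identifier with the message attribute set field by field."""
    if rule.template_id != msg.template_id:
        return False
    return all(want is None or want == have for want, have in (
        (rule.instance_id, msg.instance_id),
        (rule.tier, msg.tier),
        (rule.dst_port, msg.dst_port),
    ))

def first_match(rules, msg: Message) -> Optional[ServiceRule]:
    """Rules are ordered; the first rule whose identifier matches wins."""
    return next((r for r in rules if rule_matches(r, msg)), None)

def service_action(rules, msg: Message) -> str:
    """Action the service node applies; no matching rule means default deny."""
    rule = first_match(rules, msg)
    return rule.action if rule else "drop"

# Constructed rule set for one template. Written once, it covers every instance of
# that template; the instance-specific rule at the top overrides for a single deployment.
TEMPLATE_RULES = [
    ServiceRule("three-tier-web", instance_id="inst-2", tier="db", dst_port=5432, action="drop"),
    ServiceRule("three-tier-web", tier="web", dst_port=443),
    ServiceRule("three-tier-web", tier="app", dst_port=8080),
    ServiceRule("three-tier-web", tier="db", dst_port=5432),
    ServiceRule("three-tier-web", action="drop"),  # template-wide catch-all
]
```

Because every rule is keyed by template identifier, the same list can be distributed unchanged to every service node; a node only needs to resolve which template and instance a message belongs to before evaluating it.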
19 Claims
19. A non-transitory machine readable medium storing a program for specifying a firewall rule, the program comprising sets of instructions for:
receiving a set of rule-identifying tuples for the service rule, the set of tuples for matching with a set of attributes of a message, the set of tuples comprising a template identifier that specifies a template for deploying a multi-tier application in a datacenter; receiving a service parameter for a service to perform when a message's set of attributes matches the set of tuples of the service rule; specifying the service rule based on the received set of rule-identifying tuples and the received service parameter; and distributing the specified service rule to a plurality of service devices in the datacenter, wherein the distributed service rule includes the template identifier in the rule-identifying tuples.