Managing communications between computing nodes
Abstract
Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destination nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.
53 Claims
1. A computer-implemented method for managing data transmissions between a plurality of virtual machine nodes hosted on a network of multiple computing systems such that each of the computing systems hosts multiple of the virtual machine nodes, the method comprising:
receiving definitions of multiple groups of nodes such that each group has multiple members that are each authorized to communicate with the other members of the node group, the multiple members of each group being multiple related virtual machine nodes from the plurality of virtual machine nodes;
for each of multiple source virtual machine nodes that each initiate a transmission of data to a remote destination virtual machine node, and under control of the computing system hosting the source virtual machine node, permitting the transmission only if authorized by:
receiving an indication from the source node to transmit data to the remote destination node;
determining if authorization for current transmissions from the source node to the destination node already exists based on negotiations from any prior transmissions from the source node to the destination node;
if authorization for current transmissions from the source node to the destination node is determined to already exist, transmitting the data to the destination node; and
if authorization for current transmissions from the source node to the destination node is not determined to already exist, communicating with a distinct computing system hosting the destination node to negotiate for authorization from the distinct computing system for the source node to transmit to the destination node, authorization for a source node to transmit to a destination node being based at least in part on the source node and the destination node each being members of a common node group; and
if the negotiated authorization is obtained from the distinct computing system, transmitting the data to the destination node on behalf of the source node, and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the source node to the destination node without negotiation; and
for each of multiple destination virtual machine nodes to which a transmission of data is initiated from a remote source virtual machine node, and under control of the computing system hosting the destination virtual machine node, determining whether to authorize the transmission by:
receiving a request from the computing system hosting the source node for authorization to transmit data to the destination node;
determining a first set of one or more node groups of which the source node is a member;
determining a second set of one or more node groups of which the destination node is a member;
determining whether the source node is authorized to communicate with the destination node based at least in part on whether at least one group of the first set is also a group of the second set; and
sending a response to the computing system hosting the source node that indicates whether authorization is provided for the source node to communicate with the destination node,
and wherein each of the computing systems hosts a single privileged virtual machine node that executes a data transmission manager program to control transmissions to and from all other virtual machine nodes hosted by the computing system by intercepting those transmissions and by forwarding those transmissions to intended recipients only if those transmissions are determined to be authorized, such that the permitting of an initiated transmission from a source virtual machine node under the control of the computing system hosting the source virtual machine node is performed by the data transmission manager program for that computing system, and such that the determining whether to authorize an initiated transmission to a destination virtual machine node under the control of the computing system hosting the destination virtual machine node is performed by the data transmission manager program for that computing system.
2. A computer-implemented method for managing outgoing data transmissions from multiple virtual machine nodes, the method comprising:
receiving multiple indications of outgoing transmissions of data being initiated by multiple source nodes that are each one of multiple virtual machines hosted by a host computing system, each indicated data transmission being from one of the source nodes to a remote destination node; and
for each initiated outgoing transmission of data from a source node to a remote destination node,
determining if authorization already exists for transmissions from the source node to the destination node;
if authorization does not already exist for transmissions from the source node to the destination node, attempting to obtain authorization by automatically initiating a negotiation for authorization to transmit to the destination node, the initiating including sending a request with information regarding the source node to a recipient associated with the destination node; and
if the authorization is obtained from the negotiation, transmitting the data to the destination node on behalf of the source node and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the source node to the destination node without negotiation,
and wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the sent request that initiates the negotiation for authorization includes an indication of a transmission protocol to be used for the transmission, and the authorization for the transmission is based at least in part on the indicated transmission protocol.
Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38
12. A computer-implemented method for managing outgoing data transmissions from multiple virtual machine nodes, the method comprising:
receiving multiple indications of outgoing transmissions of data being initiated by multiple source nodes that are each one of multiple virtual machines hosted by a host computing system, each indicated data transmission being from one of the source nodes to a remote destination node; and
for each initiated outgoing transmission of data from a source node to a remote destination node,
determining if authorization already exists for transmissions from the source node to the destination node;
if authorization does not already exist for transmissions from the source node to the destination node, attempting to obtain authorization by automatically initiating a negotiation for authorization to transmit to the destination node, the initiating including sending a request with information regarding the source node to a recipient associated with the destination node; and
if the authorization is obtained from the negotiation, transmitting the data to the destination node on behalf of the source node and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the source node to the destination node without negotiation,
and wherein, for each of one or more of the initiated outgoing transmissions of data from a source node to a remote destination node, the sent request that initiates the negotiation for authorization includes an indication of one or more transmission properties of the initiated outgoing transmission, and authorization for the transmission is based at least in part on at least one of the indicated one or more transmission properties.
Dependent claims: 39, 40, 41, 42, 43, 44, 45, 46, 47
48. A computing system configured to manage outgoing data transmissions from multiple virtual machine nodes, the computing system comprising:
a memory; and
multiple hosted virtual machines that each act as an independent computing node and each execute at least one application program in a portion of the memory allocated to that virtual machine, one of the hosted virtual machine computing nodes being configured to manage data transmissions from the other hosted virtual machine computing nodes by:
receiving an indication of an outgoing transmission of data initiated from a source one of the other hosted virtual machine computing nodes, the indicated data transmission being intended for a remote destination node; and
managing the initiated outgoing transmission of data to the remote destination node by,
determining if authorization already exists for transmissions from the source virtual machine computing node to the destination node;
if authorization does not already exist for transmissions from the source virtual machine computing node to the destination node, attempting to obtain authorization by initiating a negotiation for authorization to transmit to the destination node, the initiating including sending a request with information regarding the source virtual machine computing node to a recipient associated with the destination node, the sent request including an indication of a transmission protocol to be used for the transmission; and
if the authorization is obtained from the negotiation, transmitting the data to the destination node on behalf of the source virtual machine computing node and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the source virtual machine computing node to the destination node without negotiation, the authorization for the transmission being based at least in part on the indicated transmission protocol in the sent request.
Dependent claims: 49, 50, 51, 52, 53
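The procedure that claims 1, 2, 12 and 48 describe (source-side lookup of a stored grant, negotiation with the manager on the destination's host, group-intersection and protocol check on the destination side, storage of the grant so later transmissions skip the negotiation) as an added Python model. This is illustrative code written for this page, not the patentee's implementation or any product's code; the host and node ids, group names, the per-group protocol policy, the Network registry, the requesting-host check and the forget() invalidation are all invented assumptions.

```python
"""Model of the negotiated, cached transmission authorization the claims describe.

Added illustration, not the patentee's code. Host ids, node ids, group names,
protocols, the Network registry and forget() are invented for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    """What the source-side manager sends to the destination-side manager."""
    requesting_host: str   # manager that claims to host `source`
    source: str
    destination: str
    protocol: str          # claims 2 and 48: the protocol is part of the decision


class Network:
    """Constructed stand-in for the physical network: records which host runs
    each node so a manager can find its peer and vouch only for its own nodes."""

    def __init__(self):
        self.managers = {}   # host id -> TransmissionManager
        self.node_host = {}  # node id -> host id

    def attach(self, manager):
        self.managers[manager.host_id] = manager
        for node in manager.hosted:
            self.node_host[node] = manager.host_id

    def manager_for(self, node):
        return self.managers[self.node_host[node]]


class TransmissionManager:
    """The privileged per-host VM: intercepts every transmission from the guests
    it hosts, forwards only what is authorized, and remembers grants."""

    def __init__(self, host_id, hosted, groups, protocol_policy=None):
        self.host_id = host_id
        self.hosted = frozenset(hosted)
        self.groups = {name: frozenset(members) for name, members in groups.items()}
        # Per-group protocol restriction: an assumption of this example; the claims
        # only say authorization depends "at least in part" on the protocol.
        self.protocol_policy = protocol_policy or {}
        self.granted = set()      # (source, destination, protocol) already negotiated
        self.negotiations = 0
        self.delivered = []       # (destination, payload) accepted on this host

    def groups_of(self, node):
        return {name for name, members in self.groups.items() if node in members}

    # Destination side (second half of claim 1).
    def handle_auth_request(self, req, network):
        if req.destination not in self.hosted:
            return False   # never vouch for a node this host does not run
        # Added check, not in the claims: the requester must really host the
        # source, or any host could borrow a well-connected node's memberships.
        if network.node_host.get(req.source) != req.requesting_host:
            return False
        common = self.groups_of(req.source) & self.groups_of(req.destination)
        for group in common:
            allowed = self.protocol_policy.get(group)
            if allowed is None or req.protocol in allowed:
                return True
        return False

    def deliver(self, destination, payload):
        self.delivered.append((destination, payload))

    # Source side (first half of claim 1; claims 2, 12 and 48).
    def send(self, source, destination, protocol, payload, network):
        if source not in self.hosted:
            raise PermissionError(f"{source} is not hosted on {self.host_id}")
        key = (source, destination, protocol)
        if key not in self.granted:
            self.negotiations += 1
            req = AuthRequest(self.host_id, source, destination, protocol)
            if not network.manager_for(destination).handle_auth_request(req, network):
                return False          # denials are not stored; a retry renegotiates
            self.granted.add(key)     # store the grant for future transmissions
        network.manager_for(destination).deliver(destination, payload)
        return True

    def forget(self, node):
        """Drop stored grants involving `node` (assumption: the claims store grants
        but do not say when they expire; do this whenever a membership changes)."""
        self.granted = {k for k in self.granted if node not in k[:2]}


def demo():
    groups = {"web": {"vm-a", "vm-b"}, "db": {"vm-b", "vm-c"}}   # constructed
    policy = {"db": {"tcp/5432"}}     # only the database protocol inside "db"
    net = Network()
    h1 = TransmissionManager("host-1", {"vm-a"}, groups, policy)
    h2 = TransmissionManager("host-2", {"vm-b"}, groups, policy)
    h3 = TransmissionManager("host-3", {"vm-c"}, groups, policy)
    for h in (h1, h2, h3):
        net.attach(h)
    results = {
        "web_to_web": h1.send("vm-a", "vm-b", "tcp/80", b"GET /", net),
        "web_to_web_cached": h1.send("vm-a", "vm-b", "tcp/80", b"GET /2", net),
        "no_common_group": h1.send("vm-a", "vm-c", "tcp/5432", b"SELECT 1", net),
        "db_wrong_protocol": h2.send("vm-b", "vm-c", "tcp/80", b"GET /", net),
        "db_right_protocol": h2.send("vm-b", "vm-c", "tcp/5432", b"SELECT 1", net),
        "forged_request": h3.handle_auth_request(
            AuthRequest("host-1", "vm-b", "vm-c", "tcp/5432"), net),
    }
    h1.forget("vm-b")   # invalidate; the next send must renegotiate
    results["after_forget"] = h1.send("vm-a", "vm-b", "tcp/80", b"GET /3", net)
    return results, h1.negotiations, h2.negotiations, len(h2.delivered) + len(h3.delivered)


if __name__ == "__main__":
    print(demo())
```

Two points the claims leave open that the model makes explicit: a stored grant outlives the group definitions it was derived from, so a deployment needs an invalidation path (forget() here) when a node leaves a group; and the destination-side manager must be able to check that the requesting host actually hosts the source it names, since group membership is the whole basis of the decision and a host that can assert any source id can claim any node's memberships.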