Managing communications between computing nodes

US 8,509,231 B2
Filed: 08/18/2010
Issued: 08/13/2013
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing outgoing data transmissions, the method comprising:

receiving, by a transmission manager associated with a host computing system, an indication of an outgoing transmissions of data being initiated by a virtual machines hosted by the host computing system, the outgoing transmission of data indicating a destination node;

determining, by the transmission manager, if authorization already exists for transmissions from the virtual machine to the destination node;

if authorization does not already exist for transmissions from the virtual machine to the destination node, initiating, by the transmission manager, a negotiation for authorization to transmit to the destination node, the initiating including sending a request with information regarding the virtual machine to a recipient associated with the destination node; and

if the authorization is obtained, transmitting the data to the destination node on behalf of the virtual machine and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the virtual machine to the destination node.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destinations nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.

35 Citations

View as Search Results

46 Claims

1. A computer-implemented method for managing outgoing data transmissions, the method comprising:
- receiving, by a transmission manager associated with a host computing system, an indication of an outgoing transmissions of data being initiated by a virtual machines hosted by the host computing system, the outgoing transmission of data indicating a destination node;
  
  determining, by the transmission manager, if authorization already exists for transmissions from the virtual machine to the destination node;
  
  if authorization does not already exist for transmissions from the virtual machine to the destination node, initiating, by the transmission manager, a negotiation for authorization to transmit to the destination node, the initiating including sending a request with information regarding the virtual machine to a recipient associated with the destination node; and
  
  if the authorization is obtained, transmitting the data to the destination node on behalf of the virtual machine and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the virtual machine to the destination node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 2. The method of claim 1 further comprising:
    - if authorization is not obtained, preventing transmitting of the data to the destination node and storing an indication of a lack of authorization for use in preventing authorization for future transmissions of data from the virtual machine to the destination node.
  - 3. The method of claim 2 wherein the determining if authorization already exists for transmissions from the virtual machine to the destination node includes determining that authorization does not already exist if no stored indications exist from a prior initiated transmission from the virtual machine to the destination node, and further comprising:
    - preventing transmitting of the data to the destination node if it is determined that a stored indication from a prior initiated transmission indicates a lack of authorization for transmissions from the virtual machine to the destination node.
  - 4. The method of claim 2 wherein the stored indication of a lack of authorization includes a created transmission management rule that indicates that future transmissions of data from the virtual machine to the destination node are not authorized.
  - 5. The method of claim 1 wherein the stored indication of obtained authorization includes a created transmission management rule that indicates that future transmissions of data from the virtual machine to the destination node are authorized.
  - 6. The method of claim 5 wherein the stored transmission management rule has an associated expiration time after which the rule is no longer used to determine whether transmissions are authorized.
  - 7. The method of claim 1 wherein the stored indication of the obtained authorization includes an indication that future transmissions of response data from the destination node to the virtual machine are authorized.
  - 8. The method of claim 1 further comprising:
    - after the authorization is obtained for an initiated transmission of data from the virtual machine to the destination node, receiving an indication of one or more additional transmissions of data from the virtual machine to the destination node and allowing the additional transmissions to occur based on the obtained authorization.
  - 9. The method of claim 8 further comprising:
    - after the authorization is obtained for an initiated transmission of data from the virtual machine to the destination node, receiving an indication of an additional transmission of data from the virtual machine to a second destination nodes and preventing the additional transmissions of data from being sent to the second destination nodes while initiating a request to attempt to obtain authorization for the additional transmissions.
  - 10. The method of claim 1 wherein the sent request that initiates the negotiation for authorization includes an indication of a network address of the virtual machine, and wherein authorization for the transmission is based at least in part on the indicated network address being permitted to communicate with the destination node.
  - 11. The method of claim 1 wherein the sent request includes an indication of a group of which the virtual machine is a member.
  - 12. The method of claim 11 wherein the group includes multiple virtual machine node members that are each authorized to communicate with the other members of the group.
  - 13. The method of claim 11 wherein the group includes multiple virtual machine node members that are all authorized to communicate with one or more other virtual machine nodes.
  - 14. The method of claim 11 further comprising:
    - receiving an indication that the virtual machine is a member of a node group.
  - 15. The method of claim 14 further comprising:
    - receiving a request with information regarding a remote node that has initiated a transmission to the virtual machine, and responding with an indication of whether the transmission to the virtual machine is authorized based at least in part on the node group of which the virtual machine node is a member.
  - 16. The method of claim 15 further comprising:
    - if the transmission to the virtual machine from the remote node is authorized, storing an indication for use in automatically authorizing future transmissions of data from the remote node to the virtual machine.
  - 17. The method of claim 1 wherein the virtual machine is one of a plurality of virtual machines, the method further comprising:
    - partitioning at least some of the plurality of virtual machines into at least a first node group and a second node group, each group having multiple virtual machine members such that none of the virtual machine members of the first node group are also members of the second node group.
  - 18. The method of claim 17 wherein the multiple virtual machine members of the first node group are used for one of software development, software testing, or software deployment, and wherein the multiple virtual machine members of the second node group are used for another of software development, software testing, or software deployment.
  - 19. The method of claim 17 wherein the multiple virtual machine members of the first node group are used to provide a first type of application and the multiple virtual machine members of the second node group are used to provide a distinct second type of application, and wherein the members of the first node group interoperate with the members of the second node group to provide a multi-tiered business application.
  - 20. The method of claim 17 wherein the multiple virtual machine members of the first node group are utilized by a first structural subset of an organization and the multiple virtual machine members of the second node group are utilized by a distinct second structural subset of the organization.
  - 21. The method of claim 1 further comprising receiving one or more definitions of groups from a service that provides use of one or more applications to multiple customers, and wherein the service assigns a distinct group to each of its multiple customers.
  - 22. The method of claim 1 wherein the virtual machine is one of multiple virtual machines, wherein at least some of the multiple virtual machines each belong to one or more groups of nodes, wherein the negotiation for authorization is based at least in part on groups to which the virtual machine and the destination node belong, and wherein the method further comprises:
    - modifying the groups of nodes based on one or more received indications of group management operations, each indicated group management operation being one of an instruction to create a new group, an instruction to delete an existing group, or an instruction to change the members of an existing group.
  - 23. The method of claim 11 wherein the negotiation for authorization is further based at least in part on access policies associated with the groups to which the virtual machine and destination node belong, and wherein the method further comprises:
    - modifying access policies associated with groups based on one or more received indications of access policies, each indicated access policy including a specification of conditions under which members of a first group are authorized to communicate with members of a second group.
  - 24. The method of claim 1 wherein the sent request includes an indication of one or more groups of nodes with which the virtual machine is authorized to communicate.
  - 25. The method of claim 1 wherein the received indication of the outgoing data transmission includes one or more data packets addressed to the destination node that are sent from the virtual machine.
  - 26. The method of claim 25 wherein the receiving of the indication of the outgoing data transmission includes intercepting the data packets sent by the virtual machine and discarding the data packets if authorization does not already exist for transmissions from the virtual machine to the destination node.
  - 27. The method of claim 25 wherein the receiving of the indication of the outgoing data transmission includes intercepting the data packets sent by the virtual machine, and wherein the method further comprises queuing the data packets during the initiated negotiation for authorization.
  - 28. The method of claim 1 wherein the request that initiates negotiation is sent to a computing system that hosts the destination node.
  - 29. The method of claim 28 wherein the request sent to the computing system that hosts the destination node is addressed to the destination node and is intercepted by the computing system that hosts the destination node.
  - 30. The method of claim 1 wherein the data transmission includes a request to access a network service provided by the destination node.
  - 31. The method of claim 1 wherein the virtual machine initiating the outgoing data transmission is a first virtual machine, and wherein the method is performed by a traffic manager program executing on a distinct second virtual machine hosted by the host computing system.
  - 32. The method of claim 31 wherein the distinct second virtual machine is a privileged virtual machine via which transmissions pass to and from the first virtual machine.
  - 33. The method of claim 31 wherein request that initiates negotiation is received by a second traffic manager program executing as part of a hosted distinct third virtual machine hosted by a computing system that also hosts the destination node, and further comprising:
    - under control of the traffic manager program that receives the request,determining whether the first virtual machine is authorized to perform the transmission of data to the destination node, andsending a reply indicating that authorization is provided if the first virtual machine is determined to be authorized.
  - 34. The method of claim 1 further comprising:
    - in response to receiving an indication that the virtual machine has been terminated, removing all stored indications of authorizations for the virtual machine.
  - 35. The method of claim 1 further comprising:
    - storing an indication that disallows transmission of data from the virtual machine if a volume of data transmitted by the virtual machine exceeds a predetermined threshold.

36. A non-transitory computer-readable medium whose contents configure a computing device to manage data transmissions for a node, by performing a method comprising:
- receiving an indication of an outgoing transmission of data being initiated by a virtual machine hosted by the computing device, the outgoing transmission of data indicating a destination node;
  
  determining if authorization already exists for transmissions from the virtual machine to the destination node;
  
  if authorization does not already exist for transmissions from the virtual machine to the destination node, initiating a negotiation for authorization to transmit to the destination node, the initiating including sending a request with information regarding the virtual machine to a recipient associated with the destination node; and
  
  if the authorization is obtained, transmitting the data to the destination node on behalf of the virtual machine and storing an indication of the obtained authorization for use in authorizing future transmissions of data from the virtual machine to the destination node.
- View Dependent Claims (37, 38, 39, 40)
- - 37. The non-transitory computer-readable medium of claim 36 wherein the virtual machine initiating the outgoing transmission is a first virtual machine, wherein the method is performed by a first node on the configured computing device that is distinct from the first virtual machine and distinct from the destination node and that is associated with multiple nodes including the first virtual machine, wherein the destination node is a second virtual machine hosted by another computing device that is associated with multiple nodes including the destination node, and wherein the method further comprises, if the negotiated authorization is obtained, storing a transmission management rule that will allow future transmission of data from the first virtual machine to the destination node without negotiation, and if the negotiated authorization is not obtained, continuing to prevent the data from being transmitted to the destination node.
  - 38. The non-transitory computer-readable medium of claim 36 wherein the configured computing device is a host computing system on which multiple virtual machine nodes execute, wherein the virtual machine initiating the outgoing transmission is a first of the multiple virtual machine nodes, wherein the destination node is one of multiple other virtual machines executing on another host computing system, and wherein the receiving of the indication of the data transmission and the preventing of the data from being transmitted to the destination node includes intercepting the data transmission to the destination node.
  - 39. The non-transitory computer-readable medium of claim 36 wherein the computer-readable medium is a memory of the configured computing device.
  - 40. The non-transitory computer-readable medium of claim 36 wherein the contents are instructions that when executed program the configured computing device to perform the method.

41. A computing system comprising:
- a processor; and
  
  a memory including instructions that upon execution cause the computer system tohost multiple virtual machines that are each configured to execute at least one application program in a portion of the memory allocated to that virtual machine; and
  
  execute, on a first of the multiple virtual machines, a transmission manager that is configured to manage data transmissions from the other of the hosted virtual machines, the managing of the data transmissions including;
  
  detecting an indication of a data transmission sent from one of the other hosted virtual machines to a destination computing node;
  
  preventing the data transmission until authorization is obtained for the one other hosted virtual machine to send the indicated data transmission to the destination computing node;
  
  sending a request to the destination computing node for the authorization; and
  
  after receiving a reply indicating the authorization, allowing the data transmission to be sent to the destination computing node from the one other hosted virtual machine.
- View Dependent Claims (42, 43, 44, 45, 46)
- - 42. The computing system of claim 41 wherein the transmission manager is further configured to:
    - after receiving the reply indicating the authorization for the one other hosted virtual machine, store a transmission management rule to authorize future transmissions of data from the one other hosted virtual machine the destination computing node, andafter receiving a reply indicating a denial of authorization for a second other hosted virtual machine to send a data transmission to a second destination computing node, store a transmission management rule to indicate a lack of authorization for future transmission of data from the second other hosted virtual machine to the second destination node.
  - 43. The computing system of claim 41 wherein the destination computing node is a virtual machine hosted on a remote host computing system, and wherein the request for authorization sent to the destination computing node is intercepted by another virtual machine computing node hosted on the remote host computing system to manage data transmissions involving the destination computing node, the another virtual machine computing node being configured to reply to intercepted requests for authorization on behalf of the destination computing node.
  - 44. The computing system of claim 41 wherein the first virtual machine is a data transmission manager.
  - 45. The computing system of claim 41 wherein each of the multiple virtual machines hosted on the computing system has a distinct network address.
  - 46. The computing system of claim 41 wherein the first virtual machine is configured to manage data transmissions from the other hosted virtual machines by detecting indications of transmissions of data sent from the other hosted virtual machines to destination computing nodes that are not hosted by the computing system, and by, for each detected indication of a data transmission sent by one of the other hosted virtual machines to a destination computing node, preventing the data transmission until authorization is obtained for the one other hosted virtual machine to send the indicated data transmission to the destination computing node, sending a request to the destination computing node for the authorization, and allowing one or more data transmissions to be sent to the destination computing node from the one other hosted virtual machine after receiving a reply indicating the authorization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Hoole, Quinton R., Pinkham, Christopher C., Paterson-Jones, Roland, Van Biljon, Willem R.
Primary Examiner(s)
Zhao, Wei

Application Number

US12/859,098
Publication Number

US 20100318645A1
Time in Patent Office

1,091 Days
Field of Search

370/389, 709/245
US Class Current

370/389
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/1439   time-based

H04L 12/1442   at network operator level

H04L 41/0813   characterised by the condit...

H04L 41/22   comprising specially adapte...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

Managing communications between computing nodes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

46 Claims

Specification

Use Cases

Quick Links

Others

Managing communications between computing nodes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

46 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others