Virtual private networks distributed across multiple cloud-computing facilities

US 9,391,801 B2
Filed: 03/12/2014
Issued: 07/12/2016
Est. Priority Date: 08/13/2013
Status: Active Grant

First Claim

Patent Images

1. A cloud-connector subsystem that provides a virtual private cloud operation for creating virtual private clouds distributed across a first and a second cloud-computing facility, the cloud- connector subsystem comprising:

cloud-connector nodes associated with each of the first and second cloud-computing facilities; and

a cloud-connector server that includes one or more processors, one or more memories, one or more data-storage devices, and computer instructions that, when executed on the one or more processors, control the cloud-connector server to provide, in cooperation with the cloud- connector nodes, a virtual-private-cloud-creation operation thatsecurely interconnects a first organization edge appliance associated with a first virtual organization network within the first cloud-computing facility to a second organization edge appliance associated with a second virtual organization network within the second cloud-computing facility using an Internet-protocol-secure tunnel or a secure-socket-layer secure tunnel between the first and second organization edge appliances, each of the first and second organization edge appliances perform the steps of;

receiving virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies from the cloud-connector server;

internally storing the received virtual-private-network IP addresses in routing tables;

distributing a portion of the virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies received from the cloud-connector server to additional edge appliances connected to the virtual organization network with which the organization edge appliance is associated; and

providing a firewall that isolates a sub-network within each respective cloud-computing facility from a network external to each respective cloud-computing facility;

distributes internal IP virtual-private-network addresses to the first and second cloud-computing facilities for use by two or more virtual-private-cloud members that execute within the first and second cloud-computing facilities to communicate over the virtual private network; and

configures organization-edge appliances and edge appliances associated with virtual appliances within the first and second cloud-computing facilities to route packets transmitted by the two or more virtual-private-cloud members through the virtual private network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The current document discloses methods and systems for extending an internal network within a first cloud-computing facility to a second cloud-computing facility and using the extended internal network as a basis for creating virtual private clouds distributed across multiple cloud-computing facilities. In one implementation, a pool of IP addresses is allocated and distributed to end appliances of the first and second cloud-computing facilities. In this implementation, the internal network is extended via a secure tunnel between end appliances in the first and second cloud-computing facilities and the end appliances of the extended internal network are configured to route messages transmitted by a first member of the virtual private cloud executing on a first cloud-computing facility to a second member of the virtual private cloud executing on a second cloud-computing facility through the secure tunnel.

22 Citations

View as Search Results

16 Claims

1. A cloud-connector subsystem that provides a virtual private cloud operation for creating virtual private clouds distributed across a first and a second cloud-computing facility, the cloud- connector subsystem comprising:
- cloud-connector nodes associated with each of the first and second cloud-computing facilities; and
  
  a cloud-connector server that includes one or more processors, one or more memories, one or more data-storage devices, and computer instructions that, when executed on the one or more processors, control the cloud-connector server to provide, in cooperation with the cloud- connector nodes, a virtual-private-cloud-creation operation thatsecurely interconnects a first organization edge appliance associated with a first virtual organization network within the first cloud-computing facility to a second organization edge appliance associated with a second virtual organization network within the second cloud-computing facility using an Internet-protocol-secure tunnel or a secure-socket-layer secure tunnel between the first and second organization edge appliances, each of the first and second organization edge appliances perform the steps of;
  
  receiving virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies from the cloud-connector server;
  
  internally storing the received virtual-private-network IP addresses in routing tables;
  
  distributing a portion of the virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies received from the cloud-connector server to additional edge appliances connected to the virtual organization network with which the organization edge appliance is associated; and
  
  providing a firewall that isolates a sub-network within each respective cloud-computing facility from a network external to each respective cloud-computing facility;
  
  distributes internal IP virtual-private-network addresses to the first and second cloud-computing facilities for use by two or more virtual-private-cloud members that execute within the first and second cloud-computing facilities to communicate over the virtual private network; and
  
  configures organization-edge appliances and edge appliances associated with virtual appliances within the first and second cloud-computing facilities to route packets transmitted by the two or more virtual-private-cloud members through the virtual private network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The cloud-connector subsystem of claim 1 wherein a virtual-private-cloud member is one of:
    - a virtual machine; and
      
      a virtual application.
  - 3. The cloud-connector subsystem of claim 1 wherein the virtual-private-cloud-creation operation configures the organization-edge appliances and the edge appliances associated with the virtual appliances within the first and second cloud-computing facilities with rules and policies to control packet transmission within the virtual private network.
  - 4. The cloud-connector subsystem of claim 1 wherein the virtual-private-cloud-creation operation creates a virtual private cloud distributed across three or more cloud-computing facilities by:
    - securely interconnecting the first virtual organization network within the first cloud-computing facility to each of the other two or more of the three or more cloud-computing facilities;
      
      distributing internal IP virtual-private-network addresses to the three or more cloud-computing facilities for use by virtual-private-cloud members that execute within organization virtual data centers to communicate over the virtual private network; and
      
      configuring organization-edge appliances and edge appliances associated with virtual appliances within the organization virtual data centers to route packets transmitted by virtual-private-cloud members through the virtual private network.
  - 5. The cloud-connector subsystem of claim 4wherein the virtual-private-cloud-creation operation securely interconnects the first virtual organization network within the first cloud-computing facility to the other two or more of the three or more cloud-computing facilities by interconnecting each pair of organization-edge appliances in different cloud-computing facilities with a secure tunnel.
  - 6. The cloud-connector subsystem of claim 4wherein the virtual-private-cloud-creation operation securely interconnects the first virtual organization network within the first cloud-computing facility to the other two or more of the three or more cloud-computing facilities by interconnecting each of a set of organization-edge appliances in different cloud-computing facilities into a tree or graph of organization-edge appliances with secure tunnels interconnecting pairs of organization-edge appliances.
  - 7. The cloud-connector subsystem of claim 4wherein the virtual-private-cloud-creation operation securely interconnects the first virtual organization network within the first cloud-computing facility to the other two or more of the three or more cloud-computing facilities by interconnecting the first virtual organization network with each of a set of organization-edge appliances in different cloud-computing facilities as a star topology with secure tunnels that each interconnects the first virtual organization network with another the set of organization-edge appliances.

8. A method that creates a virtual private cloud distributed across a first and a second cloud- computing facility that include cloud-connector nodes associated with each of the first and second cloud-computing facilities and a cloud-connector server that includes one or more processors, one or more memories, one or more data-storage devices, and computer instructions that are executed on the one or more processors control the cloud-connector server to provide, in cooperation with the cloud-connector nodes, a virtual-private-cloud-creation operation, the method comprising:
- securely interconnecting a first organization edge appliance associated with a first virtual organization network within the first cloud-computing facility to a second organization edge appliance associated with a second virtual organization network within the second cloud-computing facility using an Internet-protocol-secure tunnel or a secure-socket-layer secure tunnel between the first and second organization edge appliances, each of the first and second organization edge appliances perform the steps of;
  
  receiving virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies from the cloud-connector server;
  
  internally storing the received virtual-private-network IP addresses in routing labels;
  
  distributing a portion of the virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies received from the cloud-connector server to additional edge appliances connected to the virtual or organization network with which the organization edge appliance is associated; and
  
  providing a firewall that isolates a sub-network within each respective cloud-computing facility from a network external to each respective cloud-computing facility;
  
  distributing internal IP virtual-private-network addresses to the first and second cloud-computing facilities for use by two or more virtual-private-cloud members that execute within the first and second cloud-computing facilities to communicate over the virtual private network; and
  
  configuring organization-edge appliances and edge appliances associated with virtual appliances within the first and second cloud-computing facilities to route packets transmitted by virtual-private-cloud members through the virtual private network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 wherein a virtual-private-cloud member is one of:
    - a virtual machine; and
      
      a virtual application.
  - 10. The method of claim 8 wherein the virtual-private-cloud-creation operation configures the organization-edge appliances and the edge appliances associated with the virtual appliances within the first and second cloud-computing facilities with rules and policies to control packet transmission within the virtual private network.
  - 11. The method of claim 8 wherein the virtual-private-cloud-creation operation creates a virtual private cloud distributed across three or more cloud-computing facilities by:
    - securely interconnecting the first virtual organization network within the first cloud-computing facility to each of the other two or more of the three or more cloud-computing facilities;
      
      distributing internal IP virtual-private-network addresses to the three or more cloud-computing facilities for use by virtual-private-cloud members that execute within organization virtual data centers to communicate over the virtual private network; and
      
      configuring organization-edge appliances and edge appliances associated with virtual appliances within the organization virtual data centers to route packets transmitted by virtual-private-cloud members through the virtual private network.
  - 12. The method of claim 11wherein the virtual-private-cloud-creation operation securely interconnects the first virtual organization network within the first cloud-computing facility to the other two or more of the three or more cloud-computing facilities by interconnecting each pair of organization-edge appliances in different cloud-computing facilities with a secure tunnel.
  - 13. The method of claim 11wherein the virtual-private-cloud-creation operation securely interconnects the first virtual organization network within the first cloud-computing facility to the other two or more of the three or more cloud-computing facilities by interconnecting each of a set of organization-edge appliances in different cloud-computing facilities into a tree or graph of organization-edge appliances with secure tunnels interconnecting pairs of organization-edge appliances.
  - 14. The method of claim 11wherein the virtual-private-cloud-creation operation securely interconnects the first virtual organization network within the first cloud-computing facility to the other two or more of the three or more cloud-computing facilities by interconnecting the first virtual organization network with each of a set of organization-edge appliances in different cloud-computing facilities as a star topology with secure tunnels that each interconnects the first virtual organization network with another the set of organization-edge appliances.

15. Computer instructions stored on a memory device that, when executed one or more processors of a cloud-connector server that includes the one or more processors, one or more memories, and one or more data-storage devices that include the physical data-storage device, control the cloud-connector server to create a virtual private cloud distributed across a first and a second cloud-computing facility, carried out in a cloud-connector subsystem that includes cloud-connector nodes associated with each of the first and second cloud-computing facilities and the cloud-connector server, by:
- securely interconnecting a first organization edge appliance associated with a first virtual organization network within the first cloud-computing facility to a second organization edge appliance associated with a second virtual organization network within the second cloud-computing facility using an Internet-protocol-secure tunnel or a secure-socket-layer secure tunnel between the first and second organization edge appliances, each of the first and second organization edge appliances perform the steps of;
  
  receiving virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies from the cloud-connector server;
  
  internally storing the received virtual-private-network IP addresses in routing tables;
  
  distributing a portion of the virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies received from the cloud-connector server to additional edge appliances connected to the virtual organization network with which the organization edge appliance is associated; and
  
  providing a firewall that isolates a sub-network within each respective cloud-computing facility from a network external to each respective cloud-computing facility;
  
  distributing internal IP virtual-private-network addresses to the first and second cloud-computing facilities for use by two or more virtual-private-cloud members that execute within the first and second cloud-computing facilities to communicate over the virtual private network; and
  
  configuring organization-edge appliances and edge appliances associated with virtual appliances within the first and second cloud-computing facilities to route packets transmitted by the two or more virtual-private-cloud members through the virtual private network.
- View Dependent Claims (16)
- - 16. The computer instructions of claim 15 wherein a virtual-private-cloud member is one of a virtual machine and a virtual application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Raghu, Jagannath N.
Primary Examiner(s)
Bullock, Jr., Lewis A
Assistant Examiner(s)
Dascomb, Jacob

Application Number

US14/205,930
Publication Number

US 20150052525A1
Time in Patent Office

853 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 67/10   in which an application is ...

Virtual private networks distributed across multiple cloud-computing facilities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual private networks distributed across multiple cloud-computing facilities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links