Managing communications between computing nodes

US 9,426,181 B2
Filed: 07/08/2013
Issued: 08/23/2016
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining, by one or more configured computing devices of an application execution service, information indicating an access policy for use with a first computing node, the indicated access policy specifying one or more criteria regarding communications allowed to be at least one of sent by or received by the first computing node;

initiating, by the one or more configured computing devices, execution of the first computing node as a virtual machine hosted by a physical computing system of the application execution service; and

configuring, by the one or more configured computing devices, one or more software components executing on the physical computing system to manage at least communications for virtual machines hosted by the physical computing system, the configuring including storing information on the physical computing system about the access policy for use by the one or more software components in managing communications for the first computing node in accordance with the one or more specified criteria.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destinations nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.

23 Citations

View as Search Results

25 Claims

1. A computer-implemented method comprising:
- obtaining, by one or more configured computing devices of an application execution service, information indicating an access policy for use with a first computing node, the indicated access policy specifying one or more criteria regarding communications allowed to be at least one of sent by or received by the first computing node;
  
  initiating, by the one or more configured computing devices, execution of the first computing node as a virtual machine hosted by a physical computing system of the application execution service; and
  
  configuring, by the one or more configured computing devices, one or more software components executing on the physical computing system to manage at least communications for virtual machines hosted by the physical computing system, the configuring including storing information on the physical computing system about the access policy for use by the one or more software components in managing communications for the first computing node in accordance with the one or more specified criteria.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving a communication for which the first computing node is a source of the communication or is a destination of the communication;
      
      determining, by the configured one or more software components, whether the communication is in accordance with the one or more specified criteria; and
      
      forwarding the communication to the destination of the communication only if the communication is determined to be in accordance with the one or more criteria.
  - 3. The computer-implemented method of claim 1 wherein the one or more specified criteria include access rights for communications using one or more Indicated port numbers.
  - 4. The computer-implemented method of claim 1, wherein the one or more specified criteria include access rights for communications using one or more indicated communication protocols.
  - 5. The computer-implemented method of claim 1, wherein the one or more specified criteria include access rights associated with one or more users that are allowed access to the first computing node.
  - 6. The computer-implemented method of claim 1 wherein the obtaining of the information indicating the access policy includes receiving the access policy from a user, and wherein the method further comprises providing the user with access to the virtual machine hosted by the physical computing system.
  - 7. The computer-implemented method of claim 6, wherein the application execution service provides a programmatic interface for users, and wherein the access policy is received from the user via the provided programmatic interface.
  - 8. The computer-implemented method of claim 1 wherein the access policy specifies a group of multiple computing nodes to which the first computing node belongs.
  - 9. The computer-implemented method of claim 1 wherein the access policy is one of a plurality of access policies maintained by the application execution service, and wherein the configuring of the one or more software components includes sending information about the access policy to the physical computing system in response to the initiating of the execution of the first computing node as the virtual machine.
  - 10. The computer-implemented method of claim 1 further comprising:
    - initiating execution of a second computing node as a distinct second virtual machine hosted by the physical computing system, andresponsive to the initiating of the execution of the second computing node, receiving, by the configured one or more software components, information about a second access policy for use in managing communications for the second computing node.
  - 11. The computer-implemented method of claim 1 further comprising, by the one or more configured computing devices and after the configuring of the one or more software components:
    - managing one or more communications for the first computing node in accordance with the one or more specified criteria of the access policy;
      
      receiving an indication of a modification to the access policy for use with the first computing node, andstoring information on the physical computing system about the modified access policy for use by the one or more software components in managing subsequent communications for the first computing node.
  - 12. The computer-implemented method of claim 1 wherein the first computing node is provided by the application execution service for a user, wherein the application execution service further provides one or more additional computing nodes for the user as virtual machines hosted on one or more other second physical computing systems of the application execution service, and wherein the access policy is further used by additional software components executing on the second physical computing systems to manage communications for the additional computing nodes.

13. A non-transitory computer-readable medium having stored contents that configure a computing device to:
- receive, by the configured computing device, information specifying an access policy for use with a first virtual machine hosted on a physical computing system, the specified access policy including one or more criteria regarding communications allowed to be at least one of sent by or received by the first virtual machine;
  
  configure, by the configured computing device, a transmission manager component to manage communications for the first virtual machine in accordance with the specified access policy, the transmission manager component being executed by the physical computing system to manage hosted virtual machines that include the first virtual machine; and
  
  manage, by the transmission manager component, at least one of communications sent to or received by the first virtual machine using the one or more criteria.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the stored contents include software instructions that, when executed, further configure the computing device to initiate execution of software on the first virtual machine in response to a request from a first user, and wherein the configuring of the transmission manager component is performed in response to the request from the first user.
  - 15. The non-transitory computer-readable medium of claim 13 wherein the physical computing system is one of a plurality of physical computing systems provided by an application execution service, and wherein the information specifying the access policy for use with the first virtual machine is generated by one or more interactions of a user of the application execution service with a programmatic interface provided by the application execution service.
  - 16. The non-transitory computer-readable medium of claim 13 wherein the one or more criteria of the specified access policy are based at least in part on one or more of:
    - one or more indicated port numbers for communications;
      
      one or more indicated communication protocols for communications;
      
      oraccess rights associated with one or more indicated users.
  - 17. The non-transitory computer-readable medium of claim 13 wherein the physical computing system is provided by an application execution service, wherein data representing the specified access policy is stored on a server of the application execution service that is communicatively coupled to the configured computing device, and wherein the information specifying the access policy is received from the server.
  - 18. The non-transitory computer-readable medium of claim 13, wherein the stored contents further configure the computing device to, after the configuring of the transmission manager component:
    - manage one or more communications for the first virtual machine in accordance with the access policy;
      
      receive additional information specifying a modification to the access policy for use with the first virtual machine, andconfigure the transmission manager component to manage subsequent communications for the first virtual machine in accordance with the modified access policy.

19. A computing system, comprising:
- one or more processors; and
  
  a memory storing instructions that, upon execution by at least one of the one or more processors, cause the computing system to;
  
  host multiple virtual machines that are each configurable to execute at least one application program in a portion of the memory allocated to that virtual machine;
  
  receive configuration instructions that configure a transmission manager component executing on the computing system to manage communications of one of the multiple virtual machines in accordance with an indicated access policy that specifies one or more criteria regarding communications allowed to be at least one of sent to or from the one virtual machine; and
  
  manage, by the executing transmission manager component and using the one or more criteria, the communications of the one virtual machine by;
  
  receiving a first communication from or to the one virtual machine;
  
  determining whether the first communication is authorized by the indicated access policy; and
  
  if the first communication is authorized by the indicated access policy, forwarding the first communication to a specified destination, and otherwise preventing the forwarding of the first communication.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The computing system of claim 19 wherein the instructions stored in the memory further cause the computing system to execute software on the one virtual machine on behalf of a user, and to provide the user with access to the one virtual machine.
  - 21. The computing system of claim 19 wherein the one virtual machine is associated with a user, and wherein the access policy is indicated by interactions of the user with a programmatic interface of an application execution service that provides the computing system.
  - 22. The computing system of claim 19 wherein the one or more criteria of the Indicated access policy are based at least in part on one or more of port numbers for communications, of communication protocols for communications, or of access rights associated with one or more users.
  - 23. The computing system of claim 19 wherein the indicated access policy is stored on a server that is provided by an application execution service and that is communicatively coupled to the computing system, and wherein the received configuration instructions are sent by the application execution service and include at least a portion of the stored access policy.
  - 24. The computing system of claim 19 wherein the instructions stored in the memory further cause the computing system to execute software in the one virtual machine on behalf of a user, and wherein the configuration instructions are received in response to the executing of the software.
  - 25. The computing system of claim 19 wherein the instructions stored in the memory further cause the computing system to, after the receiving of the first communication, receive additional configuration instructions that configure the transmission manager component to manage subsequent communications of the one virtual machine in accordance with one or more modifications to the indicated access policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Hoole, Quinton R., Pinkham, Christopher C., Paterson-Jones, Roland, van Biljon, Willem R.
Primary Examiner(s)
Zhao, Wei

Application Number

US13/937,032
Publication Number

US 20130298191A1
Time in Patent Office

1,142 Days
Field of Search

370/389
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/1439   time-based

H04L 12/1442   at network operator level

H04L 41/0813   characterised by the condit...

H04L 41/22   comprising specially adapte...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

Managing communications between computing nodes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Managing communications between computing nodes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links