Authorizing communications between computing nodes

US 9,577,926 B2
Filed: 03/14/2013
Issued: 02/21/2017
Est. Priority Date: 03/31/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

instantiating, by one or more computing systems implementing a program execution service that has a plurality of server devices for use with customers of the program execution service, a first virtual network for a first customer of the program execution service;

configuring, by the one or more computing systems and for a first server device of the plurality that hosts at least a first virtual machine, a communication manager of the program execution service on the first server device to associate the first virtual machine with the first virtual network, the configuring including storing mapping information on the first server device for the first virtual network that includes information about a second virtual machines in the first virtual network, wherein the second virtual machine is hosted by a second server device of the plurality;

receiving, by the communication manager of the first server device, an outgoing communication sent from the first virtual machine to a destination virtual machine that is the second virtual machine, wherein the outgoing communication has an indicated virtual network address for the destination virtual machine, and wherein the first server device has connectivity to a second network that is a physical network including the second server device;

verifying, by the communication manager of the first server device, that the received outgoing communication is authorized based at least in part on the first virtual machine being allowed to communicate with the destination virtual machine;

modifying, by the communication manager of the first server device and based at least in part on the stored mapping information, the outgoing communication by adding to the outgoing communication a destination network address for the second network that is associated with the second server device; and

initiating, by the communication manager of the first server device and based at least in part on the verifying that the received outgoing communication is authorized, sending of the modified outgoing communication to the second server device via the second network based on the destination network address for the second network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

62 Citations

View as Search Results

21 Claims

1. A computer-implemented method comprising:
- instantiating, by one or more computing systems implementing a program execution service that has a plurality of server devices for use with customers of the program execution service, a first virtual network for a first customer of the program execution service;
  
  configuring, by the one or more computing systems and for a first server device of the plurality that hosts at least a first virtual machine, a communication manager of the program execution service on the first server device to associate the first virtual machine with the first virtual network, the configuring including storing mapping information on the first server device for the first virtual network that includes information about a second virtual machines in the first virtual network, wherein the second virtual machine is hosted by a second server device of the plurality;
  
  receiving, by the communication manager of the first server device, an outgoing communication sent from the first virtual machine to a destination virtual machine that is the second virtual machine, wherein the outgoing communication has an indicated virtual network address for the destination virtual machine, and wherein the first server device has connectivity to a second network that is a physical network including the second server device;
  
  verifying, by the communication manager of the first server device, that the received outgoing communication is authorized based at least in part on the first virtual machine being allowed to communicate with the destination virtual machine;
  
  modifying, by the communication manager of the first server device and based at least in part on the stored mapping information, the outgoing communication by adding to the outgoing communication a destination network address for the second network that is associated with the second server device; and
  
  initiating, by the communication manager of the first server device and based at least in part on the verifying that the received outgoing communication is authorized, sending of the modified outgoing communication to the second server device via the second network based on the destination network address for the second network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1 further comprising:
    - after the sending of the modified outgoing communication via the second network, receiving, by the second server device, the modified outgoing communication;
      
      determining the virtual network address for the destination virtual machine from the modified outgoing communication; and
      
      using the determined virtual networking address to provide the outgoing communication to the destination virtual machine.
  - 3. The computer-implemented method of claim 2 wherein the determining of the virtual network address for the destination virtual machine includes retrieving a representation of the virtual network address for the destination virtual machine from within the destination network address.
  - 4. The computer-implemented method of claim 1 wherein the received outgoing communication further includes a source network address associated with the first server device, and wherein the verifying that the received outgoing communication is authorized is further based at least in part on the stored mapping information and on the source network address.
  - 5. The computer-implemented method of claim 1 wherein the modifying of the outgoing communication further includes adding an identifier for the first virtual network to the outgoing communication to distinguish the outgoing communication from outgoing communications for other virtual networks overlaid on the second network.
  - 6. The computer-implemented method of claim 1 further comprising obtaining the mapping information to be stored from a remote server.
  - 7. The computer-implemented method of claim 1 further comprising:
    - sending a query that includes the indicated virtual network address for the destination virtual machine to a mapping server that maintains the mapping information;
      
      receiving the destination network address for the second network from the mapping server; and
      
      updating the stored mapping information to associate the destination network address with the indicated virtual network address.
  - 8. The computer-implemented method of claim 1 wherein the modifying of the outgoing communication further includes constructing the destination network address for the second network to include an identifier corresponding to an entity associated with the first virtual machine and with the destination virtual machine.
  - 9. The computer-implemented method of claim 1 wherein a first network addressing protocol associated with the first virtual network and a second network addressing protocol associated with the second network are each one of Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).
  - 10. The computer-implemented method of claim 1 wherein the storing of the mapping information on the first server device is performed before the receiving of the outgoing communication.
  - 11. The computer-implemented method of claim 1 further comprising:
    - after the sending of the modified outgoing communication, receiving, by the second server device, the modified outgoing communication;
      
      determining, by the second server device and from mapping information stored on the second server device, that the first server device is hosting a virtual machine authorized to communicate with the destination virtual machine; and
      
      providing, based at least in part on the determining that the first server device is hosting the virtual machine authorized to communicate with the destination virtual machine, the outgoing communication to the destination virtual machine.
  - 12. The computer-implemented method of claim 1 wherein the second network is a substrate network operated by the program execution service, and wherein the instantiating of the first virtual network for the first customer further includes receiving configuration information for the first virtual network from the first customer and using the configuration information to implement the first virtual network.

13. A non-transitory computer-readable medium having stored contents that cause a computing system of a program execution service to:
- instantiate, by the computing system of the program execution service, a first virtual network for a first customer of the program execution service, including using a first virtual machine hosted by a first computing system that is provided by the program execution service in the first virtual network;
  
  configure a communication manager executing on the first computing system to associate the first virtual machine with the first virtual network, including storing mapping information on the first computing system for the first virtual network that includes information about a second virtual machine of the first virtual network that is hosted by a second computing system;
  
  receive, by the communication manager of the first computing system, an outgoing communication sent by the first virtual machine to a destination node of the first virtual network that is the second virtual machine, wherein the outgoing communication includes a first destination network address used with the first virtual network;
  
  determine, by the communication manager of the first computing system and based at least in part on the stored mapping information, a second destination network address that is used for the second computing system by a second network that is a physical network connecting the first and second computing systems;
  
  modify, by the communication manager of the first computing system, the outgoing communication to include the determined second destination network address for the second network; and
  
  send, by using the determined second destination network address, the modified outgoing communication over the second network to the destination node via the second computing system.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer-readable medium of claim 13 wherein the first virtual machine and other virtual machines of the first virtual network are communicatively connected via an overlay of the first virtual network on the second network, and wherein the modifying of the outgoing communication further includes modifying information in the outgoing communication based on the overlay.
  - 15. The non-transitory computer-readable medium of claim 13 wherein a first network addressing protocol associated with the first virtual network and a second network addressing protocol associated with the second network are each one of Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).
  - 16. The non-transitory computer-readable medium of claim 13 wherein the stored contents include software instructions that, when executed, further configure the computing system to retrieve the mapping information to be stored from a system manager computing system that manages communications for the first virtual network, and to configure the communication manager of the first computing system to use the mapping information to verify that the received outgoing communication is authorized based at least in part on the first virtual machine being allowed to communicate with the destination node.
  - 17. The non-transitory computer-readable medium of claim 13 wherein the second destination network address includes a representation of the first destination network address.

18. A system comprising:
- one or more processors of a computing system of a program execution service; and
  
  at least one memory with stored instructions for the program execution service that, upon execution by at least one of the one or more processors, cause the system to;
  
  instantiate, for a first customer of the program execution service, a first overlay network that includes a first virtual machine hosted by the computing system;
  
  configure the computing system to associate the first virtual machine with the first overlay network, including storing mapping information on the computing system for the first overlay network that includes information about a second virtual machines included in the first overlay network that is hosted by a second computing system;
  
  receive an outgoing communication from the first virtual machine to a destination node of the first overlay network that is the second virtual machine, wherein the outgoing communication has a first destination network address for the destination node that is specified in accordance with the first overlay network;
  
  modify the outgoing communication in accordance with a second network that supports the first overlay network, the modifying being based at least in part on the stored mapping information and including adding a second destination network address for the second computing system that is specified in accordance with the second network; and
  
  send, over the second network and by using the second destination network address, the modified outgoing communication to the destination node via the second computing system.
- View Dependent Claims (19, 20, 21)
- - 19. The system of claim 18 wherein the stored instructions further cause the system to retrieve the mapping information to be stored from a remote system manager that manages communications for the first overlay network.
  - 20. The system of claim 18 wherein a first network addressing protocol associated with the first overlay network and a second network addressing protocol associated with the second network are each one of Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).
  - 21. The system of claim 18 wherein modifying the outgoing communication is further based at least in part on the stored mapping information and includes adding an identifier for the first overlay network to the outgoing communication to distinguish the outgoing communication from other outgoing communications for other overlay networks supported by the second network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Cohn, Daniel Todd
Primary Examiner(s)
Pyzocha, Michael

Application Number

US13/829,578
Publication Number

US 20130205042A1
Time in Patent Office

1,440 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 41/00   Arrangements for maintenanc...

H04L 41/28   Restricting access to netwo...

H04L 45/586   of virtual routers

H04L 61/103   across network layers, e.g....

H04L 61/251   between different IP versions

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0236   Filtering by address, proto...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

Authorizing communications between computing nodes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Authorizing communications between computing nodes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links