Multitenant data center providing virtual computing services

US 9,614,748 B1
Filed: 07/26/2011
Issued: 04/04/2017
Est. Priority Date: 04/15/2008
Status: Active Grant

First Claim

Patent Images

1. A computer system for supporting multiple enterprises, comprising:

a plurality of host machines, each host machine hosting a plurality of virtual desktops;

a server provider computer network interconnecting the plurality of host machines;

wherein each host machine is dynamically assigned to a single enterprise from among the multiple enterprises including a first host machine assigned to a first enterprise and a second host machine assigned to a second enterprise, and each virtual desktop in the plurality of virtual desktops hosted on the host machine is assigned a unique network address in a network address space of the single enterprise;

a virtual local area network for each enterprise of the multiple enterprises, each virtual local area network for an enterprise incorporating computer resources on an enterprise computer network of the enterprise and the virtual desktops for the enterprise on one or more of the plurality of host machines, wherein the virtual desktops for the enterprise are configured to access the computer resources for the enterprise on the enterprise computer network through the enterprise'"'"'s virtual local area network to which the virtual desktops are connected; and

wherein the enterprise computer networks have overlapping network address spaces and wherein the virtual desktops on the first host machine assigned to the first enterprise and the virtual desktops on the second host machine assigned to the second enterprise can have network addresses in the overlapping network address spaces;

a single router connected to the service provider computer network and the enterprise computer networks though a gateway node, wherein the single router comprises a plurality of virtual routers, each virtual router being associated with a corresponding enterprise of the multiple enterprises, wherein the virtual router for each enterprise includes a distinct routing table for the network address space of the enterprise, configured to route traffic between the virtual desktops hosted on the plurality of host machines and the computer resources on each of the enterprise computer networks;

the gateway node connected to a public access network, the public access network allowing communication with user devices;

wherein the gateway node, in response to requests from user devices for access to virtual desktops hosted on the host machines, is configured to establish, for each request associated with a user belonging to one of the enterprises, a connection between the user device making the request and one of the virtual desktops on one of the host machines assigned to the enterprise corresponding to the user associated with the request and wherein the gateway node establishes the connection using a temporary network address table (NAT) routing rule and, once the connection is established, generates an entry in a firewall state table that replaces the NAT routing rule, the firewall state table for controlling access to the gateway node, the generated entry defining an allowed connection between the user device address and the address of the virtual desktop.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service provider network supports multiple tenants by having a virtual local area network for each enterprise, and a router connected to enterprise networks of the multiple tenants including a virtual router for each enterprise. The virtual router has a distinct routing table for each enterprise, for routing traffic between the desktops hosted on the plurality of host machines and the computer resources on the enterprise networks.

89 Citations

View as Search Results

17 Claims

1. A computer system for supporting multiple enterprises, comprising:
- a plurality of host machines, each host machine hosting a plurality of virtual desktops;
  
  a server provider computer network interconnecting the plurality of host machines;
  
  wherein each host machine is dynamically assigned to a single enterprise from among the multiple enterprises including a first host machine assigned to a first enterprise and a second host machine assigned to a second enterprise, and each virtual desktop in the plurality of virtual desktops hosted on the host machine is assigned a unique network address in a network address space of the single enterprise;
  
  a virtual local area network for each enterprise of the multiple enterprises, each virtual local area network for an enterprise incorporating computer resources on an enterprise computer network of the enterprise and the virtual desktops for the enterprise on one or more of the plurality of host machines, wherein the virtual desktops for the enterprise are configured to access the computer resources for the enterprise on the enterprise computer network through the enterprise'"'"'s virtual local area network to which the virtual desktops are connected; and
  
  wherein the enterprise computer networks have overlapping network address spaces and wherein the virtual desktops on the first host machine assigned to the first enterprise and the virtual desktops on the second host machine assigned to the second enterprise can have network addresses in the overlapping network address spaces;
  
  a single router connected to the service provider computer network and the enterprise computer networks though a gateway node, wherein the single router comprises a plurality of virtual routers, each virtual router being associated with a corresponding enterprise of the multiple enterprises, wherein the virtual router for each enterprise includes a distinct routing table for the network address space of the enterprise, configured to route traffic between the virtual desktops hosted on the plurality of host machines and the computer resources on each of the enterprise computer networks;
  
  the gateway node connected to a public access network, the public access network allowing communication with user devices;
  
  wherein the gateway node, in response to requests from user devices for access to virtual desktops hosted on the host machines, is configured to establish, for each request associated with a user belonging to one of the enterprises, a connection between the user device making the request and one of the virtual desktops on one of the host machines assigned to the enterprise corresponding to the user associated with the request and wherein the gateway node establishes the connection using a temporary network address table (NAT) routing rule and, once the connection is established, generates an entry in a firewall state table that replaces the NAT routing rule, the firewall state table for controlling access to the gateway node, the generated entry defining an allowed connection between the user device address and the address of the virtual desktop.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer system of claim 1, wherein the router implements multiprotocol label switching.
  - 3. The computer system of claim 2, wherein the distinct routing table for each enterprise includes a virtual private network routing and forwarding (VRF) table.
  - 4. The computer system of claim 1, wherein the temporary NAT routing rule is only valid for a specified time period.
  - 5. The computer system of claim 1, wherein the temporary NAT routing rule is removed after the specified time period.
  - 6. The computer system of claim 1, wherein the temporary NAT routing rule temporarily associates the virtual desktop to a port, of a dynamic range of ports, specified by the rule, and wherein after establishing the connection, the port number is no longer associated with the connection and can be re-used to establish additional connections.
  - 7. The computer system of claim 1, wherein the firewall state table takes routing precedent to the NAT routing rule such that once the connection is established the gateway node routes subsequent communication between the user device and the virtual desktop using the entry in the firewall state table until a session terminates.

8. A method of operation of a computer system to support multiple enterprises, the method comprising:
- providing, on each of a plurality of host machines connected to a service provider computer network, a plurality of virtual desktops;
  
  dynamically assigning each host machine to a single enterprise from among the multiple enterprises including a first host machine assigned to a first enterprise and a second host machine assigned to a second enterprise, and assigning, to each virtual desktop in the plurality of virtual desktops hosted on the host machine, a unique network address in a network address space of the single enterprise;
  
  providing a single router connected to the enterprise computer networks and the service provider computer network;
  
  establishing a virtual local area network for each enterprise of the multiple enterprises, each virtual local area network for an enterprise incorporating computer resources on an enterprise computer network of the enterprise and the virtual desktops assigned to the enterprise on one or more of the plurality of host machines, wherein the virtual desktops assigned to the enterprise are connected through the virtual local area network for the enterprise to access the computer resources for the enterprise on the enterprise computer network; and
  
  wherein the enterprise computer networks have overlapping network address spaces and wherein the virtual desktops on the first host machine assigned to the first enterprise and the virtual desktops the second host machine assigned to the second enterprise can have network addresses in the overlapping network address spaces;
  
  establishing a virtual router on the router for each enterprise of the multiple enterprises, wherein the virtual router for each enterprise includes a distinct routing table in the router for the network address space of the enterprise, configured to route traffic between the virtual desktops hosted on the plurality of host machines and the computer resources on each of the enterprise computer networks;
  
  wherein each host machine is dynamically assigned to only one virtual local area network for a single enterprise, such that the virtual desktops hosted on the host machine are assigned a network address in the network address space of that single enterprise;
  
  providing a gateway node connected to a public access network, the public access network allowing communication with user devices,the gateway node, in response to requests from user devices for access to virtual desktops hosted on the host machines, establishing, for each request associated with a user belonging to one of the enterprises, a connection between the user device making the request and one of the virtual desktops on one of the host machines assigned to the enterprise corresponding to the user associated with the request and wherein the gateway node establishes the connection using a temporary network address table (NAT) routing rule and, once the connection is established, generates an entry in a firewall state table that replaces the NAT routing rule, the firewall state table for controlling access to the gateway node, the generated entry defining an allowed connection between the user device address and the address of the virtual desktop.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the distinct routing table for each enterprise includes a virtual private network routing and forwarding (VRF) table.
  - 10. The method of claim 8, wherein the router implements multiprotocol label switching.
  - 11. The method of claim 8, wherein the temporary NAT routing rule is only valid for a specified time period.
  - 12. The method of claim 8, wherein the temporary NAT routing rule is removed after the specified time period.
  - 13. The method of claim 8, wherein the temporary NAT routing rule temporarily associates the virtual desktop to a port, of a dynamic range of ports, specified by the rule, and wherein after establishing the connection, the port number is no longer associated with the connection and can be re-used to establish additional connections.
  - 14. The method of claim 8, wherein the firewall state table takes routing precedent to the NAT routing rule such that once the connection is established the gateway node routes subsequent communication between the user device and the virtual desktop using the entry in the firewall state table until a session terminates.

15. A computer program product comprising one or more computer storage devices having computer program instructions stored thereon that, when executed by one or more computers, configure a computer system to support multiple enterprises, the computer system comprising:
- on each of a plurality of host machines connected to a service provider computer network, a plurality of virtual desktops;
  
  wherein each host machine is dynamically assigned to a single enterprise from among the multiple enterprises including a first host machine assigned to a first enterprise and a second host machine assigned to a second enterprise, and each virtual desktop in the plurality of virtual desktops hosted on the host machine is assigned a unique network address in a network address space of the single enterprise;
  
  a virtual local area network for each enterprise of the multiple enterprises, each virtual local area network for an enterprise incorporating computer resources on an enterprise computer network of the enterprise and the virtual desktops assigned to the enterprise on one or more of the plurality of host machines, wherein the virtual desktops assigned to the enterprise are connected through the virtual local area network for the enterprise to access the computer resources for the enterprise on the enterprise computer network; and
  
  wherein the enterprise computer networks have overlapping network address spaces and wherein the virtual desktops on the first host machine assigned to the first enterprise and the virtual desktops on the second host machine assigned to the second enterprise can have network addresses in the overlapping network address spaces;
  
  a single router connected to the enterprise computer networks through a gateway node, wherein the single router comprises a plurality of virtual routers, each virtual router being associated with a corresponding enterprise of the multiple enterprises, wherein the virtual router for each enterprise includes a distinct routing table for the network address space for the enterprise, configured to route traffic between the virtual desktops hosted on the plurality of host machines and the computer resources on each of the enterprise computer networks;
  
  the gateway node connected to a public access network, the public access network allowing communication with user devices;
  
  wherein the gateway node, in response to requests from user devices for access to virtual desktops hosted on the host machines, is configured to establish, for each request associated with a user belonging to one of the enterprises, a connection between the user device making the request and one of the virtual desktops on one of the host machines assigned to the enterprise corresponding to the user associated with the request and wherein the gateway node establishes the connection using a temporary network address table (NAT) routing rule and, once the connection is established, generates an entry in a firewall state table that replaces the NAT routing rule, the firewall state table for controlling access to the gateway node, the generated entry defining an allowed connection between the user device address and the address of the virtual desktop.
- View Dependent Claims (16, 17)
- - 16. The computer program product of claim 15, wherein the distinct routing table for each enterprise includes a virtual private network routing and forwarding (VRF) table.
  - 17. The computer program product of claim 15, wherein the router implements multiprotocol label switching.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Battersby, Clinton, Snow, James, Hobgood, Andrew, Ringdahl, Kenneth
Primary Examiner(s)
Burgess, Glenton B
Assistant Examiner(s)
MOORAD, IMRAN

Application Number

US13/191,037
Time in Patent Office

2,079 Days
Field of Search

709242
US Class Current
CPC Class Codes

G06F 9/5061   Partitioning or combining o...

H04L 12/4654   wherein a VLAN tag represen...

H04L 45/02   Topology update or discovery

H04L 45/50   using label swapping, e.g. ...

H04L 47/70   Admission control; Resource...

H04L 49/70   Virtual switches

H04L 63/02   for separating internal fro...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 65/61   for supporting one-way stre...

H04L 65/70   Media network packetisation

H04L 65/762   at the source reformatting...

H04L 65/764   at the destination reforma...

H04L 67/08   specially adapted for termi...

H04N 21/41407   embedded in a portable devi...

H04N 21/4143   embedded in a Personal Comp...

Multitenant data center providing virtual computing services

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Multitenant data center providing virtual computing services

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links