Managing communications between computing nodes
Abstract
Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destination nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.
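The mechanism the abstract describes, group access policies with rules over address ranges, enforced on the machine hosting a VM, with each negotiated allow/deny decision recorded so later transmissions of the same flow skip negotiation, modelled as an added Python example. This is not code from the patent or any product; the class names, node names, addresses and ports are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

class AccessPolicy:
    """Ordered rules over address ranges; first match wins, default deny."""
    def __init__(self, rules):
        # rules: (action, cidr, port); action is "allow" or "deny"; port None = any port
        self.rules = [(action, ip_network(cidr), port) for action, cidr, port in rules]

    def allows(self, src_ip, dst_port):
        for action, net, port in self.rules:
            if ip_address(src_ip) in net and port in (None, dst_port):
                return action == "allow"
        return False  # no rule matched: deny

class PolicyManager:
    """Service-side state: node addresses, group membership, per-group policies."""
    def __init__(self):
        self.addr, self.group, self.policy = {}, {}, {}
        self.negotiations = 0  # how often a host had to ask for a decision

    def add_node(self, name, ip, group):
        self.addr[name], self.group[name] = ip, group

    def negotiate(self, src, dst, dst_port):
        """Decide whether src may transmit to dst using dst's group policy."""
        self.negotiations += 1
        pol = self.policy.get(self.group[dst])
        return pol is not None and pol.allows(self.addr[src], dst_port)

class HostEnforcer:
    """Runs on the computer hosting the VM; records negotiated decisions per flow."""
    def __init__(self, manager):
        self.manager, self.recorded = manager, {}

    def permit(self, src, dst, dst_port):
        key = (src, dst, dst_port)
        if key not in self.recorded:  # first sight of this flow: negotiate
            self.recorded[key] = self.manager.negotiate(src, dst, dst_port)
        return self.recorded[key]  # repeat flow: recorded decision, no negotiation

def demo():
    # constructed sample: a "db" group that only accepts 5432 from the web subnet
    mgr = PolicyManager()
    mgr.add_node("web1", "10.0.1.10", "web")
    mgr.add_node("db1", "10.0.2.20", "db")
    mgr.add_node("stranger", "192.168.9.9", "other")  # group without a policy
    mgr.policy["db"] = AccessPolicy([("allow", "10.0.1.0/24", 5432)])
    host = HostEnforcer(mgr)
    results = [host.permit("web1", "db1", 5432), host.permit("web1", "db1", 22),
               host.permit("stranger", "db1", 5432), host.permit("web1", "db1", 5432)]
    return results, mgr.negotiations  # four checks, but only three negotiations
```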
25 Claims

1. A computer-implemented method comprising:
- obtaining, by one or more computing devices of an execution service, information from a client that specifies an access policy for use with a first computing node, wherein the access policy includes one or more rules for use in managing communications involving network addresses from an indicated range;
- providing, by the execution service, the first computing node for the client using a virtual machine hosted by a computer system of the execution service; and
- configuring the computer system to manage communications for the hosted virtual machine providing the first computing node, including storing at least a portion of the one or more rules on the computer system, to cause the computer system to use the one or more rules to implement the access policy and determine to allow or prevent a communication to or from the first computing node.

Dependent claims: 2, 3, 4, 5, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25.

6. A non-transitory computer-readable medium having stored contents that cause a computing device of an execution service to:
- receive, by the computing device of the execution service, information from a client of the execution service that specifies an access policy for use with a group of multiple computing nodes that is provided by the execution service for the client and that includes a first virtual machine hosted on a computer system of the execution service, wherein the access policy indicates multiple network addresses and includes one or more rules for use in managing communications involving the multiple network addresses;
- provide, by the execution service, the multiple computing nodes to the client, including providing the first virtual machine hosted on the computer system; and
- manage, by the computing device of the execution service and based on the access policy, a communication that is to or from the first virtual machine and that uses at least one network address from the multiple network addresses, including using the one or more rules to allow or prevent the communication.

Dependent claims: 7, 8, 12, 13, 14, 15.

9. A computing system, comprising:
- one or more hardware processors; and
- one or more memories with stored instructions that, upon execution by at least one hardware processor of the one or more hardware processors, cause the computing system to:
  - provide a group of multiple computing nodes for use by a client, including a hosted virtual machine;
  - receive instructions from the client that specify an access policy for use with the group of multiple computing nodes, wherein the access policy includes one or more rules for use in managing communications that satisfy one or more specified criteria involving at least one network address; and
  - manage, based on the access policy, a communication that is to or from the virtual machine and that satisfies the one or more specified criteria, including using the one or more rules to allow or prevent forwarding of the communication, and wherein the virtual machine executes at least one application program for the client in memory allocated to the virtual machine.

Dependent claims: 10, 11.