TREA

Hybrid cloud security groups

Follow

Information

  • Patent Grant
  • 11218483
  • Patent Number
    11,218,483
  • Date Filed
    Tuesday, September 24, 2019
    5 years ago
  • Date Issued
    Tuesday, January 4, 2022
    3 years ago
Information
Abstract
In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, data can be allowed to access to the second cloud network.
Description
TECHNICAL FIELD

The present technology pertains to computer-based networking, and more specifically, to security groups in a hybrid cloud environment.


BACKGROUND

Recent industry-wide shifts toward cloud-based service delivery and data consumption present new challenges for service providers to route and deliver data while providing security for data stored in private cloud databases. For example, cloud-based providers may employ various real-time adjustment models to efficiently adapt and allocate network resources based on changing security needs. Furthermore, a hybrid cloud computing and storage environment can present added challenges for network security as some portions of a hybrid cloud computing and storage environment may be accessible to a public forum and other portions of a hybrid cloud may be designated for a private forum.


A hybrid cloud computing environment can be a target for unauthorized access to data stored in the hybrid cloud as potential security threats may attempt to penetrate vulnerabilities that can be associated with a hybrid cloud computing and storage environment. Emerging computer-based threats are accelerating a need for increasingly flexible and secure network operations. As data, software, services, applications, and databases are increasingly tied to cloud-based networks, added security functionality and flexibility is desired in cloud-based computing environments, including hybrid cloud computing and storage environments.





BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited features and other advantages of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only exemplary embodiments of the disclosure and are not therefore to be considered to be limiting its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:



FIG. 1 illustrates an example hybrid cloud environment;



FIG. 2 illustrates an example of migrating a virtual machine in a hybrid cloud environment;



FIG. 3 illustrates an example hybrid cloud environment with multiple cloud networks;



FIG. 4 illustrates an example hybrid cloud environment utilizing cloud security groups;



FIG. 5 illustrates an example hybrid cloud environment utilizing cloud security groups;



FIG. 6 illustrates an example hybrid cloud environment utilizing cloud security groups;



FIG. 7 illustrates an example hybrid cloud environment utilizing cloud security groups;



FIG. 8 illustrates an example hybrid cloud environment utilizing cloud security groups;



FIG. 9 illustrates an example process of the present technology; and



FIG. 10 illustrates an example architecture of the present technology.





A component or a feature that is common to more than one drawing is indicated with the same reference number in each of the drawings.


DESCRIPTION OF EXAMPLE EMBODIMENTS

Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without parting from the spirit and scope of the disclosure.


Overview


In some embodiments, the present technology may receive a request from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request may include a security profile related to the data. The security profile can be automatically analyzed to determine access permissions related to the data. Moreover, based at least in part on the access permissions, the data may be allowed to access to the second cloud network.


DESCRIPTION

A communication network can include a system of hardware, software, protocols, and transmission components that collectively allow separate devices to communicate, share data, and access resources, such as software applications. More specifically, a computer network may be a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end points, such as personal computers, portable devices, and workstations. Many types of networks are available, ranging from local area networks (LANs) and wide area networks (WANs) to overlay and software-defined networks, such as virtual extensible local area networks (VXLANs), and virtual networks such as virtual LANs (VLANs) and virtual private networks (VPNs).


LANs may connect nodes over dedicated private communications links located in the same general physical location, such as a building or campus. WANs, on the other hand, may connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), or synchronous digital hierarchy (SDH) links. LANs and WANs can include layer 2 (L2) and/or layer 3 (L3) networks and devices.


The Internet is an example of a public WAN that connects disparate networks throughout the world, providing global communication between nodes on various networks. The nodes can communicate over the network by exchanging discrete frames or packets of data according to predefined protocols, such as the Transmission Control Protocol/Internet Protocol (TCP/IP). In this context, a protocol can refer to a set of rules defining how the nodes interact with each other. Computer networks may be further interconnected by intermediate network nodes, such as routers, switches, hubs, or access points, which can effectively extend the size or footprint of the network.


Networks can be segmented into sub-networks to provide a hierarchical, multilevel routing structure. For example, a network can be segmented into VLAN sub-networks using subnet addressing to create network segments. This way, a network can allocate various groups of IP addresses to specific network segments and divide the network into multiple logical networks. In a hybrid cloud environment, different sub-networks may be allocated to different parts of the hybrid cloud environment. For example, one or more VLAN sub-networks may be allocated to a private cloud network of the hybrid cloud environment and a public cloud network of the hybrid cloud environment based on security permissions associated with the one or more VLAN sub-networks.


Other networks, such as virtual networks (e.g., VLANs) are also available. For example, one or more LANs can be logically segmented to form a VLAN and allow a group of machines to communicate as if they were in the same physical network, regardless of their actual physical location. Thus, machines located on different physical LANs can communicate as if they were located on the same physical LAN. Interconnections between networks and devices can also be created using routers and tunnels, such as VPN tunnels, as is appreciated by those skilled in the art. In a hybrid cloud computing environment, such a tunnel may include encryption and/or firewalls at either end of the tunnel to serve as a gatekeeper for data transmitted between a private data center (DC)/private cloud network and a public cloud network such as a cloud network provided by a commercial entity. Example public cloud networks are the Microsoft Azure® Cloud, Amazon Web Services®, Oracle® Cloud, and the like.


The various networks can include various hardware or software appliances or nodes to support data communications, security, and provision services. For example, networks can include routers, hubs, switches, APs, firewalls, repeaters, intrusion detectors, servers, VMs, load balancers, application delivery controllers (ADCs), and other hardware or software appliances. Such appliances can be distributed or deployed over one or more physical, overlay, or logical networks. Moreover, appliances can be deployed as clusters, which can be formed using layer 2 (L2) and layer 3 (L3) technologies. Clusters can provide high availability, redundancy, and load balancing for flows associated with specific appliances or nodes. A flow can include packets that have the same source and destination information. Thus, packets originating from device A to service node B can all be part of the same flow.


Appliances or nodes, as well as clusters, can be implemented in cloud deployments. Cloud deployments can be provided in one or more networks to provision computing services using shared resources. Cloud computing can generally include Internet-based computing in which computing resources are dynamically provisioned and allocated to client or user computers or other devices on-demand, from a collection of resources available via the network (e.g., “the cloud”). Cloud computing resources, for example, can include any type of resource, such as computing, storage, network devices, applications, virtual machines (VMs), services, and so forth. For instance, resources may include service devices (firewalls, deep packet inspectors, traffic monitors, load balancers, etc.), compute/processing devices (servers, CPU's, memory, brute force processing capability), storage devices (e.g., network attached storages, storage area network devices), etc. In addition, such resources may be used to support virtual networks, virtual machines (VM), databases, applications (Apps), etc. Also, services may include various types of services, such as monitoring services, management services, communication services, data services, bandwidth services, routing services, configuration services, wireless services, architecture services, etc.


Cloud controllers and/or other cloud devices can be configured for cloud management. These devices can be pre-configured (i.e., come “out of the box”) with centralized management, layer 7 (L7) device and application visibility, real time web-based diagnostics, monitoring, reporting, management, and so forth. As such, in some embodiments, the cloud can provide centralized management, visibility, monitoring, diagnostics, reporting, configuration (e.g., wireless, network, device, or protocol configuration), traffic distribution or redistribution, backup, disaster recovery, control, and any other service. In some cases, this can be done without the cost and complexity of specific appliances or overlay management software.


The present technology may address a need in the art for added security in hybrid cloud computing and storage environments (“hybrid cloud”). A hybrid cloud can refer to a cloud network architecture comprised of two or more cloud networks that communicate and/or share data. A hybrid cloud can be an interaction between private and public clouds where a private cloud connects to a public cloud and utilizes public cloud resources in a secure and scalable way. The hybrid cloud model can provide advantages over other cloud models. For example, the hybrid cloud model allows enterprises to protect their existing investment, maintain control of their sensitive data and applications, and maintain control of their network, processing, and storage resources. Additionally, hybrid clouds may allow enterprises to scale their environment as their demand for processing resources and storage increase or decrease. This scaling up or down can occur with minimal to no effect on existing physical network resources such as on-site, physical servers.


While some applications are suitable for traditional physical enterprise data centers/private networks, there are others whose dynamic compute requirements make them ideal for cloud-based deployment. For such applications, a goal is to take advantage of the computing elasticity and economics of cloud computing without sacrificing the security that data assets (e.g., databases, directories, repositories) gain from being located on site within an enterprise's data center. To be a viable hybrid cloud solution, data should be kept secure, applications should not need to be redesigned, and cloud networks should be readily mobile.



FIG. 1 illustrates an example hybrid cloud computing and storage network illustratively comprising a plurality of cloud networks or “clouds,” including a private cloud 105 (e.g., enterprise data centers) and a public cloud 110 which may be utilized in a publicly-accessible network such as the Internet (not shown). Although current terminology refers to a hybrid cloud comprising a private cloud and a public cloud, it should be understood that many aspects of this disclosure can be practiced in various multi-cloud configurations (e.g., two clouds hosted by third party providers or two enterprise clouds in different locations). The private data center/private cloud 105 and public cloud 110 can be connected via a communication link 170 between private cloud gateway 125 and public cloud gateway 135. Data packets and traffic can be exchanged among the devices of the hybrid cloud network using predefined network communication protocols as will be understood by those skilled in the art.


As depicted in FIG. 1, each cloud network can have a cloud gateway such as private cloud gateway 125 and public cloud gateway 135. Each cloud network may also contain at least one virtual machine (VM) and/or nested VM containers. For example, FIG. 1 illustrates VM1150 and VM2152 in private cloud 105 and VM3154 in public cloud 110. Private cloud gateway 125 can be configured as a VM-based gateway running in private cloud 105 that may be responsible for establishing communication link 170 for communication and data transfer between private cloud 105 and public cloud 110. Moreover, public cloud gateway 135 may be configured as a VM-based gateway running in public cloud 110 that can be responsible for establishing communication link 170 for communication and data transfer between private cloud 105 and public cloud 110.


Moreover, security group tags associated with private cloud gateway 125 and public cloud gateway 135 can enhance hybrid cloud network security by preventing data from reaching unauthorized areas of the hybrid cloud or preventing data from leaving areas of the hybrid cloud which the data is restricted to. In some embodiments, private cloud gateway 125 can screen requests for data stored in private cloud 105 destined for public cloud 110 by utilizing security group tags associated with, for example, sub-net VLANs from public cloud 110 that are authorized to receive data from private cloud 105 by virtue of access permissions associated with the sub-net VLANs from public cloud 110. This can prevent unauthorized data from leaving private cloud 105 by denying a request for data in private cloud 105 if, for example, the sub-net VLAN from public cloud 110 that makes the request does not have a security tag with access permissions to the requested data in private cloud 105.


Likewise, in some embodiments, public cloud gateway 135 can screen requests for data stored in public cloud 110 destined for private cloud 105 by utilizing security group tags associated with, for example, sub-net VLANs from public cloud 110 that are authorized to receive data from private cloud 105 by virtue of access permissions associated with the sub-net VLANs from public cloud 110. This can prevent unauthorized data from leaving public cloud 110 by not allowing the requested data from public cloud 110 to leave public cloud 110 if, for example, the sub-net VLAN from public cloud 110 related to the requested data does not have a security tag with access permissions to private cloud 105.


In some embodiments, one or more firewalls may be used in conjunction with private cloud gateway 125 and public cloud gateway 135 to facilitate screening of requests for entry and exit from private cloud 105 and public cloud 110. For example, private cloud gateway 125 and public cloud gateway 135 may complement each other by preventing entry of unauthorized data into their respective cloud networks and also preventing data from leaving their respective cloud networks if that data was not authorized to leave the cloud network due to insufficient access permissions for an intended destination (for example, a different cloud network of the hybrid cloud environment). In some embodiments, private cloud gateway 125 and public cloud gateway 135 may only prevent entry of unauthorized data into their cloud networks. In other embodiments, private cloud gateway 125 and public cloud gateway 135 may only prevent unauthorized data from leaving their respective cloud networks.



FIG. 1 also illustrates a hybrid cloud manager 175 within the private cloud 105 which can be a management plane VM for auto-provisioning resources within the hybrid cloud environment. Specifically, the hybrid cloud manager 175 may be a management platform (which could be a VM) operating in private cloud 105 or public cloud 110 (not shown), and may be generally responsible for providing the hybrid cloud environment operations, translating between private cloud network and public cloud network interfaces, management of cloud resources, dynamic instantiating of cloud gateways and cloud VM components (for example, VM3154 in public cloud 110) through, for example, the private virtualization platform and public cloud provider APIs. It may also health-monitor the components of the hybrid cloud environment (e.g., the cloud gateways, the one or more private application VMs, and the communication link 170, and provide high availability of those components.



FIG. 1 also illustrates a virtual supervisor module 130 (for example, the Nexus 1000V Switch by Cisco Systems, Inc.), a hypervisor 140 (also called a virtual machine manager) and one or more VM 150, 152. The virtual supervisor module 130 in the private cloud 105 can be used to create VMs in the public cloud 110 or private cloud 105, such as VM1150, VM2152, and VM3154. Each VM can host a private application, even VM3154 in the public cloud 110 can host a private application such that VM3154 in the public cloud 110 executes as if it were within the private cloud 105. The hypervisor 140 can be configured by the virtual supervisor module 130 and may provide an operating system for one or more VMs.



FIG. 1 also illustrates communication link 170. Communication link 170 can take several forms to include a type of virtual private network (VPN) or a tunnel. Specifically, some embodiments may utilize an open VPN overlay or else an IP security (IPSec) VPN based L3 network extension to provide communication link 170. While offering secure transport connections in a cloud environment, a VPN may not provide a switch infrastructure for providing features such as switching network traffic locally at the cloud, providing consistent enterprise network polices, allowing insertion of various network services (e.g., load balancers, firewalls, etc.), and construction of a sophisticated network topology (e.g., the current systems are connected through a router and multiple VLANs). While IPsec-VPN-based technology can provide customers inter-datacenter network connectivity and relatively sophisticated network topologies, it can only extend the enterprise network at the network layer (Layer 3 or “L3” of the illustrative and well-known OSI model). This implies that the overlay networks created at the cloud datacenter (public cloud 110) can be a set of new subnets, where VMs in the public cloud are assigned with new network identities (e.g., IP and MAC addresses). Because of this, many enterprise infrastructures (e.g., access control lists, firewall policies, domain name services, etc.) can be modified in order for the newly attached VM systems to be able to work with rest of the enterprise systems. For example, the IPSec VPN tunnel may prevent penetration of corporate firewalls and Network Address Translation (NAT) devices deep within the enterprise data center (for example, private cloud 105).


Some hybrid cloud technologies, such as embodiments of the presently described technology, can utilize a secure transport layer (e.g., Layer 4 or “L4”) tunnel as the communication link 170 between a first cloud gateway 125 in a private cloud 105 and a second cloud gateway 135 in a public cloud 110, where the secure transport layer tunnel is configured to provide a link layer 170 (e.g., Layer 2 or “L2”) network extension between the private cloud and the public cloud. By establishing a secure transport layer (L4) tunnel 170 (e.g., transport layer security (TLS), datagram TLS (DTLS), secure socket layer (SSL), etc.) over the public cloud network 110, the techniques herein may build a secure L2 switch overlay that interconnects cloud resources (public cloud 110) with private cloud 105 (e.g., enterprise network backbones). In other words, the secure transport layer tunnel 170 can provide a link layer network extension between the private cloud 105 and the public cloud 110.


As noted, the cloud gateway 125 deployed at the private cloud 105 can use an L4 Secure Tunnel to connect to the cloud resources allocated at public cloud 110. The L4 secure tunnel is well-suited for use with corporate firewalls and NAT devices due to the nature of the transport level protocols (e.g., UDP/TCP) and the transport layer ports opened for HTTP/HTTPS in the firewall. The L2 network may extend and connect to each of the cloud VMs, e.g., VM1150, VM2152, VM3154 through the cloud gateway 135 deployed at the public cloud 110. With an L2 network overlay, all instances of a particular private application VM, e.g, VM3154 can be seamlessly migrated to the overlay network dynamically created at the public cloud, without any impacts to the existing corporate infrastructure.


As a general practice, a public cloud service provider offers only a limited number of network attachments for each of the cloud VMs, e.g., VM3154, and network broadcasting capability. This can prevent enterprise customers from migrating their multi-VLAN network architectural environment into the public cloud datacenter. However, building an L2 network overlay on top of L4 tunnels as described herein reduces the network attachments requirements for cloud VMs and may provide cloud VMs with network broadcasting ability. The techniques herein can allow enterprise customers to deploy consistent enterprise-wide network architectures, even in a hybrid cloud network environment.



FIG. 2 illustrates a hybrid cloud environment as illustrated in FIG. 1 being used to migrate a VM from private cloud 105 to public cloud 110. In some embodiments, a VM on the private cloud may need to be scaled beyond the current resources of the private cloud or the private cloud may need to be taken off line for a period of time. In some embodiments, it can be desirable to migrate an application on the private cloud 105 to the public cloud 110 or from public cloud 110 to private cloud 105 (not shown). FIG. 2 illustrates VM1150 on private cloud 105 being migrated to public cloud 110. Migration can be managed using virtual supervisor module 130 to take VM1150 offline, and may be migrated using hybrid cloud manager 175 to copy the VM1150 disk image to public cloud 110, and instantiate it in the public cloud 110.



FIG. 3 illustrates an example hybrid cloud environment. In FIG. 3, a public cloud 114 can be running, for example, an application or service in VM4156. The application or service can be shared by the enterprise private cloud 105 and partner private cloud 112. In some embodiments, private cloud 114 can act as an intermediary that provides limited access to the enterprise and the partner. It should be understood that many other hybrid cloud network architectures may be utilized besides the example architecture of FIG. 3. In some embodiments, a hybrid cloud network may include one or more enterprise private clouds, one or more physical enterprise servers, one or more public clouds, one or more physical public network servers, or any combination of such clouds and servers. In addition, embodiments of the present technology can provide for the secure migration of data, virtual machines, etc. among all of the different cloud networks (public and private) and physical servers in a hybrid cloud computing environment. For example, VM4156 may be migrated to enterprise private cloud 105 and/or partner private cloud 112. Likewise, some embodiments can provide for the migration of, for example, VM3 to enterprise private cloud 105 and/or public cloud 114.



FIG. 4 illustrates an example hybrid cloud environment. Data Center (DC)/private cloud 402 may be connected to provider/public cloud 412 via secure communication link 418. Private cloud 402 can be a cloud-based network designated for a particular enterprise. Private cloud 402 may contain sensitive data that is not intended to be shared outside of private cloud 402 without authorized access. Provider cloud 412 may be a publicly-accessible cloud-based network that is provided by a third party commercial vendor such as Oracle, Amazon®, Microsoft®, etc. Item 404 represents one of many sub-nets, VLAN sub-nets, virtual machines, or other data that can be stored in data center/private cloud 402. Likewise, item 414 represents one of many sub-nets, VLAN sub-nets, virtual machines, or other data that can be stored in provider cloud 412. Items 406 and 416 can represent enforcements points for security policies/hybrid cloud security groups which may dictate the entry and exit of data/applications/VMs from private cloud 402 and provider/public cloud 412.


For example, items 406 and 416 may be gateways which are utilized to enforce hybrid cloud security groups/security policies. Hybrid cloud security groups can be automatically applied to data/applications/VMs that appear in the hybrid cloud network so that the data/applications/VMs are grouped according to authorized hybrid cloud access locations. For instance, an application represented by item 404 may be requested for migration to provider cloud 412. If VM 404 does not have the appropriate security group tag to exit private cloud 402 and enter provider cloud 412, gateway 406 can prevent VM 404 from leaving private cloud 402.


If VM 404 does have the appropriate security group tag to exit private cloud 402 and enter provider cloud 412, gateway 406 can allow VM 404 to leave private cloud 402 via secure link/tunnel 418. VM 404 may also have its data copied and instantiated in provider/public cloud 412 in some embodiments. Gateway 416 can act as a gatekeeper, in some embodiments only permitting data from an authorized security group to enter provider/public cloud 412. Secure link 418 may be secured with cryptography such that the communications between private cloud 402 and public cloud 412 are not detectable to outside parties. Furthermore, in some embodiments, secure link/secure tunnel 418 may not allow access to or from the Internet in order to enhance security by transmitting all sensitive data/applications/VMs via secure link 418 only.


Hybrid cloud security groups may be configured manually by an administrator of the private cloud 402 and/or public cloud 412. For instance, an administrator of private cloud 402 may configure the present technology to automatically apply security group tags to data/applications/VMs on the basis of, for example, origin IP address, type, author, date created, etc. Upon instantiation of an embodiment of the present technology, all or some of the data/applications/VMs may be assigned to one or more cloud security groups. For example, some data/applications/VMs can be authorized for use by the private cloud, the public cloud only, or both the private and public clouds. This can allow for greater flexibility of movement of data inside a particular cloud environment while preserving security because all data that has a cloud security group tag should only be permitted in authorized areas associated with their respective cloud security group(s).



FIG. 5 illustrates an example hybrid cloud environment. As in FIG. 4, the example embodiment of FIG. 5 can include data center/private cloud 402, provider/public cloud 412, and secure link/tunnel 418. FIG. 5 illustrates an example application of hybrid cloud security groups wherein data/applications/VMs (not shown) are requesting exit from private cloud 402 in order to enter provider/public cloud 412. As discussed with respect to FIG. 4, private cloud gateway 406 can verify that any data, applications, VMs, etc. attempting to exit the private cloud 402 are authorized to leave private cloud 402.


For example, programming code 520 may provide private cloud gateway 406 with parameters for authorized entry/exit from private cloud 402. It is understood that programming code 520 may be implemented in many other forms besides that shown in FIG. 5. Moreover, embodiments of the present technology may utilize one or more programming languages to determine parameters for different hybrid cloud security groups. In some embodiments, programming code 520 may provide for entry parameters and/or exit parameters of private cloud 402. FIG. 5 illustrates that, in some embodiments, data may not be permitted to leave private cloud 402 if the hybrid cloud security group tag associated with the data, based on parameters that may be defined by an administrator, does not authorize exit from private cloud 402. For example, if an application from private cloud 402 is not a part of a selected subnet that has a security group tag allowing for exit from private cloud 402, the application will be denied exit from private cloud 402 as shown at private cloud gateway 406.


In other embodiments, if data requested from private cloud 402 has a security group tag authorizing exit from private cloud 402, based on an allowed subnet, said data may be transmitted to provider public cloud 412 via secure tunnel 418. Some embodiments may provide for similar screening of transmitted data at provider public gateway 416 in order to ensure that the data is part of an authorized security group for access into provider public cloud 412. It is understood that a request for data from private cloud 402 may come from within private cloud 402, within provider public cloud 412, or from a third party/parties.



FIG. 6 illustrates an example hybrid cloud environment. As in FIG. 4, the example embodiment of FIG. 6 can include data center/private cloud 402, provider/public cloud 412, and secure link/tunnel 418. FIG. 6 illustrates an example application of hybrid cloud security groups wherein data/applications/VMs (not shown) are requesting exit from provider public cloud 412 in order to enter private cloud 402. As discussed with respect to FIG. 4, public cloud gateway 416 can verify that any data, applications, VMs, etc. attempting to exit the public cloud 412 are authorized to leave public cloud 412.


For example, programming code 620 may provide public cloud gateway 416 with parameters for authorized entry/exit from public cloud 412. It is understood that programming code 620 may be implemented in many other forms besides that shown in FIG. 6. Moreover, embodiments of the present technology may utilize one or more programming languages to determine parameters for different hybrid cloud security groups. In some embodiments, programming code 620 may provide for entry parameters and/or exit parameters of public cloud 412. FIG. 6 illustrates that, in some embodiments, data may not be permitted to leave public cloud 412 if the hybrid cloud security group tag associated with the data, based on parameters that may be defined by an administrator, does not authorize exit from public cloud 412. For example, if an application from public cloud 412 is not a part of an extended VLAN that has a security group tag allowing for entry into private cloud 402 from public cloud 412, the application will be denied exit from public cloud 412 as shown at public cloud gateway 416.


In other embodiments, if data requested from public cloud 412 has a security group tag authorizing exit from public cloud 412, based on an allowed extended VLAN, said data may be transmitted to private cloud 402 via secure tunnel 418. Some embodiments may provide for similar screening of transmitted data at private gateway 406 in order to ensure that the data is part of an authorized security group for access into private cloud 402. It is understood that a request for data from provider public cloud 412 may come from within provider public cloud 412, within private cloud 402, or from a third party/parties.



FIG. 7 illustrates an example hybrid cloud environment. As in FIG. 4, the example embodiment of FIG. 7 can include data center/private cloud 402, provider/public cloud 412, and secure link/tunnel 418. FIG. 7 illustrates an example application of hybrid cloud security groups wherein an instance (not shown) of the hybrid cloud environment is screened for authorization based on the security group associated with the instance. For example, FIG. 7 shows instance 702 attempting access to provider public cloud 412. Instance 702 does not have a security group tag authorized for entry into provider public cloud 412. Thus, public cloud gateway 416 denies access to instance 702 such that instance 702 is not allowed to reach hybrid VM 712. On the other hand, if an instance from private cloud 402 has a security group tag authorizing exit from private cloud 402 and entry into public cloud 412, the instance may be transmitted to provider public cloud 412 via secure tunnel 418.


In some embodiments, the present technology can utilize the security structure of the provider public cloud in order to enhance security. For example, if the provider public cloud has its own security parameters/security groups for data entering the public cloud (e.g., Amazon AWS® security groups), embodiments of the present technology may apply those security parameters in place of or in addition to the security parameters of the hybrid cloud security group associated with the data requesting entry into the public cloud.


For example, FIG. 8 illustrates an example hybrid cloud environment utilizing security parameters/security group settings of a provider public cloud 412. As in FIG. 4, the example embodiment of FIG. 8 can include data center/private cloud 402, provider/public cloud 412, secure link/tunnel 418, and gateways 406 and 416. FIG. 8 illustrates example security parameters/security group settings 802. For example, security group settings 802 may be provided by Amazon AWS® and may complement the security features provided by the private cloud 402 security group settings by providing additional security requirements for entities requesting access to the provider public cloud 412. It is understood that many other security settings may be used besides what is shown in FIG. 8.



FIG. 9 illustrates an example process 900 of the present technology. Process 900 begins at 902 where a request is received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment. Process 900 continues at 904 where a security profile of the request is automatically analyzed to determine access permissions. Example process 900 concludes at 906 where, based at least in part on the access permissions, the data is allowed to access the second cloud network of the hybrid cloud environment. It is understood that embodiments of the present technology may include fewer or more steps than process 900.



FIG. 10 illustrates an example computer system 1050 having a chipset architecture that can be used in executing embodiments of the present technology and generating and displaying a graphical user interface (GUI). Computer system 1050 is an example of computer hardware, software, and firmware that can be used to implement embodiments of the disclosed technology. System 1050 can include a processor 1055, representative of any number of physically and/or logically distinct resources capable of executing software and/or firmware, and utilizing hardware configured to perform identified computations. Processor 1055 can communicate with a chipset 1060 that can control input to and output from processor 1055. In some embodiments, chipset 1060 outputs information to output 1065 (for example, a display) and can read and write information to storage device 1070 (for example, magnetic media and solid state media). Chipset 1060 can also read data from and write data to RAM 1075. In some embodiments, a bridge 1080 may be utilized by chipset 1060 for interfacing with a variety of user interface components 1085. Such user interface components 1085 can include a keyboard, a microphone, touch detection and processing circuitry, a pointing device, such as a mouse, and the like. In general, inputs to system 1050 can come from any of a variety of sources, machine generated and/or human generated.


Chipset 1060 can also interface with one or more communication interfaces 1090 that can have different physical interfaces. Such communication interfaces can include interfaces for wired and wireless local area networks, for broadband wireless networks, as well as personal area networks. Some applications of the methods for generating, displaying, and using the GUI disclosed herein can include receiving ordered datasets over the physical interface or be generated by the system itself by processor 1055 analyzing data stored in storage 1070 or 1075. Further, the system can receive inputs from a user via user interface components 1085 and execute appropriate functions, such as browsing functions by interpreting these inputs using processor 1055.


It can be appreciated that example system 1050 can have more than one processor 1055 or be part of a group or cluster of computing devices networked together to provide greater processing and/or storage capabilities.


For clarity of explanation, in some instances the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.


In some embodiments the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.


Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and the like.


Devices implementing methods according to these disclosures can comprise hardware, firmware, and/or software, and can use a variety of arrangements or form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and the like. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.


The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.


Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims. Moreover, claim language reciting “at least one of” a set indicates that one member of the set or multiple members of the set satisfy the claim.


The techniques disclosed herein can provide increased security with respect to network resources and data in a hybrid cloud environment. Embodiments of the present technology can prevent harmful and/or unauthorized entities from entering the hybrid cloud network environment, which may result in more efficient network routing and high availability of network applications and systems, which in turn may result in fewer processor cycles required to route signals and thus improved efficiency and extended service life of the network processors used to implement some embodiments of the present technology. Thus, the present technology may improve related hardware used in its implementation.


Further, although the foregoing description has been directed to specific embodiments, it will be apparent that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium, devices, and memories (e.g., disks/CDs/RAM/EEPROM/etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof. Further, methods describing the various functions and techniques described herein can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include cloud-based media, magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and the like. In addition, devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, tablets, wearable devices, small form factor personal computers, personal digital assistants, and the like. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example. Instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures. Accordingly this description is to be taken only by way of example and not to otherwise limit the scope of the embodiments herein. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the embodiments herein.

Claims
  • 1. A method comprising: receiving, at a network device of a first cloud network of a hybrid cloud environment and from a second cloud network of the hybrid cloud environment, a request to transmit data from the first cloud network to the second cloud network of the hybrid cloud environment, wherein the first cloud network and the second cloud network are connected by a secure communication link;determining, at the network device of the first cloud network, whether a security tag associated with the data includes any access permissions indicating whether the data is allowed to exit the first cloud network; andwhen the security tag includes an access permission indicating that the data is allowed to exit the first cloud network, allowing the data to exit the first cloud network via the network device using the secure communication link to the second cloud network of the hybrid cloud environment.
  • 2. The method of claim 1, wherein the hybrid cloud environment is configured to prevent unauthorized access to the hybrid cloud environment while providing scalability to accommodate increases and decreases in demand for one or more computing resources, the one or more computing resources including one or more processing devices.
  • 3. The method of claim 1, further comprising: screening the request via a firewall of the first cloud network; andbased at least in part on a determination that an additional security tag associated with additional data includes an additional access permission indicating that the additional data is not permitted to exit the first cloud network, denying an additional request to transmit the data from the first cloud network to an external location.
  • 4. The method of claim 1, further comprising: transmitting the data from the first cloud network via the secure communication link, the secure communication link utilized for secure communications between the first cloud network and the second cloud network, wherein the secure communication link does not allow connection to the Internet.
  • 5. The method of claim 1, wherein the security tag is automatically applied to at least one of data associated with applications initialized in the hybrid cloud environment and the applications initialized in the hybrid cloud environment.
  • 6. The method of claim 1, further comprising: receiving a second request for a virtual machine in the hybrid cloud environment;determining that the second request originates from an address of a private cloud network of the hybrid cloud environment; andproviding the virtual machine in the hybrid cloud environment.
  • 7. The method of claim 1, further comprising: receiving a second request for access to a private cloud network of the hybrid cloud environment from a public cloud network of the hybrid cloud environment;determining that the second request for access to the private cloud network is from an entity with permission to operate in the private cloud network; andbased at least in part on the permission, allowing access to the private cloud network.
  • 8. The method of claim 1, further comprising: receiving a second request for access to a public cloud network of the hybrid cloud environment from a private cloud network of the hybrid cloud environment;determining that the second request for access to the public cloud network is from an entity with permission to operate in the public cloud network; andbased at least in part on the permission, allowing access to the public cloud network.
  • 9. A system comprising: one or more processors; andat least one memory having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to: receive, at a first cloud network of a hybrid cloud environment and from a second cloud network of the hybrid cloud environment, a request to transmit data from the first cloud network to the second cloud network of the hybrid cloud environment, wherein the first cloud network and the second cloud network are connected by a secure communication link;determine whether a security tag associated with the data includes any access permissions indicating whether the data is allowed to exit the first cloud network; andwhen the security tag an access permission indicating that the data is allowed to exit the first cloud network, allow the data to exit the first cloud network via a network device associated with the first cloud network to the second cloud network of the hybrid cloud environment.
  • 10. The system of claim 9, the at least one memory having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to: based at least in part on a determination that an additional security tag associated with additional data includes an additional access permission indicating that the additional data is not permitted to exit the first cloud network, deny an additional request to transmit the data from the first cloud network to an external location.
  • 11. The system of claim 9, the at least one memory having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to: transmit the data from the first cloud network via the secure communication link, the secure communication link utilized for secure communications between the first cloud network and the second cloud network, wherein the secure communication link does not allow connection to the Internet.
  • 12. The system of claim 9, the at least one memory having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to: receive a second request for a virtual machine in the hybrid cloud environment;determine that the second request originates from an address of a private cloud network of the hybrid cloud environment; andprovide the virtual machine in the hybrid cloud environment.
  • 13. The system of claim 9, the at least one memory having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to: receive a second request for access to a private cloud network of the hybrid cloud environment from a public cloud network of the hybrid cloud environment;determine that the second request for access to the private cloud network is from an entity with permission to operate in the private cloud network; andbased at least in part on the permission, allow access to the private cloud network.
  • 14. The system of claim 9, the at least one memory having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to: receive a second request for access to a public cloud network of the hybrid cloud environment from a private cloud network of the hybrid cloud environment;determine that the second request for access to the public cloud network is from an entity with permission to operate in the public cloud network; andbased at least in part on the permission, allow access to the public cloud network.
  • 15. A non-transitory computer-readable medium having stored therein instructions which, when executed by one or more processors, cause the one or more processors to: receive, at a first cloud network of a hybrid cloud environment and from a second cloud network of the hybrid cloud environment, a request to transmit data from the first cloud network to the second cloud network of the hybrid cloud environment, wherein the first cloud network and the second cloud network are connected by a secure communication link;determine whether a security tag associated with the data includes any access permissions indicating whether the data is allowed to exit the first cloud network; andwhen the security tag an access permission indicating that the data is allowed to exit the first cloud network, allow the data to exit the first cloud network via a network device associated with the first cloud network to the second cloud network of the hybrid cloud environment.
  • 16. The non-transitory computer-readable medium of claim 15, storing additional instructions which, when executed by one or more processors, cause the one or more processors to: based at least in part on a determination that an additional security tag associated with additional data includes an additional access permission indicating that the additional data is not permitted to exit the first cloud network, deny an additional request to transmit the data from the first cloud network to an external location.
  • 17. The non-transitory computer-readable medium of claim 14, wherein the security tag is automatically applied to applications initialized in the hybrid cloud environment.
  • 18. The non-transitory computer-readable medium of claim 14, storing additional instructions which, when executed by one or more processors, cause the one or more processors to: receive a second request for a virtual machine in the hybrid cloud environment;determine that the second request originates from an address of a private cloud network of the hybrid cloud environment; andprovide the virtual machine in the hybrid cloud environment.
  • 19. The non-transitory computer-readable medium of claim 14, storing additional instructions which, when executed by one or more processors, cause the one or more processors to: receive a second request for access to a private cloud network of the hybrid cloud environment from a public cloud network of the hybrid cloud environment;determine that the second request for access to the private cloud network is from an entity with permission to operate in the private cloud network; andbased at least in part on the permission, allow access to the private cloud network.
  • 20. The non-transitory computer-readable medium of claim 14, storing additional instructions which, when executed by one or more processors, cause the one or more processors to: receive a second request for access to a public cloud network of the hybrid cloud environment from a private cloud network of the hybrid cloud environment;determine that the second request for access to the public cloud network is from an entity with permission to operate in the public cloud network; andbased at least in part on the permission, allow access to the public cloud network.
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 14/881,649, filed on Apr. 13, 2018, the content of which is incorporated herein by reference in its entirety.

US Referenced Citations (363)
Number Name Date Kind
5812773 Norin Sep 1998 A
5889896 Meshinsky et al. Mar 1999 A
6108782 Fletcher et al. Aug 2000 A
6178453 Mattaway et al. Jan 2001 B1
6298153 Oishi Oct 2001 B1
6343290 Cossins et al. Jan 2002 B1
6643260 Kloth et al. Nov 2003 B1
6683873 Kwok et al. Jan 2004 B1
6721804 Rubin et al. Apr 2004 B1
6733449 Krishnamurthy et al. May 2004 B1
6735631 Oehrke et al. May 2004 B1
6996615 McGuire Feb 2006 B1
7054930 Cheriton May 2006 B1
7058706 Lyer et al. Jun 2006 B1
7062571 Dale et al. Jun 2006 B1
7111177 Chauvel et al. Sep 2006 B1
7212490 Kao et al. May 2007 B1
7277948 Igarashi et al. Oct 2007 B2
7313667 Pullela et al. Dec 2007 B1
7379846 Williams et al. May 2008 B1
7480672 Hahn et al. Jan 2009 B2
7496043 Leong et al. Feb 2009 B1
7536476 Alleyne May 2009 B1
7567504 Darling et al. Jul 2009 B2
7606147 Luft et al. Oct 2009 B2
7647594 Togawa Jan 2010 B2
7773510 Back et al. Aug 2010 B2
7808897 Mehta et al. Oct 2010 B1
7881957 Cohen et al. Feb 2011 B1
7917647 Cooper et al. Mar 2011 B2
8010598 Tanimoto Aug 2011 B2
8028071 Mahalingam et al. Sep 2011 B1
8041714 Aymeloglu et al. Oct 2011 B2
8121117 Amdahl et al. Feb 2012 B1
8171415 Appleyard et al. May 2012 B2
8234377 Cohn Jul 2012 B2
8244559 Horvitz et al. Aug 2012 B2
8250215 Stienhans et al. Aug 2012 B2
8280880 Aymeloglu et al. Oct 2012 B1
8284664 Aybay et al. Oct 2012 B1
8301746 Head et al. Oct 2012 B2
8345692 Smith Jan 2013 B2
8406141 Couturier et al. Mar 2013 B1
8407413 Yucel et al. Mar 2013 B1
8448171 Donnellan et al. May 2013 B2
8477610 Zuo et al. Jul 2013 B2
8495356 Ashok et al. Jul 2013 B2
8510469 Portolani Aug 2013 B2
8514868 Hill Aug 2013 B2
8532108 Li et al. Sep 2013 B2
8533687 Greifeneder et al. Sep 2013 B1
8547974 Guruswamy et al. Oct 2013 B1
8560639 Murphy et al. Oct 2013 B2
8560663 Baucke et al. Oct 2013 B2
8589543 Dutta et al. Nov 2013 B2
8590050 Nagpal et al. Nov 2013 B2
8611356 Yu et al. Dec 2013 B2
8612625 Andreis et al. Dec 2013 B2
8630291 Shaffer et al. Jan 2014 B2
8639787 Lagergren et al. Jan 2014 B2
8656024 Krishnan et al. Feb 2014 B2
8660129 Brendel et al. Feb 2014 B1
8700891 Qi Apr 2014 B2
8719804 Jain May 2014 B2
8775576 Hebert et al. Jul 2014 B2
8797867 Chen et al. Aug 2014 B1
8805951 Faibish et al. Aug 2014 B1
8850182 Fritz et al. Sep 2014 B1
8856339 Mestery et al. Oct 2014 B2
8909928 Ahmad et al. Dec 2014 B2
8918510 Gmach et al. Dec 2014 B2
8924720 Raghuram et al. Dec 2014 B2
8930747 Levijarvi et al. Jan 2015 B2
8938775 Roth et al. Jan 2015 B1
8959526 Kansal et al. Feb 2015 B2
8977754 Curry, Jr. et al. Mar 2015 B2
9009697 Breiter et al. Apr 2015 B2
9015324 Jackson Apr 2015 B2
9043439 Bicket et al. May 2015 B2
9049115 Rajendran et al. Jun 2015 B2
9063789 Beaty et al. Jun 2015 B2
9065727 Liu et al. Jun 2015 B1
9075649 Bushman et al. Jul 2015 B1
9164795 Vincent Oct 2015 B1
9167050 Durazzo et al. Oct 2015 B2
9201701 Boldyrev et al. Dec 2015 B2
9201704 Chang et al. Dec 2015 B2
9203784 Chang et al. Dec 2015 B2
9223634 Chang et al. Dec 2015 B2
9244776 Koza et al. Jan 2016 B2
9251114 Ancin et al. Feb 2016 B1
9264478 Hon et al. Feb 2016 B2
9313048 Chang et al. Apr 2016 B2
9361192 Smith et al. Jun 2016 B2
9380075 He et al. Jun 2016 B2
9432294 Sharma et al. Aug 2016 B1
9444744 Sharma et al. Sep 2016 B1
9473365 Melander et al. Oct 2016 B2
9503530 Niedzielski Nov 2016 B1
9558078 Farlee et al. Jan 2017 B2
9613078 Vermeulen et al. Apr 2017 B2
9628471 Sundaram et al. Apr 2017 B1
9658876 Chang et al. May 2017 B2
9692802 Bicket et al. Jun 2017 B2
9755858 Bagepalli et al. Sep 2017 B2
20020073337 Ioele et al. Jun 2002 A1
20020143928 Maltz et al. Oct 2002 A1
20020166117 Abrams et al. Nov 2002 A1
20020174216 Shorey et al. Nov 2002 A1
20030018591 Komisky Jan 2003 A1
20030056001 Mate et al. Mar 2003 A1
20030228585 Inoko et al. Dec 2003 A1
20040004941 Malan et al. Jan 2004 A1
20040095237 Chen et al. May 2004 A1
20040131059 Ayyakad et al. Jul 2004 A1
20040264481 Darling et al. Dec 2004 A1
20050060418 Sorokopud Mar 2005 A1
20050125424 Herriott et al. Jun 2005 A1
20060104286 Cheriton May 2006 A1
20060126665 Ward et al. Jun 2006 A1
20060146825 Hofstaedter et al. Jul 2006 A1
20060155875 Cheriton Jul 2006 A1
20060168338 Bruegl et al. Jul 2006 A1
20070174663 Crawford et al. Jul 2007 A1
20070223487 Kajekar et al. Sep 2007 A1
20070242830 Conrado et al. Oct 2007 A1
20080005293 Bhargava et al. Jan 2008 A1
20080084880 Dharwadkar Apr 2008 A1
20080165778 Ertemalp Jul 2008 A1
20080198752 Fan et al. Aug 2008 A1
20080201711 Amir Husain Aug 2008 A1
20080235755 Blaisdell et al. Sep 2008 A1
20090006527 Gingell, Jr. et al. Jan 2009 A1
20090019367 Cavagnari et al. Jan 2009 A1
20090031312 Mausolf et al. Jan 2009 A1
20090083183 Rao et al. Mar 2009 A1
20090138763 Arnold May 2009 A1
20090177775 Radia et al. Jul 2009 A1
20090178058 Stillwell, III et al. Jul 2009 A1
20090182874 Morford et al. Jul 2009 A1
20090265468 Annambhotla et al. Oct 2009 A1
20090265753 Anderson et al. Oct 2009 A1
20090293056 Ferris Nov 2009 A1
20090300608 Ferris et al. Dec 2009 A1
20090313562 Appleyard et al. Dec 2009 A1
20090323706 Germain et al. Dec 2009 A1
20090328031 Pouyadou et al. Dec 2009 A1
20100042720 Stienhans et al. Feb 2010 A1
20100061250 Nugent Mar 2010 A1
20100115341 Baker et al. May 2010 A1
20100131765 Bromley et al. May 2010 A1
20100191783 Mason et al. Jul 2010 A1
20100192157 Jackson et al. Jul 2010 A1
20100205601 Abbas et al. Aug 2010 A1
20100211782 Auradkar, V et al. Aug 2010 A1
20100293270 Augenstein et al. Nov 2010 A1
20100318609 Lahiri et al. Dec 2010 A1
20100325199 Park et al. Dec 2010 A1
20100325441 Laurie et al. Dec 2010 A1
20100333116 Prahlad et al. Dec 2010 A1
20110016214 Jackson Jan 2011 A1
20110035754 Srinivasan Feb 2011 A1
20110055396 Dehaan Mar 2011 A1
20110055398 Dehaan et al. Mar 2011 A1
20110055470 Portolani Mar 2011 A1
20110072489 Parann-Nissany Mar 2011 A1
20110075667 Li et al. Mar 2011 A1
20110110382 Jabr et al. May 2011 A1
20110116443 Yu et al. May 2011 A1
20110126099 Anderson et al. May 2011 A1
20110138055 Daly et al. Jun 2011 A1
20110145413 Dawson et al. Jun 2011 A1
20110145657 Bishop et al. Jun 2011 A1
20110173303 Rider Jul 2011 A1
20110185063 Head et al. Jul 2011 A1
20110213966 Fu et al. Sep 2011 A1
20110219434 Betz et al. Sep 2011 A1
20110231715 Kunii et al. Sep 2011 A1
20110231899 Pulier et al. Sep 2011 A1
20110239039 Dieffenbach et al. Sep 2011 A1
20110252327 Awasthi et al. Oct 2011 A1
20110261811 Battestilli et al. Oct 2011 A1
20110261828 Smith Oct 2011 A1
20110276675 Singh et al. Nov 2011 A1
20110276951 Jain Nov 2011 A1
20110295998 Ferris et al. Dec 2011 A1
20110305149 Scott et al. Dec 2011 A1
20110307531 Gaponenko et al. Dec 2011 A1
20110320870 Kenigsberg et al. Dec 2011 A1
20120005724 Lee Jan 2012 A1
20120054367 Ramakrishnan et al. Mar 2012 A1
20120072318 Akiyama et al. Mar 2012 A1
20120072578 Alam Mar 2012 A1
20120072581 Tung et al. Mar 2012 A1
20120072985 Davne et al. Mar 2012 A1
20120072992 Arasaratnam et al. Mar 2012 A1
20120084445 Brock et al. Apr 2012 A1
20120084782 Chou et al. Apr 2012 A1
20120096134 Suit Apr 2012 A1
20120102193 Rathore et al. Apr 2012 A1
20120102199 Hopmann et al. Apr 2012 A1
20120131174 Ferris et al. May 2012 A1
20120137215 Kawara May 2012 A1
20120158967 Sedayao et al. Jun 2012 A1
20120159097 Jennas, II et al. Jun 2012 A1
20120167094 Suit Jun 2012 A1
20120173710 Rodriguez Jul 2012 A1
20120179909 Sagi et al. Jul 2012 A1
20120180044 Donnellan et al. Jul 2012 A1
20120182891 Lee et al. Jul 2012 A1
20120185913 Martinez et al. Jul 2012 A1
20120192016 Gotesdyner et al. Jul 2012 A1
20120192075 Ebtekar et al. Jul 2012 A1
20120201135 Ding et al. Aug 2012 A1
20120214506 Skaaksrud et al. Aug 2012 A1
20120222106 Kuehl Aug 2012 A1
20120236716 Anbazhagan et al. Sep 2012 A1
20120240113 Hur Sep 2012 A1
20120265976 Spiers et al. Oct 2012 A1
20120272025 Park et al. Oct 2012 A1
20120281706 Agarwal et al. Nov 2012 A1
20120281708 Chauhan et al. Nov 2012 A1
20120290647 Ellison et al. Nov 2012 A1
20120297238 Watson et al. Nov 2012 A1
20120311106 Morgan Dec 2012 A1
20120311568 Jansen Dec 2012 A1
20120324092 Brown et al. Dec 2012 A1
20120324114 Dutta et al. Dec 2012 A1
20130003567 Gallant et al. Jan 2013 A1
20130013248 Brugler et al. Jan 2013 A1
20130036213 Hasan et al. Feb 2013 A1
20130044636 Koponen et al. Feb 2013 A1
20130066940 Shao Mar 2013 A1
20130080509 Wang Mar 2013 A1
20130080624 Nagai et al. Mar 2013 A1
20130091557 Gurrapu Apr 2013 A1
20130097601 Podvratnik et al. Apr 2013 A1
20130104140 Meng et al. Apr 2013 A1
20130111540 Sabin May 2013 A1
20130117337 Dunham May 2013 A1
20130124712 Parker May 2013 A1
20130125124 Kempf et al. May 2013 A1
20130138816 Kuo et al. May 2013 A1
20130144978 Jain et al. Jun 2013 A1
20130152076 Patel Jun 2013 A1
20130152175 Hromoko et al. Jun 2013 A1
20130159097 Schory et al. Jun 2013 A1
20130159496 Hamilton et al. Jun 2013 A1
20130160008 Cawlfield et al. Jun 2013 A1
20130162753 Hendrickson et al. Jun 2013 A1
20130169666 Pacheco et al. Jul 2013 A1
20130179941 McGloin et al. Jul 2013 A1
20130182712 Aguayo et al. Jul 2013 A1
20130185433 Zhu et al. Jul 2013 A1
20130191106 Kephart et al. Jul 2013 A1
20130198374 Zalmanovitch et al. Aug 2013 A1
20130204849 Chacko Aug 2013 A1
20130211546 Lawson Aug 2013 A1
20130232491 Radhakrishnan et al. Sep 2013 A1
20130246588 Borowicz et al. Sep 2013 A1
20130250770 Zou et al. Sep 2013 A1
20130254415 Fullen et al. Sep 2013 A1
20130262347 Dodson Oct 2013 A1
20130283364 Chang et al. Oct 2013 A1
20130297769 Chang et al. Nov 2013 A1
20130318240 Hebert et al. Nov 2013 A1
20130318546 Kothuri et al. Nov 2013 A1
20130339949 Spiers et al. Dec 2013 A1
20140006481 Frey et al. Jan 2014 A1
20140006535 Reddy Jan 2014 A1
20140006585 Dunbar et al. Jan 2014 A1
20140040473 Ho et al. Feb 2014 A1
20140040883 Tompkins Feb 2014 A1
20140052877 Mao Feb 2014 A1
20140059310 Du et al. Feb 2014 A1
20140074850 Noel et al. Mar 2014 A1
20140075048 Yuksel et al. Mar 2014 A1
20140075108 Dong et al. Mar 2014 A1
20140075357 Flores et al. Mar 2014 A1
20140075501 Srinivasan et al. Mar 2014 A1
20140089727 Cherkasova et al. Mar 2014 A1
20140098762 Ghai et al. Apr 2014 A1
20140108985 Scott et al. Apr 2014 A1
20140122560 Ramey et al. May 2014 A1
20140136779 Guha et al. May 2014 A1
20140140211 Chandrasekaran et al. May 2014 A1
20140141720 Princen et al. May 2014 A1
20140156557 Zeng et al. Jun 2014 A1
20140164486 Ravichandran et al. Jun 2014 A1
20140188825 Muthukkaruppan et al. Jul 2014 A1
20140189095 Lindberg et al. Jul 2014 A1
20140189125 Amies et al. Jul 2014 A1
20140215471 Cherkasova Jul 2014 A1
20140222953 Karve et al. Aug 2014 A1
20140244851 Lee Aug 2014 A1
20140245298 Zhou et al. Aug 2014 A1
20140282536 Dave et al. Sep 2014 A1
20140282611 Campbell et al. Sep 2014 A1
20140282889 Ishaya et al. Sep 2014 A1
20140289200 Kato Sep 2014 A1
20140297569 Clark et al. Oct 2014 A1
20140297835 Buys Oct 2014 A1
20140314078 Jilani Oct 2014 A1
20140317261 Shatzkamer et al. Oct 2014 A1
20140331300 Sinn Nov 2014 A1
20140366155 Chang et al. Dec 2014 A1
20140372567 Ganesh et al. Dec 2014 A1
20150033086 Sasturkar et al. Jan 2015 A1
20150043576 Dixon et al. Feb 2015 A1
20150052247 Threefoot et al. Feb 2015 A1
20150052517 Raghu et al. Feb 2015 A1
20150058382 St. Laurent et al. Feb 2015 A1
20150058459 Amendjian et al. Feb 2015 A1
20150071285 Kumar et al. Mar 2015 A1
20150100471 Curry, Jr. et al. Apr 2015 A1
20150106802 Ivanov et al. Apr 2015 A1
20150106805 Melander et al. Apr 2015 A1
20150117199 Chinnaiah Sankaran et al. Apr 2015 A1
20150117458 Gurkan et al. Apr 2015 A1
20150120914 Wada et al. Apr 2015 A1
20150178133 Phelan et al. Jun 2015 A1
20150215819 Bosch et al. Jul 2015 A1
20150227405 Jan et al. Aug 2015 A1
20150242204 Hassine et al. Aug 2015 A1
20150249709 Teng et al. Sep 2015 A1
20150280980 Bitar Oct 2015 A1
20150281067 Wu Oct 2015 A1
20150281113 Siciliano et al. Oct 2015 A1
20150309908 Pearson et al. Oct 2015 A1
20150319063 Zourzouvillys et al. Nov 2015 A1
20150326524 Tankala et al. Nov 2015 A1
20150339210 Kopp et al. Nov 2015 A1
20150373108 Fleming et al. Dec 2015 A1
20160011925 Kulkarni et al. Jan 2016 A1
20160013990 Kulkarni et al. Jan 2016 A1
20160057107 Call Feb 2016 A1
20160062786 Meng et al. Mar 2016 A1
20160094398 Choudhury et al. Mar 2016 A1
20160094480 Kulkarni et al. Mar 2016 A1
20160094643 Jain et al. Mar 2016 A1
20160099847 Melander et al. Apr 2016 A1
20160105393 Thakkar et al. Apr 2016 A1
20160127184 Bursell May 2016 A1
20160134557 Steinder et al. May 2016 A1
20160164914 Madhav et al. Jun 2016 A1
20160188527 Cherian et al. Jun 2016 A1
20160234071 Nambiar et al. Aug 2016 A1
20160239399 Babu et al. Aug 2016 A1
20160253078 Ebtekar et al. Sep 2016 A1
20160254968 Ebtekar et al. Sep 2016 A1
20160261564 Foxhoven et al. Sep 2016 A1
20160277368 Narayanaswamy et al. Sep 2016 A1
20170005948 Melander et al. Jan 2017 A1
20170024260 Chandrasekaran et al. Jan 2017 A1
20170026470 Bhargava et al. Jan 2017 A1
20170041342 Efremov et al. Feb 2017 A1
20170054659 Ergin et al. Feb 2017 A1
20170097841 Chang et al. Apr 2017 A1
20170099188 Chang et al. Apr 2017 A1
20170147297 Krishnamurthy et al. May 2017 A1
20170171158 Hoy et al. Jun 2017 A1
20170264663 Bicket et al. Sep 2017 A1
20170339070 Chang et al. Nov 2017 A1
Foreign Referenced Citations (13)
Number Date Country
101719930 Jun 2010 CN
101394360 Jul 2011 CN
102164091 Aug 2011 CN
104320342 Jan 2015 CN
105740084 Jul 2016 CN
2228719 Sep 2010 EP
2439637 Apr 2012 EP
2645253 Nov 2014 EP
10-2015-0070676 May 2015 KR
M394537 Dec 2010 TW
WO 2009155574 Dec 2009 WO
WO 2010030915 Mar 2010 WO
WO 2013158707 Oct 2013 WO
Non-Patent Literature Citations (60)
Entry
International Search Report and Written Opinion, dated Dec. 9, 2016, for corresponding PCT Application No. PCT/US2016/056648.
Amedro, Brian, et al., “An Efficient Framework for Running Applications on Clusters, Grids and Cloud,” 2010, 17 pages.
Author Unknown, “5 Benefits of a Storage Gateway in the Cloud,” Blog, TwinStrata, Inc., Jul. 25, 2012, XP055141645, 4 pages, https://web.archive.org/web/20120725092619/http://blog.twinstrata.com/2012/07/10//5-benefits-of-a-storage-gateway-in-the-cloud.
Author Unknown, “Joint Cisco and VMWare Solution for Optimizing Virtual Desktop Delivery: Data Center 3.0: Solutions to Accelerate Data Center Virtualization,” Cisco Systems, Inc. and VMware, Inc., Sep. 2008, 10 pages.
Author Unknown, “A Look at DeltaCloud: The Multi-Cloud API,” Feb. 17, 2012, 4 pages.
Author Unknown, “About Deltacloud,” Apache Software Foundation, Aug. 18, 2013, 1 page.
Author Unknown, “Architecture for Managing Clouds, A White Paper from the Open Cloud Standards Incubator,” Version 1.0.0, Document No. DSP-IS0102, Jun. 18, 2010, 57 pages.
Author Unknown, “Cloud Infrastructure Management Interface—Common Information Model (CIMI-CIM),” Document No. DSP0264, Version 1.0.0, Dec. 14, 2012, 21 pages.
Author Unknown, “Cloud Infrastructure Management Interface (CIMI) Primer,” Document No. DSP2027, Version 1.0.1, Sep. 12, 2012, 30 pages.
Author Unknown, “cloudControl Documentation,” Aug. 25, 2013, 14 pages.
Author Unknown, “Interoperable Clouds, A White Paper from the Open Cloud Standards Incubator,” Version 1.0.0, Document No. DSP-IS0101, Nov. 11, 2009, 21 pages.
Author Unknown, “Microsoft Cloud Edge Gateway (MCE) Series Appliance,” Iron Networks, Inc., 2014, 4 pages.
Author Unknown, “Open Data Center Alliance Usage: Virtual Machine (VM) Interoperability in a Hybrid Cloud Environment Rev. 1.2,” Open Data Center Alliance, Inc., 2013, 18 pages.
Author Unknown, “Real-Time Performance Monitoring On Juniper Networks Devices, Tips and Tools for Assessing and Analyzing Network Efficiency,” Juniper Networks, Inc., May 2010, 35 pages.
Author Unknown, “Use Cases and Interactions for Managing Clouds, A White Paper from the Open Cloud Standards Incubator,” Version 1.0.0, Document No. DSP-ISO0103, Jun. 16, 2010, 75 pages.
Author Unknown, “Apache Ambari Meetup What's New,” Hortonworks Inc., Sep. 2013, 28 pages.
Author Unknown, “Introduction,” Apache Ambari project, Apache Software Foundation, 2014, 1 page.
Beyer, Steffen, “Module “Data::Locations?!”,” YAPC::Europe, London, UK,ICA, Sep. 22-24, 2000, XP002742700, 15 pages.
Borovick, Lucinda, et al., “Architecting the Network for the Cloud,” IDC White Paper, Jan. 2011, 8 pages.
Bosch, Greg, “Virtualization,” last modified Apr. 2012 by B. Davison, 33 pages.
Broadcasters Audience Research Board, “What's Next,” http://lwww.barb.co.uk/whats-next, accessed Jul. 22, 2015, 2 pages.
Cisco Systems, Inc. “Best Practices in Deploying Cisco Nexus 1000V Series Switches on Cisco UCS B and C Series Cisco UCS Manager Servers,” Cisco White Paper, Apr. 2011, 36 pages, http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c11-558242.pdf.
Cisco Systems, Inc., “Cisco Unified Network Services: Overcome Obstacles to Cloud-Ready Deployments,” Cisco White Paper, Jan. 2011, 6 pages.
Cisco Systems, Inc., “Cisco Intercloud Fabric: Hybrid Cloud with Choice, Consistency, Control and Compliance,” Dec. 10, 2014, 22 pages.
Cisco Technology, Inc., “Cisco Expands Videoscape TV Platform Into the Cloud,” Jan. 6, 2014, Las Vegas, Nevada, Press Release, 3 pages.
Citrix, “Citrix StoreFront 2.0” White Paper, Proof of Concept Implementation Guide, Citrix Systems, Inc., 2013, 48 pages.
Citrix, “CloudBridge for Microsoft Azure Deployment Guide,” 30 pages.
Citrix, “Deployment Practices and Guidelines for NetScaler 10.5 on Amazon Web Services,” White Paper, citrix.com, 2014, 14 pages.
CSS Corp, “Enterprise Cloud Gateway (ECG)—Policy driven framework for managing multi-cloud environments,” original published on or about Feb. 11, 2012; 1 page; http://www.css-cloud.com/platform/enterprise-cloud-gateway.php.
Fang K., “LISP MAC-EID-TO-RLOC Mapping (LISP based L2VPN),” Network Working Group, Internet Draft, CISCO Systems, Jan. 2012, 12 pages.
Gedymin, Adam, “Cloud Computing with an emphasis on Google App Engine,” Sep. 2011, 146 pages.
Good, Nathan A., “Use Apache Deltacloud to administer multiple instances with a single API,” Dec. 17, 2012, 7 pages.
Herry, William, “Keep It Simple, Stupid: OpenStack nova-scheduler and its algorithm”, May 12, 2012, IBM, 12 pages.
Hewlett-Packard Company, “Virtual context management on network devices”, Research Disclosure, vol. 564, No. 60, Apr. 1, 2011, Mason Publications, Hampshire, GB, Apr. 1, 2011, 524.
Juniper Networks, Inc., “Recreating Real Application Traffic in Junosphere Lab,” Solution Brief, Dec. 2011, 3 pages.
Kenhui, “Musings On Cloud Computing and IT-as-a-Service: [Updated for Havana] Openstack Computer for VSphere Admins, Part 2: Nova-Scheduler and DRS”, Jun. 26, 2013, Cloud Architect Musings, 12 pages.
Kolyshkin, Kirill, “Virtualization in Linux,” Sep. 1, 2006, XP055141648, 5 pages, https://web.archive.org/web/20070120205111/http://download.openvz.org/doc/openvz-intro.pdf.
Kunz, Thomas, et al., “OmniCloud—The Secure and Flexible Use of Cloud Storage Services,” 2014, 30 pages.
Lerach, S.R.O., “Golem,” http://www.lerach.cz/en/products/golem, accessed Jul. 22, 2015, 2 pages.
Linthicum, David, “VM Import could be a game changer for hybrid clouds”, InfoWorld, Dec. 23, 2010, 4 pages.
Logan, Marcus, “Hybrid Cloud Application Architecture for Elastic Java-Based Web Applications,” F5 Deployment Guide Version 1.1, 2016, 65 pages.
Lynch, Sean, “Monitoring cache with Claspin” Facebook Engineering, Sep. 19, 2012, 5 pages.
Meireles, Fernando Miguel Dias, “Integrated Management of Cloud Computing Resources,” 2013-2014, 286 pages.
Mu, Shuai, et al., “uLibCloud: Providing High Available and Uniform Accessing to Multiple Cloud Storages,” 2012 IEEE, 8 pages.
Naik, Vijay K., et al., “Harmony: A Desktop Grid for Delivering Enterprise Computations,” Grid Computing, 2003, Fourth International Workshop on Proceedings, Nov. 17, 2003, pp. 1-11.
Nair, Srijith K. et al., “Towards Secure Cloud Bursting, Brokerage and Aggregation,” 2012, 8 pages, www.flexiant.com.
Nielsen, “SimMetry Audience Measurement—Technology,” http://www.nielsen-admosphere.eu/products-and-services/simmetry-audience-measurement-technology/, accessed Jul. 22, 2015, 6 pages.
Nielsen, “Television,” http://www.nielsen.com/us/en/solutions/measurement/television.html, accessed Jul. 22, 2015, 4 pages.
Open Stack, “Filter Scheduler,” updated Dec. 17, 2017, 5 pages, accessed on Dec. 18, 2017, https://docs.openstack.org/nova/latest/user/filter-scheduler.html.
Rabadan, J., et al., “Operational Aspects of Proxy-ARP/ND in EVPN Networks,” BESS Worksgroup Internet Draft, draft-snr-bess-evpn-proxy-arp-nd-02, Oct. 6, 2015, 22 pages.
Saidi, Ali, et al., “Performance Validation of Network-Intensive Workloads on a Full-System Simulator,” Interaction between Operating System and Computer Architecture Workshop, (IOSCA 2005), Austin, Texas, Oct. 2005, 10 pages.
Shunra, “Shunra for HP Software; Enabling Confidence in Application Performance Before Deployment,” 2010, 2 pages.
Son, Jungmin, “Automatic decision system for efficient resource selection and allocation in inter-clouds,” Jun. 2013, 35 pages.
Sun, Aobing, et al., “IaaS Public Cloud Computing Platform Scheduling Model and Optimization Analysis,” Int. J. Communications, Network and System Sciences, 2011, 4, 803-811, 9 pages.
Szymaniak, Michal, et al., “Latency-Driven Replica Placement”, vol. 47 No. 8, IPSJ Journal, Aug. 2006, 12 pages.
Toews, Everett, “Introduction to Apache jclouds,” Apr. 7, 2014, 23 pages.
Von Laszewski, Gregor, et al., “Design of a Dynamic Provisioning System for a Federated Cloud and Bare-metal Environment,” 2012, 8 pages.
Wikipedia, “Filter (software)”, Wikipedia, Feb. 8, 2014, 2 pages, https://en.wikipedia.org/w/index.php?title=Filter_%28software%29&oldid=594544359.
Wikipedia; “Pipeline (Unix)”, Wikipedia, May 4, 2014, 4 pages, https://en.wikipedia.org/w/index.php?title=Pipeline2/028Unix%29&oldid=606980114.
Ye, Xianglong, et al., “A Novel Blocks Placement Strategy for Hadoop,” 2012 IEEE/ACTS 11th International Conference on Computer and Information Science, 2012 IEEE, 5 pages.
Related Publications (1)
Number Date Country
20200021594 A1 Jan 2020 US
Continuations (1)
Number Date Country
Parent 14881649 Oct 2015 US
Child 16581601 US