Cloud computing is a type of computing in which dynamically scalable and typically virtualized resources are provided as services via the Internet. As a result, users need not, and typically do not, possess knowledge of, expertise in, or control over the technology and/or infrastructure implemented in the cloud. Cloud computing generally incorporates infrastructure as a service (“IaaS”), platform as a service (“PaaS”), and/or software as a service (“SaaS”). In a typical embodiment, cloud computing services provide common applications online, which applications are accessed using a web browser and the software and data for which are stored on servers comprising the cloud.
Cloud computing customers typically do not own or possess the physical infrastructure that hosts their software platform; rather, the infrastructure is leased in some manner from a third-party provider. Cloud computing customers can avoid capital expenditures by paying a provider for only what they use on a utility, or resources consumed, basis or a subscription, or time-based, basis, for example. Sharing computing power and/or storage capacity among multiple lessees has many advantages, including improved utilization rates and an increase in overall computer usage.
With the advent of cloud computing and cloud storage, a challenge exists with respect to IP address usage and the sharing of cryptographic keys between a known and trusted location and the computing cloud.
One embodiment is a system for providing cloud computing services. The system comprises a cloud computing environment comprising resources for supporting cloud workloads, each cloud workload having associated therewith an internal cloud address; and a routing system disposed between external workloads of an external computing environment and the cloud workloads, the routing system for directing traffic from an external address to the internal cloud addresses of the cloud workloads. A designated one of the cloud workloads obtains one key of a first pair of cryptographic keys, the first pair of cryptographic keys for decrypting encrypted storage hosted within the cloud computing environment.
To better illustrate the advantages and features of the embodiments, a particular description of several embodiments will be provided with reference to the attached drawings. These drawings, and other embodiments described herein, only illustrate selected aspects of the embodiments and are not intended to limit the scope thereof. Further, despite reference to specific features illustrated in the example embodiments, it will nevertheless be understood that these features are not essential to all embodiments and no limitation of the scope thereof is thereby intended. Any alterations and further modifications in the described embodiments, and any further applications of the principles of the embodiments as described herein are contemplated as would normally occur to one skilled in the art. Furthermore, some items are shown in a simplified form, and inherently include components that are well known in the art. Further still, some items are illustrated as being in direct connection for the sake of simplicity and clarity. Despite the apparent direct connection, it is understood that such illustration does not preclude the existence of intermediate components not otherwise illustrated.
The embodiments described herein provide a mechanism for providing reduced cloud IP address utilization. To this end, one or more embodiments described herein provide a method and mechanism to enable the use of a single IP address to address many instances within a cloud infrastructure. Additionally, one or more such embodiments provide a method and mechanism to provide the keys necessary to secure traffic and storage in the cloud.
Enterprises using the cloud are represented by virtualization processes and storage shown as workloads 112. These processes are typically started by an enterprise via a cloud portal or API utilized by administrative personnel or processes running at the enterprise or in the cloud. A typical cloud services provider may be using standard ITIL practices and may utilize a configuration management database (“CMDB”) 114, which affects the entire cloud infrastructure and which describes the practice and policies used for instantiating virtualized workloads and storage.
In the embodiment illustrated in
As a result, because the secure bridge 208 and virtual router 210 possess mutually shared keys or mutually shared parts of key pairs, a secured connection can be created between the applications 202A-202C and the virtual router 210 via the secure bridge 208 as described in detail in U.S. patent application Ser. No. 12/612,841, which has been incorporated by reference in its entirety. In the embodiment shown in
As previously noted, the virtual router 210 lies within the infrastructure of the cloud services provider and acts as a Network Address Translator (“NAT”) to workloads within a specific domain. In a representative embodiment, the IP address is a private addresses, such as a 10-net, so that only the single external address 212 is necessary to access the cloud processes, as will be described. In such a case, as shown in
In one embodiment, the distributor 214 maintains all port mappings in a distributor registry 226 so that requests from applications 202A-202C can be sent to the appropriate one of the workloads 218A-218D. Information may be split between the distributor registry 226 and the secure bridge 208 and further information, such as tokens from a Representational State Transfer (“REST”) call can be maintained with the port mapping such that better information can be provided during the mapping process.
In the embodiment shown in
Once the secure connection between the applications 202A-202C and the distributor 214 is established based on attestation by the virtual router 210 to the fact that the distributor has not changed and therefore may be trusted in its process model, cryptographic keys may be transmitted from the applications across to the distributor so that a process can receive keys, as represented in
It will be recognized that, as illustrated in
The distributor 214 also provides configuration information to the workloads 218A-218D so that configuration information can be normalized and provided to new workloads that are being brought up as a result of load expansion or contraction. Additionally, the configuration described hereinabove is provided external to the cloud 206 via the same mechanism as was discussed with key distribution. This mechanism provides for a simpler method of keeping the workloads 218A-218D up to date and the startup or boot configuration normalized.
One embodiment is implemented using one or more embodiments described in U.S. patent application Ser. No. 12/197,833 (hereinafter the “'833 application), incorporated by reference hereinabove to find, analyze, and qualify clouds, such as the cloud 206, so that the required infrastructure for allowing the deployment of everything within the cloud 206 will function correctly. The embodiment described in the '833 application also keeps track of reputation of all clouds so that the best price, performance, stability, etc., can be selected for a deployment within the cloud.
In an alternative embodiment, the distributor 214 can reside external to the cloud 206 or in a different cloud. In this case, the virtual router 210 must attest to the validity of the workloads 218A-218D so that it is attested that no changes have been made. In the illustrated embodiment, each of the workloads 218A-218D has a secure connection through the virtual router 210 to the applications 202A-202C so that the annexation is still valid. It will be recognized, however, that this embodiment requires more traffic over the network.
In one embodiment, additional virtual routers, such as a virtual router 232, may be added. In this embodiment, an L4 switch or some other load-balancing mechanism (not shown) may be provided in a known manner to distribute traffic between the external addresses connected to the virtual routers 210, 232. In another embodiment, the information from the distributor registry 226 is available to the workloads 218A-218D such that the information provided by the distributor registry provides the workloads with information necessary to perform clustering, remedial clustering, and/or other types of cooperative computing and storage management.
In one embodiment, the secure bridge 208 may be replaced by a secure connection implemented using a pair of cryptographic keys held by both the trusted environment/enterprise 204 and the cloud 206.
It will be recognized that various ones of the elements and/or modules described herein may be implemented using one or more general purpose computers or portions thereof executing software applications designed to perform the functions described or using one or more special purpose computers or portions thereof configured to perform the functions described. The software applications may comprise computer-executable instructions stored on computer-readable media. Additionally, repositories described herein may be implemented using databases or other appropriate storage media.
While the preceding description shows and describes one or more embodiments, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the present disclosure. For example, various steps of the described methods may be executed in a different order or executed sequentially, combined, further divided, replaced with alternate steps, or removed entirely. In addition, various functions illustrated in the methods or described elsewhere in the disclosure may be combined to provide additional and/or alternate functions. Therefore, the claims should be interpreted in a broad manner, consistent with the present disclosure.
This application is a continuation of U.S. patent application Ser. No. 12/613,098, filed Nov. 5, 2009, now issued as U.S. Pat. No. 9,658,891, which claims the benefit under Title 35, United States Code § 119(e) of U.S. Provisional Patent Application No. 61/160,030 filed on Mar. 13, 2009, the disclosure of which is incorporated herein by reference in its entirety. This application is related to the following commonly-assigned, co-pending applications, each of which is also incorporated herein by reference in its entirety: 1. U.S. patent application Ser. No. 12/612,807; 2. U.S. patent application Ser. No. 12/612,818; 3. U.S. patent application Ser. No. 12/612,834; 4. U.S. patent application Ser. No. 12/612,841; 5. U.S. patent application Ser. No. 12/612,882; 6. U.S. patent application Ser. No. 12/612,895; 7. U.S. patent application Ser. No. 12/612,903; 8. U.S. patent application Ser. No. 12/612,925; 9. U.S. patent application Ser. No. 12/613,077; 10. U.S. patent application Ser. No. 12/613,112; and 11. U.S. patent application Ser. No. 12/197,833
Number | Name | Date | Kind |
---|---|---|---|
5428738 | Carter et al. | Jun 1995 | A |
5608903 | Prasad et al. | Mar 1997 | A |
5677851 | Kingdon et al. | Oct 1997 | A |
5758344 | Prasad et al. | May 1998 | A |
5784560 | Kingdon et al. | Jul 1998 | A |
5787175 | Carter | Jul 1998 | A |
5832275 | Olds | Nov 1998 | A |
5832487 | Olds et al. | Nov 1998 | A |
5870564 | Jensen et al. | Feb 1999 | A |
5878415 | Olds | Mar 1999 | A |
5878419 | Carter | Mar 1999 | A |
5956718 | Prasad et al. | Sep 1999 | A |
6067572 | Jensen et al. | May 2000 | A |
6108619 | Carter et al. | Aug 2000 | A |
6119230 | Carter | Sep 2000 | A |
6185612 | Jensen et al. | Feb 2001 | B1 |
6219652 | Carter et al. | Apr 2001 | B1 |
6275819 | Carter | Aug 2001 | B1 |
6405199 | Carter et al. | Jun 2002 | B1 |
6459809 | Jensen et al. | Oct 2002 | B1 |
6519610 | Ireland et al. | Feb 2003 | B1 |
6539381 | Prasad et al. | Mar 2003 | B1 |
6601171 | Carter et al. | Jul 2003 | B1 |
6647408 | Ricart et al. | Nov 2003 | B1 |
6650777 | Jensen et al. | Nov 2003 | B1 |
6697497 | Jensen et al. | Feb 2004 | B1 |
6738907 | Carter | May 2004 | B1 |
6742035 | Zayas et al. | May 2004 | B1 |
6742114 | Carter et al. | May 2004 | B1 |
6760843 | Carter | Jul 2004 | B1 |
6772214 | McClain et al. | Aug 2004 | B1 |
6826557 | Carter et al. | Nov 2004 | B1 |
6862606 | Major et al. | Mar 2005 | B1 |
6993508 | Major et al. | Jan 2006 | B1 |
7043555 | McClain et al. | May 2006 | B1 |
7107538 | Hinckley et al. | Sep 2006 | B1 |
7152031 | Jensen et al. | Dec 2006 | B1 |
7177922 | Carter et al. | Feb 2007 | B1 |
7185047 | Bate et al. | Feb 2007 | B1 |
7197451 | Carter et al. | Mar 2007 | B1 |
7286977 | Carter et al. | Oct 2007 | B1 |
7290060 | Kong | Oct 2007 | B2 |
7299493 | Burch et al. | Nov 2007 | B1 |
7316027 | Burch et al. | Jan 2008 | B2 |
7334257 | Ebrahimi et al. | Feb 2008 | B1 |
7356819 | Ricart et al. | Apr 2008 | B1 |
7363577 | Kinser et al. | Apr 2008 | B2 |
7376134 | Carter et al. | May 2008 | B2 |
7386514 | Major et al. | Jun 2008 | B2 |
7389225 | Jensen et al. | Jun 2008 | B1 |
7426516 | Ackerman et al. | Sep 2008 | B1 |
7467415 | Carter | Dec 2008 | B2 |
7475008 | Jensen et al. | Jan 2009 | B2 |
7505972 | Wootton et al. | Mar 2009 | B1 |
7506055 | McClain et al. | Mar 2009 | B2 |
7552468 | Burch et al. | Jun 2009 | B2 |
7562011 | Carter et al. | Jul 2009 | B2 |
8327017 | Trost | Dec 2012 | B1 |
20020152307 | Doyle et al. | Oct 2002 | A1 |
20030165121 | Leung et al. | Sep 2003 | A1 |
20070019540 | Biswas | Jan 2007 | A1 |
20090046728 | Matthews | Feb 2009 | A1 |
20090232138 | Gobara | Sep 2009 | A1 |
20090300719 | Ferris | Dec 2009 | A1 |
20100125903 | Devarajan et al. | May 2010 | A1 |
20100161926 | Li et al. | Jun 2010 | A1 |
20100169497 | Klimentiev | Jul 2010 | A1 |
20100180335 | Smithson | Jul 2010 | A1 |
20100228819 | Wei | Sep 2010 | A1 |
20100235630 | Carter et al. | Sep 2010 | A1 |
Entry |
---|
U.S. Appl. No. 12/613,098, filed Nov. 5, 2009 System and Method for Providing Key-Encrypted Storage in a Cloud Computing Environment. |
U.S. Appl. No. 12/613,098, Non Final Office Action dated May 25, 2012, 15 pgs. |
U.S. Appl. No. 12/613,098, Response filed Aug. 27, 2012 to Non Final Office Action dated May 25, 2012, 7 pgs. |
U.S. Appl. No. 12/613,098, Final Office Action dated Dec. 5, 2012, 15 pgs. |
U.S. Appl. No. 12/613,098, Response filed Feb. 5, 2013 to Final Office Action dated Dec. 5, 2012, 7 pgs. |
U.S. Appl. No. 12/613,098, Advisory Action dated Feb. 12, 2013, 3 pgs. |
U.S. Appl. No. 12/613,098, Non Final Office Action dated Apr. 23, 2014, 15 pgs. |
U.S. Appl. No. 12/613,098, Response filed Jul. 23, 2014 to Non Final Office Action dated Apr. 23, 2014, 7 pgs. |
U.S. Appl. No. 12/613,098, Final Office Action dated Nov. 7, 2014, 18 pgs. |
U.S. Appl. No. 12/613,098, Response filed Jan. 7, 2015 to Final Office Action dated Nov. 7, 2014, 8 pgs. |
U.S. Appl. No. 12/613,098, Advisory Action dated Jan. 27, 2015, 3 pgs. |
U.S. Appl. No. 12/613,098, Non Final Office Action dated Jul. 16, 2015, 19 pgs. |
U.S. Appl. No. 12/613,098, Response filed Oct. 16, 2015 to Non Final Office Action dated Jul. 16, 2015, 8 pgs. |
U.S. Appl. No. 12/613,098, Final Office Action dated Jan. 29, 2016, 18 pgs. |
U.S. Appl. No. 12/613,098, Response filed Mar. 29, 2016 to Final Office Action dated Jan. 29, 2016, 9 pgs. |
U.S. Appl. No. 12/613,098, Advisory Action dated May 10, 2016, 3 pgs. |
U.S. Appl. No. 12/613,098, Notice of Allowance dated Feb. 3, 2017, 14 pgs. |
Number | Date | Country | |
---|---|---|---|
20170214669 A1 | Jul 2017 | US |
Number | Date | Country | |
---|---|---|---|
61160030 | Mar 2009 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 12613098 | Nov 2009 | US |
Child | 15483810 | US |