TREA

Systems and methods for scaling down cloud-based servers handling secure connections

Follow

Information

  • Patent Grant
  • 10904322
  • Patent Number
    10,904,322
  • Date Filed
    Friday, June 15, 2018
    6 years ago
  • Date Issued
    Tuesday, January 26, 2021
    3 years ago
Information
Abstract
The disclosed technology relates to systems and methods for automatically scaling down network resources, such as servers or gateway instances, based on predetermined thresholds. A system is configured to detect a reduction in one or more network metrics related to a first server, and instruct the first server to issue a rekey request to a plurality of devices connected to the first server. The system is further configured to instruct a load balancer to route to at least one other server responses from the plurality of devices to the rekey request, and determine a number of connections remaining between the first server and the plurality of devices. The system may be further configured to instruct the load balancer to terminate the first server based on the detected number of connections remaining between the first server and the plurality of devices.
Description
TECHNICAL FIELD

This present disclosure relates in general to the field of computer networks, and more specifically to systems and methods for scaling down cloud-based servers handling secure connections.


BACKGROUND

In a cloud-managed network or cloud-based system, such as an enterprise private network or a data center network, devices such as endpoint machines, access points, routers, switches, servers, firewalls, gateways, other computing devices, virtual machines, containers (an instance of container-based virtualization), or resources (e.g., applications, endpoint groups, etc.) may connect to the cloud-based system over a secure connection, such as by a TLS, DTLS or IPSEC connection.


Cloud-based systems may utilize a virtual machine to serve as a scalable security gateway to manage secure connections between devices and cloud-based servers. Additional instances of the security gateway (e.g., TLS GW, IPSEC GW) may be spun up based on increased network traffic. Cloud-based systems, however, may not be capable of scaling down network resources due to the presence of secure connections that prevent termination of a network resource (e.g., security gateway instance or server) without disconnecting from connected devices.





BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and other advantages and features of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments that are illustrated in the appended drawings. Understanding that these drawings depict only embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:



FIG. 1 is a conceptual block diagram illustrating an example network environment, in accordance with various aspects of the subject technology.



FIG. 2 depicts a sequence diagram showing the communications between devices, a load balancer, servers, and a monitoring module, in accordance with various aspects of the subject technology.



FIG. 3 depicts an example method for scaling down a resource in a network environment, in accordance with various aspects of the subject technology.



FIG. 4 illustrates an example of a system in accordance with some aspects.





DESCRIPTION OF EXAMPLE EMBODIMENTS

The detailed description set forth below is intended as a description of various configurations of embodiments and is not intended to represent the only configurations in which the subject matter of this disclosure can be practiced. The appended drawings are incorporated herein and constitute a part of the detailed description. The detailed description includes specific details for the purpose of providing a more thorough understanding of the subject matter of this disclosure. However, it will be clear and apparent that the subject matter of this disclosure is not limited to the specific details set forth herein and may be practiced without these details. In some instances, structures and components are shown in block diagram form in order to avoid obscuring the concepts of the subject matter of this disclosure.


A cloud-managed network or cloud-based system may utilize secure connection protocols, such as by Transport Layer Security (TLS), Datagram Transport Layer Security (DTLS) or Internet Protocol Security (IPSEC), to connect devices to gateways (GW) or servers. Cloud-based systems may utilize a virtual machine or container to serve as a scalable security gateway to manage secure connections or tunnels between devices and GW instances. Additional GW instances (e.g., TLS GW, IPSEC GW) may be spun up based on increased network traffic.


During non-peak network traffic periods, connections to minimally loaded GW instances cannot be terminated without affecting secure tunnel sessions between the GW instance and connected devices. For example, if a single tunnel remains active on a minimally loaded GW instance, then the minimally loaded GW instance remains active until such time the connection is terminated by the connected device. In particular, where a tunnel is running over a TCP connection, the connection to the minimally loaded GW instance cannot be transitioned to another GW instance without disconnecting or otherwise negatively affecting the tunnel.


In addition, conventional hardware, such as on-premises data gateways, cannot be utilized to scale down GW instances in a cloud-based system because GW instances in a cloud-based system may be located in different clusters, regions, or data centers. Further, scaling down network resources using conventional on-premises data gateways require a central backup of a state of a connection, as well as information about the connection, and thereby require additional overhead.


Accordingly, there is a need in the art for certain embodiments of an intelligent and dynamically down-scalable cloud-based system to address these and/or other issues. Aspects of the subject technology relate to systems and methods for automatically scaling down network resources, such as servers or security GW instances, based on predetermined thresholds, without negatively affecting connectivity. Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustrative purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without departing from the spirit and scope of the disclosure.



FIG. 1 illustrates a conceptual block diagram illustrating an example network environment 100, in accordance with various aspects of the subject technology. Various aspects are discussed with respect to a general wide area network for illustrative purposes, however, these aspects and others may be applied to other types of networks. For example, the network environment 100 may be implemented by any type of network and may include, for example, any one or more of an enterprise private network (EPN), cellular network, a satellite network, a personal area network (PAN), a local area network (LAN), a broadband network (BBN), the Internet, and the like. The network can be a public network, a private network, or a combination thereof. The network environment 100 may be implemented using any number of communications links associated with one or more service providers, including one or more wired communication links, one or more wireless communication links, or any combination thereof. Additionally, the network environment 100 can be configured to support the transmission of data formatted using any number of protocols (e.g., TLS, DTLS, IPSEC).


The network environment 100 may comprise a cloud-managed network or cloud-based system that includes one or more devices 110A-N. A device 110A-N may include machines (e.g., servers, personal computers, laptops), virtual machines, containers, mobile devices (e.g., tablets or smart phones), smart devices (e.g., set top boxes, smart appliances, smart televisions, internet-of-things devices), or network equipment, servers, containers, among other computing devices.


Each device 110A-N is configured to communicate with one or more servers 140A-N via a load balancer 120. For example, devices 110A-N may utilize software applications, browsers, or computer programs that are running on a device such as a desktop computer, laptop computer, tablet computer, server computer, smartphone, or any other apparatus on which an application (e.g., client application) is running that at some point in time, involves a user accessing a service or data provided by the server 140A-N. Devices 110A-N may operate pursuant to the TLS, DTLS, or IPSEC protocol to control how data (e.g., packets) are handled to provide for the data flow of content to the devices 110A-N. Other protocols for provisioning data flow to the devices 110A-N by the load balancer 120 and/or servers 140A-N may also be used.


The load balancer 120 may be configured to manage network traffic to the GW instances or servers 140A-N. In some aspects, an “instance” may refer to a virtual server in a cloud network, such as, for example, servers 140A-N. In cloud deployment of servers 140A-N (e.g., security GW instances), the servers 140A-N may be front-ended by the load balancer 120, which is configured to distribute secure tunnel sessions from devices 110A-N across available servers 140A-N according to one or more distribution schemes. The distribution schemes may, for example, comprise a round-robin distribution, weighted distribution, random distribution, or a combination of load balancing distribution schemes. The distribution schemes may also define a minimal number of instances required for creating a group, and may also define network conditions requiring additional instances to be added to existing groups. Network conditions that may trigger additional instances may include, for example, CPU usage, memory utilization on current instances reaching certain threshold limits, or a number of tunnels or connections reaching certain threshold limits.


The network environment 100 includes a monitoring module 130 connected to the load balancer 120 and servers 140A-N. The network environment 100 may also include additional components, fewer components, or alternative components, such as additional service providers, additional servers, different networks for different devices, and/or additional third-party servers. The network environment 100 may include additional components, such as routers, firewalls, or servers. The load balancer 120 and/or the monitoring module 130 may be implemented as a single machine or distributed across a number of machines in the network, and may comprise one or more servers. In some embodiments, the monitoring module 130 may be implemented as a part or component of another entity such as the load balancer 120 or a network controller.


The network devices (e.g., devices 110A-N, load balancer 120, monitoring module 130, and servers 140A-N) may be connected over links through ports. Any number of ports and links may be used. The ports and links may use the same or different media for communications. Wireless, microwave, wired, Ethernet, digital subscriber lines (DSL), telephone lines, T1 lines, T3 lines, satellite, fiber optics, cable and/or other links may be used.


According to the subject technology disclosed herein, the monitoring module 130 may be configured to scale down or automatically shrink a number of servers 140A-N (e.g., security GW instances) in a cloud-based deployment during non-peak network traffic periods without impacting existing secure connections or tunnels from the devices 110A-N. The monitoring module 130 may be configured to request or detect a number of secure tunnels or connections to a GW instance or server 140A-N, CPU usage, bandwidth utilization, response time, memory utilization, and/or usage of other computing resources. For example, the monitoring module 130 may request from each server 140A-N a number of active connections or tunnels to devices 110A-N. If the number of connections or tunnels for a particular server 140A-N is equal to or less than a predetermined threshold, the monitoring module 130 may run a scaling down or automatic shrink routine, as discussed further below. In another example, the monitoring module 130 may request from each server 140A-N CPU usage, memory usage, and/or other computing resource usage. If CPU or resource usage for a particular server 140A-N is equal to or less than a predetermined threshold, the monitoring module 130 may run a scaling down or automatic shrink routine, as discussed further below.


In some aspects, a number of servers 140A-N (e.g., security GW instances) may be scaled down by transferring secure connections or tunnels to servers 140A-N having connections, tunnel sessions, CPU usage, bandwidth utilization, response time, memory utilization, and/or usage of other computing resources that exceed lower limits of predetermined thresholds (e.g., minimally loaded security GW instances), to other available servers 140A-N (e.g., security GW instances). In one aspect, transfer of secure connections or tunnels may be accomplished without impacting tunnel connectivity by initiating a rekey routine. A rekey routine may refer to a process of changing a session key (e.g., encryption key of an ongoing communication) in order to limit the amount of data encrypted with the same key. A rekey routine may be run after a pre-set volume of data has been transmitted, a given period of time has passed, and/or a command is issued to force new key exchange. For example, the monitoring module 130 may be configured to instruct servers 140A-N (e.g., minimally loaded security GW instances) to initiate a rekey routine to all connected devices 110A-N with secure connections or tunnel sessions. In response, servers 140A-N (e.g., minimally loaded security GW instances) may transmit rekey requests to the connected devices 140A-N. Responses from connected devices 110A-N to the rekey requests may be routed by the load balancer 120 to other available servers 140A-N (e.g., security GW instances) to establish a new secure connection or tunnel session with a different server 140A-N, and thereby replace all secure connections or tunnel sessions to minimally loaded security GW instances. In some aspects, the monitoring module 130 may be configured to instruct the load balancer 120 to route all responses to the rekey requests from devices 110A-N to one or more servers 140A-N, other than minimally loaded servers or security GW instances. After the new secure connections or tunnel sessions are established, the minimally loaded security GW instances may be disconnected from the network thereby scaling down the number of servers 140A-N on the network. In one aspect, by establishing new secure connections or tunnel sessions with other available servers 140A-N (e.g., security GW instances) before terminating the secure connections or tunnel sessions to the minimally loaded servers or security GW instances, transfer of secure connections or tunnel sessions may occur without affecting tunnel connectivity with devices 110A-N.



FIG. 2 depicts a sequence diagram 200 showing the communications between devices 110A-N, load balancer 120, servers 140A-C, and monitoring module 130, in accordance with various aspects of the subject technology. The sequence diagram of FIG. 2 is performed by the devices shown. Devices 110A-N perform acts 205, 230, 245, 250, 260 and 265. The load balancer 120 performs act 235. The server 140A performs acts 240, 255 and 260. The server 140C performs acts 205 and 225. The monitoring module performs acts 210, 215 and 220. Other devices may perform any one or more of the acts, such as a different server. Any of the acts may involve operations by more than one component, such as the determination that threshold limits are met in act 210 by the monitoring module 130, or instruction to not send new session requests to server 140C in act 220 by the monitoring module 130.


Additional, different, or fewer acts may be provided. For example, acts for any one of the devices (e.g., devices 110A-N, load balancer 120, server 140A-C, and monitoring module 130) are performed with or without the other devices performing acts. In yet another example, instruction transmission, rekey processes, routing, or other networking acts are performed in addition to the acts shown in FIG. 2. The acts may be performed in the order shown. The order is listed in numerical sequence and/or from top to bottom in FIG. 2. In alternative aspects, the acts may be performed in other orders.


In act 205, a secure connection or tunnel session (e.g., TLS, DTLS, or IPSEC) is established between each device 110A-N and the server 140C (e.g., security GW instance) to provide for the data flow of content to the devices 110A-N. The monitoring module 130 is configured to carry out policies for detecting network conditions for scaling down servers 140A-C (e.g., containers, virtual machines, security GW instances, etc.). For example, monitoring module 130 may be configured to monitor network metrics, such as number of secure tunnels or connections, CPU usage, bandwidth utilization, response time, memory utilization, and/or usage of other computing resources, and compare values of the metrics with predetermined thresholds to determine whether lower limits of the predetermined thresholds are met or exceeded. By way of example, the monitoring module 130 may be configured to monitor the number of connections or tunnel sessions to all of the security GW instances. In act 210, if the monitoring module 130 determines that the number of tunnel sessions to server 140C is equal to or less than a predetermined threshold (e.g., 10, 100 or 1,000 tunnel sessions), the monitoring module 130 runs a scaling down or auto-shrink routine to transfer all connections or tunnel sessions from server 140C (e.g., minimally loaded security GW instance) to other available servers (e.g., security GW instances), and thereby allow server 140C to be subsequently terminated without negatively affecting secure connections or tunnel sessions from devices 110A-N.


In act 215, the monitoring module 130 instructs the server 140C (e.g., minimally loaded security GW instance) to initiate a rekey request to all secure connections or tunnel sessions connected to the server 140C. In act 220, the monitoring module 130 instructs the load balancer 120 to not send any new secure tunnel session requests (e.g., TCP handshake) to server 140C. In some aspects, the monitoring module 130 may update data associated with the load balancer 120 to cause the load balancer 120 to forward any new secure tunnel session requests (e.g., TCP handshake) to available servers 140A, B (e.g., security GW instances), other than server 140C.


In act 225, in response to the instruction from the monitoring module 130 in act 215, the server 140C transmits a rekey request to all connected devices 110A-N to initiate, for example, a TCP handshake. In act 230, devices 110A-N connected to server 140C that received the rekey request in act 225, transmit a response to the rekey request to initiate a new secure connection (e.g., Security Association (SA)). The response to the rekey request is received by the load balancer 120 and in act 235, routed, distributed or assigned to other available security GW instances, such as server 140A, based on the instruction from the monitoring module in act 220. Devices 110A-N and server 140A may engage in a handshake to negotiate and establish a new secure connection or tunnel session (e.g., TCP handshake) between the devices 110A-N and the server 140A. For example, in act 230, the devices 110A-N may transmit a TCP SYN message that is routed, distributed or assigned to server 140A in act 235 by the load balancer 120. In response, in act 240, the server 140A may transmit a TCP SYN ACK message to the devices 110A-N. In response, in act 245, the devices 110A-N may transmit a TCP ACK message to the server 140A.


In act 250, the devices 110A-N may transmit a “Hello” message to the server 140A and in act 255, the server 140A may respond with a “Hello” message back to the devices 110A-N. In act 260, a secure connection or tunnel session (e.g., TLS, DTLS, or IPSEC) is established between each device 110A-N and the server 140A (e.g., security GW instance) to provide for the data flow of content to the devices 110A-N. In one aspect, the secure connection established in act 205 between each device 110A-N and server 140C remains active and provides the data flow of content to each respective device 110A-N until the new secure connection of act 260 is established with the respective device 110A-N. Once the new secure connection of act 260 is established between the respective device 110A-N and the server 140C, in act 265 the secure connection established in act 205 between the respective device 110A-N and the server 140C may be terminated. In one aspect, because the secure connections established in act 205 between the devices 110A-N and the server 140C are terminated after the new secure connections are established in act 260 between the devices 110A-N and the server 140C, data flow of content to the devices 110A-N is not negatively impacted.


In some aspects, the monitoring module 130 may be further configured to communicate with the server 140C to confirm that there are no active secure connections or tunnel sessions. Once confirmed, the monitoring module 130 may instruct the load balancer 120 to disconnect server 140C to scale down the number of servers 140A-C active in the cloud-based network.


In other aspects, acts 225-265 occur on all connections or tunnel sessions associated with server 140C and may result in transfer of all connections or tunnel sessions from server 140C to server 140A within a timeframe of a few minutes.



FIG. 3 shows an example method 300 for scaling down network resources in a cloud-based network environment. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various aspects unless otherwise stated. The method 300 can be performed by a network (e.g., the network environment 100 of FIG. 1) or similar system. For example, the method 300 may be performed by monitoring module 130 of FIG. 1.


At operation 302, a determination is made by the monitoring module 130 of FIG. 1 regarding whether one or more network metrics associated with a first server (e.g. first security GW instance) equals or exceeds a predetermined threshold. In other aspects, the determination may be based on detected number of connections or tunnel sessions associated with the first server, CPU usage, bandwidth utilization, response time, memory utilization, and/or usage of other computing resources, as discussed above. If the detected number of connections or tunnel sessions associated with the first sever (e.g. first security GW instance) equals or exceeds the predetermined threshold, an automatic-shrink or scale down routine is commenced indicating that there is excess capacity of security GW instances in a cloud-based network as may be the case during off-peak hours where the network may experience less demand and traffic.


At operation 304, the monitoring module 130 of FIG. 1 instructs the first server to initiate or issue a rekey request or procedure for all connections associated with the first server. In response, the first server may issue a rekey request from the first server to a plurality of devices connected to the first server. In response, the plurality of devices connected to the first server and receiving data via a secure connection or tunnel session from the first server (e.g., first security GW instance), transmit a rekey request (e.g., TCP handshake) to a load balancer.


At operation 306, the monitoring module 130 of FIG. 1 instructs the load balancer 120 of FIG. 1 to not send any subsequent rekey requests (e.g., TCP handshakes) to the first server. In one aspect, the load balancer may be instructed to send, route, or otherwise distribute any subsequent rekey requests (e.g., TCP handshakes) to a second server (e.g., second security GW instance). The load balancer may be configured to manage, distribute, or assign rekey requests received from a plurality of devices to a plurality of servers, including the first server (e.g., first security GW instance) and the second server (e.g., second security GW instance).


At operation 308, rekey requests from the plurality of devices are routed by the load balancer 120 of FIG. 1 to the second server, according to the instruction received at operation 306.


The rekey request forwarded, routed, or otherwise assigned to the second server is received by the second server. A secure connection (e.g., TLS, DTLS, IPSEC) between the second server and each of the plurality of devices may then be established to provide data flow to each of the plurality of devices. After a connection is established between the second server and a respective device of the plurality of devices, the secure connection (e.g., TLS, DTLS, IPSEC) between the respective device and the first server may be terminated, thereby relying solely on the secure connection between the second server and the respective device to provide data flow to the respective device. After each device of the plurality of devices establishes a secure connection with the second server, the connection to the first server may be terminated by the load balancer 120.


At operation 310, the monitoring module 130 of FIG. 1 may be configured to ping or query the first server to obtain information relating to the number of active connections or tunnel sessions associated with the first server. If the monitoring module 130 determines that there are no active connections or tunnel sessions to the first server, the monitoring module 130 may instruct the load balancer 120 to terminate the first server. At operation 312, after all devices of the plurality of devices establish respective secure connections with the second server, the first server may be disconnected from the cloud-based network or otherwise terminated, thereby reducing the number of servers (e.g., security GW instances) on the network.


In some aspects, the method 300 provides a method for scaling down security GW instances without compromising or otherwise negatively impacting data flow to devices. Encrypted application data may flow through existing secure tunnel sessions until after new secure tunnel sessions are established. As such, transitioning encrypted data or traffic from existing tunnel sessions to newly established tunnel sessions is seamless and does not negatively affect any application or data flow.



FIG. 4 depicts an example of a computing system 400 in which the components of the system are in communication with each other using connection 405. Connection 405 can be a physical connection via a bus, or a direct connection into processor 410, such as in a chipset architecture. Connection 405 can also be a virtual connection, networked connection, or logical connection.


In some embodiments, computing system 400 is a distributed system in which the functions described in this disclosure can be distributed within a datacenter, multiple datacenters, a peer network, etc. In some embodiments, one or more of the described system components represents many such components each performing some or all of the function for which the component is described. In some embodiments, the components can be physical or virtual devices.


System 400 includes at least one processing unit (CPU or processor) 410 and connection 405 that couples various system components including system memory 415, such as read only memory (ROM) 420 and random access memory (RAM) 425 to processor 410. Computing system 400 can include a cache 412 of high-speed memory connected directly with, in close proximity to, or integrated as part of processor 410.


Processor 410 can include any general purpose processor and a hardware service or software service, such as services 432, 434, and 436 stored in storage device 430, configured to control processor 410 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. Processor 410 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.


To enable user interaction, computing system 400 includes an input device 445, which can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech, etc. Computing system 400 can also include output device 435, which can be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input/output to communicate with computing system 400. Computing system 400 can include communications interface 440, which can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.


Storage device 430 can be a non-volatile memory device and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs), read only memory (ROM), and/or some combination of these devices.


The storage device 430 can include software services, servers, services, etc., that when the code that defines such software is executed by the processor 410, it causes the system to perform a function. In some embodiments, a hardware service that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as processor 410, connection 405, output device 435, etc., to carry out the function.


It will be appreciated that computing system 400 can have more than one processor 410, or be part of a group or cluster of computing devices networked together to provide greater processing capability.


For clarity of explanation, in some instances the various embodiments may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.


In some aspects the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.


Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.


Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.


The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.


Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims.

Claims
  • 1. A computer-implemented method, comprising: detecting a reduction in one or more network metrics related to a first server;instructing the first server to issue a rekey request to a plurality of devices connected to the first server in response to the detected reduction in the one or more network metrics related to the first server, wherein the rekey request is part of a rekey routine for changing one or more session keys of an ongoing communication with the plurality of devices;instructing, in response to the detected reduction in the one or more network metrics, a load balancer to route responses from the plurality of devices to the rekey request to at least one other server to connect the plurality of devices to at least one of the at least one other server in response to the rekey request;determining a number of connections remaining between the first server and the plurality of devices; andinstructing the load balancer to terminate the first server based on the determined number of connections remaining between the first server and the plurality of devices,wherein instructing the load balancer to route the responses from the plurality of devices to the at least one other server comprises instructing the load balancer to not send responses from the plurality of devices to the first server.
  • 2. The computer-implemented method of claim 1, wherein the one or more network metrics comprises at least one of a number of connections to the first server, CPU usage of the first server, and memory utilization of the first server.
  • 3. The computer-implemented method of claim 1, wherein the determining the number of connections remaining comprises transmitting a query to the first server to solicit a response indicating a number of active connections between the first server and the plurality of devices.
  • 4. The computer-implemented method of claim 1, wherein the load balancer is instructed to terminate the first server when the determined number of connections remaining between the first server and the plurality of devices is zero.
  • 5. The computer-implemented method of claim 1, wherein the connections comprise at least one of a TLS, DTLS, and IPSEC connection.
  • 6. The computer-implemented method of claim 1, wherein the first server comprises a first security gateway instance, and wherein the second server comprises a second security gateway instance.
  • 7. A non-transitory computer-readable medium comprising instructions, the instructions, when executed by a computing system, cause the computing system to: detect a reduction in one or more network metrics related to a first server;instruct the first server to issue a rekey request to a plurality of devices connected to the first server in response to the detected reduction in the one or more network metrics related to the first server, wherein the rekey request is part of a rekey routine for changing one or more session keys of an ongoing communication with the plurality of devices;instruct, in response to the detected reduction in the one or more network metrics, a load balancer to route responses from the plurality of devices to the rekey request to at least one other server to connect the plurality of devices to at least one of the at least one other server in response to the rekey request;determine a number of connections remaining between the first server and the plurality of devices; andinstruct the load balancer to terminate the first server based on the determined number of connections remaining between the first server and the plurality of devices,wherein instructing the load balancer to route the responses from the plurality of devices to the at least one other server comprises instructing the load balancer to not send responses from the plurality of devices to the first server.
  • 8. The non-transitory computer-readable medium of claim 7, wherein the one or more network metrics comprises at least one of a number of connections to the first server, CPU usage of the first server, and memory utilization of the first server.
  • 9. The non-transitory computer-readable medium of claim 7, wherein the determining the number of connections remaining comprises transmitting a query to the first server to solicit a response indicating a number of active connections between the first server and the plurality of devices.
  • 10. The non-transitory computer-readable medium of claim 7, wherein the load balancer is instructed to terminate the first server when the determined number of connections remaining between the first server and the plurality of devices is zero.
  • 11. The non-transitory computer-readable medium of claim 7, wherein the connections comprise at least one of a TLS, DTLS, and IPSEC connection.
  • 12. The non-transitory computer-readable medium of claim 7, wherein the first server comprises a first security gateway instance, and wherein the second server comprises a second security gateway instance.
  • 13. A system comprising: a processor; anda non-transitory computer-readable medium storing instructions that, when executed by the system, cause the system to: detect a reduction in one or more network metrics related to a first server;instruct the first server to issue a rekey request to a plurality of devices connected to the first server in response to the detected reduction in the one or more network metrics related to the first server, wherein the rekey request is part of a rekey routine for changing one or more session keys of an ongoing communication with the plurality of devices;instruct, in response to the detected reduction in the one or more network metrics, a load balancer to route responses from the plurality of devices to the rekey request to at least one other server to connect the plurality of devices to at least one of the at least one other server in response to the rekey request;determine a number of connections remaining between the first server and the plurality of devices; andinstruct the load balancer to terminate the first server based on the determined number of connections remaining between the first server and the plurality of devices,wherein instructing the load balancer to route the responses from the plurality of devices to the at least one other server comprises instructing the load balancer to not send responses from the plurality of devices to the first server.
  • 14. The system of claim 13, wherein the one or more network metrics comprises at least one of a number of connections to the first server, CPU usage of the first server, and memory utilization of the first server.
  • 15. The system of claim 13, wherein the determining the number of connections remaining comprises transmitting a query to the first server to solicit a response indicating a number of active connections between the first server and the plurality of devices.
  • 16. The system of claim 13, wherein the connections comprise at least one of a TLS, DTLS, and IPSEC connection.
  • 17. The system of claim 13, wherein the first server comprises a first security gateway instance, and wherein the second server comprises a second security gateway instance.
US Referenced Citations (435)
Number Name Date Kind
5812773 Norin Sep 1998 A
5889896 Meshinsky et al. Mar 1999 A
6108782 Fletcher et al. Aug 2000 A
6178453 Mattaway et al. Jan 2001 B1
6298153 Oishi Oct 2001 B1
6343290 Cossins et al. Jan 2002 B1
6643260 Kloth et al. Nov 2003 B1
6683873 Kwok et al. Jan 2004 B1
6721804 Rubin et al. Apr 2004 B1
6733449 Krishnamurthy et al. May 2004 B1
6735631 Oehrke et al. May 2004 B1
6996615 McGuire Feb 2006 B1
7054930 Cheriton May 2006 B1
7058706 Lyer et al. Jun 2006 B1
7062571 Dale et al. Jun 2006 B1
7111177 Chauvel et al. Sep 2006 B1
7212490 Kao et al. May 2007 B1
7277948 Igarashi et al. Oct 2007 B2
7313667 Pullela et al. Dec 2007 B1
7379846 Williams et al. May 2008 B1
7480672 Hahn et al. Jan 2009 B2
7496043 Leong et al. Feb 2009 B1
7536476 Alleyne May 2009 B1
7567504 Darling et al. Jul 2009 B2
7583665 Duncan et al. Sep 2009 B1
7606147 Luft et al. Oct 2009 B2
7644437 Volpano Jan 2010 B2
7647594 Togawa Jan 2010 B2
7773510 Back et al. Aug 2010 B2
7808897 Mehta et al. Oct 2010 B1
7881957 Cohen et al. Feb 2011 B1
7917647 Cooper et al. Mar 2011 B2
7926098 Chinitz et al. Apr 2011 B2
8010598 Tanimoto Aug 2011 B2
8028071 Mahalingam et al. Sep 2011 B1
8041714 Aymeloglu et al. Oct 2011 B2
8104081 Khanna et al. Jan 2012 B2
8121117 Amdahl et al. Feb 2012 B1
8171415 Appleyard et al. May 2012 B2
8234377 Cohn Jul 2012 B2
8244559 Horvitz et al. Aug 2012 B2
8250215 Stienhans et al. Aug 2012 B2
8280880 Aymeloglu et al. Oct 2012 B1
8284664 Aybay et al. Oct 2012 B1
8301746 Head et al. Oct 2012 B2
8345692 Smith Jan 2013 B2
8406141 Couturier et al. Mar 2013 B1
8407413 Yucel et al. Mar 2013 B1
8448171 Donnellan et al. May 2013 B2
8477610 Zuo et al. Jul 2013 B2
8495356 Ashok et al. Jul 2013 B2
8495725 Ahn Jul 2013 B2
8510469 Portolani Aug 2013 B2
8514868 Hill Aug 2013 B2
8532108 Li et al. Sep 2013 B2
8533687 Greifeneder et al. Sep 2013 B1
8547974 Guruswamy et al. Oct 2013 B1
8560639 Murphy et al. Oct 2013 B2
8560663 Baucke et al. Oct 2013 B2
8589543 Dutta et al. Nov 2013 B2
8590050 Nagpal et al. Nov 2013 B2
8611356 Yu et al. Dec 2013 B2
8612625 Andreis et al. Dec 2013 B2
8630291 Shaffer et al. Jan 2014 B2
8639787 Lagergren et al. Jan 2014 B2
8656024 Krishnan et al. Feb 2014 B2
8660129 Brendel et al. Feb 2014 B1
8719804 Jain May 2014 B2
8775576 Hebert et al. Jul 2014 B2
8797867 Chen et al. Aug 2014 B1
8805951 Faibish et al. Aug 2014 B1
8850002 Dickinson et al. Sep 2014 B1
8850182 Fritz et al. Sep 2014 B1
8856339 Mestery et al. Oct 2014 B2
8909928 Ahmad et al. Dec 2014 B2
8918510 Gmach et al. Dec 2014 B2
8924720 Raghuram et al. Dec 2014 B2
8930747 Levijarvi et al. Jan 2015 B2
8938775 Roth et al. Jan 2015 B1
8959526 Kansal et al. Feb 2015 B2
8977754 Curry, Jr. et al. Mar 2015 B2
8984114 Shieh et al. Mar 2015 B2
9009697 Breiter et al. Apr 2015 B2
9015324 Jackson Apr 2015 B2
9043439 Bicket et al. May 2015 B2
9049115 Rajendran et al. Jun 2015 B2
9063789 Beaty et al. Jun 2015 B2
9065727 Liu et al. Jun 2015 B1
9075649 Bushman et al. Jul 2015 B1
9130846 Szabo et al. Sep 2015 B1
9164795 Vincent Oct 2015 B1
9167050 Durazzo et al. Oct 2015 B2
9201701 Boldyrev et al. Dec 2015 B2
9201704 Chang et al. Dec 2015 B2
9203784 Chang et al. Dec 2015 B2
9223634 Chang et al. Dec 2015 B2
9244776 Koza et al. Jan 2016 B2
9251114 Ancin et al. Feb 2016 B1
9264478 Hon et al. Feb 2016 B2
9294408 Dickinson et al. Mar 2016 B1
9313048 Chang et al. Apr 2016 B2
9361192 Smith et al. Jun 2016 B2
9379982 Krishna et al. Jun 2016 B1
9380075 He et al. Jun 2016 B2
9432245 Sorenson, III et al. Aug 2016 B1
9432294 Sharma et al. Aug 2016 B1
9444744 Sharma et al. Sep 2016 B1
9473365 Melander et al. Oct 2016 B2
9503530 Niedzielski Nov 2016 B1
9558078 Farlee et al. Jan 2017 B2
9571570 Mutnuru Feb 2017 B1
9613078 Vermeulen et al. Apr 2017 B2
9628471 Sundaram et al. Apr 2017 B1
9658876 Chang et al. May 2017 B2
9692802 Bicket et al. Jun 2017 B2
9755858 Bagepalli et al. Sep 2017 B2
10419447 Chao Sep 2019 B2
20010055303 Horton et al. Dec 2001 A1
20020073337 Ioele et al. Jun 2002 A1
20020120743 Shabtay Aug 2002 A1
20020143928 Maltz et al. Oct 2002 A1
20020166117 Abrams et al. Nov 2002 A1
20020174216 Shorey et al. Nov 2002 A1
20030018591 Komisky Jan 2003 A1
20030056001 Mate et al. Mar 2003 A1
20030228585 Inoko et al. Dec 2003 A1
20040004941 Malan et al. Jan 2004 A1
20040034702 He Feb 2004 A1
20040088542 Daude et al. May 2004 A1
20040095237 Chen et al. May 2004 A1
20040131059 Ayyakad et al. Jul 2004 A1
20040197079 Latvala et al. Oct 2004 A1
20040264481 Darling et al. Dec 2004 A1
20050060418 Sorokopud Mar 2005 A1
20050125424 Herriott et al. Jun 2005 A1
20060062187 Rune Mar 2006 A1
20060104286 Cheriton May 2006 A1
20060126665 Ward et al. Jun 2006 A1
20060146825 Hofstaedter et al. Jul 2006 A1
20060155875 Cheriton Jul 2006 A1
20060168338 Bruegl et al. Jul 2006 A1
20060233106 Achlioptas et al. Oct 2006 A1
20070174663 Crawford et al. Jul 2007 A1
20070223487 Kajekar et al. Sep 2007 A1
20070242830 Conrado et al. Oct 2007 A1
20080005293 Bhargava et al. Jan 2008 A1
20080080524 Tsushima et al. Apr 2008 A1
20080084880 Dharwadkar Apr 2008 A1
20080165778 Ertemalp Jul 2008 A1
20080198752 Fan et al. Aug 2008 A1
20080198858 Townsley et al. Aug 2008 A1
20080201711 Amir Husain Aug 2008 A1
20080235755 Blaisdell et al. Sep 2008 A1
20090006527 Gingell, Jr. et al. Jan 2009 A1
20090019367 Cavagnari et al. Jan 2009 A1
20090031312 Mausolf et al. Jan 2009 A1
20090083183 Rao et al. Mar 2009 A1
20090138763 Arnold May 2009 A1
20090177775 Radia et al. Jul 2009 A1
20090178058 Stillwell, III et al. Jul 2009 A1
20090182874 Morford et al. Jul 2009 A1
20090265468 Annambhotla et al. Oct 2009 A1
20090265753 Anderson et al. Oct 2009 A1
20090293056 Ferris Nov 2009 A1
20090300608 Ferris et al. Dec 2009 A1
20090313562 Appleyard et al. Dec 2009 A1
20090323706 Germain et al. Dec 2009 A1
20090328031 Pouyadou et al. Dec 2009 A1
20100036903 Ahmad et al. Feb 2010 A1
20100042720 Stienhans et al. Feb 2010 A1
20100061250 Nugent Mar 2010 A1
20100115341 Baker et al. May 2010 A1
20100131765 Bromley et al. May 2010 A1
20100149966 Achlioptas et al. Jun 2010 A1
20100191783 Mason et al. Jul 2010 A1
20100192157 Jackson et al. Jul 2010 A1
20100205601 Abbas et al. Aug 2010 A1
20100211782 Auradkar et al. Aug 2010 A1
20100293270 Augenstein et al. Nov 2010 A1
20100318605 Weis Dec 2010 A1
20100318609 Lahiri et al. Dec 2010 A1
20100325199 Park et al. Dec 2010 A1
20100325441 Laurie et al. Dec 2010 A1
20100333116 Prahlad et al. Dec 2010 A1
20110016214 Jackson Jan 2011 A1
20110035754 Srinivasan Feb 2011 A1
20110055396 Dehaan Mar 2011 A1
20110055398 Dehaan et al. Mar 2011 A1
20110055470 Portolani Mar 2011 A1
20110072489 Parann-Nissany Mar 2011 A1
20110075667 Li et al. Mar 2011 A1
20110110382 Jabr et al. May 2011 A1
20110116443 Yu et al. May 2011 A1
20110126099 Anderson et al. May 2011 A1
20110138055 Daly et al. Jun 2011 A1
20110145413 Dawson et al. Jun 2011 A1
20110145657 Bishop et al. Jun 2011 A1
20110173303 Rider Jul 2011 A1
20110185063 Head et al. Jul 2011 A1
20110185065 Stanisic et al. Jul 2011 A1
20110206052 Tan et al. Aug 2011 A1
20110213966 Fu et al. Sep 2011 A1
20110219434 Betz et al. Sep 2011 A1
20110231715 Kunii et al. Sep 2011 A1
20110231899 Pulier et al. Sep 2011 A1
20110239039 Dieffenbach et al. Sep 2011 A1
20110252327 Awasthi et al. Oct 2011 A1
20110261811 Battestilli et al. Oct 2011 A1
20110261828 Smith Oct 2011 A1
20110276675 Singh et al. Nov 2011 A1
20110276951 Jain Nov 2011 A1
20110283013 Grosser et al. Nov 2011 A1
20110295998 Ferris et al. Dec 2011 A1
20110305149 Scott et al. Dec 2011 A1
20110307531 Gaponenko et al. Dec 2011 A1
20110320870 Kenigsberg et al. Dec 2011 A1
20120005724 Lee Jan 2012 A1
20120036234 Staats et al. Feb 2012 A1
20120054367 Ramakrishnan et al. Mar 2012 A1
20120072318 Akiyama et al. Mar 2012 A1
20120072578 Alam Mar 2012 A1
20120072581 Tung et al. Mar 2012 A1
20120072985 Davne et al. Mar 2012 A1
20120072992 Arasaratnam et al. Mar 2012 A1
20120084445 Brock et al. Apr 2012 A1
20120084782 Chou et al. Apr 2012 A1
20120096134 Suit Apr 2012 A1
20120096269 McAlister Apr 2012 A1
20120102193 Rathore et al. Apr 2012 A1
20120102199 Hopmann et al. Apr 2012 A1
20120131174 Ferris et al. May 2012 A1
20120137215 Kawara May 2012 A1
20120158967 Sedayao et al. Jun 2012 A1
20120159097 Jennas, II et al. Jun 2012 A1
20120167094 Suit Jun 2012 A1
20120173710 Rodriguez Jul 2012 A1
20120179909 Sagi et al. Jul 2012 A1
20120180044 Donnellan et al. Jul 2012 A1
20120182891 Lee et al. Jul 2012 A1
20120185913 Martinez et al. Jul 2012 A1
20120192016 Gotesdyner et al. Jul 2012 A1
20120192075 Ebtekar et al. Jul 2012 A1
20120201135 Ding et al. Aug 2012 A1
20120214506 Skaaksrud et al. Aug 2012 A1
20120222106 Kuehl Aug 2012 A1
20120236716 Anbazhagan et al. Sep 2012 A1
20120240113 Hur Sep 2012 A1
20120265976 Spiers et al. Oct 2012 A1
20120272025 Park et al. Oct 2012 A1
20120281706 Agarwal et al. Nov 2012 A1
20120281708 Chauhan et al. Nov 2012 A1
20120290647 Ellison et al. Nov 2012 A1
20120297238 Watson et al. Nov 2012 A1
20120311106 Morgan Dec 2012 A1
20120311568 Jansen Dec 2012 A1
20120324092 Brown et al. Dec 2012 A1
20120324114 Dutta et al. Dec 2012 A1
20130003567 Gallant et al. Jan 2013 A1
20130013248 Brugler et al. Jan 2013 A1
20130036213 Hasan et al. Feb 2013 A1
20130044636 Koponen et al. Feb 2013 A1
20130066940 Shao Mar 2013 A1
20130080509 Wang Mar 2013 A1
20130080624 Nagai et al. Mar 2013 A1
20130091557 Gurrapu Apr 2013 A1
20130097601 Podvratnik et al. Apr 2013 A1
20130104140 Meng et al. Apr 2013 A1
20130111540 Sabin May 2013 A1
20130117337 Dunham May 2013 A1
20130124712 Parker May 2013 A1
20130125124 Kempf et al. May 2013 A1
20130138816 Kuo et al. May 2013 A1
20130144978 Jain et al. Jun 2013 A1
20130152076 Patel Jun 2013 A1
20130152175 Hromoko et al. Jun 2013 A1
20130159097 Schory et al. Jun 2013 A1
20130159496 Hamilton et al. Jun 2013 A1
20130160008 Cawlfield et al. Jun 2013 A1
20130162753 Hendrickson et al. Jun 2013 A1
20130169666 Pacheco et al. Jul 2013 A1
20130179941 McGloin et al. Jul 2013 A1
20130182712 Aguayo et al. Jul 2013 A1
20130185433 Zhu et al. Jul 2013 A1
20130191106 Kephart et al. Jul 2013 A1
20130198374 Zalmanovitch et al. Aug 2013 A1
20130201989 Hu et al. Aug 2013 A1
20130204849 Chacko Aug 2013 A1
20130232491 Radhakrishnan et al. Sep 2013 A1
20130246588 Borowicz et al. Sep 2013 A1
20130250770 Zou et al. Sep 2013 A1
20130254415 Fullen et al. Sep 2013 A1
20130262347 Dodson Oct 2013 A1
20130283364 Chang Oct 2013 A1
20130297769 Chang et al. Nov 2013 A1
20130318240 Hebert et al. Nov 2013 A1
20130318546 Kothuri et al. Nov 2013 A1
20130339949 Spiers et al. Dec 2013 A1
20140006481 Frey et al. Jan 2014 A1
20140006535 Reddy Jan 2014 A1
20140006585 Dunbar et al. Jan 2014 A1
20140040473 Ho et al. Feb 2014 A1
20140040883 Tompkins Feb 2014 A1
20140052877 Mao Feb 2014 A1
20140056146 Hu et al. Feb 2014 A1
20140059310 Du et al. Feb 2014 A1
20140074850 Noel et al. Mar 2014 A1
20140075048 Yuksel et al. Mar 2014 A1
20140075108 Dong et al. Mar 2014 A1
20140075357 Flores et al. Mar 2014 A1
20140075501 Srinivasan et al. Mar 2014 A1
20140089727 Cherkasova et al. Mar 2014 A1
20140098762 Ghai et al. Apr 2014 A1
20140108985 Scott et al. Apr 2014 A1
20140122560 Ramey et al. May 2014 A1
20140136779 Guha et al. May 2014 A1
20140140211 Chandrasekaran et al. May 2014 A1
20140141720 Princen et al. May 2014 A1
20140156557 Zeng et al. Jun 2014 A1
20140164486 Ravichandran et al. Jun 2014 A1
20140188825 Muthukkaruppan et al. Jul 2014 A1
20140189095 Lindberg et al. Jul 2014 A1
20140189125 Amies et al. Jul 2014 A1
20140215471 Cherkasova Jul 2014 A1
20140222953 Karve et al. Aug 2014 A1
20140244851 Lee Aug 2014 A1
20140245298 Zhou et al. Aug 2014 A1
20140281173 Im et al. Sep 2014 A1
20140282536 Dave et al. Sep 2014 A1
20140282611 Campbell et al. Sep 2014 A1
20140282889 Ishaya et al. Sep 2014 A1
20140289200 Kato Sep 2014 A1
20140295831 Karra et al. Oct 2014 A1
20140297569 Clark et al. Oct 2014 A1
20140297835 Buys Oct 2014 A1
20140310391 Sorensen, III et al. Oct 2014 A1
20140310417 Sorensen, III et al. Oct 2014 A1
20140310418 Sorensen, III et al. Oct 2014 A1
20140314078 Jilani Oct 2014 A1
20140317261 Shatzkamer et al. Oct 2014 A1
20140321278 Cafarelli et al. Oct 2014 A1
20140330976 van Bemmel Nov 2014 A1
20140330977 van Bemmel Nov 2014 A1
20140334488 Guichard et al. Nov 2014 A1
20140362682 Guichard et al. Dec 2014 A1
20140365680 van Bemmel Dec 2014 A1
20140366155 Chang et al. Dec 2014 A1
20140369204 Anand et al. Dec 2014 A1
20140372567 Ganesh et al. Dec 2014 A1
20140379938 Bosch et al. Dec 2014 A1
20150033086 Sasturkar et al. Jan 2015 A1
20150043576 Dixon et al. Feb 2015 A1
20150052247 Threefoot et al. Feb 2015 A1
20150052517 Raghu et al. Feb 2015 A1
20150058382 St Laurent et al. Feb 2015 A1
20150058459 Amendjian et al. Feb 2015 A1
20150071285 Kumar et al. Mar 2015 A1
20150085870 Narasimha et al. Mar 2015 A1
20150089082 Patwardhan et al. Mar 2015 A1
20150100471 Curry, Jr. et al. Apr 2015 A1
20150100826 Vujic Apr 2015 A1
20150103827 Quinn et al. Apr 2015 A1
20150106802 Ivanov et al. Apr 2015 A1
20150106805 Melander et al. Apr 2015 A1
20150117199 Chinnaiah Sankaran et al. Apr 2015 A1
20150117458 Gurkan et al. Apr 2015 A1
20150120914 Wada et al. Apr 2015 A1
20150124622 Kovvali et al. May 2015 A1
20150138973 Kumar et al. May 2015 A1
20150178133 Phelan et al. Jun 2015 A1
20150189009 van Bemmel Jul 2015 A1
20150215819 Bosch et al. Jul 2015 A1
20150227405 Jan et al. Aug 2015 A1
20150242204 Hassine et al. Aug 2015 A1
20150249709 Teng et al. Sep 2015 A1
20150263901 Kumar et al. Sep 2015 A1
20150280980 Bitar Oct 2015 A1
20150281067 Wu Oct 2015 A1
20150281113 Siciliano et al. Oct 2015 A1
20150309908 Pearson et al. Oct 2015 A1
20150319063 Zourzouvillys et al. Nov 2015 A1
20150326524 Tankala et al. Nov 2015 A1
20150339210 Kopp et al. Nov 2015 A1
20150358850 La Roche, Jr. et al. Dec 2015 A1
20150365324 Kumar et al. Dec 2015 A1
20150373048 Siddiqui Dec 2015 A1
20150373108 Fleming et al. Dec 2015 A1
20160011925 Kulkarni et al. Jan 2016 A1
20160013990 Kulkarni et al. Jan 2016 A1
20160021698 Zhao et al. Jan 2016 A1
20160026684 Mukherjee et al. Jan 2016 A1
20160062786 Meng et al. Mar 2016 A1
20160080259 Biancaniello Mar 2016 A1
20160094389 Jain et al. Mar 2016 A1
20160094398 Choudhury et al. Mar 2016 A1
20160094453 Jain et al. Mar 2016 A1
20160094454 Jain et al. Mar 2016 A1
20160094455 Jain et al. Mar 2016 A1
20160094456 Jain et al. Mar 2016 A1
20160094480 Kulkarni et al. Mar 2016 A1
20160094643 Jain et al. Mar 2016 A1
20160099847 Melander et al. Apr 2016 A1
20160099853 Nedeltchev et al. Apr 2016 A1
20160099864 Akiya et al. Apr 2016 A1
20160105393 Thakkar et al. Apr 2016 A1
20160127184 Bursell May 2016 A1
20160134557 Steinder et al. May 2016 A1
20160156708 Jalan et al. Jun 2016 A1
20160164780 Timmons et al. Jun 2016 A1
20160164914 Madhav et al. Jun 2016 A1
20160182378 Basavaraja et al. Jun 2016 A1
20160188527 Cherian et al. Jun 2016 A1
20160234071 Nambiar et al. Aug 2016 A1
20160239399 Babu et al. Aug 2016 A1
20160253078 Ebtekar et al. Sep 2016 A1
20160254968 Ebtekar et al. Sep 2016 A1
20160261564 Foxhoven et al. Sep 2016 A1
20160277368 Narayanaswamy et al. Sep 2016 A1
20170005948 Melander et al. Jan 2017 A1
20170024260 Chandrasekaran et al. Jan 2017 A1
20170026294 Basavaraja et al. Jan 2017 A1
20170026470 Bhargava et al. Jan 2017 A1
20170041342 Efremov et al. Feb 2017 A1
20170054659 Ergin et al. Feb 2017 A1
20170097841 Chang et al. Apr 2017 A1
20170099188 Chang et al. Apr 2017 A1
20170104755 Arregoces et al. Apr 2017 A1
20170141916 Zhang May 2017 A1
20170147297 Krishnamurthy et al. May 2017 A1
20170149810 Keshet May 2017 A1
20170149878 Mutnuru May 2017 A1
20170163531 Kumar et al. Jun 2017 A1
20170171158 Hoy et al. Jun 2017 A1
20170264663 Bicket et al. Sep 2017 A1
20170339070 Chang et al. Nov 2017 A1
20190026234 Harnik Jan 2019 A1
Foreign Referenced Citations (13)
Number Date Country
101719930 Jun 2010 CN
101394360 Jul 2011 CN
102164091 Aug 2011 CN
104320342 Jan 2015 CN
105740084 Jul 2016 CN
2228719 Sep 2010 EP
2439637 Apr 2012 EP
2645253 Nov 2014 EP
10-2015-0070676 May 2015 KR
M394537 Dec 2010 TW
WO 2009155574 Dec 2009 WO
WO 2010030915 Mar 2010 WO
WO 2013158707 Oct 2013 WO
Non-Patent Literature Citations (66)
Entry
Amedro, Brian, et al., “An Efficient Framework for Running Applications on Clusters, Grids and Cloud,” 2010, 17 pages.
Author Unknown, “5 Benefits of a Storage Gateway in the Cloud,” Blog, TwinStrata, Inc., Jul. 25, 2012, XP055141645, 4 pages, https://web.archive.org/web/20120725092619/http://blog.twinstrata.com/2012/07/10//5-benefits-of-a-storage-gateway-in-the-cloud.
Author Unknown, “Joint Cisco and VMWare Solution for Optimizing Virtual Desktop Delivery: Data Center 3.0: Solutions to Accelerate Data Center Virtualization,” Cisco Systems, Inc. and VMware, Inc., Sep. 2008, 10 pages.
Author Unknown, “A Look at DeltaCloud: The Multi-Cloud API,” Feb. 17, 2012, 4 pages.
Author Unknown, “About Deltacloud,” Apache Software Foundation, Aug. 18, 2013, 1 page.
Author Unknown, “Architecture for Managing Clouds, A White Paper from the Open Cloud Standards Incubator,” Version 1.0.0, Document No. DSP-IS0102, Jun. 18, 2010, 57 pages.
Author Unknown, “Cloud Infrastructure Management Interface—Common Information Model (CIMI-CIM),” Document No. DSP0264, Version 1.0.0, Dec. 14, 2012, 21 pages.
Author Unknown, “Cloud Infrastructure Management Interface (CIMI) Primer,” Document No. DSP2027, Version 1.0.1, Sep. 12, 2012, 30 pages.
Author Unknown, “cloudControl Documentation,” Aug. 25, 2013, 14 pages.
Author Unknown, “Interoperable Clouds, A White Paper from the Open Cloud Standards Incubator,” Version 1.0.0, Document No. DSP-IS0101, Nov. 11, 2009, 21 pages.
Author Unknown, “Microsoft Cloud Edge Gateway (MCE) Series Appliance,” Iron Networks, Inc., 2014, 4 pages.
Author Unknown, “Open Data Center Alliance Usage: Virtual Machine (VM) Interoperability in a Hybrid Cloud Environment Rev. 1.2,” Open Data Center Alliance, Inc., 2013, 18 pages.
Author Unknown, “Real-Time Performance Monitoring on Juniper Networks Devices, Tips and Tools for Assessing and Analyzing Network Efficiency,” Juniper Networks, Inc., May 2010, 35 pages.
Author Unknown, “Use Cases and Interactions for Managing Clouds, A White Paper from the Open Cloud Standards Incubator,” Version 1.0.0, Document No. DSP-ISO0103, Jun. 16, 2010, 75 pages.
Author Unknown, “Apache Ambari Meetup What's New,” Hortonworks Inc., Sep. 2013, 28 pages.
Author Unknown, “Introduction,” Apache Ambari project, Apache Software Foundation, 2014, 1 page.
Baker, F., “Requirements for IP Version 4 Routers,” Jun. 1995, 175 pages, Network Working Group, Cisco Systems.
Beyer, Steffen, “Module “Data::Locations”,” YAPC::Europe, London, UK,ICA, Sep. 22-24, 2000, XP002742700, 15 pages.
Blanchet, M., “A Flexible Method for Managing the Assignment of Bits of an IPv6 Address Block,” Apr. 2003, 8 pages, Network Working Group, Viagnie.
Borovick, Lucinda, et al., “Architecting the Network for the Cloud,” IDC White Paper, Jan. 2011, 8 pages.
Bosch, Greg, “Virtualization,” last modified Apr. 2012 by B. Davison, 33 pages.
Broadcasters Audience Research Board, “What's Next,” http://lwww.barb.co.uk/whats-next, accessed Jul. 22, 2015, 2 pages.
Cisco Systems, Inc. “Best Practices in Deploying Cisco Nexus 1000V Series Switches on Cisco UCS B and C Series Cisco UCS Manager Servers,” Cisco White Paper, Apr. 2011, 36 pages, http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c11-558242.pdf.
Cisco Systems, Inc., “Cisco Unified Network Services: Overcome Obstacles to Cloud-Ready Deployments,” Cisco White Paper, Jan. 2011, 6 pages.
Cisco Systems, Inc., “Cisco Intercloud Fabric: Hybrid Cloud with Choice, Consistency, Control and Compliance,” Dec. 10, 2014, 22 pages.
Cisco Technology, Inc., “Cisco Expands Videoscape TV Platform Into the Cloud,” Jan. 6, 2014, Las Vegas, Nevada, Press Release, 3 pages.
Citrix, “Citrix StoreFront 2.0” White Paper, Proof of Concept Implementation Guide, Citrix Systems, Inc., 2013, 48 pages.
Citrix, “CloudBridge for Microsoft Azure Deployment Guide,” 30 pages.
Citrix, “Deployment Practices and Guidelines for NetScaler 10.5 on Amazon Web Services,” White Paper, citrix.com, 2014, 14 pages.
CSS Corp, “Enterprise Cloud Gateway (ECG)—Policy driven framework for managing multi-cloud environments,” original published on or about Feb. 11, 2012; 1 page; http://www.css-cloud.com/platform/enterprise-cloud-gateway.php.
Fang K., “LISP MAC-EID-TO-RLOC Mapping (LISP based L2VPN),” Network Working Group, Internet Draft, Cisco Systems, Jan. 2012, 12 pages.
Ford, Bryan, et al., Peer-to-Peer Communication Across Network Address Translators, in USENIX Annual Technical Conference, 2005, pp. 179-192.
Gedymin, Adam, “Cloud Computing with an emphasis on Google App Engine,” Sep. 2011, 146 pages.
Good, Nathan A., “Use Apache Deltacloud to administer multiple instances with a single API,” Dec. 17, 2012, 7 pages.
Herry, William, “Keep It Simple, Stupid: OpenStack nova-scheduler and its algorithm”, May 12, 2012, IBM, 18 pages.
Hewlett-Packard Company, “Virtual context management on network devices”, Research Disclosure, vol. 564, No. 60, Apr. 1, 2011, Mason Publications, Hampshire, GB, Apr. 1, 2011, 524.
Juniper Networks, Inc., “Recreating Real Application Traffic in Junosphere Lab,” Solution Brief, Dec. 2011, 3 pages.
Kenhui, “Musings on Cloud Computing and IT-as-a-Service: [Updated for Havana] Openstack Computer for VSphere Admins, Part 2: Nova-Scheduler and DRS”, Jun. 26, 2013, Cloud Architect Musings, 12 pages.
Kolyshkin, Kirill, “Virtualization in Linux,” Sep. 1, 2006, XP055141648, 5 pages, https://web.archive.org/web/20070120205111/http://download.openvz.org/doc/openvz-intro.pdf.
Kumar, S., et al., “Infrastructure Service Forwarding for NSH”Service Function Chaining Internet Draft, draft-kumar-sfc-nsh-forwarding-00, Dec. 5, 2015, 17 pages.
Kunz, Thomas, et al., “OmniCloud—The Secure and Flexible Use of Cloud Storage Services,” 2014, 30 pages.
Lerach, S.R.O., “Golem,” http://www.lerach.cz/en/products/golem, accessed Jul. 22, 2015, 2 pages.
Linthicum, David, “VM Import could be a game changer for hybrid clouds”, InfoWorld, Dec. 23, 2010, 4 pages.
Logan, Marcus, “Hybrid Cloud Application Architecture for Elastic Java-Based Web Applications,” F5 Deployment Guide Version 1.1, 2016, 65 pages.
Lynch, Sean, “Monitoring cache with Claspin” Facebook Engineering, Sep. 19, 2012, 5 pages.
Meireles, Fernando Miguel Dias, “Integrated Management of Cloud Computing Resources,” 2013-2014, 286 pages.
Meraki, “meraki releases industry's first cloud-managed routers,” Jan. 13, 2011, 2 pages.
Mu, Shuai, et al., “uLibCloud: Providing High Available and Uniform Accessing to Multiple Cloud Storages,” 2012 IEEE, 8 pages.
Naik, Vijay K., et al., “Harmony: A Desktop Grid for Delivering Enterprise Computations,” Grid Computing, 2003, Fourth International Workshop on Proceedings, Nov. 17, 2003, pp. 1-11.
Nair, Srijith K. et al., “Towards Secure Cloud Bursting, Brokerage and Aggregation,” 2012, 8 pages, www.flexiant.com.
Nielsen, “SimMetry Audience Measurement—Technology” http://www.nielsen-admosphere.eu/products-and-services/simmetry-audience-measurement-technology/, accessed Jul. 22, 2015, 6 pages.
Nielsen, “Television,” http://www.nielsen.com/us/en/solutions/measurement/television.html, accessed Jul. 22, 2015, 4 pages.
Open Stack, “Filter Scheduler,” updated Dec. 17, 2017, 5 pages, accessed on Dec. 18, 2017, https://docs.openstack.org/nova/latest/user/filter-scheduler.html.
Quinn, P., et al., “Network Service Header,” Internet Engineering Task Force Draft, Jul. 3, 2014, 27 pages.
Quinn, P., et al., “Service Function Chaining (SFC) Architecture,” Network Working Group, Internet Draft, draft-quinn-sfc-arch-03.txt, Jan. 22, 2014, 21 pages.
Rabadan, J., et al., “Operational Aspects of Proxy-ARP/ND in EVPN Networks,” BESS Worksgroup Internet Draft, draft-snr-bess-evpn-proxy-arp-nd-02, Oct. 6, 2015, 22 pages.
Saidi, Ali, et al., “Performance Validation of Network-Intensive Workloads on a Full-System Simulator,” Interaction between Operating System and Computer Architecture Workshop, (IOSCA 2005), Austin, Texas, Oct. 2005, 10 pages.
Shunra, “Shunra for HP Software; Enabling Confidence in Application Performance Before Deployment,” 2010, 2 pages.
Son, Jungmin, “Automatic decision system for efficient resource selection and allocation in inter-clouds,” Jun. 2013, 35 pages.
Sun, Aobing, et al., “IaaS Public Cloud Computing Platform Scheduling Model and Optimization Analysis,” Int. J. Communications, Network and System Sciences, 2011, 4, 803-811, 9 pages.
Szymaniak, Michal, et al., “Latency-Driven Replica Placement”, vol. 47 No. 8, IPSJ Journal, Aug. 2006, 12 pages.
Toews, Everett, “Introduction to Apache jclouds,” Apr. 7, 2014, 23 pages.
Von Laszewski, Gregor, et al., “Design of a Dynamic Provisioning System for a Federated Cloud and Bare-metal Environment,” 2012, 8 pages.
Wikipedia, “Filter (software)”, Wikipedia, Feb. 8, 2014, 2 pages, https://en.wikipedia.org/w/index.php?title=Filter_%28software%29&oldid=594544359.
Wikipedia; “Pipeline (Unix)”, Wikipedia, May 4, 2014, 4 pages, https://en.wikipedia.org/w/index.php?title=Pipeline2/028Unix%29&oldid=606980114.
Ye, Xianglong, et al., “A Novel Blocks Placement Strategy for Hadoop,” 2012 IEEE/ACTS 11th International Conference on Computer and Information Science, 2012 IEEE, 5 pages.
Related Publications (1)
Number Date Country
20190387049 A1 Dec 2019 US