Architecture for implementing a virtualization environment and appliance
US-9772866-B1 · Sep 26, 2017 · US
US10735376B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10735376-B2 |
| Application number | US-201815899329-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 19, 2018 |
| Priority date | Mar 31, 2014 |
| Publication date | Aug 4, 2020 |
| Grant date | Aug 4, 2020 |
Official abstract text for this publication.
For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel virtualization architecture for utilizing a firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs. In some embodiments, the GVMs connect to a software forwarding element (e.g., a software switch) that executes on the host to connect to each other and to other devices operating outside of the host. Instead of connecting the firewall SVM to the host's software forwarding element that connects its GVMs, the virtualization architecture of some embodiments provides an SVM interface (SVMI) through which the firewall SVM can be accessed to check the packets sent by and/or received for the GVMs.
Opening claim text (preview).
We claim:

1. A host computer comprising: a set of processing units; and a non-transitory machine readable media storing, for execution by the set of processing units, a plurality of guest virtual machines (GVMs); a service virtual machine (SVM) to perform a service for at least a subset of the GVMs; and a hypervisor separate from the SVM, the hypervisor comprising: a physical forwarding element (PFE) to connect the GVMs to each other and to devices outside of the host computer, and to perform forwarding processing for packets sent to and from the GVMs; a service engine to direct the SVM to perform the service on a set of packets forwarded to the PFE; and an SVM interface (SVMI) through which the SVM provides a set of configuration data to the service engine in order to configure the service engine to identify the set of packets for which the SVM is to perform the service.
2. The host computer of claim 1, wherein the SVM does not connect to the PFE.
3. The host computer of claim 1, wherein to direct the SVM to perform the service on a packet, the service engine provides a set of attributes relating to the packet to the SVM via the SVMI.
4. The host computer of claim 3, wherein the service engine receives the set of attributes from the PFE via a port of the PFE.
5. The host computer of claim 3, wherein the set of attributes for a packet comprises (i) a source identifier, (ii) a destination identifier, (iii) a source port, (iv) a destination port, and (v) a protocol.
6. The host computer of claim 1, wherein the SVM is a firewall SVM and the service engine is a firewall service engine.
7. The host computer of claim 1, wherein the PFE is a software switch.
8. The host computer of claim 1, wherein the configuration data further specifies the subset of GVMs for which the SVM is to perform the service.
9. The host computer of claim 1, wherein the configuration data further specifies a set of operations that the service engine has to perform to gather connection state data of the SVM for a GVM that migrates to another host computer that has another SVM that provides the service for the migrating GVM.
10. A host computer comprising: a set of processing units; and a non-transitory machine readable medium storing, for execution by the set of processing units, a plurality of guest virtual machines (GVMs); a service virtual machine (SVM) to perform a service for at least a subset of the GVMs; and a hypervisor separate from the SVM, the hypervisor comprising: a physical forwarding element (PFE) to connect the GVMs to each other and to devices outside of the host computer, and to perform forwarding processing for packets sent to and from the GVMs; a service engine to determine whether the SVM or the service engine has to perform a service on packets exchanged between a GVM and the PFE, to perform the service on a first set of packets based on a determination that the service engine has to perform the service, and to direct the SVM to perform the service on a second set of packets based on a determination that the SVM has to perform the service; and an SVM interface (SVMI) through which the service engine directs the SVM to perform the service on the second set of packets.
11. The host computer of claim 10, wherein the packets are incoming packets that are to be supplied to GVMs, and outgoing packets that are sent by the GVMs.
12. The host computer of claim 10, wherein through the SVMI, the SVM provides configuration data to the service engine in order to configure the service engine to identify sets of packets for which the SVM is to perform the service.
13. The host computer of claim 12, wherein said configuration data further specifies the subset of GVMs for which the SVM is to perform the service.
14. The host computer of claim 12, wherein said configuration data specifies a set of operations that the service engine has to perform to gather service state data of the SVM for a GVM that migrates to another host computer that has another SVM to perform the service for the migrating GVM.
15. The host computer of claim 10, wherein to direct the SVM to perform the service on a packet, the service engine provides a set of attributes relating to the packet to the SVM through the SVMI.
16. The host computer of claim 15, wherein the SVM (i) uses the set of attributes to identify a rule having a matching attribute set and an action and (ii) returns to the service engine the action of the identified rule.
17. A first host computer comprising: a set of processing units; and a non-transitory machine readable medium storing, for execution by the set of processing units, a plurality of guest virtual machines (GVMs); a service virtual machine (SVM) to perform a service for at least a subset of the GVMs, and to store in a connection state data store connection-state data regarding the service that the SVM performs; and a first hypervisor separate from the SVM, the first hypervisor comprising: a physical forwarding element (PFE) to connect the GVMs to each other and to devices outside of the first host computer, and to perform forwarding processing for packets sent to and from the GVMs; a first service engine and an SVM interface (SVMI) through which the first service engine and the SVM communicate; the first service engine to direct the SVM to perform the service on a set of packets forwarded to the PFE and to request from the SVM connection state data that has to be provided to a second service engine of a second hypervisor that executes on a second host computer when a GVM is migrated from the first host computer to the second host computer.
18. The first host computer of claim 17, wherein through the SVMI, the SVM provides configuration data to the service engine in order to configure the service engine to identify packets for which the SVM is to perform the service.
19. The first host computer of claim 17, wherein to direct the SVM to perform the service on a packet, the service engine provides a set of attributes relating to the packet to the SVM via the SVMI.
20. The first host computer of claim 17 further comprising: a first GVM migration module through which the first service engine provides connection state data to the second service engine.
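A toy model of the claimed split between service engine and firewall SVM, added here as an illustration and not code from the patent or any product: the SVM pushes configuration over the SVMI (claims 8 and 12) telling the engine which GVMs and protocols it must hand off; the engine services the rest locally (claim 10) and, for hand-offs, sends the five attributes of claim 5 to the SVM, which returns the action of the first matching rule (claim 16). Class names, the config keys `gvms`/`protos`, the default-deny fallback and all sample rules and packets are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketAttrs:
    """The attribute set of claim 5: source/destination identifiers, ports, protocol."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


@dataclass
class Rule:
    match: dict  # attribute name -> required value; an absent attribute is a wildcard
    action: str  # "allow" or "drop"

    def matches(self, a: PacketAttrs) -> bool:
        return all(getattr(a, k) == v for k, v in self.match.items())


class FirewallSVM:
    """Rule lookup only; it has no PFE port (claim 2) and is reached via the SVMI."""

    def __init__(self, rules, gvms, protos):
        self.rules, self.gvms, self.protos = rules, set(gvms), set(protos)

    def config_for_engine(self) -> dict:
        # Configuration data sent over the SVMI (claims 8/12): which GVMs and
        # protocols the service engine must hand to the SVM.
        return {"gvms": self.gvms, "protos": self.protos}

    def lookup(self, a: PacketAttrs) -> str:
        # Claim 16: find the rule whose attribute set matches, return its action.
        for r in self.rules:
            if r.matches(a):
                return r.action
        return "drop"  # assumed default-deny when nothing matches


class ServiceEngine:
    """Hypervisor-side engine: decides locally vs. via the SVM (claim 10)."""

    def __init__(self, svmi: FirewallSVM, local_rules):
        self.svmi, self.local_rules = svmi, local_rules
        self.cfg = svmi.config_for_engine()
        self.svm_calls = 0  # count of hand-offs, useful when checking the split

    def process(self, gvm: str, a: PacketAttrs) -> str:
        if gvm in self.cfg["gvms"] and a.proto in self.cfg["protos"]:
            self.svm_calls += 1
            return self.svmi.lookup(a)  # attributes cross the SVMI (claims 3/15)
        for r in self.local_rules:
            if r.matches(a):
                return r.action
        return "drop"  # assumed default-deny for locally serviced packets
```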
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
Rule management · CPC title
Filtering policies (mail message filtering H04L51/212) · CPC title
Network integration; Enabling network access in virtual machine instances · CPC title
Hypervisor-specific management and integration aspects · CPC title