Allocating enforcement of a segmentation policy between host and network devices

US10785115B2 · US · B2

Patent metadata
Publication number: US-10785115-B2
Application number: US-201816172630-A
Country: US
Kind code: B2
Filing date: Oct 26, 2018
Priority date: Oct 26, 2018
Publication date: Sep 22, 2020
Grant date: Sep 22, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method for configuring enforcement of a segmentation policy, the method comprising: obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads; generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload; obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload; determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the network device upstream from the workload, comprising: detecting that the particular workload is an unmanaged workload that does not have an enforcement module installed for enforcing the plurality of management instructions; and responsive to detecting that the particular workload is the unmanaged workload, allocating the plurality of management instructions for enforcement by the network device; and sending configuration information based on the plurality of management instructions to at least one of the host and the network device in accordance with the allocation to enable enforcement of the plurality of management instructions.

2. The method of claim 1, further comprising: generating, for a second workload, a second plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the second workload; obtaining, for the second workload, a second connectivity configuration indicating a network device upstream from the second workload; determining an allocation of the second plurality of management instructions between enforcement on a host of a computing device on which the second workload executes and enforcement on the network device upstream from the second workload, comprising: detecting that the second workload provides or consumes one or more latency sensitive services; and allocating a subset of the second plurality of management instructions pertaining to the one or more latency sensitive services for enforcement by the network device.

3. The method of claim 1, further comprising: generating, for a second workload, a second plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the second workload; obtaining, for the second workload, a second connectivity configuration indicating a network device upstream from the second workload; determining an allocation of the second plurality of management instructions between enforcement on a host of a computing device on which the second workload executes and enforcement on the network device upstream from the second workload, comprising: detecting a limit to a number of the second plurality of management instructions enforceable on the network device upstream from the second workload; allocating for enforcement by the network device upstream from the second workload, a first set of the second plurality of management instructions corresponding to the limit; and allocating for enforcement by the host of the computing device on which the second workload executes, a second set of the second plurality of management instructions over the limit.

4. A method for configuring enforcement of a segmentation policy, the method comprising: obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads; generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload; obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload; determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the network device upstream from the particular workload, comprising: detecting that the particular workload provides or consumes one or more latency sensitive services; and allocating a subset of the plurality of management instructions pertaining to the one or more latency sensitive services for enforcement by the network device.

5. A method for configuring enforcement of a segmentation policy, the method comprising: obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads; generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload; obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload; determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the network device upstream from the particular workload, comprising: detecting a limit to a number of the plurality of management instructions enforceable on the network device upstream from the particular workload; allocating for enforcement by the network device upstream from the particular workload, a first set of the plurality of management instructions corresponding to the limit; and allocating for enforcement by the host of the computing device on which the particular workload executes, a second set of the plurality of management instructions over the limit.

6. A method for configuring enforcement of a segmentation policy, the method comprising: obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads; generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload; obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload; determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the network device upstream from the particular workload, comprising: generating, from the plurality of management instructions, one or more coarse rules that coarsely filter communications with the particular workload; generating, from the plurality of management instructions, one or more fine rules that finely filter communications with the particular workload; allocating the coarse rules for enforcement by the network device upstream from the particular workload; and allocating the fine rules for enforcement by the host of the computing device on which the particular workload executes.

7. A method for configuring enforcement of a segmentation policy, the method comprising: obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads; generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload; obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload; determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the netwo
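The allocation criteria of claims 1, 4, 5 and 6 combined into one decision procedure, written here as an added example and not code from the patent or from Illumio. The Instruction and Workload fields, the assumed-known capacity limit of the upstream device, and the error raised when an unmanaged workload's overflow has nowhere to go are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Instruction:
    """One management instruction derived from a segmentation rule."""
    rule_id: str
    granularity: str            # "coarse" (address/port level) or "fine" (e.g. process level)
    latency_sensitive: bool = False

@dataclass
class Workload:
    name: str
    managed: bool               # True when a host enforcement module is installed
    upstream_limit: int         # instruction capacity of the upstream network device (assumed known)

def allocate(wl: Workload, instructions: List[Instruction]) -> Dict[str, List[str]]:
    """Split instructions between upstream network device and host, applying the
    criteria of claims 1, 4, 5 and 6 in turn; returns rule ids per enforcement point."""
    net: List[Instruction] = []
    host: List[Instruction] = []
    if not wl.managed:
        net = list(instructions)                  # claim 1: no host enforcement point exists
    else:
        for ins in instructions:
            if ins.latency_sensitive or ins.granularity == "coarse":
                net.append(ins)                   # claims 4 and 6: push upstream
            else:
                host.append(ins)                  # claim 6: fine rules stay on the host
    if len(net) > wl.upstream_limit:              # claim 5: honour device capacity
        overflow, net = net[wl.upstream_limit:], net[:wl.upstream_limit]
        if not wl.managed:
            # Assumption: with no host module there is nowhere to put the overflow.
            raise ValueError(f"{wl.name}: {len(overflow)} instructions cannot be enforced")
        host.extend(overflow)
    return {"network_device": [i.rule_id for i in net], "host": [i.rule_id for i in host]}

# Constructed sample: a managed database workload behind a small upstream device.
DB = Workload("db-01", managed=True, upstream_limit=2)
DB_RULES = [
    Instruction("allow-app-tier", "coarse"),
    Instruction("allow-replication", "fine", latency_sensitive=True),
    Instruction("deny-internet", "coarse"),
    Instruction("allow-backup-agent", "fine"),
]
# Constructed sample: an unmanaged appliance that has no enforcement module installed.
APPLIANCE = Workload("legacy-appliance", managed=False, upstream_limit=10)
```

For the managed sample the device takes the two highest-priority upstream rules and the overflowing coarse rule falls back to the host; for the unmanaged appliance everything lands upstream, and an undersized device is reported rather than silently leaving rules unenforced.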

Assignees

Illumio Inc

Classifications (CPC titles)

  • Policy-based network configuration management

  • Assignment of logical groups to network elements

  • Rule management

  • comprising network management agents or mobile agents therefor

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10785115B2 cover?
A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload …
Who is the assignee on this patent?
Illumio Inc
What technology area does this patent fall under?
Primary CPC classification H04L41/0893. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 22, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).