Application attachment based firewall management

US11070521B2 · US · B2

Patent metadata
Publication number: US-11070521-B2
Application number: US-201715591538-A
Country: US
Kind code: B2
Filing date: May 10, 2017
Priority date: May 10, 2017
Publication date: Jul 20, 2021
Grant date: Jul 20, 2021

Abstract

Official abstract text for this publication.

Described herein are systems, methods, and software to enhance network traffic management for virtual machines. In one implementation, a network policy controller may maintain firewall rules at one or more hosts of a computing environment, wherein the firewall rules define network packet forwarding policies for application groups available to virtual machines in the environment. The network policy controller further identifies an application group for attachment to one or more virtual machines, and in response to the identification, adds the one or more virtual machines to a security group for a firewall rule corresponding to the application group.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of managing firewall rules for virtual machines in a computing environment, the method comprising: maintaining firewall rules for application groups available for attachment to the virtual machines on one or more host computing systems, wherein each firewall rule of the firewall rules defines network packet forwarding policies corresponding to an application group of the application groups, wherein each of the application groups comprises at least one application available for attachment, and wherein at least one of the application groups comprises two or more applications available for attachment; identifying an application group of the application groups for attachment to one or more virtual machines of the virtual machines, wherein the attachment of the application group comprises mounting one or more storage volumes that store the application group to the one or more virtual machines and overlaying contents of the one or more storage volumes to appear in a local disk for each of the one or more virtual machines to make the application group executable by the one or more virtual machines, and wherein the one or more storage volumes comprise one or more virtual disks; and in response to identifying the application group for attachment, adding the one or more virtual machines to a security group for a firewall rule of the firewall rules associated with the application group to apply network packet forwarding policies corresponding to the application group to communications associated with the one or more virtual machines.

2. The method of claim 1, wherein identifying the application group for attachment to the one or more virtual machines comprises receiving a notification from an application attach service that indicates the application group for attachment to the one or more virtual machines.

3. The method of claim 2 further comprising transferring a request to the application attach service for an application attachment update and wherein the notification is provided in response to the request.

4. The method of claim 1, wherein each of the application groups is stored in one or more storage volumes available for mounting to the virtual machines.

5. The method of claim 1, wherein each network packet forwarding policy comprises a source security group, a destination address, a service, and an action.

6. The method of claim 1 further comprising receiving user input defining the one or more firewall rules.

7. A computing apparatus comprising: one or more non-transitory computer readable storage media; a processing system operatively coupled to the one or more non-transitory computer readable storage media; and program instructions stored on the one or more non-transitory computer readable storage media to manage firewall rules for virtual machines in a computing environment that, when read and executed by the processing system, direct the processing system to at least: maintain firewall rules for application groups available for attachment to the virtual machines on one or more host computing systems, wherein each firewall rule of the firewall rules defines network packet forwarding policies corresponding to an application group of the application groups, wherein each of the application groups comprises at least one application available for attachment, and wherein at least one of the application groups comprises two or more applications available for attachment; identify an application group of the application groups for attachment to one or more virtual machines of the virtual machines, wherein the attachment of the application group comprises mounting one or more storage volumes that store the application group to the one or more virtual machines and overlaying contents of the one or more storage volumes to appear in a local disk for each of the one or more virtual machines to make the application group executable by the one or more virtual machines, and wherein the one or more storage volumes comprise one or more virtual disks; and in response to identifying the application group for attachment, add the one or more virtual machines to a security group for a firewall rule of the firewall rules associated with the application group to apply network packet forwarding policies corresponding to the application group to communications associated with the one or more virtual machines.

8. The computing apparatus of claim 7, wherein the program instructions to identify the application group for attachment to the one or more virtual machines direct the processing system to receive a notification from an application attach service that indicates the application group for attachment to the one or more virtual machines.

9. The computing apparatus of claim 8, wherein the program instructions further direct the processing system to transfer a request to the application attach service for an application attachment update, wherein the notification is provided in response to the request.

10. The computing apparatus of claim 7, wherein each of the application groups is stored in one or more storage volumes available for mounting to the virtual machines.

11. The computing apparatus of claim 7, wherein each network packet forwarding policy comprises a source security group, a destination address, a service, and an action.

12. The computing apparatus of claim 7, wherein the program instructions further direct the processing system to receive user input defining the one or more firewall rules.

13. An apparatus comprising: one or more non-transitory computer readable storage media; program instructions stored on the one or more non-transitory computer readable storage media to manage firewall rules for virtual machines in a computing environment that, when read and executed by a processing system, direct the processing system to at least: maintain firewall rules for application groups available for attachment to the virtual machines on one or more host computing systems, wherein each firewall rule of the firewall rules defines network packet forwarding policies corresponding to an application group of the application groups, wherein each of the application groups comprises at least one application available for attachment, and wherein at least one of the application groups comprises two or more applications available for attachment; identify an application group of the application groups for attachment to one or more virtual machines of the virtual machines, wherein the attachment of the application group comprises mounting one or more storage volumes that store the application group to the one or more virtual machines and overlaying contents of the one or more storage volumes to appear in a local disk for each of the one or more virtual machines to make the application group executable by the one or more virtual machines, and wherein the one or more storage volumes comprise one or more virtual disks; and in response to identifying the application group for attachment, add the one or more virtual machines to a security group for a firewall rule of the firewall rules associated with the application group to apply network packet forwarding policies corresponding to the application group to communications associated with the one or more virtual machines.

14. The apparatus of claim 13, wherein each of the application groups is stored in one or more storage volumes available for mounting to the virtual machines.

15. The method of claim 1, wherein overlaying the contents of the one or more storage volumes in the one or more virtual machines to make the application group executable by the one or more v
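As an added illustration, not code from the patent or from VMware, the following Python models the controller behaviour the claims describe: firewall rules kept per application group with the fields of claim 5, an attach-service notification (claim 2) that moves the named VMs into the rule's security group, and a default-deny forwarding decision. The class and method names, the detach handler, and the sample rules are assumptions made for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class FirewallRule:
    # Fields from claim 5: source security group, destination, service, action.
    app_group: str
    source_security_group: str
    destination: str   # destination address, or "any"
    service: str       # e.g. "tcp/1521"
    action: str        # "allow" or "block"

class NetworkPolicyController:
    """Hypothetical controller modelled on claim 1: rules are kept per application
    group; an attach event adds the VMs to the rule's security group."""
    def __init__(self, rules):
        self.rules = {}              # app_group -> [FirewallRule, ...]
        self.security_groups = {}    # security group name -> set of VM ids
        for r in rules:
            self.rules.setdefault(r.app_group, []).append(r)
            self.security_groups.setdefault(r.source_security_group, set())

    def on_attach_notification(self, vm_ids, app_group):
        # Notification from the application attach service (claim 2). A group with
        # no maintained rule is refused, so the VM stays on default deny.
        rules = self.rules.get(app_group)
        if not rules:
            raise KeyError(f"no firewall rule for application group {app_group!r}")
        for r in rules:
            self.security_groups[r.source_security_group].update(vm_ids)

    def on_detach_notification(self, vm_ids, app_group):
        # Assumption beyond the claims: an attachment update that removes the group
        # also removes the VMs from the security group, so membership is not stale.
        for r in self.rules.get(app_group, []):
            self.security_groups[r.source_security_group].difference_update(vm_ids)

    def decide(self, src_vm, destination, service):
        # First matching rule wins; no match means the packet is blocked.
        for r in (rule for rules in self.rules.values() for rule in rules):
            if src_vm not in self.security_groups[r.source_security_group]:
                continue
            if r.destination in ("any", destination) and r.service == service:
                return r.action
        return "block"

# Constructed sample policy: two application groups, each with its own security group.
SAMPLE_RULES = [
    FirewallRule("erp-apps", "sg-erp", "10.0.5.20", "tcp/1521", "allow"),
    FirewallRule("erp-apps", "sg-erp", "any", "tcp/25", "block"),
    FirewallRule("office-apps", "sg-office", "10.0.9.9", "tcp/443", "allow"),
]
```

A VM that was never attached, or that was detached, matches no security group and therefore falls through to the blocking default.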

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0263. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 20, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).