Path analysis service for identifying network configuration settings that block paths in virtual private clouds (VPCs)

US11206175B1 · US · B1

Patent metadata

Publication number: US-11206175-B1
Application number: US-202017117930-A
Country: US
Kind code: B1
Filing date: Dec 10, 2020
Priority date: Dec 10, 2020
Publication date: Dec 21, 2021
Grant date: Dec 21, 2021

Abstract

Official abstract text for this publication.

This disclosure describes techniques for identifying blocked paths and network configuration settings that block paths in networks, such as network paths in a virtual private cloud (VPC). The configuration of virtual networks depends on the correct configuration of many networking resources, such as firewalls, security groups, routing lists, access control lists (ACLs), and the like. In some cases, an analysis that uses formal methods can be performed to determine a network configuration of a virtual network. Using the network configuration information, network paths that are blocked and network configuration settings that may be blocking one or more of the network paths can be determined. The path analysis service (PAS) can provide an explanation of what is blocking the network paths. For example, the PAS may identify that a configuration setting of a firewall, router, network gateway, an access control list (ACL), and the like may be blocking a network path.

First claim

Opening claim text (preview).

What is claimed is:

1. A system comprising: one or more processors; and one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to: receive, from a computing device of a customer of a service provider network, a request to analyze a virtual private cloud (VPC) hosted by the service provider network to identify blocked network paths between a first endpoint and a second endpoint; access network data generated by a network analysis service of the service provider network that identifies network elements within the VPC, and network paths among the network elements between the first endpoint and the second endpoint; identify a blocked network path of the network paths based at least in part on an analysis of the network data and network configuration settings associated with at least a portion of the network elements, wherein the blocked network path includes one or more first network elements that block a packet flow between the first endpoint and the second endpoint and one or more second network elements that allow the packet flow between the first endpoint and the second endpoint; identify one or more of the network configuration settings for the one or more first network elements that block the packet flow between the first endpoint and the second endpoint; generate blocked path explanation data that indicates one or more reasons as to why the blocked network path is blocked, wherein the one or more reasons include the one or more of the network configuration settings for the one or more first network elements that block the packet flow; and provide, for display on the computing device of the customer, the blocked path explanation data and path data indicating the one or more first network elements and the one or more second network elements.

2. The system of claim 1, wherein the network data includes IP addresses assigned to the network elements, and permissions associated with the network elements, wherein the permissions include one or more rules that specify what packets are blocked, what packets are unblocked, and where packets are to be routed.

3. The system of claim 1, wherein providing the blocked path explanation data comprises providing for display, to the computing device of the customer, a graphical user interface (GUI) that includes a network display area that depicts a graphical representation of the blocked network path of the VPC that indicates the one or more first network elements that are blocking the packet flow, and user interface (UI) elements that, upon selection, cause a network configuration setting for at least one of the one or more of the network configuration settings to be displayed via the GUI.

4. The system of claim 1, wherein the instructions further cause the one or more processors to receive from the computing device of the customer, data that changes the one or more of the network configuration settings to unblock the blocked network path.

5. A computer-implemented method comprising: receiving, from a computing device of a user of a service provider network, a request to analyze a network hosted by the service provider network; accessing network data that identifies network elements within the network, and one or more network paths among the network elements between a first endpoint and a second endpoint; identifying one or more blocked network paths from the one or more network paths based, at least in part, on a programmatic analysis of the network data and network configuration settings associated with at least a portion of the network elements, wherein the one or more blocked network paths include one or more first network elements that block a packet flow between the first endpoint and the second endpoint and one or more second network elements that allow the packet flow between the first endpoint and the second endpoint; identifying one or more of the network configuration settings for the one or more first network elements that block the packet flow between the first endpoint and the second endpoint; generating data that indicates one or more reasons as to why the one or more blocked network paths are blocked; and causing at least a portion of the data to be available for use by the user.

6. The computer-implemented method of claim 5, wherein generating the data comprises including the one or more of the network configuration settings for the one or more first network elements that block the packet flow between the first endpoint and the second endpoint.

7. The computer-implemented method of claim 5, wherein accessing the network data generated comprises causing a network analysis service of the service provider network to generate the network data for one or more virtual private clouds (VPCs) associated with the user, wherein the network analysis service uses a static network analysis to identify network connectivity between different network elements of the network.

8. The computer-implemented method of claim 5, further comprising receiving second data that changes at least one of the one or more of the network configuration settings that unblock the packet flow between the first endpoint and the second endpoint.

9. The computer-implemented method of claim 5, wherein causing the at least the portion of the data to be available comprises: generating a graphical user interface (GUI) that includes a display area for indicating the one or more reasons and user interface (UI) elements that, upon selection, are configured for configuring one or more of the network configuration settings for the one or more network elements of the network; and providing the GUI to the computing device of the user.

10. The computer-implemented method of claim 9, further comprising: generating a graphical representation of the one or more blocked network paths of the networks; and wherein the GUI includes the graphical representation.

11. The computer-implemented method of claim 5, wherein the network data comprises one or more of data identifying instances of the network elements that are implemented in the network, first descriptions of the network elements in the network, second descriptions of relationships among the network elements in the network, or third descriptions of interfaces to entities external to the network.

12. The computer-implemented method of claim 5, further comprising providing an application programming interface (API) that exposes functionality for analyzing the network, identifying the one or more blocked network paths, and receiving data to adjust the one or more of the network configuration settings.

13. A system comprising: one or more processors associated with a service provider network; and one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to: receive, from a computing device of a user, a request to analyze a network hosted at least in part by a service provider network; access network data that identifies network elements within the network, and one or more network paths among the network elements between a first endpoint and a second endpoint; identify one or more blocked network paths from the one or more network paths based, at least in part, on a programmatic analysis of the network data and network configuration settings associated with at least a portion of the network elements, wherein the one or more blocked network paths include one or more first network elements that block a packet flow between the first endpoint and the second endpoint and one or more secon
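An added, constructed illustration of the per-hop analysis the abstract and claim 1 describe (not the patent's or Amazon's code): a packet flow is evaluated against security-group, route-table and network-ACL settings in order, and every element whose setting blocks the flow is reported with the rule responsible, alongside the elements that allow it. The element and rule model below is an assumption, a simplified stateless view chosen for the example, not the service's actual data format.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:  # one security-group or NACL entry: action, peer CIDR, inclusive port range, protocol
    action: str
    cidr: str
    ports: tuple
    proto: str = "tcp"  # "-1" means any protocol
    def matches(self, peer_ip, port, proto):
        return (self.proto in ("-1", proto) and ip_address(peer_ip) in ip_network(self.cidr)
                and self.ports[0] <= port <= self.ports[1])

@dataclass
class FilterElement:  # security group (allow-only) or NACL (ordered allow/deny); first match wins
    name: str
    rules: list = field(default_factory=list)
    def verdict(self, flow, direction):
        peer = flow["dst"] if direction == "egress" else flow["src"]  # egress checks dst, ingress checks src
        for r in self.rules:
            if r.matches(peer, flow["port"], flow["proto"]):
                return r.action == "allow", f"{self.name} {direction}: {r.action} {r.proto}/{r.ports} {r.cidr}"
        return False, f"{self.name} {direction}: no rule matches {flow['proto']}/{flow['port']} for {peer} (implicit deny)"

@dataclass
class RouteTable:  # longest-prefix match; a missing or blackhole route blocks the path
    name: str
    routes: dict  # cidr -> target
    def verdict(self, flow, direction):
        cands = [ip_network(c) for c in self.routes if ip_address(flow["dst"]) in ip_network(c)]
        if not cands:
            return False, f"{self.name}: no route covers {flow['dst']}"
        best = max(cands, key=lambda n: n.prefixlen)
        return self.routes[str(best)] != "blackhole", f"{self.name}: {best} -> {self.routes[str(best)]}"

def analyze_path(flow, hops):  # evaluate each (element, direction) hop; explain every blocking element
    results = [(el.name, *el.verdict(flow, direction)) for el, direction in hops]
    blocking = [name for name, ok, _ in results if not ok]
    return {"blocked": bool(blocking), "blocking": blocking,
            "allowing": [name for name, ok, _ in results if ok],
            "reasons": [why for _, ok, why in results if not ok]}

# Constructed sample VPC: a web instance (10.0.1.10) talking to a database (10.0.2.20) on TCP 5432.
SG_WEB = FilterElement("sg-web", [Rule("allow", "10.0.0.0/16", (0, 65535), "-1")])
RT_WEB = RouteTable("rt-web", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0"})
NACL_DB = FilterElement("nacl-db", [Rule("deny", "10.0.1.0/24", (5432, 5432)), Rule("allow", "10.0.0.0/16", (0, 65535), "-1")])
SG_DB = FilterElement("sg-db", [Rule("allow", "10.0.1.0/24", (5432, 5432))])
FLOW = {"src": "10.0.1.10", "dst": "10.0.2.20", "port": 5432, "proto": "tcp"}
HOPS = [(SG_WEB, "egress"), (RT_WEB, "route"), (NACL_DB, "ingress"), (SG_DB, "ingress")]
```

`analyze_path(FLOW, HOPS)` reports the path as blocked by `nacl-db` alone, with the deny entry for 10.0.1.0/24 on port 5432 as the reason, while `sg-web`, `rt-web` and `sg-db` are listed as the elements that allow the flow; dropping that NACL entry makes the same call report an open path.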

Assignees

Amazon Tech Inc

Inventors

Classifications

  • Discovery or management of network topologies · CPC title

  • by reconfiguring faulty entities · CPC title

  • by checking connectivity · CPC title

  • Checking configuration conflicts between network elements · CPC title

  • by checking functioning · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11206175B1 cover?
This disclosure describes techniques for identifying blocked paths and network configuration settings that block paths in networks, such as network paths in a virtual private cloud (VPC). The configuration of virtual networks depends on the correct configuration of many networking resources, such as firewalls, security groups, routing lists, access control lists (ACLs), and the like. In some ca…
Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification: H04L43/0811. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Dec 21, 2021 (kind code B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).