Multiple virtual network interface support for virtual execution elements
US-2020073692-A1 · Mar 5, 2020 · US
US11599380B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11599380-B2 |
| Application number | US-202117241963-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 27, 2021 |
| Priority date | Sep 25, 2018 |
| Publication date | Mar 7, 2023 |
| Grant date | Mar 7, 2023 |
Official abstract text for this publication.
A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload, thereby enabling the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility, such as quickly switching between virtual networks, and to support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.
Opening claim text (preview).
What is claimed is:
1. A computing system, comprising: one or more processors; and at least one hardware-based non-transitory computer-readable memory having computer-executable instructions stored thereon which, when executed by the one or more processors, cause the computing system to: implement a virtual machine on which a plurality of network containers is instantiated, each of the network containers encapsulating networking policies applicable to computing workloads hosted on the virtual machine, in which the computing workloads are mapped to respective network containers; associate each of the plurality of network containers with a single network interface controller (NIC) on the virtual machine, the NIC being configured to interface with a network switch; and at the network switch, process the computing workloads for each network container to enforce the networking policies using independent datapaths on the virtual machine, the processing including matching data packets in the computing workloads to one or more rules that express the networking policies, wherein the network containers are associated with a single tenant of the virtual machine, and each network container is mapped to a different virtual network, wherein the tenant is switched between virtual networks by processing the computing workloads associated with a respective mapped network container.
2. The computing system of claim 1 in which each network container is associated with a different virtual network so that the virtual machine can belong to multiple virtual networks using the single NIC, and wherein the network containers may utilize overlapping Internet Protocol (IP) addresses.
3. The computing system of claim 1 in which the network containers are associated with a plurality of tenants of the virtual machine to thereby implement multi-tenancy on the virtual machine, wherein each of the independent datapaths is associated with a respective different tenant.
4. The computing system of claim 1 in which at least one of the network containers is utilized for a current virtual network, and at least one of the network containers is utilized as a pre-provisioned virtual network.
5. The computing system of claim 1 in which networking policy is tied to discrete computing workloads that are processed by the network switch for the virtual machine, in which the network switch is a virtual switch that includes programmatically managed extensible capabilities, and which connects to the plurality of network containers and to underlying physical network infrastructure, the extensible capabilities at least including a virtual filtering platform that performs the processing using one or more match action tables.
6. The computing system of claim 1 in which the processing comprises evaluating a state of data packets in the computing workloads to enforce networking policies per network container rather than per virtual machine, in which the networking policies are expressed using one or more rules for one of access control, metering, routing, tunneling, filtering, address translation, encryption, decryption, encapsulation, de-encapsulation, or quality of service.
7. A method, comprising: implementing a virtual machine on which a plurality of network containers is instantiated, each of the network containers encapsulating networking policies applicable to computing workloads hosted on the virtual machine, in which the computing workloads are mapped to respective network containers; associating each of the plurality of network containers with a single network interface controller (NIC) on the virtual machine, the NIC being configured to interface with a network switch; and at the network switch, processing the computing workloads for each network container to enforce the networking policies using independent datapaths on the virtual machine, the processing including matching data packets in the computing workloads to one or more rules that express the networking policies, wherein the network containers are associated with a single tenant of the virtual machine, and each network container is mapped to a different virtual network, wherein the tenant is switched between virtual networks by processing the computing workloads associated with a respective mapped network container.
8. The method of claim 7 in which each network container is associated with a different virtual network so that the virtual machine can belong to multiple virtual networks using the single NIC, and wherein the network containers may utilize overlapping Internet Protocol (IP) addresses.
9. The method of claim 7 in which the network containers are associated with a plurality of tenants of the virtual machine to thereby implement multi-tenancy on the virtual machine, wherein each of the independent datapaths is associated with a respective different tenant.
10. The method of claim 7 in which at least one of the network containers is utilized for a current virtual network, and at least one of the network containers is utilized as a pre-provisioned virtual network.
11. The method of claim 7 in which networking policy is tied to discrete computing workloads that are processed by the network switch for the virtual machine, in which the network switch is a virtual switch that includes programmatically managed extensible capabilities, and which connects to the plurality of network containers and to underlying physical network infrastructure, the extensible capabilities at least including a virtual filtering platform that performs the processing using one or more match action tables.
12. The method of claim 7 in which the processing comprises evaluating a state of data packets in the computing workloads to enforce networking policies per network container rather than per virtual machine, in which the networking policies are expressed using one or more rules for one of access control, metering, routing, tunneling, filtering, address translation, encryption, decryption, encapsulation, de-encapsulation, or quality of service.
13. One or more hardware-based non-transitory computer readable memory devices storing computer-executable instructions which, upon execution by one or more processors in a computer server, cause the server to: implement a virtual machine on which a plurality of network containers is instantiated, each of the network containers encapsulating networking policies applicable to computing workloads hosted on the virtual machine, in which the computing workloads are mapped to respective network containers; associate each of the plurality of network containers with a single network interface controller (NIC) on the virtual machine, the NIC being configured to interface with a network switch; and at the network switch, process the computing workloads for each network container to enforce the networking policies using independent datapaths on the virtual machine, the processing including matching data packets in the computing workloads to one or more rules that express the networking policies, wherein the network containers are associated with a single tenant of the virtual machine, and each network container is mapped to a different virtual network, wherein the tenant is switched between virtual networks by processing the computing workloads associated with a respective mapped network container.
14. The one or more hardware-based non-transitory computer readable memory devices of claim 13 in which each network container is associated with a different virtual network so that the virtual machine can belong to multiple virtual networks using the single NIC, and wherein the network containers may utilize over
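The security-relevant point in claims 1 to 6 is that policy is enforced per network container on an independent datapath, not per virtual machine: two containers behind the same NIC may carry overlapping IP addresses (claim 2) and belong to different tenants (claim 3), so the switch must pick the datapath from the workload-to-container mapping before it ever looks at the packet's addresses, and a workload must not be able to source traffic from another container's address space. The following toy model, added here as an illustration and not taken from the patent, from Microsoft, or from any real virtual switch, shows one way such a match-action datapath could behave. All names (Rule, NetworkContainer, VirtualNic), the VNI values and the 10.0.0.0/24 addresses are invented for the example; the "encap" action stands in for the overlay encapsulation claim 6 lists.

```python
"""Toy model of per-network-container policy enforcement behind one virtual NIC.

Added illustration only: not code from the patent, from Microsoft, or from any
virtual switch. Every name here (NetworkContainer, VirtualNic, Rule, the
sample addresses and VNIs) is an invented assumption for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Rule:
    """One match-action table entry; a None match field is a wildcard."""
    action: str                     # "allow", "deny" or "encap"
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    priority: int = 100             # lower value wins, like a classic ACL

    def matches(self, pkt: Packet) -> bool:
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class NetworkContainer:
    """Networking config plus policy for one virtual network (one datapath)."""
    name: str
    tenant: str
    vni: int                        # overlay segment ID of this virtual network
    address_space: str              # may overlap with other containers' spaces
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        # Anti-spoofing: a workload may only send from its own container's
        # addresses, so it cannot impersonate a host in another container.
        if ip_address(pkt.src) not in ip_network(self.address_space):
            return "deny", None
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(pkt):
                vni = self.vni if rule.action == "encap" else None
                return rule.action, vni
        return "deny", None         # default deny when nothing matches


class VirtualNic:
    """One NIC fronting several containers; the workload map picks the datapath."""

    def __init__(self) -> None:
        self.containers: Dict[str, NetworkContainer] = {}
        self.workload_map: Dict[str, str] = {}

    def add_container(self, c: NetworkContainer) -> None:
        self.containers[c.name] = c

    def map_workload(self, workload: str, container: str) -> None:
        if container not in self.containers:
            raise KeyError(f"unknown network container {container!r}")
        self.workload_map[workload] = container

    def process(self, workload: str, pkt: Packet) -> Tuple[str, Optional[int], Optional[str]]:
        cname = self.workload_map.get(workload)
        if cname is None:
            return "deny", None, None   # an unmapped workload has no network at all
        verdict, vni = self.containers[cname].evaluate(pkt)
        return verdict, vni, cname


def build_demo_nic() -> VirtualNic:
    """Constructed sample: two tenants sharing 10.0.0.0/24 plus a pre-provisioned container."""
    nic = VirtualNic()
    nic.add_container(NetworkContainer("blue", "tenant-a", 1001, "10.0.0.0/24", [
        Rule("encap", dst_net="10.0.0.0/24", proto="tcp", dport=443, priority=10),
        Rule("deny", priority=1000),
    ]))
    nic.add_container(NetworkContainer("green", "tenant-b", 2002, "10.0.0.0/24", [
        Rule("encap", dst_net="10.0.0.0/24", proto="tcp", dport=22, priority=10),
        Rule("deny", priority=1000),
    ]))
    # Pre-provisioned: policy already loaded, no workload mapped to it yet.
    nic.add_container(NetworkContainer("blue-next", "tenant-a", 1003, "10.0.1.0/24", [
        Rule("encap", dst_net="10.0.1.0/24", priority=10),
    ]))
    nic.map_workload("web-a", "blue")
    nic.map_workload("ssh-b", "green")
    return nic


if __name__ == "__main__":
    nic = build_demo_nic()
    https = Packet("10.0.0.5", "10.0.0.9", "tcp", 443)
    print(nic.process("web-a", https))      # ('encap', 1001, 'blue')
    print(nic.process("ssh-b", https))      # ('deny', None, 'green'): same bytes, other tenant's policy
    nic.map_workload("web-a", "blue-next")  # tenant switches virtual network by remapping
    print(nic.process("web-a", https))      # ('deny', None, 'blue-next'): old source address rejected
```

The same HTTPS packet is encapsulated with VNI 1001 for the workload mapped to "blue" and dropped for the workload mapped to "green", even though both containers use the 10.0.0.0/24 space; an unmapped workload gets no datapath at all, and switching a tenant's workload to the pre-provisioned "blue-next" container takes effect on the next packet without touching the NIC. In a real deployment the equivalent of the source-address check and the default-deny rule are what keep a compromised workload in one container from reaching or spoofing another container on the same NIC, so they are the two controls worth auditing first.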
Service provisioning or reconfiguring · CPC title
Encapsulation of packets · CPC title
Logical partitioning of resources; Management or configuration of virtualized resources (specific details on emulation or internal functioning of virtual machines G06F9/455) · CPC title
Isolation or security of virtual machine instances · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title