US20220191102A1 - Network Reachability Impact Analysis - Google Patents
- Publication number: US20220191102A1 (US 2022/0191102 A1); application US17/117,376
- Authority: US (United States)
- Prior art keywords: network, reachability, network configuration, graph, configuration snapshot
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
All classifications fall under H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  - H04L41/14—Network analysis or design > H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
  - H04L41/12—Discovery or management of network topologies
  - H04L41/08—Configuration management of networks or network elements
    - H04L41/0803—Configuration setting > H04L41/0813—Configuration setting characterised by the conditions triggering a change of settings > H04L41/082—Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
    - H04L41/0803—Configuration setting > H04L41/084—Configuration by using pre-existing information, e.g. using templates or copying from other elements > H04L41/0846—Configuration by using pre-existing information, e.g. using templates or copying from other elements based on copy from other elements
    - H04L41/085—Retrieval of network configuration; Tracking network configuration history
    - H04L41/085—Retrieval of network configuration; Tracking network configuration history > H04L41/0853—Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
- H04L43/00—Arrangements for monitoring or testing data switching networks > H04L43/04—Processing captured monitoring data, e.g. for logfile generation > H04L43/045—Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
- H04L47/00—Traffic control in data switching networks > H04L47/70—Admission control; Resource allocation > H04L47/82—Miscellaneous aspects
Definitions
- This disclosure relates to reachability impact analysis of a cloud network.
- a virtual private cloud is an on-demand configurable pool of shared computing resources allocated within a public cloud environment.
- the VPC provides isolation for a user from other cloud users.
- the VPC may execute one or more virtual machines (VMs) which may communicate with the user's on-premises network or other remote resources via a virtual private network (VPN).
- Due to the potential scale and complexity of the VPC, which may include any number of VMs, network gateways, load balancers, etc., significant network configuration is often necessary to operate and maintain the VPC.
- the method includes receiving, at data processing hardware, a plurality of network configuration snapshots for a network.
- the method also includes selecting, by the data processing hardware, a first network configuration snapshot of the network and a second network configuration snapshot of the network.
- the method further includes generating, by the data processing hardware, a first reachability graph representing packet reachability of the network for the first network configuration snapshot.
- the method also includes generating, by the data processing hardware, a second reachability graph representing packet reachability of the network for the second network configuration snapshot.
- the method also includes computing, by the data processing hardware, a reachability differentiation graph identifying a net change to reachability from the first reachability graph to the second reachability graph.
- the method further includes generating, by the data processing hardware, a reachability differentiation report including a human-interpretable output of the net change to reachability.
- Implementations of the disclosure may include one or more of the following optional features.
- generating the reachability differentiation report further includes translating, by the data processing hardware, the reachability differentiation graph from a computer-interpretable format to the human-interpretable output.
- each of the plurality of network configuration snapshots includes a data plane model protocol taken at a respective time instance.
- selecting the first network configuration snapshot and the second network configuration snapshot may include comparing, by the data processing hardware, the data plane model protocols of consecutive network configuration snapshots.
- selecting the first network configuration snapshot and the second network configuration snapshot includes, when a first data plane model protocol of a first one of the consecutive network configuration snapshots is different than a second data plane model protocol of a second one of the consecutive network configuration snapshots, selecting, by the data processing hardware, the first one of the consecutive network configuration snapshots as the first network configuration snapshot and the second one of the consecutive network configuration snapshots as the second network configuration snapshot.
- the method further includes computing, by the data processing hardware, one or more packet equivalence classes for the first network configuration snapshot and the second network configuration snapshot, each of the one or more packet equivalence classes including a set of packets having the same forwarding behavior.
- the method further includes assigning, by the data processing hardware, the one or more packet equivalence classes to the first reachability graph, and assigning, by the data processing hardware, the one or more packet equivalence classes to the second reachability graph.
- computing the reachability differentiation graph includes identifying a net change to network equivalence classes from the first reachability graph to the second reachability graph.
- generating the first reachability graph and the second reachability graph includes generating, by the data processing hardware, a directed graph including two or more nodes and one or more edges connecting each of the two or more nodes.
- generating the directed graph may include associating, by the data processing hardware, each of the two or more nodes to a network endpoint and associating each of the one or more edges to a network forwarding route from one network endpoint to another network endpoint.
- the system includes data processing hardware and memory hardware in communication with the data processing hardware.
- the memory hardware stores instructions that when executed on the data processing hardware cause the data processing hardware to perform operations.
- One operation includes receiving a plurality of network configuration snapshots for a network.
- Another operation includes selecting a first network configuration snapshot of the network and a second network configuration snapshot of the network.
- the operations further include generating a first reachability graph representing packet reachability of the network for the first network configuration snapshot.
- Another operation includes generating a second reachability graph representing packet reachability of the network for the second network configuration snapshot.
- the operations further include computing a reachability differentiation graph identifying a net change to reachability from the first reachability graph to the second reachability graph, and generating a reachability differentiation report including a human-interpretable output of the net change to reachability.
- generating the reachability differentiation report further includes translating the reachability differentiation graph from a computer-interpretable format to the human-interpretable output.
- each of the plurality of network configuration snapshots includes a data plane model protocol taken at a respective time instance.
- selecting the first network configuration snapshot and the second network configuration snapshot may further include comparing the data plane model protocols of consecutive network configuration snapshots.
- selecting the first network configuration snapshot and the second network configuration snapshot includes, when a first data plane model protocol of a first one of the consecutive network configuration snapshots is different than a second data plane model protocol of a second one of the consecutive network configuration snapshots, selecting the first one of the consecutive network configuration snapshots as the first network configuration snapshot and the second one of the consecutive network configuration snapshots as the second network configuration snapshot.
- the operations further include computing one or more packet equivalence classes for the first network configuration snapshot and the second network configuration snapshot, each of the one or more packet equivalence classes including a set of packets having the same forwarding behavior.
- the operations further include assigning the one or more packet equivalence classes to the first reachability graph and assigning the one or more packet equivalence classes to the second reachability graph.
- computing the reachability differentiation graph includes identifying a net change to network equivalence classes from the first reachability graph to the second reachability graph.
- generating the first reachability graph and the second reachability graph includes generating a directed graph including two or more nodes and one or more edges connecting each of the two or more nodes.
- generating the directed graph includes associating each of the two or more nodes to a network endpoint and associating each of the one or more edges to a network forwarding route from one network endpoint to another network endpoint.
- FIG. 1 is a schematic view of an example system for performing network reachability impact analysis.
- FIG. 2 is a schematic view of exemplary components of a virtual machine of the system of FIG. 1 .
- FIG. 3 is a schematic view of an example system for performing network reachability impact analysis.
- FIG. 4 is a schematic view of an example system for performing network reachability impact analysis.
- FIG. 5 is a flowchart of an example arrangement of operations for a method of performing cloud network reachability analysis.
- FIG. 6 is a schematic view of an example computing device that may be used to implement the systems and methods described herein.
- a virtual private cloud is an on-demand configurable pool of shared computing resources allocated within a public cloud environment to provide isolation for a user from other cloud users. This isolation may occur through allocation of private Internet Protocol (IP) subnets and/or virtual communication constructs.
- the VPC may execute one or more virtual machines (VMs) which may communicate with the user's on-premises network or other remote resources via a virtual private network (VPN) to ensure secure access to the VPC environment.
- Implementations herein are directed toward a cloud reachability impact analyzer that allows a user to understand the impact that changes to the configuration of the network will have on packet reachability within the network.
- the cloud reachability impact analyzer generates directed graphs representing network reachability for two network configuration snapshots.
- the cloud reachability impact analyzer then performs a reachability analysis on the graphs to identify changes to reachability caused by the network configuration changes between the two network configuration snapshots.
- the cloud reachability impact analyzer allows the user to verify how a network configuration change will affect packet reachability relative to a previous network configuration.
- an example system 10 includes a user device 20 associated with a respective user 12 and in communication with a cloud network 200 via a network 30 (e.g., the Internet) and an on-premises network 40 (i.e., the local network that the user device 20 uses to connect to the network 30 ).
- the on-premises network 40 includes a network gateway 42 (e.g., a router) that serves as the forwarding host for the on-premises network 40 .
- the user device 20 may correspond to any computing device, such as a desktop workstation, a laptop workstation, or a mobile device (e.g., a smart phone or tablet).
- the user device 20 includes computing resources 22 (e.g., data processing hardware) and/or storage resources 24 (e.g., memory hardware).
- the cloud network 200 may be a single computer, multiple computers, or a distributed system (e.g., a cloud environment) having scalable/elastic resources 202 including computing resources 204 (e.g., data processing hardware) and/or storage resources 206 (e.g., memory hardware).
- the cloud network 200 is configured to implement and execute one or more virtual machines (VMs) 250 , 250 a - n .
- One or more of the VMs execute securely in a virtual private cloud (VPC) environment or VPC 208 associated with or operated by the user 12 .
- the VPC 208 may include a variety of other network elements, such as load balancers, gateways, front ends, and back ends.
- the distributed system 200 includes a collection 210 of resources 110 (e.g., hardware resources 110 h ), a virtual machine monitor (VMM) 220 , a VM layer 240 executing one or more of the VMs 250 , and an application layer 260 .
- Each hardware resource 110 h may include one or more physical central processing units (pCPU) 204 (“physical processor 204 ”) and memory hardware 206 . While each hardware resource 110 h is shown having a single physical processor 204 , any hardware resource 110 h may include multiple physical processors 204 .
- An operating system 212 may execute on the collection 210 of resources 110 .
- the VMM 220 corresponds to a hypervisor 220 (e.g., a Compute Engine) that includes at least one of software, firmware, or hardware configured to create and execute the VMs 250 .
- the VMM 220 or hypervisor is configured to provide each VM 250 a corresponding guest operating system (OS) 212 g having a virtual operating platform and manage execution of the corresponding guest OS 212 g on the VM 250 .
- each VM 250 may be referred to as an “instance” or a “VM instance”.
- multiple instances of a variety of operating systems may share virtualized resources. For instance, a first VM 250 of the Linux® operating system, a second VM 250 of the Windows® operating system, and a third VM 250 of the OS X® operating system may all run on a single physical x86 machine.
- the VM layer 240 includes one or more virtual machines 250 .
- the distributed system 200 enables the user 12 to launch VMs 250 on demand.
- a VM 250 emulates a real computer system and operates based on the computer architecture and functions of the real computer system or a hypothetical computer system, which may involve specialized hardware, software, or a combination thereof.
- the distributed system 200 authorizes and authenticates the user 12 before launching the one or more VMs 250 .
- An instance of software, or simply an instance refers to a VM 250 hosted on (executing on) the data processing hardware 204 of the distributed system 200 .
- Each VM 250 may include one or more virtual central processing units (vCPUs) 252 (“virtual processor”).
- a first virtual machine 250 a includes a first set 252 a of one or more virtual processors 252 and a second virtual machine 250 b includes a second set 252 b of one or more virtual processors 252 . While the second set 252 b is shown as only including one virtual processor 252 , any number of virtual processors 252 is possible.
- Each virtual processor 252 emulates one or more physical processors 204 .
- the application layer 260 includes software resources 110 s , 100 sa , 110 sb (software applications) that may execute on the virtual machine(s) 250 .
- each instance of software includes at least one virtual storage device 254 that provides volatile and non-volatile storage capacity for the service on the physical memory hardware 206 .
- the storage capacity on the physical memory hardware 206 can include persistent disks (PD) that store data for the user 12 across several physical disks (e.g., memory regions 620 ( FIG. 9 ) of the memory hardware 206 ) or random access memory (RAM) to provide volatile memory.
- each virtual storage device 254 of a corresponding VM 250 moves data in sequences of bytes or bits (blocks) to an associated physical block storage volume V on the memory hardware 206 to provide non-volatile storage.
- a virtual storage device 254 of a corresponding VM instance 250 provides a storage capacity that maps to corresponding physical block storage volumes V on the memory hardware 206 .
- the virtual storage devices 254 support random access to the data on the memory hardware 206 and generally use buffered I/O. Examples include hard disks, CD-ROM drives, and flash drives. Similarly, portions of volatile memory (e.g., RAM) of physical memory hardware 206 may be divided across the virtual storage devices 254 .
- a kernel is a computer program that is the core of the operating system with full access and control over the OS. That is, the kernel is an intermediary between applications 110 s and the hardware resources 110 h of the host machine. Most modern computing systems segregate virtual memory into protected kernel space and user space 216 g . The kernel typically remains in volatile memory within the protected kernel space and is isolated from user space 216 g . To increase safety and reliability, applications 110 s and other software services typically execute in the guest user space 216 g and lack the privileges necessary to interact with the protected kernel space.
- the cloud network 200 executes a cloud reachability impact analyzer 300 for analyzing network configuration snapshots 304 , 304 a - 304 n of the cloud network 200 to determine differences in packet reachability between two consecutive network configuration snapshots 304 , 304 a - 304 n .
- the cloud reachability impact analyzer 300 then generates a human-interpretable differentiation report 352 identifying the differences in packet reachability between the analyzed configuration snapshots 304 and presents the differentiation report 352 to the user 12 via the user device 20 .
- the analyzer 300 determines whether changes to the network 208 result in a policy violation that affects reachability, and localizes the configuration stanza responsible for the policy violation.
- the cloud reachability impact analyzer 300 continuously receives or obtains the network configuration snapshots 304 , 304 a - 304 n from the cloud network 200 .
- the network configuration snapshots 304 are provided by the cloud network 200 in a format of a data plane model protocol 306 including network configuration information.
- the cloud network 200 may execute a data plane modeler 302 that obtains the network configuration information from network components of the VPC 208 and includes, for example, routes between network resources (e.g., VMs, load balancers, network gateways, etc.) of the VPC 208 , subnets, firewall rules, and/or ports or interfaces for directing a data packet within the VPC 208 and/or between the VPC 208 and other networks (e.g., other VPCs and/or the on-premises network 40 ).
- the network configuration snapshots 304 include a first network configuration snapshot 304 a including a first data plane model protocol 306 a of the VPC 208 at a first time instance, a second network configuration snapshot 304 b including the first data plane model protocol 306 a of the VPC 208 at a second time instance immediately subsequent to the first time instance, a third network configuration snapshot 304 c including a second data plane model protocol 306 b of the VPC 208 at a third time instance immediately subsequent to the second time instance, and a plurality of subsequent configuration snapshots 304 n including data plane model protocols 306 n taken at time instances following the third time instance.
- Consecutive ones of the network configuration snapshots 304 may include the same data plane model protocol 306 when the network configuration is not changed from one time instance to the next.
- the first network configuration snapshot 304 a and the second network configuration snapshot 304 b include the same first data plane model protocol 306 a associated with an unchanged network configuration at the first and second time instances.
- subsequent ones of the network configuration snapshots 304 may include different data plane model protocols 306 when the network configuration is changed between time instances.
- a change 26 a , 26 b to a configuration or state of the VPC 208 is incorporated between the second network configuration snapshot 304 b associated with the second time instance and the third network configuration snapshot 304 c associated with the third time instance.
- the third network configuration snapshot 304 c has a different data plane model protocol 306 b than the data plane model protocol 306 a of the immediately preceding network configuration snapshot 304 b.
- Examples of network changes 26 a , 26 b include a user change 26 a implemented by the user 12 via the user device 20 or a system change 26 b caused by the cloud network 200 .
- User changes 26 a may include pending changes proposed by the user 12 or changes that have already been deployed.
- System changes 26 b may include automated configuration changes incorporated by network monitoring applications and/or network state changes associated with involuntary changes in the VPC 208 (e.g., an operational state going down).
- the changes 26 a , 26 b are shown as being incorporated between the illustrated second and third network configuration snapshots 304 b , 304 c in FIG. 1 .
- the actual changes 26 a , 26 b are implemented within the network 208 , upstream of the data plane modeler 302 .
- the second network configuration snapshot 304 b includes the pre-change first data plane model protocol 306 a and the third network configuration snapshot 304 c includes the post-change second data plane model protocol 306 b.
- the cloud reachability impact analyzer receives the network configuration snapshots 304 b , 304 c including the pre-change first data plane model protocol 306 a and the post-change second data plane model protocol 306 b and generates the human-interpretable differentiation report 352 identifying changes to forwarding behavior between the two network configuration snapshots 304 b , 304 c .
- Human-interpretable format includes providing descriptions of the changes to the forwarding behavior using written representations of the differences in network topologies.
- the differentiation report 352 may include text describing that one of the VMs 250 has become unreachable in the third network configuration snapshot 304 c , or that prefix 10.0.0.0/24 goes to a VPN tunnel in the second network configuration snapshot 304 b and to a subnet in the third network configuration snapshot 304 c.
- the cloud reachability impact analyzer 300 includes an optional snapshot selector 310 configured to extract consecutive network configuration snapshots 304 from the data plane modeler 302 .
- the cloud reachability impact analyzer 300 also includes a packet equivalence classifier 320 that computes packet equivalences for each of the selected consecutive network configuration snapshots 304 .
- the cloud reachability impact analyzer 300 further includes a graph generator 330 that creates a reachability graph 332 a , 332 b corresponding to each of the selected network configuration snapshots 304 .
- a graph analyzer 340 receives and compares the reachability graphs 332 a , 332 b to generate a differentiation graph 342 .
- the cloud reachability impact analyzer 300 further includes a graph interpreter 350 that evaluates the differentiation graph 342 and generates the human-interpretable differentiation report 352 .
- FIG. 4 shows a more detailed schematic illustrating the configuration and operation of the cloud reachability impact analyzer 300 .
- the cloud reachability impact analyzer 300 receives or obtains a continuous feed of the network configuration snapshots 304 from the cloud network 200 . More specifically, when included, the snapshot selector 310 continuously receives and compares the network configuration snapshots 304 to determine when one or more changes 26 a , 26 b have been implemented in the VPC 208 .
- the snapshot selector 310 executes a first comparison between the first network configuration snapshot 304 a and the second network configuration snapshot 304 b and does not determine that any changes 26 a , 26 b have been implemented, as both snapshots 304 a , 304 b include the same data plane model protocol 306 a .
- the snapshot selector 310 executes a second comparison between the second network configuration snapshot 304 b and the third network configuration snapshot 304 c and identifies that the one or more changes 26 a , 26 b have been implemented in the third network configuration snapshot 304 c , because the second network configuration snapshot 304 b includes a data plane model protocol 306 a that differs from the data plane model protocol 306 b of the third network configuration snapshot 304 c .
- the snapshot selector 310 selects the second network configuration snapshot 304 b immediately preceding the change 26 a , 26 b and the third network configuration snapshot 304 c including the change 26 a , 26 b.
- While the snapshot selector 310 may automatically select the network configuration snapshots 304 , as described here, in other examples the snapshot selector 310 may receive instructions for selecting the network configuration snapshots 304 b , 304 c from the user device 20 or the cloud network 200 in conjunction with one of the changes 26 a , 26 b being implemented. For instance, the user 12 or the cloud network 200 may provide instructions to the snapshot selector 310 including information identifying the consecutive network configuration snapshots 304 b , 304 c and/or the time instances associated with the change 26 a , 26 b.
- the packet equivalence classifier 320 receives the selected network configuration snapshots 304 b , 304 c from the snapshot selector 310 and computes packet equivalence classes for each of the network configuration snapshots 304 b , 304 c .
- a packet equivalence class EC, EC1-EC6 represents a set of packets that have the same forwarding behavior with respect to all configuration rules of both of the network configuration snapshots 304 b , 304 c .
- the illustrated examples of the network configuration snapshots 304 b , 304 c include a total of six of the equivalence classes EC1-EC6.
- the packet equivalence classifier 320 may compile the computed equivalence classes EC1-EC6 into a first subgroup 322 a associated with the second network configuration snapshot 304 b and a second subgroup 322 b associated with the third network configuration snapshot 304 c.
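The following Python program is an added illustration of the packet equivalence classifier described here (and of the equivalence-class computation in the method summary above); it is not code from the patent or from any Google product. It assumes a deliberately small packet model: a packet is a destination IPv4 address plus a destination port, a rule of a snapshot matches a destination prefix and an inclusive port range and names a forwarding action, rule names are unique across both snapshots, and a snapshot uses first-match semantics with a "default" behavior when nothing matches. The two sample snapshots, their rule names and prefixes are constructed so that the 10.0.0.0/24 prefix goes to a VPN tunnel before the change and to a subnet after it, as in the report example above.

```python
"""Packet equivalence classes (ECs) computed across two configuration snapshots.

An EC is a set of packets that every rule of BOTH snapshots treats alike.  The
header space is cut at every rule boundary into cells; inside a cell each rule
either matches all packets or none, so cells can be grouped by the tuple of
rules that match them.  Each distinct tuple is one EC.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import Iterable

Cell = tuple[int, int, int, int]            # [ip_lo, ip_hi) x [port_lo, port_hi)


@dataclass(frozen=True)
class Rule:
    name: str                               # assumed unique across both snapshots
    dst_prefix: str                         # e.g. "10.0.0.0/24"
    port_lo: int                            # inclusive
    port_hi: int                            # inclusive
    action: str                             # "vpn", "subnet", "allow", ...

    def ip_bounds(self) -> tuple[int, int]:
        net = ipaddress.ip_network(self.dst_prefix, strict=False)
        return int(net.network_address), int(net.broadcast_address) + 1

    def covers(self, cell: Cell) -> bool:
        """True when the rule matches every packet of the cell."""
        ip_lo, ip_hi = self.ip_bounds()
        a, b, c, d = cell
        return ip_lo <= a and b <= ip_hi and self.port_lo <= c and d <= self.port_hi + 1


def header_space_cells(rules: Iterable[Rule]) -> list[Cell]:
    """Cut the (ip, port) space at every rule boundary of every rule."""
    ip_cuts, port_cuts = {0, 2**32}, {0, 65536}
    for r in rules:
        lo, hi = r.ip_bounds()
        ip_cuts.update((lo, hi))
        port_cuts.update((r.port_lo, r.port_hi + 1))
    ips, ports = sorted(ip_cuts), sorted(port_cuts)
    return [(a, b, c, d)
            for (a, b), (c, d) in product(zip(ips, ips[1:]), zip(ports, ports[1:]))]


def equivalence_classes(snap_a: list[Rule], snap_b: list[Rule]) -> dict[tuple[str, ...], list[Cell]]:
    """Map each EC (the tuple of matching rules from both snapshots) to its cells."""
    rules = snap_a + snap_b
    classes: dict[tuple[str, ...], list[Cell]] = {}
    for cell in header_space_cells(rules):
        signature = tuple(r.name for r in rules if r.covers(cell))
        classes.setdefault(signature, []).append(cell)
    return classes


def classify(dst_ip: str, dst_port: int, classes: dict[tuple[str, ...], list[Cell]]) -> tuple[str, ...]:
    """Return the EC signature a concrete packet belongs to."""
    ip = int(ipaddress.ip_address(dst_ip))
    for signature, cells in classes.items():
        if any(a <= ip < b and c <= dst_port < d for a, b, c, d in cells):
            return signature
    raise ValueError("cells partition the whole header space; this cannot happen")


def behavior(signature: tuple[str, ...], snapshot: list[Rule]) -> str:
    """Forwarding behavior of an EC under one snapshot (first match in rule order)."""
    for r in snapshot:
        if r.name in signature:
            return r.action
    return "default"                        # assumed behavior when no rule matches


# Constructed sample snapshots (pre-change and post-change).
SNAPSHOT_B = [
    Rule("b:vpn-route", "10.0.0.0/24", 0, 65535, "vpn"),
    Rule("b:allow-ssh", "10.1.0.0/16", 22, 22, "allow"),
]
SNAPSHOT_C = [
    Rule("c:subnet-route", "10.0.0.0/24", 0, 65535, "subnet"),
    Rule("c:allow-ssh", "10.1.0.0/16", 22, 22, "allow"),
    Rule("c:allow-web", "10.1.0.0/16", 80, 80, "allow"),
]

if __name__ == "__main__":
    ecs = equivalence_classes(SNAPSHOT_B, SNAPSHOT_C)
    for i, sig in enumerate(ecs, 1):
        print(f"EC{i}: rules={sig or '(none)'} "
              f"before={behavior(sig, SNAPSHOT_B)} after={behavior(sig, SNAPSHOT_C)}")
```

Because the signature is taken over the rules of both snapshots, an EC never straddles a boundary that either configuration cares about, which is what lets the analyzer compare forwarding behavior per EC rather than per packet. The cell count grows as the product of the distinct prefix and port boundaries, so a production classifier would merge adjacent cells or use a decision-diagram representation, but the partition it produces is the same.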
- the graph generator 330 receives the equivalence class subgroups 322 a , 322 b including the computed equivalence classes EC1-EC6 and builds reachability graphs 332 a , 332 b representing routing of the equivalence classes EC1-EC6 relative to the network topologies associated with each of the respective network configuration snapshots 304 b , 304 c .
- each of the reachability graphs 332 a , 332 b includes a directed graph 332 having a plurality of nodes 334 , 334 a - 334 c and edges 336 , 336 a - 336 f .
- Each of the nodes 334 represents a network endpoint associated with a network resource, such as a VM 250 or a network gateway 42 .
- Each of the edges 336 represents a forwarding route from one of the nodes 334 to another one of the nodes 334 .
- the network reachability graphs 332 a , 332 b each represent a network topology including a gateway node 334 a , a first VM node 334 b , and a second VM node 334 c.
- Each node 334 a - 334 c is connected to each other node 334 a - 334 c by an edge 336 a - 336 f representing a forwarding route from one endpoint to another.
- a first edge 336 a represents a forwarding route from the gateway node 334 a to the first VM node 334 b
- a second edge 336 b represents a forwarding route from the gateway node 334 a to the second VM node 334 c
- a third edge 336 c represents a forwarding route from the first VM node 334 b to the gateway node 334 a
- a fourth edge 336 d represents a forwarding route from the second VM node 334 c to the gateway node 334 a
- a fifth edge 336 e represents a forwarding route from the first VM node 334 b to the second VM node 334 c
- a sixth edge 336 f represents a forwarding route from the
- the graph generator 330 uses the reachability graphs 332 a , 332 b to model which of the equivalence classes EC1-EC6 are allowed to travel through each edge for each reachability graph 332 a , 332 b .
- the graph generator 330 assigns each of the equivalence classes EC1-EC6 to respective ones of the edges 336 a - 336 f that the equivalence class EC1-EC6 is allowed to travel along.
- assignments are illustrated by labeling each edge 336 a - 336 c with the corresponding equivalence classes EC1-EC6 that are allowed to travel along the edge 336 a - 336 c.
- the reachability graphs 332 a , 332 b created by the graph generator 330 are forwarded to the graph analyzer 340 , which evaluates the reachability graphs 332 a , 332 b to determine an impact to reachability between the two reachability graphs 332 a , 332 b .
- the graph analyzer 340 compares the reachability graphs 332 a , 332 b to identify differences in reachability between each of the nodes 334 a - 334 c caused by implementing the changes 26 a , 26 b .
- the graph analyzer 340 models the reachability impact as a differentiation graph 342 including the same nodes 334 a - 334 c and edges 336 a - 336 f as the reachability graphs 332 a , 332 b .
- the reachability impact analyzer 340 then computes a net change (e.g., addition/removal of equivalence classes) for each edge 336 a - 336 f to determine the impact to reachability from the second network configuration snapshot 304 b to the third network configuration snapshot 304 c.
- the differentiation graph 342 shows that reachability along the first and second edges 336 a , 336 b corresponding to the forwarding paths from the gateway node 334 a to each of the VM nodes 334 b , 334 c is unchanged between the first reachability graph 332 a and the second reachability graph 332 b .
- the differentiation graph 342 shows that the remaining edges 336 c - 336 f each include changes corresponding to added or removed allowances of equivalence classes EC1-EC6.
- the fourth equivalence class EC4 is added (+EC4) to the third edge 336 c and removed (−EC4) from the fifth edge 336 e , representing that the fourth equivalence class EC4 can now travel to (i.e., reach) the gateway node 334 a from the first VM node 334 b , but cannot travel to (i.e., reach) the second VM node 336 c from the first VM node 334 b .
- the second equivalence class EC2 is added (+EC2) to the sixth edge 336 f and deleted (−EC2) from the fourth edge 336 d , representing that the second equivalence class EC2 is allowed to travel to (i.e., reach) the first VM node 334 b from the second VM node 334 c and cannot travel to (i.e., reach) the gateway node 334 a from the second VM node 334 c.
- the graph interpreter 350 receives the differentiation graph 342 from the graph analyzer 340 and translates the graphical representation of the reachability changes +/−EC2, +/−EC4 into the human-interpretable differentiation report 352 .
- the graph interpreter 350 translates the reachability changes +/−EC2, +/−EC4 of the directed graph into a text-based differentiation report 352 identifying the impact of the changes 26 a , 26 b on reachability.
- the graph interpreter 350 analyzes the reachability changes +/−EC2, +/−EC4 relative to one or more network intentions identified by the user 12 .
- the graph interpreter 350 may highlight or identify specific ones of the reachability changes +/−EC2, +/−EC4 that will impact the user intention for the network.
- a network user 12 can determine whether changes 26 a , 26 b to a network topology of a VPC 208 should be implemented. Where the impact on reachability is unintended and/or unacceptable, the user 12 may decline the changes 26 a , 26 b or revert the network configuration to a state prior to the change 26 a , 26 b .
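The edge-labelled graphs, the per-edge net change and the text report described above, as an added example that is not part of the patent or any product it describes. The node names (gw, vm1, vm2), the equivalence-class labels on each edge, and the intent tuples are constructed sample values; only the four net changes (+EC4/−EC4, +EC2/−EC2) follow the description, the rest is filler chosen so that those changes fall out of the diff.

```python
"""Reachability differentiation graph and human-readable report (added example)."""
from typing import Dict, FrozenSet, List, Tuple

Edge = Tuple[str, str]                      # (source node, destination node)
ReachGraph = Dict[Edge, FrozenSet[str]]     # edge -> equivalence classes allowed on it

# Node names mirror the three-node topology of the description (constructed).
NODE_NAMES = {"gw": "gateway node", "vm1": "first VM node", "vm2": "second VM node"}

# Constructed edge labels for the two snapshots; only the net changes
# (+EC4/-EC4, +EC2/-EC2) follow the description, the rest is filler.
GRAPH_BEFORE: ReachGraph = {
    ("gw", "vm1"): frozenset({"EC1", "EC2"}),   # edge a
    ("gw", "vm2"): frozenset({"EC1", "EC3"}),   # edge b
    ("vm1", "gw"): frozenset({"EC1"}),          # edge c
    ("vm2", "gw"): frozenset({"EC2"}),          # edge d
    ("vm1", "vm2"): frozenset({"EC4", "EC5"}),  # edge e
    ("vm2", "vm1"): frozenset({"EC6"}),         # edge f
}
GRAPH_AFTER: ReachGraph = {
    ("gw", "vm1"): frozenset({"EC1", "EC2"}),   # unchanged
    ("gw", "vm2"): frozenset({"EC1", "EC3"}),   # unchanged
    ("vm1", "gw"): frozenset({"EC1", "EC4"}),   # +EC4
    ("vm2", "gw"): frozenset(),                 # -EC2
    ("vm1", "vm2"): frozenset({"EC5"}),         # -EC4
    ("vm2", "vm1"): frozenset({"EC6", "EC2"}),  # +EC2
}

DiffGraph = Dict[Edge, Tuple[FrozenSet[str], FrozenSet[str]]]  # edge -> (added, removed)


def differentiation_graph(before: ReachGraph, after: ReachGraph) -> DiffGraph:
    """Net change per edge. An edge absent from one snapshot carries no classes there."""
    diff: DiffGraph = {}
    for edge in sorted(set(before) | set(after)):
        old = before.get(edge, frozenset())
        new = after.get(edge, frozenset())
        added, removed = new - old, old - new
        if added or removed:          # unchanged edges are left out of the diff graph
            diff[edge] = (added, removed)
    return diff


def differentiation_report(diff: DiffGraph) -> List[str]:
    """Translate the +/-EC edge labels into one sentence per change."""
    lines = []
    for (src, dst), (added, removed) in diff.items():
        for ec in sorted(added):
            lines.append(f"+{ec}: {ec} can now reach the {NODE_NAMES[dst]} "
                         f"from the {NODE_NAMES[src]}")
        for ec in sorted(removed):
            lines.append(f"-{ec}: {ec} can no longer reach the {NODE_NAMES[dst]} "
                         f"from the {NODE_NAMES[src]}")
    return lines


def intent_violations(diff: DiffGraph, intents) -> List[str]:
    """Flag changes that contradict a stated network intention.

    Each intent is (ec, src, dst, must_reach): True means the class has to keep
    reaching dst from src; False means that path must stay blocked, so a newly
    opened path is reported as an unintended exposure.
    """
    violations = []
    for ec, src, dst, must_reach in intents:
        added, removed = diff.get((src, dst), (frozenset(), frozenset()))
        if must_reach and ec in removed:
            violations.append(f"{ec} {src}->{dst} was required to stay reachable but is now blocked")
        if not must_reach and ec in added:
            violations.append(f"{ec} {src}->{dst} was required to stay blocked but is now reachable")
    return violations


if __name__ == "__main__":
    diff = differentiation_graph(GRAPH_BEFORE, GRAPH_AFTER)
    print("\n".join(differentiation_report(diff)))
    print(intent_violations(diff, [("EC2", "vm2", "gw", True), ("EC4", "vm1", "vm2", False)]))
```

Edges a and b drop out of the diff because their label sets are identical in both snapshots; the report lists only the four edges with a net change, and the intent check turns the same diff into a pass/fail decision a reviewer can act on before the change reaches the production VPC.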
- the reachability impact analyzer 300 may be implemented in conjunction with a network change simulator to model and analyze reachability impact prior to the change 26 a , 26 b being implemented on the production VPC 208 .
- FIG. 5 is a flowchart of an exemplary arrangement of operations for a method 500 of performing cloud network reachability impact analysis.
- the method 500 includes, at operation 502 , receiving, at data processing hardware 202 , a plurality of network configuration snapshots 304 , 304 a - 304 n for a network 208 .
- the network configuration snapshots 304 , 304 a - 304 n include data plane model protocols 306 , 306 a - 306 n .
- the method 500 includes selecting a first network configuration snapshot 304 b and a second network configuration snapshot 304 c of the network 208 .
- the method 500 may also include computing, at operation 506 , packet equivalence classes for each of the first network snapshot and the second network snapshot.
- the method 500 also includes, at operation 508 , generating a first reachability graph 332 a representing packet reachability of the network 208 for the first network configuration snapshot 304 b .
- the method 500 includes generating a second reachability graph 332 b representing packet reachability of the network 208 for the second network configuration snapshot 304 c .
- the method 500 also includes, at operation 512 , computing a reachability differentiation graph 342 that identifies net change to reachability from the first reachability graph 332 a to the second reachability graph 332 b .
- the method 500 includes generating a differentiation report 352 including human-interpretable output representing a net change to reachability.
- FIG. 6 is a schematic view of an example computing device 600 that may be used to implement the systems and methods described in this document.
- the computing device 600 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers.
- the components shown here, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed in this document.
- the computing device 600 includes a processor 610 , memory 620 , a storage device 630 , a high-speed interface/controller 640 connecting to the memory 620 and high-speed expansion ports 650 , and a low speed interface/controller 660 connecting to a low speed bus 670 and a storage device 630 .
- Each of the components 610 , 620 , 630 , 640 , 650 , and 660 is interconnected using various busses, and may be mounted on a common motherboard or in other manners as appropriate.
- the processor 610 can process instructions for execution within the computing device 600 , including instructions stored in the memory 620 or on the storage device 630 to display graphical information for a graphical user interface (GUI) on an external input/output device, such as display 680 coupled to high speed interface 640 .
- multiple processors and/or multiple buses may be used, as appropriate, along with multiple memories and types of memory.
- multiple computing devices 600 may be connected, with each device providing portions of the necessary operations (e.g., as a server bank, a group of blade servers, or a multi-processor system).
- the memory 620 stores information non-transitorily within the computing device 600 .
- the memory 620 may be a computer-readable medium, a volatile memory unit(s), or non-volatile memory unit(s).
- the non-transitory memory 620 may be physical devices used to store programs (e.g., sequences of instructions) or data (e.g., program state information) on a temporary or permanent basis for use by the computing device 600 .
- non-volatile memory examples include, but are not limited to, flash memory and read-only memory (ROM)/programmable read-only memory (PROM)/erasable programmable read-only memory (EPROM)/electronically erasable programmable read-only memory (EEPROM) (e.g., typically used for firmware, such as boot programs).
- volatile memory examples include, but are not limited to, random access memory (RAM), dynamic random access memory (DRAM), static random access memory (SRAM), phase change memory (PCM) as well as disks or tapes.
- the storage device 630 is capable of providing mass storage for the computing device 600 .
- the storage device 630 is a computer-readable medium.
- the storage device 630 may be a floppy disk device, a hard disk device, an optical disk device, or a tape device, a flash memory or other similar solid state memory device, or an array of devices, including devices in a storage area network or other configurations.
- a computer program product is tangibly embodied in an information carrier.
- the computer program product contains instructions that, when executed, perform one or more methods, such as those described above.
- the information carrier is a computer- or machine-readable medium, such as the memory 620 , the storage device 630 , or memory on processor 610 .
- the high speed controller 640 manages bandwidth-intensive operations for the computing device 600 , while the low speed controller 660 manages lower bandwidth-intensive operations. Such allocation of duties is exemplary only.
- the high-speed controller 640 is coupled to the memory 620 , the display 680 (e.g., through a graphics processor or accelerator), and to the high-speed expansion ports 650 , which may accept various expansion cards (not shown).
- the low-speed controller 660 is coupled to the storage device 630 and a low-speed expansion port 690 .
- the low-speed expansion port 690 , which may include various communication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet), may be coupled to one or more input/output devices, such as a keyboard, a pointing device, a scanner, or a networking device such as a switch or router, e.g., through a network adapter.
- the computing device 600 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a standard server 600 a or multiple times in a group of such servers 600 a , as a laptop computer 600 b , or as part of a rack server system 600 c.
- implementations of the systems and techniques described herein can be realized in digital electronic and/or optical circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof.
- These various implementations can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
- a software application may refer to computer software that causes a computing device to perform a task.
- a software application may be referred to as an “application,” an “app,” or a “program.”
- Example applications include, but are not limited to, system diagnostic applications, system management applications, system maintenance applications, word processing applications, spreadsheet applications, messaging applications, media streaming applications, social networking applications, and gaming applications.
- the processes and logic flows described in this specification can be performed by one or more programmable processors, also referred to as data processing hardware, executing one or more computer programs to perform functions by operating on input data and generating output.
- the processes and logic flows can also be performed by special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit).
- processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer.
- a processor will receive instructions and data from a read only memory or a random access memory or both.
- the essential elements of a computer are a processor for performing instructions and one or more memory devices for storing instructions and data.
- a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto optical disks, or optical disks.
- a computer need not have such devices.
- Computer readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto optical disks; and CD ROM and DVD-ROM disks.
- the processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
- one or more aspects of the disclosure can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube), LCD (liquid crystal display) monitor, or touch screen for displaying information to the user and optionally a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer.
- Other kinds of devices can be used to provide interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Mining & Analysis (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method of network reachability impact analysis includes receiving a plurality of network configuration snapshots for a network. The method also includes selecting a first network configuration snapshot of the network and a second network configuration snapshot of the network. The method further includes generating a first reachability graph representing packet reachability of the network for the first network configuration snapshot. The method also includes generating a second reachability graph representing packet reachability of the network for the second network configuration snapshot. The method also includes computing a reachability differentiation graph identifying a net change to reachability from the first reachability graph to the second reachability graph. The method further includes generating a reachability differentiation report including a human-interpretable output of the net change to reachability.
Description
- This disclosure relates to reachability impact analysis of a cloud network.
- A virtual private cloud (VPC) is an on-demand configurable pool of shared computing resources allocated within a public cloud environment. The VPC provides isolation for a user from other cloud users. The VPC may execute one or more virtual machines (VMs) which may communicate with the user's on-premises network or other remote resources via a virtual private network (VPN). Due to the potential scale and complexity of the VPC, which may include any number of VMs, network gateways, load balancers, etc., significant network configuration is often necessary to operate and maintain the VPC.
- One aspect of the disclosure provides a method of network reachability impact analysis. The method includes receiving, at data processing hardware, a plurality of network configuration snapshots for a network. The method also includes selecting, by the data processing hardware, a first network configuration snapshot of the network and a second network configuration snapshot of the network. The method further includes generating, by the data processing hardware, a first reachability graph representing packet reachability of the network for the first network configuration snapshot. The method also includes generating, by the data processing hardware, a second reachability graph representing packet reachability of the network for the second network configuration snapshot. The method also includes computing, by the data processing hardware, a reachability differentiation graph identifying a net change to reachability from the first reachability graph to the second reachability graph. The method further includes generating, by the data processing hardware, a reachability differentiation report including a human-interpretable output of the net change to reachability.
- Implementations of the disclosure may include one or more of the following optional features. In some implementations, generating the reachability differentiation report further includes translating, by the data processing hardware, the reachability differentiation graph from a computer-interpretable format to the human-interpretable output. In some examples, each of the plurality of network configuration snapshots includes a data plane model protocol taken at a respective time instance. Here, selecting the first network configuration snapshot and the second network configuration snapshot may include comparing, by the data processing hardware, the data plane model protocols of consecutive network configuration snapshots. Optionally, selecting the first network configuration snapshot and the second network configuration snapshot includes, when a first data plane model protocol of a first one of the consecutive network configuration snapshots is different than a second data plane model protocol of a second one of the consecutive network configuration snapshots, selecting, by the data processing hardware, the first one of the consecutive network configuration snapshots as the first network configuration snapshot and the second one of the consecutive network configuration snapshots as the second network configuration snapshot.
- In some implementations, the method further includes computing, by the data processing hardware, one or more packet equivalence classes for the first network configuration snapshot and the second network configuration snapshot, each of the one or more packet equivalence classes including a set of packets having the same forwarding behavior. Optionally, the method further includes assigning, by the data processing hardware, the one or more packet equivalence classes to the first reachability graph, and assigning, by the data processing hardware, the one or more packet equivalence classes to the second reachability graph. In some examples, computing the reachability differentiation graph includes identifying a net change to network equivalence classes from the first reachability graph to the second reachability graph.
- In some configurations, generating the first reachability graph and the second reachability graph includes generating, by the data processing hardware, a directed graph including two or more nodes and one or more edges connecting each of the two or more nodes. Here, generating the directed graph may include associating, by the data processing hardware, each of the two or more nodes to a network endpoint and associating each of the one or more edges to a network forwarding route from one network endpoint to another network endpoint.
- Another aspect of the disclosure provides a system. The system includes data processing hardware and memory hardware in communication with the data processing hardware. The memory hardware stores instructions that when executed on the data processing hardware cause the data processing hardware to perform operations. One operation includes receiving a plurality of network configuration snapshots for a network. Another operation includes selecting a first network configuration snapshot of the network and a second network configuration snapshot of the network. The operations further include generating a first reachability graph representing packet reachability of the network for the first network configuration snapshot. Another operation includes generating a second reachability graph representing packet reachability of the network for the second network configuration snapshot. The operations further include computing a reachability differentiation graph identifying a net change to reachability from the first reachability graph to the second reachability graph, and generating a reachability differentiation report including a human-interpretable output of the net change to reachability.
- This aspect of the disclosure may include one or more of the following optional features. In some examples, generating the reachability differentiation report further includes translating the reachability differentiation graph from a computer-interpretable format to the human-interpretable output. In some examples, each of the plurality of network configuration snapshots includes a data plane model protocol taken at a respective time instance. Here, selecting the first network configuration snapshot and the second network configuration snapshot may further include comparing the data plane model protocols of consecutive network configuration snapshots. Optionally, selecting the first network configuration snapshot and the second network configuration snapshot includes, when a first data plane model protocol of a first one of the consecutive network configuration snapshots is different than a second data plane model protocol of a second one of the consecutive network configuration snapshots, selecting the first one of the consecutive network configuration snapshots as the first network configuration snapshot and the second one of the consecutive network configuration snapshots as the second network configuration snapshot.
- In some examples, the operations further include computing one or more packet equivalence classes for the first network configuration snapshot and the second network configuration snapshot, each of the one or more packet equivalence classes including a set of packets having the same forwarding behavior. Here, the operations further include assigning the one or more packet equivalence classes to the first reachability graph and assigning the one or more packet equivalence classes to the second reachability graph. Optionally, computing the reachability differentiation graph includes identifying a net change to network equivalence classes from the first reachability graph to the second reachability graph.
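The two steps that precede graph construction, selecting consecutive snapshots whose data plane model protocols differ and partitioning packets into equivalence classes of identical forwarding behaviour, as an added example that is not the patent's own code. The data plane model format (per-node route table and egress firewall rules), the node names, the 10.0.0.0/28 header space and the single firewall rule that constitutes the "change" are all constructed for the example; the real data plane model protocol 306 is not specified on the page.

```python
"""Snapshot selection and packet equivalence classes (added example)."""
import copy
import ipaddress
from itertools import product

# Constructed header space: every destination in a /28 crossed with three ports.
DST_SPACE = list(ipaddress.ip_network("10.0.0.0/28"))
PORTS = (22, 80, 443)

# Constructed data plane model for one snapshot: per node, a route table
# (prefix -> next hop, longest prefix wins) and an egress firewall
# (first matching rule wins; a port of None matches any port).
SNAPSHOT_A = {
    "gw": {
        "routes": [("10.0.0.0/28", "vm1"), ("10.0.0.8/29", "vm2")],
        "firewall": [("deny", "10.0.0.0/28", 22)],
    },
    "vm1": {"routes": [("10.0.0.0/28", "gw")], "firewall": []},
    "vm2": {"routes": [("10.0.0.0/28", "gw")], "firewall": []},
}

# A later snapshot whose only difference is one added firewall rule on vm1.
SNAPSHOT_B = copy.deepcopy(SNAPSHOT_A)
SNAPSHOT_B["vm1"]["firewall"].append(("deny", "10.0.0.8/29", 443))


def select_changed_pairs(snapshots):
    """Indices (i, i+1) of consecutive snapshots whose data plane models differ.

    Equal consecutive models are skipped, so unchanged periods produce no analysis.
    """
    return [(i, i + 1) for i in range(len(snapshots) - 1)
            if snapshots[i] != snapshots[i + 1]]


def forwarding_decision(node, dst, port):
    """Next hop chosen by `node` for a packet to (dst, port), or "DROP"."""
    for action, prefix, rule_port in node["firewall"]:
        if dst in ipaddress.ip_network(prefix) and rule_port in (None, port):
            if action == "deny":
                return "DROP"
            break  # explicit allow: fall through to routing
    best = None
    for prefix, next_hop in node["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)   # longest-prefix match
    return best[1] if best else "DROP"


def equivalence_classes(*models):
    """Group packets by their forwarding behaviour across every node of every model.

    The key is the tuple of per-node decisions; packets sharing a key form one
    equivalence class. Passing both snapshots yields classes that are valid for
    both reachability graphs, which is what a per-edge diff needs.
    """
    classes = {}
    for dst, port in product(DST_SPACE, PORTS):
        behaviour = tuple(forwarding_decision(model[name], dst, port)
                          for model in models for name in sorted(model))
        classes.setdefault(behaviour, []).append((str(dst), port))
    return classes


if __name__ == "__main__":
    print("changed snapshot pairs:", select_changed_pairs([SNAPSHOT_A, SNAPSHOT_A, SNAPSHOT_B]))
    joint = equivalence_classes(SNAPSHOT_A, SNAPSHOT_B)
    for n, (behaviour, packets) in enumerate(joint.items(), 1):
        print(f"EC{n}: {len(packets)} packets, behaviour={behaviour}")
```

With the constructed models, snapshot A alone partitions the 48 packets into three classes (port 22 dropped at the gateway, the lower /29 routed to vm1, the upper /29 routed to vm2); computing the classes jointly over A and B splits the upper /29 into port 443 traffic, which vm1 now drops, and the rest, giving four classes. Enumerating the header space is fine for a toy /28; a production analyzer would work on prefix and port ranges instead.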
- In some implementations, generating the first reachability graph and the second reachability graph includes generating a directed graph including two or more nodes and one or more edges connecting each of the two or more nodes. Here, generating the directed graph includes associating each of the two or more nodes to a network endpoint and associating each of the one or more edges to a network forwarding route from one network endpoint to another network endpoint.
- The details of one or more implementations of the disclosure are set forth in the accompanying drawings and the description below. Other aspects, features, and advantages will be apparent from the description and drawings, and from the claims.
- FIG. 1 is a schematic view of an example system for performing network reachability impact analysis.
- FIG. 2 is a schematic view of exemplary components of a virtual machine of the system of FIG. 1 .
- FIG. 3 is a schematic view of an example system for performing network reachability impact analysis.
- FIG. 4 is a schematic view of an example system for performing network reachability impact analysis.
- FIG. 5 is a flowchart of an example arrangement of operations for a method of performing cloud network reachability analysis.
- FIG. 6 is a schematic view of an example computing device that may be used to implement the systems and methods described herein.
- Like reference symbols in the various drawings indicate like elements.
- A virtual private cloud (VPC) is an on-demand configurable pool of shared computing resources allocated within a public cloud environment to provide isolation for a user from other cloud users. This isolation may occur through allocation of private Internet Protocol (IP) subnets and/or virtual communication constructs. The VPC may execute one or more virtual machines (VMs) which may communicate with the user's on-premises network or other remote resources via a virtual private network (VPN) to ensure secure access to the VPC environment. Because some VPC environments are very complex with a very large scale (i.e., include a number of VMs, network gateways, load balancers, etc.), significant network configuration is often necessary to operate and maintain the VPC.
- Implementations herein are directed toward a cloud reachability impact analyzer that allows a user to understand the impact that changes to the configuration of the network will have on packet reachability within the network. The cloud reachability impact analyzer generates directed graphs representing network reachability for two network configuration snapshots. The cloud reachability impact analyzer then performs a reachability analysis on the graphs to identify changes to reachability caused by the network configuration changes between the two network configuration snapshots. Thus, the cloud reachability impact analyzer allows the user to verify how a network configuration change will affect packet reachability relative to a previous network configuration.
- Referring to FIG. 1 , in some implementations, an example system 10 includes a user device 20 associated with a respective user 12 and in communication with a cloud network 200 via a network 30 (e.g., the Internet) and an on-premises network 40 (i.e., the local network that the user device 20 uses to connect to the network 30). The on-premises network 40 includes a network gateway 42 (e.g., a router) that serves as the forwarding host for the on-premises network 40. The user device 20 may correspond to any computing device, such as a desktop workstation, a laptop workstation, or a mobile device (e.g., a smart phone or tablet). The user device 20 includes computing resources 22 (e.g., data processing hardware) and/or storage resources 24 (e.g., memory hardware).
- The cloud network 200 may be a single computer, multiple computers, or a distributed system (e.g., a cloud environment) having scalable/elastic resources 202 including computing resources 204 (e.g., data processing hardware) and/or storage resources 206 (e.g., memory hardware). A data store (i.e., a remote storage device) may be overlain on the storage resources 206 to allow scalable use of the storage resources 206 by one or more of the client or computing resources 204. The cloud network 200 is configured to implement and execute one or more virtual machines (VMs) 250, 250 a-n. One or more of the VMs execute securely in a virtual private cloud (VPC) environment or VPC 208 associated with or operated by the user 12. The VPC 208 may include a variety of other network elements, such as load balancers, gateways, front ends, and back ends.
- In the example shown in FIG. 2 , the distributed system 200 includes a collection 210 of resources 110 (e.g., hardware resources 110 h), a virtual machine monitor (VMM) 220, a VM layer 240 executing one or more of the VMs 250, and an application layer 260. Each hardware resource 110 h may include one or more physical central processing units (pCPU) 204 (“physical processor 204”) and memory hardware 206. While each hardware resource 110 h is shown having a single physical processor 204, any hardware resource 110 h may include multiple physical processors 204. An operating system 212 may execute on the collection 210 of resources 110.
- In some examples, the VMM 220 corresponds to a hypervisor 220 (e.g., a Compute Engine) that includes at least one of software, firmware, or hardware configured to create and execute the VMs 250. A computer (i.e., data processing hardware 204) associated with the VMM 220 that executes the one or more VMs 250 may be referred to as a host machine, while each VM 250 may be referred to as a guest machine. Here, the VMM 220 or hypervisor is configured to provide each VM 250 a corresponding guest operating system (OS) 212 g having a virtual operating platform and manage execution of the corresponding guest OS 212 g on the VM 250. As used herein, each VM 250 may be referred to as an “instance” or a “VM instance”. In some examples, multiple instances of a variety of operating systems may share virtualized resources. For instance, a first VM 250 of the Linux® operating system, a second VM 250 of the Windows® operating system, and a third VM 250 of the OS X® operating system may all run on a single physical x86 machine.
- The VM layer 240 includes one or more virtual machines 250. The distributed system 200 enables the user 12 to launch VMs 250 on demand. A VM 250 emulates a real computer system and operates based on the computer architecture and functions of the real computer system or a hypothetical computer system, which may involve specialized hardware, software, or a combination thereof. In some examples, the distributed system 200 authorizes and authenticates the user 12 before launching the one or more VMs 250. An instance of software, or simply an instance, refers to a VM 250 hosted on (executing on) the data processing hardware 204 of the distributed system 200.
- Each VM 250 may include one or more virtual central processing units (vCPUs) 252 (“virtual processor”). In the example shown, a first virtual machine 250 a includes a first set 252 a of one or more virtual processors 252 and a second virtual machine 250 b includes a second set 252 b of one or more virtual processors 252. While the second set 252 b is shown as only including one virtual processor 252, any number of virtual processors 252 is possible. Each virtual processor 252 emulates one or more physical processors 204. For example, the first set 252 a of the one or more virtual processors 252 emulates a first set 204 a of one or more physical processors 204, and the second set 252 b of the one or more virtual processors 252 emulates a second set 204 b of one or more physical processors 204. The application layer 260 includes software resources 110 s, 100 sa, 110 sb (software applications) that may execute on the virtual machine(s) 250.
- Typically, each instance of software (e.g., a virtual machine 250) includes at least one virtual storage device 254 that provides volatile and non-volatile storage capacity for the service on the physical memory hardware 206. For instance, the storage capacity on the physical memory hardware 206 can include persistent disks (PD) that store data for the user 12 across several physical disks (e.g., memory regions 620 (FIG. 9 ) of the memory hardware 206 or random access memory (RAM) to provide volatile memory. More specifically, each virtual storage device 254 of a corresponding VM 250 moves data in sequences of bytes or bits (blocks) to an associated physical block storage volume V on the memory hardware 206 to provide non-volatile storage. Accordingly, a virtual storage device 254 of a corresponding VM instance 250 provides a storage capacity that maps to corresponding physical block storage volumes V on the memory hardware 206. In some examples, the virtual storage devices 254 support random access to the data on the memory hardware 206 and generally use buffered I/O. Examples include hard disks, CD-ROM drives, and flash drives. Similarly, portions of volatile memory (e.g., RAM) of physical memory hardware 206 may be divided across the virtual storage devices 254.
- Within the guest operating system 212 g resides a guest kernel 214 g. A kernel is a computer program that is the core of the operating system with full access and control over the OS. That is, the kernel is an intermediary between applications 110 s and the hardware resources 110 h of the host machine. Most modern computing systems segregate virtual memory into protected kernel space and user space 216 g. The kernel typically remains in volatile memory within the protected kernel space and is isolated from user space 216 g. To increase safety and reliability, applications 110 s and other software services typically execute in the guest user space 216 g and lack the privileges necessary to interact with the protected kernel space.
- Referring to FIGS. 1 and 3 , the cloud network 200 executes a cloud reachability impact analyzer 300 for analyzing network configuration snapshots 304, 304 a-304 n of the cloud network 200 to determine differences in packet reachability between two consecutive network configuration snapshots 304, 304 a-304 n. The cloud reachability impact analyzer 300 then generates a human-interpretable differentiation report 352 identifying the differences in packet reachability between the analyzed configuration snapshots 304 and presents the differentiation report 352 to the user 12 via the user device 20. In some examples, the analyzer 300 determines whether changes to the network 208 result in a policy violation that affects reachability, and localizes a configuration stanza responsible for the policy violation.
- The cloud reachability impact analyzer 300 continuously receives or obtains the network configuration snapshots 304, 304 a-304 n from the cloud network 200. The network configuration snapshots 304 are provided by the cloud network 200 in a format of a data plane model protocol 306 including network configuration information. Optionally, the cloud network 200 may execute a data plane modeler 302 that obtains the network configuration information from network components of the VPC 208 and includes, for example, routes between network resources (e.g., VMs, load balancers, network gateways, etc.) of the VPC 208, subnets, firewall rules, and/or ports or interfaces for directing a data packet within the VPC 208 and/or between the VPC 208 and other networks (e.g., other VPCs and/or the on-premises network 40).
- In FIG. 1 , the network configuration snapshots 304 include a first network configuration snapshot 304 a including a first data plane model protocol 306 a of the VPC 208 at a first time instance, a second network configuration snapshot 304 b including the first data plane model protocol 306 a of the VPC 208 at a second time instance immediately subsequent to the first time instance, a third network configuration snapshot 304 c including a second data plane model protocol 306 b of the VPC 208 at a third time instance immediately subsequent to the second time instance, and a plurality of subsequent configuration snapshots 304 n including data plane model protocols 306 n taken at time instances following the third time instance.
- Consecutive ones of the network configuration snapshots 304 may include the same data plane model protocol 306 when the network configuration is not changed from one time instance to the next. For example, in the illustrated example, the first
network configuration snapshot 304 a and the secondnetwork configuration snapshot 304 b include the same first dataplane model protocol 306 a associated with an unchanged network configuration at the first and second time instances. Alternatively, subsequent ones of the network configuration snapshots 304 may include different data plane model protocols 306 when the network configuration is changed between time instances. For example, inFIG. 1 , achange VPC 208 is incorporated between the secondnetwork configuration snapshot 304 b associated with the second time instance and the thirdnetwork configuration snapshot 304 c associated with the third time instance. Thus, the thirdnetwork configuration snapshot 304 c has a different dataplane model protocol 306 b than the dataplane model protocol 306 a of the immediately precedingnetwork configuration snapshot 304 b. - Examples of network changes 26 a, 26 b include a
user change 26 a implemented by theuser 12 via theuser device 20 or asystem change 26 b caused by thecloud network 200. User changes 26 a may include pending changes proposed by theuser 12 or changes that have already been deployed. System changes 26 b may include automated configuration changes incorporated by network monitoring applications and/or network state changes associated with involuntary changes in the VPC 208 (e.g., operation states down). For clarity, thechanges network configuration snapshots FIG. 1 . However, theactual changes network 208, upstream up thedata plane modeler 302. Thus, the secondnetwork configuration snapshot 304 b includes the pre-change first dataplane model protocol 306 a and the thirdnetwork configuration snapshot 304 c includes the post-change second dataplane model protocol 306 b. - As generally illustrated in
FIG. 3 , the cloud reachability impact analyzer receives thenetwork configuration snapshots plane model protocol 306 a and the post-change second dataplane model protocol 306 b and generates the human-interpretable differentiation report 352 identifying changes to forwarding behavior between the twonetwork configuration snapshots differentiation report 352 may include text describing that one of theVMs 250 has become unreachable in the thirdnetwork configuration snapshot 304 c, or that prefix 10.0.0.0/24 goes to a VPN tunnel in the secondnetwork configuration snapshot 304 b and to a subnet in the thirdnetwork configuration snapshot 304 c. - With continued reference to
FIG. 1 , the cloudreachability impact analyzer 300 includes anoptional snapshot selector 310 configured to extract consecutive network configuration snapshots 304 from thedata plane modeler 302. The cloudreachability impact analyzer 300 also includes apacket equivalence classifier 320 that computes packet equivalences for each of the selected consecutive network configuration snapshots 304. The cloudreachability impact analyzer 300 further includes agraph generator 330 that creates areachability graph graph analyzer 340 receives and compares thereachability graphs differentiation graph 342. The cloudreachability impact analyzer 300 further includes agraph interpreter 350 that evaluates thedifferentiation graph 342 and generates the human-interpretable differentiation report 352. -
- FIG. 4 shows a more detailed schematic illustrating the configuration and operation of the cloud reachability impact analyzer 300. As previously discussed, the cloud reachability impact analyzer 300 receives or obtains a continuous feed of the network configuration snapshots 304 from the cloud network 200. More specifically, when included, the snapshot selector 310 continuously receives and compares the network configuration snapshots 304 to determine when one or more changes 26 a, 26 b have occurred in the VPC 208. Thus, in the example shown, the snapshot selector 310 executes a first comparison between the first network configuration snapshot 304 a and the second network configuration snapshot 304 b and does not detect any changes 26 a, 26 b, because both snapshots 304 a, 304 b include the same first data plane model protocol 306 a. Subsequently, the snapshot selector 310 executes a second comparison between the second network configuration snapshot 304 b and the third network configuration snapshot 304 c and identifies that one or more changes 26 a, 26 b have occurred, because the second network configuration snapshot 304 b includes a different data plane model protocol 306 a than the data plane model protocol 306 b of the third network configuration snapshot 304 c. The snapshot selector 310 then selects the second network configuration snapshot 304 b immediately preceding the change and the third network configuration snapshot 304 c including the change.
- While the snapshot selector 310 may automatically select the network configuration snapshots 304, as described here, in other examples the snapshot selector 310 may receive instructions for selecting the network configuration snapshots 304 from the user device 20 or the cloud network 200 in conjunction with one of the changes 26 a, 26 b. For example, the user 12 or the cloud network 200 may provide instructions to the snapshot selector 310 including information identifying the consecutive network configuration snapshots 304 b, 304 c associated with the change.
- The packet equivalence classifier 320 receives the selected network configuration snapshots 304 b, 304 c from the snapshot selector 310 and computes packet equivalence classes for each of the network configuration snapshots 304 b, 304 c. A packet equivalence class is a set of packets that have the same forwarding behavior in a network configuration snapshot. In the illustrated example, six equivalence classes EC1-EC6 are computed for the network configuration snapshots 304 b, 304 c. The packet equivalence classifier 320 may compile the computed equivalence classes EC1-EC6 into a first subgroup 322 a associated with the second network configuration snapshot 304 b and a second subgroup 322 b associated with the third network configuration snapshot 304 c.
- The graph generator 330 receives the equivalence class subgroups 322 a, 322 b and generates reachability graphs 332 a, 332 b for the respective network configuration snapshots 304 b, 304 c. Each of the reachability graphs 332 a, 332 b is a directed graph in which each node 334 represents a network endpoint, such as a VM 250 or a network gateway 42, and each edge 336 represents a forwarding route from one of the nodes 334 to another one of the nodes 334. In the illustrated example, the network reachability graphs 332 a, 332 b each include a gateway node 334 a, a first VM node 334 b, and a second VM node 334 c. Each node 334 a-334 c is connected to each other node 334 a-334 c by an edge 336 a-336 f representing a forwarding route from one endpoint to another. A first edge 336 a represents a forwarding route from the gateway node 334 a to the first VM node 334 b, a second edge 336 b represents a forwarding route from the gateway node 334 a to the second VM node 334 c, a third edge 336 c represents a forwarding route from the first VM node 334 b to the gateway node 334 a, a fourth edge 336 d represents a forwarding route from the second VM node 334 c to the gateway node 334 a, a fifth edge 336 e represents a forwarding route from the first VM node 334 b to the second VM node 334 c, and a sixth edge 336 f represents a forwarding route from the second VM node 334 c to the first VM node 334 b.
- The graph generator 330 uses the reachability graphs 332 a, 332 b to model packet reachability for the network configuration snapshots 304 b, 304 c. In each reachability graph 332 a, 332 b, the graph generator 330 assigns each of the equivalence classes EC1-EC6 to the respective ones of the edges 336 a-336 f along which that equivalence class EC1-EC6 is allowed to travel. Here, the assignments are illustrated by labeling each edge 336 a-336 f with the corresponding equivalence classes EC1-EC6 that are allowed to travel along the edge 336 a-336 f.
- The reachability graphs 332 a, 332 b generated by the graph generator 330 are forwarded to the graph analyzer 340, which evaluates the reachability graphs 332 a, 332 b to determine the reachability impact of the changes 26 a, 26 b. In particular, the graph analyzer 340 compares the reachability graphs 332 a, 332 b to identify any differences in the equivalence classes EC1-EC6 assigned to each of the edges 336 a-336 f. The graph analyzer 340 models the reachability impact as a differentiation graph 342 including the same nodes 334 a-334 c and edges 336 a-336 f as the reachability graphs 332 a, 332 b. The graph analyzer 340 then computes a net change (e.g., the addition or removal of equivalence classes) for each edge 336 a-336 f to determine the impact to reachability from the second network configuration snapshot 304 b to the third network configuration snapshot 304 c.
- In the illustrated example, the differentiation graph 342 shows that reachability along the first and second edges 336 a, 336 b from the gateway node 334 a to each of the VM nodes 334 b, 334 c is unchanged between the first reachability graph 332 a and the second reachability graph 332 b. However, the differentiation graph 342 shows that the remaining edges 336 c-336 f each include changes corresponding to added or removed allowances of equivalence classes EC1-EC6. Particularly, the fourth equivalence class EC4 is added (+EC4) to the third edge 336 c and removed (−EC4) from the fifth edge 336 e, representing that the fourth equivalence class EC4 can now travel to (i.e., reach) the gateway node 334 a from the first VM node 334 b, but can no longer travel to (i.e., reach) the second VM node 334 c from the first VM node 334 b. Additionally, the second equivalence class EC2 is added (+EC2) to the sixth edge 336 f and removed (−EC2) from the fourth edge 336 d, representing that the second equivalence class EC2 is now allowed to travel to (i.e., reach) the first VM node 334 b from the second VM node 334 c, but can no longer travel to (i.e., reach) the gateway node 334 a from the second VM node 334 c.
- In some examples, the graph interpreter 350 receives the differentiation graph 342 from the graph analyzer 340 and translates the graphical representation of the reachability changes +/−EC2, +/−EC4 into the human-interpretable differentiation report 352. For example, the graph interpreter 350 translates the reachability changes +/−EC2, +/−EC4 of the directed graph into a text-based differentiation report 352 identifying the impact of the changes 26 a, 26 b on reachability. In some examples, the graph interpreter 350 analyzes the reachability changes +/−EC2, +/−EC4 relative to one or more network intentions identified by the user 12. Here, the graph interpreter 350 may highlight or identify the specific reachability changes +/−EC2, +/−EC4 that will impact the user's intention for the network.
- Using the differentiation report 352, a network user 12 can determine whether the changes 26 a, 26 b to the VPC 208 should be implemented. Where the impact on reachability is unintended and/or unacceptable, the user 12 may decline the changes 26 a, 26 b. In some examples, the cloud reachability impact analyzer 300 may be implemented in conjunction with a network change simulator to model and analyze the reachability impact prior to the change being deployed to the production VPC 208.
- FIG. 5 is a flowchart of an exemplary arrangement of operations for a method 500 of performing cloud network reachability impact analysis. The method 500 includes, at operation 502, receiving, at data processing hardware 202, a plurality of network configuration snapshots 304, 304 a-304 n for a network 208. Optionally, the network configuration snapshots 304, 304 a-304 n include data plane model protocols 306, 306 a-306 n. At operation 504, the method 500 includes selecting a first network configuration snapshot 304 b and a second network configuration snapshot 304 c of the network 208. The method 500 may also include computing, at operation 506, packet equivalence classes for each of the first network configuration snapshot 304 b and the second network configuration snapshot 304 c. The method 500 also includes, at operation 508, generating a first reachability graph 332 a representing packet reachability of the network 208 for the first network configuration snapshot 304 b. At operation 510, the method 500 includes generating a second reachability graph 332 b representing packet reachability of the network 208 for the second network configuration snapshot 304 c. The method 500 also includes, at operation 512, computing a reachability differentiation graph 342 that identifies the net change to reachability from the first reachability graph 332 a to the second reachability graph 332 b. At operation 514, the method 500 includes generating a differentiation report 352 including human-interpretable output representing the net change to reachability.
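Operations 504 through 514 as one end-to-end added example on constructed data (not code from the patent or its assignee). It models the header space as (destination address, destination port), computes the packet equivalence classes as a single partition of that space over both snapshots, so that an EC name denotes the same packet set in both reachability graphs (the figures' shared labels EC1-EC6 presuppose exactly this), labels each edge (u, v) with the classes node u forwards to v, computes the differentiation graph as the classes added to and removed from each edge, and renders a report that names the rule now deciding each changed class at its source node and flags removals on edges the user intends to keep. Node names, the rule format, first-match semantics with default drop, and the intent format are assumptions made here.

```python
"""Added example (constructed data, not the patent's code): a minimal reachability
impact analyzer over two data-plane snapshots. Header space = (dst address, dst port);
each node holds an ordered rule list, first match wins ("fwd:<node>"/"drop"), else drop."""
import ipaddress
from itertools import product

NODES = ("gateway", "vm1", "vm2")  # fixed order keeps signatures comparable

def _span(prefix):
    """Half-open [lo, hi) integer range covered by a CIDR prefix."""
    net = ipaddress.ip_network(prefix)
    return int(net.network_address), int(net.broadcast_address) + 1

def _atoms(points, upper):
    """Cut [0, upper) at every rule boundary so that no atom straddles a rule."""
    pts = sorted(set(points) | {0, upper})
    return list(zip(pts, pts[1:]))

def _lookup(rules, ip, port):
    """First-match semantics; returns (action, rule id), default ("drop", None)."""
    for r in rules:
        lo, hi = _span(r["dst"])
        if lo <= ip < hi and r["ports"][0] <= port <= r["ports"][1]:
            return r["action"], r["id"]
    return "drop", None

def equivalence_classes(pre, post):
    """Partition header space jointly over BOTH snapshots so an EC name denotes the
    same packets in both graphs. Returns {ec: (atoms, {snap: {node: (action, rule)}})}."""
    ip_pts, port_pts = [], []
    for rules in list(pre.values()) + list(post.values()):
        for r in rules:
            ip_pts += _span(r["dst"])
            port_pts += [r["ports"][0], r["ports"][1] + 1]
    groups, where = {}, {}
    for atom in product(_atoms(ip_pts, 1 << 32), _atoms(port_pts, 1 << 16)):
        (ilo, _), (plo, _) = atom  # any point of an atom is representative
        hits = tuple(tuple(_lookup(s.get(n, []), ilo, plo) for n in NODES) for s in (pre, post))
        sig = tuple(tuple(a for a, _ in snap) for snap in hits)  # actions only
        groups.setdefault(sig, []).append(atom)
        where.setdefault(sig, hits)  # rules behind the class, used to localise a change
    return {f"EC{i}": (atoms, {"pre": dict(zip(NODES, where[sig][0])),
                               "post": dict(zip(NODES, where[sig][1]))})
            for i, (sig, atoms) in enumerate(sorted(groups.items(), key=lambda kv: kv[1][0]), 1)}

def reachability_graph(ecs, snap):
    """Directed graph: edge (u, v) carries every EC that u forwards to v in `snap`."""
    edges = {}
    for ec, (_, sig) in ecs.items():
        for u, (action, _) in sig[snap].items():
            if action.startswith("fwd:"):
                edges.setdefault((u, action[4:]), set()).add(ec)
    return edges

def differentiation_graph(g_pre, g_post):
    """Net change per edge as (ECs added, ECs removed); unchanged edges are omitted."""
    diff = {}
    for edge in set(g_pre) | set(g_post):
        before, after = g_pre.get(edge, set()), g_post.get(edge, set())
        if before != after:
            diff[edge] = (after - before, before - after)
    return diff

def describe(atoms):
    return "; ".join(f"dst {ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi - 1)} "
                     f"ports {plo}-{phi - 1}" for (lo, hi), (plo, phi) in atoms)

def report(ecs, diff, must_keep=()):
    """Human-readable lines; a removal on an edge in must_keep (a user intent) is flagged."""
    lines = []
    for (u, v), (added, removed) in sorted(diff.items()):
        for ec in sorted(added):
            rule = ecs[ec][1]["post"][u][1]
            lines.append(f"{ec} ({describe(ecs[ec][0])}): {u} -> {v} now reachable via rule {rule}")
        for ec in sorted(removed):
            action, rule = ecs[ec][1]["post"][u]  # the stanza now deciding this class at u
            flag = " [INTENT VIOLATED]" if (u, v) in must_keep else ""
            lines.append(f"{ec} ({describe(ecs[ec][0])}): {u} -> {v} no longer reachable; "
                         f"{u} now {action} by rule {rule}{flag}")
    return lines

def run_example():
    """Constructed snapshots 304b/304c: the post snapshot inserts a port-22 deny."""
    any_port = (0, 65535)
    pre = {
        "gateway": [{"id": "r1", "dst": "10.0.0.0/24", "ports": any_port, "action": "fwd:vm1"},
                    {"id": "r2", "dst": "10.0.1.0/24", "ports": any_port, "action": "fwd:vm2"}],
        "vm1": [{"id": "r3", "dst": "10.0.1.0/24", "ports": any_port, "action": "fwd:vm2"},
                {"id": "r4", "dst": "0.0.0.0/0", "ports": any_port, "action": "fwd:gateway"}],
        "vm2": [{"id": "r5", "dst": "0.0.0.0/0", "ports": any_port, "action": "fwd:gateway"}],
    }
    deny_ssh = {"id": "r6", "dst": "10.0.1.0/24", "ports": (22, 22), "action": "drop"}
    post = {**pre, "gateway": [pre["gateway"][0], deny_ssh, pre["gateway"][1]]}
    ecs = equivalence_classes(pre, post)
    diff = differentiation_graph(reachability_graph(ecs, "pre"), reachability_graph(ecs, "post"))
    return ecs, diff, report(ecs, diff, must_keep={("gateway", "vm2")})

if __name__ == "__main__":
    print("\n".join(run_example()[2]))
```

The joint partition is built by cutting the address and port axes at every rule boundary and taking the cross product, which is fine for a handful of rules but grows quickly; production analyzers represent packet sets symbolically (for example as BDDs) for that reason. The rule recorded per class is the one matching a representative packet of the class in the post-change snapshot, which is what the report uses to localize the stanza responsible for a removal.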
- FIG. 6 is a schematic view of an example computing device 600 that may be used to implement the systems and methods described in this document. The computing device 600 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The components shown here, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed in this document.
- The computing device 600 includes a processor 610, memory 620, a storage device 630, a high-speed interface/controller 640 connecting to the memory 620 and high-speed expansion ports 650, and a low-speed interface/controller 660 connecting to a low-speed bus 670 and the storage device 630. Each of the components is interconnected using various buses. The processor 610 can process instructions for execution within the computing device 600, including instructions stored in the memory 620 or on the storage device 630 to display graphical information for a graphical user interface (GUI) on an external input/output device, such as a display 680 coupled to the high-speed interface 640. In other implementations, multiple processors and/or multiple buses may be used, as appropriate, along with multiple memories and types of memory. Also, multiple computing devices 600 may be connected, with each device providing portions of the necessary operations (e.g., as a server bank, a group of blade servers, or a multi-processor system).
- The memory 620 stores information non-transitorily within the computing device 600. The memory 620 may be a computer-readable medium, a volatile memory unit(s), or non-volatile memory unit(s). The non-transitory memory 620 may be physical devices used to store programs (e.g., sequences of instructions) or data (e.g., program state information) on a temporary or permanent basis for use by the computing device 600. Examples of non-volatile memory include, but are not limited to, flash memory and read-only memory (ROM)/programmable read-only memory (PROM)/erasable programmable read-only memory (EPROM)/electronically erasable programmable read-only memory (EEPROM) (e.g., typically used for firmware, such as boot programs). Examples of volatile memory include, but are not limited to, random access memory (RAM), dynamic random access memory (DRAM), static random access memory (SRAM), phase change memory (PCM) as well as disks or tapes.
- The storage device 630 is capable of providing mass storage for the computing device 600. In some implementations, the storage device 630 is a computer-readable medium. In various different implementations, the storage device 630 may be a floppy disk device, a hard disk device, an optical disk device, or a tape device, a flash memory or other similar solid state memory device, or an array of devices, including devices in a storage area network or other configurations. In additional implementations, a computer program product is tangibly embodied in an information carrier. The computer program product contains instructions that, when executed, perform one or more methods, such as those described above. The information carrier is a computer- or machine-readable medium, such as the memory 620, the storage device 630, or memory on the processor 610.
- The high-speed controller 640 manages bandwidth-intensive operations for the computing device 600, while the low-speed controller 660 manages lower bandwidth-intensive operations. Such allocation of duties is exemplary only. In some implementations, the high-speed controller 640 is coupled to the memory 620, the display 680 (e.g., through a graphics processor or accelerator), and to the high-speed expansion ports 650, which may accept various expansion cards (not shown). In some implementations, the low-speed controller 660 is coupled to the storage device 630 and a low-speed expansion port 690. The low-speed expansion port 690, which may include various communication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet), may be coupled to one or more input/output devices, such as a keyboard, a pointing device, a scanner, or a networking device such as a switch or router, e.g., through a network adapter.
- The computing device 600 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a standard server 600 a or multiple times in a group of such servers 600 a, as a laptop computer 600 b, or as part of a rack server system 600 c.
- Various implementations of the systems and techniques described herein can be realized in digital electronic and/or optical circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various implementations can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
- A software application (i.e., a software resource) may refer to computer software that causes a computing device to perform a task. In some examples, a software application may be referred to as an “application,” an “app,” or a “program.” Example applications include, but are not limited to, system diagnostic applications, system management applications, system maintenance applications, word processing applications, spreadsheet applications, messaging applications, media streaming applications, social networking applications, and gaming applications.
- These computer programs (also known as programs, software, software applications or code) include machine instructions for a programmable processor, and can be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms “machine-readable medium” and “computer-readable medium” refer to any computer program product, non-transitory computer readable medium, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor.
- The processes and logic flows described in this specification can be performed by one or more programmable processors, also referred to as data processing hardware, executing one or more computer programs to perform functions by operating on input data and generating output. The processes and logic flows can also be performed by special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit). Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read only memory or a random access memory or both. The essential elements of a computer are a processor for performing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto optical disks, or optical disks. However, a computer need not have such devices. Computer readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto optical disks; and CD ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
- To provide for interaction with a user, one or more aspects of the disclosure can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube), LCD (liquid crystal display) monitor, or touch screen for displaying information to the user and optionally a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer. Other kinds of devices can be used to provide interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, a computer can interact with a user by sending documents to and receiving documents from a device that is used by the user; for example, by sending web pages to a web browser on a user's client device in response to requests received from the web browser.
- A number of implementations have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the disclosure. Accordingly, other implementations are within the scope of the following claims.
Claims (20)
1. A method of network reachability impact analysis, the method comprising:
receiving, at data processing hardware, a stream of consecutive network configuration snapshots for a network;
determining whether a first data plane model protocol of a first network configuration snapshot of the network is the same as a second data plane model protocol of a second network configuration snapshot, the second network configuration snapshot of the network consecutive with the first network configuration snapshot;
when the first data plane model protocol and the second data plane model protocol are the same, determining whether the second data plane model protocol of the second network configuration snapshot of the network is the same as a third data plane model protocol of a third network configuration snapshot, the third network configuration snapshot of the network consecutive with the second network configuration snapshot;
when the first data plane model protocol and the second data plane model protocol are not the same:
selecting, by the data processing hardware, the first network configuration snapshot of the network and the second network configuration snapshot of the network;
generating, by the data processing hardware, a first reachability graph representing packet reachability of the network for the first network configuration snapshot;
generating, by the data processing hardware, a second reachability graph representing packet reachability of the network for the second network configuration snapshot;
computing, by the data processing hardware, a reachability differentiation graph identifying a net change to reachability from the first reachability graph to the second reachability graph; and
generating, by the data processing hardware, a reachability differentiation report including a human-interpretable output of the net change to reachability.
2. The method of claim 1, wherein generating the reachability differentiation report further comprises translating, by the data processing hardware, the reachability differentiation graph from a computer-interpretable format to the human-interpretable output.
3. The method of claim 1, wherein each network configuration snapshot of the stream of consecutive network configuration snapshots includes a data plane model protocol taken at a respective time instance.
4. (canceled)
5. The method of claim 1, wherein, when the first data plane model protocol and the second data plane model protocol are the same, the network is unchanged between the first network configuration snapshot and the second network configuration snapshot.
6. The method of claim 1, further comprising computing, by the data processing hardware, one or more packet equivalence classes for the first network configuration snapshot and the second network configuration snapshot, each of the one or more packet equivalence classes including a set of packets having the same forwarding behavior.
7. The method of claim 6, further comprising:
assigning, by the data processing hardware, the one or more packet equivalence classes to the first reachability graph; and
assigning, by the data processing hardware, the one or more packet equivalence classes to the second reachability graph.
8. The method of claim 7, wherein computing the reachability differentiation graph includes identifying a net change to network equivalence classes from the first reachability graph to the second reachability graph.
9. The method of claim 1, wherein generating the first reachability graph and the second reachability graph includes generating, by the data processing hardware, a directed graph including two or more nodes and one or more edges connecting each of the two or more nodes.
10. The method of claim 9, wherein generating the directed graph includes associating, by the data processing hardware, each of the two or more nodes to a network endpoint and associating each of the one or more edges to a network forwarding route from one network endpoint to another network endpoint.
11. A system comprising:
data processing hardware; and
memory hardware in communication with the data processing hardware, the memory hardware storing instructions that when executed on the data processing hardware cause the data processing hardware to perform operations comprising:
receiving a stream of consecutive network configuration snapshots for a network;
determining whether a first data plane model protocol of a first network configuration snapshot of the network is the same as a second data plane model protocol of a second network configuration snapshot, the second network configuration snapshot of the network consecutive with the first network configuration snapshot;
when the first data plane model protocol and the second data plane model protocol are the same, determining whether the second data plane model protocol of the second network configuration snapshot of the network is the same as a third data plane model protocol of a third network configuration snapshot, the third network configuration snapshot of the network consecutive with the second network configuration snapshot;
when the first data plane model protocol and the second data plane model protocol are not the same:
selecting a first network configuration snapshot of the network and a second network configuration snapshot of the network;
generating a first reachability graph representing packet reachability of the network for the first network configuration snapshot;
generating a second reachability graph representing packet reachability of the network for the second network configuration snapshot;
computing a reachability differentiation graph identifying a net change to reachability from the first reachability graph to the second reachability graph; and
generating a reachability differentiation report including a human-interpretable output of the net change to reachability.
12. The system of claim 11, wherein generating the reachability differentiation report further comprises translating the reachability differentiation graph from a computer-interpretable format to the human-interpretable output.
13. The system of claim 11, wherein each network configuration snapshot of the stream of consecutive network configuration snapshots includes a data plane model protocol taken at a respective time instance.
14. (canceled)
15. The system of claim 11, wherein when the first data plane model protocol and the second data plane model protocol are the same, the network is unchanged between the first network configuration snapshot and the second network configuration snapshot.
16. The system of claim 11, wherein the operations further comprise computing one or more packet equivalence classes for the first network configuration snapshot and the second network configuration snapshot, each of the one or more packet equivalence classes including a set of packets having the same forwarding behavior.
17. The system of claim 16, wherein the operations further comprise:
assigning the one or more packet equivalence classes to the first reachability graph; and
assigning the one or more packet equivalence classes to the second reachability graph.
18. The system of claim 17, wherein computing the reachability differentiation graph comprises identifying a net change to network equivalence classes from the first reachability graph to the second reachability graph.
19. The system of claim 11, wherein generating the first reachability graph and the second reachability graph includes generating a directed graph including two or more nodes and one or more edges connecting each of the two or more nodes.
20. The system of claim 19, wherein generating the directed graph includes associating each of the two or more nodes to a network endpoint and associating each of the one or more edges to a network forwarding route from one network endpoint to another network endpoint.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/117,376 US11381460B1 (en) | 2020-12-10 | 2020-12-10 | Network reachability impact analysis |
EP21839298.3A EP4260531A1 (en) | 2020-12-10 | 2021-12-10 | Network reachability impact analysis |
PCT/US2021/062818 WO2022125905A1 (en) | 2020-12-10 | 2021-12-10 | Network reachability impact analysis |
US17/804,389 US12009985B2 (en) | 2020-12-10 | 2022-05-27 | Network reachability impact analysis |
US18/660,306 US20240291720A1 (en) | 2020-12-10 | 2024-05-10 | Network Reachability Impact Analysis |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/117,376 US11381460B1 (en) | 2020-12-10 | 2020-12-10 | Network reachability impact analysis |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/804,389 Continuation US12009985B2 (en) | 2020-12-10 | 2022-05-27 | Network reachability impact analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
US20220191102A1 true US20220191102A1 (en) | 2022-06-16 |
US11381460B1 US11381460B1 (en) | 2022-07-05 |
Family
ID=79269703
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/117,376 Active US11381460B1 (en) | 2020-12-10 | 2020-12-10 | Network reachability impact analysis |
US17/804,389 Active US12009985B2 (en) | 2020-12-10 | 2022-05-27 | Network reachability impact analysis |
US18/660,306 Pending US20240291720A1 (en) | 2020-12-10 | 2024-05-10 | Network Reachability Impact Analysis |
Family Applications After (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/804,389 Active US12009985B2 (en) | 2020-12-10 | 2022-05-27 | Network reachability impact analysis |
US18/660,306 Pending US20240291720A1 (en) | 2020-12-10 | 2024-05-10 | Network Reachability Impact Analysis |
Country Status (3)
Country | Link |
---|---|
US (3) | US11381460B1 (en) |
EP (1) | EP4260531A1 (en) |
WO (1) | WO2022125905A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230125189A1 (en) * | 2021-10-14 | 2023-04-27 | Zhejiang University | Network reachability solving algorithm based on formal verification |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20240089184A1 (en) * | 2022-09-08 | 2024-03-14 | Vmware, Inc. | Distributed network verification |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7653712B1 (en) * | 2004-09-30 | 2010-01-26 | Emc Corporation | Methods and apparatus for processing configuration data |
GB2432992B (en) * | 2005-11-18 | 2008-09-10 | Cramer Systems Ltd | Network planning |
US7933981B1 (en) * | 2006-06-21 | 2011-04-26 | Vmware, Inc. | Method and apparatus for graphical representation of elements in a network |
US8195876B2 (en) * | 2007-12-20 | 2012-06-05 | International Business Machines Corporation | Adaptation of contentious storage virtualization configurations |
US8156421B2 (en) * | 2008-06-30 | 2012-04-10 | Yahoo! Inc. | Analysis of database performance reports for graphical presentation of summary results |
CN101788991B (en) * | 2009-06-23 | 2013-03-06 | 北京搜狗科技发展有限公司 | Updating reminding method and system |
US9032518B2 (en) * | 2011-10-17 | 2015-05-12 | New Mexico Technical Research Foundation | Internet monitoring and alerting system |
US9117073B1 (en) * | 2013-02-08 | 2015-08-25 | Mantech Advanced Systems International, Inc. | Secure, controlled, and autonomous network path generation |
US9450817B1 (en) * | 2013-03-15 | 2016-09-20 | Juniper Networks, Inc. | Software defined network controller |
US9590854B1 (en) * | 2014-06-25 | 2017-03-07 | Amazon Technologies, Inc. | Automated network security |
AU2015296248B2 (en) * | 2014-07-30 | 2018-01-18 | Forward Networks, Inc. | Systems and methods for network management |
US10536357B2 (en) * | 2015-06-05 | 2020-01-14 | Cisco Technology, Inc. | Late data detection in data center |
US9830345B1 (en) * | 2016-09-26 | 2017-11-28 | Semmle Limited | Content-addressable data storage |
US12058015B2 (en) * | 2016-10-21 | 2024-08-06 | Forward Networks, Inc. | Systems and methods for an interactive network analysis platform |
US10423647B2 (en) * | 2016-12-21 | 2019-09-24 | Ca, Inc. | Descriptive datacenter state comparison |
US10439889B2 (en) * | 2017-05-16 | 2019-10-08 | Microsoft Technology Licensing, Llc | High fidelity network emulation |
US10305776B2 (en) * | 2017-05-31 | 2019-05-28 | Fujitsu Limited | Network verification |
US10778545B2 (en) * | 2018-07-19 | 2020-09-15 | Futurewei Technologies, Inc. | Network verification system |
US10990385B1 (en) * | 2018-12-12 | 2021-04-27 | Amazon Technologies, Inc. | Streaming configuration management |
US10797952B1 (en) * | 2019-07-16 | 2020-10-06 | Hewlett Packard Enterprise Development Lp | Intelligent rollback analysis of configuration changes |
2020
- 2020-12-10 US US17/117,376 patent/US11381460B1/en active Active
2021
- 2021-12-10 WO PCT/US2021/062818 patent/WO2022125905A1/en active Application Filing
- 2021-12-10 EP EP21839298.3A patent/EP4260531A1/en active Pending
2022
- 2022-05-27 US US17/804,389 patent/US12009985B2/en active Active
2024
- 2024-05-10 US US18/660,306 patent/US20240291720A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
US20220294699A1 (en) | 2022-09-15 |
US11381460B1 (en) | 2022-07-05 |
US20240291720A1 (en) | 2024-08-29 |
EP4260531A1 (en) | 2023-10-18 |
US12009985B2 (en) | 2024-06-11 |
WO2022125905A1 (en) | 2022-06-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11968110B2 (en) | | Cloud network reachability analysis for virtual private clouds |
US9602334B2 (en) | | Independent network interfaces for virtual network environments |
US11765044B2 (en) | | Change impact simulation analysis |
US20240291720A1 (en) | | Network Reachability Impact Analysis |
EP2823397B1 (en) | | Multitenant access to multiple desktops on host machine partitions in a service provider network |
US10263856B2 (en) | | Dynamic highlight |
US20180287885A1 (en) | | GUI for analysis of logical network modifications |
US20120311120A1 (en) | | Multi-Tenant Information Processing System, Management Server, and Configuration Management Method |
US10686685B2 (en) | | Suspending and resuming virtual machines in a network |
US10419396B2 (en) | | Deep packet inspection with enhanced data packet analyzers |
US20220383187A1 (en) | | System and method for detecting non-compliances based on semi-supervised machine learning |
KR102717590B1 (en) | | Cloud Network Reachability Analysis |
KR20240150537A (en) | | Cloud network reachability analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: GOOGLE LLC, CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YANG, HONGKUN;LIU, HUI;ADHAV, GARGI;AND OTHERS;REEL/FRAME:054675/0231. Effective date: 20201210 |
| FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |