WO2021107768A1 - Segmentation system and method for virtualized environment - Google Patents


Info

Publication number
WO2021107768A1
Authority
WO
WIPO (PCT)
Prior art keywords
segmentation
module
groups
eco
group
Application number
PCT/MY2020/050135
Other languages
French (fr)
Inventor
Shahrol Hisham BAHAROM
Sharipah Setapa
Hong Hoe ONG
Jing Yuan Luke
Original Assignee
Mimos Berhad

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5061 Partitioning or combining of resources
    • G06F9/5077 Logical partitioning of resources; Management or configuration of virtualized resources
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Definitions

  • FIG. 3 is a schematic diagram of a conventional virtual gateway that is utilized to connect different networks and segmentations.
  • FIG. 4 is a schematic diagram of various groups created inside the virtualized environment, according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of multiple virtual routers and a primary virtual router created inside the virtualized environment, according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of the ‘segmentwall’ and ‘subsegmentwall’ policy inside segmentation, according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of congestion handling inside a particular group of segmentation, according to an embodiment of the present invention.
  • FIG. 8 depicts an exemplary flowchart illustrating a segmentation method to establish various segmentation functionalities in a virtualized environment, according to an embodiment of the present invention.
  • FIG. 9 depicts an exemplary flowchart illustrating a method of identifying the eco-structure of the virtualized environment, according to an embodiment of the present invention.
  • FIG. 10 depicts an exemplary flowchart illustrating a method of establishing and providing a suitable eco-structure to suit the segmentation, according to an embodiment of the present invention.
  • FIG. 11 depicts an exemplary flowchart illustrating a method of creating a context and interacting with selected resources or devices, according to an embodiment of the present invention.
  • FIG. 12 depicts an exemplary flowchart illustrating a method of testing context provision and interaction, according to an embodiment of the present invention.
  • FIG. 13 depicts an exemplary flowchart illustrating a method of establishing independent segmentation in a virtualized environment, according to an embodiment of the present invention.
  • Like reference numerals have been used, where possible, to designate like elements common to the figures.
  • The word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must).
  • The words “include”, “including”, and “includes” mean including but not limited to.
  • Each of the expressions “at least one of A, B and C”, “at least one of A, B, or C”, “one or more of A, B, and C”, “one or more of A, B, or C” and “A, B, and/or C” means A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together.
  • “Automated” refers to any process or operation done without material human input when the process or operation is performed. However, a process or operation can be automatic, even though performance of the process or operation uses material or immaterial human input, if the input is received before performance of the process or operation. Human input is deemed to be material if such input influences how the process or operation will be performed. Human input that consents to the performance of the process or operation is not deemed to be “material”.
  • FIG. 1 illustrates an exemplary network environment (100) where various embodiments of the present invention may be implemented.
  • The network environment (100) includes a segmentation system (102) connected to various client systems 104A, 104B, ... 104N (hereinafter referred to as 104) via a network (106).
  • The network (106) may include, but is not restricted to, a communication network such as the Internet, PSTN, Local Area Network (LAN), Wide Area Network (WAN), Metropolitan Area Network (MAN), and so forth.
  • The network (106) can be a data network such as the Internet.
  • The client systems (104) may belong to various enterprises and may be hardware and/or software (for example, threads, processes, computing devices). Further, the client systems (104) are configured to exchange data among themselves using the segmentation system (102).
  • The messages exchanged between the segmentation system (102) and the client systems (104) can comprise any suitable message format and protocol capable of communicating the information necessary for the segmentation system (102) to establish segmentation functionality in the virtualized environment.
  • The client systems (104) may utilize the segmentation system (102) to receive segmentation functionality in the virtualized environment.
  • The segmentation system (102) may be a computing device.
  • The segmentation system (102) includes a processor (110) and a memory (112).
  • In an embodiment, the processor (110) includes a single processor and resides in the segmentation system (102).
  • In another embodiment, the processor (110) may include multiple sub-processors.
  • The memory (112) may comprise suitable logic, circuitry, and/or interfaces that may be operable to store machine-readable code and/or a computer program with at least one code section executable by the processor (110).
  • The memory (112) includes one or more instructions that may be executed by the processor (110) to identify the eco-structure of a virtualized environment and divide the eco-structure into a plurality of groups, establish functions for each of the plurality of groups in the eco-structure, test the functionality and data of each of the plurality of groups, and establish segmentation for the plurality of groups in the virtualized environment.
  • The memory (112) includes the modules (114), a database (116), and other data (not shown in the figure).
  • The other data may include various data generated during testing of the various groups in the segmentation functionality in the virtualized environment.
  • In an embodiment, the database (116) is stored inside the segmentation system (102).
  • In another embodiment, the database (116) may be stored outside of the segmentation system (102), and may be accessed via the network (106).
  • The memory (112) of the segmentation system (102) is coupled to the processor (110).
  • The modules (114) include a group module (202), a function module (204), a match module (206), a test module (208), and a segmentation module (210).
  • The modules (114) are instructions stored in the memory and may establish segmentation functionality in the virtualized environment.
  • The group module (202) is configured to identify the eco-structure of a virtualized environment of enterprise-level networks, and further divide the eco-structure into various groups.
  • The group module (202) may gather the eco-structure of the enterprise-level network to identify the eco-structure of the virtualized environment. Further, the group module (202) is configured to divide the eco-structure into group, tenants, data functionality, secrecy, and sub eco-structure details.
  • The groups created by the group module (202) may include ‘tenant-finance’, ‘tenant HRD’ (i.e., tenant human resource development), and ‘tenant lab’, as shown in FIG. 4.
  • The group module (202) is configured to check the identification of the eco-structure against predetermined criteria, for example, capability, resources, and functionality. Further, the group module (202) is configured to revise the eco-structure of the virtualized environment in case the identification does not satisfy the predetermined criteria of capability, resources, and functionality. In an embodiment, the eco-structure is revised if there is a need to update it with new virtual devices. In such cases, the group module (202) is configured to update the eco-structure with new virtual devices (for example, virtual routers). As shown in FIG. 4, the group module (202) may create an individual virtual router for each of the groups created, i.e., ‘tenant-finance’, ‘tenant HRD’, and ‘tenant lab’.
  • The group module (202) is configured to simulate the eco-structure to make sure it works when it is divided into the various groups.
  • The function module (204) is configured to establish suitable functions for the various groups in the eco-structure.
  • The function module (204) is configured to check which group belongs to which data. Further, the function module (204) is configured to select and expand the respective group.
  • The functionality of each group, tenant, and functionality with data may be selected in detail by the function module (204).
  • The function module (204) may enable an administrator of the virtualized environment to select the details of each group, tenant, and functionality.
  • The function module (204) is further configured to determine which group needs to be updated.
  • The function module (204) is configured to check the potential of each group that can be expanded.
  • The function module (204) may check the potential for expansion of each group, including tenant-finance, tenant HRD, tenant lab, and other groups.
  • The tenant-finance group is connected to critical resources like the file server, application server, and database server by a secure channel.
  • The tenant HRD group is connected to critical resources like the file server, application server, and database server by a semi-secure channel.
  • The tenant lab group is connected to critical resources like the file server, application server, and database server by a non-secure channel.
  • The type of channel is therefore one of secure, semi-secure, or non-secure.
  • The function module (204) is configured to stabilize the eco-structure.
  • The match module (206) is configured to determine which group belongs to which data. For example, the match module (206) may determine the data corresponding to the different groups, i.e., tenant-finance, tenant HRD, and tenant lab. Further, the match module (206) is configured to select and expand the respective group. In an embodiment, the functionality of each group, tenant, and functionality with data may be selected in detail.
  • The match module (206) is configured to determine which group needs to be updated. In an embodiment, the potential of each group may be checked to determine which group can be expanded. Further, the match module (206) is configured to check if there is a need to update resources, department group, or data. Further, the match module (206) is configured to stabilize the eco-structure. In an embodiment, connectivity, department, and resources are stabilized. Further, the match module (206) is configured to proceed with grouping having matching functionality data.
  • The test module (208) is configured to test the context provision of each group created in the virtualized environment.
  • The context provision may include tenant-finance, tenant HRD, and tenant lab.
  • A context with resources such as tenants, grouping of tenants, and data functionality is provisioned, having already been finalized after checking the stability of the newly selected eco-structure.
  • The test module (208) is further configured to check if the provisions are working as per predetermined expectation.
  • A ‘ping command’ may be used by the test module (208) to troubleshoot when establishing the logical context.
  • The test module (208) is further configured to test the respective group functionality and data using predetermined resources like the group functionality stored in the database (116). Further, the test module (208) is configured to determine if there is a need to create a primary virtual router based on predetermined criteria. In an embodiment, the predetermined criteria may be defined by the administrator of the virtualized environment of an enterprise. In case there is a need, the test module (208) is configured to create a ‘primary virtual router’ that can interconnect the common virtual router and the multiple virtual routers inside the virtualized environment of the enterprise networks, as shown in FIG. 5. In an embodiment, the test module (208) is configured to combine the overall segmentation by creating one primary virtual router as an anchor, as shown in FIG. 5.
  • The segmentation module (210) is configured to establish independent segmentation in the virtualized environment, according to an embodiment of the present invention.
  • The segmentation module (210) is configured to establish segmentation policy trust.
  • A surface policy for various segmentations may be established, as shown in TABLE 1 below.

    TABLE 1
    Virtual router | Channel type | Tenant         | Action
    Vrouter 1      | secure       | tenant finance | Establish new segmentation between tenant finance and resources
    Vrouter 3      | non-secure   | tenant HRD     | Establish new segmentation between tenant HRD and resources

  • ‘Vrouter 1’ may be assigned for secure action from team finance to establish new segmentation between tenant finance and resources.
  • ‘Vrouter 2’ may be used for selecting specific data from tenant procurement.
  • ‘Vrouter 3’ and ‘Vrouter 4’ may be used for non-secure actions from tenant HRD and tenant facilities.
  • Index ‘vr1’ may be used for the secure channel type as a congestion trigger for creating a ‘new segmentation virtual route’.
  • Index ‘vr2’ may be used for the semi-secure channel.
  • The segmentation module (210) is configured to categorize the segmentation policy trust into ‘segmentwall’ and ‘subsegmentwall’, as shown in FIG. 6.
  • An inner policy may also be created to handle the inside of the respective segmentation.
  • The ‘segmentwall’ may separate the primary virtual router from the multiple virtual routers inside the virtualized environment.
  • The ‘subsegmentwall’ may separate the individual groups inside the enterprise-level network, for example, tenant finance, tenant HRD, and tenant lab. Those skilled in the art will appreciate that separating the primary virtual router from the multiple virtual routers provides better control of the ‘subsegmentwall’ and ‘segmentwall’.
  • The segmentation module (210) is configured to test the ‘segmentwall’ and ‘subsegmentwall’ and determine if the ‘segmentwall’ and ‘subsegmentwall’ are functioning properly, as per predetermined criteria.
  • The predetermined criteria may include whether the policy inside the respective segmentation is working or not.
  • The segmentation module (210) is further configured to establish a suitable type of tunnel. In an embodiment, the type of tunnel may be established based on characteristics (for example, secure, semi-secure, etc.). Further, the segmentation module (210) is configured to establish group segmentation, and further establish the group and data functionality.
  • The segmentation module (210) is configured to establish new segmentation in case congestion happens in the virtualized environment, according to an embodiment of the present invention.
  • The segmentation module (210) is configured to determine congestion based on predetermined parameters such as queuing delay, packet loss, link down, and blocking of new connections. For example, as shown in FIG. 7, the segmentation module (210) is configured to add another ‘vrouter 1A’ in the tenant lab group in case of congestion in the tenant lab group.
  • In FIG. 7, ‘Vrouter 1A’ is a sub virtual router.
  • A new ‘segmentwall’ may be added to secure the channel on the selected resources.
  • FIG. 8 illustrates an exemplary flowchart of a segmentation method (1000) to establish various segmentation functionalities in a virtualized environment, according to an embodiment of the present invention.
  • The eco-structure of the virtualized environment is identified.
  • The complete eco-structure is identified before dividing the eco-structure into smaller eco-structures.
  • A suitable eco-structure is detected and established to suit the functionality.
  • Suitable resources, groups of tenants, similar data, and similar policies are detected.
  • A context is created, and the selected resources and devices interact with the context.
  • A combination of selected resources and devices is created, and an interaction context is obtained for the efficient and safe working of the selected segmentation.
  • The context provision is tested and interacts with critical resources including the file server, application server, and database server.
  • The connection interaction is tested.
  • Independent segmentation is established.
  • New segmentation is established.
  • FIG. 9 depicts an exemplary flowchart 1010 illustrating a method of identifying the eco-structure of the virtualized environment, according to an embodiment of the present invention.
  • The eco-structure is identified and checked.
  • The eco-structure of the current condition may be gathered, and then it may be checked and identified.
  • The eco-structure is divided.
  • The eco-structure is divided into group, tenants, data functionality, secrecy, and sub eco-structure details.
  • At step 1014, the eco-structure is revised. In an embodiment, the eco-structure is revised if it needs to be updated with new virtual devices. If the identification is satisfactory, the method proceeds to step 1015.
  • At step 1015, the eco-structure is simulated. In an embodiment, the selected eco-structure is simulated logically to make sure it works when it is divided from the existing eco-structure (for example, using the ping command).
  • At step 1016, the new eco-structure is started.
  • FIG. 10 depicts an exemplary flowchart illustrating a method 1020 of establishing and providing a suitable eco-structure to suit the segmentation, according to an embodiment of the present invention.
  • The new eco-structure is studied.
  • The potential eco-structure may be studied.
  • The respective group, for example finance, HRD, or lab, is selected.
  • The functionality of each group, tenant, and functionality with data is selected in detail.
  • At step 1023, it is determined if any group needs to be updated. If the answer is ‘no’ at step 1023, the method proceeds to step 1025. If the answer is ‘yes’ at step 1023, the method proceeds to step 1024. At step 1024, the eco-structure is revised, and the method returns to step 1022. At step 1025, the eco-structure is stabilized. At step 1026, it is decided to proceed with grouping and matching.
  • FIG. 11 depicts an exemplary flowchart illustrating a method 1030 of creating a context and interacting with selected resources or devices, according to an embodiment of the present invention.
  • At step 1031, it is checked which group belongs to which data.
  • At step 1032, each respective group is selected and expanded.
  • The functionality of each group, tenant, and functionality with data is selected in detail.
  • At step 1033, it is determined if there is a need to update any group. In an embodiment, it is checked whether there is a need to update resources, department group, or data. If there is no need to update groups, the method proceeds to step 1035. Otherwise, at step 1034, the potential of each group that can be expanded is checked, and the method returns to step 1032. At step 1035, the eco-structure is stabilized and simulated. In an embodiment, connectivity, department, and resources are stabilized. At step 1036, it is decided to proceed with grouping and matching. In an embodiment, it may be decided to proceed with matching functionality data and group.
  • FIG. 12 depicts an exemplary flowchart illustrating a method 1040 of testing context provision and interaction, according to an embodiment of the present invention.
  • The context is provisioned.
  • A context with resources such as tenants, grouping of tenants, and data functionality is provisioned, having already been finalized after checking the stability of the newly selected eco-structure.
  • It is checked if the provision is working as expected.
  • Commands like ping, or tools like Wireshark, may be used to troubleshoot when establishing the logical context.
  • At step 1043, the respective group functionality and group data are tested.
  • At step 1044, it is determined if there is a need to create a primary virtual router.
  • The overall segmentation may be combined by creating one primary virtual router as an anchor. If the answer is ‘NO’, the method returns to step 1043. Otherwise, the method proceeds to step 1045. At step 1045, frequent tests with different segments and data are created.
  • FIG. 13 depicts an exemplary flowchart illustrating a method 1050 of establishing independent segmentation in a virtualized environment, according to an embodiment of the present invention.
  • Segmentation policy trust is established.
  • A surface policy for various segmentations may be established.
  • The segmentation policy trust is categorized into ‘segmentwall’ and ‘subsegmentwall’.
  • An inner policy may also be created to handle the inside of the respective segmentation.
  • The ‘segmentwall’ and ‘subsegmentwall’ are tested.
  • The inner policy may be tested.
  • The type of tunnel is established. In an embodiment, the type of tunnel may be established based on characteristics like secure, semi-secure, or non-secure.
  • Group segmentation is established. In an embodiment, the group and data functionality is established.
  • The segmentation system (102) and the method (1000) performed by the segmentation system (102) advantageously provide stability of connectivity in the virtualized environment even after providing segmentation. Further, the segmentation system (102) provides enhanced security for a new tenancy accessing the resources on the network. Further, the segmentation system (102) advantageously provides good traffic visibility, because it provides segmentation policies having similar rules, tenants, and resources.
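As an added illustration (not code from the patent or from MIMOS), a small Python model of the segmentation module (210) and method (1050) described above: per-tenant virtual routers with secure, semi-secure and non-secure channels behind one primary virtual router, a ‘subsegmentwall’ check between groups, a ‘segmentwall’ check between the tenant virtual routers and the primary virtual router, and the congestion trigger that adds a sub virtual router and a new segmentwall. The rule encoding, the congestion thresholds and the naming of sub virtual routers are assumptions.

```python
"""Toy model of the segmentation scheme described above (segmentation module
(210) and method 1050).  Constructed illustration only: the rule encoding,
congestion thresholds and sub virtual router naming are assumptions."""
from dataclasses import dataclass, field

CHANNEL_RANK = {"non-secure": 0, "semi-secure": 1, "secure": 2}
CRITICAL_RESOURCES = ("file server", "application server", "database server")


@dataclass
class Group:
    """One tenant group with its own virtual router and channel type."""
    name: str
    channel: str
    vrouter: str
    sub_vrouters: list = field(default_factory=list)


@dataclass
class Segmentation:
    """Tenant vrouters anchored by one primary vrouter (as in FIG. 5)."""
    primary_vrouter: str = "primary vrouter"
    groups: dict = field(default_factory=dict)
    # 'segmentwall' policy: (vrouter, resource) -> weakest tunnel allowed
    segmentwall: dict = field(default_factory=dict)

    def add_group(self, name, channel):
        """Create a group with its own vrouter and seed its segmentwall rules."""
        if channel not in CHANNEL_RANK:
            raise ValueError(f"unknown channel type {channel!r}")
        g = Group(name, channel, f"vrouter {len(self.groups) + 1}")
        self.groups[name] = g
        for res in CRITICAL_RESOURCES:
            self.segmentwall[(g.vrouter, res)] = channel
        return g

    @staticmethod
    def subsegmentwall_allows(src_group, dst_group):
        """'subsegmentwall' keeps the individual groups apart from each other."""
        return src_group == dst_group

    def segmentwall_allows(self, vrouter, resource, via, tunnel):
        """'segmentwall' separates tenant vrouters from the primary vrouter:
        resource traffic must cross the primary vrouter over a tunnel at
        least as strong as the rule for that (vrouter, resource) pair."""
        required = self.segmentwall.get((vrouter, resource))
        if required is None or via != self.primary_vrouter:
            return False
        return CHANNEL_RANK.get(tunnel, -1) >= CHANNEL_RANK[required]

    @staticmethod
    def is_congested(metrics):
        """Congestion parameters named in the text (queuing delay, packet
        loss, link down, blocked new connection); thresholds are assumed."""
        return (metrics.get("queuing_delay_ms", 0) > 50
                or metrics.get("packet_loss_pct", 0.0) > 1.0
                or bool(metrics.get("link_down", False))
                or bool(metrics.get("new_connection_blocked", False)))

    def handle_congestion(self, group, metrics):
        """On congestion, add a sub virtual router to the group ('vrouter 1A'
        in FIG. 7) plus a new segmentwall requiring a secure channel on the
        critical resources.  Returns the new vrouter name, else None."""
        if not self.is_congested(metrics):
            return None
        g = self.groups[group]
        new_vr = f"{g.vrouter}{chr(ord('A') + len(g.sub_vrouters))}"
        g.sub_vrouters.append(new_vr)
        for res in CRITICAL_RESOURCES:
            self.segmentwall[(new_vr, res)] = "secure"
        return new_vr


def build_example():
    """The three groups of FIG. 4 with the channel types given in the text."""
    seg = Segmentation()
    seg.add_group("tenant finance", "secure")
    seg.add_group("tenant HRD", "semi-secure")
    seg.add_group("tenant lab", "non-secure")
    return seg


def walls_functioning(seg):
    """The segmentation module's own check that the policy inside each
    segmentation behaves as expected; True when every case passes."""
    p = seg.primary_vrouter
    checks = [
        not seg.subsegmentwall_allows("tenant finance", "tenant lab"),
        seg.segmentwall_allows("vrouter 1", "database server", p, "secure"),
        not seg.segmentwall_allows("vrouter 1", "database server", p, "semi-secure"),
        seg.segmentwall_allows("vrouter 3", "file server", p, "non-secure"),
        # bypassing the primary vrouter is blocked whatever the tunnel
        not seg.segmentwall_allows("vrouter 3", "file server", "vrouter 3", "secure"),
    ]
    return all(checks)
```

Calling `handle_congestion("tenant lab", {"packet_loss_pct": 3.5})` on the example adds ‘vrouter 3A’ with secure-only segmentwall rules, while a second congestion event adds ‘vrouter 3B’.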


Abstract

A segmentation system (102) for establishing segmentation functionalities in a virtualized environment is provided herein. The segmentation system (102) includes a group module (202) configured to identify eco-structure of a virtualized environment, and divide the eco-structure into a plurality of groups. The segmentation system (102) further includes a function module (204) configured to establish functions for each of the plurality of groups in the eco-structure. The segmentation system (102) further includes a match module (206) configured to match resources and data for each of the plurality of groups. The segmentation system (102) further includes a test module (208) configured to test functionality and data of each of the plurality of groups. The segmentation system (102) further includes a segmentation module (210) configured to establish segmentation for the plurality of groups in the virtualized environment.

Description

SEGMENTATION SYSTEM AND METHOD FOR VIRTUALIZED ENVIRONMENT
FIELD OF THE INVENTION
Embodiments of the present invention generally relate to a virtualized environment, and in particular relate to establishing segmentation functionality in a virtualized environment.
BACKGROUND
Virtualization technologies are in great demand today due to the increasing need for enterprise-level networks to function and manage numerous resources. Virtualization technology includes software that can create a virtual machine on a host computer, in which each virtual machine instance can execute its own virtual operating system. The virtual operating system may enable diverse applications to run in different environments on a shared hardware platform. These virtual operating systems usually include a software layer that runs on a host computer platform.
Further, there is increasing desirability among enterprises for connecting virtual machines together via virtual computer networks (also called subnets), so that they can exchange data in a manner very similar to physical machines exchanging data via a physical data network. The enterprises also feel the requirement of being able to connect different subgroups of virtual machines to different virtual networks. Conventionally, in a virtual environment, a gateway or router is utilized to connect different networks and segmentations, as shown in FIG. 3. In network virtualization, a spread network that consists of various subnet tenancies needs to be connected through a virtual router. However, these conventional methods also suffer from many disadvantages. First, newly emerging segmentation may cause instability of the connectivity. Further, it may cause a loophole in certain parts of the new tenancy, such as the security of accessing the resources. Further, there is limited traffic visibility because various segmentations have different rules, tenants, and resources, and lack properly defined segmentation policies. Further, if a new virtual segmentation includes limited control, then the new segmentation may cause a breach.
Additionally, a prior art, published as United States Patent Application US 20130283270 A1, discloses generally a method and facility useful for provisioning virtual data centers. Although the prior art may be expedient in improving communication between virtual machines and real physical machines, this solution suffers from the lack of comprehensive segmentation based on functionality, and hence may not provide efficient provisioning of virtual data centers. Therefore, there is a need for an improved system and method for establishing segmentation functionality in a virtualized environment which solves the above disadvantages associated with the conventional methods.
SUMMARY
According to an aspect of the present disclosure, a segmentation system (102) to provide various segmentation functionalities in a virtualized environment is provided herein. The segmentation system (102) includes a group module (202) configured to identify eco-structure of a virtualized environment, and divide the eco-structure into a plurality of groups. The segmentation system (102) further includes a function module (204) configured to establish functions for each of the plurality of groups in the eco-structure. The segmentation system (102) further includes a match module (206) configured to match resources and data for each of the plurality of groups. The segmentation system (102) further includes a test module (208) configured to test functionality and data of each of the plurality of groups. The segmentation system (102) further includes a segmentation module (210) configured to establish segmentation for the plurality of groups in the virtualized environment.
According to another aspect of the present disclosure, a computer-implemented method for establishing various segmentation functionalities in a virtualized environment is provided herein. The computer-implemented method includes identifying eco-structure of virtualized environment and dividing the eco-structure into group, tenants, data functionality, secrecy, and sub eco-structure. The computer-implemented method further includes establishing functions for each of a plurality of groups in the eco-structure. The computer-implemented method further includes creating context and interacting with selected resources and devices. The computer-implemented method further includes testing a context provision and interacting with the context provision. The computer-implemented method further includes establishing independent segmentation for the plurality of groups in the virtualized environment.
The preceding is a simplified summary to provide an understanding of some aspects of embodiments of the present invention. This summary is neither an extensive nor exhaustive overview of the present invention and its various embodiments. The summary presents selected concepts of the embodiments of the present invention in a simplified form as an introduction to the more detailed description presented below. As will be appreciated, other embodiments of the present invention are possible utilizing, alone or in combination, one or more of the features set forth above or described in detail below.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and still further features and advantages of embodiments of the present invention will become apparent upon consideration of the following detailed description of embodiments thereof, especially when taken in conjunction with the accompanying drawings, and wherein:
FIG. 1 is a block diagram depicting a network environment according to an embodiment of the present invention;
FIG. 2 is a block diagram of modules stored in memory, according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a conventional virtual gateway that is utilized to connect on different network and segmentation;
FIG. 4 is a schematic diagram of various groups created inside the virtualized environment, according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of multiple virtual routers and primary virtual routers created inside the virtualized environment, according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of ‘segmentwall’ and ‘subsegmentwall’ policy inside segmentation, according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of congestion handling inside a particular group of segmentation, according to an embodiment of the present invention;
FIG. 8 depicts an exemplary flowchart illustrating a segmentation method to establish various segmentation functionalities in a virtualized environment, according to an embodiment of the present invention;
FIG. 9 depicts an exemplary flowchart illustrating a method of identifying eco-structure of the virtualized environment, according to an embodiment of the present invention;
FIG. 10 depicts an exemplary flowchart illustrating a method of establishing and providing suitable eco-structure to suit with segmentation, according to an embodiment of the present invention;
FIG. 11 depicts an exemplary flowchart illustrating a method of creating context and interacting with selected resources or devices, according to an embodiment of the present invention;
FIG. 12 depicts an exemplary flowchart illustrating a method of testing context provision and interaction, according to an embodiment of the present invention; and
FIG. 13 depicts an exemplary flowchart illustrating a method of establishing independent segmentation in virtualized environment, according to an embodiment of the present invention. To facilitate understanding, like reference numerals have been used, where possible, to designate like elements common to the figures.
DETAILED DESCRIPTION
As used throughout this application, the word "may" is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include”, “including”, and “includes” mean including but not limited to.
The phrases “at least one”, “one or more”, and “and/or” are open-ended expressions that are both conjunctive and disjunctive in operation. For example, each of the expressions “at least one of A, B and C”, “at least one of A, B, or C”, “one or more of A, B, and C”, “one or more of A, B, or C” and “A, B, and/or C” means A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together.
The term “a” or “an” entity refers to one or more of that entity. As such, the terms “a” (or “an”), “one or more” and “at least one” can be used interchangeably herein. It is also to be noted that the terms “comprising”, “including”, and “having” can be used interchangeably.
The term “automatic” and variations thereof, as used herein, refers to any process or operation done without material human input when the process or operation is performed. However, a process or operation can be automatic, even though performance of the process or operation uses material or immaterial human input, if the input is received before performance of the process or operation. Human input is deemed to be material if such input influences how the process or operation will be performed. Human input that consents to the performance of the process or operation is not deemed to be “material”.
FIG. 1 illustrates an exemplary network environment (100) where various embodiments of the present invention may be implemented. The network environment (100) includes a segmentation system (102) connected to various client systems 104A, 104B, ... 104N (hereinafter referred to as 104) via a network (106). The network (106) may include, but is not restricted to, a communication network such as the Internet, PSTN, Local Area Network (LAN), Wide Area Network (WAN), Metropolitan Area Network (MAN), and so forth. In an embodiment, the network (106) can be a data network such as the Internet. The client systems (104) may belong to various enterprises and may be hardware and/or software (for example, threads, processes, computing devices). Further, the client systems (104) are configured to exchange data among themselves using the segmentation system (102). Further, the messages exchanged between the segmentation system (102) and the client systems (104) can comprise any suitable message format and protocol capable of communicating the information necessary for the segmentation system (102) to establish segmentation functionality in the virtualized environment. The client systems (104) may utilize the segmentation system (102) to receive segmentation functionality in the virtualized environment.
In an embodiment of the present invention, the segmentation system (102) may be a computing device. The segmentation system (102) includes a processor (110) and a memory (112). In one embodiment, the processor (110) includes a single processor and resides in the segmentation system (102). In another embodiment, the processor (110) may include multiple sub-processors. Further, the memory (112) may comprise suitable logic, circuitry, and/or interfaces that may be operable to store a machine readable code and/or a computer program with at least one code section executable by the processor (110).
In an embodiment, the memory (112) includes one or more instructions that may be executed by the processor (110) to identify eco-structure of a virtualized environment and divide the eco-structure into a plurality of groups, establish functions for each of the plurality of groups in the eco-structure, test functionality and data of each of the plurality of groups, and establish segmentation for the plurality of groups in the virtualized environment.
In one embodiment, the memory (112) includes the modules (114), a database (116), and other data (not shown in figure). The other data may include various data generated during testing various groups in the segmentation functionality in virtualized environment. In one embodiment, the database (116) is stored inside the segmentation system (102). In another embodiment, the database (116) may be stored outside of the segmentation system (102), and may be accessed via the network (106). Furthermore, the memory (112) of the segmentation system (102) is coupled to the processor (110).
Referring to FIG. 2, the modules (114) include a group module (202), a function module (204), a match module (206), a test module (208), and a segmentation module (210). The modules (114) are instructions stored in the memory (112) and may establish segmentation functionality in the virtualized environment.
The group module (202) is configured to identify the eco-structure of a virtualized environment of enterprise level networks, and further divide the eco-structure into various groups. In an embodiment, the group module (202) may gather the eco-structure of the enterprise level network to identify the eco-structure of the virtualized environment. Further, the group module (202) is configured to divide the eco-structure into group, tenants, data functionality, secrecy, and sub eco-structure details. In an embodiment, the groups created by the group module (202) may include ‘tenant-finance’, ‘tenant HRD’ (i.e., tenant human resource development), and ‘tenant lab’, as shown in FIG. 4.
Further, the group module (202) is configured to check the identification of the eco-structure against predetermined criteria, for example, capability, resources, and functionality. Further, the group module (202) is configured to revise the eco-structure of the virtualized environment in case the identification does not satisfy the predetermined criteria of capability, resources, and functionality. In an embodiment, the eco-structure is revised if there is a need to update it with new virtual devices. In such cases, the group module (202) is configured to update the eco-structure with new virtual devices (for example, virtual routers). As shown in FIG. 4, the group module (202) may create an individual virtual router for each of the groups created, i.e., ‘tenant-finance’, ‘tenant HRD’, and ‘tenant lab’. Further, the group module (202) is configured to simulate the eco-structure to make sure it works when it is divided into various groups.
The function module (204) is configured to establish suitable functions for the various groups in the eco-structure. The function module (204) is configured to check which group belongs to which data. Further, the function module (204) is configured to select and expand the respective group. In an embodiment, the functionality of each group, tenant, and functionality with data may be selected in detail by the function module (204). For example, the function module (204) may enable an administrator of the virtualized environment to select details of each group, tenant, and functionality.
The function module (204) is further configured to determine which group needs to be updated. The function module (204) is configured to check the potential of each group to be expanded. For example, the function module (204) may check the potential of expansion of each group including tenant-finance, tenant HRD, tenant lab, and other groups. As shown in FIG. 5, in an embodiment, the tenant-finance group is connected to critical resources like the file server, application server, and database server by a secure channel. Further, the tenant HRD is connected to critical resources like the file server, application server, and database server by a semi-secure channel. Furthermore, the tenant lab is connected to critical resources like the file server, application server, and database server by a non-secure channel. Those skilled in the art will appreciate that the type of channel (secure, semi-secure, or non-secure) is chosen according to the security level required for each type of group. Further, the function module (204) is configured to stabilize the eco-structure.
The match module (206) is configured to determine which group belongs to which data. For example, the match module (206) may determine the data corresponding to different groups, i.e., tenant-finance, tenant HRD, and tenant lab. Further, the match module (206) is configured to select and expand the respective group. In an embodiment, the functionality of each group, tenant, and functionality with data may be selected in detail.
Further, the match module (206) is configured to determine which group needs to be updated. In an embodiment, potential of each group may be checked to determine which group can be expanded. Further, the match module (206) is configured to check if there is need to update resources, department group or data. Further, the match module (206) is configured to stabilize the eco-structure. In an embodiment, connectivity, department and resources are stabilized. Further, the match module (206) is configured to proceed with grouping having matching functionality data.
The test module (208) is configured to test the context provision of each group created in the virtualized environment. In an embodiment, the context provision may include tenant-finance, tenant HRD, and tenant lab. In an embodiment, a context with resources such as tenants, grouping of tenants, and data functionality is provisioned, which has already been finalized after checking the stability of the newly selected eco-structure. The test module (208) is further configured to check if the provisions are working as per predetermined expectation. In an embodiment, the ‘ping command’ may be used by the test module (208) to troubleshoot when establishing the logical context.
The test module (208) is further configured to test the respective group functionality and data using predetermined resources, such as group functionality stored in the database (116). Further, the test module (208) is configured to determine if there is a need to create a primary virtual router based on predetermined criteria. In an embodiment, the predetermined criteria may be defined by an administrator of the virtualized environment of an enterprise. If there is such a need, the test module (208) is configured to create a ‘primary virtual router’ that can interconnect the common virtual router and multiple virtual routers inside the virtualized environment of enterprise networks, as shown in FIG. 5. In an embodiment, the test module (208) is configured to combine the overall segmentation by creating one primary virtual router as an anchor, as shown in FIG. 5.
The segmentation module (210) is configured to establish independent segmentation in the virtualized environment, according to an embodiment of the present invention. The segmentation module (210) is configured to establish segmentation policy trust. In an embodiment, a surface policy for various segmentations may be established, as shown in TABLE 1 below.
TABLE 1
Exemplary policy wall for multiple virtual routers for different groups

Virtual router | Channel type         | Group              | Segmentation
Vrouter 1      | Secure               | Tenant finance     | Establish new segmentation between Tenant finance and resources
Vrouter 2      | Select specific data | Tenant procurement | Establish new segmentation between Tenant procurement and resources
Vrouter 3      | None secure          | Tenant hrd         | Establish new segmentation between Tenant hrd and resources
Vrouter 4      | None secure          | Tenant facilities  | No segmentation
For example, as shown in TABLE 1, ‘Vrouter 1’ may be assigned for secure action from tenant finance to establish new segmentation between tenant finance and resources. Further, ‘Vrouter 2’ may be used for selecting specific data from tenant procurement. Furthermore, ‘Vrouter 3’ and ‘Vrouter 4’ may be used for non-secure actions from tenant hrd and tenant facilities. Further, as shown in TABLE 2 below, index ‘vr1’ may be used for the secure channel type with the congest trigger for creating a ‘new segmentation virtual route’. Similarly, index ‘vr2’ may be used for the semi-secure channel.
TABLE 2
Example of segmentation virtual route and different channel type for different groups

Channel type             | Trigger            | Segmentation virtual route
Secure                   | Congest            | New segmentation virtual route
Semi secure              | None               | Use same channel segmentation route
Secure for specific data | Need a secure path | New segmentation virtual route
Further, the segmentation module (210) is configured to categorize the segmentation policy trust into ‘segmentwall’ and ‘subsegmentwall’, as shown in FIG. 6. In an embodiment, inner policy may also be created to handle inside respective segmentation. For example, ‘segmentwall’ may separate primary virtual router from multiple virtual routers inside virtualized environment. Further, ‘subsegmentwall’ may separate individual groups inside the enterprise level network, for example, tenant finance, tenant HRD, and tenant lab. Those skilled in art will appreciate that separating primary virtual router from multiple virtual routers provides better control of ‘subsegmentwall’ and ‘segmentwall’.
Further, the segmentation module (210) is configured to test the ‘segmentwall’ and ‘subsegmentwall’ and determine if ‘segmentwall’ and ‘subsegmentwall’ are functioning properly, as per predetermined criteria. In an embodiment, the predetermined criteria may include whether the policy inside respective segmentation is working or not. The segmentation module (210) is further configured to establish suitable type of tunnel. In an embodiment, the type of tunnel may be established based on characteristics (for example, secure, semi-secure etc.). Further, the segmentation module (210) is configured to establish group segmentation, and further establish the group and data functionality.
Further, the segmentation module (210) is configured to establish new segmentation in case congestion happens in the virtualized environment, according to an embodiment of the present invention. In an embodiment, the segmentation module (210) is configured to determine congestion based on predetermined parameters such as queuing delay, packet loss, link down, and blocking of new connections. For example, as shown in FIG. 7, the segmentation module (210) is configured to add another ‘vrouter 1A’ in the tenant lab group in case of congestion in the tenant lab group. In an embodiment, if congestion happens and the link is down or not secure, then data may be forwarded via a new path to which a sub virtual router (‘vrouter 1A’) has been allocated. Further, in an embodiment, before accessing the resource, a new ‘segmentwall’ may be added to secure the channel on the selected resources.
FIG. 8 illustrates an exemplary flowchart of a segmentation method (1000) to establish various segmentation functionalities in a virtualized environment, according to an embodiment of the present invention. Initially, at step 1010, the eco-structure of the virtualized environment is identified. In an embodiment, the complete eco-structure is identified before dividing the eco-structure into small eco-structures.
At step 1020, a suitable eco-structure is detected and established to suit the functionality. In an embodiment, suitable resources, groups of tenants, similar data, and similar policies are detected. At step 1030, a context is created, and the selected resources and devices interact with the context. In an embodiment, a combination of selected resources and devices is created and an interaction context is obtained for efficient and safe working of the selected segmentation. At step 1040, the context provision is tested and interacts with critical resources including the file server, application server, and database server. In an embodiment, the connection interaction is tested. At step 1050, independent segmentation is established. In an embodiment, new segmentation is established.
FIG. 9 depicts an exemplary flowchart 1010 illustrating a method of identifying the eco-structure of the virtualized environment, according to an embodiment of the present invention. Initially, at step 1011, the eco-structure is identified and checked. In an embodiment, the eco-structure of the current condition may be gathered, and then it may be checked and identified. At step 1012, the eco-structure is divided. In an embodiment, the eco-structure is divided into group, tenants, data functionality, secrecy, and sub eco-structure details. At step 1013, it is determined whether the identification satisfies the criteria of capability, resources, and functionality.
If the identification is not satisfactory, the method proceeds to step 1014. At step 1014, the eco-structure is revised. In an embodiment, the eco-structure is revised if it needs to be updated with new virtual devices. If the identification is satisfactory, the method proceeds to step 1015. At step 1015, the eco-structure is simulated. In an embodiment, the selected eco-structure is simulated logically to make sure it works when it is divided from the existing eco-structure (for example, using the ping command). At step 1016, the new eco-structure is started.
FIG. 10 depicts an exemplary flowchart illustrating a method 1020 of establishing and providing a suitable eco-structure to suit the segmentation, according to an embodiment of the present invention. Initially, at step 1021, the new eco-structure is studied. In an embodiment, a potential eco-structure may be studied. At step 1022, the respective group (for example, finance, HRD or lab) is selected and expanded. In an embodiment, the functionality of each group, tenant, and functionality with data is selected in detail.
At step 1023, it is determined if any group needs to be updated. If the answer is ‘no’ at step 1023, the method proceeds to step 1025. If the answer is ‘yes’ at step 1023, the method proceeds to step 1024. At step 1024, the eco-structure is revised, and the method returns to step 1022. At step 1025, the eco-structure is stabilized. At step 1026, it is decided to proceed with grouping and matching.
FIG. 11 depicts an exemplary flowchart illustrating a method 1030 of creating context and interacting with selected resources or devices, according to an embodiment of the present invention. Initially, at step 1031, it is checked which group belongs to which data. At step 1032, each respective group is selected and expanded. In an embodiment, the functionality of each group, tenant, and functionality with data is selected in detail.
At step 1033, it is determined if there is a need to update any group. In an embodiment, it is checked whether there is a need to update resources, department group, or data. If there is no need to update groups, the method proceeds to step 1035. Otherwise, at step 1034, the potential of each group to be expanded is checked, and the method returns to step 1032. At step 1035, the eco-structure is stabilized and simulated. In an embodiment, connectivity, department, and resources are stabilized. At step 1036, it is decided to proceed with grouping and matching. In an embodiment, it may be decided to proceed with matching functionality data and group.
FIG. 12 depicts an exemplary flowchart illustrating a method 1040 of testing context provision and interaction, according to an embodiment of the present invention. Initially, at step 1041, the context is provisioned. In an embodiment, a context with resources such as tenants, grouping of tenants, and data functionality is provisioned, which has already been finalized after checking the stability of the newly selected eco-structure. At step 1042, it is checked if the provision is working as expected. In an embodiment, tools like ping or Wireshark may be used to troubleshoot when establishing the logical context.
At step 1043, the respective group functionality and group data are tested. At step 1044, it is determined if there is a need to create a primary virtual router. In an embodiment, the overall segmentation may be combined by creating one primary virtual router as an anchor. If the answer is ‘NO’, the method returns to step 1043. Otherwise, the method proceeds to step 1045. At step 1045, frequent testing with different segments and data is set up.
FIG. 13 depicts an exemplary flowchart illustrating a method 1050 of establishing independent segmentation in the virtualized environment, according to an embodiment of the present invention. Initially, at step 1051, segmentation policy trust is established. In an embodiment, a surface policy for various segmentations may be established. At step 1052, the segmentation policy trust is categorized into ‘segmentwall’ and ‘subsegmentwall’. In an embodiment, an inner policy may also be created to handle the inside of the respective segmentation.
At step 1053, the ‘segmentwall’ and ‘subsegmentwall’ are tested. In an embodiment, the inner policy may be tested. At step 1054, it is determined if the ‘segmentwall’ and ‘subsegmentwall’ are working. In an embodiment, it may be checked whether the policy inside the respective segmentation is working or not. If yes, the method proceeds to step 1055. Otherwise, the method returns to step 1053. At step 1055, the type of tunnel is established. In an embodiment, the type of tunnel may be established based on characteristics like secure, semi-secure, or non-secure. At step 1056, group segmentation is established. In an embodiment, the group and data functionality is established.
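An added Python model (not the patent's own code) of the segmentation module (210) described above and of method 1050 in FIG. 13: TABLE 2 as a rule lookup, the ‘segmentwall’ and ‘subsegmentwall’ checks, tunnel selection by channel characteristic, and the FIG. 7 congestion rule that adds a sub virtual router. Router names, congestion thresholds and tunnel labels are assumptions of this example.

```python
"""Toy model of segmentation module (210): TABLE 2 rules, 'segmentwall' and
'subsegmentwall' checks, tunnel type and the FIG. 7 congestion rule (constructed)."""
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    SECURE = "secure"
    SEMI_SECURE = "semi-secure"
    NON_SECURE = "non-secure"
    SECURE_SPECIFIC = "secure for specific data"


@dataclass
class VRouter:
    name: str
    tenant: str              # "" marks the primary (anchor) virtual router
    channel: Channel
    links: set = field(default_factory=set)   # names of directly linked nodes


# TABLE 2 as a lookup: (channel type, trigger) -> segmentation virtual route.
SEGMENTATION_RULES = {
    (Channel.SECURE, "congest"): "new segmentation virtual route",
    (Channel.SEMI_SECURE, "none"): "use same channel segmentation route",
    (Channel.SECURE_SPECIFIC, "need a secure path"): "new segmentation virtual route",
}

# Assumed tunnel type per channel characteristic (step 1055); labels are ours.
TUNNEL_TYPES = {
    Channel.SECURE: "encrypted tunnel",
    Channel.SECURE_SPECIFIC: "encrypted tunnel",
    Channel.SEMI_SECURE: "authenticated tunnel",
    Channel.NON_SECURE: "plain tunnel",
}


@dataclass
class Segmentation:
    primary: VRouter
    tenants: dict = field(default_factory=dict)   # vrouter name -> VRouter

    def add_vrouter(self, vr):
        # every tenant virtual router hangs off the primary anchor (FIG. 5)
        self.tenants[vr.name] = vr
        self.primary.links.add(vr.name)
        vr.links.add(self.primary.name)

    def segmentwall_ok(self):
        # 'segmentwall': the primary is linked only to tenant virtual routers,
        # never to tenant hosts or resources directly
        return all(n in self.tenants for n in self.primary.links)

    def subsegmentwall_ok(self):
        # 'subsegmentwall': routers of different tenant groups share no direct
        # link; groups meet only at the primary router
        for vr in self.tenants.values():
            for peer in vr.links:
                other = self.tenants.get(peer)
                if other is not None and other.tenant != vr.tenant:
                    return False
        return True


def segmentation_action(channel, trigger):
    """TABLE 2 lookup; unlisted combinations keep the existing segmentation."""
    return SEGMENTATION_RULES.get((channel, trigger), "no segmentation")


def is_congested(metrics):
    """Congestion test on the four named parameters; thresholds are assumed."""
    return (metrics.get("queuing_delay_ms", 0) > 100
            or metrics.get("packet_loss_pct", 0.0) > 1.0
            or metrics.get("link_down", False)
            or metrics.get("blocked_new_connections", 0) > 0)


def handle_congestion(seg, vr_name, metrics):
    """FIG. 7 rule: on congestion add a sub virtual router '<name>A' in the same
    group and forward via it; if the link is down or the channel is not secure
    the new path gets a secure channel first.  Returns the sub router or None."""
    if not is_congested(metrics):
        return None
    parent = seg.tenants[vr_name]
    insecure = metrics.get("link_down", False) or parent.channel != Channel.SECURE
    sub = VRouter(vr_name + "A", parent.tenant,
                  Channel.SECURE if insecure else parent.channel)
    sub.links.add(parent.name)
    parent.links.add(sub.name)
    seg.tenants[sub.name] = sub      # hangs off its parent, not the primary
    return sub


def build_example():
    """Constructed FIG. 4/5 shape: one virtual router per tenant group."""
    seg = Segmentation(VRouter("primary", "", Channel.SECURE))
    seg.add_vrouter(VRouter("vrouter1", "tenant-finance", Channel.SECURE))
    seg.add_vrouter(VRouter("vrouter2", "tenant-hrd", Channel.SEMI_SECURE))
    seg.add_vrouter(VRouter("vrouter3", "tenant-lab", Channel.NON_SECURE))
    return seg
```

Calling `build_example()` and then `handle_congestion(seg, "vrouter3", {"packet_loss_pct": 4.2})` adds ‘vrouter3A’ with a secure channel while both wall checks stay true; adding a direct link between two tenant routers makes `subsegmentwall_ok()` return False.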
The segmentation system (102) and the method (1000) performed by the segmentation system (102) advantageously provide stability of connectivity in the virtualized environment even after segmentation is applied. Further, the segmentation system (102) provides enhanced security for a new tenancy accessing the resources on the network. Further, the segmentation system (102) advantageously provides good traffic visibility, because it provides segmentation policies having similar rules, tenants, and resources.
The foregoing discussion of the present invention has been presented for purposes of illustration and description. It is not intended to limit the present invention to the form or forms disclosed herein. In the foregoing detailed description, for example, various features of the present invention are grouped together in one or more embodiments, configurations, or aspects for the purpose of streamlining the disclosure. The features of the embodiments, configurations, or aspects may be combined in alternate embodiments, configurations, or aspects other than those discussed above. This method of disclosure is not to be interpreted as reflecting an intention the present invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment, configuration, or aspect. Thus, the following claims are hereby incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of the present invention.
Moreover, though the description of the present invention has included description of one or more embodiments, configurations, or aspects and certain variations and modifications, other variations, combinations, and modifications are within the scope of the present invention, e.g., as may be within the skill and knowledge of those in the art, after understanding the present disclosure. It is intended to obtain rights which include alternative embodiments, configurations, or aspects to the extent permitted, including alternate, interchangeable and/or equivalent structures, functions, ranges or steps to those claimed, whether or not such alternate, interchangeable and/or equivalent structures, functions, ranges or steps are disclosed herein, and without intending to publicly dedicate any patentable subject matter.

Claims

1. A segmentation system (102) for establishing segmentation functionalities in a virtualized environment of enterprise level networks, the segmentation system (102) comprising a processor (110) and a memory (112); characterized in that the memory (112) stores:
a group module (202) configured to identify an eco-structure of a virtualized environment, and divide the eco-structure into a plurality of eco-structure groups;
a function module (204) configured to establish functions for each of the plurality of eco-structure groups identified by the group module (202) in the eco-structure;
a match module (206) configured to match resources and data for each of the plurality of groups;
a test module (208) configured to test functionality and data of each of the plurality of groups; and
a segmentation module (210) configured to establish segmentation for the plurality of groups in the virtualized environment.
2. The segmentation system (102) of claim 1, wherein the plurality of groups created by the group module (202) comprising tenant-finance, tenant HRD, and tenant lab.
3. The segmentation system (102) of claim 1, wherein the group module (202) further configured to create individual virtual router for each of the plurality of groups.
4. The segmentation system (204) of claim 1, wherein the function module (204) is configured to establish functionality of each group, tenant and functionality with data.
5. The segmentation system (102) of claim 1, wherein the match module (206) further configured to select and expand each of the plurality of groups.
6. The segmentation system (102) of claim 1, wherein the test module (208) is configured to check the need to update resources, department group or data of each group.
7. The segmentation system (102) of claim 1, wherein the test module (208) is further configured to create a ‘primary virtual router’ to interconnect a common virtual router and a plurality of virtual routers inside the virtualized environment.
8. The segmentation system (102) of claim 1, wherein segmentation module (210) is configured to categorize a segmentation policy trust into ‘segmentwall’ and ‘subsegmentwall’.
9. The segmentation system (102) of claim 6, wherein ‘segmentwall’ is configured to separate ‘primary virtual router’ from the plurality of virtual routers inside virtualized environment, and ‘subsegmentwall’ is configured to separate ‘individual groups’ inside the virtualized environment.
10. The segmentation system (102) of claim 1, wherein the segmentation module (210) is further configured to test functioning of the ‘segmentwall’ and ‘subsegmentwall’.
11. The segmentation system (102) of claim 1, wherein the segmentation module (210) is further configured to establish new segmentation, in case of congestion in any group of the virtualized environment.
12. A computer-implemented method for establishing segmentation functionalities in a virtualized environment of enterprise level networks, the computer-implemented method is characterized by the steps of:
identifying eco-structure of virtualized environment;
establishing functions for each of a plurality of groups in the eco-structure;
creating context and interacting with selected resources and devices;
testing a context provision and interacting with the context provision; and
establishing independent segmentation for the plurality of groups in the virtualized environment.
13. The computer-implemented method of claim 13, wherein the identifying eco-structure of virtualized environment comprising dividing the eco-structure into a plurality of groups.
14. The computer implemented method of claims 14, wherein the groups comprising: tenant-finance, tenant HRD, and tenant lab.
15. The computer-implemented method of claim 13, wherein the establishing functions comprising selecting functionality of each group, tenant and functionality with data.
16. The computer-implemented method of claim 13, wherein the creating context comprising checking need to update resources, department group or data of each group.
17. The computer-implemented method of claim 13, wherein the testing a context provision comprising testing respective group functionality and data.
18. The computer-implemented method of claim 13, wherein the establishing independent segmentation comprising categorizing segmentation policy into ‘segmentwall’ and ‘subsegmentwall’.
PCT/MY2020/050135 2019-11-29 2020-11-06 Segmentation system and method for virtualized environment WO2021107768A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2019007096 2019-11-29

Publications (1)

Publication Number Publication Date
WO2021107768A1 true WO2021107768A1 (en) 2021-06-03

Family

ID=76130674

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2020/050135 WO2021107768A1 (en) 2019-11-29 2020-11-06 Segmentation system and method for virtualized environment

Country Status (1)

Country Link
WO (1) WO2021107768A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160021032A1 (en) * 2014-07-21 2016-01-21 Big Switch Networks, Inc. Systems and methods for performing logical network forwarding using a controller
US20160080213A1 (en) * 2009-12-07 2016-03-17 Amazon Technologies, Inc. Emulating virtual router device functionality in virtual computer networks
US20170004192A1 (en) * 2015-06-30 2017-01-05 Nicira, Inc. Replicating firewall policy across multiple data centers
US20170010921A1 (en) * 2012-03-07 2017-01-12 Vmware, Inc. Multitenant access to multiple desktops on host machine partitions in a service provider network
US20170250870A1 (en) * 2014-11-27 2017-08-31 Huawei Technologies Co., Ltd. Virtual network policy configuration method and system, and virtual network element and network administration system thereof

Similar Documents

Publication Publication Date Title
US11700237B2 (en) Intent-based policy generation for virtual networks
US10893004B2 (en) Configurable detection of network traffic anomalies at scalable virtual traffic hubs
CN109417496B (en) Automatic service function verification in a virtual network environment
US11500670B2 (en) Computing service with configurable virtualization control levels and accelerated launches
US10666516B2 (en) Constraint-based virtual network function placement
Chowdhury et al. Vineyard: Virtual network embedding algorithms with coordinated node and link mapping
KR101714279B1 (en) System and method providing policy based data center network automation
US11258761B2 (en) Self-service firewall configuration
US11425095B2 (en) Fast ordering of firewall sections and rules
CN105657081B (en) The method, apparatus and system of DHCP service are provided
US10698741B2 (en) Resource allocation method for VNF and apparatus
US9088503B2 (en) Multi-tenant information processing system, management server, and configuration management method
US10924298B2 (en) Network service chain construction
WO2015087475A1 (en) Software-defined networking interface between multiple platform managers
US10725810B2 (en) Migrating virtualized computing instances that implement a logical multi-node application
US11531564B2 (en) Executing multi-stage distributed computing operations with independent rollback workflow
US10747584B2 (en) Security-aware partitioning of processes
WO2021107768A1 (en) Segmentation system and method for virtualized environment
US11425003B2 (en) Network aware element and a method for using same
US11991211B1 (en) Symmetric cross-region network data flow management
CN114428620A (en) Data stream mirroring method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20891934; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20891934; Country of ref document: EP; Kind code of ref document: A1)