-
Publication (Announcement) No.: US11936558B1
Publication (Announcement) Date: 2024-03-19
Application No.: US17643774
Filing Date: 2021-12-10
Applicant: Amazon Technologies, Inc.
Inventor: Baihu Qian , Bashuman Deb , Justin Lin Hsieh , Daniel William Dacosta , Nick Matthews , Anoop Dawani , Omer Hashmi , Thomas Nguyen Spendley , Viktor Heorhiadi
IPC: H04L45/42 , H04L12/46 , H04L45/00 , H04L45/12 , H04L45/745
CPC classification number: H04L45/42 , H04L12/4641 , H04L45/123 , H04L45/22 , H04L45/745
Abstract: Systems and methods are provided for evaluation of networks and changes thereto using automated analysis of network models. The automated analysis can be used to determine how to implement and mutate networks efficiently and effectively, to determine whether and why network resources are unable to communicate with each other, and the like. Automated analysis can allow users (e.g., network administrators) to define networks and pose changes to networks using high-level policies (e.g., written in a declarative language), have those policies automatically translated to lower-level implementation operations for analysis, and in some cases have results of the analysis presented back to the users in an easy-to-understand form.
-
Publication (Announcement) No.: US11743122B1
Publication (Announcement) Date: 2023-08-29
Application No.: US17709068
Filing Date: 2022-03-30
Applicant: Amazon Technologies, Inc.
Inventor: Samuel Bayless , John David Backes , Daniel William Dacosta , Vaibhav Katkade , Sagar Chintamani Joshi , Nadia Labai , Syed Mubashir Iqbal , Patrick Trentin , Nathan Launchbury , Nikolaos Giannarakis , Victor Heorhiadi , Nick Matthews
IPC: H04L41/0869 , H04L41/08 , H04L41/22 , H04L41/0816 , H04L41/14 , H04L41/147 , H04L9/40
CPC classification number: H04L41/0869 , H04L41/0816 , H04L41/0883 , H04L41/145 , H04L41/147 , H04L41/22 , H04L63/0263
Abstract: A network change verification (NCV) system is disclosed for checking whether a proposed configuration change on a network alters the way that the network controls recently observed network flows. In embodiments, the system builds an observed flow control model (OFCM) from logs of recent flows observed in the network. The OFCM, which may be periodically updated based on newly observed flows, provides a compact representation of how individual network flows were ostensibly controlled by the network. When a proposed configuration change is received, the system analyzes the change against the OFCM to check whether the change will alter how the network controls recently observed flows. If so, the proposed change is blocked, and an alert is generated identifying flows that are affected by the change. The NCV system thus prevents network operators from accidentally making changes on the network that will materially alter the behavior of the network.
-
Publication (Announcement) No.: US20240333775A1
Publication (Announcement) Date: 2024-10-03
Application No.: US18741445
Filing Date: 2024-06-12
Applicant: Amazon Technologies, Inc.
Inventor: Baihu Qian , Bashuman Deb , Justin Lin Hsieh , Daniel William Dacosta , Nick Matthews , Viktor Heorhiadi , Lalith Kumar Ramamoorthi , Anoop Dawani , Omer Hashmi , Thomas Nguyen Spendley
IPC: H04L9/40 , H04L12/46 , H04L41/0893 , H04L45/24 , H04L47/20
CPC classification number: H04L63/205 , H04L12/4675 , H04L41/0893 , H04L45/24 , H04L47/20 , H04L63/0272
Abstract: Systems and methods are provided for obtaining policy data associated with a private network implemented at least partly within a cloud provider network; establishing, based on the policy data, a first segment within the private network, wherein in a first geographic region of the cloud provider network, traffic associated with the first segment is isolated from traffic associated with a second segment of the private network, and wherein in a second geographic region of the cloud provider network, traffic associated with the first segment is isolated from traffic associated with a third segment of the private network; obtaining metadata indicating an isolated network of the cloud provider network is associated with the first segment; and enabling the isolated network to communicate, over the first segment, across the first geographic region and the second geographic region.
-
Publication (Announcement) No.: US12021902B1
Publication (Announcement) Date: 2024-06-25
Application No.: US17643769
Filing Date: 2021-12-10
Applicant: Amazon Technologies, Inc.
Inventor: Baihu Qian , Bashuman Deb , Justin Lin Hsieh , Daniel William Dacosta , Nick Matthews , Viktor Heorhiadi , Lalith Kumar Ramamoorthi , Anoop Dawani , Omer Hashmi , Thomas Nguyen Spendley
CPC classification number: H04L63/205 , H04L12/4675 , H04L41/0893 , H04L45/24 , H04L47/20 , H04L63/0272
Abstract: Systems and methods are provided for evaluation of communication paths through networks to determine whether communication is permitted across one or more internal network boundaries. The analysis may be used to determine whether a node in one isolated network (e.g., VPC, VPN, client on-premise network, etc.) is able to communicate with a node in another isolated network across region and/or segment boundaries. The automated analysis can allow users (e.g., network administrators) to see what high-level policies (e.g., Cloud WAN policies written in a declarative language) are interfering with or permitting communication between the nodes.
-
Publication (Announcement) No.: US11245614B1
Publication (Announcement) Date: 2022-02-08
Application No.: US17114327
Filing Date: 2020-12-07
Applicant: Amazon Technologies, Inc.
Inventor: John David Backes , Samuel Bayless , Daniel William Dacosta , Ao Li
IPC: H04L12/46 , H04L12/751 , H04L12/24
Abstract: Features are disclosed for managing routing rules stored by a routing device and used to manage network traffic in a network. A computing device can receive multiple routing rules corresponding to multiple routing devices in the network. The computing device can use a formal specification and a snapshot to generate a model of the network. The computing device may use the model in order to statically determine the set of possible paths without causing the transmission of data between a routing device and a destination. The computing device may compare the identified routing rules and the possible paths in order to determine excess routing rules. The computing device may remove the excess routing rules from the routing rules for each routing device such that each routing device routes subsequent network traffic based on the updated routing rules.
-
Publication (Announcement) No.: US11206175B1
Publication (Announcement) Date: 2021-12-21
Application No.: US17117930
Filing Date: 2020-12-10
Applicant: Amazon Technologies, Inc.
Inventor: Samuel Bayless , John David Backes , Daniel William Dacosta , Benjamin F Jones , Patrick Trentin , Nathan Launchbury , Sagar Chintamani Joshi , Nandita Mathews
IPC: G06F15/177 , H04L12/24 , H04L12/26
Abstract: This disclosure describes techniques for identifying blocked paths and network configuration settings that block paths in networks, such as network paths in a virtual private cloud (VPC). The configuration of virtual networks depends on the correct configuration of many networking resources, such as firewalls, security groups, routing lists, access control lists (ACLs), and the like. In some cases, an analysis that uses formal methods can be performed to determine a network configuration of a virtual network. Using the network configuration information, network paths that are blocked and network configuration settings that may be blocking one or more of the network paths can be determined. The PAS can provide an explanation of what is blocking the network paths. For example, the PAS may identify that a configuration setting of a firewall, router, network gateway, an access control list (ACL), and the like may be blocking a network path.
-