-
1.
Publication number: US11709694B2
Publication date: 2023-07-25
Application number: US16664552
Filing date: 2019-10-25
Applicant: Microsoft Technology Licensing, LLC
Inventor: Vishal Taneja , Abhishek Shukla , Parag Sharma , Xinyan Zan , Kaihua Xu
IPC: G06F9/455 , H04L12/46 , H04L45/74 , H04L61/5007
CPC classification number: G06F9/45558 , H04L12/4633 , H04L12/4641 , H04L45/74 , H04L61/5007 , G06F2009/4557 , G06F2009/45595
Abstract: A hybrid state for a virtual machine (VM) in a cloud computing system enables a VM to communicate with other VMs that belong to a virtual network (VNET VMs) while maintaining connectivity with other VMs that do not belong to the virtual network (non-VNET VMs). A non-VNET VM can be transitioned to a hybrid VM that operates in a hybrid state. The hybrid VM can be assigned a private virtual IP address (VNET address) for communication with other VNET VMs. The hybrid VM can continue to use a physical IP address to communicate with other non-VNET VMs. In this way, the hybrid VM is able to maintain connectivity with other non-VNET VMs during and after migration to the VNET. A network stack can be configured to process data packets that are destined for non-VNET VMs differently from data packets that are destined for VNET VMs.
-
2.
Publication number: US11063857B2
Publication date: 2021-07-13
Application number: US16198732
Filing date: 2018-11-21
Applicant: Microsoft Technology Licensing, LLC
Inventor: Rishabh Tewari , Daniel Firestone , Harish Kumar Chandrappa , Anitha Adusumilli , David Michael Brumley , Deepak Bansal , Albert Gordon Greenberg , Parag Sharma , Arjun Roy
Abstract: Techniques are described herein that are capable of monitoring connectivity and latency of network links in virtual networks. For instance, a ping agent injects first ping packets into network traffic on behalf of hosts in the virtual network. The ping agent monitors incoming packets to identify first ping response packets, which are in response to the first ping packets, among the incoming packets. A ping responder rule that is included in inbound packet filter rules for a port in a virtual switch intercepts second ping packets in the network traffic. The ping responder rule converts the second ping packets into second ping response packets and injects the second ping response packets into outbound packet filter rules to be transferred to sources from which the second ping packets are received.
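An added illustration of the two mechanisms in this abstract (example code written for this page, not code from the patent or from Microsoft): a ping agent that injects probes on behalf of a host and pairs the responses by (peer, sequence), and an inbound ping-responder rule in a virtual-switch port's filter chain that turns a probe into a response and injects it into the outbound rules, so the probe never reaches the guest. The `Packet` layout, the rule verdicts, the `VSwitchPort` model and the addresses are assumptions made for this example; a real implementation would match on ICMP or on a dedicated probe encapsulation.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Optional


class Verdict(Enum):
    PASS = auto()         # continue down the chain (deliver / transmit at the end)
    DROP = auto()         # discard
    TO_OUTBOUND = auto()  # do not deliver; inject the returned packet into the outbound chain


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str   # "ping", "ping-reply" or "data": constructed tags, not a wire format
    seq: int = 0


Rule = Callable[[Packet], tuple[Verdict, Optional[Packet]]]


class VSwitchPort:
    """One port of a virtual switch with ordered inbound and outbound rule chains (assumed model)."""

    def __init__(self, host_ip: str):
        self.host_ip = host_ip
        self.inbound: list[Rule] = []
        self.outbound: list[Rule] = []
        self.delivered: list[Packet] = []  # packets that reached the guest
        self.wire: list[Packet] = []       # packets that left the port

    def receive(self, pkt: Packet) -> None:
        for rule in self.inbound:
            verdict, out = rule(pkt)
            if verdict is Verdict.DROP:
                return
            if verdict is Verdict.TO_OUTBOUND:
                self.send(out)  # the response passes the outbound rules and never reaches the guest
                return
            pkt = out or pkt
        self.delivered.append(pkt)

    def send(self, pkt: Packet) -> None:
        for rule in self.outbound:
            verdict, out = rule(pkt)
            if verdict is Verdict.DROP:
                return
            pkt = out or pkt
        self.wire.append(pkt)


def allow_source_prefix(prefix: str) -> Rule:
    """Ordinary NSG-style allow rule: anything not matching the prefix is dropped."""
    return lambda p: (Verdict.PASS, None) if p.src.startswith(prefix) else (Verdict.DROP, None)


def ping_responder(host_ip: str) -> Rule:
    """Converts a probe addressed to this host into a reply and injects it into the outbound chain."""
    def rule(p: Packet):
        if p.kind == "ping" and p.dst == host_ip:
            return Verdict.TO_OUTBOUND, Packet(src=host_ip, dst=p.src, kind="ping-reply", seq=p.seq)
        return Verdict.PASS, None
    return rule


class PingAgent:
    """Injects probes on behalf of a host and matches replies to outstanding probes."""

    def __init__(self, port: VSwitchPort):
        self.port = port
        self.outstanding: set[tuple[str, int]] = set()
        self.seq = 0

    def probe(self, peer: str) -> int:
        self.seq += 1
        self.outstanding.add((peer, self.seq))
        self.port.send(Packet(src=self.port.host_ip, dst=peer, kind="ping", seq=self.seq))
        return self.seq

    def observe(self, pkt: Packet) -> bool:
        """True if pkt answers an outstanding probe (latency would be recorded here)."""
        if pkt.kind == "ping-reply" and (pkt.src, pkt.seq) in self.outstanding:
            self.outstanding.discard((pkt.src, pkt.seq))
            return True
        return False


def demo() -> dict:
    """Two hosts on a constructed link; the responder rule answers without guest involvement."""
    a, b = VSwitchPort("10.0.0.4"), VSwitchPort("10.0.0.5")
    for port in (a, b):
        # allow rule first, responder second: probes from outside the VNet are still dropped
        port.inbound = [allow_source_prefix("10.0.0."), ping_responder(port.host_ip)]
    agent = PingAgent(a)
    agent.probe(b.host_ip)
    b.receive(Packet(src="192.168.7.9", dst=b.host_ip, kind="ping", seq=99))  # foreign probe, dropped
    for pkt in list(a.wire):   # a -> b
        b.receive(pkt)
    for pkt in list(b.wire):   # b -> a
        a.receive(pkt)
    matched = [agent.observe(p) for p in a.delivered]
    return {
        "guest_b_saw_probe": any(p.kind == "ping" for p in b.delivered),
        "replies_sent_by_b": sum(p.kind == "ping-reply" for p in b.wire),
        "reply_matched": any(matched),
        "outstanding": len(agent.outstanding),
    }
```

Rule order matters: placing the responder after the allow rule keeps the port from answering probes that the tenant's own policy would have dropped, so the liveness mechanism cannot be used to map hosts from outside the virtual network.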
-
3.
Publication number: US10999244B2
Publication date: 2021-05-04
Application number: US16262626
Filing date: 2019-01-30
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Sumeet Mittal , Abhishek Shukla , Rishabh Tewari , Qiming Chen , Harish Kumar Chandrappa , Pranjal Shrivastava , Anitha Adusumilli , Parag Sharma , Abhishek Ellore Sreenath
Abstract: The techniques described herein enable a private connectivity solution between a virtual network of a service consumer and a virtual network of a service provider in a cloud-based platform. The techniques map a service (e.g., one or more workloads or containers) executing in the virtual network of the service provider into the virtual network of the service consumer. The mapping uses network address translation (NAT) that is performed by the cloud-based infrastructure. As a result of the techniques described herein, a public Internet Protocol (IP) address does not need to be used to establish a connection thereby alleviating privacy and/or security concerns for the virtual networks of the service provider and/or the service consumer that are hosted by the cloud-based platform.
-
4.
Publication number: US10911406B2
Publication date: 2021-02-02
Application number: US15967518
Filing date: 2018-04-30
Applicant: Microsoft Technology Licensing, LLC
Inventor: Rishabh Tewari , Deepak Bansal , Longzhang Fu , Harish Kumar Chandrappa , Tomas Talius , Dhruv Malik , Anitha Adusumilli , Parag Sharma , Nimish Aggarwal , Shekhar Agarwal , Joemmanuel Ponce Galindo
IPC: H04L29/06 , G06F9/455 , H04L12/715 , H04L12/935 , H04L29/12 , H04L29/08
Abstract: Techniques for allowing access to shared cloud resource using private network addresses are disclosed herein. In one embodiment, a connection packet representing a connection request to a shared cloud resource in the cloud computing system can be intercepted. In response, the connection packet can be encapsulated with data representing one or more of a VNET ID, a VNET source address, or a VNET destination address of a virtual network from which the connection packet is received. The encapsulated connection packet can then be forwarded to the shared cloud resource while retaining the data representing one or more of the VNET ID, the VNET source address, or the VNET destination address for access control at the shared cloud resource.
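An added example (written for this page, not the patent's or Microsoft's code) of the encapsulation and the access decision the abstract describes: the infrastructure wraps an intercepted connection packet in an outer header carrying the VNET ID, VNET source and VNET destination, and the shared resource authorizes on that retained identity rather than on the private address alone. The header layout (`_HDR`), the `SharedResource` policy shape and the addresses are assumptions made for this illustration.

```python
import ipaddress
import struct

# Constructed outer header: magic, VNET ID (u32), VNET source IPv4, VNET destination IPv4.
_HDR = struct.Struct("!4sI4s4s")
_MAGIC = b"VNET"


def encapsulate(vnet_id: int, vnet_src: str, vnet_dst: str, inner: bytes) -> bytes:
    """Performed by the host/virtual switch that intercepted the packet, never by the guest."""
    return _HDR.pack(
        _MAGIC,
        vnet_id,
        ipaddress.IPv4Address(vnet_src).packed,
        ipaddress.IPv4Address(vnet_dst).packed,
    ) + inner


def decapsulate(frame: bytes) -> tuple[int, str, str, bytes]:
    if len(frame) < _HDR.size:
        raise ValueError("truncated frame")
    magic, vnet_id, src, dst = _HDR.unpack_from(frame)
    if magic != _MAGIC:
        raise ValueError("not an encapsulated VNet packet")
    return (vnet_id, str(ipaddress.IPv4Address(src)),
            str(ipaddress.IPv4Address(dst)), frame[_HDR.size:])


class SharedResource:
    """Shared service deciding on (VNET ID, VNET source): two tenants can both use 10.0.0.4,
    so the private address by itself identifies nobody."""

    def __init__(self, policy: dict[int, list[str]]):
        # constructed ACL: VNET ID -> source networks allowed to connect
        self.policy = {vid: [ipaddress.ip_network(n) for n in nets] for vid, nets in policy.items()}
        self.log: list[str] = []

    def accept(self, frame: bytes) -> bool:
        try:
            vnet_id, src, dst, payload = decapsulate(frame)
        except ValueError as e:
            self.log.append(f"reject: {e}")
            return False
        allowed = self.policy.get(vnet_id)
        if allowed is None:
            self.log.append(f"reject: VNET {vnet_id} has no access")
            return False
        if not any(ipaddress.ip_address(src) in net for net in allowed):
            self.log.append(f"reject: {src} not permitted for VNET {vnet_id}")
            return False
        self.log.append(f"accept: VNET {vnet_id} {src} -> {dst} ({len(payload)} bytes)")
        return True


def demo() -> list[bool]:
    """Same private source address arriving from two VNets: one allowed, one not."""
    resource = SharedResource({100: ["10.0.0.0/24"], 200: ["10.1.0.0/16"]})
    syn = b"\x02" + b"constructed connection request"
    return [
        resource.accept(encapsulate(100, "10.0.0.4", "10.0.0.250", syn)),  # allowed
        resource.accept(encapsulate(200, "10.0.0.4", "10.0.0.250", syn)),  # same address, wrong VNet
        resource.accept(encapsulate(300, "10.0.0.4", "10.0.0.250", syn)),  # unknown VNet
        resource.accept(syn),                                              # raw, unencapsulated
    ]
```

The outer header is only trustworthy because the hypervisor adds it after the packet has left the guest; a shared resource must accept encapsulated frames solely on that infrastructure path, since a tenant able to supply its own outer header could claim any VNET ID.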
-
5.
Publication number: US11831516B2
Publication date: 2023-11-28
Application number: US17565234
Filing date: 2021-12-29
Applicant: Microsoft Technology Licensing, LLC
Inventor: Jie Li , Ashish Bhargava , Mohamed N. Hassan , Parag Sharma , Neeraj Motwani , Rishabh Tewari
IPC: H04L41/12 , H04L12/46 , H04L41/18 , H04L41/0895 , H04L41/0893 , H04L12/66 , H04L9/40
CPC classification number: H04L41/12 , H04L12/4641 , H04L12/66 , H04L41/0893 , H04L41/0895 , H04L41/18 , H04L63/205
Abstract: A virtual network manager and associated user interface/portal provide customers with simplified centralized management of virtual networks to implement logical groupings of network resources at scale. The virtual network manager enables network segmentation using names or tags, connectivity configuration to create different virtual network topologies, security configuration to provide enforcement of organizational rules without being overwritten and Network Security Group (NSG) management in a simple and scalable manner, safe deployment of network configurations to designated regions on a fix and roll forward basis, and virtual network (VNet) level monitoring.
-
6.
Publication number: US11582217B2
Publication date: 2023-02-14
Application number: US17344857
Filing date: 2021-06-10
Applicant: Microsoft Technology Licensing, LLC
Inventor: Abhijeet Kumar , Aanand Ramachandran , Jayesh Kumaran , David Michael Brumley , Rishabh Tewari , Nisheeth Srivastava , Sushant Sharma , Deepak Bansal , Abhishek Ellore Sreenath , Parag Sharma , Abhishek Shukla , Avijit Gupta
Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Additionally or alternatively, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls to the tenant's virtual network.
-
7.
Publication number: US10996972B2
Publication date: 2021-05-04
Application number: US16141502
Filing date: 2018-09-25
Applicant: Microsoft Technology Licensing, LLC
Inventor: Abhishek Shukla , Abhishek Ellore Sreenath , Neha Aggarwal , Naveen Prabhat , Nisheeth Srivastava , Xinyan Zan , Ashish Bhargava , Parag Sharma , Rishabh Tewari
Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such as quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.
-
8.
Publication number: US11599380B2
Publication date: 2023-03-07
Application number: US17241963
Filing date: 2021-04-27
Applicant: Microsoft Technology Licensing, LLC
Inventor: Abhishek Shukla , Abhishek Ellore Sreenath , Neha Aggarwal , Naveen Prabhat , Nisheeth Srivastava , Xinyan Zan , Ashish Bhargava , Parag Sharma , Rishabh Tewari
Abstract: A virtual network interface controller (NIC) associated with a virtual machine in a cloud computing network is configured to support one or more network containers that encapsulate networking configuration data and policies that are applicable to a specific discrete computing workload to thereby enable the virtual machine to simultaneously belong to multiple virtual networks using the single NIC. The network containers supported by the NIC can be associated with a single tenant to enable additional flexibility such as quickly switching between virtual networks and support pre-provisioning of additional computing resources with associated networking policies for rapid deployment. The network containers can also be respectively associated with different tenants so that the single NIC can support multi-tenant services on the same virtual machine.
-
9.
Publication number: US11140121B2
Publication date: 2021-10-05
Application number: US16572491
Filing date: 2019-09-16
Applicant: Microsoft Technology Licensing, LLC
Inventor: Parag Sharma , Hemant Kumar , Xinyan Zan , Nimish Aggarwal
Abstract: A distributed resource may be mapped into a virtual network, where the resource is distributed across a large number of nodes that are uniquely addressable within the distributed resource service's address space. The resource can be represented using a relatively small number of private VIP addresses within the virtual network, while still enabling access to all of the nodes that are uniquely addressable within the address space of the distributed resource service. A resource map may be created that relates the distributed resource service's address space to the virtual network's address space. The resource map may be used by a gateway that facilitates access to a distributed resource by clients. The resource map may also be used to translate packets that are sent from clients within a virtual network into the distributed resource service's address space.
-
10.
Publication number: US11038866B2
Publication date: 2021-06-15
Application number: US16234211
Filing date: 2018-12-27
Applicant: Microsoft Technology Licensing, LLC
Inventor: Abhijeet Kumar , Aanand Ramachandran , Jayesh Kumaran , David Michael Brumley , Rishabh Tewari , Nisheeth Srivastava , Sushant Sharma , Deepak Bansal , Abhishek Ellore Sreenath , Parag Sharma , Abhishek Shukla , Avijit Gupta
Abstract: The disclosed system implements techniques to secure communications for injecting a workload (e.g., a container) into a virtual network hosted by a cloud-based platform. Based on a delegation instruction received from a tenant, a virtual network of the tenant can connect to and execute a workload via a virtual machine that is part of a virtual network that belongs to a resource provider. To secure calls and authorize access to the tenant's virtual network, authentication information provided in association with a call from the virtual network of the resource provider may need to match authorization information made available via a publication service of the cloud-based platform. Moreover, an identifier of a NIC used to make a call may need to correspond to a registered name of the resource provider for the call to be authorized. These checks provide increased security by preventing unauthorized calls from accessing the tenant's virtual network.
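An added example covering the two authorization checks that this abstract and the related US11582217B2 entry above describe (example code written for this page, not Microsoft's implementation): a call from the resource provider's virtual network into the tenant's virtual network is accepted only if (1) the authentication material on the call matches the authorization material the tenant's delegation published through the platform's publication service, and (2) the NIC that made the call is registered to that provider's name. The `PublicationService` stand-in, the `Call` fields, the HMAC-SHA256 tagging scheme and the nonce-based replay guard are assumptions; the abstract specifies neither the credential format nor replay handling.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    tenant_vnet: str      # target VNet the provider wants to reach
    delegation_id: str    # identifies the tenant's delegation instruction
    provider_name: str    # provider the caller claims to be
    nic_id: str           # NIC from which the call was made
    nonce: str            # per-call random value (assumed replay guard)
    tag: str              # hex HMAC-SHA256 over the fields above (assumed scheme)


def _message(tenant_vnet: str, delegation_id: str, provider_name: str, nic_id: str, nonce: str) -> bytes:
    # length-prefixed fields so boundaries are unambiguous when tagging
    return b"".join(len(f).to_bytes(2, "big") + f.encode()
                    for f in (tenant_vnet, delegation_id, provider_name, nic_id, nonce))


class PublicationService:
    """Constructed stand-in for the platform's publication service: holds the authorization
    material each delegation published and the NIC -> registered provider mapping."""

    def __init__(self):
        self._delegations: dict[tuple[str, str], tuple[str, bytes]] = {}
        self._nic_owner: dict[str, str] = {}

    def publish(self, tenant_vnet: str, delegation_id: str, provider_name: str) -> bytes:
        key = secrets.token_bytes(32)
        self._delegations[(tenant_vnet, delegation_id)] = (provider_name, key)
        return key  # handed to the provider out of band

    def register_nic(self, nic_id: str, provider_name: str) -> None:
        self._nic_owner[nic_id] = provider_name

    def lookup(self, tenant_vnet: str, delegation_id: str):
        return self._delegations.get((tenant_vnet, delegation_id))

    def nic_owner(self, nic_id: str):
        return self._nic_owner.get(nic_id)


def make_call(key: bytes, tenant_vnet: str, delegation_id: str, provider_name: str, nic_id: str) -> Call:
    """Provider side: tag the call with the key it received for this delegation."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, _message(tenant_vnet, delegation_id, provider_name, nic_id, nonce),
                   hashlib.sha256).hexdigest()
    return Call(tenant_vnet, delegation_id, provider_name, nic_id, nonce, tag)


class TenantGate:
    """Tenant-side gate in front of the tenant's virtual network."""

    def __init__(self, pub: PublicationService):
        self.pub = pub
        self.seen_nonces: set[str] = set()

    def authorize(self, call: Call) -> tuple[bool, str]:
        entry = self.pub.lookup(call.tenant_vnet, call.delegation_id)
        if entry is None:
            return False, "no published delegation"
        provider, key = entry
        # check 1: authentication material must match what the publication service holds
        expected = hmac.new(key, _message(call.tenant_vnet, call.delegation_id, call.provider_name,
                                          call.nic_id, call.nonce), hashlib.sha256).hexdigest()
        if provider != call.provider_name or not hmac.compare_digest(expected, call.tag):
            return False, "authentication does not match published authorization"
        # check 2: the calling NIC must be registered to the provider named in the delegation
        if self.pub.nic_owner(call.nic_id) != provider:
            return False, "NIC not registered to provider"
        # replay guard: assumed hardening, not part of the abstract
        if call.nonce in self.seen_nonces:
            return False, "replayed call"
        self.seen_nonces.add(call.nonce)
        return True, "authorized"


def demo() -> list[str]:
    """Valid call, call from a NIC owned by another provider, forged tag, replayed call."""
    pub = PublicationService()
    key = pub.publish("tenant-vnet-1", "deleg-42", "Contoso.Compute")
    pub.register_nic("nic-aaaa", "Contoso.Compute")
    pub.register_nic("nic-bbbb", "Fabrikam.DB")
    gate = TenantGate(pub)
    good = make_call(key, "tenant-vnet-1", "deleg-42", "Contoso.Compute", "nic-aaaa")
    wrong_nic = make_call(key, "tenant-vnet-1", "deleg-42", "Contoso.Compute", "nic-bbbb")
    forged = make_call(b"guess", "tenant-vnet-1", "deleg-42", "Contoso.Compute", "nic-aaaa")
    return [gate.authorize(c)[1] for c in (good, wrong_nic, forged, good)]
```

The two checks fail independently: a leaked delegation key does not help a caller on a NIC the platform has registered to someone else, and owning a correctly registered NIC does not help without the published key. Both checks run before any packet is forwarded into the tenant's virtual network.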
-