公开(公告)号：US20210365308A1

公开(公告)日：2021-11-25

申请号：US17397936

申请日：2021-08-09

Applicant: VMware, Inc.

Inventor： Sirisha Myneni ,  Arijit Chanda ,  Laxmikant Vithal Gunda ,  Arnold Koon-Chee Poon ,  Farzad Ghannadian ,  Kausum Kumar

IPC: G06F9/54 ,  G06F8/60

Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

公开(公告)号：US11522835B2

公开(公告)日：2022-12-06

申请号：US16027086

申请日：2018-07-03

Applicant: VMware, Inc.

Inventor： Arijit Chanda ,  Sirisha Myneni ,  Arnold Poon ,  Kausum Kumar ,  Dhivya Srinivasan

IPC: H04L29/06 ,  H04L9/40 ,  H04L41/5041 ,  H04L65/1033 ,  G06F9/455

Abstract: A system and method for performing firewall operations on an edge service gateway virtual machine that monitors traffic for a network. The method includes detecting, from a directory service executing on a computing device, a login event on the computing device, obtaining, from the detected login event, login event information comprising an identifier that identifies a user associated with the login event, storing the login event information as one or more context attributes in an attribute table, and applying a firewall rule to a data message that corresponds to the one or more context attributes.

公开(公告)号：US11184327B2

公开(公告)日：2021-11-23

申请号：US16028347

申请日：2018-07-05

Applicant: VMware, Inc.

Inventor： Tori Chen ,  Sirisha Myneni ,  Arijit Chanda ,  Arnold Poon ,  Farzad Ghannadian ,  Venkat Rajagopalan

IPC: H04L29/06 ,  G06F9/455

Abstract: Some embodiments of the invention provide a novel architecture for providing context-aware middlebox services at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments use a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to context-aware middlebox service engines providing the context-aware middlebox services. In some embodiments, a context header insertion processor uses contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE and sent to the context-aware middlebox service engine.

公开(公告)号：US11086700B2

公开(公告)日：2021-08-10

申请号：US16112408

申请日：2018-08-24

Applicant: VMware, Inc.

Inventor： Sirisha Myneni ,  Arijit Chanda ,  Laxmikant Vithal Gunda ,  Arnold Poon ,  Farzad Ghannadian ,  Kausum Kumar

IPC: G06F9/54 ,  G06F8/60 ,  H04L29/06

Abstract: A simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. These manifests are application specific. Also, in some cases, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

公开(公告)号：US20200065166A1

公开(公告)日：2020-02-27

申请号：US16112408

申请日：2018-08-24

Applicant: VMware, Inc.

Inventor： Sirisha Myneni ,  Arijit Chanda ,  Laxmikant Vithal Gunda ,  Arnold Poon ,  Farzad Ghannadian ,  Kausum Kumar

IPC: G06F9/54 ,  G06F8/60

Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

公开(公告)号：US20200014662A1

公开(公告)日：2020-01-09

申请号：US16027086

申请日：2018-07-03

Applicant: VMware, Inc.

Inventor： Arijit Chanda ,  Sirisha Myneni ,  Arnold Poon ,  Kausum Kumar ,  Dhivya Srinivasan

IPC: H04L29/06 ,  H04L12/24 ,  G06F9/455

Abstract: A system and method for performing firewall operations on an edge service gateway virtual machine that monitors traffic for a network. The method includes detecting, from a directory service executing on a computing device, a login event on the computing device, obtaining, from the detected login event, login event information comprising an identifier that identifies a user associated with the login event, storing the login event information as one or more context attributes in an attribute table, and applying a firewall rule to a data message that corresponds to the one or more context attributes.

公开(公告)号：US11765174B2

公开(公告)日：2023-09-19

申请号：US16213545

申请日：2018-12-07

Applicant: VMware, Inc.

Inventor： Arijit Chanda ,  Venkat Rajagopalan ,  Rajiv Mordani ,  Arnold Poon ,  Rajiv Krishnamurthy ,  Farzad Ghannadian ,  Sirisha Myneni

IPC: H04L9/40 ,  G06F9/455

CPC classification number: H04L63/102 ,  H04L63/205 ,  G06F9/45533

Abstract: Techniques for providing application-independent access control in a cloud-services computing environment are provided. In one embodiment, a method for providing application-independent access control is provided. The method includes obtaining a user identity for accessing the cloud-services computing environment and receiving a user request to perform a task using an application. The method further includes collecting process-related data for performing the task using the application and obtaining one or more network routing addresses. The method further includes determining, based on the user identity, the process-related data, and the one or more network routing addresses, whether the task is to be performed. If that the task is to be performed, the task is caused to be performed using the application; and if the task is not to be performed, the user request is denied.

公开(公告)号：US10938681B2

公开(公告)日：2021-03-02

申请号：US16045108

申请日：2018-07-25

Applicant: VMware, Inc.

Inventor： Arijit Chanda ,  Nafisa Mandliwala

IPC: H04L12/26 ,  H04L29/06

Abstract: Example methods are provided for a first host to perform context-aware network mapping a software-defined networking (SDN) environment. One example method may comprise: detecting multiple packet flows that include an egress packet flow originating from a first endpoint and destined for a second host, and an ingress packet flow originating from a second host or a third host and destined for the first endpoint or a second endpoint. The method may also comprise: in response to detecting the egress packet flow, obtaining first packet flow information and first context information; in response to detecting the ingress packet flow, obtaining second packet header information and second context information; and generating network map information that identifies the egress packet flow based on the first packet flow information and first context information, and the ingress packet flow based on the second packet flow information and second context information.

公开(公告)号：US20200065080A1

公开(公告)日：2020-02-27

申请号：US16112396

申请日：2018-08-24

Applicant: VMware, Inc.

Inventor： Sirisha Myneni ,  Arijit Chanda ,  Laxmikant Vithal Gunda ,  Arnold Poon ,  Farzad Ghannadian ,  Kausum Kumar

IPC: G06F8/60 ,  H04L29/08 ,  H04L29/06 ,  H04L29/12 ,  G06F17/27 ,  G06F9/54 ,  G06F9/455

Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

公开(公告)号：US20200014663A1

公开(公告)日：2020-01-09

申请号：US16028347

申请日：2018-07-05

Applicant: VMware, Inc.

Inventor： Tori Chen ,  Sirisha Myneni ,  Arijit Chanda ,  Arnold Poon ,  Farzad Ghannadian ,  Venkat Rajagopalan

IPC: H04L29/06 ,  G06F9/455

Abstract: Some embodiments of the invention provide a novel architecture for providing context-aware middlebox services at the edge of a physical datacenter. In some embodiments, the middlebox service engines run in an edge host (e.g., an NSX Edge) that provides routing services and connectivity to external networks (e.g., networks external to an NSX-T deployment). Some embodiments use a novel architecture for capturing contextual attributes on host computers that execute one or more machines and providing the captured contextual attributes to context-aware middlebox service engines providing the context-aware middlebox services. In some embodiments, a context header insertion processor uses contextual attributes to generate a header including data regarding the contextual attributes (a “context header”) that is used to encapsulate a data message that is processed by the SFE and sent to the context-aware middlebox service engine.