-
Publication number: US20250030663A1
Publication date: 2025-01-23
Application number: US18235772
Application date: 2023-08-18
Applicant: VMware, Inc.
Inventor: Yang Ding, Jiahao Wu, Jianjun Shen, Lan Luo, Akshay Katrekar, Guna Singh Bagavath Singh Chidambaram Udhaya Singh
IPC: H04L9/40
Abstract: Techniques associated with exchanging data between clusters are disclosed. A data packet can be received from a first pod in a first cluster of a cluster set that targets a second pod or service in a second cluster of the cluster set. A label identity is determined for the first pod from a table of pods and label identities. The label identity for the first pod is added in a virtual network identifier field of a data packet header. The data packet is communicated from a first virtual switch to the second cluster through a tunnel interface and gateway node. Upon receipt of the data packet, the label identity is extracted from the data packet header, and an ingress rule associated with the label identity can be determined. Access to the second pod is controlled based on the rule.
-
Publication number: US20230171291A1
Publication date: 2023-06-01
Application number: US17570354
Application date: 2022-01-06
Applicant: VMware, Inc.
Inventor: Abhishek Raut, Yang Ding, Kai Su, Donghai Han, Zhengsheng Zhou, Wenfeng Liu
IPC: H04L9/40
CPC classification number: H04L63/20
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing access to network security policies. One of the methods includes determining, for a policy access request i) received from a device and ii) that requests access to a network security policy that defines a rule for controlling network traffic, whether there is an entitlement for the network security policy, wherein the entitlement indicates one or more types of operations that a subset of user accounts can perform on the network security policy; in response to determining that there is an entitlement, determining, using a mapping for the entitlement that identifies the subset of user accounts that have access to the network security policy, whether a user account for the device is included in the subset of user accounts; and selectively allowing or denying the policy access request using the entitlement and a result of the determination.
-