Invented by Jeffrey R Hoy, Sreekanth R Iyer, Kaushal K Kapadia, Ravi K Muthukrishnan, Nataraj Nagaratnam, International Business Machines Corp
The International Business Machines Corp invention works as follows: A method, apparatus and software product are described for managing multiple VPN tunnels in a hybrid cloud. A first cloud application residing in the first cloud sends a request to a virtual private network (VPN) manager. The request contains a first set of requirements for a first VPN tunnel of a plurality of VPN tunnels. The VPN manager sends a first VPN manager request, containing the first set of requirements, to a first system within the first cloud, and that system creates the first VPN tunnel according to the first set of requirements. A second cloud application in the first cloud then sends a request to the VPN manager containing a second set of requirements for a VPN tunnel in the plurality of VPN tunnels. The VPN manager sends a second VPN manager request, containing the second set of requirements, to the first system. In response, the first system either tunes the first VPN tunnel so that it meets both the first and the second set of requirements, if the two sets are compatible, or creates a second VPN tunnel between nodes of the first cloud and nodes of the second cloud if the two sets are incompatible.
Background for Dynamically defined Virtual Private Network Tunnels in Hybrid Cloud Environments
This disclosure relates generally to communications in a “cloud” computing environment and, more specifically, to dynamically creating virtual private network (VPN) tunnels in a hybrid cloud environment.
Background of Related Art
Cloud computing is a model of IT delivery in which shared resources, software and information are provided over the Internet, on demand, to computers and other devices. It reduces IT costs while improving service delivery and workload optimization. Under this approach an application instance is hosted on Internet-accessible resources and reached over HTTP with a standard web browser. One example is an application that offers a set of common messaging functions such as email, calendaring and contact management, which the user accesses directly over the Internet. Such a service lets an enterprise place its email, calendar and/or collaboration infrastructure in the cloud, with end users reaching those services through an appropriate client.
Cloud computing resources are usually housed in large server farms that run network applications. The architecture can be hardware-based (so-called “bare metal cloud hosting”) or virtualized, with applications running in virtual servers, or “virtual machines” (VMs), that are mapped onto physical servers within a datacenter facility. Virtual machines are typically managed by hypervisors, control programs that assign physical resources to them.
It is well known that an organization can arrange its computing resources into a hybrid cloud, which combines a private cloud and a public cloud. In the private cloud the resources are owned and used by the organization itself; the public cloud provides services to a number of “tenants”, among them the organization that operates the hybrid cloud. A hybrid cloud model has the advantage of readily accessible on-premises private infrastructure together with access to public cloud capacity in times of high demand. That integration requires secure communication between the two environments, and a dedicated virtual private network (VPN) tunnel is one way to establish it.
The disclosure below outlines ways to improve VPN communications in a hybrid cloud setting.
This disclosure describes a method, an apparatus and a computer program product for managing a plurality of VPN tunnels between a first cloud and a second cloud within a hybrid cloud. A first cloud application residing in the first cloud sends a request to a virtual private network manager. The request contains a first set of requirements for a first VPN tunnel of the plurality of VPN tunnels. The VPN manager sends a first VPN manager request, containing the first set of requirements, to a system in the first cloud, and that system creates the first VPN tunnel according to the first set of requirements. A second cloud application in the first cloud then sends a request to the VPN manager containing a second set of requirements for a VPN tunnel in the plurality of VPN tunnels. The VPN manager sends a second VPN manager request, containing the second set of requirements, to the same system in the first cloud. That system either tunes the first VPN tunnel so that it meets both the first and the second set of requirements, if the two sets are compatible, or creates a second VPN tunnel between nodes of the first cloud and nodes of the second cloud if the two sets are incompatible.
The above has highlighted some of the most pertinent features of the disclosed subject matter. These features are merely indicative; many other benefits can be achieved by applying the disclosed subject matter differently or by modifying the invention as described below.
Hybrid cloud environments are driving the need for secure communications between applications in different cloud hosting environments. As the number and variety of platforms and applications grows, so does the number of communication channels that need to be protected. Customers in hybrid cloud environments often connect the different clouds with dedicated VPNs, but dedicated VPNs have drawbacks: they offer limited flexibility, and they open a communication hole in environments that need to be secured. For a very specific requirement, such as event management in a hybrid cloud where many devices send small logs to a central server, traditional VPN options would require a large number of communication channels between the devices that originate the data and the central server. The present invention instead provides more finely tuned VPNs based on the application requirements and the topology of the hybrid cloud environment.
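As an added illustration, not code from the patent or from IBM, the tune-or-create decision the VPN manager delegates to the system in the first cloud can be modelled as follows. The request fields (endpoint pair, acceptable cipher suites, reserved bandwidth, forward-secrecy flag), the cipher ranking, the 1000 Mbps per-tunnel ceiling and the compatibility rules are all assumptions; the patent only states that compatible requirement sets share a tuned tunnel and incompatible ones get a second tunnel.

```python
"""Added example (not IBM's code): a VPN manager that takes per-application
requirement sets and either tunes an existing tunnel to satisfy both or
provisions a second tunnel when the sets conflict.  Request fields, cipher
ranking, capacity ceiling and compatibility rules are assumptions."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Assumed ranking used to pick the strongest suite every consumer accepts.
CIPHER_RANK = {"AES-128-GCM": 1, "AES-256-GCM": 2, "CHACHA20-POLY1305": 2}
TUNNEL_CAPACITY_MBPS = 1000  # assumed reservable bandwidth per tunnel


@dataclass(frozen=True)
class Requirements:
    """Requirement set carried in an application's request to the VPN manager."""
    src_node: str                  # node in the first cloud
    dst_node: str                  # node in the second cloud
    ciphers: FrozenSet[str]        # suites the application accepts
    min_bandwidth_mbps: int        # bandwidth it needs reserved
    pfs_required: bool = False     # whether it insists on forward secrecy


@dataclass
class Tunnel:
    """State the VPN agent keeps for one provisioned tunnel."""
    tunnel_id: int
    src_node: str
    dst_node: str
    acceptable: FrozenSet[str]     # intersection of all consumers' cipher sets
    cipher: str                    # suite currently negotiated
    reserved_mbps: int
    pfs: bool
    consumers: List[str] = field(default_factory=list)


def strongest(ciphers: FrozenSet[str]) -> str:
    """Highest-ranked suite; ties broken by name so the choice is deterministic."""
    return max(ciphers, key=lambda c: (CIPHER_RANK[c], c))


def tuned_parameters(tunnel: Tunnel, req: Requirements) -> Optional[dict]:
    """Parameters satisfying both the tunnel's consumers and `req`, or None
    when the requirement sets are incompatible.  Assumed rules: same endpoint
    pair, a suite everyone accepts, and capacity left for the new reservation.
    Forward secrecy only ever gets stricter, so it never causes a conflict."""
    if (tunnel.src_node, tunnel.dst_node) != (req.src_node, req.dst_node):
        return None
    common = tunnel.acceptable & req.ciphers
    if not common:
        return None
    total = tunnel.reserved_mbps + req.min_bandwidth_mbps
    if total > TUNNEL_CAPACITY_MBPS:
        return None
    return {"acceptable": common, "cipher": strongest(common),
            "reserved_mbps": total, "pfs": tunnel.pfs or req.pfs_required}


class VPNAgent:
    """Stands in for the system in the first cloud that builds the tunnels."""

    def __init__(self) -> None:
        self.tunnels: List[Tunnel] = []

    def create(self, app: str, req: Requirements) -> Tunnel:
        t = Tunnel(len(self.tunnels) + 1, req.src_node, req.dst_node,
                   req.ciphers, strongest(req.ciphers), req.min_bandwidth_mbps,
                   req.pfs_required, [app])
        self.tunnels.append(t)
        return t

    def tune(self, tunnel: Tunnel, app: str, params: dict) -> Tunnel:
        # A real agent would renegotiate the tunnel here; this only updates state.
        tunnel.acceptable = params["acceptable"]
        tunnel.cipher = params["cipher"]
        tunnel.reserved_mbps = params["reserved_mbps"]
        tunnel.pfs = params["pfs"]
        tunnel.consumers.append(app)
        return tunnel


class VPNManager:
    """Receives application requests and asks the agent to tune or create."""

    def __init__(self, agent: VPNAgent) -> None:
        self.agent = agent

    def request(self, app: str, req: Requirements) -> Tuple[str, Tunnel]:
        for tunnel in self.agent.tunnels:
            params = tuned_parameters(tunnel, req)
            if params is not None:
                return "tuned", self.agent.tune(tunnel, app, params)
        return "created", self.agent.create(app, req)


def demo() -> List[Tuple[str, int, str, int]]:
    """Four constructed requests between one node pair: the second shares
    tunnel 1, the third wants a suite no one else accepts, the fourth would
    overflow tunnel 1's capacity.  Returns (action, id, cipher, mbps)."""
    mgr = VPNManager(VPNAgent())
    pair = ("app-a.private", "collector.public")
    reqs = [
        ("log-shipper", Requirements(*pair, frozenset({"AES-128-GCM", "AES-256-GCM"}), 50)),
        ("db-sync", Requirements(*pair, frozenset({"AES-256-GCM"}), 200, pfs_required=True)),
        ("edge-sensor", Requirements(*pair, frozenset({"CHACHA20-POLY1305"}), 10)),
        ("backup", Requirements(*pair, frozenset({"AES-256-GCM"}), 900)),
    ]
    out = []
    for app, req in reqs:
        action, t = mgr.request(app, req)
        out.append((action, t.tunnel_id, t.cipher, t.reserved_mbps))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The tuning step narrows the tunnel's acceptable cipher set to the intersection of every consumer's set and picks the strongest remaining suite, so adding a stricter application can only raise the tunnel's security level, never lower it for an earlier consumer; when no common suite exists or the reservation would exceed capacity, the request gets a tunnel of its own, which is the second branch the patent describes.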
A “hybrid cloud environment” is a combination of a private cloud, in which the computing resources are owned by an organization and provide services only to that organization, and a public cloud, in which another organization provides computing services to “tenants”.
A “node” is any electronic object (client, server, peer, service, application or other object) that is capable of sending or receiving information over the communication channels of a network.
A “VPN agent”
A “VPN manager” is a cloud application that manages the infrastructure for VPN tunnels within a hybrid cloud environment. In preferred embodiments that infrastructure includes VPN agents, which manage the VPN tunnels themselves.
A “VPN tunnel” is a communication channel between two nodes that transports data using Internet Protocol (IP) packets according to any suitable cryptographic protocol.
With reference now to the drawings, and particularly to FIGS. 1-2, illustrative diagrams are provided of data processing environments in which the disclosure may be implemented. FIGS. 1-2 are only examples and are not intended to limit the environments in which the disclosed subject matter may be implemented; the depicted environments may be modified in many ways without departing from the spirit or scope of the invention.
FIG. 1 is a pictorial representation of an example distributed data processing system in which aspects of the illustrative embodiments may be implemented. Distributed data processing system 100 may include a network of computers in which the illustrative embodiments are implemented. It contains at least one network 102, which provides communication links between the various devices and computers connected together within distributed data processing system 100. Network 102 may include connections such as wires, wireless communication links or fiber optic cables.
In the depicted example, servers 104 and 106 are connected to network 102 along with storage unit 108. Clients 110, 112 and 114 are also connected to network 102 and may be, for example, personal computers, network computers or the like. In the depicted example, server 104 provides data, such as boot files, operating system images and applications, to clients 110, 112 and 114, which are clients of server 104. Distributed data processing system 100 may include additional servers, clients and other devices not shown.
In the depicted example, network 102 represents the Internet, a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. The Internet's backbone is made up of thousands of commercial, governmental, educational and other computer systems that route data and messages. Distributed data processing system 100 may also be implemented in a variety of other ways, for example as an intranet or a local area network. As stated above, FIG. 1 is intended as an example, not as a limitation on the environments in which the illustrative embodiments of the disclosed subject matter may be implemented.
Referring now to FIG. 2, a block diagram of an example data processing system is shown in which the illustrative embodiments may be implemented. Data processing system 200 is an example of a computer, such as server 104 or client 110 in FIG. 1, in which computer-usable program code or instructions implementing the processes of the illustrative embodiments of the disclosure may be located. In this illustrative example, data processing system 200 includes communications fabric 202, which provides communications between the processor unit, memory 206, persistent storage 208 and communications unit 210.