Validating resources in a multi-cloud infrastructure
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- ORACLE INT CORP
- Filing Date
- 2023-10-13
- Publication Date
- 2026-06-18
AI Technical Summary
Existing cloud environments provided by different cloud service providers operate as closed ecosystems, limiting customers to using only the services offered by that environment, with no easy way to access services from other cloud environments.
A Multi-Cloud Control Plane (MCCP) framework that enables users to access and manage services across different cloud environments, providing a seamless user experience by enabling the full data plane functionality of external clouds, with a focus on Oracle Cloud Infrastructure (OCI) services on Amazon Web Services (AWS).
Enables customers to natively access and utilize resources from different cloud environments, ensuring a transparent and integrated user experience across cloud platforms.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
[Technical Field]
[0001] CROSS-REFERENCE TO RELATED APPLICATIONS This application is a non-provisional application of, and claims the benefit of, each of the following provisional applications, the entire contents of each of which are incorporated herein by reference for all purposes: (1) U.S. Provisional Patent Application No. 63 / 416,042, filed October 14, 2022; (2) U.S. Provisional Patent Application No. 63 / 464,903, filed May 8, 2023; (3) U.S. Provisional Patent Application No. 63 / 467,241, filed May 17, 2023; (4) U.S. Provisional Patent Application No. 63 / 468,739, filed May 24, 2023; (5) U.S. Provisional Patent Application No. 63 / 469,763, filed May 30, 2023; (6) U.S. Provisional Patent Application No. 63 / 471,573, filed June 7, 2023.
[0002] Field The present disclosure relates to cloud architectures, and more particularly to techniques for linking two cloud environments provided by different cloud service providers, such that a user of one cloud environment provided by a service provider can access and manage services provided by another cloud environment provided by another cloud service provider. [Background technology]
[0003] background The past few years have seen a dramatic increase in the adoption of cloud services, and this trend is only increasing. Various cloud environments are offered by different cloud service providers (CSPs), with each cloud environment offering a set of one or more cloud services. The set of cloud services offered by a cloud environment may include one or more different types of services, including, but not limited to, Software-as-a-Service (SaaS) services, Infrastructure-as-a-Service (IaaS) services, Platform-as-a-Service (PaaS) services, etc.
[0004] While a variety of cloud environments are currently available, each cloud environment provides a closed ecosystem to subscribing customers. As a result, customers of a cloud environment are limited to using the services offered by that cloud environment. There is no easy way for customers subscribing to a cloud environment offered by a CSP to use, via that cloud environment, services offered in a different cloud environment offered by a different CSP. The embodiments described herein address these and other problems. Summary of the Invention
[0005] overview The present disclosure relates to cloud architectures, and more particularly to techniques for linking two cloud environments provided by different cloud service providers. A user of one cloud environment provided by a service provider can manage services provided by another cloud environment provided by another cloud service provider. Various embodiments are described herein, including methods, systems, non-transitory computer-readable storage media storing programs, code, or instructions executable by one or more processors, etc. Some embodiments may be implemented using a computer program product including computer programs / instructions that, when executed by a processor, cause the processor to perform any of the methods described in this disclosure.
[0006] Embodiments of the present disclosure provide a multi-cloud control plane (MCCP) framework that provisions functions for delivering services of a particular cloud network (e.g., Oracle Cloud Infrastructure (OCI)) to users on other clouds (e.g., AWS). The MCCP framework enables users (of other cloud environments) to access services of the cloud environment (e.g., PaaS services, database services such as autonomous database services, etc.) while providing a user experience that is as close as possible to the user's experience of their native cloud environment. A key challenge of MCCP is to enable customers to experience the full data plane functionality of services in external clouds.
[0007] One embodiment of the present disclosure is directed to a method that includes receiving, by a multicloud control plane of a multicloud infrastructure included in a first cloud environment, a notification from an identity system of a second cloud environment, the notification indicating that a set of required resources is not configured for a customer in the second cloud environment; in response to receiving the notification, invoking, by the multicloud control plane, a provisioning module included in the second cloud environment, the provisioning module creating the set of required resources in the second cloud environment; and in response to successful validation of the set of required resources, creating, by the multicloud control plane, a link resource object that includes information linking a tenancy associated with a user in the first cloud environment to an account associated with the user of the customer in the second cloud environment.
[0008] According to one aspect of the present disclosure, one or more computer-readable non-transitory media are provided having computer-executable instructions stored thereon that, when executed by one or more processors, cause a multicloud control plane of a multicloud infrastructure included in a first cloud environment to receive a notification from an identity system of a second cloud environment, the notification indicating that a set of required resources has not been configured for a customer in the second cloud environment; in response to receiving the notification, the multicloud control plane to invoke a provisioning module included in the second cloud environment, the provisioning module creating the set of required resources in the second cloud environment; and in response to successful validation of the set of required resources, the multicloud control plane to create a linked resource object including information linking a tenancy associated with a user in the first cloud environment to an account associated with the user of the customer in the second cloud environment.
[0009] According to one aspect of the disclosure, a computing device is provided, comprising one or more processors and a memory including instructions that, when executed using the one or more processors, cause the computing device to at least: receive, by a multicloud control plane of a multicloud infrastructure included in a first cloud environment, a notification from an identity system of a second cloud environment, the notification indicating that a set of required resources has not been configured for a customer in the second cloud environment; in response to receiving the notification, invoke, by the multicloud control plane, a provisioning module included in the second cloud environment, where the provisioning module creates the set of required resources in the second cloud environment; and in response to successful validation of the set of required resources, create, by the multicloud control plane, a link resource object including information linking a tenancy associated with a user in the first cloud environment to an account associated with the user of the customer in the second cloud environment.
[0010] Aspects of the present disclosure provide a computing device comprising one or more data processors and a non-transitory computer-readable storage medium containing instructions that, when executed on the one or more data processors, cause the computing device to perform some or all of one or more methods disclosed herein.
[0011] Another aspect of the present disclosure provides a computer program product, tangibly embodied in a non-transitory machine-readable storage medium, comprising instructions configured to cause one or more data processors to perform some or all of one or more of the methods disclosed herein.
[0012] The foregoing, together with other features and embodiments, will become more apparent upon reference to the following specification, claims, and accompanying drawings.
[0013] The features, embodiments, and advantages of the present disclosure will be better understood when the following detailed description is read in conjunction with the accompanying drawings. [Brief explanation of the drawings]
[0014] [Figure 1] 1 is a high-level diagram of a distributed environment illustrating a virtual or overlay cloud network hosted by a cloud service provider infrastructure, according to an embodiment. [Figure 2] FIG. 2 illustrates a simplified architectural diagram of physical components in a physical network within CSPI, according to an embodiment. [Figure 3] FIG. 1 illustrates an exemplary arrangement within CSPI in which a host machine is connected to multiple network virtualization devices (NVDs), according to one embodiment. [Figure 4] A diagram illustrating connections between a host machine and an NVD to achieve I / O virtualization to support multi-tenancy functionality in accordance with one embodiment. [Figure 5] FIG. 2 illustrates a simplified block diagram of a physical network provided by CSPI, according to one embodiment. [Figure 6] 1 is a simplified high-level diagram of a distributed environment including multiple cloud environments offered by different cloud service providers (CSPs), including a particular cloud environment that provides specialized infrastructure that enables one or more cloud services offered by that particular cloud environment to be used by customers of the other cloud environments, according to one embodiment. [Figure 7]FIG. 1 illustrates an exemplary high-level architecture of a multi-cloud infrastructure that interconnects two different cloud environments, according to some embodiments. [Figure 8] FIG. 1 illustrates a multi-cloud architecture illustrating an identity framework, according to some embodiments. [Figure 9] FIG. 10 shows an exemplary flowchart illustrating steps corresponding to a user sign-up process, according to some embodiments. [Figure 10] FIG. 1 illustrates a block diagram illustrating an identity connector framework for a first cloud environment, according to some embodiments. [Figure 11] FIG. 1 shows an exemplary swim diagram illustrating steps corresponding to a process of performing identity federation, according to some embodiments. [Figure 12] FIG. 10 shows an exemplary swim diagram illustrating steps corresponding to a required resource validation process, according to some embodiments. [Figure 13] FIG. 10 shows an exemplary swim diagram illustrating steps performed to address the confused proxy problem, according to some embodiments. [Figure 14] FIG. 10 illustrates a schematic diagram illustrating a cloud link resource object, according to some embodiments. [Figure 15] FIG. 1 shows a schematic diagram illustrating the deployment of resources with a multi-cloud infrastructure, according to some embodiments. [Figure 16] FIG. 1 is a block diagram illustrating one pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment. [Figure 17] FIG. 1 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment. [Figure 18]FIG. 1 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment. [Figure 19] FIG. 1 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment. [Figure 20] FIG. 1 is a block diagram illustrating an exemplary computer system according to at least one embodiment. DETAILED DESCRIPTION OF THE INVENTION
[0015] Detailed Description In the following description, for purposes of explanation, specific details are set forth in order to provide a thorough understanding of certain embodiments. However, it will be apparent that various embodiments may be practiced without these specific details. The figures and descriptions are not intended to be limiting. The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs.
[0016] The present disclosure relates generally to improved cloud architectures, and more particularly to techniques for linking two cloud environments (each provided by a different cloud service provider (CSP)) so that a user of one cloud environment can use services provided by another, different cloud environment. Various embodiments are described herein, including methods, systems, non-transitory computer-readable storage media that store programs, code, or instructions executable by one or more processors, and the like. Some embodiments may be implemented using a computer program product that includes computer programs / instructions that, when executed by a processor, cause the processor to perform any of the methods described in this disclosure.
[0017] Embodiments of the present disclosure provide a Multi-Cloud Control Plane (MCCP) framework that provisions functionality for delivering services of a particular cloud network (e.g., Oracle Cloud Infrastructure (OCI)) to users on other clouds (e.g., in Amazon's AWS). The MCCP framework enables users (of other cloud environments) to access services of the cloud environment (e.g., PaaS services) while providing a user experience that is as close as possible to the user's experience of their native cloud environment. A key challenge of MCCP is to enable customers to experience the full data plane functionality of services in external clouds.
[0018] The MCCP enables users of a second cloud infrastructure (e.g., AWS users) to utilize resources (e.g., database resources) provided by a first cloud infrastructure (e.g., OCI) in a manner that is transparent to the users. In particular, the services provided by the first cloud infrastructure appear as "native" services in the second cloud infrastructure. This allows customers of the second cloud infrastructure to natively access services provided by the first cloud infrastructure. As described below with reference to Figures 6-11, the MCCP is a collection of microservices running in the first cloud infrastructure that expose the resources of the first cloud infrastructure for utilization by external cloud users (e.g., users of the second cloud infrastructure). Each of these microservices acts as a proxy that provides communication with the resources provided by the first cloud infrastructure.
[0019] Cloud Network Example The term cloud services is typically used to refer to services made available on-demand (e.g., through a subscription model) by a cloud service provider (CSP) to users or customers using systems and infrastructure (cloud infrastructure) provided by the CSP. Typically, the servers and systems that make up the CSP's infrastructure are separate from the customer's own on-premises servers and systems. Thus, customers can use cloud services provided by the CSP without having to purchase separate hardware and software resources for the service. Cloud services are designed to provide subscribing customers with easy and scalable access to applications and computing resources without requiring the customer to invest in procuring the infrastructure used to deliver the service.
[0020] There are multiple cloud service providers offering different types of cloud services. There are various types or models of cloud services, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), etc.
[0021] A customer can subscribe to one or more cloud services offered by a CSP. A customer can be any entity, such as an individual, an organization, or a business. When a customer subscribes or registers for a service offered by a CSP, a tenancy or account is created for that customer. The account then enables the customer to access one or more subscribed cloud resources associated with the account.
[0022] As mentioned above, infrastructure as a service (IaaS) is a specific type of cloud computing service. In the IaaS model, a CSP provides infrastructure (called cloud services provider infrastructure or CSPI) that can be used by customers to build their own customizable networks and deploy their resources. Therefore, the customer's resources and network are hosted in a distributed environment by the infrastructure provided by the CSP. This differs from traditional computing, where the customer's resources and network are hosted by the infrastructure provided by the customer.
[0023] CSPI can comprise interconnected, high-performance computing resources, including various host machines, memory resources, and network resources that form a physical network, also known as a substrate network or underlay network. Resources in CSPI can be distributed across one or more data centers, which can be geographically distributed across one or more geographic regions. Virtualization software can be run by these physical resources to provide a virtualized, distributed environment. This virtualization creates an overlay network (also known as a software-based network, software-defined network, or virtual network) on top of the physical network. The CSPI physical network provides the underlying foundation upon which one or more overlay or virtual networks can be created on top of the physical network. The physical network (or substrate or underlay network) includes physical network devices such as physical switches, routers, computers, and host machines. An overlay network is a logical (or virtual) network that operates on top of the physical substrate network. A particular physical network can support one or more overlay networks. Overlay networks typically use encapsulation techniques to distinguish traffic belonging to different overlay networks. A virtual network or overlay network is also called a virtual cloud network (VCN). A virtual network is implemented using software virtualization technologies (e.g., hypervisors, network virtualization devices (NVDs) (e.g., smart NICs), top-of-rack (TOR) switches, virtualization functions performed by smart TORs that perform one or more functions performed by NVDs, and other mechanisms) to create a layer of network abstraction that can run on top of a physical network. Virtual networks can take many forms, including peer-to-peer networks, IP networks, etc.Virtual networks are typically either Layer 3 IP networks or Layer 2 VLANs. This method of virtual or overlay networking is often called a virtual Layer 3 network or an overlay Layer 3 network. Examples of protocols developed for virtual networks include IP-in-IP (or Generic Routing Encapsulation (GRE)), Virtual Extensible LAN (VXLAN - IETF RFC 7348), Virtual Private Networks (VPN) (e.g., MPLS Layer 3 Virtual Private Network (RFC 4364)), VMware's NSX, and Generic Network Virtualization Encapsulation (GENEVE).
[0024] In the case of IaaS, the infrastructure provided by the CSP (CSPI) may be configured to provide virtualized computing resources over a public network (e.g., the Internet). In the IaaS model, a cloud computing service provider may host infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., hypervisor layer), etc.). In some cases, the IaaS provider may offer various services (e.g., billing, monitoring, logging, security, load balancing, clustering, etc.) incidental to those infrastructure components. Accordingly, these services may be policy-driven, allowing IaaS users to implement policies to drive load balancing and maintain application availability and performance. CSPI provides infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services within a highly available, hosted, distributed environment. CSPI provides high-performance computing resources and computing power as well as storage capacity within a flexible virtual network that can be securely accessed from various networked locations, such as from the customer's on-premises network. When a customer subscribes or registers for an IaaS service offered by a CSP, the tenancy created for that customer is a secure, isolated partition within the CSP where the customer can create, organize, and manage their cloud resources.
[0025] Customers can build their own virtual networks using the compute, memory, and network resources provided by CSPI. One or more customer resources or workloads, such as compute instances, can be deployed into these virtual networks. For example, customers can build one or more customizable private virtual networks called virtual cloud networks (VCNs) using resources provided by CSPI. Customers can deploy one or more customer resources, such as compute instances, into their VCNs. Compute instances can take the form of virtual machines, bare metal instances, etc. Thus, CSPI provides infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services within a highly available, hosted virtual environment. While customers do not manage or control the underlying physical resources provided by CSPI, they have control over the operating system, storage, deployed applications, and in some cases, limited control over selected network components (e.g., firewalls).
[0026] The CSP may provide a console that allows customers and network administrators to configure, access, and manage resources deployed in the cloud using CSPI resources. In one embodiment, the console provides a web-based user interface that can be used to access and manage the CSPI. In some implementations, the console is a web-based application provided by the CSP.
[0027] CSPI may support single-tenancy or multi-tenancy architectures. In a single-tenancy architecture, a software component (e.g., an application, a database) or a hardware component (e.g., a host machine or server) serves a single customer or tenant. In a multi-tenancy architecture, a software component or hardware component serves multiple customers or tenants. Thus, in a multi-tenancy architecture, CSPI resources are shared among multiple customers or tenants. In a multi-tenancy situation, precautions are taken and safeguards are implemented within CSPI to ensure that each tenant's data remains isolated and invisible to other tenants.
[0028] In a physical network, a network endpoint (“endpoint”) refers to a computing device or system that is connected to the physical network and communicates with the connected network. Network endpoints in a physical network may be connected to a local area network (LAN), a wide area network (WAN), or other types of physical networks. Examples of traditional endpoints in a physical network include modems, hubs, bridges, switches, routers, and other network devices, physical computers (or host machines), and the like. Each physical device in a physical network has a fixed network address that can be used to communicate with the device. This fixed network address can be a Layer 2 address (e.g., a MAC address), a fixed Layer 3 address (e.g., an IP address), and the like. In a virtual environment or virtual network, endpoints can include various virtual endpoints, such as virtual machines hosted by components of the physical network (e.g., hosted by a physical host machine). These endpoints in the virtual network are addressed by overlay addresses, such as overlay Layer 2 addresses (e.g., an overlay MAC address) and overlay Layer 3 addresses (e.g., an overlay IP address). Network overlays enable flexibility by allowing network administrators to move between overlay addresses associated with network endpoints using software management (e.g., by software implementing the virtual network's control plane). Thus, unlike physical networks, in virtual networks, overlay addresses (e.g., overlay IP addresses) can be moved from one endpoint to another using network management software. Because virtual networks are built on top of physical networks, communication between components in a virtual network involves both the virtual network and the underlying physical network.To facilitate such communications, CSPI components are configured to learn and store mappings that map overlay addresses in the virtual network to actual physical addresses in the substrate network, and vice versa. These mappings are then used to facilitate communications. Customer traffic is encapsulated to facilitate routing within the virtual network.
[0029] Thus, a physical address (e.g., a physical IP address) is associated with a component in a physical network, and an overlay address (e.g., an overlay IP address) is associated with an entity in a virtual or overlay network. A physical IP address is an IP address associated with a physical device (e.g., a network device) in a substrate or physical network. For example, each NVD has an associated physical IP address. An overlay IP address is an overlay address associated with an entity in an overlay network, such as associated with a compute instance in a customer's virtual cloud network (VCN). Two different customers or tenants, each with their own private VCN, could potentially use the same overlay IP address in their VCN without any knowledge of each other. Both physical IP addresses and overlay IP addresses are types of real IP addresses. These IP addresses exist separately from virtual IP addresses. A virtual IP address is typically a single IP address that represents or maps to multiple real IP addresses. A virtual IP address provides a one-to-many mapping between a virtual IP address and multiple real IP addresses. For example, a load balancer may use a VIP to map to or represent multiple servers, each with its own real IP address.
[0030] A cloud infrastructure or CSPI is physically hosted in one or more data centers in one or more regions around the world. The CSPI may include components in a physical or substrate network and virtual components (e.g., virtual networks, compute instances, virtual machines, etc.) in a virtual network built on top of the physical network components. In one embodiment, the CSPI is organized and hosted in realms, regions, and availability domains. A region is a local geographic area that typically contains one or more data centers. Regions are generally independent of each other and may be separated by vast distances, for example, spanning multiple countries or continents. For example, a first region may be in Australia, another region may be in Japan, yet another region may be in India, etc. CSPI resources are divided among regions so that each region contains its own independent subset of CSPI resources. Each region may provide a set of core infrastructure services and resources, such as compute resources (e.g., bare metal servers, virtual machines, containers, and related infrastructure), storage resources (e.g., block volume storage, file storage, object storage, archive storage), network resources (e.g., virtual cloud networks (VCNs), load balancing resources, connectivity to on-premises networks), database resources, edge network resources (e.g., DNS), and access management and monitoring resources. Each region typically has multiple paths connecting it to other regions within the realm.
[0031] Because using nearby resources is faster than using resources that are farther away, applications are typically deployed in the region where they are most frequently used (i.e., deployed to the infrastructure associated with that region). Applications may also be deployed in different regions for a variety of reasons, such as redundancy to mitigate the risk of region-wide events such as large weather systems or earthquakes, to meet changing requirements for legal jurisdictions, tax areas, and other business or societal criteria.
[0032] Data centers within a region may be further organized and subdivided into availability domains (ADs). An availability domain may correspond to one or more data centers located within a region. A region may be composed of one or more availability domains. In such a distributed environment, CSPI resources are either specific to a region, such as a virtual cloud network (VCN), or specific to an availability domain, such as a compute instance.
[0033] ADs within a region are isolated from each other, fault-tolerant, and configured to be highly unlikely to fail simultaneously. This is achieved by ADs that do not share critical infrastructure resources, such as networks, physical cables, cable routes, or cable entry points, so that a failure in one AD within a region is unlikely to affect the availability of other ADs in the same region. ADs within the same region may be connected to each other by low-latency, high-bandwidth networks that provide highly available connectivity to other networks (e.g., the Internet, customer on-premises networks, etc.) and enable the creation of replicated systems in multiple ADs for both high availability and disaster recovery. Cloud services use multiple ADs to ensure high availability and protect against resource failures. As the infrastructure provided by an IaaS provider grows, more regions and ADs with additional capacity may be added. Traffic between availability domains is typically encrypted.
[0034] In one embodiment, regions are grouped into realms. A realm is a logical collection of regions. Realms are isolated from each other and do not share any data. Regions within the same realm may communicate with each other, but regions in different realms cannot. A customer's tenancy or account, along with a CSP, exists within a single realm and can be distributed across one or more regions belonging to that realm. Typically, when a customer subscribes to an IaaS service, a tenancy or account is created for the customer in a region designated by the customer within the realm (called the "home" region). The customer can extend their tenancy across one or more other regions within the realm. A customer cannot access regions that are not within the realm in which the customer's tenancy resides.
[0035] An IaaS provider may offer multiple realms, each catering to the requirements of a particular set of customers or users. For example, a commercial realm may be offered to commercial customers. As another example, a realm may be offered to a particular country for customers in that country. As yet another example, a government realm may be offered to a government, etc. For example, the government realm may cater to specific government requirements and may have higher security than the commercial realm. For example, Oracle Cloud Infrastructure (OCI) currently offers two realms: one for a commercial region and one for a government cloud region (e.g., FedRAMP-certified and IL5-certified).
[0036] In one embodiment, an AD can be subdivided into one or more failure domains. A failure domain is a group of infrastructure resources within an AD to provide anti-affinity. Fault domains enable the distribution of compute instances so that multiple compute instances do not reside on the same physical hardware within a single AD. This distribution is known as anti-affinity. A failure domain refers to a set of hardware components (computers, switches, etc.) that share a single point of failure. A compute pool is logically divided into failure domains. Therefore, a hardware failure or compute hardware maintenance event that affects one failure domain does not affect instances in other failure domains. Depending on the embodiment, the number of failure domains per AD may vary. For example, in one embodiment, each AD includes three failure domains. Fault domains act as logical data centers within an AD.
[0037] When a customer subscribes to an IaaS service, resources from CSPI are provisioned for the customer and associated with the customer's tenancy. The customer can use these provisioned resources to build private networks and deploy resources into these networks. A customer's network hosted in the cloud by CSPI is called a virtual cloud network (VCN). A customer can configure one or more virtual cloud networks (VCNs) using the CSPI resources allocated to the customer. A VCN is a virtual private network or software-defined private network. The customer's resources deployed within a customer's VCN can include compute instances (e.g., virtual machines, bare metal instances) and other resources. These compute instances may represent various customer workloads, such as applications, load balancers, databases, etc. Compute instances deployed in a VCN can communicate with endpoints publicly accessible over public networks such as the Internet ("public endpoints"), with other instances in the same VCN or other VCNs (e.g., other VCNs of the customer or VCNs not belonging to the customer), with the customer's on-premises data center or network, and with service endpoints and other types of endpoints.
[0038] CSPs may offer various services using CSPI. In some cases, customers of a CSPI may act as service providers themselves and offer services using CSPI resources. Service providers may expose service endpoints characterized by identifying information (e.g., IP addresses, DNS names, and DNS ports). Customer resources (e.g., compute instances) can consume a particular service by accessing the service endpoint exposed by the service for that service. These service endpoints are generally publicly accessible by users over a public communications network, such as the Internet, using the public IP address associated with the endpoint. Publicly accessible network endpoints are sometimes referred to as public endpoints.
[0039] In one embodiment, a service provider may expose a service via an endpoint for the service (sometimes referred to as a service endpoint). Customers of the service can then access the service using this service endpoint. In some implementations, a service endpoint provided for a service can be accessed by multiple customers wishing to consume the service. In other implementations, a dedicated service endpoint may be provided to a customer, allowing only that customer to access the service using that dedicated service endpoint.
[0040] In one embodiment, when a VCN is created, it is associated with a private overlay Classless Inter-Domain Routing (CIDR) address space, which is a range of private overlay IP addresses (e.g., 10.0 / 16) that is assigned to the VCN. A VCN includes associated subnets, route tables, and gateways. A VCN exists within a single region but can span one, more, or all of the region's availability domains. A gateway is a virtual interface configured for a VCN that enables traffic to and from the VCN to one or more endpoints outside the VCN. One or more different types of gateways may be configured for a VCN to enable communication with different types of endpoints.
[0041] A VCN can be subdivided into one or more subnetworks, such as one or more subnets. A subnet is thus a unit of configuration or subdivision that can be created within a VCN. A VCN can contain one or more subnets. Each subnet in a VCN is associated with a contiguous range of overlay IP addresses (e.g., 10.0.0.0 / 24 and 10.0.1.0 / 24) that represents a subset of address space within the VCN's address space and does not overlap with other subnets in that VCN.
[0042] Each compute instance is associated with a virtual network interface card (VNIC) that allows the compute instance to participate in a subnet of a VCN. A VNIC is a logical representation of a physical network interface card (NIC). In general, a VNIC is an interface between an entity (e.g., a compute instance, a service) and a virtual network. A VNIC resides in a subnet and has one or more associated IP addresses and associated security rules or policies. A VNIC is equivalent to a Layer 2 port on a switch. A VNIC is connected to a compute instance and to a subnet within a VCN. A VNIC associated with a compute instance allows the compute instance to become part of a subnet of a VCN and enables the compute instance to communicate (e.g., send and receive packets) with endpoints on the same subnet as the compute instance, endpoints in a different subnet within the VCN, or endpoints outside the VCN. Thus, the VNIC associated with a compute instance determines how the compute instance connects with endpoints inside and outside the VCN. A VNIC for a compute instance is created and associated with the compute instance when the compute instance is created and added to a subnet in a VCN. For a subnet containing a set of compute instances, the subnet contains VNICs corresponding to the set of compute instances, and each VNIC connects to one compute instance in the set of compute instances.
[0043] Each compute instance is assigned a private overlay IP address through the VNIC associated with the compute instance. This private overlay IP address is assigned to the VNIC associated with the compute instance when the compute instance is created and is used to route traffic to and from the compute instance. All VNICs within a particular subnet use the same route table, security lists, and DHCP options. As previously mentioned, each subnet within a VCN is associated with a contiguous range of overlay IP addresses (e.g., 10.0.0.0 / 24 and 10.0.1.0 / 24) that represents a subset of address space within the VCN's address space that does not overlap with other subnets within that VCN. For a VNIC on a particular subnet of a VCN, the private overlay IP address assigned to the VNIC is an address from the contiguous range of overlay IP addresses assigned to that subnet.
[0044] In one embodiment, a compute instance may optionally be assigned an additional overlay IP address in addition to the private overlay IP address, such as one or more public IP addresses if it is in a public subnet. These multiple addresses may be assigned to the same VNIC or across multiple VNICs associated with the compute instance. However, each instance has a primary VNIC that is created during instance launch and associated with the private overlay IP address assigned to the instance, and this primary VNIC cannot be removed. Additional VNICs, called secondary VNICs, may be added to an existing instance in the same availability domain as the primary VNIC. All VNICs are in the same availability domain as the instance. The secondary VNICs can be in a subnet in the same VCN as the primary VNIC or in a different subnet, either in the same VCN or in a different VCN.
[0045] If a compute instance is in a public subnet, the compute instance may optionally be assigned a public IP address. When a subnet is created, it can be specified as either a public subnet or a private subnet. A private subnet means that resources (e.g., compute instances) and associated VNICs in the subnet cannot have public overlay IP addresses. A public subnet means that resources and associated VNICs in the subnet can have public IP addresses. Customers can specify a subnet to exist in a single availability domain or across multiple availability domains within a region or realm.
[0046] As mentioned above, a VCN may be subdivided into one or more subnets. In one embodiment, a virtual router (VR) configured for a VCN (referred to as a VCN VR or simply VR) enables communication between subnets of the VCN. For a subnet within a VCN, the VR represents the logical gateway for that subnet, allowing the subnet (i.e., the compute instances on that subnet) to communicate with endpoints on other subnets within the VCN and with other endpoints outside the VCN. A VCN VR is a logical entity configured to route traffic between VNICs within a VCN and a virtual gateway ("gateway") associated with the VCN. Gateways are further described below with respect to FIG. 1. A VCN VR is a Layer 3 / IP layer concept. In one embodiment, there is one VCN VR per VCN, and the VCN VR has a potentially unlimited number of ports addressed by IP addresses, one port for each subnet of the VCN. In this way, the VCN VR has a different IP address for each subnet within the VCN to which the VCN VR is connected. The VRs are also connected to various gateways configured for the VCN. In one embodiment, a specific overlay IP address from a subnet's overlay IP address range is reserved for ports in that subnet's VCN VR. For example, consider a VCN that includes two subnets with associated address ranges 10.0 / 16 and 10.1 / 16, respectively. For the first subnet in the VCN with address range 10.0 / 16, an address from this range is reserved for ports in that subnet's VCN VR. In some cases, the first IP address from this range may be reserved for a VCN VR. For example, for a subnet with overlay IP address range 10.0 / 16, IP address 10.0.0.1 may be reserved for ports in that subnet's VCN VR.For a second subnet in the same VCN with address range 10.1 / 16, the VCN VR may have a port in that second subnet with IP address 10.1.0.1. The VCN VR has a different IP address for each of the subnets in the VCN.
[0047] In some other embodiments, each subnet in a VCN may include a VR associated with it that is addressable by the subnet using a reserved or default IP address associated with the VR. The reserved or default IP address may, for example, be the first IP address from a range of IP addresses associated with the subnet. VNICs in a subnet can use this default or reserved IP address to communicate with (e.g., send and receive packets from) the VR associated with the subnet. In such embodiments, a VR is an ingress / egress point for that subnet. VRs associated with a subnet in a VCN can communicate with other VRs associated with other subnets in the VCN. VRs can also communicate with gateways associated with the VCN. The VR functions for a subnet are running on or performed by one or more NVDs that are performing the VNIC functions for VNICs in the subnet.
[0048] Route tables, security rules, and DHCP options may be configured for a VCN. A route table is a virtual route table for a VCN and contains rules for routing traffic from subnets within the VCN to destinations outside the VCN via gateways or specially configured instances. A VCN's route table can be customized to control how packets are forwarded / routed to and from the VCN. DHCP options refer to configuration information that is automatically provided to instances when they launch.
[0049] Security rules configured for a VCN represent the overlay firewall rules for the VCN. Security rules include ingress and egress rules and can specify the type of traffic (e.g., based on protocol and port) allowed in and out of instances within the VCN. Customers can choose whether a particular rule is stateful or stateless. For example, a customer can allow incoming SSH traffic from any location to a set of instances by configuring a stateful ingress rule with source CIDR 0.0.0.0 / 0 and destination TCP port 22. Security rules can be implemented using network security groups or security lists. A network security group consists of a set of security rules that apply only to resources within that group. A security list, on the other hand, contains rules that apply to all resources in any subnet that uses the security list. A VCN may have a default security list that contains default security rules. DHCP options configured for a VCN provide configuration information that is automatically provided to instances within the VCN when the instances launch.
[0050] In one embodiment, configuration information for a VCN is determined and stored by a VCN control plane. The configuration information for a VCN may include, for example, information about address ranges associated with the VCN, subnets and associated information within the VCN, one or more VRs associated with the VCN, compute instances and associated VNICs within the VCN, NVDs (e.g., VNICs, VRs, gateways) performing various virtualized network functions associated with the VCN, VCN state information, and other VCN-related information. In one embodiment, a VCN distribution service publishes the configuration information stored by the VCN control plane or portions thereof to the NVD. The distributed information may be used to update information (e.g., forwarding tables, routing tables, etc.) stored and used by the NVD to forward packets to and from compute instances within the VCN.
[0051] In one embodiment, VCN and subnet creation is handled by a VCN Control Plane (CP), and compute instance launch is handled by the Compute Control Plane. The Compute Control Plane is responsible for allocating physical resources to compute instances and then calls the VCN Control Plane to create and attach VNICs to the compute instances. The VCN CP also sends VCN data mappings to a VCN Data Plane configured to perform packet forwarding and routing functions. In one embodiment, the VCN CP provides a distribution service that is responsible for providing updates to the VCN Data Plane. Examples of VCN Control Planes are also shown in Figures 12, 13, 14, and 15 (see reference numbers 1216, 1316, 1416, and 1516) and are described below.
[0052] A customer may create one or more VCNs using resources hosted by CSPI. Compute instances deployed in a customer's VCN may communicate with various endpoints. These endpoints may include endpoints hosted by CSPI and endpoints external to CSPI.
[0053] Various different architectures for implementing cloud-based services using CSPI are shown in Figures 1, 2, 3, 4, 5, and 12-16 and are described below. Figure 1 is a high-level diagram of a distributed environment 100 illustrating an overlay VCN or customer VCN hosted by CSPI according to one embodiment. The distributed environment shown in Figure 1 includes multiple components within an overlay network. The distributed environment 100 shown in Figure 1 is merely an example and is not intended to unduly limit the scope of the claimed embodiments. Many variations, alternatives, and modifications are possible. For example, in some implementations, the distributed environment shown in Figure 1 may include more or fewer systems or components than those shown in Figure 1, may combine two or more subsystems, or may include a different configuration or arrangement of systems.
[0054] As shown in the example depicted in FIG. 1 , distributed environment 100 includes CSPI 101, which provides services and resources that customers can subscribe to and use to build their own virtual cloud networks (VCNs). In one embodiment, CSPI 101 provides IaaS services to subscribing customers. Data centers within CSPI 101 may be organized into one or more regions. One exemplary region, “Region US” 102, is shown in FIG. 1 . A customer has configured a customer VCN with Oracle International Corporation for region 102. A customer may deploy various compute instances into VCN 104, which may include virtual machines or bare metal instances. Example instances include applications, databases, load balancers, etc.
[0055] In the embodiment shown in FIG. 1 , customer VCN 104 includes two subnets, "Subnet 1" and "Subnet 2," each with its own CIDR IP address range. In FIG. 1 , Subnet 1's overlay IP address range is 10.0 / 16, and Subnet 2's address range is 10.1 / 16. VCN virtual router 105 represents the VCN's logical gateway, enabling communication between subnets in VCN 104 and with other endpoints outside the VCN. VCN VR 105 is configured to route traffic between VNICs in VCN 104 and the gateway associated with VCN 104. VCN VR 105 provides a port for each subnet in VCN 104. For example, VR 105 may provide a port with IP address 10.0.0.1 for Subnet 1 and a port with IP address 10.1.0.1 for Subnet 2.
[0056] Multiple compute instances may be deployed in each subnet, and the compute instances can be virtual machine instances and / or bare metal instances. The compute instances in a subnet may be hosted by one or more host machines in CSPI101. A compute instance joins a subnet through a VNIC associated with the compute instance. For example, as shown in FIG. 1, compute instance C1 becomes part of subnet 1 through a VNIC associated with the compute instance. Similarly, compute instance C2 becomes part of subnet 1 through a VNIC associated with C2. In a similar manner, multiple compute instances, which may be virtual machine instances or bare metal instances, may become part of subnet 1. Each compute instance is assigned a private overlay IP address and a MAC address through its associated VNIC. For example, in FIG. 1, compute instance C1 has an overlay IP address of 10.0.0.2 and a MAC address of M1, while compute instance C2 has a private overlay IP address of 10.0.0.3 and a MAC address of M2. Each compute instance in Subnet 1, including compute instances C1 and C2, has a default route to VCN VR105 using IP address 10.0.0.1, which is the IP address of a port in VCN VR105 in Subnet 1.
[0057] Subnet2 may have multiple compute instances deployed, including virtual machine instances and / or bare metal instances. For example, as shown in FIG. 1, compute instances D1 and D2 become part of Subnet2 through VNICs associated with the respective compute instances. In the embodiment shown in FIG. 1, compute instance D1 has an overlay IP address of 10.1.0.2 and a MAC address of MM1, while compute instance D2 has a private overlay IP address of 10.1.0.3 and a MAC address of MM2. Each compute instance in Subnet2, including compute instances D1 and D2, has a default route to VCN VR105 using IP address 10.1.0.1, which is the IP address of a port in VCN VR105 in Subnet2.
[0058] VCN A 104 may include one or more load balancers. For example, a load balancer may be provided for a subnet and configured to load balance traffic across multiple compute instances on the subnet. A load balancer may be provided to load balance traffic across multiple subnets within a VCN.
[0059] A particular compute instance deployed in VCN 104 can communicate with various endpoints. These endpoints may include endpoints hosted by CSPI 200 and endpoints outside of CSPI 200. Endpoints hosted by CSPI 101 may include endpoints on the same subnet as the particular compute instance (e.g., communication between two compute instances in Subnet 1), endpoints on a different subnet but within the same VCN (e.g., communication between a compute instance in Subnet 1 and a compute instance in Subnet 2), endpoints in a different VCN within the same region (e.g., communication between a compute instance in Subnet 1 and an endpoint in a VCN within the same region 106 or 110, communication between a compute instance in Subnet 1 and an endpoint within the service network 110 within the same region), or endpoints in a VCN in a different region (e.g., communication between a compute instance in Subnet 1 and an endpoint in a VCN in a different region 108). Compute instances in a subnet hosted by CSPI 101 may communicate with endpoints not hosted by CSPI 101 (i.e., outside of CSPI 101). These external endpoints include endpoints within the customer's on-premise network 116, endpoints within other remote cloud-hosted networks 118, public endpoints 114 accessible via public networks such as the Internet, and other endpoints.
[0060] Communication between compute instances on the same subnet is facilitated using VNICs associated with the source and destination compute instances. For example, compute instance C1 in Subnet 1 may want to send a packet to compute instance C2 in Subnet 1. For a packet originating from the source compute instance and destined for another compute instance in the same subnet, the packet is first processed by the VNIC associated with the source compute instance. The processing performed by the VNIC associated with the source compute instance may include determining the packet's destination information from the packet header, identifying any policies (e.g., security lists) configured for the VNIC associated with the source compute instance, determining the packet's next hop, performing any packet encapsulation / decapsulation functions as needed, and then forwarding / routing the packet to the next hop to facilitate communication of the packet with its intended destination. If the destination compute instance is in the same subnet as the source compute instance, the VNIC associated with the source compute instance is configured to identify the VNIC associated with the destination compute instance and forward the packet to that VNIC for processing. The VNIC associated with the destination compute instance then executes and forwards the packet to the destination compute instance.
[0061] For packets traveling from a compute instance in a subnet to an endpoint in a different subnet within the same VCN, this communication is facilitated by the VNICs and VCN VRs associated with the source and destination compute instances. For example, if compute instance C1 in Subnet 1 in Figure 1 wants to send a packet to compute instance D1 in Subnet 2, the packet is first processed by the VNIC associated with compute instance C1. The VNIC associated with compute instance C1 is configured to route the packet to VCN VR105 using the VCN VR's default route or port 10.0.0.1. VCN VR105 is configured to route the packet to Subnet 2 using port 10.1.0.1. The packet is then received and processed by the VNIC associated with D1, which forwards the packet to compute instance D1.
[0062] For packets traveling from a compute instance within VCN 104 to an endpoint outside VCN 104, the communication is facilitated by a VNIC associated with the source compute instance, VCN VR 105, and a gateway associated with VCN 104. One or more types of gateways may be associated with VCN 104. A gateway is an interface between a VCN and another endpoint, where the other endpoint is outside the VCN. A gateway is a Layer 3 / IP layer concept that allows a VCN to communicate with endpoints outside the VCN. Thus, a gateway facilitates traffic flow between a VCN and other VCNs or networks. Different types of gateways may be configured for a VCN to facilitate different types of communication with different types of endpoints. Depending on the gateway, the communication may go over a public network (e.g., the Internet) or a private network. Various communication protocols may be used for these communications.
[0063] For example, compute instance C1 may wish to communicate with an endpoint outside VCN 104. The packet may first be processed by a VNIC associated with the source compute instance C1. This VNIC processing determines that the packet's destination is outside of Subnet 1 of C1. The VNIC associated with C1 may forward the packet to VCN VR105 of VCN 104. VCN VR105 then processes the packet and, as part of this processing, determines a particular gateway associated with VCN 104 as the packet's next hop based on the packet's destination. VCN VR105 may then forward the packet to the particular identified gateway. For example, if the destination is an endpoint within a customer's on-premises network, VCN VR105 may forward the packet to a dynamic routing gateway (DRG) gateway 122 configured for VCN 104. The packet may then be forwarded from the gateway to the next hop to facilitate propagation of the packet to its final intended destination.
[0064] Various types of gateways may be configured for a VCN. Examples of gateways that may be configured for a VCN are shown in FIG. 1 and described below. Examples of gateways associated with a VCN are also shown in FIGS. 12, 13, 14, and 15 (e.g., gateways referenced by reference numbers 1234, 1236, 1238, 1334, 1336, 1338, 1434, 1436, 1438, 1534, 1536, and 1538) and described below. As shown in the embodiment shown in FIG. 1, a dynamic routing gateway (DRG) 122 may be added to or associated with a customer's VCN 104 to provide a path for private network traffic communication between the customer's VCN 104 and another endpoint, which could be the customer's on-premises network 116, a VCN 108 in a different region of CSPI 101, or another remote cloud network 118 not hosted by CSPI 101. The customer on-premises network 116 may be a customer network or a customer data center built using the customer's resources. Access to the customer on-premises network 116 is typically highly restricted. For customers with both a customer on-premises network 116 and one or more VCNs 104 deployed or hosted in the cloud by CSPI 101, the customer may want the customer on-premises network 116 and the customer's cloud-based VCNs 104 to be able to communicate with each other. This allows the customer to build an extended hybrid environment that encompasses the customer VCNs 104 hosted by CSPI 101 and the customer on-premises network 116. The DRG 122 enables this communication. To enable such communication, a communication channel 124 is set up, with one endpoint of the channel in the customer on-premises network 116 and the other endpoint in CSPI 101 connected to the customer VCN 104. The communication channel 124 can traverse a public or private communication network, such as the Internet.Various communication protocols may be used, such as IPsec VPN technology over a public communication network such as the Internet, or Oracle's FastConnect technology, which uses a private network instead of a public network. A device or equipment in the customer's on-premises network 116 that forms one endpoint of the communication channel 124 is called customer premise equipment (CPE), such as CPE 126 shown in Figure 1. On the CSPI 101 side, the endpoint may be a host machine running DRG 122.
[0065] In one embodiment, a Remote Peering Connection (RPC) can be added to a DRG, allowing a customer to peer one VCN with another VCN in a different region. Using such an RPC, a customer's VCN 104 can connect with a VCN 108 in another region using the DRG 122. The DRG 122 may also be used to communicate with other remote cloud networks 118 not hosted by CSPI 101, such as the Microsoft Azure cloud, the Amazon AWS cloud, etc.
[0066] 1, an Internet Gateway (IGW) 120 may be configured for a customer's VCN 104, enabling compute instances on VCN 104 to communicate with public endpoints 114 accessible over a public network, such as the Internet. IGW 120 is a gateway that connects a VCN to a public network, such as the Internet. IGW 120 enables direct access for public subnets within a VCN, such as VCN 104 (resources within the public subnet have public overlay IP addresses) to public endpoints 112 on the public network 114, such as the Internet. Using IGW 120, connections can be initiated from subnets within VCN 104 or from the Internet.
[0067] A Network Address Translation (NAT) gateway 128 may be configured for customer VCN 104 to enable access to the Internet for cloud resources in the customer's VCN that do not have dedicated public overlay IP addresses, without exposing those resources to direct incoming Internet connections (e.g., L4-L7 connections). This allows private subnets in the VCN, such as Private Subnet 1 in VCN 104, to private endpoints on the Internet. The NAT gateway only allows connections to be initiated from the private subnet to the public Internet; connections cannot be initiated from the Internet to the private subnet.
[0068] In one embodiment, a service gateway (SGW) 126 may be configured for a customer's VCN 104 and provides a pathway for private network traffic between VCN 104 and supported service endpoints in service network 110. In one embodiment, service network 110 may be provided by a CSP and may offer a variety of services. An example of such a service network is Oracle's Services Network, which offers a variety of services that may be used by customers. For example, a compute instance (e.g., a database system) in a private subnet of a customer's VCN 104 can back up data to a service endpoint (e.g., object storage) without requiring a public IP address or access to the Internet. In one embodiment, a VCN may include only one SGW, and connections can be initiated only from subnets within the VCN, not from service network 110. When a VCN is peered with another VCN, resources in the other VCN typically do not have access to the SGW. Resources in an on-premises network connected to a VCN using a FastConnect or VPN connection can also use a service gateway configured for that VCN.
[0069] In one implementation, SGW 126 uses the concept of a service classless inter-domain routing (CIDR) label, which is a string that represents the public IP address range of all regions for a service or group of services of interest. A customer uses the service CIDR label when configuring the SGW and associated route rules to control traffic to the service. A customer can optionally utilize the service CIDR label when configuring security rules, avoiding the need to adjust those security rules if the service's public IP address changes in the future.
[0070] A Local Peering Gateway (LPG) 132 is a gateway that can be added to a customer's VCN 104, allowing the VCN 104 to peer with another VCN in the same region. Peering means that the VCNs communicate using private IP addresses without the traffic traversing a public network such as the Internet or routing the traffic through the customer's on-premises network 116. In a preferred embodiment, a VCN includes a separate LPG for each peering it establishes. Local peering or VCN peering is a common method used to establish network connectivity between different applications or infrastructure management functions.
[0071] A service provider, such as a provider of a service in service network 110, may provide access to the service using various access models. According to a public access model, the service may be exposed as a public endpoint, which may be publicly accessible by compute instances in the customer's VCN over a public network such as the Internet, and / or privately accessible through SGW 126. According to a specific private access model, the service is made accessible as a private IP endpoint in a private subnet in the customer's VCN. This access is called Private Endpoint (PE) access and allows service providers to expose services as instances in the customer's private network. A private endpoint resource represents a service in a customer's VCN. Each PE appears as a VNIC (referred to as a PE-VNIC with one or more private IPs) in a customer-selected subnet in the customer's VCN. Thus, the PE provides a way to present services in a subnet of the private customer's VCN using VNICs. Because the endpoints are exposed as VNICs, all features associated with the VNIC, such as routing rules, security lists, etc., are available to the PE VNIC.
[0072] A service provider can register a service to make it accessible through the PE. The provider can associate a policy with the service that limits the visibility of the service to the customer's tenancy. The provider can register multiple services under a single virtual IP address (VIP), especially for multi-tenant services. There can be multiple such private endpoints (in multiple VCNs) representing the same service.
[0073] Compute instances in the private subnet can then access the service using the private IP address of the PE VNIC or the DNS name of the service. Compute instances in a customer's VCN can access the service by sending traffic to the private IP address of the PE in the customer's VCN. A Private Access Gateway (PAGW) 130 is a gateway resource that can be connected to a service provider's VCN (e.g., a VCN in service network 110) and serves as the ingress / egress point for all traffic to and from private endpoints in customer subnets. The PAGW 130 allows providers to scale the number of PE connections without utilizing internal IP address resources. A provider needs to configure only one PAGW for any number of services registered within a single VCN. A provider can represent services as private endpoints in multiple VCNs for one or more customers. From the customer's perspective, the PE VNIC appears to be connected to the service with which the customer wants to interact, instead of to a customer instance. Traffic going to the private endpoint is routed to the service through the PAGW 130. These are called customer-to-service private connections (C2S (customer-to-service) connections).
[0074] The PE concept can also be used to extend private access of services to customer on-premises networks and data centers by allowing traffic to flow through FastConnect / IPsec links and private endpoints in the customer's VCN. Private access of services can also be extended to customer peered VCNs by allowing traffic to flow between LPG 132 and PEs in the customer's VCN.
[0075] A customer can control routing within a VCN at the subnet level, allowing the customer to specify which subnets within a customer's VCN, such as VCN 104, use each gateway. A VCN's route tables are used to determine whether traffic is allowed to exit a VCN through a particular gateway. For example, in a particular example, a route table for a public subnet within a customer's VCN 104 may send non-local traffic through IGW 120. A route table for a private subnet within the same customer's VCN 104 may send traffic going to a CSP service through SGW 126. All remaining traffic may be sent through NAT gateway 128. Route tables only control traffic that exits a VCN.
[0076] Security lists associated with a VCN are used to control traffic entering the VCN through the gateway via inbound connections. All resources within a subnet use the same route table and security lists. Security lists may be used to control the specific types of traffic allowed into and out of instances within a VCN's subnet. Security list rules may include ingress (inbound) rules and egress (outbound) rules. For example, ingress rules may specify allowed source address ranges, while egress rules may specify allowed destination address ranges. Security rules may specify a specific protocol (e.g., TCP, ICMP), a specific port (e.g., 22 for SSH, 3389 for Windows RDP), etc. In some implementations, the instance's operating system may enforce its own firewall rules that match the security list rules. Rules may be stateful (e.g., connections are tracked and responses are automatically allowed without explicit security list rules for the response traffic) or stateless.
[0077] Access from a customer's VCN (i.e., by resources or compute instances deployed in VCN 104) can be categorized as public access, private access, or dedicated access. Public access refers to an access model in which public IP addresses or NATs are used to access public endpoints. Private access allows customer workloads in VCN 104 with private IP addresses (e.g., resources in a private subnet) to access services without traversing a public network such as the Internet. In one embodiment, CSPI 101 enables workloads in a customer's VCN with private IP addresses to access (public service endpoints of) services using a service gateway. Thus, the service gateway provides a private access model by establishing a virtual link between the customer's VCN and the service's public endpoints, which reside outside the customer's private network.
[0078] Additionally, CSPI may provide dedicated public access using technologies such as FastConnect public peering, where a customer's on-premises instances can use a FastConnect connection to access one or more services in the customer's VCN without traversing a public network such as the internet. CSPI may also provide dedicated private access using FastConnect private peering, where a customer's on-premises instances with private IP addresses can use a FastConnect connection to access workloads in the customer's VCN. FastConnect is a network connectivity alternative to using the public internet for connecting a customer's on-premises network to CSPI and its services. FastConnect provides an easy, resilient, and economical way to create dedicated private connections with higher bandwidth options and a more reliable and consistent network experience when compared to internet-based connections.
[0079] FIG. 1 and the accompanying discussion above describe various virtual components within an exemplary virtual network. As previously mentioned, a virtual network is built on top of an underlying physical or substrate network. FIG. 2 illustrates a simplified architectural diagram of physical components in a physical network within CSPI 200 that serves as the foundation for a virtual network, according to one embodiment. As illustrated, CSPI 200 provides a distributed environment that includes components and resources (e.g., compute, memory, and network resources) provided by a cloud service provider (CSP). These components and resources are used to provide cloud services (e.g., IaaS services) to subscribing customers, i.e., customers who subscribe to one or more services offered by the CSP. Based on the services to which the customer subscribes, a subset of CSPI 200's resources (e.g., compute, memory, and network resources) is provisioned for the customer. The customer can then build their own cloud-based (i.e., CSPI-hosted), customizable private virtual network using the physical compute, memory, and network resources provided by CSPI 200. As previously indicated, these customer networks are called virtual cloud networks (VCNs). Customers can deploy one or more customer resources, such as compute instances, into these customer VCNs. The compute instances can be in the form of virtual machines, bare metal instances, etc. CSPI 200 provides infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services within a highly available hosted environment.
[0080] In the example embodiment shown in FIG. 2, the physical components of CSPI 200 include one or more physical host machines or servers (e.g., 202, 206, 208), network virtualization devices (NVDs) (e.g., 210, 212), top-of-rack (TOR) switches (e.g., 214, 216), and a physical network (e.g., 218), as well as switches within physical network 218. The physical host machines or servers may host and execute various compute instances that participate in one or more subnets of the VCN. The compute instances may include virtual machine instances and bare metal instances. For example, the various compute instances shown in FIG. 1 may be hosted by the physical host machines shown in FIG. 2. The virtual machine compute instances in the VCN may be executed by one host machine or by multiple different host machines. The physical host machines may host virtual host machines, container-based hosts or functions, etc. The VNICs and VCN VRs shown in FIG. 1 may be executed by the NVDs shown in FIG. 2. The gateway shown in FIG. 1 may be executed by a host machine and / or by the NVD shown in FIG.
[0081] A host machine or server may run a hypervisor (also called a virtual machine monitor or VMM) that creates and enables a virtual environment on the host machine. The virtualized environment facilitates cloud-based computing. One or more compute instances may be created, run, and managed on the host machine by the hypervisor on the host machine. The hypervisor on the host machine enables the host machine's physical computing resources (e.g., compute, memory, and network resources) to be shared among the various compute instances executed by the host machine.
[0082] For example, as shown in FIG. 2, host machines 202 and 208 execute hypervisors 260 and 266, respectively. These hypervisors may be implemented using software, firmware, or hardware, or a combination thereof. Typically, a hypervisor is a process or software layer that resides on a host machine's operating system (OS), which executes on the host machine's hardware processor. A hypervisor provides a virtual environment by allowing the host machine's physical computing resources (e.g., processing resources such as processors / cores, memory resources, and network resources) to be shared among various virtual machine computing instances executed by the host machine. For example, in FIG. 2, hypervisor 260 may reside on top of host machine 202's OS and allow host machine 202's computing resources (e.g., processing resources, memory resources, and network resources) to be shared among computing instances (e.g., virtual machines) executed by host machine 202. A virtual machine can have its own operating system (referred to as a guest operating system), which may be the same as or different from the host machine's OS. The operating system of a virtual machine executed by a host machine may be the same as or different from the operating system of another virtual machine executed by the same host machine. Thus, a hypervisor allows multiple operating systems to run side by side with each other while sharing the same computing resources of the host machine. The host machines shown in Figure 2 may have the same or different types of hypervisors.
[0083] A compute instance can be a virtual machine instance or a bare metal instance. In Figure 2, compute instance 268 on host machine 202 and compute instance 274 on host machine 208 are examples of virtual machine instances. Host machine 206 is an example of a bare metal instance being offered to a customer.
[0084] In some examples, an entire host machine may be provisioned to a single customer, and one or more compute instances (either virtual machines or bare metal instances) hosted by that host machine all belong to that same customer. In other examples, a host machine may be shared among multiple customers (i.e., multiple tenants). In such a multi-tenancy situation, a host machine may host virtual machine compute instances belonging to different customers. These compute instances may be members of different VCNs for different customers. In some embodiments, bare metal compute instances are hosted by bare metal servers that do not have a hypervisor. When a bare metal compute instance is provisioned, a single customer or tenant maintains control of the physical CPU, memory, and network interfaces of the host machine hosting the bare metal instance, and the host machine is not shared with other customers or tenants.
[0085] As previously mentioned, each compute instance that is part of a VCN is associated with a VNIC that enables the compute instance to be a member of a subnet of the VCN. The VNIC associated with a compute instance facilitates communication of packets or frames to and from the compute instance. The VNIC is associated with the compute instance when the compute instance is created. In one embodiment, for a compute instance executed by a host machine, the VNIC associated with the compute instance is executed by an NVD connected to the host machine. For example, in FIG. 2, host machine 202 executes virtual machine compute instance 268 that is associated with VNIC 276, which is executed by NVD 210 connected to host machine 202. As another example, bare metal instance 272 hosted by host machine 206 is associated with VNIC 280, which is executed by NVD 212 connected to host machine 206. As yet another example, VNIC 284 is associated with compute instance 274 executed by host machine 208, which is executed by NVD 212 connected to host machine 208.
[0086] For compute instances hosted by a host machine, the NVD connected to that host machine also executes VCN VRs corresponding to the VCNs of which those compute instances are members. For example, in the embodiment shown in Figure 2, NVD 210 executes VCN VR 277 corresponding to the VCN of which compute instance 268 is a member. NVD 212 may execute one or more VCN VRs 283 corresponding to the VCNs corresponding to the compute instances hosted by host machines 206 and 208.
[0087] A host machine may include one or more network interface cards (NICs) that allow the host machine to be connected to other devices. The NICs on the host machine may provide one or more ports (or interfaces) that allow the host machine to be communicatively connected to another device. For example, a host machine may be connected to an NVD using one or more ports (or interfaces) provided on the host machine and the NVD. A host machine may also be connected to other devices, such as another host machine.
[0088] 2, host machine 202 is connected to NVD 210 using link 220 extending between port 234 provided by NIC 232 of host machine 202 and port 236 of NVD 210. Host machine 206 is connected to NVD 212 using link 224 extending between port 246 provided by NIC 244 of host machine 206 and port 248 of NVD 212. Host machine 208 is connected to NVD 212 using link 226 extending between port 252 provided by NIC 250 of host machine 208 and port 254 of NVD 212.
[0089] The NVDs are then connected via communication links to top-of-rack (TOR) switches (also called switch fabrics) that are connected to a physical network 218. In one embodiment, the links between the host machines and the NVDs and between the NVDs and the TOR switches are Ethernet links. For example, in Figure 2, links 228 and 230 are used to connect NVDs 210 and 212 to TOR switches 214 and 216, respectively. In one embodiment, links 220, 224, 226, 228, and 230 are Ethernet links. The collection of host machines and NVDs connected to a TOR may be referred to as a rack.
[0090] The physical network 218 provides a communications fabric that allows the TOR switches to communicate with each other. The physical network 218 can be a multi-tier network. In one implementation, the physical network 218 is a multi-tier Clos network of switches, with the TOR switches 214 and 216 representing leaf-level nodes of the multi-tier, multi-node physical switching network 218. Various Clos network configurations are possible, including, but not limited to, 2-tier networks, 3-tier networks, 4-tier networks, 5-tier networks, and generally, "n"-tier networks. An example Clos network is shown in FIG. 5 and described below.
[0091] Various connection configurations are possible between host machines and NVDs, such as one-to-one, many-to-one, and one-to-many configurations. In a one-to-one implementation, each host machine is connected to its own separate NVD. For example, in FIG. 2, host machine 202 is connected to NVD 210 via NIC 232 on host machine 202. In a many-to-one configuration, multiple host machines are connected to a single NVD. For example, in FIG. 2, host machines 206 and 208 are connected to the same NVD 212 via NICs 244 and 250, respectively.
[0092] In a one-to-many configuration, one host machine is connected to multiple NVDs. FIG. 3 illustrates an example of a CSPI 300 in which a host machine is connected to multiple NVDs. As illustrated in FIG. 3, a host machine 302 includes a network interface card (NIC) 304 including multiple ports 306 and 308. The host machine 300 is connected to a first NVD 310 via port 306 and link 320, and to a second NVD 312 via port 308 and link 322. Ports 306 and 308 may be Ethernet ports, and links 320 and 322 between the host machine 302 and the NVDs 310 and 312 may be Ethernet links. The NVD 310 is then connected to a first TOR switch 314, and the NVD 312 is connected to a second TOR switch 316. The links between the NVDs 310 and 312 and the TOR switches 314 and 316 may be Ethernet links. TOR switches 314 and 316 represent layer 0 switching devices within a multi-tier physical network 318 .
[0093] 3 provides two separate physical network paths between the physical switch network 318 and the host machine 302: a first path traversing the TOR switch 314, through the NVD 310, and to the host machine 302, and a second path traversing the TOR switch 316, through the NVD 312, and to the host machine 302. The separate paths result in improved availability (referred to as high availability) of the host machine 302. If there is a problem with one of the paths (e.g., a link in one of the paths fails) or devices (e.g., a particular NVD is not functioning), the other path may be used for communication to and from the host machine 302.
[0094] In the configuration shown in Figure 3, the host machine is connected to two different NVDs using two different ports provided by the host machine's NIC. In other embodiments, the host machine may include multiple NICs that allow the host machine to be connected to multiple NVDs.
[0095] Referring again to Figure 2, an NVD is a physical device or component that performs one or more network and / or storage virtualization functions. An NVD may be any device that has one or more processing units (e.g., a CPU, Network Processing Units (NPUs), FPGAs, packet processing pipelines, etc.), memory including cache, and ports. Various virtualization functions may be performed by software / firmware executed by the one or more processing units of the NVD.
[0096] The NVD may be implemented in various forms. For example, in one embodiment, the NVD is implemented as an interface card called a smart NIC or intelligent NIC that contains an embedded processor. A smart NIC is a separate device from the NIC on the host machine. In Figure 2, NVDs 210 and 212 may be implemented as smart NICs connected to host machine 202 and host machines 206 and 208, respectively.
[0097] However, a smart NIC is just one example of an implementation of an NVD. Various other implementations are possible. For example, in some other implementations, the NVD or one or more functions performed by the NVD may be incorporated into or performed by one or more host machines, one or more TOR switches, and other components of CSPI200. For example, the NVD may be embodied in a host machine, and the functions performed by the NVD may be performed by the host machine. As another example, the NVD may be part of a TOR switch, or a TOR switch may be configured to perform the functions performed by the NVD, allowing the TOR switch to perform various complex packet transformations used in public clouds. A TOR that performs the functions of an NVD may be referred to as a smart TOR. In yet other implementations where customers are provided with virtual machine (VM) instances rather than bare metal (BM) instances, the functions performed by the NVD may be implemented inside the hypervisor of the host machine. In some other implementations, some of the NVD's functions may be offloaded to a centralized service running on a set of host machines.
[0098] In one embodiment, such as when implemented as a smart NIC as shown in FIG. 2, the NVD may include multiple physical ports that allow the NVD to be connected to one or more host machines and one or more TOR switches. Ports on the NVD may be classified as host-facing ports (also referred to as "south ports") or network-facing or TOR-facing ports (also referred to as "north ports"). Host-facing ports of an NVD are ports used to connect the NVD to host machines. Examples of host-facing ports in FIG. 2 include port 236 on NVD 210 and ports 248 and 254 on NVD 212. Network-facing ports of an NVD are ports used to connect the NVD to TOR switches. Examples of network-facing ports in FIG. 2 include port 256 on NVD 210 and port 258 on NVD 212. As shown in FIG. 2, the NVD 210 is connected to the TOR switch 214 using link 228 extending from port 256 of the NVD 210 to the TOR switch 214. Similarly, the NVD 212 is connected to the TOR switch 216 using a link 230 that extends from a port 258 of the NVD 212 to the TOR switch 216 .
[0099] The NVD may receive packets and frames from the host machine (e.g., packets and frames generated by compute instances hosted by the host machine) via a host-facing port, and after performing any necessary packet processing, may forward those packets and frames to the TOR switch via the NVD's network-facing port. The NVD may receive packets and frames from the TOR switch via the NVD's network-facing port, and after performing any necessary packet processing, may forward those packets and frames to the host machine via the NVD's host-facing port.
[0100] In one embodiment, there may be multiple ports and associated links between the NVD and the TOR switch. These ports and links may be aggregated to form a link aggregator group (called a LAG) of multiple ports or links. Link aggregation allows multiple physical links between two endpoints (e.g., between the NVD and the TOR switch) to be treated as a single logical link. All physical links within a particular LAG may operate in full-duplex mode at the same speed. LAGs help increase bandwidth and improve the reliability of the connection between two endpoints. If one of the physical links in the LAG fails, traffic is dynamically and transparently reassigned to one of the other physical links in the LAG. The aggregated physical link provides higher bandwidth than an individual link. Multiple ports associated with a LAG are treated as a single logical port. Traffic can be load-balanced across the multiple physical links in a LAG. One or more LAGs may be configured between two endpoints. Two endpoints may exist between the NVD and the TOR switch, between a host machine and the NVD, etc.
[0101] The NVD implements or performs network virtualization functions. These functions are performed by software / firmware executed by the NVD. Examples of network virtualization functions include, but are not limited to, packet encapsulation and decapsulation functions, functions for creating VCN networks, functions for enforcing network policies such as VCN security list (firewall) functions, and functions for facilitating routing and forwarding of packets to and from compute instances in the VCN. In one embodiment, upon receiving a packet, the NVD is configured to execute a packet processing pipeline to process the packet and determine how the packet should be forwarded or routed. As part of this packet processing pipeline, the NVD may perform one or more virtual functions associated with the overlay network, such as running VNICs associated with compute instances in the VCN, running virtual routers (VRs) associated with the VCN, encapsulating and decapsulating packets to facilitate forwarding or routing within the virtual network, running certain gateways (e.g., local peering gateways), enforcing security lists, network security groups, network address translation (NAT) functions (e.g., per-host public IP to private IP translation), bandwidth throttling functions, and other functions.
[0102] In one embodiment, the packet processing data path within the NVD may comprise multiple packet pipelines, each consisting of a series of packet transformation stages. In one implementation, upon receipt of a packet, the packet is parsed and sorted into a single pipeline. The packet is then processed in a linear fashion, one stage at a time, until the packet is either dropped or transmitted through an interface of the NVD. These stages provide basic functional packet processing building blocks (e.g., header validation, performing bandwidth throttling, inserting a new Layer 2 header, performing L4 firewalling, VCN encapsulation / decapsulation, etc.), such that new pipelines can be constructed by assembling existing stages, and new functionality can be added by creating and inserting new stages into existing pipelines.
[0103] The NVD may perform both control plane and data plane functions corresponding to the control and data planes of a VCN. Examples of a VCN control plane are also shown in Figures 12, 13, 14, and 15 (see reference numbers 1216, 1316, 1416, and 1516) and are described below. Examples of a VCN data plane are shown in Figures 12, 13, 14, and 15 (see reference numbers 1218, 1318, 1418, and 1518) and are described below. Control plane functions include functions used to configure the network (e.g., set up routes and route tables, configure VNICs, etc.) that control how data is forwarded. In one embodiment, a VCN control plane is provided that centrally computes mappings between all overlays and substrates and publishes these mappings to the NVD and to virtual network edge devices such as various gateways, such as DRGs, SGWs, and IGWs. Firewall rules may also be published using the same mechanism. In one embodiment, the NVD retrieves only mappings that are relevant to the NVD. The data plane functions include functionality for the actual routing / forwarding of packets based on configuration settings using the control plane. The VCN data plane is implemented by encapsulating customer network packets before they traverse the substrate network. The encapsulation / decapsulation functions are implemented in the NVD. In one embodiment, the NVD is configured to intercept all network packets entering and leaving the host machine and perform network virtualization functions.
[0104] As indicated above, the NVD performs various virtualization functions, including VNICs and VCN VRs. The NVD may execute VNICs associated with compute instances hosted by one or more host machines connected to the VNICs. For example, as shown in FIG. 2, NVD 210 executes the functions of VNIC 276 associated with compute instance 268 hosted by host machine 202 connected to NVD 210. As another example, NVD 212 executes VNIC 280 associated with bare metal compute instance 272 hosted by host machine 206 and VNIC 284 associated with compute instance 274 hosted by host machine 208. The host machines may host compute instances belonging to different VCNs that belong to different customers, and the NVDs connected to the host machines may execute VNICs (i.e., perform functions related to the VNICs) corresponding to the compute instances.
[0105] NVDs also execute VCN virtual routers corresponding to the VCNs of the compute instances. For example, in the embodiment shown in FIG. 2, NVD 210 executes VCN VR 277 corresponding to the VCN to which compute instance 268 belongs. NVD 212 executes one or more VCN VRs 283 corresponding to one or more VCNs to which compute instances hosted by host machines 206 and 208 belong. In one embodiment, a VCN VR corresponding to that VCN is executed by all NVDs connected to a host machine that hosts at least one compute instance belonging to that VCN. If a host machine hosts compute instances that belong to different VCNs, the NVDs connected to that host machine may execute VCN VRs corresponding to those different VCNs.
[0106] In addition to VNICs and VCN VRs, the NVD may run various software (e.g., daemons) and may include one or more hardware components that facilitate the various network virtualization functions performed by the NVD. For simplicity, these various components are grouped together as a “packet processing component” shown in FIG. 2 . For example, NVD 210 includes packet processing component 286, and NVD 212 includes packet processing component 288. For example, the packet processing component of the NVD may include a packet processor configured to interact with the NVD's ports and hardware interfaces, monitor all packets received by and transmitted using the NVD, and store network information. The network information may include, for example, network flow information and per-flow information (e.g., per-flow statistics) that identify the various network flows processed by the NVD. In one embodiment, the network flow information may be stored per VNIC. In addition to performing per-packet operations, the packet processor may implement a stateful NAT and an L4 firewall (FW). As another example, the packet processing component may include a replication agent configured to replicate information stored by the NVD to one or more different replication target stores. As yet another example, the packet processing component may include a logging agent configured to perform the logging functions of the NVD. The packet processing component may also include software for monitoring the performance and health of the NVD, and possibly software for monitoring the status and health of other components connected to the NVD.
[0107] FIG. 1 illustrates components of an exemplary virtual network or overlay network, including a VCN, subnets within the VCN, compute instances deployed to the subnets, VNICs associated with the compute instances, VRs for the VCN, and a set of gateways configured for the VCN. The overlay components illustrated in FIG. 1 may be executed or hosted by one or more of the physical components illustrated in FIG. 2. For example, compute instances within a VCN may be executed or hosted by one or more host machines illustrated in FIG. 2. For compute instances hosted by a host machine, the VNICs associated with the compute instances are typically executed by an NVD connected to the host machine (i.e., the VNIC functionality is provided by the NVD connected to the host machine). The VCN VR functionality for the VCN is performed by all NVDs connected to host machines hosting or running compute instances that are part of the VCN. The gateways associated with a VCN may be executed by one or more different types of NVDs. For example, some gateways may be executed by smart NICs, while other gateways may be executed by one or more host machines or other implementations of NVDs.
[0108] As previously mentioned, compute instances within a customer's VCN may communicate with various endpoints, which can be in the same subnet as the source compute instance, or in a different subnet within the same VCN as the source compute instance, or the endpoints are outside the VCN of the source compute instance. These communications are facilitated using VNICs associated with the compute instances, VCN VRs, and gateways associated with the VCN.
[0109] For communication between two compute instances on the same subnet within a VCN, the communication is facilitated using VNICs associated with the source and destination compute instances. The source and destination compute instances may be hosted by the same host machine or by different host machines. A packet originating from the source compute instance may be forwarded from the host machine hosting the source compute instance to an NVD connected to that host machine. In the NVD, the packet is processed using a packet processing pipeline, which may include execution of the VNIC associated with the source compute instance. Because the packet's destination endpoint is within the same subnet, execution of the VNIC associated with the source compute instance causes the packet to be forwarded to an NVD running the VNIC associated with the destination compute instance, which then processes the packet and forwards it to the destination compute instance. The VNICs associated with the source and destination compute instances may run on the same NVD (e.g., when the source and destination compute instances are both hosted by the same host machine) or on different NVDs (e.g., when the source and destination compute instances are hosted by different host machines connected to different NVDs). The VNICs may use routing / forwarding tables stored by the NVDs to determine the next hop of a packet.
[0110] For packets traveling from a compute instance in a subnet to an endpoint in a different subnet within the same VCN, the packet originating from the source compute instance travels from the host machine hosting the source compute instance to the NVD connected to that host machine. In the NVD, the packet is processed using a packet processing pipeline, which may include running one or more VNICs and VRs associated with the VCN. For example, as part of the packet processing pipeline, the NVD executes or invokes a function corresponding to the VNIC associated with the source compute instance (also referred to as executing the VNIC). The function executed by the VNIC may include examining the VLAN tag on the packet. Because the packet's destination is outside the subnet, a VCN VR function is then invoked and executed by the NVD. The VCN VR then routes the packet to the NVD running the VNIC associated with the destination compute instance. The VNIC associated with the destination compute instance then processes the packet and forwards the packet to the destination compute instance. The VNICs associated with the source compute instance and the destination compute instance may run on the same NVD (e.g., when the source compute instance and the destination compute instance are both hosted by the same host machine) or on different NVDs (e.g., when the source compute instance and the destination compute instance are hosted by different host machines connected to different NVDs).
[0111] If the packet's destination is outside the VCN of the source compute instance, the packet originating from the source compute instance is propagated from the host machine hosting the source compute instance to the NVD connected to that host machine. The NVD runs the VNIC associated with the source compute instance. Because the packet's destination endpoint is outside the VCN, the packet is then processed by the VCN VR for that VCN. The NVD may invoke a VCN VR function to cause the packet to be forwarded to an NVD running the appropriate gateway associated with the VCN. For example, if the destination is an endpoint in a customer's on-premises network, the packet may be forwarded by the VCN VR to an NVD running a DRG gateway configured for the VCN. The VCN VR may run on the same NVD as the NVD running the VNIC associated with the source compute instance or by a different NVD. The gateway may be run by the NVD, which can be a smart NIC, a host machine, or another NVD implementation. The packet is then processed by the gateway and forwarded to the next hop, which facilitates the packet's propagation to the intended destination endpoint. 2, a packet originating from compute instance 268 may be communicated from host machine 202 (using NIC 232) over link 220 to NVD 210. At NVD 210, VNIC 276 is invoked because it is the VNIC associated with source compute instance 268. VNIC 276 is configured to examine information encapsulated within the packet, determine a next hop for forwarding the packet in order to facilitate communication of the packet to its intended destination endpoint, and then forward the packet to the determined next hop.
[0112] Compute instances deployed in a VCN can communicate with various endpoints. These endpoints may include endpoints hosted by CSPI200 and endpoints external to CSPI200. Endpoints hosted by CSPI200 may include instances in the same VCN or other VCNs, which may be the customer's VCN or VCNs not belonging to the customer. Communication between endpoints hosted by CSPI200 may occur via physical network 218. Compute instances may communicate with endpoints not hosted by CSPI200 or external to CSPI200. Examples of these endpoints include endpoints within a customer's on-premises network or data center, or public endpoints accessible via a public network such as the Internet. Communication with endpoints external to CSPI200 may occur via a public network (e.g., the Internet) (not shown in FIG. 2) or a private network (not shown in FIG. 2) using various communication protocols.
[0113] The architecture of CSPI 200 shown in FIG. 2 is merely exemplary and is not intended to be limiting. Variations, substitutions, and modifications are possible in alternative embodiments. For example, in some implementations, CSPI 200 may include more or fewer systems or components than those shown in FIG. 2, may combine two or more systems, or may include a different configuration or arrangement of systems. The systems, subsystems, and other components shown in FIG. 2 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective systems, using hardware, or a combination thereof. The software may be stored in a non-transitory storage medium (e.g., a memory device).
[0114] FIG. 4 illustrates connections between host machines and an NVD to achieve I / O virtualization to support multitenancy functionality, according to one embodiment. As shown in FIG. 4, host machine 402 runs hypervisor 404, which provides a virtual environment. Host machine 402 runs two virtual machine instances: VM1 406 belonging to customer / tenant #1 and VM2 408 belonging to customer / tenant #2. Host machine 402 includes a physical NIC 410 connected to an NVD 412 via link 414. Each of the compute instances is connected to a VNIC run by NVD 412. In the embodiment of FIG. 4, VM1 406 is connected to VNIC-VM1 420, and VM2 408 is connected to VNIC-VM2 422.
[0115] 4, NIC 410 includes two logical NICs: logical NIC A 416 and logical NIC B 418. Each virtual machine is connected to and configured to function with its own logical NIC. For example, VM1 406 is connected to logical NIC A 416, and VM2 408 is connected to logical NIC B 418. Because of the logical NICs, each tenant's virtual machine believes it has its own host machine and NIC, even though host machine 402 includes only one physical NIC 410 that is shared by multiple tenants.
[0116] In one embodiment, each logical NIC is assigned its own VLAN ID. Thus, a particular VLAN ID is assigned to logical NIC A 416 for Tenant 1, and another VLAN ID is assigned to logical NIC B 418 for Tenant 2. When a packet is communicated from VM1 406, a tag assigned to Tenant 1 is attached to the packet by the hypervisor, and the packet is then communicated from host machine 402 to NVD 412 via link 414. In a similar manner, when a packet is communicated from VM2 408, a tag assigned to Tenant 2 is attached to the packet by the hypervisor, and the packet is then communicated from host machine 402 to NVD 412 via link 414. Thus, a packet 424 communicated from host machine 402 to NVD 412 has an associated tag 426 that identifies the particular tenant and associated VM. At the NVD, for a packet 424 received from host machine 402, a tag 426 associated with the packet is used to determine whether the packet should be processed by VNIC-VM1 420 or VNIC-VM2 422. The packet is then processed by the corresponding VNIC. The configuration shown in Figure 4 allows each tenant's compute instance to be confident that it owns its own host machine and NIC. The setup shown in Figure 4 enables I / O virtualization to support multi-tenancy capabilities.
[0117] FIG. 5 illustrates a simplified block diagram of a physical network 500, according to one embodiment. The embodiment illustrated in FIG. 5 is structured as a Clos network. A Clos network is a specific type of network topology designed to provide connection redundancy while maintaining high bisection bandwidth and maximum resource utilization. A Clos network is a type of nonblocking multi-stage or multi-layer switching network, and the number of stages or layers can be two, three, four, five, etc. The embodiment illustrated in FIG. 5 is a three-layer network, including layers 1, 2, and 3. TOR switch 504 represents a layer 0 switch in the Clos network. One or more NVDs are connected to the TOR switch. Layer 0 switches are also referred to as edge devices of the physical network. Layer 0 switches are connected to layer 1 switches, also referred to as leaf switches. In the embodiment illustrated in FIG. 5, a set of “n” layer 0 TOR switches are connected to a set of “n” layer 1 switches, together forming a pod. Each layer 0 switch in a pod is interconnected to all layer 1 switches within the pod, but there are no switch connections between pods. In one implementation, the two pods are referred to as blocks. Each block is served by or connected to a set of "n" layer 2 switches (sometimes called spine switches). There can be multiple blocks in a physical network topology. The layer 2 switches are then connected to "n" layer 3 switches (sometimes called super spine switches). Communication of packets through the physical network 500 is typically performed using one or more layer 3 communication protocols. Typically, all layers of the physical network except the TOR layer have n-way redundancy, thus enabling high availability. Policies may be specified for pods and blocks to control the visibility of switches to each other within the physical network to enable scaling of the physical network.
[0118] A characteristic of Clos networks is that the maximum number of hops required to reach from one tier-0 switch to another tier-0 switch (or from an NVD connected to a tier-0 switch to another NVD connected to a tier-0 switch) is fixed. For example, in a three-tier Clos network, a maximum of seven hops are required for a packet to reach from one NVD to another, with the source and target NVDs connected to the leaf layers of the Clos network. Similarly, in a four-tier Clos network, a maximum of nine hops are required for a packet to reach from one NVD to another, with the source and target NVDs connected to the leaf layers of the Clos network. Therefore, the Clos network architecture maintains consistent latency throughout the network, which is important for intra- and inter-datacenter communications. Clos topologies scale horizontally and are cost-effective. The network's bandwidth / throughput capacity can be easily increased by adding more switches (e.g., more leaf switches and spine switches) to various tiers and by increasing the number of links between switches at adjacent tiers.
[0119] In one embodiment, each resource in CSPI is assigned a unique identifier called a Cloud Identifier (CID). This identifier is included as part of the resource's information and can be used to manage the resource, for example, via a console or via an API. An exemplary syntax for a CID is as follows: ocid1.<resource type>.<realm>.[region][.future use].<unique ID> where: ocid1: A literal column that indicates the version of the CID. Resource Type: The type of resource (e.g., instance, volume, VCN, subnet, user, group, etc.). Realm: Realm: The realm the resource resides in. Example values are "c1" for the commercial realm, "c2" for the government cloud realm, or "c3" for the federal cloud realm, etc. Each realm may have its own domain name. Region: The region the resource is in. If a region is not applicable to the resource, this part may be blank. Future Use: Reserved for future use. Unique ID: The unique part of the ID. This format may vary depending on the type of resource or service.
[0120] Multi-cloud adoption Figure 6 shows a simplified high-level diagram of a distributed environment 600 including multiple cloud environments offered by different cloud service providers (CSPs), according to one embodiment, with a particular cloud environment providing specialized infrastructure that enables one or more cloud services offered by that particular cloud environment to be used by customers of the other cloud environments. As shown in Figure 6, various cloud environments (also referred to as "clouds") may be offered by different cloud service providers (CSPs), with each cloud environment or cloud offering one or more cloud services to which one or more customers of that cloud environment can subscribe. The suite of cloud services offered by the cloud environments offered by the CSPs may include one or more different types of cloud services, including, but not limited to, Software-as-a-Service (SaaS) services, Infrastructure-as-a-Service (IaaS) services, Platform-as-a-Service (PaaS) services, Database-as-a-Service (DBaaS), etc. Examples of cloud environments offered by various CSPs include Oracle® Cloud Infrastructure (OCI) offered by Oracle Corporation, Microsoft® Azure offered by Microsoft Corporation, Google Cloud™ offered by Google® LLC, Amazon Web Services (AWS®) offered by Amazon Corporation, etc. The set of cloud services offered by a particular cloud environment may differ from the set of cloud services offered by another cloud environment.
[0121] In a typical cloud environment, a CSP provides a cloud service infrastructure (CSPI) that is used to provide one or more cloud services offered by the cloud environment to customers. The CSPI provided by the CSP may include various types of hardware and software resources, including compute resources, memory resources, network resources, a console for accessing the cloud services, and the like. Customers of the cloud environment provided by the CSP may subscribe to one or more of the cloud services offered by the cloud environment. Various subscription models may be offered to customers by the CSP. After a customer subscribes to cloud services offered by the cloud environment, one or more users may be associated with the subscribing customer, and these users may use the cloud services to which the customer subscribes. In one implementation, when a customer subscribes to cloud services offered by a particular cloud environment, a customer account or customer tenancy is created for the customer. One or more users may then be associated with the customer tenancy, and these users may then use the services to which the customer subscribed under the customer tenancy. Information about the services a customer subscribes to, the users associated with the customer's tenancy, etc. is typically stored within the cloud environment and associated with the customer's tenancy.
[0122] For example, three different cloud environments offered by three different CSPs are shown in Figure 6. These cloud environments include cloud environment A (Cloud A) 610 offered by CSP A, cloud environment B (Cloud B) 640 offered by CSP B, and cloud environment C (Cloud C) 660 offered by CSP C. Cloud A 610 includes infrastructure CSPI_A 612 offered by CSP A, which may be used to provide a set of services "Service A" 614 offered by Cloud A 610. One or more customers (e.g., Customer A1 616-1, Customer A2 616-2) may subscribe to one or more services from Service A 614 offered by Cloud A 610. One or more users 618-1 may be associated with Customer A1 616-1 and can use the services to which Customer A1 616-1 subscribed within Cloud A 610. In a similar manner, one or more users 618-2 may be associated with customer A2 616-2 and may use the services to which customer A2 616-2 subscribes within cloud A 610. In various use cases, the services to which customer A1 616-1 subscribes may differ from the services to which customer A2 616-2 subscribes.
[0123] 6, Cloud B 640 includes an infrastructure CSPI_B 642 provided by CSP B, which may be used to provide a set of services “Service B” 644 offered by Cloud B 640. One or more customers (e.g., Customer B1 646-1) may subscribe to one or more services from Service B 644. One or more Users 648-1 may be associated with Customer B1 646-1 and can use the services to which Customer B1 646-1 has subscribed within Cloud B 640.
[0124] As shown in FIG. 6, Cloud C 660 includes an infrastructure CSPI_C 662 provided by CSP C, which may be used to provide a set of services “Service C” 664 offered by Cloud C 660. One or more customers (e.g., Customer C1 666-1) may subscribe to one or more services from Service C 664. One or more Users 668-1 may be associated with Customer C1 666-1 and can use the services to which Customer C1 666-1 subscribes within Cloud C 660. It should be noted that Service A 614, Service B 644, and Service C 664 can be different from one another.
[0125] In existing cloud implementations, each cloud provides a closed ecosystem to subscribing customers and associated users. As a result, customers and associated users of a cloud environment are limited to using services offered by the cloud to which the customer subscribes. For example, customer B1 646-1 and its user 648-1 are limited to using service B 644 offered by cloud B 640 and cannot use their account in cloud B 640 to access services from a different cloud environment, such as services from service A 614 offered by cloud A 610 or services from service C 664 offered by cloud C 660. The teachings described herein overcome this limitation. As described in this disclosure, various techniques are described that allow a link to be created between two cloud environments, thereby allowing services offered by a first cloud environment offered by a first CSP to be used by a customer (and associated users) of a second, different cloud environment offered by a second, different CSP, using the customer's account in the second cloud environment.
[0126] 6 , the infrastructure CSPI_A 612 provided by CSP A includes, in addition to other infrastructure 620, a specialized infrastructure 622 (referred to as multi-cloud enabling infrastructure 622 or MEI (multi-cloud enabling infrastructure) 622 or multi-cloud infrastructure 622) that enables one or more services 614 provided by Cloud A to be used by customers and associated users of other clouds, such as Clouds B 640 and C 660, using the customers' accounts in those other clouds. In one implementation, customers of Clouds B and C do not need to open separate accounts with Cloud A to use one or more of the services 614 provided by Cloud A 610. Customer B1 646-1 and associated user 648-1 of Cloud B 640 can use one or more services 614 provided by Cloud A 610 using the customer's account or tenancy in Cloud B 640. As another example, customer C1 666-1 and associated user 668-1 of cloud C 660 may use one or more services 614 provided by cloud A 610 using the customer's account or tenancy in cloud C 660.
[0127] In one implementation, the MEI 622 allows links to be created between Cloud A 610 and other clouds, and these links can be used by customers and associated users of the other clouds to access and utilize services offered by Cloud A 610. This is symbolically shown in FIG. 6 as link 670 created between Cloud A 610 and Cloud B 640 and link 672 created between Cloud A 610 and Cloud C 660. Via link 670, customers of Cloud B 640 can access or use one or more services 614 offered by Cloud A 610. Similarly, via link 672, customers of Cloud C 660 can access or use one or more services 614 offered by Cloud A 610.
[0128] There are various ways in which the MEI 612 may be implemented. In some embodiments, the MEI 612 may include components that allow links to different clouds to be established. For example, in FIG. 6, the MEI 622 includes an infrastructure component 624 responsible for enabling a link 670 with cloud B 640 and an infrastructure component 626 responsible for enabling a link 672 with cloud C 660. In a similar manner, the MEI 622 may include other components that enable and facilitate links with other clouds. In some implementations, the components of the MEI 622 may facilitate links with multiple different clouds.
[0129] There are multiple reasons why a customer of one cloud may want or desire to use a cloud service offered by a different cloud. Using FIG. 6 as an example, there are multiple reasons why customer B1 646-1 of cloud B 640 may want to use the cloud service 614 offered by cloud A 610. In one use case situation, this reason may arise because cloud A 610 offers a cloud service with capabilities not offered by cloud B 640. In another use case situation, clouds A and B may offer similar services, but the service offered by cloud A 610 may be better (e.g., more features / functionality, faster speed, etc.) than the corresponding service offered by cloud B 640. In yet another use case situation, customer B1 646-1 of cloud B 640 may want to use the cloud service offered by cloud A 610 because it offers the service at a lower price than the cloud service offered by cloud B 640. In some cases, there may be geographic constraints or other reasons why a customer B1 646-1 of Cloud B 640 wants to use a cloud service offered by Cloud A 610. For example, Cloud A 610 may offer a desired service in a geographic region that is not offered by Cloud B 640, or a particular service is not offered by Cloud B 640 in the geographic region where the customer wants the service. Several other use case situations are possible regarding why a customer of one cloud may want to use a service offered by a different cloud.
[0130] In one embodiment, the MEI 622 provides the capability and performs the functions of creating a link between Cloud A 610 and another cloud, through which a user associated with a customer of the other cloud can access and use services offered by Cloud A 610 from the other cloud itself in a seamless manner. For example, the MEI 622 enables a user 648-1 associated with Customer B1 646-1 of Cloud 640 to access services from Service A 614 offered by Cloud A 610 in a seamless manner. In one implementation, a user interface (e.g., a console) accessible to User 648-1 from within Cloud B 640 may be provided, which allows the user to view a list of services 614 offered by Cloud A 610 and select the particular service that User 648-1 wishes to access. In response to the user's selection, the MEI 622 is responsible for performing processing to establish a link 670 between Clouds A and B to enable access to the requested service. The processing to set up the link 670 is performed substantially automatically by the MEI 622. Customer B1 646-1 or associated user 648-1 do not have to worry about performing all the system, network, or other configuration changes required to facilitate the creation, maintenance, and use of link 670 between clouds A 610 and B 640. Creating links between clouds is effortless for both users and customers. Using the techniques described in this disclosure, links are created in a fast and efficient manner.
[0131] The MEI 622 can use various techniques to create and use links that are seamless for users and customers, thus providing an improved user experience. In one implementation, the MEI 622 makes the user interface (e.g., graphical user interface (GUI)) and process flow that customer B1 and associated user 648-1 interact with, such as to request services from cloud A 610 and access requested services from cloud A 610, substantially similar to the interface and process flow that the customer / user experiences within cloud B 640. In this way, a customer or user who may be familiar with the interface and process flow of cloud B 640 does not need to learn a new interface and process flow to access services 614 from cloud A 610. The MEI 622 may present different interfaces and process flows to users of different cloud environments. For example, a first set of user interfaces and process flows substantially similar to the user interfaces and flows of Cloud B may be presented to a user from Cloud B 640, while a different set of user interfaces and process flows substantially similar to the user interfaces and flows of Cloud C may be presented to a user accessing Cloud A 610 from Cloud C 660. This is done to simplify and therefore improve the user's experience for accessing the services 614 of Cloud A 610 from other clouds.
[0132] As another example, each cloud environment typically includes an identity management system configured to provide security for the cloud environment. The identity management system is configured to protect resources in the cloud environment, including resources provided by the CSP and resources of subscribing cloud customers that are deployed in the cloud environment. Functions performed by the identity management system include, for example, managing identity credentials (e.g., usernames, passwords, etc.) associated with the cloud's subscribing customers and associated users, using the identity credentials to regulate users' access to cloud resources and services based on authorization / access policies configured for the cloud environment, and other functions. Different clouds may use different identity management systems and associated technologies. For example, the identity management system and associated procedures in cloud A 610 may be completely different from the identity management system and associated procedures in cloud B 640, which may in turn be completely different from the identity management system and associated procedures in cloud C 660. In one implementation, despite these differences in identity management systems and associated procedures between different cloud environments, the techniques described herein enable a user associated with a customer of a first cloud to access cloud services provided by a different cloud using the same identity credentials associated with the customer and user in the first cloud.
[0133] For example, in the embodiment shown in FIG. 6 , Cloud B 640 provided by CSP B may include an identity management system that assigns or allocates identity credentials to subscribing customers and associated users, such as Customer B1 646-1 and associated User 648-1. These identity credentials are associated with a tenancy created for Customer B1 646-1 in Cloud B 640. In one implementation, MEI 622 provided by Cloud A 610 enables User 648-1 associated with Cloud B Customer B1 646-1 to access services from Service A 614 in Cloud A 610 using identity credentials associated with User 648-1 and Customer B1 646-1 in Cloud B 640. This significantly improves the user experience for User 648-1 because User 648-1 does not need to create new identity credentials specific to Cloud A 610 simply to access Services 614 in Cloud A 610. The MEI 622 facilitates such access.
[0134] As an example, customer B1 of cloud B 640 may select to use a service such as database-as-a-service (DBaaS) from the set of services 614 offered by cloud A 610. In response to such a selection, MEI 622 causes a link 670 to be automatically created between cloud A 610 and cloud B 640 to enable user 648-1 associated with customer B1 646-1 to use the DBaaS service offered by cloud A 610. The automatic establishment of link 670 is facilitated by MEI 622. After link 670 is established, user 668-1 can use the DBaaS service in cloud A 610 via cloud B 640. As part of using this service, user 668-1 can send a request to cloud A 610 via cloud B 640 to create a database resource. In response, CSPI_A 612 can create the requested database in cloud A 610. In one implementation, the created database may be provisioned within a virtual network (e.g., a virtual cloud network or VCN) created for customer B1 in cloud A 610 and accessible by user 668-1 via cloud B 640. User 668-1 may then send requests to cloud A 610 from cloud B 640 to use the provisioned database. These requests may include, for example, requests to write data to the database, update data stored in the database, delete data in the database, delete the database, create additional databases, etc. In some use cases, these requests may originate from user 668-1 via cloud B 640 or from services 644 offered by cloud B 640. In this way, the MEI 622 offered by cloud A 610 enables users associated with customers of different clouds offered by different CSPs to seamlessly access services offered by cloud A 610.
[0135] The distributed environment 600 shown in FIG. 6 is merely an example and is not intended to unduly limit the scope of the claimed embodiments. Many variations, alternatives, and modifications are possible. For example, in alternative embodiments, the distributed environment 600 may include more or fewer cloud environments. The cloud environments may include more or fewer systems and components, or may have a different configuration or arrangement of systems and components. The systems and components shown in FIG. 6 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective systems, using hardware, or a combination thereof. The software may be stored in a non-transitory storage medium (e.g., a memory device).
[0136] Multi-Cloud Control Plane (MCCP) 7 illustrates an exemplary high-level architecture of a multi-cloud infrastructure that interconnects two different cloud environments, each provided by a cloud service provider, according to some embodiments. As shown in FIG. 7, the high-level architecture 700 includes a first cloud environment (e.g., OCI) 710 provided by a first cloud service provider and a second cloud environment (e.g., AWS) 720 provided by a second cloud service provider. The first cloud environment 710 includes a multi-cloud infrastructure that provisions functionality for delivering services of the first cloud environment to users of another cloud environment (e.g., the second cloud environment 720). In particular, as described below, the multi-cloud infrastructure includes a multi-cloud control plane (MCCP) 712 and a multi-cloud network data plane (MCNDP) 716 that provision users to access / manage services of the first cloud environment from another cloud environment (e.g., PaaS services).
[0137] The multi-cloud infrastructure provides a user experience that is as close as possible to that of the user's native cloud environment (e.g., second cloud environment 720) while providing simple integration between the cloud environments. Note that MCCP 712 and MCNDP 716 are components of the multi-cloud infrastructure that are deployed in (and managed by) the first cloud environment 710 by the first cloud service provider. In some embodiments, the multi-cloud infrastructure includes another component (i.e., multi-cloud service account 726A) that is deployed in the second cloud environment 720 and managed by the first cloud service provider.
[0138] According to some embodiments, the second cloud environment 720 includes a customer account 721 and a first cloud service provider account (referred to herein as a multi-cloud account or multi-cloud service account 726A). Note that the second cloud environment 720 may also include a second cloud portal (not shown) that forms a centralized access point where customers of the second environment 720 can log in and manage their native cloud deployments and instances. The second cloud portal may provide a selection of both monitoring and operational services offered by the second cloud infrastructure. According to some embodiments, the second cloud environment 720 includes a provisioning module 722, a monitoring module 724, and an identity system 723 (i.e., also referred to herein as an identity and access management (IAM) module) that includes an identity module 723A and an access control module 723B. Additionally, the customer account 721 includes a customer virtual private cloud (VPC) 725A that can host one or more compute instances 725B. The identity module 723A is configured to perform tasks such as creating a set of one or more roles (and associated policies, permissions, etc. corresponding to each role) for one or more users of the second cloud environment 720. In some implementations, the access control module 723B serves as a user directory for the second cloud environment. In particular, the access control module 723B may be configured to perform functions such as creating user pools and adding user sign-up, sign-in, and access control to web and mobile applications.
[0139] The provisioning module 722 corresponds to services provided by the second cloud environment 720 that enable users to model and manage infrastructure resources in an automated and secure manner. For example, the provisioning module 722 enables developers to define and provision infrastructure resources using infrastructure as code templates. In other words, the provisioning module 722 automates the required configuration of resources in a customer's account in the second cloud environment 720. As another example, the provisioning module 722 may also be configured to set required resources that enable components of the first cloud environment to access resources in the customer's account in the second cloud environment. According to some embodiments, this is achieved by enabling the multi-cloud service account 726A to access resources in the customer's account 721, e.g., by allowing the multi-cloud service account to peer with the customer's account, enabling components of the multi-cloud infrastructure (e.g., observability adapters to expose metrics in the second cloud environment, etc.). The monitoring module 724 enables monitoring of the full stack (e.g., applications, infrastructure, network, and services) and performs automated actions using alarm, log, and event data. The monitoring module 724 may also utilize a dashboard to visually (eg, in a GUI) depict one or more metric data obtained from the first cloud environment.
[0140] The multi-cloud service account 726A includes a virtual private cloud 726B that hosts a transit gateway and a direct connect component. The direct connect component is a network component that provides an alternative to using the internet to consume cloud services in the second cloud environment. The direct connect allows a customer to have a low-latency, secure, private connection to the second cloud environment for workloads that require faster speeds or lower latency than the internet. The transit gateway is a network hub that can be utilized to interconnect VPCs and on-premises networks. In some embodiments, the transit gateway in the multi-cloud service account 726A is utilized to peer (i.e., communicatively couple) with the customer's account 721 in the second cloud environment 720.
[0141] The first cloud environment 710 includes an MCCP 712, a customer tenancy 714, and an MCNDP 716. As previously mentioned, the MCCP 712 and the MCNDP 716 are part of a multi-cloud infrastructure that provisions users of other cloud environments (e.g., the second cloud environment 720) to access services offered by the first cloud environment 710 with a user experience that is as close as possible to that of the user's native cloud environment, while providing simple integration between the cloud environments.
[0142] The first cloud environment 710 further includes a multicloud console 750 (distinct from the second cloud portal) that allows users authenticated within the second cloud infrastructure 720 to perform control plane operations on resources of the first cloud infrastructure 710 exposed through the multicloud infrastructure. In other words, the multicloud console 750 forms a gateway for users of the second cloud environment 720 to access resources deployed in the first cloud environment 710. It is understood that a user 705 can issue requests (e.g., CRUD requests) related to resources provided by the first cloud infrastructure directly from the multicloud console 750.
[0143] The first cloud environment includes an MCCP 712 that includes multiple microservices, such as a proxy module 712A, a platform services module 712B, and a pool of adapters 712C. The pool of adapters 712C includes a cloud link adapter, a database (DB) adapter, a network adapter, an observability adapter, and a support adapter.
[0144] Each adapter included in the adapter pool 712C is responsible for exposing a unique set of underlying resources (provided by the first cloud environment) to users of another cloud environment (e.g., a second cloud environment). In particular, each adapter in the adapter pool 712C maps to a specific product or resource provided by the first cloud infrastructure. Note that in some implementations, the actual resources may be created by a native control plane (not shown) of the first cloud infrastructure. The native control plane of the first cloud environment provides management and orchestration of the entire cloud environment. In the native control plane, configuration baselines can be set, user and role access is provisioned, and applications exist so that they can run with their associated services. For example, with respect to database as a service (DBaaS), a DBaaS control plane included in the native control plane of the first cloud environment is configured to instantiate an exadatabase resource within the customer's tenancy 714 of the first cloud environment.
[0145] Requests issued by a user 705 on the multi-cloud console 750 are routed to the MCCP's proxy module 712A. Note that the proxy module 712A processes incoming requests to perform authentication and access control. Each request includes a token (described below) associated with the user's account in the second cloud infrastructure. The proxy module extracts this token and validates the token together with the access control module 723B (i.e., the identity provider system of the second cloud environment). Upon successful validation, the proxy module 712A may check the role (i.e., set of permissions) associated with the user. Note that a role may be associated with one or more tasks / operations that are permitted for the role.
[0146] According to one embodiment, the proxy module 712A is responsible for authenticating incoming requests to the MCCP and authorizing if the user is allowed to perform the requested operation based on the role associated with the token. In some implementations, the proxy module 712A may perform the aforementioned authentication process by utilizing custom authentication capabilities of a service platform (SPLAT) associated with the first cloud infrastructure. It is understood that SPLAT is, broadly speaking, an infrastructure that facilitates the delivery of various cloud services offered by cloud service providers. The SPLAT receives and forwards the incoming request to the proxy module 712A, which further parses the incoming request to determine an authorization decision and returns a success or failure message to the SPLAT. Upon success, the SPLAT may direct the request to a routing module, which directs the request to an appropriate adapter in a pool of adapters; whereas, upon failure, the SPLAT returns an error response directly to the caller.
[0147] According to one embodiment, the proxy module 712A receives pre-authenticated requests from the service platform (i.e., SPLAT) of the first cloud environment and routes the requests to the appropriate adapter based on the route information included in the incoming request. In some implementations, the proxy module may extract an identifier corresponding to the provider of the service (from the incoming request) and route the request to the appropriate adapter in the pool of adapters 712C.
[0148] The cloud link adapter included in MCCP 712 is responsible for handling lifecycle operations of resources provided by the first cloud environment. The cloud link adapter is configured to create a mapping (or relationship created during the sign-up process) between a user's account in the second cloud environment and the user's corresponding tenancy / account in the first cloud infrastructure. In other words, the cloud link adapter generates a mapping of a first identifier associated with the user's tenancy in the first cloud environment to a second identifier associated with the user's account in the second cloud environment.
[0149] In some implementations, the cloud link adapter performs translation between an external cloud identifier (e.g., a second identifier associated with the user's account in the second cloud environment) and a first identifier (associated with the user's tenancy in the first cloud environment) to enable operations traversing the MCCP to be mapped to the appropriate underlying resource in the first cloud environment. In some embodiments, the cloud link adapter generates a data object to store such mapping information. Additionally, the cloud link adapter also generates a resource principal associated with the data object. The resource principal is assigned one or more permissions based on the token (and its associated role) included in the request. Access to downstream services provided by the first cloud environment is achieved by the user from the second cloud infrastructure based on the resource principal. The cloud link adapter may store the data object and the associated resource principal in the root partition of the user's tenancy in the first cloud infrastructure. Alternatively or additionally, the cloud link adapter may maintain data objects and resource principals locally in the multi-cloud infrastructure platform module 712B for seamless access by other adapters included in the multi-cloud infrastructure.
[0150] The network adapter (also referred to as a network link adapter) is responsible for creating a network link (i.e., a communication link / channel) between a customer account 721 (in the second cloud environment) and a corresponding customer tenancy / account 714 (in the first cloud environment). In some embodiments, the network link adapter obtains a token (from the platform module 712B) and creates (1) a first peering relationship (in the first cloud environment) between the MCNDP 716 and the customer tenancy 714, and (2) a second peering relationship (in the second cloud environment) between the customer account 721 included in the second cloud environment and a multi-cloud services account 726A of the first cloud service provider 717. The MCNDP 716 in the first cloud environment 710 includes a high-speed connection and a hub-and-spoke VCN that provision network connectivity (e.g., from on-premises locations, from external cloud environments) established with a customer's tenancy 714 in the first cloud environment. Meanwhile, a transit gateway included in the multi-cloud service account peers with the customer's account in the second cloud environment. A network adapter can configure an interconnect 719 to communicatively couple the two cloud environments. Specifically, at one end, the interconnect is coupled with a direct connection (located in the multi-cloud service account 726A), and at the other end, the interconnect is coupled with a high-speed connection in the MCDP. It is understood that the high-speed connection (included in the first cloud environment) and the direct connection included in the second cloud environment can be co-located within the same region. Furthermore, forming a network link between the two cloud environments allows applications running in the customer's account (e.g., within the customer's VPC in the second cloud environment) to access resources (e.g., exadatabase resources deployed in the customer's tenancy 714 in the first cloud environment). It is understood that the network link communicatively couples a user's tenancy in a first cloud environment to a user's account in a second cloud environment.
[0151] As shown in FIG. 7 , the observability module (included in the pool of adapters 712C) is configured to mirror or forward (e.g., publish) logs, metrics, and other performance parameters related to resources deployed in a customer's tenancy in the first cloud environment to a dashboard included in the monitoring module 724 included in the second cloud environment, for example, for further processing. According to some embodiments, the platform services module 712B included in the multi-cloud infrastructure is configured to store authentication information associated with services of the first cloud environment provided to users of the second cloud infrastructure. The platform services module 712B, for example, provides tokens / resource principals for the various adapters included in the pool of adapters 712C so that the adapters can communicate with the native control plane of the first cloud infrastructure. According to some embodiments, the platform services module 712B exposes APIs that are called by the various adapters to perform tasks such as: Selling minimally scoped access tokens (issued by the second cloud infrastructure) to adapters. For example, a network adapter needs an access token to perform the network peering operations mentioned above. Provides a resource principal that the adapter uses to invoke downstream services to create resources in the customer's tenancy in the first cloud infrastructure. Inducing replication of observability data (logs, metrics, events) from the first cloud infrastructure to the second cloud infrastructure.
[0152] As previously mentioned, the adapter pool 712C includes multiple adapters, each responsible for exposing a unique set of underlying resources of the first cloud infrastructure to users of the second cloud infrastructure; i.e., each adapter maps to a specific product or resource provided by the first cloud environment. For example, the Exadatabase adapter serves as a proxy through which users of the second cloud infrastructure can create and utilize Exadatabase resources. An Exadatabase is a pre-configured combination of hardware and software that provides the infrastructure for running a database. In some embodiments, an Exadatabase includes the following stack of resources: (a) Exadata infrastructure (i.e., hardware), (b) VM cloud cluster, (c) container database, and (d) pluggable database. In some embodiments, the multicloud infrastructure provides users of the second cloud infrastructure the ability to analyze each level of the stacked infrastructure. Furthermore, the MCCP provides the flexibility for users to simply issue a workflow creation command (via the multicloud console 750), and the MCCP then performs the automated creation of individual resources at each level of the stack. 7, the pool of adapters 712C includes five different adapters, although it will be understood that this in no way limits the scope of the MCCP architecture 700. The MCCP architecture may include other adapters, for example, proprietary adapters intended for use by specific cloud service providers based on the cloud service provider's requirements.
[0153] During operation, when a user 705 accesses the multi-cloud console 750 (e.g., for the first time) to perform a sign-up operation (e.g., for a multi-cloud service), the user 705 is redirected to a provisioning module 722 (included in the second cloud environment 720). The user may perform a login operation to the second cloud environment, i.e., using credentials associated with the second cloud environment. Upon successfully logging in to the second cloud environment, the provisioning module 722 performs the required configuration of resources in the customer's account in the second cloud environment. Note that provisioning of the required resources in the second cloud environment may include creating roles (and associated policies) and configuring a user pool with the identity system 723.
[0154] The provisioning process, for example, authorizes a multi-cloud service account in the second cloud environment to access resources in a customer's account in the second cloud environment. In doing so, resources in the first cloud environment 710 may perform an action with respect to the second cloud environment. For example, an observability adapter / module (included in pool of adapters 712C) may send metrics associated with resources deployed in the first cloud environment to a monitoring module in the second cloud environment. As another example of the provisioning process, a network adapter (included in pool of adapters 712C) may connect a transit gateway in the second cloud environment to a customer's VPC, i.e., form a peering within the second cloud environment.
[0155] According to some embodiments of the present disclosure, the identity system 723 of the second cloud environment 720 includes functionality (referred to herein as “assuming a role”) that allows a user or service to temporarily acquire the permissions of a different role. Such functionality enables cross-account access or delegation of permissions within or outside the same account. When a user or service assumes a role, they receive a set of temporary security credentials that may include an access key, a secret access key, and a session token. These credentials can then be used to make API calls or access resources (in the second cloud environment) based on the permissions granted to the assumed role. Thus, as part of the provisioning process, a multi-cloud service account may be configured to assume a role, and the multi-cloud service account may use this role to access a customer's account in the second cloud environment.
[0156] Once a user successfully logs into the second cloud environment 720 and completes the provisioning process described above, an access token may be issued to the user. Such token is then forwarded to the multi-cloud console 750, which in turn forwards the token to the MCCP 712. A proxy module 712A included in the MCCP 712 performs authentication of the user as described above, and, if the user is successfully authorized (e.g., by checking whether the user has sufficient privileges to issue a particular type of request), forwards the request to an appropriate adapter included in a pool of adapters 712C to fulfill the user's request.
[0157] In providing services of a cloud environment (e.g., a first cloud environment 710) to customers of another cloud environment (e.g., a second cloud environment 720), there is a need for a framework (i.e., a multi-cloud infrastructure framework) that allows users of the other cloud environment (i.e., the second cloud environment) to access / control resources (deployed in the first cloud environment) from their respective cloud environments in a manner that is transparent to the users. A key aspect of a multi-cloud infrastructure is to design an identity framework that is configured to validate whether users of the other cloud environments have sufficient rights / permissions to issue requests to the first cloud environment to access / modify the deployed resources.
[0158] A simple approach to implementing an identity management framework in a multi-cloud setting is to rely on the identity management tool of an external cloud (e.g., a second cloud environment) to perform user validation. For example, if the second cloud environment is AWS, AWS's identity management tool, i.e., Cognito, may be used for identity management. A drawback of such an approach is that services such as Cognito require specialized configuration and are time-consuming. Furthermore, relying on a specific service provider's identity management system (e.g., AWS's Cognito) introduces compatibility issues and therefore may not be widely used or accepted. Therefore, a unified identity management framework is described herein that allows users of any external cloud environment to access resources (in a first cloud environment) when validated.
[0159] Figure 8 shows a multi-cloud architecture 800 illustrating an identity framework, according to some embodiments. Figure 8 shows interaction between two cloud environments, e.g., a first cloud environment 810 (provided by a first cloud service provider) and a second cloud environment 860 (provided by a second cloud service provider). The first cloud environment 810 includes multiple components, such as a portal 811 (e.g., a sign-on portal for the first cloud environment), a customer tenancy 813, a service platform 815, a multi-cloud control plane 820, a database 821, and downstream services 830. The customer tenancy 813 includes an identity module 813A and one or more policies 813B (e.g., associated with a user).
[0160] The second cloud environment 860 includes a customer account 861, a multicloud account (also referred to herein as a multicloud service account) 863, and one or more APIs 864 of the second cloud environment. As described below, the architecture 800 of FIG. 8 provisions users of the second cloud environment 860 to deploy and utilize resources in the first cloud environment 810. In some implementations, requests to issue deployments of such resources may be made through the multicloud console 850. For example, the request may be directed to a GUI of the multicloud console that provides a list of one or more services (e.g., Exadatabase service, MySQL® service, autonomous database service, virtual database service, etc.). Below, an identity framework is described that is implemented to enable authorized users of the (second cloud environment) to utilize services of the first cloud environment. The identity framework uses identity federation as a tool for multicloud authentication of users.
[0161] According to some embodiments, the steps for managing user identities within the multi-cloud infrastructure environment 800 are as follows: (1) In step 1, a user 801 performs a login operation to a first cloud environment. Note that this login operation may be performed using the user's credentials associated with the first cloud environment. Note that this login operation may be performed via a portal 811, for example, a sign-on user interface portal (SOUP), also referred to as a sign-on portal, of the first cloud environment. The request is forwarded from the SOUP to an identity management system (i.e., an identity module) of the first cloud environment 813A for the purpose of authenticating the user. An example of an identity management system may be identity cloud services (IDCS).
[0162] Upon successful authentication, the user may be redirected to the second cloud environment. In particular, the user may be directed to an identity provider of the second cloud environment. In step 1.1, the user may perform a login operation on the second cloud environment using the user's credentials associated with the second cloud environment. Upon successful login, in step 1.2, the user identities (e.g., user groups, group policies, roles, etc.) from the second cloud environment 860 may be federated, i.e., migrated, to the first cloud environment. According to some embodiments, the federation process is facilitated by the use of a connector framework associated with the identity system of the first cloud environment. Details of the federation process and the use of the connector framework are described below with respect to FIGS. 10 and 11.
[0163] When user 801 successfully logs in to the first cloud environment 810, in step 2, the user is provided with an access token, e.g., a user principal session token (UPST), and redirected to the multicloud console 850. Note that the UPST is generated by the identity module 813A in response to successfully authenticating the user's credentials (e.g., login information). User 801 may use the multicloud console 850 to issue a request, such as to deploy one or more resources (e.g., an exadatabase resource, an autonomous database resource, etc.) to the first cloud environment 810. The multicloud console 850 invokes an API call (including the UPST) to the service platform (SPLAT), as shown in step 3. SPLAT is configured to authorize the UPST (in step 4), i.e., determine whether the user is entitled (i.e., has sufficient privileges / permissions) to issue the call to the multicloud console 850 and verify the roles, permissions, etc. associated with the token. According to some embodiments, the user's authorization may be performed with respect to the user's roles, policies, and other information (i.e., policies 813B) federated from the second cloud environment 860 and stored in the customer's tenancy in the first cloud environment 810. Upon successful validation of the UPST (i.e., the user is successfully validated), the request is forwarded to the multi-cloud control plane 820.
[0164] According to some embodiments, as described above with respect to Figure 7, one aspect of the multi-cloud control plane 820 is to establish a network link between a first cloud environment and a second cloud environment (e.g., establish a network / communication link between a customer's account in the two cloud environments). To do this, the multi-cloud control plane 820 needs access to the customer's account in the second cloud environment. In some implementations, this access is achieved through a multi-cloud account 863, i.e., a multi-cloud service account deployed in the second cloud environment and belonging to the cloud service provider of the first cloud environment.
[0165] It is understood that a simple way for the multi-cloud control plane 820 to access different customer accounts in the second cloud environment 860 is for individual customers to be able to provide an API key to the multi-cloud control plane 820. In this configuration, the multi-cloud control plane 820 would be burdened with the task of storing multiple keys, one key corresponding to each customer's account in the second cloud environment, to gain access to each customer's account in the second cloud environment. Clearly, such a framework is not scalable and further imposes a computational burden on the multi-cloud control plane 820. Therefore, to avoid this, according to some embodiments of the present disclosure, the multi-cloud control plane 820 accesses different customer accounts in the second cloud environment 860 via a multi-cloud service account 863 pre-deployed in the second cloud environment 860. Such access to different customer accounts in the second cloud environment 860 may be obtained via a single session token stored in the database 821 in the first cloud environment 810.
[0166] The multi-cloud control plane 820 retrieves a session token (e.g., a private key) from the database to access the multi-cloud service account 863 in the second cloud environment 860 (step 5). The multi-cloud service account 863 then binds with the different customer's account in the second cloud environment to establish a network link. Note that as part of this binding, the multi-cloud service account also accesses the compute instances running in the customer's account in the second cloud environment. Additionally, a copy of the user's roles may be made available in the multi-cloud service account 863 (step 6). Note that the session token may also be utilized by the multi-cloud control plane 820 to access one or more APIs of the second cloud environment, for example, to perform the provisioning of required resources (described later with reference to FIG. 12 ). Further, in step 8, the multi-cloud control plane exchanges / converts the UPST into an on-behalf-of token (OBO) to issue downstream calls to native services (i.e., downstream services) in the first cloud environment.
[0167] It is understood that required provisioning of resources is performed within the second cloud environment to enable the multi-cloud service account 863 to access individual customer accounts in the second cloud environment. For example, as described above with reference to FIG. 7, the provisioning module 722 allows a developer to define and provision infrastructure resources using an infrastructure as code template. In other words, the provisioning module 722 automates the required configuration of resources in customer accounts in the second cloud environment 720. The provisioning module 722 may also be configured to set required resources that enable components of the first cloud environment (i.e., the multi-cloud service account) to access resources in customer accounts in the second cloud environment. A detailed description of the provisioning of required resources is described later with reference to FIG. 12. Furthermore, in the above-described architecture of FIG. 8, a software development kit (SDK) 840 may be implemented by a user to perform the above-described functions in a programmatic manner.
[0168] FIG. 9 shows an exemplary flowchart 900 illustrating steps corresponding to a user sign-up process, according to some embodiments. The process shown in FIG. 9 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective systems, using hardware, or a combination thereof. The software may be stored in a non-transitory storage medium (e.g., a memory device). The method presented in FIG. 9 and described below is intended to be exemplary and non-limiting. While FIG. 9 shows various process steps occurring in a particular sequence or order, this is not intended to be limiting. In an alternative embodiment, the process may be performed in some different order, or some steps may be performed in parallel.
[0169] The process begins in step 901, where a user navigates to a multicloud console (e.g., via a browser). For example, the user navigates to a sign-up API / GUI of the multicloud console to sign up for a multicloud service provided by a first cloud environment. Such an interface of the multicloud console is referred to herein as a sign-up GUI. In step 903, the user enters a tenancy name (e.g., an identifier for a tenancy in the first cloud environment) or selects to sign up for a tenancy in the first cloud environment.
[0170] In response to the user selecting to sign up for a tenancy in the first cloud environment, the process moves to step 904, where the user is directed to a sign-up page for the first cloud environment. Thereafter, upon signing up for a tenancy in the first cloud environment, the process returns to step 903. In response to the user entering a tenancy name in step 903, the process moves to step 905, where the user enters their authentication information (e.g., login username, password, etc.) to perform a login operation. In step 907, the process performs a query to determine whether a network link (i.e., a communication link between the customer's account in the second cloud environment and the customer's tenancy in the first cloud environment) exists. In some implementations, such a determination may be made by querying a link resource object that contains information linking the user's tenancy in the first cloud environment to the user's account in the second cloud environment. Such a link resource object may also include information (e.g., a status flag) indicating whether a network link is configured between the respective cloud environments. If the response to the query is affirmative, the process moves to step 923; otherwise, in response to the query being negative, the process moves to step 908.
[0171] If a multi-cloud link (i.e., a network link) does not exist, then in step 908, the process redirects the user to the second cloud environment (e.g., redirects the user to a GUI associated with the second cloud environment). In particular, the user is redirected to perform a login operation using credentials associated with the second cloud environment. Such a GUI may correspond to a login GUI associated with a portal of the second cloud environment. If the login is successful, then in step 909, the process initiates a validation process. In particular, the process attempts to validate a set of required resources configured in the second cloud environment. Note that a set of required resources is required to establish a network link between two cloud environments.
[0172] According to some embodiments, a provisioning module (block labeled 722 in FIG. 7 ) included in a customer's account in the second cloud environment can trigger the provisioning process of the required resources. For example, the provisioning module causes an access control module (block labeled 723B in FIG. 7 ) to initiate provisioning of the required resources for a user. This provisioning includes creating a set of one or more roles (and associated policies, permissions, etc. corresponding to each role) for one or more users of the second cloud environment. In some implementations, the access control module serves as a user directory for the second cloud environment. In particular, the access control module may be configured to perform functions such as creating user pools and adding user sign-up, sign-in, and access control to web and mobile applications.
[0173] In some implementations, the provisioning module is configured to create a hierarchy of resources (i.e., a set of required resources), each of which is associated with a corresponding role, e.g., a network role, an observability role, and a validator role. It is understood that the network role allows for the creation of network links, i.e., communication paths, to interconnect resources in the first and second cloud environments, while the observability role provisions an observability module (i.e., an observability adapter included in the MCCP) to expose metrics associated with one or more resources deployed in the first cloud environment, which are forwarded to a monitoring module in the second cloud environment. In some implementations, the provisioning module may also be configured to set required resources that enable components of the first cloud environment to access resources in a customer's account in the second cloud environment. According to some embodiments, this is accomplished by enabling the multi-cloud service account (block labeled 726A in FIG. 7) to access resources in the customer's account, e.g., by allowing the multi-cloud service account to peer with the customer's account, by enabling components of the multi-cloud infrastructure (e.g., an observability adapter to expose metrics in the second cloud environment, etc.). Further details regarding provisioning of the required resources are described below with reference to FIG. 12.
[0174] At step 911, the process executes a query to determine whether the required resources are properly configured and validated. If the response to the query is affirmative, the process moves to step 917; otherwise, the process moves to step 913. At step 913, i.e., if the required resources are not configured, a provisioning module within the customer's account in the second cloud environment is activated to initiate a process to provision the required resources as described above. Such a process includes the user performing a login operation within the second cloud environment to execute the required resource provisioning process (step 915). Upon successful execution of the required resource provisioning process, the process returns to step 911.
[0175] Once the required resources are validated, the process checks what geographic regions are available (for both the first and second cloud environments) so that a network link can be established, in step 917. For example, a check may be performed to determine that the selected regions for the first and second cloud environments are co-located (i.e., geographically located near each other) so that a network link can be established between the two cloud environments.
[0176] At step 919, a primary region is selected (from the available regions obtained at step 917) for both cloud environments. For example, a first primary region for a first cloud environment is selected from the available regions of the first cloud environment, and a second primary region for a second cloud environment is selected from the available regions of the second cloud environment. Once the primary regions for the two cloud environments are selected, the process at step 921 establishes a network link between the two cloud environments.
[0177] In some implementations, step 921 may initiate a workflow that performs multiple functions. For example, the workflow may include steps such as (i) causing a network adapter (included in the MCCP in FIG. 7) to configure an interconnect (link labeled 719 in FIG. 7) to communicatively couple the two cloud environments, and (ii) creating a partition in the user's tenancy in the first cloud environment so that the requested resources may be deployed thereto. It is understood that configuring the interconnect may include (on one end) coupling the interconnect with a direct connection (located in multi-cloud service account 726A) in the second cloud environment, and (on the other end) coupling the interconnect with a high-speed connection included in the first cloud environment.
[0178] At step 923, the process determines the status of the multicloud link. For example, the process determines whether the network link is up and functioning properly. At step 925, a query is performed to determine whether the network link is ready. If the query is answered affirmatively, the process moves to step 927, where the user is directed to the multicloud console, e.g., to an API of the multicloud console that indicates (i.e., provides a list of) various resources that may be available for deployment by the user to the user's tenancy in the first cloud environment. If the query at step 925 is answered negatively, the process returns to step 923, where the status of the network link is rechecked.
[0179] As mentioned above, in providing services of a first cloud environment to customers of another cloud environment (e.g., a second cloud environment), there is a need for a framework (i.e., a multi-cloud infrastructure framework) that allows users of the other cloud environments to access / control resources (deployed in the first cloud environment) from their respective cloud environments in a manner that is transparent to the users. Figure 8 illustrates such a multi-cloud infrastructure framework, which includes a unified identity management framework that allows users of any external cloud environment to access resources deployed in the first cloud environment upon successful validation. A key aspect of the validation process was federating user authentication information in one cloud environment (e.g., the second cloud environment) so that it is automatically replicated / synchronized within another cloud environment, e.g., the first cloud environment (see step 1.2 of Figure 8).
[0180] The following describes a process, i.e., a federation mechanism, for instantiating a multi-cloud service account (e.g., the block labeled 726A in FIG. 7 ) in a second cloud environment to establish trust between the two cloud environments and subsequently enable user authentication information to be synchronized from the second cloud environment to the first cloud environment. Identity federation is understood to be the process of delegating the authentication responsibility of an individual or entity to a trusted external party. Each party in the federation process plays the role of an identity provider (IdP) or a service provider (SP). In identity federation, the IdP vouches for the user's identity, and the SP provides services to the user. When a user wants to access the SP's services, the SP delegates authentication to the IdP. Note that for identity federation to occur, the SP must trust the IdP's authentication capabilities. The following describes a specific framework adopted by a multi-cloud infrastructure in performing identity federation, with reference to FIG. 10.
[0181] 10 , a block diagram 1000 illustrating an identity connector framework for a first cloud environment is shown, according to some embodiments. In particular, FIG. 10 shows an identity system for a first cloud environment 1010 and an identity system for a second cloud environment 1030 communicatively coupled to each other. The identity system for the first cloud environment 1010 includes an identity management service 1011, an identity connector framework 1013, and a connector 1015.
[0182] According to some embodiments of the present disclosure, federation is achieved through the use of the identity connector framework (ICF), which provides a consistent, generic layer between a calling application (e.g., identity management service 1011) and a connector module / connector bundle that accesses a target resource (e.g., user credentials in the identity system 1030 of the second cloud environment). While each target resource may be a system or application in itself, the connector bundle allows any calling application to manage objects that exist in the target resource. Thus, the connector 1015 is an integration tool used in the identity system of the first cloud environment. The connector is built on the ICF framework 1013 and is intentionally stateless; i.e., the connector does not store information. The calling application (e.g., identity management service 1011) provides the connector 1015 with a set of values for its configuration, which includes information needed to connect to the target application. This is because identity connectors are stateless, thereby decoupling the implementation of each connector bundle from the implementation of the calling application. In other words, a connector is a component that enables federation from one identity system (e.g., a second cloud environment) to a different identity system (e.g., a first cloud environment).
[0183] The federation process is understood to allow any changes made to a user identity in the second cloud environment (e.g., adding a user, removing a user membership from a particular user group, etc.) to be seamlessly reflected in the identity system of the first cloud environment. The federation process in this disclosure is enabled by connector 1015, which communicates with endpoints in a multi-cloud service account (i.e., an account owned by a first cloud service provider of a first cloud environment and deployed to a second cloud environment) to retrieve information (e.g., user identity information) from the second cloud environment.
[0184] Figure 11 shows an exemplary swim diagram illustrating steps corresponding to a process of performing identity federation, according to some embodiments. In particular, Figure 11 shows steps performed in federating a user's identity from a second cloud environment 1130 to a first cloud environment 1110. Figure 11 shows interactions between the first cloud environment's identity service 1101, the first cloud environment's multi-cloud platform 1102, the first cloud environment's database (secret store) 1103, a multi-cloud account (i.e., multi-cloud service account 1105) included in the second cloud environment, the second cloud environment's customer's account 1106, and the customer's VPC, including the identity service 1107.
[0185] According to some embodiments, the identity service (or alternatively, the connector module) of the first cloud environment 1101 communicates with an endpoint in the second cloud environment to retrieve the customer's credentials from the customer's account in the second cloud environment. It is understood that the identity service of the first cloud environment cannot directly access the customer's account in the second cloud environment due to trust and policy issues. Therefore, the endpoint with which the connector communicates is a multi-cloud service account owned by the provider of the first cloud environment and located in the second cloud environment. Note that during the required resource provisioning process performed at user signup (described next with reference to FIG. 12 ), the multi-cloud service account is granted access to the customer's account in the second cloud environment. In other words, trust is established between the multi-cloud service account and the customer's account in the second cloud environment.
[0186] Additionally, according to some embodiments of the present disclosure, the identity system 723 of the second cloud environment 720 includes functionality (referred to herein as “assuming a role”) that allows a user or service to temporarily acquire the permissions of a different role. Such functionality enables cross-account access or delegation of permissions within or outside the same account. When a user or service assumes a role, they receive a set of temporary security credentials that may include an access key, a secret access key, and a session token. These credentials can then be used to make API calls or access resources (in the second cloud environment) based on the permissions granted to the assumed role. Thus, as part of the provisioning process, a multi-cloud service account may be configured to assume a role, and the multi-cloud service account may use this role to access a customer's account in the second cloud environment.
[0187] The process begins at step 1, as shown in FIG. 11, where an identity service 1101 in a first cloud environment sends a request to a multi-cloud platform 1102 to retrieve credentials associated with a multi-cloud account 1105 deployed in a second cloud environment. In step 2, the multi-cloud platform 1102 attempts to retrieve the credentials from a database 1103 included in the first cloud environment. The credentials are obtained by the multi-cloud platform 1102 in step 3. Upon obtaining the credentials, in step 4, the multi-cloud platform 1102 attempts to assume a role with respect to the multi-cloud service account, i.e., the multi-cloud platform 1102 is assigned a role that allows it to access the multi-cloud service account 1105. If the required resource configuration was performed correctly during user sign-up, the multi-cloud platform 1102 retrieves credentials (e.g., first credentials) associated with the multi-cloud service account (step 5).
[0188] Upon successfully accessing the multi-cloud service account, the multi-cloud platform 1102 attempts to assume a role (based on the credentials obtained in step 5) for the customer's account 1106 in the second cloud environment 1130 in step 6. Note that this is possible because the multi-cloud service account 1105 was granted permission to access the customer's account in the second cloud environment during configuration. In step 7, credentials (e.g., second credentials) associated with the customer's account are obtained by the multi-cloud platform 1102. In step 8, a role change process is performed, and the credentials associated with the customer's account 1106 in the second cloud environment obtained by the multi-cloud platform 1102 are passed / sent to the identity service module 1101 of the first cloud environment. Upon obtaining the second credentials, the identity service module of the first cloud environment is communicatively coupled to the identity service 1107 of the second cloud environment (step 9). In step 10, upon obtaining the second authentication information, the identity service 1101 of the first cloud environment can issue a call / request to the identity service of the second cloud environment to synchronize the user identity, i.e., user groups, permissions, roles, etc. In this way, the user identity is federated from the second cloud environment to the first cloud environment. It is noted that the above-described identity federation process may be performed continuously at a fixed time instance so that any changes in the user identity performed in the second cloud environment are seamlessly migrated to the first cloud environment.
[0189] Referring now to FIG. 12 , an exemplary swim diagram illustrating steps corresponding to a required resource validation process is shown, according to some embodiments. In particular, FIG. 12 shows steps performed in determining whether a set of resources that facilitates a user of a second cloud environment utilizing a multi-cloud service provided by a first cloud environment that is different from the second cloud environment is configured in the second cloud environment. FIG. 12 shows interactions between a user 1201, a provisioning module 1202 of the second cloud environment, an identity management module 1203 of the second cloud environment, a multi-cloud console (sign-up) 1205 included in the first cloud environment, a multi-cloud control plane (MCCP) 1206 of a multi-cloud infrastructure included in the first cloud environment, a multi-cloud database 1207, and a multi-cloud service account 1208. It is understood that the multi-cloud console 1205, like the MCCP 1206, can be considered a component of the multi-cloud infrastructure included in the first cloud environment.
[0190] The process begins at step S1, where a user 1201 provides authentication information (e.g., an account ID associated with a second cloud environment) to a multi-cloud sign-up console 1205, e.g., a multi-cloud console sign-up API. Upon receiving the authentication information, the multi-cloud console 1205 sends a request to the MCCP 1206 to determine whether the required set of resources has been configured for this user (step S2).
[0191] In response to receiving a request to initiate validation of the set of required resources, in step S3A, MCCP 1206 retrieves from database 1207 credentials associated with the service account, i.e., the multi-cloud service account instantiated in the second cloud environment and belonging to the first cloud environment. In step S3B, MCCP 1206 retrieves the credentials associated with the service account. Further, in step S4A, MCCP 1206 accesses service account 1208 based on the credentials retrieved in step S3B. Essentially, MCCP 1206 assumes the role of an agent, i.e., acting on behalf of the customer, to access the service account. In step S4B, MCCP 1206 retrieves temporary access credentials for the service account.
[0192] In step S5, MCCP 1206 proceeds to assume the validator role, i.e., a role that allows MCCP 1206 to perform validation of the user. In some implementations, an API associated with MCCP 1206 assumes the validator role and performs user validation. In one case, when user 1201 is accessing multi-cloud console 1205 for the first time (e.g., to sign up for services provided by the multi-cloud infrastructure), provisioning of the required set of resources has not yet occurred. Therefore, in step S6, the identity system (including IAM module 1204) of the second cloud environment sends a notification to MCCP 1206 indicating that the validator role does not exist. In step S7, MCCP 1206 may store metadata information including the user's tenancy identifier in the first cloud environment and the user's account in the second cloud environment.
[0193] The MCCP 1206 sends a notification to the multicloud console 1205 informing it that the required configuration of the resource is incomplete or invalid (step S8). Then, in step S9, the multicloud console 1205 provides a notification to the user (e.g., via an API associated with the multicloud console) to initiate or undertake the provisioning process for the required resource. In step S10, the user 1201 communicates with a provisioning module 1202 included in the customer's account in the second cloud environment to trigger the provisioning process.
[0194] In step S11, the provisioning module 1202 causes the IAM module 1203 to initiate provisioning of the required resources for the user. For example, as described above with reference to FIG. 7, this provisioning includes creating a set of one or more roles (and associated policies, permissions, etc. corresponding to each role) for one or more users of the second cloud environment. In some implementations, an access control module (included in the identity system of the second cloud environment) serves as a user directory for the second cloud environment. In particular, the access control module may be configured to perform functions such as creating a user pool and adding user sign-up, sign-in, and access control to web and mobile applications. In some implementations, the provisioning module 1202 is configured to create a hierarchy of resources, each of which is associated with a corresponding role, e.g., a network role, an observability role, and a validator role.
[0195] It is understood that while the process of provisioning the required resources is running in the second cloud environment, the multi-cloud console 1205 of the first cloud environment may simultaneously communicate with the MCCP 1206 to determine whether prerequisite validation for the resources is configured (steps S2′, S5′, S6′, and S8′, corresponding to steps S2, S5, S6, and S8, respectively). Because the provisioning of the required resources is occurring simultaneously (i.e., not yet completed), in step S6′ the IAM module 1204 of the second cloud environment sends a notification to the MCCP 1206 indicating that the role has not yet been created.
[0196] In step S12, the multi-cloud console 1205 sends another request to the MCCP 1206 to determine whether the set of required resources has been configured for this user. The MCCP 1206 retries to assume the validator role (step S13). This time, because the role has been created (i.e., the required resources have been provisioned), the MCCP 1206 receives a notification from the IAM module 1204 of the second cloud environment informing it that the validator role exists. In particular, in step S14, the IAM module 1204 provides the MCCP 1206 with temporary credentials for a multi-cloud service account (e.g., deployed in the second cloud environment and controlled by the first CSP in the first cloud environment).
[0197] In step S15, the MCCP 1206 checks the validity of other roles in the hierarchy of roles. For example, the MCCP 1206 verifies whether the Network role and the Observability role have been created. In step S16, confirmation that the roles have been successfully created is received by the MCCP 1206. In step S17, the MCCP 1206 sends a notification to the multicloud console 1205 indicating that the configuration of the required resources is complete. Then, in step S18, the multicloud console 1205 may notify the user of the successful configuration of the required resources.
[0198] Additionally, in step S19, once the user is successfully directed to the multi-cloud console 1205, a cloud link adapter included in the MCCP may be activated and provide the user 1201 with the option to link the customer's account in the second cloud environment with the customer's account in the first cloud environment. In other words, the cloud link adapter performs a process for linking the customer's two accounts in two different cloud environments, as described below with reference to FIG. 14. Note that linking the two accounts in different cloud environments allows a user of the second cloud environment to utilize services provided by the multi-cloud infrastructure included in the first cloud environment. It is understood that when a user signs up for the multi-cloud infrastructure, the MCCP 1206 is also configured to create a network link that communicatively couples the first cloud environment to the second cloud environment.
[0199] According to some embodiments, one aspect of a multi-cloud infrastructure is the instantiation of a multi-cloud account (also referred to as a multi-cloud service account) in a first cloud environment that is controlled by a service provider of the first cloud environment and is pre-configured with sufficient permissions to communicate with accounts of different customers in the second cloud environment. In such a setup, there may be some security concerns that the multi-cloud service account may be coerced (e.g., by a malicious third party) into improperly accessing a particular customer's account in the second cloud environment. Such a security problem is referred to herein as the "confused deputy problem," i.e., the multi-cloud service account corresponds to a confused deputy. Below, security solutions implemented by the multi-cloud control plane to address the confused deputy problem are described.
[0200] As described above, the second cloud environment provides a service called a cross-account access service, i.e., a particular account is permitted to assume a role in another account in the second cloud environment. In a multi-cloud environment configuration, a multi-cloud service account (deployed in the second cloud environment) can utilize such a cross-account service. A security concern arising from this cross-account access service is the confused deputy problem, i.e., a multi-cloud service account may attempt to assume a role in a particular customer's account (under coercion from a malicious third party) to unauthorizedly access customer information. This specification describes techniques for preventing such unauthorized access by a multi-cloud service account. In particular, the techniques presented herein relate to (a) the utilization of an external ID (unique to each customer) that may be generated by the multi-cloud platform and / or the multi-cloud console, and (b) a mechanism for generating and storing the external ID.
[0201] FIG. 13 shows an exemplary swim diagram illustrating steps performed to address the confused proxy problem, according to some embodiments. In particular, FIG. 13 shows steps illustrating interactions between a multi-cloud sign-up console 1301, a provisioning module 1302 (included in a second cloud environment), an MCCP sign-up API 1303, a cloud link adapter's API 1304, an adapter 1305 (included in a pool of adapters), an MCCP platform 1306, and a customer's account 1307 in the second cloud environment. The swim diagram shown in FIG. 13 includes the generation of a unique ID (referred to herein as an external ID) for each customer by the multi-cloud platform (MCP). The customer's external ID is initially stored in the platform (e.g., in a key-value database included in the first cloud environment during the user sign-up process) and is short-lived. The external ID is ultimately stored in the respective customer's account (e.g., customer vault) in the second cloud environment upon formation of the cloud link, i.e., mapping between the customer's account in the first cloud environment and the customer's account in the second cloud environment. It is understood that the external ID may be stored in the customer vault or in a link resource object (i.e., cloud link object), after which the external ID may be removed from the key-value database included in the first cloud environment due to security concerns.
[0202] The process of Figure 13 begins at step S1, where the multi-cloud console 1301 sends a request (i.e., a prerequisite validation request) to the MCP sign-up API 1303. Such request may include the customer's account ID (in the second cloud environment). At step S2, the MCCP sign-up API 1303 attempts to obtain the customer's authentication information from the MCCP platform 1306. Because the customer's account has not yet been established, a "no access" message may be sent back to the MCCP sign-up API 1303, which may then be relayed to the multi-cloud console 1301 (step S3).
[0203] In step S4, the multicloud console 1301 sends a request to the MCCP platform 1306 to obtain the customer's external ID. In step S5, the MCCP platform 1306 generates the customer's external ID, i.e., a unique ID, and stores the generated ID in a database, for example, a key-value database. In step S6, the MCCP platform 1306 provides the external ID to the multicloud console 1301. In step S7, the multicloud console 1301 issues a request to the provisioning module 1302 to initiate a process of provisioning the required resources. The provisioning process may include the provisioning module 1302 causing an access control module (e.g., block labeled 803 in FIG. 8 ) to initiate provisioning of the required resources for the user. For example, as described above with reference to FIG. 7 , this provisioning may include creating a set of one or more roles (and associated policies, permissions, etc. corresponding to each role) for one or more users of the second cloud environment.
[0204] The access control module may be configured to perform functions such as creating user pools and adding user sign-up, sign-in, and access control to web and mobile applications. In some implementations, the provisioning module 1303 is configured to create a hierarchy of resources (referred to herein as a set of required resources), each of which is associated with a corresponding role, e.g., a network role, an observability role, and a validator role. It is understood that the network role allows for the creation of network links, i.e., communication paths, to interconnect resources in the first and second cloud environments, while the observability role provisions an observability module (of the MCCP) to publish metrics associated with one or more resources deployed in the first cloud environment, which are forwarded to a monitoring module in the second cloud environment. The validator role allows the multi-cloud infrastructure control plane to perform user validation. Note that the required provisioning of resources in step S7 corresponds to the required provisioning of resources corresponding to step S10 in FIG. 12. However, an additional requirement in the mandatory provisioning of resources in step S7 is the use of a generated external ID that is used as a parameter in the mandatory process validation for the customer.
[0205] It is understood that while the process of provisioning the required resources is running in the second cloud environment, the multi-cloud console 1301 of the first cloud environment may simultaneously communicate with the MCCP sign-up API 1303 to determine whether resource prerequisite validation is configured (step S8). Because the provisioning of the required resources is occurring simultaneously (i.e., not yet completed), in step S9 the MCCP sign-up API 1303 sends a notification to the multi-cloud console 1301 indicating that the role has not yet been created.
[0206] Furthermore, in step S10, the multi-cloud console 1301 of the first cloud environment communicates with the MCCP sign-up API 1303 to determine whether resource prerequisite validation is configured. If the prerequisite validation has been completed by the provisioning module of the second cloud environment, in step S11, the MCCP sign-up API 1303 sends a request to obtain authentication information from the MCCP platform 1306. Next, in step S12, the MCCP platform 1306 extracts the external ID stored in the key-value database in step S5. Based on the extracted external ID, the MCCP platform 1306 assumes a role for the customer's account in the second cloud environment 1307 in step S13 and extracts a session key in step S14. In step S15, the MCCP sign-up API 1303 utilizes the session key to obtain a list of roles, user groups, and other resources (step S16), after which the MCCP sign-up API 1303 may notify the multi-cloud console 1301 that the validation process is complete (step S17).
[0207] It is noted that up until this step (i.e., step S17), the customer's external ID is stored locally in the MCCP platform (e.g., in a key-value database). Furthermore, once the cloud linking process, i.e., the process of mapping the customer's account (in the first cloud environment) to the customer's account in the second cloud environment, is initiated, the external ID may be removed from the MCCP platform and stored in the customer's vault, i.e., in the customer's account compartment (e.g., in the second cloud environment). The external ID may be stored in the platform for a short period of time, e.g., one week, and then may be stored in the customer's vault for a long period of time. It is understood that steps S1-S17 correspond to the validation process, while steps S19-S22 correspond to the resource provisioning process.
[0208] In step S18, the multi-cloud console initiates the cloud link process, causing a request to be sent to the API of the cloud link adapter 1304. FIG. 14 shows a pictorial representation of such a mapping. In particular, referring to FIG. 14, a schematic diagram illustrating a cloud link resource object is shown, according to some embodiments. The cloud link resource object maps information of a user's account in a second cloud infrastructure to the user's tenancy in a first cloud infrastructure. As shown in FIG. 14, the second cloud environment 1410 includes a customer's account 1401, which includes certain account metadata 1402. The account metadata may include information such as a user group identifier. The first cloud environment 1405 includes a customer's tenancy 1411, which includes a cloud link resource object 1430. Cloud link resource object 1430 includes multiple parameters, such as a tenancy ID 1430A for the customer in the first cloud environment, a user pool ID 1430B that mirrors information in account metadata 1402, a client ID 1430C that corresponds to an identifier for the identity management system of the second cloud environment, a base partition ID that contains a pointer to a partition 1440 that has been instantiated for the customer, and an account ID 1430D that includes an identifier for the customer's account in the second cloud environment and contains a pointer to a partition 1440A that has been instantiated for the customer in the first cloud environment. It is understood that the customer's resources are deployed to the partition that has been instantiated for the customer in the first cloud environment.
[0209] 13, once the cloud linking process is complete, during the resource provisioning phase, an adapter 1305 (e.g., from a pool of adapters included in the MCCP) sends a request to obtain authentication information (e.g., for a multi-cloud service account in a second cloud environment) from the MCCP platform 1306. The MCCP platform 1306 may then extract an external ID from the customer's account in the second cloud environment and further assume a role that allows the MCCP platform to perform operations on behalf of the customer (step S20). For example, upon obtaining a session key from the customer's account 1307 in the second cloud environment (step S21), the adapter 1305 may utilize the session key to deploy a resource (e.g., an autonomous database) to the customer's account in the first cloud environment.
[0210] In this manner, the multi-cloud infrastructure of the present disclosure addresses the confused delegation problem by prohibiting unauthorized third-party entities from accessing customer accounts (i.e., because unauthorized third-party entities cannot access the external IDs stored in the customer vault and required to access the customer accounts). Note that the foregoing features with respect to FIG. 13 in no way limit the scope of the present disclosure. For example, in an alternative approach, the generation of a customer's external ID (and storage of the generated external ID in the customer vault) may be performed by the multi-cloud sign-up console.
[0211] FIG. 15 shows a schematic diagram illustrating the deployment of resources with a multi-cloud infrastructure, according to some embodiments. As shown in FIG. 15 , a first cloud environment includes a multi-cloud console 1551, a service platform (SPLAT) 1552, a proxy 1553, a cloud link adapter 1554, a database adapter 1555, and a platform 1556. When a user accesses the multi-cloud console 1551, in some implementations, the user may be directed to an identity management system 1560 of the second cloud environment to perform a login operation related to the second cloud environment. Note that upon successful login, the user is redirected back to the multi-cloud console 1551 with a token, e.g., an access token. It is understood that the user may utilize the multi-cloud console 1551 to issue commands to access, create, or update resources in the user's tenancy in the first cloud infrastructure. For purposes of explanation, the following describes a situation in which a user utilizes the multi-cloud console 1551 to issue a request to create a database resource, e.g., an exadatabase resource.
[0212] The multicloud console 1551 provides a number of options, such as, for example, creating a resource, accessing a resource, updating a resource, etc. Such options may be provided to the user in the form of selectable icons (e.g., buttons) within the multicloud console 1551. When the user makes a selection (e.g., to create a resource), an API call to the service platform 1552 is triggered. It is understood that in some implementations, the request made to the service platform 1551 may be a call, such as a REST-style call (or a POST call), that includes an authorization header that includes a token associated with the user in the second cloud infrastructure. The request also includes metadata information, including the account ID (of the second cloud environment), the resource name, the provider name, and the type of resource requested by the user.
[0213] The call, including the token, is further forwarded to a proxy module 1553, which performs authentication and access control operations. According to some embodiments, the proxy module 1553 performs authentication operations by extracting the token included in the call. In some implementations, the proxy module 1553 validates the token by comparing the signature (used to sign the request) with the publicly available signature of the second cloud infrastructure to ensure that the request originates from a valid customer associated with the second cloud infrastructure. Additionally, the proxy module 1553 may check the role, i.e., the privileges associated with the token, such as whether the role corresponds to a DB administrator. Based on the role, the proxy module 1553 may route the request to an appropriate adapter included in the MCCP framework, i.e., one of the adapters included in the pool of adapters 712C as shown in FIG. 7.
[0214] According to one embodiment, proxy module 1553 compares the role (associated with the token) with a pre-configured list of roles that have been published and assigned to each of the adapters (as part of the API specification). For example, if the role associated with the token corresponds to "Exadata DB Administrator," the request may be understood as a request to create an Exadatabase, and the request is therefore forwarded to database adapter 1555. Furthermore, according to some embodiments, proxy module 1553 may analyze information included in the REST call, such as the provider ID, the type of resource requested, etc., and based on the analyzed information, proxy module 1553 may forward the request to the appropriate adapter.
[0215] In some implementations, the request obtained by the proxy module 1553 may not include information identifying the user's tenancy in the first cloud infrastructure where the resource should be deployed. Therefore, the proxy module 1553 communicates with the cloud link adapter 1554 to obtain mapping information of the user's account in the second cloud infrastructure to the user's tenancy in the first cloud infrastructure. If the mapping information exists, the proxy module 1553 obtains information about the user's tenancy in the first cloud infrastructure and passes this information to the database adapter 1555. In this way, the database adapter 1555 knows the user's tenancy in the first cloud infrastructure where the resource should be created / deployed. However, if the cloud link adapter 1554 determines that the mapping information does not exist, the proxy module 1553 may simply issue an “access not authorized” message returned to the user as a response to the request to create the database resource.
[0216] Note that in some implementations, the cloud link adapter 1554 creates a data object (referred to herein as a cloud link resource object or link resource object) to store metadata information identifying the two linked accounts. For example, the data object stores metadata information including a mapping of a first identifier associated with a tenancy (i.e., an account) in the first cloud infrastructure and a second identifier associated with the user's account with the second cloud service provider. Such a mapping is referred to herein as a resource context. Additionally, the cloud link adapter 1554 may also create a resource principal (referred to herein as a cloud link resource principal) associated with the resource context. The cloud link adapter 1554 may maintain the data object and resource principal in the root partition of the user's tenancy in the first cloud infrastructure. In some embodiments, the cloud link adapter 1554 may also maintain the data object and / or resource principal locally within the platform 1156.
[0217] In some implementations, the database adapter 1555 may obtain resource principals maintained locally within the platform 1556. The database adapter 1555 may send a request (including the resource principals) to one or more downstream services included in the first cloud infrastructure to create resources in the user's tenancy within the first cloud infrastructure. In other words, the downstream services included in the first cloud infrastructure utilize the identity, i.e., the resource principals obtained from the platform 1556, to create / deploy the requested resource (e.g., an exadatabase in the user's tenancy within the first cloud infrastructure). Once the user issues a request to create an exadatabase, the user may intermittently poll the MCCP to obtain the status of the request. Once the downstream services in the first cloud infrastructure create the resources in the user's tenancy within the first cloud infrastructure, the MCCP may notify the user regarding successful completion of the request.
[0218] Cloud Infrastructure Examples As mentioned above, infrastructure as a service (IaaS) is a specific type of cloud computing. IaaS can be configured to provide virtualized computing resources over a public network (e.g., the Internet). In the IaaS model, a cloud computing provider can host infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., hypervisor layer), etc.). In some cases, an IaaS provider may offer various services (e.g., billing, monitoring, logging, security, load balancing, clustering, etc.) incidental to those infrastructure components. Accordingly, these services can be policy-driven, allowing IaaS users to implement policies to drive load balancing and maintain application availability and performance.
[0219] In some cases, IaaS customers may access resources and services over a wide area network (WAN), such as the Internet, and can use the cloud provider's services to install the remaining elements of their application stack. For example, a user may log into an IaaS platform to create virtual machines (VMs), install an operating system (OS) on each VM, deploy middleware such as databases, create storage buckets for workloads and backups, and even install enterprise software on the VMs. The customer can then use the provider's services to perform a variety of functions, including balancing network traffic, troubleshooting application issues, monitoring performance, managing disaster recovery, etc.
[0220] In most cases, the cloud computing model requires the participation of a cloud provider. A cloud provider may be, but need not be, a third-party service that specializes in providing (e.g., offering, renting, selling) IaaS. An entity may choose to deploy a private cloud and become its own provider of infrastructure services.
[0221] In some examples, IaaS deployment is the process of connecting a new application or a new version of an application to a prepared application server or the like. This process may include the process of preparing the server (e.g., installing libraries, daemons, etc.). This process is often managed by the cloud provider below the hypervisor layer (e.g., server, storage, network hardware, and virtualization). Thus, the customer may be responsible for handling the deployment of the OS, middleware, and / or application (e.g., on self-service virtual machines (e.g., that can be spun up on demand)).
[0222] In some examples, IaaS provisioning may also refer to obtaining computers or virtual hosts for use and installing needed libraries or services on those computers or virtual hosts. In most cases, deployment does not include provisioning, which may need to be performed first.
[0223] In some cases, IaaS provisioning presents two distinct challenges. First, there is the initial challenge of provisioning an initial set of infrastructure before anything can be run. Second, there is the challenge of evolving the existing infrastructure (e.g., adding new services, modifying services, removing services, etc.) after everything has been provisioned. In some cases, these two challenges may be addressed by allowing the configuration of the infrastructure to be defined declaratively. In other words, the infrastructure (e.g., which components are needed and how those components interact) may be defined by one or more configuration files. In this way, the entire topology of the infrastructure (e.g., which resources depend on which resources and how each of those resources works together) may be described declaratively. In some cases, after the topology is defined, workflows may be generated to create and / or manage the various components described in the configuration files.
[0224] In some examples, the infrastructure may include many interconnected elements. For example, there may be one or more virtual private clouds (VPCs) (e.g., configurable and / or shared, possibly on-demand pools of computing resources), also known as a core network. In some examples, there may be one or more security group rules and one or more virtual machines (VMs) provisioned to define how the network is secured. Other infrastructure elements, such as load balancers, databases, etc., may also be provisioned. The infrastructure can evolve over time as more infrastructure elements are desired and / or added.
[0225] In some cases, continuous deployment techniques may be employed to enable deployment of infrastructure code across various virtual computing environments. Additionally, the described techniques may enable infrastructure management within these environments. In some examples, a service team may write code that is desired to be deployed to one or more, but often many, different production environments (e.g., across various geographic locations, sometimes across the world). However, in some examples, the infrastructure onto which the code will be deployed must first be set up. In some cases, provisioning can be done manually, and provisioning tools may be utilized to provision the resources and / or deployment tools may be utilized to deploy the code after the infrastructure has been provisioned.
[0226] 16 is a block diagram 1600 illustrating an example pattern of an IaaS architecture according to at least one embodiment. A service operator 1602 may be communicatively coupled to a secure host tenancy 1604, which may include a virtual cloud network (VCN) 1606 and a secure host subnet 1608. In some examples, the service operator 1602 may employ one or more client computing devices, which may be portable handheld devices (e.g., iPhone®, mobile phone, iPad®, computing tablet, personal digital assistant (PDA)) or wearable devices (e.g., Google Glass® head-mounted display) that are Internet, email, short message service (SMS), Blackberry®, or other communication protocol enabled, running software such as Microsoft Windows Mobile® and / or various mobile operating systems such as iOS, Windows Phone, Android, BlackBerry 8, Palm OS, etc. Alternatively, the client computing devices may be general-purpose personal computers, including, by way of example, personal and / or laptop computers running various versions of the Microsoft Windows, Apple Macintosh, and / or Linux operating systems. The client computing devices may be workstation computers running any of a variety of commercially available UNIX or UNIX-like operating systems, including, but not limited to, various GNU / Linux operating systems, such as Google Chrome OS.Alternatively or additionally, the client computing device may be any other electronic device, such as a thin client computer, an Internet-enabled gaming system (e.g., a Microsoft Xbox gaming console with or without a Kinect® gesture input device), and / or a personal messaging device, that can communicate over a network accessible to VCN 1606 and / or the Internet.
[0227] VCN 1606 may include a local peering gateway (LPG) 1610 that may be communicatively coupled to a secure shell (SSH) VCN 1612 via an LPG 1610 included in SSH VCN 1612. SSH VCN 1612 may include an SSH subnet 1614, which may be communicatively coupled to a control plane VCN 1616 via an LPG 1610 included in control plane VCN 1616. SSH VCN 1612 may also be communicatively coupled to a data plane VCN 1618 via LPG 1610. The control plane VCN 1616 and the data plane VCN 1618 may be included in a service tenancy 1619, which may be owned and / or operated by the IaaS provider.
[0228] The control plane VCN 1616 may include a control plane demilitarized zone (DMZ) tier 1620 that serves as a perimeter network (e.g., a portion of an enterprise network between the enterprise intranet and an external network). Servers based in the DMZ may have limited responsibilities and help keep security breaches contained. Additionally, the DMZ tier 1620 may include one or more load balancer (LB) subnets 1622, a control plane app tier 1624 that may include an app subnet 1626, and a control plane data tier 1628 that may include a database (DB) subnet 1630 (e.g., a front-end DB subnet and / or a back-end DB subnet). LB subnet 1622 included in control plane DMZ layer 1620 can be communicatively coupled to app subnet 1626 and Internet gateway 1634 included in control plane app layer 1624, which may be included in control plane VCN 1616, and app subnet 1626 can be communicatively coupled to DB subnet 1630, as well as service gateway 1636 and network address translation (NAT) gateway 1638 included in control plane data layer 1628. Control plane VCN 1616 can include service gateway 1636 and NAT gateway 1638.
[0229] The control plane VCN 1616 can include a data plane mirror app layer 1640, which can include an app subnet 1626. The app subnet 1626 included in the data plane mirror app layer 1640 can include a virtual network interface controller (VNIC) 1642, which can run a compute instance 1644. The compute instance 1644 can communicatively couple the app subnet 1626 of the data plane mirror app layer 1640 to the app subnet 1626, which can be included in the data plane app layer 1646.
[0230] The data plane VCN 1618 may include a data plane app layer 1646, a data plane DMZ layer 1648, and a data plane data layer 1650. The data plane DMZ layer 1648 may include a LB subnet 1622, which may be communicatively coupled to an app subnet 1626 of the data plane app layer 1646 and an internet gateway 1634 of the data plane VCN 1618. The app subnet 1626 may be communicatively coupled to a service gateway 1636 of the data plane VCN 1618 and a NAT gateway 1638 of the data plane VCN 1618. The data plane data layer 1650 may also include a DB subnet 1630, which may be communicatively coupled to the app subnet 1626 of the data plane app layer 1646.
[0231] The internet gateways 1634 of the control plane VCNs 1616 and of the data plane VCNs 1618 may be communicatively coupled to a metadata management service 1652, which may be communicatively coupled to the public internet 1654. The public internet 1654 may be communicatively coupled to NAT gateways 1638 of the control plane VCNs 1616 and of the data plane VCNs 1618. The service gateways 1636 of the control plane VCNs 1616 and of the data plane VCNs 1618 may be communicatively coupled to cloud services 1656.
[0232] In some examples, a service gateway 1636 in the control plane VCN 1616 or in the data plane VCN 1618 can make application programming interface (API) calls to cloud services 1656 without traversing the public internet 1654. API calls from the service gateway 1636 to the cloud services 1656 can be one-way: the service gateway 1636 can make the API call to the cloud services 1656, and the cloud services 1656 can send the requested data to the service gateway 1636. However, the cloud services 1656 may not initiate the API call to the service gateway 1636.
[0233] In some examples, secure host tenancy 1604 can be directly connected to service tenancy 1619 or may be otherwise separate. Secure host subnet 1608 can communicate with SSH subnet 1614 through LPG 1610, which may enable bidirectional communication on otherwise separate systems. Connecting secure host subnet 1608 to SSH subnet 1614 may give secure host subnet 1608 access to other entities within service tenancy 1619.
[0234] The control plane VCN 1616 may enable users of the service tenancy 1619 to configure or otherwise provision desired resources. The desired resources provisioned in the control plane VCN 1616 may be deployed or otherwise used in the data plane VCN 1618. In some examples, the control plane VCN 1616 may be separate from the data plane VCN 1618, and the data plane mirror app layer 1640 of the control plane VCN 1616 may communicate with the data plane app layer 1646 of the data plane VCN 1618 via a VNIC 1642, which may be included in the data plane mirror app layer 1640 and the data plane app layer 1646.
[0235] In some examples, a user or customer of the system may make a request, for example, a create, read, update, or delete (CRUD) operation, via the public internet 1654, which may communicate the request to a metadata management service 1652. The metadata management service 1652 may communicate the request to the control plane VCN 1616 via an internet gateway 1634. The request may be received by a LB subnet 1622 included in the control plane DMZ tier 1620. The LB subnet 1622 may determine that the request is valid, and in response to this determination, the LB subnet 1622 may send the request to an app subnet 1626 included in the control plane app tier 1624. If the validity of the request is confirmed and the request requires a call to the public internet 1654, the call to the public internet 1654 may be sent to a NAT gateway 1638, which may make the call to the public internet 1654. Memory that may be desirable to store with the request may be stored within the DB subnet 1630.
[0236] In some examples, the data plane mirror app layer 1640 can facilitate direct communication between the control plane VCN 1616 and the data plane VCN 1618. For example, it may be desirable for changes, updates, or other appropriate modifications to the configuration to be applied to resources included in the data plane VCN 1618. Via the VNIC 1642, the control plane VCN 1616 can communicate directly with the resources included in the data plane VCN 1618, thereby performing changes, updates, or other appropriate modifications to the configuration of the resources.
[0237] In some embodiments, the control plane VCN 1616 and the data plane VCN 1618 may be included in the service tenancy 1619. In this case, a user or customer of the system may not own or operate either the control plane VCN 1616 or the data plane VCN 1618. Instead, an IaaS provider may own or operate the control plane VCN 1616 and the data plane VCN 1618, which may both be included in the service tenancy 1619. This embodiment may enable network isolation that can prevent users or customers from interacting with other users' or other customers' resources. This embodiment may also enable users or customers of the system to store databases privately without having to rely on the public internet 1654 for storage, which may not have a desirable level of security.
[0238] In another embodiment, the LB subnet 1622 included in the control plane VCN 1616 may be configured to receive signals from the service gateway 1636. In this embodiment, the control plane VCN 1616 and the data plane VCN 1618 may be configured to be called by the IaaS provider's customers without calling the public Internet 1654. The IaaS provider's customers may desire this embodiment because databases used by the customers may be stored in the service tenancy 1619, which may be controlled by the IaaS provider and isolated from the public Internet 1654.
[0239] 17 is a block diagram 1700 illustrating another example pattern of an IaaS architecture, according to at least one embodiment. A service operator 1702 (e.g., service operator 1602 of FIG. 16 ) may be communicatively coupled to a secure host tenancy 1704 (e.g., secure host tenancy 1604 of FIG. 16 ), which may include a virtual cloud network (VCN) 1706 (e.g., VCN 1606 of FIG. 16 ) and a secure host subnet 1708 (e.g., secure host subnet 1608 of FIG. 16 ). VCN 1706 may include a local peering gateway (LPG) 1710 (e.g., LPG 1610 of FIG. 16 ), which may be communicatively coupled to a secure shell (SSH) VCN 1712 (e.g., SSH VCN 1612 of FIG. 16 ) via an LPG 1710 included in an SSH VCN 1712. SSH VCN 1712 can include SSH subnet 1714 (e.g., SSH subnet 1614 in FIG. 16 ), and SSH VCN 1712 can be communicatively coupled to control plane VCN 1716 (e.g., control plane VCN 1616 in FIG. 16 ) via LPG 1710 included in control plane VCN 1716. Control plane VCN 1716 can be included in service tenancy 1719 (e.g., service tenancy 1619 in FIG. 16 ), and data plane VCN 1718 (e.g., data plane VCN 1618 in FIG. 16 ) can be included in customer tenancy 1721, which can be owned or operated by a user or customer of the system.
[0240] The control plane VCN 1716 may include a control plane DMZ tier 1720 (e.g., the control plane DMZ tier 1620 of FIG. 16 ) that may include a LB subnet 1722 (e.g., the LB subnet 1622 of FIG. 16 ), a control plane app tier 1724 (e.g., the control plane app tier 1624 of FIG. 16 ) that may include an app subnet 1726 (e.g., the app subnet 1626 of FIG. 16 ), and a control plane data tier 1728 (e.g., the control plane data tier 1628 of FIG. 16 ) that may include a database (DB) subnet 1730 (e.g., similar to the database (DB) subnet 1630 of FIG. 16 ). The LB subnet 1722 included in the control plane DMZ layer 1720 can be communicatively coupled to an app subnet 1726 and an Internet gateway 1734 (e.g., Internet gateway 1634 in FIG. 16 ) included in the control plane app layer 1724, which may be included in the control plane VCN 1716, and the app subnet 1726 can be communicatively coupled to a DB subnet 1730 and a service gateway 1736 (e.g., service gateway in FIG. 16 ) and a network address translation (NAT) gateway 1738 (e.g., NAT gateway 1638 in FIG. 16 ) included in the control plane data layer 1728. The control plane VCN 1716 can include the service gateway 1736 and the NAT gateway 1738.
[0241] The control plane VCN 1716 can include a data plane mirror app layer 1740 (e.g., data plane mirror app layer 1640 of FIG. 16 ), which can include an app subnet 1726. The app subnet 1726 included in the data plane mirror app layer 1740 can include a virtual network interface controller (VNIC) 1742 (e.g., VNIC 1642) that can run a compute instance 1744 (e.g., similar to compute instance 1644 of FIG. 16 ). The compute instance 1744 can facilitate communication between the app subnet 1726 of the data plane mirror app layer 1740 and the app subnet 1726, which can be included in the data plane app layer 1746 (e.g., data plane app layer 1646 of FIG. 16 ), via the VNIC 1742 included in the data plane mirror app layer 1740 and the VNIC 1742 included in the data plane app layer 1746.
[0242] The internet gateway 1734 included in the control plane VCN 1716 may be communicatively coupled to a metadata management service 1752 (e.g., metadata management service 1652 of FIG. 16 ), which may be communicatively coupled to the public internet 1754 (e.g., public internet 1654 of FIG. 16 ). The public internet 1754 may be communicatively coupled to a NAT gateway 1738 included in the control plane VCN 1716. The service gateway 1736 included in the control plane VCN 1716 may be communicatively coupled to cloud services 1756 (e.g., cloud services 1656 of FIG. 16 ).
[0243] In some examples, data plane VCN 1718 may be included in customer tenancy 1721. In this case, the IaaS provider may provide a control plane VCN 1716 for each customer, and the IaaS provider may configure a unique compute instance 1744 for each customer that is included in service tenancy 1719. Each compute instance 1744 may enable communication between the control plane VCN 1716 included in service tenancy 1719 and the data plane VCN 1718 included in customer tenancy 1721. The compute instance 1744 may enable resources provisioned in the control plane VCN 1716 included in service tenancy 1719 to be deployed or otherwise used in the data plane VCN 1718 included in customer tenancy 1721.
[0244] In another example, an IaaS provider customer may have a database that resides in customer tenancy 1721. In this example, control plane VCN 1716 may include data plane mirror app tier 1740, which may include app subnet 1726. Data plane mirror app tier 1740 may reside in data plane VCN 1718, but data plane mirror app tier 1740 may not reside in data plane VCN 1718. That is, data plane mirror app tier 1740 may have access to customer tenancy 1721, but data plane mirror app tier 1740 may not reside in data plane VCN 1718 and may not be owned or operated by the IaaS provider customer. Data plane mirror app tier 1740 may be configured to make calls to data plane VCN 1718, but may not be configured to make calls to any entities included in control plane VCN 1716. A customer may desire to deploy or otherwise use resources in the data plane VCN 1718 that have been provisioned in the control plane VCN 1716, and the data plane mirror app layer 1740 can facilitate the desired deployment or other use of the customer's resources.
[0245] In some embodiments, the IaaS provider's customer can apply filters to the data plane VCN 1718. In this embodiment, the customer can determine which data plane VCNs 1718 are accessible, and the customer may restrict access from the data plane VCN 1718 to the public internet 1754. The IaaS provider may not be able to apply filters or otherwise control the data plane VCN 1718's access to any external networks or databases. Applying filters and controls by the customer to the data plane VCN 1718 contained in the customer's tenancy 1721 can help to isolate the data plane VCN 1718 from other customers and from the public internet 1754.
[0246] In some embodiments, cloud services 1756 may be called by service gateway 1736 to access services that may not reside on public internet 1754, control plane VCN 1716, or data plane VCN 1718. The connection between cloud services 1756 and control plane VCN 1716 or data plane VCN 1718 may not be up and running or continuous. Cloud services 1756 may reside on different networks owned or operated by the IaaS provider. Cloud services 1756 may be configured to receive calls from service gateway 1736 and may not be configured to receive calls from public internet 1754. Some cloud services 1756 may be isolated from other cloud services 1756, and control plane VCN 1716 may be isolated from cloud services 1756 that may not be in the same region as control plane VCN 1716. For example, control plane VCN 1716 may be located in "Region 1," and cloud service "deployment 16" may be located in Region 1 and Region 2. If a call is made to deployment 16 by service gateway 1736 included in control plane VCN 1716 located in Region 1, the call may be sent to deployment 16 in Region 1. In this example, control plane VCN 1716, or deployment 16 in Region 1, may not be communicatively coupled to or otherwise in communication with deployment 16 in Region 2.
[0247] 18 is a block diagram 1800 illustrating another example pattern of an IaaS architecture, according to at least one embodiment. A service operator 1802 (e.g., service operator 1602 of FIG. 16 ) may be communicatively coupled to a secure host tenancy 1804 (e.g., secure host tenancy 1604 of FIG. 16 ), which may include a virtual cloud network (VCN) 1806 (e.g., VCN 1606 of FIG. 16 ) and a secure host subnet 1808 (e.g., secure host subnet 1608 of FIG. 16 ). VCN 1806 may include an LPG 1810 (e.g., LPG 1610 of FIG. 16 ), which may be communicatively coupled to an SSH VCN 1812 (e.g., SSH VCN 1612 of FIG. 16 ) via an LPG 1810 included in SSH VCN 1812. SSH VCN 1812 can include SSH subnet 1814 (e.g., SSH subnet 1614 in FIG. 16 ), and SSH VCN 1812 can be communicatively coupled to control plane VCN 1816 (e.g., control plane VCN 1616 in FIG. 16 ) via LPG 1810 included in control plane VCN 1816, and to data plane VCN 1818 (e.g., data plane 1618 in FIG. 16 ) via LPG 1810 included in data plane VCN 1818. Control plane VCN 1816 and data plane VCN 1818 can be included in service tenancy 1819 (e.g., service tenancy 1619 in FIG. 16 ).
[0248] The control plane VCN 1816 may include a control plane DMZ tier 1820 (e.g., the control plane DMZ tier 1620 of FIG. 16 ) that may include a load balancer (LB) subnet 1822 (e.g., the LB subnet 1622 of FIG. 16 ), a control plane app tier 1824 (e.g., the control plane app tier 1624 of FIG. 16 ) that may include an app subnet 1826 (e.g., similar to the app subnet 1626 of FIG. 16 ), and a control plane data tier 1828 (e.g., the control plane data tier 1628 of FIG. 16 ) that may include a DB subnet 1830. The LB subnet 1822 included in the control plane DMZ layer 1820 can be communicatively coupled to an app subnet 1826 included in a control plane app layer 1824 that may be included in the control plane VCN 1816, and to an Internet gateway 1834 (e.g., Internet gateway 1634 in FIG. 16 ), and the app subnet 1826 can be communicatively coupled to a DB subnet 1830 included in a control plane data layer 1828, as well as to a service gateway 1836 (e.g., service gateway in FIG. 16 ) and a network address translation (NAT) gateway 1838 (e.g., NAT gateway 1638 in FIG. 16 ). The control plane VCN 1816 can include the service gateway 1836 and the NAT gateway 1838.
[0249] Data plane VCN 1818 may include a data plane app layer 1846 (e.g., data plane app layer 1646 in FIG. 16 ), a data plane DMZ layer 1848 (e.g., data plane DMZ layer 1648 in FIG. 16 ), and a data plane data layer 1850 (e.g., data plane data layer 1650 in FIG. 16 ). Data plane DMZ layer 1848 may include a trusted app subnet 1860 and an untrusted app subnet 1862 of data plane app layer 1846 and an LB subnet 1822 that may be communicatively coupled to an Internet gateway 1834 included in data plane VCN 1818. Trusted app subnet 1860 may be communicatively coupled to a service gateway 1836 included in data plane VCN 1818, a NAT gateway 1838 included in data plane VCN 1818, and a DB subnet 1830 included in data plane data layer 1850. The untrusted app subnet 1862 may be communicatively coupled to a service gateway 1836 included in the data plane VCN 1818 and to a DB subnet 1830 included in the data plane data layer 1850. The data plane data layer 1850 may include a DB subnet 1830 that may be communicatively coupled to a service gateway 1836 included in the data plane VCN 1818.
[0250] The untrusted app subnet 1862 may include one or more primary VNICs 1864(1)-(N), which may be communicatively coupled to tenant virtual machines (VMs) 1866(1)-(N). Each tenant VM 1866(1)-(N) may be communicatively coupled to a respective app subnet 1867(1)-(N), which may be included in a respective container egress VCN 1868(1)-(N), which may be included in a respective customer's tenancy 1870(1)-(N). Each secondary VNIC 1872(1)-(N) may facilitate communication between the untrusted app subnet 1862 included in the data plane VCN 1818 and the app subnet included in the container egress VCN 1868(1)-(N). Each container egress VCN 1868(1)-(N) may include a NAT gateway 1838, which may be communicatively coupled to the public internet 1854 (e.g., public internet 1654 in FIG. 16 ).
[0251] An internet gateway 1834 included in the control plane VCN 1816 and included in the data plane VCN 1818 may be communicatively coupled to a metadata management service 1852 (e.g., metadata management system 1652 of FIG. 16 ), which may be communicatively coupled to the public internet 1854. The public internet 1854 may be communicatively coupled to a NAT gateway 1838 included in the control plane VCN 1816 and included in the data plane VCN 1818. A service gateway 1836 included in the control plane VCN 1816 and included in the data plane VCN 1818 may be communicatively coupled to cloud services 1856.
[0252] In some embodiments, data plane VCN 1818 may be integrated with a customer's tenancy 1870. This integration may be useful or desirable for an IaaS provider's customer in some cases, such as when they may want support when executing code. A customer may provide code for execution that may be destructive, may communicate with other customers' resources, or may otherwise cause undesirable effects. In response, the IaaS provider may determine whether to execute the code provided to the IaaS provider by the customer.
[0253] In some examples, a customer of an IaaS provider may grant temporary network access to the IaaS provider and request the ability to connect to the data plane app layer 1846. The code to perform this function may run in VMs 1866(1)-(N), which may not be configured to run elsewhere on the data plane VCN 1818. Each VM 1866(1)-(N) may be connected to one customer's tenancy 1870. Each container 1871(1)-(N) contained in a VM 1866(1)-(N) may be configured to run code. In this case, double isolation may exist (e.g., containers 1871(1)-(N) running code may be contained in at least VMs 1866(1)-(N) that are included in untrusted app subnet 1862), which may help prevent incorrect or otherwise unwanted code from causing damage to the IaaS provider's network or to a different customer's network. Containers 1871(1)-(N) may be communicatively coupled to customer tenancy 1870 and may be configured to send or receive data to or from customer tenancy 1870. Containers 1871(1)-(N) may not be configured to send or receive data to or from any other entities in data plane VCN 1818. Upon completion of code execution, the IaaS provider may kill or otherwise destroy containers 1871(1)-(N).
[0254] In some embodiments, trusted app subnet 1860 may execute code that may be owned or operated by the IaaS provider. In this embodiment, trusted app subnet 1860 may be communicatively coupled to DB subnet 1830 and may be configured to perform CRUD operations within DB subnet 1830. Untrusted app subnet 1862 may be communicatively coupled to DB subnet 1830, but in this embodiment, the untrusted app subnet may be configured to perform read operations within DB subnet 1830. Containers 1871(1)-(N) capable of executing code from the customer, which may be included in each customer's VMs 1866(1)-(N), may not be communicatively coupled to DB subnet 1830.
[0255] In other embodiments, the control plane VCN 1816 and the data plane VCN 1818 may not be directly communicatively coupled. In this embodiment, there may not be direct communication between the control plane VCN 1816 and the data plane VCN 1818. However, communication can occur indirectly through at least one method. The LPG 1810 may be established by an IaaS provider and can facilitate communication between the control plane VCN 1816 and the data plane VCN 1818. In another example, the control plane VCN 1816 or the data plane VCN 1818 can make a call to a cloud service 1856 via a service gateway 1836. For example, a call from the control plane VCN 1816 to the cloud service 1856 may include a request for a service that can communicate with the data plane VCN 1818.
[0256] 19 is a block diagram 1900 illustrating another example pattern of an IaaS architecture, according to at least one embodiment. A service operator 1902 (e.g., service operator 1602 of FIG. 16 ) may be communicatively coupled to a secure host tenancy 1904 (e.g., secure host tenancy 1604 of FIG. 16 ), which may include a virtual cloud network (VCN) 1906 (e.g., VCN 1606 of FIG. 16 ) and a secure host subnet 1908 (e.g., secure host subnet 1608 of FIG. 16 ). VCN 1906 may include an LPG 1910 (e.g., LPG 1610 of FIG. 16 ), which may be communicatively coupled to an SSH VCN 1912 (e.g., SSH VCN 1612 of FIG. 16 ) via an LPG 1910 included in SSH VCN 1912. SSH VCN 1912 can include SSH subnet 1914 (e.g., SSH subnet 1614 in FIG. 16 ), and SSH VCN 1912 can be communicatively coupled to control plane VCN 1916 (e.g., control plane VCN 1616 in FIG. 16 ) via LPG 1910 included in control plane VCN 1916, and to data plane VCN 1918 (e.g., data plane 1618 in FIG. 16 ) via LPG 1910 included in data plane VCN 1918. Control plane VCN 1916 and data plane VCN 1918 can be included in service tenancy 1919 (e.g., service tenancy 1619 in FIG. 16 ).
[0257] The control plane VCN 1916 may include a control plane DMZ layer 1920 (e.g., the control plane DMZ layer 1620 of FIG. 16 ) that may include a LB subnet 1922 (e.g., the LB subnet 1622 of FIG. 16 ), a control plane app layer 1924 (e.g., the control plane app layer 1624 of FIG. 16 ) that may include an app subnet 1926 (e.g., the app subnet 1626 of FIG. 16 ), and a control plane data layer 1928 (e.g., the control plane data layer 1628 of FIG. 16 ) that may include a DB subnet 1930 (e.g., the DB subnet 1830 of FIG. 18 ). LB subnet 1922 included in control plane DMZ tier 1920 can be communicatively coupled to app subnet 1926 included in control plane app tier 1924, which may be included in control plane VCN 1916, and to an Internet gateway 1934 (e.g., Internet gateway 1634 in FIG. 16 ), and app subnet 1926 can be communicatively coupled to DB subnet 1930 included in control plane data tier 1928, as well as to service gateway 1936 (e.g., service gateway in FIG. 16 ) and network address translation (NAT) gateway 1938 (e.g., NAT gateway 1638 in FIG. 16 ). Control plane VCN 1916 can include service gateway 1936 and NAT gateway 1938.
[0258] Data plane VCN 1918 may include a data plane app layer 1946 (e.g., data plane app layer 1646 in FIG. 16 ), a data plane DMZ layer 1948 (e.g., data plane DMZ layer 1648 in FIG. 16 ), and a data plane data layer 1950 (e.g., data plane data layer 1650 in FIG. 16 ). Data plane DMZ layer 1948 may include a trusted app subnet 1960 (e.g., trusted app subnet 1860 in FIG. 18 ) and an untrusted app subnet 1962 (e.g., untrusted app subnet 1862 in FIG. 18 ) of data plane app layer 1946, as well as an LB subnet 1922 that may be communicatively coupled to an Internet gateway 1934 included in data plane VCN 1918. The trusted app subnet 1960 may be communicatively coupled to a service gateway 1936 included in the data plane VCN 1918, a NAT gateway 1938 included in the data plane VCN 1918, and a DB subnet 1930 included in the data plane data layer 1950. The untrusted app subnet 1962 may be communicatively coupled to the service gateway 1936 included in the data plane VCN 1918 and the DB subnet 1930 included in the data plane data layer 1950. The data plane data layer 1950 may include a DB subnet 1930 that may be communicatively coupled to the service gateway 1936 included in the data plane VCN 1918.
[0259] The untrusted app subnet 1962 may include primary VNICs 1964(1)-(N), which may be communicatively coupled to tenant virtual machines (VMs) 1966(1)-(N) residing within the untrusted app subnet 1962. Each tenant VM 1966(1)-(N) may execute code within a respective container 1967(1)-(N), which may be communicatively coupled to an app subnet 1926, which may be included in a data plane app layer 1946, which may be included in a container egress VCN 1968. Each secondary VNIC 1972(1)-(N) may facilitate communication between the untrusted app subnet 1962, which is included in the data plane VCN 1918, and the app subnet included in the container egress VCN 1968. The container egress VCN may include a NAT gateway 1938, which may be communicatively coupled to the public internet 1954 (e.g., public internet 1654 in FIG. 16 ).
[0260] An internet gateway 1934 included in the control plane VCN 1916 and included in the data plane VCN 1918 may be communicatively coupled to a metadata management service 1952 (e.g., metadata management system 1652 of FIG. 16 ), which may be communicatively coupled to the public internet 1954. The public internet 1954 may be communicatively coupled to a NAT gateway 1938 included in the control plane VCN 1916 and included in the data plane VCN 1918. A service gateway 1936 included in the control plane VCN 1916 and included in the data plane VCN 1918 may be communicatively coupled to cloud services 1956.
[0261] In some examples, the pattern illustrated by the architecture of block diagram 1900 in FIG. 19 may be considered an exception to the pattern illustrated by the architecture of block diagram 1800 in FIG. 18 and may be desirable for an IaaS provider's customers when the IaaS provider cannot communicate directly with the customer (e.g., in a disconnected region). Each container 1967(1)-(N) contained in a VM 1966(1)-(N) for each customer may be accessed by the customer in real time. The containers 1967(1)-(N) may be configured to make calls to each secondary VNIC 1972(1)-(N) contained in the app subnet 1926 of the data plane app tier 1946, which may be included in a container egress VCN 1968. The secondary VNICs 1972(1)-(N) may send the calls to a NAT gateway 1938, which may send the calls to the public Internet 1954. In this example, containers 1967(1)-(N) that may be accessed in real time by customers may be isolated from control plane VCN 1916 and may be isolated from other entities included in data plane VCN 1918. Containers 1967(1)-(N) may be isolated from other customer resources.
[0262] In another example, a customer can invoke cloud service 1956 using container 1967(1)-(N). In this example, the customer may execute code in container 1967(1)-(N) that requests a service from cloud service 1956. Container 1967(1)-(N) can send the request to secondary VNICs 1972(1)-(N), which can send the request to a NAT gateway, which can send the request to public internet 1954. Public internet 1954 can send the request via internet gateway 1934 to LB subnet 1922, which is included in control plane VCN 1916. In response to determining that the request is valid, LB subnet 1926 can send the request to app subnet 1926, which can send the request to cloud service 1956 via service gateway 1936.
[0263] It should be understood that the IaaS architectures 1600, 1700, 1800, 1900 shown in the figures may include components other than those shown. Furthermore, the illustrated embodiments are merely some examples of cloud infrastructure systems that may incorporate embodiments of the present disclosure. In some other embodiments, the IaaS systems may include more or fewer components than those shown in the figures, may combine two or more components, or may have a different configuration or arrangement of components.
[0264] In one embodiment, the IaaS system described herein may include a suite of application, middleware, and database service offerings delivered to customers in a self-service, subscription-based, elastically scalable, reliable, highly available, and secure manner. An example of such an IaaS system is Oracle Cloud Infrastructure (OCI), offered by the present assignee.
[0265] 20 illustrates an exemplary computer system 2000 in which various embodiments may be implemented. System 2000 may be used to implement any of the computer systems described above. As shown, computer system 2000 includes a processing unit 2004 that communicates with multiple peripheral subsystems via a bus subsystem 2002. These peripheral subsystems may include a processing acceleration unit 2006, an I / O subsystem 2008, a storage subsystem 2018, and a communication subsystem 2024. Storage subsystem 2018 includes a tangible computer-readable storage medium 2022 and a system memory 2010.
[0266] Bus subsystem 2002 provides a mechanism for allowing the various components and subsystems of computer system 2000 to communicate with each other as intended. While bus subsystem 2002 is shown schematically as a single bus, alternative embodiments of the bus subsystem may utilize multiple buses. Bus subsystem 2002 may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. For example, such architectures may include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus, which may be implemented as a mezzanine bus manufactured to the IEEE P1386.1 standard.
[0267] Processing unit 2004, which may be implemented as one or more integrated circuits (e.g., conventional microprocessors or microcontrollers), controls the operation of computer system 2000. One or more processors may be included in processing unit 2004. These processors may include single-core or multi-core processors. In one embodiment, processing unit 2004 may be implemented as one or more independent processing units 2032 and / or 2034, with a single-core or multi-core processor included in each processing unit. In other embodiments, processing unit 2004 may be implemented as a quad-core processing unit formed by integrating two dual-core processors onto a single chip.
[0268] In various embodiments, processing unit 2004 may execute various programs in response to program code and may maintain multiple simultaneously executing programs or processes. At any particular time, some or all of the program code being executed may reside in processor 2004 and / or in storage subsystem 2018. With appropriate programming, processor 2004 may provide the various functions described above. Computer system 2000 may further include a processing acceleration unit 2006, which may include a digital signal processor (DSP), a special purpose processor, and / or the like.
[0269] The I / O subsystem 2008 may include user interface input devices and user interface output devices. User interface input devices may include a keyboard, a pointing device such as a mouse or trackball, a touchpad or touchscreen integrated into a display, a scroll wheel, a click wheel, a dial, buttons, switches, a keypad, a voice input device with a voice command recognition system, a microphone, and other types of input devices. User interface input devices may include, for example, a motion detection device and / or gesture recognition device, such as a Microsoft Kinect® motion sensor, which allows a user to control an input device, such as a Microsoft Xbox® 360 game controller, to interact with information via a natural user interface using gestures and spoken commands. User interface input devices may also include an eye gesture recognition device, such as a Google Glass® blink detector, which detects a user's eye activity (e.g., "blinking" when taking a photo and / or selecting a menu) and translates the eye gesture as input to an input device (e.g., Google Glass®). Additionally, the user interface input devices may include a voice recognition detection device that allows a user to interact with a voice recognition system (e.g., Siri® Navigator) via voice commands.
[0270] User interface input devices may include, but are not limited to, three-dimensional (3D) mice, joysticks or pointing sticks, gamepads, and graphic tablets, as well as audio / visual devices such as speakers, digital cameras, digital video cameras, portable media players, webcams, image scanners, fingerprint scanners, barcode reader 3D scanners, 3D printers, laser range finders, and eye-tracking devices. Additionally, user interface input devices may include medical imaging input devices such as, for example, computed tomography, magnetic resonance imaging, position emission tomography, and medical ultrasound devices. User interface input devices may also include audio input devices such as, for example, MIDI keyboards, digital musical instruments, and the like.
[0271] User interface output devices may include non-visual displays such as a display subsystem, indicator lights, or audio output devices. The display subsystem may be a flat-panel device, such as a flat-panel device using a cathode ray tube (CRT), a liquid crystal display (LCD), or a plasma display, a projection device, a touch screen, or the like. In general, use of the term "output device" is intended to include all possible types of devices and mechanisms for outputting information from computer system 2000 to a user or to another computer. For example, user interface output devices may include, but are not limited to, various display devices that visually convey textual, graphical, and audio / video information, such as monitors, printers, speakers, headphones, navigation systems, plotters, audio output devices, and modems.
[0272] Computer system 2000 may include a storage subsystem 2018, which includes software elements shown as presently residing in system memory 2010. System memory 2010 may store program instructions readable and executable by processing unit 2004, as well as data generated during the execution of these programs.
[0273] Depending on the configuration and type of computer system 2000, the system memory 2010 may be volatile (such as random-access memory (RAM)) and / or non-volatile (such as read-only memory (ROM), flash memory, etc.). RAM typically contains data and / or program modules that are immediately accessible to and / or presently being operated on and executed by the processing unit 2004. In some implementations, the system memory 2010 may include several different types of memory, such as static random access memory (SRAM) or dynamic random access memory (DRAM). In some implementations, the basic input / output system (BIOS), containing the basic routines that help to transfer information between elements within the computer system 2000, such as during start-up, may typically be stored in ROM. By way of example and not limitation, system memory 2010 also illustrates application programs 2012, program data 2014, and an operating system 2016, which may include client applications, web browsers, mid-tier applications, relational database management systems (RDBMS), and the like.Examples of operating systems 2016 may include various versions of Microsoft Windows®, Apple Macintosh®, and / or Linux operating systems, various commercially available UNIX® or UNIX-like operating systems (including, but not limited to, various GNU / Linux operating systems, Google Chrome® OS, etc.), and / or mobile operating systems such as iOS, Windows® Phone, Android® OS, BlackBerry® 20 OS, and Palm® OS operating systems.
[0274] The storage subsystem 2018 may provide a tangible, computer-readable storage medium for storing the basic programming and data configurations that provide the functionality of some embodiments. Software (programs, code modules, instructions) that, when executed by a processor, provide the aforementioned functionality may be stored in the storage subsystem 2018. These software modules or instructions may be executed by the processing unit 2004. The storage subsystem 2018 may provide a repository for storing data used in accordance with the present disclosure.
[0275] Storage subsystem 2000 may include computer-readable storage medium reader 2020, which may further be connected to computer-readable storage medium 2022. In combination with system memory 2010, and together, optionally, computer-readable storage medium 2022 may comprehensively represent remote, local, fixed, and / or removable storage media, as well as storage media for temporarily and / or more permanently containing, storing, transmitting, and retrieving computer-readable information.
[0276] The computer-readable storage medium 2022 containing the code or portions of code may include any suitable medium known or used in the art, including storage and communication media, such as, but not limited to, volatile and nonvolatile, removable and non-removable media, implemented in any manner or technology for storing and / or transmitting information. The computer-readable storage medium may include tangible computer-readable storage media, such as RAM, ROM, electronically erasable programmable ROM (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disk (DVD), or other optical storage, magnetic cassette, magnetic tape, magnetic disk storage, or other magnetic storage devices, or other tangible computer-readable media. The computer-readable storage medium may also include non-tangible computer-readable media, such as a data signal, data transmission, or any other medium that can be used to transmit the desired information and that can be accessed by the computing system 2000.
[0277] By way of example, computer-readable storage medium 2022 may include hard disk drives that read from or write to non-removable, nonvolatile magnetic media, magnetic disk drives that read from or write to removable, nonvolatile magnetic disks, and optical disk drives that read from or write to removable, nonvolatile optical disks such as CD-ROMs, DVDs, and Blu-ray® disks or other optical media. Computer-readable storage medium 2022 may include, but is not limited to, Zip® drives, flash memory cards, universal serial bus (USB) flash drives, secure digital (SD) cards, DVD disks, digital video tapes, and the like. The computer-readable storage media 2022 may include solid-state drives (SSDs) based on non-volatile memory such as flash memory-based SSDs, enterprise flash drives, semiconductor ROM, volatile memory-based SSDs such as semiconductor RAM, dynamic RAM, static RAM, DRAM-based SSDs, magnetoresistive RAM (MRAM) SSDs, and hybrid SSDs that use a combination of DRAM and flash memory-based SSDs. Disk drives and associated computer-readable media may provide non-volatile storage of computer-readable instructions, data structures, program modules, and other data for the computer system 2000.
[0278] The communications subsystem 2024 provides an interface to other computer systems and networks. The communications subsystem 2024 serves as an interface for receiving data from and transmitting data to other systems in the computer system 2000. For example, the communications subsystem 2024 may enable the computer system 2000 to connect to one or more devices via the Internet. In some embodiments, the communications subsystem 2024 may include radio frequency (RF) transceiver components for accessing wireless voice and / or data networks (e.g., using cellular technology, advanced data network technologies such as 3G, 4G, or EDGE (enhanced data rates for global evolution), Wi-Fi (using the IEEE 802.11 family of standards, or other mobile communications technologies, or any combination thereof), global positioning system (GPS) receiver components, and / or other components. In some embodiments, the communications subsystem 2024 may provide a wired network connection (e.g., Ethernet) in addition to or instead of a wireless interface.
[0279] In some embodiments, the communications subsystem 2024 may receive incoming communications in the form of structured and / or unstructured data feeds 2026, event streams 2028, event updates 2030, etc., on behalf of one or more users who may use the computer system 2000.
[0280] By way of example, the communications subsystem 2024 may be configured to receive data feeds 2026 in real time from users of social networks and / or other communications services, such as Twitter® feeds, Facebook® updates, web feeds, such as Rich Site Summary (RSS) feeds, and / or real-time updates from one or more third-party sources.
[0281] Additionally, the communications subsystem 2024 may be configured to receive data in the form of a continuous data stream, which may include an event stream 2028 of real-time events and / or event updates 2030 that may have no explicit end and may be continuous in nature or unbounded. Examples of applications that generate continuous data may include, for example, sensor data applications, financial tickers, network performance measurement tools (e.g., network monitoring and traffic management applications), clickstream analysis tools, automobile traffic monitoring, etc.
[0282] The communications subsystem 2024 may be configured to output structured and / or unstructured data feeds 2026, event streams 2028, event updates 2030, etc. to one or more databases that can communicate with one or more streaming data source computers coupled to the computer system 2000.
[0283] The computer system 2000 can be one of a variety of types, including a handheld portable device (e.g., an iPhone® mobile phone, an iPad® computing tablet, a PDA), a wearable device (e.g., a Google Glass® head-mounted display), a PC, a workstation, a mainframe, a ticket machine, a server rack, or any other data processing system.
[0284] Due to the ever-changing nature of computers and networks, the description of computer system 2000 shown in the figure is intended to be a specific example only. Many other configurations are possible, including more or fewer components than the system shown in the figure. For example, customized hardware may be used, and / or particular elements may be implemented in hardware, firmware, software (including applets), or a combination thereof. Furthermore, connections to other computing devices, such as network input / output devices, may be employed. Based on the disclosure and teachings provided herein, those skilled in the art will appreciate other ways and / or manners for implementing the various embodiments.
[0285] While specific embodiments have been described, various modifications, variations, alternative constructions, and equivalents are encompassed within the scope of the present disclosure. The embodiments are not limited to operation in one particular data processing environment, but can freely operate in multiple data processing environments. Furthermore, while the embodiments have been described using a particular sequence of transactions and steps, it should be apparent to those skilled in the art that the scope of the present disclosure is not limited to the sequence of transactions and steps described. Various features and aspects of the above-described embodiments may be used individually or together.
[0286] Furthermore, while embodiments have been described using particular combinations of hardware and software, it should be recognized that other combinations of hardware and software are within the scope of the present disclosure. Embodiments may be implemented exclusively in hardware, exclusively in software, or using a combination thereof. Various processes described herein may be performed on the same processor or on different processors in any combination. Thus, when a component or module is described as being configured to perform an operation, such configuration may be realized, for example, by designing electronic circuitry to perform the operation, by programming a programmable electronic circuit (such as a microprocessor) to perform the operation, or by any combination thereof. Processes may communicate using various techniques, including, but not limited to, conventional techniques for inter-process communication; different pairs of processes may use different techniques, or the same pair of processes may use different techniques at different times.
[0287] Accordingly, the specification and drawings should be regarded in an illustrative, rather than a limiting sense. However, it will be apparent that additions, subtractions, deletions, and other modifications and changes may be made to the specification and drawings without departing from the broader spirit and scope as set forth in the claims. Accordingly, while particular disclosed embodiments have been described, they are not intended to be limiting. Various modifications and equivalents are within the scope of the appended claims.
[0288] The use of the terms "a," "an," and "the" and similar referents in the context of describing the disclosed embodiments (particularly in the context of the appended claims) should be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The terms "comprising," "having," "including," and "containing" should be construed as open-ended (i.e., meaning "including, but not limited to"), unless otherwise noted. The term "connected" should be construed as partially or fully contained within, connected to, or joined together, even if there is something intervening. The recitation of ranges of values herein is merely intended to serve as a shorthand method of individually referring to each separate value included in the range, unless otherwise indicated herein, and each separate value is incorporated herein as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. Any and all examples provided herein, or the use of exemplary language (e.g., "etc.") are intended merely to better clarify the embodiments and do not impose limitations on the scope of the disclosure unless specifically claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the disclosure.
[0289] Disjunctive language, such as the phrase "at least one of X, Y, or Z," is generally intended to be understood within the context as being used to state that an item, condition, etc. may be either X, Y, or Z, or any combination thereof (e.g., X, Y, and / or Z), unless expressly stated otherwise. Thus, such disjunctive language is generally not intended to, and should not, imply that an embodiment requires that at least one of X, at least one of Y, or at least one of Z, respectively, be present.
[0290] Preferred embodiments of the present disclosure are described herein, including the best mode known for carrying out the disclosure. Variations of such preferred embodiments may become apparent to those skilled in the art upon reading the foregoing description. Those skilled in the art will be able to adopt such variations as appropriate, and the present disclosure may be practiced other than as specifically described herein. Accordingly, this disclosure includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, any combination of the above-described elements in all possible variations of the embodiments is encompassed by the present disclosure, unless otherwise indicated herein.
[0291] All references, including publications, patent applications, and patents, cited in this specification are hereby incorporated by reference to the same extent as if each reference was individually indicated to be incorporated by reference and were set forth in its entirety herein. While the foregoing specification has described aspects of the present disclosure with reference to specific embodiments thereof, those skilled in the art will recognize that the disclosure is not limited thereto. Various features and aspects of the foregoing disclosure may be used individually or together. Moreover, the embodiments may be utilized in any number of environments and applications beyond those described herein without departing from the broader spirit and scope of the specification. Accordingly, the specification and drawings should be regarded as illustrative rather than restrictive.
Claims
1. It is a method, The multi-cloud control plane of the multi-cloud infrastructure included in the first cloud environment receives a notification from the identity system of the second cloud environment, the notification indicating that a set of essential resources is not configured for the customer in the second cloud environment. The method further includes, in response to receiving the notification, the multi-cloud control plane invoking a provisioning module included in the second cloud environment, the provisioning module creating the required set of resources in the second cloud environment. The method further comprises, in response to successful validation of the set of required resources, the multi-cloud control plane creating a linked resource object containing information linking tenancies associated with users in the first cloud environment to accounts associated with the users of the customer in the second cloud environment.
2. The method according to claim 1, wherein the set of required resources is associated with a hierarchy of roles.
3. The aforementioned role hierarchy includes network roles, observability roles, and validator roles. The aforementioned network role permits the creation of a network link between the first cloud environment and the second cloud environment. The observability role allows the observability module included in the multi-cloud infrastructure to expose data associated with resources deployed in the first cloud environment to the second cloud environment. The method according to claim 2, wherein the validator role allows the multicloud control plane of the multicloud infrastructure to perform user validation.
4. The method according to claim 2, further comprising deploying a service account to the second cloud environment, wherein the service account is configured to access the user's account in the second cloud environment, and a network role included in the role hierarchy allows the service account to peer with the user's account in the second cloud environment.
5. The multi-cloud control plane further includes validating the set of essential resources created by the provisioning module of the second cloud environment, and the validation is performed The multi-cloud control plane obtains authentication information associated with the service account in the second cloud environment, The method according to claim 1, further comprising obtaining a role based on the authentication information using the multi-cloud control plane.
6. The multi-cloud control plane generates the customer's external ID, The method of claim 2, further comprising the multi-cloud control plane transmitting the customer's external ID to the provisioning module, wherein the external ID is used in creating the required set of resources.
7. The method according to claim 6, further comprising the multi-cloud control plane storing the external ID in a key-value database included in the first cloud environment.
8. In response to creating the linked resource object, the multi-cloud control plane stores the external ID in the customer's vault included in the second cloud environment. The method according to claim 7, further comprising deleting the external ID stored in the key value database.
9. The method according to claim 6, wherein the external ID is required by the multicloud control plane to obtain any role from the role hierarchy.
10. A program for causing one or more processors to perform the method according to any one of claims 1 to 9.
11. One or more processors, A computing device comprising memory containing instructions, wherein, when the instructions are executed using one or more processors, the computing device receives at least, The multi-cloud control plane of the multi-cloud infrastructure included in the first cloud environment is configured to receive a notification from the identity system of the second cloud environment, the notification indicating that a required set of resources is not configured for the customer in the second cloud environment. In response to receiving the notification, the multi-cloud control plane further causes the provisioning module included in the second cloud environment to be activated, the provisioning module creates the required set of resources in the second cloud environment, In response to successful validation of the aforementioned set of required resources, the computing device further causes the multi-cloud control plane to create a linked resource object containing information linking tenancies associated with users in the first cloud environment to accounts associated with the customers of the users in the second cloud environment.
12. The computing device according to claim 11, wherein the aforementioned set of required resources is associated with a hierarchy of roles.
13. One or more processors, A computing device comprising a memory containing instructions, wherein, when the instructions are executed using one or more processors, the computing device causes the computing device to perform the method according to any one of claims 1 to 9.