Permissions Framework for Multi-Cloud Infrastructure
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- ORACLE INT CORP
- Filing Date
- 2023-10-13
- Publication Date
- 2026-06-16
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
[Technical Field]
[0001] CROSS-REFERENCE TO RELATED APPLICATIONS This application is a non-provisional application of, and claims the benefit of, each of the following provisional applications, the entire contents of each of which are incorporated herein by reference for all purposes: (1) U.S. Provisional Patent Application No. 63 / 416,042, filed October 14, 2022; (2) U.S. Provisional Patent Application No. 63 / 464,903, filed May 8, 2023; (3) U.S. Provisional Patent Application No. 63 / 467,241, filed May 17, 2023; (4) U.S. Provisional Patent Application No. 63 / 468,739, filed May 24, 2023; (5) U.S. Provisional Patent Application No. 63 / 469,763, filed May 30, 2023; (6) U.S. Provisional Patent Application No. 63 / 471,573, filed June 7, 2023.
[0002] Field The present disclosure relates to cloud architectures, and more particularly to techniques for linking two cloud environments provided by different cloud service providers, such that a user of one cloud environment provided by a service provider can access and manage services provided by another cloud environment provided by another cloud service provider. [Background technology]
[0003] background The past few years have seen a dramatic increase in the adoption of cloud services, and this trend is only increasing. Various cloud environments are offered by different cloud service providers (CSPs), with each cloud environment offering a set of one or more cloud services. The set of cloud services offered by a cloud environment may include one or more different types of services, including, but not limited to, Software-as-a-Service (SaaS) services, Infrastructure-as-a-Service (IaaS) services, Platform-as-a-Service (PaaS) services, etc.
[0004] While a variety of cloud environments are currently available, each cloud environment provides a closed ecosystem to subscribing customers. As a result, customers of a cloud environment are limited to using the services offered by that cloud environment. There is no easy way for customers subscribing to a cloud environment offered by a CSP to use, via that cloud environment, services offered in a different cloud environment offered by a different CSP. The embodiments described herein address these and other problems. Summary of the Invention
[0005] overview The present disclosure relates to cloud architectures, and more particularly to techniques for linking two cloud environments provided by different cloud service providers. A user of one cloud environment provided by a service provider can manage services provided by another cloud environment provided by another cloud service provider. Various embodiments are described herein, including methods, systems, non-transitory computer-readable storage media storing programs, code, or instructions executable by one or more processors, etc. Some embodiments may be implemented using a computer program product including computer programs / instructions that, when executed by a processor, cause the processor to perform any of the methods described in this disclosure.
[0006] Embodiments of the present disclosure provide a multi-cloud control plane (MCCP) framework that provisions functions for delivering services of a particular cloud network (e.g., Oracle Cloud Infrastructure (OCI)) to users on other clouds (e.g., AWS). The MCCP framework enables users (of other cloud environments) to access services of the cloud environment (e.g., PaaS services, database services such as autonomous database services, etc.) while providing a user experience that is as close as possible to the user's experience of their native cloud environment. A key challenge of MCCP is to enable customers to experience the full data plane functionality of services in external clouds.
[0007] One embodiment of the present disclosure is directed to a method that includes receiving, by a multi-cloud infrastructure included in a first cloud environment, a request from a user associated with an account in a second cloud environment requesting user sign-up, the request including metadata information associated with the user regarding services offered by the multi-cloud infrastructure; in response to determining, based on the metadata information, that a set of required resources has not been configured in the second cloud environment for the user, sending, by the multi-cloud infrastructure, a notification to the user, the notification indicating that the set of required resources should be configured in the second cloud environment; verifying, by the multi-cloud infrastructure, the validity of the set of required resources configured in the second cloud environment and the user settings; and creating, by the multi-cloud infrastructure, a link resource object including information linking the user's tenancy in the first cloud environment to the user's account in the second cloud environment, the link resource object enabling the user to utilize services offered by the multi-cloud infrastructure.
[0008] According to one aspect of the disclosure, one or more computer-readable non-transitory media are provided having computer-executable instructions stored thereon that, when executed by one or more processors, cause a multi-cloud infrastructure included in a first cloud environment to receive a request from a user associated with an account in a second cloud environment, the request requesting user sign-up including metadata information associated with the user for services provided by the multi-cloud infrastructure; in response to determining, based on the metadata information, that a set of required resources has not been configured in the second cloud environment for the user, sending a notification by the multi-cloud infrastructure to the user, the notification indicating that the set of required resources should be configured in the second cloud environment; verifying, by the multi-cloud infrastructure, the validity of the set of required resources configured in the second cloud environment and the user settings; and creating, by the multi-cloud infrastructure, a link resource object including information linking the user's tenancy in the first cloud environment to the user's account in the second cloud environment, the link resource object enabling the user to utilize services provided by the multi-cloud infrastructure.
[0009] According to one aspect of the disclosure, a computing device is provided, comprising one or more processors and a memory including instructions that, when executed using the one or more processors, cause the computing device to at least: receive, by a multi-cloud infrastructure included in a first cloud environment, a request from a user associated with an account in a second cloud environment, the request requesting user sign-up including metadata information associated with the user for services provided by the multi-cloud infrastructure; in response to determining, based on the metadata information, that a set of required resources has not been configured in the second cloud environment for the user, sending, by the multi-cloud infrastructure, a notification to the user, the notification indicating that the set of required resources should be configured in the second cloud environment; verifying, by the multi-cloud infrastructure, the validity of the set of required resources configured in the second cloud environment and the user settings; and creating, by the multi-cloud infrastructure, a link resource object including information linking the user's tenancy in the first cloud environment to the user's account in the second cloud environment, the link resource object enabling the user to utilize services provided by the multi-cloud infrastructure.
[0010] Aspects of the present disclosure provide a computing device comprising one or more data processors and a non-transitory computer-readable storage medium containing instructions that, when executed on the one or more data processors, cause the computing device to perform some or all of one or more methods disclosed herein.
[0011] Another aspect of the present disclosure provides a computer program product, tangibly embodied in a non-transitory machine-readable storage medium, comprising instructions configured to cause one or more data processors to perform some or all of one or more of the methods disclosed herein.
[0012] The foregoing, together with other features and embodiments, will become more apparent upon reference to the following specification, claims, and accompanying drawings.
[0013] The features, embodiments, and advantages of the present disclosure will be better understood when the following detailed description is read in conjunction with the accompanying drawings. [Brief explanation of the drawings]
[0014] [Figure 1] 1 is a high-level diagram of a distributed environment illustrating a virtual or overlay cloud network hosted by a cloud service provider infrastructure, according to an embodiment. [Figure 2] FIG. 2 illustrates a simplified architectural diagram of physical components in a physical network within a CSPI, according to an embodiment. [Figure 3] FIG. 1 illustrates an exemplary arrangement within CSPI in which a host machine is connected to multiple network virtualization devices (NVDs), according to one embodiment. [Figure 4] A diagram illustrating connections between a host machine and an NVD to achieve I / O virtualization to support multi-tenancy functionality in accordance with one embodiment. [Figure 5] FIG. 2 illustrates a simplified block diagram of a physical network provided by CSPI, according to one embodiment. [Figure 6]1 is a simplified high-level diagram of a distributed environment including multiple cloud environments offered by different cloud service providers (CSPs), including a particular cloud environment that provides specialized infrastructure that enables one or more cloud services offered by that particular cloud environment to be used by customers of the other cloud environments, according to one embodiment. [Figure 7] FIG. 1 illustrates an exemplary high-level architecture of a multi-cloud infrastructure that interconnects two different cloud environments, according to some embodiments. [Figure 8] FIG. 10 shows an exemplary swim diagram illustrating steps corresponding to a user sign-up process, according to some embodiments. [Figure 9] FIG. 10 shows an exemplary swim diagram illustrating steps corresponding to an inbound admission process, according to some embodiments. [Figure 10] FIG. 10 shows an exemplary swim diagram illustrating steps corresponding to an outbound authorization process, according to some embodiments. [Figure 11A] FIG. 10 shows an exemplary swim diagram illustrating steps corresponding to a user sign-in process, according to an embodiment, in accordance with some embodiments. [Figure 11B] FIG. 1 shows a schematic diagram illustrating the deployment of resources with a multi-cloud infrastructure, according to some embodiments. [Figure 12] FIG. 1 is a block diagram illustrating one pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment. [Figure 13] FIG. 1 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment. [Figure 14] FIG. 1 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment. [Figure 15]FIG. 1 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment. [Figure 16] FIG. 1 is a block diagram illustrating an exemplary computer system according to at least one embodiment. DETAILED DESCRIPTION OF THE INVENTION
[0015] Detailed Description In the following description, for purposes of explanation, specific details are set forth in order to provide a thorough understanding of certain embodiments. However, it will be apparent that various embodiments may be practiced without these specific details. The figures and descriptions are not intended to be limiting. The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs.
[0016] The present disclosure relates generally to improved cloud architectures, and more particularly to techniques for linking two cloud environments (each provided by a different cloud service provider (CSP)) so that a user of one cloud environment can use services provided by another, different cloud environment. Various embodiments are described herein, including methods, systems, non-transitory computer-readable storage media that store programs, code, or instructions executable by one or more processors, and the like. Some embodiments may be implemented using a computer program product that includes computer programs / instructions that, when executed by a processor, cause the processor to perform any of the methods described in this disclosure.
[0017] Embodiments of the present disclosure provide a Multi-Cloud Control Plane (MCCP) framework that provisions functionality for delivering services of a particular cloud network (e.g., Oracle Cloud Infrastructure (OCI)) to users on other clouds (e.g., in Amazon's AWS). The MCCP framework enables users (of other cloud environments) to access services of the cloud environment (e.g., PaaS services) while providing a user experience that is as close as possible to the user's experience of their native cloud environment. A key challenge of MCCP is to enable customers to experience the full data plane functionality of services in external clouds.
[0018] The MCCP enables users of a second cloud infrastructure (e.g., AWS users) to utilize resources (e.g., database resources) provided by a first cloud infrastructure (e.g., OCI) in a manner that is transparent to the users. In particular, the services provided by the first cloud infrastructure appear as "native" services in the second cloud infrastructure. This allows customers of the second cloud infrastructure to natively access services provided by the first cloud infrastructure. As described below with reference to Figures 6-11, the MCCP is a collection of microservices running in the first cloud infrastructure that expose the resources of the first cloud infrastructure for utilization by external cloud users (e.g., users of the second cloud infrastructure). Each of these microservices acts as a proxy that provides communication with the resources provided by the first cloud infrastructure.
[0019] Cloud Network Example The term cloud services is typically used to refer to services made available on-demand (e.g., through a subscription model) by a cloud service provider (CSP) to users or customers using systems and infrastructure (cloud infrastructure) provided by the CSP. Typically, the servers and systems that make up the CSP's infrastructure are separate from the customer's own on-premises servers and systems. Thus, customers can use cloud services provided by the CSP without having to purchase separate hardware and software resources for the service. Cloud services are designed to provide subscribing customers with easy and scalable access to applications and computing resources without requiring the customer to invest in procuring the infrastructure used to deliver the service.
[0020] There are multiple cloud service providers offering different types of cloud services. There are various types or models of cloud services, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), etc.
[0021] A customer can subscribe to one or more cloud services offered by a CSP. A customer can be any entity, such as an individual, an organization, or a business. When a customer subscribes or registers for a service offered by a CSP, a tenancy or account is created for that customer. The account then enables the customer to access one or more subscribed cloud resources associated with the account.
[0022] As mentioned above, infrastructure as a service (IaaS) is a specific type of cloud computing service. In the IaaS model, a CSP provides infrastructure (called cloud services provider infrastructure or CSPI) that can be used by customers to build their own customizable networks and deploy their resources. Therefore, the customer's resources and network are hosted in a distributed environment by the infrastructure provided by the CSP. This differs from traditional computing, where the customer's resources and network are hosted by the infrastructure provided by the customer.
[0023] CSPI can comprise interconnected, high-performance computing resources, including various host machines, memory resources, and network resources that form a physical network, also known as a substrate network or underlay network. Resources in CSPI can be distributed across one or more data centers, which can be geographically distributed across one or more geographic regions. Virtualization software can be run by these physical resources to provide a virtualized, distributed environment. This virtualization creates an overlay network (also known as a software-based network, software-defined network, or virtual network) on top of the physical network. The CSPI physical network provides the underlying foundation upon which one or more overlay or virtual networks can be created on top of the physical network. The physical network (or substrate or underlay network) includes physical network devices such as physical switches, routers, computers, and host machines. An overlay network is a logical (or virtual) network that operates on top of the physical substrate network. A particular physical network can support one or more overlay networks. Overlay networks typically use encapsulation techniques to distinguish traffic belonging to different overlay networks. A virtual network or overlay network is also called a virtual cloud network (VCN). A virtual network is implemented using software virtualization technologies (e.g., hypervisors, network virtualization devices (NVDs) (e.g., smart NICs), top-of-rack (TOR) switches, virtualization functions performed by smart TORs that perform one or more functions performed by NVDs, and other mechanisms) to create a layer of network abstraction that can run on top of a physical network. Virtual networks can take many forms, including peer-to-peer networks, IP networks, etc.Virtual networks are typically either Layer 3 IP networks or Layer 2 VLANs. This method of virtual or overlay networking is often called a virtual Layer 3 network or an overlay Layer 3 network. Examples of protocols developed for virtual networks include IP-in-IP (or Generic Routing Encapsulation (GRE)), Virtual Extensible LAN (VXLAN - IETF RFC 7348), Virtual Private Networks (VPN) (e.g., MPLS Layer 3 Virtual Private Network (RFC 4364)), VMware's NSX, and Generic Network Virtualization Encapsulation (GENEVE).
[0024] In the case of IaaS, the infrastructure provided by the CSP (CSPI) may be configured to provide virtualized computing resources over a public network (e.g., the Internet). In the IaaS model, a cloud computing service provider may host infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., hypervisor layer), etc.). In some cases, the IaaS provider may offer various services (e.g., billing, monitoring, logging, security, load balancing, clustering, etc.) incidental to those infrastructure components. Accordingly, these services may be policy-driven, allowing IaaS users to implement policies to drive load balancing and maintain application availability and performance. CSPI provides infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services within a highly available, hosted, distributed environment. CSPI provides high-performance computing resources and computing power as well as storage capacity within a flexible virtual network that can be securely accessed from various networked locations, such as from the customer's on-premises network. When a customer subscribes or registers for an IaaS service offered by a CSP, the tenancy created for that customer is a secure, isolated partition within the CSP where the customer can create, organize, and manage their cloud resources.
[0025] Customers can build their own virtual networks using the compute, memory, and network resources provided by CSPI. One or more customer resources or workloads, such as compute instances, can be deployed into these virtual networks. For example, customers can build one or more customizable private virtual networks called virtual cloud networks (VCNs) using resources provided by CSPI. Customers can deploy one or more customer resources, such as compute instances, into their VCNs. Compute instances can take the form of virtual machines, bare metal instances, etc. Thus, CSPI provides infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services within a highly available, hosted virtual environment. While customers do not manage or control the underlying physical resources provided by CSPI, they have control over the operating system, storage, deployed applications, and in some cases, limited control over selected network components (e.g., firewalls).
[0026] The CSP may provide a console that allows customers and network administrators to configure, access, and manage resources deployed in the cloud using CSPI resources. In one embodiment, the console provides a web-based user interface that can be used to access and manage the CSPI. In some implementations, the console is a web-based application provided by the CSP.
[0027] CSPI may support single-tenancy or multi-tenancy architectures. In a single-tenancy architecture, a software component (e.g., an application, a database) or a hardware component (e.g., a host machine or server) serves a single customer or tenant. In a multi-tenancy architecture, a software component or hardware component serves multiple customers or tenants. Thus, in a multi-tenancy architecture, CSPI resources are shared among multiple customers or tenants. In a multi-tenancy situation, precautions are taken and safeguards are implemented within CSPI to ensure that each tenant's data remains isolated and invisible to other tenants.
[0028] In a physical network, a network endpoint (“endpoint”) refers to a computing device or system that is connected to the physical network and communicates with the connected network. Network endpoints in a physical network may be connected to a local area network (LAN), a wide area network (WAN), or other types of physical networks. Examples of traditional endpoints in a physical network include modems, hubs, bridges, switches, routers, and other network devices, physical computers (or host machines), and the like. Each physical device in a physical network has a fixed network address that can be used to communicate with the device. This fixed network address can be a Layer 2 address (e.g., a MAC address), a fixed Layer 3 address (e.g., an IP address), and the like. In a virtual environment or virtual network, endpoints can include various virtual endpoints, such as virtual machines hosted by components of the physical network (e.g., hosted by a physical host machine). These endpoints in the virtual network are addressed by overlay addresses, such as overlay Layer 2 addresses (e.g., an overlay MAC address) and overlay Layer 3 addresses (e.g., an overlay IP address). Network overlays enable flexibility by allowing network administrators to move between overlay addresses associated with network endpoints using software management (e.g., by software implementing the virtual network's control plane). Thus, unlike physical networks, in virtual networks, overlay addresses (e.g., overlay IP addresses) can be moved from one endpoint to another using network management software. Because virtual networks are built on top of physical networks, communication between components in a virtual network involves both the virtual network and the underlying physical network.To facilitate such communications, CSPI components are configured to learn and store mappings that map overlay addresses in the virtual network to actual physical addresses in the substrate network, and vice versa. These mappings are then used to facilitate communications. Customer traffic is encapsulated to facilitate routing within the virtual network.
[0029] Thus, a physical address (e.g., a physical IP address) is associated with a component in a physical network, and an overlay address (e.g., an overlay IP address) is associated with an entity in a virtual or overlay network. A physical IP address is an IP address associated with a physical device (e.g., a network device) in a substrate or physical network. For example, each NVD has an associated physical IP address. An overlay IP address is an overlay address associated with an entity in an overlay network, such as associated with a compute instance in a customer's virtual cloud network (VCN). Two different customers or tenants, each with their own private VCN, could potentially use the same overlay IP address in their VCN without any knowledge of each other. Both physical IP addresses and overlay IP addresses are types of real IP addresses. These IP addresses exist separately from virtual IP addresses. A virtual IP address is typically a single IP address that represents or maps to multiple real IP addresses. A virtual IP address provides a one-to-many mapping between a virtual IP address and multiple real IP addresses. For example, a load balancer may use a VIP to map to or represent multiple servers, each with its own real IP address.
[0030] A cloud infrastructure or CSPI is physically hosted in one or more data centers in one or more regions around the world. The CSPI may include components in a physical or substrate network and virtual components (e.g., virtual networks, compute instances, virtual machines, etc.) in a virtual network built on top of the physical network components. In one embodiment, the CSPI is organized and hosted in realms, regions, and availability domains. A region is a local geographic area that typically contains one or more data centers. Regions are generally independent of each other and may be separated by vast distances, for example, spanning multiple countries or continents. For example, a first region may be in Australia, another region may be in Japan, yet another region may be in India, etc. CSPI resources are divided among regions so that each region contains its own independent subset of CSPI resources. Each region may provide a set of core infrastructure services and resources, such as compute resources (e.g., bare metal servers, virtual machines, containers, and related infrastructure), storage resources (e.g., block volume storage, file storage, object storage, archive storage), network resources (e.g., virtual cloud networks (VCNs), load balancing resources, connectivity to on-premises networks), database resources, edge network resources (e.g., DNS), and access management and monitoring resources. Each region typically has multiple paths connecting it to other regions within the realm.
[0031] Because using nearby resources is faster than using resources that are farther away, applications are typically deployed in the region where they are most frequently used (i.e., deployed to the infrastructure associated with that region). Applications may also be deployed in different regions for a variety of reasons, such as redundancy to mitigate the risk of region-wide events such as large weather systems or earthquakes, to meet changing requirements for legal jurisdictions, tax areas, and other business or societal criteria.
[0032] Data centers within a region may be further organized and subdivided into availability domains (ADs). An availability domain may correspond to one or more data centers located within a region. A region may be composed of one or more availability domains. In such a distributed environment, CSPI resources are either specific to a region, such as a virtual cloud network (VCN), or specific to an availability domain, such as a compute instance.
[0033] ADs within a region are isolated from each other, fault-tolerant, and configured to be highly unlikely to fail simultaneously. This is achieved by ADs that do not share critical infrastructure resources, such as networks, physical cables, cable routes, or cable entry points, so that a failure in one AD within a region is unlikely to affect the availability of other ADs in the same region. ADs within the same region may be connected to each other by low-latency, high-bandwidth networks that provide highly available connectivity to other networks (e.g., the Internet, customer on-premises networks, etc.) and enable the creation of replicated systems in multiple ADs for both high availability and disaster recovery. Cloud services use multiple ADs to ensure high availability and protect against resource failures. As the infrastructure provided by an IaaS provider grows, more regions and ADs with additional capacity may be added. Traffic between availability domains is typically encrypted.
[0034] In one embodiment, regions are grouped into realms. A realm is a logical collection of regions. Realms are isolated from each other and do not share any data. Regions within the same realm may communicate with each other, but regions in different realms cannot. A customer's tenancy or account, along with a CSP, exists within a single realm and can be distributed across one or more regions belonging to that realm. Typically, when a customer subscribes to an IaaS service, a tenancy or account is created for the customer in a region designated by the customer within the realm (called the "home" region). The customer can extend their tenancy across one or more other regions within the realm. A customer cannot access regions that are not within the realm in which the customer's tenancy resides.
[0035] An IaaS provider may offer multiple realms, each catering to the requirements of a particular set of customers or users. For example, a commercial realm may be offered to commercial customers. As another example, a realm may be offered to a particular country for customers in that country. As yet another example, a government realm may be offered to a government, etc. For example, the government realm may cater to specific government requirements and may have higher security than the commercial realm. For example, Oracle Cloud Infrastructure (OCI) currently offers two realms: one for a commercial region and one for a government cloud region (e.g., FedRAMP-certified and IL5-certified).
[0036] In one embodiment, an AD can be subdivided into one or more failure domains. A failure domain is a group of infrastructure resources within an AD to provide anti-affinity. Fault domains enable the distribution of compute instances so that multiple compute instances do not reside on the same physical hardware within a single AD. This distribution is known as anti-affinity. A failure domain refers to a set of hardware components (computers, switches, etc.) that share a single point of failure. A compute pool is logically divided into failure domains. Therefore, a hardware failure or compute hardware maintenance event that affects one failure domain does not affect instances in other failure domains. Depending on the embodiment, the number of failure domains per AD may vary. For example, in one embodiment, each AD includes three failure domains. Fault domains act as logical data centers within an AD.
[0037] When a customer subscribes to an IaaS service, resources from CSPI are provisioned for the customer and associated with the customer's tenancy. The customer can use these provisioned resources to build private networks and deploy resources into these networks. A customer's network hosted in the cloud by CSPI is called a virtual cloud network (VCN). A customer can configure one or more virtual cloud networks (VCNs) using the CSPI resources allocated to the customer. A VCN is a virtual private network or software-defined private network. The customer's resources deployed within a customer's VCN can include compute instances (e.g., virtual machines, bare metal instances) and other resources. These compute instances may represent various customer workloads, such as applications, load balancers, databases, etc. Compute instances deployed in a VCN can communicate with endpoints publicly accessible over public networks such as the Internet ("public endpoints"), with other instances in the same VCN or other VCNs (e.g., other VCNs of the customer or VCNs not belonging to the customer), with the customer's on-premises data center or network, and with service endpoints and other types of endpoints.
[0038] CSPs may offer various services using CSPI. In some cases, customers of a CSPI may act as service providers themselves and offer services using CSPI resources. Service providers may expose service endpoints characterized by identifying information (e.g., IP addresses, DNS names, and DNS ports). Customer resources (e.g., compute instances) can consume a particular service by accessing the service endpoint exposed by the service for that service. These service endpoints are generally publicly accessible by users over a public communications network, such as the Internet, using the public IP address associated with the endpoint. Publicly accessible network endpoints are sometimes referred to as public endpoints.
[0039] In one embodiment, a service provider may expose a service via an endpoint for the service (sometimes referred to as a service endpoint). Customers of the service can then access the service using this service endpoint. In some implementations, a service endpoint provided for a service can be accessed by multiple customers wishing to consume the service. In other implementations, a dedicated service endpoint may be provided to a customer, allowing only that customer to access the service using that dedicated service endpoint.
[0040] In one embodiment, when a VCN is created, it is associated with a private overlay Classless Inter-Domain Routing (CIDR) address space, which is a range of private overlay IP addresses (e.g., 10.0 / 16) that is assigned to the VCN. A VCN includes associated subnets, route tables, and gateways. A VCN exists within a single region but can span one, more, or all of the region's availability domains. A gateway is a virtual interface configured for a VCN that enables traffic to and from the VCN to one or more endpoints outside the VCN. One or more different types of gateways may be configured for a VCN to enable communication with different types of endpoints.
[0041] A VCN can be subdivided into one or more subnetworks, such as one or more subnets. A subnet is thus a unit of configuration or subdivision that can be created within a VCN. A VCN can contain one or more subnets. Each subnet in a VCN is associated with a contiguous range of overlay IP addresses (e.g., 10.0.0.0 / 24 and 10.0.1.0 / 24) that represents a subset of address space within the VCN's address space and does not overlap with other subnets in that VCN.
[0042] Each compute instance is associated with a virtual network interface card (VNIC) that allows the compute instance to participate in a subnet of a VCN. A VNIC is a logical representation of a physical network interface card (NIC). In general, a VNIC is an interface between an entity (e.g., a compute instance, a service) and a virtual network. A VNIC resides in a subnet and has one or more associated IP addresses and associated security rules or policies. A VNIC is equivalent to a Layer 2 port on a switch. A VNIC is connected to a compute instance and to a subnet within a VCN. A VNIC associated with a compute instance allows the compute instance to become part of a subnet of a VCN and enables the compute instance to communicate (e.g., send and receive packets) with endpoints on the same subnet as the compute instance, endpoints in a different subnet within the VCN, or endpoints outside the VCN. Thus, the VNIC associated with a compute instance determines how the compute instance connects with endpoints inside and outside the VCN. A VNIC for a compute instance is created and associated with the compute instance when the compute instance is created and added to a subnet in a VCN. For a subnet containing a set of compute instances, the subnet contains VNICs corresponding to the set of compute instances, and each VNIC connects to one compute instance in the set of compute instances.
[0043] Each compute instance is assigned a private overlay IP address through the VNIC associated with the compute instance. This private overlay IP address is assigned to the VNIC associated with the compute instance when the compute instance is created and is used to route traffic to and from the compute instance. All VNICs within a particular subnet use the same route table, security lists, and DHCP options. As previously mentioned, each subnet within a VCN is associated with a contiguous range of overlay IP addresses (e.g., 10.0.0.0 / 24 and 10.0.1.0 / 24) that represents a subset of address space within the VCN's address space that does not overlap with other subnets within that VCN. For a VNIC on a particular subnet of a VCN, the private overlay IP address assigned to the VNIC is an address from the contiguous range of overlay IP addresses assigned to that subnet.
[0044] In one embodiment, a compute instance may optionally be assigned an additional overlay IP address in addition to the private overlay IP address, such as one or more public IP addresses if it is in a public subnet. These multiple addresses may be assigned to the same VNIC or across multiple VNICs associated with the compute instance. However, each instance has a primary VNIC that is created during instance launch and associated with the private overlay IP address assigned to the instance, and this primary VNIC cannot be removed. Additional VNICs, called secondary VNICs, may be added to an existing instance in the same availability domain as the primary VNIC. All VNICs are in the same availability domain as the instance. The secondary VNICs can be in a subnet in the same VCN as the primary VNIC or in a different subnet, either in the same VCN or in a different VCN.
[0045] If a compute instance is in a public subnet, the compute instance may optionally be assigned a public IP address. When a subnet is created, it can be specified as either a public subnet or a private subnet. A private subnet means that resources (e.g., compute instances) and associated VNICs in the subnet cannot have public overlay IP addresses. A public subnet means that resources and associated VNICs in the subnet can have public IP addresses. Customers can specify a subnet to exist in a single availability domain or across multiple availability domains within a region or realm.
[0046] As mentioned above, a VCN may be subdivided into one or more subnets. In one embodiment, a virtual router (VR) configured for a VCN (referred to as a VCN VR or simply VR) enables communication between subnets of the VCN. For a subnet within a VCN, the VR represents the logical gateway for that subnet, allowing the subnet (i.e., the compute instances on that subnet) to communicate with endpoints on other subnets within the VCN and with other endpoints outside the VCN. A VCN VR is a logical entity configured to route traffic between VNICs within a VCN and a virtual gateway ("gateway") associated with the VCN. Gateways are further described below with respect to FIG. 1. A VCN VR is a Layer 3 / IP layer concept. In one embodiment, there is one VCN VR per VCN, and the VCN VR has a potentially unlimited number of ports addressed by IP addresses, one port for each subnet of the VCN. In this way, the VCN VR has a different IP address for each subnet within the VCN to which the VCN VR is connected. The VRs are also connected to various gateways configured for the VCN. In one embodiment, a specific overlay IP address from a subnet's overlay IP address range is reserved for ports in that subnet's VCN VR. For example, consider a VCN that includes two subnets with associated address ranges 10.0 / 16 and 10.1 / 16, respectively. For the first subnet in the VCN with address range 10.0 / 16, an address from this range is reserved for ports in that subnet's VCN VR. In some cases, the first IP address from this range may be reserved for a VCN VR. For example, for a subnet with overlay IP address range 10.0 / 16, IP address 10.0.0.1 may be reserved for ports in that subnet's VCN VR.For a second subnet in the same VCN with address range 10.1 / 16, the VCN VR may have a port in that second subnet with IP address 10.1.0.1. The VCN VR has a different IP address for each of the subnets in the VCN.
[0047] In some other embodiments, each subnet in a VCN may include a VR associated with it that is addressable by the subnet using a reserved or default IP address associated with the VR. The reserved or default IP address may, for example, be the first IP address from a range of IP addresses associated with the subnet. VNICs in a subnet can use this default or reserved IP address to communicate with (e.g., send and receive packets from) the VR associated with the subnet. In such embodiments, a VR is an ingress / egress point for that subnet. VRs associated with a subnet in a VCN can communicate with other VRs associated with other subnets in the VCN. VRs can also communicate with gateways associated with the VCN. The VR functions for a subnet are running on or performed by one or more NVDs that are performing the VNIC functions for VNICs in the subnet.
[0048] Route tables, security rules, and DHCP options may be configured for a VCN. A route table is a virtual route table for a VCN and contains rules for routing traffic from subnets within the VCN to destinations outside the VCN via gateways or specially configured instances. A VCN's route table can be customized to control how packets are forwarded / routed to and from the VCN. DHCP options refer to configuration information that is automatically provided to instances when they launch.
[0049] Security rules configured for a VCN represent the overlay firewall rules for the VCN. Security rules include ingress and egress rules and can specify the type of traffic (e.g., based on protocol and port) allowed in and out of instances within the VCN. Customers can choose whether a particular rule is stateful or stateless. For example, a customer can allow incoming SSH traffic from any location to a set of instances by configuring a stateful ingress rule with source CIDR 0.0.0.0 / 0 and destination TCP port 22. Security rules can be implemented using network security groups or security lists. A network security group consists of a set of security rules that apply only to resources within that group. A security list, on the other hand, contains rules that apply to all resources in any subnet that uses the security list. A VCN may have a default security list that contains default security rules. DHCP options configured for a VCN provide configuration information that is automatically provided to instances within the VCN when the instances launch.
[0050] In one embodiment, configuration information for a VCN is determined and stored by a VCN control plane. The configuration information for a VCN may include, for example, information about address ranges associated with the VCN, subnets and associated information within the VCN, one or more VRs associated with the VCN, compute instances and associated VNICs within the VCN, NVDs (e.g., VNICs, VRs, gateways) performing various virtualized network functions associated with the VCN, VCN state information, and other VCN-related information. In one embodiment, a VCN distribution service publishes the configuration information stored by the VCN control plane or portions thereof to the NVD. The distributed information may be used to update information (e.g., forwarding tables, routing tables, etc.) stored and used by the NVD to forward packets to and from compute instances within the VCN.
[0051] In one embodiment, VCN and subnet creation is handled by a VCN Control Plane (CP), and compute instance launch is handled by the Compute Control Plane. The Compute Control Plane is responsible for allocating physical resources to compute instances and then calls the VCN Control Plane to create and attach VNICs to the compute instances. The VCN CP also sends VCN data mappings to a VCN Data Plane configured to perform packet forwarding and routing functions. In one embodiment, the VCN CP provides a distribution service that is responsible for providing updates to the VCN Data Plane. Examples of VCN Control Planes are also shown in Figures 12, 13, 14, and 15 (see reference numbers 1216, 1316, 1416, and 1516) and are described below.
[0052] A customer may create one or more VCNs using resources hosted by CSPI. Compute instances deployed in a customer's VCN may communicate with various endpoints. These endpoints may include endpoints hosted by CSPI and endpoints external to CSPI.
[0053] Various different architectures for implementing cloud-based services using CSPI are shown in Figures 1, 2, 3, 4, 5, and 12-16 and are described below. Figure 1 is a high-level diagram of a distributed environment 100 illustrating an overlay VCN or customer VCN hosted by CSPI according to one embodiment. The distributed environment shown in Figure 1 includes multiple components within an overlay network. The distributed environment 100 shown in Figure 1 is merely an example and is not intended to unduly limit the scope of the claimed embodiments. Many variations, alternatives, and modifications are possible. For example, in some implementations, the distributed environment shown in Figure 1 may include more or fewer systems or components than those shown in Figure 1, may combine two or more subsystems, or may include a different configuration or arrangement of systems.
[0054] As shown in the example depicted in FIG. 1 , distributed environment 100 includes CSPI 101, which provides services and resources that customers can subscribe to and use to build their own virtual cloud networks (VCNs). In one embodiment, CSPI 101 provides IaaS services to subscribing customers. Data centers within CSPI 101 may be organized into one or more regions. One exemplary region, “Region US” 102, is shown in FIG. 1 . A customer has configured a customer VCN with Oracle International Corporation for region 102. A customer may deploy various compute instances into VCN 104, which may include virtual machines or bare metal instances. Example instances include applications, databases, load balancers, etc.
[0055] In the embodiment shown in FIG. 1 , customer VCN 104 includes two subnets, "Subnet 1" and "Subnet 2," each with its own CIDR IP address range. In FIG. 1 , Subnet 1's overlay IP address range is 10.0 / 16, and Subnet 2's address range is 10.1 / 16. VCN virtual router 105 represents the VCN's logical gateway, enabling communication between subnets in VCN 104 and with other endpoints outside the VCN. VCN VR 105 is configured to route traffic between VNICs in VCN 104 and the gateway associated with VCN 104. VCN VR 105 provides a port for each subnet in VCN 104. For example, VR 105 may provide a port with IP address 10.0.0.1 for Subnet 1 and a port with IP address 10.1.0.1 for Subnet 2.
[0056] Multiple compute instances may be deployed in each subnet, and the compute instances can be virtual machine instances and / or bare metal instances. The compute instances in a subnet may be hosted by one or more host machines in CSPI101. A compute instance joins a subnet through a VNIC associated with the compute instance. For example, as shown in FIG. 1, compute instance C1 becomes part of subnet 1 through a VNIC associated with the compute instance. Similarly, compute instance C2 becomes part of subnet 1 through a VNIC associated with C2. In a similar manner, multiple compute instances, which may be virtual machine instances or bare metal instances, may become part of subnet 1. Each compute instance is assigned a private overlay IP address and a MAC address through its associated VNIC. For example, in FIG. 1, compute instance C1 has an overlay IP address of 10.0.0.2 and a MAC address of M1, while compute instance C2 has a private overlay IP address of 10.0.0.3 and a MAC address of M2. Each compute instance in Subnet 1, including compute instances C1 and C2, has a default route to VCN VR105 using IP address 10.0.0.1, which is the IP address of a port in VCN VR105 in Subnet 1.
[0057] Subnet2 may have multiple compute instances deployed, including virtual machine instances and / or bare metal instances. For example, as shown in FIG. 1, compute instances D1 and D2 become part of Subnet2 through VNICs associated with the respective compute instances. In the embodiment shown in FIG. 1, compute instance D1 has an overlay IP address of 10.1.0.2 and a MAC address of MM1, while compute instance D2 has a private overlay IP address of 10.1.0.3 and a MAC address of MM2. Each compute instance in Subnet2, including compute instances D1 and D2, has a default route to VCN VR105 using IP address 10.1.0.1, which is the IP address of a port in VCN VR105 in Subnet2.
[0058] VCN A 104 may include one or more load balancers. For example, a load balancer may be provided for a subnet and configured to load balance traffic across multiple compute instances on the subnet. A load balancer may be provided to load balance traffic across multiple subnets within a VCN.
[0059] A particular compute instance deployed in VCN 104 can communicate with various endpoints. These endpoints may include endpoints hosted by CSPI 200 and endpoints outside of CSPI 200. Endpoints hosted by CSPI 101 may include endpoints on the same subnet as the particular compute instance (e.g., communication between two compute instances in Subnet 1), endpoints on a different subnet but within the same VCN (e.g., communication between a compute instance in Subnet 1 and a compute instance in Subnet 2), endpoints in a different VCN within the same region (e.g., communication between a compute instance in Subnet 1 and an endpoint in a VCN within the same region 106 or 110, communication between a compute instance in Subnet 1 and an endpoint within the service network 110 within the same region), or endpoints in a VCN in a different region (e.g., communication between a compute instance in Subnet 1 and an endpoint in a VCN in a different region 108). Compute instances in a subnet hosted by CSPI 101 may communicate with endpoints not hosted by CSPI 101 (i.e., outside of CSPI 101). These external endpoints include endpoints within the customer's on-premise network 116, endpoints within other remote cloud-hosted networks 118, public endpoints 114 accessible via public networks such as the Internet, and other endpoints.
[0060] Communication between compute instances on the same subnet is facilitated using VNICs associated with the source and destination compute instances. For example, compute instance C1 in Subnet 1 may want to send a packet to compute instance C2 in Subnet 1. For a packet originating from the source compute instance and destined for another compute instance in the same subnet, the packet is first processed by the VNIC associated with the source compute instance. The processing performed by the VNIC associated with the source compute instance may include determining the packet's destination information from the packet header, identifying any policies (e.g., security lists) configured for the VNIC associated with the source compute instance, determining the packet's next hop, performing any packet encapsulation / decapsulation functions as needed, and then forwarding / routing the packet to the next hop to facilitate communication of the packet with its intended destination. If the destination compute instance is in the same subnet as the source compute instance, the VNIC associated with the source compute instance is configured to identify the VNIC associated with the destination compute instance and forward the packet to that VNIC for processing. The VNIC associated with the destination compute instance then executes and forwards the packet to the destination compute instance.
[0061] For packets traveling from a compute instance in a subnet to an endpoint in a different subnet within the same VCN, this communication is facilitated by the VNICs and VCN VRs associated with the source and destination compute instances. For example, if compute instance C1 in Subnet 1 in Figure 1 wants to send a packet to compute instance D1 in Subnet 2, the packet is first processed by the VNIC associated with compute instance C1. The VNIC associated with compute instance C1 is configured to route the packet to VCN VR105 using the VCN VR's default route or port 10.0.0.1. VCN VR105 is configured to route the packet to Subnet 2 using port 10.1.0.1. The packet is then received and processed by the VNIC associated with D1, which forwards the packet to compute instance D1.
[0062] For packets traveling from a compute instance within VCN 104 to an endpoint outside VCN 104, the communication is facilitated by a VNIC associated with the source compute instance, VCN VR 105, and a gateway associated with VCN 104. One or more types of gateways may be associated with VCN 104. A gateway is an interface between a VCN and another endpoint, where the other endpoint is outside the VCN. A gateway is a Layer 3 / IP layer concept that allows a VCN to communicate with endpoints outside the VCN. Thus, a gateway facilitates traffic flow between a VCN and other VCNs or networks. Different types of gateways may be configured for a VCN to facilitate different types of communication with different types of endpoints. Depending on the gateway, the communication may go over a public network (e.g., the Internet) or a private network. Various communication protocols may be used for these communications.
[0063] For example, compute instance C1 may wish to communicate with an endpoint outside VCN 104. The packet may first be processed by a VNIC associated with the source compute instance C1. This VNIC processing determines that the packet's destination is outside of Subnet 1 of C1. The VNIC associated with C1 may forward the packet to VCN VR105 of VCN 104. VCN VR105 then processes the packet and, as part of this processing, determines a particular gateway associated with VCN 104 as the packet's next hop based on the packet's destination. VCN VR105 may then forward the packet to the particular identified gateway. For example, if the destination is an endpoint within a customer's on-premises network, VCN VR105 may forward the packet to a dynamic routing gateway (DRG) gateway 122 configured for VCN 104. The packet may then be forwarded from the gateway to the next hop to facilitate propagation of the packet to its final intended destination.
[0064] Various types of gateways may be configured for a VCN. Examples of gateways that may be configured for a VCN are shown in FIG. 1 and described below. Examples of gateways associated with a VCN are also shown in FIGS. 12, 13, 14, and 15 (e.g., gateways referenced by reference numbers 1234, 1236, 1238, 1334, 1336, 1338, 1434, 1436, 1438, 1534, 1536, and 1538) and described below. As shown in the embodiment shown in FIG. 1, a dynamic routing gateway (DRG) 122 may be added to or associated with a customer's VCN 104 to provide a path for private network traffic communication between the customer's VCN 104 and another endpoint, which could be the customer's on-premises network 116, a VCN 108 in a different region of CSPI 101, or another remote cloud network 118 not hosted by CSPI 101. The customer on-premises network 116 may be a customer network or a customer data center built using the customer's resources. Access to the customer on-premises network 116 is typically highly restricted. For customers with both a customer on-premises network 116 and one or more VCNs 104 deployed or hosted in the cloud by CSPI 101, the customer may want the customer on-premises network 116 and the customer's cloud-based VCNs 104 to be able to communicate with each other. This allows the customer to build an extended hybrid environment that encompasses the customer VCNs 104 hosted by CSPI 101 and the customer on-premises network 116. The DRG 122 enables this communication. To enable such communication, a communication channel 124 is set up, with one endpoint of the channel in the customer on-premises network 116 and the other endpoint in CSPI 101 connected to the customer VCN 104. The communication channel 124 can traverse a public or private communication network, such as the Internet.Various communication protocols may be used, such as IPsec VPN technology over a public communication network such as the Internet, or Oracle's FastConnect technology, which uses a private network instead of a public network. A device or equipment in the customer's on-premises network 116 that forms one endpoint of the communication channel 124 is called customer premise equipment (CPE), such as CPE 126 shown in Figure 1. On the CSPI 101 side, the endpoint may be a host machine running DRG 122.
[0065] In one embodiment, a Remote Peering Connection (RPC) can be added to a DRG, allowing a customer to peer one VCN with another VCN in a different region. Using such an RPC, a customer's VCN 104 can connect with a VCN 108 in another region using the DRG 122. The DRG 122 may also be used to communicate with other remote cloud networks 118 not hosted by CSPI 101, such as the Microsoft Azure cloud, the Amazon AWS cloud, etc.
[0066] 1, an Internet Gateway (IGW) 120 may be configured for a customer's VCN 104, enabling compute instances on VCN 104 to communicate with public endpoints 114 accessible over a public network, such as the Internet. IGW 120 is a gateway that connects a VCN to a public network, such as the Internet. IGW 120 enables direct access for public subnets within a VCN, such as VCN 104 (resources within the public subnet have public overlay IP addresses) to public endpoints 112 on the public network 114, such as the Internet. Using IGW 120, connections can be initiated from subnets within VCN 104 or from the Internet.
[0067] A Network Address Translation (NAT) gateway 128 may be configured for customer VCN 104 to enable access to the Internet for cloud resources in the customer's VCN that do not have dedicated public overlay IP addresses, without exposing those resources to direct incoming Internet connections (e.g., L4-L7 connections). This allows private subnets in the VCN, such as Private Subnet 1 in VCN 104, to private endpoints on the Internet. The NAT gateway only allows connections to be initiated from the private subnet to the public Internet; connections cannot be initiated from the Internet to the private subnet.
[0068] In one embodiment, a service gateway (SGW) 126 may be configured for a customer's VCN 104 and provides a pathway for private network traffic between VCN 104 and supported service endpoints in service network 110. In one embodiment, service network 110 may be provided by a CSP and may offer a variety of services. An example of such a service network is Oracle's Services Network, which offers a variety of services that may be used by customers. For example, a compute instance (e.g., a database system) in a private subnet of a customer's VCN 104 can back up data to a service endpoint (e.g., object storage) without requiring a public IP address or access to the Internet. In one embodiment, a VCN may include only one SGW, and connections can be initiated only from subnets within the VCN, not from service network 110. When a VCN is peered with another VCN, resources in the other VCN typically do not have access to the SGW. Resources in an on-premises network connected to a VCN using a FastConnect or VPN connection can also use a service gateway configured for that VCN.
[0069] In one implementation, SGW 126 uses the concept of a service classless inter-domain routing (CIDR) label, which is a string that represents the public IP address range of all regions for a service or group of services of interest. A customer uses the service CIDR label when configuring the SGW and associated route rules to control traffic to the service. A customer can optionally utilize the service CIDR label when configuring security rules, avoiding the need to adjust those security rules if the service's public IP address changes in the future.
[0070] A Local Peering Gateway (LPG) 132 is a gateway that can be added to a customer's VCN 104, allowing the VCN 104 to peer with another VCN in the same region. Peering means that the VCNs communicate using private IP addresses without the traffic traversing a public network such as the Internet or routing the traffic through the customer's on-premises network 116. In a preferred embodiment, a VCN includes a separate LPG for each peering it establishes. Local peering or VCN peering is a common method used to establish network connectivity between different applications or infrastructure management functions.
[0071] A service provider, such as a provider of a service in service network 110, may provide access to the service using various access models. According to a public access model, the service may be exposed as a public endpoint, which may be publicly accessible by compute instances in the customer's VCN over a public network such as the Internet, and / or privately accessible through SGW 126. According to a specific private access model, the service is made accessible as a private IP endpoint in a private subnet in the customer's VCN. This access is called Private Endpoint (PE) access and allows service providers to expose services as instances in the customer's private network. A private endpoint resource represents a service in a customer's VCN. Each PE appears as a VNIC (referred to as a PE-VNIC with one or more private IPs) in a customer-selected subnet in the customer's VCN. Thus, the PE provides a way to present services in a subnet of the private customer's VCN using VNICs. Because the endpoints are exposed as VNICs, all features associated with the VNIC, such as routing rules, security lists, etc., are available to the PE VNIC.
[0072] A service provider can register a service to make it accessible through the PE. The provider can associate a policy with the service that limits the visibility of the service to the customer's tenancy. The provider can register multiple services under a single virtual IP address (VIP), especially for multi-tenant services. There can be multiple such private endpoints (in multiple VCNs) representing the same service.
[0073] Compute instances in the private subnet can then access the service using the private IP address of the PE VNIC or the DNS name of the service. Compute instances in a customer's VCN can access the service by sending traffic to the private IP address of the PE in the customer's VCN. A Private Access Gateway (PAGW) 130 is a gateway resource that can be connected to a service provider's VCN (e.g., a VCN in service network 110) and serves as the ingress / egress point for all traffic to and from private endpoints in customer subnets. The PAGW 130 allows providers to scale the number of PE connections without utilizing internal IP address resources. A provider needs to configure only one PAGW for any number of services registered within a single VCN. A provider can represent services as private endpoints in multiple VCNs for one or more customers. From the customer's perspective, the PE VNIC appears to be connected to the service with which the customer wants to interact, instead of to a customer instance. Traffic going to the private endpoint is routed to the service through the PAGW 130. These are called customer-to-service private connections (C2S (customer-to-service) connections).
[0074] The PE concept can also be used to extend private access of services to customer on-premises networks and data centers by allowing traffic to flow through FastConnect / IPsec links and private endpoints in the customer's VCN. Private access of services can also be extended to customer peered VCNs by allowing traffic to flow between LPG 132 and PEs in the customer's VCN.
[0075] A customer can control routing within a VCN at the subnet level, allowing the customer to specify which subnets within a customer's VCN, such as VCN 104, use each gateway. A VCN's route tables are used to determine whether traffic is allowed to exit a VCN through a particular gateway. For example, in a particular example, a route table for a public subnet within a customer's VCN 104 may send non-local traffic through IGW 120. A route table for a private subnet within the same customer's VCN 104 may send traffic going to a CSP service through SGW 126. All remaining traffic may be sent through NAT gateway 128. Route tables only control traffic that exits a VCN.
[0076] Security lists associated with a VCN are used to control traffic entering the VCN through the gateway via inbound connections. All resources within a subnet use the same route table and security lists. Security lists may be used to control the specific types of traffic allowed into and out of instances within a VCN's subnet. Security list rules may include ingress (inbound) rules and egress (outbound) rules. For example, ingress rules may specify allowed source address ranges, while egress rules may specify allowed destination address ranges. Security rules may specify a specific protocol (e.g., TCP, ICMP), a specific port (e.g., 22 for SSH, 3389 for Windows RDP), etc. In some implementations, the instance's operating system may enforce its own firewall rules that match the security list rules. Rules may be stateful (e.g., connections are tracked and responses are automatically allowed without explicit security list rules for the response traffic) or stateless.
[0077] Access from a customer's VCN (i.e., by resources or compute instances deployed in VCN 104) can be categorized as public access, private access, or dedicated access. Public access refers to an access model in which public IP addresses or NATs are used to access public endpoints. Private access allows customer workloads in VCN 104 with private IP addresses (e.g., resources in a private subnet) to access services without traversing a public network such as the Internet. In one embodiment, CSPI 101 enables workloads in a customer's VCN with private IP addresses to access (public service endpoints of) services using a service gateway. Thus, the service gateway provides a private access model by establishing a virtual link between the customer's VCN and the service's public endpoints, which reside outside the customer's private network.
[0078] Additionally, CSPI may provide dedicated public access using technologies such as FastConnect public peering, where a customer's on-premises instances can use a FastConnect connection to access one or more services in the customer's VCN without traversing a public network such as the internet. CSPI may also provide dedicated private access using FastConnect private peering, where a customer's on-premises instances with private IP addresses can use a FastConnect connection to access workloads in the customer's VCN. FastConnect is a network connectivity alternative to using the public internet for connecting a customer's on-premises network to CSPI and its services. FastConnect provides an easy, resilient, and economical way to create dedicated private connections with higher bandwidth options and a more reliable and consistent network experience when compared to internet-based connections.
[0079] FIG. 1 and the accompanying discussion above describe various virtual components within an exemplary virtual network. As previously mentioned, a virtual network is built on top of an underlying physical or substrate network. FIG. 2 illustrates a simplified architectural diagram of physical components in a physical network within CSPI 200 that serves as the foundation for a virtual network, according to one embodiment. As illustrated, CSPI 200 provides a distributed environment that includes components and resources (e.g., compute, memory, and network resources) provided by a cloud service provider (CSP). These components and resources are used to provide cloud services (e.g., IaaS services) to subscribing customers, i.e., customers who subscribe to one or more services offered by the CSP. Based on the services to which the customer subscribes, a subset of CSPI 200's resources (e.g., compute, memory, and network resources) is provisioned for the customer. The customer can then build their own cloud-based (i.e., CSPI-hosted), customizable private virtual network using the physical compute, memory, and network resources provided by CSPI 200. As previously indicated, these customer networks are called virtual cloud networks (VCNs). Customers can deploy one or more customer resources, such as compute instances, into these customer VCNs. The compute instances can be in the form of virtual machines, bare metal instances, etc. CSPI 200 provides infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services within a highly available hosted environment.
[0080] In the example embodiment shown in FIG. 2, the physical components of CSPI 200 include one or more physical host machines or servers (e.g., 202, 206, 208), network virtualization devices (NVDs) (e.g., 210, 212), top-of-rack (TOR) switches (e.g., 214, 216), and a physical network (e.g., 218), as well as switches within physical network 218. The physical host machines or servers may host and execute various compute instances that participate in one or more subnets of the VCN. The compute instances may include virtual machine instances and bare metal instances. For example, the various compute instances shown in FIG. 1 may be hosted by the physical host machines shown in FIG. 2. The virtual machine compute instances in the VCN may be executed by one host machine or by multiple different host machines. The physical host machines may host virtual host machines, container-based hosts or functions, etc. The VNICs and VCN VRs shown in FIG. 1 may be executed by the NVDs shown in FIG. 2. The gateway shown in FIG. 1 may be executed by a host machine and / or by the NVD shown in FIG.
[0081] A host machine or server may run a hypervisor (also called a virtual machine monitor or VMM) that creates and enables a virtual environment on the host machine. The virtualized environment facilitates cloud-based computing. One or more compute instances may be created, run, and managed on the host machine by the hypervisor on the host machine. The hypervisor on the host machine enables the host machine's physical computing resources (e.g., compute, memory, and network resources) to be shared among the various compute instances executed by the host machine.
[0082] For example, as shown in FIG. 2, host machines 202 and 208 execute hypervisors 260 and 266, respectively. These hypervisors may be implemented using software, firmware, or hardware, or a combination thereof. Typically, a hypervisor is a process or software layer that resides on a host machine's operating system (OS), which executes on the host machine's hardware processor. A hypervisor provides a virtual environment by allowing the host machine's physical computing resources (e.g., processing resources such as processors / cores, memory resources, and network resources) to be shared among various virtual machine computing instances executed by the host machine. For example, in FIG. 2, hypervisor 260 may reside on top of host machine 202's OS and allow host machine 202's computing resources (e.g., processing resources, memory resources, and network resources) to be shared among computing instances (e.g., virtual machines) executed by host machine 202. A virtual machine can have its own operating system (referred to as a guest operating system), which may be the same as or different from the host machine's OS. The operating system of a virtual machine executed by a host machine may be the same as or different from the operating system of another virtual machine executed by the same host machine. Thus, a hypervisor allows multiple operating systems to run side by side with each other while sharing the same computing resources of the host machine. The host machines shown in Figure 2 may have the same or different types of hypervisors.
[0083] A compute instance can be a virtual machine instance or a bare metal instance. In Figure 2, compute instance 268 on host machine 202 and compute instance 274 on host machine 208 are examples of virtual machine instances. Host machine 206 is an example of a bare metal instance being offered to a customer.
[0084] In some examples, an entire host machine may be provisioned to a single customer, and one or more compute instances (either virtual machines or bare metal instances) hosted by that host machine all belong to that same customer. In other examples, a host machine may be shared among multiple customers (i.e., multiple tenants). In such a multi-tenancy situation, a host machine may host virtual machine compute instances belonging to different customers. These compute instances may be members of different VCNs for different customers. In some embodiments, bare metal compute instances are hosted by bare metal servers that do not have a hypervisor. When a bare metal compute instance is provisioned, a single customer or tenant maintains control of the physical CPU, memory, and network interfaces of the host machine hosting the bare metal instance, and the host machine is not shared with other customers or tenants.
[0085] As previously mentioned, each compute instance that is part of a VCN is associated with a VNIC that enables the compute instance to be a member of a subnet of the VCN. The VNIC associated with a compute instance facilitates communication of packets or frames to and from the compute instance. The VNIC is associated with the compute instance when the compute instance is created. In one embodiment, for a compute instance executed by a host machine, the VNIC associated with the compute instance is executed by an NVD connected to the host machine. For example, in FIG. 2, host machine 202 executes virtual machine compute instance 268 that is associated with VNIC 276, which is executed by NVD 210 connected to host machine 202. As another example, bare metal instance 272 hosted by host machine 206 is associated with VNIC 280, which is executed by NVD 212 connected to host machine 206. As yet another example, VNIC 284 is associated with compute instance 274 executed by host machine 208, which is executed by NVD 212 connected to host machine 208.
[0086] For compute instances hosted by a host machine, the NVD connected to that host machine also executes VCN VRs corresponding to the VCNs of which those compute instances are members. For example, in the embodiment shown in Figure 2, NVD 210 executes VCN VR 277 corresponding to the VCN of which compute instance 268 is a member. NVD 212 may execute one or more VCN VRs 283 corresponding to the VCNs corresponding to the compute instances hosted by host machines 206 and 208.
[0087] A host machine may include one or more network interface cards (NICs) that allow the host machine to be connected to other devices. The NICs on the host machine may provide one or more ports (or interfaces) that allow the host machine to be communicatively connected to another device. For example, a host machine may be connected to an NVD using one or more ports (or interfaces) provided on the host machine and the NVD. A host machine may also be connected to other devices, such as another host machine.
[0088] 2, host machine 202 is connected to NVD 210 using link 220 extending between port 234 provided by NIC 232 of host machine 202 and port 236 of NVD 210. Host machine 206 is connected to NVD 212 using link 224 extending between port 246 provided by NIC 244 of host machine 206 and port 248 of NVD 212. Host machine 208 is connected to NVD 212 using link 226 extending between port 252 provided by NIC 250 of host machine 208 and port 254 of NVD 212.
[0089] The NVDs are then connected via communication links to top-of-rack (TOR) switches (also called switch fabrics) that are connected to a physical network 218. In one embodiment, the links between the host machines and the NVDs and between the NVDs and the TOR switches are Ethernet links. For example, in Figure 2, links 228 and 230 are used to connect NVDs 210 and 212 to TOR switches 214 and 216, respectively. In one embodiment, links 220, 224, 226, 228, and 230 are Ethernet links. The collection of host machines and NVDs connected to a TOR may be referred to as a rack.
[0090] The physical network 218 provides a communications fabric that allows the TOR switches to communicate with each other. The physical network 218 can be a multi-tier network. In one implementation, the physical network 218 is a multi-tier Clos network of switches, with the TOR switches 214 and 216 representing leaf-level nodes of the multi-tier, multi-node physical switching network 218. Various Clos network configurations are possible, including, but not limited to, 2-tier networks, 3-tier networks, 4-tier networks, 5-tier networks, and generally, "n"-tier networks. An example Clos network is shown in FIG. 5 and described below.
[0091] Various connection configurations are possible between host machines and NVDs, such as one-to-one, many-to-one, and one-to-many configurations. In a one-to-one implementation, each host machine is connected to its own separate NVD. For example, in FIG. 2, host machine 202 is connected to NVD 210 via NIC 232 on host machine 202. In a many-to-one configuration, multiple host machines are connected to a single NVD. For example, in FIG. 2, host machines 206 and 208 are connected to the same NVD 212 via NICs 244 and 250, respectively.
[0092] In a one-to-many configuration, one host machine is connected to multiple NVDs. FIG. 3 illustrates an example of a CSPI 300 in which a host machine is connected to multiple NVDs. As illustrated in FIG. 3, a host machine 302 includes a network interface card (NIC) 304 including multiple ports 306 and 308. The host machine 300 is connected to a first NVD 310 via port 306 and link 320, and to a second NVD 312 via port 308 and link 322. Ports 306 and 308 may be Ethernet ports, and links 320 and 322 between the host machine 302 and the NVDs 310 and 312 may be Ethernet links. The NVD 310 is then connected to a first TOR switch 314, and the NVD 312 is connected to a second TOR switch 316. The links between the NVDs 310 and 312 and the TOR switches 314 and 316 may be Ethernet links. TOR switches 314 and 316 represent layer 0 switching devices within a multi-tier physical network 318 .
[0093] 3 provides two separate physical network paths between the physical switch network 318 and the host machine 302: a first path traversing the TOR switch 314, through the NVD 310, and to the host machine 302, and a second path traversing the TOR switch 316, through the NVD 312, and to the host machine 302. The separate paths result in improved availability (referred to as high availability) of the host machine 302. If there is a problem with one of the paths (e.g., a link in one of the paths fails) or devices (e.g., a particular NVD is not functioning), the other path may be used for communication to and from the host machine 302.
[0094] In the configuration shown in Figure 3, the host machine is connected to two different NVDs using two different ports provided by the host machine's NIC. In other embodiments, the host machine may include multiple NICs that allow the host machine to be connected to multiple NVDs.
[0095] Referring again to Figure 2, an NVD is a physical device or component that performs one or more network and / or storage virtualization functions. An NVD may be any device that has one or more processing units (e.g., a CPU, Network Processing Units (NPUs), FPGAs, packet processing pipelines, etc.), memory including cache, and ports. Various virtualization functions may be performed by software / firmware executed by the one or more processing units of the NVD.
[0096] The NVD may be implemented in various forms. For example, in one embodiment, the NVD is implemented as an interface card called a smart NIC or intelligent NIC that contains an embedded processor. A smart NIC is a separate device from the NIC on the host machine. In Figure 2, NVDs 210 and 212 may be implemented as smart NICs connected to host machine 202 and host machines 206 and 208, respectively.
[0097] However, a smart NIC is just one example of an implementation of an NVD. Various other implementations are possible. For example, in some other implementations, the NVD or one or more functions performed by the NVD may be incorporated into or performed by one or more host machines, one or more TOR switches, and other components of CSPI200. For example, the NVD may be embodied in a host machine, and the functions performed by the NVD may be performed by the host machine. As another example, the NVD may be part of a TOR switch, or a TOR switch may be configured to perform the functions performed by the NVD, allowing the TOR switch to perform various complex packet transformations used in public clouds. A TOR that performs the functions of an NVD may be referred to as a smart TOR. In yet other implementations where customers are provided with virtual machine (VM) instances rather than bare metal (BM) instances, the functions performed by the NVD may be implemented inside the hypervisor of the host machine. In some other implementations, some of the NVD's functions may be offloaded to a centralized service running on a set of host machines.
[0098] In one embodiment, such as when implemented as a smart NIC as shown in FIG. 2, the NVD may include multiple physical ports that allow the NVD to be connected to one or more host machines and one or more TOR switches. Ports on the NVD may be classified as host-facing ports (also referred to as "south ports") or network-facing or TOR-facing ports (also referred to as "north ports"). Host-facing ports of an NVD are ports used to connect the NVD to host machines. Examples of host-facing ports in FIG. 2 include port 236 on NVD 210 and ports 248 and 254 on NVD 212. Network-facing ports of an NVD are ports used to connect the NVD to TOR switches. Examples of network-facing ports in FIG. 2 include port 256 on NVD 210 and port 258 on NVD 212. As shown in FIG. 2, the NVD 210 is connected to the TOR switch 214 using link 228 extending from port 256 of the NVD 210 to the TOR switch 214. Similarly, the NVD 212 is connected to the TOR switch 216 using a link 230 that extends from a port 258 of the NVD 212 to the TOR switch 216 .
[0099] The NVD may receive packets and frames from the host machine (e.g., packets and frames generated by compute instances hosted by the host machine) via a host-facing port, and after performing any necessary packet processing, may forward those packets and frames to the TOR switch via the NVD's network-facing port. The NVD may receive packets and frames from the TOR switch via the NVD's network-facing port, and after performing any necessary packet processing, may forward those packets and frames to the host machine via the NVD's host-facing port.
[0100] In one embodiment, there may be multiple ports and associated links between the NVD and the TOR switch. These ports and links may be aggregated to form a link aggregator group (called a LAG) of multiple ports or links. Link aggregation allows multiple physical links between two endpoints (e.g., between the NVD and the TOR switch) to be treated as a single logical link. All physical links within a particular LAG may operate in full-duplex mode at the same speed. LAGs help increase bandwidth and improve the reliability of the connection between two endpoints. If one of the physical links in the LAG fails, traffic is dynamically and transparently reassigned to one of the other physical links in the LAG. The aggregated physical link provides higher bandwidth than an individual link. Multiple ports associated with a LAG are treated as a single logical port. Traffic can be load-balanced across the multiple physical links in a LAG. One or more LAGs may be configured between two endpoints. Two endpoints may exist between the NVD and the TOR switch, between a host machine and the NVD, etc.
[0101] The NVD implements or performs network virtualization functions. These functions are performed by software / firmware executed by the NVD. Examples of network virtualization functions include, but are not limited to, packet encapsulation and decapsulation functions, functions for creating VCN networks, functions for enforcing network policies such as VCN security list (firewall) functions, and functions for facilitating routing and forwarding of packets to and from compute instances in the VCN. In one embodiment, upon receiving a packet, the NVD is configured to execute a packet processing pipeline to process the packet and determine how the packet should be forwarded or routed. As part of this packet processing pipeline, the NVD may perform one or more virtual functions associated with the overlay network, such as running VNICs associated with compute instances in the VCN, running virtual routers (VRs) associated with the VCN, encapsulating and decapsulating packets to facilitate forwarding or routing within the virtual network, running certain gateways (e.g., local peering gateways), enforcing security lists, network security groups, network address translation (NAT) functions (e.g., per-host public IP to private IP translation), bandwidth throttling functions, and other functions.
[0102] In one embodiment, the packet processing data path within the NVD may comprise multiple packet pipelines, each consisting of a series of packet transformation stages. In one implementation, upon receipt of a packet, the packet is parsed and sorted into a single pipeline. The packet is then processed in a linear fashion, one stage at a time, until the packet is either dropped or transmitted through an interface of the NVD. These stages provide basic functional packet processing building blocks (e.g., header validation, performing bandwidth throttling, inserting a new Layer 2 header, performing L4 firewalling, VCN encapsulation / decapsulation, etc.), such that new pipelines can be constructed by assembling existing stages, and new functionality can be added by creating and inserting new stages into existing pipelines.
[0103] The NVD may perform both control plane and data plane functions corresponding to the control and data planes of a VCN. Examples of a VCN control plane are also shown in Figures 12, 13, 14, and 15 (see reference numbers 1216, 1316, 1416, and 1516) and are described below. Examples of a VCN data plane are shown in Figures 12, 13, 14, and 15 (see reference numbers 1218, 1318, 1418, and 1518) and are described below. Control plane functions include functions used to configure the network (e.g., set up routes and route tables, configure VNICs, etc.) that control how data is forwarded. In one embodiment, a VCN control plane is provided that centrally computes mappings between all overlays and substrates and publishes these mappings to the NVD and to virtual network edge devices such as various gateways, such as DRGs, SGWs, and IGWs. Firewall rules may also be published using the same mechanism. In one embodiment, the NVD retrieves only mappings that are relevant to the NVD. The data plane functions include functionality for the actual routing / forwarding of packets based on configuration settings using the control plane. The VCN data plane is implemented by encapsulating customer network packets before they traverse the substrate network. The encapsulation / decapsulation functions are implemented in the NVD. In one embodiment, the NVD is configured to intercept all network packets entering and leaving the host machine and perform network virtualization functions.
[0104] As indicated above, the NVD performs various virtualization functions, including VNICs and VCN VRs. The NVD may execute VNICs associated with compute instances hosted by one or more host machines connected to the VNICs. For example, as shown in FIG. 2, NVD 210 executes the functions of VNIC 276 associated with compute instance 268 hosted by host machine 202 connected to NVD 210. As another example, NVD 212 executes VNIC 280 associated with bare metal compute instance 272 hosted by host machine 206 and VNIC 284 associated with compute instance 274 hosted by host machine 208. The host machines may host compute instances belonging to different VCNs that belong to different customers, and the NVDs connected to the host machines may execute VNICs (i.e., perform functions related to the VNICs) corresponding to the compute instances.
[0105] NVDs also execute VCN virtual routers corresponding to the VCNs of the compute instances. For example, in the embodiment shown in FIG. 2, NVD 210 executes VCN VR 277 corresponding to the VCN to which compute instance 268 belongs. NVD 212 executes one or more VCN VRs 283 corresponding to one or more VCNs to which compute instances hosted by host machines 206 and 208 belong. In one embodiment, a VCN VR corresponding to that VCN is executed by all NVDs connected to a host machine that hosts at least one compute instance belonging to that VCN. If a host machine hosts compute instances that belong to different VCNs, the NVDs connected to that host machine may execute VCN VRs corresponding to those different VCNs.
[0106] In addition to VNICs and VCN VRs, the NVD may run various software (e.g., daemons) and may include one or more hardware components that facilitate the various network virtualization functions performed by the NVD. For simplicity, these various components are grouped together as a “packet processing component” shown in FIG. 2 . For example, NVD 210 includes packet processing component 286, and NVD 212 includes packet processing component 288. For example, the packet processing component of the NVD may include a packet processor configured to interact with the NVD's ports and hardware interfaces, monitor all packets received by and transmitted using the NVD, and store network information. The network information may include, for example, network flow information and per-flow information (e.g., per-flow statistics) that identify the various network flows processed by the NVD. In one embodiment, the network flow information may be stored per VNIC. In addition to performing per-packet operations, the packet processor may implement a stateful NAT and an L4 firewall (FW). As another example, the packet processing component may include a replication agent configured to replicate information stored by the NVD to one or more different replication target stores. As yet another example, the packet processing component may include a logging agent configured to perform the logging functions of the NVD. The packet processing component may also include software for monitoring the performance and health of the NVD, and possibly software for monitoring the status and health of other components connected to the NVD.
[0107] FIG. 1 illustrates components of an exemplary virtual network or overlay network, including a VCN, subnets within the VCN, compute instances deployed to the subnets, VNICs associated with the compute instances, VRs for the VCN, and a set of gateways configured for the VCN. The overlay components illustrated in FIG. 1 may be executed or hosted by one or more of the physical components illustrated in FIG. 2. For example, compute instances within a VCN may be executed or hosted by one or more host machines illustrated in FIG. 2. For compute instances hosted by a host machine, the VNICs associated with the compute instances are typically executed by an NVD connected to the host machine (i.e., the VNIC functionality is provided by the NVD connected to the host machine). The VCN VR functionality for the VCN is performed by all NVDs connected to host machines hosting or running compute instances that are part of the VCN. The gateways associated with a VCN may be executed by one or more different types of NVDs. For example, some gateways may be executed by smart NICs, while other gateways may be executed by one or more host machines or other implementations of NVDs.
[0108] As previously mentioned, compute instances within a customer's VCN may communicate with various endpoints, which can be in the same subnet as the source compute instance, or in a different subnet within the same VCN as the source compute instance, or the endpoints are outside the VCN of the source compute instance. These communications are facilitated using VNICs associated with the compute instances, VCN VRs, and gateways associated with the VCN.
[0109] For communication between two compute instances on the same subnet within a VCN, the communication is facilitated using VNICs associated with the source and destination compute instances. The source and destination compute instances may be hosted by the same host machine or by different host machines. A packet originating from the source compute instance may be forwarded from the host machine hosting the source compute instance to an NVD connected to that host machine. In the NVD, the packet is processed using a packet processing pipeline, which may include execution of the VNIC associated with the source compute instance. Because the packet's destination endpoint is within the same subnet, execution of the VNIC associated with the source compute instance causes the packet to be forwarded to an NVD running the VNIC associated with the destination compute instance, which then processes the packet and forwards it to the destination compute instance. The VNICs associated with the source and destination compute instances may run on the same NVD (e.g., when the source and destination compute instances are both hosted by the same host machine) or on different NVDs (e.g., when the source and destination compute instances are hosted by different host machines connected to different NVDs). The VNICs may use routing / forwarding tables stored by the NVDs to determine the next hop of a packet.
[0110] For packets traveling from a compute instance in a subnet to an endpoint in a different subnet within the same VCN, the packet originating from the source compute instance travels from the host machine hosting the source compute instance to the NVD connected to that host machine. In the NVD, the packet is processed using a packet processing pipeline, which may include running one or more VNICs and VRs associated with the VCN. For example, as part of the packet processing pipeline, the NVD executes or invokes a function corresponding to the VNIC associated with the source compute instance (also referred to as executing the VNIC). The function executed by the VNIC may include examining the VLAN tag on the packet. Because the packet's destination is outside the subnet, a VCN VR function is then invoked and executed by the NVD. The VCN VR then routes the packet to the NVD running the VNIC associated with the destination compute instance. The VNIC associated with the destination compute instance then processes the packet and forwards the packet to the destination compute instance. The VNICs associated with the source compute instance and the destination compute instance may run on the same NVD (e.g., when the source compute instance and the destination compute instance are both hosted by the same host machine) or on different NVDs (e.g., when the source compute instance and the destination compute instance are hosted by different host machines connected to different NVDs).
[0111] If the packet's destination is outside the VCN of the source compute instance, the packet originating from the source compute instance is propagated from the host machine hosting the source compute instance to the NVD connected to that host machine. The NVD runs the VNIC associated with the source compute instance. Because the packet's destination endpoint is outside the VCN, the packet is then processed by the VCN VR for that VCN. The NVD may invoke a VCN VR function to cause the packet to be forwarded to an NVD running the appropriate gateway associated with the VCN. For example, if the destination is an endpoint in a customer's on-premises network, the packet may be forwarded by the VCN VR to an NVD running a DRG gateway configured for the VCN. The VCN VR may run on the same NVD as the NVD running the VNIC associated with the source compute instance or by a different NVD. The gateway may be run by the NVD, which can be a smart NIC, a host machine, or another NVD implementation. The packet is then processed by the gateway and forwarded to the next hop, which facilitates the packet's propagation to the intended destination endpoint. 2, a packet originating from compute instance 268 may be communicated from host machine 202 (using NIC 232) over link 220 to NVD 210. At NVD 210, VNIC 276 is invoked because it is the VNIC associated with source compute instance 268. VNIC 276 is configured to examine information encapsulated within the packet, determine a next hop for forwarding the packet in order to facilitate communication of the packet to its intended destination endpoint, and then forward the packet to the determined next hop.
[0112] Compute instances deployed in a VCN can communicate with various endpoints. These endpoints may include endpoints hosted by CSPI200 and endpoints external to CSPI200. Endpoints hosted by CSPI200 may include instances in the same VCN or other VCNs, which may be the customer's VCN or VCNs not belonging to the customer. Communication between endpoints hosted by CSPI200 may occur via physical network 218. Compute instances may communicate with endpoints not hosted by CSPI200 or external to CSPI200. Examples of these endpoints include endpoints within a customer's on-premises network or data center, or public endpoints accessible via a public network such as the Internet. Communication with endpoints external to CSPI200 may occur via a public network (e.g., the Internet) (not shown in FIG. 2) or a private network (not shown in FIG. 2) using various communication protocols.
[0113] The architecture of CSPI 200 shown in FIG. 2 is merely exemplary and is not intended to be limiting. Variations, substitutions, and modifications are possible in alternative embodiments. For example, in some implementations, CSPI 200 may include more or fewer systems or components than those shown in FIG. 2, may combine two or more systems, or may include a different configuration or arrangement of systems. The systems, subsystems, and other components shown in FIG. 2 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective systems, using hardware, or a combination thereof. The software may be stored in a non-transitory storage medium (e.g., a memory device).
[0114] FIG. 4 illustrates connections between host machines and an NVD to achieve I / O virtualization to support multitenancy functionality, according to one embodiment. As shown in FIG. 4, host machine 402 runs hypervisor 404, which provides a virtual environment. Host machine 402 runs two virtual machine instances: VM1 406 belonging to customer / tenant #1 and VM2 408 belonging to customer / tenant #2. Host machine 402 includes a physical NIC 410 connected to an NVD 412 via link 414. Each of the compute instances is connected to a VNIC run by NVD 412. In the embodiment of FIG. 4, VM1 406 is connected to VNIC-VM1 420, and VM2 408 is connected to VNIC-VM2 422.
[0115] 4, NIC 410 includes two logical NICs: logical NIC A 416 and logical NIC B 418. Each virtual machine is connected to and configured to function with its own logical NIC. For example, VM1 406 is connected to logical NIC A 416, and VM2 408 is connected to logical NIC B 418. Because of the logical NICs, each tenant's virtual machine believes it has its own host machine and NIC, even though host machine 402 includes only one physical NIC 410 that is shared by multiple tenants.
[0116] In one embodiment, each logical NIC is assigned its own VLAN ID. Thus, a particular VLAN ID is assigned to logical NIC A 416 for Tenant 1, and another VLAN ID is assigned to logical NIC B 418 for Tenant 2. When a packet is communicated from VM1 406, a tag assigned to Tenant 1 is attached to the packet by the hypervisor, and the packet is then communicated from host machine 402 to NVD 412 via link 414. In a similar manner, when a packet is communicated from VM2 408, a tag assigned to Tenant 2 is attached to the packet by the hypervisor, and the packet is then communicated from host machine 402 to NVD 412 via link 414. Thus, a packet 424 communicated from host machine 402 to NVD 412 has an associated tag 426 that identifies the particular tenant and associated VM. At the NVD, for a packet 424 received from host machine 402, a tag 426 associated with the packet is used to determine whether the packet should be processed by VNIC-VM1 420 or VNIC-VM2 422. The packet is then processed by the corresponding VNIC. The configuration shown in Figure 4 allows each tenant's compute instance to be confident that it owns its own host machine and NIC. The setup shown in Figure 4 enables I / O virtualization to support multi-tenancy capabilities.
[0117] FIG. 5 illustrates a simplified block diagram of a physical network 500, according to one embodiment. The embodiment illustrated in FIG. 5 is structured as a Clos network. A Clos network is a specific type of network topology designed to provide connection redundancy while maintaining high bisection bandwidth and maximum resource utilization. A Clos network is a type of nonblocking multi-stage or multi-layer switching network, and the number of stages or layers can be two, three, four, five, etc. The embodiment illustrated in FIG. 5 is a three-layer network, including layers 1, 2, and 3. TOR switch 504 represents a layer 0 switch in the Clos network. One or more NVDs are connected to the TOR switch. Layer 0 switches are also referred to as edge devices of the physical network. Layer 0 switches are connected to layer 1 switches, also referred to as leaf switches. In the embodiment illustrated in FIG. 5, a set of “n” layer 0 TOR switches are connected to a set of “n” layer 1 switches, together forming a pod. Each layer 0 switch in a pod is interconnected to all layer 1 switches within the pod, but there are no switch connections between pods. In one implementation, the two pods are referred to as blocks. Each block is served by or connected to a set of "n" layer 2 switches (sometimes called spine switches). There can be multiple blocks in a physical network topology. The layer 2 switches are then connected to "n" layer 3 switches (sometimes called super spine switches). Communication of packets through the physical network 500 is typically performed using one or more layer 3 communication protocols. Typically, all layers of the physical network except the TOR layer have n-way redundancy, thus enabling high availability. Policies may be specified for pods and blocks to control the visibility of switches to each other within the physical network to enable scaling of the physical network.
[0118] A characteristic of Clos networks is that the maximum number of hops required to reach from one tier-0 switch to another tier-0 switch (or from an NVD connected to a tier-0 switch to another NVD connected to a tier-0 switch) is fixed. For example, in a three-tier Clos network, a maximum of seven hops are required for a packet to reach from one NVD to another, with the source and target NVDs connected to the leaf layers of the Clos network. Similarly, in a four-tier Clos network, a maximum of nine hops are required for a packet to reach from one NVD to another, with the source and target NVDs connected to the leaf layers of the Clos network. Therefore, the Clos network architecture maintains consistent latency throughout the network, which is important for intra- and inter-datacenter communications. Clos topologies scale horizontally and are cost-effective. The network's bandwidth / throughput capacity can be easily increased by adding more switches (e.g., more leaf switches and spine switches) to various tiers and by increasing the number of links between switches at adjacent tiers.
[0119] In one embodiment, each resource in CSPI is assigned a unique identifier called a Cloud Identifier (CID). This identifier is included as part of the resource's information and can be used to manage the resource, for example, via a console or via an API. An exemplary syntax for a CID is as follows: ocid1.<resource type>.<realm>.[region][.future use].<unique ID> where: ocid1: A literal column that indicates the version of the CID. Resource Type: The type of resource (e.g., instance, volume, VCN, subnet, user, group, etc.). Realm: The realm the resource resides in. Example values are "c1" for the commercial realm, "c2" for the government cloud realm, or "c3" for the federal cloud realm. Each realm may have its own domain name. Region: The region the resource is in. If a region is not applicable to the resource, this part may be blank. Future Use: Reserved for future use. Unique ID: The unique part of the ID. This format may vary depending on the type of resource or service.
[0120] Multi-cloud adoption Figure 6 shows a simplified high-level diagram of a distributed environment 600 including multiple cloud environments offered by different cloud service providers (CSPs), according to one embodiment, with a particular cloud environment providing specialized infrastructure that enables one or more cloud services offered by that particular cloud environment to be used by customers of the other cloud environments. As shown in Figure 6, various cloud environments (also referred to as "clouds") may be offered by different cloud service providers (CSPs), with each cloud environment or cloud offering one or more cloud services to which one or more customers of that cloud environment can subscribe. The suite of cloud services offered by the cloud environments offered by the CSPs may include one or more different types of cloud services, including, but not limited to, Software-as-a-Service (SaaS) services, Infrastructure-as-a-Service (IaaS) services, Platform-as-a-Service (PaaS) services, Database-as-a-Service (DBaaS), etc. Examples of cloud environments offered by various CSPs include Oracle® Cloud Infrastructure (OCI) offered by Oracle Corporation, Microsoft® Azure offered by Microsoft Corporation, Google Cloud™ offered by Google® LLC, Amazon Web Services (AWS®) offered by Amazon Corporation, etc. The set of cloud services offered by a particular cloud environment may differ from the set of cloud services offered by another cloud environment.
[0121] In a typical cloud environment, a CSP provides a cloud service infrastructure (CSPI) that is used to provide one or more cloud services offered by the cloud environment to customers. The CSPI provided by the CSP may include various types of hardware and software resources, including compute resources, memory resources, network resources, a console for accessing the cloud services, and the like. Customers of the cloud environment provided by the CSP may subscribe to one or more of the cloud services offered by the cloud environment. Various subscription models may be offered to customers by the CSP. After a customer subscribes to cloud services offered by the cloud environment, one or more users may be associated with the subscribing customer, and these users may use the cloud services to which the customer subscribes. In one implementation, when a customer subscribes to cloud services offered by a particular cloud environment, a customer account or customer tenancy is created for the customer. One or more users may then be associated with the customer tenancy, and these users may then use the services to which the customer subscribed under the customer tenancy. Information about the services a customer subscribes to, the users associated with the customer's tenancy, etc. is typically stored within the cloud environment and associated with the customer's tenancy.
[0122] For example, three different cloud environments offered by three different CSPs are shown in Figure 6. These cloud environments include cloud environment A (Cloud A) 610 offered by CSP A, cloud environment B (Cloud B) 640 offered by CSP B, and cloud environment C (Cloud C) 660 offered by CSP C. Cloud A 610 includes infrastructure CSPI_A 612 offered by CSP A, which may be used to provide a set of services "Service A" 614 offered by Cloud A 610. One or more customers (e.g., Customer A1 616-1, Customer A2 616-2) may subscribe to one or more services from Service A 614 offered by Cloud A 610. One or more users 618-1 may be associated with Customer A1 616-1 and can use the services to which Customer A1 616-1 subscribed within Cloud A 610. In a similar manner, one or more users 618-2 may be associated with customer A2 616-2 and may use the services to which customer A2 616-2 subscribes within cloud A 610. In various use cases, the services to which customer A1 616-1 subscribes may differ from the services to which customer A2 616-2 subscribes.
[0123] 6, Cloud B 640 includes an infrastructure CSPI_B 642 provided by CSP B, which may be used to provide a set of services “Service B” 644 offered by Cloud B 640. One or more customers (e.g., Customer B1 646-1) may subscribe to one or more services from Service B 644. One or more Users 648-1 may be associated with Customer B1 646-1 and can use the services to which Customer B1 646-1 has subscribed within Cloud B 640.
[0124] As shown in FIG. 6, Cloud C 660 includes an infrastructure CSPI_C 662 provided by CSP C, which may be used to provide a set of services “Service C” 664 offered by Cloud C 660. One or more customers (e.g., Customer C1 666-1) may subscribe to one or more services from Service C 664. One or more Users 668-1 may be associated with Customer C1 666-1 and can use the services to which Customer C1 666-1 subscribes within Cloud C 660. It should be noted that Service A 614, Service B 644, and Service C 664 can be different from one another.
[0125] In existing cloud implementations, each cloud provides a closed ecosystem to subscribing customers and associated users. As a result, customers and associated users of a cloud environment are limited to using services offered by the cloud to which the customer subscribes. For example, customer B1 646-1 and its user 648-1 are limited to using service B 644 offered by cloud B 640 and cannot use their account in cloud B 640 to access services from a different cloud environment, such as services from service A 614 offered by cloud A 610 or services from service C 664 offered by cloud C 660. The teachings described herein overcome this limitation. As described in this disclosure, various techniques are described that allow a link to be created between two cloud environments, thereby allowing services offered by a first cloud environment offered by a first CSP to be used by a customer (and associated users) of a second, different cloud environment offered by a second, different CSP, using the customer's account in the second cloud environment.
[0126] 6 , the infrastructure CSPI_A 612 provided by CSP A includes, in addition to other infrastructure 620, a specialized infrastructure 622 (referred to as multi-cloud enabling infrastructure 622 or MEI (multi-cloud enabling infrastructure) 622 or multi-cloud infrastructure 622) that enables one or more services 614 provided by Cloud A to be used by customers and associated users of other clouds, such as Clouds B 640 and C 660, using the customers' accounts in those other clouds. In one implementation, customers of Clouds B and C do not need to open separate accounts with Cloud A to use one or more of the services 614 provided by Cloud A 610. Customer B1 646-1 and associated user 648-1 of Cloud B 640 can use one or more services 614 provided by Cloud A 610 using the customer's account or tenancy in Cloud B 640. As another example, customer C1 666-1 and associated user 668-1 of cloud C 660 may use one or more services 614 provided by cloud A 610 using the customer's account or tenancy in cloud C 660.
[0127] In one implementation, the MEI 622 allows links to be created between Cloud A 610 and other clouds, and these links can be used by customers and associated users of the other clouds to access and utilize services offered by Cloud A 610. This is symbolically shown in FIG. 6 as link 670 created between Cloud A 610 and Cloud B 640 and link 672 created between Cloud A 610 and Cloud C 660. Via link 670, customers of Cloud B 640 can access or use one or more services 614 offered by Cloud A 610. Similarly, via link 672, customers of Cloud C 660 can access or use one or more services 614 offered by Cloud A 610.
[0128] There are various ways in which the MEI 612 may be implemented. In some embodiments, the MEI 612 may include components that allow links to different clouds to be established. For example, in FIG. 6, the MEI 622 includes an infrastructure component 624 responsible for enabling a link 670 with cloud B 640 and an infrastructure component 626 responsible for enabling a link 672 with cloud C 660. In a similar manner, the MEI 622 may include other components that enable and facilitate links with other clouds. In some implementations, the components of the MEI 622 may facilitate links with multiple different clouds.
[0129] There are multiple reasons why a customer of one cloud may want or desire to use a cloud service offered by a different cloud. Using FIG. 6 as an example, there are multiple reasons why customer B1 646-1 of cloud B 640 may want to use the cloud service 614 offered by cloud A 610. In one use case situation, this reason may arise because cloud A 610 offers a cloud service with capabilities not offered by cloud B 640. In another use case situation, clouds A and B may offer similar services, but the service offered by cloud A 610 may be better (e.g., more features / functionality, faster speed, etc.) than the corresponding service offered by cloud B 640. In yet another use case situation, customer B1 646-1 of cloud B 640 may want to use the cloud service offered by cloud A 610 because it offers the service at a lower price than the cloud service offered by cloud B 640. In some cases, there may be geographic constraints or other reasons why a customer B1 646-1 of Cloud B 640 wants to use a cloud service offered by Cloud A 610. For example, Cloud A 610 may offer a desired service in a geographic region that is not offered by Cloud B 640, or a particular service is not offered by Cloud B 640 in the geographic region where the customer wants the service. Several other use case situations are possible regarding why a customer of one cloud may want to use a service offered by a different cloud.
[0130] In one embodiment, the MEI 622 provides the capability and performs the functions of creating a link between Cloud A 610 and another cloud, through which a user associated with a customer of the other cloud can access and use services offered by Cloud A 610 from the other cloud itself in a seamless manner. For example, the MEI 622 enables a user 648-1 associated with Customer B1 646-1 of Cloud 640 to access services from Service A 614 offered by Cloud A 610 in a seamless manner. In one implementation, a user interface (e.g., a console) accessible to User 648-1 from within Cloud B 640 may be provided, which allows the user to view a list of services 614 offered by Cloud A 610 and select the particular service that User 648-1 wishes to access. In response to the user's selection, the MEI 622 is responsible for performing processing to establish a link 670 between Clouds A and B to enable access to the requested service. The processing to set up the link 670 is performed substantially automatically by the MEI 622. Customer B1 646-1 or associated user 648-1 do not have to worry about performing all the system, network, or other configuration changes required to facilitate the creation, maintenance, and use of link 670 between clouds A 610 and B 640. Creating links between clouds is effortless for both users and customers. Using the techniques described in this disclosure, links are created in a fast and efficient manner.
[0131] The MEI 622 can use various techniques to create and use links that are seamless for users and customers, thus providing an improved user experience. In one implementation, the MEI 622 makes the user interface (e.g., graphical user interface (GUI)) and process flow that customer B1 and associated user 648-1 interact with, such as to request services from cloud A 610 and access requested services from cloud A 610, substantially similar to the interface and process flow that the customer / user experiences within cloud B 640. In this way, a customer or user who may be familiar with the interface and process flow of cloud B 640 does not need to learn a new interface and process flow to access services 614 from cloud A 610. The MEI 622 may present different interfaces and process flows to users of different cloud environments. For example, a first set of user interfaces and process flows substantially similar to the user interfaces and flows of Cloud B may be presented to a user from Cloud B 640, while a different set of user interfaces and process flows substantially similar to the user interfaces and flows of Cloud C may be presented to a user accessing Cloud A 610 from Cloud C 660. This is done to simplify and therefore improve the user's experience for accessing the services 614 of Cloud A 610 from other clouds.
[0132] As another example, each cloud environment typically includes an identity management system configured to provide security for the cloud environment. The identity management system is configured to protect resources in the cloud environment, including resources provided by the CSP and resources of subscribing cloud customers that are deployed in the cloud environment. Functions performed by the identity management system include, for example, managing identity credentials (e.g., usernames, passwords, etc.) associated with the cloud's subscribing customers and associated users, using the identity credentials to regulate users' access to cloud resources and services based on authorization / access policies configured for the cloud environment, and other functions. Different clouds may use different identity management systems and associated technologies. For example, the identity management system and associated procedures in cloud A 610 may be completely different from the identity management system and associated procedures in cloud B 640, which may in turn be completely different from the identity management system and associated procedures in cloud C 660. In one implementation, despite these differences in identity management systems and associated procedures between different cloud environments, the techniques described herein enable a user associated with a customer of a first cloud to access cloud services provided by a different cloud using the same identity credentials associated with the customer and user in the first cloud.
[0133] For example, in the embodiment shown in FIG. 6 , Cloud B 640 provided by CSP B may include an identity management system that assigns or allocates identity credentials to subscribing customers and associated users, such as Customer B1 646-1 and associated User 648-1. These identity credentials are associated with a tenancy created for Customer B1 646-1 in Cloud B 640. In one implementation, MEI 622 provided by Cloud A 610 enables User 648-1 associated with Cloud B Customer B1 646-1 to access services from Service A 614 in Cloud A 610 using identity credentials associated with User 648-1 and Customer B1 646-1 in Cloud B 640. This significantly improves the user experience for User 648-1 because User 648-1 does not need to create new identity credentials specific to Cloud A 610 simply to access Services 614 in Cloud A 610. The MEI 622 facilitates such access.
[0134] As an example, customer B1 of cloud B 640 may select to use a service such as database-as-a-service (DBaaS) from the set of services 614 offered by cloud A 610. In response to such a selection, MEI 622 causes a link 670 to be automatically created between cloud A 610 and cloud B 640 to enable user 648-1 associated with customer B1 646-1 to use the DBaaS service offered by cloud A 610. The automatic establishment of link 670 is facilitated by MEI 622. After link 670 is established, user 668-1 can use the DBaaS service in cloud A 610 via cloud B 640. As part of using this service, user 668-1 can send a request to cloud A 610 via cloud B 640 to create a database resource. In response, CSPI_A 612 can create the requested database in cloud A 610. In one implementation, the created database may be provisioned within a virtual network (e.g., a virtual cloud network or VCN) created for customer B1 in cloud A 610 and accessible by user 668-1 via cloud B 640. User 668-1 may then send requests to cloud A 610 from cloud B 640 to use the provisioned database. These requests may include, for example, requests to write data to the database, update data stored in the database, delete data in the database, delete the database, create additional databases, etc. In some use cases, these requests may originate from user 668-1 via cloud B 640 or from services 644 offered by cloud B 640. In this way, the MEI 622 offered by cloud A 610 enables users associated with customers of different clouds offered by different CSPs to seamlessly access services offered by cloud A 610.
[0135] The distributed environment 600 shown in FIG. 6 is merely an example and is not intended to unduly limit the scope of the claimed embodiments. Many variations, alternatives, and modifications are possible. For example, in alternative embodiments, the distributed environment 600 may include more or fewer cloud environments. The cloud environments may include more or fewer systems and components, or may have a different configuration or arrangement of systems and components. The systems and components shown in FIG. 6 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective systems, using hardware, or a combination thereof. The software may be stored in a non-transitory storage medium (e.g., a memory device).
[0136] Multi-Cloud Control Plane (MCCP) 7 illustrates an exemplary high-level architecture of a multi-cloud infrastructure that interconnects two different cloud environments, each provided by a cloud service provider, according to some embodiments. As shown in FIG. 7, the high-level architecture 700 includes a first cloud environment (e.g., OCI) 710 provided by a first cloud service provider and a second cloud environment 720 (e.g., AWS) provided by a second cloud service provider. The first cloud environment 710 includes a multi-cloud infrastructure that provisions functionality for delivering services of the first cloud environment to users of another cloud environment (e.g., the second cloud environment 720). In particular, as described below, the multi-cloud infrastructure includes a multi-cloud control plane (MCCP) 712 and a multi-cloud network data plane (MCNDP) 716 that provision users to access / manage services of the first cloud environment from another cloud environment (e.g., PaaS services).
[0137] The multi-cloud infrastructure provides a user experience that is as close as possible to that of the user's native cloud environment (e.g., second cloud environment 720) while providing simple integration between the cloud environments. Note that MCCP 712 and MCNDP 716 are components of the multi-cloud infrastructure that are deployed in (and managed by) the first cloud environment 710 by the first cloud service provider. In some embodiments, the multi-cloud infrastructure includes another component (i.e., multi-cloud service account 726A) that is deployed in the second cloud environment 720 and managed by the first cloud service provider.
[0138] According to some embodiments, the second cloud environment 720 includes a customer account 721 and a first cloud service provider account (referred to herein as a multi-cloud account or multi-cloud service account 726A). Note that the second cloud environment 720 may also include a second cloud portal (not shown) that forms a centralized access point where customers of the second environment 720 can log in and manage their native cloud deployments and instances. The second cloud portal may provide a selection of both monitoring and operational services offered by the second cloud infrastructure. According to some embodiments, the second cloud environment 720 includes a provisioning module 722, a monitoring module 724, and an identity system 723 (i.e., also referred to herein as an identity and access management (IAM) module) that includes an identity module 723A and an access control module 723B. Additionally, the customer account 721 includes a customer virtual private cloud (VPC) 725A that can host one or more compute instances 725B. The identity module 723A is configured to perform tasks such as creating a set of one or more roles (and associated policies, permissions, etc. corresponding to each role) for one or more users of the second cloud environment 720. In some implementations, the access control module 723B serves as a user directory for the second cloud environment. In particular, the access control module 723B may be configured to perform functions such as creating user pools and adding user sign-up, sign-in, and access control to web and mobile applications.
[0139] The provisioning module 722 corresponds to services provided by the second cloud environment 720 that enable users to model and manage infrastructure resources in an automated and secure manner. For example, the provisioning module 722 enables developers to define and provision infrastructure resources using infrastructure as code templates. In other words, the provisioning module 722 automates the required configuration of resources in a customer's account in the second cloud environment 720. As another example, the provisioning module 722 may also be configured to set required resources that enable components of the first cloud environment to access resources in the customer's account in the second cloud environment. According to some embodiments, this is achieved by enabling the multi-cloud service account 726A to access resources in the customer's account 721, e.g., by allowing the multi-cloud service account to peer with the customer's account, enabling components of the multi-cloud infrastructure (e.g., observability adapters to expose metrics in the second cloud environment, etc.). The monitoring module 724 enables monitoring of the full stack (e.g., applications, infrastructure, network, and services) and performs automated actions using alarm, log, and event data. The monitoring module 724 may also utilize a dashboard to visually (eg, in a GUI) depict one or more metric data obtained from the first cloud environment.
[0140] The multi-cloud service account 726A includes a virtual private cloud 726B that hosts a transit gateway and a direct connect component. The direct connect component is a network component that provides an alternative to using the internet to consume cloud services in the second cloud environment. The direct connect allows a customer to have a low-latency, secure, private connection to the second cloud environment for workloads that require faster speeds or lower latency than the internet. The transit gateway is a network hub that can be utilized to interconnect VPCs and on-premises networks. In some embodiments, the transit gateway in the multi-cloud service account 726A is utilized to peer (i.e., communicatively couple) with the customer's account 721 in the second cloud environment 720.
[0141] The first cloud environment 710 includes an MCCP 712, a customer tenancy 714, and an MCNDP 716. As previously mentioned, the MCCP 712 and the MCNDP 716 are part of a multi-cloud infrastructure that provisions users of other cloud environments (e.g., the second cloud environment 720) to access services offered by the first cloud environment 710 with a user experience that is as close as possible to that of the user's native cloud environment, while providing simple integration between the cloud environments.
[0142] The first cloud environment 710 further includes a multicloud console 750 (distinct from the second cloud portal) that allows users authenticated within the second cloud infrastructure 720 to perform control plane operations on resources of the first cloud infrastructure 710 exposed through the multicloud infrastructure. In other words, the multicloud console 750 forms a gateway for users of the second cloud environment 720 to access resources deployed in the first cloud environment 710. It is understood that a user 705 can issue requests (e.g., CRUD requests) related to resources provided by the first cloud infrastructure directly from the multicloud console 750.
[0143] The first cloud environment includes an MCCP 712 that includes multiple microservices, such as a proxy module 712A, a platform services module 712B, and a pool of adapters 712C. The pool of adapters 712C includes a cloud link adapter, a database (DB) adapter, a network adapter, an observability adapter, and a support adapter.
[0144] Each adapter included in the adapter pool 712C is responsible for exposing a unique set of underlying resources (provided by the first cloud environment) to users of another cloud environment (e.g., a second cloud environment). In particular, each adapter in the adapter pool 712C maps to a specific product or resource provided by the first cloud infrastructure. Note that in some implementations, the actual resources may be created by a native control plane (not shown) of the first cloud infrastructure. The native control plane of the first cloud environment provides management and orchestration of the entire cloud environment. In the native control plane, configuration baselines can be set, user and role access is provisioned, and applications exist so that they can run with their associated services. For example, with respect to database as a service (DBaaS), a DBaaS control plane included in the native control plane of the first cloud environment is configured to instantiate an exadatabase resource within the customer's tenancy 714 of the first cloud environment.
[0145] Requests issued by a user 705 on the multi-cloud console 750 are routed to the MCCP's proxy module 712A. Note that the proxy module 712A processes incoming requests to perform authentication and access control. Each request includes a token (described below) associated with the user's account in the second cloud infrastructure. The proxy module extracts this token and validates the token together with the access control module 723B (i.e., the identity provider system of the second cloud environment). Upon successful validation, the proxy module 712A may check the role (i.e., set of permissions) associated with the user. Note that a role may be associated with one or more tasks / operations that are permitted for the role.
[0146] According to one embodiment, the proxy module 712A is responsible for authenticating incoming requests to the MCCP and authorizing if the user is allowed to perform the requested operation based on the role associated with the token. In some implementations, the proxy module 712A may perform the aforementioned authentication process by utilizing custom authentication capabilities of a service platform (SPLAT) associated with the first cloud infrastructure. It is understood that SPLAT is, broadly speaking, an infrastructure that facilitates the delivery of various cloud services offered by cloud service providers. The SPLAT receives and forwards the incoming request to the proxy module 712A, which further parses the incoming request to determine an authorization decision and returns a success or failure message to the SPLAT. Upon success, the SPLAT may direct the request to a routing module, which directs the request to an appropriate adapter in a pool of adapters; whereas, upon failure, the SPLAT returns an error response directly to the caller.
[0147] According to one embodiment, the proxy module 712A receives pre-authenticated requests from the service platform (i.e., SPLAT) of the first cloud environment and routes the requests to the appropriate adapter based on the route information included in the incoming request. In some implementations, the proxy module may extract an identifier corresponding to the provider of the service (from the incoming request) and route the request to the appropriate adapter in the pool of adapters 712C.
[0148] The cloud link adapter included in MCCP 712 is responsible for handling lifecycle operations of resources provided by the first cloud environment. The cloud link adapter is configured to create a mapping (or relationship created during the sign-up process) between a user's account in the second cloud environment and the user's corresponding tenancy / account in the first cloud infrastructure. In other words, the cloud link adapter generates a mapping of a first identifier associated with the user's tenancy in the first cloud environment to a second identifier associated with the user's account in the second cloud environment.
[0149] In some implementations, the cloud link adapter performs translation between an external cloud identifier (e.g., a second identifier associated with the user's account in the second cloud environment) and a first identifier (associated with the user's tenancy in the first cloud environment) to enable operations traversing the MCCP to be mapped to the appropriate underlying resource in the first cloud environment. In some embodiments, the cloud link adapter generates a data object to store such mapping information. Additionally, the cloud link adapter also generates a resource principal associated with the data object. The resource principal is assigned one or more permissions based on the token (and its associated role) included in the request. Access to downstream services provided by the first cloud environment is achieved by the user from the second cloud infrastructure based on the resource principal. The cloud link adapter may store the data object and the associated resource principal in the root partition of the user's tenancy in the first cloud infrastructure. Alternatively or additionally, the cloud link adapter may maintain data objects and resource principals locally in the multi-cloud infrastructure platform module 712B for seamless access by other adapters included in the multi-cloud infrastructure.
[0150] The network adapter (also referred to as a network link adapter) is responsible for creating a network link (i.e., a communication link / channel) between a customer account 721 (in the second cloud environment) and a corresponding customer tenancy / account 714 (in the first cloud environment). In some embodiments, the network link adapter obtains a token (from the platform module 712B) and creates (1) a first peering relationship (in the first cloud environment) between the MCNDP 716 and the customer tenancy 714, and (2) a second peering relationship (in the second cloud environment) between the customer account 721 included in the second cloud environment and a multi-cloud services account 726A of the first cloud service provider 717. The MCNDP 716 in the first cloud environment 710 includes a high-speed connection and a hub-and-spoke VCN that provision network connectivity (e.g., from on-premises locations, from external cloud environments) established with a customer's tenancy 714 in the first cloud environment. Meanwhile, a transit gateway included in the multi-cloud service account peers with the customer's account in the second cloud environment. A network adapter can configure an interconnect 719 to communicatively couple the two cloud environments. Specifically, at one end, the interconnect is coupled with a direct connection (located in the multi-cloud service account 726A), and at the other end, the interconnect is coupled with a high-speed connection in the MCDP. It is understood that the high-speed connection (included in the first cloud environment) and the direct connection included in the second cloud environment can be co-located within the same region. Furthermore, forming a network link between the two cloud environments allows applications running in the customer's account (e.g., within the customer's VPC in the second cloud environment) to access resources (e.g., exadatabase resources deployed in the customer's tenancy 714 in the first cloud environment). It is understood that the network link communicatively couples a user's tenancy in a first cloud environment to a user's account in a second cloud environment.
[0151] As shown in FIG. 7 , the observability module (included in the pool of adapters 712C) is configured to mirror or forward (e.g., publish) logs, metrics, and other performance parameters related to resources deployed in a customer's tenancy in the first cloud environment to a dashboard included in the monitoring module 724 included in the second cloud environment, for example, for further processing. According to some embodiments, the platform services module 712B included in the multi-cloud infrastructure is configured to store authentication information associated with services of the first cloud environment provided to users of the second cloud infrastructure. The platform services module 712B, for example, provides tokens / resource principals for the various adapters included in the pool of adapters 712C so that the adapters can communicate with the native control plane of the first cloud infrastructure. According to some embodiments, the platform services module 712B exposes APIs that are called by the various adapters to perform tasks such as: Selling minimally scoped access tokens (issued by the second cloud infrastructure) to adapters. For example, a network adapter needs an access token to perform the network peering operations mentioned above. Provides a resource principal that the adapter uses to invoke downstream services to create resources in the customer's tenancy in the first cloud infrastructure. Inducing replication of observability data (logs, metrics, events) from the first cloud infrastructure to the second cloud infrastructure.
[0152] As previously mentioned, the adapter pool 712C includes multiple adapters, each responsible for exposing a unique set of underlying resources of the first cloud infrastructure to users of the second cloud infrastructure; i.e., each adapter maps to a specific product or resource provided by the first cloud environment. For example, the Exadatabase adapter serves as a proxy through which users of the second cloud infrastructure can create and utilize Exadatabase resources. An Exadatabase is a pre-configured combination of hardware and software that provides the infrastructure for running a database. In some embodiments, an Exadatabase includes the following stack of resources: (a) Exadata infrastructure (i.e., hardware), (b) VM cloud cluster, (c) container database, and (d) pluggable database. In some embodiments, the multicloud infrastructure provides users of the second cloud infrastructure the ability to analyze each level of the stacked infrastructure. Furthermore, the MCCP provides the flexibility for users to simply issue a workflow creation command (via the multicloud console 750), and the MCCP then performs the automated creation of individual resources at each level of the stack. 7, the pool of adapters 712C includes five different adapters, although it will be understood that this in no way limits the scope of the MCCP architecture 700. The MCCP architecture may include other adapters, for example, proprietary adapters intended for use by specific cloud service providers based on the cloud service provider's requirements.
[0153] During operation, when a user 705 accesses the multi-cloud console 750 (e.g., for the first time) to perform a sign-up operation (e.g., for a multi-cloud service), the user 705 is redirected to a provisioning module 722 (included in the second cloud environment 720). The user may perform a login operation to the second cloud environment, i.e., using credentials associated with the second cloud environment. Upon successfully logging in to the second cloud environment, the provisioning module 722 performs the required configuration of resources in the customer's account in the second cloud environment. Note that provisioning of the required resources in the second cloud environment may include creating roles (and associated policies) and configuring a user pool with the identity system 723.
[0154] The provisioning process, for example, authorizes a multi-cloud service account in the second cloud environment to access resources in a customer's account in the second cloud environment. In doing so, resources in the first cloud environment 710 may perform an action with respect to the second cloud environment. For example, an observability adapter / module (included in pool of adapters 712C) may send metrics associated with resources deployed in the first cloud environment to a monitoring module in the second cloud environment. As another example of the provisioning process, a network adapter (included in pool of adapters 712C) may connect a transit gateway in the second cloud environment to a customer's VPC, i.e., form a peering within the second cloud environment.
[0155] According to some embodiments of the present disclosure, the identity system 723 of the second cloud environment 720 includes functionality (referred to herein as “assuming a role”) that allows a user or service to temporarily acquire the permissions of a different role. Such functionality enables cross-account access or delegation of permissions within or outside the same account. When a user or service assumes a role, they receive a set of temporary security credentials that may include an access key, a secret access key, and a session token. These credentials can then be used to make API calls or access resources (in the second cloud environment) based on the permissions granted to the assumed role. Thus, as part of the provisioning process, a multi-cloud service account may be configured to assume a role, and the multi-cloud service account may use this role to access a customer's account in the second cloud environment.
[0156] Once a user successfully logs into the second cloud environment 720 and completes the provisioning process described above, an access token may be issued to the user. Such token is then forwarded to the multi-cloud console 750, which in turn forwards the token to the MCCP 712. A proxy module 712A included in the MCCP 712 performs authentication of the user as described above, and, if the user is successfully authorized (e.g., by checking whether the user has sufficient privileges to issue a particular type of request), forwards the request to an appropriate adapter included in a pool of adapters 712C to fulfill the user's request.
[0157] FIG. 8 shows an exemplary swim diagram illustrating steps corresponding to a user sign-up process, according to some embodiments. In particular, FIG. 8 shows steps performed in signing up a user (of a second cloud environment) to utilize multi-cloud services provided by a first cloud environment that is different from the second cloud environment. FIG. 8 illustrates interactions between a user 801, a provisioning module 802 of the second cloud environment, an identity module 803 of the second cloud environment, an identity and access management module (IAM) 804 (also referred to herein as an access control module) of the second cloud environment, a multi-cloud console (e.g., a sign-up console) 805 included in the first cloud environment, and a multi-cloud control plane (MCCP) 806 of a multi-cloud infrastructure included in the first cloud environment. It is understood that the multi-cloud console 805, like the MCCP 806, can be considered a component of the multi-cloud infrastructure included in the first cloud environment.
[0158] The process begins at step S1, where a user 801 sends a request to sign up for a multi-cloud service provided by a first cloud environment to a multi-cloud console 805, e.g., a sign-up API of the multi-cloud console. In some implementations, once the request is received, the user may be redirected to the second cloud environment to perform a login operation on the second cloud environment, i.e., the user 801 enters their login credentials (of the second cloud environment), which may be verified by the identity system (e.g., identity module 803) of the second cloud environment. Upon successfully logging in to the second cloud environment (step S2), the user 801 may be redirected to the multi-cloud console 805. In some implementations, metadata information including the user's account ID (corresponding to the user's account in the second cloud environment), the user's email address / ID, etc. may be forwarded to the multi-cloud console 805. It is understood that a user may be provided with a link (e.g., a hyperlink) corresponding to the multicloud console's sign-up API by various means, such as, for example, through a service associated with the second cloud environment, through online documentation of the first cloud environment which may include a link to the multicloud infrastructure's sign-up console, etc. Additionally, services offered by the multicloud infrastructure may include an exadatabase service, a shared autonomous database service, a dedicated autonomous database service, or a virtual machine database service, etc.
[0159] Upon receiving the metadata information, the multicloud console 805 sends a request to the MCCP 806 to determine whether a set of required resources has been configured for this user (step S3). In step S4, the MCCP begins processing to determine whether a set of required resources has been configured. In step S5, the MCCP proceeds to assume a validator role, i.e., a role that allows the MCCP to perform user validation. In some implementations, an API associated with the MCCP assumes the validator role and performs user validation. When the user 801 accesses the multicloud console 805 for the first time to sign up for services provided by the multicloud infrastructure, provisioning of the set of required resources has not yet occurred. Therefore, in step S6, the identity system of the second cloud environment (e.g., identity system 723 in FIG. 7 ), which includes the IAM module 804, sends a notification to the MCCP indicating that the validator role does not exist.
[0160] The MCCP 806 sends a notification to the multicloud console 805 informing it that the required configuration of the resource is incomplete or invalid (step S7). Then, in step S8, the multicloud console provides a notification to the user (e.g., via an API associated with the multicloud console) to initiate or undertake the provisioning process of the required resource. In step S9, the user 801 communicates with a provisioning module 802 included in the customer's account in the second cloud environment to trigger the provisioning process.
[0161] In step S10, the provisioning module 802 causes the identity module 803 to initiate provisioning of the required resources for the user. For example, as described above with reference to FIG. 7, this provisioning includes creating a set of one or more roles (and associated policies, permissions, etc. corresponding to each role) for one or more users of the second cloud environment. In some implementations, the identity module 803 serves as a user directory for the second cloud environment. Additionally, the access control module 804 may be configured to perform functions such as creating user pools and adding user sign-up, sign-in, and access control to web and mobile applications. In some implementations, the provisioning module 802 is configured to create a hierarchy of resources, each of which is associated with a corresponding role, e.g., a network role, an observability role, and a validator role. It is understood that the network role allows for the creation of network links, i.e., communication paths, to interconnect resources of the first cloud environment and the second cloud environment, while the observability role provisions an observability module (of the MCCP) to expose metrics associated with one or more resources deployed in the first cloud environment, which are forwarded to a monitoring module of the second cloud environment.
[0162] The configuration of required resources is illustrated in steps S10-S12 of FIG. 8. Note that in step S11, the identity module 803 of the second cloud environment may perform user validation based on the user's credentials (e.g., login information) associated with the second cloud environment. It is understood that while the process of provisioning the required resources is running in the second cloud environment, the multi-cloud console 805 of the first cloud environment may simultaneously communicate with the MCCP 806 to determine whether resource prerequisite validation has been configured (steps S8′ and S9′). Because the provisioning of the required resources is occurring simultaneously (i.e., not yet completed), in step S10′ the IAM module 804 of the second cloud environment sends a notification to the MCCP 806 indicating that the role has not yet been created.
[0163] In step S13, the MCCP 806 retries assuming the validator role. This time, because the role has been created (i.e., the required resources have been provisioned in step S12), the MCCP 806 receives a notification from the IAM module 804 of the second cloud environment informing it that the validator role exists. Furthermore, in step S14, the IAM module 804 provides the MCCP with temporary credentials for a multi-cloud service account (e.g., deployed in the second cloud environment and controlled by the first CSP in the first cloud environment). In step S15, the MCCP 806 checks the validity of other roles in the role hierarchy. For example, the MCCP 806 verifies whether the network role and the observability role have been created. In step S16, the MCCP 806 receives confirmation that the roles have been successfully created.
[0164] In step S17, the MCCP 806 sends a request to the identity module 803 included in the identity system of the second cloud environment to validate the user settings (e.g., validate the configuration of the user's user pool) and obtains a client ID (e.g., the ID of the user pool to which the user 801 belongs). In particular, the user settings validation may include determining an identifier of the user's pool in the second cloud environment and membership information indicating that the user is a member of the user's pool, e.g., a group of administrators with sufficient rights / authorizations. In step S18, the MCCP 806 provides a uniform resource link (URL) to the multi-cloud console 805. Such a URL corresponds to a sign-in URL, i.e., a sign-in for a multi-cloud service provided by the first cloud environment. In step S19, a notification may be provided to the user 801 instructing the user to perform a sign-in process. It is understood that such a notification may be provided via an API associated with the multi-cloud console 805.
[0165] After the user performs a sign-in process in step S20, for example, by logging into the second cloud environment's identity system, e.g., identity module 803, the user is directed to the multicloud console in step S21. Note that upon successful login of user 801 to the second cloud environment's identity module 803, an access token may be provided to the user by identity module 803. Such access token may be forwarded to multicloud console 805, where it is used to authenticate the user's authorization when the user selects any one of the services provided by the multicloud infrastructure.
[0166] In step S22, once the user is successfully directed to the multi-cloud console, a cloud link adapter included in the MCCP may be activated and provide the user 801 with the option to link the customer's account in the second cloud environment with the customer's account in the first cloud environment. In other words, the cloud link adapter performs the process of linking two accounts of a customer in two different cloud environments, as described above with reference to FIG. 7. Note that linking two accounts in different cloud environments allows a user of the second cloud environment to utilize services provided by the multi-cloud infrastructure included in the first cloud environment. Furthermore, it is understood that the multi-cloud infrastructure may provide the user with the option to create a tenancy (for the user) in the first cloud environment if the user does not have an account in the first cloud environment.
[0167] 9 shows an exemplary swim diagram illustrating steps corresponding to an inbound authorization process, according to some embodiments. The inbound authorization process corresponds to a process in which an action is initiated / created in the multicloud console and the results of the action are executed in the customer's tenancy in the first cloud environment (e.g., the customer's OCI tenancy). FIG. 9 shows interactions between multiple entities, including an administrator 910, an identity module 915 (of the second cloud environment), a user 920, a multicloud console 925, an MCCP 930, and an adapter (e.g., an ADB shared adapter) 935.
[0168] As shown in FIG. 9 , in step S1, a customer administrator (i.e., the person who performed the sign-up operation in FIG. 8 ) performs a login operation on the identity module 915 of the second cloud environment. Note that the administrator performs the login operation using credentials associated with the second cloud environment. Because the administrator has sufficient privileges, the administrator 910 may want to add a particular user (e.g., user 920) to an administrative group. Upon adding user 920 to the administrative group, in step S2, a verification message is sent to user 920. For example, the verification message may be sent to user 920 via email.
[0169] In step S3, upon receiving the verification message, the user 920 performs a verification process, i.e., by logging into the second cloud environment using their authentication information. It is understood that the verification message may include a temporary password generated by the identity module 915. Once the user 920 successfully logs into their account associated with the second cloud environment, in step S4 the user may choose to reset the temporary password. Furthermore, upon successful login to the second cloud environment, in step S5 a token (e.g., an access token) is granted to the user by the identity module 915.
[0170] In step S6, the user is directed to a multicloud console 925 (e.g., a GUI of the multicloud console) included in the first cloud environment. It is understood that the token and metadata granted to the user are transferred to the multicloud console 925. The metadata may include information including the user's account ID in the second cloud environment, a user pool ID (i.e., an identifier associated with a user group to which the user belongs), etc. In step S7, the user 920 selects a resource type from multiple resource types available for deployment. Note that each of the various resource types may be provided as an icon on the GUI of the multicloud console 925, and the user may select a particular type of resource for deployment by selecting (e.g., clicking) the corresponding icon on the GUI. Alternatively, the user 920 may select the desired type of resource for deployment from a drop-down menu in the GUI.
[0171] Once the user 920 has performed a selection of the type of resource desired to be deployed, in step S8, a request is sent from the multicloud console 925 to a corresponding adapter (associated with the resource type) included in the pool of adapters of the multicloud infrastructure of the first cloud environment. For purposes of explanation, it is assumed herein that the user 920 wishes to deploy an autonomous database-shared (ADB-S) resource. However, it should be noted that this does not limit the scope of the present disclosure in any way. Furthermore, the request includes a token (obtained in step S6) and other metadata information associated with the user 920. In some implementations, the request sent from the multicloud console 925 to the database adapter 935 may be signed using a private key associated with the identity module of the second cloud environment to generate a signed request (i.e., a signature).
[0172] When the database adapter 935 receives a request to deploy ADB-S resources to a customer's tenancy in the customer's first cloud environment, the database adapter 935 forwards the signed request, i.e., signature, to the MCCP 930 in step S9 to authorize the user, i.e., to determine whether the user who initiated the request to deploy a resource type in the multi-cloud console has sufficient authority to issue this request. The MCCP 925 proceeds to authorize the user by decrypting the signed request using the public key associated with the identity module 915. If the MCCP 925 successfully decrypts the signature, the MCCP 925 extracts a token from the decrypted signed request and authorizes the user 920 based on the token, e.g., by determining whether the user 920 is a member of a user group, e.g., an administrative group, that has authority to issue requests, such as deploying resources. Upon successfully authorizing the user, the MCCP 925 sends an authorization notification to the database adapter 935 in step S10. It is noted that the above authorization process may be performed by a proxy module (eg, proxy module 712A of the MCCP).
[0173] Upon receiving the authorization notification, the database adapter proceeds to deploy the selected type of resource, e.g., an ADB-S resource, to a partition of the customer's tenancy in the first cloud environment. For example, in one implementation, the database adapter may retrieve a link resource object previously created for the user. The link resource object includes information linking a tenancy associated with the user in the first cloud environment to an account associated with the user in the second cloud environment. The database adapter, in step S11, sends a notification to the multicloud console 925 indicating that the resource is being deployed to the first cloud environment. The multicloud console 925 then notifies the user 920 that the resource is being deployed. It is understood that a similar notification may be sent from the database adapter to the multicloud console when the deployment of the resource is complete.
[0174] FIG. 10 shows an exemplary swim diagram illustrating steps corresponding to an outbound authorization process, according to some embodiments. The outbound authorization process corresponds to a process in which a resource / component in a first cloud environment desires to access a resource in a second cloud environment (different from the first cloud environment). For example, an example outbound process may correspond to an observability module (e.g., an observability adapter) of an MCCP in a first cloud environment accessing a resource (e.g., a monitoring module of a second cloud environment) to expose one or more metrics related to the performance of one or more resources deployed in the first cloud environment. FIG. 10 shows interactions between multiple entities, including an observability module 1005, a multi-cloud secret store 1010 (e.g., a database), a multi-cloud service account 1015 (i.e., an account with a first cloud service provider in a second cloud environment), a customer's account in a second cloud environment 1020, and a monitoring module in a second cloud environment 1025. The swim diagram shown in Figure 10 corresponds to a situation in which an observability module of a multi-cloud infrastructure (contained in a first cloud environment) desires to access a monitoring module contained in a second cloud environment to expose metrics related to the performance of one or more resources (e.g., databases) deployed in the first cloud environment.
[0175] In step S1, the observability module 1005 retrieves credentials associated with a multi-cloud service account deployed in a second cloud environment (and controlled by the first CSP) from a multi-cloud secret database 1010 (included in the multi-cloud infrastructure) to enable the observability module 1005 to access the multi-cloud service account in the second cloud environment.
[0176] Upon retrieving the credentials associated with the multi-cloud service account, in step S2, the observability module 1005 proceeds to assume a role in the multi-cloud service account to act on behalf of the customer. In other words, the observability module determines whether it has permission to assume a role on behalf of the customer in the multi-cloud service account. Note that during the sign-up phase (already described with respect to FIG. 8 ), the multi-cloud service account is granted permission to act on behalf of the customer in the step of provisioning the required resources in the second cloud environment. If the configuration of the required resources has been performed in the appropriate manner, the observability module 1005 (in step S2) is granted permission to act on behalf of the customer.
[0177] In step S3, the observability module proceeds to assume a particular role (e.g., an observability role) and push metrics associated with one or more resources to the second cloud environment. In some implementations, the identity system 723 of the second cloud environment may validate the customer to ensure that the provisioning of required resources has been properly configured to allow the multi-cloud service account to assume such a role. If the identity system 723 of the second cloud environment successfully validates the required provisioning of resources, the identity system 723 provides the observability module 1005 with temporary credentials to access the customer's account in the second cloud environment. In other words, during the sign-up phase of FIG. 8, a trust policy is configured that allows the multi-cloud service account to assume the observability role to push metrics associated with one or more resources in the first cloud environment to the second cloud environment. Upon successfully assuming the observability role, in step S4, the observability module forwards or pushes the metrics to a monitoring module (eg, monitoring module 724 of FIG. 7) for exposure in the monitoring module's dashboard application.
[0178] 11A shows an exemplary swim diagram illustrating steps corresponding to a user sign-in process, according to some embodiments. FIG. 11A shows interactions between multiple entities, including a user 1101, a browser 1102, an identity module 1103 (of a second cloud environment), and a multi-cloud console 1104 and MCCP 1105 included in a first cloud environment.
[0179] In step S1, user 1101 utilizes browser 1102 to access multicloud console 1104, e.g., the API of multicloud console 1104. In step S2, multicloud console 1104 provides a prompt to the user to enter an account ID associated with a customer (e.g., an organization). Note that the user is a member (e.g., an employee) of the customer. In step S3, user 1101 enters the customer's account ID, after which a request is sent from the browser to MCCP 1105 to retrieve a unique configuration associated with the customer (step S4). Note that the configuration may correspond to information including the customer's unique URL (e.g., a URL associated with a second cloud environment that corresponds to the customer and to which the user can perform a login operation), and other metadata related to the customer, such as a client ID, a scope, a redirect URL (e.g., a URL associated with the multicloud console to which the customer is directed), etc.
[0180] Based on the customer's account ID obtained in step S2, the MCCP 1105 returns the customer configuration to the browser in step S5. It is understood that in the customer sign-up process of FIG. 8, a mapping of the customer's account ID to a specific configuration associated with the customer may be stored in the MCCP 1105's database. Steps S6-S9, described below, relate to an authorization process involving a proof key for code exchange (PKCE), which enhances customer security. In particular, in step S6, the browser may generate a code verifier and a code challenge and store the generated verifier and challenge in browser storage. In some implementations, the code verifier corresponds to a cryptographically generated random string, e.g., a high-entropy secret string. Furthermore, the code challenge may be generated based on the code verifier, e.g., by performing a hash operation on the code verifier (using a hash function, e.g., SHA256). Note that the code verifier and the code challenge may be used to perform challenge-response validation.
[0181] Based on the code challenge generated in step S6 and the configuration information received in step S5, in step S7 the browser constructs / creates a URL to direct the user to the identity module 1103 of the second cloud environment. In step S8, the user 1101 accesses the URL generated in step S7 to perform a login operation. In some implementations, the authorization request of S8 may include the code challenge generated in step S6. In step S9, the identity module 1103 of the second cloud environment provides the user 1101 with a prompt to enter user credentials. Once the user 1101 enters the user credentials, the credentials are submitted to the identity module 1103 of the second cloud environment in step S11.
[0182] In step S12, the identity provider of the second cloud environment redirects the user's browser with the authentication code. In step S13, the browser 1102 performs a GET function on the URL as instructed in step S12. In step S14, a response is obtained from the multi-cloud console 1104. For example, this response may correspond to a status response (e.g., a 200 OK response) that includes a script (e.g., Javascript) that performs the call in the next step.
[0183] In step S15, a request is sent from the browser to the MCCP 1105 to obtain a unique configuration associated with the customer. Note that this configuration may correspond to information including the customer's unique URL. In step S16, configuration information is obtained. Note that this configuration information includes the customer's unique URL as well as other metadata including a client ID, scope, redirect URL, etc. In step S17, the browser retrieves a code verifier from its local storage. In step S18, to obtain a token from the identity system of the second cloud environment, the browser 1102 sends a request to obtain a token, the request including the code verifier and then the authentication code. In some implementations, the identity module 1103 of the second cloud environment may (i) perform processing to determine whether the authentication code received in step S18 corresponds to the previously sent authentication code of step S12, and (ii) based on the code verifier, the identity module 1103 may generate a code challenge and compare it to the challenge received in step S8. Based on the above conditions being verified, the identity module 1103 may generate one or more tokens for the user (step S19). Note that the user 1101 can utilize the tokens to access multi-cloud services provided by the first cloud environment (via the multi-cloud console), where the first cloud environment is different from the cloud environment from which the user is initiating a request to access such services (i.e., the second cloud environment).
[0184] FIG. 11B shows a schematic diagram illustrating the deployment of resources with a multi-cloud infrastructure, according to some embodiments. As shown in FIG. 11B , a first cloud environment includes a multi-cloud console 1151, a service platform (SPLAT) 1152, a proxy 1153, a cloud link adapter 1154, a database adapter 1155, and a platform 1156. When a user accesses the multi-cloud console 1151, in some implementations, the user may be directed to an identity management system 1160 of the second cloud environment to perform a login operation for the second cloud environment. Note that upon successful login, the user is redirected back to the multi-cloud console 1151 with a token, e.g., an access token. It is understood that the user may utilize the multi-cloud console 1151 to issue commands to access, create, or update resources in the user's tenancy in the first cloud infrastructure. For purposes of explanation, the following describes a situation in which a user utilizes the multi-cloud console 1151 to issue a request to create a database resource, e.g., an exadatabase resource.
[0185] The multicloud console 1151 provides a number of options, such as, for example, creating a resource, accessing a resource, updating a resource, etc. Such options may be provided to the user in the form of selectable icons (e.g., buttons) within the multicloud console 1151. When the user makes a selection (e.g., to create a resource), an API call to the service platform 1152 is triggered. It is understood that in some implementations, the request made to the service platform 1151 may be a call, such as a REST-style call (or a POST call), that includes an authorization header that includes a token associated with the user in the second cloud infrastructure. The request also includes metadata information, including an account ID (for the second cloud environment), a resource name, a provider name, and the type of resource requested by the user.
[0186] The call, including the token, is further forwarded to a proxy module 1153, which performs authentication and access control operations. According to some embodiments, the proxy module 1153 performs authentication operations by extracting the token included in the call. In some implementations, the proxy module 1153 validates the token by comparing the signature (used to sign the request) with the publicly available signature of the second cloud infrastructure to ensure that the request originates from a valid customer associated with the second cloud infrastructure. Additionally, the proxy module 1153 may check the role, i.e., the privileges associated with the token, such as whether the role corresponds to a DB administrator. Based on the role, the proxy module 1153 may route the request to an appropriate adapter included in the MCCP framework, i.e., one of the adapters included in the pool of adapters 712C as shown in FIG. 7.
[0187] According to one embodiment, proxy module 1153 compares the role (associated with the token) with a pre-configured list of roles that have been published and assigned to each of the adapters (as part of the API specification). For example, if the role associated with the token corresponds to "Exadata DB Administrator", the request may be understood as a request to create an Exadatabase, and the request is therefore forwarded to database adapter 1155. Furthermore, according to some embodiments, proxy module 1153 may analyze information included in the REST call, such as the provider ID, the type of resource requested, etc., and based on the analyzed information, proxy module 1153 may forward the request to the appropriate adapter.
[0188] In some implementations, the request obtained by the proxy module 1153 may not include information identifying the user's tenancy in the first cloud infrastructure where the resource should be deployed. Therefore, the proxy module 1153 communicates with the cloud link adapter 1154 to obtain mapping information of the user's account in the second cloud infrastructure to the user's tenancy in the first cloud infrastructure. If the mapping information exists, the proxy module 1153 obtains information about the user's tenancy in the first cloud infrastructure and passes this information to the database adapter 1155. In this way, the database adapter 1155 knows the user's tenancy in the first cloud infrastructure where the resource should be created / deployed. However, if the cloud link adapter 1154 determines that the mapping information does not exist, the proxy module 1153 may simply issue an “access not authorized” message returned to the user as a response to the request to create the database resource.
[0189] Note that in some implementations, the cloud link adapter 1154 creates a data object (referred to herein as a cloud link resource object or link resource object) to store metadata information identifying the two linked accounts. For example, the data object stores metadata information including a mapping of a first identifier associated with a tenancy (i.e., an account) in the first cloud infrastructure and a second identifier associated with the user's account with the second cloud service provider. Such a mapping is referred to herein as a resource context. Additionally, the cloud link adapter 1154 may also create a resource principal (referred to herein as a cloud link resource principal) associated with the resource context. The cloud link adapter 1154 may maintain the data object and resource principal in the root partition of the user's tenancy in the first cloud infrastructure. In some embodiments, the cloud link adapter 1154 may also maintain the data object and / or resource principal locally in the platform 1156.
[0190] In some implementations, the database adapter 1155 may obtain resource principals maintained locally within the platform 1156. The database adapter 1155 may send a request (including the resource principals) to one or more downstream services included in the first cloud infrastructure to create resources in the user's tenancy within the first cloud infrastructure. In other words, the downstream services included in the first cloud infrastructure utilize the identity, i.e., the resource principals obtained from the platform 1156, to create / deploy the requested resource (e.g., an exadatabase in the user's tenancy within the first cloud infrastructure). Once the user issues a request to create an exadatabase, the user may intermittently poll the MCCP to obtain the status of the request. Once the downstream services in the first cloud infrastructure create the resources in the user's tenancy within the first cloud infrastructure, the MCCP may notify the user regarding successful completion of the request.
[0191] Cloud Infrastructure Examples As mentioned above, infrastructure as a service (IaaS) is a specific type of cloud computing. IaaS can be configured to provide virtualized computing resources over a public network (e.g., the Internet). In the IaaS model, a cloud computing provider can host infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., hypervisor layer), etc.). In some cases, an IaaS provider may offer various services (e.g., billing, monitoring, logging, security, load balancing, clustering, etc.) incidental to those infrastructure components. Accordingly, these services can be policy-driven, allowing IaaS users to implement policies to drive load balancing and maintain application availability and performance.
[0192] In some cases, IaaS customers may access resources and services over a wide area network (WAN), such as the Internet, and can use the cloud provider's services to install the remaining elements of their application stack. For example, a user may log into an IaaS platform to create virtual machines (VMs), install an operating system (OS) on each VM, deploy middleware such as databases, create storage buckets for workloads and backups, and even install enterprise software on the VMs. The customer can then use the provider's services to perform a variety of functions, including balancing network traffic, troubleshooting application issues, monitoring performance, managing disaster recovery, etc.
[0193] In most cases, the cloud computing model requires the participation of a cloud provider. A cloud provider may be, but need not be, a third-party service that specializes in providing (e.g., offering, renting, selling) IaaS. An entity may choose to deploy a private cloud and become its own provider of infrastructure services.
[0194] In some examples, IaaS deployment is the process of connecting a new application or a new version of an application to a prepared application server or the like. This process may include the process of preparing the server (e.g., installing libraries, daemons, etc.). This process is often managed by the cloud provider below the hypervisor layer (e.g., server, storage, network hardware, and virtualization). Thus, the customer may be responsible for handling the deployment of the OS, middleware, and / or application (e.g., on self-service virtual machines (e.g., that can be spun up on demand)).
[0195] In some examples, IaaS provisioning may also refer to obtaining computers or virtual hosts for use and installing needed libraries or services on those computers or virtual hosts. In most cases, deployment does not include provisioning, which may need to be performed first.
[0196] In some cases, IaaS provisioning presents two distinct challenges. First, there is the initial challenge of provisioning an initial set of infrastructure before anything can be run. Second, there is the challenge of evolving the existing infrastructure (e.g., adding new services, modifying services, removing services, etc.) after everything has been provisioned. In some cases, these two challenges may be addressed by allowing the configuration of the infrastructure to be defined declaratively. In other words, the infrastructure (e.g., which components are needed and how those components interact) may be defined by one or more configuration files. In this way, the entire topology of the infrastructure (e.g., which resources depend on which resources and how each of those resources works together) may be described declaratively. In some cases, after the topology is defined, workflows may be generated to create and / or manage the various components described in the configuration files.
[0197] In some examples, the infrastructure may include many interconnected elements. For example, there may be one or more virtual private clouds (VPCs) (e.g., configurable and / or shared, possibly on-demand pools of computing resources), also known as a core network. In some examples, there may be one or more security group rules and one or more virtual machines (VMs) provisioned to define how the network is secured. Other infrastructure elements, such as load balancers, databases, etc., may also be provisioned. The infrastructure can evolve over time as more infrastructure elements are desired and / or added.
[0198] In some cases, continuous deployment techniques may be employed to enable deployment of infrastructure code across various virtual computing environments. Additionally, the described techniques may enable infrastructure management within these environments. In some examples, a service team may write code that is desired to be deployed to one or more, but often many, different production environments (e.g., across various geographic locations, sometimes across the world). However, in some examples, the infrastructure onto which the code will be deployed must first be set up. In some cases, provisioning can be done manually, and provisioning tools may be utilized to provision the resources and / or deployment tools may be utilized to deploy the code after the infrastructure has been provisioned.
[0199] 12 is a block diagram 1200 illustrating an example pattern of an IaaS architecture according to at least one embodiment. A service operator 1202 may be communicatively coupled to a secure host tenancy 1204, which may include a virtual cloud network (VCN) 1206 and a secure host subnet 1208. In some examples, the service operator 1202 may employ one or more client computing devices, which may be portable handheld devices (e.g., iPhones, mobile phones, iPads, computing tablets, personal digital assistants (PDAs)) or wearable devices (e.g., Google Glass head-mounted displays) that are Internet, email, short message service (SMS), Blackberry, or other communication protocol enabled, running software such as Microsoft Windows Mobile, and / or various mobile operating systems such as iOS, Windows Phone, Android, BlackBerry 8, Palm OS, etc. Alternatively, the client computing devices may be general-purpose personal computers, including, by way of example, personal and / or laptop computers running various versions of the Microsoft Windows, Apple Macintosh, and / or Linux operating systems. The client computing devices may be workstation computers running any of a variety of commercially available UNIX or UNIX-like operating systems, including, but not limited to, various GNU / Linux operating systems, such as Google Chrome OS.Alternatively or additionally, the client computing device may be any other electronic device, such as a thin client computer, an Internet-enabled gaming system (e.g., a Microsoft Xbox gaming console with or without a Kinect® gesture input device), and / or a personal messaging device, that can communicate over a network accessible to VCN 1206 and / or the Internet.
[0200] VCN 1206 may include a local peering gateway (LPG) 1210, which may be communicatively coupled to a secure shell (SSH) VCN 1212 via an LPG 1210 included in the SSH VCN 1212. The SSH VCN 1212 may include an SSH subnet 1214, which may be communicatively coupled to a control plane VCN 1216 via an LPG 1210 included in the control plane VCN 1216. The SSH VCN 1212 may also be communicatively coupled to a data plane VCN 1218 via the LPG 1210. The control plane VCN 1216 and the data plane VCN 1218 may be included in a service tenancy 1219, which may be owned and / or operated by the IaaS provider.
[0201] The control plane VCN 1216 may include a control plane demilitarized zone (DMZ) tier 1220 that serves as a perimeter network (e.g., a portion of an enterprise network between the enterprise intranet and an external network). Servers based in the DMZ may have limited responsibilities and help keep security breaches contained. Additionally, the DMZ tier 1220 may include one or more load balancer (LB) subnets 1222, a control plane app tier 1224 that may include an app subnet 1226, and a control plane data tier 1228 that may include a database (DB) subnet 1230 (e.g., a front-end DB subnet and / or a back-end DB subnet). LB subnet 1222 included in control plane DMZ tier 1220 can be communicatively coupled to app subnet 1226 and Internet gateway 1234 included in control plane app tier 1224, which may be included in control plane VCN 1216, and app subnet 1226 can be communicatively coupled to DB subnet 1230, as well as service gateway 1236 and network address translation (NAT) gateway 1238 included in control plane data tier 1228. Control plane VCN 1216 can include service gateway 1236 and NAT gateway 1238.
[0202] Control plane VCN 1216 can include a data plane mirror app layer 1240 that can include an app subnet 1226. The app subnet 1226 included in data plane mirror app layer 1240 can include a virtual network interface controller (VNIC) 1242 that can run a compute instance 1244. The compute instance 1244 can communicatively couple the app subnet 1226 of data plane mirror app layer 1240 to the app subnet 1226 that can be included in the data plane app layer 1246.
[0203] Data plane VCN 1218 may include a data plane app layer 1246, a data plane DMZ layer 1248, and a data plane data layer 1250. Data plane DMZ layer 1248 may include a LB subnet 1222, which may be communicatively coupled to an app subnet 1226 of data plane app layer 1246 and an internet gateway 1234 of data plane VCN 1218. App subnet 1226 may be communicatively coupled to a service gateway 1236 of data plane VCN 1218 and a NAT gateway 1238 of data plane VCN 1218. Data plane data layer 1250 may also include a DB subnet 1230, which may be communicatively coupled to app subnet 1226 of data plane app layer 1246.
[0204] Internet gateways 1234 of control plane VCN 1216 and of data plane VCN 1218 may be communicatively coupled to metadata management service 1252, which may be communicatively coupled to public internet 1254. Public internet 1254 may be communicatively coupled to NAT gateways 1238 of control plane VCN 1216 and of data plane VCN 1218. Service gateways 1236 of control plane VCN 1216 and of data plane VCN 1218 may be communicatively coupled to cloud services 1256.
[0205] In some examples, a service gateway 1236 in the control plane VCN 1216 or in the data plane VCN 1218 can make application programming interface (API) calls to cloud services 1256 without traversing the public internet 1254. API calls from the service gateway 1236 to the cloud services 1256 can be one-way: the service gateway 1236 can make the API call to the cloud services 1256, and the cloud services 1256 can send the requested data to the service gateway 1236. However, the cloud services 1256 may not initiate the API call to the service gateway 1236.
[0206] In some examples, secure host tenancy 1204 can be directly connected to service tenancy 1219 or may be otherwise separate. Secure host subnet 1208 can communicate with SSH subnet 1214 through LPG 1210, which may enable bidirectional communication on otherwise separate systems. Connecting secure host subnet 1208 to SSH subnet 1214 may give secure host subnet 1208 access to other entities within service tenancy 1219.
[0207] Control plane VCN 1216 may enable users of service tenancy 1219 to configure or otherwise provision desired resources. The desired resources provisioned in control plane VCN 1216 may be deployed or otherwise used in data plane VCN 1218. In some examples, control plane VCN 1216 may be separate from data plane VCN 1218, and data plane mirror app layer 1240 of control plane VCN 1216 may communicate with data plane app layer 1246 of data plane VCN 1218 via VNIC 1242, which may be included in data plane mirror app layer 1240 and data plane app layer 1246.
[0208] In some examples, a user or customer of the system may make a request, for example, a create, read, update, or delete (CRUD) operation, via the public internet 1254, which may communicate the request to a metadata management service 1252. The metadata management service 1252 may communicate the request to the control plane VCN 1216 via an internet gateway 1234. The request may be received by a LB subnet 1222 included in the control plane DMZ tier 1220. The LB subnet 1222 may determine that the request is valid, and in response to this determination, the LB subnet 1222 may send the request to an app subnet 1226 included in the control plane app tier 1224. If the validity of the request is confirmed and the request requires a call to the public internet 1254, the call to the public internet 1254 may be sent to a NAT gateway 1238, which may make the call to the public internet 1254. Memory that may be desirable to store with the request may be stored within the DB subnet 1230.
[0209] In some examples, data plane mirror app layer 1240 can facilitate direct communication between control plane VCN 1216 and data plane VCN 1218. For example, it may be desirable for changes, updates, or other appropriate modifications to the configuration to be applied to resources included in data plane VCN 1218. Via VNIC 1242, control plane VCN 1216 communicates directly with resources included in data plane VCN 1218, thereby enabling changes, updates, or other appropriate modifications to the configuration of the resources.
[0210] In some embodiments, the control plane VCN 1216 and the data plane VCN 1218 may be included in the service tenancy 1219. In this case, a user or customer of the system may not own or operate either the control plane VCN 1216 or the data plane VCN 1218. Instead, an IaaS provider may own or operate the control plane VCN 1216 and the data plane VCN 1218, which may both be included in the service tenancy 1219. This embodiment may enable network isolation that can prevent users or customers from interacting with other users' or customers' resources. This embodiment may also enable users or customers of the system to store databases privately without having to rely on the public internet 1254 for storage, which may not have a desirable level of security.
[0211] In another embodiment, LB subnet 1222 included in control plane VCN 1216 may be configured to receive signals from service gateway 1236. In this embodiment, control plane VCN 1216 and data plane VCN 1218 may be configured to be called by customers of the IaaS provider without calling the public internet 1254. Customers of the IaaS provider may desire this embodiment because databases used by the customers may be stored in service tenancy 1219, which may be controlled by the IaaS provider and isolated from the public internet 1254.
[0212] 13 is a block diagram 1300 illustrating another example pattern of an IaaS architecture, according to at least one embodiment. A service operator 1302 (e.g., service operator 1202 of FIG. 12 ) may be communicatively coupled to a secure host tenancy 1304 (e.g., secure host tenancy 1204 of FIG. 12 ), which may include a virtual cloud network (VCN) 1306 (e.g., VCN 1206 of FIG. 12 ) and a secure host subnet 1308 (e.g., secure host subnet 1208 of FIG. 12 ). VCN 1306 may include a local peering gateway (LPG) 1310 (e.g., LPG 1210 of FIG. 12 ), which may be communicatively coupled to a secure shell (SSH) VCN 1312 (e.g., SSH VCN 1212 of FIG. 12 ) via an LPG 1310 included in SSH VCN 1312. SSH VCN 1312 can include SSH subnet 1314 (e.g., SSH subnet 1214 in FIG. 12 ), and SSH VCN 1312 can be communicatively coupled to control plane VCN 1316 (e.g., control plane VCN 1216 in FIG. 12 ) via LPG 1310 included in control plane VCN 1316. Control plane VCN 1316 can be included in service tenancy 1319 (e.g., service tenancy 1219 in FIG. 12 ), and data plane VCN 1318 (e.g., data plane VCN 1218 in FIG. 12 ) can be included in customer tenancy 1321, which can be owned or operated by a user or customer of the system.
[0213] The control plane VCN 1316 may include a control plane DMZ tier 1320 (e.g., control plane DMZ tier 1220 of FIG. 12 ) that may include a LB subnet 1322 (e.g., LB subnet 1222 of FIG. 12 ), a control plane app tier 1324 (e.g., control plane app tier 1224 of FIG. 12 ) that may include an app subnet 1326 (e.g., app subnet 1226 of FIG. 12 ), and a control plane data tier 1328 (e.g., control plane data tier 1228 of FIG. 12 ) that may include a database (DB) subnet 1330 (e.g., similar to database (DB) subnet 1230 of FIG. 12 ). The LB subnet 1322 included in the control plane DMZ layer 1320 can be communicatively coupled to an app subnet 1326 and an Internet gateway 1334 (e.g., Internet gateway 1234 in FIG. 12 ) included in the control plane app layer 1324, which may be included in the control plane VCN 1316, and the app subnet 1326 can be communicatively coupled to a DB subnet 1330 and a service gateway 1336 (e.g., service gateway in FIG. 12 ) and a network address translation (NAT) gateway 1338 (e.g., NAT gateway 1238 in FIG. 12 ) included in the control plane data layer 1328. The control plane VCN 1316 can include the service gateway 1336 and the NAT gateway 1338.
[0214] The control plane VCN 1316 can include a data plane mirror app layer 1340 (e.g., data plane mirror app layer 1240 of FIG. 12 ), which can include an app subnet 1326. The app subnet 1326 included in the data plane mirror app layer 1340 can include a virtual network interface controller (VNIC) 1342 (e.g., VNIC 1242) on which a compute instance 1344 (e.g., similar to compute instance 1244 of FIG. 12 ) can run. The compute instance 1344 can facilitate communication between the app subnet 1326 of the data plane mirror app layer 1340 and the app subnet 1326, which can be included in the data plane app layer 1346 (e.g., data plane app layer 1246 of FIG. 12 ), via the VNIC 1342 included in the data plane mirror app layer 1340 and the VNIC 1342 included in the data plane app layer 1346.
[0215] The internet gateway 1334 included in the control plane VCN 1316 may be communicatively coupled to a metadata management service 1352 (e.g., metadata management service 1252 of FIG. 12 ), which may be communicatively coupled to the public internet 1354 (e.g., public internet 1254 of FIG. 12 ). The public internet 1354 may be communicatively coupled to a NAT gateway 1338 included in the control plane VCN 1316. The service gateway 1336 included in the control plane VCN 1316 may be communicatively coupled to cloud services 1356 (e.g., cloud services 1256 of FIG. 12 ).
[0216] In some examples, data plane VCN 1318 may be included in customer tenancy 1321. In this case, the IaaS provider may provide a control plane VCN 1316 for each customer, and the IaaS provider may configure a unique compute instance 1344 for each customer that is included in service tenancy 1319. Each compute instance 1344 may enable communication between the control plane VCN 1316 included in service tenancy 1319 and the data plane VCN 1318 included in customer tenancy 1321. The compute instance 1344 may enable resources provisioned in the control plane VCN 1316 included in service tenancy 1319 to be deployed or otherwise used in the data plane VCN 1318 included in customer tenancy 1321.
[0217] In another example, an IaaS provider customer may have a database that resides in the customer's tenancy 1321. In this example, control plane VCN 1316 may include a data plane mirror app tier 1340, which may include app subnet 1326. Data plane mirror app tier 1340 may reside in data plane VCN 1318, but data plane mirror app tier 1340 may not reside in data plane VCN 1318. That is, data plane mirror app tier 1340 may have access to customer tenancy 1321, but data plane mirror app tier 1340 may not reside in data plane VCN 1318 and may not be owned or operated by the IaaS provider customer. Data plane mirror app tier 1340 may be configured to make calls to data plane VCN 1318, but may not be configured to make calls to any entities included in control plane VCN 1316. A customer may desire to deploy or otherwise use resources in the data plane VCN 1318 that have been provisioned in the control plane VCN 1316, and the data plane mirror app layer 1340 can facilitate the desired deployment or other use of the customer's resources.
[0218] In some embodiments, the IaaS provider's customer can apply filters to the data plane VCN 1318. In this embodiment, the customer can determine which data plane VCNs 1318 are accessible, and the customer may restrict access from the data plane VCN 1318 to the public internet 1354. The IaaS provider may not be able to apply filters or otherwise control the data plane VCN 1318's access to any external networks or databases. Applying filters and controls by the customer to the data plane VCN 1318 contained in the customer's tenancy 1321 can help to isolate the data plane VCN 1318 from other customers and from the public internet 1354.
[0219] In some embodiments, cloud services 1356 may be called by service gateway 1336 to access services that may not reside on public internet 1354, control plane VCN 1316, or data plane VCN 1318. The connection between cloud services 1356 and control plane VCN 1316 or data plane VCN 1318 may not be up and running or continuous. Cloud services 1356 may reside on different networks owned or operated by the IaaS provider. Cloud services 1356 may be configured to receive calls from service gateway 1336 and may not be configured to receive calls from public internet 1354. Some cloud services 1356 may be isolated from other cloud services 1356, and control plane VCN 1316 may be isolated from cloud services 1356 that may not be in the same region as control plane VCN 1316. For example, control plane VCN 1316 may be located in "Region 1," and cloud service "deployment 12" may be located in Region 1 and Region 2. If a call to deployment 12 is made by service gateway 1336 included in control plane VCN 1316 located in Region 1, the call may be sent to deployment 12 in Region 1. In this example, control plane VCN 1316, or deployment 12 in Region 1, may not be communicatively coupled to or otherwise in communication with deployment 12 in Region 2.
[0220] 14 is a block diagram 1400 illustrating another example pattern of an IaaS architecture, according to at least one embodiment. A service operator 1402 (e.g., service operator 1202 of FIG. 12 ) may be communicatively coupled to a secure host tenancy 1404 (e.g., secure host tenancy 1204 of FIG. 12 ), which may include a virtual cloud network (VCN) 1406 (e.g., VCN 1206 of FIG. 12 ) and a secure host subnet 1408 (e.g., secure host subnet 1208 of FIG. 12 ). VCN 1406 may include an LPG 1410 (e.g., LPG 1210 of FIG. 12 ), which may be communicatively coupled to an SSH VCN 1412 (e.g., SSH VCN 1212 of FIG. 12 ) via an LPG 1410 included in SSH VCN 1412. SSH VCN 1412 can include SSH subnet 1414 (e.g., SSH subnet 1214 in FIG. 12 ), and SSH VCN 1412 can be communicatively coupled to control plane VCN 1416 (e.g., control plane VCN 1216 in FIG. 12 ) via LPG 1410 included in control plane VCN 1416, and to data plane VCN 1418 (e.g., data plane 1218 in FIG. 12 ) via LPG 1410 included in data plane VCN 1418. Control plane VCN 1416 and data plane VCN 1418 can be included in service tenancy 1419 (e.g., service tenancy 1219 in FIG. 12 ).
[0221] The control plane VCN 1416 may include a control plane DMZ tier 1420 (e.g., control plane DMZ tier 1220 of FIG. 12 ) that may include a load balancer (LB) subnet 1422 (e.g., LB subnet 1222 of FIG. 12 ), a control plane app tier 1424 (e.g., control plane app tier 1224 of FIG. 12 ) that may include an app subnet 1426 (e.g., similar to app subnet 1226 of FIG. 12 ), and a control plane data tier 1428 (e.g., control plane data tier 1228 of FIG. 12 ) that may include a DB subnet 1430. LB subnet 1422 included in control plane DMZ tier 1420 can be communicatively coupled to app subnet 1426 included in control plane app tier 1424, which may be included in control plane VCN 1416, and to an Internet gateway 1434 (e.g., Internet gateway 1234 in FIG. 12 ), and app subnet 1426 can be communicatively coupled to DB subnet 1430 included in control plane data tier 1428, as well as to service gateway 1436 (e.g., service gateway in FIG. 12 ) and network address translation (NAT) gateway 1438 (e.g., NAT gateway 1238 in FIG. 12 ). Control plane VCN 1416 can include service gateway 1436 and NAT gateway 1438.
[0222] Data plane VCN 1418 may include a data plane app layer 1446 (e.g., data plane app layer 1246 in FIG. 12 ), a data plane DMZ layer 1448 (e.g., data plane DMZ layer 1248 in FIG. 12 ), and a data plane data layer 1450 (e.g., data plane data layer 1250 in FIG. 12 ). Data plane DMZ layer 1448 may include a trusted app subnet 1460 and an untrusted app subnet 1462 of data plane app layer 1446 and an LB subnet 1422 that may be communicatively coupled to an Internet gateway 1434 included in data plane VCN 1418. Trusted app subnet 1460 may be communicatively coupled to a service gateway 1436 included in data plane VCN 1418, a NAT gateway 1438 included in data plane VCN 1418, and a DB subnet 1430 included in data plane data layer 1450. The untrusted app subnet 1462 may be communicatively coupled to a service gateway 1436 included in the data plane VCN 1418 and to a DB subnet 1430 included in the data plane data layer 1450. The data plane data layer 1450 may include a DB subnet 1430 that may be communicatively coupled to a service gateway 1436 included in the data plane VCN 1418.
[0223] The untrusted app subnet 1462 may include one or more primary VNICs 1464(1)-(N), which may be communicatively coupled to tenant virtual machines (VMs) 1466(1)-(N). Each tenant VM 1466(1)-(N) may be communicatively coupled to a respective app subnet 1467(1)-(N), which may be included in a respective container egress VCN 1468(1)-(N), which may be included in a respective customer's tenancy 1470(1)-(N). Each secondary VNIC 1472(1)-(N) may facilitate communication between the untrusted app subnet 1462 included in the data plane VCN 1418 and the app subnet included in the container egress VCN 1468(1)-(N). Each container egress VCN 1468(1)-(N) may include a NAT gateway 1438, which may be communicatively coupled to the public internet 1454 (e.g., public internet 1254 in FIG. 12 ).
[0224] An internet gateway 1434 included in the control plane VCN 1416 and included in the data plane VCN 1418 may be communicatively coupled to a metadata management service 1452 (e.g., metadata management system 1252 of FIG. 12 ), which may be communicatively coupled to the public internet 1454. The public internet 1454 may be communicatively coupled to a NAT gateway 1438 included in the control plane VCN 1416 and included in the data plane VCN 1418. A service gateway 1436 included in the control plane VCN 1416 and included in the data plane VCN 1418 may be communicatively coupled to cloud services 1456.
[0225] In some embodiments, data plane VCN 1418 may be integrated with a customer's tenancy 1470. This integration may be useful or desirable for an IaaS provider's customer in some cases, such as when they may want support when executing code. A customer may provide code for execution that may be destructive, may communicate with other customers' resources, or may otherwise cause undesirable effects. In response, the IaaS provider may determine whether to execute the code provided to the IaaS provider by the customer.
[0226] In some examples, a customer of an IaaS provider may grant temporary network access to the IaaS provider and request the ability to connect to the data plane app layer 1446. The code to perform this function may run in VMs 1466(1)-(N), and this code may not be configured to run elsewhere on the data plane VCN 1418. Each VM 1466(1)-(N) may be connected to one customer's tenancy 1470. Each container 1471(1)-(N) contained in a VM 1466(1)-(N) may be configured to run code. In this case, double isolation may exist (e.g., containers 1471(1)-(N) running code may be contained in at least VMs 1466(1)-(N) that are included in untrusted app subnet 1462), which may help prevent incorrect or otherwise unwanted code from causing damage to the IaaS provider's network or to a different customer's network. Containers 1471(1)-(N) may be communicatively coupled to customer tenancy 1470 and may be configured to send or receive data to or from customer tenancy 1470. Containers 1471(1)-(N) may not be configured to send or receive data to or from any other entities in data plane VCN 1418. Upon completion of code execution, the IaaS provider may kill or otherwise destroy containers 1471(1)-(N).
[0227] In some embodiments, trusted app subnet 1460 may execute code that may be owned or operated by the IaaS provider. In this embodiment, trusted app subnet 1460 may be communicatively coupled to DB subnet 1430 and may be configured to perform CRUD operations within DB subnet 1430. Untrusted app subnet 1462 may be communicatively coupled to DB subnet 1430, but in this embodiment, the untrusted app subnet may be configured to perform read operations within DB subnet 1430. Containers 1471(1)-(N) capable of executing code from the customer, which may be included in each customer's VMs 1466(1)-(N), may not be communicatively coupled to DB subnet 1430.
[0228] In other embodiments, the control plane VCN 1416 and the data plane VCN 1418 may not be directly communicatively coupled. In this embodiment, there may not be direct communication between the control plane VCN 1416 and the data plane VCN 1418. However, communication can occur indirectly through at least one method. The LPG 1410 may be established by an IaaS provider and can facilitate communication between the control plane VCN 1416 and the data plane VCN 1418. In another example, the control plane VCN 1416 or the data plane VCN 1418 can make a call to a cloud service 1456 via the service gateway 1436. For example, a call from the control plane VCN 1416 to the cloud service 1456 can include a request for a service that can communicate with the data plane VCN 1418.
[0229] 15 is a block diagram 1500 illustrating another example pattern of an IaaS architecture, according to at least one embodiment. A service operator 1502 (e.g., service operator 1202 of FIG. 12 ) may be communicatively coupled to a secure host tenancy 1504 (e.g., secure host tenancy 1204 of FIG. 12 ), which may include a virtual cloud network (VCN) 1506 (e.g., VCN 1206 of FIG. 12 ) and a secure host subnet 1508 (e.g., secure host subnet 1208 of FIG. 12 ). VCN 1506 may include an LPG 1510 (e.g., LPG 1210 of FIG. 12 ), which may be communicatively coupled to an SSH VCN 1512 (e.g., SSH VCN 1212 of FIG. 12 ) via an LPG 1510 included in SSH VCN 1512. SSH VCN 1512 can include SSH subnet 1514 (e.g., SSH subnet 1214 in FIG. 12 ), and SSH VCN 1512 can be communicatively coupled to control plane VCN 1516 (e.g., control plane VCN 1216 in FIG. 12 ) via LPG 1510 included in control plane VCN 1516, and to data plane VCN 1518 (e.g., data plane 1218 in FIG. 12 ) via LPG 1510 included in data plane VCN 1518. Control plane VCN 1516 and data plane VCN 1518 can be included in service tenancy 1519 (e.g., service tenancy 1219 in FIG. 12 ).
[0230] The control plane VCN 1516 may include a control plane DMZ layer 1520 (e.g., control plane DMZ layer 1220 of FIG. 12 ) that may include a LB subnet 1522 (e.g., LB subnet 1222 of FIG. 12 ), a control plane app layer 1524 (e.g., control plane app layer 1224 of FIG. 12 ) that may include an app subnet 1526 (e.g., app subnet 1226 of FIG. 12 ), and a control plane data layer 1528 (e.g., control plane data layer 1228 of FIG. 12 ) that may include a DB subnet 1530 (e.g., DB subnet 1430 of FIG. 14 ). The LB subnet 1522 included in the control plane DMZ layer 1520 can be communicatively coupled to an app subnet 1526 included in a control plane app layer 1524 that may be included in the control plane VCN 1516, and to an Internet gateway 1534 (e.g., Internet gateway 1234 in FIG. 12 ), and the app subnet 1526 can be communicatively coupled to a DB subnet 1530 included in a control plane data layer 1528, as well as to a service gateway 1536 (e.g., service gateway in FIG. 12 ) and a network address translation (NAT) gateway 1538 (e.g., NAT gateway 1238 in FIG. 12 ). The control plane VCN 1516 can include the service gateway 1536 and the NAT gateway 1538.
[0231] Data plane VCN 1518 may include a data plane app layer 1546 (e.g., data plane app layer 1246 in FIG. 12 ), a data plane DMZ layer 1548 (e.g., data plane DMZ layer 1248 in FIG. 12 ), and a data plane data layer 1550 (e.g., data plane data layer 1250 in FIG. 12 ). Data plane DMZ layer 1548 may include trusted app subnet 1560 (e.g., trusted app subnet 1460 in FIG. 14 ) and untrusted app subnet 1562 (e.g., untrusted app subnet 1462 in FIG. 14 ) of data plane app layer 1546, as well as LB subnet 1522, which may be communicatively coupled to an Internet gateway 1534 included in data plane VCN 1518. The trusted app subnet 1560 may be communicatively coupled to a service gateway 1536 included in the data plane VCN 1518, a NAT gateway 1538 included in the data plane VCN 1518, and a DB subnet 1530 included in the data plane data layer 1550. The untrusted app subnet 1562 may be communicatively coupled to the service gateway 1536 included in the data plane VCN 1518 and the DB subnet 1530 included in the data plane data layer 1550. The data plane data layer 1550 may include a DB subnet 1530 that may be communicatively coupled to the service gateway 1536 included in the data plane VCN 1518.
[0232] The untrusted app subnet 1562 may include primary VNICs 1564(1)-(N), which may be communicatively coupled to tenant virtual machines (VMs) 1566(1)-(N) residing in the untrusted app subnet 1562. Each tenant VM 1566(1)-(N) may execute code in a respective container 1567(1)-(N) and may be communicatively coupled to an app subnet 1526, which may be included in a data plane app layer 1546, which may be included in a container egress VCN 1568. Each secondary VNIC 1572(1)-(N) may facilitate communication between the untrusted app subnet 1562, which is included in the data plane VCN 1518, and the app subnet included in the container egress VCN 1568. The container egress VCN may include a NAT gateway 1538, which may be communicatively coupled to the public internet 1554 (e.g., public internet 1254 in FIG. 12 ).
[0233] An internet gateway 1534 included in the control plane VCN 1516 and included in the data plane VCN 1518 may be communicatively coupled to a metadata management service 1552 (e.g., metadata management system 1252 of FIG. 12 ), which may be communicatively coupled to the public internet 1554. The public internet 1554 may be communicatively coupled to a NAT gateway 1538 included in the control plane VCN 1516 and included in the data plane VCN 1518. A service gateway 1536 included in the control plane VCN 1516 and included in the data plane VCN 1518 may be communicatively coupled to cloud services 1556.
[0234] In some examples, the pattern illustrated by the architecture of block diagram 1500 in FIG. 15 may be considered an exception to the pattern illustrated by the architecture of block diagram 1400 in FIG. 14 and may be desirable for an IaaS provider's customers when the IaaS provider cannot communicate directly with the customer (e.g., in a disconnected region). Each container 1567(1)-(N) contained in a VM 1566(1)-(N) per customer may be accessed by the customer in real time. The containers 1567(1)-(N) may be configured to make calls to each secondary VNIC 1572(1)-(N) contained in the app subnet 1526 of the data plane app tier 1546, which may be contained in a container egress VCN 1568. The secondary VNICs 1572(1)-(N) may send the calls to a NAT gateway 1538, which may send the calls to the public Internet 1554. In this example, containers 1567(1)-(N) that may be accessed in real time by customers may be isolated from control plane VCN 1516 and may be isolated from other entities included in data plane VCN 1518. Containers 1567(1)-(N) may be isolated from other customer resources.
[0235] In another example, a customer can invoke cloud service 1556 using container 1567(1)-(N). In this example, the customer may execute code in container 1567(1)-(N) that requests a service from cloud service 1556. Container 1567(1)-(N) can send the request to secondary VNICs 1572(1)-(N), which can send the request to a NAT gateway, which can send the request to public internet 1554. Public internet 1554 can send the request via internet gateway 1534 to LB subnet 1522, which is included in control plane VCN 1516. In response to determining that the request is valid, LB subnet 1526 can send the request to app subnet 1526, which can send the request to cloud service 1556 via service gateway 1536.
[0236] It should be understood that the IaaS architectures 1200, 1300, 1400, 1500 depicted in the figures may include components other than those depicted. Additionally, the depicted embodiments are merely some examples of cloud infrastructure systems that may incorporate embodiments of the present disclosure. In some other embodiments, the IaaS systems may include more or fewer components than those depicted in the figures, may combine two or more components, or may have a different configuration or arrangement of components.
[0237] In one embodiment, the IaaS system described herein may include a suite of application, middleware, and database service offerings delivered to customers in a self-service, subscription-based, elastically scalable, reliable, highly available, and secure manner. An example of such an IaaS system is Oracle Cloud Infrastructure (OCI), offered by the present assignee.
[0238] 16 illustrates an exemplary computer system 1600 upon which various embodiments may be implemented. System 1600 may be used to implement any of the computer systems described above. As shown, computer system 1600 includes a processing unit 1604 that communicates with multiple peripheral subsystems via a bus subsystem 1602. These peripheral subsystems may include a processing acceleration unit 1606, an I / O subsystem 1608, a storage subsystem 1618, and a communication subsystem 1624. Storage subsystem 1618 includes a tangible computer-readable storage medium 1622 and a system memory 1610.
[0239] Bus subsystem 1602 provides a mechanism for allowing the various components and subsystems of computer system 1600 to communicate with each other as intended. While bus subsystem 1602 is shown schematically as a single bus, alternative embodiments of the bus subsystem may utilize multiple buses. Bus subsystem 1602 may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. For example, such architectures may include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus, which may be implemented as a mezzanine bus manufactured to the IEEE P1386.1 standard.
[0240] Processing unit 1604, which may be implemented as one or more integrated circuits (e.g., conventional microprocessors or microcontrollers), controls the operation of computer system 1600. One or more processors may be included in processing unit 1604. These processors may include single-core or multi-core processors. In one embodiment, processing unit 1604 may be implemented as one or more independent processing units 1632 and / or 1634, with a single-core or multi-core processor included in each processing unit. In other embodiments, processing unit 1604 may be implemented as a quad-core processing unit formed by integrating two dual-core processors into a single chip.
[0241] In various embodiments, processing unit 1604 may execute various programs in response to program code and may maintain multiple simultaneously executing programs or processes. At any particular time, some or all of the program code being executed may reside on processor 1604 and / or on storage subsystem 1618. With appropriate programming, processor 1604 may provide the various functions discussed above. Computer system 1600 may further include a processing acceleration unit 1606, which may include a digital signal processor (DSP), a special purpose processor, and / or the like.
[0242] The I / O subsystem 1608 may include user interface input devices and user interface output devices. User interface input devices may include a keyboard, a pointing device such as a mouse or trackball, a touchpad or touchscreen integrated into a display, a scroll wheel, a click wheel, a dial, buttons, switches, a keypad, a voice input device with a voice command recognition system, a microphone, and other types of input devices. User interface input devices may include, for example, a motion detection device and / or gesture recognition device, such as a Microsoft Kinect® motion sensor, which allows a user to control and interact with an input device, such as a Microsoft Xbox® 360 game controller, through a natural user interface using gestures and spoken commands. User interface input devices may also include an eye gesture recognition device, such as a Google Glass® blink detector, which detects a user's eye activity (e.g., "blinking" when taking a photo and / or selecting a menu) and translates the eye gesture as input to an input device (e.g., Google Glass®). Additionally, the user interface input devices may include a voice recognition detection device that allows a user to interact with a voice recognition system (e.g., Siri® Navigator) via voice commands.
[0243] User interface input devices may include, but are not limited to, three-dimensional (3D) mice, joysticks or pointing sticks, gamepads, and graphic tablets, as well as audio / visual devices such as speakers, digital cameras, digital video cameras, portable media players, webcams, image scanners, fingerprint scanners, barcode reader 3D scanners, 3D printers, laser range finders, and eye-tracking devices. Additionally, user interface input devices may include medical imaging input devices such as, for example, computed tomography, magnetic resonance imaging, position emission tomography, and medical ultrasound devices. User interface input devices may also include audio input devices such as, for example, MIDI keyboards, digital musical instruments, and the like.
[0244] User interface output devices may include non-visual displays such as a display subsystem, indicator lights, or audio output devices. The display subsystem may be a flat-panel device, such as a flat-panel device using a cathode ray tube (CRT), a liquid crystal display (LCD), or a plasma display, a projection device, a touch screen, or the like. In general, use of the term "output device" is intended to include all possible types of devices and mechanisms for outputting information from computer system 1600 to a user or to another computer. For example, user interface output devices may include, but are not limited to, various display devices that visually convey textual, graphical, and audio / video information, such as monitors, printers, speakers, headphones, navigation systems, plotters, audio output devices, and modems.
[0245] Computer system 1600 may include a storage subsystem 1618 that includes the software elements shown as presently residing in system memory 1610. System memory 1610 may store program instructions readable and executable by processing unit 1604, as well as data generated during the execution of these programs.
[0246] Depending on the configuration and type of computer system 1600, the system memory 1610 may be volatile (such as random-access memory (RAM)) and / or non-volatile (such as read-only memory (ROM), flash memory, etc.). RAM typically contains data and / or program modules that are immediately accessible to and / or presently being operated on and executed by the processing unit 1604. In some implementations, the system memory 1610 may include several different types of memory, such as static random-access memory (SRAM) or dynamic random-access memory (DRAM). In some implementations, the basic input / output system (BIOS), containing the basic routines that help to transfer information between elements within the computer system 1600, such as during start-up, may typically be stored in ROM. By way of example and not limitation, system memory 1610 also illustrates application programs 1612, program data 1614, and operating system 1616, which may include client applications, web browsers, mid-tier applications, relational database management systems (RDBMS), and the like.Examples of operating system 1616 may include various versions of Microsoft Windows®, Apple Macintosh®, and / or Linux operating systems, various commercially available UNIX® or UNIX-like operating systems (including, but not limited to, various GNU / Linux operating systems, Google Chrome® OS, etc.), and / or mobile operating systems such as iOS, Windows® Phone, Android® OS, BlackBerry® 16 OS, and Palm® OS operating systems.
[0247] The storage subsystem 1618 may provide a tangible, computer-readable storage medium for storing the basic programming and data constructs that provide the functionality of some embodiments. Software (programs, code modules, instructions) that, when executed by a processor, provide the aforementioned functionality may be stored in the storage subsystem 1618. These software modules or instructions may be executed by the processing unit 1604. The storage subsystem 1618 may provide a repository for storing data used in accordance with the present disclosure.
[0248] Storage subsystem 1600 may include computer-readable storage medium reader 1620, which may further be connected to computer-readable storage medium 1622. In combination with system memory 1610, and together, optionally, computer-readable storage medium 1622 may comprehensively represent remote, local, fixed, and / or removable storage media as well as storage media for temporarily and / or more permanently containing, storing, transmitting, and retrieving computer-readable information.
[0249] The computer-readable storage medium 1622 containing the code or portions of code may include any suitable medium known or used in the art, including storage and communication media, such as, but not limited to, volatile and nonvolatile, removable and non-removable media, implemented in any manner or technology for storing and / or transmitting information. The computer-readable storage medium may include tangible computer-readable storage media, such as RAM, ROM, electronically erasable programmable ROM (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disk (DVD), or other optical storage, magnetic cassette, magnetic tape, magnetic disk storage, or other magnetic storage devices, or other tangible computer-readable media. The computer-readable storage medium may also include non-tangible computer-readable media, such as a data signal, data transmission, or any other medium that can be used to transmit the desired information and that can be accessed by computing system 1600.
[0250] By way of example, computer-readable storage medium 1622 may include a hard disk drive that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive that reads from or writes to removable, nonvolatile magnetic disks, and an optical disk drive that reads from or writes to removable, nonvolatile optical disks, such as CD-ROMs, DVDs, and Blu-ray disks or other optical media. Computer-readable storage medium 1622 may include, but is not limited to, Zip drives, flash memory cards, universal serial bus (USB) flash drives, secure digital (SD) cards, DVD disks, digital video tapes, and the like. The computer-readable storage media 1622 may include solid-state drives (SSDs) based on non-volatile memory such as flash memory-based SSDs, enterprise flash drives, semiconductor ROM, volatile memory-based SSDs such as semiconductor RAM, dynamic RAM, static RAM, DRAM-based SSDs, magneto-resistive RAM (MRAM) SSDs, and hybrid SSDs that use a combination of DRAM and flash memory-based SSDs. Disk drives and associated computer-readable media may provide non-volatile storage of computer-readable instructions, data structures, program modules, and other data for the computer system 1600.
[0251] The communications subsystem 1624 provides an interface to other computer systems and networks. The communications subsystem 1624 serves as an interface for receiving data from and transmitting data to other systems in the computer system 1600. For example, the communications subsystem 1624 may enable the computer system 1600 to connect to one or more devices via the Internet. In some embodiments, the communications subsystem 1624 may include radio frequency (RF) transceiver components for accessing wireless voice and / or data networks (e.g., using cellular technology, advanced data network technologies such as 3G, 4G, or EDGE (enhanced data rates for global evolution), Wi-Fi (using the IEEE 802.11 family of standards, or other mobile communications technologies, or any combination thereof), global positioning system (GPS) receiver components, and / or other components. In some embodiments, the communications subsystem 1624 may provide a wired network connection (e.g., Ethernet) in addition to or instead of a wireless interface.
[0252] In some embodiments, the communications subsystem 1624 may receive incoming communications in the form of structured and / or unstructured data feeds 1626, event streams 1628, event updates 1630, etc., on behalf of one or more users who may use the computer system 1600.
[0253] By way of example, the communications subsystem 1624 may be configured to receive data feeds 1626 in real time from users of social networks and / or other communications services, such as Twitter® feeds, Facebook® updates, web feeds, such as Rich Site Summary (RSS) feeds, and / or real-time updates from one or more third-party sources.
[0254] Additionally, the communications subsystem 1624 may be configured to receive data in the form of a continuous data stream, which may include an event stream 1628 of real-time events and / or event updates 1630 that may have no explicit end, be continuous in nature, or be boundless. Examples of applications that generate continuous data may include, for example, sensor data applications, financial tickers, network performance measurement tools (e.g., network monitoring and traffic management applications), clickstream analysis tools, automobile traffic monitoring, etc.
[0255] The communications subsystem 1624 may be configured to output structured and / or unstructured data feeds 1626, event streams 1628, event updates 1630, etc. to one or more databases that can communicate with one or more streaming data source computers coupled to the computer system 1600.
[0256] The computer system 1600 can be one of a variety of types, including a handheld portable device (e.g., an iPhone® mobile phone, an iPad® computing tablet, a PDA), a wearable device (e.g., a Google Glass® head-mounted display), a PC, a workstation, a mainframe, a ticket machine, a server rack, or any other data processing system.
[0257] Due to the ever-changing nature of computers and networks, the description of computer system 1600 shown in the figure is intended to be a specific example only. Many other configurations are possible, including more or fewer components than the system shown in the figure. For example, customized hardware may be used, and / or particular elements may be implemented in hardware, firmware, software (including applets), or a combination thereof. Furthermore, connections to other computing devices, such as network input / output devices, may be employed. Based on the disclosure and teachings provided herein, those skilled in the art will appreciate other ways and / or manners for implementing the various embodiments.
[0258] While specific embodiments have been described, various modifications, variations, alternative constructions, and equivalents are encompassed within the scope of the present disclosure. The embodiments are not limited to operation in one particular data processing environment, but can freely operate in multiple data processing environments. Furthermore, while the embodiments have been described using a particular sequence of transactions and steps, it should be apparent to those skilled in the art that the scope of the present disclosure is not limited to the sequence of transactions and steps described. Various features and aspects of the above-described embodiments may be used individually or together.
[0259] Furthermore, while embodiments have been described using particular combinations of hardware and software, it should be recognized that other combinations of hardware and software are within the scope of the present disclosure. Embodiments may be implemented exclusively in hardware, exclusively in software, or using a combination thereof. Various processes described herein may be performed on the same processor or on different processors in any combination. Thus, when a component or module is described as being configured to perform an operation, such configuration may be realized, for example, by designing electronic circuitry to perform the operation, by programming a programmable electronic circuit (such as a microprocessor) to perform the operation, or by any combination thereof. Processes may communicate using various techniques, including, but not limited to, conventional techniques for inter-process communication; different pairs of processes may use different techniques, or the same pair of processes may use different techniques at different times.
[0260] Accordingly, the specification and drawings should be regarded in an illustrative, rather than a limiting sense. However, it will be apparent that additions, subtractions, deletions, and other modifications and changes may be made to the specification and drawings without departing from the broader spirit and scope as set forth in the claims. Accordingly, while particular disclosed embodiments have been described, they are not intended to be limiting. Various modifications and equivalents are within the scope of the appended claims.
[0261] The use of the terms "a," "an," and "the" and similar referents in the context of describing the disclosed embodiments (particularly in the context of the appended claims) should be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The terms "comprising," "having," "including," and "containing" should be construed as open-ended (i.e., meaning "including, but not limited to"), unless otherwise noted. The term "connected" should be construed as partially or fully contained within, connected to, or joined together, even if there is something intervening. The recitation of ranges of values herein is merely intended to serve as a shorthand method of individually referring to each separate value included in the range, unless otherwise indicated herein, and each separate value is incorporated herein as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. Any and all examples provided herein, or the use of exemplary language (e.g., "etc.") are intended merely to better clarify the embodiments and do not impose limitations on the scope of the disclosure unless specifically claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the disclosure.
[0262] Disjunctive language, such as the phrase "at least one of X, Y, or Z," is generally intended to be understood within the context as being used to state that an item, condition, etc. may be either X, Y, or Z, or any combination thereof (e.g., X, Y, and / or Z), unless expressly stated otherwise. Thus, such disjunctive language is generally not intended to, and should not, imply that an embodiment requires that at least one of X, at least one of Y, or at least one of Z, respectively, be present.
[0263] Preferred embodiments of the present disclosure are described herein, including the best mode known for carrying out the disclosure. Variations of such preferred embodiments may become apparent to those skilled in the art upon reading the foregoing description. Those skilled in the art will be able to adopt such variations as appropriate, and the present disclosure may be practiced other than as specifically described herein. Accordingly, this disclosure includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, any combination of the above-described elements in all possible variations of the embodiments is encompassed by the present disclosure, unless otherwise indicated herein.
[0264] All references cited herein, including publications, patent applications, and patents, are incorporated by reference herein to the same extent as if each reference were individually and specifically indicated as incorporated by reference and were set forth herein in its entirety. While the foregoing specification has described aspects of the present disclosure with reference to specific embodiments herein, those skilled in the art will recognize that the present disclosure is not limited thereto. Various features and aspects of the foregoing disclosure may be used individually or together. Furthermore, embodiments may be utilized in any number of environments and applications beyond those described herein without departing from the broader spirit and scope of the present specification. Accordingly, the specification and drawings should be considered illustrative and not restrictive.
Claims
1. It is a method, The multi-cloud infrastructure included in the first cloud environment receives requests from users associated with accounts in the second cloud environment, and the requests correspond to the deployment of resources in the tenancy associated with the user in the first cloud environment. The method further includes the multi-cloud infrastructure verifying the user's validity based on a token included in the request, the token being generated by the identity system of the second cloud environment. In response to the successful validation of the aforementioned user, The method further includes retrieving a linked resource object previously created for the user, the linked resource object containing information linking the tenancy associated with the user in the first cloud environment to the account associated with the user in the second cloud environment. The method further comprises deploying the multi-cloud infrastructure to the tenancy associated with the user in the first cloud environment.
2. The aforementioned validation is, Decrypting the aforementioned request and extracting the aforementioned token, Based on the aforementioned token, obtain the role associated with the user in the second cloud environment, Based on the role, determine whether the user is permitted to issue the request, The method according to claim 1, further comprising deploying the resources based on the success of the determination.
3. The method according to claim 1, wherein the request is signed using a private key associated with the identity system, and the request is decrypted using a public key associated with the identity system in the second cloud environment.
4. The method according to claim 1, further comprising the multi-cloud infrastructure sending a notification to the user indicating the status of the deployment in response to successfully deploying the resource to the tenancy associated with the user in the first cloud environment.
5. The method according to claim 1, further comprising deploying a multicloud service account to the second cloud environment, wherein the multicloud service account is configured to access the user's account in the second cloud environment.
6. The observability adapter included in the multi-cloud infrastructure obtains authentication information associated with the multi-cloud service account in the second cloud environment, The observability adapter acquires a role based on the authentication information, The method according to claim 5, further comprising the observability adapter accessing the monitoring module in the user's account in the second cloud environment in accordance with the role.
7. The method according to claim 6, further comprising the observability adapter included in the multi-cloud infrastructure transmitting metrics associated with the performance of the resources deployed in the tenancy included in the first cloud environment to the monitoring module.
8. The method according to claim 1, wherein the resource deployed to the tenancy of the first cloud environment is one of an exadatabase, a shared autonomous database, a dedicated autonomous database, or a virtual machine database.
9. A program for causing one or more processors to perform the method according to any one of claims 1 to 8.
10. One or more processors, A computing device comprising memory containing instructions, wherein, when the instructions are executed using one or more processors, the computing device receives at least, The multi-cloud infrastructure included in the first cloud environment is configured to receive requests from users associated with accounts in the second cloud environment, and these requests correspond to the deployment of resources in the tenancy associated with the user in the first cloud environment. The multi-cloud infrastructure further verifies the validity of the user based on the token included in the request, the token being generated by the identity system of the second cloud environment. In response to the successful validation of the aforementioned user, Further, retrieve a linked resource object previously created for the user, the linked resource object containing information linking the tenancy associated with the user in the first cloud environment to the account associated with the user in the second cloud environment. A computing device that, through the multi-cloud infrastructure, further enables the deployment of the resources to the tenancy associated with the user in the first cloud environment.
11. The one or more processors described above are Decrypting the aforementioned request and extracting the aforementioned token, Based on the aforementioned token, obtain the role associated with the user in the second cloud environment, Based on the role, determine whether the user is permitted to issue the request, The computing device according to claim 10, further configured to perform the deployment of the resources based on the success of the determination.
12. The computing device according to claim 10 or 11, wherein the request is signed using a private key associated with the user, and the request is decrypted using a public key associated with an access control module of the second cloud environment.
13. The computing device according to claim 10 or 11, further comprising the multi-cloud infrastructure sending a notification to the user indicating the status of the deployment in response to the successful deployment of the resource to the tenancy associated with the user in the first cloud environment.
14. The one or more processors described above are The computing device according to claim 10 or 11, further configured to deploy a multi-cloud service account to the second cloud environment, wherein the multi-cloud service account is configured to access the user's account in the second cloud environment.