US2021185093A1PendingUtilityA1
Fine grained network security
Est. expiryMay 30, 2038(~11.9 yrs left)· nominal 20-yr term from priority
H04L 41/0893H04L 41/0897H04L 41/0894H04L 41/0895H04L 41/40H04L 63/20H04L 67/10H04L 63/104G06F 2009/45587G06F 9/45558H04L 41/0816H04L 63/1425H04L 41/046H04L 41/0806H04L 43/026H04L 63/1441
51
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
One or more security groups associated with a cloud provider are determined. One or more network polices associated with a container-orchestrator system are determined. One or more network security policies are generated based on the one or more determined security groups associated with the cloud provider and the one or more determined network policies associated with the container. The one or more network security policies are distributed to one or more VM instances of a cloud network. The one or more VM instances are configured to enforce network security based on the one or more network security policies.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method, comprising:
analyzing flow data received from a first application pod; and permitting traffic between the first application pod and a second application pod based on whether communications is permitted between the first application pod and the second application pod and whether communications is permitted a first virtual machine hosting the first application pod and a second virtual machine hosting the second application pod.
2 . The method of claim 1 , further comprising receiving the flow data.
3 . The method of claim 1 , wherein the flow data includes one or more of a source internet protocol (IP) address, a source port, a destination IP address, a destination port, and a protocol.
4 . The method of claim 1 , further comprising determining whether communications is permitted between the first application pod and the second application pod.
5 . The method of claim 4 , wherein communications is determined to permitted between the first application pod and the second application pod based on label associated with the first application pod and the second application pod.
6 . The method of claim 4 , wherein communications is determined to permitted between the first application pod and the second application pod based on a security group associated with the first application pod and the second application pod.
7 . The method of claim 4 , wherein communications is determined to permitted between the first application pod and the second application pod based on a rule associated with the first application pod and the second application pod.
8 . The method of claim 1 , wherein traffic between the first application pod and the second application pod is permitted in the event communications between the first application pod and the second application pod is permitted and communications between a first virtual machine hosting the first application pod and a second virtual machine hosting the second application pod is permitted.
9 . The method of claim 1 , wherein traffic between the first application pod and the second application pod is not permitted in the event communications between the first application pod and the second application pod is not permitted.
10 . The method of claim 1 , wherein traffic between the first application pod and the second application pod is permitted in the event communications between the first application pod and the second application pod is permitted, the first application pod and the second application pod have a same label, the first virtual machine and the second virtual machine are not part of the same security group, and communications between the first virtual machine hosting the first application pod and the second virtual machine hosting the second application pod is not permitted.
11 . A system, comprising:
a processor configured to:
analyze flow data received from a first application pod; and
permit traffic between the first application pod and a second application based on whether communications is permitted between the first application pod and the second application pod and whether communications is permitted a first virtual machine hosting the first application pod and a second virtual machine hosting the second application pod; and
a memory coupled to the processor and configured to provide the processor with instructions.
12 . The system of claim 11 , wherein the processor is further configured to receive the flow data.
13 . The system of claim 11 , wherein the flow data includes one or more of a source IP address, a source port, a destination IP address, a destination port, and a protocol.
14 . The system of claim 11 , wherein the processor is further configured to determine whether communications is permitted between the first application pod and the second application pod.
15 . The system of claim 14 , wherein communications is determined to permitted between the first application pod and the second application pod based on label associated with the first application pod and the second application pod.
16 . The system of claim 14 , wherein communications is determined to permitted between the first application pod and the second application pod based on a security group associated with the first application pod and the second application pod.
17 . The system of claim 14 , wherein communications is determined to permitted between the first application pod and the second application pod based on a rule associated with the first application pod and the second application pod.
18 . A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for:
analyzing flow data received from a first application pod; and permitting traffic between the first application pod and a second application based on whether communications is permitted between the first application pod and the second application pod and whether communications is permitted a first virtual machine hosting the first application pod and a second virtual machine hosting the second application pod.
19 . The computer program product of claim 18 , further comprising instructions for determining whether communications is permitted between the first application pod and the second application pod.
20 . The computer program product of claim 18 , wherein the flow data includes one or more of a source internet protocol (IP) address, a source port, a destination IP address, a destination port, and a protocol.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.