US2021185093A1PendingUtilityA1

Fine grained network security

51
Assignee: TIGERA INCPriority: May 30, 2018Filed: Mar 2, 2021Published: Jun 17, 2021
Est. expiryMay 30, 2038(~11.9 yrs left)· nominal 20-yr term from priority
H04L 41/0893H04L 41/0897H04L 41/0894H04L 41/0895H04L 41/40H04L 63/20H04L 67/10H04L 63/104G06F 2009/45587G06F 9/45558H04L 41/0816H04L 63/1425H04L 41/046H04L 41/0806H04L 43/026H04L 63/1441
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

One or more security groups associated with a cloud provider are determined. One or more network polices associated with a container-orchestrator system are determined. One or more network security policies are generated based on the one or more determined security groups associated with the cloud provider and the one or more determined network policies associated with the container. The one or more network security policies are distributed to one or more VM instances of a cloud network. The one or more VM instances are configured to enforce network security based on the one or more network security policies.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method, comprising:
 analyzing flow data received from a first application pod; and   permitting traffic between the first application pod and a second application pod based on whether communications is permitted between the first application pod and the second application pod and whether communications is permitted a first virtual machine hosting the first application pod and a second virtual machine hosting the second application pod.   
     
     
         2 . The method of  claim 1 , further comprising receiving the flow data. 
     
     
         3 . The method of  claim 1 , wherein the flow data includes one or more of a source internet protocol (IP) address, a source port, a destination IP address, a destination port, and a protocol. 
     
     
         4 . The method of  claim 1 , further comprising determining whether communications is permitted between the first application pod and the second application pod. 
     
     
         5 . The method of  claim 4 , wherein communications is determined to permitted between the first application pod and the second application pod based on label associated with the first application pod and the second application pod. 
     
     
         6 . The method of  claim 4 , wherein communications is determined to permitted between the first application pod and the second application pod based on a security group associated with the first application pod and the second application pod. 
     
     
         7 . The method of  claim 4 , wherein communications is determined to permitted between the first application pod and the second application pod based on a rule associated with the first application pod and the second application pod. 
     
     
         8 . The method of  claim 1 , wherein traffic between the first application pod and the second application pod is permitted in the event communications between the first application pod and the second application pod is permitted and communications between a first virtual machine hosting the first application pod and a second virtual machine hosting the second application pod is permitted. 
     
     
         9 . The method of  claim 1 , wherein traffic between the first application pod and the second application pod is not permitted in the event communications between the first application pod and the second application pod is not permitted. 
     
     
         10 . The method of  claim 1 , wherein traffic between the first application pod and the second application pod is permitted in the event communications between the first application pod and the second application pod is permitted, the first application pod and the second application pod have a same label, the first virtual machine and the second virtual machine are not part of the same security group, and communications between the first virtual machine hosting the first application pod and the second virtual machine hosting the second application pod is not permitted. 
     
     
         11 . A system, comprising:
 a processor configured to:
 analyze flow data received from a first application pod; and 
 permit traffic between the first application pod and a second application based on whether communications is permitted between the first application pod and the second application pod and whether communications is permitted a first virtual machine hosting the first application pod and a second virtual machine hosting the second application pod; and 
   a memory coupled to the processor and configured to provide the processor with instructions.   
     
     
         12 . The system of  claim 11 , wherein the processor is further configured to receive the flow data. 
     
     
         13 . The system of  claim 11 , wherein the flow data includes one or more of a source IP address, a source port, a destination IP address, a destination port, and a protocol. 
     
     
         14 . The system of  claim 11 , wherein the processor is further configured to determine whether communications is permitted between the first application pod and the second application pod. 
     
     
         15 . The system of  claim 14 , wherein communications is determined to permitted between the first application pod and the second application pod based on label associated with the first application pod and the second application pod. 
     
     
         16 . The system of  claim 14 , wherein communications is determined to permitted between the first application pod and the second application pod based on a security group associated with the first application pod and the second application pod. 
     
     
         17 . The system of  claim 14 , wherein communications is determined to permitted between the first application pod and the second application pod based on a rule associated with the first application pod and the second application pod. 
     
     
         18 . A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for:
 analyzing flow data received from a first application pod; and   permitting traffic between the first application pod and a second application based on whether communications is permitted between the first application pod and the second application pod and whether communications is permitted a first virtual machine hosting the first application pod and a second virtual machine hosting the second application pod.   
     
     
         19 . The computer program product of  claim 18 , further comprising instructions for determining whether communications is permitted between the first application pod and the second application pod. 
     
     
         20 . The computer program product of  claim 18 , wherein the flow data includes one or more of a source internet protocol (IP) address, a source port, a destination IP address, a destination port, and a protocol.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.