HK1167533B - Providing virtual networks using multi-tenant relays - Google Patents


Info

Publication number: HK1167533B
Authority: HK (Hong Kong)
Prior art keywords: tenant, computer system, data, relay service, routing
Application number: HK12108033.8A
Other languages: Chinese (zh)
Other versions: HK1167533A1 (en)
Inventors: G.H.奥斯莱德, H.S.阿尔哈提布
Original assignee: 微软技术许可有限责任公司
Priority claimed from US12/889,283 (US8935427B2)
Application filed by 微软技术许可有限责任公司
Publication of HK1167533A1
Publication of HK1167533B


Description

Providing virtual networks using multi-tenant relays
Technical Field
The present invention relates to providing multi-tenant relay services, and more particularly, to providing virtual networks using multi-tenant relays.
Background
Computers have become highly integrated in work, homes, mobile devices, and many other places. Computers can process large amounts of information quickly and efficiently. Software applications designed to run on computer systems allow users to perform a wide variety of functions including business applications, school assignments, entertainment, and the like. Software applications are typically designed to perform specific tasks, such as word processor applications for drafting documents or email programs for sending, receiving and organizing emails.
In many cases, software applications are designed to interact with other software applications or other computer systems. For example, a client computer system may be configured to request a service from a service provider. A service provider may receive requests from various clients and provide services in response to the requests. Providing services may include transferring various communications between the provider and client computer systems. Typically, these computer systems are on different computer networks that are separated or blocked by various hardware or software devices, such as routers and firewalls.
In some cases, a Virtual Private Network (VPN), relay, or other secure communication channel may be established between computer systems on separate networks. However, relays are typically either organization specific or public, which allows access to any user, including potentially harmful users.
Disclosure of Invention
Embodiments described herein relate to providing a multi-tenant relay service that securely relays data between computer systems. In one embodiment, a computer system receives a portion of data to be transferred from a first computer system belonging to a first tenant to a different second computer system. An instantiated multi-tenant relay service is configured to securely relay data for a plurality of different tenants. The computer system creates a secure routing channel for routing the data of the first tenant between the first computer system and the second computer system. The secure routing channel applies a unique identifier to each portion of the data received from the first tenant. The computer system also routes the received data from the first computer system to the second computer system through the secure routing channel using the applied unique identifier.
In another embodiment, a computer system receives a portion of data to be transferred from a first computer system to a different second computer system. The instantiated multi-tenant relay service is configured to relay data for a plurality of different tenants. The computer system creates a secure routing channel for routing the data between the first computer system and the second computer system. The secure routing channel provides a unique identifier to each portion of the data received from the first tenant. The computer system determines which of a variety of different network protocols are available for routing the received data, and dynamically selects an appropriate protocol that optimizes data transfer efficiency based on the determination of which network protocols are available. The computer system also routes the received data from the first computer system to the second computer system using the determined protocol. The data is routed through the secure routing channel using the applied unique identifier.
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the principles herein. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. Features of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth hereinafter.
Drawings
To further clarify the above and other advantages and features of embodiments of the present invention, a more particular description of embodiments of the present invention will be rendered by reference to the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:
FIG. 1 illustrates a computer architecture in which embodiments of the invention may operate, including providing a multi-tenant relay service that securely relays data between computer systems.
FIG. 2 illustrates a flow diagram of an example method for providing a multi-tenant relay service that securely relays data between computer systems.
FIG. 3 illustrates a flow diagram of an alternative example method for providing a multi-tenant relay service that securely relays data between computer systems.
FIG. 4 illustrates an embodiment of the invention in which communications from multiple tenants are securely routed through secure routing channels.
Detailed Description
Embodiments described herein relate to providing a multi-tenant relay service that securely relays data between computer systems that cannot directly route secure connections between each other. In one embodiment, a computer system receives a portion of data to be transferred from a first computer system belonging to a first tenant to a different second computer system. An instantiated multi-tenant relay service is configured to securely relay data for a plurality of different tenants. The computer system creates a secure routing channel for routing the data of the first tenant between the first computer system and the second computer system. The secure routing channel applies a unique identifier to each portion of the data received from the first tenant. The computer system also routes the received data from the first computer system to the second computer system through the secure routing channel using the applied unique identifier.
In another embodiment, a computer system receives a portion of data to be transferred from a first computer system to a different second computer system. The instantiated multi-tenant relay service is configured to relay data for a plurality of different tenants. The computer system creates a secure routing channel for routing the data between the first computer system and the second computer system. The secure routing channel provides a unique identifier to each portion of the data received from the first tenant. The computer system determines which of a variety of different network protocols are available for routing the received data, and dynamically selects an appropriate protocol that optimizes data transfer efficiency based on the determination of which network protocols are available. The computer system also routes the received data from the first computer system to the second computer system using the determined protocol. The data is routed through the secure routing channel using the applied unique identifier.
The subsequent discussion now refers to a number of methods and method acts that may be performed. It should be kept in mind that while the method acts may be discussed in a certain order or depicted in a flowchart as occurring in a particular order, that particular order is not necessarily required unless specifically stated or required because one act is dependent on another act being completed before the act is performed.
Embodiments of the present invention may comprise or utilize a special purpose or general-purpose computer including computer hardware, such as, for example, one or more processors and system memory, as discussed in greater detail below. Embodiments within the scope of the present invention also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer system. Computer-readable media storing computer-executable instructions are computer storage media. Computer-readable media carrying computer-executable instructions are transmission media. Thus, by way of example, and not limitation, embodiments of the invention can include at least two disparate types of computer-readable media: computer storage media and transmission media.
Computer storage media includes RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer.
A "network" is defined as one or more data links that allow electronic data to be transferred between computer systems and/or modules and/or other electronic devices. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a transmission medium. Transmission media can include a network and/or data links which can be used to carry desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. Combinations of the above should also be included within the scope of computer-readable media.
Further, upon reaching various computer system components, program code means in the form of computer-executable instructions or data structures may be transferred automatically from transmission media to computer storage media (or vice versa). For example, computer-executable instructions or data structures received over a network or data link may be cached in RAM within a network interface module (e.g., a "NIC") and then ultimately transferred to computer system RAM and/or to less volatile computer storage media at a computer system. Thus, it should be understood that computer storage media can be included in computer system components that also utilize (or even primarily utilize) transmission media.
Computer-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. The computer-executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, or even source code. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the features and acts described above are disclosed as example forms of implementing the claims.
Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computer system configurations, including, personal computers, desktop computers, laptop computers, message processors, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, pagers, routers, switches, and the like. The invention may also be practiced in distributed system environments where local and remote computer systems, which are linked (either by hardwired data links, wireless data links, or by a combination of hardwired and wireless data links) through a network, both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory storage devices.
FIG. 1 illustrates a computer architecture 100 in which the principles of the present invention may be employed. Computer architecture 100 includes tenants 120 and hosts 135 that communicate over the internet 130. The tenants and hosts may be configured to communicate across firewalls 125A and 125B. In addition to firewalls, communications may also pass through routers, switches, gateways, or other network communication devices. Tenant 120 may have substantially any number of computer systems. For example, a tenant may be an organization, such as a government entity, school, company, or other business entity that may have hundreds, thousands, or more computer systems. Alternatively, a tenant may be a single user with a single computer system. Accordingly, it is to be understood that although tenant 1 (120) is shown in FIG. 1 as having three computer systems (121A1, 121A2, and 121A3), the tenant may have any number of computer systems.
Similarly, host 135 may also have any number of computer systems and may provide or host any number of services. The host may be a multi-tenant host hosting various different services for different tenants. Each tenant may subscribe to a different service, or even a different version of the same service. Each of the tenant's users can access those services. The multi-tenant host verifies that the user's identity belongs to a client or tenant and provides those services to which the tenant subscribes. The settings, configuration, subscriptions, stored documents, and other items for each tenant are kept separate from the information of all other tenants. In some cases, host 135 may be a cloud-based host, distributed among a number of different computer systems that may be physically located anywhere in the world. In this way, any computer system of the host can provide the service requested by the tenant.
In some embodiments, a virtual network can be established between tenant 120 and host 135. The virtual network may use a multi-tenant relay service 105 (or "service 105" herein) to securely transfer data between tenants and hosts. The tenant may send data 106 through a secure routing channel 110 established by service 105. Data sent from each different tenant may be tagged with a unique identifier (unique ID 107) that indicates from which tenant the data was received. The data 106 may be transmitted over a Virtual Private Network (VPN) through a Secure Sockets Layer (SSL) tunnel or other secure communication means.
In some cases, this virtual network may be described as a network virtualization layer that manages the creation and address assignment of tenant computer systems connected to the virtual network. Multi-tenant relay service 105 may support connectivity between computer systems participating in a virtual network. The network virtualization layer may expose Internet Protocol (IP) endpoints as network adapters within the operating system of the computer system. Each endpoint (i.e., each computer system or tenant) in the virtual network may receive a unique address or other identifier from the directory service that allows the computer system to communicate with other endpoints in the virtual network. A driver or software agent installed on a computer system participating in the virtual network may be responsible for sending IP traffic through and receiving traffic from the relay service 105.
In some embodiments, multi-tenant service 105 is configured to create an isolated routing domain that interacts with relay services. Each routing domain can restrict access to a set of authorized (tenant or host) machines and can provide a namespace to uniquely identify machines in the domain. This not only secures access to the relay service, but also divides access between computer systems after they are connected to the relay service. In one embodiment, a multi-tenant relay service may provide one or more isolated routing domains that may be used to build a virtual network. In some cases, a Secure Socket Tunneling Protocol (SSTP) relay may be instantiated, the SSTP relay assigning an IP address from a particular subnet based on the identity of the tenant. These and other concepts are described in more detail below with respect to methods 200 and 300 of fig. 2 and 3, respectively.
In view of the above-described systems and architectures, methodologies that may be implemented in accordance with the disclosed subject matter will be better appreciated with reference to the flow charts of fig. 2 and 3. For purposes of simplicity of explanation, the methodologies are shown and described as a series of blocks. It is to be understood and appreciated, however, that the claimed subject matter is not limited by the order of the blocks, as some blocks may occur in different orders and/or concurrently with other blocks from what is depicted and described herein. Moreover, not all illustrated blocks may be required to implement the methodologies described hereinafter.
Fig. 2 illustrates a flow diagram of a method 200 for providing a multi-tenant relay service that securely relays data between computer systems. The method 200 will now be described with frequent reference to the components and data of the environment 100.
Method 200 includes the acts of: at an instantiated multi-tenant relay service, a portion of data to be transferred from a first computer system belonging to a first tenant to a different second computer system is received, wherein the instantiated multi-tenant relay service is configured to securely relay data for a plurality of different tenants (act 210). For example, multi-tenant relay service 105 can receive data 106 to be passed from tenant 1 (120) to host 135. The relay service can be configured to securely relay data for multiple different tenants. In some cases, the relay service may uniquely identify each computer system (e.g., 121A1) as belonging to a certain tenant (e.g., tenant 120). In other cases, the relay service may uniquely identify the data as coming from a tenant, regardless of the computer system from which the data came. Accordingly, the unique ID 107 appended to the data by the relay service 105 can uniquely identify the tenant from which the data was received and/or the particular computer system or user that is part of the tenant 120.
As indicated above, the host and tenant computer systems may be physically distributed, or may be distributed locally over different networks. The multi-tenant relay service may also run on multiple distributed computer systems. In such a case, the relay service may determine which paths are optimal (e.g., highest bandwidth, most secure, shortest path, etc.) and may route the data 106 using the preferred paths. In some embodiments, a software agent may be installed or otherwise provided for each computer system connected to the multi-tenant relay service. The agent may be responsible for joining the computer system to the relay service and/or providing Domain Name System (DNS) services for IP address translation. Thus, within a virtual network established using the relay service, a computer system may use DNS in its communications. In some cases, the multi-tenant relay service is an IP layer relay. In such a case, communication between the first and second computer systems is managed at the IP layer.
Method 200 includes the acts of: the multi-tenant relay service creates a secure routing channel for routing the data for the first tenant between the first computer system and the second computer system, wherein the secure routing channel applies a unique identifier to each portion of the data received from the first tenant (act 220). For example, multi-tenant relay service 105 can create a secure routing channel 110 for routing data 106 between tenant 120 and host 135. The secure routing channel can apply a unique identifier 107 to each portion of data received from tenant 120. Additionally or alternatively, the secure routing channel can apply the unique identifier to each portion of data received from a particular computer system of the tenant (e.g., from computer system 121A2).
Creating a secure routing channel may include creating an IP address space for routing between IP addresses in the secure routing channel. Where DNS is used, the unique ID 107 applied to the tenant's data can be mapped to the DNS name of the first computer system (e.g., 121A2), so that the first computer's DNS name can be resolved. Thus, the DNS name of the computer sending the data 106 is mapped to the unique ID applied by the secure routing channel.
As previously mentioned, unique identifier 107 can be applied to all data received from a tenant (e.g., tenant 120), regardless of the computer system or computer systems from which the data was received. In this way, the applied unique identifier allows each tenant to have its own unique namespace in the multi-tenant relay service because each portion of data transferred between the tenant and the host is uniquely identified as coming from that tenant. Similarly, the unique identifier 107 may be applied to all data received from a computer system from which each portion of data transmitted between the computer system and a host is uniquely identified. Thus, data from a given tenant (regardless of which of the tenant's users is sending the data) is kept separate from the data of other tenants. This increases the security of the data transmission. This increased security (as well as other features) allows the relay service 105 to provide security guarantees to tenants using the service. This is particularly important for services involving private, financial, confidential or other information that needs to be communicated in a secure environment.
Method 200 includes the acts of: the multi-tenant relay service routes the received data from the first computer system to the second computer system through the secure routing channel using the applied unique identifier (act 230). For example, the relay service 105 can route the data 106 from the tenant 120 to the host 135 through the secure routing channel 110 using the applied unique identifier 107. The unique identifier is applied to all data (to and from the tenant and host) that is transmitted over the secure routing channel. In some cases, multiple different tenants send data to host 105 and receive data from host 105.
For example, as shown in computer environment 400 of fig. 4, tenants 420A, 420B, and 420C can each send different data to multi-tenant relay service 405. Specifically, tenant 420A sends data 406A to secure routing channel 410 of relay service 405. The secure routing channel then applies the unique identifier (tenant 420A unique ID)407A and transmits the data to service provider 435. Similarly, tenants 420B and 420C send data 406B and 406C to the secure routing channel 410 of the relay service 405. The secure routing channel then applies unique identifiers (tenant 420B unique ID and tenant 420C unique ID)407B and 407C, respectively, and transmits the data to service provider 435.
The data for each tenant is kept separate and secure from the data of other tenants even though the tenants are connected to the same service. Moreover, each tenant's data is uniquely identified as coming from a given tenant (or from that tenant's particular user/computer system). Thus, because each tenant has its own unique identifier, data can be separated and routed even when two tenants have the same IP address. In this way, the relay service can securely relay information between the tenant and the host. Data transmitted back to the tenant's computer system keeps the unique ID assigned by the secure routing channel. Moreover, applications running on the tenant's computer system may appear to be directly connected to applications or services running on the host system without network address translation, because the communication data is channeled through a secure routing channel over the virtual network between the source and destination.
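The secure routing channel of method 200 (acts 210 through 230), modelled as an added example that is not code from the patent or from Microsoft: each tenant gets an isolated routing domain that restricts access to authorized machines and gives each machine a tenant-scoped name, every relayed portion of data is tagged with the tenant's unique ID, and two tenants whose machines share the same private IP address stay separated. Tenant names, hostnames, IP addresses and payloads are constructed.

```python
"""Model of a multi-tenant relay with per-tenant secure routing channels.

Added illustration only; not the patent's or Microsoft's implementation.
All tenant names, hostnames, IPs and payloads are constructed sample values.
"""
from dataclasses import dataclass, field
import uuid


@dataclass(frozen=True)
class TaggedData:
    tenant_id: str   # unique ID applied by the secure routing channel
    src_name: str    # tenant-scoped DNS-style name of the sending machine
    src_ip: str      # the machine's own (possibly overlapping) IP address
    payload: bytes


@dataclass
class RoutingDomain:
    """Isolated routing domain: authorized machines plus a tenant namespace."""
    tenant: str
    tenant_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    machines: dict = field(default_factory=dict)   # hostname -> ip

    def authorize(self, hostname, ip):
        self.machines[hostname] = ip

    def fqdn(self, hostname):
        # Scoping the name by tenant ID gives each tenant its own namespace,
        # so "pc1" in two different tenants never collides.
        return f"{hostname}.{self.tenant_id}.relay"


class MultiTenantRelay:
    def __init__(self):
        self.domains = {}      # tenant -> RoutingDomain (the secure routing channel)
        self.host_inbox = {}   # tenant_id -> data delivered to the host for that tenant
        self.dns = {}          # tenant-scoped name -> tenant unique ID

    def create_channel(self, tenant):
        dom = RoutingDomain(tenant)
        self.domains[tenant] = dom
        return dom

    def relay(self, tenant, hostname, src_ip, payload):
        """Act 210/220/230: accept data, tag it with the tenant ID, route it."""
        dom = self.domains.get(tenant)
        if dom is None:
            raise PermissionError(f"no routing domain for tenant {tenant!r}")
        # Only machines authorized in this routing domain may use the channel.
        if dom.machines.get(hostname) != src_ip:
            raise PermissionError(f"{hostname}@{src_ip} not authorized in {tenant!r}")
        name = dom.fqdn(hostname)
        self.dns[name] = dom.tenant_id            # DNS name <-> unique ID mapping
        tagged = TaggedData(dom.tenant_id, name, src_ip, payload)
        # Routing is keyed on the applied unique ID, not on the source IP,
        # so overlapping tenant address spaces cannot cross-deliver.
        self.host_inbox.setdefault(dom.tenant_id, []).append(tagged)
        return tagged

    def host_view(self, tenant):
        """What the host sees for one tenant: nothing from other tenants."""
        return list(self.host_inbox.get(self.domains[tenant].tenant_id, []))

    def resolve(self, fqdn):
        return self.dns.get(fqdn)


def demo():
    """Two tenants, both with a machine named pc1 at 10.0.0.5 (constructed)."""
    relay = MultiTenantRelay()
    a = relay.create_channel("tenant-A")
    b = relay.create_channel("tenant-B")
    a.authorize("pc1", "10.0.0.5")
    b.authorize("pc1", "10.0.0.5")   # same hostname and IP as tenant A's machine
    relay.relay("tenant-A", "pc1", "10.0.0.5", b"report-A")
    relay.relay("tenant-B", "pc1", "10.0.0.5", b"report-B")
    try:
        relay.relay("tenant-A", "rogue", "10.0.0.9", b"x")   # not in the domain
        rejected = False
    except PermissionError:
        rejected = True
    return relay, rejected


if __name__ == "__main__":
    r, rej = demo()
    print([t.payload for t in r.host_view("tenant-A")], rej)
```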
Turning now to fig. 3, fig. 3 illustrates a flow diagram of a method 300 for providing a multi-tenant relay service that securely relays data between computer systems. The method 300 will now be described with frequent reference to the components and data of the environment 100.
Method 300 includes the acts of: at an instantiated multi-tenant relay service, a portion of data to be transferred from a first computer system to a different second computer system is received, wherein the instantiated multi-tenant relay service is configured to relay data for a plurality of different tenants (act 310). For example, the multi-tenant relay service 105 can receive data 106 to be transferred from the computer system 121A3 to one of the computer systems 131A1, 131A2, or 131A3 of the host 135. As noted above, the relay service 105 can be configured to relay data for a variety of different tenants. Some tenants may include one computer user and some tenants may include thousands or more users. The relay service can uniquely identify a computer system (e.g., 121A3) as belonging to tenant 120. Additionally or alternatively, the relay service may identify the computer user as belonging to a tenant regardless of which computer system the user is using. For example, a user may authenticate as a member of tenant 120 and, through the authentication, may be able to access services subscribed to by the tenant.
Method 300 further includes the acts of: the multi-tenant relay service creates a secure routing channel for routing data between the first computer system and the second computer system, wherein the secure routing channel provides a unique identifier for each portion of data received from the first tenant (act 320). For example, multi-tenant relay service 105 can create a secure routing channel 110 for routing or relaying data between tenant 120 and host 135. The secure routing channel applies a unique identifier 107 to each portion of data received from a given computer user or computer system.
Method 300 includes the acts of: a determination is made as to which of a plurality of different network protocols are available for routing the received data (act 330). For example, the relay service 105 can determine which network protocols are available for routing the data 106. The protocols may include Hypertext Transfer Protocol (HTTP), Transmission Control Protocol (TCP), Internet Protocol (IP), or any other protocol for transferring data over a network. The relay service may also determine whether a local network is available for transmitting data. The relay service may then dynamically select an appropriate protocol that optimizes data transfer efficiency based on the determination of which network protocols are available (act 340). For example, if a local network is available and determined to be secure, the local network may be selected as the most efficient option and used to transfer data. After making the initial selection, if the network changes, the relay service may reevaluate which available protocols are most appropriate for transmitting data.
Method 300 further includes the acts of: the received data from the first computer system is routed to the second computer system using the determined protocol, where the data is routed through the secure routing channel using the applied unique identifier (act 350). For example, the secure routing channel 110 of the relay service 105 can use the determined protocol to route the data 106 from the tenant 120 to the host 135. The data (which has a unique identifier 107 attached to it) is transmitted using HTTP, TCP, IP, or some other determined appropriate protocol. In some cases, if the tenant and host are on the same local computer network, the relay service may direct both systems to connect to the local network without either system leaving the firewall protected environment. By selecting the most efficient (and secure) protocol, optimal routing efficiency can be ensured.
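Acts 330 through 350 as an added example (not the patent's or Microsoft's code): the relay probes which protocols are available, selects the most efficient one, uses the local network only when both endpoints share it and it has been checked as secure, and re-evaluates when the network state changes. The preference order, protocol names and sample network states are constructed assumptions.

```python
"""Dynamic protocol selection for the relay (acts 330-350), added illustration only.

Assumed preference order, most efficient first; protocol names are constructed.
"""
from dataclasses import dataclass

PREFERENCE = ("local", "tcp", "http")   # assumed ordering for illustration


@dataclass
class NetworkState:
    available: set              # protocols/paths the relay found reachable (act 330)
    same_local_network: bool    # tenant and host sit on one local network
    local_is_secure: bool       # relay verified that local network before using it


def select_protocol(state):
    """Act 340: most efficient usable protocol.

    'local' is chosen only when both systems share a local network that was
    determined to be secure, so neither system leaves its firewalled environment.
    """
    for proto in PREFERENCE:
        if proto not in state.available:
            continue
        if proto == "local" and not (state.same_local_network and state.local_is_secure):
            continue
        return proto
    raise RuntimeError("no usable protocol for routing")


class AdaptiveRoute:
    """Holds the current choice and re-evaluates it on network change."""

    def __init__(self, state):
        self.state = state
        self.protocol = select_protocol(state)
        self.history = [self.protocol]

    def network_changed(self, new_state):
        self.state = new_state
        chosen = select_protocol(new_state)
        if chosen != self.protocol:
            self.protocol = chosen
            self.history.append(chosen)
        return self.protocol


def demo():
    # Constructed sequence: internet-only, then an unverified LAN, then a verified LAN.
    route = AdaptiveRoute(NetworkState({"http", "tcp"}, False, False))
    route.network_changed(NetworkState({"http", "tcp", "local"}, True, False))
    route.network_changed(NetworkState({"http", "tcp", "local"}, True, True))
    return route


if __name__ == "__main__":
    print(demo().history)
```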
Accordingly, methods, systems, and computer program products are provided that provide a multi-tenant relay service that securely relays data between computer systems. The system may use the local network (when available) and may make a selection among the available protocols to use the most efficient protocol for a particular situation. The relay service can establish and maintain a virtual network between tenants and hosts by securely relaying and uniquely identifying data it receives from each tenant. In this way, the multi-tenant relay service can service the multi-tenant host.
The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

Claims (21)

1. In a computer networking environment comprising a plurality of computing systems, a computer-implemented method at a computer system comprising a processor and a memory for providing a multi-tenant relay service that securely relays data between computer systems, the method comprising:
an act of receiving, at an instantiated multi-tenant relay service, a portion of data to be transferred from a first computer system belonging to a first tenant to a different second computer system, wherein the instantiated multi-tenant relay service is configured to securely relay data for a plurality of different tenants, the multi-tenant relay service providing one or more isolated routing domains, each routing domain providing a namespace that uniquely identifies each machine in each of the one or more isolated routing domains to divide access between the computer systems;
an act of the multi-tenant relay service creating a secure routing channel for routing the data of the first tenant between the first computer system and the second computer system, wherein the secure routing channel applies a unique identifier to each portion of data received from the first tenant; and
an act of the multi-tenant relay service routing the received data from the first computer system to the second computer system through the secure routing channel using the applied unique identifier.
2. The method of claim 1, further comprising:
an act of receiving, at the multi-tenant relay service, a portion of data from a different third computer system belonging to a different second tenant;
an act of the multi-tenant relay service applying a different unique identifier to each portion of data received from the second tenant; and
an act of the multi-tenant relay service routing the received data from the third computer system to the second computer system through the secure routing channel using the applied different unique identifier.
3. The method of claim 2, wherein the data received from the second tenant is isolated from the data received from the first tenant even though the second tenant is connecting to the same service to which the first tenant is connecting, the same service being provided by the second computer system.
4. The method of claim 2, wherein the first computer system of the first tenant and the third computer system of the second tenant have the same IP address.
5. The method of claim 1, wherein creating a secure routing channel comprises creating an IP address space for routing between IP addresses in the secure routing channel.
6. The method of claim 1, further comprising mapping the unique identifier of tenant data from the first tenant to a DNS name of the first computer system to resolve the DNS name of the first computer.
7. The method of claim 1, wherein the unique identifier is applied to all data received from the first tenant, regardless of the computer system or computer systems from which the data is received.
8. The method of claim 1, wherein the applied unique identifier allows each tenant to have their own unique namespace in the multi-tenant relay service.
9. The method of claim 1, wherein communication data is communicated over the secure routing channel via a virtual connection such that an application running on the first computer system is virtually connected to an application or service running on the second computer system without network address translation.
10. The method of claim 1, wherein the relay service runs on a plurality of distributed computer systems.
11. The method of claim 10, wherein data paths are optimized across the plurality of distributed computer systems.
12. The method of claim 1, wherein the multi-tenant relay service provides one or more security guarantees to the tenant using the service.
13. The method of claim 1, further comprising an act of providing a software agent for each computer system connected to the multi-tenant relay service.
14. The method of claim 13, wherein the software agent joins a machine to the multi-tenant relay service and provides additional services, including DNS services that resolve names to IP addresses.
15. The method of claim 1, wherein the multi-tenant relay service comprises an IP layer relay to manage communications between the first and second computer systems at the IP layer.
16. A method for providing a multi-tenant relay service that securely relays data between computer systems, the method comprising:
an act of receiving, at an instantiated multi-tenant relay service, a portion of data to be transferred from a first computer system belonging to a first tenant to a different second computer system, wherein the instantiated multi-tenant relay service is configured to relay data for a plurality of different tenants, the multi-tenant relay service providing one or more isolated routing domains, each routing domain providing a namespace that uniquely identifies each machine in each of the one or more isolated routing domains to divide access between the computer systems;
an act of a multi-tenant relay service creating a secure routing channel for routing the data of the first tenant between the first computer system and the second computer system, wherein the secure routing channel provides a unique identifier for each portion of data received from the first tenant;
an act of determining which of a plurality of different network protocols are available for routing the received data;
an act of dynamically selecting an appropriate protocol that optimizes data transfer efficiency based on the determination of which network protocols are available; and
an act of routing the received data from the first computer system to the second computer system using the determined protocol, wherein the data is routed through the secure routing channel using the applied unique identifier.
17. The method of claim 16, wherein if the first computer system and the second computer system are in the same network, the multi-tenant relay service directs both systems to connect locally on a local network without either system leaving a firewall protected environment.
18. The method of claim 17, wherein the local network is determined to be secure.
19. The method of claim 16, further comprising, after determining that one or more changes have occurred to the network, an act of re-evaluating which of the available protocols is the most appropriate for transferring the data.
20. A computer system for providing a multi-tenant relay service for securely relaying data between computer systems, comprising:
means for receiving, at an instantiated multi-tenant relay service, a portion of data to be transferred from a first computer system belonging to a first tenant to a different second computer system, wherein the instantiated multi-tenant relay service is configured to securely relay data for a plurality of different tenants, the multi-tenant relay service providing one or more isolated routing domains, each routing domain providing a namespace uniquely identifying each machine in each of the one or more isolated routing domains to partition access between the computer systems;
means for creating a secure routing channel for routing the data of the first tenant between the first computer system and the second computer system, wherein the secure routing channel applies a unique identifier to each portion of data received from the first tenant; and
means for routing the received data from the first computer system to the second computer system through the secure routing channel using the applied unique identifier.
21. The computer system of claim 20, further comprising:
means for receiving, at the multi-tenant relay service, a portion of data from a different third computer system belonging to a different second tenant;
means for applying a different unique identifier to each portion of data received from the second tenant; and
means for routing the received data from the third computer system to the second computer system over the secure routing channel using the applied different unique identifier.
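The claims above describe the mechanism only abstractly: a per-tenant routing domain with its own address and DNS namespace (claims 1, 5, 6, 8), a relay-applied tenant identifier on every portion of data (claims 1, 7), isolation even when two tenants reuse the same private IP address (claims 3, 4), and a protocol choice that is re-evaluated when the network changes or a local path becomes possible (claims 16 to 19). The following Python model is an added illustration written for this page, not code from the patent or from any Microsoft product. It assumes a per-machine agent that holds an authenticated session with the relay, a relay secret from which tenant tags are derived, and an efficiency ordering of protocols (UDP before TCP before HTTPS); all of those, and the tenants, hosts and addresses, are constructed for the example. The security point it makes is that the tenant identity is taken from the agent's authenticated session and the tag is applied by the relay, so a sender cannot claim another tenant's namespace by putting a tag on the wire.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed efficiency ordering, most efficient first (an assumption, not from the patent).
PROTOCOL_PREFERENCE = ("udp", "tcp", "https")


@dataclass
class RoutingDomain:
    """One isolated routing domain per tenant: its own address space, names and local segments."""
    tenant: str
    tag: bytes                                  # unique identifier the relay applies to this tenant's data
    hosts: Dict[str, str] = field(default_factory=dict)    # tenant-private IP -> machine name
    names: Dict[str, str] = field(default_factory=dict)    # tenant-private DNS name -> IP
    local_nets: List[ipaddress.IPv4Network] = field(default_factory=list)  # segments trusted for local delivery


class MultiTenantRelay:
    def __init__(self, relay_secret: bytes):
        self.secret = relay_secret              # tags are derived here and never accepted from the wire
        self.domains: Dict[str, RoutingDomain] = {}
        self.sessions: Dict[str, str] = {}      # agent session token -> tenant
        self.available: Set[str] = set()        # protocols currently usable between relay and agents
        self.log: List[tuple] = []

    def join(self, tenant: str, machine: str, ip: str,
             dns_name: Optional[str] = None, local_net: Optional[str] = None) -> str:
        """The per-machine software agent joins a machine to its tenant's domain; returns its session token."""
        dom = self.domains.get(tenant)
        if dom is None:
            tag = hmac.new(self.secret, tenant.encode(), hashlib.sha256).digest()[:8]
            dom = self.domains[tenant] = RoutingDomain(tenant, tag)
        dom.hosts[ip] = machine
        if dns_name:
            dom.names[dns_name] = ip
        if local_net:
            dom.local_nets.append(ipaddress.ip_network(local_net))
        token = secrets.token_hex(16)
        self.sessions[token] = tenant
        return token

    def resolve(self, tenant: str, name: str) -> Optional[str]:
        """Per-tenant DNS: the same name may resolve to the same IP in two domains yet reach different machines."""
        return self.domains[tenant].names.get(name)

    def set_available_protocols(self, protocols) -> None:
        """Called when the network changes; the next route() re-evaluates the protocol choice."""
        self.available = set(protocols)

    def select_protocol(self) -> str:
        for proto in PROTOCOL_PREFERENCE:
            if proto in self.available:
                return proto
        raise RuntimeError("no usable protocol between relay and agents")

    def route(self, session: str, src: str, dst: str, payload: bytes) -> dict:
        """Relay one portion of data; the tenant comes from the authenticated session, not from the packet."""
        tenant = self.sessions.get(session)
        if tenant is None:
            raise PermissionError("unknown agent session")
        dom = self.domains[tenant]
        if src not in dom.hosts or dst not in dom.hosts:
            # Addresses are only ever looked up in the sender's own routing domain, so a tenant
            # cannot reach another tenant's machine even when both use the same private IP.
            self.log.append(("drop", tenant, src, dst))
            return {"delivered": False, "reason": "no such address in tenant routing domain"}
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in net and d in net for net in dom.local_nets):
            # Both endpoints sit on a segment the tenant marked as trusted: direct them to talk locally.
            self.log.append(("local", tenant, src, dst))
            return {"delivered": True, "path": "local", "protocol": None, "to": dom.hosts[dst]}
        proto = self.select_protocol()
        self.log.append(("relay", tenant, src, dst, proto))
        return {"delivered": True, "path": "relay", "protocol": proto,
                "to": dom.hosts[dst], "tagged": (dom.tag + payload).hex()}


def demo() -> dict:
    """Constructed scenario: two tenants with overlapping private address space and DNS names."""
    relay = MultiTenantRelay(relay_secret=b"constructed-relay-secret")
    a_web = relay.join("tenant-a", "a-web", "10.0.0.5", "web.internal", local_net="10.0.0.0/24")
    relay.join("tenant-a", "a-app", "10.0.0.7")
    relay.join("tenant-a", "a-db", "10.0.1.9", "db.internal")
    b_web = relay.join("tenant-b", "b-web", "10.0.0.5", "web.internal")   # same IP and name as a-web
    relay.set_available_protocols({"tcp", "https"})                       # udp blocked at first
    out = {
        "a_resolves": relay.resolve("tenant-a", "web.internal"),
        "b_resolves": relay.resolve("tenant-b", "web.internal"),
        "a_to_db": relay.route(a_web, "10.0.0.5", "10.0.1.9", b"query"),    # relayed over tcp
        "b_to_a_db": relay.route(b_web, "10.0.0.5", "10.0.1.9", b"probe"),  # dropped: not in B's domain
        "a_local": relay.route(a_web, "10.0.0.5", "10.0.0.7", b"rpc"),      # stays on the local segment
    }
    relay.set_available_protocols({"udp", "tcp"})                         # network changed; re-evaluate
    out["a_to_db_after_change"] = relay.route(a_web, "10.0.0.5", "10.0.1.9", b"query")
    out["tags_differ"] = relay.domains["tenant-a"].tag != relay.domains["tenant-b"].tag
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the scenario both tenants run a machine at 10.0.0.5 called web.internal, yet tenant B's attempt to reach 10.0.1.9 is dropped because that address exists only in tenant A's routing domain; the relay never consults another tenant's table, which is the isolation that claims 3 and 4 describe. A real deployment would replace the in-memory session table with mutually authenticated agent connections, and the trusted local segments (claim 18) would be established by policy rather than by the joining agent's say-so.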
Application HK12108033.8A, priority date 2010-09-23, filing date 2012-08-15: Providing virtual networks using multi-tenant relays, HK1167533B (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
US12/889,283 (US8935427B2, en) | 2010-09-23 | 2010-09-23 | Providing virtual networks using multi-tenant relays
US12/889,283 | 2010-09-23 | |

Publications (2)

Publication Number | Publication Date
HK1167533A1 (en) | 2012-11-30
HK1167533B (en), this document | 2015-01-30
