Title: Virtual private networks distributed across multiple cloud-computing facilities
Abstract: The current document discloses methods and systems for extending an internal network within a first cloud-computing facility to a second cloud-computing facility and using the extended internal network as a basis for creating virtual private clouds distributed across multiple cloud-computing facilities. In one implementation, a pool of IP addresses is allocated and distributed to end appliances of the first and second cloud-computing facilities. In this implementation, the internal network is extended via a secure tunnel between end appliances in the first and second cloud-computing facilities, and the end appliances of the extended internal network are configured to route messages transmitted by a first member of the virtual private cloud executing on the first cloud-computing facility to a second member of the virtual private cloud executing on the second cloud-computing facility through the secure tunnel.
Publication number: US9391801 (B2)    Publication date: 2016.07.12
Application number: US201414205930    Filing date: 2014.03.12
Applicant: VMware, Inc.    Inventor: Raghu Jagannath N.
Classification: H04L12/46; G06F9/455    Main classification: H04L12/46
Agency / Agent: none listed
Main claim: 1. A cloud-connector subsystem that provides a virtual private cloud operation for creating virtual private clouds distributed across a first and a second cloud-computing facility, the cloud-connector subsystem comprising:
    cloud-connector nodes associated with each of the first and second cloud-computing facilities; and
    a cloud-connector server that includes one or more processors, one or more memories, one or more data-storage devices, and computer instructions that, when executed on the one or more processors, control the cloud-connector server to provide, in cooperation with the cloud-connector nodes, a virtual-private-cloud-creation operation that securely interconnects a first organization edge appliance associated with a first virtual organization network within the first cloud-computing facility to a second organization edge appliance associated with a second virtual organization network within the second cloud-computing facility using an Internet-protocol-secure tunnel or a secure-socket-layer secure tunnel between the first and second organization edge appliances, each of the first and second organization edge appliances perform the steps of:
        receiving virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies from the cloud-connector server;
        internally storing the received virtual-private-network IP addresses in routing tables;
        distributing a portion of the virtual-private-network IP addresses and virtual-private-network configuration information, rules, and policies received from the cloud-connector server to additional edge appliances connected to the virtual organization network with which the organization edge appliance is associated; and
        providing a firewall that isolates a sub-network within each respective cloud-computing facility from a network external to each respective cloud-computing facility;
    distributes internal IP virtual-private-network addresses to the first and second cloud-computing facilities for use by two or more virtual-private-cloud members that execute within the first and second cloud-computing facilities to communicate over the virtual private network; and
    configures organization-edge appliances and edge appliances associated with virtual appliances within the first and second cloud-computing facilities to route packets transmitted by the two or more virtual-private-cloud members through the virtual private network.
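The abstract and the main claim describe a control-plane sequence: a cloud-connector server carves a shared VPN address pool into per-facility prefixes, each organization edge appliance stores its prefix in its routing table and hands addresses to local members, the two edge appliances bring up a secure tunnel and install a route for the peer's prefix through it, and an edge firewall keeps sources outside the pool out of the sub-network. The following Python model, added here as an illustration and not code from the patent or from VMware, walks through that sequence end to end. The class names CloudConnectorServer and OrgEdgeAppliance, the 10.200.0.0/16 pool and the public tunnel endpoints are constructed for the example; the IPsec or SSL tunnel itself is abstracted to a next-hop tag.

```python
"""Model of a virtual private cloud spanning two cloud-computing facilities.

Added example (not the patent's or VMware's code). Pool, appliance names and
endpoint addresses are constructed; the secure tunnel is represented only by
a "tunnel:<peer>" next hop, not by real IPsec/TLS.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass
class OrgEdgeAppliance:
    """Organization edge appliance: holds the facility's VPN prefix, the routes
    pushed by the cloud-connector server, and the tunnel to its peer."""
    name: str
    public_ip: IPAddr                                   # tunnel endpoint on the external network
    subnet: IPNet | None = None                         # VPN prefix assigned by the server
    routes: dict[IPNet, str] = field(default_factory=dict)  # prefix -> "local" or "tunnel:<peer ip>"
    members: set[IPAddr] = field(default_factory=set)   # VPN addresses handed to local members

    def receive_allocation(self, subnet: IPNet) -> None:
        """Store the server-assigned VPN prefix in the local routing table."""
        self.subnet = subnet
        self.routes[subnet] = "local"

    def add_member(self) -> IPAddr:
        """Distribute the next free address of the prefix to a member (VM or edge appliance)."""
        assert self.subnet is not None, "no prefix allocated yet"
        for host in self.subnet.hosts():
            if host not in self.members:
                self.members.add(host)
                return host
        raise RuntimeError(f"{self.name}: VPN prefix exhausted")

    def connect_tunnel(self, peer: OrgEdgeAppliance) -> None:
        """Bring up the (abstracted) secure tunnel and route the peer's prefix through it."""
        assert peer.subnet is not None, "peer has no prefix yet"
        self.routes[peer.subnet] = f"tunnel:{peer.public_ip}"

    def route(self, src: IPAddr, dst: IPAddr) -> str:
        """Decide what this appliance does with a packet from src to dst."""
        # Firewall: the sub-network is isolated from the external network, so only
        # sources inside the virtual private cloud's address space are admitted.
        if not any(src in prefix for prefix in self.routes):
            return "dropped: source is outside the virtual private cloud"
        for prefix, next_hop in self.routes.items():
            if dst in prefix:
                if next_hop == "local":
                    return "delivered locally" if dst in self.members else "dropped: no such member"
                return f"forwarded via {next_hop}"
        return "dropped: destination is outside the virtual private cloud"


class CloudConnectorServer:
    """Allocates the shared VPN pool and pushes one prefix to each facility's edge appliance."""

    def __init__(self, pool: str, prefixlen: int = 24):
        self.free = list(ipaddress.ip_network(pool).subnets(new_prefix=prefixlen))

    def create_vpc(self, edge_a: OrgEdgeAppliance, edge_b: OrgEdgeAppliance) -> None:
        for edge in (edge_a, edge_b):
            edge.receive_allocation(self.free.pop(0))
        # Both ends need a route for the other's prefix, or return traffic is dropped.
        edge_a.connect_tunnel(edge_b)
        edge_b.connect_tunnel(edge_a)


def demo() -> dict[str, str]:
    """Build a two-facility VPC and report how representative packets are handled."""
    server = CloudConnectorServer("10.200.0.0/16")                  # constructed pool
    edge_a = OrgEdgeAppliance("edge-a", IPAddr("203.0.113.10"))     # facility 1
    edge_b = OrgEdgeAppliance("edge-b", IPAddr("198.51.100.20"))    # facility 2
    server.create_vpc(edge_a, edge_b)
    vm1 = edge_a.add_member()        # first member in facility 1
    vm2 = edge_b.add_member()        # first member in facility 2
    vm3 = edge_b.add_member()        # second member in facility 2
    return {
        "vm1": str(vm1),
        "vm2": str(vm2),
        "egress_a": edge_a.route(vm1, vm2),      # leaves facility 1 through the tunnel
        "ingress_b": edge_b.route(vm1, vm2),     # arrives at facility 2, handed to vm2
        "intra_b": edge_b.route(vm2, vm3),       # never touches the tunnel
        "external": edge_a.route(IPAddr("192.0.2.7"), vm1),  # blocked by the edge firewall
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key}: {outcome}")
```

The model makes one caveat visible: the firewall decision is based only on the source address being inside the pool, so it is only meaningful if the tunnel the claim requires (IPsec or SSL) authenticates the peer edge appliance and rejects pool-addressed packets arriving on the external interface outside that tunnel. Without that, any external host could spoof a 10.200.0.0/16 source and pass the check.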
Address: Palo Alto, CA, US