Title Network-level access control management for the cloud
Abstract A cloud access manager obtains input regarding access control for at least one application deployed on a plurality of virtual machine instances in a cloud computing environment; the virtual machine instances are divided into at least first and second access zones. A cloud access manager registrar located in the cloud computing environment registers internet protocol addresses of external clients as seen from the cloud computing environment; at least some of the addresses are assigned to the clients via network address translation (NAT). Session traversal utility for NAT (STUN) is carried out to determine public internet protocol addresses assigned to the clients via NAT. The cloud access manager controls (i) access of the external clients to the plurality of virtual machine instances; and (ii) access of the plurality of virtual machine instances to each other, based on the registered internet protocol addresses, in accordance with the access zones.
Publication number US9300633(B2) Publication date 2016.03.29
Application number US201414223327 Filing date 2014.03.24
Applicant INTERNATIONAL BUSINESS MACHINES CORPORATION Inventors Acharya Arup;Beaty Kirk Alan;Kundu Ashish;Naik Vijay K.
Classification H04L29/06;H04L29/12 Main classification H04L29/06
Agency Otterstedt, Ellenbogen & Kammer, LLP Attorneys Percello Louis J.;Otterstedt, Ellenbogen & Kammer, LLP
Independent claim 1. A method comprising:
obtaining, at a cloud access manager executing on at least one hardware processor, input regarding access control for at least one application deployed on a plurality of virtual machine instances in a cloud computing environment;
with said cloud access manager executing on said at least one hardware processor, dividing said plurality of virtual machine instances into at least first and second access zones in accordance with said input;
registering, with a cloud access manager registrar located in said cloud computing environment, internet protocol addresses of external clients as seen from said cloud computing environment, at least some of said registered internet protocol addresses comprising public internet protocol addresses assigned to said clients via network address translation;
carrying out session traversal utility for network address translation to determine said public internet protocol addresses assigned to said clients via said network address translation;
with said cloud access manager executing on said at least one hardware processor, controlling, based on said registered internet protocol addresses:
access of said external clients to said plurality of virtual machine instances; and
access of said plurality of virtual machine instances to each other;
in accordance with said access zones, such that:
those of said virtual machine instances in a same given one of said access zones have access to each other;
said external clients are permitted a first level of access to those of said virtual machine instances in said first access zone, according to a first policy; and
said external clients are permitted a second level of access, different than said first level of access, to those of said virtual machine instances in said second access zone, according to a second policy.
Address Armonk NY US
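The abstract and claim 1 describe a control loop with three parts: a registrar that records the public (NAT-mapped) address each external client presents to the cloud, a zone assignment for the virtual machine instances, and per-zone policies that decide what registered clients may reach. The following Python model is an added illustration and not code from the patent or from IBM. It substitutes a constructed private-to-public address table for real STUN binding discovery, expresses each zone's "level of access" as a set of permitted TCP ports (an assumption; the claim leaves the policy form open), and expands the zone model into explicit allow rules of the kind a network-level enforcement point would consume. The VM addresses, client addresses and zone names are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed stand-in for STUN binding discovery: maps a client's private
# address to the public address its NAT presents to the cloud. Two of the
# clients share one NAT address, as is common for a single office site.
STUN_BINDINGS: Dict[str, str] = {
    "10.0.0.5": "203.0.113.10",
    "10.0.0.6": "203.0.113.10",
    "192.168.1.20": "198.51.100.7",
}


def stun_lookup(private_ip: str) -> str:
    """Return the NAT-mapped public address for a client (STUN stand-in)."""
    if private_ip not in STUN_BINDINGS:
        raise LookupError(f"no NAT binding known for {private_ip}")
    return STUN_BINDINGS[private_ip]


@dataclass(frozen=True)
class Policy:
    """Level of access external clients get to one zone: a set of permitted
    TCP ports; an empty set means the zone is closed to external clients."""
    ports: FrozenSet[int]


class CloudAccessManager:
    def __init__(self) -> None:
        self.zone_of: Dict[str, str] = {}        # VM address -> zone name
        self.policy_of: Dict[str, Policy] = {}   # zone name -> policy
        self.clients: Set[str] = set()           # registered public addresses

    def add_vm(self, vm_ip: str, zone: str) -> None:
        ip_address(vm_ip)  # reject malformed input early
        self.zone_of[vm_ip] = zone

    def set_policy(self, zone: str, ports: FrozenSet[int]) -> None:
        self.policy_of[zone] = Policy(ports)

    def register_client(self, private_ip: str) -> str:
        """Registrar step: record the address the cloud actually sees, not
        the private address the client believes it has."""
        public_ip = stun_lookup(private_ip)
        self.clients.add(public_ip)
        return public_ip

    def vm_to_vm_allowed(self, src_vm: str, dst_vm: str) -> bool:
        """Instances may reach each other only within the same zone."""
        src_zone = self.zone_of.get(src_vm)
        return src_zone is not None and src_zone == self.zone_of.get(dst_vm)

    def client_allowed(self, client_ip: str, vm_ip: str, port: int) -> bool:
        """External access: the client must be registered under its public
        address, and the port must be permitted by the target zone's policy."""
        if client_ip not in self.clients or vm_ip not in self.zone_of:
            return False
        policy = self.policy_of.get(self.zone_of[vm_ip], Policy(frozenset()))
        return port in policy.ports

    def firewall_rules(self) -> List[Tuple[str, str, str]]:
        """Expand the zone model into explicit (src, dst, port) allow rules;
        anything not listed is implicitly denied."""
        rules: List[Tuple[str, str, str]] = []
        for client in sorted(self.clients):
            for vm, zone in sorted(self.zone_of.items()):
                policy = self.policy_of.get(zone, Policy(frozenset()))
                for port in sorted(policy.ports):
                    rules.append((client, vm, str(port)))
        for src, src_zone in sorted(self.zone_of.items()):
            for dst, dst_zone in sorted(self.zone_of.items()):
                if src != dst and src_zone == dst_zone:
                    rules.append((src, dst, "any"))
        return rules


def build_demo() -> CloudAccessManager:
    """Constructed two-zone deployment: a web tier open on 80/443 to
    registered clients, and a database tier closed to external clients."""
    mgr = CloudAccessManager()
    mgr.set_policy("web", frozenset({80, 443}))
    mgr.set_policy("db", frozenset())
    mgr.add_vm("172.16.0.10", "web")
    mgr.add_vm("172.16.0.11", "web")
    mgr.add_vm("172.16.1.10", "db")
    for private_ip in ("10.0.0.5", "10.0.0.6", "192.168.1.20"):
        mgr.register_client(private_ip)
    return mgr


if __name__ == "__main__":
    for rule in build_demo().firewall_rules():
        print(rule)
```

The registration step is the part that matters for NAT'd clients: a client that registered its private 10.0.0.5 address would never match the 203.0.113.10 source the cloud observes, so the rule set keys on the STUN-discovered public address. The model also shows a consequence a practitioner should weigh: two clients behind the same NAT register the same public address, so zone policy grants them identical network-level access, and any finer distinction has to come from the application layer.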