CN-122001848-A - Stateless address translation in a multi-tenant cloud environment
Abstract
The present disclosure relates to stateless address translation in a multi-tenant cloud environment, and provides methods and systems for it. Network traffic is received from a first tenant of a multi-tenant system. The received network traffic is associated with a first source host address of a first host assigned to the first tenant and a first target host address associated with the network traffic. The first source host address and the first target host address are provided as inputs to a bi-directional address translation function that translates a given host address to a network address and vice versa. One or more outputs of the bi-directional address translation function are obtained, including a first source network address and a first target network address. The received network traffic of the first tenant is forwarded to a receiving device of the multi-tenant system via a network channel associated with the first tenant based on the first source network address and the first target network address.
Inventors
- L. Xiao Shan Hannigby
- T. Oved
- R. Y. Everem
- M. Jin Molin
Assignees
- 迈络思科技有限公司 (Mellanox Technologies Ltd.)
Dates
- Publication Date: 20260508
- Application Date: 20251104
- Priority Date: 20251027
Claims (20)
- 1. A networking device comprising: a memory; and a set of one or more processors coupled with the memory, wherein the set of one or more processors performs operations comprising: receiving network traffic from a first tenant of a multi-tenant system, wherein the received network traffic is associated with a first source host address of a first source host assigned to the first tenant and a first target host address of a first target host associated with the network traffic; providing the first source host address and the first target host address as inputs to a bi-directional address translation function, wherein the bi-directional address translation function translates a given host address to a network address and translates a given network address to a host address; obtaining one or more outputs of the bi-directional address translation function, wherein the one or more outputs include a first source network address associated with the first source host and a first target network address associated with the first target host; and forwarding the received network traffic of the first tenant to the first target host via a network channel associated with the first tenant based on the first source network address and the first target network address.
- 2. The networking device of claim 1, wherein the operations further comprise: receiving additional network traffic directed to the first tenant, wherein the additional network traffic is associated with at least a second target network address; providing the second target network address as an additional input to the bi-directional address translation function; obtaining one or more additional outputs of the bi-directional address translation function, the one or more additional outputs including the first source host address associated with the networking device; and forwarding the received additional network traffic to the first host based on the first source host address.
- 3. The networking device of claim 1, wherein the operations further comprise: receiving additional network traffic associated with a second tenant associated with at least one of the first host or a second host, wherein the additional network traffic is associated with a second source host address of a second source host and a second target host address of a second target host associated with the network traffic; providing the second source host address and the second target host address as additional inputs to the bi-directional address translation function; obtaining one or more additional outputs of the bi-directional address translation function, the one or more additional outputs including a second source network address associated with the first host and a second target network address associated with the second target host; and forwarding the additional network traffic to an additional receiving device via an additional network channel associated with the second tenant based on the second source network address and the second target network address.
- 4. The networking device of claim 1, wherein the bi-directional address translation function comprises at least one of a bitmask function, a prefix modification function, or a bit value flip function.
- 5. The networking device of claim 1, wherein the operations further comprise: receiving an instruction from a network controller to initiate an isolation mode at the networking device; transmitting a response to the received instruction indicating that the isolation mode has been initiated at the networking device; and receiving the bi-directional address translation function from the network controller in response to transmitting the response.
- 6. The networking device of claim 5, wherein the instruction from the network controller comprises firmware commands for the networking device.
- 7. The networking device of claim 5, wherein the sent response to the received instruction comprises an indication of a set of networking device addresses associated with the networking device, and wherein at least a portion of the received bi-directional address translation function references one or more of the set of networking device addresses.
- 8. The networking device of claim 1, wherein forwarding the received network traffic of the first host via the network channel comprises: updating a header of one or more received network packets of the network traffic to include the first source network address as a source of the received network traffic and the first target network address as an endpoint of the received network traffic.
- 9. The networking device of claim 8, wherein the updated header comprises a tunnel header of the one or more network packets, and the endpoint comprises a tunnel endpoint.
- 10. The networking device of claim 1, wherein the networking device has a first networking device type, and wherein the amount of power consumed by the networking device is below a threshold amount of power, wherein the threshold amount of power corresponds to the amount of power consumed by networking devices having a second networking device type.
- 11. The networking device of claim 10, wherein the first networking device type is a simple NIC type and the second networking device type is a smart NIC type.
- 12. The networking device of claim 1, wherein the first source networking device comprises a first tunnel identifier and the first target networking device comprises a second tunnel identifier.
- 13. The networking device of claim 1, wherein the networking device is included in at least one of: a control system for an autonomous or semi-autonomous machine; a perception system for an autonomous or semi-autonomous machine; a system for performing a simulation operation; a system for performing digital twinning operations; a system for performing optical transmission simulation; a system for performing three-dimensional (3D) asset collaboration content creation; a system for performing a deep learning operation; a system implemented using edge devices; a system implemented using a robot; a system for performing a conversational AI operation; a system for performing operations using one or more large language models (LLMs); a system for performing operations using one or more small language models (SLMs); a system for performing operations using one or more visual language models (VLMs); a system for performing operations using one or more multimodal language models (MMLMs); a system for performing synthetic data generation; a system for generating synthetic data using AI; a system for presenting at least one of virtual reality content, augmented reality content, or mixed reality content; a system comprising one or more virtual machines (VMs); a system that uses or deploys one or more inference microservices; a system comprising one or more machine learning models deployed in a service or microservice and an operating-system-level virtualization software package; a system implemented at least partially in a data center; or a system implemented at least in part using cloud computing resources.
- 14. A method, comprising: receiving network traffic from a first tenant of a multi-tenant system, wherein the received network traffic is associated with a first source host address of a first source host assigned to the first tenant and a first target host address of a first target host associated with the network traffic; providing the first source host address and the first target host address as inputs to a bi-directional address translation function, wherein the bi-directional address translation function translates a given host address to a network address and translates a given network address to a host address; obtaining one or more outputs of the bi-directional address translation function, wherein the one or more outputs include a first source network address associated with the first source host and a first target network address associated with the first target host; and forwarding the received network traffic of the first tenant to the first target host via a network channel associated with the first tenant based on the first source network address and the first target network address.
- 15. The method of claim 14, further comprising: receiving additional network traffic directed to the first tenant, wherein the additional network traffic is associated with at least a second target network address; providing the second target network address as an additional input to the bi-directional address translation function; obtaining one or more additional outputs of the bi-directional address translation function, the one or more additional outputs including the first source host address associated with the networking device; and forwarding the received additional network traffic to the first host based on the first source host address.
- 16. The method of claim 14, further comprising: receiving additional network traffic associated with a second tenant associated with at least one of the first host or a second host, wherein the additional network traffic is associated with a second source host address of a second source host and a second target host address of a second target host associated with the network traffic; providing the second source host address and the second target host address as additional inputs to the bi-directional address translation function; obtaining one or more additional outputs of the bi-directional address translation function, the one or more additional outputs including a second source network address associated with the first host and a second target network address associated with the second target host; and forwarding the additional network traffic to an additional receiving device via an additional network channel associated with the second tenant based on the second source network address and the second target network address.
- 17. The method of claim 14, wherein the bi-directional address translation function comprises at least one of a bitmask function, a prefix modification function, or a bit value flip function.
- 18. The method of claim 14, further comprising: receiving an instruction from a network controller to initiate an isolation mode at the networking device; transmitting a response to the received instruction indicating that the isolation mode has been initiated at the networking device; and receiving the bi-directional address translation function from the network controller in response to transmitting the response.
- 19. The method of claim 18, wherein the instruction from the network controller comprises firmware commands for the networking device.
- 20. A non-transitory computer-readable medium containing instructions that, when executed by a set of one or more processors, cause the set of one or more processors to perform operations comprising: receiving network traffic from a first tenant of a multi-tenant system, wherein the received network traffic is associated with a first source host address of a first source host assigned to the first tenant and a first target host address of a first target host associated with the network traffic; providing the first source host address and the first target host address as inputs to a bi-directional address translation function, wherein the bi-directional address translation function translates a given host address to a network address and translates a given network address to a host address; obtaining one or more outputs of the bi-directional address translation function, wherein the one or more outputs include a first source network address associated with the first source host and a first target network address associated with the first target host; and forwarding the received network traffic of the first tenant to the first target host via a network channel associated with the first tenant based on the first source network address and the first target network address.
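As an added illustration of claims 1, 2, 4 and 8 (example code written for this page, not code from the patent or its assignee), the following Python models a stateless bi-directional translation function built from the two primitives claim 4 names, a prefix modification and a bit-value flip, together with the egress path (tenant host addresses to network addresses, wrapped in a tunnel header) and the ingress path (network address back to the host address). All prefixes, XOR masks and tunnel identifiers are constructed, and the dictionary standing in for a tunnel header is an assumption of this example, not the patent's encapsulation format.

```python
# Added example (not the patent's own code): a stateless, bidirectional
# host<->network address translation of the kind the claims describe, built
# from a prefix modification and a bit-value flip. Every prefix, mask and
# tunnel identifier below is constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

LOW64 = (1 << 64) - 1  # interface-identifier half of an IPv6 address


@dataclass(frozen=True)
class TranslationFunction:
    """Per-tenant parameters a network controller would hand to the NIC.

    Both directions are computed from the input address and these fixed
    values alone; no per-flow table is consulted, so the translation is
    stateless and the same function serves egress and ingress.
    """
    host_net: IPv6Network     # /64 the tenant sees on its bare-metal host
    network_net: IPv6Network  # provider-side /64 used on the tenant's channel
    flip_mask: int            # XOR mask applied to the low 64 bits (bit flip)
    tunnel_id: int            # identifier of the tenant's network channel

    def __post_init__(self):
        if self.host_net.prefixlen != 64 or self.network_net.prefixlen != 64:
            raise ValueError("this example assumes /64 host and network blocks")
        if not 0 <= self.flip_mask <= LOW64:
            raise ValueError("flip mask must fit in the low 64 bits")

    def _translate(self, addr, src_net, dst_net):
        # Prefix modification only applies to addresses inside the expected
        # block; anything else is reported as untranslatable so the caller
        # drops it rather than steering it onto another tenant's channel.
        if addr not in src_net:
            return None
        low = (int(addr) & LOW64) ^ self.flip_mask              # bit-value flip
        return IPv6Address(int(dst_net.network_address) | low)  # prefix swap

    def host_to_network(self, addr):
        return self._translate(addr, self.host_net, self.network_net)

    def network_to_host(self, addr):
        # XOR is its own inverse, so the same mask undoes the flip.
        return self._translate(addr, self.network_net, self.host_net)


def forward_from_tenant(fn, src_host, dst_host, payload):
    """Egress path (claims 1 and 8): translate both host addresses and wrap
    the packet in a tunnel header carrying the network addresses and the
    tenant's tunnel identifier. Returns None when the packet must be dropped."""
    src_net = fn.host_to_network(src_host)
    dst_net = fn.host_to_network(dst_host)
    if src_net is None or dst_net is None:
        return None
    return {"tunnel_id": fn.tunnel_id, "outer_src": src_net,
            "outer_dst": dst_net, "payload": payload}


def deliver_to_tenant(fn, tunnel_packet):
    """Ingress path (claim 2): accept only the tenant's own channel, translate
    the outer destination back to a host address and strip the tunnel header."""
    if tunnel_packet["tunnel_id"] != fn.tunnel_id:
        return None
    dst_host = fn.network_to_host(tunnel_packet["outer_dst"])
    if dst_host is None:
        return None
    return {"dst_host": dst_host, "payload": tunnel_packet["payload"]}


def demo():
    """Constructed walk-through with two tenants on disjoint network blocks."""
    tenant_a = TranslationFunction(IPv6Network("fd00:a::/64"),
                                   IPv6Network("2001:db8:a::/64"),
                                   0x5A5A5A5A5A5A5A5A, 0xA)
    tenant_b = TranslationFunction(IPv6Network("fd00:b::/64"),
                                   IPv6Network("2001:db8:b::/64"),
                                   0xC3C3C3C3C3C3C3C3, 0xB)
    src, dst = IPv6Address("fd00:a::1"), IPv6Address("fd00:a::2")
    egress = forward_from_tenant(tenant_a, src, dst, b"hello")
    back = deliver_to_tenant(tenant_a, egress)
    # Tenant A addressing a host in tenant B's block: untranslatable, dropped.
    cross = forward_from_tenant(tenant_a, src, IPv6Address("fd00:b::1"), b"x")
    # Tenant A's tunnel packet presented to tenant B's function: wrong channel.
    wrong_channel = deliver_to_tenant(tenant_b, egress)
    edges = (IPv6Address("fd00:a::"), IPv6Address("fd00:a::ffff:ffff:ffff:ffff"))
    return {
        "outer_src": str(egress["outer_src"]),
        "outer_dst": str(egress["outer_dst"]),
        "round_trip_dst": str(back["dst_host"]),
        "cross_tenant_dropped": cross is None,
        "wrong_channel_dropped": wrong_channel is None,
        "round_trip_holds": all(
            tenant_a.network_to_host(tenant_a.host_to_network(a)) == a for a in edges),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the prefix check in `_translate` is the isolation property: a tenant's function can only ever produce addresses inside that tenant's own network block, so a packet aimed at another tenant's host address has no translation and is dropped at the NIC instead of being encapsulated. Because the function is pure, a controller can audit a tenant's isolation offline by checking that the network blocks it hands out to different tenants do not overlap.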
Description
Stateless address translation in a multi-tenant cloud environment
Related Applications
This application claims the benefit of U.S. provisional patent application No. 63/716,859, filed on November 6, 2024, the entire contents of which are incorporated herein by reference.
Technical Field
Various aspects and embodiments of the present disclosure relate to methods and systems for stateless address translation in a multi-tenant cloud environment.
Background
In a multi-tenant system, bare metal isolation refers to enforcing strict network and resource isolation between tenants that are each assigned dedicated computing resources (referred to as bare metal hosts). Unlike virtualized environments, where cloud providers can rely on hypervisors to enforce isolation, bare metal tenants pose a unique challenge because the provider does not control the tenant's operating system or software stack. Networking devices of the multi-tenant system are therefore configured to block network traffic originating from one tenant's host from reaching another tenant's resources or network domains.
Drawings
Various aspects and embodiments of the present disclosure will be more fully understood from the following detailed description and the accompanying drawings, which are presented for explanation and understanding only and should not be taken to limit the disclosure to specific aspects or embodiments.
- FIG. 1 is a block diagram of an example system architecture in accordance with at least one embodiment.
- FIG. 2 is a block diagram of an example networking device and an example network controller of a multi-tenant system in accordance with at least one embodiment.
- FIG. 3 illustrates a flow diagram of an example method of stateless address translation in a multi-tenant cloud environment in accordance with at least one embodiment.
- FIG. 4 illustrates a flow diagram of another example method of stateless address translation in a multi-tenant cloud environment in accordance with at least one embodiment.
- FIG. 5A illustrates a hardware structure of inference and/or training logic in accordance with at least one embodiment.
- FIG. 5B illustrates a hardware structure of inference and/or training logic in accordance with at least one embodiment.
- FIG. 6 illustrates an example data center system in accordance with at least one embodiment.
- FIG. 7 illustrates a computer system in accordance with at least one embodiment.
- FIG. 8 illustrates a computer system in accordance with at least one embodiment.
- FIG. 9 illustrates at least a portion of a graphics processor in accordance with one or more embodiments.
- FIG. 10 illustrates at least a portion of a graphics processor in accordance with one or more embodiments.
- FIG. 11 is an example data flow diagram for an advanced computing pipeline in accordance with at least one embodiment.
- FIG. 12 is a system diagram of an example system for training, adapting, instantiating, and deploying a machine learning model in an advanced computing pipeline in accordance with at least one embodiment.
- FIGS. 13A and 13B illustrate a data flow diagram of a process for training a machine learning model, and a client-server architecture for enhancing an annotation tool with a pre-trained annotation model, in accordance with at least one embodiment.
Detailed Description
Aspects of the present disclosure generally relate to stateless address translation in a multi-tenant cloud environment. In modern cloud computing environments, a system may allocate system resources (e.g., computing resources such as servers) to different tenants. These resources are called bare metal hosts. Each tenant can run its own operating system and applications directly on the bare metal host's resources, without a hypervisor or virtual machine abstraction layer. This approach is known as bare metal leasing and is becoming increasingly popular for workloads with high-performance, low-latency, or specific hardware requirements. However, bare metal leasing presents significant challenges for network security and management, especially in multi-tenant data centers where multiple tenants may share the same physical infrastructure. For example, it is difficult for a system to enforce strict isolation between tenants and to ensure that network traffic from one tenant does not access or interfere with another tenant's resources. Bare metal isolation refers to a mechanism or technique implemented by a system that prevents network traffic originating from a first tenant's host from reaching a second tenant's network domain or resources. In a virtualized environment, isolation may be enforced by a hypervisor that controls and filters network traffic at the software level. Because a cloud system provider cannot access or control a tenant's operating system or applications, the provider cannot rely on host-based controls to achieve network isolation.