
EP-4407489-B1 - GLOBAL POLICY CONFIGURATION FOR NETWORK MANAGEMENT SERVICE OPERATING IN PUBLIC CLOUD


Inventors

  • MAKHIJANI, Shailesh
  • BOKARE, NIKHIL
  • VIGNERON, THOMAS PIERRE LABOR
  • WAGH, RUSHIKESH
  • VAIDYA, SACHIN MOHAN
  • MARGARIAN, Pavlush
  • DORR, JOSH
  • BHANDARI, VAIBHAV

Dates

Publication Date
20260506
Application Date
20240124

Claims (15)

  1. A method of managing policy for a logical network spanning a plurality of datacenters (110, 115, 120) that includes at least first (115) and second (110, 120) datacenters, the method comprising: at a network management service (140) operating in a public cloud to manage the plurality of datacenters (110, 115, 120): receiving a first policy configuration (2205) specifying logical network policy at the first datacenter (115) from a first local network manager (130) at the first datacenter (115) and a second policy configuration (2210) specifying logical network policy at the second datacenter (110; 120) from a second local network manager (125, 135) at the second datacenter (110; 120); consolidating the first (2205) and second (2210) policy configurations into a global policy configuration (2300) that also includes policy configuration (2310) defined at the network management service (140); and using the global policy configuration (2300) to manage the policy configurations for the logical network at the plurality of datacenters (110, 115).
  2. The method of claim 1, wherein the first policy configuration (2205) is stored as a first policy tree at the first local network manager (130) and the second policy configuration (2210) is stored as a second policy tree at the second local network manager (125, 135).
  3. The method of claim 2, wherein the global policy configuration (2300) is stored as a third policy tree that incorporates at least portions of the first and second policy trees.
  4. The method of claim 3, wherein: the third policy tree comprises a set of sub-trees; and portions of the first and second policy trees are incorporated into a particular sub-tree of the third policy tree.
  5. The method of claim 4, wherein within the particular sub-tree, the network management service (140) adds site identifiers to nodes from the first policy tree and nodes of the second policy tree in order to differentiate elements that have the same name in the first and second policy trees.
  6. The method of claim 4, wherein: a particular portion of the first policy tree defines a sub-network at the first datacenter (115); and the particular portion of the first policy tree is incorporated into a separate sub-tree of the third policy tree.
  7. The method of claim 6, wherein: the plurality of datacenters (110, 115) belongs to an enterprise that is a tenant (T1) of a network management system (100) that includes the network management service (140); and the sub-network is a network defined at the first datacenter (115) for a sub-tenant of the enterprise.
  8. The method of claim 4 further comprising: receiving a definition of a sub-network at the network management service (140), the sub-network spanning at least the first (115) and second (110, 120) datacenters; storing the definition of the sub-network as a separate sub-tree of the third policy tree; and providing the separate sub-tree to the first and second local network managers for the first and second local network managers to incorporate the separate sub-tree into the first and second policy trees, respectively.
  9. The method of any one of the claims 1 to 8, further comprising: receiving, at the network management service (140), a modification to the logical network policy at the first datacenter (115); updating the global policy configuration (2300) based on the received modification; and providing the modification to the first local network manager for the first local network manager to update the first policy configuration based on the modification.
  10. The method of any one of the claims 1 to 9, wherein the first policy configuration defines at least logical forwarding elements implemented by physical network elements at the first datacenter (115) and security policy enforced by the physical network elements at the first datacenter (115).
  11. The method of any one of the claims 1 to 10, wherein: the network management service (140) operates in a container cluster (105) of the public cloud; and a plurality of additional network management services (150) operate in the container cluster (105) to manage additional pluralities of datacenters (120).
  12. The method of claim 11, wherein: the plurality of datacenters (110, 115) belong to a first tenant (T1) of a network management system (100) and the additional pluralities of datacenters (120) belong to additional tenants of the network management system (100); and the network management service (140) and the additional network management services (150) are isolated from each other.
  13. The method of any one of the claims 1 to 12, wherein the public cloud is a first public cloud, wherein the first datacenter (115) is a physical on-premises datacenter of the first tenant and the second datacenter (120) is a virtual datacenter of the second tenant operating in a second public cloud.
  14. The method of any one of the claims 1 to 13, wherein the policy configuration defined at the network management service (140) is defined by a network administrator.
  15. A non-transitory machine-readable medium having stored thereon instructions which, when executed by at least one processing unit, cause the processing units to carry out the method of any one of claims 1 to 14.

Description

BACKGROUND

Network management services (e.g., policy management, network monitoring, etc.) have mostly been contained to managing networks at a single datacenter, with recent innovations allowing for certain features to be managed at a higher level in order to enable logical networks that span multiple datacenters. Even in this latter case, the network management system typically operates within one of these datacenters owned by the entity. However, more applications are moving to the cloud. Providing a cloud-based network management system presents numerous challenges that must be overcome. Document US 2022/350675 discloses managing containerized applications across multiple clusters (e.g., Kubernetes clusters) in a hybrid datacenter environment. Document US 2018/234459 discloses automatically configuring native, network level security mechanisms within computer networks using security policies.

BRIEF SUMMARY

The invention is defined by the appended claims. Some embodiments of the invention provide a cloud-based network management and monitoring system capable of managing multiple tenant networks that are each distributed across one or more datacenters. The tenant networks, in some embodiments, can include multiple different types of datacenters. For instance, a given tenant network may include a combination of on-premises and/or branch datacenters (i.e., physical datacenters using the tenant's infrastructure) as well as virtual datacenters that operate in a public cloud (but with network management components incorporated into the virtual datacenter). In some embodiments, the network management and monitoring system (hereafter referred to as the network management system) deploys one or more service instances in the cloud for each group of datacenters. These group-specific services may include a policy management service, a network flow monitoring service, and a threat monitoring service.
In some embodiments, upon defining a group of datacenters for the network management system to manage, a tenant selects which of these services should be deployed for the group of datacenters, and the network management system deploys instances of these services in the cloud. As the network management system manages multiple different datacenter groups, multiple instances of each service are deployed in the public cloud (i.e., one or more service instances for each datacenter group). Different tenants may specify different sets of network management services for their respective datacenter groups. In fact, a single tenant might have multiple datacenter groups and can define separate (and different) sets of network management services (e.g., a tenant might only want threat monitoring for one of the datacenter groups).

The network management system, in some embodiments, is deployed in a container cluster (e.g., a Kubernetes cluster) within the public cloud. In some such embodiments, each of the different network management services is implemented as a group of microservices. Each service includes multiple microservices that perform different functions within the service. For instance, a policy management service (that manages logical network policy for a logical network spanning a group of datacenters) could include a database microservice (e.g., a Corfu database service that stores network policy configuration via a log), a channel management microservice (e.g., for managing asynchronous replication channels that push configuration to each of the datacenters managed by the policy management service), an API microservice (for handling API requests from users to modify and/or query for policy), and a span calculation microservice (for identifying which atomic policy configuration data should be sent to which datacenters), among other microservices.
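The following Python is an added illustration of two things the page describes: the consolidation of per-site policy trees into a global policy tree (claims 1 to 9: site identifiers appended to node names so that same-named elements from different datacenters stay distinct, sub-networks kept as separate sub-trees, and a site-local modification received at the service being propagated back to the owning local manager) and the span calculation the description attributes to the policy management service (which atomic policy nodes go to which datacenters). It is not code from the patent or from any product; the class, function and site names, the node kinds and the sample policy are all assumptions constructed for the example.

```python
"""Added example: global policy tree consolidation and span calculation.
Not code from the patent; every name and sample value below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PolicyNode:
    """One element of a policy tree: a segment, a firewall rule, a sub-network."""
    name: str
    kind: str
    attrs: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)   # child name -> PolicyNode
    origin: str = "service"           # site id of the owning local manager, or "service"
    span: frozenset = frozenset()     # site ids that must realize the node; empty = inherit

    def add(self, child: "PolicyNode") -> "PolicyNode":
        self.children[child.name] = child
        return child


def _tag(node: PolicyNode, site_id: str) -> PolicyNode:
    """Copy a local node into the global namespace as name@site (claim 5) so that
    same-named elements from different sites stay distinct; span is the owning site."""
    copy = PolicyNode(f"{node.name}@{site_id}", node.kind, dict(node.attrs),
                      origin=site_id, span=frozenset({site_id}))
    for child in node.children.values():
        copy.add(_tag(child, site_id))
    return copy


def consolidate(local_trees: dict, service_tree: PolicyNode) -> PolicyNode:
    """Build the global tree with three sub-trees: 'sites' (merged local policy,
    claim 4), 'subnetworks' (each sub-network as its own sub-tree, claims 6 and 8)
    and 'service' (policy defined at the network management service)."""
    root = PolicyNode("global", "root")
    sites = root.add(PolicyNode("sites", "subtree"))
    subnets = root.add(PolicyNode("subnetworks", "subtree"))
    service = root.add(PolicyNode("service", "subtree"))
    for site_id, tree in local_trees.items():
        for child in tree.children.values():
            target = subnets if child.kind == "subnetwork" else sites
            target.add(_tag(child, site_id))
    for child in service_tree.children.values():
        target = subnets if child.kind == "subnetwork" else service
        target.add(child)
    return root


def calculate_span(root: PolicyNode, all_sites: frozenset) -> dict:
    """Span calculation: site-tagged nodes go only to their own site, service-defined
    nodes go to every site unless an explicit span narrows them, children inherit."""
    per_site = {site: [] for site in all_sites}

    def walk(node: PolicyNode, path: str, inherited: frozenset) -> None:
        for child in node.children.values():
            child_path = f"{path}/{child.name}"
            span = child.span or inherited
            if child.kind != "subtree":
                for site in span:
                    per_site[site].append(child_path)
            walk(child, child_path, span)

    walk(root, "", all_sites)
    return {site: sorted(paths) for site, paths in per_site.items()}


def apply_modification(root: PolicyNode, site_id: str, name: str, changes: dict) -> set:
    """Claim 9: a change to one site's policy arrives at the service; update the
    global copy and return the sites whose local manager must receive it."""
    node = root.children["sites"].children.get(f"{name}@{site_id}")
    if node is None:
        raise KeyError(f"{name!r} is not defined at {site_id}")
    node.attrs.update(changes)
    return set(node.span)


def build_sample():
    """Constructed input: two on-site policy trees and the policy defined at the service."""
    site_a = PolicyNode("site-a", "root")
    site_a.add(PolicyNode("web", "segment", {"vlan": 10}))
    site_a.add(PolicyNode("allow-http", "firewall_rule", {"dport": 80, "action": "allow"}))
    tenant = site_a.add(PolicyNode("tenant-x", "subnetwork"))      # sub-tenant network, claim 7
    tenant.add(PolicyNode("app", "segment", {"vlan": 300}))

    site_b = PolicyNode("site-b", "root")
    site_b.add(PolicyNode("web", "segment", {"vlan": 20}))         # same name as site-a's "web"

    service = PolicyNode("service", "root")
    service.add(PolicyNode("deny-all-default", "firewall_rule", {"action": "drop"}))
    vpn = service.add(PolicyNode("shared-vpn", "subnetwork",
                                 span=frozenset({"site-a", "site-b"})))  # claim 8
    vpn.add(PolicyNode("vpn-seg", "segment", {"vlan": 500}))
    return {"site-a": site_a, "site-b": site_b}, service


if __name__ == "__main__":
    local, svc = build_sample()
    tree = consolidate(local, svc)
    for site, paths in calculate_span(tree, frozenset(local)).items():
        print(site, paths)
    print(apply_modification(tree, "site-a", "web", {"vlan": 11}))
```

The point of the name@site tagging is that both datacenters can keep a segment called "web" with different attributes without either overwriting the other in the global tree, while the span calculation still delivers each node only to the site that owns it; service-defined policy and the global sub-network reach both sites.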
Each of the different types of services has its own set of microservices that are deployed in the container cluster for each instance of the service. In addition to the datacenter-group-specific service instance, the network management system of some embodiments also includes (i) local managers at each of the datacenters managed by the network management system and (ii) multi-tenant services within the public cloud (e.g., within the container cluster implementing the network management system). The local managers are not within the public cloud, but rather operate at each of the datacenters and interact with the network management system service instances that manage their datacenter (as described further below). In some embodiments, for example, the network management system (e.g., a policy management service instance) managing a group of datacenters provides logical network configuration data to the local managers in each group, which in turn are responsible for ensuring that the logical network configuration is realized by physical network elements at their respective datacenters. The multi-tenant services, in some embodiments, are services that are not specific to any datacenter