EP-4736373-A1 - EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM SERVICE TENANCY
Abstract
Techniques for enforcing an egress policy at a target service are described. In an example, traffic is generated for a customer tenancy, where the traffic is generated by a multi-tenancy service. The traffic can be destined to the target service. The traffic can be tagged by the multi-tenancy service with information indicating that the traffic is egressing therefrom on behalf of the customer tenancy. The customer tenancy can be associated with the egress policy. The target service can determine the egress policy based on the information tagged to the traffic and can enforce the egress policy on the traffic that the target service is receiving.
Inventors
- NAGARAJA, GIRISH
- SLEEMAN, MARTIN JOHN
- BAKITA, THOMAS RAY
- STOCKTON, RICHARD BENJAMIN
- LEVIN, TROY ARI
- CHOI, Jinsu
- ANDREWS, THOMAS JAMES
Assignees
- Oracle International Corporation
Dates
- Publication Date
- 20260506
- Application Date
- 20240628
Claims (20)
- WHAT IS CLAIMED IS: 1. A computer-implemented method comprising: receiving, by a gateway having a network location that belongs to a multi-customer tenancy hosting services for multiple customer tenancies hosted by a cloud infrastructure, traffic of a first service hosted by the multi-customer tenancy for a customer, wherein the traffic is destined to a second service of a service tenancy of the cloud infrastructure, and wherein the customer is associated with a customer tenancy hosted by the cloud infrastructure; tagging, by the gateway, the traffic with a first identifier of the network location and a second identifier of the customer tenancy, wherein the first identifier is different from a network address of the gateway, wherein the first identifier and the second identifier are associated with an egress policy of the customer, and wherein the egress policy indicates whether the traffic is to be allowed or disallowed based on the network location; and sending, by the gateway, the traffic after being tagged to the second service of the service tenancy.
- 2. The computer-implemented method of claim 1, wherein the first identifier includes a data plane identifier (DPID) of the gateway.
- 3. The computer-implemented method of claim 2, wherein the DPID is translated into a cloud identifier (CID) by the cloud infrastructure, and wherein the CID is used to determine the egress policy by the cloud infrastructure.
- 4. The computer-implemented method of claim 3, wherein the CID is generated based on a registration of the network location by the customer in association with defining the egress policy.
- 5. The computer-implemented method of any of the preceding claims, wherein tagging the traffic comprises including, in the traffic, the first identifier, the second identifier, and a source internet protocol (IP) address.
- 6. The computer-implemented method of claim 5, wherein the first identifier, the second identifier, and the source IP address are included in one or more IP options fields of a packet that represents the traffic.
- 7. The computer-implemented method of claim 5, further comprising: receiving, by the second service of the service tenancy, the traffic; determining, by the second service of the service tenancy, an action to be performed on the traffic based on a lookup of the egress policy, wherein the action includes either allowing or disallowing the traffic, and wherein the lookup is based on the second identifier; and performing, by the second service of the service tenancy, the action on the traffic.
- 8. A system having a network location that belongs to a multi-customer tenancy hosting services for multiple customer tenancies hosted by a cloud infrastructure, the system comprising: one or more processors; and one or more memory storing instructions that, upon execution by the one or more processors, configure the system to: receive traffic of a first service hosted by the multi-customer tenancy for a customer, wherein the traffic is destined to a second service of a service tenancy of the cloud infrastructure, and wherein the customer is associated with a customer tenancy hosted by the cloud infrastructure; tag the traffic with a first identifier of the network location and a second identifier of the customer tenancy, wherein the first identifier is different from a network address of the gateway, wherein the first identifier and the second identifier are associated with an egress policy of the customer, and wherein the egress policy indicates whether the traffic is to be allowed or disallowed based on the network location; and send the traffic after being tagged to the second service of the service tenancy.
- 9. The system of claim 8, wherein the first identifier includes a data plane identifier (DPID) of the gateway.
- 10. The system of claim 9, wherein the DPID is translated into a cloud identifier (CID), and wherein the CID is used to determine the egress policy.
- 11. The system of claim 10, wherein the CID is generated based on a registration of the network location by the customer in association with defining the egress policy.
- 12. The system of any of claims 8 to 11, wherein tagging the traffic comprises including, in the traffic, the first identifier, the second identifier, and a source internet protocol (IP) address.
- 13. The system of claim 12, wherein the first identifier, the second identifier, and the source IP address are included in one or more IP options fields of a packet that corresponds to the traffic.
- 14. The system of claim 12, wherein the one or more memory store further instructions that, upon execution by the one or more processors, further configure the system to: receive, by the second service of the service tenancy, the traffic; determine, by the second service of the service tenancy, an action to be performed on the traffic based on a lookup of the egress policy, wherein the action includes either allowing or disallowing the traffic, and wherein the lookup is based on the second identifier; and perform, by the second service of the service tenancy, the action on the traffic.
- 15. One or more computer-readable storage media storing instructions that, upon execution on a system, cause the system to perform operations comprising: receiving traffic of a first service hosted by a multi-customer tenancy for a customer, wherein the traffic is destined to a second service of a service tenancy of a cloud infrastructure, and wherein the customer is associated with a customer tenancy hosted by the cloud infrastructure, the system having a network location that belongs to the multi-customer tenancy hosting services for multiple customer tenancies hosted by the cloud infrastructure; tagging the traffic with a first identifier of the network location and a second identifier of the customer tenancy, wherein the first identifier is different from a network address of the gateway, wherein the first identifier and the second identifier are associated with an egress policy of the customer, and wherein the egress policy indicates whether the traffic is to be allowed or disallowed based on the network location; and sending traffic after being tagged to the second service of the service tenancy.
- 16. The one or more computer-readable storage media of claim 15, wherein the first identifier includes a data plane identifier (DPID) of the gateway.
- 17. The one or more computer-readable storage media of claim 16, wherein the DPID is translated into a cloud identifier (CID), and wherein the CID is used to determine the egress policy.
- 18. The one or more computer-readable storage media of claim 17, wherein the CID is generated based on a registration of the network location by the customer in association with defining the egress policy.
- 19. The one or more computer-readable storage media of any of claims 15 to 18, wherein tagging the traffic comprises including, in the traffic, the first identifier, the second identifier, and a source internet protocol (IP) address.
- 20. The one or more computer-readable storage media of claim 19, wherein the first identifier, the second identifier, and the source IP address are included in one or more IP options fields of a packet that corresponds to the traffic.
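A minimal model of the tagging and enforcement the claims describe, added here as an illustration and not the patent's or Oracle's implementation: the gateway encodes the DPID, the customer tenancy identifier and the source IP in one IP option, and the target service parses that option, translates the DPID to a CID through a registration table and asks a policy evaluator for the action. The option kind value, the DPID, CID and tenancy values and the policy table are constructed assumptions; untagged or unregistered traffic is treated as disallowed, a fail-closed choice of this example rather than something the claims specify.

```python
import socket
import struct
from typing import NamedTuple

OPT_EGRESS_TAG = 0x9E   # hypothetical IP option kind for the egress tag (constructed, not from the patent)
TAG_FMT = "!II4s"       # option payload: DPID, customer tenancy id, source IPv4 address
TAG_LEN = 2 + struct.calcsize(TAG_FMT)   # kind + length octets + 12-byte payload = 14

class Packet(NamedTuple):
    src_ip: str
    options: bytes = b""   # raw IPv4 options list as (kind, length, data) entries

def tag_traffic(pkt: Packet, dpid: int, tenancy_id: int) -> Packet:
    """Gateway side: append one IP option carrying (DPID, tenancy id, source IP)."""
    payload = struct.pack(TAG_FMT, dpid, tenancy_id, socket.inet_aton(pkt.src_ip))
    return Packet(pkt.src_ip, pkt.options + bytes([OPT_EGRESS_TAG, TAG_LEN]) + payload)

def parse_tag(options: bytes):
    """Walk the options list; return (dpid, tenancy_id, src_ip) or None if absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of Options List
            return None
        if kind == 1:          # No-Operation: one octet, no length field
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return None        # truncated or bogus length: treat as untagged
        length = options[i + 1]
        if kind == OPT_EGRESS_TAG and length == TAG_LEN:
            dpid, tenancy_id, raw_ip = struct.unpack(TAG_FMT, options[i + 2:i + length])
            return dpid, tenancy_id, socket.inet_ntoa(raw_ip)
        i += length
    return None

# Constructed tables: DPID -> CID is filled when the customer registers the network location
# while defining the policy; the policy maps (tenancy id, CID) -> action.
DPID_TO_CID = {7001: "cid-sgw-a", 7002: "cid-sgw-b"}
EGRESS_POLICY = {42: {"cid-sgw-a": "allow", "cid-sgw-b": "disallow"}}

def evaluate_policy(tenancy_id: int, cid: str) -> str:
    """Policy evaluator API: action for this tenancy and location; default disallow (assumed fail-closed)."""
    return EGRESS_POLICY.get(tenancy_id, {}).get(cid, "disallow")

def enforce(pkt: Packet) -> str:
    """Target service side: read the tag, translate DPID to CID, apply the tenancy's egress policy."""
    tag = parse_tag(pkt.options)
    cid = DPID_TO_CID.get(tag[0]) if tag else None
    return evaluate_policy(tag[1], cid) if cid else "disallow"   # untagged or unregistered: disallow
```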
Description
PATENT Attorney Docket No. 088325-1428045-418200PC Client Reference No. ORC23137498-WO-PCT (IaaS #644.1)
EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM SERVICE TENANCY
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This international patent application claims priority to U.S. Patent Application No. 18/375,366, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM SERVICE TENANCY,” 18/375,374, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” 18/375,387, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY DEFINITION AND ENFORCEMENT AT TARGET SERVICE,” which claims the benefit and priority under 35 U.S.C. 119(e) of U.S. Provisional Patent Application No. 63/524,550, filed June 30, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” and of U.S. Provisional Patent Application No. 63/524,539, filed June 30, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” and 18/375,382, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM CUSTOMER NETWORK,” which claims the benefit and priority under 35 U.S.C. 119(e) of U.S. Provisional Patent Application No. 63/524,539, filed June 30, 2023, the contents of which are herein incorporated by reference in their entirety for all purposes.
FIELD
[0002] The present disclosure relates to virtualized cloud environments. Techniques are described for egress traffic policy enforcement at a target service.
BACKGROUND
[0003] The last few years have seen a dramatic increase in the adoption of cloud services, and this trend is only going to increase. Various different cloud environments are being provided by different cloud service providers (CSPs), each cloud environment providing a set of one or more cloud services. The set of cloud services offered by a cloud environment may include one or more different types of services including but not restricted to Software-as-a-Service (SaaS) services, Infrastructure-as-a-Service (IaaS) services, Platform-as-a-Service (PaaS) services, and others.
[0004] As organizations increasingly rely on cloud services for their operations, there is a growing need for improved security measures to control network traffic and ensure data integrity.
BRIEF SUMMARY
[0005] Some embodiments of the present disclosure relate to performing an action on traffic that originates from a network and is destined to a service of a service tenancy. Such traffic can be referred to as egress traffic because it egresses from the network. In an example, the network is a virtual cloud of a customer that is associated with a customer tenancy. In another example, the network is an on-premise network of the customer. In both examples, the egress traffic can correspond to a direct traffic flow because the traffic egresses directly from a network of the customer. In yet another example, the network belongs to a multi-customer tenancy that provides services to different customers. In this example, the egress traffic can correspond to an indirect traffic flow because the traffic egresses from the multi-customer tenancy on behalf of the customer. In all three examples, the customer can define an egress policy that specifies an action to be performed (e.g., allow traffic, disallow traffic, allow a write operation, etc.) based on a set of conditions being met. One such condition can identify a network location that belongs to the network and from which the traffic egresses. For example, the network location can correspond to a gateway (e.g., a service gateway). As such, if the traffic egresses from the network location, the action can be performed on the traffic. Enforcement of the egress policy can be performed by the service to which the traffic is destined. For example, the service can determine the action to be performed by making an application programming interface (API) call to a policy evaluator, where this call can indicate some or all of the values of the conditions (e.g., by including an identifier of the network location). The policy evaluator can respond with an indication of the action to be performed.
[0006] In the direct traffic flow examples, the network location from which the traffic egresses out of the network (e.g., the service gateway) can tag the traffic with information not only about the network but also about the network location. For example, this information can include an identifier of the network, a source internet protocol (IP) address, and an identifier of the network location (e.g., a data plane identifier (DPID) that is different from a network address of the network location such as its IP address). This information can be included in one or more IP options fields in a packet that represents a portion of the traffic.
[0007] In the indirect traffic flow examples