EP-4736374-A1 - EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE
Abstract
Techniques for enforcing an egress policy at a target service are described. In an example, traffic is generated for a customer, where the traffic is generated by a customer network of the customer, such as a customer tenancy or an on-premise network, or by a multi-tenancy service on behalf of the customer. The traffic can be destined to the target service. The traffic can be tagged by the customer network (e.g., by a gateway of the customer network) or by the multi-tenancy service. The customer network can be associated with the egress policy. The target service can determine the egress policy based on the information tagged to the traffic and can enforce the egress policy on the traffic that the target service is receiving.
Inventors
- NAGARAJA, GIRISH
- SLEEMAN, MARTIN JOHN
- BAKITA, THOMAS RAY
- STOCKTON, RICHARD BENJAMIN
- LEVIN, TROY ARI
- CHOI, Jinsu
- ANDREWS, THOMAS JAMES
Assignees
- Oracle International Corporation
Dates
- Publication Date
- 20260506
- Application Date
- 20240628
Claims (1)
- WHAT IS CLAIMED IS:
- 1. A computer-implemented method comprising: receiving, by a service of a service tenancy of a cloud infrastructure, traffic of a customer that is associated with a customer tenancy hosted by the cloud infrastructure, wherein the traffic is received from a network location and is destined to the service of the service tenancy, wherein the network location includes either a first network location of a network associated with the customer or a second network location of a multi-service tenancy hosting services for multiple customer tenancies; determining, by the service of the service tenancy, an action to be performed on the traffic based on an egress policy associated with the customer tenancy, wherein the action includes either allowing or disallowing the traffic, and wherein the egress policy indicates whether the traffic is to be allowed or disallowed based on the network location; and performing, by the service of the service tenancy, the action on the traffic.
- 2. The computer-implemented method of claim 1, wherein the traffic is received from the first network location, wherein the first network location belongs to an on-premise network of the customer or is associated with a cloud identifier such that the first network location is represented as belonging to a virtual cloud network of the customer tenancy.
- 3. The computer-implemented method of claim 1, wherein the traffic is received from the first network location, wherein the first network location belongs to an on-premise network of the customer or is associated with a cloud identifier (CID) such that the first network location is represented as belonging to a virtual cloud network of the customer tenancy, and wherein the CID is generated based on a registration of the first network location.
- 4. The computer-implemented method of claim 1, wherein the traffic is received from the first network location, wherein the customer tenancy includes a virtual cloud network, and wherein the first network location belongs to the virtual cloud network.
- 5. The computer-implemented method of claim 1, wherein the traffic is received from the second network location, wherein the second network location corresponds to a gateway that handles egress traffic of the services and tags the traffic as being associated with the customer tenancy.
- 6. The computer-implemented method of claim 1, wherein the traffic is received from the second network location, wherein the second network location corresponds to a gateway that handles egress traffic of the services and tags the traffic with a cloud identifier (CID) to indicate that the traffic is associated with the customer tenancy, and wherein the CID is generated based on a registration of a service by the multi-service tenancy for the customer tenancy.
- 7. The computer-implemented method of any of the preceding claims, wherein the traffic is tagged by a gateway corresponding to the network location with an identifier of the network location, wherein the identifier is different from an internet protocol address.
- 8. The computer-implemented method of claim 7, wherein the identifier includes a data plane identifier (DPID), wherein the DPID is translated into a cloud identifier (CID) by the cloud infrastructure, and wherein the CID is used to determine the egress policy by the cloud infrastructure.
- 9. The computer-implemented method of any of the preceding claims, wherein the traffic includes network information, wherein the network information includes a first identifier of a network from which the traffic originated, a source internet protocol (IP) address, and a second identifier of the network location from which the traffic egresses the network, and wherein determining the action comprises: sending, to a data store storing egress policies, at least a portion of the network information, wherein the portion includes the second identifier; and receiving a response indicating the action, wherein the response is generated based on the egress policy.
- 10. The computer-implemented method of any of claims 1 to 8, wherein the traffic includes network information, wherein the network information includes a first identifier of a network from which the traffic originated, a source internet protocol (IP) address, and a second identifier of the network location from which the traffic egresses the network, and wherein determining the action comprises: sending at least a portion of the network information, wherein the portion includes the second identifier; receiving a first response indicating a third identifier of the network location, wherein the third identifier corresponds to a translation of the second identifier; sending, to a data store storing egress policies, at least the third identifier; and receiving a second response indicating the action, wherein the second response is generated based on the egress policy.
- 11. The computer-implemented method of any of the preceding claims, wherein the traffic includes network information, wherein the network information includes a first identifier of a virtual cloud network from which the traffic originated, a source internet protocol (IP) address, and a data plane identifier (DPID) of the network location from which the traffic egresses the network.
- 12. The computer-implemented method of claim 11, wherein the network information is included in one or more IP options fields of a packet that represents the traffic.
- 13. The computer-implemented method of claim 12, wherein receiving the traffic includes receiving a Hypertext Transfer Protocol (HTTP) or a proxy protocol version two (PPV2) header that includes a cloud identifier (CID) corresponding to a translation of the DPID, and wherein determining the action comprises: sending, to an identity data plane, at least the CID; and receiving a response from the identity data plane indicating the action, wherein the response is generated by the identity data plane based on the egress policy.
- 14. A system comprising: one or more processors; and one or more memory storing instructions that, upon execution by the one or more processors, configure the system to provide a service of a service tenancy of a cloud infrastructure, wherein the service is configured to: receive traffic of a customer that is associated with a customer tenancy hosted by the cloud infrastructure, wherein the traffic is received from a network location and is destined to the service of the service tenancy, wherein the network location includes either a first network location of a network associated with the customer or a second network location of a multi-service tenancy hosting services for multiple customer tenancies; determine an action to be performed on the traffic based on an egress policy associated with the customer tenancy, wherein the action includes either allowing or disallowing the traffic, and wherein the egress policy indicates whether the traffic is to be allowed or disallowed based on the network location; and perform the action on the traffic.
- 15. The system of claim 14, wherein the traffic is received from the first network location, wherein the first network location belongs to an on-premise network of the customer or is associated with a cloud identifier such that the first network location is represented as belonging to a virtual cloud network of the customer tenancy.
- 16. The system of claim 14, wherein the traffic is received from the first network location, wherein the customer tenancy includes a virtual cloud network, and wherein the first network location belongs to the virtual cloud network.
- 17. The system of claim 14, wherein the traffic is received from the second network location, wherein the second network location corresponds to a gateway that handles egress traffic of the services and tags the traffic as being associated with the customer tenancy.
- 18. One or more computer-readable storage media storing instructions that, upon execution on a system, cause the system to perform operations comprising providing a service of a service tenancy of a cloud infrastructure, wherein the service is configured to: receive traffic of a customer that is associated with a customer tenancy hosted by the cloud infrastructure, wherein the traffic is received from a network location and is destined to the service of the service tenancy, wherein the network location includes either a first network location of a network associated with the customer or a second network location of a multi-service tenancy hosting services for multiple customer tenancies; determine an action to be performed on the traffic based on an egress policy associated with the customer tenancy, wherein the action includes either allowing or disallowing the traffic, and wherein the egress policy indicates whether the traffic is to be allowed or disallowed based on the network location; and perform the action on the traffic.
- 19. The one or more computer-readable storage media of claim 18, wherein the traffic is tagged by a gateway corresponding to the network location with an identifier of the network location, wherein the identifier is different from an internet protocol address.
- 20. The one or more computer-readable storage media of claim 19, wherein the identifier includes a data plane identifier (DPID), wherein the DPID is translated into a cloud identifier (CID), and wherein the CID is used to determine the egress policy.
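The claims describe one enforcement pipeline at the target service: a gateway tags egress traffic with a network identifier, a source IP and a DPID (claims 7, 11, 12), the DPID is translated into a CID (claims 8, 10), and the CID is checked against the customer tenancy's egress policy to yield allow or disallow (claims 1, 9, 13). The following Python model is an added example written for this page; it is not Oracle's code and the patent specifies no wire format, so the IPv4 option type, the TLV layout, the registration tables, the `x-egress-cid` header name and the policy schema are all assumptions chosen for illustration. It models both the direct flow (tag carried in IP options) and the indirect flow (CID already supplied in a request header) and rejects malformed tags and unregistered locations.

```python
"""Added example (not from the patent): egress-policy enforcement at the
target service.  Wire format, identifiers and policy schema are assumed."""
import ipaddress
from dataclasses import dataclass

# Assumed IPv4 option type the gateway uses to tag traffic (claim 12).
TAG_OPTION_TYPE = 0x9E
MAX_IPV4_OPTIONS_LEN = 40  # the IPv4 header has at most 40 bytes of options


@dataclass(frozen=True)
class NetworkInfo:
    vcn_id: str   # first identifier: the network the traffic originated from
    src_ip: str   # source IP address
    dpid: str     # data plane id of the egress location (not an IP address)


def encode_tag_option(info: NetworkInfo) -> bytes:
    """Gateway side: pack the network information into one IPv4 option (TLV)."""
    fields = (info.vcn_id.encode(),
              ipaddress.IPv4Address(info.src_ip).packed,
              info.dpid.encode())
    payload = b"".join(bytes([len(f)]) + f for f in fields)
    length = 2 + len(payload)                      # type byte + length byte + payload
    if length > MAX_IPV4_OPTIONS_LEN:
        raise ValueError("tag does not fit in the IPv4 option space")
    return bytes([TAG_OPTION_TYPE, length]) + payload


def decode_tag_option(option: bytes) -> NetworkInfo:
    """Service side: parse the tag, rejecting malformed or truncated options."""
    if len(option) < 2 or option[0] != TAG_OPTION_TYPE or option[1] != len(option):
        raise ValueError("not a well-formed tag option")
    fields, pos = [], 2
    for _ in range(3):                             # exactly three length-prefixed fields
        if pos >= len(option):
            raise ValueError("truncated tag option")
        n = option[pos]
        field = option[pos + 1:pos + 1 + n]
        if len(field) != n:
            raise ValueError("truncated tag field")
        fields.append(field)
        pos += 1 + n
    if pos != len(option):
        raise ValueError("trailing bytes in tag option")
    vcn, ip, dpid = fields
    return NetworkInfo(vcn.decode(), str(ipaddress.IPv4Address(ip)), dpid.decode())


# Constructed registration data (claims 3, 6, 8): DPID -> CID, CID -> owning tenancy.
# "cid-sgw-svc-x" stands for a service registered by a multi-service tenancy on
# behalf of tenancy-a (the indirect flow).
DPID_TO_CID = {"dp-0a1": "cid-sgw-cust-a", "dp-0b2": "cid-sgw-svc-x"}
CID_TO_TENANCY = {"cid-sgw-cust-a": "tenancy-a", "cid-sgw-svc-x": "tenancy-a"}

# Constructed egress policies keyed by customer tenancy.  A rule matches when the
# egress location CID is in its set; the first match decides.  Assumed default:
# no matching rule, or an unknown location, yields "deny".
EGRESS_POLICIES = {
    "tenancy-a": [
        {"action": "allow", "locations": {"cid-sgw-cust-a"}},
        {"action": "deny", "locations": {"cid-sgw-svc-x"}},
    ],
}


def translate_dpid(dpid: str) -> str:
    """Translation step (claims 8, 10); an unregistered DPID is an error, not a pass."""
    try:
        return DPID_TO_CID[dpid]
    except KeyError:
        raise LookupError(f"unregistered DPID {dpid!r}") from None


def evaluate_policy(cid: str) -> str:
    """Identity data plane side: decide the action from the tenancy's egress policy."""
    tenancy = CID_TO_TENANCY.get(cid)
    if tenancy is None:
        return "deny"
    for rule in EGRESS_POLICIES.get(tenancy, []):
        if cid in rule["locations"]:
            return rule["action"]
    return "deny"


def enforce_direct_flow(option: bytes) -> str:
    """Direct flow (claims 9-12): IP option tag -> DPID -> CID -> policy decision."""
    info = decode_tag_option(option)
    return evaluate_policy(translate_dpid(info.dpid))


def enforce_indirect_flow(headers: dict) -> str:
    """Indirect flow (claim 13): the CID arrives in an HTTP/PPV2 header (assumed
    name "x-egress-cid"); a request without it cannot be attributed, so deny."""
    cid = headers.get("x-egress-cid")
    return "deny" if cid is None else evaluate_policy(cid)


if __name__ == "__main__":
    tag = encode_tag_option(NetworkInfo("vcn-a", "10.0.1.5", "dp-0a1"))
    print(decode_tag_option(tag), enforce_direct_flow(tag))
    print(enforce_indirect_flow({"x-egress-cid": "cid-sgw-svc-x"}))
```

The design point worth noting is that the policy is keyed on the translated CID of the egress location, never on the source IP: the IP in the tag is carried for logging and correlation, but as the claims state the location identifier is deliberately different from an IP address, so a spoofed or reused address does not change the decision.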
Description
PATENT Attorney Docket No.: 088325-1428046-418210PC Client Reference No.: ORC23137498-WO-PCT-2 (IaaS #644.2)
EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This international patent application claims priority to U.S. Patent Application No. 18/375,366, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM SERVICE TENANCY,” 18/375,374, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” 18/375,387, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY DEFINITION AND ENFORCEMENT AT TARGET SERVICE,” which claims the benefit and priority under 35 U.S.C. 119(e) of U.S. Provisional Patent Application No. 63/524,550, filed June 30, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” and of U.S. Provisional Patent Application No. 63/524,539, filed June 30, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” and 18/375,382, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM CUSTOMER NETWORK,” which claims the benefit and priority under 35 U.S.C. 119(e) of U.S. Provisional Patent Application No. 63/524,539, filed June 30, 2023, the contents of which are herein incorporated by reference in their entirety for all purposes.
FIELD
[0002] The present disclosure relates to virtualized cloud environments. Techniques are described for egress traffic policy enforcement at a target service.
BACKGROUND
[0003] The last few years have seen a dramatic increase in the adoption of cloud services, and this trend is only going to continue. Various cloud environments are provided by different cloud service providers (CSPs), each cloud environment providing a set of one or more cloud services. The set of cloud services offered by a cloud environment may include one or more different types of services, including but not restricted to Software-as-a-Service (SaaS) services, Infrastructure-as-a-Service (IaaS) services, Platform-as-a-Service (PaaS) services, and others.
[0004] As organizations increasingly rely on cloud services for their operations, there is a growing need for improved security measures to control network traffic and ensure data integrity.
BRIEF SUMMARY
[0005] Some embodiments of the present disclosure relate to performing an action on traffic that originates from a network and is destined to a service of a service tenancy. Such traffic can be referred to as egress traffic because it egresses from the network. In an example, the network is a virtual cloud of a customer that is associated with a customer tenancy. In another example, the network is an on-premise network of the customer. In both examples, the egress traffic can correspond to a direct traffic flow because the traffic egresses directly from a network of the customer. In yet another example, the network belongs to a multi-customer tenancy that provides services to different customers. In this example, the egress traffic can correspond to an indirect traffic flow because the traffic egresses from the multi-customer tenancy on behalf of the customer. In all three examples, the customer can define an egress policy that specifies an action to be performed (e.g., allow traffic, disallow traffic, allow a write operation, etc.) based on a set of conditions being met. One such condition can indicate a network location that belongs to the network and from which the traffic egresses. For example, the network location can correspond to a gateway (e.g., a service gateway). As such, if the traffic egresses from the network location, the action can be performed on the traffic. Enforcement of the egress policy can be performed by the service to which the traffic is destined. For example, the service can determine the action to be performed by making an application programming interface (API) call to a policy evaluator, where this call can indicate some or all of the values of the conditions (e.g., by including an identifier of the network location). The policy evaluator can respond with an indication of the action to be performed.
[0006] In the direct traffic flow examples, the network location from which the traffic egresses out of the network (e.g., the service gateway) can tag the traffic with information not only about the network but also about the network location. For example, this information can include an identifier of the network, a source internet protocol (IP) address, and an identifier of the network location (e.g., a data plane identifier (DPID) that is different from a network address of the network location such as its IP address). This information can be included in one or more IP options fields in a packet that represents a portion of the traffic.
[0007] In the indirect traffic flow examples, the network location from w