EP-4736375-A1 - EGRESS TRAFFIC POLICY DEFINITION AND ENFORCEMENT AT TARGET SERVICE

Abstract

Techniques for enforcing an egress policy at a target service are described. In an example, traffic is generated for a customer, where the traffic is generated by a customer network of the customer, such as a customer tenancy or an on-premise network. The traffic can be destined to the target service. The traffic can be tagged by the customer network (e.g., by a gateway of the customer network). The customer network can be associated with the egress policy. The customer can define the egress policy at different granularity levels by using different attributes. The target service can determine the egress policy based on the information tagged to the traffic and can enforce the egress policy, based on the customer-defined attributes, on the traffic that the target service is receiving.

Inventors

  • NAGARAJA, GIRISH
  • SLEEMAN, MARTIN JOHN
  • BAKITA, THOMAS RAY
  • STOCKTON, RICHARD BENJAMIN
  • LEVIN, TROY ARI
  • CHOI, Jinsu
  • ANDREWS, THOMAS JAMES

Assignees

  • Oracle International Corporation

Dates

Publication Date
20260506
Application Date
20240628

Claims (20)

WHAT IS CLAIMED IS:

  1. A computer-implemented method comprising: receiving, by a computing system, input of a customer indicating a network location and whether egress traffic of the customer is to be allowed or disallowed based on the network location, wherein the customer is associated with a customer tenancy hosted by a cloud infrastructure, wherein the network location includes either a first network location of a network associated with the customer or a second network location of a multi-service tenancy hosting services for multiple customer tenancies; generating, by the computing system, an egress policy based on the input, wherein the egress policy indicates whether the egress traffic is to be allowed or disallowed based on the network location; storing, by the computing system, the egress policy in a data store; and causing, by the computing system, a service of a service tenancy to enforce the egress policy on traffic sent from the network location, destined to the service of the service tenancy, and associated with the customer.
  2. The computer-implemented method of claim 1, wherein the egress policy indicates an authorized user to send the egress traffic outside the customer tenancy, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the traffic is associated with the customer tenancy and allowing the traffic to be processed by the service of the service tenancy.
  3. The computer-implemented method of claim 1 or 2, wherein the egress policy indicates a compute resource of the customer tenancy or any compute resource is authorized to send or request sending of the egress traffic, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the traffic is associated with a particular compute resource.
  4. The computer-implemented method of any of claims 1 to 3, wherein the egress policy indicates one or more network locations defined by the customer and from which the egress traffic can leave the network, all network gateways associated with the network, or all network locations used by customer instances, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the traffic is associated with the network location.
  5. The computer-implemented method of any of the preceding claims, wherein the egress policy indicates a type of action to be performed and the service of the service tenancy, wherein causing the service of the service tenancy to enforce the egress policy comprises performing the type of action by the service of the service tenancy on the traffic.
  6. The computer-implemented method of any of the preceding claims, wherein the egress policy indicates an authorized target to receive the egress traffic, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the authorized target includes the service of the service tenancy.
  7. The computer-implemented method of any of the preceding claims, wherein the egress policy indicates a condition to allow the egress traffic to leave the customer tenancy, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the condition is met.
  8. The computer-implemented method of any of the preceding claims, wherein the traffic is tagged with at least an identifier of the network location other than a network address of the network location.
  9. The computer-implemented method of claim 8, further comprising: receiving, by the service of the service tenancy, the traffic; determining, by the service of the service tenancy, an action to be performed on the traffic based on a lookup of the egress policy, wherein the action includes either allowing or disallowing the traffic, and wherein the lookup is based on the identifier; and performing, by the service of the service tenancy, the action on the traffic.
  10. A system comprising: one or more processors; and one or more memory storing instructions that, upon execution by the one or more processors, configure the system to: receive input of a customer indicating a network location and whether egress traffic of the customer is to be allowed or disallowed based on the network location, wherein the customer is associated with a customer tenancy hosted by a cloud infrastructure, wherein the network location includes either a first network location of a network associated with the customer or a second network location of a multi-service tenancy hosting services for multiple customer tenancies; generate an egress policy based on the input, wherein the egress policy indicates whether the egress traffic is to be allowed or disallowed based on the network location; store the egress policy in a data store; and cause a service of a service tenancy to enforce the egress policy on traffic sent from the network location, destined to the service of the service tenancy, and associated with the customer.
  11. The system of claim 10, wherein the egress policy indicates an authorized user to send the egress traffic outside the customer tenancy, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the traffic is associated with the customer tenancy and allowing the traffic to be processed by the service of the service tenancy.
  12. The system of claim 10 or 11, wherein the egress policy indicates a compute resource of the customer tenancy or any compute resource is authorized to send or request sending of the egress traffic, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the traffic is associated with a particular compute resource.
  13. The system of any of claims 10 to 12, wherein the egress policy indicates one or more network locations defined by the customer and from which the egress traffic can leave the network, all network gateways associated with the network, or all network locations used by customer instances, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the traffic is associated with the network location.
  14. The system of any of claims 10 to 13, wherein the egress policy indicates a type of action to be performed and the service of the service tenancy, wherein causing the service of the service tenancy to enforce the egress policy comprises performing the type of action by the service of the service tenancy on the traffic.
  15. The system of any of claims 10 to 14, wherein the egress policy indicates an authorized target to receive the egress traffic, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the authorized target includes the service of the service tenancy.
  16. The system of any of claims 10 to 15, wherein the egress policy indicates a condition to allow the egress traffic to leave the customer tenancy, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the condition is met.
  17. The system of any of claims 10 to 16, wherein the traffic is tagged with at least an identifier of the network location other than a network address of the network location.
  18. One or more computer-readable storage media storing instructions that, upon execution on a system, cause the system to perform operations comprising: receiving input of a customer indicating a network location and whether egress traffic of the customer is to be allowed or disallowed based on the network location, wherein the customer is associated with a customer tenancy hosted by a cloud infrastructure, wherein the network location includes either a first network location of a network associated with the customer or a second network location of a multi-service tenancy hosting services for multiple customer tenancies; generating an egress policy based on the input, wherein the egress policy indicates whether the egress traffic is to be allowed or disallowed based on the network location; storing the egress policy in a data store; and causing a service of a service tenancy to enforce the egress policy on traffic sent from the network location, destined to the service of the service tenancy, and associated with the customer.
  19. The one or more computer-readable storage media of claim 18, wherein the egress policy indicates an authorized user to send the egress traffic outside the customer tenancy, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the traffic is associated with the customer tenancy and allowing the traffic to be processed by the service of the service tenancy.
  20. The one or more computer-readable storage media of claim 18 or 19, wherein the egress policy indicates a compute resource of the customer tenancy or any compute resource is authorized to send or request sending of the egress traffic, wherein causing the service of the service tenancy to enforce the egress policy comprises determining that the traffic is associated with a particular compute resource.

Description

PATENT
Attorney Docket No.: 088325-1428048-418230PC
Client Reference No.: ORC23137498-WO-PCT-4 (IaaS #644.4)

EGRESS TRAFFIC POLICY DEFINITION AND ENFORCEMENT AT TARGET SERVICE

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This international patent application claims priority to U.S. Patent Application No. 18/375,366, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM SERVICE TENANCY,” 18/375,374, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” 18/375,387, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY DEFINITION AND ENFORCEMENT AT TARGET SERVICE,” which claims the benefit and priority under 35 U.S.C. 119(e) of U.S. Provisional Patent Application No. 63/524,550, filed June 30, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” and of U.S. Provisional Patent Application No. 63/524,539, filed June 30, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” and 18/375,382, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM CUSTOMER NETWORK,” which claims the benefit and priority under 35 U.S.C. 119(e) of U.S. Provisional Patent Application No. 63/524,539, filed June 30, 2023, the contents of which are herein incorporated by reference in their entirety for all purposes.

FIELD

[0002] The present disclosure relates to virtualized cloud environments. Techniques are described for egress traffic policy enforcement at a target service.

BACKGROUND

[0003] The last few years have seen a dramatic increase in the adoption of cloud services and this trend is only going to increase. Various different cloud environments are being provided by different cloud service providers (CSPs), each cloud environment providing a set of one or more cloud services. The set of cloud services offered by a cloud environment may include one or more different types of services including but not restricted to Software-as-a-Service (SaaS) services, Infrastructure-as-a-Service (IaaS) services, Platform-as-a-Service (PaaS) services, and others.

[0004] As organizations increasingly rely on cloud services for their operations, there is a growing need for improved security measures to control network traffic and ensure data integrity.

BRIEF SUMMARY

[0005] Some embodiments of the present disclosure relate to performing an action on traffic that originates from a network and is destined to a service of a service tenancy. Such traffic can be referred to as egress traffic because it egresses from the network. In an example, the network is a virtual cloud of a customer that is associated with a customer tenancy. In another example, the network is an on-premise network of the customer. In both examples, the egress traffic can correspond to a direct traffic flow because the traffic egresses directly from a network of the customer. In yet another example, the network belongs to a multi-customer tenancy that provides services to different customers. In this example, the egress traffic can correspond to an indirect traffic flow because the traffic egresses from the multi-customer tenancy on behalf of the customer. In all three examples, the customer can define an egress policy that specifies an action to be performed (e.g., allow traffic, disallow traffic, allow a write operation, etc.) based on a set of conditions being met. One of such conditions can indicate a network location belonging to the network and from which the traffic egresses from the network. For example, the network location can correspond to a gateway (e.g., a service gateway). As such, if the traffic egresses from the network location, the action can be performed on the traffic. Enforcement of the egress policy can be performed by the service to which the traffic is destined. For example, the service can determine the action to be performed by making an application programming interface (API) call to a policy evaluator, where this call can indicate some or all of the values of the conditions (e.g., by including an identifier of the network location). The policy evaluator can respond with an indication of the action to be performed.

[0006] In the direct traffic flow examples, the network location from which the traffic egresses out of the network (e.g., the service gateway) can tag the traffic with information not only about the network but also about the network location. For example, this information can include an identifier of the network, a source internet protocol (IP) address, and an identifier of the network location (e.g., a data plane identifier (DPID) that is different from a network address of the network location such as its IP address). This information can be included in one or more IP options fields in a packet that represents a portion of the traffic.

[0007] In the indirect traffic flow examples, the netwo
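The direct-flow mechanism of paragraphs [0005] and [0006], and the identifier-based lookup of claims 8 and 9, modelled end to end in Python. This is an added example written for this page, not code from the patent or from Oracle: the IPv4 option number, the tag wire format, the class names, the gateway registry, the policy granularity values and the sample policies are all assumptions made for the illustration. It shows a gateway stamping a packet's options with (network identifier, source IP, DPID), a target service extracting that tag, and a policy evaluator that resolves the most specific matching customer rule and refuses traffic whose tag cannot be attributed to a registered gateway of the tenancy.

```python
"""Toy egress-policy flow: gateway tags packet, target service asks evaluator.
Added example, not code from the patent. Option number, tag layout, names,
gateway registry and sample policies are assumptions for illustration only."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EGRESS_OPT_TYPE = 0x9E          # hypothetical IPv4 option number for the egress tag
_TAG_FMT = "!I4sI"              # network_id, source IPv4, DPID (all big-endian)
_TAG_LEN = 2 + struct.calcsize(_TAG_FMT)   # option type + length + 12-byte body


@dataclass(frozen=True)
class EgressTag:
    """What the service gateway stamps on outbound packets: the network it left,
    the original source address, and the gateway's data-plane id (not its IP)."""
    network_id: int
    src_ip: str
    dpid: int

    def encode(self) -> bytes:
        ip = bytes(int(o) for o in self.src_ip.split("."))
        body = struct.pack(_TAG_FMT, self.network_id, ip, self.dpid)
        return bytes([EGRESS_OPT_TYPE, _TAG_LEN]) + body

    @staticmethod
    def decode(options: bytes) -> Optional["EgressTag"]:
        """Walk an IPv4 options list; return the tag, or None if absent/malformed."""
        i = 0
        while i < len(options):
            kind = options[i]
            if kind == 0:                      # End of Option List
                return None
            if kind == 1:                      # No-Operation (single byte)
                i += 1
                continue
            if i + 1 >= len(options):
                return None                    # truncated option header
            length = options[i + 1]
            if length < 2 or i + length > len(options):
                return None                    # malformed length: treat as untagged
            if kind == EGRESS_OPT_TYPE:
                if length != _TAG_LEN:
                    return None
                net, ip, dpid = struct.unpack(_TAG_FMT, options[i + 2:i + length])
                return EgressTag(net, ".".join(str(b) for b in ip), dpid)
            i += length
        return None


@dataclass(frozen=True)
class EgressPolicy:
    """One customer-defined rule. Granularity comes from how specific the fields
    are: location is 'dpid:<n>' or '*' (any gateway); target/principal or '*'."""
    tenancy: str
    location: str
    target: str
    principal: str
    action: str                                # "allow" or "deny"


class PolicyEvaluator:
    """Policy data store plus the lookup the target service calls (claim 9)."""

    def __init__(self, gateways: Dict[int, Tuple[str, int]]) -> None:
        self._gateways = gateways              # DPID -> (tenancy, network_id), assumed
        self._policies: List[EgressPolicy] = []   # maintained by the control plane

    def define(self, policy: EgressPolicy) -> None:
        self._policies.append(policy)

    def evaluate(self, tag: EgressTag, target: str, principal: str) -> str:
        owner = self._gateways.get(tag.dpid)
        if owner is None or owner[1] != tag.network_id:
            return "deny"                      # unknown gateway or network/DPID mismatch
        tenancy = owner[0]
        best = None
        for p in self._policies:               # most specific matching rule wins
            if p.tenancy != tenancy or p.location not in ("*", f"dpid:{tag.dpid}"):
                continue
            if p.target not in ("*", target) or p.principal not in ("*", principal):
                continue
            score = (p.location != "*", p.principal != "*", p.target != "*")
            if best is None or score > best[0]:
                best = (score, p)
        return best[1].action if best else "deny"   # no rule: default deny (our choice)


def service_receive(ev: PolicyEvaluator, options: bytes, target: str, principal: str) -> str:
    """Target service: untagged traffic cannot be attributed to a customer, so deny."""
    tag = EgressTag.decode(options)
    return "deny" if tag is None else ev.evaluate(tag, target, principal)


def demo() -> Dict[str, str]:
    ev = PolicyEvaluator({17: ("tenancy-a", 1001), 42: ("tenancy-b", 2002)})
    ev.define(EgressPolicy("tenancy-a", "*", "*", "*", "deny"))
    ev.define(EgressPolicy("tenancy-a", "dpid:17", "object-storage", "*", "allow"))
    ev.define(EgressPolicy("tenancy-a", "dpid:17", "object-storage", "instance-9", "deny"))
    t = EgressTag(1001, "10.0.1.5", 17)        # constructed sample tag from gateway 17
    return {
        "allowed_gateway": service_receive(ev, t.encode(), "object-storage", "instance-3"),
        "blocked_principal": service_receive(ev, t.encode(), "object-storage", "instance-9"),
        "other_service": service_receive(ev, t.encode(), "kms", "instance-3"),
        "forged_network": service_receive(ev, EgressTag(2002, "10.0.1.5", 17).encode(),
                                          "object-storage", "instance-3"),
        "untagged": service_receive(ev, b"\x01\x01\x00", "object-storage", "instance-3"),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the model makes explicit that the patent text leaves to the implementer: the evaluator only honours a tag whose DPID is registered to the tenancy and whose network identifier matches that registration, and anything untagged or unmatched is denied. Both are choices of this example, but they matter in practice, because an IP option is just bytes in a header. The target service must only accept these tags on paths where the provider's gateway is the sole writer (the fabric strips or rejects customer-supplied options), otherwise a client could forge another tenancy's network identifier and DPID.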