
EP-4736376-A1 - EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM CUSTOMER NETWORK


Abstract

Techniques for enforcing an egress policy at a target service are described. In an example, traffic is generated for a customer, where the traffic is generated by a customer network of the customer, such as a customer tenancy or an on-premise network. The traffic can be destined to the target service. The traffic can be tagged by the customer network (e.g., by a gateway of the customer network). The customer network can be associated with the egress policy. The customer can define the egress policy at different granularity levels by using different attributes. The target service can determine the egress policy based on the information tagged to the traffic and can enforce the egress policy, based on the customer-defined attributes, on the traffic that the target service is receiving.

Inventors

  • NAGARAJA, GIRISH
  • SLEEMAN, MARTIN JOHN
  • BAKITA, THOMAS RAY
  • STOCKTON, RICHARD BENJAMIN
  • LEVIN, TROY ARI
  • CHOI, Jinsu
  • ANDREWS, THOMAS JAMES

Assignees

  • Oracle International Corporation

Dates

Publication Date
20260506
Application Date
20240628

Claims (20)

WHAT IS CLAIMED IS:

  1. A computer-implemented method comprising: receiving, by a gateway having a network location that belongs to a network of a customer, traffic destined to a service of a service tenancy of a cloud infrastructure, wherein the customer is associated with a customer tenancy hosted by the cloud infrastructure; tagging, by the gateway, the traffic with an identifier of the network location, wherein the identifier is different from a network address of the gateway and is associated with an egress policy of the customer, and wherein the egress policy indicates whether the traffic is to be allowed or disallowed based on the network location; and sending, by the gateway, the traffic after being tagged to the service of the service tenancy.
  2. The computer-implemented method of claim 1, wherein the network location belongs to an on-premise network of the customer and is associated with a cloud identifier such that the network location is represented as belonging to a virtual cloud network of the customer tenancy.
  3. The computer-implemented method of claim 1 or 2, wherein the customer tenancy includes a virtual cloud network, and wherein the network location belongs to the virtual cloud network.
  4. The computer-implemented method of any of claims 1 to 3, wherein the identifier includes a data plane identifier (DPID) of the gateway.
  5. The computer-implemented method of claim 4, wherein tagging the traffic comprises including, in the traffic, the DPID, an identifier of the network, and a source internet protocol (IP) address.
  6. The computer-implemented method of claim 5, wherein the DPID, the identifier of the network, and the source IP address are included in one or more IP options fields of a packet that corresponds to the traffic.
  7. The computer-implemented method of claim 5, wherein the DPID is translated into a cloud identifier (CID), and wherein the CID is used to determine the egress policy.
  8. The computer-implemented method of claim 7, wherein the CID is generated based on a registration of the network location by the customer in association with defining the egress policy.
  9. A system having a network location that belongs to a network of a customer, the system comprising: one or more processors; and one or more memory storing instructions that, upon execution by the one or more processors, configure the system to: receive traffic destined to a service of a service tenancy of a cloud infrastructure, wherein the customer is associated with a customer tenancy hosted by the cloud infrastructure; tag the traffic with an identifier of the network location, wherein the identifier is different from a network address of the gateway and is associated with an egress policy of the customer, and wherein the egress policy indicates whether the traffic is to be allowed or disallowed based on the network location; and send the traffic after being tagged to the service of the service tenancy.
  10. The system of claim 9, wherein the network location belongs to an on-premise network of the customer and is associated with a cloud identifier such that the network location is represented as belonging to a virtual cloud network of the customer tenancy.
  11. The system of claim 9 or 11, wherein the customer tenancy includes a virtual cloud network, and wherein the network location belongs to the virtual cloud network.
  12. The system of any one of claims 9 to 11, wherein the identifier includes a data plane identifier (DPID) of the gateway.
  13. The system of claim 12, wherein tagging the traffic comprises including, in the traffic, the DPID, an identifier of the network, and a source internet protocol (IP) address.
  14. The system of claim 13, wherein the DPID, the identifier of the network, and the source IP address are included in one or more IP options fields of a packet that corresponds to the traffic.
  15. The system of claim 13, wherein the DPID is translated into a cloud identifier (CID), and wherein the CID is used to determine the egress policy.
  16. The system of claim 15, wherein the CID is generated based on a registration of the network location by the customer in association with defining the egress policy.
  17. One or more computer-readable storage media storing instructions that, upon execution on a system, cause the system to perform operations comprising: receiving traffic destined to a service of a service tenancy of a cloud infrastructure, wherein a customer is associated with a customer tenancy hosted by the cloud infrastructure, the system having a network location that belongs to a network of the customer; tagging traffic with an identifier of the network location, wherein the identifier is different from a network address of the gateway and is associated with an egress policy of the customer, and wherein the egress policy indicates whether the traffic is to be allowed or disallowed based on the network location; and sending the traffic after being tagged to the service of the service tenancy.
  18. The one or more computer-readable storage media of claim 17, wherein the network location belongs to an on-premise network of the customer and is associated with a cloud identifier such that the network location is represented as belonging to a virtual cloud network of the customer tenancy.
  19. The one or more computer-readable storage media of claim 17 or 18, wherein the customer tenancy includes a virtual cloud network, and wherein the network location belongs to the virtual cloud network.
  20. The one or more computer-readable storage media of any one of claims 17 to 19, wherein the identifier includes a data plane identifier (DPID) of the gateway.
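As an added illustration (not code from the patent or from Oracle), the following Python models the tagging and enforcement flow that claims 4 to 8 and paragraphs [0005] and [0006] describe: the gateway encodes the DPID, the network identifier and the source IP into an IPv4 option, and the target service parses the option, translates the DPID to a CID through a registration table and looks up the customer's egress policy, treating untagged, malformed or unregistered traffic as disallowed. The option number, the option layout, the DPID-to-CID table and the policy table are constructed assumptions; the patent fixes none of them.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional
# Assumption for this example: IPv4 option number 30 is the RFC 4727 experimental
# option; the patent does not specify an option number or a byte layout for the tag.
EGRESS_TAG_OPT = 30
@dataclass(frozen=True)
class EgressTag:
    dpid: int        # data plane identifier of the gateway (not its IP address)
    network_id: int  # identifier of the customer network (VCN or on-premise)
    src_ip: str      # source IP inside the customer network
def encode_tag_option(tag: EgressTag) -> bytes:
    """Gateway side: serialize the tag as one IPv4 option (type, length, 12-byte body)."""
    body = struct.pack("!II4s", tag.dpid, tag.network_id, ipaddress.ip_address(tag.src_ip).packed)
    return bytes([EGRESS_TAG_OPT, 2 + len(body)]) + body
def build_ipv4_header(src: str, dst: str, options: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero) with options padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return fixed + options
def parse_tag_option(header: bytes) -> Optional[EgressTag]:
    """Service side: walk the options area and return the egress tag, or None."""
    ihl, pos = (header[0] & 0x0F) * 4, 20
    while pos < ihl:
        kind = header[pos]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP is a single byte
            pos += 1
            continue
        length = header[pos + 1] if pos + 1 < ihl else 0
        if length < 2 or pos + length > ihl:   # malformed option: refuse to guess
            return None
        if kind == EGRESS_TAG_OPT and length == 14:
            dpid, net, ip = struct.unpack("!II4s", header[pos + 2:pos + length])
            return EgressTag(dpid, net, str(ipaddress.IPv4Address(ip)))
        pos += length
    return None
# Constructed tables standing in for the registration (DPID -> CID) and the policy evaluator.
DPID_TO_CID = {0x1001: "cid-vcn-a-sgw", 0x1002: "cid-onprem-b-gw"}
EGRESS_POLICY = {"cid-vcn-a-sgw": "allow"}   # every other network location: disallow
def evaluate_egress(header: bytes) -> str:
    """Service decides allow/disallow from the tagged network location; untagged -> disallow."""
    tag = parse_tag_option(header)
    cid = DPID_TO_CID.get(tag.dpid) if tag else None
    return EGRESS_POLICY.get(cid, "disallow") if cid else "disallow"
```

Because the decision keys on the DPID rather than the packet's source address, the policy evaluator is unaffected by address translation between the gateway and the service, which is the point claim 1 makes with "different from a network address of the gateway".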

Description

PATENT Attorney Docket No.: 088325-1428047-418220PC Client Reference No.: ORC23137498-WO-PCT-3 (IaaS #644.3)

EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM CUSTOMER NETWORK

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This international patent application claims priority to U.S. Patent Application No. 18/375,366, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM SERVICE TENANCY,” 18/375,374, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” 18/375,387, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY DEFINITION AND ENFORCEMENT AT TARGET SERVICE,” which claims the benefit and priority under 35 U.S.C. 119(e) of U.S. Provisional Patent Application No. 63/524,550, filed June 30, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” and of U.S. Provisional Patent Application No. 63/524,539, filed June 30, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE,” and 18/375,382, filed on September 29, 2023, entitled “EGRESS TRAFFIC POLICY ENFORCEMENT AT TARGET SERVICE ON TRAFFIC FROM CUSTOMER NETWORK,” which claims the benefit and priority under 35 U.S.C. 119(e) of U.S. Provisional Patent Application No. 63/524,539, filed June 30, 2023, the contents of which are herein incorporated by reference in their entirety for all purposes.

FIELD

[0002] The present disclosure relates to virtualized cloud environments. Techniques are described for egress traffic policy enforcement at a target service.

BACKGROUND

[0003] The last few years have seen a dramatic increase in the adoption of cloud services, and this trend is only going to continue. Various cloud environments are provided by different cloud service providers (CSPs), each cloud environment providing a set of one or more cloud services. The set of cloud services offered by a cloud environment may include one or more different types of services including, but not restricted to, Software-as-a-Service (SaaS) services, Infrastructure-as-a-Service (IaaS) services, Platform-as-a-Service (PaaS) services, and others.

[0004] As organizations increasingly rely on cloud services for their operations, there is a growing need for improved security measures to control network traffic and ensure data integrity.

BRIEF SUMMARY

[0005] Some embodiments of the present disclosure relate to performing an action on traffic that originates from a network and is destined to a service of a service tenancy. Such traffic can be referred to as egress traffic because it egresses from the network. In an example, the network is a virtual cloud network of a customer that is associated with a customer tenancy. In another example, the network is an on-premise network of the customer. In both examples, the egress traffic can correspond to a direct traffic flow because the traffic egresses directly from a network of the customer. In yet another example, the network belongs to a multi-customer tenancy that provides services to different customers. In this example, the egress traffic can correspond to an indirect traffic flow because the traffic egresses from the multi-customer tenancy on behalf of the customer. In all three examples, the customer can define an egress policy that specifies an action to be performed (e.g., allow traffic, disallow traffic, allow a write operation, etc.) based on a set of conditions being met. One such condition can identify a network location that belongs to the network and from which the traffic egresses. For example, the network location can correspond to a gateway (e.g., a service gateway). As such, if the traffic egresses from the network location, the action can be performed on the traffic. Enforcement of the egress policy can be performed by the service to which the traffic is destined. For example, the service can determine the action to be performed by making an application programming interface (API) call to a policy evaluator, where this call can indicate some or all of the values of the conditions (e.g., by including an identifier of the network location). The policy evaluator can respond with an indication of the action to be performed.

[0006] In the direct traffic flow examples, the network location from which the traffic egresses out of the network (e.g., the service gateway) can tag the traffic with information not only about the network but also about the network location. For example, this information can include an identifier of the network, a source internet protocol (IP) address, and an identifier of the network location (e.g., a data plane identifier (DPID) that is different from a network address of the network location such as its IP address). This information can be included in one or more IP options fields in a packet that represents a portion of the traffic.

[0007] In the indirect traffic flow exam