
JP-7857445-B2 - Change Impact Simulation Analysis

JP7857445B2

Inventors

  • アダブ,ガールギー
  • リウ,ホイ
  • グプタ,ビシャル
  • アガーウォール,ビカス
  • カイ,カン
  • ヂャン,シャオユ

Assignees

  • グーグル エルエルシー

Dates

Publication Date
20260512
Application Date
20250115
Priority Date
20201202

Claims (20)

  1. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes one or more parameter changes to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; and generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model, the report showing the effect of the one or more parameter changes on the production network model; the operations further comprising: receiving, based on the report showing the differences between the production network model and the simulation network model, acceptance of the one or more parameter changes included in the simulation network model; and implementing the one or more parameter changes in the production network model.
  2. The method according to claim 1, wherein the operations further comprise: receiving a production network log including the workflow of the production network model; and generating a simulation network log based on the simulation network flow.
  3. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes one or more parameter changes to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model; receiving, based on the report showing the differences between the production network model and the simulation network model, acceptance of the one or more parameter changes included in the simulation network model; implementing the one or more parameter changes in the production network model; receiving a production network log including the workflow of the production network model; and generating a simulation network log based on the simulation network flow; wherein generating the report showing the differences between the production network model and the simulation network model comprises comparing the production network log with the simulation network log and identifying the differences between the production network log and the simulation network log.
  4. The method according to claim 2 or 3, wherein the production network log is one of a virtual private connection flow log or a firewall rule log.
  5. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes one or more parameter changes to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model; receiving, based on the report showing the differences between the production network model and the simulation network model, acceptance of the one or more parameter changes included in the simulation network model; implementing the one or more parameter changes in the production network model; and determining the effect of the one or more parameter changes on the production network model.
  6. The method according to claim 5, wherein determining the impact of the one or more parameter changes includes determining an impact on at least one of: network reachability, firewall shadow rules or predicted firewall hit rate, search intent rules, security compliance rules, or resource quotas or utilization.
  7. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes one or more parameter changes to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model; receiving, based on the report showing the differences between the production network model and the simulation network model, acceptance of the one or more parameter changes included in the simulation network model; and implementing the one or more parameter changes in the production network model; wherein generating the simulation network model comprises incorporating the one or more parameter changes into the production network model in fixed amounts.
  8. The method according to any one of claims 1 to 7, further comprising receiving one or more invariant parameters of the production network model.
  9. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes one or more parameter changes to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model; receiving, based on the report showing the differences between the production network model and the simulation network model, acceptance of the one or more parameter changes included in the simulation network model; implementing the one or more parameter changes in the production network model; and modifying the configuration of the network if the effects of the one or more parameter changes on the network are acceptable.
  10. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes one or more parameter changes to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model; receiving, based on the report showing the differences between the production network model and the simulation network model, acceptance of the one or more parameter changes included in the simulation network model; implementing the one or more parameter changes in the production network model; and analyzing the simulation network flow within the simulation network model to determine whether the simulation network model affects a network intent of the production network model.
  11. A system comprising data processing hardware and memory hardware in communication with the data processing hardware, the memory hardware storing instructions that, when executed by the data processing hardware, cause the data processing hardware to perform the method according to any one of claims 1 to 10.
  12. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes a parameter change to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; and generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model, the report showing the effect of the parameter change on the production network model; the operations further comprising: receiving a rejection of the parameter change included in the simulation network model; and, based on receiving the rejection of the parameter change, rejecting implementation of the parameter change in the production network model.
  13. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes a parameter change to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model; receiving a rejection of the parameter change included in the simulation network model; based on receiving the rejection of the parameter change, rejecting implementation of the parameter change in the production network model; receiving a second parameter change to the simulation network model; adjusting the simulation network model to include the second parameter change to the production network model; reproducing the workflow of the production network model as a second simulation network flow within the adjusted simulation network model; generating, based on reproducing the workflow of the production network model as the second simulation network flow within the adjusted simulation network model, a second report showing the differences between the production network model and the adjusted simulation network model; receiving acceptance of the second parameter change included in the adjusted simulation network model; and implementing the second parameter change in the production network model based on receiving acceptance of the second parameter change.
  14. The method according to claim 12 or 13, wherein the operations further comprise: receiving a production network log including the workflow of the production network model; and generating a simulation network log based on the simulation network flow.
  15. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes a parameter change to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model; receiving a rejection of the parameter change included in the simulation network model; based on receiving the rejection of the parameter change, rejecting implementation of the parameter change in the production network model; receiving a production network log including the workflow of the production network model; and generating a simulation network log based on the simulation network flow; wherein generating the report showing the differences between the production network model and the simulation network model comprises comparing the production network log with the simulation network log and identifying the differences between the production network log and the simulation network log.
  16. The method according to claim 14 or 15, wherein the production network log is one of a virtual private connection flow log or a firewall rule log.
  17. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes a parameter change to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model; receiving a rejection of the parameter change included in the simulation network model; based on receiving the rejection of the parameter change, rejecting implementation of the parameter change in the production network model; and determining the impact of the parameter change on the production network model.
  18. The method according to claim 17, wherein determining the impact of the parameter change comprises determining an impact on at least one of: network reachability, firewall shadow rules, predicted firewall hit rate, search intent rules, security compliance rules, or resource quotas or utilization rates.
  19. The method according to any one of claims 12 to 18, further comprising receiving one or more invariant parameters of the production network model.
  20. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: generating, based on a workflow of a production network model, a simulation network model that includes a parameter change to the production network model; reproducing the workflow of the production network model as a simulation network flow within the simulation network model; generating, based on reproducing the workflow of the production network model as the simulation network flow within the simulation network model, a report showing the differences between the production network model and the simulation network model; receiving a rejection of the parameter change included in the simulation network model; based on receiving the rejection of the parameter change, rejecting implementation of the parameter change in the production network model; and receiving a modification of the parameter change in response to the rejection of the parameter change.

Description

This disclosure relates to change impact simulation analysis in cloud networks.

Brief description of the drawings: Figure 1 is a schematic diagram illustrating an example system for performing change impact simulation analysis in a cloud network. A further schematic diagram shows exemplary components of a virtual machine in the system of Figure 1. A flowchart illustrates an exemplary workflow for using the network change simulator of the system of Figure 1. A further flowchart illustrates an example method of performing a change impact simulation analysis. A final schematic diagram shows an exemplary computing device that may be used to carry out the systems and methods described herein.

Detailed description: A Virtual Private Cloud (VPC) is an on-demand, configurable pool of shared computing resources allocated within a public cloud environment to isolate a user from other cloud users. This isolation may be achieved through the allocation of private Internet Protocol (IP) subnets and/or virtual communication structures. A VPC can run one or more virtual machines (VMs) and communicate with the user's on-premises network or other remote resources via a virtual private network (VPN) to ensure secure access to the VPC environment. Because some VPC environments are very large and complex (including numerous VMs, network gateways, load balancers, etc.), operating and maintaining a VPC often requires considerable network configuration. An example implementation described herein relates to a network change simulator that allows a user to specify one or more changes to network parameters (e.g., firewall rules, VPC peering, provisioning or deprovisioning of network resources) and simulate at least one production workflow through a VPC. The network change simulator provides configuration information for each simulated route, including, for example, routing rules and firewall rules.
Here, the network change simulator builds a simulated network model by progressively incorporating the proposed parameter changes into the VPC's production network model. Next, the network change simulator simulates a workflow logged from the VPC within the simulated network model, compares the results of the simulated workflow to the production workflow, and generates output (e.g., a report) showing the impact or effect of the proposed configuration, events, and/or network changes on the VPC. VPC users or administrators can use the output to decide whether to proceed with incorporating the proposed parameter changes, based on whether the impact on the VPC is acceptable. Referring to Figure 1, in several implementations, the exemplary system 10 includes a user device 20, which is associated with each user 12 and communicates with the cloud network 200 via a network 30 (e.g., the internet) and an on-premises network 40 (i.e., the local network that the user device 20 uses to connect to network 30). The on-premises network 40 includes a network gateway 42 (e.g., a router) that acts as a forwarding host for the on-premises network 40. The user device 20 may correspond to any computing device such as a desktop workstation, laptop workstation, or mobile device (e.g., a smartphone or tablet). The user device 20 includes computing resources 22 (e.g., data processing hardware) and/or storage resources 24 (e.g., memory hardware). The cloud network 200 may be a single computer, multiple computers, or a distributed system (e.g., a cloud environment) having scalable/elastic resources 202, including computing resources 204 (e.g., data processing hardware) and/or storage resources 206 (e.g., memory hardware). A datastore (i.e., a remote storage device) may be overlaid on the storage resource 206 to enable scalable use of the storage resource 206 by one or more clients or computing resources 204.
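The replay-and-diff step described above, and claimed in claims 3 and 6 (comparing a production log with a simulation log, and reporting impact on reachability, shadow rules and predicted hit rate), as an added illustration that is not the patent's or Google's code. The production firewall policy, the candidate policy carrying the proposed parameter changes, and the flow-log records are constructed sample data; first-match-by-priority evaluation with an implied default deny is an assumption about rule semantics that the patent does not specify. Each logged flow is replayed through both rule sets, flows whose verdict changes are listed, connection-weighted hits per rule give a predicted hit rate, and candidate rules that match traffic but never win are flagged as shadowed.

```python
"""Replay logged production flows through a candidate firewall policy and diff.

Added illustration, not code from the patent. Rule semantics (lowest
priority number wins, implied deny when nothing matches), field names and
all sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # lower number wins (assumed ordering)
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    ports: Tuple[int, int]  # inclusive destination port range


# Constructed production policy.
PROD_RULES = [
    Rule("allow-ssh-office", 100, "allow", "10.0.0.0/8", (22, 22)),
    Rule("allow-web", 200, "allow", "0.0.0.0/0", (443, 443)),
    Rule("deny-all", 65535, "deny", "0.0.0.0/0", (0, 65535)),
]

# Proposed parameter changes incorporated into a copy of the production model:
# restrict SSH to a bastion subnet, open the database port internally, and add
# a redundant web rule that an existing higher-priority rule already covers.
SIM_RULES = [r for r in PROD_RULES if r.name != "allow-ssh-office"] + [
    Rule("allow-ssh-bastion", 100, "allow", "10.1.2.0/24", (22, 22)),
    Rule("allow-internal-db", 150, "allow", "10.0.0.0/8", (5432, 5432)),
    Rule("allow-web-legacy", 300, "allow", "0.0.0.0/0", (443, 443)),
]

# Constructed flow-log records standing in for the logged production workflow:
# source address, destination port, and number of connections observed.
FLOW_LOG = [
    {"src": "10.1.2.7", "dst_port": 22, "count": 40},
    {"src": "10.9.9.9", "dst_port": 22, "count": 3},
    {"src": "203.0.113.5", "dst_port": 443, "count": 500},
    {"src": "10.5.5.5", "dst_port": 5432, "count": 12},
    {"src": "198.51.100.9", "dst_port": 22, "count": 7},
]


def matches(rule: Rule, flow: dict) -> bool:
    """True when the flow's source and destination port fall inside the rule."""
    return (ip_address(flow["src"]) in ip_network(rule.src)
            and rule.ports[0] <= flow["dst_port"] <= rule.ports[1])


def evaluate(rules: List[Rule], flow: dict) -> Tuple[str, str]:
    """First matching rule by priority decides; no match is an implied deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "<implied-deny>"


def replay(rules: List[Rule], flows: List[dict]):
    """Replay every logged flow through one rule set.

    Returns the per-flow verdicts (the simulation log), connection-weighted hit
    counts per rule, and rules that matched some flow but never won, i.e. rules
    shadowed by a higher-priority rule for all observed traffic."""
    verdicts = []
    hits: Dict[str, int] = {r.name: 0 for r in rules}
    ever_matched = set()
    for flow in flows:
        action, winner = evaluate(rules, flow)
        verdicts.append((action, winner))
        if winner in hits:
            hits[winner] += flow["count"]
        ever_matched.update(r.name for r in rules if matches(r, flow))
    shadowed = sorted(name for name in ever_matched if hits[name] == 0)
    return verdicts, hits, shadowed


def impact_report(prod_rules: List[Rule], sim_rules: List[Rule], flows: List[dict]) -> dict:
    """Diff production verdicts against simulated verdicts for the same flows."""
    prod_v, prod_hits, _ = replay(prod_rules, flows)
    sim_v, sim_hits, sim_shadowed = replay(sim_rules, flows)
    changed = [{"flow": f, "prod": p, "sim": s}
               for f, p, s in zip(flows, prod_v, sim_v) if p[0] != s[0]]
    return {
        "changed": changed,
        "newly_denied": sum(c["flow"]["count"] for c in changed if c["sim"][0] == "deny"),
        "newly_allowed": sum(c["flow"]["count"] for c in changed if c["sim"][0] == "allow"),
        "prod_hits": prod_hits,
        "sim_hits": sim_hits,
        "shadowed_in_sim": sim_shadowed,
    }


if __name__ == "__main__":
    rep = impact_report(PROD_RULES, SIM_RULES, FLOW_LOG)
    for c in rep["changed"]:
        print(c["flow"]["src"], c["flow"]["dst_port"], c["prod"], "->", c["sim"])
    print("newly denied connections:", rep["newly_denied"])
    print("newly allowed connections:", rep["newly_allowed"])
    print("shadowed rules in simulation:", rep["shadowed_in_sim"])
```

Run as a script, the report lists the two flows whose verdict flips (an office host losing SSH, an internal client gaining database access), the connection counts behind each flip, the per-rule hit counts for both models, and `allow-web-legacy` as a rule the simulated model would never exercise. A reviewer can accept or reject the change on that evidence before anything reaches the production model, which is the decision loop the claims describe.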
The cloud network 200 is configured to implement and run one or more virtual machines (VMs) 250, 250a-n. One or more VMs run securely in a virtual private cloud (VPC) environment or VPC 208 associated with or operated by user 12. VPC 208 may include various other network elements such as load balancers, gateways, frontends, and backends. In the example shown in Figure 2, the distributed system 200 includes a collection 210 of resources 110 (for example, hardware resources 110h), a virtual machine monitor (VMM) 220, a VM layer 240 running one or more VMs 250, and an application layer 260. Each hardware resource 110h may include one or more physical central processing units (pCPUs) 204 ("physical processors 204") and memory hardware 206. Although each hardware resource 110h is shown with a single physical processor 204, any hardware resource 110h may include multiple physical processors 204. The operating system 212 can run on the collection 210 of resources 110. In some examples, VMM 220 corresponds to a hypervisor 220 (e.g., a computing engine) that includes at least one of software, firmware, or hardware configured to create and run the VMs 250. T