US-12627568-B2 - Mobile virtual endpoint eco-system

Abstract

Aspects of the subject disclosure may include, for example, obtaining provisioning information associated with a service provider where the provisioning information includes a mapping of identifications of a group of end user devices to cloud-based services of the service provider; determining, according to the provisioning information, that an end user device of the group of end user devices is permitted to access a service endpoint associated with a particular cloud-based service of the cloud-based services of the service provider; and facilitating the particular cloud-based service for the end user device utilizing a private network connection, the service endpoint and a private endpoint associated with the service provider. Other embodiments are disclosed.

Inventors

  • Oliver Spatscheck
  • Michael R. Albrecht
  • Daniel Flynn

Assignees

  • AT&T INTELLECTUAL PROPERTY I, L.P.

Dates

Publication Date
20260512
Application Date
20240117

Claims (20)

  1. A system, comprising: a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations comprising: obtaining provisioning information associated with a service provider, the provisioning information including a mapping of end user identifications of a group of end users to cloud-based services of the service provider; obtaining, from a gateway of a mobile core network via a private network connection with the gateway of the mobile core network, network traffic transmitted by an end user device; determining, according to the provisioning information, that the network traffic is permitted to access a private endpoint of the service provider; directing the network traffic to the private endpoint based on the determining; and facilitating providing the network traffic to a service endpoint of the service provider, wherein a first cloud-based service of the service provider corresponding to the service endpoint exports the private endpoint to the processing system and attaches, to the private endpoint, a listing of end user device identifiers for inclusion in the mapping of end user identifications, and a second cloud-based service of the service provider corresponding to another service endpoint of the service provider exports another private endpoint to the processing system and attaches, to the other private endpoint, another listing of end user device identifiers for inclusion in the mapping of end user identifications, thereby facilitating differentiated end user device access to different cloud-based services of the service provider.
  2. The system of claim 1, wherein the end user identifications include device identifiers, and wherein the provisioning information includes a private link service identification and one or more DNS names corresponding to the cloud-based services.
  3. The system of claim 1, wherein the obtaining the provisioning information is via an application programming interface, and wherein the operations further comprise identifying an attachment to a network by the end user device utilizing an authentication, authorization, and accounting management function.
  4. The system of claim 1, wherein the operations further comprise storing the provisioning information in a database.
  5. The system of claim 1, wherein the operations further comprise performing predictive capacity management.
  6. The system of claim 1, wherein the operations further comprise performing end to end network monitoring including application Service Level Agreement monitoring.
  7. The system of claim 1, wherein the operations further comprise performing intrusion detection, DDOS detection or a combination thereof.
  8. The system of claim 1, wherein the operations further comprise providing an application programming interface that enables the service provider to automatically remove an end user device from an allowed list responsive to an anomaly being detected.
  9. The system of claim 1, wherein the obtaining the network traffic is based at least in part on a UE Route Selection Policy.
  10. A method comprising: obtaining, by a processing system including a processor, provisioning information associated with a service provider, the provisioning information including a mapping of identifications of a group of end user devices to cloud-based services of the service provider; determining, by the processing system according to the provisioning information, that an end user device of the group of end user devices is permitted to access a service endpoint associated with a particular cloud-based service of the cloud-based services of the service provider; and facilitating, by the processing system, the particular cloud-based service for the end user device utilizing a private network connection, the service endpoint and a private endpoint associated with the service provider, wherein the private network connection interconnects the processing system with a gateway of a mobile core network of a network provider, wherein network traffic from the end user device relating to the particular cloud-based service is received by the processing system from the gateway of the mobile core network via the private network connection, and wherein the particular cloud-based service of the service provider exports the private endpoint to the processing system and attaches, to the private endpoint, a listing of end user device identifiers for inclusion in the mapping of identifications, and another cloud-based service of the service provider corresponding to another service endpoint exports another private endpoint to the processing system and attaches, to the other private endpoint, another listing of end user device identifiers for inclusion in the mapping of identifications, thereby facilitating differentiated end user device access to different cloud-based services of the service provider.
  11. The method of claim 10, wherein the group of end user devices are equipment of the service provider.
  12. The method of claim 10, further comprising: determining, according to the provisioning information, that the end user device is not permitted to access a second service endpoint associated with a second cloud-based service of the cloud-based services of the service provider; and prohibiting, by the processing system, the end user device from accessing a second private endpoint associated with the second cloud-based service of the service provider.
  13. The method of claim 10, further comprising: determining, according to other provisioning information associated with a second service provider, that the end user device is permitted to access a particular service endpoint associated with a cloud-based service of the second service provider; and facilitating, by the processing system, the cloud-based service of the second service provider for the end user device utilizing the private network connection, the particular service endpoint and a particular private endpoint associated with the second service provider.
  14. The method of claim 10, wherein the identifications include an MSISDN, IMEI, an IMSI, or a combination thereof, and wherein the provisioning information includes a private link service identification and one or more DNS names corresponding to the cloud-based services.
  15. The method of claim 10, wherein the obtaining the provisioning information is via an application programming interface.
  16. The method of claim 10, further comprising storing the provisioning information in a database.
  17. The method of claim 10, further comprising performing predictive capacity management, Service Level Agreement monitoring, intrusion detection, DDOS detection, or a combination thereof.
  18. The method of claim 10, wherein the facilitating the particular cloud-based service is based at least in part on UE Route Selection Policy.
  19. A non-transitory machine-readable medium, comprising executable instructions that, when executed by a processing system including a processor of a service provider, facilitate performance of operations, the operations comprising: providing provisioning information to equipment of a network provider, the provisioning information including a mapping of identifications associated with a group of end users to cloud-based services of the service provider; and responsive to a determination by the equipment of the network provider according to the provisioning information that an end user of the group of end users is permitted to access a private endpoint of the service provider, providing, over a private network connection via a service endpoint of the service provider, a particular cloud-based service of the service provider to an end user device of the end user, wherein a second private network connection interconnects a gateway of a mobile core network of the network provider with the equipment of the network provider, wherein network traffic from the end user device relating to the particular cloud-based service is received by the equipment of the network provider from the gateway of the mobile core network via the second private network connection, and wherein the particular cloud-based service of the service provider exports the private endpoint to the equipment of the network provider and attaches, to the private endpoint, a listing of end user device identifiers for inclusion in the mapping of identifications, and another cloud-based service of the service provider corresponding to another service endpoint of the service provider exports another private endpoint to the equipment of the network provider and attaches, to the other private endpoint, another listing of end user device identifiers for inclusion in the mapping of identifications, thereby facilitating differentiated end user device access to different cloud-based services of the service provider.
  20. The non-transitory machine-readable medium of claim 19, wherein the operations further comprise removing a particular end user from an allowed list associated with the provisioning information responsive to an anomaly being detected.

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of priority to U.S. Patent Application Ser. No. 63/486,388 filed on Feb. 22, 2023. All sections of the aforementioned application are incorporated herein by reference in their entirety.

FIELD OF THE DISCLOSURE

The subject disclosure relates to a mobile virtual endpoint eco-system.

BACKGROUND

Users seek secure and reliable communications. Private networks can be built using Multiprotocol Label Switching (MPLS), Virtual Private Network (VPN), Access Point Name (APN), Data Network Name (DNN) and/or Internet Protocol Security (IPSEC) technologies. However, building these private networks is cumbersome, slow, difficult to manage, error prone and generally costly to operate.

BRIEF DESCRIPTION OF THE DRAWINGS

Reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:

FIG. 1 is a block diagram illustrating an exemplary, non-limiting embodiment of a communications network in accordance with various aspects described herein.

FIG. 2A is a block diagram illustrating an example, non-limiting embodiment of a system functioning within the communication network of FIG. 1 in accordance with various aspects described herein.

FIG. 2B is a block diagram illustrating an example, non-limiting embodiment of a system functioning within the communication network of FIG. 1 in accordance with various aspects described herein.

FIG. 2C is a block diagram illustrating an example, non-limiting embodiment of a system functioning within the communication network of FIG. 1 in accordance with various aspects described herein.

FIG. 2D depicts an illustrative embodiment of a method in accordance with various aspects described herein.

FIG. 3 is a block diagram illustrating an example, non-limiting embodiment of a virtualized communication network in accordance with various aspects described herein.

FIG. 4 is a block diagram of an example, non-limiting embodiment of a computing environment in accordance with various aspects described herein.

FIG. 5 is a block diagram of an example, non-limiting embodiment of a mobile network platform in accordance with various aspects described herein.

FIG. 6 is a block diagram of an example, non-limiting embodiment of a communication device in accordance with various aspects described herein.

DETAILED DESCRIPTION

The subject disclosure describes, among other things, illustrative embodiments for managing access to cloud-based services over a private network connection based on identification. As an example, services offered by a cloud provider can be accessed according to identifications such as a list of wireless equipment identifiers (e.g., MSISDN, IMEI, IMSI, and so forth). The network or communication service provider can then ensure that only such devices can reach the service securely and reliably over a network controlled by the network provider. Other identification techniques can be applied which may or may not be associated with devices, including identification of users that is independent of devices.

In one or more embodiments, commercial services can pair their services with wireless devices/equipment in the field, such as a delivery company ensuring that the tablet its drivers are provided can only reach or access the particular services that the driver needs, which can be done securely, reliably and independent of the state of the Internet. In one or more embodiments, commercial services can have private connections with their customers' wireless devices, such as an investment company providing a secure and reliable way of reaching its financial management application on a wireless device independent of DDOS attacks (or other undesired conditions) against its Internet-facing infrastructure.

In one or more embodiments, multiple applications could utilize the exemplary embodiments, resulting in an entire eco-system of fine-grained secure communication which can change or otherwise influence how the Internet works. In one or more embodiments, device capabilities including UE Route Selection Policy (URSP) can be utilized to facilitate managing access to cloud-based services over a private network connection based on identification. In one or more embodiments, a cloud-based service can export a service endpoint (e.g., via Microsoft® Azure) and attach a list of wireless equipment identifiers (e.g., MSISDN, IMSI, IMEI or other identifiers) to the service endpoint. The network communications provider would then be responsible for ensuring that only those authorized devices can communicate with the service endpoint exposed by the application service provider (providing the cloud-based service) while maintaining control of the full network path. Various embodiments described herein reference endpoints, such as private and service endpoints, that facilitate cloud-computing services. Other functionality which can be offered by various entities (e.g., Amazon Web Services, Google Clou
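The access-control logic the claims describe (each cloud-based service exports a private endpoint with an attached device listing, the network provider merges the listings into one mapping, decides per flow with a default of deny, and removes a device from the allowed list when an anomaly is detected) can be sketched as follows. This is an added illustration, not code from the patent or from AT&T; the class names, DNS names and IMSI-style identifiers are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class PrivateEndpoint:
    """One cloud-based service's exported private endpoint plus the listing
    of device identifiers (IMSI/IMEI/MSISDN style strings) it attaches."""
    service_provider: str
    dns_name: str
    allowed_devices: set = field(default_factory=set)

class ProvisioningStore:
    """Network-provider side: merges per-endpoint listings into a single
    device-to-service mapping and answers per-flow access decisions."""
    def __init__(self):
        self.endpoints = {}   # dns_name -> PrivateEndpoint
        self.mapping = {}     # device id -> set of permitted dns_names

    def import_endpoint(self, ep):
        # Provisioning step: fold the endpoint's attached listing into the map.
        self.endpoints[ep.dns_name] = ep
        for dev in ep.allowed_devices:
            self.mapping.setdefault(dev, set()).add(ep.dns_name)

    def is_permitted(self, device_id, dns_name):
        # Default deny: an unprovisioned device or endpoint never matches.
        return dns_name in self.mapping.get(device_id, set())

    def route(self, device_id, dns_name):
        # Return the private endpoint to direct traffic to, or None to drop.
        if self.is_permitted(device_id, dns_name):
            return self.endpoints[dns_name]
        return None

    def revoke(self, device_id, dns_name=None):
        """Anomaly response: drop the device from one endpoint's allowed
        list, or from every endpoint it was provisioned for when dns_name
        is None. Safe to call for unknown devices or endpoints."""
        targets = {dns_name} if dns_name else set(self.mapping.get(device_id, ()))
        for name in targets:
            if name in self.endpoints:
                self.endpoints[name].allowed_devices.discard(device_id)
            if device_id in self.mapping:
                self.mapping[device_id].discard(name)
        if not self.mapping.get(device_id):
            self.mapping.pop(device_id, None)

def demo_store():
    """Constructed sample: one provider exports two services with different
    listings, so imsi-001 reaches both and imsi-002 only dispatch."""
    store = ProvisioningStore()
    store.import_endpoint(PrivateEndpoint("ExampleDelivery", "dispatch.example.internal", {"imsi-001", "imsi-002"}))
    store.import_endpoint(PrivateEndpoint("ExampleDelivery", "hr.example.internal", {"imsi-001"}))
    return store
```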