US-12627630-B2 - Techniques for rotating service endpoints in prefab regions
Abstract
Techniques are disclosed for rotating service endpoints following the installation of a prefab region network at a destination site. A manager service can receive an indication that a region network of a distributed computing system has completed region build operations and, responsive to the indication, send a request to a domain name system service to generate a target zone including target domain names for second service endpoints within the region network. The manager service can send an instruction to a certificate service to provide a dual-headed certificate in response to a certificate request from a service including a first service endpoint having an original domain name of an original zone and a second service endpoint having a target domain name of the target zone. The manager service can send an instruction to the service to stop accepting network traffic corresponding to the first service endpoint.
Inventors
- Eden Grail Adogla
- Thomas Werner Kuehnel
- Zackery Vincent Paladino
- Laura Ann Duffey
- Kimberly A. Rodriguez
- Neal Edward Tucker
- Tristan Allen Burgess
Assignees
- ORACLE INTERNATIONAL CORPORATION
Dates
- Publication Date: 20260512
- Application Date: 20231023
Claims (20)
- 1. A computer-implemented method, comprising: receiving, by a manager service executing in a distributed computing system, an indication that a region network of the distributed computing system has completed region build operations in a data center, the region network previously configured in another data center to execute a service comprising a first service endpoint having an original domain name of an original zone; responsive to the indication, sending, by the manager service, a request to a domain name system (DNS) service to generate a target zone comprising target domain names for second service endpoints within the region network of the distributed computing system; sending, by the manager service, an instruction to a certificate service to provide a dual-headed certificate in response to a certificate request from the service executing within the region network of the distributed computing system, the service comprising the first service endpoint, a second service endpoint having a target domain name of the target zone, and the dual-headed certificate associated with the first service endpoint and the second service endpoint; and sending, by the manager service to the service executing within the region network of the distributed computing system, an endpoint migration instruction comprising information usable by the service to stop accepting network traffic corresponding to the first service endpoint.
- 2. The computer-implemented method of claim 1, wherein the endpoint migration instruction further comprises information usable by the service to remove the first service endpoint comprising the original domain name.
- 3. The computer-implemented method of claim 1, further comprising sending, by the manager service, an additional instruction to the service executing within the distributed computing system to obtain the dual-headed certificate from the DNS service.
- 4. The computer-implemented method of claim 1, further comprising: receiving, by the manager service, an indication from the service that network traffic within the distributed computing system is directed to the second service endpoint; and responsive to the indication, sending, by the manager service, an additional request to the DNS service to stop registering original domain names of the original zone.
- 5. The computer-implemented method of claim 4, further comprising sending, by the manager service, a further request to the DNS service to delete the original zone.
- 6. The computer-implemented method of claim 1, further comprising: prior to sending the endpoint migration instruction, waiting, by the manager service, a time duration exceeding a threshold time duration for network traffic within the distributed computing system to be directed to the second service endpoint; and responsive to the time duration exceeding the threshold time duration, sending, by the manager service, the endpoint migration instruction.
- 7. The computer-implemented method of claim 1, further comprising: sending, by the manager service, an additional instruction to the certificate service to have the dual-headed certificate signed by a certificate authority associated with the region network of the distributed computing system.
- 8. A distributed computing system, comprising: one or more processors; and one or more memories storing computer-executable instructions that, when executed by the one or more processors, cause the distributed computing system to: receive, by a manager service executing in the distributed computing system, an indication that a region network of the distributed computing system has completed region build operations in a data center, the region network previously configured in another data center to execute a service comprising a first service endpoint having an original domain name of an original zone; responsive to the indication, send, by the manager service, a request to a domain name system (DNS) service to generate a target zone comprising target domain names for second service endpoints within the region network of the distributed computing system; send, by the manager service, an instruction to a certificate service to provide a dual-headed certificate in response to a certificate request from the service executing within the region network of the distributed computing system, the service comprising the first service endpoint, a second service endpoint having a target domain name of the target zone, and the dual-headed certificate associated with the first service endpoint and the second service endpoint; and send, by the manager service to the service executing within the region network of the distributed computing system, an endpoint migration instruction comprising information usable by the service to stop accepting network traffic corresponding to the first service endpoint.
- 9. The distributed computing system of claim 8, wherein the endpoint migration instruction further comprises information usable by the service to remove the first service endpoint comprising the original domain name.
- 10. The distributed computing system of claim 8, wherein the one or more memories store additional instructions that, when executed by the one or more processors, cause the distributed computing system to further send, by the manager service, an additional instruction to the service executing within the distributed computing system to obtain the dual-headed certificate from the DNS service.
- 11. The distributed computing system of claim 8, wherein the one or more memories store additional instructions that, when executed by the one or more processors, cause the distributed computing system to further: receive, by the manager service, an indication from the service that network traffic within the distributed computing system is directed to the second service endpoint; and responsive to the indication, send, by the manager service, an additional request to the DNS service to stop registering original domain names of the original zone.
- 12. The distributed computing system of claim 11, wherein the one or more memories store additional instructions that, when executed by the one or more processors, cause the distributed computing system to further send, by the manager service, a further request to the DNS service to delete the original zone.
- 13. The distributed computing system of claim 8, wherein the one or more memories store additional instructions that, when executed by the one or more processors, cause the distributed computing system to further: prior to sending the endpoint migration instruction, wait, by the manager service, a time duration exceeding a threshold time duration for network traffic within the distributed computing system to be directed to the second service endpoint; and responsive to the time duration exceeding the threshold time duration, send, by the manager service, the endpoint migration instruction.
- 14. The distributed computing system of claim 8, wherein the one or more memories store additional instructions that, when executed by the one or more processors, cause the distributed computing system to further: sending, by the manager service, an additional instruction to the certificate service to have the dual-headed certificate signed by a certificate authority associated with the region network of the distributed computing system.
- 15. A non-transitory computer-readable medium storing computer-executable instructions that, when executed by one or more processors, cause a distributed computing system to: receive, by a manager service executing in the distributed computing system, an indication that a region network of the distributed computing system has completed region build operations in a data center, the region network previously configured in another data center to execute a service comprising a first service endpoint having an original domain name of an original zone; responsive to the indication, send, by the manager service, a request to a domain name system (DNS) service to generate a target zone comprising target domain names for second service endpoints within the region network of the distributed computing system; send, by the manager service, an instruction to a certificate service to provide a dual-headed certificate in response to a certificate request from the service executing within the region network of the distributed computing system, the service comprising the first service endpoint, a second service endpoint having a target domain name of the target zone, and the dual-headed certificate associated with the first service endpoint and the second service endpoint; and send, by the manager service to the service executing within the region network of the distributed computing system, an endpoint migration instruction comprising information usable by the service to stop accepting network traffic corresponding to the first service endpoint.
- 16. The non-transitory computer-readable medium of claim 15, wherein the endpoint migration instruction further comprises information usable by the service to remove the first service endpoint comprising the original domain name.
- 17. The non-transitory computer-readable medium of claim 15, storing additional instructions that, when executed by the one or more processors, cause the distributed computing system to further send, by the manager service, an additional instruction to the service executing within the distributed computing system to obtain the dual-headed certificate from the DNS service.
- 18. The non-transitory computer-readable medium of claim 15, storing additional instructions that, when executed by the one or more processors, cause the distributed computing system to further: receive, by the manager service, an indication from the service that network traffic within the distributed computing system is directed to the second service endpoint; and responsive to the indication, send, by the manager service, an additional request to the DNS service to stop registering original domain names of the original zone.
- 19. The non-transitory computer-readable medium of claim 18, storing additional instructions that, when executed by the one or more processors, cause the distributed computing system to further send, by the manager service, a further request to the DNS service to delete the original zone.
- 20. The non-transitory computer-readable medium of claim 15, storing additional instructions that, when executed by the one or more processors, cause the distributed computing system to further: prior to sending the endpoint migration instruction, wait, by the manager service, a time duration exceeding a threshold time duration for network traffic within the distributed computing system to be directed to the second service endpoint; and responsive to the time duration exceeding the threshold time duration, send, by the manager service, the endpoint migration instruction.
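The rotation sequence recited in claims 1 and 4 to 6, sketched as an added example that is not code from the patent or its assignee: a manager-side gate that returns the one action that is safe to take next and refuses to cut over until the certificate's subject alternative names cover both endpoint names. The state fields, action names, sample domain names, and the ordering of zone retirement after the first endpoint is stopped are assumptions of this sketch.

```python
from dataclasses import dataclass

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may replace only the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def is_dual_headed(sans, original: str, target: str) -> bool:
    """True only when the SAN list covers both the original and target names."""
    return all(any(san_matches(s, n) for s in sans) for n in (original, target))

@dataclass
class RotationState:  # hypothetical snapshot held by the manager service
    target_zone_ready: bool = False
    cert_sans: tuple = ()
    secs_waited: int = 0                       # since the target endpoint went live
    first_endpoint_stopped: bool = False
    traffic_on_target_confirmed: bool = False  # indication sent by the service
    original_registration_stopped: bool = False
    original_zone_deleted: bool = False

def next_step(s: RotationState, original: str, target: str, threshold_secs: int) -> str:
    """Return the single action that is safe to take from state s."""
    if not s.target_zone_ready:
        return "create_target_zone"
    if not is_dual_headed(s.cert_sans, original, target):
        return "issue_dual_headed_cert"   # never cut over on a single-name cert
    if not s.first_endpoint_stopped:
        if s.secs_waited <= threshold_secs:
            return "wait"                 # duration must exceed the threshold
        return "send_endpoint_migration_instruction"
    if not s.traffic_on_target_confirmed:
        return "wait"                     # keep the original zone resolvable
    if not s.original_registration_stopped:
        return "stop_registering_original_names"
    if not s.original_zone_deleted:
        return "delete_original_zone"
    return "done"

# Constructed sample names (assumptions, not from the patent).
ORIGINAL, TARGET = "api.prefab.example", "api.region1.example"
```
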
Description
CROSS REFERENCES TO RELATED APPLICATIONS
The present application is related to the following applications, the entire contents of which are incorporated herein by reference for all purposes:
(1) U.S. Non-Provisional application Ser. No. 18/122,674, filed on Mar. 16, 2023, entitled “TECHNIQUES FOR BUILDING CLOUD REGIONS AT A PREFAB FACTORY”;
(2) U.S. Non-Provisional application Ser. No. 18/122,676, filed on Mar. 16, 2023, entitled “STATIC NETWORK FABRIC AT A PREFAB FACTORY”;
(3) U.S. Non-Provisional application Ser. No. 18/122,677, now U.S. Pat. No. 12,493,457, filed on Mar. 16, 2023, entitled “MOBILE PREFAB FACTORY FOR BUILDING CLOUD REGIONS”;
(4) U.S. Non-Provisional application Ser. No. 18/122,678, filed on Mar. 16, 2023, entitled “TECHNIQUES FOR A CABLE TERMINATION PROTECTION APPARATUS IN A PREFAB FACTORY”;
(5) U.S. Non-Provisional application Ser. No. 18/122,675, now U.S. Pat. No. 12,481,795, filed on Mar. 16, 2023, entitled “TECHNIQUES FOR VALIDATING CLOUD REGIONS BUILT AT A PREFAB FACTORY”; and
(6) U.S. Non-Provisional application Ser. No. 18/215,632, now U.S. Pat. No. 12,483,530, filed on Jun. 28, 2023, entitled “TECHNIQUES FOR ROTATING NETWORK ADDRESSES IN PREFAB REGIONS.”
BACKGROUND
A cloud infrastructure provider may operate one or more data centers in geographic areas around the world. A “region” is a logical abstraction around a collection of the computing, storage, and networking resources of the data centers of a given geographical area that are used to provide the cloud computing infrastructure. Building new regions can include provisioning the computing resources, configuring infrastructure, and deploying code to those resources, typically over network connections to the data centers. However, building regions with physical resources located at the final destination data center sites requires significant preparation work at the data centers that can complicate the logistics and scheduling of completing the building of a region.
BRIEF SUMMARY
Embodiments of the present disclosure relate to automatically building a region using a prefab factory. A prefab factory may be a facility dedicated to configuring computing devices, networking devices, and other physical resources for delivery to a destination site (e.g., a destination region - one or more data centers in a geographic area, a customer facility, etc.). Operations for building a region can include bootstrapping (e.g., provisioning and/or deploying) resources (e.g., infrastructure components, artifacts, etc.) for any suitable number of services available from the region when delivered to the destination. Once the physical resources have been configured at the prefab factory, they may be shipped to the destination site, installed at the destination data center, and have final configurations and other software resources deployed to the physical resources. Resources used for bootstrapping (e.g., software artifacts, software images, etc.) may be provided in a bootstrapping environment in an existing region (e.g., one or more data centers of a host region). The host region can be selected based on network proximity to the prefab factory, and in a complementary fashion, the prefab factory may be sited to have high performance network connectivity to one or more host regions to support the bootstrapping environment. Building the region may be orchestrated by one or more cloud-based services that can manage the inventory of physical computing devices used to build regions in the prefab factory, generate and specify the configurations of regions to be built in the prefab factory, manage the bootstrapping of the regions, configure the regions for transmission to a destination site, and test and verify the physical resources after the physical resources have been installed at the destination site.
A prefab region may be built to meet a specific customer's configuration preferences (built-to-order) or built to a common specification that may be further customized during installation at a specific customer's site (built-to-stock). One embodiment is directed to a computer-implemented method for rotating service endpoints within a region network after or during installation at a destination site. The method can be performed by a manager service executing on one or more computing devices of a distributed computing system. The method can include the manager service sending a request to a domain name system (DNS) service to generate a target zone for the service endpoint rotation operation. Like the manager service, the DNS service can be executing on one or more computing devices. A service endpoint can be an identifier usable to direct network traffic to one or more computing nodes hosting a service within a network, for example, a region network. The service endpoint can include both a domain name and a corresponding certificate attesting to the service's valid control and/or ownership of the domain name. The target zone can include target domain names for sec