US-20260128986-A1 - STATELESS ADDRESS TRANSLATION FOR MULTI-TENANT CLOUD ENVIRONMENTS
Abstract
Methods and systems for stateless address translation in multi-tenant cloud environments are provided. Network traffic is received from a first tenant of a multi-tenant system. The received network traffic is associated with a first source host address of a first host allocated to the first tenant and a first destination host address of a first destination host associated with the network traffic. The first source and destination host addresses are provided as an input to a bi-directional address translation function that translates given host addresses to networking addresses and given networking addresses to host addresses. One or more outputs of the bi-directional address translation function are obtained, which include a first source networking address and a first destination networking address. The received network traffic of the first tenant is forwarded to a recipient device of the multi-tenant system via a network channel associated with the first tenant based on the first source networking address and the first destination networking address.
Inventors
- Liel Shoshan Hanegbi
- Tzah Oved
- Ron Yuval Efraim
- Mael Kimmerlin
Assignees
- MELLANOX TECHNOLOGIES, LTD.
Dates
- Publication Date: 20260507
- Application Date: 20251027
Claims (20)
- 1 . A networking device: a memory; and a set of one or more processors coupled to the memory, wherein the set of one or more processors is to perform operations comprising: receiving network traffic from a first tenant of a multi-tenant system, wherein the received network traffic is associated with a first source host address of a first source host allocated to the first tenant and a first destination host address of a first destination host associated with the network traffic; providing the first source host address and the first destination host address as an input to a bi-directional address translation function, wherein the bi-directional address translation function translates given host addresses to networking addresses and given networking addresses to host addresses; obtaining one or more outputs of the bi-directional address translation function, wherein the one or more outputs comprise a first source networking address associated with the first source host and a first destination networking address associated with the first destination host; and forwarding the received network traffic of the first tenant to the first destination host via a network channel associated with the first tenant based on the first source networking address and the first destination networking address.
- 2 . The networking device of claim 1 , wherein the operations further comprise: receiving additional network traffic directed to the first tenant, wherein the additional network traffic is associated with at least a second destination networking address; providing the second destination networking address as an additional input to the bi-directional address translation function; obtaining one or more additional outputs of the bi-directional address translation function, the one or more additional outputs comprising the first source host address associated with the networking device; and forwarding the received additional network traffic to the first host based on the first source host address.
- 3 . The networking device of claim 1 , wherein the operations further comprise: receiving additional network traffic associated with a second tenant associated with at least one of the first host or a second host, wherein the additional network traffic is associated with a second source host address of a second source host and a second destination host address of a second destination host associated with the network traffic; providing the second source host address and the second destination host address as an additional input to the bi-directional address translation function; obtaining one or more additional outputs of the bi-directional address translation function, the one or more additional outputs comprise a second source networking address associated with the first host and a second destination networking address associated with the second destination host; and forwarding the additional network traffic to an additional recipient device via an additional network channel associated with the second tenant based on the second source networking address and the second destination networking address.
- 4 . The networking device of claim 1 , wherein the bi-directional address translation function comprises at least one of a bit masking function, a prefix modification function, or a bit value flipping function.
- 5 . The networking device of claim 1 , wherein the operations further comprise: receiving an instruction from a networking controller to initiate an isolation mode at the networking device; transmitting a response to the received instruction indicating that the isolation mode at the networking device is initiated; and responsive to transmitting the response, receiving the bi-directional address translation function from the networking controller.
- 6 . The networking device of claim 5 , wherein the instruction from the networking controller comprises a firmware command for the networking device.
- 7 . The networking device of claim 5 , wherein the transmitted response to the received instruction comprises an indication of a set of networking device addresses associated with the networking device, and wherein at least one portion of the received bi-directional address translation function references one or more of the set of networking device addresses.
- 8 . The networking device of claim 1 , forwarding the received network traffic of the first host via the network channel comprises: updating a header of one or more network packets of the received network traffic to include the first source networking address as a source for the received network traffic and the first destination networking address as an endpoint for the received network traffic.
- 9 . The networking device of claim 8 , wherein the updated header comprises a tunnel header of the one or more network packets and the endpoint comprises a tunnel endpoint.
- 10 . The networking device of claim 1 , wherein the networking device has a first networking device type, and wherein an amount of power consumed by the networking device falls below a threshold amount of power, wherein the threshold amount of power corresponds to an amount of power consumed by networking devices having a second networking device type.
- 11 . The networking device of claim 10 , wherein the first networking device type is a simple NIC type and the second networking device type is an intelligent NIC type.
- 12 . The networking device of claim 1 , wherein the first source networking device comprises a first tunnel identifier and the first destination networking device comprises a second tunnel identifier.
- 13 . The networking device of claim 1 , wherein the networking device is comprised in at least one of: a control system for an autonomous or semi-autonomous machine; a perception system for an autonomous or semi-autonomous machine; a system for performing simulation operations; a system for performing digital twin operations; a system for performing light transport simulation; a system for performing collaborative content creation for three-dimensional (3D) assets; a system for performing deep learning operations; a system implemented using an edge device; a system implemented using a robot; a system for performing conversational AI operations; a system for performing operations using one or more large language models (LLMs); a system for performing operations using one or more small language models (SLMs); a system for performing operations using one or more vision language models (VLMs); a system for performing operations using one or more multi-modal language models (MMLMs); a system for performing synthetic data generation; a system for generating synthetic data using AI; a system for presenting at least one of virtual reality content, augmented reality content, or mixed reality content; a system incorporating one or more virtual machines (VMs); a system using or deploying one or more inference microservices; a system that incorporates one or more machine learning models deployed in a service or microservice along with an OS-level virtualization package; a system implemented at least partially in a data center; or a system implemented at least partially using cloud computing resources.
- 14 . A method comprising: receiving network traffic from a first tenant of a multi-tenant system, wherein the received network traffic is associated with a first source host address of a first source host allocated to the first tenant and a first destination host address of a first destination host associated with the network traffic; providing the first source host address and the first destination host address as an input to a bi-directional address translation function, wherein the bi-directional address translation function translates given host addresses to networking addresses and given networking addresses to host addresses; obtaining one or more outputs of the bi-directional address translation function, wherein the one or more outputs comprise a first source networking address associated with the first source host and a first destination networking address associated with the first destination host; and forwarding the received network traffic of the first tenant to the first destination host via a network channel associated with the first tenant based on the first source networking address and the first destination networking address.
- 15 . The method of claim 14 , further comprising: receiving additional network traffic directed to the first tenant, wherein the additional network traffic is associated with at least a second destination networking address; providing the second destination networking address as an additional input to the bi-directional address translation function; obtaining one or more additional outputs of the bi-directional address translation function, the one or more additional outputs comprising the first source host address associated with the networking device; and forwarding the received additional network traffic to the first host based on the first source host address.
- 16 . The method of claim 14 , further comprising: receiving additional network traffic associated with a second tenant associated with at least one of the first host or a second host, wherein the additional network traffic is associated with a second source host address of a second source host and a second destination host address of a second destination host associated with the network traffic; providing the second source host address and the second destination host address as an additional input to the bi-directional address translation function; obtaining one or more additional outputs of the bi-directional address translation function, the one or more additional outputs comprise a second source networking address associated with the first host and a second destination networking address associated with the second destination host; and forwarding the additional network traffic to an additional recipient device via an additional network channel associated with the second tenant based on the second source networking address and the second destination networking address.
- 17 . The method of claim 14 , wherein the bi-directional address translation function comprises at least one of a bit masking function, a prefix modification function, or a bit value flipping function.
- 18 . The method of claim 14 , further comprising: receiving an instruction from a networking controller to initiate an isolation mode at the networking device; transmitting a response to the received instruction indicating that the isolation mode at the networking device is initiated; and responsive to transmitting the response, receiving the bi-directional address translation function from the networking controller.
- 19 . The method of claim 18 , wherein the instruction from the networking controller comprises a firmware command for the networking device.
- 20 . A non-transitory computer readable medium comprising instructions that, when executed by a set of one or more processors, cause the set of one or more processors to perform operations comprising: receiving network traffic from a first tenant of a multi-tenant system, wherein the received network traffic is associated with a first source host address of a first source host allocated to the first tenant and a first destination host address of a first destination host associated with the network traffic; providing the first source host address and the first destination host address as an input to a bi-directional address translation function, wherein the bi-directional address translation function translates given host addresses to networking addresses and given networking addresses to host addresses; obtaining one or more outputs of the bi-directional address translation function, wherein the one or more outputs comprise a first source networking address associated with the first source host and a first destination networking address associated with the first destination host; and forwarding the received network traffic of the first tenant to the first destination host via a network channel associated with the first tenant based on the first source networking address and the first destination networking address.
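As an added illustration (not code from the patent or its assignee), the following shows one way a bi-directional, stateless translation function of the kind claim 4 describes can be composed from prefix modification and bit flipping, with a bit mask deciding which bits each step touches; the same function maps host addresses to networking addresses and back, so the device keeps no per-flow state. The tenant prefixes, flip keys and tunnel identifiers are constructed sample values, and the per-tenant channel is modelled as a tunnel identifier.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TenantTranslation:
    """Per-tenant parameters handed to the NIC by the network controller (assumed layout)."""
    host_prefix: ipaddress.IPv6Network   # addresses as the tenant's host sees them
    net_prefix: ipaddress.IPv6Network    # addresses used on the provider network
    flip_key: int                        # XOR key applied to the bits outside the prefix
    tunnel_id: int                       # tenant's network channel (tunnel identifier)

    def __post_init__(self):
        # The prefix mask must be the same in both directions for the swap to be invertible.
        if self.host_prefix.prefixlen != self.net_prefix.prefixlen:
            raise ValueError("host and network prefixes must have equal length")

    def translate(self, addr):
        """Stateless bi-directional mapping. Returns None (drop) if the address
        belongs to neither of this tenant's prefixes, which is how cross-tenant
        traffic is kept out of the channel."""
        addr = ipaddress.IPv6Address(addr)
        mask = int(self.host_prefix.netmask)          # bit mask: prefix bits vs host bits
        if addr in self.host_prefix:                   # prefix modification, host -> network
            new_prefix = int(self.net_prefix.network_address)
        elif addr in self.net_prefix:                  # prefix modification, network -> host
            new_prefix = int(self.host_prefix.network_address)
        else:
            return None
        # Bit flipping on the host bits only; XOR with a fixed key is its own inverse.
        suffix = (int(addr) & ~mask) ^ (self.flip_key & ~mask)
        return ipaddress.IPv6Address(new_prefix | suffix)

def egress(t, src_host, dst_host):
    """Tenant -> network: translate both addresses, then pick the tenant's channel."""
    s, d = t.translate(src_host), t.translate(dst_host)
    if s is None or d is None:
        return None
    return str(s), str(d), t.tunnel_id

def ingress(t, dst_net):
    """Network -> tenant: recover the host address a packet should be delivered to."""
    h = t.translate(dst_net)
    return None if h is None else str(h)

# Constructed sample tenants: both use the same overlapping host range fd00::/64.
TENANT_A = TenantTranslation(ipaddress.IPv6Network("fd00::/64"),
                             ipaddress.IPv6Network("2001:db8:a::/64"), 0xABCD, 100)
TENANT_B = TenantTranslation(ipaddress.IPv6Network("fd00::/64"),
                             ipaddress.IPv6Network("2001:db8:b::/64"), 0x1234, 200)

if __name__ == "__main__":
    print(egress(TENANT_A, "fd00::5", "fd00::9"))   # distinct from tenant B's mapping
    print(egress(TENANT_B, "fd00::5", "fd00::9"))
    print(ingress(TENANT_A, "2001:db8:b::1231"))    # None: tenant B's address, dropped
```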
Description
RELATED APPLICATIONS
This application claims benefit of the U.S. Provisional Patent Application 63/716,859 filed Nov. 6, 2024, the contents of which are incorporated in their entirety by reference herein.
TECHNICAL FIELD
Aspects and implementations of the present disclosure relate to methods and systems for stateless address translation in multi-tenant cloud environments.
BACKGROUND
In a multi-tenant system, bare metal isolation refers to the enforcement of strict network and resource separation between different tenants that are each allocated dedicated computing resources (referred to as bare metal hosts). Unlike virtualized environments, where the cloud provider can rely on hypervisors to enforce isolation, bare metal tenancy presents unique challenges, as the provider does not control the tenant's operating system or stack software. Accordingly, networking devices of the multi-tenant system are configured to prevent network traffic originating from one tenant's host from reaching resources or network domains of another tenant.
BRIEF DESCRIPTION OF THE DRAWINGS
Aspects and implementations of the present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings of various aspects and implementations of the disclosure, which, however, should not be taken to limit the disclosure to the specific aspects or implementations, but are for explanation and understanding only.
- FIG. 1 is a block diagram of an example system architecture, according to at least one embodiment.
- FIG. 2 is a block diagram of an example networking device and an example network controller of a multi-tenant system, according to at least one embodiment.
- FIG. 3 illustrates a flow diagram of an example method for stateless address translation in multi-tenant cloud environments, according to at least one embodiment.
- FIG. 4 illustrates a flow diagram of another example method for stateless address translation in multi-tenant cloud environments, according to at least one embodiment.
- FIG. 5A illustrates hardware structures for inference and/or training logic, according to at least one embodiment.
- FIG. 5B illustrates hardware structures for inference and/or training logic, according to at least one embodiment.
- FIG. 6 illustrates an example data center system, according to at least one embodiment.
- FIG. 7 illustrates a computer system, according to at least one embodiment.
- FIG. 8 illustrates a computer system, according to at least one embodiment.
- FIG. 9 illustrates at least portions of a graphics processor, according to one or more embodiments.
- FIG. 10 illustrates at least portions of a graphics processor, according to one or more embodiments.
- FIG. 11 is an example data flow diagram for an advanced computing pipeline, in accordance with at least one embodiment.
- FIG. 12 is a system diagram for an example system for training, adapting, instantiating and deploying machine learning models in an advanced computing pipeline, in accordance with at least one embodiment.
- FIGS. 13A and 13B illustrate a data flow diagram for a process to train a machine learning model, as well as client-server architecture to enhance annotation tools with pre-trained annotation models, in accordance with at least one embodiment.
DETAILED DESCRIPTION OF THE DRAWINGS
Aspects of the present disclosure generally relate to stateless address translation in multi-tenant cloud environments. In modern cloud computing environments, systems may allocate system resources (e.g., computing resources, such as servers) to different tenants. Such resources are referred to as bare-metal hosts. Each tenant may run its own operating system and applications directly on the resources of the bare-metal hosts, without the abstraction layer of a hypervisor or a virtual machine.
This approach is referred to as bare-metal tenancy and is increasingly popular for workloads that involve high performance, low latency, or specific hardware constraints. However, bare-metal tenancy introduces significant challenges for network security and management, particularly in multi-tenant data centers where many tenants may share the same physical infrastructure. For example, it is a challenge for systems to enforce strict isolation between tenants and ensure that network traffic from one tenant cannot access or interfere with the resources of another. Bare-metal isolation refers to mechanisms or techniques by a system that prevent network traffic originating from a first tenant's host from reaching the network domains or resources of a second tenant. In virtualized environments, isolation can be enforced by a hypervisor, which can control and filter network traffic at a software level. As a cloud system provider does not access or control a tenant's operating system or applications, the system provider is unable to rely on host-based controls for network isolation. Accordingly, the enforcement of tenant boundaries shifts to the network infrastructure, an