US 11,671,400 B2
Defining and using service rules that reference endpoint group identifiers
Zhengsheng Zhou, Beijing (CN); Abhishek Raut, San Jose, CA (US); Jianjun Shen, Redwood City, CA (US); and Donghai Han, Beijing (CN)
Assigned to VMWARE, INC., Palo Alto, CA (US)
Filed by VMware, Inc., Palo Alto, CA (US)
Filed on Jun. 10, 2020, as Appl. No. 16/897,695.
Claims priority of application No. PCT/CN2020/082785 (WO), filed on Apr. 1, 2020.
Prior Publication US 2021/0314361 A1, Oct. 7, 2021
Int. Cl. H04L 61/50 (2022.01); H04L 49/00 (2022.01); H04L 61/103 (2022.01); H04L 12/66 (2006.01); H04L 45/42 (2022.01); G06F 9/455 (2018.01); G06F 9/50 (2006.01); G06F 9/54 (2006.01); H04L 9/40 (2022.01); H04L 41/0893 (2022.01); H04L 41/18 (2022.01); H04L 41/5041 (2022.01); H04L 41/50 (2022.01); H04L 67/10 (2022.01); H04L 12/46 (2006.01); H04L 67/1001 (2022.01); H04L 45/586 (2022.01)
CPC H04L 61/50 (2022.05) [G06F 9/45558 (2013.01); G06F 9/5083 (2013.01); G06F 9/54 (2013.01); G06F 9/547 (2013.01); H04L 12/4641 (2013.01); H04L 12/66 (2013.01); H04L 41/0893 (2013.01); H04L 41/18 (2013.01); H04L 41/5048 (2013.01); H04L 41/5077 (2013.01); H04L 45/42 (2013.01); H04L 45/586 (2013.01); H04L 49/70 (2013.01); H04L 61/103 (2013.01); H04L 63/0209 (2013.01); H04L 63/0218 (2013.01); H04L 63/0263 (2013.01); H04L 63/0272 (2013.01); H04L 63/20 (2013.01); H04L 67/10 (2013.01); H04L 67/1001 (2022.05); G06F 9/5077 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45562 (2013.01); G06F 2009/45595 (2013.01)] 15 Claims
OG exemplary drawing
 
1. A non-transitory machine readable medium storing a program for specifying service rules for middlebox service nodes to perform in a set of one or more datacenters, the program comprising sets of instructions for:
receiving an intent-based API (Application Programming Interface) request that specifies a set of one or more service policies by reference to one dynamic group of endpoint machines, said API request referring to resources that are defined by reference to (i) a first Custom Resource Definition (CRD) that defines a security policy as a first custom-specified resource in the datacenter set and (ii) a second CRD that defines the dynamic endpoint-machine group as a second custom-specified resource in the datacenter set, said API request identifying a set of two or more virtual interfaces (VIFs) that are members of the dynamic endpoint-machine group;
specifying, for each specified service policy, at least one service rule to implement the service policy, at least one specified service rule comprising a match criteria set defined by reference to the one dynamic group of endpoint machines, wherein the API request refers to the first and second CRDs in defining the set of service policies; and
distributing, to the middlebox service nodes, a set of one or more specified service rules along with a list of member VIFs of the dynamic endpoint-machine group referred to by the specified service rules, said middlebox service nodes using the distributed set of service rules to process data messages associated with the machines in the dynamic endpoint-machine group.
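The claim above describes a pipeline: a security-policy custom resource and an endpoint-group custom resource arrive via an intent-based API, the controller compiles service rules whose match criteria name the group rather than its members, and it distributes those rules together with the group's current VIF member list to the enforcement nodes. The following is an added illustration written for this page, not VMware's NSX or Antrea code and not taken from the patent; the CRD field names (`matchLabels`, `rules`, `from`/`to`), the VIF identifiers and the endpoint inventory are all constructed assumptions. It also shows two checks a practitioner would want that the claim does not spell out: a rule that references an undefined group fails closed at compile time, and a node with no matching rule drops the message rather than forwarding it.

```python
"""Added example (not VMware's code): compiling intent-based security
policy and endpoint-group custom resources into service rules that
reference group identifiers, plus the separate group membership list a
middlebox node needs to enforce them.

All CRD field names, VIF identifiers and the endpoint inventory below
are constructed for illustration; the page does not reproduce the real
CRD schemas.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    vif: str       # virtual interface identifier (constructed)
    labels: tuple  # ((key, value), ...) so the dataclass stays hashable


def ep(vif, **labels):
    return Endpoint(vif, tuple(sorted(labels.items())))


# Constructed inventory of endpoint machines in the datacenter set.
INVENTORY = [
    ep("vif-1001", app="web", tier="frontend"),
    ep("vif-1002", app="web", tier="frontend"),
    ep("vif-2001", app="db", tier="backend"),
    ep("vif-3001", app="mon", tier="ops"),
]

# Constructed custom resources. Field names are assumptions, not the real CRDs.
GROUP_CRS = [
    {"kind": "EndpointGroup", "metadata": {"name": "web"},
     "spec": {"selector": {"matchLabels": {"app": "web"}}}},
    {"kind": "EndpointGroup", "metadata": {"name": "db"},
     "spec": {"selector": {"matchLabels": {"app": "db"}}}},
]
POLICY_CR = {
    "kind": "SecurityPolicy", "metadata": {"name": "web-to-db"},
    "spec": {"rules": [
        {"from": "web", "to": "db", "protocol": "tcp", "port": 5432, "action": "allow"},
        {"from": "any", "to": "db", "protocol": "tcp", "port": 5432, "action": "drop"},
    ]},
}


def resolve_group(group_cr, inventory):
    """Dynamic membership: VIFs whose labels contain every selector label."""
    want = group_cr["spec"]["selector"]["matchLabels"].items()
    return sorted(e.vif for e in inventory if all(kv in e.labels for kv in want))


def compile_policy(policy_cr, group_names):
    """Service rules whose match criteria name the group, not its members.

    An unknown group reference fails closed here instead of compiling to a
    rule that silently matches nothing (or, worse, everything).
    """
    rules = []
    for i, r in enumerate(policy_cr["spec"]["rules"]):
        for side in ("from", "to"):
            if r[side] != "any" and r[side] not in group_names:
                raise ValueError(f"rule {i}: unknown group {r[side]!r}")
        rules.append({"id": f"{policy_cr['metadata']['name']}-{i}",
                      "src_group": r["from"], "dst_group": r["to"],
                      "protocol": r["protocol"], "port": r["port"],
                      "action": r["action"]})
    return rules


def build_distribution(policy_cr, group_crs, inventory):
    """What the controller pushes to middlebox nodes: rules plus member lists."""
    groups = {g["metadata"]["name"]: resolve_group(g, inventory) for g in group_crs}
    return {"rules": compile_policy(policy_cr, set(groups)), "groups": groups}


def evaluate(dist, src_vif, dst_vif, protocol, port):
    """First-match enforcement on a node; no matching rule means drop."""
    def in_group(name, vif):
        return name == "any" or vif in dist["groups"].get(name, [])
    for r in dist["rules"]:
        if (in_group(r["src_group"], src_vif) and in_group(r["dst_group"], dst_vif)
                and r["protocol"] == protocol and r["port"] == port):
            return r["action"]
    return "drop"


if __name__ == "__main__":
    dist = build_distribution(POLICY_CR, GROUP_CRS, INVENTORY)
    print(evaluate(dist, "vif-1001", "vif-2001", "tcp", 5432))  # allow
    print(evaluate(dist, "vif-3001", "vif-2001", "tcp", 5432))  # drop
    # A new web VM changes only the member list; the compiled rules are unchanged.
    grown = build_distribution(POLICY_CR, GROUP_CRS, INVENTORY + [ep("vif-1003", app="web")])
    print(grown["rules"] == dist["rules"], grown["groups"]["web"])
```

The point of separating `rules` from `groups` in the distributed payload is the one the claim turns on: when an endpoint joins or leaves the group, the controller re-resolves the selector and pushes a new member list, but the rules referencing the group identifier do not have to be recompiled or redistributed.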