US 11,838,325 B2
Elastic policy scaling in multi-cloud fabrics
Rajagopalan Janakiraman, Cupertino, CA (US); Sivakumar Ganapathy, Fremont, CA (US); Prashanth Matety, Fremont, CA (US); and Patel Amitkumar Valjibhai, Fremont, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Oct. 20, 2021, as Appl. No. 17/506,553.
Application 17/506,553 is a continuation of application No. 16/105,822, filed on Aug. 20, 2018, granted, now 11,159,569.
Prior Publication US 2022/0046061 A1, Feb. 10, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 12/46 (2006.01); H04L 12/66 (2006.01); H04L 41/0893 (2022.01); H04L 67/10 (2022.01)
CPC H04L 63/20 (2013.01) [H04L 12/46 (2013.01); H04L 12/4641 (2013.01); H04L 12/66 (2013.01); H04L 41/0893 (2013.01); H04L 63/0263 (2013.01); H04L 63/101 (2013.01); H04L 67/10 (2013.01); H04L 63/0272 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method, comprising:
deploying a cluster of policy agents on a virtual private cloud that interconnects a plurality of virtual private clouds, the virtual private cloud and the plurality of virtual private clouds residing in a cloud associated with a multi-cloud fabric;
mapping endpoints in the plurality of virtual private clouds to the policy agents in the cluster based on one or more common attributes;
distributing security policies for traffic associated with the endpoints across the policy agents in the cluster based on the mapping of endpoints to the policy agents in the cluster, wherein the security policies comprise groups of security policies defined for traffic associated with respective subsets of the endpoints, and wherein each group of security policies is deployed on a respective policy agent that is mapped to a respective subset of the endpoints;
advertising, by each respective policy agent in the cluster to a respective first set of virtual gateways in the plurality of virtual private clouds, one or more routes associated with the respective subset of the endpoints mapped to the respective policy agent;
based on border gateway protocol (BGP) route maps, preventing each respective policy agent in the cluster from advertising, to a plurality of virtual gateways in the plurality of virtual private clouds, routes associated with a respective second set of virtual gateways in the plurality of virtual private clouds;
in response to the respective policy agent receiving traffic associated with one or more of the endpoints, applying, via the respective policy agent, one or more of the group of security policies deployed on the respective policy agent;
identifying a plurality of external prefixes associated with a set of endpoints residing outside of a particular spoke virtual private cloud from a plurality of spoke virtual private clouds;
aggregating the plurality of external prefixes into a single external prefix that falls outside of a scope of a respective prefix associated with the particular spoke virtual private cloud; and
configuring one or more endpoints in the particular spoke virtual private cloud to apply a permit rule for traffic matching the single external prefix.
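As an added illustration that is not part of the patent record, two steps of claim 1 modelled in Python: mapping endpoints to policy agents by a shared attribute, and aggregating the external prefixes of a spoke into one prefix that must stay outside the spoke's own scope. The VPC prefixes, endpoint names and the hash-based agent assignment are assumptions for the example.

```python
"""Constructed example of the claim's mapping and aggregation steps.
All prefixes, endpoint names and attribute values are made-up samples."""
import hashlib
import ipaddress
from typing import Dict, List, Sequence


def map_endpoints_to_agents(endpoints: Dict[str, Dict[str, str]],
                            attribute: str, agent_count: int) -> Dict[int, List[str]]:
    """Assign every endpoint sharing the same value of `attribute` to one agent.

    A stable digest (not Python's randomised hash()) picks the agent, so the
    group of policies for that attribute value lives on exactly one agent.
    The hashing scheme is an assumption, not something the claim specifies."""
    groups: Dict[int, List[str]] = {i: [] for i in range(agent_count)}
    for name, attrs in sorted(endpoints.items()):
        digest = hashlib.sha256(attrs[attribute].encode()).digest()
        agent = int.from_bytes(digest[:4], "big") % agent_count
        groups[agent].append(name)
    return groups


def aggregate_external_prefixes(spoke_prefix: str,
                                external_prefixes: Sequence[str]) -> str:
    """Collapse the prefixes of endpoints outside the spoke into one supernet.

    The single prefix must not overlap the spoke's own prefix: a permit rule
    on an aggregate that also covers the spoke would admit intra-spoke traffic
    the spoke's policies were meant to control, so that case raises ValueError
    and the caller must fall back to per-prefix rules."""
    spoke = ipaddress.ip_network(spoke_prefix)
    nets = [ipaddress.ip_network(p) for p in external_prefixes]
    agg = nets[0]
    for net in nets[1:]:
        # Widen the aggregate one bit at a time until it contains this prefix.
        while not agg.supernet_of(net):
            agg = agg.supernet()
    if agg.overlaps(spoke):
        raise ValueError(f"aggregate {agg} overlaps spoke prefix {spoke}")
    return str(agg)


def permit_rule(spoke_prefix: str, external_prefixes: Sequence[str]) -> Dict[str, str]:
    """Build the single permit rule the spoke's endpoints would apply."""
    return {"action": "permit", "src": spoke_prefix,
            "dst": aggregate_external_prefixes(spoke_prefix, external_prefixes)}


if __name__ == "__main__":
    print(permit_rule("10.0.0.0/16", ["172.16.0.0/16", "172.17.0.0/16", "172.20.0.0/16"]))
```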