CPC G06F 9/45558 (2013.01) [G06F 9/4856 (2013.01); G06F 9/5077 (2013.01); G06F 9/546 (2013.01)]
20 Claims
1. A computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising:
receiving, from a first virtual machine operating at a first host machine, a request to communicate with a second virtual machine operating at a second host machine;
in response to the request:
generating a token for communication from the first virtual machine to the second virtual machine, wherein the token is based on (i) a secret key of the first virtual machine, (ii) an IP address of the second host machine, (iii) an identifier of a port on the second host machine reserved for receiving traffic directed to the second virtual machine, and (iv) an expiry indicating a validity period of the token;
establishing a virtual network pair between the first virtual machine and the second virtual machine using the token, the virtual network pair creating a unidirectional Internet Protocol (IP) tunnel from the first virtual machine to the second virtual machine;
updating a routing table to include the established virtual network pair;
receiving a request to transmit a data packet from the first virtual machine to the second virtual machine;
retrieving, using the routing table:
a first IP address associated with the first virtual machine; and
a second IP address comprising the IP address of the second virtual machine;
encapsulating, using the first IP address and the second IP address, the data packet and the token;
transmitting the encapsulated data packet and the encapsulated token from the first virtual machine to the second virtual machine using the IP tunnel; and
sending subsequent packets from the first virtual machine to the second virtual machine using the IP tunnel until the expiry is no longer valid.
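Added example (not part of the patent text): one way to realize the token, encapsulation and expiry steps of claim 1 in Python. The claim does not specify how the token is derived, so HMAC-SHA256 over the second host's IP, the reserved port and the expiry, keyed with the first VM's secret key, is an assumption here, as are the IPv4-only outer header layout and the receiving host being able to verify with the same key.

```python
import hmac
import hashlib
import struct
import ipaddress

TOKEN_LEN = 8 + 32  # 8-byte expiry (seconds since epoch) + 32-byte HMAC-SHA256


def generate_token(secret_key: bytes, host_ip: str, port: int, expiry: int) -> bytes:
    """Token bound to (secret key, second host IP, reserved port, expiry).
    Assumed construction: expiry || HMAC-SHA256(key, host_ip || port || expiry)."""
    msg = ipaddress.ip_address(host_ip).packed + struct.pack("!HQ", port, expiry)
    return struct.pack("!Q", expiry) + hmac.new(secret_key, msg, hashlib.sha256).digest()


def verify_token(secret_key: bytes, host_ip: str, port: int, token: bytes, now: int) -> bool:
    """Receiver-side check: right length, not yet expired, MAC matches (constant-time)."""
    if len(token) != TOKEN_LEN:
        return False
    expiry = struct.unpack("!Q", token[:8])[0]
    if now >= expiry:
        return False
    expected = generate_token(secret_key, host_ip, port, expiry)
    return hmac.compare_digest(expected, token)


def encapsulate(src_ip: str, dst_ip: str, token: bytes, packet: bytes) -> bytes:
    """Outer header (IPv4 assumed): src VM IP (4) | dst VM IP (4) | token len (2) | token | packet."""
    return (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!H", len(token)) + token + packet)


def decapsulate(frame: bytes):
    """Inverse of encapsulate(); returns (src VM IP, dst VM IP, token, inner packet)."""
    src = str(ipaddress.ip_address(frame[0:4]))
    dst = str(ipaddress.ip_address(frame[4:8]))
    tlen = struct.unpack("!H", frame[8:10])[0]
    return src, dst, frame[10:10 + tlen], frame[10 + tlen:]


class Tunnel:
    """One unidirectional tunnel entry, as it would sit in the routing table."""

    def __init__(self, key, src_vm_ip, dst_vm_ip, dst_host_ip, dst_port, expiry):
        self.src_vm_ip, self.dst_vm_ip, self.expiry = src_vm_ip, dst_vm_ip, expiry
        self.token = generate_token(key, dst_host_ip, dst_port, expiry)

    def send(self, packet: bytes, now: int):
        """Encapsulated frame for this packet, or None once the expiry is no longer valid."""
        if now >= self.expiry:
            return None
        return encapsulate(self.src_vm_ip, self.dst_vm_ip, self.token, packet)
```

The receiving host rejects a token that is expired, was minted for a different host IP or port, or was produced with a different key, which is what binds the tunnel to the (host, port, expiry) triple in the claim.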