US 11,916,880 B1
Compiling firewall rules into executable programs
Stewart Allen, Seattle, WA (US); Dheerendra Talur, Sammamish, WA (US); Venkat Maithreya Paritala, Seattle, WA (US); Joseph Magerramov, Bellevue, WA (US); and Anthony Liguori, Bainbridge Island, WA (US)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Jun. 21, 2019, as Appl. No. 16/448,459.
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 9/455 (2018.01)
CPC H04L 63/0263 (2013.01) [G06F 9/45558 (2013.01); H04L 63/0236 (2013.01); H04L 63/101 (2013.01); G06F 2009/45595 (2013.01)] 19 Claims
OG exemplary drawing
 
1. A computer-implemented method comprising:
obtaining, at a firewall-controller system, a firewall rule for a firewall device to evaluate traffic communicated with a computing resource of a user, the firewall rule being defined in a first programming language, the firewall-controller system being a control plane system that is remote from the firewall device and the computing resource;
prior to the firewall rule being sent to the firewall device:
compiling, using a compiler associated with the firewall-controller system, the firewall rule from the first programming language into intermediate representation (IR) code in a second programming language; and
compiling, using the compiler, the IR code from the second programming language into byte code in a third programming language; and
sending the byte code representing the firewall rule from the firewall-controller system and to the firewall device that evaluates traffic communicated with the computing resource, the firewall device being configured to execute the byte code to implement the firewall,
wherein at least one of:
the computing resource comprises a virtual network of the user and the firewall rule comprises a network access control list (ACL) for the virtual network; or
the computing resource comprises a virtual machine (VM) instance and the firewall rule comprises a virtual firewall that filters network traffic for the VM instance.
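The claim above describes a pipeline in which a control-plane service, not the firewall device itself, turns a rule written in one language into an intermediate representation and then into byte code that the device executes. The following toy implementation is an added illustration of that structure; it is not Amazon's implementation or any code from the patent. The rule grammar, the IR shape, the opcode numbers and the packet dictionary are all constructed for this example. The device-side stage deliberately validates the program (known opcodes, complete operands, every rule terminated by an action) before running it, because byte code arriving from a remote control plane is an input to the data plane and should be checked like one.

```python
import ipaddress
import struct

# Protocol names accepted by the toy rule language (IANA protocol numbers).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

# Hypothetical opcodes for the byte code (constructed for this example).
OP_PROTO, OP_SRC, OP_DST, OP_DPORT, OP_ALLOW, OP_DENY = 0x01, 0x02, 0x03, 0x04, 0x10, 0x11
# Operand length per opcode; the device-side validator uses this to walk a program safely.
OPERAND_LEN = {OP_PROTO: 1, OP_SRC: 5, OP_DST: 5, OP_DPORT: 2, OP_ALLOW: 0, OP_DENY: 0}


def parse_rule(text):
    """Control plane, stage 1: rule text (first language) -> IR, a list of (op, arg) tuples.

    Grammar: <allow|deny> <tcp|udp|icmp|any> from <cidr|any> to <cidr|any> [port <n>]
    Each predicate becomes one tuple; the list always ends with the action tuple.
    """
    tok = text.split()
    if (len(tok) not in (6, 8) or tok[0] not in ("allow", "deny")
            or tok[2] != "from" or tok[4] != "to" or (len(tok) == 8 and tok[6] != "port")):
        raise ValueError(f"malformed rule: {text!r}")
    ir = []
    if tok[1] != "any":
        ir.append(("proto", PROTO_NUMBERS[tok[1]]))  # KeyError for unknown protocol names
    for op, cidr in (("src", tok[3]), ("dst", tok[5])):
        if cidr != "any":
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != 4:
                raise ValueError("toy byte code only encodes IPv4 prefixes")
            ir.append((op, net))
    if len(tok) == 8:
        port = int(tok[7])
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ir.append(("dport", port))
    ir.append((tok[0], None))  # terminal action for this rule
    return ir


def ir_to_bytecode(ir):
    """Control plane, stage 2: IR -> byte code (network byte order, fixed-width operands)."""
    out = bytearray()
    for op, arg in ir:
        if op == "proto":
            out += struct.pack("!BB", OP_PROTO, arg)
        elif op in ("src", "dst"):
            opcode = OP_SRC if op == "src" else OP_DST
            out += struct.pack("!B4sB", opcode, arg.network_address.packed, arg.prefixlen)
        elif op == "dport":
            out += struct.pack("!BH", OP_DPORT, arg)
        elif op in ("allow", "deny"):
            out.append(OP_ALLOW if op == "allow" else OP_DENY)
        else:
            raise ValueError(f"unknown IR op {op!r}")
    return bytes(out)


def compile_rules(rules):
    """Whole control-plane pipeline: rule texts -> one byte-code program, rules in order."""
    return b"".join(ir_to_bytecode(parse_rule(r)) for r in rules)


def is_well_formed(bytecode):
    """Device-side check before loading: only known opcodes, no truncated operands,
    and the program ends with an action so every rule is terminated."""
    pc, last = 0, None
    while pc < len(bytecode):
        op = bytecode[pc]
        if op not in OPERAND_LEN:
            return False
        pc += 1 + OPERAND_LEN[op]
        last = op
    return pc == len(bytecode) and last in (OP_ALLOW, OP_DENY)


def evaluate(bytecode, packet, default="deny"):
    """Firewall device: execute the byte code against one packet and return the decision.

    packet is a constructed dict: {"proto": int, "src": str, "dst": str, "dport": int|None}.
    Predicates AND together within a rule; the first rule whose predicates all hold decides.
    """
    if not is_well_formed(bytecode):
        raise ValueError("refusing to execute malformed program")
    pc, matched = 0, True
    while pc < len(bytecode):
        op = bytecode[pc]
        pc += 1
        if op == OP_PROTO:
            matched &= packet["proto"] == bytecode[pc]
            pc += 1
        elif op in (OP_SRC, OP_DST):
            addr, plen = struct.unpack_from("!4sB", bytecode, pc)
            pc += 5
            net = ipaddress.IPv4Network((ipaddress.IPv4Address(addr), plen), strict=False)
            matched &= ipaddress.IPv4Address(packet["src" if op == OP_SRC else "dst"]) in net
        elif op == OP_DPORT:
            (port,) = struct.unpack_from("!H", bytecode, pc)
            pc += 2
            matched &= packet.get("dport") == port
        else:  # OP_ALLOW or OP_DENY: end of the current rule
            if matched:
                return "allow" if op == OP_ALLOW else "deny"
            matched = True  # start the next rule with a clean slate
    return default  # no rule matched: fall back to the device's default policy


# Constructed sample policy: two allow rules followed by a catch-all deny.
RULES = [
    "allow tcp from 10.0.0.0/8 to any port 443",
    "allow udp from any to 192.168.1.0/24 port 53",
    "deny any from any to any",
]

if __name__ == "__main__":
    program = compile_rules(RULES)
    print(f"{len(program)} bytes of byte code: {program.hex()}")
    for pkt in ({"proto": 6, "src": "10.1.2.3", "dst": "1.2.3.4", "dport": 443},
                {"proto": 17, "src": "8.8.8.8", "dst": "192.168.2.5", "dport": 53}):
        print(pkt, "->", evaluate(program, pkt))
```

The split mirrors the claim's separation of concerns: `parse_rule` and `ir_to_bytecode` run where the compiler lives, and the device only needs `is_well_formed` and `evaluate`, neither of which knows the rule language at all. Keeping the byte code fixed-width makes the validator a single linear walk, which is the property a data-plane component wants before it trusts a program pushed from a remote control plane.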