| CPC H04L 67/101 (2013.01) [G06F 9/5077 (2013.01); G06F 9/5083 (2013.01)] | 19 Claims |

1. A method for managing a segmentation policy, the method comprising:
obtaining a segmentation policy by a leader segmentation server, the segmentation policy comprising a set of permissive rules that specify permitted communications between a plurality of workloads, wherein communications between the plurality of workloads that are not explicitly allowed by the permissive rules are blocked;
pairing a first subset of paired workloads of the plurality of workloads with a first member segmentation server, wherein pairing includes storing workload descriptions associated with each of the first subset of paired workloads;
distributing, by the leader segmentation server, the segmentation policy to the first member segmentation server paired with the first plurality of paired workloads;
generating, by the first member segmentation server from the segmentation policy, first management instructions for controlling communications of the first subset of paired workloads, the first management instructions including a first subset of the permissive rules of the segmentation policy that specify permitted communications to or from the first subset of paired workloads;
distributing, by the first member segmentation server, the first management instructions to first operating system instances executing the first subset of paired workloads to enable the first operating system instances to configure respective local traffic filters of the first operating system instances to allow the communications permitted by the first management instructions and block communications that are not explicitly allowed by the first management instructions;
pairing a new workload with the first member segmentation server;
in response to the new workload being paired to the first member segmentation server, replicating copies of the workload descriptions associated with the first subset of paired workloads to the leader segmentation server and to a second member segmentation server;
in response to the new workload being paired to the first member segmentation server, generating, by the first member segmentation server, updated first management instructions for controlling communications of the first subset of paired workloads with the new workload in accordance with the segmentation policy, the updated first management instructions specifying permitted communications between the first subset of paired workloads and the new workload; and
distributing, by the first member segmentation server, the updated first management instructions to the first operating system instances to enable the first operating system instances to configure the respective local traffic filters to allow the communications permitted by the updated first management instructions and block communications that are not explicitly allowed by the first management instructions.
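The claim above describes an allow-list segmentation architecture: a leader holds the global policy, each member server derives the subset of rules that touch its own paired workloads, expands them into entries for the local traffic filter of each OS instance (everything else is dropped), and replication of workload descriptions is what lets a member resolve the far end of a rule. The following is an added toy model of that flow, not code from the patent or any product it covers; the class names, the label-based rule format, the IP-tuple filter entries and the choice to have peer members regenerate their instructions when they receive a replicated description are all assumptions made for the illustration.

```python
"""Toy model of leader/member segmentation servers pushing an allow-list
policy down to per-workload local traffic filters (added illustration;
names and data layout are assumptions, not the patent's)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Permissive rule: workloads labelled src_label may reach dst_label on port."""
    src_label: str
    dst_label: str
    port: int


@dataclass(frozen=True)
class Workload:
    """Workload description stored at pairing time and replicated to peers."""
    name: str
    label: str
    ip: str


class TrafficFilter:
    """Local filter of one OS instance: explicit allow entries, default deny."""

    def __init__(self):
        self.allow = set()  # (src_ip, dst_ip, port)

    def apply(self, instructions):
        self.allow = set(instructions)

    def permits(self, src_ip, dst_ip, port):
        return (src_ip, dst_ip, port) in self.allow  # anything else is blocked


class LeaderServer:
    def __init__(self, policy):
        self.policy = list(policy)
        self.members = []
        self.descriptions = {}  # replicated copies of every workload description

    def add_member(self, member):
        self.members.append(member)
        member.leader = self
        member.policy = list(self.policy)  # distribute the segmentation policy

    def replicate(self, workload, sender):
        """Store a copy at the leader and fan it out to the other members."""
        self.descriptions[workload.name] = workload
        for m in self.members:
            if m is not sender:
                m.receive_replica(workload)


class MemberServer:
    def __init__(self, name):
        self.name = name
        self.leader = None
        self.policy = []
        self.paired = {}        # name -> Workload paired with this member
        self.descriptions = {}  # own + replicated workload descriptions
        self.filters = {}       # name -> TrafficFilter of that OS instance

    def pair(self, workload):
        self.paired[workload.name] = workload
        self.descriptions[workload.name] = workload
        self.filters[workload.name] = TrafficFilter()
        self.leader.replicate(workload, sender=self)
        self.push_instructions()  # regenerate for all paired workloads

    def receive_replica(self, workload):
        # A peer paired a new workload; our own rules may now reference its IP.
        self.descriptions[workload.name] = workload
        self.push_instructions()

    def relevant_rules(self):
        """Subset of the policy that touches a workload paired with this member."""
        labels = {w.label for w in self.paired.values()}
        return [r for r in self.policy
                if r.src_label in labels or r.dst_label in labels]

    def instructions_for(self, wl):
        """Expand relevant rules into concrete allow entries for one workload."""
        entries = set()
        for r in self.relevant_rules():
            for other in self.descriptions.values():
                if other.name == wl.name:
                    continue
                if wl.label == r.src_label and other.label == r.dst_label:
                    entries.add((wl.ip, other.ip, r.port))
                if wl.label == r.dst_label and other.label == r.src_label:
                    entries.add((other.ip, wl.ip, r.port))
        return entries

    def push_instructions(self):
        for name, wl in self.paired.items():
            self.filters[name].apply(self.instructions_for(wl))


def build_demo():
    """Constructed scenario: two members, one policy, then a late-paired workload."""
    policy = [Rule("web", "db", 5432), Rule("lb", "web", 443)]
    leader = LeaderServer(policy)
    m1, m2 = MemberServer("m1"), MemberServer("m2")
    leader.add_member(m1)
    leader.add_member(m2)
    m1.pair(Workload("web1", "web", "10.0.1.1"))
    m2.pair(Workload("db1", "db", "10.0.2.1"))
    m1.pair(Workload("web2", "web", "10.0.1.2"))  # the "new workload" step
    return leader, m1, m2
```

Running `build_demo()` shows the two properties the claim relies on: `m2` only receives the web-to-db rule (the lb-to-web rule never touches its paired workloads), and `db1`'s filter gains an entry for `web2` only because `m1` replicated the new description to `m2`; the reverse direction (db to web on 5432) and any unlisted port stay blocked by the default-deny filter.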