Patent · US Active

Tag-based policy architecture

US10356128B1 · kind B1 · utility

Cited by: 16
References: 10
Claims: 15
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jul 27, 2017
Grant date: Jul 16, 2019
Priority date
Expiry date: Jul 27, 2037

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F9/455
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A tag-based policy architecture enforces information technology (IT) policy in a virtualized computing environment using cryptographically-verifiable metadata to authenticate compute resources coupled to a computer network and to authorize access to protected resources of the network. The compute resources are illustratively virtual machine instances (VMIs) provided by a virtual data center (VDC) of the environment, whereas the protected resources are illustratively virtualized storage, network and/or other compute resources of the VDC. Each VMI includes an intermediary manager, e.g., metavisor. The tag-based policy architecture includes an infrastructure having a centralized policy decision end point (e.g., a control plane of the VDC) and distributed policy enforcement endpoints (e.g., metavisors of the VMIs) to provide end-to-end passing of the cryptographically-verifiable metadata to (i) authorize instantiation of the VMIs at the control plane, and (ii) enforce access to the virtualized resources at the metavisors.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.