CN118696301A - Observability framework for multi-cloud infrastructure - Google Patents
Publication number: CN118696301A (application CN202380019796.2A)
Authority: CN (China)
Prior art keywords: cloud, cloud environment, service, customer, vcn
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Techniques are described for exporting observability data related to the execution of a service from a first cloud environment to a second cloud environment. The service is executed in the first cloud environment for a customer of the second cloud environment. Observability data associated with the execution of the service is collected in the first cloud environment for that customer; it includes one or more metrics associated with the execution. The observability data collected from the first cloud environment is transmitted to the second cloud environment so that users associated with the customer can access it via the second cloud environment.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a non-provisional application and claims the benefit of each of the provisional applications listed below. The entire contents of each of these provisional applications are incorporated herein by reference for all purposes.
(1) U.S. Provisional Application No. 63/306,007, filed on February 2, 2022;
(2) U.S. Provisional Application No. 63/306,918, filed on February 4, 2022;
(3) U.S. Provisional Application No. 63/321,614, filed on March 18, 2022;
(4) U.S. Provisional Application No. 63/333,965, filed on April 22, 2022;
(5) U.S. Provisional Application No. 63/336,811, filed on April 29, 2022;
(6) U.S. Provisional Application No. 63/339,297, filed on May 6, 2022;
(7) U.S. Provisional Application No. 63/350,212, filed on June 8, 2022; and
(8) U.S. Provisional Application No. 63/416,784, filed on October 17, 2022.
TECHNICAL FIELD
The present disclosure relates to cloud architecture, and more particularly to techniques for linking two cloud environments so that users of one cloud environment can use services provided by the other.
BACKGROUND
Adoption of cloud services has risen sharply over the past few years, and the trend will only continue. Different cloud environments are offered by different cloud service providers (CSPs), each providing a set of one or more cloud services. The set of cloud services provided by a cloud environment may include one or more types of service, including but not limited to software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) services.
Although a variety of cloud environments are available today, each provides a closed ecosystem for its subscribing customers. Customers of a cloud environment are therefore limited to the services that environment provides. For a customer subscribed to the cloud environment of one CSP, there is no easy way to use, via that environment, services offered in a different cloud environment of a different CSP. The embodiments discussed herein address these and other problems.
SUMMARY
The present disclosure relates generally to improved cloud architectures, and more specifically to techniques for linking two clouds so that users of one cloud environment can use services provided by a different cloud environment. Various embodiments are described, including methods, systems, non-transitory computer-readable storage media storing programs, code or instructions executable by one or more processors, and the like. Some embodiments may be implemented by a computer program product comprising a computer program or instructions which, when executed by a processor, cause the processor to perform any of the methods described in this disclosure.
Embodiments of the present disclosure provide a multi-cloud control plane (MCCP) framework that can deliver the services of a particular cloud network (e.g., Oracle Cloud Infrastructure (OCI)) to users on other clouds (e.g., Microsoft Azure). The MCCP framework allows users of one or more other cloud environments to access the services of a cloud environment (e.g., PaaS services) while providing a user experience as close as possible to that of the user's native cloud environment(s). The key value proposition of MCCP is that customers can experience the full data plane capabilities of the services from within an external cloud.
One embodiment of the present disclosure is directed to a method comprising: executing, in a first cloud environment, a service provided by the first cloud environment, the service being executed for a customer of a second cloud environment; collecting, in the first cloud environment, observability data associated with executing the service in the first cloud environment for the customer of the second cloud environment, the observability data comprising one or more metrics associated with the execution; and transmitting the observability data collected from the first cloud environment to the second cloud environment so that a user associated with the customer of the second cloud environment can access the observability data via the second cloud environment.
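To make the scoping of the export step concrete, here is an added Python example (not code from the patent or from any cloud provider): metrics collected in the first cloud are released to a second-cloud account only when a link record ties that account to a first-cloud tenancy, and only for the resources that link exposes, with first-cloud identifiers translated to second-cloud identifiers before transmission. The `CloudLink` and `Metric` types and every identifier are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CloudLink:
    """Hypothetical link record, modelled loosely on the page's cloud-link
    resource object: which second-cloud account is linked to which first-cloud
    tenancy, and which first-cloud resources that link exposes
    (first-cloud id -> id the customer sees in the second cloud)."""
    second_cloud_account: str
    first_cloud_tenancy: str
    resource_map: Dict[str, str]


@dataclass(frozen=True)
class Metric:
    """One observability sample as collected in the first cloud."""
    tenancy: str
    resource: str
    name: str
    value: float
    timestamp: int


# Constructed sample data; every identifier below is made up.
LINKS = [
    CloudLink(
        second_cloud_account="azure-sub-1111",
        first_cloud_tenancy="oci-tenancy-aaa",
        resource_map={"oci-db-1": "/subscriptions/1111/resourceGroups/rg1/providers/example/db1"},
    ),
]

COLLECTED = [
    Metric("oci-tenancy-aaa", "oci-db-1", "CpuUtilization", 41.5, 1700000000),
    Metric("oci-tenancy-aaa", "oci-db-1", "StorageUsed", 120.0, 1700000000),
    Metric("oci-tenancy-bbb", "oci-db-7", "CpuUtilization", 93.0, 1700000000),  # another customer
    Metric("oci-tenancy-aaa", "oci-db-9", "CpuUtilization", 5.0, 1700000000),   # not exposed by the link
]


def find_link(account: str, links: List[CloudLink]) -> Optional[CloudLink]:
    """Return the link for a second-cloud account, or None if no link exists."""
    for link in links:
        if link.second_cloud_account == account:
            return link
    return None


def export_for_account(account: str, links: List[CloudLink], metrics: List[Metric]) -> List[dict]:
    """Build the payload to transmit to the second cloud for one account.

    Rules enforced here: no link means nothing is exported; only metrics from
    the linked tenancy pass; only resources named in the link pass; and the
    payload carries the second-cloud identifier so the customer's console can
    attach the metric to the resource it already shows.
    """
    link = find_link(account, links)
    if link is None:
        raise LookupError(f"no cloud link for {account}")
    payload = []
    for m in metrics:
        if m.tenancy != link.first_cloud_tenancy:
            continue  # belongs to a different customer of the first cloud
        target = link.resource_map.get(m.resource)
        if target is None:
            continue  # resource not exposed through this link
        payload.append({"resource": target, "name": m.name, "value": m.value, "timestamp": m.timestamp})
    return payload
```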
One aspect of the present disclosure provides a computing device comprising one or more data processors and a non-transitory computer-readable storage medium containing instructions which, when executed on the one or more data processors, cause the computing device to perform part or all of one or more of the methods disclosed herein.
Another aspect of the present disclosure provides a computer program product tangibly embodied in a non-transitory machine-readable storage medium, comprising instructions configured to cause one or more data processors to perform part or all of one or more of the methods disclosed herein.
The foregoing and other features and embodiments will become more apparent upon reference to the following specification, claims and accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
The features, embodiments and advantages of the present disclosure may be better understood when the following detailed description is read with reference to the accompanying drawings.
FIG. 1 is a high-level diagram of a distributed environment showing a virtual or overlay cloud network hosted by a cloud service provider infrastructure, according to certain embodiments.
FIG. 2 depicts a simplified architectural diagram of the physical components in a physical network within a CSPI, according to certain embodiments.
FIG. 3 shows an example arrangement within a CSPI in which a host machine is connected to multiple network virtualization devices (NVDs), according to certain embodiments.
FIG. 4 depicts connectivity between a host machine and an NVD for providing I/O virtualization to support multitenancy, according to certain embodiments.
FIG. 5 depicts a simplified block diagram of a physical network provided by a CSPI, according to certain embodiments.
FIG. 6 depicts a simplified high-level diagram of a distributed environment comprising multiple cloud environments provided by different cloud service providers (CSPs), where the cloud environments include a particular cloud environment that provides specialized infrastructure enabling one or more of its cloud services to be used by customers of other cloud environments, according to certain embodiments.
FIG. 7 depicts an exemplary high-level architecture of a multi-cloud control plane (MCCP), according to some embodiments.
FIGS. 8A and 8B depict an exemplary process for linking two user accounts in different cloud environments, according to some embodiments.
FIG. 9 depicts an exemplary system diagram illustrating components of a multi-cloud control plane (MCCP), according to some embodiments.
FIG. 10A illustrates an exemplary relationship diagram of a link-resource object, according to certain embodiments.
FIG. 10B depicts a flowchart illustrating an example process for linking two user accounts in different cloud environments, according to certain embodiments.
FIG. 10C depicts a flowchart illustrating an example process for using a cloud-link resource object when deploying resources, according to certain embodiments.
FIG. 11 depicts an exemplary observability framework for exporting observability data, according to some embodiments.
FIG. 12 depicts a flowchart illustrating a process performed when exporting observability data, according to certain embodiments.
FIG. 13 depicts a swim-lane diagram illustrating an ongoing process for exporting observability data, according to some embodiments.
FIG. 14 depicts another exemplary observability framework, for exporting audit log information, according to some embodiments.
FIG. 15 depicts a swim-lane diagram illustrating an ongoing process for exporting audit log information, according to some embodiments.
FIGS. 16A-16L depict exemplary graphical user interfaces generated for a multi-cloud console, according to certain embodiments.
FIG. 17 depicts a flowchart illustrating a process performed when generating an example graphical user interface for a multi-cloud console, according to certain embodiments.
FIG. 18 is a block diagram illustrating one pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment.
FIG. 19 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment.
FIG. 20 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment.
FIG. 21 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment.
FIG. 22 is a block diagram illustrating an example computer system, according to at least one embodiment.
DETAILED DESCRIPTION
In the following description, for purposes of explanation, specific details are set forth in order to provide a thorough understanding of certain embodiments. It will be apparent, however, that various embodiments may be practiced without these specific details. The figures and description are not intended to be restrictive. The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs.
The present disclosure relates generally to improved cloud architectures, and more specifically to techniques for linking two clouds so that users of one cloud environment can use services provided by a different cloud environment. Various embodiments are described, including methods, systems, non-transitory computer-readable storage media storing programs, code or instructions executable by one or more processors, and the like. Some embodiments may be implemented by a computer program product comprising a computer program or instructions which, when executed by a processor, cause the processor to perform any of the methods described in this disclosure.
Embodiments of the present disclosure provide a multi-cloud control plane (MCCP) framework that can deliver the services of a particular cloud network (e.g., Oracle Cloud Infrastructure (OCI)) to users on other clouds (e.g., Microsoft Azure). The MCCP framework allows users of one or more other cloud environments to access the services of a cloud environment (e.g., PaaS services) while providing a user experience as close as possible to that of the user's native cloud environment(s). The key value proposition of MCCP is that customers can experience the full data plane capabilities of the services from within an external cloud.
MCCP enables users of a second cloud infrastructure (e.g., Azure users) to use resources (e.g., database resources) provided by a first cloud infrastructure (e.g., OCI) in a manner that is transparent to those users. Specifically, services provided by the first cloud infrastructure appear as "native" services in the second cloud infrastructure, which allows customers of the second cloud infrastructure to access them natively. As described below with reference to FIGS. 6-17, MCCP is a collection of microservices executing in the first cloud infrastructure that exposes the first cloud infrastructure's resources for use by external cloud users (e.g., users of the second cloud infrastructure). Each of these microservices acts as a proxy that provides communication with the resources provided by the first cloud infrastructure.
Cloud Network Example
The term cloud service is generally used to refer to a service made available on demand (e.g., via a subscription model) to users or customers by a cloud service provider (CSP) using systems and infrastructure (cloud infrastructure) provided by the CSP. Typically, the servers and systems that make up the CSP's infrastructure are separate from the customer's own on-premises servers and systems. Customers can therefore use cloud services provided by a CSP without purchasing separate hardware and software resources for those services. Cloud services are designed to give subscribing customers simple, scalable access to applications and computing resources without requiring them to invest in the infrastructure used to provide the services.
Several cloud service providers offer various types of cloud services. There are different types or models of cloud service, including software-as-a-service (SaaS), platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS) and others.
A customer can subscribe to one or more cloud services provided by a CSP. The customer can be any entity, such as an individual, organization or enterprise. When a customer subscribes to or registers for a service provided by a CSP, a tenancy or account is created for that customer. The customer can then access, via this account, the subscribed-to cloud resources associated with the account.
As noted above, infrastructure-as-a-service (IaaS) is one particular type of cloud computing service. In the IaaS model, the CSP provides infrastructure (referred to as cloud service provider infrastructure, or CSPI) that customers can use to build their own customizable networks and deploy customer resources. The customer's resources and networks are thus hosted in a distributed environment by infrastructure provided by the CSP. This differs from traditional computing, in which the customer's resources and networks are hosted by infrastructure provided by the customer.
The CSPI may comprise interconnected high-performance computing resources, including various host machines, memory resources and network resources, that form a physical network, also referred to as the substrate network or underlay network. The resources in the CSPI may be spread across one or more data centers, which may be geographically distributed across one or more regions. Virtualization software may be executed by these physical resources to provide a virtualized distributed environment. Virtualization creates overlay networks (also referred to as software-based networks, software-defined networks or virtual networks) on top of the physical network. The CSPI physical network provides the underlying basis for creating one or more overlay or virtual networks on top of it. The physical network (or substrate network or underlay network) comprises physical network devices such as physical switches, routers, computers and host machines. An overlay network is a logical (or virtual) network that runs on top of the physical substrate network. A given physical network can support one or more overlay networks. Overlay networks typically use encapsulation techniques to distinguish traffic belonging to different overlay networks. A virtual or overlay network is also referred to as a virtual cloud network (VCN). Virtual networks are implemented using software virtualization technologies (e.g., hypervisors, virtualization functions implemented by network virtualization devices (NVDs) such as smartNICs, top-of-rack (TOR) switches, smart TORs that implement one or more of the functions performed by NVDs, and other mechanisms) to create a network abstraction layer that can run on top of the physical network. Virtual networks can take many forms, including peer-to-peer networks, IP networks and others. Virtual networks are typically Layer 3 IP networks or Layer 2 VLANs. This approach to virtual or overlay networking is often referred to as virtual or overlay Layer 3 networking. Examples of protocols developed for virtual networks include IP-in-IP (or Generic Routing Encapsulation (GRE)), Virtual Extensible LAN (VXLAN, IETF RFC 7348), virtual private networks (VPNs) (e.g., MPLS Layer 3 virtual private networks (RFC 4364)), VMware's NSX, GENEVE (Generic Network Virtualization Encapsulation), and others.
对于IaaS,由CSP提供的基础设施(CSPI)可以被配置为通过公共网络(例如,互联网)提供虚拟化计算资源。在IaaS模型中,云计算服务提供商可以托管基础设施组件(例如,服务器、存储设备、网络节点(例如,硬件)、部署软件、平台虚拟化(例如,管理程序层)等)。在一些情况下,IaaS提供商还可以供应各种服务来伴随那些基础设施组件(例如,计费、监视、日志记录、安全性、负载平衡和聚类等)。因此,由于这些服务可以是策略驱动的,因此IaaS用户可以能够实现策略来驱动负载平衡以维持应用可用性和性能。CSPI提供基础设施和一组互补云服务,其使得客户能够在高度可用的被托管的分布式环境中构建和运行广泛的应用和服务。CSPI在可从各种联网位置(诸如从客户的预置网络)安全访问的灵活的虚拟网络中提供高性能计算资源和能力以及存储容量。当客户订阅或注册由CSP提供的IaaS服务时,为该客户创建的租赁是CSPI内的安全且隔离的分区,客户可以在其中创建、组织和管理他们的云资源。For IaaS, the infrastructure (CSPI) provided by the CSP can be configured to provide virtualized computing resources over a public network (e.g., the Internet). In the IaaS model, cloud computing service providers can host infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., hypervisor layer), etc.). In some cases, IaaS providers can also supply various services to accompany those infrastructure components (e.g., billing, monitoring, logging, security, load balancing, and clustering, etc.). Therefore, since these services can be policy-driven, IaaS users can implement policies to drive load balancing to maintain application availability and performance. CSPI provides infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services in a highly available, hosted, distributed environment. CSPI provides high-performance computing resources and capabilities and storage capacity in a flexible virtual network that can be securely accessed from various networked locations (such as from a customer's pre-set network). When a customer subscribes to or signs up for an IaaS service provided by a CSP, the tenancy created for that customer is a secure and isolated partition within CSPI where the customer can create, organize, and manage their cloud resources.
客户可以使用由CSPI提供的计算、存储器和联网资源构建他们自己的虚拟网络。可以在这些虚拟网络上部署一个或多个客户资源或工作负载,诸如计算实例。例如,客户可以使用由CSPI提供的资源来构建一个或多个可定制且私有的虚拟网络,称为虚拟云网络(VCN)。客户可以在客户VCN上部署一个或多个客户资源,诸如计算实例。计算实例可以采用虚拟机、裸机实例等形式。因此,CSPI提供基础设施和一组互补云服务,其使得客户能够在高度可用的虚拟被托管环境中构建和运行广泛的应用和服务。客户不管理或控制由CSPI提供的底层物理资源,但具有对于操作系统、存储和已部署应用的控制;并且可能还有对所选择的联网组件(例如,防火墙)的有限控制。Customers can build their own virtual networks using the computing, storage, and networking resources provided by CSPI. One or more customer resources or workloads, such as computing instances, can be deployed on these virtual networks. For example, customers can use the resources provided by CSPI to build one or more customizable and private virtual networks, called virtual cloud networks (VCNs). Customers can deploy one or more customer resources, such as computing instances, on customer VCNs. Computing instances can take the form of virtual machines, bare metal instances, and the like. Therefore, CSPI provides infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services in a highly available virtual hosted environment. Customers do not manage or control the underlying physical resources provided by CSPI, but have control over operating systems, storage, and deployed applications; and may also have limited control over selected networking components (e.g., firewalls).
The CSP may provide a console that enables customers and network administrators to configure, access, and manage resources deployed in the cloud using CSPI resources. In certain embodiments, the console provides a web-based user interface that can be used to access and manage CSPI. In certain implementations, the console is a web-based application provided by the CSP.
CSPI may support single-tenancy or multi-tenancy architectures. In a single-tenancy architecture, a software component (e.g., an application, a database) or hardware component (e.g., a host machine or server) serves a single customer or tenant. In a multi-tenancy architecture, a software or hardware component serves multiple customers or tenants. Thus, in a multi-tenancy architecture, CSPI resources are shared among multiple customers or tenants. In the multi-tenancy case, precautions are taken and safeguards are implemented within CSPI to ensure that each tenant's data is isolated and remains invisible to other tenants.
In a physical network, a network endpoint ("endpoint") refers to a computing device or system that is connected to a physical network and communicates back and forth with the network to which it is connected. A network endpoint in a physical network may be connected to a local area network (LAN), a wide area network (WAN), or another type of physical network. Examples of traditional endpoints in a physical network include modems, hubs, bridges, switches, routers and other network devices, physical computers (or host machines), and the like. Each physical device in a physical network has a fixed network address that can be used to communicate with the device. This fixed network address can be a layer 2 address (e.g., a MAC address), a fixed layer 3 address (e.g., an IP address), and so on. In a virtualized environment or virtual network, endpoints can include various virtual endpoints, such as virtual machines hosted by components of the physical network (e.g., hosted by a physical host machine). These endpoints in a virtual network are addressed by overlay addresses, such as overlay layer 2 addresses (e.g., overlay MAC addresses) and overlay layer 3 addresses (e.g., overlay IP addresses). Network overlays provide flexibility by allowing network managers to move the overlay addresses associated with network endpoints around using software management (e.g., via software that implements a control plane for the virtual network). Thus, unlike in a physical network, in a virtual network an overlay address (e.g., an overlay IP address) can be moved from one endpoint to another using network management software. Because the virtual network is built on top of the physical network, communication between components in the virtual network involves both the virtual network and the underlying physical network. To facilitate such communication, components of CSPI are configured to learn and store mappings that map overlay addresses in the virtual network to actual physical addresses in the substrate network, and vice versa. These mappings are then used to facilitate communication. Customer traffic is encapsulated to facilitate routing in the virtual network.
Thus, physical addresses (e.g., physical IP addresses) are associated with components in the physical network, and overlay addresses (e.g., overlay IP addresses) are associated with entities in the virtual or overlay network. A physical IP address is an IP address associated with a physical device (e.g., a network device) in the substrate or physical network. For example, each NVD has an associated physical IP address. An overlay IP address is an overlay address associated with an entity in the overlay network, such as an overlay address associated with a compute instance in a customer's virtual cloud network (VCN). Two different customers or tenants, each with their own private VCN, can potentially use the same overlay IP address in their VCNs without any knowledge of each other. Both physical IP addresses and overlay IP addresses are types of real IP addresses. They are distinct from virtual IP addresses. A virtual IP address is typically a single IP address that represents or maps to multiple real IP addresses. A virtual IP address provides a one-to-many mapping between the virtual IP address and multiple real IP addresses. For example, a load balancer may use a VIP to map to or represent multiple servers, each with its own real IP address.
The cloud infrastructure or CSPI is physically hosted in one or more data centers in one or more regions around the world. The CSPI may include components in the physical or substrate network and virtualized components (e.g., virtual networks, compute instances, virtual machines, etc.) located in a virtual network built on top of the physical network components. In certain embodiments, the CSPI is organized and hosted in realms, regions, and availability domains. A region is typically a localized geographic area containing one or more data centers. Regions are generally independent of each other and can be far apart, for example, across countries or even continents. For example, a first region may be in Australia, another in Japan, another in India, and so on. CSPI resources are divided among regions so that each region has its own independent subset of CSPI resources. Each region may provide a set of core infrastructure services and resources, such as compute resources (e.g., bare metal servers, virtual machines, containers and related infrastructure, etc.); storage resources (e.g., block volume storage, file storage, object storage, archive storage); networking resources (e.g., virtual cloud networks (VCNs), load balancing resources, connections to on-premises networks); database resources; edge networking resources (e.g., DNS); and access management and monitoring resources, among others. Each region generally has multiple paths connecting it to the other regions in the realm.
Generally, an application is deployed in the region where it is most frequently used (i.e., on the infrastructure associated with that region), because using nearby resources is faster than using distant resources. Applications may also be deployed in different regions for various reasons, such as redundancy to mitigate the risk of region-wide events (such as large weather systems or earthquakes), or to meet the differing requirements of legal jurisdictions, tax domains, and other business or social criteria.
The data centers within a region may be further organized and subdivided into availability domains (ADs). An availability domain may correspond to one or more data centers located within a region. A region may consist of one or more availability domains. In this distributed environment, CSPI resources are either region-specific, such as a virtual cloud network (VCN), or availability-domain-specific, such as a compute instance.
ADs within a region are isolated from each other, fault-tolerant, and configured so that they are extremely unlikely to fail simultaneously. This is achieved by ADs not sharing critical infrastructure resources (such as networking, physical cables, cable paths, cable entry points, etc.), so that a failure at one AD within a region is unlikely to affect the availability of the other ADs in the same region. ADs within the same region may be connected to each other by a low-latency, high-bandwidth network, which makes it possible to provide high-availability connections to other networks (e.g., the Internet, a customer's on-premises network, etc.) and to build replicated systems across multiple ADs for both high availability and disaster recovery. Cloud services use multiple ADs to ensure high availability and guard against resource failures. As the infrastructure provided by the IaaS provider grows, more regions and ADs can be added, along with additional capacity. Traffic between availability domains is typically encrypted.
In certain embodiments, regions are grouped into realms. A realm is a logical collection of regions. Realms are isolated from each other and do not share any data. Regions in the same realm can communicate with each other, but regions in different realms cannot. A customer's tenancy or account with the CSP exists in a single realm and can be spread across one or more regions belonging to that realm. Typically, when a customer subscribes to an IaaS service, a tenancy or account is created for that customer in a customer-specified region within the realm (called the "home" region). The customer can extend the tenancy to one or more other regions within the realm. A customer cannot access regions that are not in the realm where the customer's tenancy resides.
An IaaS provider may offer multiple realms, each serving the needs of a specific set of customers or users. For example, a commercial realm may be provided for commercial customers. As another example, a realm may be provided for customers within a particular country. As yet another example, a government realm may be provided for a government, and so on. A government realm, for example, may serve the needs of a specific government and may have a higher level of security than the commercial realm. For example, Oracle Cloud Infrastructure (OCI) currently provides a realm for commercial regions and two realms for government cloud regions (e.g., FedRAMP-authorized and IL5-authorized).
In certain embodiments, an AD may be subdivided into one or more fault domains. A fault domain is a grouping of infrastructure resources within an AD to provide anti-affinity. Fault domains allow compute instances to be distributed so that the instances are not located on the same physical hardware within a single AD. This is known as anti-affinity. A fault domain refers to a set of hardware components (computers, switches, etc.) that share a single point of failure. The compute pool is logically divided into fault domains. Consequently, a hardware failure or compute hardware maintenance event that affects one fault domain does not affect instances in other fault domains. Depending on the embodiment, the number of fault domains per AD may vary. For example, in certain embodiments, each AD contains three fault domains. Fault domains act as logical data centers within an AD.
When a customer subscribes to an IaaS service, resources from CSPI are provisioned to the customer and associated with the customer's tenancy. The customer can use these provisioned resources to build private networks and deploy resources on those networks. A customer network hosted in the cloud by CSPI is called a virtual cloud network (VCN). A customer can set up one or more virtual cloud networks (VCNs) using the CSPI resources allocated to the customer. A VCN is a virtual or software-defined private network. The customer resources deployed in a customer's VCN may include compute instances (e.g., virtual machines, bare metal instances) and other resources. These compute instances may represent various customer workloads, such as applications, load balancers, databases, and the like. A compute instance deployed on a VCN can communicate with publicly accessible endpoints ("public endpoints") over a public network such as the Internet, with other instances in the same VCN or in other VCNs (e.g., the customer's other VCNs or VCNs not belonging to the customer), with the customer's on-premises data centers or networks, and with service endpoints and other types of endpoints.
The CSP may use CSPI to provide various services. In some cases, customers of CSPI may themselves act as service providers and provide services using CSPI resources. A service provider may expose a service endpoint characterized by identifying information (e.g., an IP address, a DNS name, and a port). A customer's resource (e.g., a compute instance) can consume a particular service by accessing the service endpoint exposed by the service for that particular service. These service endpoints are generally endpoints that are publicly accessible to users via a public communication network (such as the Internet) using a public IP address associated with the endpoint. Publicly accessible network endpoints are sometimes also referred to as public endpoints.
In certain embodiments, a service provider may expose a service via an endpoint for the service (sometimes referred to as a service endpoint). Customers of the service can then use this service endpoint to access the service. In certain implementations, the service endpoint provided for a service may be accessible to multiple customers that intend to consume the service. In other implementations, a dedicated service endpoint may be provided for a customer so that only that customer can access the service using the dedicated service endpoint.
In certain embodiments, when a VCN is created, it is associated with a private overlay Classless Inter-Domain Routing (CIDR) address space, which is a range of private overlay IP addresses (e.g., 10.0/16) assigned to the VCN. A VCN includes associated subnets, route tables, and gateways. A VCN resides within a single region but can span one or more or all of the availability domains of that region. A gateway is a virtual interface configured for the VCN that enables traffic to flow between the VCN and one or more endpoints outside the VCN. One or more different types of gateways may be configured for a VCN to enable communication to and from different types of endpoints.
A VCN can be subdivided into one or more sub-networks, such as one or more subnets. A subnet is thus a unit of configuration or a subdivision that can be created within a VCN. A VCN can have one or more subnets. Each subnet within a VCN is associated with a contiguous range of overlay IP addresses (e.g., 10.0.0.0/24 and 10.0.1.0/24) that do not overlap with the other subnets in that VCN and that represent a subset of the address space within the VCN's address space.
Each compute instance is associated with a virtual network interface card (VNIC), which enables the compute instance to participate in a subnet of the VCN. A VNIC is a logical representation of a physical network interface card (NIC). In general, a VNIC is the interface between an entity (e.g., a compute instance, a service) and a virtual network. A VNIC exists in a subnet, has one or more associated IP addresses, and has associated security rules or policies. A VNIC is equivalent to a layer 2 port on a switch. A VNIC is attached to a compute instance and to a subnet within the VCN. The VNIC associated with a compute instance enables the compute instance to be part of a subnet of the VCN and enables the compute instance to communicate (e.g., send and receive packets) with endpoints on the same subnet as the compute instance, with endpoints in different subnets in the VCN, or with endpoints outside the VCN. The VNIC associated with a compute instance therefore determines how the compute instance connects with endpoints inside and outside the VCN. When a compute instance is created and added to a subnet within a VCN, a VNIC is created for the compute instance and associated with it. For a subnet comprising a set of compute instances, the subnet contains the VNICs corresponding to that set of compute instances, each VNIC attached to a compute instance within the set.
Each compute instance is assigned a private overlay IP address via the VNIC associated with the compute instance. This private overlay network IP address is assigned to the VNIC associated with the compute instance when the compute instance is created and is used to route traffic to and from the compute instance. All VNICs in a given subnet use the same route table, security lists, and DHCP options. As described above, each subnet within a VCN is associated with a contiguous range of overlay IP addresses (e.g., 10.0.0.0/24 and 10.0.1.0/24) that do not overlap with the other subnets in that VCN and that represent a subset of the address space within the VCN's address space. For a VNIC on a particular subnet of a VCN, the private overlay IP address assigned to that VNIC is an address from the contiguous range of overlay IP addresses allocated to the subnet.
In certain embodiments, in addition to the private overlay IP address, a compute instance may optionally be assigned additional overlay IP addresses, such as, for example, one or more public IP addresses if it is in a public subnet. These multiple addresses are assigned either on the same VNIC or on multiple VNICs associated with the compute instance. Each instance, however, has a primary VNIC that is created during instance launch and is associated with the overlay private IP address assigned to the instance; this primary VNIC cannot be deleted. Additional VNICs, called secondary VNICs, can be added to an existing instance in the same availability domain as the primary VNIC. All the VNICs are in the same availability domain as the instance. A secondary VNIC can be in a subnet in the same VCN as the primary VNIC, or in a different subnet in either the same VCN or a different VCN.
If a compute instance is in a public subnet, it can optionally be assigned a public IP address. When a subnet is created, it can be designated as either a public subnet or a private subnet. A private subnet means that the resources (e.g., compute instances) in the subnet and their associated VNICs cannot have public overlay IP addresses. A public subnet means that the resources in the subnet and their associated VNICs can have public IP addresses. A customer can specify that a subnet exists in a single availability domain or across multiple availability domains in a region or realm.
As described above, a VCN can be subdivided into one or more subnets. In certain embodiments, a virtual router (VR) configured for the VCN (referred to as the VCN VR or simply the VR) enables communication between the subnets of the VCN. For a subnet within a VCN, the VR represents a logical gateway for that subnet that enables the subnet (i.e., the compute instances on that subnet) to communicate with endpoints on other subnets within the VCN and with other endpoints outside the VCN. The VCN VR is a logical entity configured to route traffic between the VNICs in the VCN and the virtual gateways ("gateways") associated with the VCN. Gateways are described further below with respect to FIG. 1. The VCN VR is a layer 3/IP layer concept. In one embodiment, there is one VCN VR per VCN, where the VCN VR potentially has an unlimited number of ports addressed by IP addresses, one port for each subnet of the VCN. In this manner, the VCN VR has a different IP address for each subnet in the VCN to which it is attached. The VR is also connected to the various gateways configured for the VCN. In certain embodiments, a particular overlay IP address from the overlay IP address range of a subnet is reserved for the port of the VCN VR for that subnet. For example, consider a VCN with two subnets whose associated address ranges are 10.0/16 and 10.1/16, respectively. For the first subnet in the VCN with address range 10.0/16, an address from this range is reserved for the port of the VCN VR for that subnet. In some cases, the first IP address in the range may be reserved for the VCN VR. For example, for the subnet with overlay IP address range 10.0/16, the IP address 10.0.0.1 may be reserved for the port of the VCN VR for that subnet. For the second subnet in the same VCN with address range 10.1/16, the VCN VR may have a port with IP address 10.1.0.1 for the second subnet. The VCN VR has a different IP address for each subnet in the VCN.
In some other embodiments, each subnet within a VCN may have its own associated VR that is addressable by the subnet using a reserved or default IP address associated with the VR. For example, the reserved or default IP address may be the first IP address in the range of IP addresses associated with that subnet. The VNICs in the subnet can use this default or reserved IP address to communicate (e.g., send and receive packets) with the VR associated with the subnet. In such embodiments, the VR is the ingress/egress point for the subnet. The VR associated with a subnet within the VCN can communicate with the other VRs associated with other subnets within the VCN. The VR can also communicate with the gateways associated with the VCN. The VR function of a subnet runs on, or is executed by, the one or more NVDs that execute the VNIC functions for the VNICs in the subnet.
Route tables, security rules, and DHCP options can be configured for a VCN. A route table is a virtual route table for the VCN and includes rules for routing traffic from subnets within the VCN to destinations outside the VCN via gateways or specially configured instances. The VCN's route table can be customized to control how packets are forwarded/routed to and from the VCN. DHCP options refer to configuration information that is automatically provided to an instance when it launches.
The security rules configured for a VCN represent the overlay firewall rules for the VCN. Security rules can include ingress and egress rules and specify the types of traffic (e.g., based on protocol and port) allowed in and out of the instances within the VCN. The customer can choose whether a given rule is stateful or stateless. For example, the customer can allow incoming SSH traffic from anywhere to a set of instances by setting up a stateful ingress rule with source CIDR 0.0.0.0/0 and destination TCP port 22. Security rules can be implemented using network security groups or security lists. A network security group consists of a set of security rules that apply only to the resources in that group. A security list, on the other hand, includes rules that apply to all the resources in any subnet that uses the security list. A VCN may be provided with a default security list with default security rules. The DHCP options configured for a VCN provide configuration information that is automatically provided to the instances in the VCN when they launch.
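The VCN, subnet, VCN VR port and security-list concepts from the preceding paragraphs, modelled as an added Python example (this is not code from the patent; the class names, the sample VCN 10.0.0.0/16 with subnets 10.0.0.0/24 and 10.0.1.0/24, and the 198.51.100.0/24 corporate range are constructed for illustration). It enforces the non-overlap and containment rules for subnets, reserves the first address of each subnet for the VR port, evaluates ingress packets against a security list, and flags rules whose source CIDR is 0.0.0.0/0 for review.

```python
"""Toy model of a VCN: a private overlay CIDR, non-overlapping subnets whose first
address is reserved for the VCN VR port, and a security list evaluated against
ingress packets. Added example; names and sample values are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPv4Network = ipaddress.IPv4Network


@dataclass
class Subnet:
    name: str
    cidr: IPv4Network

    @property
    def vr_port_ip(self) -> ipaddress.IPv4Address:
        # The text reserves the first IP of the subnet range for the VCN VR port
        # (10.0.0.1 for a 10.0.0.0/24 subnet).
        return self.cidr.network_address + 1


@dataclass
class SecurityRule:
    direction: str                  # "ingress" or "egress"
    protocol: str                   # "tcp", "udp", "icmp" or "all"
    cidr: IPv4Network               # source CIDR for ingress, destination for egress
    dst_port: Optional[int] = None  # None means any destination port
    stateful: bool = True           # stateful rules implicitly admit the reply traffic


@dataclass
class VCN:
    name: str
    cidr: IPv4Network
    subnets: List[Subnet] = field(default_factory=list)
    security_list: List[SecurityRule] = field(default_factory=list)

    def add_subnet(self, name: str, cidr: str) -> Subnet:
        """Create a subnet; its range must lie inside the VCN CIDR and must not
        overlap any existing subnet, as the text requires."""
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(self.cidr):
            raise ValueError(f"{net} is not inside VCN range {self.cidr}")
        for existing in self.subnets:
            if net.overlaps(existing.cidr):
                raise ValueError(f"{net} overlaps subnet {existing.name} ({existing.cidr})")
        subnet = Subnet(name, net)
        self.subnets.append(subnet)
        return subnet

    def subnet_for(self, ip: str) -> Optional[Subnet]:
        """Return the subnet whose overlay range contains ip, or None."""
        addr = ipaddress.ip_address(ip)
        return next((s for s in self.subnets if addr in s.cidr), None)

    def ingress_allowed(self, src_ip: str, protocol: str, dst_port: int) -> bool:
        """Security-list semantics: a packet is admitted if any ingress rule matches
        its source CIDR, protocol and destination port; otherwise it is dropped.
        The list applies to every subnet that uses it."""
        src = ipaddress.ip_address(src_ip)
        for rule in self.security_list:
            if rule.direction != "ingress":
                continue
            if rule.protocol not in ("all", protocol):
                continue
            if src not in rule.cidr:
                continue
            if rule.dst_port is not None and rule.dst_port != dst_port:
                continue
            return True
        return False  # no rule matched: default deny

    def internet_exposed_rules(self) -> List[SecurityRule]:
        """Defender's check: ingress rules with source 0.0.0.0/0 admit traffic from
        anywhere and deserve review (the SSH rule in the text is one such rule)."""
        return [r for r in self.security_list
                if r.direction == "ingress" and r.cidr.prefixlen == 0]


def build_example_vcn() -> VCN:
    """The VCN from the text: overlay range 10.0/16 with subnets 10.0.0.0/24 and
    10.0.1.0/24, plus the stateful SSH-from-anywhere ingress rule."""
    vcn = VCN("example-vcn", ipaddress.ip_network("10.0.0.0/16"))
    vcn.add_subnet("subnet-a", "10.0.0.0/24")
    vcn.add_subnet("subnet-b", "10.0.1.0/24")
    vcn.security_list.append(
        SecurityRule("ingress", "tcp", ipaddress.ip_network("0.0.0.0/0"), 22))
    # A narrower rule: HTTPS only from a constructed corporate range.
    vcn.security_list.append(
        SecurityRule("ingress", "tcp", ipaddress.ip_network("198.51.100.0/24"), 443))
    return vcn


if __name__ == "__main__":
    v = build_example_vcn()
    for s in v.subnets:
        print(f"{s.name}: {s.cidr}, VCN VR port at {s.vr_port_ip}")
    print("SSH from 203.0.113.5 allowed:", v.ingress_allowed("203.0.113.5", "tcp", 22))
    print("HTTPS from 203.0.113.5 allowed:", v.ingress_allowed("203.0.113.5", "tcp", 443))
    print("ingress rules open to the internet:", len(v.internet_exposed_rules()))
```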
In certain embodiments, the configuration information for a VCN is determined and stored by a VCN control plane. For example, the configuration information for a VCN may include information about the address range associated with the VCN, the subnets within the VCN and their associated information, the one or more VRs associated with the VCN, the compute instances in the VCN and their associated VNICs, the NVDs executing the various virtualized network functions associated with the VCN (e.g., VNICs, VRs, gateways), state information for the VCN, and other VCN-related information. In certain embodiments, a VCN distribution service publishes the configuration information stored by the VCN control plane, or portions of it, to the NVDs. The distributed information may be used to update the information (e.g., forwarding tables, routing tables, etc.) stored by the NVDs and used to forward packets to and from the compute instances in the VCN.
In certain embodiments, the creation of VCNs and subnets is handled by a VCN control plane (CP), and the launching of compute instances is handled by a compute control plane. The compute control plane is responsible for allocating physical resources to a compute instance and then calls the VCN control plane to create a VNIC and attach it to the compute instance. The VCN CP also sends VCN data mappings to the VCN data plane, which is configured to perform packet forwarding and routing functions. In certain embodiments, the VCN CP provides a distribution service responsible for delivering updates to the VCN data plane. Examples of VCN control planes are also depicted in FIGS. 6, 7, 8, and 9 (see reference numerals 616, 716, 816, and 916) and are described below.
A customer can create one or more VCNs using resources hosted by CSPI. A compute instance deployed on a customer VCN can communicate with different endpoints. These endpoints can include endpoints hosted by CSPI and endpoints external to CSPI.
Various different architectures for implementing cloud-based services using CSPI are depicted in FIGS. 1, 2, 3, 4, 5, and 18-22 and are described below. FIG. 1 is a high-level diagram of a distributed environment 100 showing an overlay or customer VCN hosted by CSPI according to certain embodiments. The distributed environment depicted in FIG. 1 includes multiple components in the overlay network. The distributed environment 100 depicted in FIG. 1 is merely an example and is not intended to unduly limit the scope of the claimed embodiments. Many variations, alternatives, and modifications are possible. For example, in some implementations, the distributed environment depicted in FIG. 1 may have more or fewer systems or components than those shown in FIG. 1, may combine two or more systems, or may have a different configuration or arrangement of systems.
As shown in the example depicted in FIG. 1, distributed environment 100 includes CSPI 101, which provides services and resources that customers can subscribe to and use to build their virtual cloud networks (VCNs). In certain embodiments, CSPI 101 provides IaaS services to subscribing customers. The data centers within CSPI 101 may be organized into one or more regions. One example region, "Region US" 102, is shown in FIG. 1. A customer has configured a customer VCN 104 for region 102. The customer can deploy various compute instances on VCN 104, where the compute instances can include virtual machines or bare metal instances. Examples of instances include applications, databases, load balancers, and the like.
In the embodiment depicted in FIG. 1, customer VCN 104 includes two subnets, "Subnet-1" and "Subnet-2", each with its own CIDR IP address range. In FIG. 1, the overlay IP address range for Subnet-1 is 10.0/16 and the address range for Subnet-2 is 10.1/16. A VCN virtual router 105 represents a logical gateway for the VCN that enables communication between the subnets of VCN 104 and with other endpoints outside the VCN. VCN VR 105 is configured to route traffic between the VNICs in VCN 104 and the gateways associated with VCN 104. VCN VR 105 provides a port for each subnet of VCN 104. For example, VR 105 may provide a port with IP address 10.0.0.1 for Subnet-1 and a port with IP address 10.1.0.1 for Subnet-2.
Multiple compute instances may be deployed on each subnet, where the compute instances can be virtual machine instances and/or bare metal instances. The compute instances in a subnet may be hosted by one or more host machines within CSPI 101. A compute instance participates in a subnet via a VNIC associated with the compute instance. For example, as shown in FIG. 1, compute instance C1 is part of Subnet-1 via a VNIC associated with the compute instance. Likewise, compute instance C2 is part of Subnet-1 via a VNIC associated with C2. In a similar manner, multiple compute instances, which may be virtual machine instances or bare metal instances, may be part of Subnet-1. Via its associated VNIC, each compute instance is assigned a private overlay IP address and a MAC address. For example, in FIG. 1, compute instance C1 has an overlay IP address of 10.0.0.2 and a MAC address of M1, while compute instance C2 has a private overlay IP address of 10.0.0.3 and a MAC address of M2. Each compute instance in Subnet-1, including compute instances C1 and C2, has a default route to VCN VR 105 using IP address 10.0.0.1, which is the IP address of the port of VCN VR 105 for Subnet-1.
Multiple compute instances, including virtual machine instances and/or bare metal instances, may be deployed on Subnet-2. For example, as shown in FIG. 1, compute instances D1 and D2 are part of Subnet-2 via the VNICs associated with the respective compute instances. In the embodiment shown in FIG. 1, compute instance D1 has an overlay IP address of 10.1.0.2 and a MAC address of MM1, while compute instance D2 has a private overlay IP address of 10.1.0.3 and a MAC address of MM2. Each compute instance in Subnet-2, including compute instances D1 and D2, has a default route to VCN VR 105 using IP address 10.1.0.1, which is the IP address of the port of VCN VR 105 for Subnet-2.
VCN A 104 may also include one or more load balancers. For example, a load balancer may be provided for a subnet and configured to load balance traffic across multiple compute instances on the subnet. A load balancer may also be provided to load balance traffic across subnets in the VCN.
A particular compute instance deployed on VCN 104 can communicate with a variety of different endpoints. These endpoints can include endpoints hosted by CSPI 200 and endpoints external to CSPI 200. Endpoints hosted by CSPI 101 can include: endpoints on the same subnet as the particular compute instance (e.g., communication between two compute instances in Subnet-1); endpoints on a different subnet but within the same VCN (e.g., communication between a compute instance in Subnet-1 and a compute instance in Subnet-2); endpoints in a different VCN in the same region (e.g., communication between a compute instance in Subnet-1 and an endpoint in a VCN in the same region 106 or 110, or communication between a compute instance in Subnet-1 and an endpoint in service network 110 in the same region); or endpoints in a VCN in a different region (e.g., communication between a compute instance in Subnet-1 and an endpoint in a VCN in a different region 108). A compute instance in a subnet hosted by CSPI 101 can also communicate with endpoints that are not hosted by CSPI 101 (i.e., are external to CSPI 101). These external endpoints include endpoints in the customer's on-premises network 116, endpoints in other remote cloud-hosted networks 118, public endpoints 114 accessible via a public network such as the Internet, and other endpoints.
Communication between compute instances on the same subnet is facilitated using the VNICs associated with the source and destination compute instances. For example, compute instance C1 in Subnet-1 may want to send a packet to compute instance C2 in Subnet-1. For a packet originating from a source compute instance and destined for another compute instance in the same subnet, the packet is first processed by the VNIC associated with the source compute instance. The processing performed by the VNIC associated with the source compute instance may include determining the packet's destination information from the packet header, identifying any policies (e.g., security lists) configured for the VNIC associated with the source compute instance, determining the next hop for the packet, performing any packet encapsulation or decapsulation functions as needed, and then forwarding or routing the packet to the next hop with the goal of facilitating communication of the packet to its intended destination. When the destination compute instance is in the same subnet as the source compute instance, the VNIC associated with the source compute instance is configured to identify the VNIC associated with the destination compute instance and forward the packet to that VNIC for processing. The VNIC associated with the destination compute instance is then executed and forwards the packet to the destination compute instance.
For a packet to be communicated from a compute instance in a subnet to an endpoint in a different subnet in the same VCN, the communication is facilitated by the VNICs associated with the source and destination compute instances and the VCN VR. For example, if compute instance C1 in Subnet-1 in FIG. 1 wants to send a packet to compute instance D1 in Subnet-2, the packet is first processed by the VNIC associated with compute instance C1. The VNIC associated with compute instance C1 is configured to route the packet to VCN VR 105 using the default route, or port 10.0.0.1 of the VCN VR. VCN VR 105 is configured to route the packet to Subnet-2 using port 10.1.0.1. The VNIC associated with D1 then receives and processes the packet, and that VNIC forwards the packet to compute instance D1.
For a packet to be communicated from a compute instance in VCN 104 to an endpoint outside VCN 104, the communication is facilitated by the VNIC associated with the source compute instance, VCN VR 105, and a gateway associated with VCN 104. One or more types of gateways may be associated with VCN 104. A gateway is an interface between a VCN and another endpoint, where the other endpoint is outside the VCN. A gateway is a Layer 3/IP layer concept and enables a VCN to communicate with endpoints outside the VCN. A gateway thus facilitates traffic flow between a VCN and other VCNs or networks. Various different types of gateways may be configured for a VCN to facilitate different types of communication with different types of endpoints. Depending on the gateway, the communication may be over a public network (e.g., the Internet) or over a private network. Various communication protocols may be used for these communications.
For example, compute instance C1 may want to communicate with an endpoint outside VCN 104. The packet may first be processed by the VNIC associated with source compute instance C1. The VNIC processing determines that the packet's destination is outside C1's Subnet-1. The VNIC associated with C1 may forward the packet to VCN VR 105 for VCN 104. VCN VR 105 then processes the packet and, as part of that processing, determines, based on the packet's destination, a particular gateway associated with VCN 104 as the next hop for the packet. VCN VR 105 may then forward the packet to the identified gateway. For example, if the destination is an endpoint within the customer's on-premises network, the packet may be forwarded by VCN VR 105 to the dynamic routing gateway (DRG) 122 configured for VCN 104. The packet may then be forwarded from the gateway to a next hop to facilitate delivery of the packet to its final intended destination.
A variety of different types of gateways may be configured for a VCN. Examples of gateways that may be configured for a VCN are depicted in FIG. 1 and described below. Examples of gateways associated with a VCN are also depicted in FIGS. 18, 19, 20 and 21 (e.g., the gateways referenced by reference numerals 1834, 1836, 1838, 1934, 1936, 1938, 2034, 2036, 2038, 2134, 2136 and 2138) and described below. As shown in the embodiment depicted in FIG. 1, a dynamic routing gateway (DRG) 122 may be added to or associated with customer VCN 104 and provides a path for private network traffic communication between customer VCN 104 and another endpoint, where the other endpoint may be the customer's on-premises network 116, a VCN 108 in a different region of CSPI 101, or another remote cloud network 118 not hosted by CSPI 101. Customer on-premises network 116 may be a customer network or a customer data center built using the customer's resources. Access to customer on-premises network 116 is generally very restricted. For a customer that has both a customer on-premises network 116 and one or more VCNs 104 deployed or hosted in the cloud by CSPI 101, the customer may want their on-premises network 116 and their cloud-based VCN 104 to be able to communicate with each other. This enables the customer to build an extended hybrid environment encompassing the customer's VCN 104 hosted by CSPI 101 and their on-premises network 116. DRG 122 enables this communication. To enable such communication, a communication channel 124 is set up, where one endpoint of the channel is in customer on-premises network 116 and the other endpoint is in CSPI 101 and connected to customer VCN 104. Communication channel 124 may be over a public communication network (such as the Internet) or over a private communication network. Various different communication protocols may be used, such as IPsec VPN technology over a public communication network (such as the Internet), Oracle's FastConnect technology, which uses a private network rather than a public network, and the like. The device or equipment in customer on-premises network 116 that forms one endpoint of communication channel 124 is referred to as customer premises equipment (CPE), such as CPE 126 depicted in FIG. 1. On the CSPI 101 side, the endpoint may be a host machine executing DRG 122.
In certain embodiments, a remote peering connection (RPC) can be added to a DRG, which allows a customer to peer one VCN with another VCN in a different region. Using such an RPC, customer VCN 104 can connect with VCN 108 in another region using DRG 122. DRG 122 can also be used to communicate with other remote cloud networks 118 not hosted by CSPI 101, such as a Microsoft Azure cloud, an Amazon AWS cloud, and the like.
As shown in FIG. 1, an Internet gateway (IGW) 120 may be configured for customer VCN 104 that enables compute instances on VCN 104 to communicate with public endpoints 114 accessible over a public network such as the Internet. IGW 120 is a gateway that connects a VCN to a public network such as the Internet. IGW 120 enables a public subnet within a VCN such as VCN 104 (where the resources in the public subnet have public overlay IP addresses) to directly access public endpoints 112 on a public network 114 such as the Internet. Using IGW 120, connections can be initiated from a subnet within VCN 104 or from the Internet.
A network address translation (NAT) gateway 128 can be configured for the customer's VCN 104 and enables cloud resources in the customer's VCN that do not have dedicated public overlay IP addresses to access the Internet, and it does so without exposing those resources to direct incoming Internet connections (e.g., L4-L7 connections). This enables a private subnet within a VCN, such as private Subnet-1 in VCN 104, to privately access public endpoints on the Internet. With a NAT gateway, connections can only be initiated from the private subnet to the public Internet and not from the Internet to the private subnet.
In certain embodiments, a service gateway (SGW) 126 can be configured for customer VCN 104 and provides a path for private network traffic between VCN 104 and supported service endpoints in a service network 110. In certain embodiments, service network 110 may be provided by the CSP and may provide various services. An example of such a service network is Oracle's Services Network, which provides various services that customers can use. For example, a compute instance (e.g., a database system) in a private subnet of customer VCN 104 can back up data to a service endpoint (e.g., Object Storage) without needing a public IP address or access to the Internet. In certain embodiments, a VCN can have only one SGW, and connections can only be initiated from a subnet within the VCN and not from service network 110. If a VCN is peered with another VCN, resources in the other VCN typically cannot access the SGW. Resources in an on-premises network connected to a VCN with FastConnect or VPN Connect can also use the service gateway configured for that VCN.
In certain implementations, SGW 126 uses the concept of a service Classless Inter-Domain Routing (CIDR) label, which is a string that represents all the regional public IP address ranges for the service or group of services of interest. Customers use the service CIDR label when they configure the SGW and the related route rules to control traffic to the service. Customers can optionally use it when configuring security rules, without having to adjust the security rules if the service's public IP addresses change in the future.
A local peering gateway (LPG) 132 is a gateway that can be added to customer VCN 104 and enables VCN 104 to peer with another VCN in the same region. Peering means that the VCNs communicate using private IP addresses, without the traffic traversing a public network such as the Internet and without routing the traffic through the customer's on-premises network 116. In preferred embodiments, a VCN has a separate LPG for each peering it establishes. Local peering, or VCN peering, is a common practice used to establish network connectivity between different applications or infrastructure management functions.
Service providers, such as the providers of services in service network 110, may provide access to their services using different access models. Under a public access model, a service may be exposed as a public endpoint that is publicly accessible by compute instances in a customer VCN via a public network such as the Internet, and/or may be privately accessible via SGW 126. Under a particular private access model, a service is made accessible as a private IP endpoint in a private subnet in the customer's VCN. This is referred to as private endpoint (PE) access and enables a service provider to expose its service as an instance in the customer's private network. A private endpoint resource represents a service within the customer's VCN. Each PE manifests as a VNIC (referred to as a PE-VNIC, with one or more private IPs) in a subnet chosen by the customer in the customer's VCN. A PE thus provides a way to present a service within a private customer VCN subnet using a VNIC. Since the endpoint is exposed as a VNIC, all the features associated with a VNIC, such as route rules, security lists and the like, are now available for the PE VNIC.
A service provider can register its service to enable access through a PE. The provider can associate policies with the service that restrict the service's visibility to customer tenancies. A provider can register multiple services under a single virtual IP address (VIP), especially for multi-tenant services. There may be multiple such private endpoints (in multiple VCNs) that represent the same service.
Compute instances in the private subnet can then use the private IP address of the PE VNIC, or the service DNS name, to access the service. Compute instances in the customer VCN can access the service by sending traffic to the private IP address of the PE in the customer VCN. A private access gateway (PAGW) 130 is a gateway resource that can be attached to a service provider VCN (e.g., a VCN in service network 110) that acts as the ingress/egress point for all traffic from/to customer subnet private endpoints. PAGW 130 enables a provider to scale the number of PE connections without utilizing its internal IP address resources. A provider needs to configure only one PAGW for any number of services registered in a single VCN. Providers can represent a service as private endpoints in multiple VCNs of one or more customers. From the customer's perspective, the PE VNIC appears attached not to the customer's instance but to the service with which the customer wishes to interact. Traffic destined for the private endpoint is routed to the service via PAGW 130. These are referred to as customer-to-service private connections (C2S connections).
The PE concept can also be used to extend private access to services to the customer's on-premises networks and data centers, by allowing traffic to flow through FastConnect/IPsec links and the private endpoint in the customer's VCN. Private access to services can also be extended to the customer's peered VCNs by allowing traffic to flow between LPG 132 and the PE in the customer's VCN.
A customer can control routing in a VCN at the subnet level, so the customer can specify which subnets in the customer's VCN, such as VCN 104, use each gateway. A VCN's route tables are used to decide whether traffic is allowed to leave the VCN through a particular gateway. For example, in a particular instance, a route table for a public subnet within customer VCN 104 may send non-local traffic through IGW 120. A route table for a private subnet within the same customer VCN 104 may send traffic destined for CSP services through SGW 126. All remaining traffic may be sent via NAT gateway 128. Route tables only control traffic leaving the VCN.
Security lists associated with a VCN are used to control traffic that enters the VCN through a gateway via inbound connections. All resources in a subnet use the same route table and security lists. Security lists can be used to control the specific types of traffic allowed in and out of instances in the VCN's subnets. Security list rules can include ingress (inbound) and egress (outbound) rules. For example, an ingress rule can specify an allowed source address range, while an egress rule can specify an allowed destination address range. Security rules can specify a particular protocol (e.g., TCP, ICMP), a particular port (e.g., 22 for SSH, 3389 for Windows RDP), and so on. In certain implementations, an instance's operating system may enforce its own firewall rules that are aligned with the security list rules. Rules can be stateful (e.g., a connection is tracked and the response is automatically allowed without an explicit security list rule for the response traffic) or stateless.
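The forwarding and policy decisions described above (VNIC-to-VNIC delivery within a subnet, the VCN VR between subnets, a per-subnet route table selecting the egress gateway, and stateful security lists) combined in one added example that is not part of the patent: a Python model of VCN 104 from FIG. 1. The class and function names, the service CIDR label, the on-premises range 172.16.0.0/12, the external addresses and the rule sets are assumptions; the subnets, VR ports, instance addresses and gateway numerals are the ones in the text.

```python
"""Toy model of the VCN forwarding and policy decisions described above. Added
illustration, not the patent's code; names are assumptions, addresses follow FIG. 1."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# A service CIDR label stands for a service's regional public ranges (constructed).
SERVICE_CIDR_LABELS = {"all-region-services": ["203.0.113.0/24"]}


@dataclass(frozen=True)
class Rule:
    """Security-list rule; `cidr` is the remote side, `port` None means any port."""
    direction: str             # "ingress" or "egress"
    protocol: str              # "tcp", "udp", "icmp" or "all"
    cidr: str                  # source for ingress rules, destination for egress
    port: Optional[int] = None
    stateful: bool = True      # stateful rules admit the replies of flows they allow

    def matches(self, proto: str, remote: str, port: int) -> bool:
        return (self.protocol in ("all", proto) and self.port in (None, port)
                and ip_address(remote) in ip_network(self.cidr))


@dataclass
class Subnet:
    cidr: str
    vr_port: str                       # VCN VR port address for this subnet
    vnics: dict[str, tuple[str, str]]  # overlay IP -> (instance, MAC)
    routes: list[tuple[str, str]]      # (destination CIDR or label, gateway)
    security: list[Rule]               # the subnet's security list


@dataclass
class Vcn:
    subnets: list[Subnet]
    flows: set[tuple[str, str, str, int]] = field(default_factory=set)  # tracked flows

    def subnet_of(self, ip: str) -> Optional[Subnet]:
        return next((s for s in self.subnets if ip_address(ip) in ip_network(s.cidr)), None)

    def allowed(self, s: Subnet, direction: str, proto: str, local: str, remote: str, port: int) -> bool:
        """Security-list check; a reply to a stateful-admitted egress flow needs no ingress rule."""
        if direction == "ingress" and (local, remote, proto, port) in self.flows:
            return True
        for r in s.security:
            if r.direction == direction and r.matches(proto, remote, port):
                if direction == "egress" and r.stateful:
                    self.flows.add((local, remote, proto, port))
                return True
        return False

    def pick_gateway(self, s: Subnet, dst: str) -> Optional[str]:
        """Longest-prefix match over the subnet's route table, labels expanded first."""
        best = None
        for entry, gw in s.routes:
            for net in map(ip_network, SERVICE_CIDR_LABELS.get(entry, [entry])):
                if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, gw)
        return best[1] if best else None

    def deliver(self, d: Subnet, src: str, dst: str, proto: str, port: int) -> list[str]:
        # Final hop: the destination VNIC applies its subnet's ingress rules.
        if dst not in d.vnics:
            return ["DROP: no VNIC for destination"]
        if not self.allowed(d, "ingress", proto, dst, src, port):
            return ["DROP: ingress security list"]
        return [f"VNIC({d.vnics[dst][0]})"]

    def route_packet(self, src: str, dst: str, proto: str = "tcp", port: int = 443) -> list[str]:
        """Hops for a packet an instance sends: VNIC to VNIC, via the VR, or out a gateway."""
        s = self.subnet_of(src)
        if s is None or src not in s.vnics:
            return ["DROP: source is not a VNIC in this VCN"]
        hops = [f"VNIC({s.vnics[src][0]})"]
        if not self.allowed(s, "egress", proto, src, dst, port):
            return hops + ["DROP: egress security list"]
        d = self.subnet_of(dst)
        if d is None:                                   # leaves the VCN
            gw = self.pick_gateway(s, dst)
            return hops + [f"VR({s.vr_port})", gw or "DROP: no route"]
        if d is not s:                                  # other subnet, same VCN
            hops += [f"VR({s.vr_port})", f"VR({d.vr_port})"]
        return hops + self.deliver(d, src, dst, proto, port)

    def inbound_packet(self, src: str, dst: str, gateway: str, proto: str = "tcp", port: int = 22) -> list[str]:
        """Hops for a packet entering from outside the VCN through a gateway."""
        d = self.subnet_of(dst)
        if d is None:
            return [gateway, "DROP: destination not in VCN"]
        return [gateway, f"VR({d.vr_port})"] + self.deliver(d, src, dst, proto, port)


def build_fig1_vcn() -> Vcn:
    """VCN 104 of FIG. 1 with constructed route tables and security lists: Subnet-1 is
    public (IGW), Subnet-2 private (SGW for services, NAT otherwise), DRG for on-premises."""
    vcn_cidr = "10.0.0.0/15"                    # spans 10.0/16 and 10.1/16
    common = [Rule("egress", "all", vcn_cidr), Rule("ingress", "all", vcn_cidr),
              Rule("egress", "tcp", "0.0.0.0/0", 443)]
    return Vcn([
        Subnet("10.0.0.0/16", "10.0.0.1",
               vnics={"10.0.0.2": ("C1", "M1"), "10.0.0.3": ("C2", "M2")},
               routes=[("0.0.0.0/0", "IGW 120"), ("172.16.0.0/12", "DRG 122")],
               security=common + [Rule("ingress", "tcp", "192.0.2.0/24", 22)]),
        Subnet("10.1.0.0/16", "10.1.0.1",
               vnics={"10.1.0.2": ("D1", "MM1"), "10.1.0.3": ("D2", "MM2")},
               routes=[("all-region-services", "SGW 126"), ("0.0.0.0/0", "NAT 128"),
                       ("172.16.0.0/12", "DRG 122")],
               security=common),
    ])
```

Running `build_fig1_vcn().route_packet("10.0.0.2", "10.1.0.2")` yields the C1 to D1 path through VR ports 10.0.0.1 and 10.1.0.1, while a packet from D1 to the service range is steered to SGW 126 by the label rather than to NAT 128, and a reply from the Internet reaches C1 only after C1 has opened the flow.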
Access from a customer VCN (i.e., by a resource or compute instance deployed on VCN 104) can be categorized as public access, private access or dedicated access. Public access refers to an access model in which a public IP address or NAT is used to access a public endpoint. Private access enables customer workloads in VCN 104 that have private IP addresses (e.g., resources in a private subnet) to access services without traversing a public network such as the Internet. In certain embodiments, CSPI 101 enables customer VCN workloads with private IP addresses to access the (public service endpoints of) services using a service gateway. A service gateway thus provides a private access model by establishing a virtual link between the customer's VCN and the public endpoint of a service that resides outside the customer's private network.
Additionally, CSPI may offer dedicated public access using technologies such as FastConnect public peering, where a customer on-premises instance can use a FastConnect connection to access one or more services in a customer VCN without traversing a public network such as the Internet. CSPI may also offer dedicated private access using FastConnect private peering, where a customer on-premises instance with a private IP address can use a FastConnect connection to access the customer's VCN workloads. FastConnect is a network connectivity alternative to using the public Internet to connect a customer's on-premises network to CSPI and its services. Compared to Internet-based connections, FastConnect provides an easy, elastic and economical way to create a dedicated and private connection with higher bandwidth options and a more reliable and consistent networking experience.
FIG. 1 and the accompanying description above describe various virtualized components in an example virtual network. As described above, the virtual network is built on an underlying physical or substrate network. FIG. 2 depicts a simplified architectural diagram of the physical components in the physical network within CSPI 200 that provide the underlay for the virtual network, according to certain embodiments. As shown, CSPI 200 provides a distributed environment comprising components and resources (e.g., compute, memory and networking resources) provided by a cloud service provider (CSP). These components and resources are used to provide cloud services (e.g., IaaS services) to subscribing customers, i.e., customers that have subscribed to one or more services provided by the CSP. Based on the services subscribed to by a customer, a subset of the resources of CSPI 200 (e.g., compute, memory and networking resources) is provisioned for the customer. Customers can then build their own cloud-based (i.e., CSPI-hosted) customizable and private virtual networks using the physical compute, memory and networking resources provided by CSPI 200. As indicated above, these customer networks are referred to as virtual cloud networks (VCNs). A customer can deploy one or more customer resources, such as compute instances, on these customer VCNs. Compute instances may take the form of virtual machines, bare metal instances, and the like. CSPI 200 provides infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services in a highly available hosted environment.
In the example embodiment depicted in FIG. 2, the physical components of CSPI 200 include one or more physical host machines or physical servers (e.g., 202, 206, 208), network virtualization devices (NVDs) (e.g., 210, 212), top-of-rack (TOR) switches (e.g., 214, 216), and a physical network (e.g., 218) together with the switches in physical network 218. The physical host machines or servers may host and execute various compute instances that participate in one or more subnets of a VCN. The compute instances may include virtual machine instances and bare metal instances. For example, the various compute instances depicted in FIG. 1 may be hosted by the physical host machines depicted in FIG. 2. The virtual machine compute instances in a VCN may be executed by one host machine or by multiple different host machines. The physical host machines may also host virtual host machines, container-based hosts or functions, and the like. The VNICs and VCN VR depicted in FIG. 1 may be executed by the NVDs depicted in FIG. 2. The gateways depicted in FIG. 1 may be executed by the host machines and/or by the NVDs depicted in FIG. 2.
A host machine or server may execute a hypervisor (also referred to as a virtual machine monitor or VMM) that creates and enables a virtualized environment on the host machine. Virtualization, or a virtualized environment, facilitates cloud-based computing. One or more compute instances may be created, executed, and managed on a host machine by the hypervisor on that host machine. The hypervisor on the host machine enables the physical computing resources of the host machine (e.g., compute, memory, and network resources) to be shared between the various compute instances executed by the host machine.
For example, as depicted in FIG. 2, host machines 202 and 208 execute hypervisors 260 and 266, respectively. These hypervisors may be implemented using software, firmware, or hardware, or a combination thereof. Typically, a hypervisor is a process or software layer that sits on top of the operating system (OS) of the host machine, and the OS in turn executes on the hardware processor of the host machine. The hypervisor provides a virtualized environment by enabling the physical computing resources of the host machine (e.g., processing resources such as processors/cores, memory resources, and network resources) to be shared between the various virtual machine compute instances executed by the host machine. For example, in FIG. 2, hypervisor 260 may sit on top of the OS of host machine 202 and enable the computing resources of host machine 202 (e.g., processing, memory, and network resources) to be shared between the compute instances (e.g., virtual machines) executed by host machine 202. A virtual machine may have its own operating system (referred to as a guest operating system), which may be the same as or different from the OS of the host machine. The operating system of a virtual machine executed by a host machine may be the same as or different from the operating system of another virtual machine executed by the same host machine. A hypervisor thus enables multiple operating systems to be executed simultaneously while sharing the same computing resources of the host machine. The host machines depicted in FIG. 2 may have the same or different types of hypervisors.
A compute instance may be a virtual machine instance or a bare metal instance. In FIG. 2, compute instance 268 on host machine 202 and compute instance 274 on host machine 208 are examples of virtual machine instances. Host machine 206 is an example of a bare metal instance provided to a customer.
In some cases, an entire host machine may be provisioned to a single customer, and all of the one or more compute instances (either virtual machines or bare metal instances) hosted by that host machine belong to the same customer. In other cases, a host machine may be shared between multiple customers (i.e., multiple tenants). In such a multi-tenancy scenario, a host machine may host virtual machine compute instances belonging to different customers. These compute instances may be members of different VCNs of different customers. In certain embodiments, a bare metal compute instance is hosted by a bare metal server without a hypervisor. When a bare metal compute instance is provisioned, a single customer or tenant retains control of the physical CPU, memory, and network interfaces of the host machine hosting the bare metal instance, and the host machine is not shared with other customers or tenants.
As previously described, each compute instance that is part of a VCN is associated with a VNIC that enables the compute instance to be a member of a subnet of the VCN. The VNIC associated with a compute instance facilitates the communication of packets or frames to and from the compute instance. A VNIC is associated with a compute instance when the compute instance is created. In certain embodiments, for a compute instance executed by a host machine, the VNIC associated with that compute instance is executed by an NVD connected to the host machine. For example, in FIG. 2, host machine 202 executes virtual machine compute instance 268 that is associated with VNIC 276, and VNIC 276 is executed by NVD 210 connected to host machine 202. As another example, bare metal instance 272 hosted by host machine 206 is associated with VNIC 280 that is executed by NVD 212 connected to host machine 206. As yet another example, VNIC 284 is associated with compute instance 274 executed by host machine 208, and VNIC 284 is executed by NVD 212 connected to host machine 208.
For a compute instance hosted by a host machine, the NVD connected to that host machine also executes the VCN VR corresponding to the VCN of which the compute instance is a member. For example, in the embodiment depicted in FIG. 2, NVD 210 executes VCN VR 277 corresponding to the VCN of which compute instance 268 is a member. NVD 212 may also execute one or more VCN VRs 283 corresponding to the VCNs of the compute instances hosted by host machines 206 and 208.
A host machine may include one or more network interface cards (NICs) that enable the host machine to connect to other devices. A NIC on a host machine may provide one or more ports (or interfaces) that enable the host machine to be communicatively connected to another device. For example, a host machine may be connected to an NVD using one or more ports (or interfaces) provided on the host machine and on the NVD. A host machine may also be connected to other devices, such as another host machine.
For example, in FIG. 2, host machine 202 is connected to NVD 210 using link 220, which extends between port 234 provided by NIC 232 of host machine 202 and port 236 of NVD 210. Host machine 206 is connected to NVD 212 using link 224, which extends between port 246 provided by NIC 244 of host machine 206 and port 248 of NVD 212. Host machine 208 is connected to NVD 212 using link 226, which extends between port 252 provided by NIC 250 of host machine 208 and port 254 of NVD 212.
The NVDs in turn are connected via communication links to top-of-rack (TOR) switches, which are connected to physical network 218 (also referred to as the switch fabric). In certain embodiments, the links between the host machines and the NVDs, and between the NVDs and the TOR switches, are Ethernet links. For example, in FIG. 2, NVDs 210 and 212 are connected to TOR switches 214 and 216 using links 228 and 230, respectively. In certain embodiments, links 220, 224, 226, 228, and 230 are Ethernet links. The collection of host machines and NVDs connected to a TOR is sometimes referred to as a rack.
Physical network 218 provides a communication fabric that enables the TOR switches to communicate with each other. Physical network 218 may be a multi-tier network. In certain implementations, physical network 218 is a multi-tier Clos network of switches, where TOR switches 214 and 216 represent the leaf-level nodes of the multi-tier, multi-node physical switching network 218. Different Clos network configurations are possible, including but not limited to 2-tier networks, 3-tier networks, 4-tier networks, 5-tier networks, and in general "n"-tier networks. An example of a Clos network is depicted in FIG. 5 and described below.
Various different connection configurations are possible between host machines and NVDs, such as a one-to-one configuration, a many-to-one configuration, a one-to-many configuration, and others. In a one-to-one configuration implementation, each host machine is connected to its own separate NVD. For example, in FIG. 2, host machine 202 is connected to NVD 210 via NIC 232 of host machine 202. In a many-to-one configuration, multiple host machines are connected to one NVD. For example, in FIG. 2, host machines 206 and 208 are connected to the same NVD 212 via NICs 244 and 250, respectively.
In a one-to-many configuration, one host machine is connected to multiple NVDs. FIG. 3 shows an example within CSPI 300 where a host machine is connected to multiple NVDs. As shown in FIG. 3, host machine 302 includes a network interface card (NIC) 304 that includes multiple ports 306 and 308. Host machine 300 is connected to a first NVD 310 via port 306 and link 320, and to a second NVD 312 via port 308 and link 322. Ports 306 and 308 may be Ethernet ports, and links 320 and 322 between host machine 302 and NVDs 310 and 312 may be Ethernet links. NVD 310 is in turn connected to a first TOR switch 314, and NVD 312 is connected to a second TOR switch 316. The links between NVDs 310, 312 and TOR switches 314, 316 may be Ethernet links. TOR switches 314 and 316 represent the Tier-0 switching devices in multi-tier physical network 318.
The arrangement depicted in FIG. 3 provides two separate physical network paths from physical switch network 318 to host machine 302: a first path through TOR switch 314 to NVD 310 and then to host machine 302, and a second path through TOR switch 316 to NVD 312 and then to host machine 302. The separate paths provide enhanced availability (referred to as high availability) of host machine 302. If there is a problem with one of the paths (e.g., a link in one of the paths goes down) or with one of the devices (e.g., a particular NVD is not functioning), the other path may be used for communications to and from host machine 302.
In the configuration depicted in FIG. 3, the host machine is connected to two different NVDs using two different ports provided by the host machine's NIC. In other embodiments, a host machine may include multiple NICs that enable the host machine to connect to multiple NVDs.
Referring back to FIG. 2, an NVD is a physical device or component that performs one or more network and/or storage virtualization functions. An NVD may be any device with one or more processing units (e.g., CPUs, network processing units (NPUs), FPGAs, packet processing pipelines, etc.), memory including a cache, and ports. The various virtualization functions may be performed by software/firmware executed by the one or more processing units of the NVD.
An NVD may be implemented in various different forms. For example, in certain embodiments, an NVD is implemented as an interface card referred to as a smartNIC or intelligent NIC with an onboard embedded processor. A smartNIC is a separate device from the NICs on the host machines. In FIG. 2, NVDs 210 and 212 may be implemented as smartNICs that are connected to host machine 202, and to host machines 206 and 208, respectively.
A smartNIC, however, is only one example of an NVD implementation. Various other implementations are possible. For example, in some other implementations, an NVD, or one or more functions performed by the NVD, may be incorporated into or performed by one or more host machines, one or more TOR switches, and other components of CSPI 200. For example, an NVD may be embodied in a host machine, where the functions performed by the NVD are performed by the host machine. As another example, an NVD may be part of a TOR switch, or a TOR switch may be configured to perform the functions performed by an NVD, which enables the TOR switch to perform the various complex packet transformations used for a public cloud. A TOR that performs the functions of an NVD is sometimes referred to as a smart TOR. In other implementations where virtual machine (VM) instances, rather than bare metal (BM) instances, are offered to customers, the functions performed by an NVD may be implemented inside the hypervisor of the host machine. In some other implementations, some of the functions of the NVD may be offloaded to a centralized service running on a fleet of host machines.
In certain embodiments, such as when implemented as a smartNIC as shown in FIG. 2, an NVD may include multiple physical ports that enable it to be connected to one or more host machines and to one or more TOR switches. A port on an NVD may be classified as a host-facing port (also referred to as a "south port") or as a network-facing or TOR-facing port (also referred to as a "north port"). A host-facing port of an NVD is a port that is used to connect the NVD to a host machine. Examples of host-facing ports in FIG. 2 include port 236 on NVD 210 and ports 248 and 254 on NVD 212. A network-facing port of an NVD is a port that is used to connect the NVD to a TOR switch. Examples of network-facing ports in FIG. 2 include port 256 on NVD 210 and port 258 on NVD 212. As shown in FIG. 2, NVD 210 is connected to TOR switch 214 using link 228 extending from port 256 of NVD 210 to TOR switch 214. Likewise, NVD 212 is connected to TOR switch 216 using link 230 extending from port 258 of NVD 212 to TOR switch 216.
An NVD receives packets and frames from a host machine (e.g., packets and frames generated by a compute instance hosted by the host machine) via a host-facing port and, after performing the necessary packet processing, may forward the packets and frames to a TOR switch via a network-facing port of the NVD. An NVD may receive packets and frames from a TOR switch via a network-facing port of the NVD and, after performing the necessary packet processing, may forward the packets and frames to a host machine via a host-facing port of the NVD.
In certain embodiments, there may be multiple ports and associated links between an NVD and a TOR switch. These ports and links may be aggregated to form a link aggregation group of multiple ports or links (referred to as a LAG). Link aggregation allows multiple physical links between two endpoints (e.g., between an NVD and a TOR switch) to be treated as a single logical link. All the physical links in a given LAG may operate in full-duplex mode at the same speed. LAGs help increase the bandwidth and reliability of the connection between the two endpoints. If one of the physical links in the LAG fails, traffic is dynamically and transparently reassigned to one of the other physical links in the LAG. The aggregated physical links deliver higher bandwidth than each individual link. The multiple ports associated with a LAG are treated as a single logical port. Traffic may be load-balanced across the multiple physical links of a LAG. One or more LAGs may be configured between two endpoints. The two endpoints may be an NVD and a TOR switch, a host machine and an NVD, and so on.
An NVD implements or performs network virtualization functions. These functions are performed by software/firmware executed by the NVD. Examples of network virtualization functions include, without limitation: packet encapsulation and decapsulation functions; functions for creating a VCN network; functions for implementing network policies, such as VCN security list (firewall) functionality; functions that facilitate the routing and forwarding of packets to and from compute instances in a VCN; and the like. In certain embodiments, upon receiving a packet, an NVD is configured to execute a packet processing pipeline for processing the packet and determining how the packet is to be forwarded or routed. As part of this packet processing pipeline, the NVD may execute one or more virtual functions associated with the overlay network, such as executing VNICs associated with compute instances in the VCN, executing a virtual router (VR) associated with the VCN, encapsulating and decapsulating packets to facilitate forwarding or routing in the virtual network, executing certain gateways (e.g., a local peering gateway), implementing security lists, network security groups, network address translation (NAT) functionality (e.g., translating public IPs to private IPs on a host-by-host basis), throttling functions, and other functions.
In certain embodiments, the packet processing data path in an NVD may comprise multiple packet pipelines, each composed of a series of packet transformation stages. In certain implementations, upon receiving a packet, the packet is parsed and classified to a single pipeline. The packet is then processed in a linear fashion, one stage after another, until the packet is either dropped or sent out over an interface of the NVD. These stages provide basic functional packet processing building blocks (e.g., validating headers, enforcing throttling, inserting new Layer 2 headers, enforcing an L4 firewall, VCN encapsulation/decapsulation, etc.) so that new pipelines can be constructed by composing existing stages, and new functionality can be added by creating new stages and inserting them into existing pipelines.
An NVD may perform both control plane and data plane functions corresponding to the control plane and data plane of a VCN. Examples of a VCN control plane are also depicted in FIGS. 18, 19, 20, and 21 (see reference numerals 1816, 1916, 2016, and 2116) and described below. Examples of a VCN data plane are depicted in FIGS. 18, 19, 20, and 21 (see reference numerals 1818, 1918, 2018, and 2118) and described below. The control plane functions include functions used to configure the network to control how data is to be forwarded (e.g., setting up routes and route tables, configuring VNICs, etc.). In certain embodiments, a VCN control plane is provided that centrally computes all overlay-to-substrate mappings and publishes them to the NVDs and to the virtual network edge devices (such as the various gateways, e.g., DRG, SGW, IGW, etc.). Firewall rules may also be published using the same mechanism. In certain embodiments, an NVD only obtains the mappings that are relevant to that NVD. The data plane functions include functions for actually routing/forwarding packets based on the configuration set up using the control plane. The VCN data plane is implemented by encapsulating the customer's network packets before they traverse the substrate network. The encapsulation/decapsulation functionality is implemented on the NVDs. In certain embodiments, an NVD is configured to intercept all network packets in and out of the host machines and perform the network virtualization functions.
As indicated above, an NVD executes various virtualization functions, including VNICs and VCN VRs. An NVD may execute the VNICs associated with the compute instances hosted by one or more host machines connected to the VNIC. For example, as depicted in FIG. 2, NVD 210 executes the functionality of VNIC 276 associated with compute instance 268 hosted by host machine 202 connected to NVD 210. As another example, NVD 212 executes VNIC 280 associated with bare metal compute instance 272 hosted by host machine 206, and executes VNIC 284 associated with compute instance 274 hosted by host machine 208. A host machine may host compute instances belonging to different VCNs (which belong to different customers), and the NVD connected to the host machine may execute the VNICs corresponding to those compute instances (i.e., perform the VNIC-related functionality).
An NVD also executes the VCN virtual routers corresponding to the VCNs of the compute instances. For example, in the embodiment depicted in FIG. 2, NVD 210 executes VCN VR 277 corresponding to the VCN to which compute instance 268 belongs. NVD 212 executes one or more VCN VRs 283 corresponding to the one or more VCNs to which the compute instances hosted by host machines 206 and 208 belong. In certain embodiments, the VCN VR corresponding to a VCN is executed by all of the NVDs connected to host machines that host at least one compute instance belonging to that VCN. If a host machine hosts compute instances belonging to different VCNs, the NVD connected to that host machine may execute the VCN VRs corresponding to those different VCNs.
In addition to VNICs and VCN VRs, an NVD may execute various software (e.g., daemons) and include one or more hardware components that facilitate the various network virtualization functions performed by the NVD. For simplicity, these various components are grouped together as the "packet processing components" shown in FIG. 2. For example, NVD 210 comprises packet processing components 286 and NVD 212 comprises packet processing components 288. For example, the packet processing components of an NVD may include a packet processor configured to interact with the ports and hardware interfaces of the NVD to monitor all packets received by and communicated using the NVD and to store network information. The network information may, for example, include network flow information identifying the different network flows handled by the NVD and per-flow information (e.g., per-flow statistics). In certain embodiments, the network flow information may be stored on a per-VNIC basis. The packet processor may perform packet-by-packet manipulations as well as implement stateful NAT and the L4 firewall (FW). As another example, the packet processing components may include a replication agent configured to replicate information stored by the NVD to one or more different replication target stores. As yet another example, the packet processing components may include a logging agent configured to perform the logging functions of the NVD. The packet processing components may also include software for monitoring the performance and health of the NVD, and possibly also for monitoring the state and health of other components connected to the NVD.
FIG. 1 shows the components of an example virtual or overlay network, including a VCN, subnets within the VCN, compute instances deployed on the subnets, VNICs associated with the compute instances, a VR for the VCN, and a set of gateways configured for the VCN. The overlay components depicted in FIG. 1 may be executed or hosted by one or more of the physical components depicted in FIG. 2. For example, the compute instances in a VCN may be executed or hosted by one or more of the host machines depicted in FIG. 2. For a compute instance hosted by a host machine, the VNIC associated with that compute instance is typically executed by the NVD connected to that host machine (i.e., the VNIC functionality is provided by the NVD connected to that host machine). The VCN VR function for a VCN is executed by all of the NVDs that are connected to host machines hosting or executing compute instances that are part of that VCN. The gateways associated with a VCN may be executed by one or more different types of NVDs. For example, certain gateways may be executed by smartNICs, while other gateways may be executed by one or more host machines or by other implementations of NVDs.
As described above, a compute instance in a customer VCN may communicate with various different endpoints, where the endpoint may be within the same subnet as the source compute instance, in a different subnet but within the same VCN as the source compute instance, or outside the VCN of the source compute instance. These communications are facilitated using the VNICs associated with the compute instances, the VCN VRs, and the gateways associated with the VCN.
For communications between two compute instances on the same subnet in a VCN, the communication is facilitated using the VNICs associated with the source and destination compute instances. The source and destination compute instances may be hosted by the same host machine or by different host machines. A packet originating from the source compute instance may be forwarded from the host machine hosting the source compute instance to the NVD connected to that host machine. On the NVD, the packet is processed using a packet processing pipeline, which may include execution of the VNIC associated with the source compute instance. Since the destination endpoint of the packet is within the same subnet, execution of the VNIC associated with the source compute instance results in the packet being forwarded to the NVD executing the VNIC associated with the destination compute instance, which then processes the packet and forwards it to the destination compute instance. The VNICs associated with the source and destination compute instances may be executed on the same NVD (e.g., when the source and destination compute instances are hosted by the same host machine) or on different NVDs (e.g., when the source and destination compute instances are hosted by different host machines connected to different NVDs). A VNIC may use the routing/forwarding tables stored by the NVD to determine the next hop for the packet.
For a packet to be communicated from a compute instance in a subnet to an endpoint in a different subnet in the same VCN, the packet originating from the source compute instance is communicated from the host machine hosting the source compute instance to the NVD connected to that host machine. On the NVD, the packet is processed using a packet processing pipeline, which may include execution of one or more VNICs and of the VR associated with the VCN. For example, as part of the packet processing pipeline, the NVD executes or invokes the functionality corresponding to the VNIC associated with the source compute instance (also referred to as executing the VNIC). The functionality performed by the VNIC may include looking at the VLAN tag on the packet. Since the packet's destination is outside the subnet, the VCN VR functionality is next invoked and executed by the NVD. The VCN VR then routes the packet to the NVD executing the VNIC associated with the destination compute instance. The VNIC associated with the destination compute instance then processes the packet and forwards it to the destination compute instance. The VNICs associated with the source and destination compute instances may be executed on the same NVD (e.g., when the source and destination compute instances are hosted by the same host machine) or on different NVDs (e.g., when the source and destination compute instances are hosted by different host machines connected to different NVDs).
If the destination of the packet is outside the VCN of the source compute instance, the packet originating from the source compute instance is transmitted from the host machine hosting the source compute instance to the NVD connected to that host machine. The NVD executes the VNIC associated with the source compute instance. Since the destination endpoint of the packet is outside the VCN, the packet is then processed by the VCN VR for that VCN. The NVD invokes the VCN VR functionality, which may cause the packet to be forwarded to the NVD that executes the appropriate gateway associated with the VCN. For example, if the destination is an endpoint within the customer's on-premise network, the packet can be forwarded by the VCN VR to the NVD that executes the DRG gateway configured for the VCN. The VCN VR can execute on the same NVD as the one executing the VNIC associated with the source compute instance, or on a different NVD. The gateway can be executed by an NVD, which can be a smartNIC, a host machine, or another NVD implementation. The packet is then processed by the gateway and forwarded to the next hop, which facilitates delivery of the packet to its intended destination endpoint. For example, in the embodiment depicted in FIG. 2, a packet originating from compute instance 268 may be transmitted from host machine 202 to NVD 210 via link 220 (using NIC 232). On NVD 210, VNIC 276 is invoked because it is the VNIC associated with source compute instance 268. VNIC 276 is configured to inspect the information encapsulated in the packet, determine a next hop for forwarding the packet so as to facilitate delivery of the packet to its intended destination endpoint, and then forward the packet to the determined next hop.
Compute instances deployed on a VCN can communicate with a variety of different endpoints. These endpoints can include endpoints hosted by CSPI 200 and endpoints external to CSPI 200. Endpoints hosted by CSPI 200 can include instances in the same VCN or in other VCNs, which can be the customer's VCNs or VCNs that do not belong to the customer. Communication between endpoints hosted by CSPI 200 can be performed over physical network 218. Compute instances can also communicate with endpoints that are not hosted by CSPI 200 or are external to CSPI 200. Examples of such endpoints include endpoints within a customer's on-premise network or data center, or public endpoints reachable via a public network (such as the Internet). Communication with endpoints external to CSPI 200 can be performed over a public network (e.g., the Internet) (not shown in FIG. 2) or a private network (not shown in FIG. 2) using various communication protocols.
The architecture of CSPI 200 depicted in FIG. 2 is merely an example and is not intended to be limiting. In alternative embodiments, variations, alternatives, and modifications are possible. For example, in some implementations, CSPI 200 may have more or fewer systems or components than those shown in FIG. 2, may combine two or more systems, or may have a different system configuration or arrangement. The systems, subsystems, and other components depicted in FIG. 2 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective systems, in hardware, or in a combination thereof. The software may be stored on a non-transitory storage medium (e.g., on a memory device).
FIG. 4 depicts connectivity between a host machine and an NVD for providing I/O virtualization to support multi-tenancy, in accordance with certain embodiments. As depicted in FIG. 4, a host machine 402 executes a hypervisor 404 that provides a virtualized environment. The host machine 402 executes two virtual machine instances, VM1 406 belonging to customer/tenant #1 and VM2 408 belonging to customer/tenant #2. The host machine 402 includes a physical NIC 410 connected to NVD 412 via a link 414. Each compute instance is attached to a VNIC executed by NVD 412. In the embodiment of FIG. 4, VM1 406 is attached to VNIC-VM1 420 and VM2 408 is attached to VNIC-VM2 422.
As shown in FIG. 4, NIC 410 includes two logical NICs, logical NIC A 416 and logical NIC B 418. Each virtual machine is attached to, and configured to work with, its own logical NIC. For example, VM1 406 is attached to logical NIC A 416 and VM2 408 is attached to logical NIC B 418. Although host machine 402 includes only one physical NIC 410 shared by multiple tenants, each tenant's virtual machines believe they have their own host machine and network card because of the logical NICs.
In some embodiments, each logical NIC is assigned its own VLAN ID. Thus, a particular VLAN ID is assigned to logical NIC A 416 for tenant #1, and a different VLAN ID is assigned to logical NIC B 418 for tenant #2. When a packet is transmitted from VM1 406, the tag assigned to tenant #1 is attached to the packet by the hypervisor, and the packet is then transmitted from host machine 402 to NVD 412 over link 414. In a similar manner, when a packet is transmitted from VM2 408, the tag assigned to tenant #2 is attached to the packet by the hypervisor, and the packet is then transmitted from host machine 402 to NVD 412 over link 414. Thus, a packet 424 transmitted from host machine 402 to NVD 412 carries an associated tag 426 that identifies the particular tenant and the associated VM. On the NVD, for a packet 424 received from host machine 402, the tag 426 associated with the packet is used to determine whether the packet is to be processed by VNIC-VM1 420 or by VNIC-VM2 422. The packet is then processed by the corresponding VNIC. The configuration depicted in FIG. 4 enables each tenant's compute instances to believe that they have their own host machine and NIC. The setup depicted in FIG. 4 provides I/O virtualization to support multi-tenancy.
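The tag-based VNIC selection of FIG. 4 and the three forwarding cases described above (same subnet, other subnet of the same VCN, outside the VCN) can be modelled together. The following is an added example, not code from the patent or from any CSP's NVD; the VNIC names, VLAN IDs, VCN names, addresses and gateway table are all constructed, and the source-address check applied by the VNIC is an assumption of the example.

```python
"""Constructed model of an NVD packet pipeline (added example, not the patent's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vnic:
    name: str
    tenant: str
    vcn: str
    subnet: str  # CIDR of the subnet this VNIC belongs to
    ip: str      # overlay address of the attached compute instance
    nvd: str     # NVD that executes this VNIC


@dataclass(frozen=True)
class Packet:
    vlan_tag: Optional[int]  # per-tenant tag attached by the hypervisor (tag 426 in FIG. 4)
    src_ip: str
    dst_ip: str


class Nvd:
    """One NVD: VLAN tag -> VNIC map for the attached host, plus VCN forwarding data."""

    def __init__(self, name: str, tag_to_vnic: Dict[int, Vnic], all_vnics: List[Vnic],
                 gateways: Dict[str, Tuple[str, str]]) -> None:
        self.name = name
        self.tag_to_vnic = tag_to_vnic  # VLAN ID -> VNIC of a VM on the attached host
        self.all_vnics = all_vnics      # VNICs known in the VCNs (routing/forwarding table)
        self.gateways = gateways        # vcn -> (gateway name, NVD executing that gateway)

    def select_vnic(self, pkt: Packet) -> Optional[Vnic]:
        """FIG. 4: the tag identifies tenant and VM, hence which VNIC processes the packet."""
        return self.tag_to_vnic.get(pkt.vlan_tag)

    def _find_vnic(self, vcn: str, dst) -> Optional[Vnic]:
        # Lookup is scoped to the VCN: another tenant's VCN may reuse the same addresses.
        for v in self.all_vnics:
            if v.vcn == vcn and ip_address(v.ip) == dst:
                return v
        return None

    def _in_vcn(self, vcn: str, dst) -> bool:
        return any(v.vcn == vcn and dst in ip_network(v.subnet) for v in self.all_vnics)

    def forward(self, pkt: Packet) -> dict:
        """Return the processing path and next hop the NVD chooses for pkt."""
        vnic = self.select_vnic(pkt)
        if vnic is None:
            # No tenant can be attributed to the packet, so no VNIC may process it.
            return {"action": "drop", "reason": "unknown or missing VLAN tag"}
        path = [vnic.name]
        if ip_address(pkt.src_ip) not in ip_network(vnic.subnet):
            # Assumed VNIC check: only forward traffic its own subnet could legitimately send.
            return {"action": "drop", "reason": "source not in VNIC subnet", "path": path}
        dst = ip_address(pkt.dst_ip)
        if dst in ip_network(vnic.subnet):
            # Case 1, same subnet: the VNIC alone picks the NVD running the destination VNIC.
            peer = self._find_vnic(vnic.vcn, dst)
            if peer is None:
                return {"action": "drop", "reason": "no VNIC for destination", "path": path}
            return {"action": "forward", "path": path, "next_hop": peer.nvd, "dest_vnic": peer.name}
        path.append(f"VR({vnic.vcn})")  # destination leaves the subnet: the VCN VR runs next
        if self._in_vcn(vnic.vcn, dst):
            # Case 2, other subnet of the same VCN: the VR routes to the destination VNIC's NVD.
            peer = self._find_vnic(vnic.vcn, dst)
            if peer is None:
                return {"action": "drop", "reason": "no VNIC for destination", "path": path}
            return {"action": "forward", "path": path, "next_hop": peer.nvd, "dest_vnic": peer.name}
        # Case 3, outside the VCN: the VR hands the packet to the gateway configured for the VCN.
        gw = self.gateways.get(vnic.vcn)
        if gw is None:
            return {"action": "drop", "reason": "no gateway for VCN", "path": path}
        path.append(gw[0])
        return {"action": "forward", "path": path, "next_hop": gw[1]}


def build_example_nvd() -> Nvd:
    """Constructed topology: one host with VMs of two tenants, plus peers on other hosts."""
    vm1 = Vnic("VNIC-VM1", "tenant1", "vcnA", "10.0.1.0/24", "10.0.1.10", "NVD-412")
    vm2 = Vnic("VNIC-VM2", "tenant2", "vcnB", "10.0.1.0/24", "10.0.1.20", "NVD-412")
    t1_same = Vnic("VNIC-T1-peer", "tenant1", "vcnA", "10.0.1.0/24", "10.0.1.11", "NVD-510")
    t1_other = Vnic("VNIC-T1-db", "tenant1", "vcnA", "10.0.2.0/24", "10.0.2.5", "NVD-520")
    return Nvd("NVD-412", {100: vm1, 200: vm2}, [vm1, vm2, t1_same, t1_other],
               {"vcnA": ("DRG", "NVD-900")})


if __name__ == "__main__":
    nvd = build_example_nvd()
    for pkt in (Packet(100, "10.0.1.10", "10.0.1.11"), Packet(100, "10.0.1.10", "10.0.2.5"),
                Packet(100, "10.0.1.10", "192.168.5.5"), Packet(200, "10.0.1.20", "10.0.1.11"),
                Packet(None, "10.0.1.10", "10.0.1.11")):
        print(pkt, "->", nvd.forward(pkt))
```

Note that tenant #2's VCN reuses the 10.0.1.0/24 addresses, so a packet tagged for VM2 and addressed to 10.0.1.11 is dropped rather than delivered to tenant #1's instance: the tag, not the overlay address, decides which VNIC and VCN the packet belongs to.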
FIG. 5 depicts a simplified block diagram of a physical network 500 according to certain embodiments. The embodiment depicted in FIG. 5 is structured as a Clos network. A Clos network is a specific type of network topology designed to provide connection redundancy while maintaining high bisection bandwidth and maximum resource utilization. A Clos network is a non-blocking, multi-stage or multi-tier switching network, in which the number of stages or tiers can be two, three, four, five, and so on. The embodiment depicted in FIG. 5 is a 3-tier network comprising tiers 1, 2, and 3. A TOR switch 504 represents a tier 0 switch in the Clos network. One or more NVDs are connected to a TOR switch. Tier 0 switches are also referred to as edge devices of the physical network. Tier 0 switches are connected to tier 1 switches, also referred to as leaf switches. In the embodiment depicted in FIG. 5, a set of "n" tier 0 TOR switches is connected to a set of "n" tier 1 switches and forms a pod. Each tier 0 switch in a pod is interconnected to all tier 1 switches in the pod, but there is no switch connectivity between pods. In some embodiments, two pods are referred to as a block. Each block is served by, or connected to, a set of "n" tier 2 switches (sometimes called spine switches). There can be several blocks in the physical network topology. The tier 2 switches are in turn connected to "n" tier 3 switches (sometimes called super spine switches). Communication of packets over physical network 500 is typically performed using one or more layer 3 communication protocols. Typically, all tiers of the physical network (except the TOR tier) are n-way redundant, thus allowing high availability. Policies can be specified for pods and blocks to control the visibility of switches to each other in the physical network, thereby enabling scaling of the physical network.
A Clos network is characterized by a fixed maximum number of hops from one tier 0 switch to another tier 0 switch (or from an NVD connected to a tier 0 switch to another NVD connected to a tier 0 switch). For example, in a 3-tier Clos network, a packet takes at most seven hops to get from one NVD to another NVD, where the source and destination NVDs are connected to the leaf tier of the Clos network. Similarly, in a 4-tier Clos network, a packet takes at most nine hops to get from one NVD to another NVD, where the source and destination NVDs are connected to the leaf tier of the Clos network. The Clos network architecture therefore maintains consistent latency throughout the network, which is important for communications within and between data centers. A Clos topology scales horizontally and is cost-effective. The bandwidth/throughput capacity of the network can easily be increased by adding more switches at the various tiers (e.g., more leaf switches and spine switches) and by increasing the number of links between switches in adjacent tiers.
In some embodiments, each resource within the CSPI is assigned a unique identifier, called a cloud identifier (CID). This identifier is included as part of the resource's information and can be used to manage the resource, for example via the console or through an API. An example syntax for a CID is:
ocid1.<resource type>.<realm>.[region][.future use].<unique ID>
where:
ocid1: a literal string indicating the version of the CID;
resource type: the type of the resource (e.g., instance, volume, VCN, subnet, user, group, etc.);
realm: the realm in which the resource resides. Example values are "c1" for the commercial realm, "c2" for the government cloud realm, "c3" for the federal government cloud realm, and so on. Each realm can have its own domain name;
region: the region in which the resource resides. This part may be empty if the region does not apply to the resource;
future use: reserved for future use;
unique ID: the unique portion of the ID. The format can vary depending on the type of resource or service.
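The CID syntax above can be parsed and validated field by field; the following is an added example, not the patent's or any CSP's code. The realm codes are the ones the page lists; the character set allowed in each field, the sample CIDs, and the realm-consistency helper are assumptions of the example.

```python
"""Parse and validate CIDs of the form ocid1.<resource type>.<realm>.[region][.future use].<unique ID>
(added example, not the patent's code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Realm codes and their meanings exactly as the page lists them.
KNOWN_REALMS = {"c1": "commercial", "c2": "government cloud", "c3": "federal government cloud"}
# Assumption for this example: every non-empty field is lowercase alphanumerics and hyphens.
FIELD = re.compile(r"^[a-z0-9-]+$")


class CidError(ValueError):
    """Raised when a string is not a well-formed CID."""


@dataclass(frozen=True)
class Cid:
    version: str
    resource_type: str
    realm: str
    region: Optional[str]       # None when the region part is empty (not applicable)
    future_use: Optional[str]   # None when the optional part is absent or empty
    unique_id: str


def _field(name: str, value: str, optional: bool = False) -> Optional[str]:
    """Validate one dot-separated part; optional parts may be empty."""
    if value == "":
        if optional:
            return None
        raise CidError(f"{name} must not be empty")
    if not FIELD.match(value):
        raise CidError(f"{name} contains characters outside [a-z0-9-]: {value!r}")
    return value


def parse_cid(text: str) -> Cid:
    """Split a CID into its named parts, rejecting anything that does not fit the syntax."""
    parts = text.split(".")
    # 5 parts: version, type, realm, region (possibly empty), unique ID.
    # 6 parts: the same with the reserved future-use part before the unique ID.
    if len(parts) not in (5, 6):
        raise CidError(f"expected 5 or 6 dot-separated parts, got {len(parts)}")
    if parts[0] != "ocid1":
        raise CidError(f"unsupported CID version {parts[0]!r}")
    realm = _field("realm", parts[2])
    if realm not in KNOWN_REALMS:
        raise CidError(f"unknown realm {realm!r}")
    future = _field("future use", parts[4], optional=True) if len(parts) == 6 else None
    return Cid(
        version=parts[0],
        resource_type=_field("resource type", parts[1]),
        realm=realm,
        region=_field("region", parts[3], optional=True),
        future_use=future,
        unique_id=_field("unique ID", parts[-1]),
    )


def realm_name(cid: Cid) -> str:
    """Human-readable realm name for a parsed CID."""
    return KNOWN_REALMS[cid.realm]


def same_realm(a: str, b: str) -> bool:
    """True when two CIDs name resources in the same realm. Assumed guard for a request or
    policy that must not mix, say, commercial and government-cloud resources."""
    return parse_cid(a).realm == parse_cid(b).realm


if __name__ == "__main__":
    # Constructed sample CIDs; the unique IDs are placeholders.
    for sample in ("ocid1.instance.c1.us-phx.abcd1234", "ocid1.tenancy.c1..xyz789",
                   "ocid1.vcn.c2.gov-1.fu1.q1w2e3"):
        cid = parse_cid(sample)
        print(sample, "->", cid, realm_name(cid))
```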
Multi-cloud Introduction
FIG. 6 depicts a simplified high-level diagram of a distributed environment 600 including multiple cloud environments provided by different cloud service providers (CSPs), according to certain embodiments, where the cloud environments include a particular cloud environment that provides specialized infrastructure enabling one or more cloud services provided by that cloud environment to be used by customers of other cloud environments. As depicted in FIG. 6, various cloud environments (also referred to as "clouds") may be provided by different cloud service providers (CSPs), with each cloud environment or cloud providing one or more cloud services that may be subscribed to by one or more customers of that cloud environment. The set of cloud services provided by a CSP's cloud environment may include one or more different types of cloud services, including, but not limited to, Software as a Service (SaaS) services, Infrastructure as a Service (IaaS) services, Platform as a Service (PaaS) services, Database as a Service (DBaaS) services, and the like. Examples of cloud environments provided by various CSPs include Oracle Cloud Infrastructure (OCI) provided by Oracle Corporation, Azure provided by Microsoft Corporation, Google Cloud™ provided by Google LLC, Amazon Web Services provided by Amazon Corporation, and others. The cloud services provided by a particular cloud environment may differ from the set of cloud services provided by another cloud environment.
In a typical cloud environment, a CSP provides a cloud service provider infrastructure (CSPI), which is used to provide the one or more cloud services offered by that cloud environment to its customers. The CSPI provided by a CSP may include various types of hardware and software resources, including compute resources, memory resources, networking resources, consoles for accessing cloud services, and the like. A customer of a cloud environment provided by a CSP may subscribe to one or more of the cloud services provided by that cloud environment. The CSP may offer various subscription models to its customers. After a customer subscribes to a cloud service provided by a cloud environment, one or more users may be associated with the subscribing customer, and these users may use the cloud services subscribed to by the customer. In some embodiments, when a customer subscribes to a cloud service provided by a particular cloud environment, a customer account or customer tenancy is created for that customer. One or more users may then be associated with the customer tenancy, and these users may then use the services subscribed to by the customer under that customer tenancy. Information about the services subscribed to by a customer, the users associated with a customer tenancy, and the like is typically stored within the cloud environment and associated with the customer tenancy.
For example, three different cloud environments provided by three different CSPs are depicted in FIG. 6. These include cloud environment A (Cloud A) 610 provided by CSP A, cloud environment B (Cloud B) 640 provided by CSP B, and cloud environment C (Cloud C) 660 provided by CSP C. Cloud A 610 includes infrastructure CSPI_A 612 provided by CSP A, and this infrastructure can be used to provide a set of services "Services A" 614 offered by Cloud A 610. One or more customers (e.g., Customer A1 616-1, Customer A2 616-2) can subscribe to one or more of the services in Services A 614 provided by Cloud A 610. One or more users 618-1 can be associated with Customer A1 616-1 and can use the services subscribed to by Customer A1 616-1 in Cloud A 610. In a similar manner, one or more users 618-2 may be associated with Customer A2 616-2 and may use the services subscribed to by Customer A2 616-2 in Cloud A 610. In various use cases, the services subscribed to by Customer A1 616-1 may differ from the services subscribed to by Customer A2 616-2.
As depicted in FIG. 6, Cloud B 640 includes infrastructure CSPI_B 642 provided by CSP B, and this infrastructure can be used to provide a set of services "Services B" 644 offered by Cloud B 640. One or more customers (e.g., Customer B1 646-1) can subscribe to one or more of the services in Services B 644. One or more users 648-1 can be associated with Customer B1 646-1 and can use the services subscribed to by Customer B1 646-1 in Cloud B 640.
As depicted in FIG. 6, Cloud C 660 includes infrastructure CSPI_C 662 provided by CSP C, and this infrastructure can be used to provide a set of services "Services C" 664 offered by Cloud C 660. One or more customers (e.g., Customer C1 666-1) can subscribe to one or more of the services in Services C 664. One or more users 668-1 can be associated with Customer C1 666-1 and can use the services subscribed to by Customer C1 666-1 in Cloud C 660. It is noted that Services A 614, Services B 644, and Services C 664 can differ from one another.
In existing cloud implementations, each cloud provides a closed ecosystem for its subscribing customers and their associated users. Consequently, a customer of a cloud environment and its associated users are limited to using the services provided by that cloud to which the customer has subscribed. For example, Customer B1 646-1 and its users 648-1 are limited to using Services B 644 provided by Cloud B 640, and cannot use their account in Cloud B 640 to access services from a different cloud environment, such as a service in Services A 614 provided by Cloud A 610 or a service in Services C 664 provided by Cloud C 660. The teachings described herein overcome this limitation. As described in the present disclosure, various techniques enable the creation of a link between two cloud environments, such that a service provided by a first cloud environment of a first CSP can be used by customers (and their associated users) of a different, second cloud environment provided by a second, different CSP, using the customer's account in the second cloud environment.
For example, in the embodiment depicted in FIG. 6, the infrastructure CSPI_A 612 provided by CSP A includes, in addition to other infrastructure 620, special infrastructure 622 (referred to as multi-cloud enabling infrastructure 622, MEI 622, or multi-cloud infrastructure 622) that enables one or more services 614 provided by Cloud A to be used by customers and associated users of other clouds, such as Clouds B 640 and C 660, using their customer accounts in those other clouds. In some embodiments, customers of Clouds B and C do not have to open separate accounts with Cloud A in order to use one or more of the services 614 provided by Cloud A 610. Customer B1 646-1 and associated users 648-1 of Cloud B 640 can use their customer account or tenancy in Cloud B 640 to use one or more of the services 614 provided by Cloud A 610. As another example, Customer C1 666-1 and associated users 668-1 of Cloud C 660 can use their customer account or tenancy in Cloud C 660 to use one or more of the services 614 provided by Cloud A 610.
In certain embodiments, MEI 622 enables the creation of links between Cloud A 610 and other clouds, where these links can be used by customers of the other clouds and their associated users to access and use services provided by Cloud A 610. This is shown symbolically in FIG. 6 as a link 670 created between Cloud A 610 and Cloud B 640, and a link 672 created between Cloud A 610 and Cloud C 660. Via link 670, customers of Cloud B 640 can access or use one or more of the services 614 provided by Cloud A 610. Similarly, via link 672, customers of Cloud C 660 can access or use one or more of the services 614 provided by Cloud A 610.
There are different ways in which MEI 612 can be implemented. In some embodiments, MEI 612 may include components that enable links to be established with different clouds. For example, in FIG. 6, MEI 622 includes an infrastructure component 624 responsible for enabling link 670 with Cloud B 640, and an infrastructure component 626 for enabling link 672 with Cloud C 660. In a similar manner, MEI 622 may include other components that enable and facilitate links with other clouds. In some embodiments, a component of MEI 622 may also facilitate links with multiple different clouds.
There are several reasons why a customer of one cloud may want or need to use a cloud service provided by a different cloud. Taking FIG. 6 as an example, there are several reasons why Customer B1 646-1 of Cloud B 640 may want to use a cloud service 614 provided by Cloud A 610. In one use case, this may occur because Cloud A 610 provides a cloud service with functionality that Cloud B 640 does not provide. In another use case, Clouds A and B may provide similar services, but the service provided by Cloud A 610 may be better (e.g., more features/functionality, faster, etc.) than the corresponding service provided by Cloud B 640. In another use case, Customer B1 646-1 of Cloud B 640 may want to use a cloud service provided by Cloud A 610 because that service is cheaper than the one provided by Cloud B 640. In some cases, there may be geographic restrictions or other reasons why Customer B1 646-1 of Cloud B 640 may want to use a cloud service provided by Cloud A 610. For example, Cloud A 610 may provide the desired service in a geographic region where Cloud B 640 does not, or Cloud B 640 may not provide a particular service in the geographic region where the customer requires it. There may be several other use cases in which a customer of one cloud may want to use a service provided by a different cloud.
In some embodiments, MEI 622 provides the capabilities and performs the functions needed to create a link between Cloud A 610 and another cloud, and via that link enables users associated with a customer of the other cloud to access and use services provided by Cloud A 610 from the other cloud itself, in a seamless manner. For example, MEI 622 enables a user 648-1 associated with Customer B1 646-1 of Cloud B 640 to seamlessly access a service in Services A 614 provided by Cloud A 610. In some embodiments, a user interface (e.g., a console) accessible to user 648-1 from within Cloud B 640 can be provided, which enables the user to see a list of the services 614 provided by Cloud A 610 and to select a particular service that user 648-1 wishes to access. In response to the user's selection, MEI 622 is responsible for performing the processing that establishes link 670 between Clouds A and B so that the requested service can be accessed. The processing for setting up link 670 is performed substantially automatically by MEI 622. Customer B1 646-1 and associated user 648-1 do not have to concern themselves with performing any system, networking, or other configuration changes needed to facilitate the creation, maintenance, and use of link 670 between Clouds A 610 and B 640. No burden is placed on the user or customer when creating a link between clouds. Using the techniques described in this disclosure, the link is created in a fast and efficient manner.
MEI 622 can use various techniques to make the creation and use of links seamless for users and customers, thereby providing an enhanced user experience. In some embodiments, MEI 622 makes the user interfaces (e.g., graphical user interfaces, GUIs, etc.) and processing flows that Customer B1 and associated users 648-1 interact with (such as those for requesting a service from Cloud A 610 and for accessing the requested service from Cloud A 610) substantially similar to the interfaces and processing flows the customer/user would experience in Cloud B 640. In this way, a customer or user who may be accustomed to the interfaces and processing flows of Cloud B 640 does not have to learn new interfaces and processing flows in order to access services 614 from Cloud A 610. MEI 622 can present different interfaces and processing flows to users of different cloud environments. For example, users from Cloud B 640 can be presented with a first set of user interfaces and flows substantially similar to those of Cloud B, while users accessing Cloud A 610 from Cloud C 660 can be presented with another set of user interfaces and flows substantially similar to those of Cloud C. This is done to simplify access to the services 614 of Cloud A 610 from other clouds and thereby enhance the user's experience.
As another example, each cloud environment typically includes an identity management system configured to provide security for that cloud environment. The identity management system is configured to protect resources in the cloud environment, including resources provided by the CSP and resources of subscribing cloud customers deployed in the cloud environment. The functions performed by the identity management system include, for example, managing the identity credentials (e.g., usernames, passwords, etc.) associated with the cloud's subscribing customers and their associated users, using those identity credentials to regulate user access to cloud resources and services based on the permission/access policies configured for the cloud environment, and other functions. Different clouds may use different identity management systems and associated technologies. For example, the identity management system and associated processes in Cloud A 610 may be completely different from those in Cloud B 640, which in turn may be completely different from those in Cloud C 660. In some embodiments, despite the differences in identity management systems and associated processes between cloud environments, the techniques described herein enable users associated with a customer of a first cloud to access cloud services provided by a different cloud using the same identity credentials that are associated with the customer and users in the first cloud.
For example, in the embodiment depicted in FIG. 6, Cloud B 640 provided by CSP B may include an identity management system that assigns or allocates identity credentials to its subscribing customers and their associated users, such as Customer B1 646-1 and associated users 648-1. These identity credentials are associated with the tenancy created for Customer B1 646-1 in Cloud B 640. In certain embodiments, MEI 622 provided by Cloud A 610 enables a user 648-1 associated with Cloud B Customer B1 646-1 to access a service from Services A 614 in Cloud A 610 using the identity credentials associated with user 648-1 and Customer B1 646-1 in Cloud B 640. This greatly enhances the user experience for user 648-1, since they do not have to create new identity credentials specific to Cloud A 610 merely to access services 614 in Cloud A 610. MEI 622 facilitates this access.
As an example, customer B1 of cloud B 640 may select a service, such as database as a service (DBaaS), from the set of services 614 provided by cloud A 610. In response to this selection, MEI 622 causes a link 670 to be automatically created between cloud A 610 and cloud B 640 so that user 648-1, associated with customer B1 646-1, can use the DBaaS service provided by cloud A 610. The automatic establishment of link 670 is facilitated by MEI 622. After link 670 is established, user 648-1 may use the DBaaS service in cloud A 610 via cloud B 640. As part of using this service, user 648-1 may send a request via cloud B 640 to cloud A 610 to create a database resource. In response, CSPI_A 612 may create the requested database in cloud A 610. In certain embodiments, the created database may be provisioned in a virtual network (e.g., a virtual cloud network or VCN) created for customer B1 in cloud A 610 and be accessible to user 648-1 via cloud B 640. User 648-1 may then send requests from cloud B 640 to cloud A 610 to use the provisioned database. These requests may include, for example, requests to write data to the database, update data stored in the database, delete data in the database, delete the database, create additional databases, and the like. In some use cases, these requests may originate via cloud B 640 from user 648-1 or from a service 644 provided by cloud B 640. In this manner, the MEI 622 provided by cloud A 610 enables users associated with customers of different clouds provided by different CSPs to seamlessly access services provided by cloud A 610.
The distributed environment 600 depicted in FIG. 6 is merely an example and is not intended to unduly limit the scope of the claimed embodiments. Many variations, alternatives, and modifications are possible. For example, in alternative embodiments, distributed environment 600 may have more or fewer cloud environments. A cloud environment may also have more or fewer systems and components, or may have a different configuration or arrangement of systems and components. The systems and components depicted in FIG. 6 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective systems, in hardware, or in a combination thereof. The software may be stored on a non-transitory storage medium (e.g., on a memory device).
Multi-Cloud Control Plane (MCCP)
FIG. 7 depicts a high-level architecture of a multi-cloud control plane (MCCP) according to some embodiments. As shown in FIG. 7, the high-level architecture 700 includes a first cloud environment provided by a first cloud service provider (e.g., OCI) 720 and a second cloud environment provided by a second cloud service provider 710 (i.e., Azure). The first cloud environment 720 includes a first cloud infrastructure 720A that provides a variety of services to users of the first cloud environment 720. In addition, the first cloud environment 720 includes a multi-cloud infrastructure 720B that provides the ability to deliver the services of the first cloud infrastructure 720A (e.g., Oracle Cloud Infrastructure (OCI)) to users of other cloud environments (e.g., the second cloud infrastructure 710A). The multi-cloud infrastructure 720B allows users to access services on another cloud (e.g., Oracle PaaS services) with a user experience as close as possible to that of the user's native cloud environment, while providing simple integration between the cloud environments.
The second cloud infrastructure 710A includes a second cloud portal 711, an active directory 712, a resource manager 713, a customer subscription 715, and a subscription of the first cloud provider 717. The second cloud portal 711 is a centralized access point where customers of the second environment 710 can log in and manage their cloud deployments and instances. Note that the second cloud portal may provide options for monitoring and operating the services provided by the second cloud infrastructure. The active directory 712 is a service provided by the second cloud infrastructure 710A that gives administrators the ability to manage end-user identities and access privileges. Its services may include a core directory, access management, and identity protection. The resource manager 713 is the deployment and management service of the second cloud infrastructure, i.e., it provides users with a management layer for performing operations (e.g., create, update, delete, etc.) on resources deployed in the customer subscription 715. Note that a customer subscription may also be referred to as a virtual network (VNET) in which customer applications are deployed and executed. The subscription of the first cloud provider 717 in the second cloud infrastructure 710A includes an express route and spoke-and-hub VNETs, which provide the network connections to be established with the second cloud infrastructure 710A (e.g., from an on-premises location or from an external cloud environment). Note that such connections may avoid routing over the public Internet, thereby providing users with higher reliability, faster speeds, consistent latency, and higher security.
The first cloud infrastructure 720A includes a control plane 724, a customer tenancy 726, and the multi-cloud infrastructure 720B. The control plane 724 of the first cloud infrastructure 720A is the native control plane of the first cloud environment and provides management and orchestration across cloud environments. Configuration baselines are set here, user and role access is provisioned here, and applications reside here so that they can be executed together with the related services. The multi-cloud infrastructure 720B includes a multi-cloud platform data plane 722 and a multi-cloud platform data plane 728. As previously described, the multi-cloud infrastructure 720B provides the functionality that enables users of other cloud environments (e.g., the second cloud environment 710) to access the services provided by the first cloud environment with a user experience as close as possible to that of the user's native cloud environment (e.g., the second cloud environment 710), while providing simple integration between the cloud environments.
The MCCP architecture of FIG. 7 also includes a multi-cloud console 721 (distinct from the second cloud portal 711) that allows users authenticated in the second cloud infrastructure 710 to perform control-plane operations on resources of the first cloud infrastructure 720 exposed via the multi-cloud infrastructure 720B. In some embodiments, as shown in FIG. 7, all requests from user 705 transmitted to the multi-cloud console 721 are directed to the multi-cloud infrastructure included in the first cloud environment. It should be appreciated that user 705 can transmit requests (e.g., CRUD requests) for resources provided by the first cloud infrastructure directly to the multi-cloud console 721. The multi-cloud console 721 is configured to process requests whose syntax or format is similar to that used natively by the second cloud infrastructure. In other words, the multi-cloud console 721 has a similar look and feel, and uses terminology similar to that of the second cloud portal 711 included in the second cloud infrastructure 710A. In some embodiments, a link (e.g., a weblink) that directs the user to the multi-cloud console 721 can be provided in the second cloud console 711.
The multi-cloud infrastructure 720B included in the first cloud infrastructure 720A comprises a plurality of microservices, such as a permission module 722A, a proxy module 722B, a platform service module 722C, a cloud-link adapter 722D, an adapter pool 722E (including adapter 1, adapter 2, adapter 3, and adapter 4), and a network link adapter 722F. The adapter pool 722E may include adapters such as an Exadata cloud service adapter, an autonomous database shared adapter, an autonomous database dedicated adapter, and a virtual machine database adapter.
Each adapter included in the adapter pool 722E is responsible for exposing a unique set of underlying resources (provided by the first cloud infrastructure 720A) to users of other cloud environments (e.g., the second cloud environment). Specifically, each adapter in the adapter pool 722E maps to a particular product or resource provided by the first cloud infrastructure 720A. Note that the actual resources are created by the native control plane 724 of the first cloud infrastructure. For example, for database as a service (DBaaS), the DBaaS control plane included in control plane 724 is configured to instantiate Exa database resources in the customer tenancy 726 of the first cloud environment.
Incoming requests received by the multi-cloud infrastructure 720B are processed by the permission module 722A, which performs authentication and access control. Each request includes a token associated with the user's account in the second cloud infrastructure. The permission module extracts the token and verifies it in conjunction with the active directory 712 (i.e., the identity provider system of the second cloud infrastructure 710A). After successful verification, the permission module 722A can check the role (i.e., the set of privileges) associated with the user. Note that a role can be associated with one or more tasks/operations permitted for that role. According to one embodiment, the permission module 722A is responsible for authenticating incoming requests to the MCCP and for authorizing, based on the role associated with the token, whether the user is allowed to perform the requested operation. In some embodiments, the permission module 722A can perform the above authentication processing by utilizing a custom authentication feature of the service platform (i.e., the SPLAT associated with the first cloud infrastructure). SPLAT accepts the incoming request and forwards it to the permission module 722A, which further parses the incoming request to determine the permission decision and returns a success or failure message to SPLAT. If successful, SPLAT passes the request to the routing proxy 722B; if unsuccessful, SPLAT returns an error response directly to the caller.
The proxy module 722B (also referred to as the routing proxy module) included in the multi-cloud infrastructure 720B is the component that receives incoming requests from the multi-cloud console 721 and routes each request to a particular adapter included in the adapter pool 722E. According to one embodiment, the proxy module 722B accepts pre-authenticated requests from the service platform (i.e., SPLAT) of the first cloud infrastructure and routes each request to the appropriate adapter based on the path information included in the incoming request. In some embodiments, the proxy module 722B extracts an identifier corresponding to the service provider (from the incoming request) and routes the request to the appropriate adapter in the adapter pool 722E.
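The authenticate-then-route sequence of the permission module 722A, SPLAT and the routing proxy 722B described in the two paragraphs above, as an added example written for this page (it is not code from the patent or from any cloud provider). The token format, the signing secret, the issuer and audience strings, the role-to-operation table and the path-to-adapter table are all constructed assumptions. The point it makes concrete is the ordering the text describes: signature, issuer, audience and expiry are checked before the role claim is trusted, the role alone decides whether the operation is permitted, and a request reaches an adapter only after the decision is "allowed".

```python
"""Added example (not the patent's code): a model of the MCCP permission module 722A,
the SPLAT gate and the routing proxy 722B. Everything below is a constructed stand-in."""
import base64
import hashlib
import hmac
import json
import time

# Constructed: an HMAC secret standing in for the second cloud IdP's token signing key.
IDP_SECRET = b"constructed-demo-signing-secret"
IDP_ISSUER = "https://idp.second-cloud.example/tenant-0001"   # constructed issuer
MCCP_AUDIENCE = "api://mccp"                                  # constructed audience

# Constructed role -> permitted operations (the text describes a role as a set of privileges).
ROLE_OPERATIONS = {
    "db-reader": {"read"},
    "db-operator": {"read", "create", "update"},
    "db-admin": {"read", "create", "update", "delete"},
}

# Constructed request path prefix -> adapter in the adapter pool.
ADAPTER_ROUTES = {
    "/exadata": "exadata-cloud-service-adapter",
    "/adb-shared": "autonomous-db-shared-adapter",
    "/adb-dedicated": "autonomous-db-dedicated-adapter",
    "/vmdb": "vm-database-adapter",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, role, now=None, ttl=3600, secret=IDP_SECRET):
    """Stand-in for the second cloud's IdP: a compact HS256 token (header.payload.signature)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": IDP_ISSUER, "aud": MCCP_AUDIENCE, "sub": subject,
                                  "role": role, "iat": now, "exp": now + ttl}).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def validate_token(token, now=None, secret=IDP_SECRET):
    """Permission module, authentication half: verify signature, issuer, audience and expiry."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise PermissionError("malformed token") from None
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise PermissionError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != MCCP_AUDIENCE:
        raise PermissionError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


def authorize(request, now=None):
    """Permission module, authorization half: the role decides whether the operation is allowed."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"allowed": False, "status": 401, "reason": "missing bearer token"}
    try:
        claims = validate_token(auth[len("Bearer "):], now=now)
    except PermissionError as exc:
        return {"allowed": False, "status": 401, "reason": str(exc)}
    role = claims.get("role")
    if request["operation"] not in ROLE_OPERATIONS.get(role, set()):
        return {"allowed": False, "status": 403,
                "reason": f"role {role!r} may not {request['operation']}"}
    return {"allowed": True, "status": 200, "subject": claims["sub"], "role": role}


def route(path):
    """Routing proxy: choose the adapter by the longest matching path prefix."""
    matches = [(p, a) for p, a in ADAPTER_ROUTES.items() if path == p or path.startswith(p + "/")]
    return max(matches, key=lambda m: len(m[0]))[1] if matches else None


def handle(request, now=None):
    """SPLAT-style gate: authorize first, route only an allowed request, else return the error."""
    decision = authorize(request, now=now)
    if not decision["allowed"]:
        return {"status": decision["status"], "error": decision["reason"]}
    adapter = route(request["path"])
    if adapter is None:
        return {"status": 404, "error": "no adapter for path"}
    return {"status": 200, "adapter": adapter, "subject": decision["subject"],
            "operation": request["operation"]}
```

A token whose payload has been swapped for one carrying a stronger role fails the signature check and is rejected as unauthenticated (401) rather than reaching the role check, which is why the signature is verified before any claim is read.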
The cloud-link adapter 722D included in the multi-cloud infrastructure 720B is responsible for handling lifecycle operations on the resources provided by the first cloud infrastructure. The cloud-link adapter 722D is configured to create a mapping (or relationship, created during the registration process) between the active directory tenant (and its associated subscription) of the second cloud infrastructure and the user's corresponding tenancy/account in the first cloud infrastructure. In other words, the cloud-link adapter 722D generates a mapping from a first identifier associated with the user's tenancy in the first cloud infrastructure to a second identifier associated with the user's account in the second cloud infrastructure.
In some embodiments, the cloud-link adapter 722D performs translation between an external cloud identifier (e.g., the second identifier associated with the user's account in the second cloud infrastructure) and the first identifier (associated with the user's tenancy in the first cloud infrastructure), so that operations passing through the multi-cloud control plane 722 can be mapped to the appropriate underlying resources in the first cloud infrastructure. In some embodiments, the cloud-link adapter generates a data object to store this mapping information. Additionally, the cloud-link adapter 722D generates a resource principal associated with the data object. One or more permissions are assigned to the resource principal based on the token (and its associated role) included in the request. The user accesses downstream services provided by the first cloud infrastructure from the second cloud infrastructure on the basis of this resource principal. The cloud-link adapter 722D may store the data object and the associated resource principal in the root compartment of the user's tenancy in the first cloud infrastructure. Alternatively or additionally, the cloud-link adapter 722D may also keep the data object and the resource principal locally on the platform service module 722C of the multi-cloud infrastructure, so that the other adapters included in the multi-cloud infrastructure can access them seamlessly.
The network link module (also referred to as the network adapter) 722F is responsible for creating a network link between the customer subscription 715 (in the second cloud infrastructure) and the corresponding customer tenancy/account 726 (in the first cloud infrastructure). According to some embodiments, the network link module 722F obtains a token (from the platform service module 722C) and creates (1) a first peering relationship between the multi-cloud platform data plane 728 and the customer tenancy 726 (in the first cloud environment), and (2) a second peering relationship between the customer subscription 715 and the subscription of the first cloud service provider 717 included in the second cloud infrastructure (in the second cloud environment).
The network link module 722F is also configured to establish network connectivity between the first cloud environment and the second cloud environment, i.e., the network link module 722F can configure the interconnect 719 to communicatively couple the two cloud environments. It should be appreciated that once the network link is formed between the two cloud environments, applications executing in the customer's subscription (e.g., in a VNET of the second cloud infrastructure) are able to access resources such as the Exa database resources deployed in the customer tenancy 726 of the first cloud infrastructure. In addition, as shown in FIG. 7, telemetry functionality is provided within the tenancy 726. This functionality involves maintaining logs, metrics, and other performance parameters relating to the resources deployed in the customer tenancy and their respective usage. According to some embodiments, the MCCP produces a mirror of the logs and metrics associated with the various resources in the first cloud environment and publishes the metrics, logs, events, etc. for further processing, for example in a dashboard (e.g., in an application insights module included in the customer subscription 715 of the second cloud environment).
In some embodiments, the platform service module 722C included in the multi-cloud infrastructure is configured to store the credentials associated with the services of the first cloud infrastructure that are provided to the second cloud infrastructure. The platform service module 722C provides, for example, tokens/resource principals to the various adapters included in the adapter pool 722E so that the adapters can communicate with the native control plane 724 of the first cloud infrastructure. In some embodiments, the platform service module 722C exposes APIs that are called by the various adapters to perform tasks such as:
• Vending minimum-scoped access tokens (issued by the second cloud infrastructure) to adapters. For example, the network adapter 722F requires an access token to perform the network peering operations described above.
• Providing the resource principal that an adapter will use to call a downstream service to create resources in the customer tenancy of the first cloud infrastructure.
• Triggering the replication of observability data (logs, metrics, events) from the first cloud infrastructure to the second cloud infrastructure.
As previously described, the adapter pool includes multiple adapters, each responsible for exposing a unique set of underlying resources of the first cloud infrastructure to users of the second cloud infrastructure, i.e., each adapter maps to a particular product or resource provided by the first cloud environment. For example, the Exa database adapter acts as the proxy through which a user of the second cloud infrastructure creates and uses Exa database resources. An Exa database is a preconfigured combination of hardware and software that provides the infrastructure for running a database. According to some embodiments, an Exa database comprises a set of resources: (a) Exadata infrastructure (i.e., hardware), (b) a VM cloud cluster, (c) container databases, and (d) pluggable databases. According to some embodiments, the multi-cloud infrastructure provides (users of the second cloud infrastructure) the ability to analyze each level of this stacked infrastructure. Moreover, the MCCP gives users the flexibility of issuing only a create command for the workflow (via the multi-cloud console 721), after which the MCCP automatically creates the individual resources at each level of the stack. It should be appreciated that although the adapter pool 722F depicted in FIG. 7 includes four different adapters, this in no way limits the scope of the MCCP architecture 700. The MCCP architecture may include other adapters, for example dedicated adapters intended for use by a specific cloud service provider based on that provider's requirements.
FIGS. 8A and 8B depict exemplary flow diagrams for linking two user accounts in different cloud environments according to some embodiments. The two user accounts may correspond to a first user account (e.g., a tenancy) in a first cloud infrastructure and a second user account in a second cloud infrastructure. FIG. 8A depicts the process of linking the two user accounts where the user's tenancy is first created in the first cloud infrastructure and then linked to the user's account in the second cloud infrastructure. FIG. 8B depicts the process of linking the two user accounts where the user's tenancy has already been created in the first cloud infrastructure, i.e., the tenancy already exists.
FIG. 8A depicts the data flow performed when a user representing a customer (such as a system administrator) makes a call from the second cloud infrastructure to the multi-cloud infrastructure (included in the first cloud infrastructure) to register for a service provided in the first cloud infrastructure. A special console (referred to herein as the multi-cloud console) can be provided to users of the second cloud infrastructure for opening an account within the first cloud infrastructure and linking the user's account in the first cloud infrastructure to the user's account in the second cloud infrastructure. Note that linking the accounts in the first and second cloud infrastructures enables the user to utilize (from the second cloud infrastructure) one or more services provided by the first cloud infrastructure. In certain embodiments, the user registers for the service using the multi-cloud console. In response to the registration, a URL that enables the user to log in to the multi-cloud console may be sent to the user. The multi-cloud console exposes a UI and APIs similar to the UI and APIs of the second cloud infrastructure.
The multi-cloud console may provide various UIs (e.g., GUIs) offering user-selectable options that enable a user of the second cloud infrastructure to open an account in the first cloud infrastructure and further link the user's accounts in the first and second cloud infrastructures. For example, the multi-cloud console may provide a registration UI that enables the user to create an account/tenancy in the first cloud infrastructure and link the user's account (in the first cloud infrastructure) to the user's account in the second cloud infrastructure. Once the processing triggered in response to the registration/linking request completes, the user's accounts in the respective cloud infrastructures are linked together. As part of this processing, the multi-cloud console enables the user (e.g., a system administrator) to log in to the second cloud infrastructure and request either: (a) creation of an account for the user (in the first cloud infrastructure) and linking of that account; or (b) for an account the user already has in the first cloud infrastructure, linking of the user's first cloud infrastructure account to the user's second cloud infrastructure account.
Thus, in certain use cases, there are two possibilities: (a) the user already has an existing account or tenancy in the first cloud infrastructure and now, via the registration UI of the multi-cloud console, requests that a link be created between the user's accounts (details of this process are described below with reference to FIG. 8B), or (b) the user requests both the creation of a new account in the first cloud infrastructure and the linking of the newly created account to the user's account in the second cloud infrastructure. Details of this process are described below with reference to FIG. 8A. It should be appreciated that linking the accounts enables the user to use resources in the first cloud via the second cloud. For example, via the second cloud, the user can request that resources be created or provisioned in the first cloud, use and manage resources in the first cloud, delete resources in the first cloud, and so on.
As shown in FIG. 8A, in step 1, in response to input provided by the user to the multi-cloud console (e.g., the registration UI of the multi-cloud console) requesting that a new account be created for the user in the first cloud infrastructure and linked to the user's account in the second cloud infrastructure, the multi-cloud console calls the account service (in the first cloud infrastructure) to create the new account. Note that this call includes a token generated by the second cloud infrastructure. The token generated by the second cloud infrastructure and included in the call to the account service is what enables the account or tenancy created in the first cloud infrastructure to be linked to the user's account in the second cloud infrastructure.
In step 2, as part of the process of setting up the new account for the user, the account service may call the permission/proxy module included in the multi-cloud control plane (e.g., the permission module 722A included in the multi-cloud infrastructure of FIG. 7) to verify the token. The permission/proxy module verifies the token (as described above with reference to FIG. 7), and further processing can continue only after the token has been successfully verified. After the token is successfully verified, the account service creates the new account for the user in the first cloud infrastructure. As part of creating the new account, a native user may be created and associated with the newly created account. Note, however, that the credentials of this native user are not used. Rather, the user's identity in the second cloud infrastructure is used to manage the account and its resources in the first cloud infrastructure (from the second cloud infrastructure).
After the account service in the first cloud infrastructure has successfully created the new account, in step 3 the account service calls the cloud-link adapter (included in the multi-cloud infrastructure) to create a link (also referred to as a cloud-link) between the user's account in the second cloud infrastructure and the newly created account in the first cloud infrastructure. In certain embodiments, the cloud-link adapter exposes APIs to the account service and to the multi-cloud console. These APIs can be called by the account service (or by the multi-cloud console) to request the linking of the accounts. Note that in some embodiments no token is included in the call of step 3, because the call requesting the link is not made by the user but is directed by the account service. In this case, the cloud-link adapter does not perform another authentication requiring another token; it relies on the account service having already performed the necessary authentication of the user as part of setting up the account using the token received in step 1.
In some embodiments, the processing performed by the cloud-link adapter in step 3 to link the two accounts includes:
(a) The cloud-link adapter creates a data object (also referred to herein as a cloud-link resource object) for storing metadata that identifies the two linked accounts. For example, the data object stores metadata including a mapping between a first identifier associated with the tenancy (i.e., account) created in the first cloud infrastructure and a second identifier associated with the user's account with the second cloud service provider.
(b)云-链路适配器创建新的隔间,用于存储和包含用户可以/将使用多云控制台管理的第一云基础设施侧的资源。在一些实施方式中,云-链路资源对象是在客户在第一云基础设施中的账户的根目录下创建的。(b) The cloud-link adapter creates a new compartment for storing and containing resources on the first cloud infrastructure side that the user can/will manage using the multi-cloud console. In some embodiments, the cloud-link resource object is created in the root directory of the customer's account in the first cloud infrastructure.
(c)云-链路适配器为第二云基础设施的用户期望使用的资源创建新的资源主体(在本文称为云链路资源主体)。(c) The cloud-link adapter creates a new resource principal (referred to herein as a cloud-link resource principal) for the resource that the user of the second cloud infrastructure desires to use.
(d)云-链路适配器可以执行促进将第一云基础设施中的域链接到活动目录(例如,如图7中所示的第二云基础设施的活动目录712)的一个或多个联合设立。联合第一云基础设施和第二云基础设施的账户的处理允许第二云基础设施中的用户/用户组在第一云基础设施中进行认证,并且允许来自第一云基础设施的用户/组在第二云基础设施中进行认证。(d) The cloud-link adapter may perform one or more federation setups that facilitate linking a domain in the first cloud infrastructure to an active directory (e.g., active directory 712 of the second cloud infrastructure as shown in FIG7 ). The process of federating accounts of the first cloud infrastructure and the second cloud infrastructure allows users/user groups in the second cloud infrastructure to authenticate in the first cloud infrastructure, and allows users/user groups from the first cloud infrastructure to authenticate in the second cloud infrastructure.
在某些实施方式中,基于用户在第二云基础设施的账户中的凭证/令牌,许可与云-链路资源主体相关联。当用户使用多云控制台请求新账户或请求将第一云基础设施中用户的账户链接到第二云基础设施中用户的账户时,用户提供设立资源主体的同意。另外,如步骤4中所示,云-链路资源主体被传输到下游服务,以使得用户能够利用来自第二云基础设施的(一个或多个)下游服务(例如,由第一云基础设施提供的一个或多个服务)。In some embodiments, based on the user's credentials/token in the account of the second cloud infrastructure, the permission is associated with the cloud-link resource principal. When the user uses the multi-cloud console to request a new account or request to link the user's account in the first cloud infrastructure to the user's account in the second cloud infrastructure, the user provides consent to establish the resource principal. In addition, as shown in step 4, the cloud-link resource principal is transmitted to the downstream service to enable the user to utilize the downstream service(s) from the second cloud infrastructure (e.g., one or more services provided by the first cloud infrastructure).
Turning to FIG. 8B, a process is depicted for linking an existing account or tenancy in the first cloud infrastructure to the user's account in the second cloud infrastructure. As shown in FIG. 8B, the user requests, via a registration UI provided by the multi-cloud console, that the user's accounts in the first and second cloud infrastructures be linked. In response, in step 1, the multi-cloud console calls the cloud-link adapter to link the accounts. This call can be made using one of the APIs the cloud-link adapter exposes to the registration UI. In some embodiments, the information passed to the cloud-link adapter in step 1 includes information identifying the user's account in the second cloud infrastructure and the user's account in the first cloud infrastructure, a token issued by the second cloud infrastructure, and the like.
In step 2, the cloud-link adapter calls the authorization/proxy module included in the multi-cloud infrastructure to authenticate the token received in step 1. As part of this authentication, the authorization/proxy module determines whether the requesting user has sufficient permissions on the second cloud infrastructure side to issue a link request; the roles and permissions configured on the second cloud infrastructure side may be checked as part of this verification. If the user is verified successfully, the cloud-link adapter retrieves, from the data object previously created for the user, the resource principal associated with the resource the user wishes to use. Then, as shown in step 3, the cloud-link resource principal is passed to the downstream service(s) so that the user can consume the downstream service(s) (e.g., one or more services provided by the first cloud infrastructure) from the second cloud infrastructure.
FIG. 9 is an exemplary system diagram illustrating the components of a multi-cloud control plane (MCCP) according to some embodiments. The MCCP 900 includes a service platform (SPLAT) 910, a routing proxy 915, a cloud-link adapter 920, a database adapter 925, a network adapter 930, and an MCCP platform 935. Once the user has completed the registration process described above with reference to FIGS. 8A and 8B, the user can use the multi-cloud console 905 to issue commands that access, create, or update resources in the user's tenancy in the first cloud infrastructure. For ease of explanation, the following describes the scenario in which the user issues a request through the multi-cloud console to create an Exadata database resource.
In some embodiments, the user accesses the multi-cloud console 905 and provides login information, e.g., the user's credentials in the second cloud infrastructure. The multi-cloud console 905 offers several options, such as creating a resource, accessing a resource, and updating a resource, which may be presented as selectable icons (e.g., buttons) in the console. When the user makes a selection (e.g., create a resource), an API call to the service platform 910 is triggered. It should be understood that the request sent to the service platform 910 is not a native call to the first cloud infrastructure. Rather, it is a REST-style call carrying an authorization header that contains a token associated with the user in the second cloud infrastructure.
The REST call, including the token, is then forwarded to the routing proxy module 915, which performs authentication and access-control operations. According to some embodiments, the routing proxy module 915 authenticates by extracting the token included in the REST call. It verifies the token by checking the signature used to sign the request against the second cloud infrastructure's publicly available signing material, to ensure that the request originates from a valid customer associated with the second cloud infrastructure. In addition, the routing proxy module 915 may check the role (i.e., privilege) associated with the token, e.g., whether the role corresponds to an Exadata DB administrator. Based on the role, the routing proxy module 915 can route the request to the appropriate adapter in the MCCP framework 900.
According to one embodiment, the routing proxy module 915 compares the role associated with the token against a list of preconfigured roles that is published and assigned (as part of the API specification) for each adapter. For example, if the role associated with the token corresponds to "Exadata DB Administrator", the request can be understood as a request to create an Exadata database and is therefore forwarded to the database adapter 925. Furthermore, according to some embodiments, the routing proxy module 915 can analyze information included in the REST call, such as the provider ID and the requested resource type, and forward the request to the appropriate adapter based on that analysis.
In some embodiments, the request obtained by the routing proxy module 915 may not include information identifying the user's tenancy in the first cloud infrastructure where the resource is to be deployed. The routing proxy module 915 therefore communicates with the cloud-link adapter 920 to obtain the mapping from the user's account in the second cloud infrastructure to the user's tenancy in the first cloud infrastructure. If the mapping exists, the routing proxy module 915 obtains the information about the user's tenancy in the first cloud infrastructure and passes it to the database adapter 925, so that the database adapter 925 knows the tenancy in which the resource is to be created/deployed. If, however, the cloud-link adapter 920 determines that no mapping exists, the routing proxy module 915 can simply return an "unauthorized access" message to the user in response to the request to create the database resource.
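The following is an added example, not code from the patent or from any product it describes. It sketches the routing proxy's handling of one REST call as the preceding paragraphs and the FIG. 8B step 2 description lay it out: extract the bearer token, verify its signature against key material the second cloud publishes, pick the adapter whose published role list matches the token's role (cross-checked against the requested resource type), and resolve the caller's tenancy through the cloud-link mapping, answering "unauthorized access" when no mapping exists. Everything named here is an assumption: the token format, the key identifiers, the adapter names, the mapping table, and the use of an HMAC-signed token with a shared key in place of the provider's asymmetrically signed token (chosen so the block runs offline with the standard library only).

```python
import base64
import hashlib
import hmac
import json

# Assumption: key material the second cloud publishes for validating its tokens.
# The real provider signs tokens asymmetrically; a shared HMAC key stands in here.
SECOND_CLOUD_KEYS = {"kid-2023-1": b"constructed-example-key"}

# Assumption: per-adapter role lists "published as part of the API specification",
# and the resource types each adapter owns.
ADAPTER_ROLES = {
    "database_adapter": {"Exadata DB Administrator"},
    "network_adapter": {"Network Administrator"},
}
ADAPTER_RESOURCES = {
    "database_adapter": {"exadata_database"},
    "network_adapter": {"vcn", "peering"},
}

# Assumption: the cloud-link adapter's mapping of AD tenant -> first-cloud tenancy.
CLOUD_LINKS = {"ad-tenant-1111": "ocid1.tenancy.example..aaaa"}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Test double for the second cloud's token issuer (header.body.signature)."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(SECOND_CLOUD_KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{b64url(mac.digest())}"


def verify_token(token: str) -> dict:
    """Return the claims only if the signature verifies under a published key."""
    header_s, body_s, sig_s = token.split(".")
    header = json.loads(unb64url(header_s))
    key = SECOND_CLOUD_KEYS.get(header.get("kid"))
    if key is None:
        raise PermissionError("unknown signing key")
    expected = hmac.new(key, f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_s)):  # constant-time compare
        raise PermissionError("bad signature")
    return json.loads(unb64url(body_s))


def route_request(headers: dict, body: dict) -> dict:
    """Authenticate the caller, choose the adapter, and resolve the tenancy mapping."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "error": "unauthorized access"}
    try:
        claims = verify_token(auth[len("Bearer "):])
    except (PermissionError, ValueError) as exc:  # malformed or forged token
        return {"status": 401, "error": f"unauthorized access: {exc}"}

    roles = set(claims.get("roles", []))
    resource_type = body.get("resource_type")
    # Role-based routing, cross-checked against the requested resource type.
    adapter = next(
        (name for name, allowed in ADAPTER_ROLES.items()
         if roles & allowed and resource_type in ADAPTER_RESOURCES[name]),
        None,
    )
    if adapter is None:
        return {"status": 403, "error": "no role on this token permits the requested resource"}

    # The request names no first-cloud tenancy: resolve it through the cloud-link.
    tenancy = CLOUD_LINKS.get(claims.get("tid"))
    if tenancy is None:
        return {"status": 401, "error": "unauthorized access"}
    return {"status": 202, "adapter": adapter, "tenancy": tenancy,
            "resource_type": resource_type}
```

The role check and the mapping lookup are deliberately separate failures: a valid token from a tenant that was never linked is refused even when its role would otherwise route cleanly, which matches the "unauthorized access" response the text describes for the missing-mapping case.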
Note that in some embodiments the cloud-link adapter 920 creates a data object (referred to herein as the cloud-link resource object) that stores metadata identifying the two linked accounts. For example, the data object stores a mapping between a first identifier associated with the tenancy (i.e., account) in the first cloud infrastructure and a second identifier associated with the user's account with the second cloud service provider. The cloud-link adapter 920 also creates a resource principal (referred to herein as the cloud-link resource principal) for the resources (e.g., databases) that the user of the second cloud infrastructure wishes to create or manage. The cloud-link adapter 920 may keep both the data object and the resource principal in the root compartment of the user's tenancy in the first cloud infrastructure; in some embodiments it may also keep a local copy of the data object and/or the resource principal in the MCCP platform 935.
In some embodiments, the database adapter 925 may instruct or communicate with the network adapter 930 to create a network link between the user's account in the second cloud infrastructure and the user's tenancy in the first cloud infrastructure. For example, the network adapter 930 may obtain a token associated with the user from the native service 945 in the second cloud infrastructure and create (1) a first peering relationship, in the first cloud environment, between the MCCP data plane and the user's tenancy in the first cloud infrastructure, and (2) a second peering relationship, in the second cloud environment, between the user's account and the first cloud provider's subscription in the second cloud infrastructure.
The network adapter 930 is also configured to establish network connectivity between the first and second cloud infrastructures, i.e., it can configure the interconnect (e.g., interconnect 719 in FIG. 7) that communicatively couples the two cloud environments. Once a network link exists between the user's tenancy in the first cloud infrastructure and the user's account in the second, applications running in the user's subscription/account can reach resources such as an Exadata database deployed in the first cloud infrastructure tenancy. Creating the peering relationships also makes metrics, such as database usage metrics, available in the second cloud infrastructure (e.g., to a dashboard application running in the user's subscription there).
In some embodiments, the database adapter 925 can obtain the resource principal stored locally in the MCCP platform 935 and send a request (carrying that resource principal) to one or more downstream services 940 in the first cloud infrastructure to create the resource in the user's tenancy there. In other words, the downstream service 940 in the first cloud infrastructure uses the identity obtained from the MCCP platform 935 (i.e., the resource principal) to create/deploy the requested resource, such as an Exadata database, in the user's tenancy. After issuing the request to create the Exadata database, the user can poll the MCCP 900 intermittently for the request's status. Once the downstream service 940 has created the resource in the user's tenancy and the network adapter 930 has established the peering relationships, the MCCP 900 can notify the user that the request completed successfully.
Establishing a tenancy in a cloud environment
As described above with reference to FIG. 7, the cloud-link adapter 722D included in the multi-cloud infrastructure 720B is responsible for the lifecycle operations of resources provided by the first cloud infrastructure. The cloud-link adapter 722D is configured to create a mapping between the Active Directory tenant (and its associated subscription) in the second cloud infrastructure and the user's corresponding tenancy/account in the first cloud infrastructure. In other words, the cloud-link adapter generates a mapping between a first identifier associated with the user's tenancy in the first cloud infrastructure and a second identifier associated with the user's account in the second cloud infrastructure. Note that linking the user's tenancy in the first cloud infrastructure to the user's account in the second cloud infrastructure is what lets the user consume services provided by the first cloud infrastructure using the identity information associated with the second cloud infrastructure.
According to some embodiments, the cloud-link adapter 722D creates a data object (referred to herein as the cloud-link resource object or link-resource object) that holds the information linking the user's tenancy in the first cloud infrastructure to the user's account in the second cloud infrastructure. FIG. 10A illustrates an exemplary relationship diagram for the link-resource object according to certain embodiments. As shown in relationship diagram 1000, cloud-link resource object 1010 links a tenancy in the first cloud environment 1015 (e.g., customer tenancy 726 of FIG. 7) to an Active Directory tenant in the second cloud environment 1017. The Active Directory tenant in the second cloud environment is associated with the user's subscription/account there (e.g., customer subscription 715 of FIG. 7).
Note that the user's subscription in the second cloud environment 1016 has a 1:1 relationship with the user's tenancy in the first cloud environment 1015. The cloud-link resource object 1010 holds a mapping from a first identifier associated with the user's tenancy in the first cloud infrastructure (e.g., the tenancy name in the first cloud environment) to a second identifier associated with the user's account in the second cloud infrastructure (e.g., the tenant ID in the second cloud environment together with the associated subscription). The cloud-link resource object 1010 also stores location information 1018 about the regions/locations of the first and second cloud environments for which the link between the user's accounts in the two cloud environments is enabled.
FIG. 10B is a flowchart illustrating an example process for linking two user accounts in different cloud environments according to certain embodiments. For example, the process depicted in FIG. 10B can be used to link a user's Azure account (i.e., the account in the second cloud environment) with the user's Oracle account (i.e., the account in the first cloud environment). When a customer creates a tenancy 1072 in the second cloud environment 1070, an Active Directory 1073 is associated with the tenancy 1072. Note that the customer can create the tenancy in the second cloud environment via the second cloud's portal (e.g., portal 711 of FIG. 7). Active Directory 1073 is used to manage the identities associated with the customer's tenancy 1072, including the identities of the users associated with that tenancy. In FIG. 10B, Active Directory 1073 is shown for a particular customer's tenancy 1072.
In some embodiments, Active Directory 1073 stores the following pieces of information for identity management within the second cloud environment:
(1) Application information, i.e., information identifying one or more applications that have been registered with the tenancy 1072 in the second cloud environment and that can be used by users associated with the tenancy 1072. For example, in FIG. 10B, Active Directory 1073 stores information identifying the multi-cloud application 1009 registered for the customer's tenancy 1072. One or more roles can be specified for each application. For example, in FIG. 10C, the roles associated with the multi-cloud application 1009 may include a first role (role 1) corresponding to an administrator and a second role (role 2) corresponding to a reader. A role can be associated with one or more users. As shown in FIG. 10B, users 1008 include a first user (user A) associated with role 1 and a second user (user B) associated with role 2. The access privileges of role 2 can differ from (e.g., be narrower than) those of role 1: role 1 might allow the full set of operations (e.g., CRUD operations) on a resource such as a database, while role 2 allows only read operations on that resource.
(2) User information, i.e., information identifying a set of one or more users associated with the tenancy 1072 in the second cloud environment. For example, as shown in FIG. 10B, the customer's tenancy 1072 has users 1008, comprising two users, user A and user B. As described below, user A may be an administrative user who can request that a new account be created for the customer (in the first cloud environment) and linked to the customer's tenancy 1072. User A can also request that an existing account in the first cloud environment be linked to the account in the second cloud environment.
(3) Group information (groups 1006). One or more groups 1006 can be configured for the tenancy 1072, and information identifying them is included in the Active Directory 1073 for the tenancy. For example, as shown in FIG. 10B, group information 1006 includes an administrators group containing user A. A group can contain one or more users associated with the tenancy 1072, and a given user can belong to several groups.
(4) Role information (AD roles 1007), i.e., information identifying one or more roles configured for the tenancy 1072. AD roles 1007 are treated as global roles. Each AD role identifies the tasks/operations/activities permitted under that role. In the FIG. 10B example, an "Administrator" role has been configured for the tenancy 1072. A role can be associated with one or more users; when it is, the role identifies the tasks/operations/activities permitted for that user. For example, in FIG. 10B, user A is shown associated with the "Administrator" role in AD roles 1007. If the "Administrator" role is associated with a user identified in users 1008, that user is treated as an administrator and is allowed to perform the tasks/operations/activities permitted under the Administrator role. A user in users 1008 can be associated with one or more of the AD roles 1007. Roles in AD roles 1007 can also be associated with groups; when a role is associated with a group, the users in that group are allowed to perform the tasks/operations/activities permitted for that role.
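As an added example (not the patent's code, and not any vendor's directory API), the block below models the four kinds of directory data just listed and the check the text later describes for a tenancy-creation request: confirm the caller is a member of the tenancy, then resolve the caller's effective AD roles, held directly or inherited through group membership, and application roles. The user, group and role contents mirror the FIG. 10B narrative (user A in the administrators group holding "Administrator"; user B holding only the reader app role), but every identifier and the operation set attached to each role are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumption: what each role permits. Role 1 ("Administrator") allows CRUD on the
# application's resource; role 2 ("Reader") allows reads only. Tenancy-level
# actions hang off the global AD roles rather than the application roles.
APP_ROLE_OPERATIONS = {
    "Administrator": {"create", "read", "update", "delete"},
    "Reader": {"read"},
}
AD_ROLE_OPERATIONS = {
    "Administrator": {"create_tenancy", "link_tenancy"},
}


@dataclass
class ActiveDirectory:
    """Identity data for one second-cloud tenancy (cf. Active Directory 1073)."""
    tenant_id: str
    users: set = field(default_factory=set)              # users 1008
    groups: dict = field(default_factory=dict)           # groups 1006: group -> members
    user_ad_roles: dict = field(default_factory=dict)    # AD roles 1007 held directly
    group_ad_roles: dict = field(default_factory=dict)   # AD roles 1007 held via a group
    app_roles: dict = field(default_factory=dict)        # app -> {app role -> members}

    def require_member(self, user: str) -> None:
        if user not in self.users:
            raise PermissionError(f"{user} is not a member of tenant {self.tenant_id}")

    def effective_ad_roles(self, user: str) -> set:
        """Global roles held directly plus roles inherited from group membership."""
        self.require_member(user)
        roles = set(self.user_ad_roles.get(user, set()))
        for group, members in self.groups.items():
            if user in members:
                roles |= self.group_ad_roles.get(group, set())
        return roles

    def app_operations(self, user: str, app: str) -> set:
        """Operations the user's application roles allow on that app's resources."""
        self.require_member(user)
        ops = set()
        for role, members in self.app_roles.get(app, {}).items():
            if user in members:
                ops |= APP_ROLE_OPERATIONS.get(role, set())
        return ops

    def can_request_tenancy_creation(self, user: str) -> bool:
        """The authorization check before a new first-cloud tenancy is created and
        linked: a member of this tenancy whose AD roles carry the privilege."""
        try:
            roles = self.effective_ad_roles(user)
        except PermissionError:
            return False
        return any("create_tenancy" in AD_ROLE_OPERATIONS.get(r, set()) for r in roles)


def constructed_directory() -> ActiveDirectory:
    """The FIG. 10B data as the text describes it, with constructed identifiers."""
    ad = ActiveDirectory(tenant_id="ad-tenant-1072")
    ad.users = {"user_a", "user_b"}
    ad.groups = {"admin_group": {"user_a"}}
    ad.group_ad_roles = {"admin_group": {"Administrator"}}
    ad.app_roles = {
        "multicloud_app_1009": {"Administrator": {"user_a"}, "Reader": {"user_b"}},
    }
    return ad
```

Keeping application roles and global AD roles in separate tables matters for the least-privilege point the text makes: an application administrator is not automatically entitled to tenancy-level actions such as creating or linking a tenancy unless a global role grants it.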
接下来,参考图10B描述可以被执行以用于将第一云环境1020中用户的租赁链接到第二云环境1070中用户的账户的过程。图10B中所描绘以及下文描述的过程是作为示例提供的,并且不意味着限制。在某些实施方式中,该过程可以有所不同。Next, a process that may be performed to link a user's lease in the first cloud environment 1020 to a user's account in the second cloud environment 1070 is described with reference to FIG. 10B . The process depicted in FIG. 10B and described below is provided as an example and is not meant to be limiting. In some implementations, the process may be different.
在步骤1,当用户(例如,图10B中的用户A)从(第二云环境中的)租赁1072向第一云环境发出请求在第一云环境中创建新的租赁并进一步请求将第一云环境中新创建的租赁链接到与该用户相关联的账户1072的调用(即,请求)时,可以发起该过程。可以认识到的是,用户A可以通过使用多云控制台(例如,图7中所描绘的控制台721)发起这种调用。该请求可以由第一云环境内的账户服务组件1021处理。在某些实施方式中,用户A可以通过调用由账户服务1021提供的API来发起调用。作为调用的一部分,用户A可以提供与第二云环境对应的用户的身份信息。这种身份信息可以是令牌的形式(例如,由第二云环境生成的承载令牌)。该令牌可以提供关于发出请求的用户的相关信息,诸如该用户在第二云环境的活动目录1073中的身份相关信息。该身份相关信息可以包括关于发出请求的用户在活动目录1073内的角色和组从属关系的信息。In step 1, the process may be initiated when a user (e.g., user A in FIG. 10B ) issues a call (i.e., a request) from a lease 1072 (in the second cloud environment) to the first cloud environment requesting the creation of a new lease in the first cloud environment and further requesting the linking of the newly created lease in the first cloud environment to an account 1072 associated with the user. It may be appreciated that user A may initiate such a call by using a multi-cloud console (e.g., console 721 depicted in FIG. 7 ). The request may be processed by an account service component 1021 within the first cloud environment. In some embodiments, user A may initiate the call by calling an API provided by the account service 1021. As part of the call, user A may provide identity information of a user corresponding to the second cloud environment. Such identity information may be in the form of a token (e.g., a bearer token generated by the second cloud environment). The token may provide relevant information about the user issuing the request, such as identity-related information of the user in the active directory 1073 of the second cloud environment. The identity-related information may include information about the roles and group affiliations of the user issuing the request within the active directory 1073.
响应于接收到请求,账户服务1021可以继续验证请求。在一些实施方式中,账户服务1021可以将该请求传输到被包括在第一云环境1020中的多云基础设施1050。具体而言,如前面参考图7所描述的,包括在多云基础设施1050中的权限模块1036可以验证请求。在请求中接收的令牌可以被用于验证用户。因而,与发出请求的用户(例如,用户A)相关联的身份被用于验证用户。作为验证的一部分,可以执行过程以核实用户A确实是客户的账户1072的成员或与该账户相关联的用户。另外,验证过程可以包括核实与用户相关联的一个或多个角色以确定用户是否具有足够的特权来发出与在第一云环境中创建新租赁有关的请求。In response to receiving the request, account service 1021 may proceed to verify the request. In some embodiments, account service 1021 may transmit the request to a multi-cloud infrastructure 1050 included in the first cloud environment 1020. Specifically, as described above with reference to FIG. 7, a permission module 1036 included in the multi-cloud infrastructure 1050 may verify the request. The token received in the request may be used to verify the user. Thus, the identity associated with the user making the request (e.g., user A) is used to verify the user. As part of the verification, a process may be performed to verify that user A is indeed a member of the customer's account 1072 or a user associated with the account. In addition, the verification process may include verifying one or more roles associated with the user to determine whether the user has sufficient privileges to issue a request related to creating a new lease in the first cloud environment.
一旦用户的核实成功,则在步骤3中,账户服务1021就继续在第一云环境1020中创建新的租赁/账户1022。租赁1022可以具有某些默认配置。例如,域1023与租赁1022相关联。与第二云环境上的活动目录1073类似,与第一云环境中的租赁相关联的域1023促进身份管理。域1023可以包括与租赁1022相关联的用户、组等。在某些实施方式中,在默认情况下,当创建账户/租赁1022时,域1023可以包括“管理员”组1024,该组包括用户,诸如图10B中所示的“用户1”。用户1的身份可以是为发出请求的用户(即,用户A)创建的。然而,如下面所讨论的,将用户在第一云基础设施中的租赁与用户在第二云基础设施中的账户相链接的原因之一是使用户能够利用第二云环境中用户的身份信息来使用第一云环境中的资源,使得用户不必记住或甚至知道在第一云环境侧创建的“用户1”身份。因而,用户A可以(使用与第二云环境相关的身份信息)访问多云控制台并触发在第一云环境中创建租赁的请求。Once the verification of the user is successful, in step 3, the account service 1021 proceeds to create a new lease/account 1022 in the first cloud environment 1020. The lease 1022 may have certain default configurations. For example, a domain 1023 is associated with the lease 1022. Similar to the active directory 1073 on the second cloud environment, the domain 1023 associated with the lease in the first cloud environment facilitates identity management. The domain 1023 may include users, groups, etc. associated with the lease 1022. In some embodiments, by default, when creating the account/lease 1022, the domain 1023 may include an "administrator" group 1024, which includes users, such as "User 1" shown in Figure 10B. The identity of User 1 may be created for the user who made the request (i.e., User A). However, as discussed below, one of the reasons for linking the user's lease in the first cloud infrastructure with the user's account in the second cloud infrastructure is to enable the user to use the resources in the first cloud environment using the user's identity information in the second cloud environment, so that the user does not have to remember or even know the "User 1" identity created on the first cloud environment side. Thus, user A can access the multi-cloud console (using identity information associated with the second cloud environment) and trigger a request to create a lease in the first cloud environment.
一旦已经在第一云环境中创建了租赁1022,就执行过程以将新创建的租赁1022与用户所关联的账户1072链接。在图10B中描绘的示例实施方式中,在步骤4,账户服务1021向被包括在多云基础设施1050中的云-链路适配器1030传输执行链接过程的请求。这种请求可以在其有效载荷中包括关于要链接的两个账户的信息、由第二云环境生成的令牌等。如下所述,作为链接相关过程的一部分,可以执行过程以使用户能够通过使用第二云环境中用户的登录/身份信息来访问由第一云环境提供的端点/API(例如,访问、使用和管理第一云环境中与用户相关联的租赁中的资源)。Once the lease 1022 has been created in the first cloud environment, a process is performed to link the newly created lease 1022 with the account 1072 associated with the user. In the example implementation depicted in FIG10B , at step 4, the account service 1021 transmits a request to perform a linking process to a cloud-link adapter 1030 included in the multi-cloud infrastructure 1050. Such a request may include in its payload information about the two accounts to be linked, a token generated by the second cloud environment, etc. As described below, as part of the linking-related process, a process may be performed to enable the user to access endpoints/APIs provided by the first cloud environment (e.g., to access, use, and manage resources in the lease associated with the user in the first cloud environment) by using the user's login/identity information in the second cloud environment.
由云-链路适配器1030执行的步骤5和步骤6与链接过程有关。在步骤5,云-链路适配器1030创建表示两个账户之间的链路的数据对象(即,链路-资源对象/或云-链路资源对象)1031。具体而言,如图10A中所示,链路-资源对象包括将第一云基础设施中的用户的租赁链接到用户在第二云基础设施中的账户的信息。链路-资源对象使用户能够利用由第一云环境提供的一个或多个服务。在一些实施方式中,将第一云环境中用户的租赁链接到第二云环境中用户的账户包括在链路-资源对象中存储与第一云环境中用户的租赁相关联的第一标识符到与第二云环境中用户的账户相关联的第二标识符的映射。在某些实施方式中,在步骤5中创建的云-链路资源对象1031被存储在与包括在第一云环境中的租赁1022相关联的隔间(例如,根隔间)中。Steps 5 and 6 performed by the cloud-link adapter 1030 are related to the linking process. In step 5, the cloud-link adapter 1030 creates a data object (i.e., a link-resource object/or a cloud-link resource object) 1031 representing a link between two accounts. Specifically, as shown in FIG. 10A , the link-resource object includes information linking a user's lease in the first cloud infrastructure to the user's account in the second cloud infrastructure. The link-resource object enables the user to utilize one or more services provided by the first cloud environment. In some embodiments, linking the lease of the user in the first cloud environment to the user's account in the second cloud environment includes storing in the link-resource object a mapping of a first identifier associated with the lease of the user in the first cloud environment to a second identifier associated with the user's account in the second cloud environment. In some embodiments, the cloud-link resource object 1031 created in step 5 is stored in a compartment (e.g., a root compartment) associated with the lease 1022 included in the first cloud environment.
In step 6, the cloud-link adapter 1030 creates a resource principal (also referred to herein as a cloud-link resource principal) 1032 associated with the cloud-link resource object 1031. When the user (from the second cloud environment) transmits a request to the multi-cloud infrastructure (e.g., via the multi-cloud console) to create/manage resources in the user's tenancy in the first cloud environment, the multi-cloud infrastructure uses the token included in the request to authenticate the user. Since the token is generated by the second cloud environment, it cannot be recognized by the services provided by the first cloud environment. Therefore, the cloud-link adapter 1030 creates a resource principal (which serves as a deputy, or effective identity, corresponding to the resource, and which is generated by the multi-cloud infrastructure included in the first cloud environment), and the downstream services of the first cloud environment use that resource principal to execute the request.
In order for the resource principal to enable downstream execution in a seamless manner, permissions are associated with the resource principal based on the user's credentials/token in the second cloud environment. Consent to establish the resource principal is provided by the user when the user issues a request to the multi-cloud infrastructure via the multi-cloud console. In addition, in some embodiments, the resource principal enables the first cloud environment 1020 to access the user's account in the second cloud environment. For example, the resource principal can be used to establish a federation between the two user accounts in the different cloud environments.
In addition, in step 7, as shown in FIG. 10B, a federation may be established between the user's accounts in the first cloud environment and the second cloud environment. As a result of the federation, users and groups associated with the active directory 1073 in the second cloud environment are synchronized to the tenancy 1022 included in the first cloud environment. For example, as shown in FIG. 10B, an administrator group 1025 is generated in the tenancy of the first cloud environment by copying the information included in the administrator group 1006 in the second cloud environment. In addition, policies may be created and associated with the synchronized group; these policies grant users of the group permission (e.g., full access) to access resources/services of the first cloud environment.
Referring to FIG. 10C, a flowchart illustrating an example process of using a cloud-link resource object when deploying resources according to certain embodiments is depicted. The process depicted in FIG. 10C and described below is provided as an example and is not meant to be limiting. In some embodiments, the process may differ. After the customer's account in the first cloud environment (e.g., tenancy 1022) has been successfully linked to the customer's tenancy/account in the second cloud environment (e.g., tenancy 1072), a user may initiate a process of creating, using, and managing resources provided by the first cloud environment. In some embodiments, the user may initiate a request to the multi-cloud console to create a resource in the tenancy associated with the user in the first cloud environment. Such a request is routed by the multi-cloud console to the multi-cloud infrastructure included in the first cloud environment. Alternatively, in some embodiments, the user may call or access one or more endpoints provided by the multi-cloud infrastructure. For example, user A may use a token generated in the second cloud environment to call an API provided by the multi-cloud infrastructure. User A may use a publicly accessible REST API to issue such an API call to a multi-cloud infrastructure endpoint.
As shown in FIG. 10C, user A initiates a call requesting that a resource be deployed in the tenancy associated with the user in the first cloud environment (step 1). Such a request can be routed from the multi-cloud console to the account service module 1021 included in the first cloud environment. As part of the request, user A can provide a token (generated by the second cloud environment) that identifies user A and/or any other relevant account, group, or customer information. In general, when a user calls an endpoint provided by the first cloud environment from the customer's account 1072 (in the second cloud environment) to perform an operation on a resource, the first cloud environment, before performing the requested operation, performs verification to: (a) check whether the user requesting the operation is the correct user associated with the customer's account 1072, and (b) check that the user is associated with a role that allows the user to perform the requested operation.
In step 2, after user A issues a request to create a new resource (e.g., a database resource), the account service 1021 forwards the request to the multi-cloud infrastructure 1050 to verify the request by checking whether user A is associated with a specific role on the second cloud environment side, where that role allows the user to create the requested resource. The verification process performed in step 2 of FIG. 10C is similar to the verification process performed in step 2 of FIG. 10B. For example, the permission module of the multi-cloud infrastructure 1050 checks whether the user is associated with an administrative role created under the multi-cloud application 1009 in the customer's tenancy 1072, and further checks that the administrative role allows creation of the resource. If the multi-cloud infrastructure determines that user A is associated with an administrative role in the active directory 1073 and that the role allows the creation of resources (e.g., a database), then the user is considered to have been successfully verified. It should be noted that, in the above verification process, in order for the multi-cloud infrastructure to obtain information about the role associated with a given token, the permission module included in the multi-cloud infrastructure can communicate with the active directory in the second cloud environment to obtain that information.
After successfully verifying the user, the proxy module included in the multi-cloud infrastructure can transmit the token (which is included in the request made via the multi-cloud console) to an adapter (e.g., the database adapter corresponding to the service requested by the user). The database adapter 1037 in turn queries the cloud-link adapter 1030 (in step 4) to obtain the mapping information for the user's accounts in the two cloud environments. The cloud-link adapter 1030 can then identify (based on the token) the appropriate tenancy 1022 associated with the token (e.g., customer identity, user identity, etc.). Therefore, an API call that includes the user's identity information relative to the second cloud environment (e.g., the token) and does not include any specific identity information related to the first cloud environment can be used to find the corresponding tenancy 1022 in the first cloud environment. After identifying the specific tenancy 1022 linked to the tenancy/account 1072 in the second cloud environment, the cloud-link adapter 1030 can also retrieve from the tenancy 1022 the cloud-link resource principal associated with the cloud-link resource object. The cloud-link adapter 1030 transmits the retrieved information back to the database adapter 1037.
In step 5, the database adapter 1037 transmits a request to the corresponding downstream service (e.g., DBaaS 1060) provided by the first cloud environment. The request concerns creating a resource (e.g., a database) in the tenancy associated with the user in the first cloud environment. It can be appreciated that the request includes the resource principal (obtained by the database adapter in step 4). The DBaaS service 1060 can then determine, based on the resource principal (i.e., based on the policy associated with the resource principal), whether to allow a database to be created for that user in the first cloud environment. It should be noted that, according to some embodiments, the same resource principal stored in the customer's tenancy 1022 in the first cloud environment can be used for all users associated with the customer's account 1072.
Additionally, in step 6, after the DBaaS service 1060 has successfully authorized the user, the DBaaS service 1060 proceeds to create the desired resource (e.g., a database) in the tenancy associated with the user in the first cloud environment. In some embodiments, after the resource has been deployed in the customer tenancy in the first cloud environment, the multi-cloud infrastructure provides the user in the second cloud environment with a web link corresponding to the created resource. For example, the web link may be displayed in an application executed by the user in the second cloud environment (in the subscription/account). In this manner, the user may directly (in the second cloud environment) monitor performance evaluation parameters (e.g., database usage metrics) associated with the resource deployed in the first cloud environment.
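The following Python model is an added illustration of the linking process (steps 5 and 6 of FIG. 10B) together with the deployment flow of FIG. 10C; it is not code from the patent or from any product the patent describes. The token table, role names, operation names, the `tenancy-1022`/`acct-1072` identifiers, and the console URL are all constructed assumptions. The point it makes explicit is the two-layer check the text describes: per-user authorization happens in the permission module against the second cloud's roles (step 2), while the downstream service only ever sees the account-scoped resource principal (steps 4 and 5), which is shared by every user of that account.

```python
from dataclasses import dataclass

# Constructed stand-in for the second cloud's identity system (the active
# directory 1073 in the text): token -> claims. A real permission module would
# validate a signed token and query the directory rather than read a dictionary.
SECOND_CLOUD_TOKENS = {
    "tok-user-a": {"sub": "user-a", "account": "acct-1072", "roles": ["mc-admin"]},
    "tok-user-b": {"sub": "user-b", "account": "acct-1072", "roles": ["mc-reader"]},
    "tok-user-c": {"sub": "user-c", "account": "acct-9999", "roles": ["mc-admin"]},
}

# Constructed roles created under the multi-cloud application -> permitted operations
ROLE_PERMISSIONS = {
    "mc-admin": {"create:database", "read:database"},
    "mc-reader": {"read:database"},
}


@dataclass(frozen=True)
class ResourcePrincipal:
    """Deputy identity that the first cloud's downstream services understand."""
    principal_id: str
    tenancy_id: str
    policies: frozenset  # operations the first-cloud policy grants this principal


@dataclass(frozen=True)
class CloudLinkResource:
    """Link-resource object: first-cloud tenancy id <-> second-cloud account id."""
    first_cloud_tenancy_id: str
    second_cloud_account_id: str
    compartment_id: str  # where the object is stored (root compartment here)
    resource_principal: ResourcePrincipal


class CloudLinkAdapter:
    def __init__(self):
        self._by_account = {}  # second-cloud account id -> CloudLinkResource

    def create_link(self, tenancy_id, account_id, granted_ops):
        # Step 5: create the link object; step 6: create its resource principal.
        rp = ResourcePrincipal(f"rp-{tenancy_id}", tenancy_id, frozenset(granted_ops))
        link = CloudLinkResource(tenancy_id, account_id, f"{tenancy_id}/root", rp)
        self._by_account[account_id] = link
        return link

    def lookup(self, account_id):
        # Lookup keyed only on second-cloud identity; no first-cloud id is needed.
        return self._by_account.get(account_id)


class PermissionModule:
    def verify(self, token, operation):
        claims = SECOND_CLOUD_TOKENS.get(token)
        if claims is None:
            raise PermissionError("token not recognised by the second cloud")
        allowed = set()
        for role in claims["roles"]:
            allowed |= ROLE_PERMISSIONS.get(role, set())
        if operation not in allowed:
            raise PermissionError(f"{claims['sub']} has no role permitting {operation}")
        return claims


class DbaasService:
    def __init__(self):
        self.created = []

    def create_database(self, principal, tenancy_id, name):
        # Downstream service authorizes the resource principal, not the user.
        if principal.tenancy_id != tenancy_id or "create:database" not in principal.policies:
            raise PermissionError("resource principal policy denies create")
        self.created.append((tenancy_id, name))
        return f"https://console.example.invalid/{tenancy_id}/databases/{name}"


def deploy_database(token, name, perm, adapter, dbaas):
    claims = perm.verify(token, "create:database")  # step 2: role check at second cloud
    link = adapter.lookup(claims["account"])        # step 4: token -> tenancy mapping
    if link is None:
        raise LookupError(f"no cloud-link for account {claims['account']}")
    # steps 5-6: downstream call carries the resource principal as the deputy identity
    return dbaas.create_database(link.resource_principal, link.first_cloud_tenancy_id, name)


def run_scenario():
    adapter, perm, dbaas = CloudLinkAdapter(), PermissionModule(), DbaasService()
    adapter.create_link("tenancy-1022", "acct-1072", {"create:database", "read:database"})
    outcomes = {}
    for token in ("tok-user-a", "tok-user-b", "tok-user-c", "tok-forged"):
        try:
            outcomes[token] = deploy_database(token, "orders", perm, adapter, dbaas)
        except (PermissionError, LookupError) as exc:
            outcomes[token] = type(exc).__name__
    return outcomes, dbaas.created
```

In the scenario, user A (admin role, linked account) gets a database and the web link of step 6; user B shares the same account and therefore the same resource principal, but is stopped at step 2 because the reader role does not permit the create operation; user C presents a valid token for an account that was never linked and fails the step 4 lookup; an unknown token is rejected before any lookup. Only one database is ever created.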
Therefore, embodiments of the present disclosure provide a process for connecting two cloud environments using a cloud-link resource object, so that users of a first cloud can use services from a second cloud from within the user interface of the first cloud. Users can authenticate to the first cloud and then access the services of the second cloud without separately authenticating or providing identity information at the second cloud. Moreover, the user's access level and permissions at the first cloud (e.g., administrator level versus reader level) can be effectively translated into downstream access permissions at the second cloud (e.g., via the cloud-link resource principal). The cloud-link data object, which stores the metadata linking the two cloud accounts (and details the user's access level), can be used to automatically allow the user to access the second cloud and the permitted second-cloud resources without the user providing further authentication or identity information. In addition, embodiments provide a framework for establishing a tenancy or account for the user at the second cloud without the user directly establishing the account or setting up a second set of credentials. In other words, a second account can be created automatically on behalf of the user (at the second cloud) without the user's participation.
Multi-Cloud Control Plane (MCCP) - Observability
As described above with reference to FIG. 7, the architecture of the multi-cloud control plane 700 enables customers of an external cloud environment (provided by an external cloud service provider) to deploy resources (e.g., database resources), execute services, etc. in the first cloud environment by utilizing the multi-cloud infrastructure (included in the first cloud environment) and the multi-cloud console 721. As described with reference to FIGS. 10A-10C, in order for customers of the second cloud environment to use the services provided by the first cloud environment, the customer's tenancy in the first cloud environment is linked to the customer's account/subscription in the second cloud environment. In other words, a cloud-link resource object is created that stores metadata information identifying the customer's two tenancies in the different linked cloud environments. For example, the cloud-link resource object stores metadata information that includes a mapping between a first identifier associated with the tenancy (i.e., account) created in the first cloud infrastructure and a second identifier associated with the user's account at the second cloud service provider. In addition, the cloud-link adapter (722D of FIG. 7) creates a resource principal (referred to herein as a cloud-link resource principal) for the resources that the user of the second cloud infrastructure wants to use.
According to some embodiments, the observability framework enables observability data associated with resources created in the first cloud environment to be transmitted (e.g., via a high-bandwidth network link) to the second cloud environment. It can be appreciated that such observability data needs to be transmitted to the second cloud environment so that customers can manage and control (e.g., troubleshoot), from within the second cloud environment, the customer resources deployed in the first cloud environment. The resources deployed in the first cloud environment can correspond to a type of database, such as an Exa database, a shared autonomous database, a dedicated autonomous database, or a virtual machine database.
It should be noted that the observability data may include one or more metrics associated with the execution of the resource (e.g., an average processor utilization associated with the type of database, an average execution count associated with the type of database, or an average transaction count associated with the type of database). In addition, the observability data may include audit logs or one or more events occurring in the data plane of the first cloud environment. The one or more events may include a failover of a resource associated with the service, deployment of a backup resource in the first cloud environment, or a critical event associated with the capacity of the resource.
Below, a detailed description is provided of the observability framework, which enables observability data related to resources to be exported from the first cloud environment to the second cloud environment. At a high level, and according to some embodiments, the export of observability data involves the following three-step provisioning process:
Step 1 (one-time setup, during the service build): This step involves configuring a function (referred to herein as the "metrics-function processor" or "metric processor") for publishing observability data to the monitoring service of the second cloud environment. This function is used as the destination of all service connector hubs (SCHs) for exporting observability data. An SCH is defined herein as a service of the first cloud environment that enables data to be moved/transported between services.
Step 2 (cloud-link setup, during creation of the cloud-link that associates the customer's subscription/account in the second cloud environment with the customer's tenancy in the first cloud environment): When the customer creates a cloud-link, (a) a resource principal is created as part of creating the cloud-link resource object for the customer of the second cloud environment; (b) the cloud-link adapter obtains the customer's consent and configures the resource principal with the roles necessary to manage resources, including roles for managing network resources, publishing metrics, and creating application insights; and (c) the cloud-link adapter persists the customer-specific credentials (i.e., the cloud-link resource object, the resource principal, etc.) in the customer vault included in the customer's tenancy in the first cloud environment.
Step 3 (observability setup, during creation of a multi-cloud resource such as a database): After the customer creates a multi-cloud database instance, the database adapter performs two functions: (1) it provisions metrics for the database, which are emitted into the monitoring service of the first cloud environment (i.e., it causes metrics from the database to be generated into that monitoring service), and (2) it invokes the multi-cloud platform control plane, which creates an observability instance data object (also referred to herein as an instance-observability resource or observability configuration) comprising a plurality of properties. In some embodiments, the observability instance data object may include the following properties: a first identifier of the resource deployed in the first cloud environment, a compartment identifier of the first customer tenancy hosting the resource, a second identifier of the second customer tenancy in the second cloud environment, and the cloud-link object associated with the resource, the cloud-link object including information linking the first customer tenancy in the first cloud environment to the second customer tenancy in the second cloud environment. As described below with reference to FIG. 11, the instance-observability resource sets up all components required to export observability data.
FIG. 11 depicts an exemplary observability framework for exporting observability data according to some embodiments. For illustration, the observability framework in FIG. 11 is described with reference to a first cloud environment 1101 that provides one or more services to customers of a second cloud environment 1102. In such a setting, the observability framework enables observability data (corresponding to resources deployed in the first cloud environment) to be transported to the second cloud environment.
As shown in FIG. 11, the observability framework included in the first cloud environment 1101 includes a database adapter 1103, a multi-cloud service control plane 1109, a service connector hub 1113, and a customer tenancy 1111. In some embodiments, a customer 1105 of the second cloud environment 1102 issues a request to the multi-cloud console 1110 to create a resource (e.g., a database resource). As described above with reference to FIG. 7, such a request is ultimately processed by the database adapter 1103, which (via a downstream service of the first cloud environment) deploys a database instance 1107 in the customer's tenancy in the first cloud environment.
In response to the database instance 1107 being deployed in the customer tenancy, the database adapter 1103 transmits a request to the multi-cloud service control plane 1109. The request corresponds to creating an observability configuration for the database instance 1107. In response to receiving the request from the database adapter 1103, the multi-cloud service control plane 1109 sets up a workflow that configures multiple components of the observability framework (e.g., the service connector hub 1113). In other words, a workflow is initiated to collect observability data associated with the execution of a service (e.g., the database instance) in the first cloud environment 1101 for the customer of the second cloud environment 1102.
In some embodiments, the multi-cloud service control plane 1109 initiates a workflow that creates a service connector hub 1113 to be associated with the resource (e.g., the database instance). Additionally, the multi-cloud service control plane 1109 creates an access policy to be associated with the customer tenancy 1111 in the first cloud environment. The access policy enables the service connector hub 1113 deployed in the first cloud environment 1101 to retrieve the observability data corresponding to the resource associated with the service. It should be noted that the service provided by the first cloud environment may correspond to a database service, and execution of the service may correspond to instantiating a type of database in the tenancy of the customer 1111 in the first cloud environment 1101. Furthermore, in some embodiments, the multi-cloud service control plane 1109 instantiates a unique SCH (in the database adapter's tenancy) for each multi-cloud resource deployed in the first cloud environment. The SCH is the component configured to collect/read the metric information of that resource and transmit the collected information to the second cloud environment 1102.
The workflow initiated by the multi-cloud service control plane 1109 further instantiates a resource group 1117 in the customer tenancy 1115 of the second cloud environment 1102. It can be appreciated that the resource group 1117 is instantiated per resource instance in the second cloud environment and includes a plurality of resources, each of which is configured to persist at least some portion of the observability data. For example, the resource group 1117 includes the following components: (i) an analytics workspace 1121, configured to store the generated data plane events as logs so that they are searchable, e.g., "database automatic backup started" or "autonomous database - critical" events; (ii) an application insights component 1123, configured to store all metric-related information generated by the resource instance; and (iii) an event grid component 1125, configured to publish all generated data plane events so that the customer of the second cloud environment can trigger automation.
In this manner, an observability framework is established to collect, in the first cloud environment, observability data associated with the execution of a service in the first cloud environment for a customer of the second cloud environment, and to transmit the observability data collected from the first cloud environment to the second cloud environment (e.g., via a high-bandwidth network link), so that users associated with the customer of the second cloud environment can access that observability data via the second cloud environment.
FIG. 12 depicts a flowchart illustrating a process performed when exporting observability data according to certain embodiments. The process depicted in FIG. 12 may be implemented in software (e.g., code, instructions, a program) executed by one or more processing units (e.g., processors, cores) of the respective system, in hardware, or in a combination thereof. The software may be stored on a non-transitory storage medium (e.g., on a memory device). The method presented in FIG. 12 and described below is intended to be illustrative and non-limiting. Although FIG. 12 depicts various processing steps occurring in a particular sequence or order, this is not intended to be limiting. In certain alternative embodiments, the steps may be performed in some different order, or some steps may be performed in parallel.
The process begins at step 1205, where a service is executed in the first cloud environment for a customer of the second cloud environment. At step 1210, the process collects observability data associated with the execution of the service in the first cloud environment. For example, as described above with reference to FIG. 11, the SCH component 1113 of FIG. 11 associated with the resource instance can be configured to collect the observability data. It can be appreciated that the observability data can include one or more metrics associated with the execution of the service.
Thereafter, the process moves to step 1215, where the observability data collected from the first cloud environment is transmitted to the second cloud environment (e.g., to the resource group previously created in the second cloud environment for the resource deployed in the first cloud environment). Transmitting the observability data from the first cloud environment to the second cloud environment enables users associated with the customer of the second cloud environment to access the observability data in the second cloud environment.
Turning now to FIG. 13, a swim-lane diagram illustrating an ongoing process for exporting observability data (e.g., metrics) according to some embodiments is depicted. The swim-lane diagram depicts the interactions between a service connector hub 1301, a metric processor 1303, a multi-cloud service control plane 1305, a data repository 1307 of the multi-cloud infrastructure, a first cloud environment 1309, an identity system 1311 of the second cloud environment, and a monitoring service 1313 of the second cloud environment. According to some embodiments, the metric processor 1303 is a component of the observability framework that maps metrics (associated with resources deployed in the first cloud environment) to metrics of the second cloud environment. The metric processor 1303 is a serverless component that is deployed on each adapter included in the adapter pool (e.g., adapter pool 722E of FIG. 7). The metric processor 1303 is further configured to retrieve the appropriate observability data (based on the customer's credentials) and publish the retrieved data to the appropriate destination (e.g., to the appropriate resource group instantiated per resource).
The process depicted in FIG. 13 begins at step 1, where the service connector hub 1301 triggers a call to the metric processor 1303. The metric processor 1303 in turn performs a grouping process (in step 2), in which it groups all resources (e.g., databases) based on the identifier associated with each database. Additionally, in step 3, the metric processor 1303 transmits (for each resource) a request to the multi-cloud service control plane 1305 to obtain the observability instance data object corresponding to that resource. It should be noted that this request corresponds to a check, performed by the metric processor 1303, of whether the resource is a multi-cloud resource.
In step 4, the multi-cloud service control plane 1305 retrieves, for each resource identifier, the corresponding observability instance (OI) data object stored in the data repository 1307 of the multi-cloud infrastructure. In step 6, after obtaining the OI data object for each identifier in step 5, the multi-cloud service control plane 1305 forwards the retrieved information (of step 5) to the metric processor 1303. After verifying (based on the resource's observability instance data object) that a particular resource is a multi-cloud resource, the metric processor, in step 7, transmits a request to the multi-cloud service control plane 1305 to obtain a token that can be used in the second cloud environment.
In turn, the multi-cloud service control plane 1305 (in steps 8 and 9) obtains a cloud-link resource principal that is associated with the resource and stored, for example, in the root compartment of the customer's tenancy in the first cloud environment. After obtaining the resource principal, the multi-cloud service control plane 1305 transmits a request to the identity system 1311 of the second cloud environment to obtain a token (e.g., an identity token) that can be used in the second cloud environment. Note that the identity token can be used to publish metric information (obtained from the first cloud environment) to a resource group included in the second cloud environment. As shown in FIG. 13, the identity token is obtained by the multi-cloud service control plane 1305 in step 11 and further forwarded to the metric processor 1305 in step 12.
In some embodiments, the metric processor performs a filtering operation in step 13. Specifically, the filtering operation filters the information so that only information obtained from multi-cloud resources is retained. In doing so, the metric processor 1303 ensures that information about out-of-band databases (i.e., non-multi-cloud resources) is prevented from leaking to the second cloud environment. In step 14, after performing the filtering operation, the metric processor publishes/transmits the metric information, related to each resource deployed in the first cloud environment, that is to be migrated to the second cloud environment. After completing steps 1-14 shown in FIG. 13, the process is repeated iteratively to perform a continuous process of exporting one or more items of metric information.
Furthermore, note that the process can be repeated after a fixed time interval, for example, once every few minutes. Moreover, it can be appreciated that the observability framework depicted in FIG. 12 and the continuous process for exporting metric-related observability data can also be used to export data-plane-event-related data from the first cloud environment to the second cloud environment. For example, one or more management rules can be created in the customer tenancy in the first cloud environment to collect and publish events to an event grid component (e.g., component 1125 of FIG. 11) included in a resource group in the second cloud environment. The one or more events can include events such as a failover of a resource associated with the service, the deployment of a backup resource in the first cloud environment, critical events associated with the capacity of a resource (e.g., a database is full), and the like.
FIG. 14 illustrates another exemplary observability framework for exporting audit log information according to some embodiments. Customers interact with the multi-cloud console to perform control plane operations on their multi-cloud resources. For example, a customer can perform operations such as creating a database, listing existing databases, or deleting a database. Such operations generate audit logs. In some embodiments, the audit logs are made available to the customer both as events and as searchable logs. The observability framework depicted in FIG. 14 enables audit log information to be exported to the customer's cloud environment. For illustration, FIG. 14 is described with reference to a first cloud environment 1101 that provides one or more services to customers of a second cloud environment 1102. In such a setting, the observability framework of FIG. 14 enables observability data (e.g., audit log information corresponding to operations performed by the customer on resources deployed in the first cloud environment) to be transmitted to the second cloud environment.
As shown in FIG. 14, the observability framework included in the first cloud environment 1401 includes a cloud-link adapter 1403, a multi-cloud service control plane 1409, an event control plane 1413, and a customer tenancy 1411. In some embodiments, a customer 1405 of the second cloud environment 1402 issues a request to the multi-cloud console 1410 to create a resource (e.g., a database resource). As described above with reference to FIG. 7, before the resource is deployed, a cloud-link object (i.e., a link-resource object) is created by the cloud-link adapter 1403. The link-resource object includes information linking the user's tenancy in the first cloud environment to the user's account in the second cloud environment. The link-resource object enables the customer to utilize the services provided by the first cloud infrastructure.
In response to the cloud-link adapter 1403 establishing the link between the customer's tenancy in the first cloud environment and the customer's account in the second cloud environment, the cloud-link adapter 1403 transmits to the multi-cloud service control plane 1409 a request to initiate a workflow for exporting audit log information to the second cloud environment. The multi-cloud service control plane 1409 sets up a workflow that configures multiple components of the observability framework (e.g., the event control plane 1413). In some embodiments, the multi-cloud service control plane 1109 initiates a workflow that creates event management rules in the event control plane 1413, where the management rules correspond to the types of events to be captured in the first cloud environment. Note that the managed rules for such events are instantiated in the tenancy of the cloud-link adapter 1403.
In addition, the multi-cloud service control plane 1109 creates one or more access policies that are associated with the customer tenancy 1411 in the first cloud environment. The access policies enable the multi-cloud service to process events (associated with the customer) according to the managed rules. In this way, audit log information (related to the customer) is captured in the first cloud environment.
The workflow initiated by the multi-cloud service control plane 1409 further instantiates a resource group 1417 in the customer tenancy 1415 of the second cloud environment 1402. It can be appreciated that the resource group 1417 is instantiated in the second cloud environment per cloud-link instance (e.g., per customer). The resource group 1417 includes the following components: (i) an analytics workspace 1421 configured to store the generated data plane events as logs so that they are searchable, for example "database automatic backup started" or "autonomous database - critical" events, and (ii) an event grid component 1125 configured to publish all generated data plane events so that customers of the second cloud environment can trigger automation. In this way, the observability framework is set up to collect audit log information associated with the customer in the first cloud environment and to further transmit the audit log information collected from the first cloud environment to the second cloud environment (e.g., via a high-bandwidth network link). By doing so, users associated with the customer of the second cloud environment are enabled to access the observability data (e.g., audit log information) in the second cloud environment.
FIG. 15 depicts a swim lane diagram illustrating a continuous process for exporting audit log information according to some embodiments. The swim lane diagram depicts the interactions between a service connector hub 1501, a metric processor 1503, a multi-cloud service control plane 1505, a data repository 1507 of the multi-cloud infrastructure, an analytics workspace 1509 in the second cloud environment, an event grid resource 1511 in the second cloud environment, and a retry flow 1513.
The process depicted in FIG. 15 begins in step 1, in which the service connector hub (SCH) 1501 triggers an invocation of the metric processor 1503. The metric processor 1503 in turn performs a grouping process (in step 2), in which it groups customers based on the identifier of the cloud-link associated with each customer. Additionally, in step 3, the metric processor 1503 transmits (for each resource of each customer) a request to the multi-cloud service control plane 1505 to obtain the observability instance data object corresponding to that resource. Note that this request corresponds to a check performed by the metric processor 1503 to determine whether the resource is a multi-cloud resource.
In step 4, the multi-cloud service control plane 1505 retrieves, for each resource identifier, the corresponding observability instance (OI) data object, which is stored in the data repository 1507 of the multi-cloud infrastructure. In step 6, after obtaining the OI data object for each identifier in step 5, the multi-cloud service control plane 1505 forwards the retrieved information (of step 5) to the metric processor 1503. After verifying (based on the resource's observability instance data object) that a particular resource is a multi-cloud resource, the metric processor 1503 in step 7 transmits to the multi-cloud service control plane 1305 a request to obtain a key that can be used in the second cloud environment.
In turn, the multi-cloud service control plane 1505 (in steps 8 and 9) obtains the key from the analytics workspace 1509 in the second cloud environment. After obtaining the key, the multi-cloud service control plane 1505 forwards the key (which can be used in the second cloud environment) to the metric processor 1503 (step 10). In some embodiments, the metric processor performs a filtering operation in step 11. Specifically, the filtering operation filters out non-multi-cloud events. In doing so, the metric processor 1503 ensures that out-of-band events (i.e., events related to non-multi-cloud resources) are prevented from leaking to the second cloud environment. In step 12, after performing the filtering operation, the metric processor 1503 publishes/transmits the events that occurred in the first cloud environment to the second cloud environment. In step 13, the metric processor 1503 transmits a request to the retry flow 1513 to retry the transmission of any events that could not be delivered to the second cloud environment. After completing steps 1-13 as depicted in FIG. 15, the process is repeated iteratively to perform a continuous process of exporting audit information. Furthermore, note that the process can be repeated after a fixed time interval, for example, once every few tens of minutes.
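The export steps of the FIG. 13 (metrics) and FIG. 15 (audit events) swim lanes, written out as an added illustrative example that is not code from the patent: resources are grouped by identifier, each is checked against its observability instance (OI) data object, anything without one (an out-of-band database) is withheld so it cannot leak to the second cloud, the remainder is published with a token obtained via the cloud-link resource principal, and failed deliveries go through a retry flow. The control plane, OI repository, token issuance and second-cloud sink are constructed in-memory stand-ins, and all class, function and field names are hypothetical.

```python
"""Export step of the FIG. 13 / FIG. 15 swim lanes (illustrative, in-memory)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ObservabilityInstance:
    """OI data object: the control plane's record that a resource is multi-cloud."""
    resource_id: str
    cloud_link_id: str
    resource_group: str  # destination resource group in the second cloud


@dataclass
class ExportResult:
    published: list = field(default_factory=list)  # (destination, payload)
    retried: list = field(default_factory=list)    # (destination, token, payload)
    dropped: list = field(default_factory=list)    # resource ids withheld by the filter


class ControlPlane:
    """Stand-in for the multi-cloud service control plane (steps 3-12)."""

    def __init__(self, repository, principals):
        self._repo = repository          # resource_id -> ObservabilityInstance
        self._principals = principals    # cloud_link_id -> resource principal name

    def get_observability_instance(self, resource_id):
        # Steps 4-6: no OI object means the resource is not a multi-cloud resource.
        return self._repo.get(resource_id)

    def get_second_cloud_token(self, cloud_link_id):
        # Steps 8-12: resolve the cloud-link resource principal, then obtain a token.
        principal = self._principals[cloud_link_id]
        return f"token({principal})"  # constructed placeholder, not a real token


class FlakySink:
    """Second-cloud destination that fails the first delivery for chosen resources."""

    def __init__(self, fail_once):
        self.fail_once = set(fail_once)
        self.received = []  # (destination, payload) actually accepted

    def publish(self, destination, token, payload):
        if not token.startswith("token("):
            return False  # writes without a valid token are refused
        if payload["resource_id"] in self.fail_once:
            self.fail_once.discard(payload["resource_id"])
            return False  # transient failure, to be retried
        self.received.append((destination, payload))
        return True


def export_batch(samples, control_plane, publish):
    """Steps 2, 3, 7 and 13-14: group, check the OI object, filter, publish."""
    result = ExportResult()
    groups = defaultdict(list)
    for sample in samples:  # step 2: group by resource identifier
        groups[sample["resource_id"]].append(sample)
    for resource_id, batch in groups.items():
        oi = control_plane.get_observability_instance(resource_id)  # step 3
        if oi is None:
            # Filter step: an out-of-band database has no OI object, so
            # nothing about it leaves the first cloud environment.
            result.dropped.append(resource_id)
            continue
        token = control_plane.get_second_cloud_token(oi.cloud_link_id)  # step 7
        for sample in batch:
            payload = {"resource_id": resource_id, "name": sample["name"], "value": sample["value"]}
            if publish(oi.resource_group, token, payload):
                result.published.append((oi.resource_group, payload))
            else:
                result.retried.append((oi.resource_group, token, payload))
    return result


def retry_flow(result, publish):
    """FIG. 15 step 13: re-deliver what failed; anything still failing stays queued."""
    pending, result.retried = result.retried, []
    for destination, token, payload in pending:
        if publish(destination, token, payload):
            result.published.append((destination, payload))
        else:
            result.retried.append((destination, token, payload))
    return result


def run_demo():
    """Constructed data: db-1 and db-2 are multi-cloud, db-3 is out-of-band."""
    repository = {
        "db-1": ObservabilityInstance("db-1", "link-A", "rg-customer-a"),
        "db-2": ObservabilityInstance("db-2", "link-A", "rg-customer-a"),
    }
    control_plane = ControlPlane(repository, {"link-A": "cloudlink-principal-A"})
    sink = FlakySink(fail_once={"db-2"})
    samples = [
        {"resource_id": "db-1", "name": "cpu_pct", "value": 80},
        {"resource_id": "db-3", "name": "cpu_pct", "value": 10},
        {"resource_id": "db-2", "name": "storage_pct", "value": 70},
        {"resource_id": "db-1", "name": "storage_pct", "value": 55},
    ]
    result = export_batch(samples, control_plane, sink.publish)
    first_pass = (len(result.published), len(result.retried))
    retry_flow(result, sink.publish)
    return result, sink, first_pass
```

Running `run_demo()` shows two metrics delivered on the first pass, the db-2 sample queued and delivered by the retry flow, and no db-3 data reaching the sink at any point.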
Graphical User Interface
As described above with reference to FIG. 7, the multi-cloud console 721 provides a gateway for users of an external cloud environment (e.g., the second cloud environment 710) to communicate with the multi-cloud infrastructure 720B included in the first cloud environment 720. Via the console 721, users of the second cloud environment 710 can instantiate resources (e.g., databases) in a customer tenancy of the first cloud environment. A description of the different graphical user interfaces generated for the multi-cloud console is provided next.
The multi-cloud infrastructure 720B provides users of the second cloud environment 710 with one or more services offered by the first cloud infrastructure (of the first cloud environment). According to some embodiments, a multi-cloud console designed specifically for users of the second cloud environment is generated for communicating with the first cloud environment. Accordingly, the goal in generating/designing graphical user interfaces for the multi-cloud console 721 is that they should provide users of the second cloud environment with a look and feel similar to that of the native graphical user interfaces provided by the second cloud environment. Furthermore, it can be appreciated that the multi-cloud infrastructure of FIG. 7 can generate and provide a set of one or more graphical user interfaces for each of multiple external cloud environments (e.g., the second cloud environment) provided by multiple external cloud service providers (e.g., the second cloud service provider). The set of one or more graphical user interfaces for an external cloud environment among the multiple external cloud environments is generated based on the native graphical user interfaces provided by that external cloud environment. In addition, upon receiving a request from a particular external cloud environment, the multi-cloud infrastructure can be configured to provide the one or more graphical user interfaces generated specifically for that external cloud environment.
In order to generate graphical user interfaces for the multi-cloud console that provide a look and feel similar to that of the native graphical user interfaces (i.e., the interfaces provided by the external cloud provider), the multi-cloud infrastructure obtains the design rules of the native graphical user interfaces. These design rules may include information about the layout of a native graphical user interface, the font size of textual information included in it, and/or its background color, among other things. It can be appreciated that the multi-cloud infrastructure can obtain the design rules associated with the native graphical user interfaces of an external cloud service provider in a variety of ways.
For example, one way of obtaining the design rules corresponds to a visual analysis technique, in which an administrator of the first cloud environment visually analyzes one or more native graphical user interfaces of the external cloud environment to derive information about the design rules of the native graphical user interface(s). Alternatively, in some embodiments, the first cloud environment may utilize a machine learning model to automatically derive information about the design rules of the native graphical user interface(s) of the external cloud environment. For example, machine learning vision techniques or automated tools (such as web crawlers) may be utilized to automatically identify (and extract) the GUI elements associated with the native graphical user interfaces of the external cloud environment. The extracted design rule information may be used by the multi-cloud infrastructure of the first cloud environment to generate one or more graphical user interfaces specifically for users of the external cloud environment (e.g., provided on the console generated for the external cloud environment). Next, with reference to FIGS. 16A-16L, a detailed description is provided of a set of one or more graphical user interfaces generated for a particular external cloud environment, for example, for provision on a multi-cloud console designed for that particular external cloud environment.
FIG. 16A depicts an exemplary graphical user interface generated for an external cloud environment provided by an external cloud service provider. Notably, a set of one or more graphical user interfaces can be generated for the external cloud environment, and the graphical user interface depicted in FIG. 16A is the first graphical user interface of that set. As described previously, the first graphical user interface is generated based on one or more design rules associated with the native graphical user interfaces of the external cloud environment. This is done so that the visual presentation of the first graphical user interface resembles the visual presentation of the native graphical user interfaces associated with the external cloud environment. Users of the external cloud environment are thereby given a familiar (GUI) experience.
As shown in FIG. 16A, the first graphical user interface 1600 includes a name label 1610, "Services for the first external cloud environment". A user can log into the multi-cloud console (associated with the first external cloud environment) using his/her credentials. Such credentials 1605 may be displayed at a predetermined location on the first graphical user interface. It can be appreciated that the user's credential information is associated with the first external cloud environment. Additionally, as shown in FIG. 16A, the first graphical user interface includes a first plurality of resource creation icons 1607, each corresponding to a particular service provided by the first cloud environment. The service offerings include options to create resources such as autonomous databases, Exadata databases, and the like.
The first graphical user interface also includes a second plurality of navigation icons 1609, each corresponding to a function associated with managing resources. The navigation icons include: (i) a deployments icon, providing a list of resources that are in the process of being deployed, (ii) a billing icon, associated with functions for managing billing-related matters of the user's account, (iii) a subscription management icon, associated with providing the user a means of managing his/her account, and (iv) a support icon, providing the user a means of submitting support tickets. In addition, the graphical user interface 1600 includes one or more web links 1608 related to the plurality of services provided by the first cloud environment.
FIG. 16B depicts an exemplary graphical user interface related to the user's autonomous database resource(s). Upon clicking the "Autonomous Database" icon (included in the plurality of services 1607 of FIG. 16A), the user is presented with the graphical user interface depicted in FIG. 16B. As shown in FIG. 16B, the sub-name label 1621 of the graphical user interface 1620 reads "Autonomous Database". In this graphical user interface, the user is provided with a plurality of options 1622 for creating an autonomous database, refreshing the displayed list of autonomous database(s) associated with the user, deleting a database, and a search bar for finding a particular database. In addition, as shown in FIG. 16B, the graphical user interface lists all autonomous databases 1625 associated with the user. Metadata associated with each database may also be displayed. It can be appreciated that the metadata may include information about the name of the database, the user's subscription, the resource group to which the resource belongs, the location of the resource, and the current state of the resource.
FIG. 16C depicts an exemplary graphical user interface related to creating autonomous database resource(s) for the user. Upon clicking the "Create" icon (included in the options 1622 of FIG. 16B), the user may be presented with the graphical user interface of FIG. 16C. As shown in FIG. 16C, the create-autonomous-database graphical user interface 1630 includes a plurality of tabs 1631, including "Basics", "Configuration", "Networking", "Security", "Tags", and "Review + Create". Note that these tabs are associated with constructs of the database. The graphical user interface 1630 also includes a project details section 1632 that provides details related to both constructs 1632A associated with the first external cloud environment and constructs 1632B associated with the first cloud environment hosting the multi-cloud infrastructure. According to some embodiments, the control plane of the multi-cloud infrastructure queries both the control plane of the first external cloud environment and the control plane of the first cloud environment (e.g., concurrently) to provide information related to the constructs 1632A of the first external cloud environment (such as a subscription ID, a resource group ID, etc.) and information related to the constructs 1632B of the first cloud environment (such as the user's name, the region of deployment, etc.).
Turning to FIG. 16D, a graphical user interface 1635 illustrating the configuration of a resource (e.g., an autonomous database) according to some embodiments is depicted. The graphical user interface 1635 includes a title or name 1637 of the graphical user interface 1635. It can be appreciated that upon clicking the "Configuration" tab (included in the options 1631 of FIG. 16C), the user is presented with the graphical user interface 1635 depicted in FIG. 16D. As shown in FIG. 16D, the configuration screen captures information about the type of workload, the CPU count, the database version, the name of the database (i.e., database-related parameters), the storage capacity of the database, and other metadata related to the resource being created. FIG. 16E depicts another graphical user interface 1638 illustrating networking information of an autonomous database according to some embodiments. Upon clicking the "Networking" tab (included in the options 1631 of FIG. 16C), the user is presented with the graphical user interface depicted in FIG. 16E. In addition, by pressing the "Next" icon at the bottom of the graphical user interface of FIG. 16D, the user can be directed to the graphical user interface 1638 of FIG. 16E. As shown in FIG. 16E, the networking-related parameters of the database may include options for accessing the database, for example, secure access from anywhere (i.e., a DB endpoint facing the public Internet) or secure access from allowed IP addresses (e.g., a public DB endpoint that may restrict certain IP addresses). The networking-related information also includes an option requiring clients to authenticate before accessing the database (e.g., an icon for selecting the option that requires authentication).
FIG. 16F depicts a graphical user interface 1641 illustrating security-related information of an autonomous database according to some embodiments. Upon clicking the "Security" tab (included in the options 1631 of FIG. 16C), the user is presented with the graphical user interface 1641 depicted in FIG. 16F. In addition, by pressing the "Next" icon at the bottom of the graphical user interface of FIG. 16E, the user can be directed to the graphical user interface of FIG. 16F. The graphical user interface depicted in FIG. 16F includes login credentials 1642, e.g., username and password boxes, for the user to enter the login information required to access the resource. FIG. 16G depicts another graphical user interface 1645 illustrating tag information associated with a resource. In some embodiments, a tag is a name/value pair, e.g., a name-value pair 1646 that enables resource classification and provides a consolidated view across resources. For example, a tag can be created for a department of an organization (e.g., the human resources department), and all bills/invoices from that department can be consolidated based on the tag associated with it.
FIG. 16H depicts another graphical user interface 1651 illustrating summary information of an autonomous database. Specifically, FIG. 16H provides information related to the several options 1631 of FIG. 16C. The information depicted in the graphical user interface of FIG. 16G includes the details of each option of the resource as described above with reference to FIGS. 16B-16G (e.g., basic information, configuration information, networking information, security information, tag information, etc.). After successfully reviewing the information on the graphical user interface 1651 depicted in FIG. 16H, the user can initiate the creation of the resource by using the create icon located at the bottom of the graphical user interface 1651.
After the database is created (e.g., by pressing the create icon in FIG. 16H), the user is provided with the graphical user interface 1655 of FIG. 16I. As shown in FIG. 16I, the graphical user interface 1655 depicts metadata information 1656 related to the creation state of the database. In one example, as shown in FIG. 16I, the state is depicted as "Provisioning", along with information for both cloud environments (e.g., the first cloud environment (such as Oracle's OCI) and the first external cloud environment (e.g., Microsoft's Azure cloud environment)). Specifically, the information included in 1656 comprises constructs from both cloud environments. For example, as shown in FIG. 16I, the metadata information includes an auto-scaling feature that corresponds to the number of CPUs to be allocated to the database resource being created.
In addition, the graphical user interface 1655 of FIG. 16I includes further metadata information related to the connection string associated with the resource. In some embodiments, the connection string corresponds to a web link associated with the resource deployed in the first cloud environment. The connection string enables users associated with the customer tenancy in the first external cloud environment to access the resource (deployed in the first cloud environment) from the first external cloud environment. As shown in FIG. 16I, because the database is still in the provisioning state, the connection string metadata is temporarily blank. Once the resource has been created, and as shown in FIG. 16J, the connection string metadata is populated with the web link corresponding to the created resource.
FIG. 16J depicts a graphical user interface illustrating the information displayed once a resource has been created, according to some embodiments. As shown in FIG. 16J, the status of the resource is depicted as "active" in metadata information section 1663. In addition, metadata information section 1665 includes the connection string information associated with the resource. The graphical user interface depicted in FIG. 16J also includes a panel 1666 displayed on its left side. Panel 1666 includes a number of tabs, including an "Overview" tab, a "Tag Settings" tab, a "Networking Resources" tab, and a "Backup" tab. Upon clicking the Backup tab, the user can be provided with a list of backup resources for the newly created resource.
FIG. 16K depicts an exemplary graphical user interface 1671 illustrating the creation of a dashboard application corresponding to a newly created/provisioned resource. In some embodiments, the dashboard application is created in the first external cloud environment and corresponds to a workspace in which the resource (deployed in the first cloud environment) can be monitored and day-to-day operational tasks (e.g., setting alerts related to resource usage, alerts related to failover of the resource, etc.) can be launched quickly. According to some embodiments, after the resource (e.g., a database) is created, an API of the first external cloud environment is invoked to create a dashboard application for the newly created resource. In some embodiments, the dashboard is a read-only dashboard and includes information related to the customer. For example, as shown in FIG. 16K, the connection string information 1672 associated with the resource is inserted into this API call, thereby giving customers of the other cloud environment (e.g., the first external cloud environment) the flexibility to access the resource deployed in the first cloud environment without needing access to the constructs/credentials associated with the first cloud environment.
Turning to FIG. 16L, another exemplary graphical user interface 1680 illustrating the display of one or more metrics associated with the newly created resource is depicted. According to some embodiments, several metrics associated with the performance of the newly created resource (e.g., execution count, average CPU utilization, transaction count, etc.) are displayed in the constructed dashboard application. For example, as shown in FIG. 16L, graphs 1671, 1673, and 1675 are displayed in the graphical user interface 1680, one for each of the one or more metrics. In some embodiments, each metric may be displayed in a separate display window/pane (as shown in FIG. 16L), where the window is associated with a filter 1677 (displayed in the upper left corner of the window) that is used to configure the display of the metric based on user input, for example, to configure the display of the metric over a time period selected by the user.
Turning to FIG. 17, a flowchart illustrating a process performed in generating exemplary graphical user interfaces for a multi-cloud console, according to certain embodiments, is depicted. The processing depicted in FIG. 17 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective systems, in hardware, or in combinations thereof. The software may be stored on a non-transitory storage medium (e.g., on a memory device). The method presented in FIG. 17 and described below is intended to be illustrative and non-limiting. Although FIG. 17 depicts the various processing steps occurring in a particular sequence or order, this is not intended to be limiting. In certain alternative embodiments, the steps may be performed in some different order, or some steps may also be performed in parallel.
The process depicted in FIG. 17 begins at step 1710, where a multi-cloud infrastructure included in a first cloud environment provided by a first cloud service provider generates a set of one or more graphical user interfaces for each of a plurality of external cloud environments provided by a plurality of external cloud service providers. For example, referring to FIG. 7, the multi-cloud infrastructure 720B included in the first cloud environment 720 generates one or more graphical user interfaces (as depicted in FIGS. 16A-16L) for an external cloud environment (e.g., the second cloud environment 710 of FIG. 7). It will be appreciated that the set of one or more graphical user interfaces for an external cloud environment is generated based on the native graphical user interface provided by that external cloud environment. This is done to provide users of the second cloud environment with a look and feel similar to that of the native graphical user interface of the second cloud environment (e.g., the native graphical user interface associated with the second cloud portal 711 of FIG. 7).
Subsequently, the process proceeds to step 1715, where, in response to the first cloud environment receiving a request (transmitted from the first external cloud environment), a response to the request is provided. The response may include a first graphical user interface (e.g., the graphical user interface of FIG. 16A) from the set of one or more graphical user interfaces generated for the first external cloud environment. In some embodiments, via the first graphical user interface, which may be displayed on a console (e.g., the multi-cloud console 721 of FIG. 7), a user of the first external cloud environment (e.g., the second cloud environment 720 of FIG. 7) can create, manage, update, delete, etc. one or more resources deployed in the first cloud environment. In other words, a user of the first external cloud environment can manage resources deployed in the first cloud environment without explicitly remembering or using any credentials of the first cloud environment.
Examples of Cloud Infrastructure
As noted above, infrastructure as a service (IaaS) is one particular type of cloud computing. IaaS can be configured to provide virtualized computing resources over a public network (e.g., the Internet). In an IaaS model, a cloud computing provider can host the infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., a hypervisor layer), or the like). In some cases, an IaaS provider may also supply a variety of services to accompany those infrastructure components (e.g., billing, monitoring, logging, security, load balancing and clustering, etc.). Thus, as these services may be policy-driven, IaaS users may be able to implement policies to drive load balancing to maintain application availability and performance.
In some instances, IaaS customers may access resources and services through a wide area network (WAN), such as the Internet, and can use the cloud provider's services to install the remaining elements of an application stack. For example, the user can log in to the IaaS platform to create virtual machines (VMs), install operating systems (OSs) on each VM, deploy middleware such as databases, create storage buckets for workloads and backups, and even install enterprise software into that VM. Customers can then use the provider's services to perform various functions, including balancing network traffic, troubleshooting application issues, monitoring performance, managing disaster recovery, etc.
In most cases, a cloud computing model will require the participation of a cloud provider. The cloud provider may, but need not, be a third-party service that specializes in providing (e.g., offering, renting, selling) IaaS. An entity may also opt to deploy a private cloud, becoming its own provider of infrastructure services.
In some examples, IaaS deployment is the process of putting a new application, or a new version of an application, onto a prepared application server or the like. It may also include the process of preparing the server (e.g., installing libraries, daemons, etc.). This is often managed by the cloud provider, below the hypervisor layer (e.g., the servers, storage, network hardware, and virtualization). Thus, the customer may be responsible for handling (OS), middleware, and/or application deployment (e.g., on self-service virtual machines (e.g., that can be spun up on demand) or the like).
In some examples, IaaS provisioning may refer to acquiring computers or virtual hosts for use, and even installing needed libraries or services on them. In most cases, deployment does not include provisioning, and the provisioning may need to be performed first.
In some cases, there are two different problems for IaaS provisioning. First, there is the initial challenge of provisioning the initial set of infrastructure before anything is running. Second, there is the challenge of evolving the existing infrastructure (e.g., adding new services, changing services, removing services, etc.) once everything has been provisioned. In some cases, these two challenges may be addressed by enabling the configuration of the infrastructure to be defined declaratively. In other words, the infrastructure (e.g., what components are needed and how they interact) can be defined by one or more configuration files. Thus, the overall topology of the infrastructure (e.g., what resources depend on which, and how they each work together) can be described declaratively. In some instances, once the topology is defined, a workflow can be generated that creates and/or manages the different components described in the configuration files.
In some examples, an infrastructure may have many interconnected elements. For example, there may be one or more virtual private clouds (VPCs) (e.g., a potentially on-demand pool of configurable and/or shared computing resources), also known as a core network. In some examples, there may also be one or more security group rules provisioned to define how the security of the network will be set up, and one or more virtual machines (VMs). Other infrastructure elements may also be provisioned, such as a load balancer, a database, or the like. As more and more infrastructure elements are desired and/or added, the infrastructure may incrementally evolve.
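To make the declarative approach of the preceding two paragraphs concrete, here is an added example (it is not code from the patent, nor from any provider's tooling). A topology of the kind just listed (a VPC, security group rules, VMs, a database, a load balancer) is written as one declarative configuration, and a provisioning workflow is generated from it in which every element is created only after the elements it depends on. The configuration format, the resource names, the `plan_workflow`, `evolve` and `lint_security_groups` functions, and the set of management ports are all assumptions made for this example; the sample topology is constructed.

```python
"""Declarative infrastructure topology -> ordered provisioning workflow.

Added illustration, not code from the patent. The configuration format,
resource names, MANAGEMENT_PORTS and the function names are assumptions.
"""
from collections import deque

# Constructed sample topology: the elements named in the text, each with the
# resources it depends on. This is the "configuration file" in miniature.
SAMPLE_TOPOLOGY = {
    "vpc-core":   {"type": "vpc",            "depends_on": []},
    "sg-web":     {"type": "security_group", "depends_on": ["vpc-core"],
                   "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "sg-admin":   {"type": "security_group", "depends_on": ["vpc-core"],
                   "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    "vm-app-1":   {"type": "vm",             "depends_on": ["vpc-core", "sg-web", "sg-admin"]},
    "vm-app-2":   {"type": "vm",             "depends_on": ["vpc-core", "sg-web", "sg-admin"]},
    "db-primary": {"type": "database",       "depends_on": ["vpc-core", "sg-admin"]},
    "lb-public":  {"type": "load_balancer",  "depends_on": ["vm-app-1", "vm-app-2"]},
}

# Ports that should not be reachable from the whole Internet (assumed list).
MANAGEMENT_PORTS = {22, 3389}


def lint_security_groups(topology):
    """Return (resource, message) findings for ingress rules that expose a
    management port to 0.0.0.0/0. Run before anything is provisioned."""
    findings = []
    for name, spec in topology.items():
        if spec["type"] != "security_group":
            continue
        for rule in spec.get("ingress", []):
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in MANAGEMENT_PORTS:
                findings.append((name, f"port {rule['port']} open to 0.0.0.0/0"))
    return findings


def plan_workflow(topology):
    """Kahn's algorithm: order resources so every dependency is created first.

    Raises ValueError on an unknown dependency or a dependency cycle, since a
    workflow generated from such a topology could never complete.
    """
    indegree = {name: 0 for name in topology}
    dependents = {name: [] for name in topology}
    for name, spec in topology.items():
        for dep in spec["depends_on"]:
            if dep not in topology:
                raise ValueError(f"{name} depends on unknown resource {dep}")
            indegree[name] += 1
            dependents[dep].append(name)
    # sorted() keeps the order deterministic among independent resources.
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(topology):
        cycle = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among {cycle}")
    return order


def evolve(topology, name, spec):
    """Add or change one resource and re-plan: the text's second challenge,
    evolving infrastructure that has already been provisioned."""
    updated = dict(topology)
    updated[name] = spec
    return plan_workflow(updated)


if __name__ == "__main__":
    for step, resource in enumerate(plan_workflow(SAMPLE_TOPOLOGY), 1):
        print(step, resource, SAMPLE_TOPOLOGY[resource]["type"])
    print("lint findings:", lint_security_groups(SAMPLE_TOPOLOGY))
```

The generated order places the VPC first, then both security groups, then the database and VMs, and the load balancer last because it depends on the VMs. `evolve` re-plans after a change rather than patching the old order, which is what makes the declarative description usable for the "evolving" case as well as the initial one.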
In some instances, continuous deployment techniques may be employed to enable deployment of infrastructure code across various virtual computing environments. Additionally, the described techniques can enable infrastructure management within these environments. In some examples, service teams can write code that is desired to be deployed to one or more, but often many, different production environments (e.g., across various different geographic locations, sometimes spanning the entire world). However, in some examples, the infrastructure on which the code will be deployed must first be set up. In some instances, the provisioning can be done manually, a provisioning tool may be utilized to provision the resources, and/or deployment tools may be utilized to deploy the code once the infrastructure is provisioned.
FIG. 18 is a block diagram 1800 illustrating an example pattern of an IaaS architecture, according to at least one embodiment. Service operators 1802 can be communicatively coupled to a secure host tenancy 1804 that can include a virtual cloud network (VCN) 1806 and a secure host subnet 1808. In some examples, the service operators 1802 may be using one or more client computing devices, which may be portable handheld devices (e.g., cellular telephones, computing tablets, personal digital assistants (PDAs)) or wearable devices (e.g., a Google head-mounted display), running software such as Microsoft Windows and/or a variety of mobile operating systems such as iOS, Windows Phone, Android, BlackBerry 8, Palm OS, and the like, and being Internet, e-mail, short message service (SMS), or other communication protocol enabled. Alternatively, the client computing devices can be general purpose personal computers including, by way of example, personal computers and/or laptop computers running various versions of Microsoft, Apple, and/or Linux operating systems. The client computing devices can be workstation computers running any of a variety of commercially available or UNIX-like operating systems, including without limitation the variety of GNU/Linux operating systems, such as for example, Google Chrome OS. Alternatively, or in addition, client computing devices may be any other electronic device, such as a thin-client computer, an Internet-enabled gaming system (e.g., a Microsoft Xbox gaming console with or without a gesture input device), and/or a personal messaging device, capable of communicating over a network that can access the VCN 1806 and/or the Internet.
The VCN 1806 can include a local peering gateway (LPG) 1810 that can be communicatively coupled to a secure shell (SSH) VCN 1812 via an LPG 1810 contained in the SSH VCN 1812. The SSH VCN 1812 can include an SSH subnet 1814, and the SSH VCN 1812 can be communicatively coupled to a control plane VCN 1816 via the LPG 1810 contained in the control plane VCN 1816. Also, the SSH VCN 1812 can be communicatively coupled to a data plane VCN 1818 via an LPG 1810. The control plane VCN 1816 and the data plane VCN 1818 can be contained in a service tenancy 1819 that can be owned and/or operated by the IaaS provider.
The control plane VCN 1816 can include a control plane demilitarized zone (DMZ) tier 1820 that acts as a perimeter network (e.g., portions of a corporate network between the corporate intranet and external networks). DMZ-based servers may have restricted responsibilities and help keep security breaches contained. Additionally, the DMZ tier 1820 can include one or more load balancer (LB) subnet(s) 1822, a control plane app tier 1824 that can include app subnet(s) 1826, and a control plane data tier 1828 that can include database (DB) subnet(s) 1830 (e.g., frontend DB subnet(s) and/or backend DB subnet(s)). The LB subnet(s) 1822 contained in the control plane DMZ tier 1820 can be communicatively coupled to the app subnet(s) 1826 contained in the control plane app tier 1824 and to an Internet gateway 1834 that can be contained in the control plane VCN 1816, and the app subnet(s) 1826 can be communicatively coupled to the DB subnet(s) 1830 contained in the control plane data tier 1828 and to a service gateway 1836 and a network address translation (NAT) gateway 1838. The control plane VCN 1816 can include the service gateway 1836 and the NAT gateway 1838.
The control plane VCN 1816 can include a data plane mirror app tier 1840 that can include app subnet(s) 1826. The app subnet(s) 1826 contained in the data plane mirror app tier 1840 can include a virtual network interface controller (VNIC) 1842 that can execute a compute instance 1844. The compute instance 1844 can communicatively couple the app subnet(s) 1826 of the data plane mirror app tier 1840 to app subnet(s) 1826 that can be contained in a data plane app tier 1846.
The data plane VCN 1818 can include the data plane app tier 1846, a data plane DMZ tier 1848, and a data plane data tier 1850. The data plane DMZ tier 1848 can include LB subnet(s) 1822 that can be communicatively coupled to the app subnet(s) 1826 of the data plane app tier 1846 and to the Internet gateway 1834 of the data plane VCN 1818. The app subnet(s) 1826 can be communicatively coupled to the service gateway 1836 of the data plane VCN 1818 and to the NAT gateway 1838 of the data plane VCN 1818. The data plane data tier 1850 can also include the DB subnet(s) 1830 that can be communicatively coupled to the app subnet(s) 1826 of the data plane app tier 1846.
The Internet gateway 1834 of the control plane VCN 1816 and of the data plane VCN 1818 can be communicatively coupled to a metadata management service 1852 that can be communicatively coupled to the public Internet 1854. The public Internet 1854 can be communicatively coupled to the NAT gateway 1838 of the control plane VCN 1816 and of the data plane VCN 1818. The service gateway 1836 of the control plane VCN 1816 and of the data plane VCN 1818 can be communicatively coupled to cloud services 1856.
In some examples, the service gateway 1836 of the control plane VCN 1816 or of the data plane VCN 1818 can make application programming interface (API) calls to cloud services 1856 without going through the public Internet 1854. The API calls to cloud services 1856 from the service gateway 1836 can be one-way: the service gateway 1836 can make API calls to cloud services 1856, and cloud services 1856 can send the requested data back to the service gateway 1836. But cloud services 1856 may not initiate API calls to the service gateway 1836.
In some examples, the secure host tenancy 1804 can be directly connected to the service tenancy 1819, which may otherwise be isolated. The secure host subnet 1808 can communicate with the SSH subnet 1814 through an LPG 1810 that may enable two-way communication over an otherwise isolated system. Connecting the secure host subnet 1808 to the SSH subnet 1814 may give the secure host subnet 1808 access to other entities within the service tenancy 1819.
The control plane VCN 1816 may allow users of the service tenancy 1819 to set up or otherwise provision desired resources. Desired resources provisioned in the control plane VCN 1816 may be deployed or otherwise used in the data plane VCN 1818. In some examples, the control plane VCN 1816 can be isolated from the data plane VCN 1818, and the data plane mirror app tier 1840 of the control plane VCN 1816 can communicate with the data plane app tier 1846 of the data plane VCN 1818 via VNICs 1842 that can be contained in the data plane mirror app tier 1840 and in the data plane app tier 1846.
In some examples, users of the system, or customers, can make requests, for example create, read, update, or delete (CRUD) operations, through the public Internet 1854, which can communicate the requests to the metadata management service 1852. The metadata management service 1852 can communicate the request to the control plane VCN 1816 through the Internet gateway 1834. The request can be received by the LB subnet(s) 1822 contained in the control plane DMZ tier 1820. The LB subnet(s) 1822 may determine that the request is valid, and in response to this determination, the LB subnet(s) 1822 can transmit the request to app subnet(s) 1826 contained in the control plane app tier 1824. If the request is validated and requires a call to the public Internet 1854, the call to the public Internet 1854 may be transmitted to the NAT gateway 1838, which can make the call to the public Internet 1854. Any data that the request wishes to have stored can be stored in the DB subnet(s) 1830.
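The request path just described, together with the one-way rule for the service gateway a few paragraphs earlier, can be written down as a small flow checker. The example below is added here and is not the patent's code: the directed edges are transcribed from the description of FIG. 18, while the tier names, the request fields, the body-size limit and the specific validation criteria applied in the LB subnet are assumptions made for the example. A request that fails validation stops in the DMZ tier and never reaches the app or data tier; an outbound call leaves through the NAT gateway; and a connection that cloud services would initiate towards the service gateway has no path at all.

```python
"""Flow checker for the control plane request path of FIG. 18.

Added example, not the patent's code. Tier names, request fields, the body
limit and the LB-tier validation criteria are assumptions; the allowed
directions of travel are transcribed from the description above.
"""
from collections import deque

# Directed edges over which a *new* connection may be opened. Responses
# travel back over the same edge and are therefore not listed separately.
ALLOWED_EDGES = {
    ("public_internet", "metadata_management_service"),
    ("metadata_management_service", "internet_gateway"),
    ("internet_gateway", "lb_subnet"),        # control plane DMZ tier
    ("lb_subnet", "app_subnet"),              # only for validated requests
    ("app_subnet", "db_subnet"),
    ("app_subnet", "nat_gateway"),
    ("nat_gateway", "public_internet"),       # outbound calls leave via NAT
    ("app_subnet", "service_gateway"),
    ("service_gateway", "cloud_services"),    # one-way: cloud services never initiate
}

VALID_OPERATIONS = {"create", "read", "update", "delete"}   # CRUD
MAX_BODY_BYTES = 4096                                       # assumed limit


def can_initiate(src, dst):
    """True if src may open a connection to dst according to the topology."""
    return (src, dst) in ALLOWED_EDGES


def find_path(src, dst):
    """Breadth-first search over ALLOWED_EDGES; returns the hop list or None."""
    previous = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for a, b in sorted(ALLOWED_EDGES):
            if a == node and b not in previous:
                previous[b] = node
                queue.append(b)
    return None


def validate_at_lb(request):
    """The DMZ-tier check the text attributes to the LB subnet(s).

    Returns None for a valid request, otherwise the rejection reason. The
    criteria are assumptions: anything outside CRUD, a malformed resource
    id, or an oversized body is stopped before it reaches the app tier.
    """
    if request.get("operation") not in VALID_OPERATIONS:
        return "unsupported operation"
    resource = request.get("resource", "")
    if not resource or not resource.replace("-", "").isalnum():
        return "malformed resource id"
    if len(request.get("body", "")) > MAX_BODY_BYTES:
        return "body too large"
    return None


def handle_request(request):
    """Walk a customer request through the tiers of FIG. 18, recording hops."""
    hops = find_path("public_internet", "lb_subnet")
    reason = validate_at_lb(request)
    if reason is not None:
        # Rejected in the DMZ tier: the app and data tiers are never touched.
        return {"accepted": False, "reason": reason, "hops": hops}
    hops = hops + ["app_subnet"]
    if request.get("needs_public_internet"):
        hops += ["nat_gateway", "public_internet"]
    if request.get("store"):
        hops.append("db_subnet")
    return {"accepted": True, "reason": None, "hops": hops}


if __name__ == "__main__":
    # Constructed sample requests.
    print(handle_request({"operation": "create", "resource": "db-42",
                          "body": "{}", "store": True}))
    print(handle_request({"operation": "drop", "resource": "db-42"}))
    print(can_initiate("service_gateway", "cloud_services"),
          can_initiate("cloud_services", "service_gateway"))
```

Encoding the figure as an edge set is what makes the two properties checkable rather than merely stated: `find_path` shows that every route from the public Internet to the app or DB subnets passes through the LB subnet, and the absence of any edge out of `cloud_services` is the one-way rule.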
In some examples, the data plane mirror app tier 1840 can facilitate direct communication between the control plane VCN 1816 and the data plane VCN 1818. For example, changes, updates, or other suitable modifications to configuration may be desired to be applied to the resources contained in the data plane VCN 1818. Via a VNIC 1842, the control plane VCN 1816 can directly communicate with, and can thereby execute the changes, updates, or other suitable modifications to configuration on, the resources contained in the data plane VCN 1818.
In some embodiments, the control plane VCN 1816 and the data plane VCN 1818 can be contained in the service tenancy 1819. In this case, the user, or the customer, of the system may not own or operate either the control plane VCN 1816 or the data plane VCN 1818. Instead, the IaaS provider may own or operate the control plane VCN 1816 and the data plane VCN 1818, both of which may be contained in the service tenancy 1819. This embodiment can enable isolation of networks that may prevent users or customers from interacting with other users' or other customers' resources. Also, this embodiment may allow users or customers of the system to store databases privately without needing to rely on the public Internet 1854, which may not have a desired level of threat prevention, for storage.
In other embodiments, the LB subnet(s) 1822 contained in the control plane VCN 1816 can be configured to receive a signal from the service gateway 1836. In this embodiment, the control plane VCN 1816 and the data plane VCN 1818 may be configured to be called by a customer of the IaaS provider without calling the public Internet 1854. Customers of the IaaS provider may desire this embodiment since the database(s) that the customers use may be controlled by the IaaS provider and may be stored on the service tenancy 1819, which may be isolated from the public Internet 1854.
FIG. 19 is a block diagram 1900 illustrating another example pattern of an IaaS architecture, according to at least one embodiment. Service operators 1902 (e.g., service operators 1802 of FIG. 18) can be communicatively coupled to a secure host tenancy 1904 (e.g., the secure host tenancy 1804 of FIG. 18) that can include a virtual cloud network (VCN) 1906 (e.g., the VCN 1806 of FIG. 18) and a secure host subnet 1908 (e.g., the secure host subnet 1808 of FIG. 18). The VCN 1906 can include a local peering gateway (LPG) 1910 (e.g., the LPG 1810 of FIG. 18) that can be communicatively coupled to a secure shell (SSH) VCN 1912 (e.g., the SSH VCN 1812 of FIG. 18) via an LPG 1810 contained in the SSH VCN 1912. The SSH VCN 1912 can include an SSH subnet 1914 (e.g., the SSH subnet 1814 of FIG. 18), and the SSH VCN 1912 can be communicatively coupled to a control plane VCN 1916 (e.g., the control plane VCN 1816 of FIG. 18) via an LPG 1910 contained in the control plane VCN 1916. The control plane VCN 1916 can be contained in a service tenancy 1919 (e.g., the service tenancy 1819 of FIG. 18), and the data plane VCN 1918 (e.g., the data plane VCN 1818 of FIG. 18) can be contained in a customer tenancy 1921 that may be owned or operated by users, or customers, of the system.
The control plane VCN 1916 can include a control plane DMZ tier 1920 (e.g., the control plane DMZ tier 1820 of FIG. 18) that can include LB subnet(s) 1922 (e.g., LB subnet(s) 1822 of FIG. 18), a control plane app tier 1924 (e.g., the control plane app tier 1824 of FIG. 18) that can include app subnet(s) 1926 (e.g., app subnet(s) 1826 of FIG. 18), and a control plane data tier 1928 (e.g., the control plane data tier 1828 of FIG. 18) that can include database (DB) subnet(s) 1930 (e.g., similar to DB subnet(s) 1830 of FIG. 18). The LB subnet(s) 1922 contained in the control plane DMZ tier 1920 can be communicatively coupled to the app subnet(s) 1926 contained in the control plane app tier 1924 and to an Internet gateway 1934 (e.g., the Internet gateway 1834 of FIG. 18) that can be contained in the control plane VCN 1916, and the app subnet(s) 1926 can be communicatively coupled to the DB subnet(s) 1930 contained in the control plane data tier 1928 and to a service gateway 1936 (e.g., the service gateway of FIG. 18) and a network address translation (NAT) gateway 1938 (e.g., the NAT gateway 1838 of FIG. 18). The control plane VCN 1916 can include the service gateway 1936 and the NAT gateway 1938.
The control plane VCN 1916 can include a data plane mirror app tier 1940 (e.g., the data plane mirror app tier 1840 of FIG. 18) that can include app subnet(s) 1926. The app subnet(s) 1926 contained in the data plane mirror app tier 1940 can include a virtual network interface controller (VNIC) 1942 (e.g., the VNIC of 1842) that can execute a compute instance 1944 (e.g., similar to the compute instance 1844 of FIG. 18). The compute instance 1944 can facilitate communication between the app subnet(s) 1926 of the data plane mirror app tier 1940 and the app subnet(s) 1926 that can be contained in a data plane app tier 1946 (e.g., the data plane app tier 1846 of FIG. 18) via the VNIC 1942 contained in the data plane mirror app tier 1940 and the VNIC 1942 contained in the data plane app tier 1946.
The internet gateway 1934 included in the control plane VCN 1916 may be communicatively coupled to a metadata management service 1952 (e.g., the metadata management service 1852 of FIG. 18), which may be communicatively coupled to the public internet 1954 (e.g., the public internet 1854 of FIG. 18). The public internet 1954 may be communicatively coupled to the NAT gateway 1938 included in the control plane VCN 1916. The service gateway 1936 included in the control plane VCN 1416 may be communicatively coupled to cloud services 1956 (e.g., the cloud services 1856 of FIG. 18).
In some examples, the data plane VCN 1918 may be included in the customer tenancy 1921. In this case, the IaaS provider may provide the control plane VCN 1916 for each customer, and the IaaS provider may set up, for each customer, a unique compute instance 1944 that is included in the service tenancy 1919. Each compute instance 1944 may allow communication between the control plane VCN 1916 included in the service tenancy 1919 and the data plane VCN 1918 included in the customer tenancy 1921. The compute instance 1944 may allow resources provisioned in the control plane VCN 1916 included in the service tenancy 1919 to be deployed or otherwise used in the data plane VCN 1918 included in the customer tenancy 1921.
In other examples, a customer of the IaaS provider may have a database that resides in the customer tenancy 1921. In this example, the control plane VCN 1916 may include the data plane mirror application layer 1940, which may include application subnet(s) 1926. The data plane mirror application layer 1940 may reside in the data plane VCN 1918, but the data plane mirror application layer 1940 may not be in the data plane VCN 1918. That is, the data plane mirror application layer 1940 may have access to the customer tenancy 1921, but the data plane mirror application layer 1940 may not exist in the data plane VCN 1918 or be owned or operated by the customer of the IaaS provider. The data plane mirror application layer 1940 may be configured to make calls to the data plane VCN 1918 but may not be configured to make calls to any entity included in the control plane VCN 1916. The customer may desire to deploy or otherwise use, in the data plane VCN 1918, resources that are provisioned in the control plane VCN 1916, and the data plane mirror application layer 1940 may facilitate the customer's desired deployment or other use of those resources.
In some embodiments, the customer of the IaaS provider may apply filters to the data plane VCN 1918. In this embodiment, the customer may determine what the data plane VCN 1918 may access, and the customer may restrict access from the data plane VCN 1918 to the public internet 1954. The IaaS provider may not be able to apply filters or otherwise control access by the data plane VCN 1918 to any external network or database. The customer applying filters and controls to the data plane VCN 1918 included in the customer tenancy 1921 may help isolate the data plane VCN 1918 from other customers and from the public internet 1954.
In some embodiments, cloud services 1956 may be called by the service gateway 1936 to access services that may not exist on the public internet 1954, the control plane VCN 1916, or the data plane VCN 1918. The connection between cloud services 1956 and the control plane VCN 1916 or the data plane VCN 1918 may not be live or continuous. Cloud services 1956 may exist on a different network that is owned or operated by the IaaS provider. Cloud services 1956 may be configured to receive calls from the service gateway 1936 and may be configured not to receive calls from the public internet 1954. Some cloud services 1956 may be isolated from other cloud services 1956, and the control plane VCN 1916 may be isolated from cloud services 1956 that may not be in the same region as the control plane VCN 1916. For example, the control plane VCN 1916 may be located in "Region 1", and the cloud service "Deployment 13" may be located in Region 1 and in "Region 2". If the service gateway 1936 included in the control plane VCN 1916 located in Region 1 makes a call to Deployment 13, the call may be transmitted to Deployment 13 in Region 1. In this example, the control plane VCN 1916, or Deployment 13 in Region 1, may not be communicatively coupled to, or otherwise in communication with, Deployment 13 in Region 2.
FIG. 20 is a block diagram 2000 illustrating another example pattern of an IaaS architecture according to at least one embodiment. A service operator 2002 (e.g., the service operator 1802 of FIG. 18) may be communicatively coupled to a secure host tenancy 2004 (e.g., the secure host tenancy 1804 of FIG. 18), which may include a virtual cloud network (VCN) 2006 (e.g., the VCN 1806 of FIG. 18) and a secure host subnet 2008 (e.g., the secure host subnet 1808 of FIG. 18). The VCN 2006 may include an LPG 2010 (e.g., the LPG 1810 of FIG. 18), which may be communicatively coupled to an SSH VCN 2012 (e.g., the SSH VCN 1812 of FIG. 18) via the LPG 2010 included in the SSH VCN 2012. The SSH VCN 2012 may include an SSH subnet 2014 (e.g., the SSH subnet 1814 of FIG. 18), and the SSH VCN 1812 may be communicatively coupled to a control plane VCN 2016 (e.g., the control plane VCN 1816 of FIG. 18) via the LPG 2010 included in the control plane VCN 2016 and to a data plane VCN 2018 (e.g., the data plane 1818 of FIG. 18) via the LPG 2010 included in the data plane VCN 2018. The control plane VCN 2016 and the data plane VCN 2018 may be included in a service tenancy 2019 (e.g., the service tenancy 1819 of FIG. 18).
The control plane VCN 1816 may include a control plane DMZ layer 1820 (e.g., the control plane DMZ layer 1820 of FIG. 18) that may include load balancer (LB) subnet(s) 1822 (e.g., the LB subnet(s) 1822 of FIG. 18), a control plane application layer 2024 (e.g., the control plane application layer 1824 of FIG. 18) that may include application subnet(s) 2026 (e.g., similar to the application subnet(s) 1826 of FIG. 18), and a control plane data layer 2028 (e.g., the control plane data layer 1828 of FIG. 18) that may include DB subnet(s) 2030. The LB subnet(s) 2022 included in the control plane DMZ layer 2020 may be communicatively coupled to the application subnet(s) 2026 included in the control plane application layer 2024 and to an internet gateway 1834 (e.g., the internet gateway 1834 of FIG. 18) that may be included in the control plane VCN 2016, and the application subnet(s) 2026 may be communicatively coupled to the DB subnet(s) 1830 included in the control plane data layer 1828 and to a service gateway 1836 (e.g., the service gateway of FIG. 18) and a network address translation (NAT) gateway 1838 (e.g., the NAT gateway 1838 of FIG. 18). The control plane VCN 2016 may include the service gateway 2036 and the NAT gateway 2038.
The data plane VCN 2018 may include a data plane application layer 2046 (e.g., the data plane application layer 1846 of FIG. 18), a data plane DMZ layer 2048 (e.g., the data plane DMZ layer 1848 of FIG. 18), and a data plane data layer 2050 (e.g., the data plane data layer 1850 of FIG. 18). The data plane DMZ layer 2048 may include LB subnet(s) 2022 that may be communicatively coupled to trusted application subnet(s) 2060 and untrusted application subnet(s) 2062 of the data plane application layer 2046 and to an internet gateway 2034 included in the data plane VCN 2018. The trusted application subnet(s) 2060 may be communicatively coupled to the service gateway 2036 included in the data plane VCN 2018, the NAT gateway 2038 included in the data plane VCN 2018, and the DB subnet(s) 2030 included in the data plane data layer 2050. The untrusted application subnet(s) 2062 may be communicatively coupled to the service gateway 2036 included in the data plane VCN 2018 and the DB subnet(s) 2030 included in the data plane data layer 2050. The data plane data layer 2050 may include DB subnet(s) 2030 that may be communicatively coupled to the service gateway 2036 included in the data plane VCN 2018.
The untrusted application subnet(s) 2062 may include one or more primary VNICs 2064(1)-(N) that may be communicatively coupled to tenant virtual machines (VMs) 2066(1)-(N). Each tenant VM 2066(1)-(N) may be communicatively coupled to a respective application subnet 2067(1)-(N) that may be included in a respective container egress VCN 2068(1)-(N), and the respective container egress VCN 2068(1)-(N) may be included in a respective customer tenancy 2070(1)-(N). Respective secondary VNICs 2072(1)-(N) may facilitate communication between the untrusted application subnet(s) 2062 included in the data plane VCN 2018 and the application subnets included in the container egress VCNs 2068(1)-(N). Each container egress VCN 2068(1)-(N) may include a NAT gateway 2038 that may be communicatively coupled to the public internet 2054 (e.g., the public internet 1854 of FIG. 18).
The internet gateway 2034 included in the control plane VCN 2016 and included in the data plane VCN 2018 may be communicatively coupled to a metadata management service 2052 (e.g., the metadata management system 1852 of FIG. 18), which may be communicatively coupled to the public internet 2054. The public internet 2054 may be communicatively coupled to the NAT gateway 2038 included in the control plane VCN 2016 and included in the data plane VCN 2018. The service gateway 2036 included in the control plane VCN 2016 and included in the data plane VCN 2018 may be communicatively coupled to cloud services 2056.
In some embodiments, the data plane VCN 2018 may be integrated with the customer tenancy 2070. This integration may be useful or desirable for customers of the IaaS provider in some cases, such as where support may be desired while executing code. The customer may provide code to run that may be destructive, may communicate with other customers' resources, or may otherwise cause undesirable effects. In response to this, the IaaS provider may determine whether to run the code given to the IaaS provider by the customer.
In some examples, the customer of the IaaS provider may grant temporary network access to the IaaS provider and request a function to be attached to the data plane application layer 2046. The code that runs the function may be executed in the VMs 2066(1)-(N), and the code may not be configured to run anywhere else on the data plane VCN 2018. Each VM 2066(1)-(N) may be connected to one customer tenancy 2070. Respective containers 2071(1)-(N) included in the VMs 2066(1)-(N) may be configured to run the code. In this case, there may be a double isolation (e.g., the containers 2071(1)-(N) run the code, where the containers 2071(1)-(N) may be included at least in the VMs 2066(1)-(N) included in the untrusted application subnet(s) 2062), which may help prevent incorrect or otherwise undesirable code from damaging the network of the IaaS provider or from damaging the network of a different customer. The containers 2071(1)-(N) may be communicatively coupled to the customer tenancy 2070 and may be configured to transmit data to or receive data from the customer tenancy 2070. The containers 2071(1)-(N) may not be configured to transmit data to or receive data from any other entity in the data plane VCN 2018. Upon completion of running the code, the IaaS provider may kill or otherwise dispose of the containers 2071(1)-(N).
In some embodiments, the trusted application subnet(s) 2060 may run code that may be owned or operated by the IaaS provider. In this embodiment, the trusted application subnet(s) 2060 may be communicatively coupled to the DB subnet(s) 2030 and may be configured to execute CRUD operations in the DB subnet(s) 2030. The untrusted application subnet(s) 2062 may be communicatively coupled to the DB subnet(s) 2030, but in this embodiment the untrusted application subnet(s) may be configured to execute read operations in the DB subnet(s) 2030. The containers 2071(1)-(N), which may be included in each customer's VMs 2066(1)-(N) and may run code from the customer, may not be communicatively coupled to the DB subnet(s) 2030.
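The isolation statements for the FIG. 20 pattern above (containers 2071(1)-(N) coupled only to the customer tenancy, untrusted subnet(s) 2062 limited to reads, trusted subnet(s) 2060 allowed CRUD) are the invariants a reviewer of such a deployment wants to verify mechanically. The following is an added example, not code from the patent or from any IaaS provider: it encodes the "may be communicatively coupled" relationships as a directed graph and checks those invariants over it, including a deliberately drifted copy of the graph. Node names are constructed labels that carry the figure's reference numbers and are not real cloud resource identifiers.

```python
"""Isolation model of the FIG. 20 IaaS pattern (added example, not from the patent)."""
from collections import deque

# Entities inside data plane VCN 2018 that customer code must never exchange data with.
DATA_PLANE_INTERNAL = {
    "lb_subnet_2022", "trusted_app_2060", "untrusted_app_2062",
    "db_subnet_2030", "sgw_2036", "nat_2038", "igw_2034",
}

# Constructed edge list: "src may initiate a flow to dst", following the couplings
# the description lists for FIG. 20. The customer's egress NAT is a separate node
# from the data plane NAT gateway so the two paths to the internet stay distinct.
FIG20_EDGES = {
    "lb_subnet_2022": {"trusted_app_2060", "untrusted_app_2062", "igw_2034"},
    "trusted_app_2060": {"sgw_2036", "nat_2038", "db_subnet_2030"},
    "untrusted_app_2062": {"sgw_2036", "db_subnet_2030"},
    "db_subnet_2030": {"sgw_2036"},
    "sgw_2036": {"cloud_services_2056"},
    "nat_2038": {"public_internet_2054"},
    "igw_2034": {"metadata_mgmt_2052"},
    # A container reaches its customer tenancy only through the secondary VNIC
    # and the container egress VCN 2068, whose own NAT gateway fronts the internet.
    "container_2071": {"secondary_vnic_2072"},
    "secondary_vnic_2072": {"egress_vcn_2068"},
    "egress_vcn_2068": {"egress_nat_2038"},
    "egress_nat_2038": {"public_internet_2054"},
}

# Database operations each origin may perform against DB subnet(s) 2030.
DB_OPS_BY_ORIGIN = {
    "trusted_app_2060": frozenset({"create", "read", "update", "delete"}),
    "untrusted_app_2062": frozenset({"read"}),
    "container_2071": frozenset(),
}


def reachable(edges, src, dst):
    """Breadth-first search over the directed coupling graph."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def db_op_permitted(edges, origin, op):
    """An operation needs both a path to the DB subnet and a policy grant."""
    if not reachable(edges, origin, "db_subnet_2030"):
        return False
    return op in DB_OPS_BY_ORIGIN.get(origin, frozenset())


def isolation_violations(edges):
    """Return the FIG. 20 isolation statements that a given graph breaks."""
    problems = []
    # Containers 2071 are coupled to the customer tenancy and nothing else in VCN 2018.
    for node in sorted(DATA_PLANE_INTERNAL):
        if reachable(edges, "container_2071", node):
            problems.append(f"container_2071 can reach {node}")
    if not reachable(edges, "container_2071", "egress_vcn_2068"):
        problems.append("container_2071 cannot reach its container egress VCN")
    # Untrusted subnets 2062 get read-only access; trusted subnets 2060 get CRUD.
    for op in ("create", "update", "delete"):
        if db_op_permitted(edges, "untrusted_app_2062", op):
            problems.append(f"untrusted_app_2062 may {op} on db_subnet_2030")
    if not db_op_permitted(edges, "trusted_app_2060", "delete"):
        problems.append("trusted_app_2060 lacks CRUD on db_subnet_2030")
    # Untrusted subnets are coupled to the service gateway and DB subnet only,
    # not to the NAT gateway or the internet gateway.
    for node in ("nat_2038", "igw_2034"):
        if reachable(edges, "untrusted_app_2062", node):
            problems.append(f"untrusted_app_2062 can reach {node}")
    return problems


def with_extra_edge(edges, src, dst):
    """Copy of the graph with one added coupling, modelling configuration drift."""
    copy = {k: set(v) for k, v in edges.items()}
    copy.setdefault(src, set()).add(dst)
    return copy


if __name__ == "__main__":
    print("pattern violations:", isolation_violations(FIG20_EDGES))
    # Constructed drift: a container gains a path into the untrusted subnet.
    drifted = with_extra_edge(FIG20_EDGES, "container_2071", "untrusted_app_2062")
    print("drifted violations:", isolation_violations(drifted))
```

The drifted graph shows why the check is transitive: one added coupling from the container into the untrusted subnet also exposes the DB subnet and the service gateway behind it.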
In other embodiments, the control plane VCN 2016 and the data plane VCN 2018 may not be directly communicatively coupled. In this embodiment, there may be no direct communication between the control plane VCN 2016 and the data plane VCN 2018. However, communication may occur indirectly through at least one method. An LPG 2010 may be established by the IaaS provider that may facilitate communication between the control plane VCN 2016 and the data plane VCN 2018. In another example, the control plane VCN 2016 or the data plane VCN 2018 may make a call to cloud services 2056 via the service gateway 2036. For example, a call to cloud services 2056 from the control plane VCN 2016 may include a request for a service that may communicate with the data plane VCN 2018.
FIG. 21 is a block diagram 2100 illustrating another example pattern of an IaaS architecture according to at least one embodiment. A service operator 2102 (e.g., the service operator 1802 of FIG. 18) may be communicatively coupled to a secure host tenancy 2104 (e.g., the secure host tenancy 1804 of FIG. 18), which may include a virtual cloud network (VCN) 2106 (e.g., the VCN 1806 of FIG. 18) and a secure host subnet 2108 (e.g., the secure host subnet 1808 of FIG. 18). The VCN 2106 may include an LPG 2110 (e.g., the LPG 1810 of FIG. 18), which may be communicatively coupled to an SSH VCN 2112 (e.g., the SSH VCN 1812 of FIG. 18) via the LPG 2110 included in the SSH VCN 2112. The SSH VCN 2112 may include an SSH subnet 2114 (e.g., the SSH subnet 1814 of FIG. 18), and the SSH VCN 2112 may be communicatively coupled to a control plane VCN 2116 (e.g., the control plane VCN 1816 of FIG. 18) via the LPG 2110 included in the control plane VCN 2116 and to a data plane VCN 2118 (e.g., the data plane 1818 of FIG. 18) via the LPG 2110 included in the data plane VCN 2118. The control plane VCN 2116 and the data plane VCN 2118 may be included in a service tenancy 2119 (e.g., the service tenancy 1819 of FIG. 18).
The control plane VCN 2116 may include a control plane DMZ layer 2120 (e.g., the control plane DMZ layer 1820 of FIG. 18) that may include LB subnet(s) 2122 (e.g., the LB subnet(s) 1822 of FIG. 18), a control plane application layer 2124 (e.g., the control plane application layer 1824 of FIG. 18) that may include application subnet(s) 2126 (e.g., the application subnet(s) 1826 of FIG. 18), and a control plane data layer 2128 (e.g., the control plane data layer 1828 of FIG. 18) that may include DB subnet(s) 2130 (e.g., the DB subnet(s) 2030 of FIG. 20). The LB subnet(s) 2122 included in the control plane DMZ layer 2120 may be communicatively coupled to the application subnet(s) 2126 included in the control plane application layer 2112 and to an internet gateway 2134 (e.g., the internet gateway 1834 of FIG. 18) that may be included in the control plane VCN 2116, and the application subnet(s) 2126 may be communicatively coupled to the DB subnet(s) 2130 included in the control plane data layer 2128 and to a service gateway 2136 (e.g., the service gateway of FIG. 18) and a network address translation (NAT) gateway 2138 (e.g., the NAT gateway 1838 of FIG. 18). The control plane VCN 2116 may include the service gateway 2136 and the NAT gateway 2138.
The data plane VCN 2118 may include a data plane application layer 2146 (e.g., the data plane application layer 1846 of FIG. 18), a data plane DMZ layer 2148 (e.g., the data plane DMZ layer 2148 of FIG. 18), and a data plane data layer 2150 (e.g., the data plane data layer 1850 of FIG. 18). The data plane DMZ layer 2148 may include LB subnet(s) 2122 that may be communicatively coupled to trusted application subnet(s) 2160 (e.g., the trusted application subnet(s) 2060 of FIG. 20) and untrusted application subnet(s) 2162 (e.g., the untrusted application subnet(s) 2062 of FIG. 20) of the data plane application layer 2146 and to the internet gateway 2134 included in the data plane VCN 2118. The trusted application subnet(s) 2160 may be communicatively coupled to the service gateway 2136 included in the data plane VCN 2118, the NAT gateway 2138 included in the data plane VCN 2118, and the DB subnet(s) 2130 included in the data plane data layer 2150. The untrusted application subnet(s) 2162 may be communicatively coupled to the service gateway 2136 included in the data plane VCN 2118 and the DB subnet(s) 2130 included in the data plane data layer 2150. The data plane data layer 2150 may include DB subnet(s) 2130 that may be communicatively coupled to the service gateway 2136 included in the data plane VCN 2118.
The untrusted application subnet(s) 2162 may include primary VNICs 2164(1)-(N) that may be communicatively coupled to tenant virtual machines (VMs) 2166(1)-(N) residing within the untrusted application subnet(s) 2162. Each tenant VM 2166(1)-(N) may run code in a respective container 2167(1)-(N) and may be communicatively coupled to an application subnet 2126 that may be included in a data plane application layer 2146 that is included in a container egress VCN 2168. Respective secondary VNICs 2172(1)-(N) may facilitate communication between the untrusted application subnet(s) 2162 included in the data plane VCN 2118 and the application subnet included in the container egress VCN 2168. The container egress VCN may include a NAT gateway 2138 that may be communicatively coupled to the public internet 2154 (e.g., the public internet 1854 of FIG. 18).
The internet gateway 2134 included in the control plane VCN 2116 and included in the data plane VCN 2118 may be communicatively coupled to a metadata management service 2152 (e.g., the metadata management system 1852 of FIG. 18), which may be communicatively coupled to the public internet 2154. The public internet 2154 may be communicatively coupled to the NAT gateway 2138 included in the control plane VCN 2116 and included in the data plane VCN 2118. The service gateway 2136 included in the control plane VCN 2116 and included in the data plane VCN 2118 may be communicatively coupled to cloud services 2156.
In some examples, the pattern illustrated by the architecture of block diagram 2100 of FIG. 21 may be considered an exception to the pattern illustrated by the architecture of block diagram 2000 of FIG. 20, and this pattern may be desirable for a customer of the IaaS provider if the IaaS provider cannot directly communicate with the customer (e.g., a disconnected region). The customer may access, in real time, the respective containers 2167(1)-(N) included in each customer's VMs 2166(1)-(N). The containers 2167(1)-(N) may be configured to make calls to the respective secondary VNICs 2172(1)-(N) included in the application subnet(s) 2126 of the data plane application layer 2146, which may be included in the container egress VCN 2168. The secondary VNICs 2172(1)-(N) may transmit the calls to the NAT gateway 2138, which may transmit the calls to the public internet 2154. In this example, the containers 2167(1)-(N), which may be accessed by the customer in real time, may be isolated from the control plane VCN 2116 and may be isolated from other entities included in the data plane VCN 2118. The containers 2167(1)-(N) may also be isolated from resources of other customers.
In other examples, the customer may use the containers 2167(1)-(N) to call cloud services 2156. In this example, the customer may run code in the containers 2167(1)-(N) that requests a service from cloud services 2156. The containers 2167(1)-(N) may transmit this request to the secondary VNICs 2172(1)-(N), which may transmit the request to the NAT gateway, which may transmit the request to the public internet 2154. The public internet 2154 may transmit the request to the LB subnet(s) 2122 included in the control plane VCN 2116 via the internet gateway 2134. In response to determining that the request is valid, the LB subnet(s) may transmit the request to the application subnet(s) 2126, which may transmit the request to cloud services 2156 via the service gateway 2136.
It should be appreciated that the IaaS architectures 1800, 1900, 2000, and 2100 depicted in the figures may have components other than those depicted. Further, the embodiments shown in the figures are only some examples of a cloud infrastructure system that may incorporate an embodiment of the disclosure. In some other embodiments, the IaaS system may have more or fewer components than shown in the figures, may combine two or more components, or may have a different configuration or arrangement of components.
In certain embodiments, the IaaS systems described herein may include a suite of applications, middleware, and database service offerings that are delivered to a customer in a self-service, subscription-based, elastically scalable, reliable, highly available, and secure manner. An example of such an IaaS system is the Oracle Cloud Infrastructure (OCI) provided by the present assignee.
FIG. 22 illustrates an example computer system 2200 in which various embodiments of the present disclosure may be implemented. The system 2200 may be used to implement any of the computer systems described above. As shown, the computer system 2200 includes a processing unit 2204 that communicates with a number of peripheral subsystems via a bus subsystem 2202. These peripheral subsystems may include a processing acceleration unit 2206, an I/O subsystem 2208, a storage subsystem 2218, and a communications subsystem 2224. The storage subsystem 2218 includes tangible computer-readable storage media 2222 and a system memory 2210.
The bus subsystem 2202 provides a mechanism for letting the various components and subsystems of the computer system 2200 communicate with each other as intended. Although the bus subsystem 2202 is shown schematically as a single bus, alternative embodiments of the bus subsystem may utilize multiple buses. The bus subsystem 2202 may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. For example, such architectures may include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus, which may be implemented as a Mezzanine bus manufactured to the IEEE P1386.1 standard.
The processing unit 2204, which may be implemented as one or more integrated circuits (e.g., a conventional microprocessor or microcontroller), controls the operation of the computer system 2200. One or more processors may be included in the processing unit 2204. These processors may include single-core or multi-core processors. In certain embodiments, the processing unit 2204 may be implemented as one or more independent processing units 2232 and/or 2234, with a single-core or multi-core processor included in each processing unit. In other embodiments, the processing unit 2204 may also be implemented as a quad-core processing unit formed by integrating two dual-core processors into a single chip.
In various embodiments, the processing unit 2204 may execute a variety of programs in response to program code and may maintain multiple concurrently executing programs or processes. At any given time, some or all of the program code to be executed may reside in the processor(s) 2204 and/or in the storage subsystem 2218. Through suitable programming, the processor(s) 2204 may provide the various functions described above. The computer system 2200 may additionally include a processing acceleration unit 2206, which may include a digital signal processor (DSP), a special-purpose processor, and the like.
I/O subsystem 2208 may include user interface input devices and user interface output devices. User interface input devices may include a keyboard, pointing devices such as a mouse or trackball, a touchpad or touch screen incorporated into a display, a scroll wheel, a click wheel, a dial, buttons, switches, a keypad, audio input devices with voice command recognition systems, microphones, and other types of input devices. User interface input devices may also include, for example, motion sensing and/or gesture recognition devices, such as the Microsoft motion sensor, which enables users to control and interact with an input device such as the Microsoft 360 game controller through a natural user interface using gestures and spoken commands. User interface input devices may also include eye gesture recognition devices, such as the Google blink detector, which detects eye activity from the user (e.g., "blinking" while taking pictures and/or making a menu selection) and translates the eye gestures into input to an input device. Additionally, user interface input devices may include voice recognition sensing devices that enable users to interact with a voice recognition system (e.g., a navigator) through voice commands.
User interface input devices may also include, without limitation, three-dimensional (3D) mice, joysticks or pointing sticks, gamepads and graphic tablets, and audio/visual devices such as speakers, digital cameras, digital camcorders, portable media players, webcams, image scanners, fingerprint scanners, barcode readers, 3D scanners, 3D printers, laser rangefinders, and eye gaze tracking devices. Additionally, user interface input devices may include, for example, medical imaging input devices such as computed tomography, magnetic resonance imaging, positron emission tomography, and medical ultrasonography devices. User interface input devices may also include, for example, audio input devices such as MIDI keyboards, digital musical instruments, and the like.
User interface output devices may include a display subsystem, indicator lights, or non-visual displays such as audio output devices, etc. The display subsystem may be a cathode ray tube (CRT), a flat-panel device such as one using a liquid crystal display (LCD) or plasma display, a projection device, a touch screen, and the like. In general, use of the term "output device" is intended to include all possible types of devices and mechanisms for outputting information from computer system 2200 to a user or to another computer. For example, user interface output devices may include, without limitation, a variety of display devices that visually convey text, graphics and audio/video information, such as monitors, printers, speakers, headphones, automotive navigation systems, plotters, voice output devices, and modems.
Computer system 2200 may include a storage subsystem 2218 that comprises software elements, shown as being currently located within system memory 2210. System memory 2210 may store program instructions that are loadable and executable on processing unit 2204, as well as data generated during the execution of these programs.
Depending on the configuration and type of computer system 2200, system memory 2210 may be volatile (such as random access memory (RAM)) and/or non-volatile (such as read-only memory (ROM), flash memory, etc.). The RAM typically contains data and/or program modules that are immediately accessible to and/or presently being operated on and executed by processing unit 2204. In some implementations, system memory 2210 may include multiple different types of memory, such as static random access memory (SRAM) or dynamic random access memory (DRAM). In some implementations, a basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within computer system 2200 during start-up, may typically be stored in the ROM. By way of example, and not limitation, system memory 2210 is also shown as including application programs 2212, which may include client applications, web browsers, mid-tier applications, relational database management systems (RDBMS), etc., program data 2214, and an operating system 2216. By way of example, operating system 2216 may include various versions of Microsoft, Apple and/or Linux operating systems, a variety of commercially available UNIX or UNIX-like operating systems (including without limitation the variety of GNU/Linux operating systems, the Google operating system, etc.), and/or mobile operating systems such as iOS and other mobile operating systems.
Storage subsystem 2218 may also provide a tangible computer-readable storage medium for storing the basic programming and data constructs that provide the functionality of some embodiments. Software (programs, code modules, instructions) that, when executed by a processor, provides the functionality described above may be stored in storage subsystem 2218. These software modules or instructions may be executed by processing unit 2204. Storage subsystem 2218 may also provide a repository for storing data used in accordance with the present disclosure.
Storage subsystem 2218 may also include a computer-readable storage media reader 2220 that can further be connected to computer-readable storage media 2222. Together with and, optionally, in combination with system memory 2210, computer-readable storage media 2222 may comprehensively represent remote, local, fixed, and/or removable storage devices plus storage media for temporarily and/or more permanently containing, storing, transmitting, and retrieving computer-readable information.
Computer-readable storage media 2222 containing code, or portions of code, can also include any appropriate media known or used in the art, including storage media and communication media, such as, but not limited to, volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage and/or transmission of information. This can include tangible computer-readable storage media such as RAM, ROM, electrically erasable programmable ROM (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disk (DVD), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or other tangible computer-readable media. This can also include non-tangible computer-readable media, such as data signals, data transmissions, or any other medium which can be used to transmit the desired information and which can be accessed by computing system 2200.
By way of example, computer-readable storage media 2222 may include a hard disk drive that reads from or writes to non-removable, non-volatile magnetic media, a magnetic disk drive that reads from or writes to a removable, non-volatile magnetic disk, and an optical disk drive that reads from or writes to a removable, non-volatile optical disk such as a CD-ROM, DVD, or other optical media. Computer-readable storage media 2222 may include, but is not limited to, drives, flash memory cards, universal serial bus (USB) flash drives, secure digital (SD) cards, DVD disks, digital audio tape, and the like. Computer-readable storage media 2222 may also include solid-state drives (SSDs) based on non-volatile memory, such as flash-memory-based SSDs, enterprise flash drives, solid-state ROM, and the like; SSDs based on volatile memory, such as solid-state RAM, dynamic RAM, static RAM, DRAM-based SSDs, and magnetoresistive RAM (MRAM) SSDs; and hybrid SSDs that use a combination of DRAM- and flash-memory-based SSDs. The disk drives and their associated computer-readable media may provide non-volatile storage of computer-readable instructions, data structures, program modules, and other data for computer system 2200.
Communication subsystem 2224 provides an interface to other computer systems and networks. Communication subsystem 2224 serves as an interface for receiving data from other systems and transmitting data from computer system 2200 to other systems. For example, communication subsystem 2224 may enable computer system 2200 to connect to one or more devices via the Internet. In some embodiments, communication subsystem 2224 can include radio frequency (RF) transceiver components for accessing wireless voice and/or data networks (e.g., using cellular telephone technology, advanced data network technology such as 3G, 4G or EDGE (Enhanced Data rates for GSM Evolution), Wi-Fi (IEEE 802.11 family of standards), or other mobile communication technologies, or any combination thereof), global positioning system (GPS) receiver components, and/or other components. In some embodiments, communication subsystem 2224 can provide wired network connectivity (e.g., Ethernet) in addition to or instead of a wireless interface.
In some embodiments, communication subsystem 2224 may also receive input communication in the form of structured and/or unstructured data feeds 2226, event streams 2228, event updates 2230, and the like on behalf of one or more users who may use computer system 2200.
By way of example, communication subsystem 2224 may be configured to receive data feeds 2226 in real time from users of social networks and/or other communication services, such as feeds, updates, web feeds such as Rich Site Summary (RSS) feeds, and/or real-time updates from one or more third-party information sources.
Additionally, communication subsystem 2224 may also be configured to receive data in the form of continuous data streams, which may include event streams 2228 of real-time events and/or event updates 2230 that may be continuous or unbounded in nature with no explicit end. Examples of applications that generate continuous data may include, for example, sensor data applications, financial tickers, network performance measuring tools (e.g., network monitoring and traffic management applications), clickstream analysis tools, automobile traffic monitoring, and the like.
Communication subsystem 2224 may also be configured to output the structured and/or unstructured data feeds 2226, event streams 2228, event updates 2230, and the like to one or more databases that may be in communication with one or more streaming data source computers coupled to computer system 2200.
Computer system 2200 can be one of various types, including a handheld portable device (e.g., a cellular phone, a computing tablet, a PDA), a wearable device (e.g., a Glass head-mounted display), a PC, a workstation, a mainframe, a kiosk, a server rack, or any other data processing system.
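The unbounded event stream described above, as an added example that is not part of the patent's text: a bounded-memory consumer, written for this page, that reads a constructed mix of structured (JSON) and unstructured (key=value) event records with no terminator, discards records that do not parse, and derives event updates from a sliding time window so that the state it holds is bounded by the window, not by the length of the stream. The record fields (ts, source, kind), the sample source names, the auth_fail event kind and the rate threshold are all assumptions for illustration; the updates it yields stand in for the event updates 2230 that the subsystem may pass on downstream.

```python
"""Bounded-memory consumer for an unbounded event stream.

Added example for this page, not code from the patent. The stream is
modelled as an iterator of text records with no terminator; all sample
records, field names (ts, source, kind) and the rate threshold below are
constructed assumptions for illustration.
"""
import json
import re
from collections import defaultdict, deque
from typing import Iterable, Iterator, Optional

# Constructed sample records: a mix of structured (JSON) and unstructured
# (key=value) lines, plus one line that cannot be parsed at all.
SAMPLE_STREAM = [
    '{"ts": 100, "source": "vcn-a", "kind": "auth_fail"}',
    "ts=101 source=vcn-b kind=request",
    '{"ts": 102, "source": "vcn-a", "kind": "auth_fail"}',
    "garbage line that parses as nothing",
    '{"ts": 103, "source": "vcn-a", "kind": "auth_fail"}',
    "ts=104 source=vcn-a kind=auth_fail",
    '{"ts": 130, "source": "vcn-a", "kind": "auth_fail"}',
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Optional[dict]:
    """Normalise one record to {"ts": int, "source": str, "kind": str}.

    Returns None for anything that does not carry all three fields, so a
    malformed or hostile record can never stall the consumer.
    """
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line) if line.startswith("{") else dict(_KV.findall(line))
        return {"ts": int(rec["ts"]), "source": str(rec["source"]), "kind": str(rec["kind"])}
    except (ValueError, KeyError, TypeError):
        return None


class WindowedRateCheck:
    """Per-source sliding-window counter for one event kind.

    Only timestamps inside the last `window` seconds are retained, so the
    state held is bounded by the window, not by how long the stream runs.
    """

    def __init__(self, kind: str, window: int, threshold: int) -> None:
        self.kind, self.window, self.threshold = kind, window, threshold
        self._hits: dict = defaultdict(deque)

    def observe(self, ev: dict) -> Optional[dict]:
        """Record one event; return an event update when the threshold is reached."""
        if ev["kind"] != self.kind:
            return None
        q = self._hits[ev["source"]]
        q.append(ev["ts"])
        while q and q[0] <= ev["ts"] - self.window:  # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return {"ts": ev["ts"], "source": ev["source"], "kind": self.kind, "count": len(q)}
        return None


def consume(lines: Iterable[str], check: WindowedRateCheck, stats: dict) -> Iterator[dict]:
    """Generator over an unbounded stream: yields event updates as they arise.

    The stream is never materialised; stats["dropped"] counts unparseable records.
    """
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            stats["dropped"] = stats.get("dropped", 0) + 1
            continue
        update = check.observe(ev)
        if update is not None:
            yield update


def run_sample(window: int = 10, threshold: int = 3):
    """Run the constructed sample through the consumer; returns (updates, dropped)."""
    stats: dict = {}
    updates = list(consume(SAMPLE_STREAM, WindowedRateCheck("auth_fail", window, threshold), stats))
    return updates, stats.get("dropped", 0)


if __name__ == "__main__":
    for u in run_sample()[0]:
        print(u)
```

With the defaults (a 10-second window, threshold 3) the sample produces updates at ts 103 and 104 for vcn-a and nothing at ts 130, because the four earlier timestamps have aged out of the window by then; the unparseable line is counted as dropped rather than raising. A real deployment would read `lines` from the network socket or feed rather than a list, and the generator shape is what keeps that working for a stream that never ends.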
Due to the ever-changing nature of computers and networks, the description of computer system 2200 depicted in the figure is intended only as a specific example. Many other configurations having more or fewer components than the system depicted in the figure are possible. For example, customized hardware might also be used and/or particular elements might be implemented in hardware, firmware, software (including applets), or a combination thereof. Further, connection to other computing devices, such as network input/output devices, may be employed. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will appreciate other ways and/or methods to implement the various embodiments.
Although specific embodiments of the disclosure have been described, various modifications, alterations, alternative constructions, and equivalents are also encompassed within the scope of the disclosure. Embodiments of the present disclosure are not restricted to operation within certain specific data processing environments, but are free to operate within a plurality of data processing environments. Additionally, although embodiments of the present disclosure have been described using a particular series of transactions and steps, it should be apparent to those skilled in the art that the scope of the present disclosure is not limited to the described series of transactions and steps. Various features and aspects of the above-described embodiments may be used individually or jointly.
Further, while embodiments of the present disclosure have been described using a particular combination of hardware and software, it should be recognized that other combinations of hardware and software are also within the scope of the present disclosure. Embodiments of the present disclosure may be implemented only in hardware, or only in software, or using combinations thereof. The various processes described herein can be implemented on the same processor or on different processors in any combination. Accordingly, where components or modules are described as being configured to perform certain operations, such configuration can be accomplished, for example, by designing electronic circuits to perform the operation, by programming programmable electronic circuits (such as microprocessors) to perform the operation, or any combination thereof. Processes can communicate using a variety of techniques, including but not limited to conventional techniques for inter-process communication, and different pairs of processes may use different techniques, or the same pair of processes may use different techniques at different times.
The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that additions, subtractions, deletions, and other modifications and changes may be made thereunto without departing from the broader spirit and scope as set forth in the claims. Thus, although specific embodiments of the disclosure have been described, these are not intended to be limiting. Various modifications and equivalents are within the scope of the following claims.
The use of the terms "a" and "an" and "the" and similar referents in the context of describing the disclosed embodiments (especially in the context of the following claims) is to be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The terms "comprising," "having," "including," and "containing" are to be construed as open-ended terms (i.e., meaning "including, but not limited to") unless otherwise noted. The term "connected" is to be construed as partly or wholly contained within, attached to, or joined together, even if there is something intervening. Recitation of ranges of values herein is merely intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein, and each separate value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g., "such as") provided herein, is intended merely to better illuminate embodiments of the disclosure and does not pose a limitation on the scope of the disclosure unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the disclosure.
Disjunctive language such as the phrase "at least one of X, Y, or Z," unless specifically stated otherwise, is intended to be understood within the context as used in general to present that an item, term, etc., may be either X, Y, or Z, or any combination thereof (e.g., X, Y, and/or Z). Thus, such disjunctive language is not generally intended to, and should not, imply that certain embodiments require at least one of X, at least one of Y, or at least one of Z to each be present.
Preferred embodiments of this disclosure are described herein, including the best mode known to the inventors for carrying out the disclosure. Variations of those preferred embodiments may become apparent to those of ordinary skill in the art upon reading the foregoing description. The inventors expect skilled artisans to employ such variations as appropriate, and the inventors intend for the disclosure to be practiced otherwise than as specifically described herein. Accordingly, this disclosure includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the disclosure unless otherwise indicated herein or otherwise clearly contradicted by context.
All references, including publications, patent applications, and patents, cited herein are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety herein. In the foregoing specification, aspects of the disclosure are described with reference to specific embodiments thereof, but those skilled in the art will recognize that the disclosure is not limited thereto. Various features and aspects of the above-described disclosure may be used individually or jointly. Further, embodiments can be utilized in any number of environments and applications beyond those described herein without departing from the broader spirit and scope of the specification. The specification and drawings are, accordingly, to be regarded as illustrative rather than restrictive.
Claims (20)
Applications Claiming Priority (10)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US63/306,007 | 2022-02-02 | ||
US63/306,918 | 2022-02-04 | ||
US63/321,614 | 2022-03-18 | ||
US63/333,965 | 2022-04-22 | ||
US63/336,811 | 2022-04-29 | ||
US63/339,297 | 2022-05-06 | ||
US63/350,212 | 2022-06-08 | ||
US202263416784P | 2022-10-17 | 2022-10-17 | |
US63/416,784 | 2022-10-17 | ||
PCT/US2023/061721 WO2023150530A1 (en) | 2022-02-02 | 2023-02-01 | Observability framework for a multi-cloud infrastructure |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118696301A true CN118696301A (en) | 2024-09-24 |
Family
ID=92766981
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202380019796.2A Pending CN118696301A (en) | 2022-02-02 | 2023-02-01 | Observability framework for multi-cloud infrastructure |
CN202380019801.XA Pending CN118696302A (en) | 2022-02-02 | 2023-02-01 | Generate graphical user interfaces for multi-cloud applications |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202380019801.XA Pending CN118696302A (en) | 2022-02-02 | 2023-02-01 | Generate graphical user interfaces for multi-cloud applications |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN118696301A (en) |
2023
- 2023-02-01 CN CN202380019796.2A patent/CN118696301A/en active Pending
- 2023-02-01 CN CN202380019801.XA patent/CN118696302A/en active Pending
Also Published As
Publication number | Publication date |
---|---|
CN118696302A (en) | 2024-09-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP2025507288A (en) | Identity propagation across different cloud service providers | |
US20230244540A1 (en) | Multi-cloud control plane architecture | |
US20230244505A1 (en) | Generating graphical user interfaces for multi-cloud applications | |
JP2025506394A (en) | Configuring network links to establish communication between different cloud environments | |
JP2025506396A (en) | Network technology to enable communication between different cloud environments | |
US20240129242A1 (en) | Network link establishment for saas applications in a multi-cloud infrastructure | |
US20250086001A1 (en) | Token exchange service | |
CN118696301A (en) | Observability framework for multi-cloud infrastructure | |
CN118647978A (en) | Multi-cloud control plane architecture | |
CN118633082A (en) | Configure the network-link used to establish communication between different cloud environments | |
WO2024233126A1 (en) | Architecture of a multicloud network link | |
CN118661160A (en) | Using Cloud-Link Adapter for consumption of cloud services |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |