CN118871892A - Multi-Cloud Infrastructure Database Adapter - Google Patents

Abstract

Techniques for providing an adapter in a first cloud infrastructure (FCI) associated with a service provided by the FCI are described. The adapter enables one or more users associated with one or more accounts in a second cloud infrastructure (SCI) to request the service, wherein the SCI is different from the FCI. The adapter receives a first request to create a resource in the FCI from a first user associated with a first account in the SCI. The adapter executes a workflow to provision the resource using the service, wherein the workflow includes processing including: retrieving a resource principal associated with the resource and transmitting a second request to the service provided by the FCI. The second request includes the resource principal and corresponds to the creation of the resource.

Description

Multi-cloud infrastructure database adapter

Cross Reference to Related Applications

The present application is a non-provisional application and claims benefit from each provisional application below. The entire contents of each of the provisional applications listed below are incorporated herein by reference for all purposes.

(1) U.S. provisional application No.63/306,007 filed 2/2022;

(2) U.S. provisional application No.63/306,918, filed 2/4/2022;

(3) U.S. provisional application No.63/321,614, filed 3/18 at 2022;

(4) U.S. provisional application No.63/333,965, filed on 22, 4, 2022;

(5) U.S. provisional application No.63/336,811, filed on 4/29 of 2022;

(6) U.S. provisional application Ser. No.63/339,297, filed 5/6/2022;

(7) U.S. provisional application No.63/357,541, filed on 6/30 of 2022; and

(8) U.S. provisional application No.63/388,925 filed on 7.13.2022.

Technical Field

The present disclosure relates to cloud architecture, and more particularly to techniques for linking two cloud environments so that a user of one cloud environment may use services provided by the other cloud environment.

Background

The adoption rate of cloud services has increased dramatically over the past few years and this trend has only increased. Different Cloud Service Providers (CSPs) provide a variety of different cloud environments, each providing a set of one or more cloud services. The set of cloud services provided by the cloud environment may include one or more different types of services including, but not limited to, software as a service (SaaS) services, infrastructure as a service (IaaS) services, platform as a service (PaaS) services, and the like.

While various cloud environments are currently available, each provides a closed ecosystem for its subscribing clients. As a result, clients of the cloud environment are limited to using services provided by the cloud environment. For customers subscribing to a cloud environment provided by a CSP, there is no easy way to use services provided in different cloud environments provided by different CSPs via the cloud environment. The embodiments discussed herein address these and other issues. The embodiments discussed herein address these and other issues.

Disclosure of Invention

The present disclosure relates generally to improved cloud architecture, and more particularly to techniques for linking two clouds so that a user of one cloud environment may use services provided by a different cloud environment. Various embodiments are described herein, including methods, systems, non-transitory computer-readable storage media storing programs, code, or instructions executable by one or more processors, and the like. Some embodiments may be implemented using a computer program product comprising a computer program/instructions which, when executed by a processor, cause the processor to perform any of the methods described in the present disclosure.

Embodiments of the present disclosure provide a multi-cloud control plane (MCCP) framework that provides the ability to deliver services of a particular cloud network (e.g., oracle Cloud Infrastructure (OCI)) to users on other clouds (e.g., in Microsoft Azure). The MCCP framework allows a user (of other cloud environment (s)) to access a service of the cloud environment (e.g., paaS service) while providing a user experience that is as close as possible to the user's native cloud environment(s). A key value claim of MCCP is the complete data plane capability that a customer will be able to experience a service in an external cloud.

One embodiment of the present disclosure is directed to a method comprising: providing, in a first cloud infrastructure, an adapter associated with a service provided by the first cloud infrastructure, the adapter enabling one or more users associated with one or more accounts in a second cloud infrastructure to request the service, wherein the second cloud infrastructure is different from the first cloud infrastructure; receiving, by the adapter, a first request to create a resource in the first cloud infrastructure from a first user associated with a first account in the second cloud infrastructure; and executing, by the adapter, a workflow to use the service provisioning resource, wherein the workflow includes a process comprising: retrieving a resource principal associated with the resource; and transmitting a second request to a service provided by the first cloud infrastructure, the second request requesting creation of a resource, wherein the second request includes a resource principal.

An aspect of the present disclosure provides a computing device comprising one or more data processors and a non-transitory computer-readable storage medium containing instructions that, when executed on the one or more data processors, cause the computing device to perform part or all of one or more methods disclosed herein.

Another aspect of the present disclosure provides a computer program product tangibly embodied in a non-transitory machine-readable storage medium, comprising instructions configured to cause one or more data processors to perform part or all of one or more methods disclosed herein.

The foregoing and other features and embodiments will become more apparent when reference is made to the following description, claims and accompanying drawings.

Drawings

The features, embodiments, and advantages of the present disclosure may be better understood when the following detailed description is read with reference to the accompanying drawings.

Fig. 1 is a high-level diagram illustrating a distributed environment of a virtual or overlay cloud network hosted by a cloud service provider infrastructure, in accordance with some embodiments.

Fig. 2 depicts a simplified architectural diagram of physical components in a physical network within a CSPI, in accordance with some embodiments.

FIG. 3 illustrates an example arrangement within a CSPI in which a host machine is connected to multiple Network Virtualization Devices (NVDs), in accordance with certain embodiments.

FIG. 4 depicts connectivity between a host machine and NVD for providing I/O virtualization to support multi-tenancy (multitenancy), in accordance with certain embodiments.

Fig. 5 depicts a simplified block diagram of a physical network provided by a CSPI, in accordance with some embodiments.

Fig. 6 depicts a simplified high-level diagram of a distributed environment including multiple cloud environments provided by different Cloud Service Providers (CSPs), where a cloud environment includes a particular cloud environment providing a specialized infrastructure that enables one or more cloud services provided by the particular cloud environment to be used by customers of other cloud environments, in accordance with certain embodiments.

Fig. 7 depicts an exemplary high-level architecture of a multi-cloud control plane (MCCP) according to some embodiments.

Fig. 8A and 8B depict an exemplary process for linking two user accounts in different cloud environments, according to some embodiments.

Fig. 9A depicts an exemplary system diagram illustrating components of a multi-cloud control plane (MCCP) according to some embodiments.

Fig. 9B illustrates an exemplary flowchart depicting steps performed by the cloudy infrastructure, in accordance with certain embodiments.

FIG. 10A illustrates a system diagram of a database adapter, according to some embodiments.

FIG. 10B illustrates an exemplary request submitted to a database adapter in accordance with certain embodiments.

FIG. 10C illustrates an exemplary response provided by a database adapter, in accordance with certain embodiments.

FIG. 11 illustrates an exemplary flowchart depicting steps performed by a database adapter in accordance with certain embodiments.

Fig. 12 is a block diagram illustrating one mode for implementing a cloud infrastructure as a service system in accordance with at least one embodiment.

Fig. 13 is a block diagram illustrating another mode for implementing a cloud infrastructure as a service system in accordance with at least one embodiment.

Fig. 14 is a block diagram illustrating another mode for implementing a cloud infrastructure as a service system in accordance with at least one embodiment.

Fig. 15 is a block diagram illustrating another mode for implementing a cloud infrastructure as a service system in accordance with at least one embodiment.

FIG. 16 is a block diagram illustrating an example computer system in accordance with at least one embodiment.

Detailed Description

In the following description, for purposes of explanation, specific details are set forth in order to provide a thorough understanding of certain embodiments. It may be evident, however, that various embodiments may be practiced without these specific details. The drawings and description are not intended to be limiting. The word "exemplary" is used herein to mean "serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs.

The present disclosure relates generally to improved cloud architecture, and more particularly to techniques for linking two clouds so that a user of one cloud environment may use services provided by a different cloud environment. Various embodiments are described herein, including methods, systems, non-transitory computer-readable storage media storing programs, code, or instructions executable by one or more processors, and the like. Some embodiments may be implemented using a computer program product comprising a computer program/instructions which, when executed by a processor, cause the processor to perform any of the methods described in the present disclosure.

Embodiments of the present disclosure provide a multi-cloud control plane (MCCP) framework that provides the ability to deliver services of a particular cloud network (e.g., oracle Cloud Infrastructure (OCI)) to users on other clouds (e.g., in Microsoft Azure). The MCCP framework allows a user (of other cloud environment (s)) to access a service of the cloud environment (e.g., paaS service) while providing a user experience that is as close as possible to the user's native cloud environment(s). A key value claim of MCCP is the complete data plane capability that a customer will be able to experience a service in an external cloud.

The MCCP enables a user of the second cloud infrastructure (e.g., azure user) to use resources (e.g., database resources) provided by the first cloud infrastructure (e.g., OCI) in a manner transparent to the user. In particular, services provided by a first cloud infrastructure appear as "native" services in a second cloud infrastructure. This allows the customer of the second cloud infrastructure to access the services provided by the first cloud infrastructure natively. As will be described below with reference to fig. 6-11, MCCP is a collection of micro services executing in a first cloud infrastructure that exposes resources of the first cloud infrastructure for use by external cloud users (e.g., users of a second cloud infrastructure). Each micro-service acts as a proxy providing communication with resources provided by the first cloud infrastructure.

Example of cloud networks

The term cloud service is generally used to refer to a service that is made available to users or customers on demand (e.g., via a subscription model) by a Cloud Service Provider (CSP) using the systems and infrastructure (cloud infrastructure) provided by the CSP. Typically, the servers and systems that make up the CSP infrastructure are separate from the customer's own provisioning servers and systems. Thus, customers can utilize cloud services provided by CSPs without purchasing separate hardware and software resources for the services. Cloud services are designed to provide subscribing clients with simple, extensible access to applications and computing resources without requiring the clients to invest in purchasing infrastructure for providing the services.

There are several cloud service providers that offer various types of cloud services. There are various different types or models of cloud services, including software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), and the like.

A customer may subscribe to one or more cloud services provided by the CSP. The customer may be any entity, such as an individual, organization, business, etc. When a customer subscribes to or registers for a service provided by the CSP, a lease or account will be created for the customer. The customer may then access one or more cloud resources of the subscription associated with the account via this account.

As described above, infrastructure as a service (IaaS) is a specific type of cloud computing service. In the IaaS model, CSPs provide an infrastructure (referred to as a cloud service provider infrastructure or CSPI) that customers can use to build their own customizable networks and deploy customer resources. Thus, the customer's resources and network are hosted in a distributed environment by the CSP's provided infrastructure. This is in contrast to traditional computing, where the customer's resources and network are hosted by the customer's provided infrastructure.

The CSPI may include interconnected high-performance computing resources, including various host machines, memory resources, and network resources that form a physical network, also referred to as a baseboard or underlay network. Resources in the CSPI may be spread over one or more data centers, which may be geographically spread over one or more geographic areas. Virtualization software may be executed by these physical resources to provide a virtualized distributed environment. Virtualization creates an overlay network (also referred to as a software-based network, a software-defined network, or a virtual network) on a physical network. The CSPI physical network provides an underlying foundation for creating one or more overlay or virtual networks over the physical network. The physical network (or substrate network or underlay network) includes physical network devices such as physical switches, routers, computers, and host machines. An overlay network is a logical (or virtual) network that runs on top of a physical substrate network. A given physical network may support one or more overlay networks. Overlay networks typically use encapsulation techniques to distinguish traffic belonging to different overlay networks. Virtual or overlay networks are also known as Virtual Cloud Networks (VCNs). Virtual networks are implemented using software virtualization techniques (e.g., hypervisors), virtualization functions implemented by Network Virtualization Devices (NVDs) (e.g., smartNIC), top-of-rack (TOR) switches, intelligent TORs that implement one or more functions performed by NVDs, and other mechanisms) to create a network abstraction layer that can run over a physical network. Virtual networks may take many forms, including peer-to-peer networks, IP networks, and the like. The virtual network is typically a layer 3IP network or a layer 2VLAN. This method of virtual or overlay networking is often referred to as a virtual or overlay 3 network. Examples of protocols developed for virtual networks include IP-in-IP (or Generic Routing Encapsulation (GRE)), virtual extensible LAN (VXLAN-IETF RFC 7348), virtual Private Networks (VPNs) (e.g., MPLS layer 3 virtual private networks (RFC 4364)), NSX of VMware, GENEVE, and the like.

For IaaS, the infrastructure provided by CSP (CSPI) may be configured to provide virtualized computing resources over a public network (e.g., the internet). In the IaaS model, cloud computing service providers may host infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., hypervisor layer), etc.). In some cases, the IaaS provider may also offer various services to accompany those infrastructure components (e.g., billing, monitoring, logging, security, load balancing, clustering, etc.). Thus, as these services may be policy driven, iaaS users may be able to implement policies to drive load balancing to maintain application availability and performance. CSPI provides an infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services in a highly available hosted distributed environment. CSPI provides high performance computing resources and capabilities as well as storage capacity in a flexible virtual network that is securely accessible from various networking locations, such as from a customer's pre-set network. When a customer subscribes to or registers for an IaaS service provided by the CSP, the lease created for that customer is a secure and sequestered partition within the CSPI in which the customer can create, organize and manage their cloud resources.

Customers may build their own virtual network using the computing, memory, and networking resources provided by the CSPI. One or more customer resources or workloads, such as computing instances, may be deployed on these virtual networks. For example, a customer may use resources provided by the CSPI to build one or more customizable and private virtual networks, referred to as Virtual Cloud Networks (VCNs). A customer may deploy one or more customer resources, such as computing instances, on a customer VCN. The computing instances may take the form of virtual machines, bare metal instances, and the like. Thus, the CSPI provides an infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services in a highly available virtual hosted environment. Customers do not manage or control the underlying physical resources provided by the CSPI, but have control over the operating system, storage, and deployed applications; and possibly also limited control of selected networking components (e.g., firewalls).

CSP may provide a console that enables clients and network administrators to use CSPI resources to configure, access, and manage resources deployed in the cloud. In some embodiments, the console provides a web-based user interface that may be used to access and manage the CSPI. In some implementations, the console is a web-based application provided by the CSP.

The CSPI may support single-lease or multi-lease architectures. In a single tenancy architecture, software (e.g., applications, databases) or hardware components (e.g., host machines or servers) serve a single customer or tenant. In a multi-tenancy architecture, software or hardware components serve multiple customers or tenants. Thus, in a multi-tenancy architecture, the CSPI resources are shared among multiple customers or tenants. In the multi-tenancy case, precautions are taken and safeguards are implemented in the CSPI to ensure that each tenant's data is isolated and remains invisible to other tenants.

In a physical network, an endpoint ("endpoint") refers to a computing device or system that connects to and communicates back and forth with the network to which it is connected. Network endpoints in a physical network may be connected to a Local Area Network (LAN), wide Area Network (WAN), or other type of physical network. Examples of traditional endpoints in a physical network include modems, hubs, bridges, switches, routers and other network devices, physical computers (or host machines), and the like. Each physical device in the physical network has a fixed network address available for communication with the device. This fixed network address may be a layer 2 address (e.g., a MAC address), a fixed layer 3 address (e.g., an IP address), etc. In a virtualized environment or virtual network, endpoints may include various virtual endpoints, such as virtual machines hosted by components of a physical network (e.g., by physical host machines). These endpoints in the virtual network are addressed by overlay addresses, such as overlay 2 addresses (e.g., overlay MAC addresses) and overlay 3 addresses (e.g., overlay IP addresses). Network coverage enables flexibility by allowing a network administrator to move around an overlay address associated with a network endpoint using software management (e.g., via software implementing a control plane for a virtual network). Thus, unlike physical networks, in virtual networks, an overlay address (e.g., an overlay IP address) may be moved from one endpoint to another endpoint using network management software. Because the virtual network builds on top of the physical network, communication between components in the virtual network involves the virtual network and the underlying physical network. To facilitate such communications, components of the CSPI are configured to learn and store mappings that map overlay addresses in the virtual network to actual physical addresses in the baseboard network, and vice versa. These mappings are then used to facilitate communications. Customer traffic is encapsulated to facilitate routing in the virtual network.

Thus, a physical address (e.g., a physical IP address) is associated with a component in the physical network, and an overlay address (e.g., an overlay IP address) is associated with an entity in the virtual or overlay network. The physical IP address is an IP address associated with a physical device (e.g., a network device) in the substrate or physical network. For example, each NVD has an associated physical IP address. The overlay IP address is an overlay address associated with an entity in the overlay network, such as an overlay address associated with a computing instance in a Virtual Cloud Network (VCN) of a customer. Two different customers or tenants each having their own private VCN can potentially use the same overlay IP address in their VCN without having to know each other. Both the physical IP address and the overlay IP address are types of real IP addresses. They are separate from the virtual IP address. The virtual IP address is typically a single IP address that represents or maps to multiple real IP addresses. The virtual IP address provides a one-to-many mapping between the virtual IP address and a plurality of real IP addresses. For example, the load balancer may use VIP to map or represent multiple servers, each with its own real IP address.

The cloud infrastructure or CSPI is physically hosted in one or more data centers in one or more areas of the world. The CSPI may include components in a physical or substrate network and virtualized components located in a virtual network built upon the physical network components (e.g., virtual networks, computing instances, virtual machines, etc.). In certain embodiments, the CSPI is organized and hosted in domains, regions, and availability domains. An area is typically a localized geographic area containing one or more data centers. The regions are generally independent of each other and may be far apart, e.g., across a country or even continent. For example, the first region may be in australia, another in japan, another in india, etc. The CSPI resources are divided among the regions such that each region has its own independent subset of CSPI resources. Each region may provide a set of core infrastructure services and resources, such as computing resources (e.g., bare machine servers, virtual machines, containers, and related infrastructure, etc.); storage resources (e.g., block volume storage, file storage, object storage, archive storage); networking resources (e.g., virtual Cloud Network (VCN), load balancing resources, connections to a pre-set network), database resources; edge networking resources (e.g., DNS); and access to management and monitoring resources, etc. Each region typically has multiple paths connecting it to other regions in the field.

In general, an application is deployed in an area where it is most frequently used (i.e., on the infrastructure associated with the area) because resources in the vicinity are used faster than resources in the far away. Applications may also be deployed in different areas for various reasons, such as redundancy to mitigate risk of regional-wide events (such as large weather systems or earthquakes) to meet different requirements of legal jurisdictions, tax domains, and other business or social standards, and the like.

Data centers within an area may be further organized and subdivided into Availability Domains (ADs). The availability domain may correspond to one or more data centers located within the area. An area may be comprised of one or more availability domains. In such a distributed environment, the CSPI resources are either region-specific, such as a Virtual Cloud Network (VCN), or availability domain-specific, such as a computing instance.

The ADs within the area are isolated from each other, fault tolerant, and configured such that they are highly unlikely to fail simultaneously. This is achieved by the ADs not sharing critical infrastructure resources (such as networking, physical cables, cable paths, cable entry points, etc.) so that a failure at one AD within a region is less likely to affect the availability of other ADs within the same region. ADs within the same area may be connected to each other through low latency, high bandwidth networks, which may allow for high availability connections to other networks (e.g., the internet, customer's preset network, etc.) and building replication systems in multiple ADs to achieve both high availability and disaster recovery. Cloud services use multiple ADs to ensure high availability and prevent resource failures. As the infrastructure provided by IaaS providers grows, more area and ADs and additional capacity can be added. Traffic between availability domains is typically encrypted.

In some embodiments, the regions are grouped into domains. A domain is a logical collection of regions. The domains are isolated from each other and do not share any data. Areas in the same domain may communicate with each other, but areas in different domains cannot. The customer's lease or account with the CSP exists in a single domain and may be spread across one or more areas belonging to that domain. Typically, when a customer subscribes to an IaaS service, a lease or account is created for the customer in an area designated by the customer within the domain (referred to as the "home" area). The customer may extend the customer's lease to one or more other areas within the domain. The customer cannot access an area that is not in the area of the customer's rental lot.

The IaaS provider may offer a plurality of domains, each domain meeting the needs of a particular set of customers or users. For example, business fields may be provided for business clients. As another example, for customers within a particular country, the domain may be provided in that country. As yet another example, government may be provided with government domains, and so forth. For example, a government domain may meet the needs of a particular government and may have a higher level of security than a business domain. For example, oracle Cloud Infrastructure (OCI) currently provides a domain for business areas and two domains (e.g., fedRAMP-authorized and IL 5-authorized) for government cloud areas.

In some embodiments, an AD may be subdivided into one or more fault domains. The fault domain is a grouping of infrastructure resources within the AD to provide anti-affinity (anti-affinity). The failure domain allows for the distribution of computing instances such that they are not located on the same physical hardware within a single AD. This is called counteraffinity. A failure domain refers to a group of hardware components (computers, switches, etc.) that share a single point of failure. The computing pool is logically divided into fault domains. Thus, a hardware failure or computing hardware maintenance event affecting one failure domain does not affect instances in other failure domains. The number of fault domains per AD may vary depending on the embodiment. For example, in some embodiments, each AD contains three fault domains. The failure domain acts as a logical data center within the AD.

When a customer subscribes to the IaaS service, resources from the CSPI are provisioned to the customer and associated with the customer's lease. Clients can use these provisioned resources to build private networks and deploy resources on these networks. Customer networks hosted in the cloud by CSPI are referred to as Virtual Cloud Networks (VCNs). A customer may set up one or more Virtual Cloud Networks (VCNs) using CSPI resources allocated for the customer. VCNs are virtual or software defined private networks. Customer resources deployed in a customer's VCN may include computing instances (e.g., virtual machines, bare metal instances) and other resources. These computing instances may represent various customer workloads, such as applications, load balancers, databases, and the like. Computing instances deployed on a VCN may communicate with publicly accessible endpoints ("public endpoints"), with other instances in the same VCN or other VCNs (e.g., other VCNs of customers or VCNs not belonging to customers), with customer's preset data centers or networks, and with service endpoints and other types of endpoints through a public network such as the internet.

CSP may use CSPI to provide various services. In some cases, the customers of the CSPI may themselves behave like a service provider and provide services using CSPI resources. The service provider may expose service endpoints characterized by identification information (e.g., IP address, DNS name, and port). The customer's resources (e.g., computing instances) may use the particular service by accessing the service endpoints exposed by the service for the particular service. These service endpoints are typically endpoints that a user can publicly access via a public communications network, such as the internet, using a public IP address associated with the endpoint. Publicly accessible network endpoints are sometimes referred to as public endpoints.

In some embodiments, a service provider may expose a service via an endpoint for the service (sometimes referred to as a service endpoint). The customer of the service may then use this service endpoint to access the service. In some embodiments, a service endpoint that provides a service may be accessed by multiple clients that intend to consume the service. In other embodiments, a dedicated service endpoint may be provided for a customer such that only the customer may use the dedicated service endpoint to access a service.

In some embodiments, when the VCN is created, it is associated with a private overlay classless inter-domain routing (CIDR) address space, which is a series of private overlay IP addresses (e.g., 10.0/16) assigned to the VCN. The VCN includes associated subnets, routing tables, and gateways. The VCNs reside within a single area, but may span one or more or all of the area's availability domain. The gateway is a virtual interface configured for the VCN and enables traffic to be communicated to and from the VCN to one or more endpoints external to the VCN. One or more different types of gateways may be configured for the VCN to enable communications to and from different types of endpoints.

The VCN may be subdivided into one or more subnetworks, such as one or more subnetworks. Thus, a subnet is a configured unit or subdivision that can be created within a VCN. The VCN may have one or more subnets. Each subnet within a VCN is associated with a contiguous range of overlay IP addresses (e.g., 10.0.0.0/24 and 10.0.1.0/24) that do not overlap with other subnets in the VCN and represent a subset of the address space within the address space of the VCN.

Each computing instance is associated with a Virtual Network Interface Card (VNIC), which enables the computing instance to participate in a subnet of the VCN. VNICs are logical representations of physical Network Interface Cards (NICs). Generally, a VNIC is an interface between an entity (e.g., a computing instance, a service) and a virtual network. The VNICs exist in a subnet with one or more associated IP addresses and associated security rules or policies. The VNICs correspond to layer 2 ports on the switch. The VNICs are attached to the computing instance and to a subnet within the VCN. The VNICs associated with the computing instance enable the computing instance to be part of a subnet of the VCN and enable the computing instance to communicate (e.g., send and receive packets) with endpoints that are on the same subnet as the computing instance, with endpoints in different subnets in the VCN, or with endpoints external to the VCN. Thus, the VNICs associated with the computing instance determine how the computing instance connects with endpoints internal and external to the VCN. When a computing instance is created and added to a subnet within a VCN, a VNIC for the computing instance is created and associated with the computing instance. For a subnet that includes a set of computing instances, the subnet contains VNICs corresponding to the set of computing instances, each VNIC attached to a computing instance within the set of computing instances.

Each computing instance is assigned a private overlay IP address via the VNIC associated with the computing instance. This private overlay network IP address is assigned to the VNIC associated with the computing instance and is used to route traffic to and from the computing instance when the computing instance is created. All VNICs in a given subnetwork use the same routing table, security list, and DHCP options. As described above, each subnet within a VCN is associated with a contiguous range of overlay IP addresses (e.g., 10.0.0.0/24 and 10.0.1.0/24) that do not overlap with other subnets in the VCN and represent a subset of the address space within the address space of the VCN. For a VNIC on a particular subnet of a VCN, the private overlay IP address assigned to that VNIC is an address from a contiguous range of overlay IP addresses allocated for the subnet.

In some embodiments, in addition to private overlay IP addresses, the computing instance may optionally be assigned additional overlay IP addresses, such as, for example, one or more public IP addresses if in a public subnet. The plurality of addresses are assigned either on the same VNIC or on a plurality of VNICs associated with the computing instance. But each instance has a master VNIC that is created during instance startup and is associated with an overlay private IP address assigned to the instance—this master VNIC cannot be deleted. Additional VNICs, referred to as secondary VNICs, may be added to existing instances in the same availability domain as the primary VNIC. All VNICs are in the same availability domain as this example. The auxiliary VNICs may be located in a subnet in the same VCN as the main VNIC or in a different subnet in the same VCN or a different VCN.

If the computing instance is in a public subnet, it may optionally be assigned a public IP address. When creating a subnet, the subnet may be designated as a public subnet or a private subnet. A private subnet means that resources (e.g., compute instances) and associated VNICs in the subnet cannot have a public overlay IP address. A public subnet means that resources in a subnet and associated VNICs may have a public IP address. A customer may specify that a subnet exists in a single availability domain or across multiple availability domains in a region or domain.

As described above, the VCN may be subdivided into one or more subnets. In some embodiments, a Virtual Router (VR) configured for a VCN (referred to as a VCN VR or simply VR) enables communication between subnets of the VCN. For a subnet within a VCN, VR represents a logical gateway for that subnet that enables that subnet (i.e., the computing instance on that subnet) to communicate with endpoints on other subnets within the VCN as well as with other endpoints outside the VCN. The VCN VR is a logical entity configured to route traffic between VNICs in the VCN and virtual gateways ("gateways") associated with the VCN. The gateway is further described below with respect to fig. 1. VCN VR is a layer 3/IP layer concept. In one embodiment, there is one VCN VR for the VCN, where the VCN VR potentially has an unlimited number of ports addressed by the IP address, one port for each subnet of the VCN. In this way, the VCN VR has a different IP address for each subnet in the VCN to which the VCN VR is attached. The VR is also connected to various gateways configured for the VCN. In some embodiments, a particular overlay IP address in the overlay IP address range for a subnet is reserved for a port of a VCN VR for that subnet. Consider, for example, that a VCN has two subnets, with associated address ranges of 10.0/16 and 10.1/16, respectively. For the first subnet in the VCN with an address range of 10.0/16, addresses within this range are reserved for ports of the VCN VR for that subnet. In some cases, the first IP address within range may be reserved for VCN VR. For example, for a subnet covering an IP address range of 10.0/16, an IP address of 10.0.0.1 may be reserved for ports of the VCN VR for that subnet. For a second subnet in the same VCN with an address range of 10.1/16, the VCN VR may have a port for the second subnet with an IP address of 10.1.0.1. The VCN VR has a different IP address for each subnet in the VCN.

In some other embodiments, each subnet within the VCN may have its own associated VR that is addressable by the subnet using a reserved or default IP address associated with the VR. For example, the reserved or default IP address may be the first IP address in the range of IP addresses associated with the subnet. The VNICs in the subnet may use this default or reserved IP address to communicate (e.g., send and receive packets) with the VR associated with the subnet. In such an embodiment, the VR is the entry/exit point of the subnet. The VR associated with a subnet within the VCN may communicate with other VRs associated with other subnets within the VCN. The VR may also communicate with a gateway associated with the VCN. The VR functions of the subnetworks are run on or performed by one or more NVDs that perform the VNIC functions of the VNICs in the subnetworks.

The VCN may be configured with routing tables, security rules, and DHCP options. The routing table is a virtual routing table for the VCN and includes rules for routing traffic from a subnet within the VCN to a destination external to the VCN through a gateway or specially configured instance. The routing tables of the VCNs may be customized to control how packets are forwarded/routed to and from the VCNs. DHCP options refer to configuration information that is automatically provided to an instance at instance start-up.

The security rules configured for the VCN represent overlay firewall rules for the VCN. Security rules may include ingress and egress rules and specify the type of traffic (e.g., protocol and port based) that is allowed to enter and exit instances within the VCN. The client may choose whether a given rule is stateful or stateless. For example, a client may allow incoming SSH traffic from anywhere to a set of instances by setting up stateful ingress rules with source CIDR 0.0.0.0/0 and destination TCP port 22. The security rules may be implemented using a network security group or security list. A network security group consists of a set of security rules that apply only to the resources in the group. In another aspect, the security list includes rules applicable to all resources in any subnet that uses the security list. The VCN may be provided with a default security list with default security rules. The DHCP options configured for the VCN provide configuration information that is automatically provided to the instances in the VCN at instance start-up.

In some embodiments, configuration information for the VCN is determined and stored by the VCN control plane. For example, configuration information for a VCN may include information about: address ranges associated with the VCN, subnets and associated information within the VCN, one or more VRs associated with the VCN, computing instances in the VCN and associated VNICs, NVDs (e.g., VNICs, VRs, gateways) that perform various virtualized network functions associated with the VCN, status information for the VCN, and other VCN related information. In certain embodiments, the VCN distribution service publishes configuration information, or portions thereof, stored by the VCN control plane to the NVD. The distributed information may be used to update information (e.g., forwarding tables, routing tables, etc.) stored by the NVD and used to forward packets to and from the computing instances in the VCN.

In some embodiments, creation of VCNs and subnets is handled by a VCN Control Plane (CP) and launching of computing instances is handled by a computing control plane. The compute control plane is responsible for allocating physical resources for the compute instance and then invoking the VCN control plane to create and attach the VNICs to the compute instance. The VCN CP also sends the VCN data map to a VCN data plane configured to perform packet forwarding and routing functions. In some embodiments, the VCN CP provides a distribution service responsible for providing updates to the VCN data plane. Examples of VCN control planes are also depicted in fig. 6, 7, 8, and 9 (see reference numerals 616, 716, 816, and 916) and described below.

A customer may create one or more VCNs using resources hosted by the CSPI. Computing instances deployed on a client VCN may communicate with different endpoints. These endpoints may include endpoints hosted by the CSPI and endpoints external to the CSPI.

Various different architectures for implementing cloud-based services using CSPI are depicted in fig. 1,2, 3, 4, 5, and 12-16, and described below. Fig. 1 is a high-level diagram of a distributed environment 100, illustrating an overlay or customer VCN hosted by a CSPI, in accordance with certain embodiments. The distributed environment depicted in fig. 1 includes a plurality of components in an overlay network. The distributed environment 100 depicted in FIG. 1 is merely an example and is not intended to unduly limit the scope of the claimed embodiments. Many variations, alternatives, and modifications are possible. For example, in some embodiments, the distributed environment depicted in fig. 1 may have more or fewer systems or components than those shown in fig. 1, may combine two or more systems, or may have different system configurations or arrangements.

As shown in the example depicted in fig. 1, distributed environment 100 includes CSPI 101 that provides services and resources that customers can subscribe to and use to build their Virtual Cloud Network (VCN). In some embodiments, CSPI 101 provides IaaS services to subscribing clients. Data centers within CSPI 101 may be organized into one or more areas. An example region "region US"102 is shown in FIG. 1. The customer has configured customer VCN c/o Oracle International Inc. for the area 102. A customer may deploy various computing instances on the VCN 104, where the computing instances may include virtual machine or bare machine instances. Examples of instances include applications, databases, load balancers, and the like.

In the embodiment depicted in fig. 1, customer VCN 104 includes two subnets, namely, "subnet-1" and "subnet-2," each having its own CIDR IP address range. In FIG. 1, the overlay IP address range for subnet-1 is 10.0/16 and the address range for subnet-2 is 10.1/16.VCN virtual router 105 represents a logical gateway for the VCN that enables communication between the subnetworks of VCN 104 and with other endpoints external to the VCN. The VCN VR 105 is configured to route traffic between the VNICs in the VCN 104 and gateways associated with the VCN 104. The VCN VR 105 provides a port for each subnet of the VCN 104. For example, VR 105 may provide a port for subnet-1 with IP address 10.0.0.1 and a port for subnet-2 with IP address 10.1.0.1.

Multiple computing instances may be deployed on each subnet, where the computing instances may be virtual machine instances and/or bare machine instances. Computing instances in a subnet may be hosted by one or more host machines within CSPI 101. The computing instance participates in the subnet via the VNIC associated with the computing instance. For example, as shown in fig. 1, computing instance C1 becomes part of subnet-1 via the VNIC associated with the computing instance. Likewise, computing instance C2 becomes part of subnet-1 via the VNIC associated with C2. In a similar manner, multiple computing instances (which may be virtual machine instances or bare machine instances) may be part of subnet-1. Each computing instance is assigned a private overlay IP address and a MAC address via its associated VNIC. For example, in fig. 1, the overlay IP address of computing instance C1 is 10.0.0.2, the mac address is M1, and the private overlay IP address of computing instance C2 is 10.0.0.3, the mac address is M2. Each compute instance in subnet-1 (including compute instance C1 and C2) has a default route to VCN VR 105 using IP address 10.0.0.1, which is the IP address for the port of VCN VR 105 for subnet-1.

Multiple computing instances may be deployed on subnet-2, including virtual machine instances and/or bare machine instances. For example, as shown in fig. 1, computing instances D1 and D2 become part of subnet-2 via VNICs associated with the respective computing instances. In the embodiment shown in fig. 1, the overlay IP address of computing instance D1 is 10.1.0.2, the mac address is MM1, and the private overlay IP address of computing instance D2 is 10.1.0.3, the mac address is MM2. Each computing instance in subnet-2 (including computing instances D1 and D2) has a default route to VCN VR 105 using IP address 10.1.0.1, which is the IP address for the port of VCN VR 105 of subnet-2.

The VCN a 104 may also include one or more load balancers. For example, a load balancer may be provided for a subnet and may be configured to load balance traffic across multiple compute instances on the subnet. A load balancer may also be provided to load balance traffic across subnets in the VCN.

A particular computing instance deployed on VCN 104 may communicate with a variety of different endpoints. These endpoints may include endpoints hosted by CSPI 200 and endpoints external to CSPI 200. Endpoints hosted by CSPI 101 may include: an endpoint that is on the same subnet as a particular compute instance (e.g., communication between two compute instances in subnet-1); endpoints located on different subnets but within the same VCN (e.g., communications between a compute instance in subnet-1 and a compute instance in subnet-2); endpoints in different VCNs in the same region (e.g., communication between a compute instance in subnet-1 and an endpoint in a VCN in the same region 106 or 110, communication between a compute instance in subnet-1 and an endpoint in a service mesh point 110 in the same region); or endpoints in VCNs in different areas (e.g., communications between computing instances in subnet-1 and endpoints in VCNs in different areas 108). Computing instances in a subnet hosted by CSPI 101 may also communicate with endpoints that are not hosted by CSPI 101 (i.e., external to CSPI 101). These external endpoints include endpoints in customer's preset network 116, endpoints in other remote cloud-hosted networks 118, public endpoints 114 accessible via a public network (such as the internet), and other endpoints.

Communication between computing instances on the same subnet is facilitated using VNICs associated with the source computing instance and the destination computing instance. For example, compute instance C1 in subnet-1 may want to send a packet to compute instance C2 in subnet-1. For a packet that originates from a source computing instance and whose destination is another computing instance in the same subnet, the packet is first processed by the VNIC associated with the source computing instance. The processing performed by the VNICs associated with the source computing instance may include determining destination information for the packet from a packet header, identifying any policies (e.g., security lists) configured for the VNICs associated with the source computing instance, determining a next hop for the packet, performing any packet encapsulation/decapsulation functions as needed, and then forwarding/routing the packet to the next hop for purposes of facilitating communication of the packet to its intended destination. When the destination computing instance and the source computing instance are located in the same subnet, the VNIC associated with the source computing instance is configured to identify the VNIC associated with the destination computing instance and forward the packet to the VNIC for processing. The VNIC associated with the destination computing instance is then executed and the packet is forwarded to the destination computing instance.

For packets to be transmitted from computing instances in a subnet to endpoints in different subnets in the same VCN, communication is facilitated by VNICs associated with source and destination computing instances and VCN VR. For example, if computing instance C1 in subnet-1 in FIG. 1 wants to send a packet to computing instance D1 in subnet-2, then the packet is first processed by the VNIC associated with computing instance C1. The VNIC associated with computing instance C1 is configured to route packets to VCN VR 105 using a default route or port 10.0.0.1 of the VCN VR. The VCN VR 105 is configured to route packets to subnet-2 using port 10.1.0.1. The VNIC associated with D1 then receives and processes the packet and the VNIC forwards the packet to computing instance D1.

For packets to be communicated from a computing instance in VCN 104 to an endpoint external to VCN 104, communication is facilitated by a VNIC associated with the source computing instance, VCN VR 105, and a gateway associated with VCN 104. One or more types of gateways may be associated with VCN 104. A gateway is an interface between a VCN and another endpoint that is external to the VCN. The gateway is a layer 3/IP layer concept and enables the VCN to communicate with endpoints external to the VCN. Thus, the gateway facilitates traffic flow between the VCN and other VCNs or networks. Various different types of gateways may be configured for the VCN to facilitate different types of communications with different types of endpoints. Depending on the gateway, the communication may be through a public network (e.g., the internet) or through a private network. Various communication protocols may be used for these communications.

For example, computing instance C1 may want to communicate with endpoints external to VCN 104. The packet may be first processed by the VNIC associated with the source computing instance C1. The VNIC processing determines that the destination of the packet is outside of subnet-1 of C1. The VNIC associated with C1 may forward the packet to the VCN VR 105 for VCN 104. The VCN VR 105 then processes the packet and, as part of the processing, determines a particular gateway associated with the VCN 104 as the next hop for the packet based on the packet's destination. The VCN VR 105 may then forward the packet to the identified particular gateway. For example, if the destination is an endpoint within a customer's pre-set network, the packet may be forwarded by the VCN VR 105 to a Dynamic Routing Gateway (DRG) gateway 122 configured for the VCN 104. The packet may then be forwarded from the gateway to the next hop to facilitate delivery of the packet to its final intended destination.

Various different types of gateways may be configured for the VCN. An example of a gateway that may be configured for a VCN is depicted in fig. 1 and described below. Examples of gateways associated with VCNs are also depicted in fig. 12, 13, 14, and 15 (e.g., gateways referenced by reference numerals 1234, 1236, 1238, 1334, 1336, 1338, 1434, 1436, 1438, 1534, 1536, and 1538) and described below. As shown in the embodiment depicted in fig. 1, dynamic Routing Gateway (DRG) 122 may be added to or associated with customer VCN 104 and provide a path for private network traffic communications between customer VCN 104 and another endpoint, which may be customer's pre-set network 116, VCN 108 in a different area of CSPI 101, or other remote cloud network 118 not hosted by CSPI 101. The customer preset network 116 may be a customer network or customer data center constructed using the customer's resources. Access to the customer preset network 116 is typically very limited. For customers having both customer premise network 116 and one or more VCNs 104 deployed or hosted by CSPI 101 in the cloud, customers may want their premise network 116 and their cloud-based VCNs 104 to be able to communicate with each other. This enables customers to build an extended hybrid environment encompassing customers' VCNs 104 hosted by CSPI 101 and their preset network 116.DRG 122 enables such communication. To enable such communications, a communication channel 124 is established, with one endpoint of the channel located in customer preset network 116 and the other endpoint located in CSPI 101 and connected to customer VCN 104. The communication channel 124 may be over a public communication network (such as the internet) or a private communication network. Various different communication protocols may be used, such as IPsec VPN technology on a public communication network (such as the internet), fastConnect technology of Oracle using a private network instead of a public network, etc. The devices or equipment in customer premise network 116 that form one endpoint of communication channel 124 are referred to as Customer Premise Equipment (CPE), such as CPE 126 depicted in fig. 1. On the CSPI 101 side, the endpoint may be a host machine executing DRG 122.

In some embodiments, a remote peer-to-peer connection (RPC) may be added to the DRG, which allows a customer to peer (peer) one VCN with another VCN in a different area. Using such RPCs, the client VCN 104 may connect with the VCN 108 in another area using the DRG 122. DRG 122 may also be used to communicate with other remote cloud networks 118 that are not hosted by CSPI 101 (such as MicrosoftAzure clouds, amazon AWS clouds, etc.).

As shown in fig. 1, an Internet Gateway (IGW) 120 may be configured for the client VCN 104 that enables computing instances on the VCN 104 to communicate with public endpoints 114 accessible through a public network such as the internet. IGW 120 is a gateway that connects the VCN to a public network such as the internet. IGW 120 enables public subnets within a VCN, such as VCN 104, where resources in the public subnets have public overlay IP addresses, to directly access public endpoints 112 on public network 114, such as the internet. Using IGW 120, a connection may be initiated from a subnet within VCN 104 or from the internet.

The Network Address Translation (NAT) gateway 128 may be configured for the customer's VCN 104 and enable cloud resources in the customer's VCN that do not have a private public overlay IP address to access the internet, and it does so without exposing those resources to a direct incoming internet connection (e.g., an L4-L7 connection). This enables private subnets within the VCN (such as private subnet-1 in VCN 104) to privately access public endpoints on the internet. In NAT gateways, connections to the public internet can only be initiated from the private subnetwork, and not from the internet.

In some embodiments, a Service Gateway (SGW) 126 may be configured for customer VCN 104 and provide a path for private network traffic between VCN 104 and service endpoints supported in service network 110. In some embodiments, the services network 110 may be provided by a CSP and may provide various services. An example of such a service network is the Oracle service network, which provides various services available to customers. For example, computing instances (e.g., database systems) in a private subnet of the client VCN 104 may backup data to a service endpoint (e.g., object store) without requiring a public IP address or access to the internet. In some embodiments, the VCN may have only one SGW and the connection may be initiated only from a subnet within the VCN and not from the serving network 110. If a VCN is peered with another, resources in the other VCN typically cannot access the SGW. Resources in a provisioning network connected to a VCN with FastConnect or VPN Connect may also use a service gateway configured for that VCN.

In some embodiments, SGW 126 uses the concept of a service generic-free inter-domain routing (CIDR) tag, which is a string that represents all regional public IP address ranges for a service or group of services of interest. Customers use the service CIDR tag when they configure the SGW and associated routing rules to control traffic to the service. The client may optionally use the security rule in configuring it without having to adjust the security rule when the public IP address of the service changes in the future.

A local peer-to-peer gateway (LPG) 132 is a gateway that may be added to a customer VCN 104 and enable the VCN 104 to peer with another VCN in the same area. Peering refers to the VCN communicating using a private IP address without the traffic traversing a public network (such as the internet) or without the traffic being routed through the customer's preset network 116. In the preferred embodiment, the VCN has a separate LPG for each peering it establishes. Local peering or VCN peering is a common practice for establishing network connectivity between different applications or infrastructure management functions.

A service provider, such as a provider of services in the services network 110, may provide access to services using different access models. According to the public access model, services may be exposed as public endpoints in a customer's VCN that are publicly accessible via a public network (such as the Internet), and/or may be privately accessible via SGW 126. Depending on the particular private access model, the service may be accessed as a private IP endpoint in a private subnet in the customer's VCN. This is called Private Endpoint (PE) access and enables a service provider to expose its services as instances in a customer's private network. The private endpoint resources represent services within the customer's VCN. Each PE appears as a VNIC (referred to as a PE-VNIC, having one or more private IPs) in a subnet selected by the customer in the customer's VCN. Thus, the PE provides a way to use the VNIC to present services in a private customer VCN subnet. Since the endpoint is exposed as a VNIC, all features associated with the VNIC (such as routing rules, security lists, etc.) may now be used for the PE VNIC.

Service providers may register their services to enable access through the PE. The provider may associate policies with the service that limit the visibility of the service to customer leases. A provider may register multiple services under a single virtual IP address (VIP), especially for multi-tenant services. There may be multiple such private endpoints (in multiple VCNs) representing the same service.

The computing instance in the private subnet may then access the service using the private IP address or service DNS name of the PE VNIC. The computing instance in the client VCN may access the service by sending traffic to the private IP address of the PE in the client VCN. Private Access Gateway (PAGW) 130 is a gateway resource that may be attached to a service provider VCN (e.g., a VCN in service network 110) that acts as an ingress/egress point for all traffic from/to a customer subnet private endpoint. PAGW 130 enables a provider to extend the number of PE connections without utilizing its internal IP address resources. The provider need only configure one PAGW for any number of services registered in a single VCN. A provider may represent a service as a private endpoint in multiple VCNs for one or more customers. From the customer's perspective, the PE VNICs are not attached to the customer's instance, but rather appear to be attached to the service with which the customer wishes to interact. Traffic destined for the private endpoint is routed to the service via PAGW. These are called customer-to-service private connections (C2S connections).

The PE concept can also be used to extend private access to services to customer premises networks and data centers by allowing traffic to flow through FastConnect/IPsec links and private endpoints in the customer VCN. Private access to services can also be extended to the customer's peer VCN by allowing traffic to flow between LPG 132 and PEs in the customer's VCN.

The customer may control routing in the VCN at the subnet level, so the customer may specify which subnets in the customer's VCN (such as VCN 104) use each gateway. The routing table of the VCN is used to decide whether to allow traffic to leave the VCN through a particular gateway. For example, in a particular example, a routing table for a common subnet within customer VCN 104 may send non-local traffic through IGW 120. Routing tables for private subnets within the same customer VCN 104 may send traffic destined for CSP services through SGW 126. All remaining traffic may be sent via NAT gateway 128. The routing table only controls traffic leaving the VCN.

The security list associated with the VCN is used to control traffic entering the VCN via the gateway via the inbound connection. All resources in the subnetwork use the same routing table and security list. The security list may be used to control the particular type of traffic that is allowed to enter and exit instances in the sub-network of the VCN. Security list rules may include ingress (inbound) and egress (outbound) rules. For example, an ingress rule may specify an allowed source address range, while an egress rule may specify an allowed destination address range. The security rules may specify a particular protocol (e.g., TCP, ICMP), a particular port (e.g., 22 for SSH, 3389 for Windows RDP), etc. In some implementations, the operating system of the instance can enforce its own firewall rules that conform to the security list rules. Rules may be stateful (e.g., track connections and automatically allow responses without explicit security list rules for response traffic) or stateless.

Accesses from a customer's VCN (i.e., through resources or computing instances deployed on the VCN 104) may be categorized as public, private, or private. Public access refers to an access model that uses public IP addresses or NATs to access public endpoints. Private access enables customer workloads in the VCN 104 (e.g., resources in a private subnet) with private IP addresses to access services without traversing a public network such as the internet. In some embodiments, CSPI 101 enables a customer VCN workload with a private IP address to access (the public service endpoint of) a service using a service gateway. Thus, the service gateway provides a private access model by establishing a virtual link between the customer's VCN and the public endpoint of a service residing outside the customer's private network.

In addition, the CSPI may provide private public access using techniques such as FastConnect public peering, where customer preset instances may access one or more services in the customer's VCN using FastConnect connections without traversing a public network such as the internet. The CSPI may also provide private access using FastConnect private peering, where a customer preset instance with a private IP address may access the customer's VCN workload using FastConnect connection. FastConnect is a network connectivity alternative to connecting a customer's preset network to the CSPI and its services using the public internet. FastConnect provide a simple, flexible, and economical way to create private and private connections with higher bandwidth options and a more reliable and consistent network experience than internet-based connections.

FIG. 1 and the accompanying description above describe various virtualized components in an example virtual network. As described above, the virtual network is built on the underlying physical or substrate network. Fig. 2 depicts a simplified architectural diagram of physical components in a physical network within CSPI 200 that provides an underlying layer for a virtual network, in accordance with some embodiments. As shown, CSPI 200 provides a distributed environment including components and resources (e.g., computing, memory, and network resources) provided by a Cloud Service Provider (CSP). These components and resources are used to provide cloud services (e.g., iaaS services) to subscribing clients (i.e., clients that have subscribed to one or more services provided by CSPs). Clients are provisioned with a subset of the resources (e.g., computing, memory, and network resources) of CSPI 200 based on the services subscribed to by the clients. The customer may then build its own cloud-based (i.e., CSPI-hosted) customizable and private virtual network using the physical computing, memory, and networking resources provided by CSPI 200. As indicated previously, these customer networks are referred to as Virtual Cloud Networks (VCNs). Clients may deploy one or more client resources, such as computing instances, on these client VCNs. The computing instance may be in the form of a virtual machine, a bare metal instance, or the like. CSPI 200 provides an infrastructure and a set of complementary cloud services that enable customers to build and run a wide range of applications and services in a highly available hosted environment.

In the example embodiment depicted in fig. 2, the physical components of CSPI 200 include one or more physical host machines or physical servers (e.g., 202, 206, 208), network Virtualization Devices (NVDs) (e.g., 210, 212), top of rack (TOR) switches (e.g., 214, 216) and physical networks (e.g., 218), and switches in physical network 218. The physical host machine or server may host and execute various computing instances that participate in one or more subnets of the VCN. The computing instances may include virtual machine instances and bare machine instances. For example, the various computing instances depicted in fig. 1 may be hosted by the physical host machine depicted in fig. 2. The virtual machine computing instances in the VCN may be executed by one host machine or a plurality of different host machines. The physical host machine may also host a virtual host machine, a container-based host or function, or the like. The VNICs and VCN VRs depicted in fig. 1 may be performed by the NVD depicted in fig. 2. The gateway depicted in fig. 1 may be performed by a host machine and/or by the NVD depicted in fig. 2.

The host machine or server may execute a hypervisor (also referred to as a virtual machine monitor or VMM) that creates and enables virtualized environments on the host machine. Virtualized or virtualized environments facilitate cloud-based computing. One or more computing instances may be created, executed, and managed on a host machine by a hypervisor on the host machine. The hypervisor on the host machine enables the physical computing resources (e.g., computing, memory, and network resources) of the host machine to be shared among the various computing instances executed by the host machine.

For example, as depicted in FIG. 2, host machines 202 and 208 execute hypervisors 260 and 266, respectively. These hypervisors may be implemented using software, firmware, or hardware, or a combination thereof. Typically, a hypervisor is a process or software layer that sits on top of the Operating System (OS) of a host machine, which in turn executes on the hardware processor of the host machine. The hypervisor provides a virtualized environment by enabling the physical computing resources of the host machine (e.g., processing resources such as processors/cores, memory resources, network resources) to be shared among the various virtual machine computing instances executed by the host machine. For example, in fig. 2, hypervisor 260 may be located above the OS of host machine 202 and enable computing resources (e.g., processing, memory, and network resources) of host machine 202 to be shared among computing instances (e.g., virtual machines) executed by host machine 202. The virtual machine may have its own operating system (referred to as a guest operating system), which may be the same as or different from the OS of the host machine. The operating system of a virtual machine executed by a host machine may be the same as or different from the operating system of another virtual machine executed by the same host machine. Thus, the hypervisor enables multiple operating systems to be executed simultaneously while sharing the same computing resources of the host machine. The host machines depicted in fig. 2 may have the same or different types of hypervisors.

The computing instance may be a virtual machine instance or a bare machine instance. In FIG. 2, computing instance 268 on host machine 202 and computing instance 274 on host machine 208 are examples of virtual machine instances. The host machine 206 is an example of a bare metal instance provided to a customer.

In some cases, an entire host machine may be provisioned to a single customer, and one or more computing instances (either virtual machines or bare metal instances) hosted by the host machine all belong to the same customer. In other cases, the host machine may be shared among multiple guests (i.e., multiple tenants). In such a multi-tenancy scenario, the host machine may host virtual machine computing instances belonging to different guests. These computing instances may be members of different VCNs for different customers. In some embodiments, bare metal computing instances are hosted by bare metal servers without hypervisors. When a bare metal computing instance is provisioned, a single customer or tenant maintains control of the physical CPU, memory, and network interfaces of the host machine hosting the bare metal instance, and the host machine is not shared with other customers or tenants.

As previously described, each computing instance that is part of a VCN is associated with a VNIC that enables the computing instance to be a member of a subnet of the VCN. The VNICs associated with the computing instance facilitate the communication of packets or frames to and from the computing instance. The VNIC is associated with the computing instance when the computing instance is created. In some embodiments, for a computing instance executed by a host machine, a VNIC associated with the computing instance is executed by an NVD connected to the host machine. For example, in fig. 2, host machine 202 executes virtual machine computing instance 268 associated with VNIC 276, and VNIC 276 is executed by NVD 210 connected to host machine 202. As another example, bare metal instances 272 hosted by host machine 206 are associated with VNICs 280 that are executed by NVDs 212 connected to host machine 206. As yet another example, the VNICs 284 are associated with computing instances 274 that are executed by the host machine 208, and the VNICs 284 are executed by NVDs 212 connected to the host machine 208.

For a computing instance hosted by a host machine, an NVD connected to the host machine also executes a VCN VR corresponding to the VCN of which the computing instance is a member. For example, in the embodiment depicted in fig. 2, NVD 210 executes VCN VR 277 corresponding to the VCN of which computing instance 268 is a member. NVD 212 may also execute one or more VCN VRs 283 corresponding to VCNs corresponding to computing instances hosted by host machines 206 and 208.

The host machine may include one or more Network Interface Cards (NICs) that enable the host machine to connect to other devices. The NIC on the host machine may provide one or more ports (or interfaces) that enable the host machine to be communicatively connected to another device. For example, the host machine may connect to the NVD using one or more ports (or interfaces) provided on the host machine and on the NVD. The host machine may also be connected to other devices, such as another host machine.

For example, in fig. 2, host machine 202 is connected to NVD 210 using link 220, link 220 extending between port 234 provided by NIC 232 of host machine 202 and port 236 of NVD 210. The host machine 206 is connected to the NVD 212 using a link 224, the link 224 extending between a port 246 provided by the NIC 244 of the host machine 206 and a port 248 of the NVD 212. Host machine 208 is connected to NVD 212 using link 226, link 226 extending between port 252 provided by NIC 250 of host machine 208 and port 254 of NVD 212.

The NVD is in turn connected via communication links to top of rack (TOR) switches that are connected to a physical network 218 (also referred to as a switching fabric). In certain embodiments, the links between the host machine and the NVD and between the NVD and the TOR switch are Ethernet links. For example, in fig. 2, NVDs 210 and 212 are connected to TOR switches 214 and 216 using links 228 and 230, respectively. In some embodiments, links 220, 224, 226, 228, and 230 are ethernet links. The collection of host machines and NVDs connected to TOR is sometimes referred to as a rack.

The physical network 218 provides a communication architecture that enables TOR switches to communicate with each other. The physical network 218 may be a multi-layer network. In some embodiments, the physical network 218 is a multi-layer Clos network of switches, where TOR switches 214 and 216 represent leaf level nodes of the multi-layer and multi-node physical switching network 218. Different Clos network configurations are possible, including but not limited to layer 2 networks, layer 3 networks, layer 4 networks, layer 5 networks, and general "n" layer networks. An example of a Clos network is depicted in fig. 5 and described below.

There may be a variety of different connection configurations between the host machine and the NVD, such as a one-to-one configuration, a many-to-one configuration, a one-to-many configuration, and the like. In one-to-one configuration implementations, each host machine is connected to its own separate NVD. For example, in fig. 2, host machine 202 is connected to NVD 210 via NIC 232 of host machine 202. In a many-to-one configuration, multiple host machines are connected to one NVD. For example, in fig. 2, host machines 206 and 208 are connected to the same NVD 212 via NICs 244 and 250, respectively.

In a one-to-many configuration, one host machine is connected to multiple NVDs. FIG. 3 shows an example within CSPI 300 where a host machine is connected to multiple NVDs. As shown in fig. 3, host machine 302 includes a Network Interface Card (NIC) 304, NIC 304 including a plurality of ports 306 and 308. Host machine 300 is connected to first NVD 310 via port 306 and link 320, and to second NVD 312 via port 308 and link 322. Ports 306 and 308 may be ethernet ports and links 320 and 322 between host machine 302 and NVDs 310 and 312 may be ethernet links. The NVD 310 is in turn connected to a first TOR switch 314 and the NVD 312 is connected to a second TOR switch 316. The link between NVDs 310, 312 and TOR switches 314, 316 may be ethernet links. TOR switches 314 and 316 represent layer 0 switching devices in a multi-layer physical network 318.

The arrangement depicted in fig. 3 provides two separate physical network paths from the physical switch network 318 to the host machine 302: the first path passes through TOR switch 314 to NVD310 to host machine 302 and the second path passes through TOR switch 316 to NVD 312 to host machine 302. The separate path provides enhanced availability (referred to as high availability) of the host machine 302. If one of the paths (e.g., a link in one of the paths is broken) or one of the devices (e.g., a particular NVD is not running) is in question, then the other path may be used for communication to/from host machine 302.

In the configuration depicted in fig. 3, the host machine connects to two different NVDs using two different ports provided by the NIC of the host machine. In other embodiments, the host machine may include multiple NICs that enable the host machine to connect to multiple NVDs.

Referring back to fig. 2, an nvd is a physical device or component that performs one or more network and/or storage virtualization functions. The NVD may be any device having one or more processing units (e.g., CPU, network Processing Unit (NPU), FPGA, packet processing pipeline, etc.), memory containing cache, and ports. Various virtualization functions may be performed by software/firmware executed by one or more processing units of the NVD.

NVD may be implemented in a variety of different forms. For example, in certain embodiments, the NVD is implemented as an interface card called smartNIC or as a smart NIC with an on-board embedded processor. smartNIC are devices separate from the NIC on the host machine. In FIG. 2, NVDs 210 and 212 may be implemented as smartNIC connected to host machine 202 and host machines 206 and 208, respectively.

SmartNIC is but one example of an NVD implementation. Various other embodiments are possible. For example, in some other implementations, the NVD or one or more functions performed by the NVD may be incorporated into or performed by one or more host machines, one or more TOR switches, and other components of CSPI 200. For example, the NVD may be implemented in a host machine, where the functions performed by the NVD are performed by the host machine. As another example, the NVD may be part of a TOR switch, or the TOR switch may be configured to perform functions performed by the NVD, which enable the TOR switch to perform various complex packet conversions for the public cloud. TOR performing the function of NVD is sometimes referred to as intelligent TOR. In other embodiments where a Virtual Machine (VM) instance is provided to the client instead of a Bare Metal (BM) instance, the functions performed by the NVD may be implemented within the hypervisor of the host machine. In some other implementations, some of the functionality of the NVD may be offloaded to a centralized service running on a set of host machines.

In certain embodiments, such as when implemented as smartNIC as shown in fig. 2, the NVD may include a plurality of physical ports that enable it to connect to one or more host machines and one or more TOR switches. Ports on NVD may be classified as host-oriented ports (also referred to as "south ports") or network-oriented or TOR-oriented ports (also referred to as "north ports"). The host-facing port of the NVD is a port for connecting the NVD to a host machine. Examples of host-facing ports in fig. 2 include port 236 on NVD 210 and ports 248 and 254 on NVD 212. The network-facing port of the NVD is a port for connecting the NVD to the TOR switch. Examples of network-facing ports in fig. 2 include port 256 on NVD 210 and port 258 on NVD 212. As shown in fig. 2, NVD 210 connects to TOR switch 214 using link 228 extending from port 256 of NVD 210 to TOR switch 214. Similarly, NVD 212 connects to TOR switch 216 using link 230 extending from port 258 of NVD 212 to TOR switch 216.

The NVD receives packets and frames (e.g., packets and frames generated by computing instances hosted by the host machine) from the host machine via the host-oriented ports, and after performing the necessary packet processing, the packets and frames may be forwarded to the TOR switch via the network-oriented ports of the NVD. The NVD may receive packets and frames from the TOR switch via the network-oriented ports of the NVD, and after performing the necessary packet processing, may forward the packets and frames to the host machine via the host-oriented ports of the NVD.

In some embodiments, there may be multiple ports and associated links between the NVD and the TOR switch. These ports and links may be aggregated to form a link aggregation group (referred to as LAG) of multiple ports or links. Link aggregation allows multiple physical links between two endpoints (e.g., between NVD and TOR switches) to be considered a single logical link. All physical links in a given LAG may operate in full duplex mode at the same speed. LAG helps to increase the bandwidth and reliability of the connection between two endpoints. If one of the physical links in the LAG fails, traffic is dynamically and transparently reassigned to one of the other physical links in the LAG. The aggregated physical link delivers a higher bandwidth than each individual link. The multiple ports associated with the LAG are considered to be a single logical port. Traffic may be load balanced across multiple physical links of the LAG. One or more LAGs may be configured between the two endpoints. The two endpoints may be located between the NVD and TOR switches, between the host machine and the NVD, and so on.

The NVD implements or performs network virtualization functions. These functions are performed by software/firmware executed by the NVD. Examples of network virtualization functions include, but are not limited to: packet encapsulation and decapsulation functions; a function for creating a VCN network; functions for implementing network policies, such as VCN security list (firewall) functionality; a function to facilitate routing and forwarding of packets to and from computing instances in the VCN; etc. In some embodiments, upon receiving a packet, the NVD is configured to execute a packet processing pipeline for processing the packet and determining how to forward or route the packet. As part of this packet processing pipeline, the NVD may perform one or more virtual functions associated with the overlay network, such as executing a VNIC associated with a computer instance in the VCN, executing a Virtual Router (VR) associated with the VCN, encapsulation and decapsulation of packets to facilitate forwarding or routing in the virtual network, execution of certain gateways (e.g., local peer gateways), implementation of security lists, network security groups, network Address Translation (NAT) functionality (e.g., translating public IP to private IP on a host-by-host basis), throttling functions, and other functions.

In some embodiments, the packet processing data path in the NVD may include a plurality of packet pipelines, each consisting of a series of packet transformation stages. In some embodiments, after receiving a packet, the packet is parsed and classified into a single pipeline. The packets are then processed in a linear fashion, stage by stage, until the packets are dropped or sent out over the NVD interface. These stages provide basic functional packet processing building blocks (e.g., validate headers, force throttling, insert new layer 2 headers, force L4 firewalls, VCN encapsulation/decapsulation, etc.) so that new pipelines can be built by combining existing stages and new functionality can be added by creating new stages and inserting them into existing pipelines.

The NVD may perform both control plane and data plane functions corresponding to the control plane and data plane of the VCN. Examples of VCN control planes are also depicted in fig. 12, 13, 14, and 15 (see reference numerals 1216, 1316, 1416, and 1516) and described below. Examples of VCN data planes are depicted in fig. 12, 13, 14, and 15 (see reference numerals 1218, 1318, 1418, and 1518) and described below. The control plane functions include functions for configuring the network (e.g., setting up routing and routing tables, configuring VNICs, etc.) that control how data is forwarded. In some embodiments, a VCN control plane is provided that centrally computes all overlay-to-baseboard mappings and publishes them to NVDs and virtual network edge devices (such as various gateways, such as DRG, SGW, IGW, etc.). Firewall rules may also be published using the same mechanism. In certain embodiments, the NVD only obtains a mapping related to the NVD. The data plane functions include functions to actually route/forward packets based on a configuration set up using a control plane. The VCN data plane is implemented by encapsulating the customer's network packets before they traverse the baseboard network. Encapsulation/decapsulation functionality is implemented on the NVD. In certain embodiments, the NVD is configured to intercept all network packets in and out of the host machine and perform network virtualization functions.

As indicated above, the NVD performs various virtualization functions, including VNICs and VCN VR. The NVD may execute a VNIC associated with a computing instance hosted by one or more host machines connected to the VNIC. For example, as depicted in fig. 2, NVD 210 performs the functionality of VNIC 276 associated with computing instance 268 hosted by host machine 202 connected to NVD 210. As another example, NVD 212 executes VNICs 280 associated with bare metal computing instances 272 hosted by host machine 206 and executes VNICs 284 associated with computing instances 274 hosted by host machine 208. The host machine may host computing instances belonging to different VCNs (which belong to different customers), and an NVD connected to the host machine may execute a VNIC corresponding to the computing instance (i.e., perform VNIC-related functionality).

The NVD also executes a VCN virtual router corresponding to the VCN of the computing instance. For example, in the embodiment depicted in fig. 2, NVD 210 executes VCN VR 277 corresponding to the VCN to which computing instance 268 belongs. NVD 212 executes one or more VCN VRs 283 corresponding to one or more VCNs to which computing instances hosted by host machines 206 and 208 belong. In some embodiments, the VCN VR corresponding to the VCN is executed by all NVDs connected to a host machine hosting at least one computing instance belonging to the VCN. If a host machine hosts computing instances belonging to different VCNs, then an NVD connected to the host machine may execute VCN VR corresponding to those different VCNs.

In addition to the VNICs and VCN VRs, the NVD may execute various software (e.g., daemons) and include one or more hardware components that facilitate various network virtualization functions performed by the NVD. For simplicity, these various components are grouped together as a "packet processing component" shown in fig. 2. For example, NVD 210 includes a packet processing component 286 and NVD 212 includes a packet processing component 288. For example, a packet processing component for an NVD may include a packet processor configured to interact with ports and hardware interfaces of the NVD to monitor all packets received by and transmitted using the NVD and store network information. The network information may include, for example, network flow information and per-flow information (e.g., per-flow statistics) identifying different network flows handled by the NVD. In some embodiments, network flow information may be stored on a per VNIC basis. The packet processor may perform packet-by-packet manipulation and implement stateful NAT and L4 Firewalls (FWs). As another example, the packet processing component may include a replication agent configured to replicate information stored by the NVD to one or more different replication target repositories. As yet another example, the packet processing component may include a logging agent configured to perform a logging function of the NVD. The packet processing component may also include software for monitoring the performance and health of the NVD and possibly also the status and health of other components connected to the NVD.

FIG. 1 illustrates components of an example virtual or overlay network, including a VCN, a subnet within the VCN, a computing instance deployed on the subnet, a VNIC associated with the computing instance, a VR for the VCN, and a set of gateways configured for the VCN. The overlay component depicted in fig. 1 may be executed or hosted by one or more of the physical components depicted in fig. 2. For example, computing instances in a VCN may be executed or hosted by one or more host machines depicted in fig. 2. For a computing instance hosted by a host machine, a VNIC associated with the computing instance is typically executed by an NVD connected to the host machine (i.e., VNIC functionality is provided by an NVD connected to the host machine). The VCN VR functions for a VCN are performed by all NVDs connected to a host machine that hosts or executes computing instances that are part of the VCN. The gateway associated with the VCN may be implemented by one or more different types of NVDs. For example, some gateways may be performed by smartNIC, while other gateways may be performed by one or more host machines or other implementations of NVDs.

As described above, the computing instances in the client VCN may communicate with various different endpoints, where the endpoints may be within the same subnet as the source computing instance, in different subnets but within the same VCN as the source computing instance, or the endpoints are external to the VCN of the source computing instance. These communications are facilitated using a VNIC associated with the computing instance, a VCN VR, and a gateway associated with the VCN.

For communication between two computing instances on the same subnet in a VCN, the VNICs associated with the source and destination computing instances are used to facilitate the communication. The source and destination computing instances may be hosted by the same host machine or by different host machines. Packets originating from a source computing instance may be forwarded from a host machine hosting the source computing instance to an NVD connected to the host machine. On the NVD, packets are processed using a packet processing pipeline, which may include execution of VNICs associated with the source computing instance. Because the destination endpoint of the packet is located within the same subnet, execution of the VNIC associated with the source computing instance causes the packet to be forwarded to the NVD executing the VNIC associated with the destination computing instance, which then processes the packet and forwards it to the destination computing instance. VNICs associated with source and destination computing instances may execute on the same NVD (e.g., when the source and destination computing instances are hosted by the same host machine) or on different NVDs (e.g., when the source and destination computing instances are hosted by different host machines connected to the different NVDs). The VNIC may use the routing/forwarding table stored by the NVD to determine the next hop for the packet.

For packets to be transferred from a computing instance in a subnet to an endpoint in a different subnet in the same VCN, packets originating from a source computing instance are transferred from a host machine hosting the source computing instance to an NVD connected to the host machine. On the NVD, packets are processed using a packet processing pipeline, which may include execution of one or more VNICs and VR associated with the VCN. For example, as part of a packet processing pipeline, the NVD executes or invokes functionality (also referred to as executing VNICs) corresponding to the VNICs associated with the source computing instance. The functionality performed by the VNIC may include looking at the VLAN tag on the packet. The VCN VR functionality is next invoked and executed by the NVD because the destination of the packet is outside the subnet. The VCN VR then routes the packet to an NVD that executes the VNIC associated with the destination computing instance. The VNIC associated with the destination computing instance then processes the packet and forwards the packet to the destination computing instance. VNICs associated with source and destination computing instances may execute on the same NVD (e.g., when the source and destination computing instances are hosted by the same host machine) or on different NVDs (e.g., when the source and destination computing instances are hosted by different host machines connected to the different NVDs).

If the destination of the packet is outside of the VCN of the source computing instance, the packet originating from the source computing instance is transmitted from the host machine hosting the source computing instance to an NVD connected to the host machine. The NVD executes the VNIC associated with the source computing instance. Since the destination endpoint of the packet is outside the VCN, the packet is then processed by the VCN VR for that VCN. The NVD invokes VCN VR functionality, which may cause the packet to be forwarded to the NVD executing the appropriate gateway associated with the VCN. For example, if the destination is an endpoint within a customer's preset network, the packet may be forwarded by the VCN VR to the NVD executing a DRG gateway configured for the VCN. The VCN VR may be executed on the same NVD as the NVD executing the VNIC associated with the source computing instance, or by a different NVD. The gateway may be implemented by an NVD, which may be smartNIC, a host machine, or other NVD implementation. The packet is then processed by the gateway and forwarded to the next hop, which facilitates delivery of the packet to its intended destination endpoint. For example, in the embodiment depicted in fig. 2, packets originating from computing instance 268 may be transmitted from host machine 202 to NVD 210 over link 220 (using NIC 232). On NVD 210, VNIC 276 is invoked because it is the VNIC associated with source computing instance 268. VNIC 276 is configured to examine the information encapsulated in the packet and determine the next hop for forwarding the packet in order to facilitate delivery of the packet to its intended destination endpoint, and then forward the packet to the determined next hop.

Computing instances deployed on a VCN may communicate with a variety of different endpoints. These endpoints may include endpoints hosted by CSPI 200 and endpoints external to CSPI 200. Endpoints hosted by CSPI 200 may include instances in the same VCN or other VCNs, which may be customer VCNs or VCNs that do not belong to customers. Communication between endpoints hosted by CSPI 200 may be performed through physical network 218. The computing instance may also communicate with endpoints that are not hosted by CSPI 200 or external to CSPI 200. Examples of such endpoints include endpoints within a customer's preset network or a data center, or public endpoints accessible through a public network such as the internet. Communication with endpoints external to CSPI 200 may be performed over a public network (e.g., the internet) (not shown in fig. 2) or a private network (not shown in fig. 2) using various communication protocols.

The architecture of CSPI 200 depicted in fig. 2 is merely an example and is not intended to be limiting. In alternative embodiments, variations, alternatives, and modifications are possible. For example, in some embodiments, CSPI 200 may have more or fewer systems or components than those shown in fig. 2, may combine two or more systems, or may have different system configurations or arrangements. The systems, subsystems, and other components depicted in fig. 2 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective system, using hardware, or a combination thereof. The software may be stored on a non-transitory storage medium (e.g., on a memory device).

FIG. 4 depicts connectivity between a host machine and an NVD for providing I/O virtualization to support multi-tenancy in accordance with certain embodiments. As depicted in fig. 4, host machine 402 executes hypervisor 404 that provides a virtualized environment. The host machine 402 executes two virtual machine instances, VM1 406 belonging to guest/tenant #1 and VM2 408 belonging to guest/tenant # 2. Host machine 402 includes a physical NIC 410 connected to NVD 412 via link 414. Each computing instance is attached to a VNIC executed by NVD 412. In the embodiment in FIG. 4, VM1 406 is attached to VNIC-VM1 420 and VM2 408 is attached to VNIC-VM2422.

As shown in fig. 4, NIC 410 includes two logical NICs, logical NIC a 416 and logical NIC B418. Each virtual machine is attached to its own logical NIC and is configured to work with its own logical NIC. For example, VM1 406 is attached to logical NIC A416 and VM2 408 is attached to logical NIC B418. Although host machine 402 includes only one physical NIC 410 shared by multiple tenants, each tenant's virtual machine believes that they have their own host machine and NIC due to the logical NIC.

In some embodiments, each logical NIC is assigned its own VLAN ID. Thus, a particular VLAN ID is assigned to logical NIC a 416 for tenant #1, and a different VLAN ID is assigned to logical NIC B418 for tenant # 2. When a packet is transferred from VM1 406, a label assigned to tenant #1 is appended to the packet by the hypervisor, which is then transferred from host machine 402 to NVD 412 over link 414. In a similar manner, when a packet is transmitted from VM2 408, a label assigned to tenant #2 is appended to the packet by the hypervisor, which is then transmitted from host machine 402 to NVD 412 over link 414. Thus, packets 424 transmitted from host machine 402 to NVD 412 have associated labels 426 identifying the particular tenant and associated VM. On the NVD, for a packet 424 received from host machine 402, a tag 426 associated with the packet is used to determine whether the packet is processed by VNIC-VM1 420 or VNIC-VM2 422. The packets are then processed by the corresponding VNICs. The configuration depicted in fig. 4 enables each tenant's computing instance to trust that they own host machine and NIC. The arrangement depicted in FIG. 4 provides I/O virtualization to support multi-tenancy.

Fig. 5 depicts a simplified block diagram of a physical network 500 according to some embodiments. The embodiment depicted in fig. 5 is structured as a Clos network. Clos networks are a specific type of network topology designed to provide connection redundancy while maintaining high split bandwidth and maximum resource utilization. Clos networks are a type of non-blocking, multi-stage or multi-layer switching network, where the number of stages or layers may be two, three, four, five, etc. The embodiment depicted in fig. 5 is a layer 3 network, including layers 1, 2, and 3.TOR switches 504 represent layer 0 switches in a Clos network. One or more NVDs are connected to the TOR switch. Layer 0 switches are also known as edge devices of a physical network. The layer 0 switch is connected to a layer 1 switch, also known as a leaf switch. In the embodiment depicted in fig. 5, a set of "n" tier 0TOR switches are connected to a set of "n" tier 1 switches and form a group (pod). Each layer 0 switch in a cluster is interconnected to all layer 1 switches in the cluster, but there is no connectivity of switches between clusters. In some embodiments, two clusters are referred to as a block. Each block is serviced by or connected to a set of "n" layer 2 switches (sometimes referred to as a backbone switch). There may be several blocks in the physical network topology. The layer 2 switches are in turn connected to "n" layer 3 switches (sometimes referred to as super trunk switches). Communication of packets over the physical network 500 is typically performed using one or more layer 3 communication protocols. Typically, all layers of the physical network (except the TOR layer) are n-way redundant, thus allowing for high availability. Policies may be specified for the clusters and blocks to control the visibility of switches to each other in the physical network, thereby enabling scaling of the physical network.

The Clos network is characterized by a fixed maximum number of hops from one layer 0 switch to another layer 0 switch (or from an NVD connected to a layer 0 switch to another NVD connected to a layer 0 switch). For example, in a 3-layer Clos network, a maximum of seven hops are required for packets to reach from one NVD to another, with the source and target NVDs connected to the leaf layers of the Clos network. Also, in a 4-layer Clos network, a maximum of nine hops are required for packets to reach from one NVD to another, with the source and target NVDs connected to the leaf layers of the Clos network. Thus, the Clos network architecture maintains consistent latency throughout the network, which is important for communication between and within the data center. The Clos topology is horizontally extended and cost-effective. The bandwidth/throughput capacity of the network can be easily increased by adding more switches (e.g., more leaf switches and trunk switches) at each layer and by increasing the number of links between switches at adjacent layers.

In some embodiments, each resource within the CSPI is assigned a unique identifier, referred to as a Cloud Identifier (CID). This identifier is included as part of the information of the resource and may be used to manage the resource, e.g., via a console or through an API. An example syntax for CID is:

ocid1 < resource type > < field > [ area ] [ future use ] < unique ID >

Wherein,

Ocid1: a text string indicating a version of the CID;

Resource type: types of resources (e.g., instance, volume, VCN, subnet, user, group, etc.);

Domain: the domain in which the resource is located. Exemplary values are "c1" for the business domain, "c2" for the government cloud domain, or "c3" for the federal government cloud domain, etc. Each domain may have its own domain name;

Area: the area where the resource is located. If the region is not suitable for the resource, then this portion may be empty;

Future use: reserved for future use.

Unique ID: a unique portion of the ID. The format may vary depending on the type of resource or service.

Multi-cloud introduction

Fig. 6 depicts a simplified high-level diagram of a distributed environment 600 including multiple cloud environments provided by different Cloud Service Providers (CSPs), where a cloud environment includes a particular cloud environment providing a specialized infrastructure that enables one or more cloud services provided by the particular cloud environment to be used by customers of other cloud environments, in accordance with certain embodiments. As depicted in fig. 6, various different cloud environments (also referred to as "clouds") may be provided by different Cloud Service Providers (CSPs), each cloud environment or cloud providing one or more cloud services that may be subscribed to by one or more customers of the cloud environment. The set of cloud services provided by the CSP-provided cloud environment may include one or more different types of cloud services including, but not limited to, software as a service (SaaS) services, infrastructure as a service (IaaS) services, platform as a service (PaaS) services, database as a service (dbas) services, and the like. Examples of cloud environments provided by various CSPs include those provided by Oracle CorporationCloud Infrastructure (OCI), supplied by Microsoft CorporationAzure, google Cloud ^TM supplied by Google LLC, amazon Web Services supplied by Amazon CorporationEtc. The cloud services provided by a particular cloud environment may be different from a set of cloud services provided by another cloud environment.

In a typical cloud environment, CSPs provide a cloud services infrastructure (CSPI) that is used to provide one or more cloud services provided by the cloud environment to its customers. CSPs provided by CSPs may include various types of hardware and software resources including computing resources, memory resources, networking resources, consoles for accessing cloud services, and the like. Clients of a cloud environment provided by a CSP may subscribe to one or more of the cloud services provided by the cloud environment. CSP can provide its customers with various subscription models. After a customer subscribes to cloud services provided by the cloud environment, one or more users may be associated with the subscribing customer and these users may use the cloud services to which the customer subscribes. In some implementations, when a customer subscribes to a cloud service provided by a particular cloud environment, a customer account or customer lease will be created for the customer. One or more users may then be associated with the customer lease, and these users may then use the services subscribed to by the customer under the customer lease. Information about services subscribed to by the customer, users associated with the customer lease, etc. is typically stored within the cloud environment and associated with the customer lease.

For example, three different cloud environments provided by three different CSPs are depicted in fig. 6. These include cloud environment a (cloud a) 610 provided by CSP a, cloud environment B (cloud B) 640 provided by CSP B, and cloud environment C (cloud C) 660 provided by CSP C. Cloud a610 includes an infrastructure cspi_a 612 provided by CSP a, and this infrastructure can be used to provide a set of services "service a"614 provided by cloud a 610. One or more clients (e.g., client A1 616-1, client A2 616-2) may subscribe to one or more of the services a 614 provided by cloud a 610. One or more users 618-1 may be associated with client A1 616-1 and may use services subscribed to by client A1 616-1 in cloud A610. In a similar manner, one or more users 618-2 may be associated with client A2616-2 and may use the services subscribed to by client A2616-2 in cloud A610. In various use cases, the service subscribed to by client A1 616-1 may be different from the service subscribed to by client A2 616-2.

As depicted in fig. 6, cloud B640 includes an infrastructure cspi_b 642 provided by CSP B, and this infrastructure can be used to provide a set of services "service B"644 provided by cloud B640. One or more clients (e.g., client B1 646-1) may subscribe to one or more of the services B644. One or more users 648-1 may be associated with customer B1 646-1 and may use services subscribed to by customer B1 646-1 in cloud B640.

As depicted in fig. 6, cloud C660 includes an infrastructure cspi_c 662 provided by CSP C, and this infrastructure can be used to provide a set of services "service C"664 provided by cloud C660. One or more clients (e.g., client C1 666-1) may subscribe to one or more of the services C664. One or more users 668-1 may be associated with customer C1 666-1 and may use services subscribed to by customer C1 666-1 in cloud C660. Note that the service a 614, the service B644, and the service C664 may be different from each other.

In existing cloud implementations, each cloud provides a closed ecosystem for its subscribing clients and related users. Thus, clients of the cloud environment and their associated users are limited to using the services provided by the cloud to which the clients subscribe. For example, customer B1 646-1 and its user 648-1 are limited to using service B644 provided by cloud B640, and cannot use their account in cloud B640 to access services from different cloud environments, such as services in service a 614 provided by cloud a 610 or services in service C664 provided by cloud C660. The teachings described herein overcome this limitation. As described in this disclosure, various techniques are described that enable creation of a link between two cloud environments that enables services provided by a first cloud environment provided by a first CSP to be used by customers (and related users) of a different second cloud environment provided by a second, different CSP using the customers' accounts in the second cloud environment.

For example, in the embodiment depicted in fig. 6, the infrastructure cspi_a 612 provided by CSP a includes, among other infrastructure 620, a special infrastructure 622 (referred to as a multi-cloud-enabled infrastructure 622 or MEI 622 or multi-cloud infrastructure 622), which special infrastructure 622 enables one or more services 614 provided by cloud a to be used by customers and related users of other clouds (such as clouds B640 and C660) using customer accounts in those other clouds. In some implementations, the customers of cloud B and C do not have to open separate accounts at cloud a to use one or more of the services 614 provided by cloud a 610. Customer B1 646-1 and related users 648-1 of cloud B640 may use their customer accounts or leases in cloud B640 to use one or more services 614 provided by cloud a 610. As another example, customer C1 666-1 and related users 668-1 of cloud C660 may use their customer accounts or leases in cloud C660 to use one or more services 614 provided by cloud a 610.

In some implementations, MEI 622 enables creation of links between cloud a 610 and other clouds, where these links may be used by customers of the other clouds and their associated users to access and use services provided by cloud a 610. This is symbolically shown in fig. 6 as link 670 created between cloud a 610 and cloud B640, and link 672 created between cloud a 610 and cloud C660. Via link 670, a customer of cloud B640 may access or use one or more services 614 provided by cloud a 610. Likewise, via link 672, a customer of cloud C660 may access or use one or more services 614 provided by cloud a 610.

There are different ways in which MEI 612 can be implemented. In some embodiments, MEI 612 may include components that enable links to be established with different clouds. For example, in fig. 6, MEI 622 includes an infrastructure component 624 responsible for enabling link 670 with cloud B640 and an infrastructure component 626 for enabling link 672 with cloud C660. In a similar manner, MEI 622 may include other components that enable and facilitate links with other clouds. In some embodiments, components of MEI 622 may also facilitate links with multiple different clouds.

There are several reasons why a customer of one cloud may want or desire to use cloud services provided by different clouds. Taking fig. 6 as an example, there are a number of reasons that customer B1 646-1 of cloud B640 may want to use cloud service 614 provided by cloud a 610. In one use case scenario, this may occur because cloud a610 provides cloud services with functionality not provided by cloud B640. As another use case scenario, clouds a and B may provide similar services, but the services provided by cloud a610 may be better (e.g., more features/functionality, faster, etc.) than the corresponding services provided by cloud B640. As another use case scenario, customer B1 646-1 of cloud B640 may want to use the cloud service provided by cloud a610 because the price of the service is cheaper than that provided by cloud B640. In some cases, customer B1 646-1, which may have cloud B640, may want to use the cloud services geographic restrictions provided by cloud a610 or other reasons. For example, cloud a610 may provide a desired service in a geographic area where cloud B640 does not provide a service, or cloud B640 does not provide a particular service in a geographic area where a customer requires a service. There may also be several other use case scenarios why a customer of one cloud may want to use services provided by a different cloud.

In some embodiments, MEI 622 provides the capability and performs the functions to create a link between cloud a 610 and another cloud and via that link, enable users associated with customers of the other cloud to access and use services provided by cloud a 610 from the other cloud itself in a seamless manner. For example, MEI 622 enables user 648-1 associated with customer B1 646-1 of cloud 640 to access services in service a 614 provided by cloud a 610 in a seamless manner. In some implementations, a user interface (e.g., a console) may be provided that the user 648-1 may access from within cloud B640, which enables the user to see a list of services 614 provided by cloud a 610 and select a particular service that the user 648-1 wishes to access. In response to user selection, MEI 622 is responsible for performing the process of establishing link 670 between clouds a and B to enable access to the requested service. The process for setting up the link 670 is substantially automatically performed by the MEI 622. Customer B1 646-1 or associated user 648-1 does not have to worry about performing any system, networking, or other configuration changes necessary to facilitate creation, maintenance, and use of link 670 between cloud a 610 and B640. There is no burden on the user or customer in creating the link between the clouds. Links are created in a fast and efficient manner using the techniques described in this disclosure.

MEI 622 can use various techniques to make the creation and use of links seamless to users and clients, thereby providing an enhanced user experience. In some implementations, MEI 622 causes the user interface (e.g., graphical user interface GUI, etc.) and process flow (such as for requesting services from cloud a610 and for accessing requested services from cloud a 610) interacted with by customer B1 and related user 648-1 to be substantially similar to the interface and process flow that customer/user would experience in cloud B640. In this way, a customer or user who may be accustomed to the interface and process flow of cloud B640 does not have to learn a new interface and process flow to access service 614 from cloud a 610. MEI 622 can present different interfaces and process flows to users of different cloud environments. For example, a first set of user interfaces and flows substantially similar to those of cloud B may be presented to the user from cloud B640, while another set of user interfaces and flows substantially similar to those of cloud C may be presented to the user accessing cloud a610 from cloud C660. This is done to simplify accessing the service 614 of cloud a610 from other clouds and thus enhance the user's experience.

As another example, each cloud environment generally includes an identity management system configured to provide security of the cloud environment. The identity management system is configured to protect resources in the cloud environment, including resources provided by CSPs and resources of subscribing cloud clients deployed in the cloud environment. The functions performed by the identity management system include, for example, managing identity credentials (e.g., usernames, passwords, etc.) associated with subscribing clients and related users of the cloud, using the identity credentials to regulate user access to cloud resources and services based on permissions/access policies configured for the cloud environment, and other functions. Different clouds may use different identity management systems and associated technologies. For example, the identity management system and associated processes in cloud a 610 may be completely different from the identity management system and associated processes in cloud B640, and the identity management system and associated processes in cloud B640 may in turn be completely different from the identity management system and associated processes in cloud C660. In some implementations, although there are differences in identity management systems and associated processes between different cloud environments, the techniques described herein enable users associated with clients of a first cloud to access cloud services provided by different clouds using the same identity credentials associated with the clients and users in the first cloud.

For example, in the embodiment depicted in FIG. 6, cloud B640 provided by CSP B may include an identity management system that assigns or distributes identity credentials to its subscribing customers and related users (such as customer B1 646-1 and related user 648-1). These identity credentials are associated with the lease created in cloud B640 for client B1 646-1. In some implementations, MEI 622 provided by cloud A610 enables user 648-1 associated with cloud B customer B1 646-1 to access services from services A614 in cloud A610 using identity credentials associated with user 648-1 and customer B1 646-1 in cloud B640. This greatly enhances the user experience of user 648-1 because they do not have to create new identity credentials specific to cloud a 610 just to access service 614 in cloud a 610. MEI 622 facilitates such access.

As an example, customer B1 of cloud B640 may select to use a service, such as database as a service (DBaaS), from a set of services 614 provided by cloud a 610. In response to this selection, MEI 622 causes link 670 to be automatically created between cloud a 610 and cloud B640 to enable user 648-1 associated with customer B1 646-1 to use the DBaaS service provided by cloud a 610. The automatic setup of link 670 is facilitated by MEI 622. After setting up link 670, user 668-1 may use the DBaaS service in cloud a 610 via cloud B640. As part of using this service, user 668-1 may send a request to create database resources to cloud a 610 via cloud B640. In response, cspi_a 612 may create the requested database in cloud a 610. In some implementations, the created database can be provisioned in a virtual network (e.g., a virtual cloud network or VCN) created in cloud a 610 for customer B1, and user 668-1 can be accessed via cloud B640. User 668-1 may then send a request from cloud B640 to cloud a 610 to use the provisioned database. These requests may include, for example, requests to write data to a database, update data stored in a database, delete data in a database, delete a database, create additional databases, and the like. In some use cases, these requests may originate from user 668-1 via cloud B640 or from service 644 provided by cloud B640. In this way, MEI 622 provided by cloud a 610 enables users associated with customers of different clouds provided by different CSPs to seamlessly access services provided by cloud a 610.

The distributed environment 600 depicted in fig. 6 is only an example and is not intended to unduly limit the scope of the claimed embodiments. Many variations, alternatives, and modifications are possible. For example, in alternative embodiments, distributed environment 600 may have more or fewer cloud environments. The cloud environment may also have more or fewer systems and components, or may have different configurations or arrangements of systems and components. The systems and components depicted in fig. 6 may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores) of the respective systems, using hardware, or a combination thereof. The software may be stored on a non-transitory storage medium (e.g., on a memory device).

Multi-cloud control plane (MCCP)

Fig. 7 depicts a high-level architecture of a multi-cloud control plane (MCCP) according to some embodiments. As shown in fig. 7, the high-level architecture 700 includes a first cloud environment provided by a first cloud service provider (e.g., OCI) 720 and a second cloud environment provided by a second cloud service provider 710 (i.e., azure). The first cloud environment 720 includes a first cloud infrastructure 720A that provides a plurality of services to users of the first cloud environment 720. Further, the first cloud environment 720 includes a multi-cloud infrastructure 720B that provides the ability to deliver services of the first cloud infrastructure 720A (e.g., oracle Cloud Infrastructure (OCI)) to users of other cloud environments (e.g., the second cloud infrastructure 710A). The multi-cloud infrastructure 720B allows users to access services (e.g., oracle PaaS services) on other clouds with a user experience that is as close as possible to the user's native cloud environment, while providing simple integration between cloud environments.

The second cloud infrastructure 710A includes a second cloud portal 711, an active directory 712, a resource manager 713, customer subscriptions 715, subscriptions of a first cloud provider 717. The second cloud portal 711 is a centralized access point that clients of the second environment 710 can log in and manage their cloud deployments and instances. It is noted that the second cloud portal may provide options for monitoring and operating services provided by the second cloud infrastructure. Active directory 712 is a service provided by second cloud infrastructure 710A that provides an administrator with the ability to manage end user identities and access privileges. Its services may include core directory, access management, and identity protection. The resource manager 713 is a deployment and management service of the second cloud infrastructure, i.e., provides a management layer for users to perform operations (e.g., create, update, delete, etc.) on resources deployed in the client subscription 715. It is noted that customer subscriptions may also be referred to as Virtual Networks (VNETs) in which customer applications are deployed and executed. Subscriptions of first cloud provider 717 in second cloud infrastructure 710A include fast routing (express route) and spoke and hub (spoke and hub) VNETs that provision network connections to be established with second cloud infrastructure 710A (e.g., from a preset location, from an external cloud environment). It is noted that such connections may not be routed through the public internet, thereby providing higher reliability, faster speed, consistent latency, and higher security for the user.

First cloud infrastructure 720A includes control plane 724, customer lease 726, and multi-cloud infrastructure 720B. The control plane 724 of the first cloud infrastructure 720A is a native control plane of the first cloud environment that provides management and orchestration across cloud environments. Configuration baselines are set here, user and role access are provided, and applications reside so that they can be executed along with the relevant services. The cloudy infrastructure 720B includes a cloudy platform data plane 722 and a cloudy platform data plane 728. As previously described, the multi-cloud infrastructure 720B provides functionality that enables users of other cloud environments (e.g., the second cloud environment 710) to access services provided by the first cloud environment with a user experience of the native cloud environment (e.g., the second cloud environment 710) that is as close as possible to the users, while providing simple integration between cloud environments.

The MCCP architecture of fig. 7 also includes a multi-cloud console 721 (unlike the second cloud portal 711) that allows users authenticated in the second cloud infrastructure 710 to perform control plane operations on the resources of the first cloud infrastructure 720 exposed via the multi-cloud infrastructure 720B. In some implementations, as shown in fig. 7, all user 705 requests transmitted to the cloudy console 721 are directed to the cloudy infrastructure included in the first cloud environment. It should be appreciated that the user 705 may transmit a request (e.g., CRUD request) for resources provided by the first cloud infrastructure directly to the multi-cloud console 721. The multi-cloud console 721 is configured to process requests having a syntax or format similar to that used locally by the second cloud infrastructure. In other words, the multi-cloud console 721 has a similar look and feel, and uses similar terminology as the second cloud portal 711 included in the second cloud infrastructure 710A. In some implementations, a link (e.g., weblink) may be provided in the second cloud console 711 that directs the user to the multi-cloud console 721.

The multi-cloud infrastructure 720B included in the first cloud infrastructure 720A includes a plurality of micro services such as a rights module 722A, a proxy module 722B, a platform services module 722C, a cloud-link adapter 722D, an adapter pool 722E (including adapter 1, adapter 2, adapter 3, and adapter 4), and a network link adapter 722F. Adapter pool 722E may include adapters such as Exa-data cloud service adapters, autonomic database sharing adapters, autonomic database specific adapters, and virtual machine database adapters.

Each adapter included in adapter pool 722E is responsible for exposing a unique set of underlying resources (provided by first cloud infrastructure 720A) to users of other cloud environments (e.g., second cloud environments). Specifically, each adapter in adapter pool 722E maps to a particular product or resource provided by first cloud infrastructure 720A. Note that the actual resources are created by the native control plane 724 of the first cloud infrastructure. For example, with respect to database-as-a-service (DBaaS), a DBaaS control plane included in control plane 724 is configured to instantiate Exa database resources in customer tenancy 726 of the first cloud environment.

Incoming requests received by multi-cloud infrastructure 720B are processed by rights module 722A to perform authentication and access control. Each request includes a token associated with an account of a user in the second cloud infrastructure. The rights module extracts the token and verifies the token in conjunction with the active directory 712 (i.e., the identity provider system of the second cloud infrastructure 710A). Upon verification success, the rights module 722A may examine the role (i.e., set of privileges) associated with the user. It is noted that a role may be associated with one or more tasks/operations licensed for that role. According to one embodiment, the rights module 722A is responsible for authenticating an incoming request for MCCP and authorizing whether the user is allowed to perform the requested operation based on the role associated with the token. In some implementations, the rights module 722A can perform the authentication process described above by utilizing custom authentication features of the service platform (i.e., SPLAT associated with the first cloud infrastructure). The SPLAT accepts the incoming request and forwards it to the permission module 722A, which permission module 722A further parses the incoming request to determine a permission decision and returns a success or failure message to the SPLAT. If successful, the SPLAT passes the request to the routing agent 722B, and if failed, the SPLAT returns an error response directly to the caller.

An agent module 722B (also referred to as a routing agent module) included in the multi-cloud infrastructure 720B is a component that receives incoming requests from the multi-cloud console 721 and routes the requests to the particular adapters included in the adapter pool 722E. According to one embodiment, the proxy module 722B accepts a pre-authenticated request from the service platform (i.e., SPLAT) of the first cloud infrastructure and routes the request to the appropriate adapter based on path information included in the incoming request. In some implementations, the proxy module 722B extracts an identifier (from an incoming request) corresponding to the service provider and routes the request to the appropriate adapter in the adapter pool 722E.

Cloud-link adapter 722D included in multi-cloud infrastructure 720B is responsible for handling lifecycle operations of resources provided by the first cloud infrastructure. Cloud-link adapter 722D is configured to create a mapping (or relationship created in the registration process) between the active catalog tenant of the second cloud infrastructure (and its associated subscription) and the corresponding lease/account of the user in the first cloud infrastructure. In other words, cloud-link adapter 722D generates a mapping of a first identifier associated with a lease of a user in a first cloud infrastructure to a second identifier associated with an account of a user in a second cloud infrastructure.

In some implementations, cloud-link adapter 722D performs translations between external cloud identifiers (e.g., second identifiers associated with accounts of users in the second cloud infrastructure) and first identifiers (associated with tenants of users in the first cloud infrastructure) to enable mapping to appropriate underlying resources in the first cloud infrastructure through operation of cloudiness control plane 722. In some embodiments, the cloud-link adapter generates a data object to store the mapping information described above. Additionally, cloud-link adapter 722D also generates a resource body associated with the data object. The resource principal is assigned one or more permissions based on the tokens (and their associated roles) included in the request. A user accesses downstream services provided by a first cloud infrastructure from a second cloud infrastructure based on a resource principal (resource-principal). Cloud-link adapter 722D may store data objects and associated resource principals in the root compartment of the lease of the user in the first cloud infrastructure. Alternatively or additionally, cloud-link adapter 722D may also save data objects and resource principals locally on platform services module 722C of the multi-cloud infrastructure for seamless access by other adapters included in the multi-cloud infrastructure.

A network link module (also referred to as a network adapter) 722F is responsible for creating a network link between the customer subscription 715 (in the second cloud infrastructure) and the corresponding customer lease/account 726 (in the first cloud infrastructure). According to some embodiments, network link module 722F obtains the token (from platform services module 722C) and creates (1) a first peering relationship (in a first cloud environment) between multi-cloud platform data plane 728 and customer lease 726, and (2) a second peering relationship (in a second cloud environment) between customer subscription 715 and the subscription of first cloud service provider 717 included in the second cloud infrastructure.

The network link module 722F is also configured to establish network connectivity between the first cloud environment and the second cloud environment, i.e., the network link module 722F can configure the interconnect 719 to communicatively couple the two cloud environments. It should be appreciated that after a network link is formed between the two cloud environments, an application executing in a customer's subscription (e.g., in a VNET of the second cloud infrastructure) can access a resource, such as Exa database resources deployed in customer lease 726 of the first cloud infrastructure. Additionally, as shown in FIG. 7, within lease 726, telemetry functionality is provided. This functionality involves maintaining logs, metrics, and other performance parameters related to resources deployed in customer leases and their corresponding use cases. According to some embodiments, the MCCP generates an image of the logs and metrics associated with different resources in the first cloud environment and publishes the metrics, logs, events, etc., for further processing, e.g., in a dashboard (e.g., in an application insight module included in the client subscription 715 of the second cloud environment).

In some embodiments, platform services module 722C included in the multi-cloud infrastructure is configured to store credentials associated with services provided to the first cloud infrastructure of the second cloud infrastructure. Platform services module 722C provides, for example, a token/resource body for the different adapters included in adapter pool 722E so that the adapters can communicate with native control plane 724 of the first cloud infrastructure. By some embodiments, platform services module 722C exposes APIs called by different adapters to perform tasks, such as:

sell the minimum range of access tokens to the adapter (issued by the second cloud infrastructure). For example, network adapter 722F requests the access token to perform the network peering operations described above.

Providing a resource principal that the adapter will use to invoke downstream services to create resources in customer leases of the first cloud infrastructure.

Triggering replication of observability data (logs, metrics, events) from the first cloud infrastructure to the second cloud infrastructure.

As previously described, the adapter pool includes a plurality of adapters, each adapter responsible for exposing a unique set of underlying resources of the first cloud infrastructure to users of the second cloud infrastructure, i.e., each adapter maps to a particular product or resource provided by the first cloud environment. For example, exa database adapter serves as a proxy for the second cloud infrastructure user to create and utilize Exa database resources. Exa the database is a preconfigured combination of hardware and software that provides the infrastructure for executing the database. According to some embodiments, exa database includes a set of resources: (a) an Exadata infrastructure (i.e., hardware), (b) a VM cloud cluster, (c) a container database, and (d) a pluggable database. According to some embodiments, the multi-cloud infrastructure provides the ability (of users of the second cloud infrastructure) to analyze each level of stacked infrastructure. Moreover, the MCCP provides flexibility for the user, who only needs to issue a create command for a workflow (via the multi-cloud console 721), after which the MCCP automatically creates a single resource at each level of the stack. It should be appreciated that while the adapter pool 722F depicted in fig. 7 includes four different adapters, this in no way limits the scope of the MCCP architecture 700. The MCCP architecture may include other adapters, for example, dedicated adapters that are dedicated for use by a particular cloud service provider based on the requirements of the cloud service provider.

Fig. 8A and 8B depict an exemplary flow chart for linking two user accounts in different cloud environments, according to some embodiments. The two user accounts may correspond to a first user account in a first cloud infrastructure (e.g., lease) and a second user account in a second cloud infrastructure. FIG. 8A depicts a process of linking two user accounts, where a lease for a user is first created in a first cloud infrastructure and then linked to an account for the user in a second cloud infrastructure. Fig. 8B depicts a process of linking two user accounts, where a lease for a user has been created in a first cloud infrastructure, i.e., the lease already exists.

Fig. 8A depicts a data flow performed when a user (such as a system administrator) representing a customer makes a call from a second cloud infrastructure to a multi-cloud infrastructure (included in a first cloud infrastructure) to register for services provided in the first cloud infrastructure. A special console (referred to herein as a multi-cloud console) may be provided for users of the second cloud infrastructure to open accounts within the first cloud infrastructure and link accounts of users in the first cloud infrastructure to accounts of users in the second cloud infrastructure. It is noted that linking accounts in the first and second cloud infrastructures enables users to utilize one or more services provided by the first cloud infrastructure (from the second cloud infrastructure). In some embodiments, the user uses a multi-cloud console registration service. In response to the registration, a URL may be sent to the user that enables the user to log into the multi-cloud console. The multi-cloud console exposes UIs and APIs similar to those of the second cloud infrastructure.

The multi-cloud console may provide various UIs (e.g., GUIs) that provide user-selectable options that enable a user of the second cloud infrastructure to open accounts in the first cloud infrastructure and further link user accounts in the first and second cloud infrastructures. For example, the multi-cloud console may provide a registration UI that enables a user to create an account/lease in a first cloud infrastructure and link an account of the user (in the first cloud infrastructure) to an account of the user in a second cloud infrastructure. Once the process triggered in response to the registration/linking request is completed, the user's accounts in the respective cloud infrastructure are linked together. As part of the processing, the multi-cloud console enables a user (e.g., a system administrator) to log into the second cloud infrastructure and request: (a) Creating an account of the user (in the first cloud infrastructure) and linking the account of the user; or (b) for an account that the user already owns in the first cloud infrastructure, requesting to link the first cloud infrastructure account of the user to the second cloud infrastructure account of the user.

Thus, in some use cases, there are two possibilities: (a) The user already has an existing account or lease in the first cloud infrastructure and now via the multi-cloud console registration UI, the user requests to create a link between the user's accounts (details regarding this process will be described below with reference to fig. 8B), or (B) the user requests to create a new account in both the first cloud infrastructure and link the newly created account with the user's account in the second cloud infrastructure. Details regarding this process will be described below with reference to fig. 8A. It should be appreciated that linking of accounts enables a user to use resources in a first cloud via a second cloud. For example, via the second cloud, the user may request that resources be created or provisioned in the first cloud, that resources in the first cloud be utilized and managed, that resources in the first cloud be deleted, and so on.

As shown in fig. 8A, in step 1, in response to a request provided by a user to a multi-cloud console (e.g., a registration UI of the multi-cloud console), create a new account for the user in a first cloud infrastructure and link it to an input of the user account in a second cloud infrastructure, the multi-cloud console invokes an account service (in the first cloud infrastructure) to create the new account. Note that the call includes a token generated by the second cloud infrastructure. A token generated by the second cloud infrastructure and included in the call to the account service enables an account or lease created in the first cloud infrastructure to be linked to an account of a user in the second cloud infrastructure.

In step 2, as part of the process of setting up a new account for the user, the account service may invoke a rights/proxy module included in the cloudy control plane (e.g., rights module 722A included in the cloudy infrastructure of fig. 7) to validate the token. The rights/proxy module validates the token (as described above with reference to fig. 7) and can continue further processing only after successful validation of the token. Upon successful verification of the token, the account service creates a new account for the user in the first cloud infrastructure. As part of creating the new account, a native user may be created and associated with the newly created account. Note, however, that this native user's credentials are not used. More specifically, the identity of the user in the second cloud infrastructure is used to manage the account in the first cloud infrastructure and its resources (from the second cloud infrastructure).

After the account service in the first cloud infrastructure successfully creates a new account, the account service invokes a cloud-link adapter (included in the multi-cloud infrastructure) to create a link (also referred to as a cloud-link) between the user's account in the second cloud infrastructure and the newly created account in the first cloud infrastructure, step 3. In some implementations, the cloud-link adapter exposes APIs to account services and multi-cloud consoles. These APIs may be invoked by an account service (or by a multi-cloud console) to request a link to an account. It is noted that in some embodiments, the token is not included in the call of step 3, because the call requesting the link is not issued by the user, but is indicated by the account service. In this case, the cloud-link adapter does not perform another authentication requiring another token, because it relies on the account service having performed the necessary authentication for the user as part of the process of setting up an account using the token received in step 1.

In some embodiments, the process of linking two accounts performed by the cloud-link adapter in step 3 includes:

(a) The cloud-link adapter creates a data object (also referred to herein as a cloud-link resource object for storing metadata information identifying the two accounts linked). For example, the data object stores metadata information that includes a mapping of a first identifier associated with a lease (i.e., an account) created in a first cloud infrastructure and a second identifier associated with a user account for a second cloud service provider.

(B) The cloud-link adapter creates a new compartment for storing and containing resources on the first cloud infrastructure side that the user can/will manage using the multi-cloud console. In some implementations, the cloud-link resource object is created under a root directory of an account of the customer in the first cloud infrastructure.

(C) The cloud-link adapter creates a new resource body (referred to herein as a cloud-link resource body) for the resources that the user of the second cloud infrastructure desires to use.

(D) The cloud-link adapter may perform one or more federated setups that facilitate linking domains in a first cloud infrastructure to an active directory (e.g., the active directory 712 of a second cloud infrastructure as shown in fig. 7). The process of joining the accounts of the first cloud infrastructure and the second cloud infrastructure allows users/groups of users in the second cloud infrastructure to authenticate in the first cloud infrastructure and allows users/groups from the first cloud infrastructure to authenticate in the second cloud infrastructure.

In some implementations, permissions are associated with the cloud-link resource host based on credentials/tokens of the user in an account of the second cloud infrastructure. When a user requests a new account using a multi-cloud console or requests linking of the user's account in a first cloud infrastructure to the user's account in a second cloud infrastructure, the user provides consent to set up a resource principal. In addition, as shown in step 4, the cloud-link resource body is transmitted to the downstream service to enable the user to utilize the downstream service(s) from the second cloud infrastructure (e.g., the service(s) provided by the first cloud infrastructure).

Turning to fig. 8B, processing related to linking an existing account or lease in a first cloud infrastructure to an account of a user in a second cloud infrastructure is depicted. As shown in fig. 8B, the user requests to link accounts of the user in the first cloud infrastructure and the second cloud infrastructure via a registration UI provided by the multi-cloud console. In response, in step 1, the multi-cloud console invokes the cloud-link adapter to link the account. Such a call may be made using one of the APIs exposed by the cloud-link adapter to the registration UI. In certain implementations, the information passed to the cloud-link adapter in step 1 includes information identifying the user account in the second cloud infrastructure as well as the user account in the first cloud infrastructure, tokens issued by the second cloud infrastructure, and the like.

In step 2, the cloud-link adapter invokes a rights/proxy module included in the multi-cloud infrastructure to authenticate the token received in step 1. As part of this authentication, the rights/proxy module determines whether the requesting user has sufficient rights on the second cloud infrastructure side to issue the link request. As part of the verification, roles and permissions set on the second cloud infrastructure side may be checked. In response to the user being successfully authenticated, the cloud-link adapter retrieves a resource principal associated with the resource that the user desires to use from the data objects previously created for the user. In addition, as shown in step 3, the cloud link resource body is transmitted to the downstream service to enable the user to utilize the downstream service(s) from the second cloud infrastructure (e.g., the service(s) provided by the first cloud infrastructure).

Fig. 9A depicts an exemplary system diagram illustrating components of a multi-cloud control plane (MCCP) according to some embodiments. The MCCP 900 includes a Service Platform (SPLAT) 910, a routing agent 915, a cloud-link adapter 920, a database adapter 925, a network adapter 930, and an MCCP platform 935. After the user has successfully completed the registration process as described above with reference to fig. 8A and 8B, the user may issue a command to access, create, or update a resource in the lease of the user in the first cloud infrastructure using multi-cloud console 905. For ease of illustration, a scenario is described below in which a user makes a request to create Exa a database resource using a multi-cloud console.

In some implementations, the user accesses the multi-cloud console 905 and provides login information, e.g., credentials of the user in the second cloud infrastructure. The multi-cloud console 905 provides a number of options, such as creating resources, accessing resources, updating resources, and the like. Such options may be provided to the user in the form of selectable icons (e.g., buttons) in the multi-cloud console 905. When the user performs a selection (e.g., creates a resource), an API call to the service platform 910 is triggered. It should be appreciated that the request issued to the service platform 910 is not a native call to the first cloud infrastructure. More specifically, the call is a REST-type call that includes an authorization header that includes a token associated with the user in the second cloud infrastructure.

The REST call including the token is further forwarded to a routing agent module 915 which performs authentication and access control operations. According to some embodiments, the routing agent module 915 performs authentication operations by extracting tokens included in REST calls. The routing agent module 915 verifies the token by comparing the signature (used to sign the request) to a publicly available signature of the second cloud infrastructure to ensure that the request originated from a valid client associated with the second cloud infrastructure. Additionally, the routing agent module 915 may also check a role (i.e., privilege) associated with the token, e.g., whether the role corresponds to an Exadata DB administrator or the like. Based on the roles, the routing agent module 915 can route requests to the appropriate adapters included in the MCCP framework 900.

According to one embodiment, the routing agent module 915 compares the roles (associated with the tokens) to a list of preconfigured roles issued and assigned (as part of the API specification) for each adapter. For example, if the role associated with the token corresponds to "Exadata DB administrator," then the request may be understood as a request to create Exa a database, thus forwarding the request to database adapter 925. Further, according to some embodiments, the routing agent module 915 may analyze information included in REST calls, such as provider ID, type of resource requested, etc., and based on the analyzed information, the routing agent module 915 may forward the request to the appropriate adapter.

In some implementations, the request obtained by the routing agent module 915 may not include information identifying the lease of the user in the first cloud infrastructure in which the resource is to be deployed. Thus, the routing agent module 915 communicates with the cloud-link adapter 920 to obtain mapping information of user accounts in the second cloud infrastructure to user leases in the first cloud infrastructure. If mapping information exists, routing agent module 915 retrieves information related to the lease of the user in the first cloud infrastructure and passes the information to database adapter 925. In this way, database adapter 925 is aware of user leases in the first cloud infrastructure where the resource is to be created/deployed. If, however, cloud-link adapter 920 determines that mapping information is not present, routing agent module 915 may simply issue an "unauthorized access" message as a response to the request to create the database resource, which is transmitted back to the user.

It is noted that in some implementations, cloud-link adapter 920 creates a data object (referred to herein as a cloud link resource object) for storing metadata information identifying the two accounts linked. For example, the data object stores metadata information including a mapping of a first identifier associated with a lease (i.e., an account) in a first cloud infrastructure to a second identifier associated with an account of a user of a second cloud service provider. In addition, cloud-link adapter 920 also creates a resource principal (referred to herein as a cloud link resource principal) for resources (e.g., databases) that users of the second cloud infrastructure desire to create/manage. Cloud-link adapter 920 may maintain data objects and resource principals within a root compartment leased by a user in the first cloud infrastructure. In some embodiments, cloud-link adapter 920 may also store data objects and/or resource principals locally in MCCP platform 935.

In some embodiments, database adapter 925 may communicate with network adapter 930 to create a network link between a user account in the second cloud infrastructure and a user lease in the first cloud infrastructure. For example, the network adapter 930 may obtain the token associated with the user from the native service 945 in the second cloud infrastructure module and create: (1) A first peering relationship (in a first cloud environment) between a data plane of the MCCP and a lease of a user in a first cloud infrastructure, and (2) a second peering relationship (in a second cloud environment) between an account of the user and a subscription of a first cloud provider included in a second cloud infrastructure.

The network adapter 930 is also configured to establish network connectivity between the first cloud infrastructure and the second cloud infrastructure, i.e., the network adapter 930 may configure an interconnect (e.g., interconnect 719 in fig. 7) communicatively coupling the two cloud environments. It should be appreciated that after a network link is formed between a user lease in a first cloud infrastructure and a user account in a second cloud infrastructure, an application executing in the user's subscription/account can access a resource, such as a Exa database deployed in the lease of the first cloud infrastructure. Furthermore, the creation of peering relationships provides metrics, such as database usage metrics, that are accessible in the second cloud infrastructure (e.g., in dashboard applications executing in subscriptions of users in the second cloud infrastructure).

In some implementations, the database adapter 925 can obtain a body of resources that are stored locally in the MCCP platform 935. The database adapter 925 may transmit a request (including a resource principal) to one or more downstream services 940 included in the first cloud infrastructure to create a resource in the lease of the user in the first cloud infrastructure. In other words, the downstream service 940 included in the first cloud infrastructure creates/deploys the required resources, e.g., exa database, in the user tenancy in the first cloud infrastructure using the identities (i.e., resource principals) obtained from the MCCP platform 935. After a user issues a request to create Exa a database, the user may intermittently poll the MCCP 900 to obtain the status of the request. After the downstream service 940 of the first cloud infrastructure creates resources in the user lease in the first cloud infrastructure and the network adapter 930 establishes the peering relationship, the MCCP 900 may inform the user that the request has completed successfully.

Fig. 9B illustrates an exemplary flowchart depicting steps performed by the cloudy infrastructure, in accordance with certain embodiments. The process depicted in fig. 9B may be implemented in software (e.g., code, instructions, programs), hardware, or a combination thereof, that is executed by one or more processing units (e.g., processors, cores) of the respective system. The software may be stored on a non-transitory storage medium (e.g., on a memory device). The method presented in fig. 9B and described below is intended to be illustrative and non-limiting. While fig. 9B depicts various process steps occurring in a particular order or sequence, this is not intended to be limiting. In some alternative embodiments, the steps may be performed in a different order, or some steps may be performed in parallel.

The process begins in step 975, where a first cloud service provider provides a set of one or more cloud services using a first cloud infrastructure. In step 980, a multi-cloud infrastructure is provided within the first cloud infrastructure. The multi-cloud infrastructure enables a user associated with an account with the second cloud service provider to use a first service from the set of one or more cloud services from the second cloud infrastructure. In other words, the multi-cloud infrastructure forms a gateway for users of other cloud service providers to utilize one or more cloud services provided by the first cloud infrastructure from its native cloud environment. It may be appreciated that the first service may correspond to creating and utilizing database resources deployed in the first cloud infrastructure (e.g., in tenants associated with the user and created in the first cloud infrastructure).

The process then moves to step 985, where the cloudy infrastructure creates a link between the account (of the user) for the second cloud service provider and the lease created in the first cloud infrastructure to enable the user to use the first service. In some implementations, the multi-cloud infrastructure generates a data object that stores metadata information corresponding to the link. The metadata information may include a mapping of a first identifier associated with a lease created in the first cloud infrastructure to a second identifier associated with an account (of a user) for the second cloud service provider.

Database adapter

According to some embodiments of the present disclosure, a fleet (fleet) of services is provided by CSP (e.g., first cloud infrastructure 720A provided by a first cloud service provider of fig. 7) to users of other cloud infrastructures (e.g., second cloud infrastructure 710A provided by a second cloud service provider). One such service corresponds to the ability to deliver database as a service (DBaaS) offerings for users in other cloud providers. These services are provided via a cloud provider-specific portal or console that allows users to access and manage resources deployed in the first cloud infrastructure. For example, referring to fig. 7, the multi-cloud console 721 supplies users in the second cloud infrastructure 710A to deploy, access, and manage resources (e.g., databases) in the first cloud infrastructure 720A. The purpose of providing DBaaS services is to provide users with an experience that is as close as possible to their native cloud service provider.

In general, any service of the first cloud infrastructure that needs to provide its management capabilities in the multi-cloud console may not be able to do it directly using its existing APIs and constructs. There is a need for a translation layer that will shape the control plane APIs and resources of the target service through cloud provider constructs. Thus, as shown in fig. 7, an adapter pool 722E (one adapter for each service type provided by the first cloud infrastructure) is implemented and integrated into the multi-cloud infrastructure. In this disclosure, the term adapter is defined to correspond to any multi-cloud infrastructure service that provides API(s) for consumption by users of the multi-cloud console. One such adapter included in the pool of adapters is a database adapter. The database adapter provides highly differentiated services (of the first cloud infrastructure) to users of the second cloud infrastructure. Some examples of database adapters are as follows: (i) Exa-CS adapter for Exadata cloud services, (ii) VMDB adapter for virtual machine database system, (iii) ADB-D adapter for autonomous databases on dedicated Exadata infrastructure, (iv) ADB-S adapter for autonomous databases on shared Exadata infrastructure, and (v) MYSQL HEATWAVE adapter.

A detailed description of the architecture of the database adapter is provided below. For simplicity, we assume that the user making the call to the multi-cloud console is the user of the second cloud environment. It will be appreciated that users of different cloud environments may also utilize the feature(s) provided by the database adapter.

Fig. 10A illustrates an exemplary architecture of a database adapter 1000 in accordance with some embodiments. The database adapter is configured to provide the exact status of the downstream resource(s). As will be described below, in some embodiments, the database adapter maintains minimum required states of resources and avoids storing and managing detailed resource states that are preferentially stored in downstream services. The database adapter deploys to a separate dedicated lease and maintains its own deployment pipeline. It is noted that the database adapter may be accessible via proxy endpoints included in the multi-cloud infrastructure.

Referring to fig. 7, it is noted that the database adapter may be one of the adapters included in the pool of adapters 722E included in the multi-cloud infrastructure. Note that adapter pool 722E provides a bridge for users of the second cloud infrastructure to utilize services provided by the first cloud infrastructure. As shown in fig. 14, the control plane of the database adapter exposes a different API for each external cloud provider to communicate with the DBaaS services provided by the first cloud infrastructure. For example, the database adapter exposes an API 1005 for users of the second cloud infrastructure (of fig. 7) to utilize DBaaS services.

The API 1005A provided for the user of the second cloud infrastructure includes one or more modules that provide different services to the user of the second cloud infrastructure for resources provisioned in the first cloud infrastructure. For example, the API 1005 includes a first module 1005A that provides operations such as "GET" and "LIST" and a second module 1005B that provides operations such as "CREATE", "UPDATE" and "DELETE". As will be described below, module 1005A processes "GET" and "LIST" requests, which are synchronous calls, acting as channels to the downstream services 1020 of the first cloud infrastructure, while module 1005B processes "CREATE", "UPDATE" and "DELETE" requests, which are asynchronous calls. The asynchronous call accepts the request and begins the workflow in the background to complete the operation.

The API 1005 also communicates with a network adapter 1025 to obtain peer-to-peer information. For example, when a user sends a request to create a resource (e.g., a database resource) in a first cloud infrastructure (from a second cloud infrastructure), the request may include an ID (e.g., an ID of a VCN) to provision the resource. Network link adapter 1025 peers the VCN created in the lease on the first cloud infrastructure side with the user's account in the second cloud infrastructure (e.g., azure VNET). In addition, the API 1005 may also communicate with the MCCP platform 1030 to retrieve resource principal session tokens (i.e., the identity of the resource), as described below.

Database adapter 1000 includes a key-value database 1010 (also referred to as a key-value store) configured to store canonical representations of resources provided by downstream services of the first cloud infrastructure. Specifically, key-value database 1010 holds adapter resources. An adapter resource is a lightweight object (e.g., a data object) of a target resource that stores mapping information of a first identifier of an account of a user (in a second cloud infrastructure) to a resource identifier of the resource. The data object may also include metadata information reflecting a status specific to the cloud provider.

Thus, for example, upon receiving a GET request (processed by module 1005A), the database adapter retrieves mapping information (i.e., information that maps the user's account in the second cloud infrastructure to a resource identifier) to process the request. In some implementations, information related to a resource identifier is used as a pointer to a resource and a set of auxiliary resources associated with the resource. With this pointer, information for a particular resource is obtained from downstream service 1020 (which includes multiple services, such as DBaaS, VCN, etc.). It can be appreciated that information for a particular resource is obtained from downstream service 1020 (via use of pointers in data objects stored in key-value database 1010) and communicated to a user.

According to some embodiments, the operations (e.g., "CREATE", "UPDATE", and "DELETE" i.e., C/U/D/operations) provided in API 1005B schedule/execute unique workflows to execute in workflow-as-service (WFaaS) module 1015 of database adapter 1000. WFaaS the workflow handles asynchronous operation of C/U/D requests and coordinates operation across downstream services 1020. For example, in one embodiment, upon receiving a request of the C/U/D type, the corresponding workflow is supplied via WFaaS 1015. Details of the request are temporarily stored in key-value database 1010. After the workflow is scheduled, the workflow creates primary (and required secondary resources) in the downstream service 1020. After the downstream resource is created, temporary information (related to the request) stored in key-value database 1010 may be deleted.

It is noted that the C/U/D type workflows communicate with the network adapter 1025 and the MCCP platform 1030 to retrieve virtual network information (e.g., lease information (of a user) in a first cloud infrastructure where a resource is to be deployed) and to retrieve a resource principal session token (RSPT) associated with the resource, respectively. In some implementations, a proxy module (e.g., proxy module 722B of fig. 7) included in the multi-cloud infrastructure acts as a front gate for all incoming API requests to database adapter 1000. The agent negotiates a session with an endpoint of the database adapter. The incoming request (i.e., a request from a user of the second cloud infrastructure forwarded to the proxy via the multi-cloud console) contains information such as a token generated by the second cloud infrastructure and information related to the account of the user in the second cloud infrastructure.

As previously described, the proxy module performs authentication of the token and authorization of the API request before routing the API request to the database adapter. In some implementations, the proxy also includes a resource context along with the original request. The resource context is a security token signed by the shared region key to ensure end-to-end message integrity while carrying claims required to fulfill the request. It can be appreciated that the resource context ensures that the database adapter operates under the body of cloud-link resources in the customer tenancy of the first cloud infrastructure. The database adapter may use the resource context to retrieve the resource principal session token from the MCCP platform 1030 (RPST). The database adapter may then issue a request to a service downstream of the first cloud infrastructure 1020, wherein the request includes RPST and/or information related to the lease of the user in the first cloud infrastructure to which the resource is to be deployed.

In some implementations, the database adapter 1000 of the present disclosure supplies secondary resources in addition to primary resources requested by users of the second cloud infrastructure. For example, database adapter 1000 may supply: (i) Creating a network link that peeks the lease of the first user in the first cloud infrastructure with the first account of the first user in the second cloud infrastructure, and (ii) provisioning the observability resource that enables the metric information of the resource created in the first cloud infrastructure to be transferred to the first account of the first user in the second cloud infrastructure. Further, it can be appreciated that the database adapter of the present disclosure stores resource information in a cloud-independent manner. Specifically, the database adapter creates a data object (in the K-V store 1010) for each requested downstream resource. Within the data object, the database adapter stores only provider-specific details (e.g., mapping information of a first identifier of a first account of a first user to a resource identifier of a resource in a second cloud infrastructure). Detailed information of the resource state (described below with reference to fig. 10C) is maintained by the downstream service, which may be accessed by the database adapter via pointers stored in the data objects.

FIG. 10B illustrates an exemplary request submitted to a database adapter in accordance with certain embodiments. Fig. 10B illustrates an exemplary request (e.g., GET request) issued by a user of a second cloud infrastructure to obtain information about database resources of the user deployed in the first cloud infrastructure. It is noted that in some embodiments, a user may submit a request to the multi-cloud console 721 of fig. 7 to obtain information about a resource. The multi-cloud console may in turn generate the request depicted in fig. 10B and transmit the request to the multi-cloud infrastructure for further processing. According to some embodiments, the request includes a subscription ID (e.g., an ID of an account of the user in the second cloud infrastructure), a resource group name, and a name of a resource included in the first cloud infrastructure. In one embodiment, the entire request depicted in fig. 10B is used as an identifier of the user's account in the second cloud infrastructure, which is mapped to the resource ID of the downstream resource.

FIG. 10C illustrates an exemplary response provided by a database adapter to the request of FIG. 10B, in accordance with certain embodiments. As shown in fig. 10C, mapping information 1075 relating to the identifier 1070 of the user's account in the second cloud infrastructure to the resource identifier 1085 of the resource is maintained in a data object stored in the key-value database. Note that the request depicted in fig. 10B corresponds to an identifier 1070 of the user's account in the second cloud infrastructure. When the API module 1005B of the database adapter 1000 initially obtains a "CREATE" request to deploy a resource (e.g., a database), the resource identifier portion 1085 included in the mapping information 1075 is initially set to NULL. After the downstream service deploys the resource in the first cloud infrastructure, the database adapter is configured to update the data object with the resource identifier of the resource. Note that the resource identifier 1085 serves as a pointer to provide a link to the detailed information 1080 of the resource maintained by the downstream service. The detailed information may include data related to a location of the resource, a name of the resource, a state of the resource, a number of processors associated with the resource, a size of the resource, network-link information of the resource, and the like. In this way, the da of the present disclosure avoids storing detailed information of the resource and relies on the resource identifier (i.e., pointer) to retrieve detailed status information of the resource from the downstream service(s) of the first cloud infrastructure.

As described previously with reference to fig. 10A, the API 1005 includes a first module 1005A that provides operations such as "GET" and "LIST" and a second module 1005B that provides operations such as "CREATE", "UPDATE" and "DELETE". Module 1005A processes "GET" and "LIST" requests, which are synchronous calls, acting as channels to the downstream services 1020 of the first cloud infrastructure, while module 1005B processes "CREATE", "UPDATE" and "DELETE" requests, which are asynchronous calls. The asynchronous call accepts the request and begins the workflow in the background to complete the operation. The core steps performed for the operations performed by modules 1005A and 1005B are described below, respectively.

For a "GET" request, the steps include:

The database adapter performs a lookup of the downstream resource ID based on the ID of the user's account in the data object stored in the K-V repository (i.e., the ID of the account in the second cloud infrastructure). If no entity is Found, the database adapter denies the request, for example, with message "404Not Found".

If an entity is found, and if the state is "creating" or "invalidating," then the resource details are retrieved from the data objects stored in the K-V store.

If an entity is found, and if the state is other than "creating" or "invalidating," then the database adapter invokes the downstream service by passing the resource identifier. Resource details are retrieved from the downstream service to provide the user with an accurate status of the resource.

For a "LIST" request, the steps include:

The database adapter performs a list operation for the key-value store and a list for the downstream service.

The database adapter filters the list retrieved from the downstream service to ensure that the result contains only resources created by the database adapter and excludes resources that the user might directly create in the lease of the first cloud infrastructure.

For a resource whose state is "creating" or "invalidating," resource details are retrieved from the data objects in the key-value store. For other resources, resource details are obtained from downstream entries to provide their exact state.

For an "UPDATE" request, the steps include:

The database adapter verifies the existence of the resource with the particular ID (i.e., the ID of the resource that is expected to be updated). If such resources do Not exist, the database adapter denies the request, for example, with message "404Not Found".

The database adapter updates the entity in the data objects stored in the key-value store with state "in-update", stores the update details, and enqueues WFaaS workflows for updating downstream resources.

Sensitive parts of the update details, such as database passwords, are stored encrypted. When the workflow is complete, the update details are deleted.

The workflow performs a series of steps to update the required resources (typically just the primary resources).

For a "DELETE" request, the steps include:

the database adapter verifies the existence of the resource with the particular ID (i.e., the ID of the resource that is desired to be deleted). If such resources do Not exist, the database adapter denies the request, for example, with message "404Not Found".

The database adapter "is terminating" updating the entity in the data object stored in the key-value store with state and adding WFaaS workflows to the queue for deleting downstream resources.

The workflow performs a series of steps to delete the primary and support resources.

The workflow deletes the resource entity from the data object stored in the key-value store, after which the mapping information of the terminated resource will no longer exist in the data object and the name of the resource can be reused for the new resource to be created.

For a "CREATE" request, the steps include:

The database adapter verifies that there are no resources with the same ID as the resource being created. If such resources are present, the database adapter denies the request, for example, with message "409Conflict".

The new entity created by the database adapter in the key-value store, i.e., the data object (state "being created"), stores the creation details and adds WFaaS workflows for supplying downstream resources to the queue.

Sensitive parts of the creation details, such as database passwords, are stored encrypted. When the workflow is completed, the creation details are deleted.

The workflow performs a series of steps to provision the support resources and the primary resources. Specifically, the workflow: (i) retrieve a resource principal associated with the resource, (ii) retrieve lease information for the resource to be deployed, (iii) transmit a request (including the resource principal and lease related information) to a downstream service to perform the request, (iv) create a network that peeks the lease of a first user in a first cloud infrastructure with a first account of the first user in a second cloud infrastructure, and (v) invoke the MCCP platform to provision the observability resource, i.e., an auxiliary resource that enables metric information of the resource created in the first cloud infrastructure to be transferred to the first account of the first user in the second cloud infrastructure.

The workflow updates the data object with the identity of the newly created downstream resource.

FIG. 11 illustrates an exemplary flowchart depicting steps performed by a database adapter in accordance with certain embodiments. The processes depicted in fig. 11 may be implemented in software (e.g., code, instructions, programs), hardware, or a combination thereof, that is executed by one or more processing units (e.g., processors, cores) of the respective systems. The software may be stored on a non-transitory storage medium (e.g., on a memory device). The method presented in fig. 11 and described below is intended to be illustrative and non-limiting. Although fig. 11 depicts various process steps occurring in a particular order or sequence, this is not intended to be limiting. In some alternative embodiments, the steps may be performed in a different order, or some steps may be performed in parallel.

The process begins in step 1105, where an adapter associated with a service is provided in a first cloud infrastructure. The adapter enables one or more users associated with one or more accounts in the second cloud infrastructure to request the service. In step 1110, the adapter receives a first request from a first user associated with a first account in a second cloud infrastructure. The first request corresponds to a request to create a resource in the first cloud infrastructure.

After receiving the first request, in step 1115, the adapter executes a workflow to provision the resource using the service. For example, referring to FIG. 10A, the control plane of adapter 1005 issues an asynchronous request to WFaaS module 1015 to execute a workflow.

The process then proceeds to step 1120, where a data object is created in a key-value store (e.g., K-V store 1010 of FIG. 10A) associated with the adapter. The data object is configured to store mapping information of a first identifier of a first account of a first user in the second cloud infrastructure to a resource identifier of the resource. In step 1125, the adapter obtains identification information of the lease associated with the user in the first cloud infrastructure. In step 1130, the adapter obtains a resource principal previously created and associated with the resource. The information obtained in steps 1125 and 1130 may be obtained by the adapter from a platform services module (e.g., platform 1030 of fig. 10A).

In step 1135, the adapter transmits a second request to a service provided by the first cloud infrastructure. The second request includes a body of resources and corresponds to a request sent by the adapter (to the service) to create the resources requested by the user. In some implementations, the adapter can correspond to a database adapter, the service can correspond to a database as a service (DBaaS), and the resource requested by the user of the second cloud infrastructure can correspond to the database. Further, the DBaaS may create/deploy a database in the lease of the user in the first cloud infrastructure. After creating the resource in the lease of the user in the first cloud infrastructure, in step 1140, the adapter updates the data object (created in step 1120) with information about the resource identifier of the resource deployed by the service.

Example of cloud infrastructure

As noted above, infrastructure as a service (IaaS) is a particular type of cloud computing. The IaaS may be configured to provide virtualized computing resources over a public network (e.g., the internet). In the IaaS model, cloud computing providers may host infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., hypervisor layer), etc.). In some cases, the IaaS provider may also provide various services to accompany these infrastructure components (e.g., billing, monitoring, documentation, security, load balancing, clustering, etc.). Thus, as these services may be policy driven, iaaS users may be able to implement policies to drive load balancing to maintain availability and performance of applications.

In some cases, the IaaS client may access resources and services through a Wide Area Network (WAN), such as the internet, and may use the cloud provider's services to install the remaining elements of the application stack. For example, a user may log onto the IaaS platform to create Virtual Machines (VMs), install an Operating System (OS) on each VM, deploy middleware such as databases, create buckets for workloads and backups, and even install enterprise software into that VM. The customer may then use the provider's services to perform various functions including balancing network traffic, solving application problems, monitoring performance, managing disaster recovery, and the like.

In most cases, the cloud computing model will require participation of the cloud provider. The cloud provider may, but need not, be a third party service that specifically provides (e.g., provisions, rents, sells) IaaS. An entity may also choose to deploy a private cloud, thereby becoming its own infrastructure service provider.

In some examples, the IaaS deployment is a process of placing a new application or a new version of an application onto a prepared application server or the like. It may also include a process of preparing a server (e.g., installation library, daemon, etc.). This is typically managed by the cloud provider, below the hypervisor layer (e.g., servers, storage, network hardware, and virtualization). Thus, the guest may be responsible for processing (OS), middleware, and/or application deployment (e.g., on a self-service virtual machine (e.g., that may be started on demand), etc.).

In some examples, iaaS provisioning may refer to obtaining computers or virtual hosts for use, even installing the required libraries or services on them. In most cases, the deployment does not include provisioning, and provisioning may need to be performed first.

In some cases, there are two different challenges for IaaS provisioning. First, there are initial challenges to provisioning an initial infrastructure set before anything runs. Second, once everything has been provisioned, there is a challenge to evolve the existing infrastructure (e.g., add new services, change services, remove services, etc.). In some cases, both of these challenges may be addressed by enabling the configuration of the infrastructure to be defined in a declarative manner. In other words, the infrastructure (e.g., which components are needed and how they interact) may be defined by one or more configuration files. Thus, the overall topology of the infrastructure (e.g., which resources depend on which resources, and how they work in concert) can be described in a declarative manner. In some cases, once the topology is defined, workflows may be generated that create and/or manage the different components described in the configuration file.

In some examples, an infrastructure may have many interconnected elements. For example, there may be one or more Virtual Private Clouds (VPCs) (e.g., potential on-demand pools of configurable and/or shared computing resources), also referred to as core networks. In some examples, one or more security group rules may also be supplied to define how to set security of the network and one or more Virtual Machines (VMs). Other infrastructure elements, such as load balancers, databases, etc., may also be supplied. As more and more infrastructure elements are desired and/or added, the infrastructure may evolve gradually.

In some cases, continuous deployment techniques may be employed to enable deployment of infrastructure code across various virtual computing environments. Furthermore, the described techniques may enable infrastructure management within these environments. In some examples, a service team may write code that is desired to be deployed to one or more, but typically many, different production environments (e.g., across various different geographic locations, sometimes across the entire world). In some examples, however, the infrastructure on which the code is to be deployed must first be set up. In some cases, provisioning may be done manually, resources may be provisioned with a provisioning tool, and/or code may be deployed with a deployment tool once the infrastructure is provisioned.

Fig. 12 is a block diagram 1200 illustrating an example mode of the IaaS architecture in accordance with at least one embodiment. The service operator 1202 may be communicatively coupled to a secure host lease 1204 that may include a Virtual Cloud Network (VCN) 1206 and a secure host subnet 1208. In some examples, the service operator 1202 may use one or more client computing devices, which may be portable handheld devices (e.g.,Cellular telephone,Computing tablet, personal Digital Assistant (PDA)) or wearable device (e.g., google)Head mounted display), running software (such as Microsoft Windows) And/or various mobile operating systems (such as iOS, windows Phone, android, blackBerry, palm OS, etc.), and supports the internet, email, short Message Service (SMS), SMS,Or other communication protocol. Alternatively, the client computing device may be a general purpose personal computer, including, for example, microsoft running various versions of MicrosoftAppleAnd/or a personal computer and/or a laptop computer of a Linux operating system. The client computing device may be running a variety of commercially available devicesOr a UNIX-like operating system, including but not limited to a workstation computer of any of a variety of GNU/Linux operating systems such as, for example, google Chrome OS. Alternatively or additionally, the client computing device may be any other electronic device, such as a thin client computer, an internet-enabled gaming system (e.g., with or withoutMicrosoft Xbox game console of the gesture input device), and/or a personal messaging device capable of communicating over a network that has access to the VCN 1206 and/or the internet.

The VCN 1206 may include a local peer-to-peer gateway (LPG) 1210 that may be communicatively coupled to a Secure Shell (SSH) VCN 1212 via the LPG 1210 contained in the SSH VCN 1212. The SSH VCN 1212 may include an SSH subnetwork 1214, and the SSH VCN 1212 may be communicatively coupled to the control plane VCN 1216 via the LPG 1210 contained in the control plane VCN 1216. Further, the SSH VCN 1212 may be communicatively coupled to a data plane VCN 1218 via the LPG 1210. The control plane VCN 1216 and the data plane VCN 1218 may be included in a service lease 1219 that may be owned and/or operated by the IaaS provider.

The control plane VCN 1216 may include a control plane demilitarized zone (DMZ) layer 1220 that acts as a peripheral network (e.g., part of a corporate network between a corporate intranet and an external network). DMZ-based servers can assume limited responsibility and help control security vulnerabilities. Further, DMZ layer 1220 can include one or more Load Balancer (LB) subnetworks 1222, control plane application layer 1224 that can include application subnetwork(s) 1226, control plane data layer 1228 that can include Database (DB) subnetwork(s) 1230 (e.g., front end DB subnetwork(s) and/or back end DB subnetwork (s)). The LB subnetwork(s) 1222 included in the control plane DMZ layer 1220 may be communicatively coupled to the application subnetwork(s) 1226 included in the control plane application layer 1224 and the internet gateway 1234 that may be included in the control plane VCN 1216, and the application subnetwork(s) 1226 may be communicatively coupled to the DB subnetwork(s) 1230 included in the control plane data layer 1228 and the serving gateway 1236 and Network Address Translation (NAT) gateway 1238. Control plane VCN 1216 may include a serving gateway 1236 and a NAT gateway 1238.

The control plane VCN 1216 may include a data plane mirror application layer 1240, which may include application subnet(s) 1226. The application subnet(s) 1226 included in the data plane mirror application layer 1240 can include Virtual Network Interface Controllers (VNICs) 1242 that can execute computing instances 1244. Compute instance 1244 may communicatively couple application subnet(s) 1226 of data plane mirror application layer 1240 to application subnet(s) 1226 that may be included in data plane application layer 1246.

Data plane VCN 1218 may include a data plane application layer 1246, a data plane DMZ layer 1248, and a data plane data layer 1250. Data plane DMZ layer 1248 may include LB subnet(s) 1222 that may be communicatively coupled to application subnet(s) 1226 of data plane application layer 1246 and internet gateway 1234 of data plane VCN 1218. The application subnet(s) 1226 may be communicatively coupled to a serving gateway 1236 of the data plane VCN 1218 and a NAT gateway 1238 of the data plane VCN 1218. Data plane data layer 1250 may also include DB subnetwork(s) 1230 that may be communicatively coupled to application subnetwork(s) 1226 of data plane application layer 1246.

The internet gateway 1234 of the control plane VCN 1216 and the data plane VCN 1218 may be communicatively coupled to a metadata management service 1252, and the metadata management service 1252 may be communicatively coupled to the public internet 1254. Public internet 1254 may be communicatively coupled to NAT gateway 1238 of control plane VCN 1216 and data plane VCN 1218. The service gateway 1236 of the control plane VCN 1216 and the data plane VCN 1218 may be communicatively coupled to the cloud service 1256.

In some examples, service gateway 1236 of control plane VCN 1216 or data plane VCN 1218 may make Application Programming Interface (API) calls to cloud service 1256 without going through public internet 1254. The API call from service gateway 1236 to cloud service 1256 may be unidirectional: service gateway 1236 may make an API call to cloud service 1256, and cloud service 1256 may send the requested data to service gateway 1236. Cloud service 1256 may not initiate an API call to service gateway 1236.

In some examples, secure host lease 1204 may be directly connected to service lease 1219, and service lease 1219 may be otherwise quarantined. The secure host subnetwork 1208 can communicate with the SSH subnetwork 1214 through the LPG 1210, the LPG 1210 can enable bi-directional communication over an otherwise isolated system. Connecting the secure host subnetwork 1208 to the SSH subnetwork 1214 can enable the secure host subnetwork 1208 to access other entities within the service lease 1219.

The control plane VCN 1216 may allow a user of the service lease 1219 to set or otherwise provision desired resources. The desired resources provisioned in the control plane VCN 1216 may be deployed or otherwise used in the data plane VCN 1218. In some examples, control plane VCN 1216 may be isolated from data plane VCN 1218, and data plane mirror application layer 1240 of control plane VCN 1216 may communicate with data plane application layer 1246 of data plane VCN 1218 via VNIC 1242, VNIC 1242 may be contained in both data plane mirror application layer 1240 and data plane application layer 1246.

In some examples, a user or customer of the system may make a request, such as a create, read, update, or delete (CRUD) operation, through the public internet 1254 that may communicate the request to the metadata management service 1252. Metadata management service 1252 may communicate the request to control plane VCN 1216 via internet gateway 1234. The request may be received by LB subnet(s) 1222 contained in the control plane DMZ layer 1220. The LB subnet(s) 1222 may determine that the request is valid, and in response to the determination, the LB subnet(s) 1222 may transmit the request to the application subnet(s) 1226 included in the control plane application layer 1224. If the request is authenticated and calls to the public internet 1254 are required, the call to the public internet 1254 may be transmitted to the NAT gateway 1238 which may make calls to the public internet 1254. The memory in which the request may desire to store may be stored in DB subnetwork(s) 1230.

In some examples, data plane mirror application layer 1240 may facilitate direct communication between control plane VCN 1216 and data plane VCN 1218. For example, it may be desirable to apply changes, updates, or other suitable modifications to the configuration to the resources contained in the data plane VCN 1218. Via VNIC 1242, control plane VCN 1216 may communicate directly with resources contained in data plane VCN 1218, and thus changes, updates, or other appropriate modifications to the configuration may be performed.

In some embodiments, control plane VCN 1216 and data plane VCN 1218 may be included in service lease 1219. In this case, a user or customer of the system may not own or operate the control plane VCN 1216 or the data plane VCN 1218. Alternatively, the IaaS provider may own or operate the control plane VCN 1216 and the data plane VCN 1218, both of which may be contained in the service lease 1219. This embodiment may enable isolation of networks that may prevent a user or customer from interacting with other users or other customers' resources. Furthermore, this embodiment may allow users or clients of the system to store databases privately without relying on the public internet 1254 for storage that may not have the desired threat prevention level.

In other embodiments, LB subnet(s) 1222 contained in control plane VCN 1216 may be configured to receive signals from serving gateway 1236. In this embodiment, the control plane VCN 1216 and the data plane VCN 1218 may be configured to be invoked by customers of the IaaS provider without invoking the public internet 1254. This embodiment may be desirable to customers of the IaaS provider because the database(s) used by the customers may be controlled by the IaaS provider and may be stored on the service lease 1219, which 1219 may be isolated from the public internet 1254.

Fig. 13 is a block diagram 1300 illustrating another example mode of the IaaS architecture in accordance with at least one embodiment. Service operator 1302 (e.g., service operator 1202 of fig. 12) may be communicatively coupled to a secure host lease 1304 (e.g., secure host lease 1204 of fig. 12), which secure host lease 1304 may include a Virtual Cloud Network (VCN) 1306 (e.g., VCN 1206 of fig. 12) and a secure host subnet 1308 (e.g., secure host subnet 1208 of fig. 12). The VCN 1306 may include a local peer-to-peer gateway (LPG) 1310 (e.g., LPG 1210 of fig. 12) that may be communicatively coupled to a Secure Shell (SSH) VCN 1312 (e.g., SSH VCN 1212 of fig. 12) via an LPG 1310 contained in the SSH VCN 1312. The SSH VCN 1312 may include an SSH subnetwork 1314 (e.g., SSH subnetwork 1214 of fig. 12), and the SSH VCN 1312 may be communicatively coupled to the control plane VCN 1316 via an LPG 1310 contained in the control plane VCN 1316 (e.g., control plane VCN 1216 of fig. 12). The control plane VCN 1316 may be included in a service lease 1319 (e.g., service lease 1219 of fig. 12) and the data plane VCN 1318 (e.g., data plane VCN 1218 of fig. 12) may be included in a customer lease 1321 that may be owned or operated by a user or customer of the system.

The control plane VCN 1316 may include a control plane DMZ layer 1320 (e.g., control plane DMZ layer 1220 of fig. 12), which may include LB subnet(s) 1322 (e.g., LB subnet(s) 1222 of fig. 12), a control plane application layer 1324 (e.g., control plane application layer 1224 of fig. 12) which may include application subnet(s) 1326 (e.g., application subnet(s) 1226 of fig. 12), a control plane data layer 1328 (e.g., control plane data layer 1228 of fig. 12) which may include Database (DB) subnet(s) 1330 (e.g., similar to DB subnet(s) 1230 of fig. 12). The LB subnet(s) 1322 included in the control plane DMZ layer 1320 may be communicatively coupled to the application subnet(s) 1326 included in the control plane application layer 1324 and the internet gateway 1334 (e.g., the internet gateway 1234 of fig. 12) that may be included in the control plane VCN 1316, and the application subnet(s) 1326 may be communicatively coupled to the DB subnet(s) 1330 and the serving gateway 1336 (e.g., the serving gateway of fig. 12) and the Network Address Translation (NAT) gateway 1338 (e.g., the NAT gateway 2438 of fig. 12) included in the control plane data layer 1328. Control plane VCN 1316 may include a serving gateway 1336 and a NAT gateway 1338.

The control plane VCN 1316 may include a data plane mirror application layer 1340 (e.g., data plane mirror application layer 1240 of fig. 12) that may include application subnet(s) 1326. The application subnet(s) 1326 included in the data plane mirror application layer 1340 can include Virtual Network Interface Controllers (VNICs) 1342 (e.g., VNICs of 1242) that can execute computing instance 1344 (e.g., similar to computing instance 1244 of fig. 12). The computing instance 1344 may facilitate communication between the application subnet(s) 1326 of the data plane mirror application layer 1340 and the application subnet(s) 1326 that may be included in the data plane application layer 1346 (e.g., the data plane application layer 1246 of fig. 12) via the VNIC 1342 included in the data plane mirror application layer 1340 and the VNIC 1342 included in the data plane application layer 1346.

The internet gateway 1334 included in the control plane VCN 1316 may be communicatively coupled to a metadata management service 1352 (e.g., the metadata management service 1252 of fig. 12), which metadata management service 1352 may be communicatively coupled to the public internet 1354 (e.g., the public internet 1254 of fig. 12). Public internet 1354 may be communicatively coupled to NAT gateway 1338 included in control plane VCN 1316. The service gateway 1336 included in the control plane VCN 1316 may be communicatively coupled to a cloud service 1356 (e.g., cloud service 1256 of fig. 12).

In some examples, the data plane VCN 1318 may be contained in a customer lease 1321. In this case, the IaaS provider may provide a control plane VCN 1316 for each customer, and the IaaS provider may set a unique computing instance 1344 contained in the service lease 1319 for each customer. Each computing instance 1344 may allow communication between a control plane VCN 1316 contained in service lease 1319 and a data plane VCN 1318 contained in customer lease 1321. The compute instance 1344 may allow resources provisioned in the control plane VCN 1316 contained in the service lease 1319 to be deployed or otherwise used in the data plane VCN 1318 contained in the customer lease 1321.

In other examples, a customer of the IaaS provider may have a database residing in customer lease 1321. In this example, the control plane VCN 1316 may include a data plane mirror application layer 1340, which may include application subnet(s) 1326. The data plane mirror application layer 1340 may reside in the data plane VCN 1318, but the data plane mirror application layer 1340 may not reside in the data plane VCN 1318. That is, the data plane mirror application layer 1340 may access the customer lease 1321, but the data plane mirror application layer 1340 may not exist in the data plane VCN 1318 or be owned or operated by the customer of the IaaS provider. The data plane mirror application layer 1340 may be configured to make calls to the data plane VCN 1318, but may not be configured to make calls to any entity contained in the control plane VCN 1316. The customer may desire to deploy or otherwise use resources provisioned in the control plane VCN 1316 in the data plane VCN 1318, and the data plane mirror application layer 1340 may facilitate the customer's desired deployment or other use of resources.

In some embodiments, a customer of the IaaS provider may apply a filter to the data plane VCN 1318. In this embodiment, the customer may determine what the data plane VCN 1318 may access, and the customer may restrict access to the public internet 1354 from the data plane VCN 1318. The IaaS provider may not be able to apply filters or otherwise control access of the data plane VCN 1318 to any external networks or databases. The application of filters and controls by customers to the data plane VCN 1318 contained in customer lease 1321 may help isolate the data plane VCN 1318 from other customers and public internet 1354.

In some embodiments, cloud services 1356 may be invoked by service gateway 1336 to access services that may not exist on public internet 1354, control plane VCN 1316, or data plane VCN 1318. The connection between the cloud service 1356 and the control plane VCN 1316 or the data plane VCN 1318 may not be real-time or continuous. Cloud services 1356 may reside on different networks owned or operated by the IaaS provider. The cloud service 1356 may be configured to receive calls from the service gateway 1336 and may be configured to not receive calls from the public internet 1354. Some cloud services 1356 may be isolated from other cloud services 1356, and control plane VCN 1316 may be isolated from cloud services 1356 that may not be in the same area as control plane VCN 1316. For example, the control plane VCN 1316 may be located in "zone 1" and the cloud service "deployment 12" may be located in both zone 1 and "zone 2". If a service gateway 1336 contained in the control plane VCN 1316 located in region 1 makes a call to deployment 12, the call may be transmitted to deployment 12 in region 1. In this example, the control plane VCN 1316 or deployment 12 in region 1 may not be communicatively coupled or otherwise in communication with deployment 12 in region 2.

Fig. 14 is a block diagram 1400 illustrating another example mode of the IaaS architecture in accordance with at least one embodiment. The service operator 1402 (e.g., the service operator 1202 of fig. 12) may be communicatively coupled to a secure host lease 1404 (e.g., the secure host lease 1204 of fig. 12), which secure host lease 1404 may include a Virtual Cloud Network (VCN) 1406 (e.g., the VCN 1206 of fig. 12) and a secure host subnet 1408 (e.g., the secure host subnet 1208 of fig. 12). VCN 1406 may include an LPG 1410 (e.g., LPG 1210 of fig. 12) that may be communicatively coupled to SSH VCN 1412 via LPG 1410 contained in SSH VCN 1412 (e.g., SSH VCN 1212 of fig. 12). The SSH VCN 1412 may include an SSH subnetwork 1414 (e.g., SSH subnetwork 1214 of fig. 12), and the SSH VCN 1412 may be communicatively coupled to the control plane VCN 1416 via an LPG 1410 contained in the control plane VCN 1416 (e.g., control plane VCN 1216 of fig. 12) and to the data plane VCN 1418 via an LPG 1410 contained in the data plane VCN 1418 (e.g., data plane 1218 of fig. 12). The control plane VCN 1416 and the data plane VCN 1418 may be included in a service lease 1419 (e.g., service lease 1219 of fig. 12).

The control plane VCN 1416 may include a control plane DMZ layer 1420 (e.g., control plane DMZ layer 1220 of fig. 12) that may include Load Balancer (LB) subnet(s) 1422 (e.g., LB subnet(s) 1222 of fig. 12), a control plane application layer 1424 (e.g., control plane application layer 1224 of fig. 12) that may include application subnet(s) 1426 (e.g., similar to application subnet(s) 1226 of fig. 12), and a control plane data layer 1428 (e.g., control plane data layer 1228 of fig. 12) that may include DB subnet(s) 1430. The LB subnet(s) 1422 included in the control plane DMZ layer 1420 may be communicatively coupled to the application subnet(s) 1426 included in the control plane application layer 1424 and the internet gateway 1434 (e.g., the internet gateway 1234 of fig. 12) that may be included in the control plane VCN 1416, and the application subnet(s) 1426 may be communicatively coupled to the DB subnet(s) 1430 and the service gateway 1436 (e.g., the service gateway of fig. 12) and the Network Address Translation (NAT) gateway 1438 (e.g., the NAT gateway 2438 of fig. 12) included in the control plane data layer 1428. The control plane VCN 1416 may include a service gateway 1436 and a NAT gateway 1438.

Data plane VCN 1418 may include a data plane application layer 1446 (e.g., data plane application layer 1246 of fig. 12), a data plane DMZ layer 1448 (e.g., data plane DMZ layer 1248 of fig. 12), and a data plane data layer 1450 (e.g., data plane data layer 1250 of fig. 12). The data plane DMZ layer 1448 may include trusted application subnet(s) 1460 and untrusted application subnet(s) 1462 that may be communicatively coupled to the data plane application layer 1446 and LB subnet(s) 1422 of the internet gateway 1434 contained in the data plane VCN 1418. Trusted application subnet(s) 1460 may be communicatively coupled to service gateway 1436 contained in data plane VCN 1418, NAT gateway 1438 contained in data plane VCN 1418, and DB subnet(s) 1430 contained in data plane data layer 1450. The untrusted application subnet(s) 1462 may be communicatively coupled to the service gateway 1436 contained in the data plane VCN 1418 and the DB subnet(s) 1430 contained in the data plane data layer 1450. Data plane data layer 1450 may include DB subnetwork(s) 1430 which may be communicatively coupled to service gateway 1436 included in data plane VCN 1418.

The untrusted application subnet(s) 1462 may include one or more primary VNICs 1464 (1) - (N) that may be communicatively coupled to tenant Virtual Machines (VMs) 1466 (1) - (N). Each tenant VM 1466 (1) - (N) may be communicatively coupled to a respective application subnet 1467 (1) - (N) that may be included in a respective container outlet VCN 1468 (1) - (N), which may be included in a respective customer lease 1470 (1) - (N). The respective auxiliary VNICs 1472 (1) - (N) may facilitate communications between the untrusted application subnet(s) 1462 contained in the data plane VCN 1418 and the application subnets contained in the container egress VCN 1468 (1) - (N). Each container egress VCN 1468 (1) - (N) may include a NAT gateway 1438, which NAT gateway 1438 may be communicatively coupled to the public internet 1454 (e.g., public internet 1254 of fig. 12).

An internet gateway 1434 included in the control plane VCN 1416 and included in the data plane VCN 1418 may be communicatively coupled to a metadata management service 1452 (e.g., the metadata management system 1252 of fig. 12), which metadata management service 1452 may be communicatively coupled to the public internet 1454. Public internet 1454 may be communicatively coupled to NAT gateway 1438 contained in control plane VCN 1416 and contained in data plane VCN 1418. The service gateway 1436 contained in the control plane VCN 1416 and contained in the data plane VCN 1418 may be communicatively coupled to the cloud service 1456.

In some embodiments, the data plane VCN 1418 may be integrated with a customer lease 1470. In some cases, such as where support may be desired while executing code, such integration may be useful or desirable to customers of the IaaS provider. The customer may provide code that may be destructive, may communicate with other customer resources, or may otherwise cause undesirable effects to operate. In response thereto, the IaaS provider may determine whether to run the code given to the IaaS provider by the customer.

In some examples, a customer of the IaaS provider may grant temporary network access to the IaaS provider and request functionality attached to the data plane layer application 1446. Code that runs this functionality may be executed in VM 1466 (1) - (N), and the code may not be configured to run anywhere else on data plane VCN 1418. Each VM 1466 (1) - (N) may be connected to a guest lease 1470. The respective containers 1471 (1) - (N) contained in VMs 1466 (1) - (N) may be configured to run code. In this case, there may be dual isolation (e.g., containers 1471 (1) - (N) running code, where containers 1471 (1) - (N) may be at least contained in VMs 1466 (1) - (N) contained in untrusted application subnet(s) 1462), which may help prevent incorrect or otherwise undesirable code from damaging the IaaS provider's network or damaging the network of a different customer. Containers 1471 (1) - (N) may be communicatively coupled to customer lease 1470 and may be configured to transmit or receive data from customer lease 1470. Containers 1471 (1) - (N) may not be configured to transmit or receive data from any other entity in data plane VCN 1418. After the run code is complete, the IaaS provider may terminate or otherwise dispose of containers 1471 (1) - (N).

In some embodiments, trusted application subnet(s) 1460 may run code that may be owned or operated by the IaaS provider. In this embodiment, trusted application subnet(s) 1460 may be communicatively coupled to DB subnet(s) 1430 and configured to perform CRUD operations in DB subnet(s) 1430. The untrusted application subnet(s) 1462 may be communicatively coupled to the DB subnet(s) 1430, but in this embodiment the untrusted application subnet(s) may be configured to perform read operations in the DB subnet(s) 1430. Containers 1471 (1) - (N), which may be contained in VMs 1466 (1) - (N) of each guest and may run code from the guest, may not be communicatively coupled with DB subnetwork(s) 1430.

In other embodiments, control plane VCN 1416 and data plane VCN 1418 may not be directly communicatively coupled. In this embodiment, there may be no direct communication between the control plane VCN 1416 and the data plane VCN 1418. Communication may occur indirectly through at least one method. LPG 1410 can be established by IaaS providers, which can facilitate communication between control plane VCN 1416 and data plane VCN 1418. In another example, the control plane VCN 1416 or the data plane VCN 1418 may invoke the cloud service 1456 via the service gateway 1436. For example, a call from the control plane VCN 1416 to the cloud service 1456 may include a request for a service that may communicate with the data plane VCN 1418.

Fig. 15 is a block diagram 1500 illustrating another example mode of an IaaS architecture in accordance with at least one embodiment. Service operator 1502 (e.g., service operator 1202 of fig. 12) may be communicatively coupled to secure host lease 1504 (e.g., secure host lease 1204 of fig. 12), which secure host lease 1504 may include Virtual Cloud Network (VCN) 1506 (e.g., VCN 1206 of fig. 12) and secure host subnet 1508 (e.g., secure host subnet 1208 of fig. 12). The VCN 1506 may include an LPG 1510 (e.g., the LPG 1210 of fig. 12), and the LPG 1510 may be communicatively coupled to the SSH VCN 1512 via the LPG 1510 contained in the SSH VCN 1512 (e.g., the SSH VCN 1212 of fig. 12). The SSH VCN 1512 may include an SSH subnetwork 1514 (e.g., SSH subnetwork 1214 of fig. 12), and the SSH VCN 1512 may be communicatively coupled to the control plane VCN 1516 via an LPG 1510 contained in the control plane VCN 1516 (e.g., control plane VCN 1216 of fig. 12) and to the data plane VCN 1518 via an LPG 1510 contained in the data plane VCN 1518 (e.g., data plane 1218 of fig. 12). Control plane VCN 1516 and data plane VCN 1518 may be included in service tenancy 1519 (e.g., service tenancy 1219 of fig. 12).

Control plane VCN 1516 may include control plane DMZ layer 1520 (e.g., control plane DMZ layer 1220 of fig. 12) which may include LB subnet(s) 1522 (e.g., LB subnet(s) 1222 of fig. 12), control plane application layer 1524 (e.g., control plane application layer 1224 of fig. 12) which may include application subnet(s) 1526 (e.g., application subnet(s) 1226 of fig. 12), control plane data layer 1528 (e.g., control plane data layer 1228 of fig. 12) which may include DB subnet(s) 1530 (e.g., DB subnet(s) 1430 of fig. 14). The LB subnet(s) 1522 contained in the control plane DMZ layer 1520 may be communicatively coupled to the application subnet(s) 1526 contained in the control plane application layer 1512 and the internet gateway 1534 (e.g., the internet gateway 1234 of fig. 12) that may be contained in the control plane VCN 1516, and the application subnet(s) 1526 may be communicatively coupled to the DB subnet(s) 1530 and the service gateway 1536 (e.g., the service gateway of fig. 12) and the Network Address Translation (NAT) gateway 1538 (e.g., the NAT gateway 1238 of fig. 12) contained in the control plane data layer 1528. Control plane VCN 1516 may include a serving gateway 1536 and a NAT gateway 1538.

Data plane VCN 1518 may include data plane application layer 1546 (e.g., data plane application layer 1246 of fig. 12), data plane DMZ layer 1548 (e.g., data plane DMZ layer 1248 of fig. 12), and data plane data layer 1550 (e.g., data plane data layer 1250 of fig. 12). Data plane DMZ layer 1548 may include trusted application subnet(s) 1560 (e.g., trusted application subnet(s) 1460 of fig. 14) and untrusted application subnet(s) 1562 (e.g., untrusted application subnet(s) 1462 of fig. 14) and LB subnet 1522 of internet gateway 1534 contained in data plane VCN 1518, which may be communicatively coupled to data plane application layer 1546. Trusted application subnet(s) 1560 may be communicatively coupled to service gateway 1536 contained in data plane VCN 1518, NAT gateway 1538 contained in data plane VCN 1518, and DB subnet(s) 1530 contained in data plane data layer 1550. Untrusted application subnet(s) 1562 may be communicatively coupled to service gateway 1536 included in data plane VCN 1518 and DB subnet(s) 1530 included in data plane data layer 1550. Data plane data layer 1550 may include DB subnetwork(s) 1530 that may be communicatively coupled to service gateway 1536 included in data plane VCN 1518.

The untrusted application subnet(s) 1562 may include a master VNIC 1564 (1) - (N) that may be communicatively coupled to a tenant Virtual Machine (VM) 1566 (1) - (N) residing within the untrusted application subnet(s) 1562. Each tenant VM 1566 (1) - (N) may run code in a respective container 1567 (1) - (N) and be communicatively coupled to an application subnet 1526 that may be contained in a data plane application layer 1546 contained in a container outlet VCN 1568. The respective auxiliary VNICs 1572 (1) - (N) may facilitate communications between untrusted application subnet(s) 1562 contained in data plane VCN 1518 and application subnets contained in container egress VCN 1568. The container egress VCN may include a NAT gateway 1538 that may be communicatively coupled to a public internet 1554 (e.g., public internet 1254 of fig. 12).

An internet gateway 1534 included in control plane VCN 1516 and in data plane VCN 1518 may be communicatively coupled to a metadata management service 1552 (e.g., metadata management system 1252 of fig. 12), which metadata management service 1552 may be communicatively coupled to the public internet 1554. Public internet 1554 may be communicatively coupled to NAT gateway 1538 contained in control plane VCN 1516 and contained in data plane VCN 1518. Service gateway 1536, which is contained in control plane VCN 1516 and in data plane VCN 1518, may be communicatively coupled to cloud service 1556.

In some examples, the pattern shown by the architecture of block 1500 of fig. 15 may be considered an exception to the pattern shown by the architecture of block 1400 of fig. 14, and if the IaaS provider cannot directly communicate with the customer (e.g., disconnected areas), such a pattern may be desirable to the customer of the IaaS provider. The guests may access respective containers 1567 (1) - (N) contained in each guest's VM 1566 (1) - (N) in real-time. Containers 1567 (1) - (N) may be configured to invoke respective auxiliary VNICs 1572 (1) - (N) contained in application subnet(s) 1526 of data plane application layer 1546, which data plane application layer 1546 may be contained in container egress VCN 1568. The auxiliary VNICs 1572 (1) - (N) may transmit calls to the NAT gateway 1538, which NAT gateway 1538 may transmit to the public internet 1554. In this example, containers 1567 (1) - (N), which may be accessed by clients in real-time, may be isolated from control plane VCN 1516 and may be isolated from other entities contained in data plane VCN 1518. Containers 1567 (1) - (N) may also be isolated from resources from other clients.

In other examples, a customer may use containers 1567 (1) - (N) to invoke cloud service 1556. In this example, a customer may run code in containers 1567 (1) - (N) that requests services from cloud service 1556. Containers 1567 (1) - (N) may transmit the request to auxiliary VNICs 1572 (1) - (N), and auxiliary VNICs 1572 (1) - (N) may transmit the request to a NAT gateway, which may transmit the request to public internet 1554. The public internet 1554 may transmit the request via the internet gateway 1534 to the LB subnet(s) 1522 contained in the control plane VCN 1516. In response to determining that the request is valid, the LB subnet(s) may transmit the request to the application subnet(s) 1526, which application subnet(s) 1526 may transmit the request to cloud service 1556 via service gateway 1536.

It should be appreciated that the IaaS architecture 1200, 1300, 1400, 1500 depicted in the figures may have other components than those depicted. Additionally, the embodiments shown in the figures are merely some examples of cloud infrastructure systems that may incorporate embodiments of the present disclosure. In some other embodiments, the IaaS system may have more or fewer components than shown in the figures, may combine two or more components, or may have a different configuration or arrangement of components.

In certain embodiments, the IaaS system described herein may include application suites, middleware, and database service products that are delivered to customers in a self-service, subscription-based, elastically extensible, reliable, highly available, and secure manner. An example of such an IaaS system is the Oracle Cloud Infrastructure (OCI) offered by the present assignee.

FIG. 16 illustrates an example computer system 1600 in which various embodiments may be implemented. System 1600 may be used to implement any of the computer systems described above. As shown, computer system 1600 includes a processing unit 1604 that communicates with multiple peripheral subsystems via bus subsystem 1602. These peripheral subsystems may include a processing acceleration unit 1606, an I/O subsystem 1608, a storage subsystem 1618, and a communication subsystem 1624. Storage subsystem 1618 includes tangible computer-readable storage media 1622 and system memory 1610.

Bus subsystem 1602 provides a mechanism for letting the various components and subsystems of computer system 1600 communicate with each other as intended. Although bus subsystem 1602 is shown schematically as a single bus, alternative embodiments of the bus subsystem may utilize multiple buses. Bus subsystem 1602 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. Such architectures can include Industry Standard Architecture (ISA) bus, micro Channel Architecture (MCA) bus, enhanced ISA (EISA) bus, video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus, which can be implemented as Mezzanine bus manufactured by the IEEE P1386.1 standard, for example.

The processing unit 1604, which may be implemented as one or more integrated circuits (e.g., a conventional microprocessor or microcontroller), controls the operation of the computer system 1600. One or more processors may be included in the processing unit 1604. These processors may include single-core or multi-core processors. In some embodiments, processing unit 1604 may be implemented as one or more separate processing units 1632 and/or 1634, where a single-core or multi-core processor is included in each processing unit. In other embodiments, processing unit 1604 may also be implemented as a four-core processing unit formed by integrating two dual-core processors into a single chip.

In various embodiments, processing unit 1604 may execute various programs in response to program code and may maintain multiple concurrently executing programs or processes. At any given time, some or all of the program code to be executed may reside in the processor(s) 1604 and/or in the storage subsystem 1618. The processor(s) 1604 may provide the various functions described above by suitable programming. The computer system 1600 may additionally include a processing acceleration unit 1606, which may include a Digital Signal Processor (DSP), a special-purpose processor, and so forth.

The I/O subsystem 1608 may include a user interface input device and a user interface output device. The user interface input devices may include a keyboard, a pointing device such as a mouse or trackball, a touch pad or touch screen incorporated into a display, a scroll wheel, a click wheel, dials, buttons, switches, a keyboard, an audio input device with a voice command recognition system, a microphone, and other types of input devices. The user interface input device may include, for example, a motion sensing and/or gesture recognition device, such as Microsoft WindowsMotion sensors that enable users to control, for example, microsoft, through a natural user interface using gestures and voice commands360 To the input device of the game controller and interact therewith. The user interface input device may also include an eye gesture recognition device, such as detecting eye activity from a user (e.g., "blinking" when taking a photograph and/or making a menu selection) and converting the eye gesture to an input device (e.g., google) Google of input in (a)A blink detector. In addition, the user interface input device may include a device that enables a user to communicate with the voice recognition system via voice commands (e.g.,Navigator) interactive voice recognition sensing device.

User interface input devices may also include, but are not limited to, three-dimensional (3D) mice, joysticks or sticks, game pads and drawing tablets, as well as audio/video devices such as speakers, digital cameras, digital video cameras, portable media players, webcams, image scanners, fingerprint scanners, bar code reader 3D scanners, 3D printers, laser rangefinders and gaze tracking devices. Further, the user interface input device may include, for example, a medical imaging input device such as a computed tomography, magnetic resonance imaging, positron emission tomography, medical ultrasound device. The user interface input device may also include, for example, an audio input device such as a MIDI keyboard, digital musical instrument, or the like.

The user interface output device may include a display subsystem, an indicator light, or a non-visual display such as an audio output device, or the like. The display subsystem may be a Cathode Ray Tube (CRT), a flat panel device such as one using a Liquid Crystal Display (LCD) or a plasma display, a projection device, a touch screen, or the like. In general, use of the term "output device" is intended to include all possible types of devices and mechanisms for outputting information from computer system 1600 to a user or other computer. For example, user interface output devices may include, but are not limited to, various display devices that visually convey text, graphics, and audio/video information, such as monitors, printers, speakers, headphones, car navigation systems, plotters, voice output devices, and modems.

Computer system 1600 may include a storage subsystem 1618, including software elements, shown as being currently located in system memory 1610. The system memory 1610 may store program instructions that are loadable and executable on the processing unit 1604 as well as data generated during the execution of these programs.

Depending on the configuration and type of computer system 1600, system memory 1610 may be volatile (such as Random Access Memory (RAM)) and/or nonvolatile (such as Read Only Memory (ROM), flash memory, etc.). RAM typically contains data and/or program modules that are immediately accessible to and/or presently being operated on and executed by processing unit 1604. In some implementations, system memory 1610 may include a variety of different types of memory, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). In some implementations, a basic input/output system (BIOS), such as the basic routines that help to transfer information between elements within computer system 1600, during start-up, may be stored in ROM. By way of example, and not limitation, system memory 1610 also illustrates application programs 1612 that may include a client application, a web browser, a middle tier application, a relational database management system (RDBMS), and the like, program data 1614, and an operating system 1616. By way of example, operating system 1616 may include various versions of Microsoft WindowsAppleAnd/or Linux operating system, various commercially availableOr UNIX-like operating systems (including but not limited to various GNU/Linux operating systems, googleOS, etc.) and/or such as iOS,Phone、OS、16OSMobile operating system of OS operating system.

Storage subsystem 1618 may also provide a tangible computer-readable storage medium for storing basic programming and data structures that provide the functionality of some embodiments. Software (programs, code modules, instructions) that when executed by a processor provide the functionality described above may be stored in storage subsystem 1618. These software modules or instructions may be executed by processing unit 1604. Storage subsystem 1618 may also provide a repository for storing data used in accordance with the present disclosure.

Storage subsystem 1600 may also include a computer-readable storage media reader 1620 that may be further connected to a computer-readable storage media 1622. In conjunction with and optionally in conjunction with system memory 1610, computer-readable storage medium 1622 may comprehensively represent remote, local, fixed, and/or removable storage devices plus storage media for temporarily and/or more permanently containing, storing, transmitting, and retrieving computer-readable information.

Computer-readable storage media 1622 containing code or portions of code may also include any suitable media known or used in the art including storage media and communication media such as, but not limited to, volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage and/or transmission of information. This may include tangible computer-readable storage media such as RAM, ROM, electrically Erasable Programmable ROM (EEPROM), flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or other tangible computer-readable media. This may also include non-tangible computer-readable media, such as data signals, data transmissions, or any other medium that can be used to transmit desired information and that can be accessed by computing system 1600.

For example, computer-readable storage media 1622 may include a hard disk drive that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive that reads from or writes to a removable, nonvolatile magnetic disk, and a removable, nonvolatile optical disk (such as a CD ROM, DVD, and a CD-ROM diskA disk or other optical medium) to which a data signal is read or written. Computer-readable storage media 1622 can include, but is not limited to,Drives, flash memory cards, universal Serial Bus (USB) flash drives, secure Digital (SD) cards, DVD discs, digital audio tape, and the like. The computer-readable storage medium 1622 may also include a non-volatile memory based Solid State Drive (SSD) (such as flash memory based SSD, enterprise flash drive, solid state ROM, etc.), a volatile memory based SSD (such as solid state RAM, dynamic RAM, static RAM), a DRAM based SSD, a Magnetoresistive RAM (MRAM) SSD, and a hybrid SSD that uses a combination of DRAM and flash memory based SSDs. The disk drives and their associated computer-readable media may provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for computer system 1600.

Communication subsystem 1624 provides an interface to other computer systems and networks. Communication subsystem 1624 serves as an interface for receiving data from and transmitting data to computer system 1600. For example, communication subsystem 1624 may enable computer system 1600 to connect to one or more devices via the internet. In some embodiments, communication subsystem 1624 may include Radio Frequency (RF) transceiver components for accessing wireless voice and/or data networks (e.g., advanced data network technology using cellular telephone technology, such as 3G, 4G, or EDGE (enhanced data rates for global evolution), wi-Fi (IEEE 802.11 family standards), or other mobile communication technologies, or any combination thereof), global Positioning System (GPS) receiver components, and/or other components. In some embodiments, communication subsystem 1624 may provide a wired network connection (e.g., ethernet) in addition to or in lieu of a wireless interface.

In some embodiments, communication subsystem 1624 may also receive input communications in the form of structured and/or unstructured data feeds 1626, event streams 1628, event updates 1630, and the like, on behalf of one or more users who may use computer system 1600.

For example, the communication subsystem 1624 may be configured to receive data feeds 1626, such as in real-time, from users of social networks and/or other communication servicesFeeding(s),Updates, web feeds such as Rich Site Summary (RSS) feeds, and/or real-time updates from one or more third-party information sources.

In addition, communication subsystem 1624 may also be configured to receive data in the form of a continuous data stream, which may include event stream 1628 and/or event update 1630, which may be continuous or unbounded in nature, without explicitly terminated real-time events. Examples of applications that generate continuous data may include, for example, sensor data applications, financial quoters, network performance measurement tools (e.g., network monitoring and traffic management applications), click stream analysis tools, automobile traffic monitoring, and so forth.

The communication subsystem 1624 may also be configured to output structured and/or unstructured data feeds 1626, event streams 1628, event updates 1630, and the like, to one or more databases, which may be in communication with one or more streaming data source computers coupled to the computer system 1600.

Computer system 1600 can be one of various types, including hand-held portable devices (e.g.,Cellular telephone,A computing tablet, PDA), a wearable device (e.g.,Glass head mounted display), a PC, a workstation, a mainframe, a kiosk, a server rack, or any other data processing system.

Due to the ever-changing nature of computers and networks, the description of computer system 1600 depicted in the drawings is intended only as a specific example. Many other configurations are possible with more or fewer components than the system depicted in the figures. For example, custom hardware may also be used and/or particular elements may be implemented in hardware, firmware, software (including applets), or combinations thereof. In addition, connections to other computing devices, such as network input/output devices, may also be employed. Based on the disclosure and teachings provided herein, one of ordinary skill in the art will recognize other ways and/or methods to implement various embodiments.

While particular embodiments have been described, various modifications, alterations, alternative constructions, and equivalents are also included within the scope of the disclosure. Embodiments are not limited to operation within certain specific data processing environments, but may be free to operate within multiple data processing environments. Furthermore, while embodiments have been described using a particular series of transactions and steps, it should be apparent to those skilled in the art that the scope of the present disclosure is not limited to the described series of transactions and steps. The various features and aspects of the embodiments described above may be used alone or in combination.

In addition, while embodiments have been described using a particular combination of hardware and software, it should be recognized that other combinations of hardware and software are also within the scope of the present disclosure. Embodiments may be implemented in hardware alone, or in software alone, or in a combination thereof. The various processes described herein may be implemented in any combination on the same processor or on different processors. Thus, where a component or module is described as being configured to perform certain operations, such configuration may be accomplished by, for example, designing the electronic circuitry to perform the operations, performing the operations by programming programmable electronic circuitry (such as a microprocessor), or any combination thereof. The processes may communicate using a variety of techniques, including but not limited to conventional techniques for inter-process communication, and different pairs of processes may use different techniques, or the same pair of processes may use different techniques at different times.

The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will be evident that various additions, subtractions, deletions and other modifications and changes may be made thereunto without departing from the broader spirit and scope as set forth in the claims. Thus, while specific disclosed embodiments have been described, these are not intended to be limiting. Various modifications and equivalents are intended to be within the scope of the following claims.

The use of the terms "a" and "an" and "the" and similar referents in the context of describing the disclosed embodiments (especially in the context of the following claims) are to be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. Unless otherwise indicated, the terms "comprising," "having," "including," and "containing" are to be construed as open-ended terms (i.e., meaning "including, but not limited to"). The term "connected" should be interpreted as including in part or in whole, attached to, or connected together, even though something is intermediate. Recitation of ranges of values herein are merely intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein, and each separate value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g., "such as") provided herein, is intended merely to better illuminate the embodiments and does not pose a limitation on the scope of the disclosure unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the disclosure.

Disjunctive language, such as the phrase "at least one of X, Y or Z," unless explicitly stated otherwise, is intended to be understood within the context of what is commonly used to mean that an item, term, etc., may be X, Y or Z, or any combination thereof (e.g., X, Y and/or Z). Thus, such disjunctive language is generally not intended nor should it suggest that certain embodiments require at least one of X, at least one of Y, or at least one of Z to each be present.

Preferred embodiments of this disclosure are described herein, including the best mode known for carrying out the disclosure. Variations of those preferred embodiments may become apparent to those of ordinary skill in the art upon reading the foregoing description. One of ordinary skill in the art should be able to employ such variations as appropriate and may practice the disclosure in a manner other than that specifically described herein. Accordingly, this disclosure includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, unless otherwise indicated herein, the present disclosure includes any combination of the above elements in all possible variations thereof.

All references, including publications, patent applications, and patents, cited herein are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety herein. In the foregoing specification, aspects of the present disclosure have been described with reference to specific embodiments thereof, but those skilled in the art will recognize that the present disclosure is not limited thereto. The various features and aspects of the disclosure described above may be used alone or in combination. Moreover, embodiments may be utilized in any number of environments and applications other than those described herein without departing from the broader spirit and scope of the specification. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

Claims (20)

1. A method comprising: providing, in a first cloud infrastructure, an adapter associated with a service provided by the first cloud infrastructure, the adapter enabling one or more users associated with one or more accounts in a second cloud infrastructure to request the service, wherein the second cloud infrastructure is different from the first cloud infrastructure; receiving, by the adapter, a first request from a first user associated with a first account in a second cloud infrastructure to create a resource in the first cloud infrastructure; and A workflow is executed by the adapter to provision the resource using the service, wherein the workflow includes a process comprising: retrieving a resource principal associated with the resource; and A second request is transmitted to a service provided by the first cloud infrastructure, the second request requesting creation of the resource, wherein the second request includes the resource subject. 2. The method of claim 1, further comprising: obtaining identification information of a lease associated with the first user; and The identification information of the lease is sent in a second request, wherein the service creates the resource in the lease associated with the first user. 3. The method of claim 1, further comprising: A data object is created in a key-value store associated with the adapter, the data object being configured to store mapping information of a first identifier of a first account of a first user in the second cloud infrastructure to a resource identifier of the resource. 4 . The method of claim 3 , wherein the workflow is further configured to update the data object with a resource identifier of the resource in response to the service provisioning the resource. 5. The method of claim 1, wherein the workflow is further configured to: Provisioning auxiliary resources associated with the first request, the auxiliary resources comprising at least: (i) creating a network link that peers a lease of a first user in a first cloud infrastructure with a first account of the first user in a second cloud infrastructure, and (ii) provisioning observability resources that enable metric information of resources created in the first cloud infrastructure to be transmitted to the first account of the first user in the second cloud infrastructure. 6. The method of claim 1, wherein the first request comprises at least a resource group name and a subscription identifier of the first user for the second cloud infrastructure, the first request serving as a first identifier of the first user in the second cloud infrastructure. 7. The method of claim 3, further comprising: receiving, by the adapter, a third request requesting information related to resources created in the first cloud infrastructure; extracting a resource identifier of the resource from a data object stored in the key-value store based on the third request; and Information related to the resource is retrieved from the service based on the resource identifier. 8. The method of claim 7, wherein the information related to the resource comprises: The location of the resource, The size of the resource, the state of the resource, the version of the resource, and The processor count associated with the resource. 9 . The method of claim 1 , wherein the adapter receives a first request from a first user of the second cloud infrastructure via a multi-cloud console, wherein the multi-cloud console generates the first request. 10. The method of claim 1, wherein the first cloud infrastructure is different from the second cloud infrastructure, and the resource is a database. 11. The method of claim 10, wherein the database is one of: an Exa database, a shared autonomous database, a dedicated autonomous database, or a virtual machine database. 12. One or more computer-readable non-transitory media storing computer-executable instructions that, when executed by one or more processors, cause: providing, in a first cloud infrastructure, an adapter associated with a service provided by the first cloud infrastructure, the adapter enabling one or more users associated with one or more accounts in a second cloud infrastructure to request the service, wherein the second cloud infrastructure is different from the first cloud infrastructure; receiving, by the adapter, a first request from a first user associated with a first account in a second cloud infrastructure to create a resource in the first cloud infrastructure; and A workflow is executed by the adapter to provision the resource using the service, wherein the workflow includes a process comprising: retrieving a resource principal associated with the resource; and A second request is transmitted to a service provided by the first cloud infrastructure, the second request requesting creation of the resource, wherein the second request includes the resource subject. 13. The one or more computer-readable non-transitory media storing computer-executable instructions of claim 12, further comprising instructions that when executed by one or more processors cause the following operations to be performed: obtaining identification information of a lease associated with the first user; and The identification information of the lease is sent in a second request, wherein the service creates the resource in the lease associated with the first user. 14. The one or more computer-readable non-transitory media storing computer-executable instructions of claim 12, further comprising instructions that when executed by one or more processors cause the following operations to be performed: A data object is created in a key-value store associated with the adapter, the data object being configured to store mapping information of a first identifier of a first account of a first user in the second cloud infrastructure to a resource identifier of the resource. 15. The one or more computer-readable non-transitory media storing computer-executable instructions of claim 14, wherein the workflow is further configured to update the data object with a resource identifier of the resource in response to the service provisioning the resource. 16. The one or more computer-readable non-transitory media storing computer-executable instructions of claim 12, wherein the workflow is further configured to: Provisioning auxiliary resources associated with the first request, the auxiliary resources comprising at least: (i) creating a network link that peers a lease of a first user in a first cloud infrastructure with a first account of the first user in a second cloud infrastructure, and (ii) provisioning observability resources that enable metric information of resources created in the first cloud infrastructure to be transmitted to the first account of the first user in the second cloud infrastructure. 17. One or more computer-readable non-transitory media storing computer-executable instructions as described in claim 12, wherein the first request includes at least a resource group name and a subscription identifier of the first user for the second cloud infrastructure, and the first request serves as a first identifier of the first user in the second cloud infrastructure. 18. The one or more computer-readable non-transitory media storing computer-executable instructions of claim 14, further comprising instructions that when executed by one or more processors cause the following operations to be performed: receiving, by the adapter, a third request requesting information related to resources created in the first cloud infrastructure; extracting a resource identifier of the resource from a data object stored in the key-value store; and Information related to the resource is retrieved from the service based on the resource identifier. 19. The one or more computer-readable non-transitory media storing computer-executable instructions of claim 12, wherein the adapter receives a first request from a first user of the second cloud infrastructure via a multi-cloud console, wherein the multi-cloud console generates the first request. 20. A computing device comprising: one or more processors; and a memory including instructions that, when executed by the one or more processors, cause the computing device to at least: providing, in a first cloud infrastructure, an adapter associated with a service provided by the first cloud infrastructure, the adapter enabling one or more users associated with one or more accounts in a second cloud infrastructure to request the service, wherein the second cloud infrastructure is different from the first cloud infrastructure; receiving, by the adapter, a first request from a first user associated with a first account in a second cloud infrastructure to create a resource in the first cloud infrastructure; and A workflow is executed by the adapter to provision the resource using the service, wherein the workflow includes a process comprising: retrieving a resource principal associated with the resource; and A second request is transmitted to a service provided by the first cloud infrastructure, the second request requesting creation of the resource, wherein the second request includes the resource subject.