Patents by Inventor Dharshan Rangegowda

Dharshan Rangegowda has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9912654
    Abstract: Architecture that provides Internet Protocol security (IPsec) certificate exchange based on certificate attributes. An IPsec endpoint can validate the security context of another IPsec endpoint certificate by referencing certificate attributes. By facilitating IPsec certificate exchange using certificate attributes rather than solely certificate roots, it is now possible to build multiple isolated network zones using a single certificate authority rather than requiring one certificate authority per zone. Moreover, the ability to use certificate attributes during the IPsec certificate exchange can be leveraged for more focused communications such as QoS (quality of service). Certificate attributes can be utilized to identify the security context of the endpoint. The IPsec certificate use can be locked down to a single IP or group of IPs.
    Type: Grant
    Filed: November 12, 2009
    Date of Patent: March 6, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Anatoliy Panasyuk, Dharshan Rangegowda, Abhishek Shukla
  • Patent number: 9582652
    Abstract: Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.
    Type: Grant
    Filed: March 10, 2014
    Date of Patent: February 28, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hasan Alkhatib, Geoffrey Outhred, Deepak Bansal, Anatoliy Panasyuk, Dharshan Rangegowda
  • Patent number: 9531674
    Abstract: Architecture that creates and applies a virtual firewall profile for each network to which a multi-homed device is connected. In one implementation, the virtual profiles can be based on address ranges of the networks. This ensures seamless concurrent connectivity of the multi-homed device to multiple networks.
    Type: Grant
    Filed: November 11, 2009
    Date of Patent: December 27, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dharshan Rangegowda, Jeffrey R. Goldian
  • Patent number: 9379946
    Abstract: Architecture that facilitates the virtual specification of a connection between physical endpoints. A network can be defined as an abstract connectivity model expressed in terms of the connectivity intent, rather than any specific technology. The connectivity model is translated into configuration settings, policies, firewall rules, etc., to implement the connectivity intent based on available physical networks and device capabilities. The connectivity model defines the connectivity semantics of the network and controls the communication between the physical nodes in the physical network. The resultant virtual network may be a virtual overlay that is independent of the physical layer. Alternatively, the virtual overlay can also include elements and abstracts of the physical network(s). Moreover, automatic network security rules (e.g., Internet Protocol security-IPSec) can be derived from the connectivity model of the network.
    Type: Grant
    Filed: November 12, 2009
    Date of Patent: June 28, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Anatoliy Panasyuk, Dharshan Rangegowda, Ram Viswanathan, Anthony S. Chavez, Jiazhen Chen, Morgan Brown, Hasan S. Alkhatib, Geoffrey H. Outhred
  • Patent number: 8977867
    Abstract: A virtual machine comprises a unique identifier that is associated with one or more encryption keys. A management server encrypts the virtual machine's virtual hard disk(s) using the one or more associated encryption keys. The management server further provides the one or more encryption keys to a limited number of one or more servers in a system. Only those one or more servers that have been provided the one or more encryption keys can be used to load, access, and/or operate the virtual machine. The management server can thus differentiate which virtual machines can be operated on which servers by differentiating which servers can receive which encryption keys. In one implementation, a management server encrypts all virtual machines in the system, but encrypts virtual machines with sensitive data with a limited set of encryption keys, and further provides those encryption keys to a limited set of trusted servers.
    Type: Grant
    Filed: January 29, 2013
    Date of Patent: March 10, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dharshan Rangegowda, Robert M. Fries
  • Patent number: 8869146
    Abstract: In embodiments of virtual machine migration, a virtual machine migration system includes a storage array that maintains data. A first host computer includes at least one virtual machine with a virtual drive that is mapped to a logical unit number (LUN) of the storage array, and the LUN corresponds to a LUN mask that associates the LUN with the first host computer. A virtual manager is executable on the first host computer, and is implemented to unmask the LUN to migrate the virtual machine from the first host computer to a second host computer that is configurable as a host of the virtual machine. The virtual manager can log the first host computer out of the LUN and the second host computer can log into the LUN to access the data in the storage array.
    Type: Grant
    Filed: June 27, 2013
    Date of Patent: October 21, 2014
    Assignee: Microsoft Corporation
    Inventors: Dharshan Rangegowda, Robert M. Fries
  • Patent number: 8819801
    Abstract: In a multi-tenant environment, machines across the Internet belonging to a particular subscription are securely enrolled with the tenant's subscription. Authentication of the machines is delegated to each of the tenant's own on-premise authentication mechanism. The trust relationship with the tenant's authentication service is used to validate the security token presented by the machine being authenticated. Once authenticated, the machine has authorization (e.g., SSL machine cert for identity, security token, etc.) to access the subscription. Each tenant within the multi-tenant environment can provide its own level of authentication. The machine presents the security token to the multi-tenant environment for requests for resources (e.g., services/content) from a user. When a request is received from a machine to access a resource, the multi-tenant environment determines from the issued token whether or not the machine is authorized to access the requested resources.
    Type: Grant
    Filed: October 31, 2011
    Date of Patent: August 26, 2014
    Assignee: Microsoft Corporation
    Inventors: Murali Krishna Sangubhatla, Dharshan Rangegowda, Morgan Asher Brown, Jiazhen Chen, Anthony S. Chavez
  • Publication number: 20140196121
    Abstract: Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.
    Type: Application
    Filed: March 10, 2014
    Publication date: July 10, 2014
    Applicant: MICROSOFT CORPORATION
    Inventors: HASAN ALKHATIB, GEOFFREY OUTHRED, DEEPAK BANSAL, ANATOLIY PANASYUK, DHARSHAN RANGEGOWDA
  • Patent number: 8688994
    Abstract: Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: April 1, 2014
    Assignee: Microsoft Corporation
    Inventors: Hasan Alkhatib, Geoffrey Outhred, Deepak Bansal, Anatoliy Panasyuk, Dharshan Rangegowda, Anthony Chavez
  • Patent number: 8650326
    Abstract: Architecture that facilitates communications between two network nodes of different networks by providing a routing mechanism that uses alternative modalities driven entirely by policies that are authored and stored in a computing cloud and enforced on the client. This allows the selection of one network path over another path based on criteria such as physical location of the hosts and service level agreements (SLAs) to be provided, for example. With respect to path selection, a packet can be routed through a datacenter closest to the hosts. With respect to SLAs, there may be different SLAs available to different clients. For clients with the highest bandwidth/uptime or other guarantees, a network path different from other types of clients can be selected. Additionally, connectivity can be allowed or disallowed based on other kinds of policy rules such as a virtual circle to which the hosts may belong.
    Type: Grant
    Filed: November 11, 2009
    Date of Patent: February 11, 2014
    Assignee: Microsoft Corporation
    Inventors: Dharshan Rangegowda, Prashant J. Dongale, Sufian A. Dar, Ram Viswanathan
  • Patent number: 8606760
    Abstract: A computer-implemented system configured to describe the relationship between a first Namespace and a second Namespace is provided. The system includes a containment relationship identifying a direct relationship between a first object of the first Namespace and a second object of the first Namespace. Moreover, the system includes a junction relationship linking the second object of the first Namespace to a first object of the second Namespace. In one embodiment, the system is configured to facilitate the recovery of information based on the descriptions of the Namespaces that is maintained.
    Type: Grant
    Filed: December 9, 2011
    Date of Patent: December 10, 2013
    Assignee: Microsoft Corporation
    Inventors: Brian M. Wahlert, Mike Jazayeri, Catharine van Ingen, Brian T. Berkowitz, Nikhil Vijay Chandhok, Dharshan Rangegowda, Vinay Badami, Yezdi Z. Lashkari, Robert M. Fries, Seetharaman Harikrishnan
  • Publication number: 20130298122
    Abstract: In embodiments of virtual machine migration, a virtual machine migration system includes a storage array that maintains data. A first host computer includes at least one virtual machine with a virtual drive that is mapped to a logical unit number (LUN) of the storage array, and the LUN corresponds to a LUN mask that associates the LUN with the first host computer. A virtual manager is executable on the first host computer, and is implemented to unmask the LUN to migrate the virtual machine from the first host computer to a second host computer that is configurable as a host of the virtual machine. The virtual manager can log the first host computer out of the LUN and the second host computer can log into the LUN to access the data in the storage array.
    Type: Application
    Filed: June 27, 2013
    Publication date: November 7, 2013
    Inventors: Dharshan Rangegowda, Robert M. Fries
  • Patent number: 8479194
    Abstract: Virtual machine migration is described. In embodiment(s), a virtual machine can be migrated from one host computer to another utilizing LUN (logic unit number) masking. A virtual drive of the virtual machine can be mapped to a LUN of a storage array. A LUN mask associates the LUN with a host computer. The LUN mask can be changed to unmask the LUN to a second computer to migrate the virtual machine from the host computer to the second computer.
    Type: Grant
    Filed: April 25, 2007
    Date of Patent: July 2, 2013
    Assignee: Microsoft Corporation
    Inventors: Dharshan Rangegowda, Robert Fries
  • Patent number: 8463747
    Abstract: A computer-implemented system configured to describe the relationship between a first Namespace and a second Namespace is provided. The system includes a containment relationship identifying a direct relationship between a first object of the first Namespace and a second object of the first Namespace. Moreover, the system includes a junction relationship linking the second object of the first Namespace to a first object of the second Namespace. In one embodiment, the system is configured to facilitate the recovery of information based on the descriptions of the Namespaces that is maintained.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: June 11, 2013
    Assignee: Microsoft Corporation
    Inventors: Brian M. Wahlert, Mike Jazayeri, Catharine van Ingen, Brian T. Berkowitz, Nikhil Vijay Chandhok, Dharshan Rangegowda, Vinay Badami, Yezdi Z. Lashkari, Robert M. Fries, Seetharaman Harikrishnan
  • Publication number: 20130111558
    Abstract: In a multi-tenant environment, machines across the Internet belonging to a particular subscription are securely enrolled with the tenant's subscription. Authentication of the machines is delegated to each of the tenant's own on-premise authentication mechanism. The trust relationship with the tenant's authentication service is used to validate the security token presented by the machine being authenticated. Once authenticated, the machine has authorization (e.g., SSL machine cert for identity, security token, etc.) to access the subscription. Each tenant within the multi-tenant environment can provide its own level of authentication. The machine presents the security token to the multi-tenant environment for requests for resources (e.g., services/content) from a user. When a request is received from a machine to access a resource, the multi-tenant environment determines from the issued token whether or not the machine is authorized to access the requested resources.
    Type: Application
    Filed: October 31, 2011
    Publication date: May 2, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Murali Krishna Sangubhatla, Dharshan Rangegowda, Morgan Asher Brown, Jiazhen Chen, Anthony S. Chavez
  • Patent number: 8364983
    Abstract: A virtual machine comprises a unique identifier that is associated with one or more encryption keys. A management server encrypts the virtual machine's virtual hard disk(s) using the one or more associated encryption keys. The management server further provides the one or more encryption keys to a limited number of one or more servers in a system. Only those one or more servers that have been provided the one or more encryption keys can be used to load, access, and/or operate the virtual machine. The management server can thus differentiate which virtual machines can be operated on which servers by differentiating which servers can receive which encryption keys. In one implementation, a management server encrypts all virtual machines in the system, but encrypts virtual machines with sensitive data with a limited set of encryption keys, and further provides those encryption keys to a limited set of trusted servers.
    Type: Grant
    Filed: May 8, 2008
    Date of Patent: January 29, 2013
    Assignee: Microsoft Corporation
    Inventors: Dharshan Rangegowda, Robert M. Fries
  • Publication number: 20120109899
    Abstract: A computer-implemented system configured to describe the relationship between a first Namespace and a second Namespace is provided. The system includes a containment relationship identifying a direct relationship between a first object of the first Namespace and a second object of the first Namespace. Moreover, the system includes a junction relationship linking the second object of the first Namespace to a first object of the second Namespace. In one embodiment, the system is configured to facilitate the recovery of information based on the descriptions of the Namespaces that is maintained.
    Type: Application
    Filed: December 9, 2011
    Publication date: May 3, 2012
    Applicant: Microsoft Corporation
    Inventors: Brian M. Wahlert, Mike Jazayeri, Catharine van Ingen, Brian T. Berkowitz, Nikhil Vijay Chandhok, Dharshan Rangegowda, Vinay Badami, Yezdi Z. Lashkari, Robert M. Fries, Seetharaman Karikrishnan
  • Publication number: 20120084265
    Abstract: A computer-implemented system configured to describe the relationship between a first Namespace and a second Namespace is provided. The system includes a containment relationship identifying a direct relationship between a first object of the first Namespace and a second object of the first Namespace. Moreover, the system includes a junction relationship linking the second object of the first Namespace to a first object of the second Namespace. In one embodiment, the system is configured to facilitate the recovery of information based on the descriptions of the Namespaces that is maintained.
    Type: Application
    Filed: December 8, 2011
    Publication date: April 5, 2012
    Applicant: Microsoft Corporation
    Inventors: Brian M. Wahlert, Mike Jazayeri, Catharine van Ingen, Brian T. Berkowitz, Nikhil Vijay Chandhok, Dharshan Rangegowda, Seetharaman Harikrishnan, Vinay Badami, Yezdi Z. Lashkari, Robert M. Fries
  • Publication number: 20110320821
    Abstract: Computerized methods, systems, and computer-readable media for promoting cooperation between a first and second virtual network overlay (“overlay”) are provided. The first overlay is governed by a first authority domain and includes members assigned virtual IP addresses from a first address range. The second overlay is governed by a second authority domain, which is associated with a second federation mechanism, for negotiating on behalf of the second overlay. The second federation mechanism is capable of negotiating with, or soliciting delegation of authority from, a first federation mechanism that is associated with the first authority domain. When negotiations are successful or authority is delegated, the second federation mechanism establishes a communication link between the second overlay and the first overlay or joins a member of the second overlay to the first overlay. Joining involves allocating a guest IP address from the first address range to the member.
    Type: Application
    Filed: June 25, 2010
    Publication date: December 29, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: HASAN ALKHATIB, GEOFFREY OUTHRED, DEEPAK BANSAL, ANATOLIY PANASYUK, DHARSHAN RANGEGOWDA, ANTHONY CHAVEZ
  • Patent number: 8078587
    Abstract: A computer-implemented system configured to describe the relationship between a first Namespace and a second Namespace is provided. The system includes a containment relationship identifying a direct relationship between a first object of the first Namespace and a second object of the first Namespace. Moreover, the system includes a junction relationship linking the second object of the first Namespace to a first object of the second Namespace. In one embodiment, the system is configured to facilitate the recovery of information based on the descriptions of the Namespaces that is maintained.
    Type: Grant
    Filed: April 30, 2009
    Date of Patent: December 13, 2011
    Assignee: Microsoft Corporation
    Inventors: Brian M. Wahlert, Mike Jazayeri, Catharine van Ingen, Brian T. Berkowitz, Nikhil Vijay Chandhok, Dharshan Rangegowda, Seetharaman Harikrishnan, Vinay Badami, Yezdi Z. Lashkari, Robert M. Fries