Abstract: The present disclosure relates generally to establishing a connection between a client and an endpoint in a manner that reduces network latency. In an example, a network layer proxy receives a request of a client for an endpoint connection establishment, the request including endpoint information. The network layer proxy sends, to an application layer proxy, the endpoint information, the endpoint information sent using a connection-less protocol. Thereafter, the network layer proxy receives, from the application layer proxy, a network address of an endpoint selected by the application layer proxy based on the endpoint information and application layer information. The network layer proxy sends a response to the client such that a connection is established to the endpoint using a connection-based protocol and such that the connection bypasses the application layer proxy.

Abstract: A computer program product, system, and computer implemented method for application-level redirect trapping and creation of NAT mapping to work with routing infrastructure for private connectivity in cloud and customer networks. The approach disclosed herein generally comprises a method of leveraging a reverse connection endpoint and IP address mapping controller to capture redirection messages from a private cloud or network (e.g., a service consumer network or a service consumer hybrid cloud). This allows at least the IP address mapping controller to manage a cloud networking infrastructure to provide for a service provider network (e.g., a public cloud) to support applications that overcome the isolation requirements of a private cloud or network to perform useful work. For example, without saddling the private cloud or network user with a heavy pre-configuration burden, the approach disclosed herein supports redirection to dynamically determined IP addresses at the private cloud or network.

Abstract: A computer program product, system, and computer implemented method for application-level redirect trapping and creation of NAT mapping to work with routing infrastructure for private connectivity in cloud and customer networks. The approach disclosed herein generally comprises a method of leveraging a reverse connection endpoint and IP address mapping controller to capture redirection messages from a private cloud or network (e.g., a service consumer network or a service consumer hybrid cloud). This allows at least the IP address mapping controller to manage a cloud networking infrastructure to provide for a service provider network (e.g., a public cloud) to support applications that overcome the isolation requirements of a private cloud or network to perform useful work. For example, without saddling the private cloud or network user with a heavy pre-configuration burden, the approach disclosed herein supports redirection to dynamically determined IP addresses at the private cloud or network.

Abstract: A computer program product, system, and computer implemented method for application-level redirect trapping and creation of NAT mapping to work with routing infrastructure for private connectivity in cloud and customer networks. The approach disclosed herein generally comprises a method of leveraging a reverse connection endpoint and IP address mapping controller to capture redirection messages from a private cloud or network (e.g., a service consumer network or a service consumer hybrid cloud). This allows at least the IP address mapping controller to manage a cloud networking infrastructure to provide for a service provider network (e.g., a public cloud) to support applications that overcome the isolation requirements of a private cloud or network to perform useful work. For example, without saddling the private cloud or network user with a heavy pre-configuration burden, the approach disclosed herein supports redirection to dynamically determined IP addresses at the private cloud or network.

Abstract: Embodiments establish a pool of tunnel connections using a secure protocol. A pool of tunnels can be initiated from endpoint connection managers to cloud connection managers, where a request is received from the endpoint connection managers by the cloud connection managers. A request from a cloud client to communicate with a secure computing device using a first of the endpoint connection managers is received at a first of the cloud connection managers. One of the pool of tunnels that is connected to the first endpoint connection manager is identified. The identified tunnel is configured to connect the cloud client and the first endpoint connection manager.

Abstract: Embodiments establish a pool of tunnel connections using a secure protocol. A pool of tunnels can be initiated from endpoint connection managers to cloud connection managers, where a request is received from the endpoint connection managers by the cloud connection managers. A request from a cloud client to communicate with a secure computing device using a first of the endpoint connection managers is received at a first of the cloud connection managers. One of the pool of tunnels that is connected to the first endpoint connection manager is identified. The identified tunnel is configured to connect the cloud client and the first endpoint connection manager.

Abstract: Described is an improved approach to ensure high availability for established sessions (e.g., application layer sessions) over network connections that negotiates and renegotiates encryption keys (e.g., TLS/SSL) at clean boundaries to ensure in-transit data are properly handled during migration of an application (e.g., a reverse proxy server instance). Connected TCP sessions may be handed off to another application (e.g., from existing proxy server to new/upgraded proxy server) and after establishing a new TLS session with a new encryption key, data transfer may be resumed between a client and a server using the new/upgraded application in a client-server architecture.

Abstract: A process or thread is implemented to issue a command which executes without use of a processor that issues the command, retain control of the processor to check whether the issued command has completed, and when the issued command has not completed repeat the checking without relinquishing the processor, until a limiting condition is satisfied. The limiting condition may be determined specifically for a current execution of the command, based on one or more factors, such as durations of executions of the command after start of the process or thread and/or an indicator of delay in a current execution of the command. When the limiting condition is satisfied, the processor is relinquished by the process or thread issuing a sleep command, after setting an interrupt. After the command completes, the limiting condition is determined anew based on the duration of the current execution, for use in a next execution.

Abstract: Described is an improved approach to ensure high availability for established sessions (e.g., application layer sessions) over network connections that negotiates and renegotiates encryption keys (e.g., TLS/SSL) at clean boundaries to ensure in-transit data are properly handled during migration of an application (e.g., a reverse proxy server instance). Connected TCP sessions may be handed off to another application (e.g., from existing proxy server to new/upgraded proxy server) and after establishing a new TLS session with a new encryption key, data transfer may be resumed between a client and a server using the new/upgraded application in a client-server architecture.

Abstract: A process or thread is implemented to issue a command which executes without use of a processor that issues the command, retain control of the processor to check whether the issued command has completed, and when the issued command has not completed repeat the checking without relinquishing the processor, until a limiting condition is satisfied. The limiting condition may be determined specifically for a current execution of the command, based on one or more factors, such as durations of executions of the command after start of the process or thread and/or an indicator of delay in a current execution of the command. When the limiting condition is satisfied, the processor is relinquished by the process or thread issuing a sleep command, after setting an interrupt. After the command completes, the limiting condition is determined anew based on the duration of the current execution, for use in a next execution.

Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: Systems, methods, and other embodiments are disclosed that are configured to generate a hierarchy of access rules in a protocol stack. Access rules corresponding to a first layer in a protocol stack are analyzed. The access rules determine, at the first layer, whether network sources are permitted access to a computing device. Dependent access rules are generated based at least in part on a combination of the access rules from the first layer. The dependent access rules are pushed down to a second layer in the protocol stack by implementing the dependent access rules at the second layer to determine, at the second layer, whether the network sources are permitted access to the computing device.

Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: A security solution provides secure communication in a multi-tenant environment which includes a connection-based fabric, storage cells holding data associated with different tenants, database servers which provide a plurality of database services using said data, application servers hosting database service consumers. The fabric is configured into partitions isolating the storage cells from the database service consumers. The application servers securely associate unique database service consumer identities with each database service consumer and all communications with the database servers. The database servers reject all communications from the application servers which do not include an identity and use an access control list to control access from the database service consumers to the database services using address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: Techniques and systems that allow receiving a data stream and a location value. The location value, in one embodiment, is indicative of a location in the data stream at which the data stream has been aborted. This value may be determined by a sending entity and sent to a receiving entity. In various embodiments, the receiving entity may compute the remaining amount of data to be received in the data stream, and then receive that amount of data. In some embodiments, a checkpoint value may be used in conjunction with the location value to indicate an abort location for a data stream. A checkpoint value may correspond to an amount of data between successive checkpoints in the data stream. In some embodiments, upon aborting a data stream, a receiving entity receives data until a next checkpoint in the data stream.

Abstract: Systems, methods, and other embodiments are disclosed that are configured to generate a hierarchy of access rules in a protocol stack. Access rules corresponding to a first layer in a protocol stack are analyzed. The access rules determine, at the first layer, whether network sources are permitted access to a computing device. Dependent access rules are generated based at least in part on a combination of the access rules from the first layer. The dependent access rules are pushed down to a second layer in the protocol stack by implementing the dependent access rules at the second layer to determine, at the second layer, whether the network sources are permitted access to the computing device.

Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: A security solution provides secure communication in a multi-tenant environment which includes a connection-based fabric, storage cells holding data associated with different tenants, database servers which provide a plurality of database services using said data, application servers hosting database service consumers. The fabric is configured into partitions isolating the storage cells from the database service consumers. The application servers securely associate unique database service consumer identities with each database service consumer and all communications with the database servers. The database servers reject all communications from the application servers which do not include an identity and use an access control list to control access from the database service consumers to the database services using address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: Techniques are provided to allow users to define a global service that is offered across multiple replicated databases. Database clients connect to and use a global service just as they do with regular services on a single database today. Upon receiving a connection request, a collection of components, referred to collectively as the Global Data Service framework (GDS framework), automatically chooses the best database server instances to which to connect a client. Once those connections have been established, the clients determine which database server instance, of those database server instances to which they are connected, to send requests to based, at least in part, on advisory messages sent to the clients by the GDS framework.