Data centers housing significant numbers of interconnected computing systems have become commonplace, such as private data centers that are operated by and on behalf of a single organization, and public data centers that are operated by entities as businesses that provide access to computing resources to customers under various business models. For example, some public data center operators provide network access, power, and secure installation facilities for hardware owned by various customers, while other public data center operators provide “full service” facilities that also include the actual hardware resources used by their customers. However, as the scale and scope of typical data centers has increased, the task of provisioning, administering, and managing the physical computing resources has become increasingly complicated.
The advent of virtualization technologies for commodity hardware has provided a partial solution to the problem of managing large-scale computing resources for many customers with diverse needs, allowing various computing resources to be efficiently and securely shared between multiple customers. For example, virtualization technologies such as those provided by VMWare, XEN, or User-Mode Linux may allow a single physical computing machine to be shared among multiple users by providing each user with one or more virtual machines hosted by the single physical computing machine, with each such virtual machine being a software simulation acting as a distinct logical computing system that provides users with the illusion that they are the sole operators and administrators of a given hardware computing resource, while also providing application isolation and security among the various virtual machines. Furthermore, some virtualization technologies are capable of providing virtual resources that span one or more physical resources, such as a single virtual machine with multiple virtual processors that actually spans multiple distinct physical computing systems.
However, one problem that arises in the context of data centers that virtually or physically host large numbers of applications or systems for a set of diverse customers involves providing network isolation for the systems operated by or on behalf of each customer, such as to allow communications between those systems (if desired by the customer) while restricting undesired communications to those systems from other systems. Traditional firewall technologies may be employed to provide limited benefits, but problems persist. For example, firewalls are typically configured to filter incoming network traffic at or near the destination of the traffic, but this allows malicious applications to cause resource outages by flooding a given network with traffic, even if the firewalls were able to perfectly block all such incoming network traffic. In addition, firewalls do not typically include facilities for dynamically modifying filtering rules to reflect the types of highly dynamic resource provisioning that may occur in the context of a large-scale data center hosting many thousands of virtual machines. Thus, as new applications and systems come online and others go offline, for example, traditional firewalls lack the ability to dynamically determine appropriate filtering rules required to operate correctly, instead necessitating time-consuming and error-prone manual configuration of such filtering rules.
Thus, given such problems, it would be beneficial to provide techniques that allow users to efficiently specify communications policies that are automatically enforced via management of data transmissions for multiple computing nodes, such as for multiple hosted virtual machines operating in one or more data centers or other computing resource facilities.