Field of the Invention
The invention relates to a method, an appliance, and a computer program product of translating network attributes of packets in a multi-tenant environment.
Description of the Prior Art
In a cloud services environment, Software as a Service (SaaS) usually encounters the problem of multi-tenancy. Because SaaS is provided on a lease basis, the supplier cannot provide every customer with a dedicated physical machine, which would waste a considerable amount of cost and resources.
For a tenant in a multi-tenant framework, however, it must be ensured that its configuration, customization, security, bandwidth, independent CPU/memory resources and so on are independent of and not influenced by other tenants. These properties are essential for SaaS services; otherwise, when something happens to one tenant, other tenants might be affected as well.
There have been many ways to employ a multi-tenant framework, such as:
1. A site with different profiles for different customers. This way entails separate configurations with a shared resource.
2. One computer supports multiple platforms. This approach entails separate configurations while some of the resources are separate (for example, different partitions are divided such that a crashed one will not affect the others), but CPU and bandwidth are shared.
3. Virtual machines (VMs) are adopted for different tenants. This manner entails separate configurations and less interaction, while most of the resources are still shared.
In a multi-tenant environment, two virtual machines (VMs) for different tenants may share exactly the same network configuration (including MAC address, IP address, VLAN tags and so on). As illustrated in FIG. 1, a multi-tenant environment 100 includes two tenants (101, 102), referred to as tenant A and tenant B, respectively. The virtual machine host VMA 103 for tenant A and the virtual machine host VMB 104 for tenant B share the same IP address. Through network connection devices 105 and 106 respectively, VMA 103 and VMB 104 are connected to a packet processing module device 107, in order to, for example, conduct packet inspection so as to implement a security policy (such as an IPS, a firewall, and so on), or to provide traffic control (such as load balancing).
Network connection devices 105 and 106 may be devices capable of controlling network packet flow, such as switches, routers, etc. For details not directly related to the present invention, please refer to the Cisco Catalyst 3550 Series Switch from Cisco Systems, Inc. Tenant A and tenant B are not limited to a particular appliance or server, and each of tenant A and tenant B may contain an unlimited number of appliances, servers, or a combination thereof. For example, tenant A and tenant B may each represent a local area network (LAN).
An appliance, typically referred to as an Internet appliance, is a device with built-in network capability and a particular function. As opposed to general-purpose computers, appliances are designed to carry out particular transactions for particular purposes or particular services, with higher performance.
Tenants A and B may each be a Virtual Local Area Network (VLAN). For the internal resources of an enterprise or organization, a network administrator can logically group apparatuses located in different physical LANs with virtual LAN technology, so as to provide more complete protection of information security.
Please refer to the article: “IBM SmartCloud Enterprise tip: Build multiple VPNs and VLANs: VPN and VLAN features and capabilities in IBM SmartCloud Enterprise 2.0: and IBM SmartCloud Enterprise tip: Span virtual local area networks Provision and configure an instance that spans a public and private VLAN”, published by Andrew Jones and others at the applicant's official website.
However, each tenant may deploy different policies with respect to the same IP address. For example, for firewall rules concerning the same IP address, tenants A and B may want to implement different rules: opening port 80 to allow web browsing for tenant A, and opening port 21 to allow file transfer with the File Transfer Protocol (FTP) for tenant B. Therefore, it is difficult for a single packet processing module to analyze packets from different tenants sharing the same IP address. The prior art modifies a conventional packet processing module by adding so-called multi-tenant awareness, so as to distinguish packets from different tenants that have the same IP address. For example, network overlay technology, which relies on tenant identity information carried by packet encapsulation, has been used for this purpose. With this technology, a conventional packet processing module product needs to be modified to identify and parse the encapsulated packet. Another solution is to use a separate IPS or packet processing module to process or examine the packets of each tenant.
For some very old packet processing modules (so-called “legacy products”), modifying them to support a multi-tenant framework is an impractical waste of resources. It is also very expensive to provide a separate IPS or packet processing module for each tenant.
Thus it is advantageous to have a mechanism that allows a conventional packet processing module, without modification, to operate in a multi-tenant environment and support at least one tenant, and accordingly overcome the deficiencies of the prior art.
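As an added illustration (not part of the patent text and not the patent's own method), the following Python models the conflict described above for two tenants sharing an address, and one simple translation layer that rewrites each tenant's address into a disjoint range so that an unmodified, IP-keyed module can still apply per-tenant rules. The class names, the 192.168.1.10 address and the per-tenant ranges are constructed assumptions.

```python
from ipaddress import IPv4Network

# Constructed scenario from the text: tenant A and tenant B each run a VM at the
# same address; A wants port 80 (HTTP) open, B wants port 21 (FTP) open.
SHARED_IP = "192.168.1.10"

class LegacyFirewall:
    """Tenant-unaware packet processing module: rules keyed on (src_ip, dst_port) only."""
    def __init__(self):
        self.allow = set()
    def add_rule(self, src_ip, dst_port):
        self.allow.add((src_ip, dst_port))
    def inspect(self, src_ip, dst_port):
        return (src_ip, dst_port) in self.allow

class TenantTranslator:
    """Assumed translation layer (not the patent's own): rewrites each tenant's
    address into a disjoint per-tenant range before the legacy module sees it."""
    def __init__(self):
        self.pool = {}  # tenant -> iterator over free translated addresses
        self.fwd = {}   # (tenant, original ip) -> translated ip
        self.rev = {}   # translated ip -> (tenant, original ip)
    def register_tenant(self, tenant, cidr):
        self.pool[tenant] = IPv4Network(cidr).hosts()
    def to_legacy(self, tenant, ip):
        key = (tenant, ip)
        if key not in self.fwd:  # allocate once, then reuse the mapping
            translated = str(next(self.pool[tenant]))
            self.fwd[key], self.rev[translated] = translated, key
        return self.fwd[key]
    def from_legacy(self, translated_ip):
        return self.rev[translated_ip]  # restore tenant and original address

def without_translation():
    """The conflict in the text: rules keyed by IP alone, so both tenants get both."""
    fw = LegacyFirewall()
    fw.add_rule(SHARED_IP, 80)
    fw.add_rule(SHARED_IP, 21)
    return {t: (fw.inspect(SHARED_IP, 80), fw.inspect(SHARED_IP, 21)) for t in "AB"}

def with_translation():
    """Same legacy module, unmodified, now enforcing a per-tenant policy."""
    fw, tr = LegacyFirewall(), TenantTranslator()
    tr.register_tenant("A", "10.1.0.0/16")
    tr.register_tenant("B", "10.2.0.0/16")
    fw.add_rule(tr.to_legacy("A", SHARED_IP), 80)
    fw.add_rule(tr.to_legacy("B", SHARED_IP), 21)
    verdict = lambda t, p: fw.inspect(tr.to_legacy(t, SHARED_IP), p)
    return {t: (verdict(t, 80), verdict(t, 21)) for t in "AB"}
```

The reverse mapping is what a real deployment would use to hand the verdict (and the packet) back to the correct tenant after inspection.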