-
Publication No.: US20230074913A1
Publication Date: 2023-03-09
Application No.: US18047239
Application Date: 2022-10-17
Applicant: Amazon Technologies, Inc.
Inventor: Daniel Todd Cohn, Eric Jason Brandwine, Andrew J. Doane
IPC: H04L41/0803, G06F9/455, H04L67/10, H04L45/02, H04L12/46, H04L41/0806, H04L41/12, H04L45/00, G06F9/50, H04L61/10, H04L41/0893
Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.
-
Publication No.: US11563799B2
Publication Date: 2023-01-24
Application No.: US17371772
Application Date: 2021-07-09
Applicant: Amazon Technologies, Inc.
Inventor: Anthony Nicholas Liguori, Eric Jason Brandwine
IPC: H04L29/08, H04L67/10, H04L67/141, H04L12/46, H04L61/50
Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.
-
Publication No.: US11563681B2
Publication Date: 2023-01-24
Application No.: US16510739
Application Date: 2019-07-12
Applicant: Amazon Technologies, Inc.
Inventor: Swaminathan Sivasubramanian, Eric Jason Brandwine, Tate Andrew Certain, Bradley E. Marshall
IPC: G06F15/16, H04L45/74, H04L45/64, H04L41/08, H04L67/10, H04L61/2514, H04L61/103, H04L101/686
Abstract: Techniques are described for managing communications for a managed virtual computer network overlaid on a distinct substrate computer network, including for communications involving computing nodes of the managed virtual computer network that use an alternative addressing scheme to direct network packets and other network communications to intended destination locations by using textual network node monikers instead of numeric IP addresses to represent computing nodes at a layer 3 or “network layer” of a corresponding computer networking stack in use by the computing nodes. The techniques are provided without modifying or configuring the network devices of the substrate computer network, by using configured modules to manage and modify communications from the logical edge of the substrate network.
-
Publication No.: US11494214B2
Publication Date: 2022-11-08
Application No.: US16368747
Application Date: 2019-03-28
Applicant: Amazon Technologies, Inc.
Inventor: Anthony Nicholas Liguori, Eric Jason Brandwine, Matthew Shawn Wilson
Abstract: At a virtualization host, an isolated run-time environment is established within a compute instance. The configuration of the isolated run-time environment is analyzed by a security manager of the hypervisor of the host. After the analysis, computations are performed at the isolated run-time environment.
-
Publication No.: US20220217040A1
Publication Date: 2022-07-07
Application No.: US17705188
Application Date: 2022-03-25
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Clarissa Loree Cook Brandwine, Daniel T. Cohn, Andrew J. Doane, Carl J. Moses, Stephen E. Schmidt
IPC: H04L41/0803, H04L12/46, H04L45/586, H04L9/40
Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.
-
Publication No.: US11323479B2
Publication Date: 2022-05-03
Application No.: US16046582
Application Date: 2018-07-26
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine, Matthew James Wren
Abstract: A system comprises a data storage service includes a web service interface operating as a proxy to the data storage service. Data obtained at the data storage service is analyzed by one or more criteria of a data loss prevention policy, the data is encrypted by a key that is inaccessible to a remote service, and then the encrypted data is transmitted to the remote service.
-
Publication No.: US11290320B2
Publication Date: 2022-03-29
Application No.: US16938999
Application Date: 2020-07-26
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Clarissa Loree Cook Brandwine, Daniel T. Cohn, Andrew J. Doane, Carl J. Moses, Stephen E. Schmidt
IPC: H04L12/24, H04L12/46, H04L29/06, H04L41/0803, H04L45/586
Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.
-
Publication No.: US11216391B1
Publication Date: 2022-01-04
Application No.: US16015090
Application Date: 2018-06-21
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
Abstract: Techniques are described for the creation and use of input/output (I/O) filters used to perform actions relative to I/O requests passing through an I/O proxy device of a computer system. A computer system includes one or more hardware processing elements (for example, one or more central processing units (CPUs), graphics processing units (GPUs), or other types of processing elements), one or more data storage devices (for example, hard-disk drives, solid-state drives (SSDs), network-accessible block storage devices, and so forth), and an I/O proxy device that is interposed between at least one of the hardware processing elements and at least one of the one or more data storage devices. The interposition of an I/O proxy device between hardware processing elements and data storage devices enables the I/O proxy device to participate in the I/O data path, for example, to receive I/O messages and to perform various actions relative to such messages.
-
Publication No.: US11146538B2
Publication Date: 2021-10-12
Application No.: US16171227
Application Date: 2018-10-25
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.
-
Publication No.: US11075913B1
Publication Date: 2021-07-27
Application No.: US16566592
Application Date: 2019-09-10
Applicant: Amazon Technologies, Inc.
Inventor: Marvin M. Theimer, Eric Jason Brandwine, Marc J. Brooker, David Everard Brown, Christopher Richard Jacques de Kadt
IPC: G06F15/173, G06F9/54, H04L29/06, G06F9/445, G06F9/455
Abstract: Users intending to launch instances or otherwise access virtual resources in a multi-tenant environment can specify a launch configuration. For each type of instance or each type of user, at least one launch configuration is created that includes parameters and values to be used in instantiating an instance of that type, the values being optimized for the current environment and type of instance. Launch configurations can be optimized for different types of users, such as to account for security credentials and access levels. Such an approach enables users to launch instances by contacting the resource provider directly without need for a proxy, which can function as a choke point under heavy load. The use of an appropriate launch configuration can be enforced for any type of user at any level, such as at the sub-net level, by modifying a request that does not specify an appropriate launch configuration.