MANAGING USE OF ALTERNATIVE INTERMEDIATE DESTINATION COMPUTING NODES FOR PROVIDED COMPUTER NETWORKS
    261.
    Invention application (status: under examination, published)

    Publication number: US20160191310A1

    Publication date: 2016-06-30

    Application number: US15061851

    Application date: 2016-03-04

    Abstract: Techniques are described for managing communications for a managed computer network by using a defined pool of alternative computing nodes of the managed computer network that are configured to operate as intermediate destinations to handle at least some communications that are sent by and/or directed to one or more other computing nodes of the managed computer network. For example, a manager module associated with a source computing node may select a particular alternative intermediate destination computing node from a defined pool to use for one or more particular communications from the source computing node to an indicated final destination, such as based on a configured logical network topology for the managed computer network and/or on one or more other selection criteria (e.g., to enable load balancing between the alternative computing nodes). The manager module then forwards those communications to the selected intermediate destination computing node for further handling.

    MANAGING VIRTUAL COMPUTING NODES USING ISOLATION AND MIGRATION TECHNIQUES
    263.
    Invention application (status: under examination, published)

    Publication number: US20160132347A1

    Publication date: 2016-05-12

    Application number: US14821560

    Application date: 2015-08-07

    Abstract: Systems and methods for the management of virtual machine instances are provided. A network data transmission analysis system can use contextual information in the execution of virtual machine instances to isolate and migrate virtual machine instances onto physical computing devices. The contextual information may include information obtained in observing the execution of virtual machine instances and information obtained from requests submitted by users, such as system administrators. Still further, the network data transmission analysis system can also include information collection and retention for identified virtual machine instances.

    Device coordination
    264.
    Granted invention patent (status: in force)

    Publication number: US09300639B1

    Publication date: 2016-03-29

    Application number: US13916915

    Application date: 2013-06-13

    Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The service may utilize multiple security modules. A coordinator may coordinate the security modules to ensure that the security modules operate with consistent operational parameters. A security module may propose a set of parameters for acceptance by the coordinator. If accepted, the coordinator may update the security modules in accordance with the proposal.

    Network address verification
    265.
    Granted invention patent (status: in force)

    Publication number: US09300625B1

    Publication date: 2016-03-29

    Application number: US13733019

    Application date: 2013-01-02

    Abstract: Data payloads that may not be accessible to customer computing devices may be utilized to verify network address ownership. In some examples, a first payload may be provided to a computing device having an address. Additionally, a second payload may be received from the computing device. Based at least in part on a relationship between the first payload and the second payload, an action associated with the address may be performed.

    Virtual service provider zones
    266.
    Granted invention patent (status: in force)

    Publication number: US09286491B2

    Publication date: 2016-03-15

    Application number: US13932824

    Application date: 2013-07-01

    CPC classification number: G06F21/602 G06F21/6218 G06F21/6254

    Abstract: A service proxy serves as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.

    TRUSTED COMPUTING HOST
    267.
    Invention application (status: under examination, published)

    Publication number: US20160070929A1

    Publication date: 2016-03-10

    Application number: US14868006

    Application date: 2015-09-28

    Abstract: A trusted computing host is described that provides various security computations and other functions in a distributed multitenant and/or virtualized computing environment. The trusted host computing device can communicate with one or more host computing devices that host virtual machines to provide a number of security-related functions, including but not limited to boot firmware measurement, cryptographic key management, remote attestation, as well as security and forensics management. The trusted computing host maintains an isolated partition for each host computing device in the environment and communicates with peripheral cards on host computing devices in order to provide one or more security functions.

    PARAMETER BASED KEY DERIVATION
    268.
    Invention application (status: in force)

    Publication number: US20160021118A1

    Publication date: 2016-01-21

    Application number: US14866673

    Application date: 2015-09-25

    Abstract: A delegation request is submitted to a session-based authentication service, fulfillment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key has been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service, and is usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

    Using virtual networking devices to manage routing cost information

    Publication number: US09219679B2

    Publication date: 2015-12-22

    Application number: US14637211

    Application date: 2015-03-03

    Abstract: Techniques are described for providing managed virtual computer networks that have a configured logical network topology with virtual networking devices, such as by a network-accessible configurable network service, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the virtual networking devices if they were physically present. In some situations, the networking functionality provided for a managed computer network of a client includes receiving routing communications directed to the virtual networking devices and using included routing cost information to update the configuration of the managed computer network, and/or includes determining actual cost information corresponding to use of an underlying substrate network and providing routing cost information to the client that reflects the determined actual cost information, so as to enable the client to modify the configuration of the managed computer network accordingly.

    PROVIDING LOGICAL NETWORKING FUNCTIONALITY FOR MANAGED COMPUTER NETWORKS
    270.
    Invention application (status: under examination, published)

    Publication number: US20150350011A1

    Publication date: 2015-12-03

    Application number: US14822704

    Application date: 2015-08-10

    Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.
