-
Publication number: US10516652B1
Publication date: 2019-12-24
Application number: US15445459
Filing date: 2017-02-28
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: Omer Hashmi , Andrew Hemstreet Redmon
Abstract: A system (and method) includes a plurality of compute devices configured to execute an endpoint node and a provisioning service. The endpoint node is configured to establish an encrypted communication channel over a public network. The provisioning service is configured to retrieve configuration parameters from a database. The configuration parameters define a security association for the encrypted communication channel and include an encryption key and an identifier of an encryption algorithm. The provisioning service is configured to transmit the configuration parameters to the endpoint node for use in implementation of a security association for the encrypted communication channel.
-
Publication number: US10397232B2
Publication date: 2019-08-27
Application number: US14750868
Filing date: 2015-06-25
Applicant: Amazon Technologies, Inc.
Inventor: Omer Hashmi , Katherine Yichen Chung
Abstract: Techniques are described for providing users with access to perform commands on network-accessible computing resources. In some situations, permissions are established for user(s) to execute command(s) on computing node(s) provided by an online service, such as by maintaining various permission information externally to those provided computing nodes for use in controlling users' ability to access, use, and/or modify the provided computing nodes. An interface component may use such external permissions information to determine if a particular user is authorized to execute one or more particular commands on one or more particular computing nodes, and to initiate simultaneous and independent execution of the command(s) on the computing node(s) when authorized. The interface component may further aggregate results from each computing node that executed the command(s), prior to providing the results to the user.
-
Publication number: US10326710B1
Publication date: 2019-06-18
Application number: US14843881
Filing date: 2015-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Omer Hashmi , Mark Edward Stalzer
IPC: G06F15/173 , H04L12/911 , G06F9/455
Abstract: Methods and apparatus that automatically propagate access rules for access groups within clients' virtual networks on a provider network. A peering protocol may be used to advertise routes from a gateway of a client's external network to a virtual gateway of the client's virtual network via direct and/or virtual connections. The advertised routes may be automatically propagated into the virtual network so that traffic can flow between the source address ranges of the advertised routes and the virtual network. Access group information may be included as metadata with at least some route advertisements. Access rules for access groups on the virtual network may be automatically created or updated according to the metadata included with the advertised routes to allow access from network addresses on the client's external network to the client's resources in the access groups.
-
Publication number: US20160381032A1
Publication date: 2016-12-29
Application number: US14750868
Filing date: 2015-06-25
Applicant: Amazon Technologies, Inc.
Inventor: Omer Hashmi , Katherine Yichen Chung
IPC: H04L29/06
CPC classification number: H04L63/102 , G06F9/45512 , G06F9/45533 , G06F9/468 , H04L63/10 , H04L67/10 , H04L67/306
Abstract: Techniques are described for providing users with access to perform commands on network-accessible computing resources. In some situations, permissions are established for user(s) to execute command(s) on computing node(s) provided by an online service, such as by maintaining various permission information externally to those provided computing nodes for use in controlling users' ability to access, use, and/or modify the provided computing nodes. An interface component may use such external permissions information to determine if a particular user is authorized to execute one or more particular commands on one or more particular computing nodes, and to initiate simultaneous and independent execution of the command(s) on the computing node(s) when authorized. The interface component may further aggregate results from each computing node that executed the command(s), prior to providing the results to the user.
-
Publication number: US20240187332A1
Publication date: 2024-06-06
Application number: US18537691
Filing date: 2023-12-12
Applicant: Amazon Technologies, Inc.
Inventor: Paul John Tillotson , Bashuman Deb , Thomas Spendley , Omer Hashmi , Baihu Qian , Alexander Justin Penney
IPC: H04L45/02 , H04L12/46 , H04L45/302 , H04L47/2483
CPC classification number: H04L45/04 , H04L12/4633 , H04L45/306 , H04L47/2483 , H04L2212/00
Abstract: Metadata indicating that a virtual traffic hub enabling connectivity between a plurality of isolated networks has been established is stored. A determination is made that a first entry of a first isolated network attached to the hub is to be represented in a second routing table of a second isolated network attached to the hub, e.g., to enable network packets originating at resources of the second isolated network to be transmitted via the hub to the first isolated network. A new entry corresponding to the first entry is included in the second routing table.
-
Publication number: US11855893B2
Publication date: 2023-12-26
Application number: US17456548
Filing date: 2021-11-24
Applicant: Amazon Technologies, Inc.
Inventor: Anoop Dawani , Bashuman Deb , Baihu Qian , Omer Hashmi , Nick Matthews , Shridhar Kulkarni , Thomas Nguyen Spendley , Steve Ge , Justin Lin Hsieh , Guru Kannan , Alok Mishra
IPC: H04L45/745 , H04L12/66 , H04L12/46
CPC classification number: H04L45/745 , H04L12/4641 , H04L12/66
Abstract: Systems and methods are provided for management of network segments that cross geographic regions and/or other types of network divisions in a cloud-based network environment. A cloud-based network provider's geographically-dispersed network infrastructure may serve as the core of a client's private wide area network, and the client may define isolated segments to which other networks (virtual private clouds, virtual private networks, etc.) may be attached. The various segments may remain logically isolated from each other even when implemented across some or all of the same regions—and using the same physical and/or virtual routing components—as other segments of the same client and/or other clients.
-
Publication number: US11831600B2
Publication date: 2023-11-28
Application number: US17091995
Filing date: 2020-11-06
Applicant: Amazon Technologies, Inc.
Inventor: Paul John Tillotson , Bashuman Deb , Thomas Spendley , Omer Hashmi , Baihu Qian , Alexander Justin Penney
IPC: H04L61/4511 , H04L41/12 , H04L12/46 , H04L61/3015 , G06F9/455 , H04L47/2483
CPC classification number: H04L61/4511 , G06F9/45558 , H04L12/4645 , H04L41/12 , H04L47/2483 , H04L61/3025 , G06F2009/45587 , G06F2009/45595
Abstract: Connectivity is enabled between a first and second isolated network using a virtual traffic hub that includes a decision master node responsible for determining a routing action for a packet received at the hub. At the hub, a determination is made that a particular domain name system (DNS) message being directed to a first resource in the first isolated network is to include an indication of a second resource in the second isolated network. The second resource is assigned a network address within a private address range of the second isolated network, which overlaps with a private address range being used in the first isolated network. The hub causes a transformed version of the network address to be included in the DNS message delivered to the first resource.
-
Publication number: US11799755B2
Publication date: 2023-10-24
Application number: US17456549
Filing date: 2021-11-24
Applicant: Amazon Technologies, Inc.
Inventor: Anoop Dawani , Bashuman Deb , Baihu Qian , Omer Hashmi , Nick Matthews , Shridhar Kulkarni , Thomas Nguyen Spendley , Indira Radhika Pulla , David Jonathan Adams , Nicholas Ryan Lombardi , Brandon Michael LaRue , Aaron Scott DeBruin , Ramin Ali Dousti
IPC: H04L45/00 , H04L45/02 , H04L45/302 , H04L45/44 , H04L9/40 , H04L45/50 , H04L45/021 , H04L41/0895 , H04L49/00
CPC classification number: H04L45/04 , H04L45/02 , H04L45/306 , H04L45/44 , H04L45/566 , H04L41/0895 , H04L45/021 , H04L45/507 , H04L49/3009 , H04L63/0272
Abstract: Systems and methods are provided for management of network segments that cross geographic regions and/or other types of network divisions in a cloud-based network environment. Gateways may manage traffic across regions using routing metadata that includes a segment identifier. The gateways may also signal their routes across regions based on segment data, and implement the signaled routes using segment-based routing policies. Route selection may be performed using optimization data.
-
Publication number: US20230077765A1
Publication date: 2023-03-16
Application number: US17929649
Filing date: 2022-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Paul John Tillotson , Bashuman Deb , Thomas Spendley , Omer Hashmi , Baihu Qian , Alexander Justin Penney
IPC: H04L45/02 , H04L12/46 , H04L47/2483 , H04L45/302
Abstract: Metadata indicating that a virtual traffic hub enabling connectivity between a plurality of isolated networks has been established is stored. A determination is made that a first entry of a first isolated network attached to the hub is to be represented in a second routing table of a second isolated network attached to the hub, e.g., to enable network packets originating at resources of the second isolated network to be transmitted via the hub to the first isolated network. A new entry corresponding to the first entry is included in the second routing table.
-
Publication number: US20220321469A1
Publication date: 2022-10-06
Application number: US17218031
Filing date: 2021-03-30
Applicant: Amazon Technologies, Inc.
Inventor: Baihu Qian , Omer Hashmi , Thomas Nguyen Spendley , Bashuman Deb , Shridhar Kulkarni , Paul John Tillotson , Indira Radhika Pulla , Ramin Ali Dousti , Nicholas Ryan Lombardi , Steve Ge , Nick Matthews , Anoop Dawani
IPC: H04L12/713 , H04L12/707 , H04L12/717 , H04L12/733 , H04L12/46
Abstract: A pair of virtual routers is configured. In response to programmatic requests, dynamic transfer of routing information between the routers in accordance with configuration settings indicated by a client is enabled. The routing information is associated with a set of isolated networks to which the virtual routers are attached. A network packet originating at an address in a first isolated network is transmitted to an address in a second isolated network using a route determined from routing information transmitted between the virtual routers according to the configuration settings.
-