Abstract: Various embodiments of apparatuses and methods for multi-cast, multiple unicast, and unicast distribution of messages with time synchronized delivery are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to one or more host computing devices. The one or more host computing devices host compute instances, and also contain respective isolated timing hardware outside the control of the compute instances. The isolated timing hardware of the one or more host computing devices then receive respective packets, and obtain the same time to deliver the respective packets. Each isolated timing hardware provides either the packet, or information to access the packet, to its respective destination compute instance subsequent to determining that the same specified time to deliver the packet has occurred. Thus, the respective packets are delivered near simultaneously to the one or more destination compute instances.

Abstract: A peripheral device may implement storage virtualization for non-volatile storage devices connected to the peripheral device. A host system connected to the peripheral device may host one or multiple virtual machines. The peripheral device may implement different virtual interfaces for the virtual machines or the host system that present a storage partition at a non-volatile storage device to the virtual machine or host system for storage. Access requests from the virtual machines or host system are directed to the respective virtual interface at the peripheral device. The peripheral device may perform data encryption or decryption, or may perform throttling of access requests. The peripheral device may generate and send physical access requests to perform the access requests received via the virtual interfaces to the non-volatile storage devices. Completion of the access requests may be indicated to the virtual machines via the virtual interfaces.

Abstract: Systems and methods are described for reducing latency to service requests to execute code on an on-demand code execution system by maintaining snapshots of virtual machine instances in a ready state to execute such code. A user may submit code to the on-demand code execution system, which code depends on other software, such as an operating system or runtime. The on-demand code execution system can generate a virtual machine instance provisioned with the other software, and initialize the instance into a state at which it is ready to execute the code. The on-demand code execution system can then generate a snapshot of the state of the instance, and halt the instance. When a request to execute the code is received, the snapshot can be used to quickly restore the instance. The code can then be executed within the instance, reducing the need to initialize the instance or maintain the instance in an executing state.

Abstract: Various embodiments of apparatuses and methods for multi-cast, multiple unicast, and unicast distribution of messages with time synchronized delivery are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to one or more host computing devices. The one or more host computing devices host compute instances, and also contain respective isolated timing hardware outside the control of the compute instances. The isolated timing hardware of the one or more host computing devices then receive respective packets, and obtain the same time to deliver the respective packets. Each isolated timing hardware provides either the packet, or information to access the packet, to its respective destination compute instance subsequent to determining that the same specified time to deliver the packet has occurred. Thus, the respective packets are delivered near simultaneously to the one or more destination compute instances.

Abstract: Various embodiments of apparatuses and methods for trusted and/or attested packet timestamping are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to host computing devices. The host computing devices host compute instances using a first set of computing resources, and also contain isolated timing hardware utilizing a different set of computing resources. The isolated timing hardware sets a hardware clock based on a signal corresponding to the reference clock from the reference timekeeper. The isolated timing hardware then receives a packet from a particular compute instance, creates a timestamp for the packet based at least in part on the hardware clock, where the timestamp is outside the control of the compute instances, and sends the packet and the timestamp through a data network to transmit to a packet destination.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.

Abstract: At a virtualization host, an isolated run-time environment is established within a compute instance. The configuration of the isolated run-time environment is analyzed by a security manager of the hypervisor of the host. After the analysis, computations are performed at the isolated run-time environment.

Abstract: A networking manager of an extension server of a virtualized computing service detects that a data link layer frame has been obtained at the extension server. The networking manager delivers at least a portion of contents of the frame to a compute instance running at the extension server in response to determining that a destination media access control (MAC) address of the frame matches a MAC address of a local-premise-access virtual network interface attached to the compute instance. The local-premise-access virtual network interface is not assigned an Internet Protocol (IP) address from a range of IP addresses managed by the virtualized computing service.

Abstract: A first service of a provider network obtains an identification of one or more substrate addressable devices included in an extension of the provider network. Based on the identification, a launch of one or more compute instances within the provider network is initiated. The one or more compute instances are to connect the provider network to the extension of the provider network across at least a third-party network by receiving a first control plane message directed to a first substrate addressable device of the one or more substrate addressable devices, by updating a message state data store based at least in part on the first control plane message, and by sending a second control plane message to the first substrate addressable device via a secure tunnel.

Abstract: A first block storage server virtual machine to host a first volume using one or more storage devices of a computer system is executed by the computer system. A second virtual machine having access to a virtual block storage device is executed by the computer system. A block storage client is executed by the computer system. A first block storage operation is received by the block storage client from the second virtual machine, the first block storage operation to perform on the virtual block storage device. A message is sent by the block storage client to the first block storage server virtual machine to cause the first block storage server virtual machine to perform the block storage operation with the first volume.

Abstract: Disclosed are various embodiments for a container execution environment. In one embodiment, a container is executed in a virtual machine instance running on a computing device. A container control plane is executed separately from the virtual machine instance in an off-load device operably coupled to the computing device via a hardware interconnect interface. The container is managed using the container control plane executing on the off-load device.

Abstract: A first instance is caused to execute software code to perform a first portion of a workflow in response to receipt of a workflow request, and performance of the first portion results in submission of an operation request to an entity. A resume workflow request is received from the entity, where the resume workflow request includes a handle to a snapshot that corresponds to a state of execution of the software code and a response to the operation request to the entity. Using the handle to the snapshot and the response to the operation request, a second instance is caused to execute the software code from the first state to perform a second portion of the workflow. A workflow result is received from an instance that executes a last portion of the workflow, and the workflow is provided result in response to the workflow request.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement virtualization offloading components of a virtualized computing service, including a storage manager. The offloading components establish network connectivity with a control plane of the service. Based on detecting that a hardware server, in a separate enclosure, has been linked to the peripheral device, the hardware server is presented as a virtualization host of the service. The offloading components initiate compute instance configuration operations at the server in response to commands issued to the control plane, including at least one configuration operation initiated by the storage manager to enable access to a logical storage device from a compute instance.

Abstract: A data storage manager may manage storage locations for blocks of a storage volume. The blocks of the storage volume may be assigned to a logical volume exposed to a computing instance supported by a host. Furthermore, the data storage manager may also generate and maintain a set of rules that specify the locations of blocks of the storage volume, and provides the set of rules to the host. The set of rules may be included in a data structure enabling the host to access the blocks based at least in part on the information included in the set of rules.

Abstract: At a virtualization host, an isolated run-time environment is established within a compute instance. The configuration of the isolated run-time environment is analyzed by a security manager of the hypervisor of the host. After the analysis, computations are performed at the isolated run-time environment.

Abstract: Security can be provided for data stored using resources that are deployed in an environment managed by a third party. Physical and logical detection mechanisms can be used to monitor various security aspects, and the resulting security data can be used to identify potential threats to these resources. In some embodiments, suspicious activity can cause resources such as data servers to be automatically and remotely rebooted such that keys stored in volatile memory on those data servers will be lost from those servers, such that an attacker will be unable to decrypt data stored on those servers. Once a determination of safety is made, the keys can be provided to the respective data servers such that data operations can resume.

Abstract: A first instance is caused to execute software code to perform a first portion of a workflow in response to receipt of a workflow request, and performance of the first portion results in submission of an operation request to an entity. A resume workflow request is received from the entity, where the resume workflow request includes a handle to a snapshot that corresponds to a state of execution of the software code and a response to the operation request to the entity. Using the handle to the snapshot and the response to the operation request, a second instance is caused to execute the software code from the first state to perform a second portion of the workflow. A workflow result is received from an instance that executes a last portion of the workflow, and the workflow is provided result in response to the workflow request.

Abstract: At a network manager of an extension resource group of a provider network, a message comprising a command to launch a compute instance is received at an address which is part of a first network configured at a premise external to the provider network. The extension resource group includes a first host at the external premise. Within a second network configured at the external premise, the first host is assigned an address within a second address range. Addresses within the second range are also assigned to hosts within the provider network. The command is transmitted to the first host, and a compute instance is instantiated.

Abstract: A first one or more messages is received, the one or more messages including a request for a storage expansion device for an extension of a provider network, an identifier of the extension of the provider network, and a set of one or more identifiers associated with objects to load to the storage expansion device. For each identifier in the set, an object associated with the identifier is copied from an object store of the provider network to the storage expansion device. A shipment of the storage expansion device to a specified location is initiated. The extension of the provider network is caused to launch an instance to communicate with the storage expansion device upon connection of the storage expansion device to the extension of the provider network.