Abstract: An opportunistic hypervisor determines that a guest virtual machine of a virtualization host has voluntarily released control of a physical processor. The hypervisor uses the released processor to identify and initiate a virtualization management task which has not been completed. In response to determining that at least a portion of the task has been performed, the hypervisor enters a quiescent state, releasing the physical processor to enable resumption of the guest virtual machine.

Abstract: A first message of a first type and having a first destination address is received in a provider network. The first destination address is associated with a virtual network address of the provider network and an address of a first device in an extension of the provider network, the extension of the provider network in communication with the provider network via at least a third-party network. A message state data store is updated based on at least a portion of the first message. A first payload of the first message is sent to the first device a first secure tunnel through the third-party network.

Abstract: A request to perform a workflow is received. A first instance is caused to be instantiated to perform a first portion of the workflow. First information and a handle associated with a second snapshot is received from the first instance. The first information is processed to produce a first result. A second instance is caused to be instantiated based on the handle to perform a second portion of the workflow. Second information is received from the second instance. The second information is processed to produce a second result, and an operation is performed dependent at least on the first result or the second result.

Abstract: A peripheral device may implement storage virtualization for non-volatile storage devices connected to the peripheral device. A host system connected to the peripheral device may host one or multiple virtual machines. The peripheral device may implement different virtual interfaces for the virtual machines or the host system that present a storage partition at a non-volatile storage device to the virtual machine or host system for storage. Access requests from the virtual machines or host system are directed to the respective virtual interface at the peripheral device. The peripheral device may perform data encryption or decryption, or may perform throttling of access requests. The peripheral device may generate and send physical access requests to perform the access requests received via the virtual interfaces to the non-volatile storage devices. Completion of the access requests may be indicated to the virtual machines via the virtual interfaces.

Abstract: Indications of packet processing operations to be performed for packets of a resource group, as well as configuration settings of the group, are obtained. A packet that satisfies a requirement of the configuration settings and meets a fast path criterion is processed at a fast path node configured for the group. In response to determining that another packet does not satisfy a criterion for fast path processing, the other packet is transmitted to an exception path target.

Abstract: A peripheral device may implement storage virtualization for non-volatile storage devices connected to the peripheral device. A host system connected to the peripheral device may host one or multiple virtual machines. The peripheral device may implement different virtual interfaces for the virtual machines or the host system that present a storage partition at a non-volatile storage device to the virtual machine or host system for storage. Access requests from the virtual machines or host system are directed to the respective virtual interface at the peripheral device. The peripheral device may perform data encryption or decryption, or may perform throttling of access requests. The peripheral device may generate and send physical access requests to perform the access requests received via the virtual interfaces to the non-volatile storage devices. Completion of the access requests may be indicated to the virtual machines via the virtual interfaces.

Abstract: Systems and methods are described for reducing latency to service requests to execute code on an on-demand code execution system by maintaining snapshots of virtual machine instances in a ready state to execute such code. A user may submit code to the on-demand code execution system, which code depends on other software, such as an operating system or runtime. The on-demand code execution system can generate a virtual machine instance provisioned with the other software, and initialize the instance into a state at which it is ready to execute the code. The on-demand code execution system can then generate a snapshot of the state of the instance, and halt the instance. When a request to execute the code is received, the snapshot can be used to quickly restore the instance. The code can then be executed within the instance, reducing the need to initialize the instance or maintain the instance in an executing state.

Abstract: An administrative agent running at a virtualization host of a network-accessible virtualized computing service determines that a first virtual machine is to be instantiated. The agent initiates at least a first configuration operation to enable connectivity for at least a portion of network traffic associated with the first virtual machine. The first configuration operation is performed at least in part using a first virtualization offloading card of the virtualization host. The agent causes a virtualization intermediary process of the virtualization host to launch one or more execution threads of the virtualization intermediary process to implement the first virtual machine. The intermediary process may be swapped to persistent storage, e.g., based on an analysis of resources of the virtualization host.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.

Abstract: Generally described, aspects of the present disclosure relate to a live update process of the virtual machine monitor during the operation of the virtual machine instances. An update to a virtual machine monitor can be a difficult process to execute because of the operation of the virtual machine instances. Generally, in order to update the virtual machine monitor, the physical computing device needs to be rebooted, which interrupts operation of the virtual machine instances. The live update process provides for a method of updating the virtual machine monitor without rebooting the physical computing device.

Abstract: Systems and methods are described for reducing latency to service requests to execute code on an on-demand code execution system by maintaining snapshots of virtual machine instances in a ready state to execute such code. A user may submit code to the on-demand code execution system, which code depends on other software, such as an operating system or runtime. The on-demand code execution system can generate a virtual machine instance provisioned with the other software, and initialize the instance into a state at which it is ready to execute the code. The on-demand code execution system can then generate a snapshot of the state of the instance, and halt the instance. When a request to execute the code is received, the snapshot can be used to quickly restore the instance. The code can then be executed within the instance, reducing the need to initialize the instance or maintain the instance in an executing state.

Abstract: A program to be executed to perform a packet processing operation on a packet associated with a resource group, as well as security settings of the resource group, are received. The program is transmitted to a set of fast path nodes which were assigned to the resource group based on the group's metadata. With respect to a particular packet, security operations based on the settings are performed and the program is executed at a fast path node. Based at least partly on the results of the program, a packet routing action corresponding to the received packet is performed.

Abstract: An offloaded virtualization management component of a virtualization host receives an indication from a hypervisor of a portion of main memory of the host for which memory allocation decisions are not to be performed by the hypervisor. The offloaded virtualization management component assigns a subset of the portion to a particular guest virtual machine and provides an indication of the subset to the hypervisor.

Abstract: Generally described, aspects of the present disclosure relate to offload device virtual component checkpointing for fast recovery from virtual component software crashes by storing virtual component state configuration information and input/output (I/O) request identification information in non-volatile memory of a physical computing device physically separate from the offload device. In the event of a software crash of a virtual component, the crashed virtual component may be rebooted and reconfigured in accordance with the virtual component state configuration information and I/O request identification information stored in the non-volatile memory of the physical computing device.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.

Abstract: A multi-phase boot operation of a virtualization manager at a virtualization host is initiated at an offload card. In a first phase of the boot, a security key stored in a tamper-resistant location of the offload card is used. In a second phase, firmware programs are measured using a security module, and a first version of a virtualization coordinator is instantiated at the offload card. The first version of the virtualization coordinator obtains a different version of the virtualization coordinator and launches the different version at the offload card. Other components of the virtualization manager (such as various hypervisor components that do not run at the offload card) are launched by the different version of the virtualization controller.

Abstract: A server computer toggles between a protected mode and an unprotected mode. In the protected mode, users are unable to access configuration information due to a Base Address Register (BAR) being cleared. However, a service provider can access a Trusted Platform Module (TPM) through an Application Program Interface (API) request. In an unprotected mode, the BAR is programmed so that users can access the configuration information, but the TPM is blocked. Blocking of the TPM is achieved by changing a configuration file, which changes an overall image of the card. With the modified image not matching an original image, the TPM blocks access to data, such as encryption keys. Separate interfaces can be used for user access (PCIe) and service provider access (Ethernet) to the server computer. The server computer can then be toggled back to the protected mode by switching the configuration file to the original configuration file.

Abstract: A set of virtual machine configurations is loaded in memory. A set of software instructions that, as a result of being executed, performs a data operation is received from a client device associated with a customer of a service provider. A request to execute the set of software instructions is received. The set of software instructions is executed in a virtual machine derived from a member of the set of virtual machine configurations, and results of the data operation are provided in response to the request.

Abstract: Disclosed are techniques regarding aspects of implementing client configurable logic within a computer system. The computer system can be a cloud infrastructure. The techniques can include providing an identifier in response to configuring client configurable logic within the computer system.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.