Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement virtualization offloading components of a virtualized computing service, including a storage manager. The offloading components establish network connectivity with a control plane of the service. Based on detecting that a hardware server, in a separate enclosure, has been linked to the peripheral device, the hardware server is presented as a virtualization host of the service. The offloading components initiate compute instance configuration operations at the server in response to commands issued to the control plane, including at least one configuration operation initiated by the storage manager to enable access to a logical storage device from a compute instance.

Abstract: A first block storage server virtual machine to host a first volume using one or more storage devices of a computer system is executed by the computer system. A second virtual machine having access to a virtual block storage device is executed by the computer system. A block storage client is executed by the computer system. A first block storage operation is received by the block storage client from the second virtual machine, the first block storage operation to perform on the virtual block storage device. A message is sent by the block storage client to the first block storage server virtual machine to cause the first block storage server virtual machine to perform the block storage operation with the first volume.

Abstract: A first request to launch a first virtual machine to host a block storage server application is received. At least a portion of a storage capacity of one or more storage devices of a host computer system is provisioned to the first virtual machine as a provisioned storage device. The block storage server application is executed with the first virtual machine. As part of executing the block storage server application, a logical volume is created on the provisioned storage device in response to a second request from a block storage service of a provider network to create the logical volume, a third request to perform an input/output operation is received and performed with the logical volume.

Abstract: At a network manager of an extension resource group of a provider network, a message comprising a command to launch a compute instance is received at an address which is part of a first network configured at a premise external to the provider network. The extension resource group includes a first host at the external premise. Within a second network configured at the external premise, the first host is assigned an address within a second address range. Addresses within the second range are also assigned to hosts within the provider network. The command is transmitted to the first host, and a compute instance is instantiated.

Abstract: Notice of migration of a portion of a data volume from a first location to a second location is received by a first computer system from a second computer system, where the data volume is separated over a network from the first computer system. A third computer system, separated over a network from the first computer system, is caused to invalidate a mapping between the portion and the first location. An indication that the third computer system seeks access to the portion is identified. A third computer system is enabled, by providing a mapping between the portion and the second location, to access portion at the second location.

Abstract: Disclosed herein are techniques for maintaining a secure environment on a server. In one embodiment, the server includes a baseboard management controller (BMC), a first Ethernet port coupled with an adapter device network comprising a plurality of adapter devices, and a master adapter device including a second Ethernet port and a network switch, the network switch being controllable to be selectively coupled with at least one of the BMC, the first Ethernet port, or the second Ethernet port. The master adapter device may receive a network packet from at least one of: the first Ethernet port, the second Ethernet port, or the BMC, and determine, based on a forwarding policy, whether to forward the network packet. Based on a determination to forward the network packet, the master adapter device may determine a destination, and control the network switch to transmit the network packet to the destination.

Abstract: A first block storage server virtual machine to host a first volume using one or more storage devices of a computer system is executed by the computer system. A second virtual machine having access to a virtual block storage device is executed by the computer system. A block storage client is executed by the computer system. A first block storage operation is received by the block storage client from the second virtual machine, the first block storage operation to perform on the virtual block storage device. A message is sent by the block storage client to the first block storage server virtual machine to cause the first block storage server virtual machine to perform the block storage operation with the first volume.

Abstract: A first message of a first type and having a first destination address is received in a provider network. The first destination address is associated with a virtual network address of the provider network and an address of a first device in an extension of the provider network, the extension of the provider network in communication with the provider network via at least a third-party network. A message state data store is updated based on at least a portion of the first message. A first payload of the first message is sent to the first device a first secure tunnel through the third-party network.

Abstract: A first request to launch a first virtual machine to host a block storage server application is received. At least a portion of a storage capacity of one or more storage devices of a host computer system is provisioned to the first virtual machine as a provisioned storage device. The block storage server application is executed with the first virtual machine. As part of executing the block storage server application, a logical volume is created on the provisioned storage device in response to a second request from a block storage service of a provider network to create the logical volume, a third request to perform an input/output operation is received and performed with the logical volume.

Abstract: A first service of a provider network obtains an identification of one or more substrate addressable devices included in an extension of the provider network. Based on the identification, a launch of one or more compute instances within the provider network is initiated. The one or more compute instances are to connect the provider network to the extension of the provider network across at least a third-party network by receiving a first control plane message directed to a first substrate addressable device of the one or more substrate addressable devices, by updating a message state data store based at least in part on the first control plane message, and by sending a second control plane message to the first substrate addressable device via a secure tunnel.

Abstract: A program to be executed to perform a packet processing operation on a packet associated with a resource group, as well as security settings of the resource group, are received. The program is transmitted to a set of fast path nodes which were assigned to the resource group based on the group's metadata. With respect to a particular packet, security operations based on the settings are performed and the program is executed at a fast path node. Based at least partly on the results of the program, a packet routing action corresponding to the received packet is performed.

Abstract: Indications of packet processing operations to be performed for packets of a resource group, as well as configuration settings of the group, are obtained. A packet that satisfies a requirement of the configuration settings and meets a fast path criterion is processed at a fast path node configured for the group. In response to determining that another packet does not satisfy a criterion for fast path processing, the other packet is transmitted to an exception path target.

Abstract: A server includes a motherboard and a programmable logic device coupled to the motherboard. The server also includes a hardware device coupled to the motherboard and the programmable logic device. The server further includes a non-volatile memory storing firmware for the hardware device. The non-volatile memory is coupled to the motherboard and the programmable logic device. The server further includes a peripheral device coupled to the motherboard and the programmable logic device. The peripheral device receives firmware data from a management server. The peripheral device verifies that the firmware data corresponds to the hardware device. The peripheral device further holds the hardware device in reset mode. The peripheral device stores the firmware data on the non-volatile memory to update the firmware and releases the hardware device from reset mode after updating the firmware.

Abstract: A representation of packet processing operations is obtained from a client of a provider network. A set of packet processing nodes is configured at a premise external to the provider network, and the representation is transmitted to the premise. In response to a reception of a network packet, the set of packet processing nodes perform the packet processing operations at the external premise.

Abstract: At a network manager of an extension resource group of a provider network, a message comprising a command to launch a compute instance is received at an address which is part of a first network configured at a premise external to the provider network. The extension resource group includes a first host at the external premise. Within a second network configured at the external premise, the first host is assigned an address within a second address range. Addresses within the second range are also assigned to hosts within the provider network. The command is transmitted to the first host, and a compute instance is instantiated.

Abstract: First information about regions of storage space in a storage environment available for a volume is provided to a service provider, with the storage environment being external to the service provider. The service provider is notified that information usable to locate a storage destination of a portion of the volume is unavailable. Second information that includes the storage destination in the storage environment is obtained from the service provider. A data operation is performed at the storage destination, with the storage destination determined based at least in part from the second information.

Abstract: A first instance is caused to execute software code to perform a first portion of a workflow in response to receipt of a workflow request, and performance of the first portion results in submission of an operation request to an entity. A resume workflow request is received from the entity, where the resume workflow request includes a handle to a snapshot that corresponds to a state of execution of the software code and a response to the operation request to the entity. Using the handle to the snapshot and the response to the operation request, a second instance is caused to execute the software code from the first state to perform a second portion of the workflow. A workflow result is received from an instance that executes a last portion of the workflow, and the workflow is provided result in response to the workflow request.

Abstract: A request to perform a workflow is received. A first instance is caused to be instantiated to perform a first portion of the workflow. First information and a handle associated with a second snapshot is received from the first instance. The first information is processed to produce a first result. A second instance is caused to be instantiated based on the handle to perform a second portion of the workflow. Second information is received from the second instance. The second information is processed to produce a second result, and an operation is performed dependent at least on the first result or the second result.

Abstract: A set of virtual machine configurations is loaded in memory. A set of software instructions that, as a result of being executed, performs a data operation is received from a client device associated with a customer of a service provider. A request to execute the set of software instructions is received. The set of software instructions is executed in a virtual machine derived from a member of the set of virtual machine configurations, and results of the data operation are provided in response to the request.

Abstract: At a virtualization host, an isolated run-time environment is established within a compute instance. The configuration of the isolated run-time environment is analyzed by a security manager of the hypervisor of the host. After the analysis, computations are performed at the isolated run-time environment.