Abstract: Generally described, aspects of the present disclosure relate to a live update process of the virtual machine monitor during the operation of the virtual machine instances. An update to a virtual machine monitor can be a difficult process to execute because of the operation of the virtual machine instances. Generally, in order to update the virtual machine monitor, the physical computing device needs to be rebooted, which interrupts operation of the virtual machine instances. The live update process provides for a method of updating the virtual machine monitor without rebooting the physical computing device.

Abstract: Techniques for reconfiguring a server to perform various hardware functions are disclosed herein. In one embodiment, a client device sends an instance request to a compute service system for launching an instance. The instance request indicates a resource requirement for the instance. In response to the instance request, the compute service system selects a server from among a plurality of servers in the compute service system based on determining that the server is configurable to at least partially meet the resource requirement. The compute service system then sends a provisioning request to the selected server. The provisioning request includes information for programming a reconfigurable resource of an adapter device in the selected server according to a particular hardware function.

Abstract: Generally described, the present application relates to systems and methods for the managing virtual machines instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via a bus interface. The bus interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.

Abstract: Interfaces of a compute node on a printed circuit board can be secured by obfuscating the information communicated over the interfaces. Data to be communicated between the compute node and a device on the printed circuit board using an interface can be encrypted, and an address corresponding to the data to be communicated can be scrambled. In addition, the compute node can be the root of trust which can provide secure boot of different components using an on-chip mechanism, and without relying on external devices.

Abstract: Disclosed herein are techniques for migrating data from a source memory range to a destination memory while data is being written into the source memory range. An apparatus includes a control logic configured to receive a request for data migration and initiate the data migration using a direct memory access (DMA) controller, while the source memory range continues to accept write operations. The apparatus also includes a tracking logic coupled to the control logic and configured to track write operations performed to the source memory range while data is being copied from the source memory range to the destination memory. The control logic is further configured to initiate copying data associated with the tracked write operations to the destination memory.

Abstract: Systems and methods are described for selectively transitioning execution environments in an on-demand code execution system based on a timing of a next request to execute code within such environments. The system can predict, from a history of requests to the system, when a next call to execute code in an environment, such as a virtual machine instance, will occur. The system can then calculate and compare the relative costs of maintaining the environment in an executing state or of halting the environment and moving the environment to a lower tier of memory, each of which can be based on the predicted next call to execute code within the environment. If the relative cost of maintaining the environment in an executing state exceeds that of halting the environment and moving the environment to a lower tier of memory, the virtual machine is halted and transitioned to secondary memory.

Abstract: Disclosed herein are techniques for maintaining a secure execution environment on a server. In one embodiment, the server includes a non-volatile memory storing firmware, a programmable security logic coupled to the non-volatile memory, an adapter device coupled to the programmable security logic, and a processor communicatively coupled to the non-volatile memory via the programmable security logic. The adapter device and/or the programmable security logic can verify the firmware in the non-volatile memory while holding the processor and/or a baseboard management controller (BMC) in power reset, release the processor and the BMC from reset to boot the processor and the BMC after the firmware is verified, and then disable communications between the processor and the BMC and deny at least some requests to write to the non-volatile memory by the processor or the BMC.

Abstract: A request to launch a compute instance is received at a control plane of a provider network. At an outbound command communicator, an indication that a compute instance is to be established at a target host at a client premise is obtained. A first address is associated with the target host at the control plane and also assigned to the communicator. A message with a second address within a first network of the client premise as a destination is transmitted. The message comprises a command to establish the compute instance at the target host. The first address is assigned to the target host within a second network of the client premise. Processing of the command at the target host results in establishment of a compute instance.

Abstract: At a network manager of an extension resource group of a provider network, a message comprising a command to launch a compute instance is received at an address which is part of a first network configured at a premise external to the provider network. The extension resource group includes a first host at the external premise. Within a second network configured at the external premise, the first host is assigned an address within a second address range. Addresses within the second range are also assigned to hosts within the provider network. The command is transmitted to the first host, and a compute instance is instantiated.

Abstract: An Input/Output (I/O) adapter device is provided. The I/O adapter device comprises: a device interface configured to communicate with a first device and a second device communicatively coupled to the I/O adapter device; a host interface configured to support communication with a frontend driver of a host device via a software interface of the host device; a first emulated backend driver configured to communicate with the frontend driver through the host interface using the software interface and to communicate with the first device to provide the frontend driver with access to the first device; and a second emulated backend driver configured to communicate with the frontend driver through the host interface using the software interface and to communicate with the second device to provide the frontend driver with access to the second device.

Abstract: Generally described, aspects of the present disclosure relate to a live update process of the virtual machine monitor during the operation of the virtual machine instances. An update to a virtual machine monitor can be a difficult process to execute because of the operation of the virtual machine instances. Generally, in order to update the virtual machine monitor, the physical computing device needs to be rebooted, which interrupts operation of the virtual machine instances. The live update process provides for a method of updating the virtual machine monitor without rebooting the physical computing device.

Abstract: Disclosed are techniques regarding aspects of implementing client configurable logic within a computer system. The computer system can be a cloud infrastructure. The techniques can include providing an identifier in response to configuring client configurable logic within the computer system.

Abstract: An administrative agent running at a virtualization host of a network-accessible virtualized computing service determines that a first virtual machine is to be instantiated. The agent initiates at least a first configuration operation to enable connectivity for at least a portion of network traffic associated with the first virtual machine. The first configuration operation is performed at least in part using a first virtualization offloading card of the virtualization host. The agent causes a virtualization intermediary process of the virtualization host to launch one or more execution threads of the virtualization intermediary process to implement the first virtual machine. The intermediary process may be swapped to persistent storage, e.g., based on an analysis of resources of the virtualization host.

Abstract: A method for processing packet data in a service provider environment includes, by a network-enabled data processing device within a server computer of the service provider environment, receive packet data including header information and payload information. The packet header information can be separated from the payload information. The separated header information can be forwarded to a processor of the server computer for processing, without forwarding at least a portion of the payload information. Transforming instructions and at least one address of one or more storage locations can be received from the processor, based at least in part on the header information. The payload information can be transformed based on the transforming instructions. The transformed payload information can be stored in the one or more storage locations based on the at least one address.

Abstract: A system provides remote computing services using physical or virtualized computing resource instances on various host machines. An enhanced PCIe endpoint card connected to a given host machine may include a local processor (e.g., on an SOC device) that emulates PCIe compliant hardware (e.g., a USB controller) in software. A client receiving computing services from the system may redirect USB traffic from a locally-attached physical USB device (e.g., an input/output, storage, or security device) over the Internet to the enhanced PCIe endpoint card. The enhanced PCIe endpoint card may present an emulated USB controller to an application executing on the host (on the client's behalf) as a device that is locally attached at the given host machine, and the application may access the functionality of the physical USB device by exchanging commands or data with the emulated USB controller through a PCIe controller on the enhanced PCIe endpoint card.

Abstract: A multi-phase boot operation of a virtualization manager at a virtualization host is initiated at an offload card. In a first phase of the boot, a security key stored in a tamper-resistant location of the offload card is used. In a second phase, firmware programs are measured using a security module, and a first version of a virtualization coordinator is instantiated at the offload card. The first version of the virtualization coordinator obtains a different version of the virtualization coordinator and launches the different version at the offload card. Other components of the virtualization manager (such as various hypervisor components that do not run at the offload card) are launched by the different version of the virtualization controller.

Abstract: Generally described, aspects of the present disclosure relate to offload device virtual component checkpointing for fast recovery from virtual component software crashes by storing virtual component state configuration information and input/output (I/O) request identification information in non-volatile memory of a physical computing device physically separate from the offload device. In the event of a software crash of a virtual component, the crashed virtual component may be rebooted and reconfigured in accordance with the virtual component state configuration information and I/O request identification information stored in the non-volatile memory of the physical computing device.

Abstract: Generally described, the present application relates to systems and methods for the managing virtual machines instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via a bus interface. The bus interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.

Abstract: Disclosed are techniques regarding aspects of implementing client configurable logic within a computer system. The computer system can be a cloud infrastructure. The techniques can include providing an identifier in response to configuring client configurable logic within the computer system.

Abstract: An offloaded virtualization management component of a virtualization host receives an indication from a hypervisor of a portion of main memory of the host for which memory allocation decisions are not to be performed by the hypervisor. The offloaded virtualization management component assigns a subset of the portion to a particular guest virtual machine and provides an indication of the subset to the hypervisor.