Abstract: The disclosed system implements techniques to enable a tenant of a cloud-based platform to effectively and efficiently apply a policy that copies data packets communicated to or from a virtual machine in the tenant's own virtual network. When applied, the policy mirrors data traffic associated with a workload executing on a virtual machine in the tenant's virtual network. To mirror the data traffic, a copy of a data packet is streamed to another virtual machine so that network analytics can be performed (e.g., performance analytics, security analytics, etc.). In various examples, the policy can be a role-based mirroring policy that defines a plurality of roles in association with a role-based access model that scales operations and that provides improved security for a tenant's virtual network.

Abstract: Distributed computing systems, devices, and associated methods of packet routing are disclosed herein. In one embodiment, a method includes receiving, from a computing network, a packet at a packet processor of a server. The method also includes matching the received packet with a flow in a flow table contained in the packet processor and determining whether the action indicates that the received packet is to be forwarded to a NIC buffer in the outbound processing path of the packet processor instead of the NIC. The method further includes in response to determining that the action indicates that the received packet is to be forwarded to the NIC buffer, forwarding the received packet to the NIC buffer and processing the packet in the NIC buffer to forward the packet to the computer network without exposing the packet to the main processor.

Abstract: Distributed computing systems, devices, and associated methods of packet routing are disclosed herein. In one embodiment, a computing device includes a field programmable gate array (“FPGA”) that includes an inbound processing path and outbound processing path in opposite processing directions. The inbound processing path can forward a packet received from the computer network to a buffer on the FPGA instead of the NIC. The outbound processing path includes an outbound multiplexer having a rate limiter circuit that only forwards the received packet from the buffer back to the computer network when a virtual port corresponding to the packet has sufficient transmission allowance. The outbound multiplexer can also periodically increment the transmission allowance based on a target bandwidth for the virtual port.

Abstract: Distributed computing systems, devices, and associated methods of packet routing are disclosed herein. In one embodiment, a method includes receiving, from a computing network, a packet at a packet processor of a server. The method also includes matching the received packet with a flow in a flow table contained in the packet processor and determining whether the action indicates that the received packet is to be forwarded to a NIC buffer in the outbound processing path of the packet processor instead of the NIC. The method further includes in response to determining that the action indicates that the received packet is to be forwarded to the NIC buffer, forwarding the received packet to the NIC buffer and processing the packet in the NIC buffer to forward the packet to the computer network without exposing the packet to the main processor.

Abstract: Distributed computing systems, devices, and associated methods of packet routing are disclosed herein. In one embodiment, a method includes receiving, from a computing network, a packet at a packet processor of a server. The method also includes matching the received packet with a flow in a flow table contained in the packet processor and determining whether the action indicates that the received packet is to be forwarded to a NIC buffer in the outbound processing path of the packet processor instead of the NIC. The method further includes in response to determining that the action indicates that the received packet is to be forwarded to the NIC buffer, forwarding the received packet to the NIC buffer and processing the packet in the NIC buffer to forward the packet to the computer network without exposing the packet to the main processor.

Abstract: The disclosed system implements techniques to enable a tenant of a cloud-based platform to effectively and efficiently apply a policy that copies data packets communicated to or from a virtual machine in the tenant's own virtual network. When applied, the policy mirrors data traffic associated with a workload executing on a virtual machine in the tenant's virtual network. To mirror the data traffic, a copy of a data packet is streamed to another virtual machine so that network analytics can be performed (e.g., performance analytics, security analytics, etc.). In various examples, the policy can be a role-based mirroring policy that defines a plurality of roles in association with a role-based access model that scales operations and that provides improved security for a tenant's virtual network.

Abstract: A facility for enrolling a software implementer in a code signing. In one example facility, the facility receives information identifying the implementer, and credentials authenticating the implementer. The facility generates secret state for the implementer. Based on at least one or both of (1) at least a portion of the received credentials and (2) at least a portion of the generated secret state, the facility generates for the implementer a key pair comprising a private key and a public key, and persistently stores the secret state.

Abstract: Distributed computing systems, devices, and associated methods of packet routing are disclosed herein. In one embodiment, a method includes receiving, from a computing network, a packet at a packet processor of a server. The method also includes matching the received packet with a flow in a flow table contained in the packet processor and determining whether the action indicates that the received packet is to be forwarded to a NIC buffer in the outbound processing path of the packet processor instead of the NIC. The method further includes in response to determining that the action indicates that the received packet is to be forwarded to the NIC buffer, forwarding the received packet to the NIC buffer and processing the packet in the NIC buffer to forward the packet to the computer network without exposing the packet to the main processor.

Abstract: Distributed computing systems, devices, and associated methods of packet routing are disclosed herein. In one embodiment, a computing device includes a field programmable gate array (“FPGA”) that includes an inbound processing path and outbound processing path in opposite processing directions. The inbound processing path can forward a packet received from the computer network to a buffer on the FPGA instead of the NIC. The outbound processing path includes an outbound multiplexer having a rate limiter circuit that only forwards the received packet from the buffer back to the computer network when a virtual port corresponding to the packet has sufficient transmission allowance. The outbound multiplexer can also periodically increment the transmission allowance based on a target bandwidth for the virtual port.

Abstract: A facility for enrolling a software implementer in a code signing. In one example facility, the facility receives information identifying the implementer, and credentials authenticating the implementer. The facility generates secret state for the implementer. Based on at least one or both of (1) at least a portion of the received credentials and (2) at least a portion of the generated secret state, the facility generates for the implementer a key pair comprising a private key and a public key, and persistently stores the secret state.

Abstract: In one embodiment, to determine what tasks may be offloaded to a peripheral hardware device (e.g., to be performed in hardware on the peripheral device, rather than on the CPU(s) of the host computer), an indication from the at least one peripheral hardware device may be provided, without the peripheral hardware device first being queried to determine the task offload capabilities provided by the peripheral hardware device. In another embodiment, a data packet may be sent to the at least one peripheral device with an indication to the at least one peripheral device to perform at least one task offloading capability on the data packet, without first sending a command to the at least one peripheral device to enable the at least one task offloading capability.

Abstract: Filtering data packets in a manner that promotes efficient flow of data through a communication path. A filter stack includes one or more filter instances that may filter data packets that pass through the filter stack. The filter stack is associated with one or more protocol stacks that function in communication paths between a computing device and a network. When filtering instances are inserted to or removed from a filter stack, associated protocol stacks may remain capable of transferring data. An abstract interface facilitates inserting and removing filter instances by passing data to filter drivers that create filter instances. A filter driver may create multiple filter instances. Filtering operations associated with filter instances may be bypassed based on the direction of data flow, control flow, and characteristics of packets.

Abstract: Filtering data packets in a manner that promotes efficient flow of data through a communication path. A filter stack includes one or more filter instances that may filter data packets that pass through the filter stack. The filter stack is associated with one or more protocol stacks that function in communication paths between a computing device and a network. When filtering instances are inserted to or removed from a filter stack, associated protocol stacks may remain capable of transferring data. An abstract interface facilitates inserting and removing filter instances by passing data to filter drivers that create filter instances. A filter driver may create multiple filter instances. Filtering operations associated with filter instances may be bypassed based on the direction of data flow, control flow, and characteristics of packets.