Patents by Inventor Mark Eugene Russinovich

Mark Eugene Russinovich has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200236160
    Abstract: In various embodiments, methods and systems for optimizing allocation of multi-priority service instances are provided. In embodiments, a quality metric associated with each candidate node to which a service instance could be allocated is determined. An eviction cost or a survival metric associated with at least a portion of the candidate nodes to which the service instance could be allocated is determined. The eviction costs generally indicate a cost to evict a service instance from a corresponding node such that another service instance can be allocated to that node. At least a portion of the quality metrics and either the eviction costs or the survival metrics are used to select a node from the candidate nodes to which to allocate the service instance.
    Type: Application
    Filed: April 3, 2020
    Publication date: July 23, 2020
    Inventors: Thomas MOSCIBRODA, Yang CHEN, James E. JOHNSON, Ajay MANI, Mark Eugene RUSSINOVICH
  • Publication number: 20200153699
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for generating a platform-neutral application model that provides a complete and accurate representation of functionality and topology for a cloud-native application. For example, systems disclosed herein analyze application data to identify platform neutral application features including resources, mesh connections, and quality of service (QoS) constraints associated with implementing a cloud-native application via a cloud computing system. The systems disclosed herein further construct a platform-neutral application model including identifiers of the application features. The platform-neutral application model facilitates convenient translation of applications between different platforms and further streamlines development and deployment of cloud-native applications across any number of platforms.
    Type: Application
    Filed: November 9, 2018
    Publication date: May 14, 2020
    Inventors: Haishi BAI, Mark Eugene RUSSINOVICH, Boris Markus SCHOLL, Yaron SCHNEIDER
  • Publication number: 20200151023
    Abstract: The present disclosure relates to systems, methods, and computer-readable media for deploying cloud-native services across a plurality of cloud-computing platforms. For example, systems disclosed herein identify resource identifiers associated with cloud-computing services (e.g., types of services) to be deployed on one or more resources capable of executing or otherwise providing cloud-native services. The systems disclosed herein further generate resource bindings including deployment specifications that include data for deploying cloud-native services on corresponding platform resources (e.g., cloud resources, edge resources). Using the resource bindings, the systems disclosed herein can deploy cloud-native services across multiple platforms via control planes configured to manage operation of resources on the different platforms.
    Type: Application
    Filed: November 13, 2018
    Publication date: May 14, 2020
    Inventors: Haishi BAI, Mark Eugene RUSSINOVICH, Boris Markus SCHOLL, Yaron SCHNEIDER
  • Patent number: 10652321
    Abstract: In various embodiments, methods and systems for optimizing allocation of dynamic resources are provided. A user service request resource instance is received at an allocator. The user service request resource instance is based on a dynamic resource protocol that supports generating and communicating resource instances between components in a resource allocation platform. The dynamic resource protocol also defines a set of rules for translating and representing resources as logical resource types and logical units. At a node, a node resource instance is generated and communicated, based on the dynamic resource protocol, from the node to the allocator. The node resource instance specifically comprises a resource interaction matrix that indicates dependencies between resource types. A resource allocation instance is generated at the allocator for the user service request resource instance.
    Type: Grant
    Filed: January 16, 2018
    Date of Patent: May 12, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Eugene Russinovich, James E. Johnson, Ajay Mani, Bryan W. Tuttle, Alejandro Matute Gonzalez, Huy Vu-Bao Hoang
  • Patent number: 10630765
    Abstract: In various embodiments, methods and systems for optimizing allocation of multi-priority service instances are provided. In embodiments, a packing quality metric associated with each candidate node to which a service instance could be allocated is determined. An eviction cost associated with at least a portion of the candidate nodes to which the service instance could be allocated is determined. The eviction costs generally indicate a cost to evict a service instance from a corresponding node such that another service instance can be allocated to that node. At least a portion of the packing quality metrics and the eviction costs are used to select a node from the candidate nodes to which to allocate the service instance.
    Type: Grant
    Filed: August 10, 2016
    Date of Patent: April 21, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Thomas Moscibroda, Yang Chen, James E. Johnson, Ajay Mani, Mark Eugene Russinovich
  • Patent number: 10601596
    Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: March 24, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Manuel Costa, Orion Tamlin Hodson, Sriram Kottarakurichi Rajamani, Marcus Peinado, Mark Eugene Russinovich, Kapil Vaswani
  • Publication number: 20190286812
    Abstract: Various methods and systems are provided for autonomous orchestration of secrets renewal and distribution. A secrets management service (“SMS”) can be utilized to store, renew and distribute secrets in a distributed computing environment. The secrets are initially deployed, after which, SMS can automatically renew the secrets according to a specified rollover policy, and polling agents can fetch updates from SMS. In various embodiments, SMS can autonomously rollover client certificates for authentication of users who access a security critical service, autonomously rollover storage account keys, track delivery of updated secrets to secrets recipients, deliver secrets using a secure blob, and/or facilitate autonomous rollover using secrets staging. In some embodiments, a service is pinned to the path where the service's secrets are stored. In this manner, secrets can be automatically renewed without any manual orchestration and/or the need to redeploy services.
    Type: Application
    Filed: March 14, 2018
    Publication date: September 19, 2019
    Inventors: Brian S. LOUNSBERRY, Ashok CHANDRASEKARAN, Chetan S. SHANKAR, Chandan R. REDDY, Chuang WANG, Kahren TEVOSYAN, Mark Eugene RUSSINOVICH, Vyom P. MUNSHI, Pavel ZAKHAROV, Abhishek Pratap Singh CHAUHAN
  • Publication number: 20190288839
    Abstract: Various methods and systems are provided for autonomous orchestration of secrets renewal and distribution across scope boundaries. A cross-scope secrets management service (“SMS”) can be utilized to store, renew and distribute secrets across boundaries in a distributed computing environment such as regional boundaries. In some embodiments, locally scoped secrets management services subscribe to receive updates from the cross-scope secrets management service. As secrets are renewed, they are automatically propagated to a subscribing local scope and distributed by the local secrets management service. In various embodiments, SMS can autonomously rollover storage account keys, track delivery of updated secrets to secrets recipients, deliver secrets using a secure blob, and/or facilitate autonomous rollover using secrets staging. In some embodiments, a service is pinned to the path where the service's secrets are stored.
    Type: Application
    Filed: March 14, 2018
    Publication date: September 19, 2019
    Inventors: Brian S. LOUNSBERRY, Ashok CHANDRASEKARAN, Chandan R. REDDY, Chuang WANG, Kahren TEVOSYAN, Mark Eugene RUSSINOVICH, Srinivas S. NIDADAVOLU, Vyom P. MUNSHI
  • Publication number: 20190250906
    Abstract: Various methods and systems for autonomously upgrading deployed resources in a distributed computing environment are provided. An autonomous upgrade system identifies updates such as operating system image updates and virtual machine extension updates for deployment in the distributed computing environment. The autonomous upgrade system identifies eligible tenants, identifies deployed resources that may be impacted by the identified update, batches the resources and upgrades the batched resources. The autonomous upgrade system performs a diagnostic test on upgraded resources to determine whether an upgrade was successful. In some embodiments, the diagnostic test is performed by executing a diagnostic script that can be provided by a tenant. The autonomous upgrade system can stop or pause the upgrade if various success metrics are not satisfied. In some embodiments, the autonomous upgrade system tests and certifies newly published updates for deployment to the distributed computing environment.
    Type: Application
    Filed: April 25, 2019
    Publication date: August 15, 2019
    Inventors: Yunus MOHAMMED, Pritesh PATWA, Gregory Marvin DOOR, Ravikiran Janardhan REDDY, Sean David ZIMMERMAN, Xiaoxiong TIAN, Phani Soma Shekar BURELA, Mark Eugene RUSSINOVICH
  • Publication number: 20190182052
    Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.
    Type: Application
    Filed: February 12, 2019
    Publication date: June 13, 2019
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Manuel Costa, Orion Tamlin Hodson, Sriram Kottarakurichi Rajamani, Marcus Peinado, Mark Eugene Russinovich, Kapil Vaswani
  • Patent number: 10318279
    Abstract: Various methods and systems for autonomously upgrading deployed resources in a distributed computing environment are provided. An autonomous upgrade system identifies updates such as operating system image updates and virtual machine extension updates for deployment in the distributed computing environment. The autonomous upgrade system identifies eligible tenants, identifies deployed resources that may be impacted by the identified update, batches the resources and upgrades the batched resources. The autonomous upgrade system performs a diagnostic test on upgraded resources to determine whether an upgrade was successful. In some embodiments, the diagnostic test is performed by executing a diagnostic script that can be provided by a tenant. The autonomous upgrade system can stop or pause the upgrade if various success metrics are not satisfied. In some embodiments, the autonomous upgrade system tests and certifies newly published updates for deployment to the distributed computing environment.
    Type: Grant
    Filed: May 30, 2017
    Date of Patent: June 11, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Yunus Mohammed, Pritesh Patwa, Gregory Marvin Door, Ravikiran Janardhan Reddy, Sean David Zimmerman, Xiaoxiong Tian, Phani Soma Shekar Burela, Mark Eugene Russinovich
  • Publication number: 20190087597
    Abstract: Systems, methods, and computer-readable storage media are provided for securely storing and accessing content within a public cloud. A processor manufacturer provides processors having secure enclave capability to a cloud provider. The provider makes available a listing of processor identifiers (CPUIDs) for processors available for storing content and having secure enclave capability. A content owner provides CPUIDs for desired processors from the listing to the manufacturer which provides the content owner with a processor-specific public code encryption key (CEK) for encrypting content to be stored on each processor identified. Each processor is constructed such that content encrypted with the public CEK may only be decrypted within a secure enclave thereof. The content owner encrypts the desired content with the public CEK and returns the encrypted content and the CPUID for the appropriate processor to the cloud provider. The cloud provider then stores the encrypted content on the particular processor.
    Type: Application
    Filed: March 15, 2018
    Publication date: March 21, 2019
    Inventors: GALEN CLYDE HUNT, MARK EUGENE RUSSINOVICH
  • Patent number: 10230529
    Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: March 12, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Manuel Costa, Orion Tamlin Hodson, Sriram Kottarakurichi Rajamani, Marcus Peinado, Mark Eugene Russinovich, Kapil Vaswani
  • Publication number: 20180359313
    Abstract: In various embodiments, methods and systems for optimizing allocation of dynamic resources are provided. A user service request resource instance is received at an allocator. The user service request resource instance is based on a dynamic resource protocol that supports generating and communicating resource instances between components in a resource allocation platform. The dynamic resource protocol also defines a set of rules for translating and representing resources as logical resource types and logical units. At a node, a node resource instance is generated and communicated, based on the dynamic resource protocol, from the node to the allocator. The node resource instance specifically comprises a resource interaction matrix that indicates dependencies between resource types. A resource allocation instance is generated at the allocator for the user service request resource instance.
    Type: Application
    Filed: January 16, 2018
    Publication date: December 13, 2018
    Inventors: MARK EUGENE RUSSINOVICH, JAMES E. JOHNSON, AJAY MANI, BRYAN W. TUTTLE, ALEJANDRO MATUTE GONZALEZ, HUY VU-BAO HOANG
  • Publication number: 20180349130
    Abstract: Various methods and systems for autonomously upgrading deployed resources in a distributed computing environment are provided. An autonomous upgrade system identifies updates such as operating system image updates and virtual machine extension updates for deployment in the distributed computing environment. The autonomous upgrade system identifies eligible tenants, identifies deployed resources that may be impacted by the identified update, batches the resources and upgrades the batched resources. The autonomous upgrade system performs a diagnostic test on upgraded resources to determine whether an upgrade was successful. In some embodiments, the diagnostic test is performed by executing a diagnostic script that can be provided by a tenant. The autonomous upgrade system can stop or pause the upgrade if various success metrics are not satisfied. In some embodiments, the autonomous upgrade system tests and certifies newly published updates for deployment to the distributed computing environment.
    Type: Application
    Filed: May 30, 2017
    Publication date: December 6, 2018
    Inventors: Yunus MOHAMMED, Pritesh PATWA, Gregory Marvin DOOR, Ravikiran Janardhan REDDY, Sean David ZIMMERMAN, Xiaoxiong TIAN, Phani Soma Shekar BURELA, Mark Eugene RUSSINOVICH
  • Publication number: 20180262563
    Abstract: Various methods and systems for implementing an availability management system for implementing an availability management, in distributed computing systems, are provided. An availability management system implements an availability manager and an availability configuration interface to meet availability guarantees for tenant infrastructure. The availability management system operates with availability zones, computing clusters, fault and upgrade domains to allocate and de-allocate virtual machine sets of virtual machine instances to a distributed computing system based on tenant-defined availability parameters. The availability parameters are used to generate an availability profile. The availability manager is configured to, based on an availability profile, allocate the virtual machine sets based on an allocation scheme. The availability manager specifically performs scaling-out, scaling-in and rebalancing operations for allocating and de-allocating the virtual machine sets.
    Type: Application
    Filed: March 7, 2017
    Publication date: September 13, 2018
    Inventors: YUNUS MOHAMMED, JUN WANG, MARCUS FELIPE FONTOURA, MARK EUGENE RUSSINOVICH, MOHAMMAD ZEESHAN SIDDIQUI, PRITESH PATWA, SEAN DAVID ZIMMERMAN, XIAOXIONG TIAN
  • Publication number: 20180260262
    Abstract: Various methods and systems for implementing an availability management system for implementing an availability management, in distributed computing systems, are provided. An availability management system implements an availability manager and an availability configuration interface to meet availability guarantees for tenant infrastructure. The availability management system operates with availability zones, computing clusters, fault and upgrade domains to allocate and de-allocate virtual machine sets of virtual machine instances to a distributed computing system based on tenant-defined availability parameters. The availability configuration interface of the availability management system supports receiving availability parameters that are used to generate an availability profile.
    Type: Application
    Filed: March 7, 2017
    Publication date: September 13, 2018
    Inventors: YUNUS MOHAMMED, JUN WANG, MARCUS FELIPE FONTOURA, MARK EUGENE RUSSINOVICH, MOHAMMAD ZEESHAN SIDDIQUI, PRITESH PATWA, SEAN DAVID ZIMMERMAN, XIAOXIONG TIAN
  • Publication number: 20180260261
    Abstract: Various methods and systems for implementing an availability management system for implementing an availability management, in distributed computing systems, are provided. An availability management system implements an availability manager and an availability configuration interface to meet availability guarantees for tenant infrastructure. The availability management system operates with availability zones, computing clusters, fault and upgrade domains to allocate and de-allocate virtual machine sets of virtual machine instances to a distributed computing system based on tenant-defined availability parameters. The availability manager is configured to: based on an availability profile, allocate the virtual machine sets across the availability zones using an allocation scheme.
    Type: Application
    Filed: March 7, 2017
    Publication date: September 13, 2018
    Inventors: YUNUS MOHAMMED, JUN WANG, MARCUS FELIPE FONTOURA, MARK EUGENE RUSSINOVICH, MOHAMMAD ZEESHAN SIDDIQUI, PRITESH PATWA, SEAN DAVID ZIMMERMAN, XIAOXIONG TIAN
  • Publication number: 20180234492
    Abstract: In various embodiments, methods and systems for optimizing allocation of multi-priority service instances are provided. In embodiments, a packing quality metric associated with each candidate node to which a service instance could be allocated is determined. An eviction cost associated with at least a portion of the candidate nodes to which the service instance could be allocated is determined. The eviction costs generally indicate a cost to evict a service instance from a corresponding node such that another service instance can be allocated to that node. At least a portion of the packing quality metrics and the eviction costs are used to select a node from the candidate nodes to which to allocate the service instance.
    Type: Application
    Filed: August 10, 2016
    Publication date: August 16, 2018
    Inventors: Thomas MOSCIBRODA, Yang CHEN, James E. JOHNSON, Ajay MANI, Mark Eugene RUSSINOVICH
  • Patent number: 9922200
    Abstract: Systems, methods, and computer-readable storage media are provided for securely storing and accessing content within a public cloud. A processor manufacturer provides processors having secure enclave capability to a cloud provider. The provider makes available a listing of processor identifiers (CPUIDs) for processors available for storing content and having secure enclave capability. A content owner provides CPUIDs for desired processors from the listing to the manufacturer which provides the content owner with a processor-specific public code encryption key (CEK) for encrypting content to be stored on each processor identified. Each processor is constructed such that content encrypted with the public CEK may only be decrypted within a secure enclave thereof. The content owner encrypts the desired content with the public CEK and returns the encrypted content and the CPUID for the appropriate processor to the cloud provider. The cloud provider then stores the encrypted content on the particular processor.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: March 20, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Galen Clyde Hunt, Mark Eugene Russinovich