Abstract: A first computing device of a distributed cloud computing network receives an IP packet that is destined to an origin server of an origin network. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate an encapsulated packet, where the outer packet has a source IP address that is advertised as an anycast IP address at the distributed cloud computing network, and a destination IP address of an origin router of the origin network. The encapsulated packet is transmitted to the origin router.

Abstract: A method involves receiving data identifying a set of information technology (IT) resources of an IT infrastructure and generating a first IT resource dependency graph using the set of IT resources. First INCLUDES and EXCLUDES configuration data indicating one or more IT resources that should either be included or excluded from an IT resource group is received. Initial selection statuses for IT resources in the first dependency graph are set based on the first INCLUDES and EXCLUDES configuration data. A breadth-first search of the first dependency graph is performed to generate the IT resource group based on the initial selection status for the IT resources in the first dependency graph, and the IT infrastructure is updated or managed using the IT resource group.

Abstract: A first compute server of a distributed cloud computing network receives a request from a first client device for an object to be handled by an object worker that includes a single instantiation of a piece of code that solely controls reading and writing access to the first object. A determination is made that the object worker is instantiated for the object and is currently running in the first compute server, and the piece of code processes the first request. The first compute server receives a message to be processed by the first object worker from a second compute server. The message includes a second request for the object from a second client device connected to the second compute server. The piece of code processes the message and transmits a reply to the second compute server.

Abstract: A management server retrieves access logs associated with a plurality of identities and generates a plurality of behavioral scores for the plurality of identities. The behavioral score for a particular identity increases responsive to access approvals and decreases responsive to access denials for that particular identity. A proxy server receives a first request to access a resource associated with a first identity of the plurality of identities and determines a zero trust access policy for the resource. When a first behavioral score for the first identity satisfies a behavioral score threshold for the zero trust access policy, the proxy server provides the resource. The proxy server receives a second request to access the resource associated with a second identity. When a second behavioral score for the second identity fails to satisfy the behavioral score threshold, the proxy server performs an action defined in the zero trust access policy.

Abstract: A map of IP addresses of a distributed cloud computing network to one or more groupings is stored. The IP addresses are anycast IP addresses for which compute servers of the distributed cloud computing network share. These IP addresses are to be used as source IP addresses when transmitting traffic to destinations external to the cloud computing network. The map is made available to external destinations. Traffic is received at the distributed cloud computing network that is destined to an external destination. An IP address is selected based on the characteristic(s) applicable for the traffic and the map. The distributed cloud computing network transmits the traffic to the external destination using the selected IP address.

Abstract: A server of a distributed cloud computing network receives, over a tunnel established between a customer-premises equipment and the compute server, traffic from an Internet-of-Things (IoT) device that is connected to the CPE. The server enforces an egress traffic policy to determine whether the traffic is permitted to be transmitted to the destination. If the traffic is not permitted to be transmitted to the destination, the server drops the traffic. If the traffic is permitted to be transmitted to the destination, the server transmits the traffic to the destination.

Abstract: A compute server receives a request that triggers execution of a code piece out of multiple code pieces. A single process at the compute server executes the code piece, which is run in an isolated execution environment. Each other code piece runs in other isolated execution environments respectively and executed by the single process. The code piece, when executed, modifies a response to the request. The response is generated based at least in part on the executed code piece. The generated response is transmitted.

Abstract: A system for cross-domain identity management (SCIM) proxy service is described. A first SCIM endpoint receives, from a first SCIM client, a first message that includes a SCIM resource. The first SCIM endpoint is associated with a customer of the SCIM proxy service. The SCIM proxy service is configured as a first SCIM service provider for the first SCIM client. The first message is validated. The first SCIM proxy service determines that a third-party application is in scope for the SCIM resource, where the SCIM proxy service is configured as a second SCIM client for the third-party application. The SCIM proxy service transforms the SCIM resource to create a transformed SCIM resource that is applicable for the third-party application. The SCIM proxy service transmits a second message to a second SCIM endpoint of the third-party application, the second message including the transformed SCIM resource.

Abstract: A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data including normalizing and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and second vector of integers respectively. The first and second vector of integers are input into an ML model, which outputs a score that indicates a probability of the raw data being of a type that is malicious. A traffic processing rule is enforced that instructs a WAF to block traffic when the score is above a threshold that indicates the raw data is of the type that is malicious.

Abstract: A client device receives a challenge request from a server to prove that internet traffic was initiated by a human user through verifying a physical interaction between a human user and a hardware component. The client device causes a prompt to be displayed to perform the physical interaction with the hardware component. A cryptographic attestation is received that includes an attestation signature that is generated after confirmation that the physical interaction was performed with the hardware component. A zero-knowledge proof of the attestation signature is generated and transmitted to the server for verification. The client device receives the requested content responsive to the server verifying the validity of the zero-knowledge proof.

Abstract: Sequential consistency across a distributed cloud computing network is described. A database includes a primary database and multiple read replica databases. Write queries are transmitted to the primary database, and commit tokens are provided to the read replica databases and the clients. Commit tokens are included in requests from clients. If a request for a read operation received at a read replica database does not include a token that is later than a commit token of the most recent update to the read replica database, the read replica database performs the read operation. If a request for a read operation received at a read replica database includes a token that is later than a commit token of the most recent update to the read replica database, the read replica database delays servicing the read update until it receives an update from the primary database with an updated commit token.

Abstract: Methods and apparatuses for automatic determination of a content security policy for a network resource are described. A proxy server receives from a first authenticated client device a first request for a first network resource, retrieves the first network resource and transmits a first response to the first client device that includes a content tracker that causes the client device to report information on additional network resources identified when the first client device interprets the first network resource. A content security policy is determined based on the reported information. The proxy server receives, from a second client device, a second request for the first network resource. The proxy server transmits, to the second client device, a second response that includes the content security policy that is determined based on the information on the additional network resources.

Abstract: Techniques for providing mobile device content delivery acceleration for mobile applications are discussed herein. Some embodiments may provide for a mobile accelerator system including a plurality of point-of-presences (POPs) and a control tower system. The control tower system may be configured to control mobile data transfer acceleration between a mobile device and the content server via the plurality of POPs of the mobile accelerator system. Each mobile application executing on the mobile device may be registered, validated, and then associated with a device POP that forms a dedicated connection with an entry POP of the plurality of POPs. Mobile data transfer acceleration for each mobile application may be selectively activated or deactivated, such as based on user configurations at the application level, domain name level, and/or country level.

Abstract: A remote browsing session is initiated between a remote browser client executing on a client device and a remote browser host executing on a remote browser server. The remote browser host receives from the client device, encrypted remote browser data of remote browser data that affects the remote browser session. The remote browser client does not have access to a decryption key for the encrypted remote browser data. The encrypted remote browser data is decrypted to reveal the remote browser data. The remote browser host is configured with the remote browser data. The remote browser host manages updates to the remote browser data during the remote browsing session. Periodically, updates to the remote browser data are encrypted and transmitted to the remote browser client for storage.

Abstract: A method of path MTU determination in Generic Routing Encapsulation (GRE) tunnel is presented. A source network device (ND) transmits, to a destination ND that is a second endpoint of the GRE tunnel, a first outer packet including a first inner packet, where the first inner packet includes a first inner header that is used to deliver the first inner packet to the source network device, a first inner GRE header, and a first payload. The source ND receives the first inner packet. The source ND transmits a second outer packet including a second inner packet that includes a second payload that has a size greater than a size of the first payload. The source ND determines that the second inner packet is not received and determines a path MTU between the source ND and the destination ND based on a size of the first and the second outer packets.

Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g.

Abstract: An IPSec tunnel request for establishing an IPSec tunnel from a customer router to an anycast IP address of a distributed cloud computing network is received. The same anycast IP address is shared among compute servers of the distributed cloud computing network. A handshake is performed with the customer router from a first compute server including generating security associations for encrypting and decrypting IPSec traffic. The security associations are propagated to each compute server and are used for encrypting and decrypting traffic.

Abstract: A client device instantiates an isolator application. A request to instantiate a remote application in a server device is sent by the isolator application instance. The isolator application instance receives, from the remote application instance, draw commands and position information that correspond to the draw commands. The isolator application instance renders one or more portions of output based on the draw commands and the position information.

Abstract: A method involves receiving, at a Global Resource Catalog (GRC) controller, credentials for one or more target networks within a distributed cloud network. For each target network, the GRC controller uses a respective network access methodology associated with that target network to identify and store a first set of target network resources associated with that network at a GRC database. The GRC controller links or groups a second set of target network resources of the first set of target network resources in the GRC database based on target network resource dependencies determined by the GRC controller. The GRC controller updates the second set of target network resources in the GRC database based on a received event or at a scheduled interval. A distributed cloud network is then updated based on the second set of target network resources stored at the GRC database.

Abstract: A first compute server of a distributed cloud computing network executes an application that controls reading and writing access to associated persistent data. The first compute server performs a write operation to the persistent data on local storage, notifies a piece of code that controls outgoing messages from the application that the write operation is pending, and transmits write information for the write operation to a set of other compute servers. If an acknowledgement of the write information is received from a quorum of the other compute servers, the application notifies the piece of code that the write operation is confirmed. Periodically the write information is transmitted to an external storage system. If a confirmation that the write information has been written is received from the storage system, the first compute server transmits a write confirmation notice to the other compute servers, which can then delete the write information.