Patents Assigned to CloudFlare, Inc.
- Patent number: 12273316
  Abstract: A map of IP addresses of a distributed cloud computing network to one or more groupings is stored. The IP addresses are anycast IP addresses that compute servers of the distributed cloud computing network share. These IP addresses are to be used as source IP addresses when transmitting traffic to destinations external to the cloud computing network. The map is made available to external destinations. Traffic is received at the distributed cloud computing network that is destined to an external destination. An IP address is selected based on the characteristic(s) applicable for the traffic and the map. The distributed cloud computing network transmits the traffic to the external destination using the selected IP address.
  Type: Grant
  Filed: December 21, 2023
  Date of Patent: April 8, 2025
  Assignee: CLOUDFLARE, INC.
  Inventors: Marek Przemyslaw Majkowski, Braden Michael Ehrat, Sergi Isasi, Dane Orion Knecht, Dina Kozlov, Rustam Xing Lalkaka, Eric Reeves, Oliver Zi-gang Yu
- Patent number: 12267346
  Abstract: A compute server of a distributed cloud computing network receives, over a tunnel established between a customer-premises equipment (CPE) and the compute server, traffic from an Internet-of-Things (IoT) device that is connected to the CPE. The server enforces an egress traffic policy to determine whether the traffic is permitted to be transmitted to the destination. If the traffic is not permitted to be transmitted to the destination, the server drops the traffic. If the traffic is permitted to be transmitted to the destination, the server transmits the traffic to the destination.
  Type: Grant
  Filed: January 8, 2024
  Date of Patent: April 1, 2025
  Assignee: CLOUDFLARE, INC.
  Inventors: Derek Chamorro, Molly Rose Cinnamon, Tom Paseka, Nicholas Wondra
- Patent number: 12248792
  Abstract: A compute server receives a request that triggers execution of a code piece out of multiple code pieces. A single process at the compute server executes the code piece, which is run in an isolated execution environment. Each other code piece runs in its own isolated execution environment and is executed by the same single process. The code piece, when executed, modifies a response to the request. The response is generated based at least in part on the executed code piece. The generated response is transmitted.
  Type: Grant
  Filed: December 21, 2023
  Date of Patent: March 11, 2025
  Assignee: CLOUDFLARE, INC.
  Inventors: Kenton Taylor Varda, Zachary Aaron Bloom, Marek Przemyslaw Majkowski, Ingvar Stepanyan, Kyle Kloepper, Dane Orion Knecht, John Graham-Cumming, Dani Grant
- Patent number: 12238098
  Abstract: A system for cross-domain identity management (SCIM) proxy service is described. A first SCIM endpoint receives, from a first SCIM client, a first message that includes a SCIM resource. The first SCIM endpoint is associated with a customer of the SCIM proxy service. The SCIM proxy service is configured as a first SCIM service provider for the first SCIM client. The first message is validated. The SCIM proxy service determines that a third-party application is in scope for the SCIM resource, where the SCIM proxy service is configured as a second SCIM client for the third-party application. The SCIM proxy service transforms the SCIM resource to create a transformed SCIM resource that is applicable for the third-party application. The SCIM proxy service transmits a second message to a second SCIM endpoint of the third-party application, the second message including the transformed SCIM resource.
  Type: Grant
  Filed: August 19, 2024
  Date of Patent: February 25, 2025
  Assignee: CLOUDFLARE, INC.
  Inventors: Kenny Johnson, Gabriel Andrew Bauman, Kyle Hiller, Alexander Jay Holland, Russell Louis Kerns, Jesse Li, James Howard Royal, Akemi Leigh Davisson
- Patent number: 12224987
  Abstract: A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data, including normalizing the data and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and a second vector of integers respectively. The first and second vectors of integers are input into an ML model, which outputs a score that indicates the probability of the raw data being of a malicious type. A traffic processing rule is enforced that instructs the WAF to block traffic when the score is above a threshold that indicates the raw data is of the malicious type.
  Type: Grant
  Filed: September 29, 2023
  Date of Patent: February 11, 2025
  Assignee: CLOUDFLARE, INC.
  Inventors: Vikram Grover, Petre Gabriel Gabor, Nicholas Mikhail Robert
- Patent number: 12206789
  Abstract: A client device receives a challenge request from a server to prove that internet traffic was initiated by a human user through verifying a physical interaction between a human user and a hardware component. The client device causes a prompt to be displayed to perform the physical interaction with the hardware component. A cryptographic attestation is received that includes an attestation signature that is generated after confirmation that the physical interaction was performed with the hardware component. A zero-knowledge proof of the attestation signature is generated and transmitted to the server for verification. The client device receives the requested content responsive to the server verifying the validity of the zero-knowledge proof.
  Type: Grant
  Filed: March 30, 2021
  Date of Patent: January 21, 2025
  Assignee: CLOUDFLARE, INC.
  Inventors: Watson Bernard Ladd, Alexander Andrew Davidson, Marwan Fayed, Armando Faz Hernández, Sai Krishna Deepak Maram, Nicholas Thomas Sullivan
- Patent number: 12182167
  Abstract: Sequential consistency across a distributed cloud computing network is described. A database includes a primary database and multiple read replica databases. Write queries are transmitted to the primary database, and commit tokens are provided to the read replica databases and the clients. Commit tokens are included in requests from clients. If a request for a read operation received at a read replica database does not include a token that is later than the commit token of the most recent update to the read replica database, the read replica database performs the read operation. If a request for a read operation received at a read replica database includes a token that is later than the commit token of the most recent update to the read replica database, the read replica database delays servicing the read operation until it receives an update from the primary database with an updated commit token.
  Type: Grant
  Filed: June 12, 2024
  Date of Patent: December 31, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Justin Mazzola Paluska, Joshua Tyler Howard, Matthew Silverlock, Kenton Taylor Varda, Vy Nuthuy Ton
- Patent number: 12166800
  Abstract: Methods and apparatuses for automatic determination of a content security policy for a network resource are described. A proxy server receives from a first authenticated client device a first request for a first network resource, retrieves the first network resource, and transmits a first response to the first client device that includes a content tracker. The content tracker causes the client device to report information on additional network resources identified when the first client device interprets the first network resource. A content security policy is determined based on the reported information. The proxy server receives, from a second client device, a second request for the first network resource. The proxy server transmits, to the second client device, a second response that includes the content security policy determined from the information on the additional network resources.
  Type: Grant
  Filed: February 15, 2022
  Date of Patent: December 10, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Jesse Kipp, Patrick Meenan
- Patent number: 12120590
  Abstract: Techniques for providing mobile device content delivery acceleration for mobile applications are discussed herein. Some embodiments may provide for a mobile accelerator system including a plurality of points of presence (POPs) and a control tower system. The control tower system may be configured to control mobile data transfer acceleration between a mobile device and the content server via the plurality of POPs of the mobile accelerator system. Each mobile application executing on the mobile device may be registered, validated, and then associated with a device POP that forms a dedicated connection with an entry POP of the plurality of POPs. Mobile data transfer acceleration for each mobile application may be selectively activated or deactivated, such as based on user configurations at the application level, domain name level, and/or country level.
  Type: Grant
  Filed: October 25, 2022
  Date of Patent: October 15, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Jeff Sesung Kim, Junho Choi, Sang Jo Lee, Young Keun Park, Tianyu Shi
- Patent number: 12105829
  Abstract: A remote browsing session is initiated between a remote browser client executing on a client device and a remote browser host executing on a remote browser server. The remote browser host receives from the client device encrypted remote browser data, where the underlying remote browser data affects the remote browsing session. The remote browser client does not have access to a decryption key for the encrypted remote browser data. The encrypted remote browser data is decrypted to reveal the remote browser data. The remote browser host is configured with the remote browser data. The remote browser host manages updates to the remote browser data during the remote browsing session. Periodically, updates to the remote browser data are encrypted and transmitted to the remote browser client for storage.
  Type: Grant
  Filed: May 16, 2023
  Date of Patent: October 1, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Joshua Thomas Claeys, Benjamin Buzbee, Pierre Cauchois, Killian Koenig, Trevor Sundberg
- Patent number: 12107768
  Abstract: A method of path MTU determination in a Generic Routing Encapsulation (GRE) tunnel is presented. A source network device (ND) transmits, to a destination ND that is the second endpoint of the GRE tunnel, a first outer packet including a first inner packet, where the first inner packet includes a first inner header that is used to deliver the first inner packet back to the source ND, a first inner GRE header, and a first payload. The source ND receives the first inner packet. The source ND transmits a second outer packet including a second inner packet that includes a second payload whose size is greater than the size of the first payload. The source ND determines that the second inner packet is not received and determines a path MTU between the source ND and the destination ND based on the sizes of the first and the second outer packets.
  Type: Grant
  Filed: June 12, 2023
  Date of Patent: October 1, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Nicholas Alexander Wondra, Erich Alfred Heine, Yan Zhai
- Patent number: 12107827
  Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g.
  Type: Grant
  Filed: May 31, 2023
  Date of Patent: October 1, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Nicholas Alexander Wondra, Igor Postelnik, Michael John Vanderwater, Adam Simon Chalmers, Nuno Miguel Lourenço Diegues, Arég Harutyunyan, Erich Alfred Heine
- Patent number: 12101295
  Abstract: An IPsec tunnel request for establishing an IPsec tunnel from a customer router to an anycast IP address of a distributed cloud computing network is received. The same anycast IP address is shared among compute servers of the distributed cloud computing network. A first compute server performs a handshake with the customer router, including generating security associations for encrypting and decrypting IPsec traffic. The security associations are propagated to each compute server and are used for encrypting and decrypting traffic.
  Type: Grant
  Filed: October 31, 2022
  Date of Patent: September 24, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Michael John Vanderwater, Adam Simon Chalmers, Nuno Miguel Lourenço Diegues, Arég Harutyunyan, Erich Alfred Heine, Nicholas Alexander Wondra
- Patent number: 12093429
  Abstract: A client device instantiates an isolator application. The isolator application instance sends a request to instantiate a remote application on a server device. The isolator application instance receives, from the remote application instance, draw commands and position information that corresponds to the draw commands. The isolator application instance renders one or more portions of output based on the draw commands and the position information.
  Type: Grant
  Filed: June 12, 2023
  Date of Patent: September 17, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Benjamin Buzbee, Killian Koenig, Trevor Sundberg, Michael Conrad, Darren Remington, David Harnett
- Publication number: 20240305583
  Abstract: A method involves receiving, at a Global Resource Catalog (GRC) controller, credentials for one or more target networks within a distributed cloud network. For each target network, the GRC controller uses a respective network access methodology associated with that target network to identify and store a first set of target network resources associated with that network at a GRC database. The GRC controller links or groups a second set of target network resources of the first set of target network resources in the GRC database based on target network resource dependencies determined by the GRC controller. The GRC controller updates the second set of target network resources in the GRC database based on a received event or at a scheduled interval. A distributed cloud network is then updated based on the second set of target network resources stored at the GRC database.
  Type: Application
  Filed: March 6, 2024
  Publication date: September 12, 2024
  Applicant: Cloudflare, Inc.
  Inventors: David Naylor, Eric Carino, Matthew Mukerjee, Ryan Standt, Michael Tovino, Meigy Tsai, Stephen Welham
- Patent number: 12050799
  Abstract: A first compute server of a distributed cloud computing network executes an application that controls read and write access to associated persistent data. The first compute server performs a write operation to the persistent data on local storage, notifies a piece of code that controls outgoing messages from the application that the write operation is pending, and transmits write information for the write operation to a set of other compute servers. If an acknowledgement of the write information is received from a quorum of the other compute servers, the application notifies the piece of code that the write operation is confirmed. Periodically the write information is transmitted to an external storage system. If a confirmation that the write information has been written is received from the storage system, the first compute server transmits a write confirmation notice to the other compute servers, which can then delete the write information.
  Type: Grant
  Filed: December 29, 2023
  Date of Patent: July 30, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Kenton Taylor Varda, Glen Patrick Maddern, Alex Dwane Robinson
- Patent number: 12047414
  Abstract: Methods and apparatuses for enabling compatibility between multiple versions of an application programming interface (API) are described. When a first API request is received at a compute server, the compute server determines whether the first API request is of a first version of an API that is different from a second version of the API used by the origin server to which the first API request is destined. If so, an API compatibility enabler is executed to convert the first API request into a second API request in the second version of the API. The second API request is fulfilled instead of the first API request.
  Type: Grant
  Filed: September 30, 2022
  Date of Patent: July 23, 2024
  Assignee: CLOUDFLARE, INC.
  Inventor: Justin Matthew Paine
- Patent number: 12034726
  Abstract: A proxy server receives a first request from a first user to access a resource hosted by a cloud-based server. The proxy server inserts a first tenant control header into the first request specifying a tenant identifier. The tenant identifier indicates a tenant permitted to access the resource. The proxy server then transmits the first request with the inserted first tenant control header to the cloud-based server. In response to receiving a first response indicating a rejection of the first request with the inserted first tenant control header, the proxy server transmits the first request again to the cloud-based server but without the first tenant control header. The proxy server then logs the first request as an access request using a non-permitted tenant identifier.
  Type: Grant
  Filed: May 31, 2023
  Date of Patent: July 9, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Adrian Mateo Maceiras, Andrew Kenneth Godfrey Martin
- Patent number: 12034805
  Abstract: A compute server of a distributed cloud computing network receives a request for an object that is to be handled by an object worker, where the object worker includes a single instantiation of a piece of code that solely controls reading/writing to the object. The object worker is instantiated at the compute server. The compute server enforces an access policy to determine whether the request is allowed to be processed by the object worker. If the request is allowed to be processed by the object worker, the object worker processes the request. If the request is not allowed to be processed by the object worker, the request is blocked.
  Type: Grant
  Filed: December 30, 2021
  Date of Patent: July 9, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Kenton Taylor Varda, Alex Dwane Robinson, Brett Joseph Hoerner, Loren Cody Koeninger, Gregory Richard McKeon
- Patent number: 12028434
  Abstract: An intermediary server receives a request from a client that identifies an asset that is handled by an origin server. The intermediary server generates an informational response that includes one or more link header fields, each referencing a piece of content that the intermediary server predicts will be linked within the final response for the asset. The intermediary server transmits the generated informational response to the client prior to the final response for the request. The intermediary server transmits the request to the origin server and receives the final response to the request. The intermediary server transmits the final response to the request to the client.
  Type: Grant
  Filed: May 2, 2022
  Date of Patent: July 2, 2024
  Assignee: CLOUDFLARE, INC.
  Inventors: Alex Krivit, Rustam Xing Lalkaka, Samantha Aki Shugaeva, Edward H. Wang, Yuchen Wu