Patents by Inventor Alan Thomas Gavin JOWETT
Alan Thomas Gavin JOWETT has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20240250934
  Abstract: A method of and system for utilizing an access token to authenticate a client device for accessing a resource server include generating a session key for a communication session between the device and a resource server, deriving a nonce from the session key, and transmitting a request to an identity platform for authenticating the device to access the resource server, where the request includes the nonce. Upon confirmation of authentication, the method and system may include receiving an access token from the identity platform, the access token including information that confirms authentication of the device, and transmitting the access token to the resource server to enable access to the resource server, where the access token includes the nonce.
  Type: Application
  Filed: April 4, 2024
  Publication date: July 25, 2024
  Applicant: Microsoft Technology Licensing, LLC
  Inventors: Alan Thomas Gavin JOWETT, Andrew Albert HODGKINSON, Lance Vernon CRANDALL, Jeffrey Scott PINKSTON
- Patent number: 11979376
  Abstract: A method of and system for utilizing an access token to authenticate a client device for accessing a resource server include generating a session key for a communication session between the device and a resource server, deriving a nonce from the session key, and transmitting a request to an identity platform for authenticating the device to access the resource server, where the request includes the nonce. Upon confirmation of authentication, the method and system may include receiving an access token from the identity platform, the access token including information that confirms authentication of the device, and transmitting the access token to the resource server to enable access to the resource server, where the access token includes the nonce.
  Type: Grant
  Filed: June 30, 2020
  Date of Patent: May 7, 2024
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Alan Thomas Gavin Jowett, Andrew Albert Hodgkinson, Lance Vernon Crandall, Jeffrey Scott Pinkston
- Publication number: 20230418647
  Abstract: Technologies are disclosed for providing name resolution services to components executing in a virtualized environment. A name resolution request generated by a component executing within a virtualized environment is intercepted and forwarded from the virtualized environment to a host operating system ("OS"). A user process is then executed that requests that the host OS resolve a name specified by the intercepted name resolution request. Once the user process has received a response to the name resolution request made to the host OS, a response to the original name resolution request made by the component executing within the virtualized environment can be generated based on the response received by the user process. The response to the original name resolution request can then be provided to the component executing in the virtualized environment that requested name resolution.
  Type: Application
  Filed: June 28, 2022
  Publication date: December 28, 2023
  Inventors: Keith Edgar HORTON, Alan Thomas Gavin JOWETT, Andrew Mario BELTRANO, Catalin-Emil FETOIU, Guillaume Philippe Adrien HETIER, Matthew Yutaka IGE, Mitchell James SCHMIDT, Randy Joseph MILLER
- Publication number: 20230370427
  Abstract: A network firewall is disclosed that operates between a virtualized environment and the processing system that provides the virtualized environment. The network firewall filters network traffic generated by and destined for program components executing in the virtualized environment. The network firewall can be located in a hypervisor, a flow steering engine, or at another location between the virtualized environment and the processing system. The network firewall utilizes a firewall policy that can be shared with a network firewall on the processing system that filters network traffic originating at or destined for the processing system. The network firewall can filter network traffic based upon a unique identifier assigned to a virtualized environment, upon port numbers assigned to program components in a virtualized environment, or upon profiles assigned to network interfaces. The network firewall can also filter loopback traffic between a guest operating system (OS) and a host OS.
  Type: Application
  Filed: December 20, 2022
  Publication date: November 16, 2023
  Inventors: Keith Edgar HORTON, Alan Thomas Gavin JOWETT, Andrew Mario BELTRANO, Catalin-Emil FETOIU, Guillaume Philippe Adrien HETIER, Matthew Yutaka IGE, Mitchell James SCHMIDT, Randy Joseph MILLER
- Publication number: 20230370306
  Abstract: Technologies are disclosed for enabling virtual private network (VPN) support in a virtualized environment. The presence or creation of a host VPN adapter on a host processing system providing a virtualized environment is detected and, in response thereto, a virtual network adapter is created in the virtualized environment. A guest operating system (OS) creates a guest VPN adapter in the virtualized environment. A software component is inserted between the guest VPN adapter and the virtual network adapter. The software component adds Ethernet frames to point-to-point protocol (PPP) packets received from the guest VPN adapter and removes Ethernet frames from packets received from the virtual network adapter.
  Type: Application
  Filed: November 17, 2022
  Publication date: November 16, 2023
  Inventors: Keith Edgar HORTON, Alan Thomas Gavin JOWETT, Andrew Mario BELTRANO, Catalin-Emil FETOIU, Guillaume Philippe Adrien HETIER, Matthew Yutaka IGE, Mitchell James SCHMIDT, Randy Joseph MILLER
- Publication number: 20230370378
  Abstract: Technologies are disclosed for providing compatible network resources to program components executing in a virtualized environment. Virtual network adapters are created in a virtualized environment that correspond to network interfaces present on a host processing system. A virtual network interface is created in the virtualized environment and exposed to program components executing in the virtualized environment. Network packets are routed between the program components executing in the virtualized environment, the virtual network interface, the active virtual network adapter, and the network interface on the host processing system corresponding to the active virtual network adapter. Network control messages generated by program components executing in a virtualized environment are intercepted and forwarded to a host processing system for processing.
  Type: Application
  Filed: October 28, 2022
  Publication date: November 16, 2023
  Inventors: Keith Edgar HORTON, Alan Thomas Gavin JOWETT, Andrew Mario BELTRANO, Catalin-Emil FETOIU, Guillaume Philippe Adrien HETIER, Matthew Yutaka IGE, Mitchell James SCHMIDT, Randy Joseph MILLER
- Publication number: 20210409378
  Abstract: A method of and system for utilizing an access token to authenticate a client device for accessing a resource server include generating a session key for a communication session between the device and a resource server, deriving a nonce from the session key, and transmitting a request to an identity platform for authenticating the device to access the resource server, where the request includes the nonce. Upon confirmation of authentication, the method and system may include receiving an access token from the identity platform, the access token including information that confirms authentication of the device, and transmitting the access token to the resource server to enable access to the resource server, where the access token includes the nonce.
  Type: Application
  Filed: June 30, 2020
  Publication date: December 30, 2021
  Applicant: Microsoft Technology Licensing, LLC
  Inventors: Alan Thomas Gavin Jowett, Andrew Albert Hodgkinson, Lance Vernon Crandall, Jeffrey Scott Pinkston
- Patent number: 10771439
  Abstract: Embodiments relate to a host encrypting network communications of virtual machines (VMs) in ways that minimize exposure of the network communications in cleartext form. The host captures and registers a measure of a secure state of the host. The measure is registered with a guardian service communicable via a network. The guardian service also securely stores keys of the VMs. Each VM's key is associated with authorization information indicating which machines are authorized to obtain the corresponding VM's key. The host obtains access to a VM's key based on a confirmation that its state matches the registered measured state and based on the authorization information of the VM indicating that the host is authorized to access the key. The VM's key is then used to transparently encrypt/decrypt network communications of the VM as they pass through a virtualization layer on the host that executes the VMs.
  Type: Grant
  Filed: June 28, 2017
  Date of Patent: September 8, 2020
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Alan Thomas Gavin Jowett, Ravi T. Rao, Gregory M. Cusanza, Nir Ben-Zvi, Dean A. Wells
- Patent number: 10476841
  Abstract: A method of tunneling a data packet through a network communicatively coupled to a datacenter is provided. The datacenter is uniquely addressed within the network. The datacenter has a different internal address space than the network. Transformation rules are recorded for a programmable packet filter in the datacenter. The data packet is received in the programmable packet filter of a host computing device in the datacenter. The received data packet is converted in the programmable packet filter of the host computing device between a stateless tunneling data packet and a datacenter data packet according to the recorded transformation rules. The datacenter data packet is uniquely addressed within the internal address space of the datacenter. The received data packet bypasses any virtual machine processing in the host computing device during the converting. The converted data packet is transmitted from the programmable packet filter in the datacenter.
  Type: Grant
  Filed: March 23, 2018
  Date of Patent: November 12, 2019
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Poornananda R. Gaddehosur, Alan Thomas Gavin Jowett, Anurag Saxena, Sravanth Bangari
- Publication number: 20190297053
  Abstract: A method of tunneling a data packet through a network communicatively coupled to a datacenter is provided. The datacenter is uniquely addressed within the network. The datacenter has a different internal address space than the network. Transformation rules are recorded for a programmable packet filter in the datacenter. The data packet is received in the programmable packet filter of a host computing device in the datacenter. The received data packet is converted in the programmable packet filter of the host computing device between a stateless tunneling data packet and a datacenter data packet according to the recorded transformation rules. The datacenter data packet is uniquely addressed within the internal address space of the datacenter. The received data packet bypasses any virtual machine processing in the host computing device during the converting. The converted data packet is transmitted from the programmable packet filter in the datacenter.
  Type: Application
  Filed: March 23, 2018
  Publication date: September 26, 2019
  Inventors: Poornananda R. GADDEHOSUR, Alan Thomas Gavin JOWETT, Anurag SAXENA, Sravanth BANGARI
- Publication number: 20190007378
  Abstract: Embodiments relate to a host encrypting network communications of virtual machines (VMs) in ways that minimize exposure of the network communications in cleartext form. The host captures and registers a measure of a secure state of the host. The measure is registered with a guardian service communicable via a network. The guardian service also securely stores keys of the VMs. Each VM's key is associated with authorization information indicating which machines are authorized to obtain the corresponding VM's key. The host obtains access to a VM's key based on a confirmation that its state matches the registered measured state and based on the authorization information of the VM indicating that the host is authorized to access the key. The VM's key is then used to transparently encrypt/decrypt network communications of the VM as they pass through a virtualization layer on the host that executes the VMs.
  Type: Application
  Filed: June 28, 2017
  Publication date: January 3, 2019
  Inventors: Alan Thomas Gavin JOWETT, Ravi T. RAO, Gregory M. CUSANZA, Nir BEN-ZVI, Dean A. WELLS