Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.

Abstract: Disclosed are various embodiments of a stateful network router. In one embodiment, a network data connection is intercepted between a first host and a second host on a network. First data packets from the network data connection sent by the first host to the second host are routed to a target network appliance. Second data packets from the network data connection sent by the second host to the first host are also to the target network appliance.

Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.

Abstract: Methods and apparatus for private network peering in virtual network environments in which peerings between virtual client private networks on a provider network may be established by clients via an API to a peering service. The peering service and API 104 may allow clients to dynamically establish and manage virtual network transit centers on the provider network at which virtual ports may be established and configured, virtual peerings between private networks may be requested and, if accepted, established, and routing information for the peerings may be specified and exchanged. Once a virtual peering between client private networks is established, packets may be exchanged between the respective client private networks via the peering over the network substrate according to the overlay network technology used by the provider network, for example an encapsulation protocol technology.

Abstract: Route tables may be associated with ingress traffic for logically isolated networks. A routing device at the edge of a logically isolated network may receive a route to include in a route table that is associated with ingress traffic to the logically isolated network to forward the ingress traffic to a network appliance hosted in the logically isolated network. Network packets received at the edge routing device may have a destination of a computing resource hosted in the logically isolated network. The edge routing device may identify the route in the route table to override the destination in the network packet with the network appliance and forward the network packet to the network appliance according to the route.

Abstract: Methods and apparatus that allow clients to connect resource instances to virtual networks in provider network environments via private IP. Via private IP linking methods and apparatus, a client of a provider network can establish private IP communications between the client's resource instances on the provider network and the client's resource instances provisioned in the client's virtual network via links from the private IP address space of the virtual network to the private IP address space of the provider network. The provider network client resource instances remain part of the client's provider network implementation and may thus also communicate with other resource instances on the provider network and/or with entities on external networks via public IP while communicating with the virtual network resource instances via private IP.

Abstract: Methods and apparatus that allow clients to connect resource instances to virtual networks in provider network environments via private IP. Via private IP linking methods and apparatus, a client of a provider network can establish private IP communications between the client's resource instances on the provider network and the client's resource instances provisioned in the client's virtual network via links from the private IP address space of the virtual network to the private IP address space of the provider network. The provider network client resource instances remain part of the client's provider network implementation and may thus also communicate with other resource instances on the provider network and/or with entities on external networks via public IP while communicating with the virtual network resource instances via private IP.

Abstract: Disclosed are various embodiments of a stateful network router. In one embodiment, a stateful network router intercepts a network data connection between a first host and a second host on a network. The stateful network router routes first data packets from the network data connection sent by the first host to the second host to a target. The stateful network router also routes second data packets from the network data connection sent by the second host to the first host to the target.

Abstract: Methods and apparatus for private network peering in virtual network environments in which peerings between virtual client private networks on a provider network may be established by clients via an API to a peering service. The peering service and API 104 may allow clients to dynamically establish and manage virtual network transit centers on the provider network at which virtual ports may be established and configured, virtual peerings between private networks may be requested and, if accepted, established, and routing information for the peerings may be specified and exchanged. Once a virtual peering between client private networks is established, packets may be exchanged between the respective client private networks via the peering over the network substrate according to the overlay network technology used by the provider network, for example an encapsulation protocol technology.

Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.

Abstract: Route tables may be associated with ingress traffic for logically isolated networks. A routing device at the edge of a logically isolated network may receive a route to include in a route table that is associated with ingress traffic to the logically isolated network to forward the ingress traffic to a network appliance hosted in the logically isolated network. Network packets received at the edge routing device may have a destination of a computing resource hosted in the logically isolated network. The edge routing device may identify the route in the route table to override the destination in the network packet with the network appliance and forward the network packet to the network appliance according to the route.

Abstract: Methods and apparatus for private network peering in virtual network environments in which peerings between virtual client private networks on a provider network may be established by clients via an API to a peering service. The peering service and API 104 may allow clients to dynamically establish and manage virtual network transit centers on the provider network at which virtual ports may be established and configured, virtual peerings between private networks may be requested and, if accepted, established, and routing information for the peerings may be specified and exchanged. Once a virtual peering between client private networks is established, packets may be exchanged between the respective client private networks via the peering over the network substrate according to the overlay network technology used by the provider network, for example an encapsulation protocol technology.

Abstract: Bypass flow may be enabled for network traffic between devices. A source device may include a flow identifier in an outbound packet that is sent to a destination device. An inbound packed sent from the destination device may include information that describes a network path between the source device and the destination device. Subsequent outbound packets bound for the destination device may be rewritten based on the information describing the network path to bypass one or more network devices in the network path.

Abstract: A flow policy service that allows clients to define policies for packet flows to, from, and within their virtual networks on a provider network. Logic may be embedded in a flow policy that dictates what happens to a packet as it enters the network, or after the packet leaves an appliance. Via the service, a client may define conditional rules that specify different paths that packets should follow on the provider network according to conditional evaluations of information about the packets, for example source and/or destination endpoints of the packets, or output codes from appliances that process the packets.

Abstract: A flow policy service that allows clients to define policies for packet flows to, from, and within their virtual networks on a provider network. Via the service, a client may define rules that specify appliances that inbound, outbound, and/or internal virtual network traffic should flow through. The rules may, for example, be attached to the virtual network, to subnets within the virtual network, and/or to resource instances within the virtual network. The rules may be specified in a descriptive, domain-specific language. The service determines how and where on the provider network to implement the rules in order to apply the specified policy. Thus, the actual implementation of the policy may be hidden from the client. The service may generate flow reports that may be used to confirm that traffic to, from, or within a virtual network is flowing through the correct network appliances according to the policy.

Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.

Abstract: Route tables may be associated with ingress traffic for logically isolated networks. A routing device at the edge of a logically isolated network may receive a route to include in a route table that is associated with ingress traffic to the logically isolated network to forward the ingress traffic to a network appliance hosted in the logically isolated network. Network packets received at the edge routing device may have a destination of a computing resource hosted in the logically isolated network. The edge routing device may identify the route in the route table to override the destination in the network packet with the network appliance and forward the network packet to the network appliance according to the route.

Abstract: Techniques are described for managing customer-specified routing policies for network-accessible computing resources. In some situations, the customer-specified routing policies may be based at least in part on DNS (“Domain Name System”) information specified by a customer, such as if the customer specifies one or more target destinations to use with an indicated DNS domain name that are different from the destination IP address(es) provided for that DNS domain name by DNS servers—if so, the managing of such a DNS-based routing policy for that customer may include identifying when network-accessible computing resources provided to the customer send electronic communications to that DNS domain name, and causing those electronic communications to be redirected to the customer-specified target destination(s). Such customer-specified target destinations may include, in different situations, final destinations, intermediate destinations, etc., as well as identify particular routes.

Abstract: Techniques are disclosed for determining for determining parameters for a Transmission Control Protocol (TCP) connection between two computing nodes before the connection is established. In embodiments, the latency of data transmission between two computing nodes and the throughput capacity of a network link are measured, and from this data, TCP parameters for a future network connection between two computing nodes are determined. This information is sent to a TCP stack that stores it in its route table. Then, the TCP stack uses TCP parameters based on the information stored in the route table.

Abstract: A control-plane component of a virtual network interface (VNI) multiplexing service assigns one or more VNIs as members of a first interface group. A first VNI of the interface group is attached to a first compute instance. Network traffic directed to a particular endpoint address associated with the first interface group is to be distributed among members of the first interface group by client-side components of the service. The control-plane component propagates membership metadata of the first interface group to the client-side components. In response to a detection of an unhealthy state of the first compute instance, the first VNI is attached to a different compute instance by the control-plane component.