Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.

Abstract: A control-plane component of a virtual network interface (VNI) multiplexing service assigns one or more VNIs as members of a first interface group. A first VNI of the interface group is attached to a first compute instance. Network traffic directed to a particular endpoint address associated with the first interface group is to be distributed among members of the first interface group by client-side components of the service. The control-plane component propagates membership metadata of the first interface group to the client-side components. In response to a detection of an unhealthy state of the first compute instance, the first VNI is attached to a different compute instance by the control-plane component.

Abstract: Functionality is disclosed herein for regulating bandwidth that is available for network traffic flowing through a data communications network. In response to attack traffic being detected, one or more traffic regulators are set to control an available bandwidth to be used by the attack traffic. The one or more traffic regulators are adjusted until an attack is no longer detected. After the attack ends, the traffic regulator may be disabled or set to a different mode of operation.

Abstract: Methods and apparatus that allow clients to connect resource instances to virtual networks in provider network environments via private IP. Via private IP linking methods and apparatus, a client of a provider network can establish private IP communications between the client's resource instances on the provider network and the client's resource instances provisioned in the client's virtual network via links from the private IP address space of the virtual network to the private IP address space of the provider network. The provider network client resource instances remain part of the client's provider network implementation and may thus also communicate with other resource instances on the provider network and/or with entities on external networks via public IP while communicating with the virtual network resource instances via private IP.

Abstract: Methods and apparatus for private network peering in virtual network environments in which peerings between virtual client private networks on a provider network may be established by clients via an API to a peering service. The peering service and API 104 may allow clients to dynamically establish and manage virtual network transit centers on the provider network at which virtual ports may be established and configured, virtual peerings between private networks may be requested and, if accepted, established, and routing information for the peerings may be specified and exchanged. Once a virtual peering between client private networks is established, packets may be exchanged between the respective client private networks via the peering over the network substrate according to the overlay network technology used by the provider network, for example an encapsulation protocol technology.

Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.

Abstract: Processes and systems are disclosed for leasing a producer virtual machine on behalf of a consumer virtual machine in an overlay network. The consumer host of the consumer virtual machine can communicate with a set of leasing agents to obtain the identity of a number of producer virtual machines capable of providing the consumer virtual machine with access to a service. When the consumer virtual machine attempts to communicate with a producer system, the consumer host can identify a producer host that hosts a target producer virtual machine and redirect a service request to the producer host.

Abstract: Functionality is disclosed herein for dynamically deploying an upstream network traffic filter in a network. The upstream network filter is dynamically deployed in a location that is closer to an entry point of an attack such that attack traffic reaches the upstream network filter before reaching a network traffic filter that is configured to perform network traffic filtering for a computing resource that is under attack. The upstream network traffic filter includes rules that are based on at least a portion of the rules that are applied by the network traffic filter.

Abstract: Systems and methods are described to provide fault tolerant folded Clos networks. A folded Clos network is disclosed including a set of tier 1 routers interconnected with a set of tier 2 routers. Tier 1 routers are configured to view a set of tier 2 routers as a single aggregate router. Accordingly, tier 1 routers are unaware of faults between tier 2 routers and additional tier 1 routers. A throwback router is connected to each tier 2 router to facilitate handling of data under such fault conditions. When a tier 2 router receives undeliverable data, the data is passed to a throwback router, which retransmits the data to an additional tier 2 router. Data that is retransmitted multiple times can be disregarded by the throwback router.

Abstract: Methods and apparatus for remapping IP addresses of a network to endpoints within a different network. A provider network may allocate IP addresses and resources to a customer. The provider network may allow the customer to remap an IP address to an endpoint on the customer's network. When a packet is received from a client addressed to the IP address, the provider network may determine that the IP address has been remapped to the endpoint. The provider network may translate the source and destination addresses of the packet and encode the packet for transmission over a private communications channel. The encoded packet may be sent to the endpoint via the private communications channel over an intermediate network. Response traffic may be routed to the client through the provider network, or may be directly routed to the client by the customer network.

Abstract: Private network address obfuscation and verification methods and apparatus that may obfuscate private network source addresses embedded in packet header addresses when sending packets from private networks onto or over external, public networks, and that verify incoming packets to the private networks using the obfuscated private network addresses embedded in the incoming packet header destination addresses. Obfuscating the private network addresses embedded in outgoing packets and verifying incoming packets according to the obfuscated content embedded in the destination addresses may help keep the private network addresses of endpoints on the private network hidden in the packet header content on public networks and difficult to detect by entities on the public networks, which may, for example, make malicious activities such as denial of service (DoS) attacks on the private network impractical.

Abstract: Techniques are disclosed for dividing a TCP handshake into multiple parts, in a system comprising an edge device, an intermediary computing node, and a destination computing node. A client sends a TCP SYN packet to the edge device, to establish a TCP connection with the destination computing node. The edge device performs the handshake, and then forwards an ACK packet to the intermediary computing node. The intermediary computing node uses that ACK packet to generate a second SYN packet, and uses that SYN packet to perform a TCP handshake with the destination computing node. Then, TCP sequence numbers are converted between what is expected by the client and destination in packets sent between the two.

Abstract: Methods and apparatus for transparent multipath utilization through encapsulation are disclosed. Respective encapsulation packets are generated for at least two different baseline packets transmitted between a source and destination linked by multiple network paths. Each encapsulation packet comprises contents of a corresponding baseline packet, and one or more data values selected in accordance with a path balancing policy. The data values added to one encapsulation packet may differ from those added to another. Different network paths to the destination may be selected for different encapsulation packets of a given transmission based at least in part on the added data values.

Abstract: Systems and methods are described to provide fault tolerant folded Clos networks. A folded Clos network is disclosed including a set of tier 1 routers interconnected with a set of tier 2 routers. Tier 1 routers are configured to view a set of tier 2 routers as a single aggregate router. Accordingly, tier 1 routers are unaware of faults between tier 2 routers and additional tier 1 routers. A throwback router is connected to each tier 2 router to facilitate handling of data under such fault conditions. When a tier 2 router receives undeliverable data, the data is passed to a throwback router, which retransmits the data to an additional tier 2 router. Data that is retransmitted multiple times can be disregarded by the throwback router.

Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.

Abstract: Systems and methods are described to provide fault tolerant folded Clos networks. A folded Clos network is disclosed including a set of tier 1 routers interconnected with a set of tier 2 routers. Tier 1 routers are configured to view a set of tier 2 routers as a single aggregate router. Accordingly, tier 1 routers are unaware of faults between tier 2 routers and additional tier 1 routers. A throwback router is connected to each tier 2 router to facilitate handling of data under such fault conditions. When a tier 2 router receives undeliverable data, the data is passed to a throwback router, which retransmits the data to an additional tier 2 router. Data that is retransmitted multiple times can be disregarded by the throwback router.

Abstract: Processes and systems are disclosed for leasing a producer virtual machine on behalf of a consumer virtual machine in an overlay network. The consumer host of the consumer virtual machine can communicate with a set of leasing agents to obtain the identity of a number of producer virtual machines capable of providing the consumer virtual machine with access to a service. When the consumer virtual machine attempts to communicate with a producer system, the consumer host can identify a producer host that hosts a target producer virtual machine and redirect a service request to the producer host.