Patents by Inventor Bashuman Deb
Bashuman Deb has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 12647425
  Abstract: An endpoint for accessing a group of cloud resources from a set of client devices outside the cloud is established. In response to detecting that, as a result of a configuration change, a particular cloud resource has joined the group, addressing information for the particular cloud resource is generated. An access verifier associated with the endpoint receives a packet directed from a client device using the addressing information. In response to determining, based on user identity metadata of the user and based on device status metadata of the client device, that the packet satisfies a security requirement, the packet is delivered to the particular cloud resource.
  Type: Grant
  Filed: September 27, 2024
  Date of Patent: June 2, 2026
  Assignee: Amazon Technologies, Inc.
  Inventors: Devlin Roarke Dunsmore, Bashuman Deb, Aditya Chayapathy, Michael P Quinn, Rajat Tyagi, Shovan Kumar Das, Thomas Nguyen Spendley, Anoop Dawani, Sujan Bolisetti, Benjamin Wojtowicz
- Patent number: 12641018
  Abstract: An indication of a set of premises between which network traffic is to be routed via a private fiber backbone of a provider network is obtained. Respective virtual routers are configured for a first premise and a second premise, and connectivity is established between the virtual routers and routing information sources at the premises. Contents of at least one network packet originating at the first premise are transmitted to the second premise via the private fiber backbone using routing information obtained at the virtual routers from the routing information source at the second premise.
  Type: Grant
  Filed: January 27, 2023
  Date of Patent: May 26, 2026
  Assignee: Amazon Technologies, Inc.
  Inventors: Baihu Qian, Omer Hashmi, Thomas Nguyen Spendley, Bashuman Deb, Shridhar Kulkarni, Paul John Tillotson, Ramin Ali Dousti, Indira Radhika Pulla, Steve Ge, Nicholas Ryan Lombardi, Nick Matthews, Anoop Dawani
- Patent number: 12596593
  Abstract: Techniques for intelligent user-configured multi-location service deployment and scaling are described. Autoscaling configuration data is received, the autoscaling configuration data including an application redistribution trigger condition and a placement optimization constraint, the application redistribution trigger condition based on a variable associated with a state of an application, the application deployed across a first set of deployment zones of a plurality of deployment zones of a cloud provider network. The application redistribution trigger condition is determined to be satisfied. A redistribution placement plan is obtained that satisfies the placement optimization constraint and identifies a second set of deployment zones of the plurality of deployment zones of the cloud provider network across which to deploy the application. The application is redistributed across the second set of deployment zones.
  Type: Grant
  Filed: March 27, 2023
  Date of Patent: April 7, 2026
  Assignee: Amazon Technologies, Inc.
  Inventors: Mohammad Asif Ali Khan, Imran Adam Matin, Junaid Arif Kapadia, Jovenal C Torres, Julian Lee Sweatt, Bashuman Deb
- Patent number: 12531779
  Abstract: At a computing service, an indication of associations of a set of network interfaces with a gateway is obtained. Individual ones of the interfaces are configured in respective availability-based resource groups. In response to detecting that a message originates at a resource within a particular availability-based resource group, a network interface of the set is selected based at least partly on the source of availability-based resource group, and the message is transmitted to a network address assigned to the selected interface.
  Type: Grant
  Filed: October 1, 2021
  Date of Patent: January 20, 2026
  Assignee: Amazon Technologies, Inc.
  Inventors: Behdad Baniani, Bashuman Deb, Colm Gearóid MacCárthaigh
- Patent number: 12489707
  Abstract: Routing metadata, to be used at a transit gateway to transmit packets among a plurality of networks, is obtained from several routing information sources at a route processing node of a connectivity service. The node applies a rule to a subset of the metadata to generate at least a portion of a routing information base, with the first rule indicating a matching criterion for selecting the subset, as well as a mutation to be implemented with respect to the subset. A packet forwarding node of the connectivity service obtains at least a portion of a forwarding information base (FIB) generated by the node from the RIB, and transmits a data packet received at the transit gateway to a next hop destination indicated in the FIB.
  Type: Grant
  Filed: June 21, 2023
  Date of Patent: December 2, 2025
  Assignee: Amazon Technologies, Inc.
  Inventors: Bashuman Deb, Shridhar Kulkarni, Brandon Michael LaRue, Omer Hashmi, Sandeep Bajaj, Ramin Ali Dousti
- Publication number: 20250330499
  Abstract: Systems and methods are provided for obtaining policy data associated with a private network implemented at least partly within a cloud provider network; establishing, based on the policy data, a first segment within the private network, wherein in a first geographic region of the cloud provider network, traffic associated with the first segment is isolated from traffic associated with a second segment of the private network, and wherein in a second geographic region of the cloud provider network, traffic associated with the first segment is isolated from traffic associated with a third segment of the private network; obtaining metadata indicating an isolated network of the cloud provider network is associated with the first segment; and enabling the isolated network to communicate, over the first segment, across the first geographic region and the second geographic region.
  Type: Application
  Filed: June 30, 2025
  Publication date: October 23, 2025
  Inventors: Baihu Qian, Bashuman Deb, Justin Lin Hsieh, Daniel William Dacosta, Nick Matthews, Viktor Heorhiadi, Lalith Kumar Ramamoorthi, Anoop Dawani, Omer Hashmi, Thomas Nguyen Spendley
- Patent number: 12425409
  Abstract: Systems and methods are provided for creating and running an instance of a dynamic access control system (DACS). Trust providers may be defined in a trust broker of the DACS such that trust information associated with the trust providers can be used to create a custom data structure. Resources and resource groups may be defined in the DACS. Policies may be configured or coded in the DACS to map the custom data structure to resources or resource groups. Additionally, policies may be configured or coded in the DACS to route the data structure and request to network segments or shared with other parties.
  Type: Grant
  Filed: November 22, 2022
  Date of Patent: September 23, 2025
  Assignee: Amazon Technologies, Inc.
  Inventors: Shovan Kumar Das, Jessica Kira Szmajda, Bashuman Deb, Sujan Bolisetti, Shridhar Kulkarni, Baihu Qian, Brandon Michael LaRue, Stephen A. Saville
- Publication number: 20250260597
  Abstract: Connectivity is enabled between a first and second isolated network using a virtual traffic hub that includes resources of a cloud computing environment. The connectivity may include respective first and second Virtual Private Network (VPN) connections between the hub and the first and second isolated network at respective premises external to the cloud computing environment. At least a portion of a first packet received at the hub from the first isolated network via the first VPN connection is transmitted from the hub to the second isolated network via the second VPN connection.
  Type: Application
  Filed: April 28, 2025
  Publication date: August 14, 2025
  Applicant: Amazon Technologies, Inc.
  Inventors: Paul John Tillotson, Bashuman Deb, Thomas Spendley, Omer Hashmi, Baihu Qian, Alexander Justin Penney
- Publication number: 20250254118
  Abstract: Metadata indicating that a virtual traffic hub enabling connectivity between a plurality of isolated networks has been established is stored. A determination is made that a first entry of a first isolated network attached to the hub is to be represented in a second routing table of a second isolated network attached to the hub, e.g., to enable network packets originating at resources of the second isolated network to be transmitted via the hub to the first isolated network. A new entry corresponding to the first entry is included in the second routing table.
  Type: Application
  Filed: April 18, 2025
  Publication date: August 7, 2025
  Applicant: Amazon Technologies, Inc.
  Inventors: Paul John Tillotson, Bashuman Deb, Thomas Spendley, Omer Hashmi, Baihu Qian, Alexander Justin Penney
- Patent number: 12348571
  Abstract: Systems and methods are provided for obtaining policy data associated with a private network implemented at least partly within a cloud provider network; establishing, based on the policy data, a first segment within the private network, wherein in a first geographic region of the cloud provider network, traffic associated with the first segment is isolated from traffic associated with a second segment of the private network, and wherein in a second geographic region of the cloud provider network, traffic associated with the first segment is isolated from traffic associated with a third segment of the private network; obtaining metadata indicating an isolated network of the cloud provider network is associated with the first segment; and enabling the isolated network to communicate, over the first segment, across the first geographic region and the second geographic region.
  Type: Grant
  Filed: June 12, 2024
  Date of Patent: July 1, 2025
  Assignee: Amazon Technologies, Inc.
  Inventors: Baihu Qian, Bashuman Deb, Justin Lin Hsieh, Daniel William Dacosta, Nick Matthews, Viktor Heorhiadi, Lalith Kumar Ramamoorthi, Anoop Dawani, Omer Hashmi, Thomas Nguyen Spendley
- Patent number: 12316477
  Abstract: Connectivity is enabled between a first and second isolated network using a virtual traffic hub that includes resources of a cloud computing environment. The connectivity may include respective first and second Virtual Private Network (VPN) connections between the hub and the first and second isolated network at respective premises external to the cloud computing environment. At least a portion of a first packet received at the hub from the first isolated network via the first VPN connection is transmitted from the hub to the second isolated network via the second VPN connection.
  Type: Grant
  Filed: October 5, 2023
  Date of Patent: May 27, 2025
  Assignee: Amazon Technologies, Inc.
  Inventors: Paul John Tillotson, Bashuman Deb, Thomas Spendley, Omer Hashmi, Baihu Qian, Alexander Justin Penney
- Patent number: 12301443
  Abstract: Metadata indicating that a virtual traffic hub enabling connectivity between a plurality of isolated networks has been established is stored. A determination is made that a first entry of a first isolated network attached to the hub is to be represented in a second routing table of a second isolated network attached to the hub, e.g., to enable network packets originating at resources of the second isolated network to be transmitted via the hub to the first isolated network. A new entry corresponding to the first entry is included in the second routing table.
  Type: Grant
  Filed: December 12, 2023
  Date of Patent: May 13, 2025
  Assignee: Amazon Technologies, Inc.
  Inventors: Paul John Tillotson, Bashuman Deb, Thomas Spendley, Omer Hashmi, Baihu Qian, Alexander Justin Penney
- Publication number: 20250126046
  Abstract: Network pathways are identified to transfer packets between a pair of regional virtual traffic hubs of a provider network. At a first hub of the pair, a first action is performed, resulting in a transmission of a packet received from a first isolated network to the second hub along a pathway selected using dynamic routing parameters. At the second hub, a second action is performed, resulting in the transmission of the packet to a destination within a second isolated network.
  Type: Application
  Filed: December 18, 2024
  Publication date: April 17, 2025
  Applicant: Amazon Technologies, Inc.
  Inventors: Bashuman Deb, Paul John Tillotson, Thomas Nguyen Spendley, Omer Hashmi, Baihu Qian, Mohamed Nader Farahat Hassan
- Patent number: 12212482
  Abstract: Network pathways are identified to transfer packets between a pair of regional virtual traffic hubs of a provider network. At a first hub of the pair, a first action is performed, resulting in a transmission of a packet received from a first isolated network to the second hub along a pathway selected using dynamic routing parameters. At the second hub, a second action is performed, resulting in the transmission of the packet to a destination within a second isolated network.
  Type: Grant
  Filed: September 16, 2022
  Date of Patent: January 28, 2025
  Assignee: Amazon Technologies, Inc.
  Inventors: Bashuman Deb, Paul John Tillotson, Thomas Nguyen Spendley, Omer Hashmi, Baihu Qian, Mohamed Nader Farahat Hassan
- Patent number: 12184647
  Abstract: Systems and methods are provided for creating and running an instance of a dynamic access control system (DACS). Trust providers may be defined in a trust broker of the DACS such that trust information associated with the trust providers can be used to create a custom data structure. Resources and resource groups may be defined in the DACS. Policies may be configured or coded in the DACS to map the custom data structure to resources or resource groups. Additionally, policies may be configured or coded in the DACS to route the data structure and request to network segments or shared with other parties.
  Type: Grant
  Filed: November 22, 2022
  Date of Patent: December 31, 2024
  Assignee: Amazon Technologies, Inc.
  Inventors: Sujan Bolisetti, Shovan Kumar Das, Jessica Kira Szmajda, Harshit Kumar Tiwari, Bashuman Deb, Stephen A. Saville
- Patent number: 12160366
  Abstract: A message indicating an auxiliary task associated with traffic transmitted via a virtual router between a pair of isolated networks is received at an offloading device. A stack multiplexer at the offloading device selects a protocol stack instance to process the message. A result of the auxiliary task is obtained by the multiplexer from the selected protocol stack instance and transmitted to the virtual router, where it is used to transmit a packet between the isolated networks.
  Type: Grant
  Filed: March 30, 2021
  Date of Patent: December 3, 2024
  Assignee: Amazon Technologies, Inc.
  Inventors: Bashuman Deb, Omer Hashmi, Thomas Nguyen Spendley, Baihu Qian, Guru Kannan, Shridhar Kulkarni, Paul John Tillotson, Ramin Ali Dousti, Indira Radhika Pulla, Yuxin Ren, Fahed Hijazi, Xiyuan Gou, Steve Ge, Nicholas Ryan Lombardi, Brandon Michael LaRue, Jaywant U. Kapadnis, Anoop Dawani
- Publication number: 20240333775
  Abstract: Systems and methods are provided for obtaining policy data associated with a private network implemented at least partly within a cloud provider network; establishing, based on the policy data, a first segment within the private network, wherein in a first geographic region of the cloud provider network, traffic associated with the first segment is isolated from traffic associated with a second segment of the private network, and wherein in a second geographic region of the cloud provider network, traffic associated with the first segment is isolated from traffic associated with a third segment of the private network; obtaining metadata indicating an isolated network of the cloud provider network is associated with the first segment; and enabling the isolated network to communicate, over the first segment, across the first geographic region and the second geographic region.
  Type: Application
  Filed: June 12, 2024
  Publication date: October 3, 2024
  Inventors: Baihu Qian, Bashuman Deb, Justin Lin Hsieh, Daniel William Dacosta, Nick Matthews, Viktor Heorhiadi, Lalith Kumar Ramamoorthi, Anoop Dawani, Omer Hashmi, Thomas Nguyen Spendley
- Patent number: 12021902
  Abstract: Systems and methods are provided for evaluation of communication paths through networks to determine whether communication is permitted across one or more internal network boundaries. The analysis may be used to determine whether a node in one isolated network (e.g., VPC, VPN, client on-premise network, etc.) is able to communicate with a node in another isolated network across region and/or segment boundaries. The automated analysis can allow users (e.g., network administrators) to see what high-level policies (e.g., Cloud WAN policies written in a declarative language) are interfering with or permitting communication between the nodes.
  Type: Grant
  Filed: December 10, 2021
  Date of Patent: June 25, 2024
  Assignee: Amazon Technologies, Inc.
  Inventors: Baihu Qian, Bashuman Deb, Justin Lin Hsieh, Daniel William Dacosta, Nick Matthews, Viktor Heorhiadi, Lalith Kumar Ramamoorthi, Anoop Dawani, Omer Hashmi, Thomas Nguyen Spendley
- Publication number: 20240187332
  Abstract: Metadata indicating that a virtual traffic hub enabling connectivity between a plurality of isolated networks has been established is stored. A determination is made that a first entry of a first isolated network attached to the hub is to be represented in a second routing table of a second isolated network attached to the hub, e.g., to enable network packets originating at resources of the second isolated network to be transmitted via the hub to the first isolated network. A new entry corresponding to the first entry is included in the second routing table.
  Type: Application
  Filed: December 12, 2023
  Publication date: June 6, 2024
  Applicant: Amazon Technologies, Inc.
  Inventors: Paul John Tillotson, Bashuman Deb, Thomas Spendley, Omer Hashmi, Baihu Qian, Alexander Justin Penney
- Publication number: 20240171573
  Abstract: Systems and methods are provided for creating and running an instance of a dynamic access control system (DACS). Trust providers may be defined in a trust broker of the DACS such that trust information associated with the trust providers can be used to create a custom data structure. Resources and resource groups may be defined in the DACS. Policies may be configured or coded in the DACS to map the custom data structure to resources or resource groups. Additionally, policies may be configured or coded in the DACS to route the data structure and request to network segments or shared with other parties.
  Type: Application
  Filed: November 22, 2022
  Publication date: May 23, 2024
  Inventors: Sujan Bolisetti, Shovan Kumar Das, Jessica Kira Szmajda, Harshit Kumar Tiwari, Bashuman Deb, Stephen A. Saville