Patents by Inventor Colm Gearóid MacCárthaigh

Colm Gearóid MacCárthaigh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240113885
    Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity such as a hub to manage authentication, for example. In some instances, the third party may also perform endpoint selection (e.g., load balancing) by providing a particular endpoint along with the token.
    Type: Application
    Filed: October 10, 2023
    Publication date: April 4, 2024
    Applicant: Amazon Technologies, Inc.
    Inventors: Allan Henry Vermeulen, Matthew John Campagna, Colm Gearóid MacCárthaigh
  • Patent number: 11818268
    Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity such as a hub to manage authentication, for example. In some instances, the third party may also perform endpoint selection (e.g., load balancing) by providing a particular endpoint along with the token.
    Type: Grant
    Filed: October 15, 2021
    Date of Patent: November 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Allan Henry Vermeulen, Matthew John Campagna, Colm Gearóid MacCárthaigh
  • Publication number: 20220141080
    Abstract: At a computing service, an indication of associations of a set of network interfaces with a gateway is obtained. Individual ones of the interfaces are configured in respective availability-based resource groups. In response to detecting that a message originates at a resource within a particular availability-based resource group, a network interface of the set is selected based at least partly on the source of availability-based resource group, and the message is transmitted to a network address assigned to the selected interface.
    Type: Application
    Filed: October 1, 2021
    Publication date: May 5, 2022
    Applicant: Amazon Technologies, Inc.
    Inventors: Behdad Baniani, Bashuman Deb, Colm Gearóid MacCárthaigh
  • Patent number: 11269673
    Abstract: Methods and apparatus that allow clients to specify custom network rules for their resource instances or network constructs in a provider network environment. Services and interfaces may be provided that allow a client to provide an executable module that implements custom rules for their resources, or alternatively to specify or select custom rules for their resources. The module may be installed on a host device, and may apply the custom rules to packets to and from the client's resources. Alternatively, the client-defined rules may be applied to packet flows according to the custom rules specified by the client and applied by a client rules service implemented on the provider network external to the host device or on a client resource instance on the host device. The custom network rules may, for example, extend or modify standard network rules for the client's resources on the host device.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: March 8, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Christopher Miller, Joseph E. Magerramov, Marcin Piotr Kowalski, Colm Gearóid MacCárthaigh
  • Publication number: 20220038283
    Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity such as a hub to manage authentication, for example. In some instances, the third party may also perform endpoint selection (e.g., load balancing) by providing a particular endpoint along with the token.
    Type: Application
    Filed: October 15, 2021
    Publication date: February 3, 2022
    Applicant: Amazon Technologies, Inc.
    Inventors: Allan Henry Vermeulen, Matthew John Campagna, Colm Gearóid MacCárthaigh
  • Patent number: 11153087
    Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity such as a hub to manage authentication, for example. In some instances, the third party may also perform endpoint selection (e.g., load balancing) by providing a particular endpoint along with the token.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: October 19, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Allan Henry Vermeulen, Matthew John Campagna, Colm Gearóid MacCárthaigh
  • Patent number: 11140020
    Abstract: At a computing service, an indication of associations of a set of network interfaces with a gateway is obtained. Individual ones of the interfaces are configured in respective availability-based resource groups. In response to detecting that a message originates at a resource within a particular availability-based resource group, a network interface of the set is selected based at least partly on the source of availability-based resource group, and the message is transmitted to a network address assigned to the selected interface.
    Type: Grant
    Filed: March 1, 2018
    Date of Patent: October 5, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Behdad Baniani, Bashuman Deb, Colm Gearóid MacCárthaigh
  • Patent number: 11044082
    Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity to manage authentication, for example. In some instances, the third party may also perform endpoint selection by providing a particular endpoint along with the token. The particular cipher suite applied in a particular implementation may be configurable. The process is applicable to either implicit key confirmation (e.g., handshake negotiation) or explicit key confirmation (e.g., full negotiation).
    Type: Grant
    Filed: September 6, 2019
    Date of Patent: June 22, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Allan Henry Vermeulen, Matthew John Campagna, Colm Gearóid MacCárthaigh
  • Patent number: 10826876
    Abstract: The following description is directed to encrypting the characteristics of network traffic. In one example, a method can include receiving an unencrypted link layer packet including a first payload of a first size. The method can include encrypting the first payload of the unencrypted link layer packet. The method can include generating an encrypted link layer packet including a second payload. The second payload can include the encrypted payload and a variable length padding field so that the second payload of the encrypted link layer packet is a different size than the first size of the first payload. The encrypted link layer packet can then be transmitted.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: November 3, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Frederick David Sinn, Colm Gearóid MacCárthaigh, Thomas Bradley Scholl
  • Patent number: 10819525
    Abstract: Data is split into a set of data packets and transmitted between a client computer system and a network service via a packet-switched network. The client computer system identifies a role, permission, group, or other credential that is associated with the data packets, and attaches a credential identifier such as a digital signature to the packets before they are transmitted over the network. A network service receives the data packets, and is configured to filter or route the data packets to a recipient using the attached credential identifier. The network service can adjust the filtering or routing process to occur within a data link, network, transport, or application layer. In some examples, the filtering or routing is provided from within a hypervisor.
    Type: Grant
    Filed: June 15, 2018
    Date of Patent: October 27, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Christopher Miller, Colm Gearóid MacCárthaigh
  • Patent number: 10778554
    Abstract: Systems and methods for the management and processing of resource requests by a service provider, such as a content delivery network (“CDN”) service provider, on behalf of a content provider are provided. The CDN service provider can measure the performance associated with the delivery of resources to a requesting client computing device from various computing devices associated with the CDN service provider. In one embodiment, a client computing device can execute code, such as scripts, that cause the client computing device to transmit requests to different computing devices associated with the CDN service provider's domain. Information associated with the processing of the responses can be used to measure CDN service provider latencies.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: September 15, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: David R. Richardson, John David Cormie, Colm Gearóid MacCárthaigh, Benjamin W. S. Redman
  • Publication number: 20190394029
    Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity to manage authentication, for example. In some instances, the third party may also perform endpoint selection by providing a particular endpoint along with the token. The particular cipher suite applied in a particular implementation may be configurable. The process is applicable to either implicit key confirmation (e.g., handshake negotiation) or explicit key confirmation (e.g., full negotiation).
    Type: Application
    Filed: September 6, 2019
    Publication date: December 26, 2019
    Applicant: Amazon Technologies, Inc.
    Inventors: Allan Henry Vermeulen, Matthew John Campagna, Colm Gearóid MacCárthaigh
  • Publication number: 20190281140
    Abstract: Methods and apparatus that allow clients to specify custom network rules for their resource instances or network constructs in a provider network environment. Services and interfaces may be provided that allow a client to provide an executable module that implements custom rules for their resources, or alternatively to specify or select custom rules for their resources. The module may be installed on a host device, and may apply the custom rules to packets to and from the client's resources. Alternatively, the client-defined rules may be applied to packet flows according to the custom rules specified by the client and applied by a client rules service implemented on the provider network external to the host device or on a client resource instance on the host device. The custom network rules may, for example, extend or modify standard network rules for the client's resources on the host device.
    Type: Application
    Filed: May 17, 2019
    Publication date: September 12, 2019
    Applicant: Amazon Technologies, Inc.
    Inventors: Kevin Christopher Miller, Joseph E. Magerramov, Marcin Piotr Kowalski, Colm Gearóid MacCárthaigh
  • Patent number: 10411886
    Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity to manage authentication, for example. In some instances, the third party may also perform endpoint selection by providing a particular endpoint along with the token. The particular cipher suite applied in a particular implementation may be configurable. The process is applicable to either implicit key confirmation (e.g., handshake negotiation) or explicit key confirmation (e.g., full negotiation).
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: September 10, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Allan Henry Vermeulen, Matthew John Campagna, Colm Gearóid MacCárthaigh
  • Patent number: 10411985
    Abstract: A physical host agent receives configuration information from a virtual computer system service specifying network traffic information to be extracted from network traffic for one or more virtual machines. The agent extracts the specified network traffic information from the network traffic for the one or more virtual machines and aggregates the network traffic information into one or more data segments for storage in a repository. A publishing sub-system of the service obtains the one or more data segments and compiles the one or more data segments into data logs for delivery to an analytics service to make the network traffic information available to customers.
    Type: Grant
    Filed: December 2, 2015
    Date of Patent: September 10, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Christopher Miller, Colm Gearóid MacCárthaigh, Joseph E. Magerramov, Marcin Piotr Kowalski
  • Patent number: 10333708
    Abstract: A system includes a first entropy-based random number generator (RNG) circuit configured to produce a bit stream and a key generator configured to generate encryption keys using bits from the bit stream. The system also includes an encryption engine configured to encrypt bits from the bit stream and a de-multiplexer configured to receive the bit stream from the first entropy-based RNG circuit and to provide a first set of bits from the bit stream to the key generator for generation of an encryption key and a second set of bits from the bit stream to the encryption engine for encryption to produce an encrypted output value.
    Type: Grant
    Filed: February 3, 2017
    Date of Patent: June 25, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Ron Diamant, Matthew John Campagna, Colm Gearóid MacCárthaigh
  • Patent number: 10318747
    Abstract: A computing system includes a programming interface of a control interface of a distributed computing environment, a service layer of the control interface, and a manager of the control interface. The programming interface is configured to receive a block of a block chain database. The block includes a ledger that includes a plurality of transactional data records. The service layer is configured to analyze the plurality of records to determine that one of the plurality of records is an indication of a request by a client for a service provided by a data interface of the distributed computing environment. The manager is configured to allocate access to execute the request in response to receiving the indication of the request.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: June 11, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Colm Gearóid MacCárthaigh, Eric Jason Brandwine
  • Patent number: 10298720
    Abstract: Methods and apparatus that allow clients to specify custom network rules for their resource instances or network constructs in a provider network environment. Services and interfaces may be provided that allow a client to provide an executable module that implements custom rules for their resources, or alternatively to specify or select custom rules for their resources. The module may be installed on a host device, and may apply the custom rules to packets to and from the client's resources. Alternatively, the client-defined rules may be applied to packet flows according to the custom rules specified by the client and applied by a client rules service implemented on the provider network external to the host device or on a client resource instance on the host device. The custom network rules may, for example, extend or modify standard network rules for the client's resources on the host device.
    Type: Grant
    Filed: December 7, 2015
    Date of Patent: May 21, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Christopher Miller, Joseph E. Magerramov, Marcin Piotr Kowalski, Colm Gearóid MacCárthaigh
  • Publication number: 20190020562
    Abstract: Systems and methods for the management and processing of resource requests by a service provider, such as a content delivery network (“CDN”) service provider, on behalf of a content provider are provided. The CDN service provider can measure the performance associated with the delivery of resources to a requesting client computing device from various computing devices associated with the CDN service provider. In one embodiment, a client computing device can execute code, such as scripts, that cause the client computing device to transmit requests to different computing devices associated with the CDN service provider's domain. Information associated with the processing of the responses can be used to measure CDN service provider latencies.
    Type: Application
    Filed: September 17, 2018
    Publication date: January 17, 2019
    Inventors: David R. Richardson, John David Cormie, Colm Gearóid MacCárthaigh, Benjamin W. S. Redman
  • Publication number: 20180294973
    Abstract: Data is split into a set of data packets and transmitted between a client computer system and a network service via a packet-switched network. The client computer system identifies a role, permission, group, or other credential that is associated with the data packets, and attaches a credential identifier such as a digital signature to the packets before they are transmitted over the network. A network service receives the data packets, and is configured to filter or route the data packets to a recipient using the attached credential identifier. The network service can adjust the filtering or routing process to occur within a data link, network, transport, or application layer. In some examples, the filtering or routing is provided from within a hypervisor.
    Type: Application
    Filed: June 15, 2018
    Publication date: October 11, 2018
    Inventors: Kevin Christopher Miller, Colm Gearóid MacCárthaigh