Patents by Inventor Colm MacCarthaigh

Colm MacCarthaigh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240095338
    Abstract: An instance secrets management isolated runtime environment is launched at a virtualization server, and utilizes a subset of memory assigned to a compute instance. The subset of memory is inaccessible from entities external to the runtime environment. A secrets manager of the runtime environment provides a security artifact to an application, running at the compute instance, which has requested access to a resource. The artifact is generated by the secrets manager using a security secret associated with the compute instance; the secret is not accessible to programs external to the runtime environment. In response to a determination that the artifact is valid, the application obtains access to the resource.
    Type: Application
    Filed: June 30, 2022
    Publication date: March 21, 2024
    Applicant: Amazon Technologies, Inc.
    Inventors: Joshua Benjamin Levinson, Colm MacCarthaigh, Alexander Graf, Iulia-Daniela Doras-Prodan, Petre Eftime
  • Patent number: 11831638
    Abstract: Methods, systems, and computer-readable media for single-packet authorization using proof of work are disclosed. An access control service receives, from a client, a single-packet authorization (SPA) request. The SPA request comprises output of a proof-of-work task, wherein completion of the proof-of-work task requires computational resources or memory resources of the client. The access control service performs verification of the output of the proof-of-work task using fewer computational or memory resources of the access control service than were used by the client. In response to determining that verification of the output of the proof-of-work task succeeds, the access control service performs authentication of the SPA request. In response to determining that authentication of the SPA request succeeds, the access control service allows access by the client device to a service.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: November 28, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Evgeniy Retyunskiy, Colm MacCárthaigh, Maciej Broda, Matthew Schwartz
  • Publication number: 20230283559
    Abstract: A network address assigned to a virtual network interface of a packet transformation node of a flow management service is identified. A packet of a particular network flow associated with an application implemented at an isolated virtual network is sent to the network address. Using a rewrite directive generated at a rewriting decisions node of the service and cached at the packet transformation node, a transformed packet corresponding to a packet received at the packet transformation node is generated and transmitted to a destination.
    Type: Application
    Filed: March 10, 2023
    Publication date: September 7, 2023
    Applicant: Amazon Technologies, Inc.
    Inventor: Colm MacCarthaigh
  • Patent number: 11743325
    Abstract: Techniques for API-based endpoint discovery and centralized load balancing involving provider substrate extension resources are described. A discovery coordinator service located within a provider network can identify one or more endpoints from a set of potentially distributed endpoints for a client to utilize, where endpoints may be located within provider substrate extensions of the provider network. The discovery coordinator service can analyze the loads of these endpoints, via client lease information, to identify nearby, low-load resources that may be most optimal for the client to use via providing minimal latency of access.
    Type: Grant
    Filed: November 29, 2019
    Date of Patent: August 29, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Devlin Roarke Dunsmore, Colm Maccarthaigh, Ishwardutt Parulkar, Dougal Stuart Ballantyne, Diwakar Gupta, Upendra Bhalchandra Shevade
  • Publication number: 20230254363
    Abstract: A system and method for the management of client computing device DNS queries and subsequent resource requests within a content delivery network service provider domain are provided. The management of the DNS queries can include the selection of computing devices corresponding to various Point of Presence locations for processing DNS queries. Additionally, the management of the content requests can include the selection of computing devices corresponding to resource cache components corresponding to various Point of Presence locations for providing requested content. The selection of the computing devices can incorporate logic related to geographic criteria, testing criteria, and the like.
    Type: Application
    Filed: April 6, 2023
    Publication date: August 10, 2023
    Inventors: David R. Richardson, John Cormie, Colm MacCarthaigh, Benjamin W.S. Redman
  • Patent number: 11677853
    Abstract: Techniques are described for managing preloading of data for client computing systems. A client computing system may provide one or more persistent data storage caches on local storage, such as to support a particular software program executing on the client computing system (e.g., a Web browser program, with the persistent data storage cache designed to store browser cookies and other data for later access by the Web browser program). Additional data may be stored in such a persistent data storage cache by preloading those data groups before they are requested by the client computing system (e.g., based on interactions of a user of the client computing system with an executing program on the client computing system). Particular data groups to preload may be selected in various manners, including to provide a specified type of minimum functionality to a client computing system based on the preloaded data groups.
    Type: Grant
    Filed: April 20, 2020
    Date of Patent: June 13, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Prashanth A. Acharya, Jonathan B. Corley, Craig W. Howard, Harvo R. Jones, John K. Loendorf, Colm MacCarthaigh, Bradley E. Marshall, Imran Patel, Lee B. Rosen, Ronald James Snyder, Jr., Ryan F. Watson
  • Patent number: 11632420
    Abstract: A system and method for the management of client computing device DNS queries and subsequent resource requests within a content delivery network service provider domain are provided. The management of the DNS queries can include the selection of computing devices corresponding to various Point of Presence locations for processing DNS queries. Additionally, the management of the content requests can include the selection of computing devices corresponding to resource cache components corresponding to various Point of Presence locations for providing requested content. The selection of the computing devices can incorporate logic related to geographic criteria, testing criteria, and the like.
    Type: Grant
    Filed: May 11, 2022
    Date of Patent: April 18, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: David R. Richardson, John Cormie, Colm MacCarthaigh, Benjamin W. S. Redman
  • Publication number: 20230080776
    Abstract: The present disclosure generally relates to managing a failover service. The failover service can receive a list of regions and a list of rules that must be satisfied for a region to be considered available for failover. The failover service can then determine the regions that satisfy each rule of the list of rules and are available for failover. The failover service can then deliver this information to a client. The failover service can determine the regions that do not satisfy one or more of the rules from the list of rules and deliver this information to a client. The failover service can perform automatic remediation to the unavailable failover regions and client remediation to the unavailable failover regions.
    Type: Application
    Filed: July 25, 2022
    Publication date: March 16, 2023
    Inventors: Nathan Dye, Colm MacCarthaigh, Narjala Prakash Bhasker, Mikhail Ivanovich Golovnykh
  • Patent number: 11606300
    Abstract: A network address assigned to a virtual network interface of a packet transformation node of a flow management service is identified. A packet of a particular network flow associated with an application implemented at an isolated virtual network is sent to the network address. Using a rewrite directive generated at a rewriting decisions node of the service and cached at the packet transformation node, a transformed packet corresponding to a packet received at the packet transformation node is generated and transmitted to a destination.
    Type: Grant
    Filed: April 9, 2020
    Date of Patent: March 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Colm MacCarthaigh
  • Publication number: 20220272146
    Abstract: A system and method for the management of client computing device DNS queries and subsequent resource requests within a content delivery network service provider domain are provided. The management of the DNS queries can include the selection of computing devices corresponding to various Point of Presence locations for processing DNS queries. Additionally, the management of the content requests can include the selection of computing devices corresponding to resource cache components corresponding to various Point of Presence locations for providing requested content. The selection of the computing devices can incorporate logic related to geographic criteria, testing criteria, and the like.
    Type: Application
    Filed: May 11, 2022
    Publication date: August 25, 2022
    Inventors: David R. Richardson, John Cormie, Colm MacCarthaigh, Benjamin W.S. Redman
  • Patent number: 11411808
    Abstract: The present disclosure generally relates to managing a failover service for regions in an active-active configuration. The failover service can receive a list of regions and a list of rules that must be satisfied for a region to be considered available for failover. For each primary region of a plurality of primary regions, the failover service can then determine the regions that satisfy each rule of the list of rules and are available for failover. The failover service can then deliver this information to a client. The failover service can determine the regions that do not satisfy one or more of the rules from the list of rules and deliver this information to a client. The failover service can perform automatic remediation and client remediation to the unavailable failover regions.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: August 9, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Colm MacCarthaigh, Nathan Dye
  • Patent number: 11397652
    Abstract: The present disclosure generally relates to managing a failover service. The regional management service can receive a list of primary regions and a list of rules for each primary region that must be satisfied for a primary region to be considered available for failover from the respective primary region. The regional management service can then determine the primary regions that satisfy each rule of the list of rules for one or more primary regions and are available for failover of the respective primary regions. The regional management service can then deliver this information to a client. The regional management service can determine the primary regions that do not satisfy one or more of the rules from the list of rules for one or more primary regions and deliver this information to a client. The regional management service can perform automatic remediation and client remediation to the unavailable primary regions.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: July 26, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Colm MacCarthaigh, Nathan Dye
  • Patent number: 11397651
    Abstract: The present disclosure generally relates to managing a failover service. The failover service can receive a list of regions and a list of rules that must be satisfied for a region to be considered available for failover. The failover service can then determine the regions that satisfy each rule of the list of rules and are available for failover. The failover service can then deliver this information to a client. The failover service can determine the regions that do not satisfy one or more of the rules from the list of rules and deliver this information to a client. The failover service can perform automatic remediation to the unavailable failover regions and client remediation to the unavailable failover regions.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: July 26, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Nathan Dye, Colm MacCarthaigh, Narjala Prakash Bhasker, Mikhail Ivanovich Golovnykh
  • Patent number: 11366728
    Abstract: The first computing system may interface with an operator of the application and a plurality of hosts of the application distributed between different partitions. The second and third computing systems may host first and second portions of the application in first and second partitions, respectively. The second and third computing systems may poll the first computing system to identify first and second values, respectively, representing state conditions of the first and second partitions, respectively, wherein the first and second partition state conditions are the active state, the passive state, and the fenced state. The second and third computing systems may receive responses from the first computing system comprising the first and second values, respectively, and based on the respective values, initiate a transition to the corresponding partition state condition. The first computing system may assign one of the first and second values to indicate which is the active state.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: June 21, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Colm MacCarthaigh, Grant A. McAlister
  • Patent number: 11336712
    Abstract: A system and method for the management of client computing device DNS queries and subsequent resource requests within a content delivery network service provider domain are provided. The management of the DNS queries can include the selection of computing devices corresponding to various Point of Presence locations for processing DNS queries. Additionally, the management of the content requests can include the selection of computing devices corresponding to resource cache components corresponding to various Point of Presence locations for providing requested content. The selection of the computing devices can incorporate logic related to geographic criteria, testing criteria, and the like.
    Type: Grant
    Filed: June 20, 2018
    Date of Patent: May 17, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: David R. Richardson, John Cormie, Colm MacCarthaigh, Benjamin W. S. Redman
  • Patent number: 11206207
    Abstract: Managed multicast communications may be implemented across isolated networks. A virtual traffic hub may be implemented that connects different isolated networks. A control plane for the virtual traffic hub may accept requests to enable a multicast group between different isolated networks connected to the virtual traffic hub. The multicast group may then be enabled at the virtual traffic hub so that requests to add members to the multicast group and data packets directed to the multicast group can be handled according to multicast protocols by the virtual traffic hub.
    Type: Grant
    Filed: January 29, 2019
    Date of Patent: December 21, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Bashuman Deb, Anoop Dawani, Colm MacCarthaigh
  • Patent number: 11146569
    Abstract: Systems and methods are described for providing escalation-resistant network-accessible services by providing the service through a set of service instances, each executing in an environment with privileges scoped based on a user requesting to access the service. Each service instance can be implemented by code on a serverless code system, executed in response to a user request to access the service. Because the code is executed in an environment with privileges scoped to those of a requesting user, the code itself need not attempt to limit the privileges of a requesting user. For that reason, potential for privilege escalations of the service are reduced, even if vulnerabilities in the code might otherwise allow for such escalations.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: October 12, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc John Brooker, Ajay Nair, Colm MacCárthaigh
  • Publication number: 20210303423
    Abstract: The present disclosure generally relates to managing a failover service. The regional management service can receive a list of primary regions and a list of rules for each primary region that must be satisfied for a primary region to be considered available for failover from the respective primary region. The regional management service can then determine the primary regions that satisfy each rule of the list of rules for one or more primary regions and are available for failover of the respective primary regions. The regional management service can then deliver this information to a client. The regional management service can determine the primary regions that do not satisfy one or more of the rules from the list of rules for one or more primary regions and deliver this information to a client. The regional management service can perform automatic remediation and client remediation to the unavailable primary regions.
    Type: Application
    Filed: March 27, 2020
    Publication date: September 30, 2021
    Inventors: Colm MacCarthaigh, Nathan Dye
  • Publication number: 20210303422
    Abstract: The present disclosure generally relates to managing a failover service. The failover service can receive a list of regions and a list of rules that must be satisfied for a region to be considered available for failover. The failover service can then determine the regions that satisfy each rule of the list of rules and are available for failover. The failover service can then deliver this information to a client. The failover service can determine the regions that do not satisfy one or more of the rules from the list of rules and deliver this information to a client. The failover service can perform automatic remediation to the unavailable failover regions and client remediation to the unavailable failover regions.
    Type: Application
    Filed: March 27, 2020
    Publication date: September 30, 2021
    Inventors: Nathan Dye, Colm MacCarthaigh, Narjala Prakash Bhasker, Mikhail Ivanovich Golovnykh
  • Publication number: 20210306205
    Abstract: The present disclosure generally relates to managing a failover service for regions in an active-active configuration. The failover service can receive a list of regions and a list of rules that must be satisfied for a region to be considered available for failover. For each primary region of a plurality of primary regions, the failover service can then determine the regions that satisfy each rule of the list of rules and are available for failover. The failover service can then deliver this information to a client. The failover service can determine the regions that do not satisfy one or more of the rules from the list of rules and deliver this information to a client. The failover service can perform automatic remediation and client remediation to the unavailable failover regions.
    Type: Application
    Filed: March 27, 2020
    Publication date: September 30, 2021
    Inventors: Colm MacCarthaigh, Nathan Dye