Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to create and configure computer networks that are provided by a remote configurable network service for the users' use. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. In addition, access to remote resource services may be configured and provided from such computer networks in various manners, such as to automatically include access control information to limit access to particular resources to computing nodes at the location of that provided computer network.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to create and configure computer networks that are provided by a remote configurable network service for the users' use. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. In addition, access to remote resource services may be configured and provided from such computer networks in various manners, such as to automatically include access control information to limit access to particular resources to computing nodes at the location of that provided computer network.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are separated by one or more physical networks. In some situations, the techniques may be used to provide a virtual network between multiple computing nodes that are separated by one or more intermediate physical networks, such as from the edge of the one or more intermediate physical networks by modifying communications that enter and/or leave the intermediate physical networks. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users (e.g., users of a program execution service). The managing of the communications may include determining whether communications sent to managed computing nodes are authorized, and providing the communications to the computing nodes only if they are determined to be authorized.

Abstract: A Hardware Abstraction Layer (HAL) for a target computing device that is equipped with an Application Specific Integrated Circuit (ASIC) or other hardware element that provides forwarding and/or switching capability is used to analyze an abstract candidate device model. The abstract candidate device model is received from a controller and specifies intended forwarding behavior for the target device. The HAL analyzes the abstract candidate device model based on its knowledge of the architecture of the ASIC or other hardware element providing forwarding or switching capability to the target device. If the behavior is supported by the target device's architecture, the model may be implemented in a specific manner supported by that architecture and used to control forwarding behavior on the target device.

Abstract: A Hardware Abstraction Layer (HAL) for a target computing device that is equipped with an Application Specific Integrated Circuit (ASIC) or other hardware element that provides forwarding and/or switching capability is used to analyze an abstract candidate device model. The abstract candidate device model is received from a controller and specifies intended forwarding behavior for the target device. The HAL analyzes the abstract candidate device model based on its knowledge of the architecture of the ASIC or other hardware element providing forwarding or switching capability to the target device. If the behavior is supported by the target device's architecture, the model may be implemented in a specific manner supported by that architecture and used to control forwarding behavior on the target device.

Abstract: A Hardware Abstraction Layer (HAL) for a target computing device that is equipped with an Application Specific Integrated Circuit (ASIC) or other hardware element that provides forwarding and/or switching capability is used to analyze an abstract candidate device model. The abstract candidate device model is received from a controller and specifies intended forwarding behavior for the target device. The HAL analyzes the abstract candidate device model based on its knowledge of the architecture of the ASIC or other hardware element providing forwarding or switching capability to the target device. If the behavior is supported by the target device's architecture, the model may be implemented in a specific manner supported by that architecture and used to control forwarding behavior on the target device.

Abstract: A routing controller in a communication network may be responsible for issuing routing rules to forwarding devices in the network. Exemplary embodiments allow forwarding functionality to be implemented by the forwarding devices in a device-specific manner. The routing controller may specify a routing rule to be implemented by the forwarding device, and may provide a default or suggested implementation of the function in the specification of the rule. If the forwarding device does not have a predetermined implementation of the function that is specific to the routing device, the forwarding device may use the default implementation provided by the routing controller. However, if the forwarding device does have a predetermined implementation of the function, the forwarding device may override the implementation described in the specification and use the predetermined implementation instead.

Abstract: A controller in a communication network may be responsible for generating a device model that defines intended forwarding behavior of a network. The device model may be generated using a target-independent universal language of network primitives. The controller may assign a first set of parameters to the device model to generate a first parameterized device model. The controller may assign a second set of parameters to the device model to generate a second parameterized device model. The controller may send the first parameterized device model or the second parameterized device model to a target device. The target device may statically or dynamically translate the received parameterized device model(s) to implementation. The controller is not required to generate a new device model for each modification made to the network: the controller may parameterized a generic device model to reflect the modifications.

Abstract: A negotiation process is conducted between a controller and a target forwarding or switching device with respect to an abstract candidate device model for a forwarding plane. The abstract candidate device model is provided by a controller and indicates intended forwarding or switching behavior for the target device that a controller desires to have implemented on the target device. The intended behavior is specified in terms of mandatory and non-mandatory behavior. A hardware abstraction layer (HAL) for the target device analyzes the abstract candidate device model and decides whether the mandatory and optional behavior that is specified by the model is supported given the architecture of the target. The HAL informs the controller whether the intended behavior is supported by the target. Additional behavior may be proposed and accepted or not before the model is finalized. The finalized model may then be implemented and used to control forwarding behavior on the target device.

Abstract: A routing controller in a communication network may be responsible for issuing routing rules to forwarding devices in the network. Exemplary embodiments allow forwarding functionality to be implemented by the forwarding devices in a device-specific manner. The routing controller may specify a routing rule to be implemented by the forwarding device, and may provide a default or suggested implementation of the function in the specification of the rule. If the forwarding device does not have a predetermined implementation of the function that is specific to the routing device, the forwarding device may use the default implementation provided by the routing controller. However, if the forwarding device does have a predetermined implementation of the function, the forwarding device may override the implementation described in the specification and use the predetermined implementation instead.

Abstract: A routing controller in a communication network may be responsible for generating a device model that defines intended forwarding behavior of the network. The device model may be generated using a target-independent universal language of network primitives. The controller may send the device model to a target device. The device controller may include one or more known identifiers associated with one or more portions of the model. The target device may know the mapping between the known identifiers and the capabilities of the target device. Upon receiving the device model from the controller, the target device may retrieve the known mapping to statically translate the device model to implementation. The static translation of the device model provides reusability of the previously determined mappings. The target device is not required to have a translator for dynamically translating the device model each time that the device model is received from the controller.