Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.

Abstract: Embodiments of the present disclosure are directed to, among other things, providing resource allocation advice, configuration recommendations, and/or migration advice regarding data storage, access, placement, and/or related web services. In some examples, a web service may utilize or otherwise control a client instance to control, access, or otherwise manage resources of a distributed system. Based at least in part on one or more resource usage checks and/or configuration checks, resource usage information and/or configuration information of an account utilizing a web service, and/or user preferences and/or settings, resource allocation advice, system configuration recommendations, and/or migration advice may be provided to a user of an account. Additionally, in some examples, one or more remediation operations may be performed automatically.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as for computing nodes that are part of managed virtual computer networks provided on behalf of users or other entities. In some situations, one or more of the computing nodes of a managed virtual computer network is configured to perform actions to extend capabilities of the managed virtual computer network to other computing nodes that are not part of the managed virtual computer network, such as by forwarding communications between computing nodes of the managed virtual computer network and the other external computing nodes so as to enable the other external computing nodes to participate in the managed virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: The deployment of content and computing resources for implementing a distributed software application can be optimized based upon customer location. The volume and geographic origin of incoming requests for a distributed software application are determined. Based upon the volume and geographic origin of the incoming requests, content and/or one or more instances of the distributed software application may be deployed to a geographic region generating a significant volume of requests for the distributed software application. Content and/or instances of a distributed software application might also be speculatively deployed to a geographic region in an attempt to optimize the performance, cost, or other attribute of a distributed software application.

Abstract: Systems and methods are provided for managing objects. In one implementation, a computer-implemented method is provided. The method includes receiving a query comprising a tag and executing the query. An object identifier is retrieved from a data table, based on the tag. The method further returns a result of the query. The result includes the object identifier that was retrieved from the data table. The method further performing an action related to an object having the retrieved object identifier.

Abstract: Client requests may be directed through a secret holding proxy system such that the secret holding proxy system may insert a secret into a client request before arriving at the destination. The insertion of a secret may include inserting a digital signature, token or other information that includes a secret or information based upon a secret, which may include secret exchange or authentication protocols. The secret holding proxy system may also remove secrets and/or transform incoming messages such that the client may transparently receive the underlying content of the message.

Abstract: In certain embodiments, a system comprises a memory and a processor communicatively coupled to the memory. The memory includes executable instructions that upon execution cause the system to generate, at a first time, a first snapshot capturing data stored in storage units of a storage device. The executable instructions upon execution cause the system to receive an indication to delete at least a portion of the data in the storage units and captured by the first snapshot, and to mark, in response to receiving the indication, the one or more storage units that store the at least a first portion of the data as available. The executable instructions upon execution cause the system to generate, at a second time subsequent to the first time, a second snapshot that omits the one or more storage units marked as available.

Abstract: The deployment of content and computing resources for implementing a distributed software application can be optimized based upon customer location. The volume and geographic origin of incoming requests for a distributed software application are determined. Based upon the volume and geographic origin of the incoming requests, content and/or one or more instances of the distributed software application may be deployed to a geographic region generating a significant volume of requests for the distributed software application. Content and/or instances of a distributed software application might also be speculatively deployed to a geographic region in an attempt to optimize the performance, cost, or other attribute of a distributed software application.

Abstract: Techniques are described for facilitating use of software components by software applications in a configurable manner. In some situations, the software components are fee-based components that are made available by providers of the components for use by others in exchange for fees defined by the components providers, and in at least some situations, the software components may have various associated restrictions or other non-price conditions related to their use. The described techniques facilitate use of such software components by software applications in a configured manner. Furthermore, in at least some situation, the execution of such software applications is managed by an application deployment system that controls and tracks the execution of the software application on one or more computing nodes, including to manage the execution of any software components that are part of the software application.

Abstract: In a resource-on-demand environment, dynamically created server instances are allowed to boot from encrypted boot volumes. Access keys to the boot volumes are provided from a key provider that authenticates new instances based on possession of a security token that has been previously shared between the key provider and the new instance through an out-of-band communication.

Abstract: The deployment of content and computing resources for implementing a distributed software application can be optimized based upon customer location. The volume and geographic origin of incoming requests for a distributed software application are determined. Based upon the volume and geographic origin of the incoming requests, content and/or one or more instances of the distributed software application may be deployed to a geographic region generating a significant volume of requests for the distributed software application. Content and/or instances of a distributed software application might also be speculatively deployed to a geographic region in an attempt to optimize the performance, cost, or other attribute of a distributed software application.

Abstract: A first identity claim and a first attempt to prove password possession are received. As a result of determining that the first attempt to prove password possession is a match to a password in a set of passwords, but that the first identity claim is a mismatch to an identity that corresponds to the password, an authentication process that includes incrementing a counter associated with the password is performed. A second identity claim and a second attempt to prove password possession is received. As a result of determining that the second attempt to prove password possession is a match to the password, an authentication process that includes incrementing the counter associated with the password only if the second identity claim is a mismatch to the first identity claim is performed.

Abstract: Update preferences might be utilized to specify that an update to an application should not be applied until the demand for the application falls below a certain threshold. Demand for the application is monitored. The update to the application is applied when the actual demand for the application falls below the specified threshold. The threshold might be set such that updates are deployed during the off-peak periods of demand encountered during a regular demand cycle, such as a diurnal, monthly, or yearly cycle.

Abstract: Disclosed are various embodiments for allocating computing resources. A request to allocate a computing resource in a collection of networked computing devices is obtained. It is determined whether the request can be fulfilled according to a current configuration of the networked computing devices. A reconfiguration of one or more of the networked computing devices to a different configuration is initiated in order to fulfill the request. The reconfiguration is initiated when a value associated with the request exceeds a cost associated with fulfilling the request. The reconfiguration is initiated in response to determining that the request cannot be fulfilled according to the current configuration.

Abstract: When requesting network services, clients often supply authentication information such as digital signatures. A network provider may from time to time change its authentication scheme. Clients are notified of the change and are provided with an updated authentication specification. Upon receiving the updated authentication specification, a client updates its authentication logic accordingly, and subsequently prepares and provides authentication information in accordance with the new authentication scheme.

Abstract: In certain embodiments, a system includes one or more memory units and one or more processing units. The memory units store blocks that each include a number of identifiers. The memory units include executable instructions that upon execution by the processing units cause the system to receive a request to allocate an identifier to an entity. The request includes data identifying the entity. A target block of identifiers is identified. The target block includes more unallocated identifiers than any other block. The target block is split into first and second blocks. The identifiers of the second block are each higher than any identifier of the first block. The second block is assigned to the entity, and a lowest identifier of the second block is allocated to the entity.

Abstract: Identity certificates such as SSL certificates can be issued in such a way that their use can be disabled upon short notice. In one embodiment, private signing information associated with a certificate is used by an infrastructure service on behalf of an entity, without making the private signing information accessible to the entity. In another embodiment, short-term certificates are dynamically issued to an application based on a previous certificate authorization.

Abstract: Client requests may be directed through a secret holding proxy system such that the secret holding proxy system may insert a secret into a client request before arriving at the destination. The insertion of a secret may include inserting a digital signature, token or other information that includes a secret or information based upon a secret, which may include secret exchange or authentication protocols. The secret holding proxy system may also remove secrets and/or transform incoming messages such that the client may transparently receive the underlying content of the message.

Abstract: Functionality is disclosed herein for providing a resource monitoring environment that restricts access to computing resource data in a service provider network. The resource monitoring environment processes requests to access computing resource data, and denies requests not signed or authorized by a customer of a service provider network or other entity. Access to the computing resource data includes access to non-obfuscated data and/or access to encrypted computing resource data encrypted by way of a public encryption key held by a customer of the service provider network or other entity instead of a requestor of the computing resource data.

Abstract: Systems and methods are provided for managing objects. In one implementation, a computer-implemented method is provided. The method includes receiving a query comprising a tag and executing the query. An object identifier is retrieved from a data table, based on the tag. The method further returns a result of the query. The result includes the object identifier that was retrieved from the data table. The method further performing an action related to an object having the retrieved object identifier.