Patents by Inventor Jason Lango

Jason Lango has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10999328
    Abstract: A tag-based policy architecture enforces information technology (IT) policy in a virtualized computing environment using cryptographically-verifiable metadata to authenticate compute resources coupled to a computer network and to authorize access to protected resources of the network. The compute resources are illustratively virtual machine instances (VMIs) provided by a virtual data center (VDC) of the environment, whereas the protected resources are illustratively virtualized storage, network and/or other compute resources of the VDC. Each VMI includes an intermediary manager, e.g., metavisor. The tag-based policy architecture includes an infrastructure having a centralized policy decision end point (e.g., a control plane of the VDC) and distributed policy enforcement endpoints (e.g.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: May 4, 2021
    Assignee: VMware, Inc.
    Inventors: Jason A. Lango, Grant Callaghan, Marcel Moolenaar, Vinay Wagh, Rohan Desai, Matthew Page, Gary Menezes, Antoine Pourchet, Ramya Olichandran
  • Patent number: 10896257
    Abstract: In an embodiment, a secure boot method comprises writing a wrapped data encryption key (DEK) and a wrapped key encryption key (KEK) onto a label of a wrapped operating system image prior to uploading the wrapped operating system image to a virtual data center using one or more computing devices.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: January 19, 2021
    Assignee: VMware, Inc.
    Inventors: Jason A. Lango, Adam Cain, Nitin Bahadur, John K. Edwards, Kevin George, William McGovern, Andrew G. Tucker
  • Patent number: 10552606
    Abstract: In an approach, an intermediary guest manager operates within a virtual machine hosted by a host machine and managed by a hypervisor. The intermediary guest manager manages one or more guest operating systems operating within the virtual machine and implements one or more security services for the guest operating systems. The security services provided to the guest operating systems may include system call filtering, memory protections, secure memory dumps, and others. In some cases, the intermediary guest manager consults a threat defense policy which contains a number of records, where each record has one or more triggers representing suspicious activity and one or more actions to take in response to being triggered. When the intermediary guest manager identifies a request, such as a system call or memory access, that meets the trigger of a particular record, the intermediary guest manager executes the associated actions to remediate the suspicious activity.
    Type: Grant
    Filed: January 5, 2018
    Date of Patent: February 4, 2020
    Assignee: VMware, Inc.
    Inventors: Jason A. Lango, Dennis Ramdass, James J. Voll
  • Patent number: 10509914
    Abstract: A technique implements data policy deployed in a tag-based policy architecture of a virtualized computing environment. Implementation of the data policy may include applying volume tags to data stored on virtualized storage resources, such as disks organized as volumes, based on instances that generate the data, contents of the data, and/or sensitivity of the data. The volume tags may be applied in a cryptographically strong manner to prevent tampering of the tagged data. To that end, the volume tags are cryptographically associated with the data, wherein such association is effected by binding the tags to a data encryption key stored on the volumes (disks) and used to encrypt/decrypt the data stored on the volumes.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: December 17, 2019
    Assignee: VMware, Inc.
    Inventors: Rohan Desai, Jason A. Lango, Vinay Wagh, Nolan Karpinski, Antoine Pourchet
  • Publication number: 20190306196
    Abstract: A tag-based policy architecture enforces information technology (IT) policy in a virtualized computing environment using cryptographically-verifiable metadata to authenticate compute resources coupled to a computer network and to authorize access to protected resources of the network. The compute resources are illustratively virtual machine instances (VMIs) provided by a virtual data center (VDC) of the environment, whereas the protected resources are illustratively virtualized storage, network and/or other compute resources of the VDC. Each VMI includes an intermediary manager, e.g., metavisor. The tag-based policy architecture includes an infrastructure having a centralized policy decision end point (e.g., a control plane of the VDC) and distributed policy enforcement endpoints (e.g.
    Type: Application
    Filed: June 3, 2019
    Publication date: October 3, 2019
    Inventors: Jason A. Lango, Grant Callaghan, Marcel Moolenaar, Vinay Wagh, Rohan Desai, Matthew Page, Gary Menezes, Antoine Pourchet, Ramya Olichandran
  • Patent number: 10356128
    Abstract: A tag-based policy architecture enforces information technology (IT) policy in a virtualized computing environment using cryptographically-verifiable metadata to authenticate compute resources coupled to a computer network and to authorize access to protected resources of the network. The compute resources are illustratively virtual machine instances (VMIs) provided by a virtual data center (VDC) of the environment, whereas the protected resources are illustratively virtualized storage, network and/or other compute resources of the VDC. Each VMI includes an intermediary manager, e.g., metavisor. The tag-based policy architecture includes an infrastructure having a centralized policy decision end point (e.g., a control plane of the VDC) and distributed policy enforcement endpoints (e.g.
    Type: Grant
    Filed: July 27, 2017
    Date of Patent: July 16, 2019
    Assignee: VMware, Inc.
    Inventors: Jason A. Lango, Grant Callaghan, Marcel Moolenaar, Vinay Wagh, Rohan Desai, Matthew Page, Gary Menezes, Antoine Pourchet, Ramya Olichandran
  • Publication number: 20180373879
    Abstract: In an embodiment, a secure boot method comprises writing a wrapped data encryption key (DEK) and a wrapped key encryption key (KEK) onto a label of a wrapped operating system image prior to uploading the wrapped operating system image to a virtual data center using one or more computing devices.
    Type: Application
    Filed: March 23, 2018
    Publication date: December 27, 2018
    Inventors: Jason A. Lango, Adam Cain, Nitin Bahadur, John K. Edwards, Kevin George, William McGovern, Andrew G. Tucker
  • Publication number: 20180293378
    Abstract: In an approach, an intermediary guest manager operates within a virtual machine hosted by a host machine and managed by a hypervisor. The intermediary guest manager manages one or more guest operating systems operating within the virtual machine and implements one or more security services for the guest operating systems. The security services provided to the guest operating systems may include system call filtering, memory protections, secure memory dumps, and others. In some cases, the intermediary guest manager consults a threat defense policy which contains a number of records, where each record has one or more triggers representing suspicious activity and one or more actions to take in response to being triggered. When the intermediary guest manager identifies a request, such as a system call or memory access, that meets the trigger of a particular record, the intermediary guest manager executes the associated actions to remediate the suspicious activity.
    Type: Application
    Filed: January 5, 2018
    Publication date: October 11, 2018
    Inventors: Jason A. Lango, Dennis Ramdass, James J. Voll
  • Patent number: 9953168
    Abstract: In an approach, a secure boot process includes two phases. In the first phase, an on-premises device generates a data encryption key (DEK) with which to encrypt an operating system image and a key encryption key (KEK) with which to wrap the DEK. The on-premises device then utilizes a key management service to wrap the KEK with an account root key and writes the wrapped DEK and wrapped KEK onto a label of the encrypted operating system image. The encrypted operating system image is then uploaded to a virtual data center and merged with an intermediary guest manager image. When the encrypted machine image is used to generate a virtual machine instance, the intermediary guest manager utilizes the key management service to unwrap the KEK. The unwrapped KEK is then used to unwrap the wrapped DEK, which is then used to launch the encrypted guest operating system.
    Type: Grant
    Filed: June 26, 2017
    Date of Patent: April 24, 2018
    Assignee: Bracket Computing, Inc.
    Inventors: Jason A. Lango, Adam Cain, Nitin Bahadur, John K. Edwards, Kevin George, William McGovern, Andrew G. Tucker
  • Patent number: 9892256
    Abstract: In an approach, an intermediary guest manager operates within a virtual machine hosted by a host machine and managed by a hypervisor. The intermediary guest manager manages one or more guest operating systems operating within the virtual machine and implements one or more security services for the guest operating systems. The security services provided to the guest operating systems may include system call filtering, memory protections, secure memory dumps, and others. In some cases, the intermediary guest manager consults a threat defense policy which contains a number of records, where each record has one or more triggers representing suspicious activity and one or more actions to take in response to being triggered. When the intermediary guest manager identifies a request, such as a system call or memory access, that meets the trigger of a particular record, the intermediary guest manager executes the associated actions to remediate the suspicious activity.
    Type: Grant
    Filed: April 10, 2017
    Date of Patent: February 13, 2018
    Assignee: Bracket Computing, Inc.
    Inventors: Jason A. Lango, Dennis Ramdass, James J. Voll
  • Patent number: 9733867
    Abstract: A storage administrator may maintain location information in separate layers. A data storage system may identify the location of particular data by identifying the virtual location of data, such as the logical extent to which the data belongs. Object stores may maintain mappings of virtual locations to physical locations, such as mappings of extent identifiers to virtual storage objects and mappings of virtual storage objects to storage unit locations. When particular data is relocated to a new location, a storage administrator may update mappings used to translate virtual locations to physical locations, such as an extent-object mapping or an object-storage unit mapping. References to the virtual locations, such as references to logical extent identifiers, may not be updated in response to the relocation of data.
    Type: Grant
    Filed: March 12, 2014
    Date of Patent: August 15, 2017
    Assignee: Bracket Computing, Inc.
    Inventors: Jason A. Lango, John K. Edwards, Nitin Muppalaneni
  • Patent number: 9578064
    Abstract: A computer-implemented process receives a request to utilize one or more virtual data center (VDC) resources at a virtual data center and determines a particular service level applicable to request. Based on the particular service level and mapping information that indicates associations between VDC resource utilization policies and service levels, the process determines a particular VDC resource utilization policy corresponding to the request and causes completion of the request according to the particular VDC resource utilization policy. Another process determines that a resource utilization performance is incompatible with a requested service level and selects a new resource utilization based in part on the resource utilization performance information and mapping information. The process causes data distributed according to a prior resource utilization policy to be distributed according to the new resource utilization policy in one or more resources at a virtual data center.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: February 21, 2017
    Assignee: Bracket Computing, Inc.
    Inventors: Jason A. Lango, John K. Edwards, Nitin Muppalaneni
  • Patent number: 9535741
    Abstract: One or more services for enhancing guest utilization of a virtual machine and other VDC resources may be provided at the intermediary manager. In an embodiment, the intermediary manager intercepts a hypercall from a guest operating system that is separate from the intermediary manager. The intermediary manager determines that a particular intermediary service is associated with the hypercall and causes execution of service instructions associated with the particular intermediary service. The intermediary manager and guest operating systems may operate within a virtual machine hosted by a host machine and managed by a hypervisor. Embodiments may be useful in any of a virtualized enterprise computer system; a virtual machine infrastructure in a private data center; computing, storage or networking resources in a private cloud; computing, storage or networking resources of cloud service provider; and a hybrid cloud computing environment.
    Type: Grant
    Filed: January 27, 2016
    Date of Patent: January 3, 2017
    Assignee: Bracket Computing, Inc.
    Inventors: Jason A. Lango, James J. Voll, Andrew G. Tucker
  • Publication number: 20160212176
    Abstract: A computer-implemented process receives a request to utilize one or more virtual data center (VDC) resources at a virtual data center and determines a particular service level applicable to request. Based on the particular service level and mapping information that indicates associations between VDC resource utilization policies and service levels, the process determines a particular VDC resource utilization policy corresponding to the request and causes completion of the request according to the particular VDC resource utilization policy. Another process determines that a resource utilization performance is incompatible with a requested service level and selects a new resource utilization based in part on the resource utilization performance information and mapping information. The process causes data distributed according to a prior resource utilization policy to be distributed according to the new resource utilization policy in one or more resources at a virtual data center.
    Type: Application
    Filed: March 30, 2016
    Publication date: July 21, 2016
    Inventors: Jason A. Lango, John K. Edwards, Nitin Muppalaneni
  • Patent number: 9335932
    Abstract: Performance information for storage units located at a virtual data center is determined by executing storage administrator logic whose execution is controlled by a management entity different than the virtual data center provider. Performance expectations are automatically determined based on the determined performance information. In response to determining that a particular storage unit is incompatible with performance expectations applicable to the particular storage unit, embodiments cause a reduction in utilization of the particular storage unit. Based on determined performance information, another embodiment determines that a performance pattern indicating a physical co-location of a first storage unit and a second storage unit has occurred.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 10, 2016
    Assignee: Bracket Computing, Inc.
    Inventors: Jason A. Lango, John K. Edwards
  • Patent number: 9306978
    Abstract: A computer-implemented process receives a request to utilize one or more virtual data center (VDC) resources at a virtual data center and determines a particular service level applicable to request. Based on the particular service level and mapping information that indicates associations between VDC resource utilization policies and service levels, the process determines a particular VDC resource utilization policy corresponding to the request and causes completion of the request according to the particular VDC resource utilization policy. Another process determines that a resource utilization performance is incompatible with a requested service level and selects a new resource utilization based in part on the resource utilization performance information and mapping information. The process causes data distributed according to a prior resource utilization policy to be distributed according to the new resource utilization policy in one or more resources at a virtual data center.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: April 5, 2016
    Assignee: Bracket Computing, Inc.
    Inventors: Jason A. Lango, John K. Edwards, Nitin Muppalaneni
  • Patent number: 9292331
    Abstract: One or more services for enhancing guest utilization of a virtual machine and other VDC resources may be provided at the intermediary manager. In an embodiment, the intermediary manager intercepts a hypercall from a guest operating system that is separate from the intermediary manager. The intermediary manager determines that a particular intermediary service is associated with the hypercall and causes execution of service instructions associated with the particular intermediary service. The intermediary manager and guest operating systems may operate within a virtual machine hosted by a host machine and managed by a hypervisor. Embodiments may be useful in any of a virtualized enterprise computer system; a virtual machine infrastructure in a private data center; computing, storage or networking resources in a private cloud; computing, storage or networking resources of cloud service provider; and a hybrid cloud computing environment.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 22, 2016
    Assignee: Bracket Computing, Inc.
    Inventors: Jason A. Lango, James J. Voll, Andrew G. Tucker
  • Publication number: 20140281350
    Abstract: A storage administrator may maintain location information in separate layers. A data storage system may identify the location of particular data by identifying the virtual location of data, such as the logical extent to which the data belongs. Object stores may maintain mappings of virtual locations to physical locations, such as mappings of extent identifiers to virtual storage objects and mappings of virtual storage objects to storage unit locations. When particular data is relocated to a new location, a storage administrator may update mappings used to translate virtual locations to physical locations, such as an extent-object mapping or an object-storage unit mapping. References to the virtual locations, such as references to logical extent identifiers, may not be updated in response to the relocation of data.
    Type: Application
    Filed: March 12, 2014
    Publication date: September 18, 2014
    Applicant: Bracket Computing, Inc.
    Inventors: Jason A. Lango, John K. Edwards, Nitin Muppalaneni
  • Publication number: 20140282824
    Abstract: A computer-implemented process receives a request to utilize one or more virtual data center (VDC) resources at a virtual data center and determines a particular service level applicable to request. Based on the particular service level and mapping information that indicates associations between VDC resource utilization policies and service levels, the process determines a particular VDC resource utilization policy corresponding to the request and causes completion of the request according to the particular VDC resource utilization policy. Another process determines that a resource utilization performance is incompatible with a requested service level and selects a new resource utilization based in part on the resource utilization performance information and mapping information. The process causes data distributed according to a prior resource utilization policy to be distributed according to the new resource utilization policy in one or more resources at a virtual data center.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Inventors: Jason A. Lango, John K. Edwards, Nitin Muppalaneni
  • Publication number: 20140279320
    Abstract: A method and apparatus for allocating and pricing virtual resources is provided. According to one aspect, pricing information is obtained for a plurality of virtual resources offered by a plurality of providers. A set of selected virtual resources is determined for a first customer. An expected quantity is determined for at least one virtual resource for the first customer. A fixed charge is determined based on the pricing information, the set of selected virtual resources and at least one expected quantity. At least one unit rate is determined for at least one virtual resource based on the pricing information. The first customer is provided access to the set of selected virtual resources during a billing period, wherein the fixed charge is billed for the billing period. An overflow charge, if any, is determined based on the at least one unit rate and an actual usage during the billing period.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Applicant: Bracket Computing, Inc.
    Inventors: James A. Scheinblum, Shalabh Mohan, Jason A. Lango, Thomas B. Gillis, Robert K. Van Zant, Jr.