Abstract: Disclosed are various embodiments that provide highly available data-processing network functions for radio-based networks. In one embodiment, routing information is received from a plurality of instantiations of a data-processing network function of a radio-based network. Based at least in part on the routing information, a route to a first instantiation of the plurality of instantiations of the data-processing network function is advertised. Based at least in part on the routing information, a backup route to a second instantiation of the plurality of instantiations of the data-processing network function is advertised.

Abstract: Disclosed are various embodiments of a stateful network router. In one embodiment, a network data connection is intercepted between a first host and a second host on a network. First data packets from the network data connection sent by the first host to the second host are routed to a target network appliance. Second data packets from the network data connection sent by the second host to the first host are also to the target network appliance.

Abstract: Disclosed are various embodiments that provide highly available data-processing network functions for radio-based networks. In one embodiment, a tunnel host consistently routes network traffic associated with a range of network addresses in a radio-based network to a first instance of a data-processing network function instead of a second instance of the data-processing network function. A problem with the first instance of the data-processing network function is then detected. Additional network traffic associated with the range of network addresses is redirected from the first instance of the data-processing network function to the second instance of the data-processing network function.

Abstract: The present disclosure generally relates to a first network device in a primary region that can failover network traffic into a second network device in a failover region. The first network device can receive routing criteria identifying how traffic originating in the primary region should be routed. The first network device can transmit this routing criteria to the second network device in the failover region. Based on determining the occurrence of a failover event, the first network device may transmit network traffic originating in the primary region to the second network device in the failover region. The second network device can determine how to route the network traffic based on the routing criteria of the primary region. In some embodiments, the second network device can determine how to route the network traffic based on the routing criteria of the failover region.

Abstract: Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.

Abstract: Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.

Abstract: Technologies are disclosed for monitoring network traffic using traffic mirroring. According to some examples, traffic mirroring allows customers to monitor traffic at different sources within a VPC. For example, a source may be any Elastic Network Interface (ENI) in their VPC, including elastic network interfaces (ENIs) on virtual machine instances, Network Address Translation (NAT) Gateways, Load Balancers, VPC endpoints, Internal Gateways, Transit Gateways, and more. Filters can be utilized to determine the network traffic to mirror. A customer may also configure to monitor real-time traffic with a monitoring appliance of their choice. With traffic mirroring, data traffic may be identified and sent to one or more target devices. Customers may monitor traffic within a VPC for content inspection, forensic analysis, troubleshooting, record keeping, and the like.

Abstract: A determination is made that messages from a first constituent service of an application are to be processed at a second constituent service. Networking configuration settings are generated such that a message originating at the first constituent service is directed to a traffic processing agent established by a traffic management service. In response to a receipt of a message from the first constituent service at the agent, one or more packets are delivered to the second constituent service.

Abstract: Techniques for networking in provider network substrate extensions are described. A compute instance of an isolated virtual network is hosted by an extension of a provider network that is in communication with the provider network via a secure tunnel through a customer network. A request to establish communications between the isolated virtual network and the customer network is received at an interface to the provider network. A message to cause a gateway of the extension to route traffic between the isolated virtual network and the customer network is sent via the secure tunnel.

Abstract: Disclosed are various embodiments that provide highly available data-processing network functions for radio-based networks. In one embodiment, a tunnel host consistently routes network traffic associated with a range of network addresses in a radio-based network to a first instance of a data-processing network function instead of a second instance of the data-processing network function. A problem with the first instance of the data-processing network function is then detected. Additional network traffic associated with the range of network addresses is redirected from the first instance of the data-processing network function to the second instance of the data-processing network function.

Abstract: Indications of packet processing operations to be performed for packets of a resource group, as well as configuration settings of the group, are obtained. A packet that satisfies a requirement of the configuration settings and meets a fast path criterion is processed at a fast path node configured for the group. In response to determining that another packet does not satisfy a criterion for fast path processing, the other packet is transmitted to an exception path target.

Abstract: Respective destination groups are provided to routing intermediaries associated with a packet processing application. The destination group comprises a set of fast-path packet processing nodes of a packet processing service to which the routing intermediaries are to transmit packets to be processed. After a determination is made that the set of fast-path nodes to be included in the destination groups has changed, the destination groups are modified gradually during an update propagation interval.

Abstract: A determination is made that messages from a first constituent service of an application are to be processed at a second constituent service. Networking configuration settings are generated such that a message originating at the first constituent service is directed to a traffic processing agent established by a traffic management service. In response to a receipt of a message from the first constituent service at the agent, one or more packets are delivered to the second constituent service.

Abstract: Disclosed are various embodiments of a stateful network router. In one embodiment, a stateful network router intercepts a network data connection between a first host and a second host on a network. The stateful network router routes first data packets from the network data connection sent by the first host to the second host to a target. The stateful network router also routes second data packets from the network data connection sent by the second host to the first host to the target.

Abstract: A program to be executed to perform a packet processing operation on a packet associated with a resource group, as well as security settings of the resource group, are received. The program is transmitted to a set of fast path nodes which were assigned to the resource group based on the group's metadata. With respect to a particular packet, security operations based on the settings are performed and the program is executed at a fast path node. Based at least partly on the results of the program, a packet routing action corresponding to the received packet is performed.

Abstract: Techniques for providing a managed time service are described. A control plane of the managed time service can receive data indicating one or more network time protocol (NTP) hosts are active. The control plane can update a zonal domain name system (DNS) to include the one or more NTP hosts. The at least one compute resource accesses the one or more NTP hosts using the zonal DNS, and the one or more NTP hosts provide time data to the at least one compute resource. The control plane can receive performance data from the one or more NTP hosts and automatically scale the one or more NTP hosts based on the performance data.

Abstract: Technologies are disclosed for monitoring network traffic using traffic mirroring. According to some examples, traffic mirroring allows customers to monitor traffic at different sources within a VPC. For example, a source may be any Elastic Network Interface (ENI) in their VPC, including elastic network interfaces (ENIs) on virtual machine instances, Network Address Translation (NAT) Gateways, Load Balancers, VPC endpoints, Internal Gateways, Transit Gateways, and more. Filters can be utilized to determine the network traffic to mirror. A customer may also configure to monitor real-time traffic with a monitoring appliance of their choice. With traffic mirroring, data traffic may be identified and sent to one or more target devices. Customers may monitor traffic within a VPC for content inspection, forensic analysis, troubleshooting, record keeping, and the like.

Abstract: A program to be executed to perform a packet processing operation on a packet associated with a resource group, as well as security settings of the resource group, are received. The program is transmitted to a set of fast path nodes which were assigned to the resource group based on the group's metadata. With respect to a particular packet, security operations based on the settings are performed and the program is executed at a fast path node. Based at least partly on the results of the program, a packet routing action corresponding to the received packet is performed.

Abstract: Indications of packet processing operations to be performed for packets of a resource group, as well as configuration settings of the group, are obtained. A packet that satisfies a requirement of the configuration settings and meets a fast path criterion is processed at a fast path node configured for the group. In response to determining that another packet does not satisfy a criterion for fast path processing, the other packet is transmitted to an exception path target.

Abstract: A representation of packet processing operations is obtained from a client of a provider network. A set of packet processing nodes is configured at a premise external to the provider network, and the representation is transmitted to the premise. In response to a reception of a network packet, the set of packet processing nodes perform the packet processing operations at the external premise.