Abstract: Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.

Abstract: Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.

Abstract: Technologies are disclosed for monitoring network traffic using traffic mirroring. According to some examples, traffic mirroring allows customers to monitor traffic at different sources within a VPC. For example, a source may be any Elastic Network Interface (ENI) in their VPC, including elastic network interfaces (ENIs) on virtual machine instances, Network Address Translation (NAT) Gateways, Load Balancers, VPC endpoints, Internal Gateways, Transit Gateways, and more. Filters can be utilized to determine the network traffic to mirror. A customer may also configure to monitor real-time traffic with a monitoring appliance of their choice. With traffic mirroring, data traffic may be identified and sent to one or more target devices. Customers may monitor traffic within a VPC for content inspection, forensic analysis, troubleshooting, record keeping, and the like.

Abstract: A determination is made that messages from a first constituent service of an application are to be processed at a second constituent service. Networking configuration settings are generated such that a message originating at the first constituent service is directed to a traffic processing agent established by a traffic management service. In response to a receipt of a message from the first constituent service at the agent, one or more packets are delivered to the second constituent service.

Abstract: Techniques for networking in provider network substrate extensions are described. A compute instance of an isolated virtual network is hosted by an extension of a provider network that is in communication with the provider network via a secure tunnel through a customer network. A request to establish communications between the isolated virtual network and the customer network is received at an interface to the provider network. A message to cause a gateway of the extension to route traffic between the isolated virtual network and the customer network is sent via the secure tunnel.

Abstract: Disclosed are various embodiments that provide highly available data-processing network functions for radio-based networks. In one embodiment, a tunnel host consistently routes network traffic associated with a range of network addresses in a radio-based network to a first instance of a data-processing network function instead of a second instance of the data-processing network function. A problem with the first instance of the data-processing network function is then detected. Additional network traffic associated with the range of network addresses is redirected from the first instance of the data-processing network function to the second instance of the data-processing network function.

Abstract: Indications of packet processing operations to be performed for packets of a resource group, as well as configuration settings of the group, are obtained. A packet that satisfies a requirement of the configuration settings and meets a fast path criterion is processed at a fast path node configured for the group. In response to determining that another packet does not satisfy a criterion for fast path processing, the other packet is transmitted to an exception path target.

Abstract: Respective destination groups are provided to routing intermediaries associated with a packet processing application. The destination group comprises a set of fast-path packet processing nodes of a packet processing service to which the routing intermediaries are to transmit packets to be processed. After a determination is made that the set of fast-path nodes to be included in the destination groups has changed, the destination groups are modified gradually during an update propagation interval.

Abstract: A determination is made that messages from a first constituent service of an application are to be processed at a second constituent service. Networking configuration settings are generated such that a message originating at the first constituent service is directed to a traffic processing agent established by a traffic management service. In response to a receipt of a message from the first constituent service at the agent, one or more packets are delivered to the second constituent service.

Abstract: Disclosed are various embodiments of a stateful network router. In one embodiment, a stateful network router intercepts a network data connection between a first host and a second host on a network. The stateful network router routes first data packets from the network data connection sent by the first host to the second host to a target. The stateful network router also routes second data packets from the network data connection sent by the second host to the first host to the target.

Abstract: A program to be executed to perform a packet processing operation on a packet associated with a resource group, as well as security settings of the resource group, are received. The program is transmitted to a set of fast path nodes which were assigned to the resource group based on the group's metadata. With respect to a particular packet, security operations based on the settings are performed and the program is executed at a fast path node. Based at least partly on the results of the program, a packet routing action corresponding to the received packet is performed.

Abstract: Techniques for providing a managed time service are described. A control plane of the managed time service can receive data indicating one or more network time protocol (NTP) hosts are active. The control plane can update a zonal domain name system (DNS) to include the one or more NTP hosts. The at least one compute resource accesses the one or more NTP hosts using the zonal DNS, and the one or more NTP hosts provide time data to the at least one compute resource. The control plane can receive performance data from the one or more NTP hosts and automatically scale the one or more NTP hosts based on the performance data.

Abstract: A program to be executed to perform a packet processing operation on a packet associated with a resource group, as well as security settings of the resource group, are received. The program is transmitted to a set of fast path nodes which were assigned to the resource group based on the group's metadata. With respect to a particular packet, security operations based on the settings are performed and the program is executed at a fast path node. Based at least partly on the results of the program, a packet routing action corresponding to the received packet is performed.

Abstract: Technologies are disclosed for monitoring network traffic using traffic mirroring. According to some examples, traffic mirroring allows customers to monitor traffic at different sources within a VPC. For example, a source may be any Elastic Network Interface (ENI) in their VPC, including elastic network interfaces (ENIs) on virtual machine instances, Network Address Translation (NAT) Gateways, Load Balancers, VPC endpoints, Internal Gateways, Transit Gateways, and more. Filters can be utilized to determine the network traffic to mirror. A customer may also configure to monitor real-time traffic with a monitoring appliance of their choice. With traffic mirroring, data traffic may be identified and sent to one or more target devices. Customers may monitor traffic within a VPC for content inspection, forensic analysis, troubleshooting, record keeping, and the like.

Abstract: Indications of packet processing operations to be performed for packets of a resource group, as well as configuration settings of the group, are obtained. A packet that satisfies a requirement of the configuration settings and meets a fast path criterion is processed at a fast path node configured for the group. In response to determining that another packet does not satisfy a criterion for fast path processing, the other packet is transmitted to an exception path target.

Abstract: A representation of packet processing operations is obtained from a client of a provider network. A set of packet processing nodes is configured at a premise external to the provider network, and the representation is transmitted to the premise. In response to a reception of a network packet, the set of packet processing nodes perform the packet processing operations at the external premise.

Abstract: A method for launching a plurality of computing instances may include obtaining a request to launch a plurality of computing instances. The request may indicate a first number and a target number of compute instances that is larger than the first number. The method may further include verifying that there is sufficient capacity, for example of a compute instance service, to launch at least the first number of compute instances. The request may be fulfilled by at least launching at least the first number of compute instances in a way that bypasses a rate limit that limits a rate at which compute instances can be launched. In some cases, the method may additionally include launching additional compute instances, as they become available, until the target number has been reached.

Abstract: Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.

Abstract: An overlay network can be extended to edge routers for a substrate network. A request to make an overlay network available may be received at a network manager for a substrate network. The network manager may update an edge router to add an overlay network route to the edge router. The edge router can then indicate that the network route is available for handling network traffic. When network traffic directed to the overlay network is received at the network route, the edge router can forward the network traffic to the overlay network according to the added network route.