Abstract: This present disclosure provides for a work distribution service, which is a multi-region, reliable service for dynamically sharding key ranges. The work distribution service offers exclusive ownership with leases, load balancing and routing information for owner discovery. Using the work distribution service, services can easily scale horizontally by sharding their workloads.

Abstract: Keyed Event Queue (KEQ) is a multi-region, dynamically-scaled message broker for managing a large number of independent strictly-ordered message queues. In this regard, a first request having a first plurality of associated events may be enqueued in a first queue, while a second request having a second plurality of associate events is enqueued in the second queue. The first and second queues are processed independently, such that any issues or failures that may arise with respect to the first plurality of events do not block the second plurality of events from being executed.

Abstract: Methods and systems are disclosed that provide in-session splitting of network traffic sessions for monitoring of traffic between network clients and network servers. This in-session splitting is based upon monitoring traffic sessions for one or more events and then initiating a proxied session based upon detection of the one or more events. For further embodiments, the creation of the proxied session is implemented based upon detection of a request for a secure link within the session traffic, and the proxied session is then implemented such that original session participants are not aware of the proxied session. The encrypted secure communications between the network client and the network server are split into two connections that decrypted and re-encrypted so that the contents of the secure link can be analyzed to identify network threats and/or other desired network related activities.

Abstract: Systems and methods are disclosed for drop detection and protection with respect to packet monitoring in virtual processing environments. Tap agents monitor and capture packets from the network traffic associated with network applications running within these virtual processing environments. Sequence numbers are added in packet encapsulation before tap packets are forwarded to tool agents. The tool agents then use the sequence numbers to detect packet drops within the tap packets. After drop detection, the tool agents send drop detection messages to an agent controller, and the agent controller generates and sends reconfiguration messages to the tap agents based upon the drop detection messages. The tool agents can also send drop detection messages directly to the tap agents. The tap agents adjust their operations based upon the reconfiguration messages and/or the drop detection messages to reduce packet drops within subsequent tap packets communications.

Abstract: Systems and methods are disclosed for location based deployment of test agents in a cloud environment based upon deployment information for previously placed customer processing nodes. The cloud environment is hosted by servers operating to provide cloud services within two or more server zones. A test controller receives deployment information about applications operating with the cloud environment, analyzes the deployment information to determine locations within the cloud environment for deployment of test agents where the locations are associated with a plurality of the applications, sends resource requests to a cloud management controller to deploy the test agents at the locations, and receives test results from the test agents deployed by the cloud management controller at the locations based upon the resource requests. Monitor agents operating along with applications deployed in the cloud can also be used to provide the deployment information to the test controller.

Abstract: Methods and systems are disclosed that pre-classify network traffic monitored within virtual machine (VM) platforms. Client packet monitor applications operate within client VM platforms to monitor network packets, generate monitored packets representing traffic of interest, determine packet classifications for the monitored packets based upon packet contents, identify tags associated with the packet classifications, encapsulate monitored packets with encapsulation headers including the tags to form encapsulated packets, and forward the encapsulated packets to tool VM platforms. Tool packet monitor applications operate within the tool VM platforms to receive the encapsulated packets, identify packet classifications associated with the tags, remove the encapsulation headers from the encapsulated packets, and forward de-encapsulated packets to network destinations based upon the packet classifications.

Abstract: Network tool optimizers for server cloud networks and related methods are disclosed. In part, master filters are defined to segregate and control user traffic, and user filters are defined to forward the user traffic to cloud-based network tools or tool instances. A master user interface and user interfaces for each user are provided so that the master filters and user filters can be defined and managed. A filter rules compiler within the cloud-based network tool optimizer then combines the master filters with the user filters, resolves conflicts in favor of the master filters, and generates filter engine rules that are applied to filter engines within the network tool optimizer for the cloud network. The filter engines then forward packets received at input ports for the network tool optimizer to output ports for the network tool optimizer that are coupled to network tools or tool instances within the cloud network.

Abstract: Systems and methods are disclosed for location based deployment of test agents in a cloud environment based upon deployment information for previously placed customer processing nodes. The cloud environment is hosted by servers operating to provide cloud services within two or more server zones. A test controller receives deployment information about applications operating with the cloud environment, analyzes the deployment information to determine locations within the cloud environment for deployment of test agents where the locations are associated with a plurality of the applications, sends resource requests to a cloud management controller to deploy the test agents at the locations, and receives test results from the test agents deployed by the cloud management controller at the locations based upon the resource requests. Monitor agents operating along with applications deployed in the cloud can also be used to provide the deployment information to the test controller.

Abstract: Metadata associated with client application instances running in virtual machine (VM) platforms within virtual processing environments is collected by monitor applications also running within the VM platforms. The instance metadata is transmitted to and received by a monitor control platform which in turn stores the instance metadata within a monitor instance registry. The instance metadata is updated through solicited or unsolicited updates. The instance metadata is used to identify groups of application instances, and these groups are used to determine targets instances for monitoring or management actions based upon later detected network events such as network security or threat events. Further, trust scores can be determined for components of the metadata stored in the instance registry, and composite trust scores can be generated and used to identify on or more groups of application instances.

Abstract: Methods and systems are disclosed that provide active firewall control for network traffic sessions within virtual processing platforms. Client agent instances run within virtual machine (VM) platforms (e.g., hypervisor, container, etc.) within virtual processing environments and enforce access, proxy, and/or other firewall rules with respect to network traffic sessions for application instances also running within the VM platforms. For certain embodiments, the agent instances collect information about applications and services running within the VM platforms and use this collected information to automatically enforce firewall rules. Additional disclosed embodiments redirect packets from “bad” network sources to a proxied application instance that interacts with the “bad” network source. This proxied interaction allows an agent instance monitoring the proxied session to analyze and assess the actual activity by the “bad” network source without putting the original data or network service at risk.

Abstract: Systems and methods are disclosed for drop detection and protection with respect to packet monitoring in virtual processing environments. Tap agents monitor and capture packets from the network traffic associated with network applications running within these virtual processing environments. Sequence numbers are added in packet encapsulation before tap packets are forwarded to tool agents. The tool agents then use the sequence numbers to detect packet drops within the tap packets. After drop detection, the tool agents send drop detection messages to an agent controller, and the agent controller generates and sends reconfiguration messages to the tap agents based upon the drop detection messages. The tool agents can also send drop detection messages directly to the tap agents. The tap agents adjust their operations based upon the reconfiguration messages and/or the drop detection messages to reduce packet drops within subsequent tap packets communications.

Abstract: Systems and methods are disclosed for packet deduplication for network packet monitoring in virtual processing environments. Tap agents are installed and run with respect to network applications operating with virtual processing environments. These tap agents capture packet traffic associated within these network applications, and deduplication rules are applied so that duplicate packet capture is avoided at the tap agents themselves. In particular, deduplication rules are applied to tap agents where two network applications for which packets are being captured are talking to each other so that one of the tap agents is set to the designated agent for packet capture. Without this designation, packets captured at by the two associated packet agents would represent the same packet flow from both ends thereby leading to duplicate packet capture.

Abstract: Systems and methods are disclosed that provide direct network traffic monitoring within virtual machine (VM) platforms operating in virtual processing environments. The disclosed embodiments in part provide direct network packet monitoring through client packet monitor applications that run within client VM platforms to obtain packet traffic and to forward this traffic directly to tool packet monitor applications operating within tool VM platforms. Further, the tool VM platforms can receive multiple incoming streams of network packets from various client VM platforms, and these incoming streams can change over time due to changes in the number of client VM platforms running within the virtual processing environment. Preferably, the network packet streams are communicated using encapsulation tunnels and related encapsulation headers, such as GRE tunnels using GRE identifiers in related encapsulation headers.

Abstract: Systems and methods are disclosed for packet deduplication for network packet monitoring in virtual processing environments. Tap agents are installed and run with respect to network applications operating with virtual processing environments. These tap agents capture packet traffic associated within these network applications, and deduplication rules are applied so that duplicate packet capture is avoided at the tap agents themselves. In particular, deduplication rules are applied to tap agents where two network applications for which packets are being captured are talking to each other so that one of the tap agents is set to the designated agent for packet capture. Without this designation, packets captured at by the two associated packet agents would represent the same packet flow from both ends thereby leading to duplicate packet capture.

Abstract: Network tool optimizer devices and related methods are disclosed that provide selective scanning of network packet traffic using cloud-based virtual machine tool platforms. Rather than require local network analysis tool resources, the disclosed embodiments identify subsets of packet traffic of interest, and these subsets are forwarded to a cloud-based server system where cloud-based virtual machine tool platforms are used to process the subsets of traffic of interest. Results from this processing are then provided back to adjust the operation of the network tool optimizers. Some further embodiments use local capture buffers and remote cloud replay buffers to stored subsets of traffic locally for later communication to cloud server systems where cloud-based tools analyze replays of the captured network traffic. Some further embodiments also use results from cloud-based tools to initiate local virtual machine tool platforms that are used to further analyze traffic of interest.

Abstract: Methods and systems are disclosed that provide in-session splitting of network traffic sessions for monitoring of traffic between network clients and network servers. This in-session splitting is based upon monitoring traffic sessions for one or more events and then initiating a proxied session based upon detection of the one or more events. For further embodiments, the creation of the proxied session is implemented based upon detection of a request for a secure link within the session traffic, and the proxied session is then implemented such that original session participants are not aware of the proxied session. The encrypted secure communications between the network client and the network server are split into two connections that decrypted and re-encrypted so that the contents of the secure link can be analyzed to identify network threats and/or other desired network related activities.

Abstract: Systems and methods are disclosed for instance based management and control for virtual machine (VM) platforms in virtual processing environments. Metadata associated with client application instances running in VM platforms are collected by monitor applications also running within the VM platforms. The instance metadata is transmitted to and received by a monitor control platform which in turn stores the instance metadata within a monitor instance registry. The instance metadata is updated through solicited or unsolicited updates. The instance metadata is used to identify groups of application instances, and these groups are used to determine targets instances for monitoring or management actions based upon later detected network events such as network security or threat events. Further, trust scores can be determined for components of the metadata stored in the instance registry, and composite trust scores can be generated and used to identify on or more groups of application instances.

Abstract: Methods and systems are disclosed that provide active firewall control for network traffic sessions within virtual processing platforms. Client agent instances run within virtual machine (VM) platforms (e.g., hypervisor, container, etc.) within virtual processing environments and enforce access, proxy, and/or other firewall rules with respect to network traffic sessions for application instances also running within the VM platforms. For certain embodiments, the agent instances collect information about applications and services running within the VM platforms and use this collected information to automatically enforce firewall rules. Additional disclosed embodiments redirect packets from “bad” network sources to a proxied application instance that interacts with the “bad” network source. This proxied interaction allows an agent instance monitoring the proxied session to analyze and assess the actual activity by the “bad” network source without putting the original data or network service at risk.

Abstract: Network tool optimizers for server cloud networks and related methods are disclosed. In part, master filters are defined to segregate and control user traffic, and user filters are defined to forward the user traffic to cloud-based network tools or tool instances. A master user interface and user interfaces for each user are provided so that the master filters and user filters can be defined and managed. A filter rules compiler within the cloud-based network tool optimizer then combines the master filters with the user filters, resolves conflicts in favor of the master filters, and generates filter engine rules that are applied to filter engines within the network tool optimizer for the cloud network. The filter engines then forward packets received at input ports for the network tool optimizer to output ports for the network tool optimizer that are coupled to network tools or tool instances within the cloud network.

Abstract: Network tool optimizers for server cloud networks and related methods are disclosed. In part, master filters are defined to segregate and control user traffic, and user filters are defined to forward the user traffic to cloud-based network tools or tool instances. A master user interface and user interfaces for each user are provided so that the master filters and user filters can be defined and managed. A filter rules compiler within the cloud-based network tool optimizer then combines the master filters with the user filters, resolves conflicts in favor of the master filters, and generates filter engine rules that are applied to filter engines within the network tool optimizer for the cloud network. The filter engines then forward packets received at input ports for the network tool optimizer to output ports for the network tool optimizer that are coupled to network tools or tool instances within the cloud network.