Abstract: Disclosed are various embodiments for estimating round-trip times to improve performance of networks. Multiple connections are opened to a network device. Round-trip times associated with sending packets to the network device via the connections are measured. Another connection to the same or a different network device is opened. A round-trip-time estimate for the other connection is initialized based at least in part on the measured round-trip times for the multiple connections, and in some embodiments, network device proximity data.

Abstract: An asset health monitoring system (AHMS) can assign a confidence indicator to some or all the monitored computing asset in a data center, such as computing systems or networking devices. In response to drops in the confidence indicators, the AHMS can automatically initiate testing of computing assets in order to raise confidence that the asset will perform correctly. Further, the AHMS can automatically initiate remediation procedures for computing assets that fail the confidence testing. By automatically triggering testing of assets and/or remediation procedures, the AHMS can increase reliability for the data center by preemptively identifying problems.

Abstract: Generally described, systems and methods are provided for monitoring and detecting causes of failures of network paths. The system collects performance information from a plurality of nodes and links in a network, aggregates the collected performance information across paths in the network, processes the aggregated performance information for detecting failures on the paths, analyzes each of the detected failures to determine at least one root cause, and initiates a remedial workflow for the at least one root cause determined. In some aspects, processing the aggregated information may include performing a statistical regression analysis or otherwise solving a set of equations for the performance indications on each of a plurality of paths. In another aspect, the system may also include an interface which makes available for display one or more of the network topology, the collected and aggregated performance information, and indications of the detected failures in the topology.

Abstract: Attempts to update confirmation information or firmware for a hardware device can be monitored using a secure counter that is configured to monotonically adjust a current value of the secure counter for each update or update attempt. The value of the counter can be determined every time the validity of the firmware is confirmed, and this value can be stored to a secure location. At subsequent times, such as during a boot process, the actual value of the counter can be determined and compared with the expected value. If the values do not match, such that the firmware may be in an unexpected state, an action can be taken, such as to prevent access to, or isolate, the hardware until such time as the firmware can be validated or updated to an expected state.

Abstract: An asset health monitoring system (AHMS) can assign a confidence indicator to some or all the monitored computing asset in a data center, such as computing systems or networking devices. In response to drops in the confidence indicators, the AHMS can automatically initiate testing of computing assets in order to raise confidence that the asset will perform correctly. Further, the AHMS can automatically initiate remediation procedures for computing assets that fail the confidence testing. By automatically triggering testing of assets and/or remediation procedures, the AHMS can increase reliability for the data center by preemptively identifying problems.

Abstract: The state of firmware for devices on a provisioned host machine can be validated independent of the host CPU(s) or other components exposed to the user. A port that is not fully exposed or accessible to the user can be used to perform a validation process on firmware without accessing a CPU of the host device. The firmware can be scanned and a hashing or similar algorithm can be used to determine validation information, such as hash values, for the firmware, which can be compared to validation information stored in a secure location. If the current and stored validation information do not match, one or more remedial actions can be taken to address the firmware being in an unknown or unintended state.

Abstract: Secure networking processes, such as packet encapsulation and decapsulation, can be executed upstream of a user or guest operating system provisioned on a host machine, where the user has substantially full access to that machine. The processing can be performed on a device such as a network interface card (NIC), which can have a separate network port for communicating with mapping systems or other devices across a cloud or secure network. A virtual image of the NIC can be provided to the user such that the user can still utilize at least some of the NIC functionality. In some embodiments, the NIC can work with a standalone processor or control host in order to offload much of the processing to the control host. The NIC can further handle headers and payload separately where possible, in order to improve the efficiency of processing the various packets.

Abstract: A computing system includes a chassis, one or more backplanes coupled to the chassis. Computing devices are coupled to the one or more backplanes. The one or more backplanes include backplane openings that allow air to pass from one side of the backplane to the other side of the backplane. Air channels are formed by adjacent circuit board assemblies of the computing devices and the one or more backplanes. Channel capping elements at least partially close the air channels.

Abstract: A computing system includes a chassis, one or more backplanes coupled to the chassis. Computing devices are coupled to the one or more backplanes. The one or more backplanes include backplane openings that allow air to pass from one side of the backplane to the other side of the backplane. Air channels are formed by adjacent circuit board assemblies of the computing devices and the one or more backplanes. Channel capping elements at least partially close the air channels.

Abstract: High-speed processing of packets to, and from, a virtualization environment can be provided while utilizing segmentation offload and other such functionality of commodity hardware. Virtualization information can be added to extension portions of protocol headers, for example, such that the payload portion is unchanged and, when physical address information is added to a frame, a frame can be processed using commodity hardware. In some embodiments, the virtualization information can be hashed and added to the payload or stream at, or relative to, various segmentation boundaries, such that the virtualization or additional header information will only be added to a subset of the packets once segmented, thereby reducing the necessary overhead. Further, the hashing of the information can allow for reconstruction of the virtualization information upon desegmentation even in the event of packet loss.

Abstract: In an environment such as a cloud computing environment where various guests can be provisioned on a host machine or other hardware device, it can be desirable to prevent those users from rebooting or otherwise restarting the machine or other resources using unauthorized information or images that can be obtained from across the network. A cloud manager can cause one or more network switches or other routing or communication processing components to deny communication access between user-accessible ports on a machine or device and the provisioning systems, or other specific network resources, such that the user cannot cause the host machine to pull information from those resources upon a restart or reboot of the machine. Further, various actions can be taken upon a reboot or attempted reboot, such as to isolate the host machine or even power off the specific machine.

Abstract: When providing a user with native access to at least a portion of device hardware, the user can be prevented from modifying firmware and other configuration information by controlling the mechanisms used to update that information. In some embodiments, an asymmetric keying approach can be used to encrypt or sign the firmware. In other cases access can be controlled by enabling firmware updates only through a channel or port that is not exposed to the customer, or by mapping only those portions of the hardware that are to be accessible to the user. In other embodiments, the user can be prevented from modifying firmware by only provisioning the user on a machine after an initial mutability period wherein firmware can be modified, such that the user never has access to a device when firmware can be updated. Combinations and variations of the above also can be used.

Abstract: The efficiency of scaling of a network of computing devices can be improved by grouping highly-connected portions into deployment units wherein devices only have to be aware of other devices in the respective deployment unit. The various deployment units can be connected by a backbone mechanism. In some embodiments, the backbone utilizes a torroidal connection scheme to connect the backbone switches and pass routing protocol information. Host traffic can still utilize connections between tiers, such that standard routing and networking protocols can be utilized. In other embodiments, logical interfaces can be initialized in each backbone switch, such that each switch itself can function as a point backbone. The devices of the various deployment units then can communicate with each other via the point backbones using standard networking and routing protocols.

Abstract: Various features are described for generating and analyzing data center topology graphs. The graphs can represent physical placement and connectivity of data center components. In some cases the graphs may include hierarchical representations of data center components and systems, and may also include environmental and operational characteristics of the computing devices and supporting systems which may be included in a data center. In addition, the graphs may be linked to each other though common components, so that data center topology may be analyzed in two or more dimensions rather than a single dimension. The linked graphs may be analyzed to identify potential points of failure and also to identify which data center components may be affected by a failure.

Abstract: Techniques are described for scaling of computing resources. A scaling service is utilized that allocates additional computing resources (e.g., processors, memory, etc.) to a virtual machine instance (or other compute instance) and/or de-allocates computing resources from a virtual machine instance according requests and/or thresholds. In addition to the foregoing, other aspects are described in the description, figures, and claims.

Abstract: Host machines and other devices performing synchronized operations can be dispersed across multiple racks in a data center to provide additional buffer capacity and to reduce the likelihood of congestion. The level of dispersion can depend on factors such as the level of oversubscription, as it can be undesirable in a highly connected network to push excessive host traffic into the aggregation fabric. As oversubscription levels increase, the amount of dispersion can be reduced and two or more host machines can be clustered on a given rack, or otherwise connected through the same edge switch. By clustering a portion of the machines, some of the host traffic can be redirected by the respective edge switch without entering the aggregation fabric. When provisioning hosts for a customer, application, or synchronized operation, for example, the levels of clustering and dispersion can be balanced to minimize the likelihood for congestion throughout the network.

Abstract: The deployment and scaling of a network of electronic devices can be improved by utilizing one or more network transpose boxes. Each transpose box can include a number of connectors and a meshing useful for implementing a specific network topology. When connecting devices of different tiers in the network, each device need only be connected to at least one of the connectors on the transpose box. The meshing of the transpose box can cause each device to be connected to any or all of the devices in the other tier as dictated by the network topology. When changing network topologies or scaling the network, additional devices can be added to available connectors on an existing transpose box, or new or additional transpose boxes can be deployed in order to handle the change with minimal cabling effort.

Abstract: Techniques are described for scaling of computing resources. A scaling service is utilized that allocates additional computing resources (e.g., processors, memory, etc.) to a virtual machine instance (or other compute instance) and/or de-allocates computing resources from a virtual machine instance according requests and/or thresholds. In addition to the foregoing, other aspects are described in the description, figures, and claims.

Abstract: Host machines and other devices performing synchronized operations can be dispersed across multiple racks in a data center to provide additional buffer capacity and to reduce the likelihood of congestion. The level of dispersion can depend on factors such as the level of oversubscription, as it can be undesirable in a highly connected network to push excessive host traffic into the aggregation fabric. As oversubscription levels increase, the amount of dispersion can be reduced and two or more host machines can be clustered on a given rack, or otherwise connected through the same edge switch. By clustering a portion of the machines, some of the host traffic can be redirected by the respective edge switch without entering the aggregation fabric. When provisioning hosts for a customer, application, or synchronized operation, for example, the levels of clustering and dispersion can be balanced to minimize the likelihood for congestion throughout the network.

Abstract: Operating profiles for consumers of computing resources may be automatically determined based on an analysis of actual resource usage measurements and other operating metrics. Measurements may be taken while a consumer, such as a virtual machine instance, uses computing resources, such as those provided by a host. A profile may be dynamically determined based on those measurements. Profiles may be generalized such that groups of consumers with similar usage profiles are associated with a single profile. Assignment decisions may be made based on the profiles, and computing resources may be reallocated or oversubscribed if the profiles indicate that the consumers are unlikely to fully utilize the resources reserved for them. Oversubscribed resources may be monitored, and consumers may be transferred to different resource providers if contention for resources is too high.