Abstract: Aspects of the present application relate to systems, methods and non-transitory computer readable media for network virtualization in a rack-based switch. The method can include sending a communication from a first virtual machine (“VM”) instantiated on a first host machine to a first network virtualization Top of Rack (“ToR”) switch. The first network virtualization ToR can include a peripheral component interconnect express (“PCIe”) switch coupled to a plurality of host-side Ethernet ports, a virtualization device communicatingly coupled to the PCIe switch, which virtualization device can include a plurality of virtualization functions, and a switching ASIC coupled to the virtualization device and to a network-side Ethernet port. The method can include forming the communication into an Internet Protocol (“IP”) packet with a first virtualization function of the virtualization device, and sending the IP packet to a second VM with the switching ASIC.

Abstract: A network interface card, such as a SmartNIC, is used to provide encryption, such as network encryption virtual function (NEVF), for a virtual machine, so that a customer can control network keys in a virtual cloud network. The NEVF includes a memory device (e.g., SRAM) and a crypto processor (e.g., a crypto core). The memory device stores a crypto key. The crypto processor uses the crypto key to encrypt data to and from a virtual machine in the virtual cloud network. A key management system can be used to securely transfer crypto keys to the NEVF. Having one NEVF per virtual machine can enable a customer to manage the crypto key for a virtual cloud network.

Abstract: A network device can include packet processing circuitry to provide support for virtual functions. The packet processing circuitry can perform operations such as receiving data traffic from a virtual machine, determining an egress rule for the data traffic based on a rule table, and encapsulating the data traffic according to the egress rule.

Abstract: A system for automated generation of a schema based on a plurality of artifacts is provided. The system includes a centralized artifact repository storing the artifacts and metadata characterizing each artifact and a computing device. The computing device performs operations including receiving user input indicating an application container, obtaining, from the repository, the metadata for artifacts of the plurality of artifacts, providing, via the display, the metadata, receiving a user selection of an artifact of the plurality of artifacts for inclusion with the application container, storing the application container in association with the selected artifact in an application repository, receiving a schema request related to the application container, obtaining a schema format selection, based on the request, generating a schema based on the schema format selection, the application container, and the artifact associated with the application container, and providing the schema in the selected schema format.

Abstract: Aspects of the present application relate to systems, methods and non-transitory computer readable media for network virtualization in a rack-based switch. The method can include sending a communication from a first virtual machine (“VM”) instantiated on a first host machine to a first network virtualization Top of Rack (“ToR”) switch. The first network virtualization ToR can include a peripheral component interconnect express (“PCIe”) switch coupled to a plurality of host-side Ethernet ports, a virtualization device communicatingly coupled to the PCIe switch, which virtualization device can include a plurality of virtualization functions, and a switching ASIC coupled to the virtualization device and to a network-side Ethernet port. The method can include forming the communication into an Internet Protocol (“IP”) packet with a first virtualization function of the virtualization device, and sending the IP packet to a second VM with the switching ASIC.

Abstract: A network device can include packet processing circuitry to provide support for virtual functions. The packet processing circuitry can perform operations such as receiving data traffic from a virtual machine, determining an egress rule for the data traffic based on a rule table, and encapsulating the data traffic according to the egress rule.

Abstract: A network interface card, such as a SmartNIC, is used to provide encryption, such as network encryption virtual function (NEVF), for a virtual machine, so that a customer can control network keys in a virtual cloud network. The NEVF includes a memory device (e.g., SRAM) and a crypto processor (e.g., a crypto core). The memory device stores a crypto key. The crypto processor uses the crypto key to encrypt data to and from a virtual machine in the virtual cloud network. A key management system can be used to securely transfer crypto keys to the NEVF. Having one NEVF per virtual machine can enable a customer to manage the crypto key for a virtual cloud network.

Abstract: For end-to-end encryption of a virtual cloud network, a VPN tunnel from a customer device is terminated at a host network headend device using encryption keys secured in hardware and managed by the customer. The network headend device can be a card in a bare-metal server with one or more network virtualization devices. The network headend device is configured to receive a first key provisioned by a customer; receive a first data packet sent from a device of the customer; and decrypt the first data packet using the first key to obtain information. A network virtualization device is configured to receive the information from the network headend device; ascertain that the information is to be sent to a virtual machine in a virtual cloud network; ascertain that data in the virtual cloud network is configured to be encrypted; and encrypt the information with a second key to generate a second data packet before routing the second data packet to the virtual machine.

Abstract: A network device can include packet processing circuitry to provide support for virtual functions. The packet processing circuitry can perform operations such as receiving data traffic associated with a physical address, determining that the data traffic is associated with a guest of a host system by matching the data traffic with an ingress rule associated with a virtual function, and forwarding the data traffic to the virtual function.

Abstract: A network interface card, such as a SmartNIC, is used to provide encryption, such as network encryption virtual function (NEVF), for a virtual machine, so that a customer can control network keys in a virtual cloud network. The NEVF includes a memory device (e.g., SRAM) and a crypto processor (e.g., a crypto core). The memory device stores a crypto key. The crypto processor uses the crypto key to encrypt data to and from a virtual machine in the virtual cloud network. A key management system can be used to securely transfer crypto keys to the NEVF. Having one NEVF per virtual machine can enable a customer to manage the crypto key for a virtual cloud network.

Abstract: For end-to-end encryption of a virtual cloud network, a VPN tunnel from a customer device is terminated at a host network headend device using encryption keys secured in hardware and managed by the customer. The network headend device can be a card in a bare-metal server with one or more network virtualization devices. The network headend device is configured to receive a first key provisioned by a customer; receive a first data packet sent from a device of the customer; and decrypt the first data packet using the first key to obtain information. A network virtualization device is configured to receive the information from the network headend device; ascertain that the information is to be sent to a virtual machine in a virtual cloud network; ascertain that data in the virtual cloud network is configured to be encrypted; and encrypt the information with a second key to generate a second data packet before routing the second data packet to the virtual machine.

Abstract: A network device can include packet processing circuitry to provide support for virtual functions. The packet processing circuitry can perform operations such as receiving data traffic associated with a physical address, determining that the data traffic is associated with a guest of a host system by matching the data traffic with an ingress rule associated with a virtual function, and forwarding the data traffic to the virtual function.

Abstract: High-speed processing of packets to, and from, a virtualization environment can be provided while utilizing hardware-based segmentation offload and other such functionality. A hardware vendor such as a network interface card (NIC) manufacturer can enable the hardware to support open and proprietary stateless tunneling in conjunction with a protocol such as single root I/O virtualization (SR-IOV) in order to implement a virtualized overlay network. The hardware can utilize various rules, for example, that can be used by the NIC to perform certain actions, such as to encapsulate egress packets and decapsulate packets.

Abstract: A network interface card, such as a SmartNIC, is used to provide encryption, such as network encryption virtual function (NEVF), for a virtual machine, so that a customer can control network keys in a virtual cloud network. The NEVF includes a memory device (e.g., SRAM) and a crypto processor (e.g., a crypto core). The memory device stores a crypto key. The crypto processor uses the crypto key to encrypt data to and from a virtual machine in the virtual cloud network. A key management system can be used to securely transfer crypto keys to the NEVF. Having one NEVF per virtual machine can enable a customer to manage the crypto key for a virtual cloud network.

Abstract: For end-to-end encryption of a virtual cloud network, a VPN tunnel from a customer device is terminated at a host network headend device using encryption keys secured in hardware and managed by the customer. The network headend device can be a card in a bare-metal server with one or more network virtualization devices. The network headend device is configured to receive a first key provisioned by a customer; receive a first data packet sent from a device of the customer; and decrypt the first data packet using the first key to obtain information. A network virtualization device is configured to receive the information from the network headend device; ascertain that the information is to be sent to a virtual machine in a virtual cloud network; ascertain that data in the virtual cloud network is configured to be encrypted; and encrypt the information with a second key to generate a second data packet before routing the second data packet to the virtual machine.

Abstract: Aspects of the present application relate to systems, methods and non-transitory computer readable media for network virtualization in a rack-based switch. The method can include sending a communication from a first virtual machine (“VM”) instantiated on a first host machine to a first network virtualization Top of Rack (“ToR”) switch. The first network virtualization ToR can include a peripheral component interconnect express (“PCIe”) switch coupled to a plurality of host-side Ethernet ports, a virtualization device communicatingly coupled to the PCIe switch, which virtualization device can include a plurality of virtualization functions, and a switching ASIC coupled to the virtualization device and to a network-side Ethernet port. The method can include forming the communication into an Internet Protocol (“IP”) packet with a first virtualization function of the virtualization device, and sending the IP packet to a second VM with the switching ASIC.

Abstract: High-speed processing of packets to, and from, a virtualization environment can be provided while utilizing hardware-based segmentation offload and other such functionality. A hardware vendor such as a network interface card (NIC) manufacturer can enable the hardware to support open and proprietary stateless tunneling in conjunction with a protocol such as single root I/O virtualization (SR-IOV) in order to implement a virtualized overlay network. The hardware can utilize various rules, for example, that can be used by the NIC to perform certain actions, such as to encapsulate egress packets and decapsulate packets.

Abstract: Processes and systems are disclosed for selecting a producer system from a number of producer systems to lease to a consumer system. A leasing agent, in response to a request from the consumer system for access to a service at a producer system, can identify a producer system to lease to the lease requestor based, at least in part, on a selection weight associated with each producer system that the leasing agent is assigned. The selection weights can be modified based on status information associated with each of the producer systems. This status information may be obtain from the producer systems and/or from a consumer system that has previously accessed the producer system. The consumer system may provide the status information to the leasing agent as part of the consumer system's lease request.

Abstract: High-speed processing of packets to, and from, a virtualization environment can be provided while utilizing hardware-based segmentation offload and other such functionality. A hardware vendor such as a network interface card (NIC) manufacturer can enable the hardware to support open and proprietary stateless tunneling in conjunction with a protocol such as single root I/O virtualization (SR-IOV) in order to implement a virtualized overlay network. The hardware can utilize various rules, for example, that can be used by the NIC to perform certain actions, such as to encapsulate egress packets and decapsulate packets.

Abstract: Methods and apparatus for supporting cached volumes at storage gateways are disclosed. A storage gateway appliance is configured to cache at least a portion of a storage object of a remote storage service at local storage devices. In response to a client's write request, directed to at least a portion of a data chunk of the storage object, the appliance stores a data modification indicated in the write request at a storage device, and asynchronously uploads the modification to the storage service. In response to a client's read request, directed to a different portion of the data chunk, the appliance downloads the requested data from the storage service to the storage device, and provides the requested data to the client.