Patents by Inventor Richard H. GALLIHER

Richard H. GALLIHER has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230188598
    Abstract: Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.
    Type: Application
    Filed: January 30, 2023
    Publication date: June 15, 2023
    Applicant: Amazon Technologies, Inc.
    Inventors: Anoop DAWANI, Nishant MEHTA, Richard H. GALLIHER, Lee Spencer DILLARD, Joseph Elmar MAGERRAMOV
  • Patent number: 11659058
    Abstract: A first service of a provider network obtains an identification of one or more substrate addressable devices included in an extension of the provider network. Based on the identification, a launch of one or more compute instances within the provider network is initiated. The one or more compute instances are to connect the provider network to the extension of the provider network across at least a third-party network by receiving a first control plane message directed to a first substrate addressable device of the one or more substrate addressable devices, by updating a message state data store based at least in part on the first control plane message, and by sending a second control plane message to the first substrate addressable device via a secure tunnel.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: May 23, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Anthony Nicholas Liguori, Eric Samuel Stone, Richard H. Galliher, David James Goodell, Patrick John Lawrence, Yang Lin, William Ashley, Steven Anthony Kady
  • Patent number: 11595113
    Abstract: Satellites provide communication between devices such as user terminals (UTs) and ground stations that are connected to points-of-presence (PoP) connected to other networks, such as the Internet. The PoP accepts downstream data addressed to the UT. A representation of the communication resources that are expected to be used to pass the downstream data from the PoP to the UT is determined and executed on one or more processors. The representations may include representations of traffic shapers, modems, and so forth at different points in the network. The representations may consider real-world and simulated feedback data. Within the representation, traffic shaping is employed to determine preshaped data that includes resource metadata designating the communication resources to be used. The preshaped data is passed along to the actual communication resources for subsequent delivery. The preshaping substantially improves performance of constrained communication resources.
    Type: Grant
    Filed: September 1, 2020
    Date of Patent: February 28, 2023
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Andrew B. Dickinson, Daniel T. Cohn, Richard H. Galliher
  • Patent number: 11570244
    Abstract: Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.
    Type: Grant
    Filed: December 11, 2018
    Date of Patent: January 31, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Anoop Dawani, Nishant Mehta, Richard H. Galliher, Lee Spencer Dillard, Joseph Elmar Magerramov
  • Patent number: 11516050
    Abstract: Technologies are disclosed for monitoring network traffic using traffic mirroring. According to some examples, traffic mirroring allows customers to monitor traffic at different sources within a VPC. For example, a source may be any Elastic Network Interface (ENI) in their VPC, including elastic network interfaces (ENIs) on virtual machine instances, Network Address Translation (NAT) Gateways, Load Balancers, VPC endpoints, Internal Gateways, Transit Gateways, and more. Filters can be utilized to determine the network traffic to mirror. A customer may also configure to monitor real-time traffic with a monitoring appliance of their choice. With traffic mirroring, data traffic may be identified and sent to one or more target devices. Customers may monitor traffic within a VPC for content inspection, forensic analysis, troubleshooting, record keeping, and the like.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: November 29, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Anoop Dawani, Joseph Elmar Magerramov, Zachary Brandes, Apoorv Mittal, Bharadwaj Avva, Ryan James Schaefer, Kiran Venkat Sayeeram Karpurapu, Ajay Jha, Steven Bruce Richards, Richard H Galliher
  • Patent number: 11411771
    Abstract: Techniques for networking in provider network substrate extensions are described. A compute instance of an isolated virtual network is hosted by an extension of a provider network that is in communication with the provider network via a secure tunnel through a customer network. A request to establish communications between the isolated virtual network and the customer network is received at an interface to the provider network. A message to cause a gateway of the extension to route traffic between the isolated virtual network and the customer network is sent via the secure tunnel.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: August 9, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Anoop Dawani, Joseph Elmar Magerramov, David James Goodell, Richard H. Galliher
  • Patent number: 11374789
    Abstract: A first message of a first type and having a first destination address is received in a provider network. The first destination address is associated with a virtual network address of the provider network and an address of a first device in an extension of the provider network, the extension of the provider network in communication with the provider network via at least a third-party network. A message state data store is updated based on at least a portion of the first message. A first payload of the first message is sent to the first device via a first secure tunnel through the third-party network.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: June 28, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Anthony Nicholas Liguori, Eric Samuel Stone, Richard H. Galliher, David James Goodell, Patrick John Lawrence, Yang Lin, William Ashley, Steven Anthony Kady
  • Patent number: 11303553
    Abstract: A reverse network tracing mechanism is described. In an embodiment, a network information request is received that is addressed to a predetermined destination. It is determined that the network information request has an expired timer and a message is returned indicating that a return network path routing procedure has been initiated. After determining that the network information request has an unexpired timer, contents of the network information request are modified to enable identification of at least a portion of the return path from the predetermined destination to a source address of the network information request.
    Type: Grant
    Filed: October 11, 2018
    Date of Patent: April 12, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Jeremy R. Volkman, Richard H. Galliher, III, Thomas Bradley Scholl
  • Patent number: 10892984
    Abstract: Techniques for routing media streams in a provider network are described. A media routing service is disclosed that comprises one or more virtual media routers for routing media streams from one or more media sources to one or more downstream devices coupled to the provider network. The media routing service provides external entities (e.g., users) of the provider network with the ability to request for a virtual media router for routing media content and determines the appropriate set of computing resources necessary to provision and launch the virtual media router in the provider network. In certain embodiments, the media routing service processes routing commands generated by a client, generates routing information comprising source to destination mappings based on the routing commands, and securely distributes media content to identified downstream devices based on the routing information.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: January 12, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Evan Statton, Michael Coleman, Alan Judge, Richard H. Galliher
  • Publication number: 20200412577
    Abstract: A first message of a first type and having a first destination address is received in a provider network. The first destination address is associated with a virtual network address of the provider network and an address of a first device in an extension of the provider network, the extension of the provider network in communication with the provider network via at least a third-party network. A message state data store is updated based on at least a portion of the first message. A first payload of the first message is sent to the first device via a first secure tunnel through the third-party network.
    Type: Application
    Filed: June 28, 2019
    Publication date: December 31, 2020
    Inventors: Anthony Nicholas LIGUORI, Eric Samuel STONE, Richard H. GALLIHER, David James GOODELL, Patrick John LAWRENCE, Yang LIN, William ASHLEY, Steven Anthony KADY
  • Publication number: 20200412824
    Abstract: A first service of a provider network obtains an identification of one or more substrate addressable devices included in an extension of the provider network. Based on the identification, a launch of one or more compute instances within the provider network is initiated. The one or more compute instances are to connect the provider network to the extension of the provider network across at least a third-party network by receiving a first control plane message directed to a first substrate addressable device of the one or more substrate addressable devices, by updating a message state data store based at least in part on the first control plane message, and by sending a second control plane message to the first substrate addressable device via a secure tunnel.
    Type: Application
    Filed: June 28, 2019
    Publication date: December 31, 2020
    Inventors: Anthony Nicholas LIGUORI, Eric Samuel STONE, Richard H. GALLIHER, David James GOODELL, Patrick John LAWRENCE, Yang LIN, William ASHLEY, Steven Anthony KADY
  • Publication number: 20200403826
    Abstract: Technologies are disclosed for monitoring network traffic using traffic mirroring. According to some examples, traffic mirroring allows customers to monitor traffic at different sources within a VPC. For example, a source may be any Elastic Network Interface (ENI) in their VPC, including elastic network interfaces (ENIs) on virtual machine instances, Network Address Translation (NAT) Gateways, Load Balancers, VPC endpoints, Internal Gateways, Transit Gateways, and more. Filters can be utilized to determine the network traffic to mirror. A customer may also configure to monitor real-time traffic with a monitoring appliance of their choice. With traffic mirroring, data traffic may be identified and sent to one or more target devices. Customers may monitor traffic within a VPC for content inspection, forensic analysis, troubleshooting, record keeping, and the like.
    Type: Application
    Filed: September 23, 2019
    Publication date: December 24, 2020
    Inventors: Anoop Dawani, Joseph Elmar Magerramov, Zachary Brandes, Apoorv Mittal, Bharadwaj Avva, Ryan James Schaefer, Kiran Venkat Sayeeram Karpurapu, Ajay Jha, Steven Bruce Richards, Richard H Galliher
  • Publication number: 20200186600
    Abstract: Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.
    Type: Application
    Filed: December 11, 2018
    Publication date: June 11, 2020
    Inventors: Anoop DAWANI, Nishant MEHTA, Richard H. GALLIHER, Lee Spencer DILLARD, Joseph Elmar MAGERRAMOV
  • Patent number: 10243790
    Abstract: A dynamic configuration system can manage and configure switches or other network devices that come online in a network. When the dynamic configuration system determines that a network device has come online, the dynamic configuration system can identify the network device (e.g., based on its network location, neighbors, fingerprint, identifier, address or the like), select the appropriate configuration data for the network based on the desired network topology, and transmit the configuration data to the network device. The network device can then load the configuration data and function as a component of the desired network topology.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: March 26, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Richard H. Galliher, III, Justin O. Pietsch, Frederick David Sinn, Mark N. Kelly, Colin J. Whittaker, Rachit Chawla, Richendra Khanna
  • Patent number: 10103962
    Abstract: A reverse network tracing mechanism is described. In an embodiment, a network information request is received that is addressed to a predetermined destination. It is determined that the network information request has an expired timer and a message is returned indicating that a return network path routing procedure has been initiated. After determining that the network information request has an unexpired timer, contents of the network information request are modified to enable identification of at least a portion of the return path from the predetermined destination to a source address of the network information request.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: October 16, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Jeremy R. Volkman, Richard H. Galliher, III, Thomas Bradley Scholl
  • Publication number: 20160352569
    Abstract: A dynamic configuration system can manage and configure switches or other network devices that come online in a network. When the dynamic configuration system determines that a network device has come online, the dynamic configuration system can identify the network device (e.g., based on its network location, neighbors, fingerprint, identifier, address or the like), select the appropriate configuration data for the network based on the desired network topology, and transmit the configuration data to the network device. The network device can then load the configuration data and function as a component of the desired network topology.
    Type: Application
    Filed: August 12, 2016
    Publication date: December 1, 2016
    Inventors: Richard H. Galliher, III, Justin O. Pietsch, Frederick David Sinn, Mark N. Kelly, Colin J. Whittaker, Rachit Chawla, Richendra Khanna
  • Patent number: 9419842
    Abstract: A dynamic configuration system can manage and configure switches or other network devices that come online in a network. When the dynamic configuration system determines that a network device has come online, the dynamic configuration system can identify the network device (e.g., based on its network location, neighbors, fingerprint, identifier, address or the like), select the appropriate configuration data for the network based on the desired network topology, and transmit the configuration data to the network device. The network device can then load the configuration data and function as a component of the desired network topology.
    Type: Grant
    Filed: October 4, 2011
    Date of Patent: August 16, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Richard H. Galliher, III, Justin O. Pietsch, Frederick David Sinn, Mark N. Kelly, Colin J. Whittaker, Rachit Chawla, Richendra Khanna
  • Patent number: 9344320
    Abstract: A reverse network tracing mechanism is described. In an embodiment, a network information request is received that is addressed to a predetermined destination. It is determined that the network information request has an expired timer and a message is returned indicating that a return network path routing procedure has been initiated. After determining that the network information request has an unexpired timer, contents of the network information request are modified to enable identification of at least a portion of the return path from the predetermined destination to a source address of the network information request.
    Type: Grant
    Filed: October 18, 2012
    Date of Patent: May 17, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Jeremy R. Volkman, Richard H. Galliher, III, Thomas Bradley Scholl