Abstract: A method may include generating a first cloud network associated with a first security level and including data associated with a service. The method may include generating a second cloud network associated with the first security level and deploying the service and the data associated with the service to the second cloud network and generating a first ingress channel to permit data to be transmitted to the second cloud network. Restricted data associated with a tenant may be deployed to the second cloud network. The method may include generating a third cloud network associated with the first security level and including the service and the data associated with the service and generating a second ingress channel to permit data to be transmitted to the third cloud network. A data sync may be implemented between the second and third cloud networks to deploy the restricted data to the third cloud network.

Abstract: Techniques are disclosed for rotating service endpoints following the installation of a prefab region network at a destination site. A manager service executing within a distributed computing system can send a request to a domain name system service to generate a target zone including target domain names for second service endpoints within a region network of the distributed computing system. The manager service can send an instruction to a certificate service to provide a dual-headed certificate in response to a certificate request from a service executing within the distributed computing system. The service can include a first service endpoint having an original domain name of an original zone managed by the DNS service and a second service endpoint having a target domain name of the target zone. The manager service can send an endpoint migration instruction to the service to stop accepting network traffic corresponding to the first service endpoint.

Abstract: The present embodiments relate to providing near real-time communications from a public network to a private network. A first computing device in a public network can obtain data packets to be provided to the private network from an application executing on the first computing device. A trust module executed by the first computing device can authenticate the user, application, and the data packets to be provided to the private network and add metadata relating to the sending user, recipient user, etc. The data packets can be forwarded to the private network via a cross-domain system (CDS). The metadata and the digital signature on the data packets can be verified by a trust module executing on a second computing device in the private network. The second computing device can receive the data packets and store the data packets for subsequent actions to be performed in the private network.

Abstract: Techniques are disclosed for rotating network addresses following the installation of a prefab region network at a destination site. A manager service executing within a distributed computing system can allocate a rotation network address pool to a root allocator service that may be configured to provide network addresses from network address pools to dependent nodes within the distributed computing system, with each dependent node associated with a corresponding first network address of the network address pools. The manager service can receive an indication that a second network address of the rotation network address pool is associated with a dependent node. In response, the manager service can execute and a migration operation for the dependent node to redirect network traffic within the distributed computing system from the first network address to the second network address.

Abstract: Techniques are disclosed for building a region at a prefab factory. A manager service can receive a build request. The manager service can generate, based on the build request, a physical build request for building physical resources within the prefab factory. The manager service can receive an indication that the physical resources corresponding to the physical build request have been built. In response, the manager service can implement a virtual bootstrap environment at a second data center communicatively connected to the prefab factory. The manager service can deploy software resources to the physical resources using the virtual bootstrap environment. The manager service can configure the physical resources for transmitting to a destination site by at least generating an inventory of the physical resources and generating a network configuration corresponding to a network topology of the physical resources in the prefab factory.

Abstract: Techniques are disclosed for a networking fabric in a data center for a prefab factory. The networking fabric can include a plurality of networking cables routed through the data center characterized by a static network fabric topology, with a set of networking cables of the plurality of networking cables configured to terminate at a location in the data center. A plurality of computing devices can be positioned at the location and configured to form a region network when communicatively connected to the set of networking cables according to a connection plan. The connection plan can be generated by a network service using a physical build request. The network service can determine the configuration of the plurality of computing devices and the static network fabric topology. The network service can generate the connection plan using the configuration and the static network fabric topology.

Abstract: Techniques are disclosed for a mobile prefab factory for building region data centers. The mobile prefab factory can include a containment enclosure configured to mount physical computing resources of a data center, a networking device, a power supply electrically connected to the networking device, and a plurality of computing devices of the physical computing resources communicatively connected to the networking device and electrically connected to the power supply. A manager service can configure the computing devices for transmission to the destination site by implementing a seed server device of the plurality of computing devices and implementing a software resource repository at the seed server device. While the containment enclosure is in transit, the seed server device can deploy software resources to the plurality of computing devices.

Abstract: Techniques are disclosed for validating a cloud region built at a prefab factory. A computing device of the cloud region can receive a network configuration from a manager service. The network configuration can correspond to a network topology of physical resources in the cloud region and can include a first identifier associated with a computing device, a second identifier associated with a neighboring computing device, and information associating the computing device with the neighboring computing device. The computing device can be configured for transmitting to a second data center and can boot into a test mode at the second data center and receive a new identifier from a server device. The computing device can verify the new identifier and send a validation request to the neighboring computing device. The computing device can validate a network connection to the neighboring computing device based on a response to the validation request.

Abstract: In some aspects, a network interface card (NIC) may receive, at a first node of a network interface card associated with a disconnected network, a message intended for the disconnected network and sent using a first communication protocol. The network interface card may send the message from the first node to a second node of the network interface card using a second communication protocol, the second communication protocol being configured for unidirectional communication. The network interface card may receive the message at the second node. The network interface card may send, from the second node, the message to a destination node of the disconnected network using a third communication protocol. Numerous other aspects are described.

Abstract: Novel techniques are disclosed for accessing resources in both CSP-provided infrastructure in a region and a remote infrastructure through various control planes associated with a virtual private label cloud (vPLC). In some embodiments, the CSP-provided infrastructure in a region and a remote infrastructure are connected through a communication channel. In some embodiments, a control plane associated with the CSP-provided infrastructure in a region can provide access to both infrastructures (i.e., the CSP-provided infrastructure in a region and the remote infrastructure). In some embodiments, a control plane associated with the vPLC in the CSP-provided infrastructure in a region can provide access to both infrastructures. Yet, in other embodiments, a control plane associated with the vPLC but located within the remote infrastructure can provide access to both infrastructures.

Abstract: Novel techniques are disclosed that enable the creation of a two-tier marketplace comprising a CSP marketplace and one or more marketplaces for virtual private label clouds (vPLCs). Each marketplace can be created and operated independently. In some embodiments, a publisher may publish a solution offering directly on a vPLC marketplace without involving the CSP marketplace. In other embodiments, a solution offering published on a marketplace may be automatically republished on another marketplace. Yet, in another embodiment, a customer subscribing to a vPLC marketplace can see a composite view of a directly published solution listing and a republished solution listing.

Abstract: Novel techniques for resource usage monitoring, billing, and enforcement for virtual private label clouds (vPLCs) are disclosed. In some embodiments, resource usage for a vPLC associated with a reseller is monitored at both reseller level and customer-of-reseller level using resource IDs, and stored as usage information in two levels and associated with a tenancy ID for the reseller (at the reseller level) and tenancy IDs for customers of the reseller (at the customer-of-reseller level). In some embodiments, a two-level billing process generates invoices using two-level pricing information and the generated invoices to either resellers or customers of resellers directly. In some embodiments, usage enforcement can be performed per vPLC or per customer tenancy of a reseller's customer.

Abstract: Novel techniques are disclosed for providing vPLC-specific metadata service including customized vPLC-specific metadata. In certain embodiments, each vPLC may generate a customized metadata using its corresponding vPLC-specific customization instructions. In some embodiments, a vPLC-specific metadata service may be performed using pre-generated customized vPLC-specific metadata, on-the-fly customized metadata, pre-generated CSP-format metadata, or combinations thereof.

Abstract: Novel techniques of resource allocation services for virtual private label cloud (vPLC) are disclosed. A vPLC is created for a reseller of a Cloud Services Provider (CSP) using CSP-provided infrastructure in a region such that the reseller can provide one or more reseller-offered cloud services to customers of the reseller. In certain embodiments, the resource allocation services check a first-level policy and a resource database to determine whether a requested resource is allowed and available to be allocated to a vPLC associated with a reseller. The resource allocation services may further check a second-level policy and the resource database to determine whether the requested resource is allowed and available to be allocated to a customer of the reseller. In some embodiments, the resource allocation services may allocate resources for a vPLC according to a partitioning requirement.

Abstract: Novel techniques are disclosed for enabling identity cloud service for virtual private label clouds (vPLCs). A vPLC is created for a reseller of a Cloud Services Provider (CSP) using CSP-provided infrastructure in a region such that the reseller can provide one or more reseller-offered cloud services to customers of the reseller. In some embodiments, the identity management may be configured with either a shared identity cloud service (IDCS) stack model or an independent IDCS stack model. In certain embodiments, two-tier vPLC-aware identity management functions are performed for resellers of the CSP and customers of the resellers.

Abstract: Novel techniques are disclosed for enabling customizable consoles of different virtual private label clouds (vPLCs). In some embodiments, one console server may execute multiple consoles for multiple vPLCs and CSP. In other embodiments, one console server may be dedicated to a vPLC-specific console. In certain embodiments, console customization including a customized set of console user interfaces (UIs) may be performed for each vPLC-specific console.

Abstract: Novel techniques are disclosed for virtualizing a cloud infrastructure in a region provided by a cloud service provider (CSP) to allow a reseller of the CSP to provide reseller-offered cloud services using a securely isolated portion of the CSP-provided infrastructure in the region and have a direct business relationship with the reseller'customers. In certain embodiments, the CSP-provided infrastructure in a region is organized into one or more data centers. In certain embodiments, the securely isolation portion of the CSP-provided infrastructure comprises at least one compute resource or a memory resource.

Abstract: Techniques for facilitating connectivity to vPLCs created in a CSP-provided infrastructure in a region. Within the CSP-provided infrastructure in a region, when the destination of a packet is determined to be an endpoint associated with a particular vPLC, the packet is tagged with information related to the particular vPLC. The vPLC-related information for the particular vPLC can include, for example, a vPLC identifier identifying the particular vPLC, an identifier identifying a customer associated with the endpoint, a virtual cloud network identifier identifying a virtual cloud network (VCN) belonging to the particular vPLC and where the endpoint is part of the VCN, and other vPLC-related information. The packet is then routed or communicated within the CSP-provided infrastructure in a region along with the tagged vPLC-related information. The vPLC-related information is used as part of the connectivity and for routing of packets within the CSP-provided infrastructure in a region.

Abstract: Novel techniques for creating service endpoints associated with different virtual private label clouds (vPLCs) for accessing a cloud service are disclosed. In certain embodiments, an endpoint management service (EMS) uses a novel architecture that enables the concurrent use of multiple vPLC-specific service endpoints with one endpoint per cloud service per vPLC to access the same cloud service running on multiple vPLC-specific resources. In some embodiments, each vPLC-specific service endpoint may be associated with a fully qualified domain name (FQDN) and an IP address.

Abstract: In some aspects, a computing device of the virtual cloud network may select one or more filters from a plurality of filters for a data pipeline, the plurality of filters comprising at least one of: a malware filter; a content filter; a signature filter; a content analyzer; a machine learning filter; or an artificial intelligence filter. A sequential order for the one or more selected filters in the data pipeline can be determined. A message may be received in the data pipeline from a network interface card (NIC), the network interface card being configured as a one-way transfer device. The message in the data pipeline may be filtered by passing the message through the one or more selected filters in the determined sequential order. The computing device of the virtual cloud network may provide logs of events occurring in the data pipeline via a logging network.