-
Publication No.: US20210160218A1
Publication Date: 2021-05-27
Application No.: US17145130
Application Date: 2021-01-08
Applicant: Amazon Technologies, Inc.
Inventor: Bashuman Deb, Andrew Bruce Dickinson, Christopher Ian Hendrie
Abstract: Methods and apparatus for private network peering in virtual network environments in which peerings between virtual client private networks on a provider network may be established by clients via an API to a peering service. The peering service and API 104 may allow clients to dynamically establish and manage virtual network transit centers on the provider network at which virtual ports may be established and configured, virtual peerings between private networks may be requested and, if accepted, established, and routing information for the peerings may be specified and exchanged. Once a virtual peering between client private networks is established, packets may be exchanged between the respective client private networks via the peering over the network substrate according to the overlay network technology used by the provider network, for example an encapsulation protocol technology.
-
Publication No.: US20210152392A1
Publication Date: 2021-05-20
Application No.: US16953191
Application Date: 2020-11-19
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Christopher Miller, Richard Alexander Sheehan, Douglas Stewart Laurence, Marwan Salah El-Din Oweis, Andrew Bruce Dickinson
Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.
-
Publication No.: US10862796B1
Publication Date: 2020-12-08
Application No.: US15409485
Application Date: 2017-01-18
Applicant: Amazon Technologies, Inc.
IPC: H04L12/721, H04L12/715, H04L29/06
Abstract: A flow policy service that allows clients to define policies for packet flows to, from, and within their virtual networks on a provider network. Via the service, a client may define rules that specify appliances that inbound, outbound, and/or internal virtual network traffic should flow through. The rules may, for example, be attached to the virtual network, to subnets within the virtual network, and/or to resource instances within the virtual network. The rules may be specified in a descriptive, domain-specific language. The service determines how and where on the provider network to implement the rules in order to apply the specified policy. Thus, the actual implementation of the policy may be hidden from the client. The service may generate flow reports that may be used to confirm that traffic to, from, or within a virtual network is flowing through the correct network appliances according to the policy.
-
Publication No.: US10833992B1
Publication Date: 2020-11-10
Application No.: US16220703
Application Date: 2018-12-14
Applicant: Amazon Technologies, Inc.
Inventor: Andrew Bruce Dickinson
IPC: H04L29/06, H04L12/745, H04L12/741, H04L12/725, H04L12/46, H04L12/713, H04L12/931, H04L12/721
Abstract: Route tables may be associated with ingress traffic for logically isolated networks. A routing device at the edge of a logically isolated network may receive a route to include in a route table that is associated with ingress traffic to the logically isolated network to forward the ingress traffic to a network appliance hosted in the logically isolated network. Network packets received at the edge routing device may have a destination of a computing resource hosted in the logically isolated network. The edge routing device may identify the route in the route table to override the destination in the network packet with the network appliance and forward the network packet to the network appliance according to the route.
-
Publication No.: US10735499B2
Publication Date: 2020-08-04
Application No.: US16362192
Application Date: 2019-03-22
Applicant: Amazon Technologies, Inc.
Inventor: Tobias Lars-Olov Holgers, Kevin Christopher Miller, Andrew Bruce Dickinson, David Carl Salyers, Xiao Zhang, Shane Ashley Hall, Christopher Ian Hendrie, Aniket Deepak Divecha, Ralph William Flora
Abstract: A control-plane component of a virtual network interface (VNI) multiplexing service assigns one or more VNIs as members of a first interface group. A first VNI of the interface group is attached to a first compute instance. Network traffic directed to a particular endpoint address associated with the first interface group is to be distributed among members of the first interface group by client-side components of the service. The control-plane component propagates membership metadata of the first interface group to the client-side components. In response to a detection of an unhealthy state of the first compute instance, the first VNI is attached to a different compute instance by the control-plane component.
-
Publication No.: US10256993B2
Publication Date: 2019-04-09
Application No.: US15728277
Application Date: 2017-10-09
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Christopher Miller, Richard Alexander Sheehan, Douglas Stewart Laurence, Marwan Salah El-Din Oweis, Andrew Bruce Dickinson
Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.
-
Publication No.: US10244044B2
Publication Date: 2019-03-26
Application No.: US15881545
Application Date: 2018-01-26
Applicant: Amazon Technologies, Inc.
Inventor: Tobias Lars-Olov Holgers, Kevin Christopher Miller, Andrew Bruce Dickinson, David Carl Salyers, Xiao Zhang, Shane Ashley Hall, Christopher Ian Hendrie, Aniket Deepak Divecha, Ralph William Flora
Abstract: A control-plane component of a virtual network interface (VNI) multiplexing service assigns one or more VNIs as members of a first interface group. A first VNI of the interface group is attached to a first compute instance. Network traffic directed to a particular endpoint address associated with the first interface group is to be distributed among members of the first interface group by client-side components of the service. The control-plane component propagates membership metadata of the first interface group to the client-side components. In response to a detection of an unhealthy state of the first compute instance, the first VNI is attached to a different compute instance by the control-plane component.
-
Publication No.: US20190007366A1
Publication Date: 2019-01-03
Application No.: US15636523
Application Date: 2017-06-28
Applicant: Amazon Technologies, Inc.
Inventor: Michael Siaosi Voegele, Kevin Christopher Miller, Justin Canfield Crites, Andriy Palamarchuk, Andrew Bruce Dickinson, Christopher Carson Thomas, Rebecca Claire Weiss
IPC: H04L29/12, H04L12/741, H04L12/803, H04L12/46
Abstract: A customer may request a service endpoint for a service in their virtual network on a provider network. In response, a service endpoint is generated in the customer's virtual network, a local IP address in the IP address range of the customer's virtual network is assigned to the service endpoint, and a DNS name is assigned to the service endpoint. Resources on the customer's virtual network resolve the DNS name of the service endpoint to obtain the local IP address of the service endpoint and send service requests for the service to the local IP address of the service endpoint. The service endpoint adds routing information to the service requests and sends the service requests over the network substrate to be routed to the service.
-
Publication No.: US09847970B1
Publication Date: 2017-12-19
Application No.: US14266619
Application Date: 2014-04-30
Applicant: Amazon Technologies, Inc.
Inventor: Joseph Paul Zipperer, Andrew Bruce Dickinson, Kirk Arlo Petersen
IPC: H04L29/06
CPC classification number: H04L63/1458
Abstract: Functionality is disclosed herein for regulating bandwidth that is available for network traffic flowing through a data communications network. In response to attack traffic being detected, one or more traffic regulators are set to control an available bandwidth to be used by the attack traffic. The one or more traffic regulators are adjusted until an attack is no longer detected. After the attack ends, the traffic regulator may be disabled or set to a different mode of operation.
-
Publication No.: US09832118B1
Publication Date: 2017-11-28
Application No.: US14542513
Application Date: 2014-11-14
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Christopher Miller, Andrew Bruce Dickinson, Eric Wayne Schultze, Ian Roger Searle, Shane Ashley Hall, Deepak Mohan, David Brian Lennon
IPC: H04L12/713, H04L12/741, H04L12/46, H04L29/06
CPC classification number: H04L45/586, H04L45/74, H04L45/745, H04L63/0236, H04L63/0272, H04L63/101
Abstract: Methods and apparatus that allow clients to connect resource instances to virtual networks in provider network environments via private IP. Via private IP linking methods and apparatus, a client of a provider network can establish private IP communications between the client's resource instances on the provider network and the client's resource instances provisioned in the client's virtual network via links from the private IP address space of the virtual network to the private IP address space of the provider network. The provider network client resource instances remain part of the client's provider network implementation and may thus also communicate with other resource instances on the provider network and/or with entities on external networks via public IP while communicating with the virtual network resource instances via private IP.