United States Patent
Ganguly et al.

Patent No.: US 10,382,561 B1
Date of Patent: Aug. 13, 2019

INTELLIGENT NETWORK SERVICE PROVISIONING AND MAINTENANCE

Applicant: Amazon Technologies, Inc., Seattle, WA (US)

Inventors: Arijit Ganguly, Kirkland, WA (US); Andrew B. Dickinson, Seattle, WA (US); Christopher J. Lefelhocz, Bothell, WA (US); Manish Agarwal, Redmond, WA (US); Ian R. Searle, Bellevue, WA (US); Eric Jason Brandwine, Haymarket, VA (US)

Assignee: Amazon Technologies, Inc., Reno, NV (US)

Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 296 days.

Appl. No.: 15/269,507

Filed: Sep. 19, 2016

Related U.S. Application Data: Continuation of application No. 13/461,596, filed on May 1, 2012, now Pat. No. 9,450,967.

Int. Cl.: H04L 29/08 (2006.01); H04L 12/66 (2006.01); H04L 29/12 (2006.01); H04L 12/46 (2006.01); H04L 12/24 (2006.01)

U.S. Cl.: CPC H04L 67/141 (2013.01); H04L 12/4641 (2013.01); H04L 12/66 (2013.01); H04L 41/0813 (2013.01); H04L 61/2007 (2013.01); H04L 67/146 (2013.01)

Field of Classification Search: CPC H04L 63/126; H04L 63/1458. See application file for complete search history.

Primary Examiner: Hitesh Patel

Attorney, Agent, or Firm: Kilpatrick Townsend & Stockton LLP

ABSTRACT

A network gateway is implemented on behalf of a customer entity. The network gateway may be implemented using a distributed computer system and the network gateway may connect a network of the customer entity to a public communications network. The network gateway may include network-related services without the need for adding specialized hardware. The network gateway may be provisioned programmatically in response to instructions received from the customer entity. The network gateway may be provisionable and accessible over several different types of data connections. The network gateway, by virtue of being implemented on a distributed computer system, is scalable upon demand without additional input by the cus-

19 Claims, 9 Drawing Sheets

[FIG. 1 (Sheet 1 of 9): network configuration with the labels "Customer Entity", "Datacenter" and "Computing Resource Provider".]

[FIG. 2 (Sheet 2 of 9): network configuration with the labels "Customer Entity", "Server", "Computing Resource Provider", "Network Gateway", "Public Network" and "External User".]

[FIG. 3 (Sheet 3 of 9): network configuration with the labels "Computing Resource Provider", "Third-Party Network Service Provider" and "Cust. Entity".]

[FIG. 4A (Sheet 4 of 9): user interface page "Internet Connection Provisioning and Setup" with the sections "Set up your local network configuration to use the following addresses" (Gateway, Subnet Mask, Primary DNS), "Map public IP ranges to local hosts" and "Map subset of IP range to different regions" (US East, US West, Asia), and the buttons Reset, Finish and Cancel.]

[FIG. 4B (Sheet 5 of 9): user interface page "Internet Connection Services" with provider choices (Provider 1, Provider 2, each with a "more info" link) for DDoS Protection, Firewall and Spam Filter, a note under each service that the chosen provider's setup will be shown after Internet Connection Setup is complete, and the buttons Reset, Finish and Cancel.]
[FIG. 5 (Sheet 6 of 9): flowchart of process 500: Establish connectivity (502); Receive request to provision network gateway (504); Provision network gateway (506); Receive request to advertise user resource(s) (508); Configure network gateway to advertise resource(s) (510); Receive request to apply network-related services (512); Configure network gateway to apply requested network-related services (514).]

[FIG. 6 (Sheet 7 of 9): flowchart of process 600: Receive request to implement network-related service (602); Query for service implementation instructions and other implementation information (604); Receive service implementation instructions; Receive implementation information; Implement network-related service.]

[FIG. 7 (Sheet 8 of 9): flowchart of process 700: Receive information relevant to operation (702); Determine current capabilities in relation to received information (704); Determine whether optimization is necessary (706); Determine optimization plan (708); Identify resources capable of implementing optimization plan (710); Implement optimization plan (712).]

[FIG. 8 (Sheet 9 of 9): environment with the labels "Web Server" and "Application Server".]

INTELLIGENT NETWORK SERVICE PROVISIONING AND MAINTENANCE

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of U.S. patent application Ser. No. 13/461,596, filed May 1, 2012, issued to U.S. Pat. No. 9,450,967 on Sep. 20, 2016, and entitled "INTELLIGENT NETWORK SERVICE PROVISIONING AND MAINTENANCE", and incorporates by reference for all purposes the full disclosure of U.S. patent application Ser. No. 13/461,478, filed May 1, 2012, issued to U.S. Pat. No. 9,294,437 on Mar. 22, 2016, and entitled "REMOTELY CONFIGURED NETWORK APPLIANCES AND SERVICES", U.S. patent application Ser. No. 13/461,566, filed May 1, 2012, issued to U.S. Pat. No. 9,288,182 on Mar.
15, 2016, and entitled "NETWORK GATEWAY SERVICES AND EXTENSIONS", and U.S. patent application Ser. No. 13/461,661, filed May 1, 2012, issued to U.S. Pat. No. 9,438,556 on Sep. 6, 2016, and entitled "FLEXIBLY CONFIGURABLE REMOTE NETWORK IDENTITIES".

BACKGROUND

As an increasing number of applications and services are being made available over networks such as the Internet, customer entities and associated data are increasingly exposed to security threats such as unsolicited e-mail ("spam"), distributed denial of service (DDoS) attacks, trojans, worms, viruses, and the like. In order to alleviate such problems, customer entities, enterprise and otherwise, have turned to dedicated hardware that, in networking terms, is positioned topographically near to network ingress/egress points, to implement services such as spam control, firewalling, DDoS protection, and other services for protecting networks to enable the networks to function effectively. Such hardware is often expensive and difficult to properly configure, maintain and support. As such, the addition or maintenance of such hardware can often have a significant impact on an organization, possibly being disruptive and/or decreasing productivity. Additionally, hardware-based threat management solutions typically do not automatically scale their capabilities up and down based on demand, perceived threat level, and/or the like.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments in accordance with the present disclosure will be described with reference to the drawings, in which:

FIG. 1 illustrates an example of a network configuration that can be used in accordance with at least one embodiment;

FIG. 2 illustrates, from a customer's perspective, a network configuration used in accordance with at least one embodiment;

FIG. 3 illustrates, from a third party network-related service provider's perspective, a network configuration used in accordance with at least one embodiment;

FIG.
4A illustrates an example of a user interface (UI) that can be displayed to a customer entity where the customer entity may specify a configuration, various applications and services the customer entity wishes to use in accordance with at least one embodiment;

FIG. 4B illustrates an example of a user interface (UI) that can be displayed to a customer entity where the customer entity may specify a configuration, various applications and services the customer entity wishes to use in accordance with at least one embodiment;

FIG. 5 illustrates an example process for enabling access to a network and/or network-related services via a gateway in accordance with at least one embodiment;

FIG. 6 illustrates an example process for enabling third party network-related service providers to provide network-related services in accordance with at least one embodiment;

FIG. 7 illustrates an information flow chart for optimizing computing resources in accordance with at least one embodiment; and

FIG. 8 illustrates an environment in which various embodiments can be implemented.

DETAILED DESCRIPTION

Systems and methods in accordance with various embodiments of the present disclosure may overcome one or more of the aforementioned and other deficiencies experienced in conventional approaches to providing access to data in an electronic environment. In particular, various embodiments provide network connectivity and related services that enable customer entities to access a computing resource provider that provides one or more computing resources through computing resource services, such as Web services. For example, a customer entity may provision, through such computing resource service, a network connection configured with network-related services, such that the network-related services are implemented and provided to the customer entity utilizing the computing resources.
Computing resource services may include one or more computing resources accessible and/or provisionable across a network through an application programming interface (API), user interface (UI), or other interface where the one or more computing resources are scalable and expandable to provide the capacity needed for the customer entity or the implemented services.

In some embodiments, the network connection between the customer entity and the computing resources may be a direct or Intranet-like connection, such as a connection made via a fiber-optic link, twisted-pair copper cabling such as Category 5e, wireless protocol such as WiFi, or other connection linking the customer entity and computing resources over a local or wide-area network. In some embodiments, the network connection between the customer entity and the computing resources may occur over the Internet or similar public network, with or without the benefit of a data securing mechanism such as a Virtual Private Network (VPN) tunnel.

In some embodiments, the computing resources are further connected to the Internet or other communications network. Systems and methods in accordance with various embodiments provide the ability to provision and configure the computing resources to provide a network or Internet gateway (or other ingress and egress point for network traffic) to the connected customer entity. Some embodiments include the implementation, via the computing resources, of various network-related services provided to the customer entity via the network connection. Such network-related services, in some embodiments, serve to monitor, secure, filter, and/or protect the data retrieved (e.g., by the customer entity's request) from the Internet or other network by the computing resources, prior to further submitting the retrieved data to the requesting customer entity.
In some embodiments, the network-related services monitor, secure, filter and/or protect data sent by the customer entity prior to submitting such data over the Internet or other public network.

Some embodiments provide for the network-related services to be provided by third parties, i.e., entities that do not own, administer and/or control the computing resources that implement the network-related services. The third party network-related services, in some embodiments, include services such as distributed denial of service (DDoS) protection, firewall, spam control, data encryption, or similar network-related services. In some embodiments, such network-related services may include functionality ordinarily implemented in a physical network appliance, such as a physical firewall device. In some embodiments, the implementation of the services may be handled through an API, UI, or other interface.

Systems and methods in accordance with various embodiments provide the ability to intelligently provision, scale and maintain the network-related services and/or the network or Internet gateway implemented using the computing resources. For example, in some embodiments, provisioning of the gateway and/or network-related services is computer-implemented and programmatic in nature, via APIs. Similarly, in some embodiments, the gateway and/or network-related services have programmatically-implemented external and/or internal monitoring in place and maintenance, service requests, and the like are all performed programmatically (or otherwise automatically) to the greatest extent possible. In some embodiments, upon a change in demand, systems and/or methods are in place for determining whether a greater or lesser level of computing resources is necessary to perform the gateway and/or network-related services, determining what specific computing resources are necessary to address the change in demand, then scaling, transparently to the customer entity,
the level of computing resources allocated to implementing the gateway and/or network-related services.

Various other applications, functions, and advantages are presented below with respect to the various embodiments. It should be understood that the description and figures provide a number of examples, but the alternatives and variations possible within the scope of the various embodiments are not fully described. Alternatives and variations, however, would be apparent to one of ordinary skill in the art in light of the teachings and suggestions contained herein.

FIG. 1 illustrates an example of a network configuration 100 for implementing aspects in accordance with various embodiments. In this example, a customer entity 102 is connected through a network 104 to access a computing resource provider 106. At least one host or server 106 is further connected through a second network 108 to a public network 110.

In some embodiments, the customer entity 102 may comprise one or more datacenters 112, each having therein one or more networks of computing resources. However, it is appreciated that a customer entity may comprise a single workstation, a cluster of workstations, a single server, a cluster of servers, a datacenter, multiple datacenters (as illustrated), a distributed computing resource, or any level of complexity in between. The customer entity may have one Internet address, multiple Internet addresses, or entire Internet address ranges (e.g., Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) address blocks) that it wishes to allocate to a particular division of its network infrastructure. For example, such division may depend upon a server's use as a web server or application server, on the geographic location of a remote user requesting services resident on the customer entity's servers, and/or the need for balancing load across disparate customer entity servers.
In some embodiments, the network 104 comprises one or more devices for connecting the customer entity 102 and the computing resource provider 106. The connection may occur over a public network such as the Internet, and may or may not involve a securing mechanism such as a virtual private network tunnel. In an exemplary embodiment, the connection occurs over a private network or a direct connection. Such a direct connection may occur via fiber-optic cabling, copper cabling, or wireless transmissions (such as WiFi, by satellite link, over a cellular or mobile data network such as GSM, LTE, EVDO, CDMA, WiMax, WiBro and the like), or by any other appropriate connection type. The network may be multiplexed for speed or redundancy (i.e., distributed over multiple constituent networks or connections), or consummated via a single point-to-point topology.

In some embodiments, the computing resource provider 106 comprises at least one host or server 114. In an embodiment, the computing resource provider includes several commodity servers configured in a distributed system. The distributed system, in part or whole, is configured to operate as a network gateway 116 for the connected customer entity. The network gateway 116 serves as an ingress/egress point for data retrieved from and/or sent to external hosts on, e.g., the Internet 110 via the second network 108. The second network may be a connection or connections of any suitable type. Thus, in an embodiment, the computing resource provider and distributed system operates as a remote network gateway for a connected customer entity.
In embodiments where the customer entity comprises a computing resource provisioned from the same computing resource provider that spawned the network gateway, the network connection 104 may be virtual rather than physically manifested.

In some embodiments, computing resources of the computing resource provider 106 are configurable by the customer entity and/or the computing resource provider to extend the implemented network gateway 116 with network-related services 118. Such network-related services include distributed denial of service (DDoS) attack prevention and mitigation, data firewalling, e-mail spam control, data encryption, and other services for managing and/or manipulating network traffic. The network-related services may be of the computing resource provider's own design, or may be developed and/or implemented by a third party. It will be appreciated that such third-party network-related services as implemented using the computing resource provider provide, in some embodiments, similar functionality to that of hardware devices implementing network-related services of like kind, without need for the customer entity to own, maintain, or otherwise provision such hardware devices. In accordance with an embodiment, the network-related services may monitor, alter, augment, or selectively reject data, in part or whole, passing between the customer entity and the public network through the implemented network gateway.

FIG. 2 illustrates, from a customer entity's perspective, an example of a network configuration 200 for implementing aspects of various embodiments. The network configuration 200 may incorporate aspects of the previously described network configuration 100. In an embodiment, the customer entity 202 connects through the network 204 to access computing resource provider 206.
Computing resource provider 206 is further connected through a second network 208 to a public network 210, which in turn is connected to external users 212. External users may include end user computing devices, web servers, and hosts connected to the Internet or other suitable communications network. In some embodiments, the computing resource provider is configured to operate as a network gateway 214 that serves as an ingress and egress point for data retrieved from and/or sent to external users 212 via the public network 210, e.g., the Internet. In some embodiments, the customer entity may comprise a portion of the computing resources of the computing resource provider, rather than a physically separate entity. For example, in an embodiment, the customer entity has control over a portion of the computing resources of the computing resource provider, and wishes to use a network gateway, implemented using similar computing resources of the same computing resource provider, to connect the computing resources under its control to the Internet.

As previously mentioned, in an embodiment, the customer entity 202 may have servers 216 serving different purposes, such as web servers, storage servers or application servers. As may be appreciated, the customer entity may wish to advertise the availability of such servers to different subsets of external users 212 on a variety of criteria, including but not limited to geographic location, latency, available bandwidth, corresponding region, or the security credentials of the requesting external user.
Toward this end, when connected to the computing resource provider 106, the customer entity may provide public identifiers, such as an IPv4 or IPv6 address or a range of such addresses, to the computing resource provider to advertise to external users on the customer entity's behalf. The customer entity may specify, in any combination, the server or servers, or any portion of functionality implemented by the server or servers, to which a given public identifier or identifiers maps. In some embodiments, the computing resource provider detects various operating parameters of an external user or users connected to the computing resource provider over the Internet, and subsequently advertises the customer entity-specified identifier range to the external user as appropriate. For example, if the customer entity specifies that one cluster of servers bears a given identifier and specifies to the computing resource provider that all external users in a specific geographic area connect to that cluster of servers by default, the computing resource provider routes connected external users accordingly. As another example, if the customer entity comprises a portion or instance of the computing resources of the computing resource provider, the customer entity may specify that a given computing resource under its control be made available to a specific subset of external users. The external users may be related to the customer entity, the computing resource provider, both, or neither.

FIG. 3 illustrates, from a third party service provider perspective, an example of a network configuration 300 for implementing aspects in accordance with various embodiments.
Network configuration 300 may, in some embodiments, be analogous to previously described network configurations 100 and 200. In some embodiments, third party service provider 302 connects through network 304 to computing resource provider 306. Computing resource provider 306 is further connected through a network or networks 308 to a customer entity or customer entities 310. In some embodiments, the customer entity or customer entities utilize the computing resource provider as a network gateway 312 as previously described. In some embodiments, as previously discussed, the computing resource provider is configurable to extend the implemented network gateway with network-related services 314, which may be of the computing resource provider's own design or that of a third party. Such services, as mentioned, include distributed denial of service (DDoS) attack prevention and mitigation, data firewalling, e-mail spam control, data encryption, and other services of like kind. In embodiments where third parties provide the network-related services, such services may reside upon the third party service provider's hardware and accessed by the computing resource provider over the network 304 through an interface, such as an API or web service, or preferably, implemented by the computing resource provider itself. Such an approach realizes the benefits of the computing resource provider, e.g., scalability, level of support, low latency relative to connected customer entities 310, and so forth.
In addition, the third party service provider benefits from decreased overhead and wider public acceptance and implementation, thereby increasing revenue. In some embodiments, the customer entity may request the network-related services directly through the third party service provider, e.g., by a network connection 316, while utilizing the computing resource provider as a network gateway as previously described.

In some embodiments where the computing resource provider implements the network-related services, the third party service provider provides the computing resource provider with algorithms in the form of code executable by computing resources of the computing resource provider to effect the service, as well as any data or metadata required to enable the computing resource provider to develop, implement and market the instant service. In an embodiment, the network-related service may run as a separate virtual computer system instance upon the computing resource provider's hardware and is called upon by network gateway upon request. In some embodiments, the computing resource provider provides a software development kit (SDK) or similar, thus enabling anyone with access to the SDK, for example the third party service provider, to develop code and algorithms, e.g., plugins, that are inherently compatible with the computing resource provider's architecture.
For example, the computing resource provider exposes an SDK to a third party service provider, who then develops a plugin implementing a network-related service. However, it is contemplated that any code executable by the computing resources may be used, regardless of whether such code was developed using a computing resource provider-provided SDK or similar framework. Upon submission of the plugin to the computing resource provider, in some embodiments, the computing resource provider makes the plugin available to customer entities 310 that desire the implemented network-related service. Upon a customer entity's request for the network-related service, the plugin is activated, thereby extending the network gateway with the network-related service's functionality, and data is processed by the computing resources implementing the one or more algorithms comprising the network-related service. It will be appreciated that such an implementation is extensible to as many requesting customer entities as the computing resource provider is capable or willing to support.

A customer entity can be provided with an application and/or interface that allow the customer entity to access and utilize various aspects of the present disclosure. FIGS. 4A and 4B illustrate an example of a user interface (UI) 400 that can be displayed to a customer entity where the customer entity may specify and configure the services the customer entity wishes to use. In this example, a two-step interface is shown, with a provisioning page 402 as shown in FIG. 4A, followed by a service selection page 404 as shown in FIG. 4B. It should be noted, however, that the UI shown in FIGS. 4A and 4B are provided for the purpose of illustration and that various other types of interfaces are considered as being within the scope of the present disclosure. For example, the UI may be graphical as shown in FIGS. 4A and 4B, but have substantially different elements, graphical design, or user interaction design.
As a further example, the UI may be a command line interface.

An authorized user of a customer entity, wherein the customer entity may, for example, be a similar customer entity as customer entities 102, 202, and 310, can be provided with an application and/or interface that allow the authorized user to access and utilize various aspects of the present disclosure. FIGS. 4A and 4B illustrate an example of a user interface (UI) 400 that can be displayed to an authorized user where the authorized user may configure and specify the services the customer entity wishes to use. In this example, a network gateway provisioning UI 402 is shown in FIG. 4A, and a service selection UI 404 is shown in FIG. 4B. The network gateway provisioning UI and the service selection UI may be part of the same user interface workflow, or alternatively, may be separate workflows. In some embodiments, the network gateway provisioning UI is provided by a computing resource provider that implements the gateway to be provisioned. The service selection UI may be provided by the gateway-implementing computing resource provider, a third party providing the network-related service, or any other appropriate entity.

On the network gateway provisioning UI, the authorized user is provided with user-selectable UI elements 406-410 enabling the authorized user to select network gateway and connection provisioning options, as well as view important local configuration information. In this example, a number of options are visible, including implementing a network gateway and displaying configuration information 406, the option to map specific public identifiers to customer entity hosts 408, and the option to further refine the mapping of the subset of identifiers to specific regions of external users 410. Various embodiments may have different combinations and/or different types of provisioning options not shown here.
In addition, it is contemplated that after provisioning is complete, an authorized user may return to a similar UI or UIs to adjust selected options, view configuration information, or any other appropriate task.

On the service selection UI, the authorized user is provided with user-selectable UI elements 412-416 enabling the authorized user to select from a number of available network-related services that the customer entity may wish to apply to their provisioned connection and/or network gateway. In this example, a number of services are available for selection, including DDoS mitigation 412 for preventing and/or mitigating DDoS attacks upon the customer entity, firewalling 414 that allows the authorized user to configure criteria for filtering, rejecting or passing data, and a spam filter 416 for monitoring e-mail and rejecting unsolicited, dangerous and/or unwanted e-mail. In some embodiments, a computing resource provider furnishes the page and displays one or more available service providers, including third party providers, for each service type to be presented for selection by the authorized user. In some embodiments, a service provider furnishes the UI and enables selection of one or more service types and/or services. Such selections may have contextual information that is viewable through a more info link to an informational popup or other techniques for conveying such information. For selected services requiring further configuration by the authorized user, appropriate UIs for configuring the services may be embedded into the service selection page, presented sequentially as separate pages after the selections, or in another fashion a skilled practitioner would consider. In addition, it is contemplated that after service selection is complete, an authorized user may return to a similar UI or UIs to adjust selected options, view configuration information, or any other appropriate task.

FIG.
5 illustrates an example of a customer entity […]ated process 500 for enabling access to one or more networks via one or more computing resources in a distributed system in accordance with some embodiments. Some or all of the process 500 (or any other processes described herein, or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) executing collectively on one or more processors, by hardware, or combinations thereof. The code may be stored on a computer-readable storage medium, for example, in the form of a computer program comprising a plurality of instructions executable by one or more processors. The computer-readable storage medium may be non-transitory. In an embodiment, the process 500 is performed by a computing resource provider, such as the computing resource provider described above in connection with FIG. 1. However, it should be noted that the process 500 may be performed by any suitable device or collectively by any suitable set of devices.

In the illustrated example process, a customer entity establishes connectivity with a computing resource provider 502. A customer entity may establish connectivity using any appropriate device or technology that permits data to pass between the customer entity and the computing resource provider. For example, the connectivity established can be a direct connection, as previously mentioned. In some embodiments, the connectivity may be established over a public network such as the Internet, either unsecured or secured. Secured connectivity, for example, may be established using, and subsequent to the verification of, a set of security credentials for accessing the computing resource provider.
The security credentials may include a certificate or shared secret key (e.g., asymmetric keys such as RSA keys, symmetric keys). In some embodiments, the connectivity established may be programmatic in nature, e.g., if the customer entity requests connectivity between instances of the same distributed computing resource.

In this example, once connectivity has been established, upon receiving a request from the customer entity to provision a network gateway 504, a network gateway is provisioned using the distributed system of computing resources 506 with which the customer entity established a connection in step 502, thereby further connecting the customer entity to a second network. As previously mentioned, for example in connection with the UI illustrated in FIGS. 4A and 4B, such a request may be received through an API, a UI, or any other appropriate type of interface or service. Thereafter, also as previously mentioned in connection with FIG. 1, the gateway is provisioned using available computing resources and in some embodiments, the provisioned gateway serves as the customer entity's egress and ingress point to a public network, such as the Internet, connected to the computing resources. The request to provision the network gateway may occur by any method, including a query via a user interface, via an API call, or by any other appropriate interface type. Such a request may originate from any associated party, including the connected customer entity and the computing resource provider.

Upon receiving a request from the customer entity to advertise a public identifier such as an IPv4 or IPv6 address on behalf of a customer entity's resources based on customer entity-specified criteria 508, the provisioned gateway is configured to route external users (e.g., Internet users) meeting those criteria to the customer entity's host or hosts mapped to the public identifier 510.
For example, the computing resource provider may divide its computing resources into regions. The regions may be divided according to one or more criteria and/or characteristic(s) of the connecting external users or of the resources of the computing resource provider, the criteria and/or characteristic(s) including but not limited to geographic location, performance capabilities such as throughput or latency, uptime, availability, security capabilities, or other logical groupings. Furthermore, the regions may consist of multiple subregions that are grouped along similar criteria and/or characteristic(s). External users connecting to a computing resource or resources corresponding with one of the regions may be routed, for example, to the customer entity-provided public identifier associated with a customer entity web server dedicated to serving the aforementioned region. Such routing may occur over any appropriate medium and in any appropriate manner, including but not limited to an IPSec tunnel. The customer entity resource may be manifested as a host, physical server, multiple servers, a portion of a server, a portion of a distributed system, a type of computing functionality (e.g., a given Web service), or any other mechanism for sending, storing, processing and/or receiving data. Such resources may be a computing resource provider's resources, an instance thereof, or alternatively, local to the customer entity. The request to advertise customer entity's resources may occur by any method, including but not limited to a query via a user interface, via a web service and/or via an API call. Such a request may originate from any associated party, including the connecting customer entity and the computing resource provider.

Upon receiving a customer entity's request to apply network-related services 512, the computing resources are configured to apply the selected network-related services to data passing through the computing resources and/or implemented network gateway 514.
As mentioned, for example in connection with FIG. 3, such services may have been developed by any party (e.g., a third party) and may be available to the computing resources and/or implemented network gateway in any manner, including but not limited to retrieval from a remote server through a network (such as a server under the control of a third party network service provider), from storage local to the computing resources, and/or held in random-access memory (RAM). It is contemplated that the services may be provided by and/or implemented using resources of either a third party network service provider or the computing resource provider. As one example, a third party network service provider may implement such services upon an instance or subset of resources provided by the computing resource provider but under the control of the third party network service provider. In this example, since the network gateway is the customer entity's Internet ingress and egress point, all data is subject to the implemented network-related services. However, embodiments are contemplated where only a subset of network traffic is subjected to the network-related services, or different network-related services are configured to treat disparate streams of data. The determination of which data apply to which services, as well as the level and nature of traffic subject to a given service, may be determined by any appropriate process, whether automatic or manual, and either by the customer entity or computing resource provider.

FIG. 6 illustrates an example of process 600 for providing access to a set of network-related services in accordance with some embodiments. Such network-related services may be implemented, for example, as discussed in connection with FIG. 3. In the example illustrated in the present FIG. 6, a network-related service provider requests implementation of a network-related service by a computing resource provider 602.
Such a request may be manifested by any appropriate process, including but not limited to submission over a network or by local request, and via a UI, e-mail, or programmatic techniques such as APIs or Web services. Upon receiving the request, the computing resource provider queries the service provider for service implementation details 602 and additional implementation information 604, if necessary. In turn, the service provider submits (and the computing resource provider receives) the service implementation details 606 and the requested additional implementation information 608. The queries and submissions may be transmitted via the same or different channels or methods as the initial request. The received data (i.e., the service implementation details and additional implementation information) may be in any form appropriate to the specific implementation of the process, including but not limited to source code, binaries, pseudocode or in the form of a markup language different from that required or used by the final implementation. Such data may include an encoding or other manifestation of at least one algorithm related to the network-related service. As mentioned, the received data may be in the form of "ready-to-run" code, such as a "plugin" implemented with or without the benefit of a computing resource provider-provided SDK.

In this example, once the requisite data has been received by the computing resource provider, the computing resource provider implements the network-related service using one or more computing resources connected to at least one network 610, thereby making it available over the at least one network to customer entities wishing to use the service. Implementation may take many forms, including standalone availability as a Web service, availability in conjunction with a network gateway as previously discussed in connection with at least FIG. 3, or as a download over a network. The network may be private (e.g.,
VPN, Intranet, or direct connection) or public (e.g., Internet).

As will be appreciated, the steps outlined herein may occur as a discrete sequence, or multiple steps may be combined into a single action. For example, a single Web service call to publish a network-related service may include the request, the query, and the submission as a single step. In some embodiments, a network-related service provider may perform the steps through a user interface. In some embodiments, the network-related service provider and the computing resource provider are the same.

FIG. 7 illustrates an example of process 700 for optimizing a network-related service using a distributed or shared computing resource. For example, the resource receives information relevant to the operation of a network-related service implemented on the resource 702. In some embodiments, network-related services include a network gateway as discussed in connection with FIGS. 1 and 2, and/or other network-related services as discussed in connection with FIG. 3. The operational information may be determined by external monitors, from reports by the customer entity, or by the computing resource itself. The information can include, but is not limited to, network bandwidth, processing load, data storage requirements, and the like. Such information may be received periodically, continuously, or sporadically (e.g., as the result of an external monitor detecting a condition requiring action). The resource then determines its current capabilities in relation to the received information 704. Such a determination may be triggered by the receipt of information in step 702, or in an alternative embodiment, independent and/or continuous and therefore unrelated to the receipt of information in step 702.

Based on the information received in steps 702 and 704, the resource then determines whether optimization of the network-related service's implementation is necessary 706.
As will be contemplated, the determination may occur based on one of multiple criteria as previously discussed. If the resource determines that optimization is necessary in step 706, the resource determines an optimization plan 708. The optimization plan may take one of several forms. For example, if network traffic exceeds the computing resource's ability to process it in light of implemented network-related services, the resource may determine that additional computing resources are necessary, and thus the implementation plan may be a workflow for adding the requisite resources. Conversely, if the resource determines that the available computational reserve is disproportionately large relative to that of other uses or instances of the resource, the resource may determine what resources may safely be released for other uses. In some embodiments, where the information gathered in steps 702 and 704 indicate a lapse in functionality, the optimization plan may include steps to temporarily restore functionality (e.g., by finding an appropriate resource to bypass the failed or poorly performing component) and, in some embodiments, alert a technician. In some embodiments, a resource comprises disparate functional units with differing capabilities, and thus the resource must determine what constituent resources are best able to implement the optimization plan 710. Upon determining the appropriate resources necessary to implement the plan, the resource executes or implements the plan 712 upon the constituent resource or resources determined in step 710. As previously mentioned, in some embodiments, the implementation may involve scaling the level of resources committed up or down, changing the type of some or all of the allocated resources to a more applicable or optimal type, temporarily "failing over" to the determined resources and using the determined resources to kick off a remediation plan (e.g.,
automatically submitting a problem report such that a technician is alerted), and/or suspending the service entirely.

FIG. 8 illustrates an example of an environment 800 for implementing aspects in accordance with various embodiments. As will be appreciated, although a Web-based environment is used for purposes of explanation, different environments may be used, as appropriate, to implement various embodiments. The environment includes an electronic client device 802, which can include any appropriate device operable to send and receive requests, messages, or information over an appropriate network 804 and convey information back to a user of the device. Examples of such client devices include personal computers, cell phones, handheld messaging devices, laptop computers, set-top boxes, personal data assistants, electronic book readers, and the like. The network can include any appropriate network, including an intranet, the Internet, a cellular network, a local area network, or any other such network or combination thereof. Components used for such a system can depend at least in part upon the type of network and/or environment selected. Protocols and components for communicating via such a network are well known and will not be discussed herein in detail. Communication over the network can be enabled by wired or wireless connections, and combinations thereof. In this example, the network includes the Internet, as the environment includes a Web server 806 for receiving requests and serving content in response thereto, although for other networks an alternative device serving a similar purpose could be used as would be apparent to one of ordinary skill in the art.

The illustrative environment includes at least one application server 808 and a data store 810. It should be understood that there can be several application servers, layers, or other elements, processes, or components, which may be chained or otherwise configured, which can interact to perform tasks such as obtaining data from an appropriate data store. As used herein the term "data store" refers to any device or combination of devices capable of storing, accessing, and retrieving data, which may include any combination and number of data servers, databases, data storage devices, and data storage media, in any standard, distributed, or clustered environment. The application server can include any appropriate hardware and software for integrating with the data store as needed to execute aspects of one or more applications for the client device, handling a majority of the data access and business logic for an application. The application server provides access control services in cooperation with the data store, and is able to generate content such as text, graphics, audio, and/or video to be transferred to the user, which may be served to the user by the Web server in the form of HTML, XML, or another appropriate structured language in this example. The handling of all requests and responses, as well as the delivery of content between the client device 802 and the application server 808, can be handled by the Web server. It should be understood that the Web and application servers are not required and are merely example components, as structured code discussed herein can be executed on any appropriate device or host machine as discussed elsewhere herein.

The data store 810 can include several separate data tables, databases, or other data storage mechanisms and media for storing data relating to a particular aspect.
For example, the data store illustrated includes mechanisms for storing production data 812 and user information 816, which can be used to serve content for the production side. The data store also is shown to include a mechanism for storing log data 814, which can be used for reporting, analysis, or other such purposes. It should be understood that there can be many other aspects that may need to be stored in the data store, such as for page image information and to access right information, which can be stored in any of the above listed mechanisms as appropriate or in additional mechanisms in the data store 810. The data store 810 is operable, through logic associated therewith, to receive instructions from the application server 808 and obtain, update, or otherwise process data in response thereto. In one example, a user might submit a search request for a certain type of item. In this case, the data store might access the user information to verify the identity of the user, and can access the catalog detail information to obtain information about items of that type. The information then can be returned to the user, such as in a results listing on a Web page that the user is able to view via a browser on the user device 802.
Information for a particular item of interest can be viewed in a dedicated page or window of the browser.

Each server typically will include an operating system that provides executable program instructions for the general administration and operation of that server, and typically will include a computer-readable medium storing instructions that, when executed by a processor of the server, allow the server to perform its intended functions. Suitable implementations for the operating system and general functionality of the servers are known or commercially available, and are readily implemented by persons having ordinary skill in the art, particularly in light of the disclosure herein.

The environment in one embodiment is a distributed computing environment utilizing several computer systems and components that are interconnected via communication links, using one or more computer networks or direct connections. However, it will be appreciated by those of ordinary skill in the art that such a system could operate equally well in a system having fewer or a greater number of components than are illustrated in FIG. 8. Thus, the depiction of the system 800 in FIG. 8 should be taken as being illustrative in nature, and not limiting to the scope of the disclosure.

The various embodiments further can be implemented in a wide variety of operating environments, which in some cases can include one or more user computers, computing devices, or processing devices which can be used to operate any of a number of applications. User or client devices can include any of a number of general purpose personal computers, such as desktop or laptop computers running a standard operating system, as well as cellular, wireless, and handheld devices running mobile software and capable of supporting a number of networking and messaging protocols.
Such a system also can include a number of workstations running any of a variety of commercially-available operating systems and other known applications for purposes such as development and database management. These devices also can include other electronic devices, such as dummy terminals, thin-clients, gaming systems, and other devices capable of communicating via a network.

Most embodiments utilize at least one network that would be familiar to those skilled in the art for supporting communications using any of a variety of commercially-available protocols, such as TCP/IP, OSI, FTP, UPnP, NFS, CIFS, and AppleTalk. The network can be, for example, a local area network, a wide-area network, a virtual private network, the Internet, an intranet, an extranet, a public switched telephone network, an infrared network, a wireless network, and any combination thereof.

In embodiments utilizing a Web server, the Web server can run any of a variety of server or mid-tier applications, including HTTP servers, FTP servers, CGI servers, data servers, Java servers, and business application servers. The server(s) also may be capable of executing programs or scripts in response to requests from user devices, such as by executing one or more Web applications that may be implemented as one or more scripts or programs written in any programming language, such as Java, C, C# or C++, or any scripting language, such as Perl, Python, or TCL, as well as combinations thereof. The server(s) may also include database servers, including without limitation those commercially available from Oracle®, Microsoft®, Sybase, and IBM.

The environment can include a variety of data stores and other memory and storage media as discussed above. These can reside in a variety of locations, such as on a storage medium local to (and/or resident in) one or more of the computers or remote from any or all of the computers across the network.
In a particular set of embodiments, the information may reside in a storage-area network ("SAN") familiar to those skilled in the art. Similarly, any necessary files for performing the functions attributed to the computers, servers or other network devices may be stored locally and/or remotely, as appropriate. Where a system includes computerized devices, each such device can include hardware elements that may be electrically coupled via a bus, the elements including, for example, at least one central processing unit (CPU), at least one input device (e.g., a mouse, keyboard, controller, touch screen, or keypad), and at least one output device (e.g., a display device, printer or speaker). Such a system may also include one or more storage devices, such as disk drives, optical storage devices, and solid-state storage devices such as random access memory ("RAM") or read-only memory ("ROM"), as well as removable media devices, memory cards, flash cards, etc.

Such devices also can include a computer-readable storage media reader, a communications device (e.g., a modem, a network card (wireless or wired), an infrared communication device, etc.), and working memory as described above. The computer-readable storage media reader can be connected with, or configured to receive, a computer-readable storage medium, representing remote, local, fixed, and/or removable storage devices as well as storage media for temporarily and/or more permanently containing, storing, transmitting, and retrieving computer-readable information. The system and various devices also typically will include a number of software applications, modules, services, or other elements located within at least one working memory device, including an operating system and application programs, such as a client application or Web browser. It should be appreciated that alternate embodiments may have numerous variations from that described above.
For example, customized hardware might also be used and/or particular elements might be implemented in hardware, software (including portable software, such as applets), or both. Further, connection to other computing devices such as network input/output devices may be employed.

Storage media and computer readable media for containing code, or portions of code, can include any appropriate media known or used in the art, including storage media and communication media, such as but not limited to volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage and/or transmission of information such as computer readable instructions, data structures, program modules, or other data, including RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a system device. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will appreciate other ways and/or methods to implement the various embodiments.

The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that various modifications and changes may be made thereunto without departing from the broader spirit and scope of the invention as set forth in the claims.

Other variations are within the spirit of the present disclosure. Thus, while the disclosed techniques are susceptible to various modifications and alternative constructions, certain illustrated embodiments thereof are shown in the drawings and have been described above in detail.
It should be understood, however, that there is no intention to limit the invention to the specific form or forms disclosed, but on the contrary, the intention is to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of the invention, as defined in the appended claims.

All references, including publications, patent applications, and patents, cited herein are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety here.

The use of the terms "a" and "an" and "the" and similar referents in the context of describing the invention (especially in the context of the following claims) are to be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The terms "comprising," "having," "including," and […] are to be construed as open-ended terms (i.e., "including, but not limited to,") unless otherwise noted. The term "connected" is to be construed as partly or wholly contained within, attached to, or joined together, even if there is something intervening. Recitation of ranges of values herein are merely intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein, and each separate value is incorporated into the specification as if it were individually recited herein. All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context.
The use of any and all examples, or exemplary language (e.g., "such as") provided herein, is intended merely to better illuminate embodiments of the invention and does not pose a limitation on the scope of the invention unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the invention.

Preferred embodiments are described herein, including the best mode known to the inventors for carrying out various embodiments. Variations of those preferred embodiments may become apparent to those of ordinary skill in the art upon reading the foregoing description. The inventors expect skilled artisans to employ such variations as appropriate, and the inventors intend for the invention to be practiced otherwise than as specifically described herein. Accordingly, this invention includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the invention unless otherwise indicated herein or otherwise clearly contradicted by context.

What is claimed is:

1. A computer-implemented method for enabling access to one or more networks, comprising:
establishing, by one or more computer systems configured with executable instructions, a network connection with at least one private customer entity network, the network connection comprising a direct physical connection between the private customer entity network and the one or more computer systems, the private customer entity network comprising
a plurality of connected computing resources;
receiving, over the network connection, a request to connect to a public network with respect to the private customer entity network;
provisioning, by the one or more computer systems, a virtual computer system instance as a network gateway to connect the at least one private customer entity network to the public network via the provisioned virtual computer system instance;
assigning a public internet protocol address to the virtual computer system instance, wherein the public internet […] computing resource of the plurality of connected computing resources of the private customer entity network; and
advertising the public internet protocol address to a public network as being associated with the private customer entity network, such that internet traffic directed to the private customer entity network at the public internet protocol address is received by the virtual computer system instance and routed to the at least one private customer entity network via the network connection over the direct physical connection.

2. The computer-implemented method of claim 1, further comprising:
receiving, over the network connection, a publication request from the private customer entity network to advertise at least one resource under control of the private customer entity network; and
advertising the at least one resource as being associated with the public internet protocol address.

3. The computer-implemented method of claim 2, wherein the internet traffic is processed by the virtual computer system instance in accordance with at least one service implemented on the virtual computer system.

4. The computer-implemented method of claim 1, wherein the one or more computer systems is further configured to provide a user interface for remote management or provisioning or reconfiguration of the network gateway to the at least one private customer entity network.

5.
One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computing resource provider's computer system, cause the computer system to at least:
receive, from at least one private customer entity network via a direct physical connection between the at least one private customer entity network and the computing resource provider's computer system, a request to make available at least one resource operated by the at least one private customer entity network via a public network, the at least one resource being one of a plurality of connected computing resources of the at least one private customer entity network; and
provision a virtual computer system instance as a network gateway to connect the at least one resource operated by the at least one private customer entity network to the public network via the virtual computer system;
assign a public identifier to the virtual computer system instance;
advertise the public identifier as being associated with the at least one resource of the plurality of connected computing resources operated by the at least one private customer entity network; and
operate, on behalf of the at least one private customer entity network, the network gateway to serve as a public network access point for the at least one resource operated by the at least one private customer entity network such that traffic received by the network gateway in relation to the public identifier is routed to the private customer entity network via the direct physical connection.

[…] storage media of claim 8, wherein traffic originating from at least one external user connected to the public network is directed to the virtual computer system instance when requesting access to the at least one resource.

7.
The one of more non-ransitory computer-readsble storage media of elaim 5, wherein the roquest is received hy thea least one private cestomer entity network invoking 2a application programming interface provide by the compul- ing resource provider '8. The one of more non-tramsitory computer-readable storage medio of claim 5, wherein the executable intrue- tions farther cause the computer system f0 at leas: receive code for implementing at least one networks related services from a third party’ and ‘execute, upon selection by the atleast one private cuss tomer entity network of the atleast one newtork-related services, the received code via the virtual computer system instance 9. The one of more non-trnsitory computer-readuble storage modia of claim 8, whorein the received code is ‘excctted on setwork rafic received at the network gateway. 10, The one of more non-irnsitory computer-eadable storage media of claim 5, further including executable instructions that, when executed by the one oF more proces: sors ofthe computing resource provider’s computer systen Jurther cause the computer system to at leas ‘determine a demand associated with atleast one resource ‘operated by the at least one private customer entity network; and configure the virtual computer system instance in sooo dance with the determined demand. 1. The one oF more non-irnsitory computer-eadable storage media of elaim 10, wherein configuring the viral ‘computer system instance in accordance with the determined demand comprises asyning more or ess computer resourees to the virtual compar system instance 12, The one of more non-ransitory computer-eadable storage media of claim 8, wherein the at last one resource js accessed via an endpoint in a private network of the at ast one private customer entity network. 13. 
A computer system for enabling public access to one ‘or mor: private networks, comprising: fone oF more processors: and ‘memory, inluding insirucions executable by the one oF ‘more processors to cause the computer system Wat Teast receive, from 9 customer entity network device con- ‘ected 10 the computer system through a direst physical connection t a private customer entity network, request for connectivity to a public com 0 18 munications network, the request including an ind cation of at lest one serviee to apply to newwork trac flowing to or from the private customer entity network, the private customer entity network com- prising plurality of connected computing resources that are connected ta the customer entity network device: instantiate vet computer system instance to set as {network gateway f0 the public communications network on behalf of the private customer entity network: assign a publi ‘advertise the public identifier as being associated with the customer enlily aetwork device in the public ‘communications network: and ‘manage network trallic from the public communiea- tions newwork received atthe virtual computer sys tem instance, such that at least a portion of the network wafic is routed to the private customer “entity network va the direct physical connection and subjected to the at least one service. 14, The computer system of elaim 13, wherein the request submitted by the customer entity network deviee further comprises at least one resource of the private customer tenlty network 4 be made available vi the public eomnn- ications nework 18. The computer system of claim 13, wherein the com- puter system extends atleast one capability ofthe viral ‘computer system instance with at least one network-elated service requested by the customer enity network device. 
16, The computer system of clsim 13, wherein network ‘ral received at the Virtual computer system instance from at least one extemal entity via the publi communications network is routed fo a resouree of the private customer cnlity netsvor, 17. The computer system of claim 13, wherein advertising the public ideattier as being associated with the customer entity network device comprises advertising the public iden- tier as being associated with at least one resource under ‘control of the private customer entity network. 18, The computer system of claim 13, wherein a pro soning request is received by the computer system via the iret physical connection with the private eustomer entity network. 19, The computer system of claim 18, wherein the receive request inclndes a selection ofa particular service provider for implementing at least one network-elated identiie tothe viral computer system
