US 12,381,878 B1
Architecture for selective use of private paths between cloud services
Kshitij Gupta, Seattle, WA (US); Prashant Kumar Singh, Seattle, WA (US); Robert Laks, Seattle, WA (US); Ravi S Nagayach, Aurora, IL (US); and Dharani Sankar Vijayakumar, Palo Alto, CA (US)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Jun. 27, 2023, as Appl. No. 18/342,624.
Int. Cl. H04L 61/4511 (2022.01); H04L 9/40 (2022.01)
CPC H04L 63/10 (2013.01) [H04L 61/4511 (2022.05); H04L 63/101 (2013.01); H04L 63/108 (2013.01); H04L 63/126 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system comprising:
a cloud provider network in communication with a public internet;
an on-demand code execution service comprising a first set of one or more computing devices within a virtual private cloud of the cloud provider network, wherein the on-demand code execution service is configured to provide on-demand execution of function code;
a plurality of network-based services comprising a second set of one or more computing devices configured to provide computing services via both the cloud provider network and the public internet; and
an endpoint manager configured to provide an opt-in option for a private path to the plurality of network-based services via private internet protocol (IP) addresses not accessible via the public internet, wherein the endpoint manager comprises a third set of one or more computing devices configured to:
receive, from a function invoker, a first request to opt-in to the private path for communications from functions invoked by the function invoker on the on-demand code execution service;
receive, from the function invoker, a second request to invoke a function;
determine, based on the first request to opt-in to the private path, that all communications initiated by the invoked function to a network-based service of the plurality of network-based services are to remain within the cloud provider network until the communications reach the network-based service via the private IP addresses; and
configure the on-demand code execution service to:
execute code associated with the invoked function within a virtual execution environment of the on-demand code execution service; and
route a communication, initiated by the invoked function executing in the virtual execution environment and destined for the network-based service, to a virtual private cloud endpoint associated with the on-demand code execution service, wherein the virtual private cloud endpoint is configured to route the communication to the network-based service only via the private IP addresses such that the communication does not travel over the public internet.
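The routing decision of claim 1, modelled as an added Python example. This is illustrative code written for this page, not Amazon's implementation and not code from the patent; every name in it (EndpointManager, Service, the hostnames and the IP addresses) is invented, and the sample services are constructed. It walks through the two requests the endpoint manager handles (the opt-in, then the invocation) and the invariant the claim states: once an invoker has opted in, every destination its functions reach must resolve to a non-public address behind the VPC endpoint. It also adds one check the claim does not spell out but a practitioner would want: if the address configured as a service's "private" IP is globally routable, the private path would silently put traffic back on the public internet, so the manager fails closed instead of routing.

```python
"""Toy model of opt-in private-path routing between a function and a service.

Hypothetical example written for this page; not Amazon's code. All names,
hostnames and addresses are invented.
"""
import ipaddress
from dataclasses import dataclass, field

PRIVATE_PATH = "private_path"    # traffic stays inside the provider network
PUBLIC_PATH = "public_internet"  # default: egress to the service's public IP


@dataclass(frozen=True)
class Service:
    """A network-based service reachable both publicly and via a private IP."""
    name: str
    hostname: str
    public_ip: str
    private_ip: str


@dataclass
class EndpointManager:
    """Hypothetical endpoint manager: records opt-ins, decides each route."""
    services: dict                  # hostname -> Service
    opted_in: set = field(default_factory=set)

    def opt_in(self, invoker: str) -> None:
        """First request in the claim: the invoker opts in to the private path."""
        self.opted_in.add(invoker)

    def resolve(self, invoker: str, hostname: str) -> dict:
        """Second request: a function invoked by `invoker` wants `hostname`.

        For an opted-in invoker the answer is the private IP behind the VPC
        endpoint; for anyone else it is the service's public IP.
        """
        svc = self.services[hostname]
        if invoker not in self.opted_in:
            return {"path": PUBLIC_PATH, "dst": svc.public_ip}
        dst = ipaddress.ip_address(svc.private_ip)
        # Added check: a "private" address that is globally routable would leak
        # the communication onto the public internet. Refuse rather than route.
        if dst.is_global:
            raise ValueError(
                f"{hostname}: private_ip {dst} is publicly routable; refusing to route"
            )
        return {"path": PRIVATE_PATH, "dst": str(dst), "via": "vpc_endpoint"}

    def all_private(self, invoker: str, hostnames) -> bool:
        """The claim's invariant: every communication of an opted-in invoker's
        functions stays on the private path. False if any destination is public."""
        return all(self.resolve(invoker, h)["path"] == PRIVATE_PATH for h in hostnames)


# Constructed sample data; the addresses are placeholders, not any provider's.
SAMPLE_SERVICES = {
    "storage.example.internal": Service(
        "storage", "storage.example.internal", "1.2.3.4", "10.0.12.7"),
    "queue.example.internal": Service(
        "queue", "queue.example.internal", "1.2.3.5", "10.0.12.8"),
    # Misconfigured on purpose: its "private" address is a public one.
    "broken.example.internal": Service(
        "broken", "broken.example.internal", "1.2.3.6", "1.2.3.6"),
}


def demo() -> dict:
    """Walk through the claim's two requests for an opted-in and a default invoker."""
    mgr = EndpointManager(services=SAMPLE_SERVICES)
    mgr.opt_in("account-A")  # account-A opts in; account-B never does
    a = mgr.resolve("account-A", "storage.example.internal")
    b = mgr.resolve("account-B", "storage.example.internal")
    try:
        mgr.resolve("account-A", "broken.example.internal")
        leak_detected = False
    except ValueError:
        leak_detected = True
    return {
        "a": a,
        "b": b,
        "leak_detected": leak_detected,
        "a_all_private": mgr.all_private(
            "account-A", ["storage.example.internal", "queue.example.internal"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The model deliberately keys the decision on the invoker rather than on each request, matching the claim's "all communications initiated by the invoked function" wording: a per-request choice would let a single mis-addressed call escape. In a real deployment the corresponding checks are that the service's name resolves, from inside the execution environment, to the endpoint's private address rather than the public one, and that an opted-in environment has no default route to the internet at all.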