Patent classifications
H04L63/0478
TECHNIQUES FOR UPDATING EDGE DEVICES
Techniques discussed herein relate to updating an edge device (e.g., a computing device distinct from and operating remotely with respect to a data center). The edge device can execute a first operating system (OS). A manifest specifying files of a second OS to be provisioned to the edge device may be obtained. One or more data files corresponding to a difference between a first set of data files associated with the first OS and a second set of data files associated with the second OS may be identified. A snapshot of the first OS may be generated and stored in memory of the edge device. The edge device can then be configured with the second OS by modifying the snapshot. The boot order of the edge device may be modified to boot utilizing the second OS.
CLOUD EDGE DEVICE VIRTUALIZATION
Techniques are disclosed for provisioning and managing a virtual edge device that is configured to emulate a physical edge device that executes within an isolated computing environment. The isolated computing environment may be separate from a centralized cloud computing environment that provides a plurality of services for executing customer workloads. In one example, a computer system receives a request to provision a virtual edge device. The computer system identifies a physical computing device to be provisioned as the virtual edge device based on the request. The computer system generates a set of data containers that containerizes a set of services configured to execute subsequent workloads, and then the system provisions the physical computing system with the set of data containers. In response to the customer request, the computer system provides a user interface operable for accessing and managing the virtual edge device.
MIGRATING EDGE DEVICE RESOURCES TO A CLOUD COMPUTING ENVIRONMENT
Techniques are disclosed for migrating one or more services from an edge device to a cloud computing environment. In one example, a migration service receives a request to migrate a first set of services from the edge device to the cloud computing environment. The migration service identifies a hardware profile of a computing device (or devices) of the cloud computing environment that matches the edge device, and then configures the computing device to execute a second set of services that corresponds to the first set of services. The migration service establishes a communication channel between the edge device and the computing device, and then executes a set of migration operations such that the second set of services is configured to execute as the first set of services. The computing device may operate in a virtual bootstrap environment or dedicated region of the cloud computing environment.
VIRTUAL SMART NETWORK INTERFACE CARD FOR EDGE DEVICE
Techniques are described for implementing a virtual smart network interface card to facilitate data transmission in an edge device providing cloud-computing operations. An edge device can implement a private virtual network that includes a private virtual network data plane. The edge device can execute a virtual machine to be connected to the private virtual network. To establish the connection, the edge device can generate a virtual network interface that includes a first endpoint and a second endpoint and is hosted within the private virtual network data plane. The edge device can associate the first endpoint with the virtual machine and associate the second endpoint with an orchestration module of the private virtual network data plane. The virtual machine can then send a data packet to the orchestration module via the virtual network interface.
COMPOSABLE EDGE DEVICE PLATFORMS
Techniques discussed herein relate to providing composable edge devices. In some embodiments, a user request specifying a set of services to be executed at a cloud-computing edge device may be received by a computing device operated by a cloud computing provider. A manifest may be generated in accordance with the user request. The manifest may specify a configuration for the cloud-computing edge device. Another request can be received specifying the same or a different set of services to be executed at another edge device. Another manifest which specifies the configuration for that edge device may be generated and subsequently used to provision the requested set of services on that device. In this manner, manifests can be used to compose the platform to be utilized at any given edge device.
EDGE DEVICE SERVICE ENCLAVES
Techniques are described for implementing a secure enclave within an edge device (e.g., an edge device of a computing cluster of edge devices). In some embodiments, a service enclave comprising a plurality of services can be implemented. The plurality of services can be implemented within respective containers and communicatively connected to one another via a virtual substrate network of the cloud-computing edge device. The virtual substrate network may be dedicated to network traffic between services of the plurality of services. A first service of the enclave may generate and transmit a message to a second service of the enclave for processing. One or more operations may be executed by the second service based on reception of the message.
TECHNIQUES FOR SECURE INTRA-NODE COMMUNICATION BETWEEN EDGE DEVICES
Techniques are described for implementing secure communications between edge devices providing cloud computing services in an edge environment. A computing cluster can include a plurality of cloud-computing edge devices. The computing cluster can implement a distributed control plane for performing operations related to managing cloud infrastructure resources within the computing cluster. The cloud-computing edge devices can be connected to an intra-node switch to form a substrate network. The data related to control plane operations may be transmitted over the substrate from one edge device to another, such that control plane operations can be performed at any suitable edge device in the cluster. The edge devices can use an encryption protocol to encrypt the data transmitted over the substrate network via the intra-node switch.
METHODS AND DEVICES FOR INCREASING ENTROPY OF A BLOCKCHAIN USING BLINDED OUTCOME DIVERSIFICATION
An implementation of the present application provides a computer-implemented method to increase the security of a blockchain-implemented transaction, the transaction including participation from a plurality of participating nodes, each participating node participating as a message originator, selector, and propagator. The method, implemented at a participating node, includes: receiving ciphertext from a prior node and determining whether the participating node is a selector node for said ciphertext received from the prior node. When the participating node is the selector node for said ciphertext, the method includes selecting a subset of said ciphertext, decrypting the selected subset of said ciphertext to provide opted ciphertext and transmitting said opted ciphertext to the next node. When the participating node is other than the selector node for said ciphertext, the method includes decrypting said ciphertext received from the prior node and transmitting the decrypted ciphertext to the next node.
Key generation method and apparatus using double encryption
The disclosure provides a key generation method and apparatus. The key generation method comprises: encrypting a first key factor generated by a first device with an initial key, and sending the encrypted first key factor to a second device through a first secure channel, wherein the initial key is a key preset for the first device and the second device; receiving, through the first secure channel, a second key factor encrypted with the initial key, wherein the second key factor is generated by the second device; decrypting the second key factor encrypted with the initial key and received through the first secure channel, so as to obtain the second key factor; and generating a shared key between the first device and the second device according to the first key factor and the second key factor. According to the disclosed embodiments, a gateway device is unable to acquire the shared key negotiated between the first device and the second device, ensuring the security of data transmitted between them and further reducing the risk of data being illegally captured during transmission.
Device identification encryption
In one example in accordance with the present disclosure, a system may comprise a combination engine to combine an encrypted device identification and a routing indicator, resulting in a combined device identification. The system may also include an encryption engine to encrypt the combined device identification and a transmission engine to transmit the encrypted combined device identification.