Many companies and other organizations operate computer networks that interconnect numerous computing systems to support their operations and the services they provide to their end customers distributed worldwide. For example, data centers housing significant numbers of interconnected computing systems have become commonplace, such as private data centers that are operated by and on behalf of a single organization, and public data centers that are operated by entities as businesses to provide computing resources to customers. In many cases providers set up large networks that may logically span several regions or even countries, and may include numerous data centers with varying levels of services and facilities available, utilized together to provide a unified set of services to their end customers.
In some cases, dedicated private network links, which are sometimes referred to as backbone links, may be set up between a set of major data centers and other sites of a provider network. For example, a set of core services (such as a back-end database for a content distribution service) may be implemented physically at one data center or a small group of data centers, and made accessible to clients of the provider via more numerous remote points of presence (RPOPs) distributed throughout the world. The RPOPs may receive incoming traffic (such as service requests) from client devices over networks external to the provider's private network, i.e., the RPOPs may serve as access points for customers to the provider's private network. The RPOPs may be configured to use the backbone links as needed to communicate back and forth with the core service data centers to respond to client requests. Alternate paths between the RPOPs and the core data centers, such as paths that include links managed by IP transit providers and other third parties, may also be available. Since the backbone links are managed by and for the service provider alone, and are not accessible directly from external networks, the service provider may have finer control over the quality of service of network transmissions over the backbone links. For example, in some cases it may be much faster on average to send messages over the backbone links than over alternate paths, or the variation in message transmission times may be kept lower on the backbone links than on external links generally available to users other than the provider network's own servers.
In many cases, the backbone links may be more expensive than the alternate paths, however. Even though the bandwidth capacity of individual backbone paths may be high, in some cases the maximum bandwidth available over the backbone links may be less than the aggregate bandwidth available over a combination of alternate paths over external networks. The service provider may have to consider the different costs and service characteristics of the backbone links versus the alternate paths while managing the traffic needed to support the services provided to its clients. The task of traffic management may become even more complicated in the presence of network attacks and intrusions, such as distributed denial of service attacks, which can potentially consume large amounts of bandwidth at least temporarily. While devices such as scrubber appliances and other network intrusion detectors may be available to respond to various kinds of network attacks, such devices are often expensive and it may be cost prohibitive to deploy such devices widely.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to.