US Patent 10298720 Client-defined rules in provider network environments

Methods and apparatus that allow clients to specify custom network rules for their resource instances or network constructs in a provider network environment. Services and interfaces may be provided that allow a client to provide an executable module that implements custom rules for their resources, or alternatively to specify or select custom rules for their resources. The module may be installed on a host device, and may apply the custom rules to packets to and from the client's resources. Alternatively, the client-defined rules may be applied to packet flows according to the custom rules specified by the client and applied by a client rules service implemented on the provider network external to the host device or on a client resource instance on the host device. The custom network rules may, for example, extend or modify standard network rules for the client's resources on the host device.