AutoNet: Automatic Reachability Policy Management in Public Cloud Networks

German Sviridov, Zheng Tao Shen, Jorge Cardoso

TL;DR

AutoNet addresses the challenging problem of proactive reachability policy management in public cloud VPCs, where manual configuration is error-prone and difficult to scale. It combines a three-tier network topology abstraction, topology pruning, and configuration quantization with a SAT-based encoding and MaxSAT-driven optimization to generate minimal-change configurations that satisfy high-level intents. The system achieves sub-second response times for medium-to-large deployments and scales linearly with network size, demonstrated on synthetic topologies and a real deployment with hundreds of ECSs. By translating tenant intents into weighted optimization and providing an end-to-end translation to concrete VPC configurations, AutoNet enables automated, cost-aware, and safe policy updates for complex cloud networks.

Abstract

Virtual Private Cloud (VPC) is the main network abstraction technology used in public cloud systems. VPCs are composed of a set of network services that permit the definition of complex network reachability properties among internal and external cloud entities such as tenants' VMs or some generic internet nodes. Although hiding the underlying complexity through a comprehensible abstraction layer, manually enforcing particular reachability intents in VPC networks is still notably error-prone and complex. In this paper, we propose AutoNet, a new model for assisting cloud tenants in managing reachability-based policies in VPC networks. AutoNet is capable of safely generating incremental VPC configurations while satisfying some metric-based high-level intent defined by the tenants. To achieve this goal, we leverage a MaxSAT-based encoding of the network configuration combined with several optimizations to scale to topologies with thousands of nodes. Our results show that the developed system is capable of achieving a sub-second response time for production VPC deployments while still providing fine-grained control over the generated configurations.
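As an added illustration of the minimal-change idea described above (this is not code from the paper or from the AutoNet system), the following toy Python model treats the tenant's reachability and isolation intents as hard clauses and the current configuration as weighted soft clauses, then finds the cheapest satisfying configuration. A brute-force enumeration over all assignments stands in for the MaxSAT solver; the three-subnet topology, the route-table/security-group variable model and the per-change costs are all constructed assumptions.

```python
"""Toy weighted-MaxSAT view of minimal-change reachability policy updates.

Constructed example, not the paper's encoding: a VPC with three subnets,
undirected route-table entries between subnet pairs, and directed
security-group (SG) allow rules. Intents are hard constraints; keeping each
variable at its current value is a soft constraint weighted by change cost.
"""
from itertools import product

SUBNETS = ["web", "app", "db"]          # constructed topology
CHANGE_COST = {"route": 3, "sg": 1}     # assumption: route changes cost more


def variables():
    """Decision variables: ('route', s, t) for each subnet pair (s before t
    in SUBNETS order) and ('sg', dst, src) meaning dst accepts traffic from src."""
    vs = []
    for i, s in enumerate(SUBNETS):
        for t in SUBNETS[i + 1:]:
            vs.append(("route", s, t))
    for s in SUBNETS:
        for t in SUBNETS:
            if s != t:
                vs.append(("sg", t, s))
    return vs


def reachable(cfg, src, dst):
    """src reaches dst iff a route exists between the two subnets and dst's
    security group accepts traffic from src. Same-subnet traffic is local."""
    if src == dst:
        return True
    pair = tuple(sorted((src, dst), key=SUBNETS.index))
    return cfg[("route", *pair)] and cfg[("sg", dst, src)]


def solve(current, must_reach, must_block):
    """Brute-force weighted MaxSAT.

    Hard clauses: every pair in must_reach is reachable and no pair in
    must_block is. Soft clauses: each variable keeps its current value,
    violated at CHANGE_COST. Returns (config, cost) or None if unsatisfiable.
    """
    vs = variables()
    best = None
    for bits in product([False, True], repeat=len(vs)):
        cfg = dict(zip(vs, bits))
        if not all(reachable(cfg, s, d) for s, d in must_reach):
            continue
        if any(reachable(cfg, s, d) for s, d in must_block):
            continue
        cost = sum(CHANGE_COST[v[0]] for v in vs if cfg[v] != current[v])
        if best is None or cost < best[1]:
            best = (cfg, cost)
    return best


def diff(current, new):
    """List the variables whose value changed, with their new value."""
    return sorted((v, new[v]) for v in current if current[v] != new[v])


def example():
    """Fully open VPC; intent: web->app and app->db stay up, web->db is cut.
    Removing the single SG rule (cost 1) beats deleting the route (cost 3)."""
    current = {v: True for v in variables()}
    must_reach = [("web", "app"), ("app", "db")]
    must_block = [("web", "db")]
    cfg, cost = solve(current, must_reach, must_block)
    return diff(current, cfg), cost


if __name__ == "__main__":
    changes, cost = example()
    print(f"minimal change set (cost {cost}): {changes}")
```

The search space here is 2^9 assignments, so enumeration is instant; a real deployment with thousands of nodes is exactly why the paper reaches for topology pruning, quantization and a MaxSAT solver instead. Note also that `solve` returns `None` when the intents contradict each other, which is the case a policy tool must surface to the tenant rather than silently producing a configuration.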

Paper Structure (24 sections, 7 equations, 5 figures, 1 table)

Figures (5)

  • Figure 1: Example of the most common VPC services and their interconnect
  • Figure 2: Scalability of AutoNet for reachability policy enforcement in a random topology for varying number of ECSs
  • Figure 3: Scalability of AutoNet for reachability policy enforcement in a random topology for varying number of subnets and VPCs
  • Figure 4: Running times for the intents in the intents table (Table 1) for synthetic topologies. I4-1 and I4-2 represent the exclusive use of, respectively, EIPs and NAT-GW.
  • Figure 5: Running times for the intents in the intents table (Table 1) for a real VPC deployment.