AutoNet: Automatic Reachability Policy Management in Public Cloud Networks

TL;DR

AutoNet is a system that automates the management of reachability policies in public cloud VPC networks, ensuring high-level tenant intents are safely and efficiently implemented in complex, large-scale environments.

Contribution

AutoNet introduces a MaxSAT-based approach for automatically generating VPC configurations that satisfy tenant-defined reachability intents, scalable to large cloud topologies.

Findings

Achieves sub-second response times for large VPC configurations

Provides fine-grained control over network reachability policies

Successfully scales to thousands of nodes in cloud networks

Abstract

Virtual Private Cloud (VPC) is the main network abstraction technology used in public cloud systems. VPCs are composed of a set of network services that permit the definition of complex network reachability properties among internal and external cloud entities such as tenants' VMs or some generic internet nodes. Although hiding the underlying complexity through a comprehensible abstraction layer, manually enforcing particular reachability intents in VPC networks is still notably error-prone and complex. In this paper, we propose AutoNet, a new model for assisting cloud tenants in managing reachability-based policies in VPC networks. AutoNet is capable of safely generating incremental VPC configurations while satisfying some metric-based high-level intent defined by the tenants. To achieve this goal, we leverage a MaxSAT-based encoding of the network configuration combined with several optimizations to scale to topologies with thousands of nodes. Our results show that the developed system is capable of achieving a sub-second response time for production VPC deployments while still providing fine-grained control over the generated configurations.