Automated Service Function Chaining Across Datacentres


Federated clouds provide the ability to manage and share resources from multiple clouds and combine them into a common distributed infrastructure. A virtual network management system is necessary in the federated cloud environment for setting up a virtual infrastructure, where network services can be deployed and managed across different network platforms and architectures.

Network service functions such as firewalls, load balancers, Deep Packet Inspection (DPI), compression, encryption and others are widely deployed in datacenters. These functions can be deployed both in physical and virtual forms. When deployed in virtual form, they are usually addressed as Virtualized Network Functions (VNF). Most of the datacenter traffic has to be treated by more than one service function. A composition of service functions is referred to as Service Function Chain (SFC). SFC is defined by the datacenter management in a service manifest and is deployed in the datacenter infrastructure. Then, data flows are forwarded through those SFCs according to the network policies.

Architectural Description

Figure 1 presents the architectural view of the use case. There are various network functions deployed in the network. From the perspective of the virtual network user, there is a service in the virtual network and the user is not aware of the specific instances of the service appliances or VNFs deployed in different clouds. The user defines through the global manifest which network services should be traversed by its traffic. For example, in Figure 1, the traffic between DB and application servers should go through firewall (FW). The infrastructure management on its side, is aware of the specific network service appliances or VNF instances, e.g. FW1 and FW2 in Cloud 1 (C1) and Cloud 2 (C2) accordingly, and automatically configures the physical network to forward the traffic through the corresponding service instances.


IBM 1.jpg

The deployment and configuration of SFCs composed from the required VNFs across different clouds is managed by a BEACON Network Manager. This component is responsible for enforcing a coherent global network security policy across the network federation. Figure 2 shows a federated cloud network distributed across two clouds. The global federated network policy is defined in a service manifest, then the VNF and SFC configurations are derived from the global policy and specified for each cloud. Finally, the SFCs are deployed across clouds.

In order to implement the proposed architecture in federated heterogeneous networks, the BEACON Network Manager must coordinate SFC network controllers and classifiers, so they will speak the same language and deploy and control VNFs in an efficient way. The application administrator defines in a Service Manifest the requirements for load balancing and firewall use. Then, the BEACON Network Manager orchestrates the deployment by automatically translating these requirements to the specific cloud network policies, which trigger deployment and configuration of the inbound and outbound SFCs in each cloud separately. The application traffic is then forwarded automatically through the deployed SFCs.


The use case of automated network service function chaining allows the applications deployed in a federated cloud to consume network services efficiently across datacenters. In addition, this use case allows the cloud infrastructure providers that own various types of costly service function equipment to consolidate their equipment and reduce costs. In order to enable automated service functions allocation and provisioning in federated cloud environments, it is necessary to provide mechanisms for efficient coordination of SFC network deployments and VNFs control. This additional orchestration is done by the BEACON Network Manager.