A Scalable VPN Gateway for Multi-Tenant Cloud Services

Published: 27 April 2018

Abstract

Major cloud providers offer networks of virtual machines with private IP addresses as a service on the cloud. To isolate the address spaces of different customers, customers are required to tunnel their traffic to a Virtual Private Network (VPN) gateway, typically a middlebox inside the cloud that internally tunnels each packet to the correct destination. To improve performance, an increasing number of enterprises connect directly to the cloud provider's network at the edge, to a device we call the provider's edge (PE). The PE is a chokepoint for customers' traffic to the cloud, and therefore a natural candidate for implementing network functions that concern customers' virtual networks, including the VPN gateway, avoiding a detour to middleboxes inside the cloud.
At the scale of today's cloud providers, VPN gateways need to maintain information for around a million internal tunnels. We argue that no single commodity device can handle this many tunnels while also providing a high enough port density to connect to hundreds of cloud customers at the edge. In this paper, we therefore propose a hybrid architecture for the PE, consisting of a commodity switch connected to a commodity server that uses the Data Plane Development Kit (DPDK) for fast packet processing. This architecture enables a variety of network functions at the edge by offering the benefits of both hardware and software data planes. We implement a scalable VPN gateway on our proposed PE and show that it matches the scale requirements of today's cloud providers while processing packets close to line rate.

Published In

ACM SIGCOMM Computer Communication Review, Volume 48, Issue 1
January 2018
80 pages
ISSN: 0146-4833
DOI: 10.1145/3211852

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published in SIGCOMM-CCR Volume 48, Issue 1

Author Tags

1. Cloud Provider Edge
2. Middleboxes
3. Virtual Private Network Gateway

Qualifiers

• Research-article

Cited By

• (2024) LuoShen. Proceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation, pp. 877-892. DOI: 10.5555/3691825.3691874. Online publication date: 16-Apr-2024.
• (2024) A Generic High-Performance Architecture for VPN Gateways. Electronics 13(11):2031. DOI: 10.3390/electronics13112031. Online publication date: 23-May-2024.
• (2024) CloudSentry: Two-Stage Heavy Hitter Detection for Cloud-Scale Gateway Overload Protection. IEEE Transactions on Parallel and Distributed Systems 35(4):616-633. DOI: 10.1109/TPDS.2023.3301852. Online publication date: 1-Apr-2024.
• (2024) Edge-Disjoint Tree Allocation for Multi-Tenant Cloud Security in Datacenter Topologies. IEEE/ACM Transactions on Networking 32(4):2858-2874. DOI: 10.1109/TNET.2024.3364173. Online publication date: Aug-2024.
• (2024) MaP. Computer Networks: The International Journal of Computer and Telecommunications Networking 251(C). DOI: 10.1016/j.comnet.2024.110590. Online publication date: 1-Sep-2024.
• (2023) Alleviating the Impact of Abnormal Events Through Multi-Constrained VM Placement. IEEE Transactions on Parallel and Distributed Systems 34(5):1508-1523. DOI: 10.1109/TPDS.2023.3248681. Online publication date: 1-May-2023.
• (2023) CLIP: Accelerating Features Deployment for Programmable Switch. IEEE INFOCOM 2023 - IEEE Conference on Computer Communications, pp. 1-10. DOI: 10.1109/INFOCOM53939.2023.10228857. Online publication date: 17-May-2023.
• (2023) Scalable inter-domain network virtualization. Journal of Network and Computer Applications 218:103701. DOI: 10.1016/j.jnca.2023.103701. Online publication date: Sep-2023.
• (2022) A Robust Service Mapping Scheme for Multi-Tenant Clouds. IEEE/ACM Transactions on Networking 30(3):1146-1161. DOI: 10.1109/TNET.2021.3133293. Online publication date: Jun-2022.
• (2021) Sailfish. Proceedings of the 2021 ACM SIGCOMM 2021 Conference, pp. 194-206. DOI: 10.1145/3452296.3472889. Online publication date: 9-Aug-2021.
