Cloud computing has been experiencing sharp development over the last years, leading to an increased demand for application migration to the cloud. Cloud providers, in an effort to attract more customers and earn their confidence, offer to tenants the illusion of an isolated network, exposing familiar abstractions. At the same time, creating this illusion poses challenging problems for the providers, as one tenant's traffic may interfere with another's in complicated, unpredictable ways.
First, new challenges have arisen in administering access-control rules (ACLs). On the one hand, installing ACLs at the server is incompatible with bare-metal support and introduces unnecessary performance overhead. On the other hand, offloading the most popular ACLs on the limited hardware memory in Top-of-Rack (ToR) switches should not be conducted naïvely, as the existence of wildcard rules presents inter-rule dependencies that must be respected.
Second, tenants' demands have evolved beyond requesting hardware resources; for instance, tenants may require bandwidth provisions between their resources or optimized access to a specific cloud service, e.g., a Mail server or a Database. Cloud providers have not adequately adapted to these expanding demands, therefore elevating hardware resources to "first class citizens," as non-hardware constraints are not considered during resource allocation, instead they are applied afterwards.
In this thesis we propose two architectures that facilitate cloud providers in managing their shared network resources in a flexible way. First, we demonstrate virtual flow tables, a ToR architecture that handles ACLs using a two-level memory hierarchy. The most popular ACLs are stored in the limited hardware memory, respecting any dependencies between wildcard rules, while the ToR's supervisor engine maintains access to the entire ACL rule-set. Second, we present a two-tiered architecture for scheduling cloud resources, consisting of a resource-agnostic scheduling layer and a resource-specific enforcement layer. Network resources and constraints are taken into consideration during resource scheduling, instead of afterwards, while resource provisioning, as well as general network-management policies, are delegated to the resource-specific tier.EPFL