Abstract
This paper shows how to properly achieve elasticity for network firewalls deployed in a cloud environment. Elasticity is the ability to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible. Elasticity for cloud-based firewalls aims to satisfy an agreed-upon performance measure using only the minimal number of cloud firewall instances. Our contribution lies in determining the number of firewall instances that should be dynamically adjusted in accordance with the incoming traffic load and the targeted rules within the firewall rulebase. To do so, we develop an analytical model based on the principles of Markov chains and queueing theory. The model captures the behavior of a cloud-based firewall service comprising a load balancer and a variable number of virtual firewalls. From the analytical model, we then derive closed-form formulas to determine the minimal number of virtual firewalls required to meet the response time specified in the service level agreement. The model takes as input key system parameters including workload, processing capacity of the load balancer and virtual machines, as well as the depth of the targeted firewall rules. We validate our model using discrete-event simulation and real-world experiments conducted on the Amazon Web Services cloud. We also provide numerical examples to show how our model can be used in practice by cloud performance/security engineers to achieve proper elasticity under fluctuating traffic load and variable depth of targeted firewall rules.
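The abstract describes the shape of the problem (a load balancer in front of N virtual firewalls, a response-time SLA, and a service time that grows with the depth of the matching rule) but not the paper's own formulas. The following is an added illustration, not the authors' model: it assumes the load balancer and each virtual firewall behave as M/M/1 queues, that the balancer splits traffic evenly, and that rule matching is a linear search (fixed overhead plus a per-rule cost times the depth of the targeted rule). Under those assumptions the minimal N has a closed form, which the code cross-checks against a brute-force search. All function names, parameter names and the numeric values are constructed for this example.

```python
import math


def lb_response_time(lam, mu_lb):
    """Mean sojourn time at the load balancer, modelled as an M/M/1 queue.
    lam = arrival rate (req/s), mu_lb = balancer service rate (req/s).
    Returns infinity when the balancer itself is saturated (lam >= mu_lb)."""
    if lam >= mu_lb:
        return math.inf
    return 1.0 / (mu_lb - lam)


def firewall_service_rate(depth, t_fixed, t_per_rule):
    """Service rate (req/s) of one virtual firewall when the matching rule sits
    at position `depth` in the rulebase.  Assumes a linear search, so the mean
    service time is a fixed overhead plus depth * per-rule comparison cost."""
    return 1.0 / (t_fixed + depth * t_per_rule)


def total_response_time(lam, mu_lb, mu_fw, n):
    """Mean end-to-end response time with n identical firewall VMs, each an
    M/M/1 queue receiving lam/n of the traffic.  Infinity if any VM saturates."""
    t_lb = lb_response_time(lam, mu_lb)
    per_vm = lam / n
    if per_vm >= mu_fw:
        return math.inf
    return t_lb + 1.0 / (mu_fw - per_vm)


def min_firewalls_closed_form(lam, mu_lb, mu_fw, t_sla):
    """Smallest n with total_response_time <= t_sla, solved algebraically:
        t_lb + 1/(mu_fw - lam/n) <= t_sla
    =>  n >= lam / (mu_fw - 1/(t_sla - t_lb))
    Returns None when no finite n can meet the SLA (balancer saturated, SLA
    already consumed by the balancer, or a single VM's service time alone
    exceeds the remaining budget even with no queueing)."""
    t_lb = lb_response_time(lam, mu_lb)
    t_rem = t_sla - t_lb
    if t_rem <= 0 or mu_fw <= 1.0 / t_rem:
        return None
    return max(1, math.ceil(lam / (mu_fw - 1.0 / t_rem)))


def min_firewalls_by_search(lam, mu_lb, mu_fw, t_sla, n_max=10000):
    """Brute-force check of the closed form: try n = 1, 2, ... until the SLA holds."""
    for n in range(1, n_max + 1):
        if total_response_time(lam, mu_lb, mu_fw, n) <= t_sla:
            return n
    return None


def scaling_plan(loads, mu_lb, mu_fw, t_sla):
    """Elasticity over a constructed sequence of traffic samples: the number of
    VMs to keep provisioned at each sample (None marks an unmeetable SLA)."""
    return [min_firewalls_closed_form(lam, mu_lb, mu_fw, t_sla) for lam in loads]


if __name__ == "__main__":
    # Constructed parameters: 2000 req/s balancer, 0.5 ms fixed firewall cost,
    # 5 us per rule compared, 5 ms SLA on mean response time.
    MU_LB, T_FIXED, T_PER_RULE, T_SLA = 2000.0, 0.0005, 0.000005, 0.005
    for depth in (100, 500):
        mu_fw = firewall_service_rate(depth, T_FIXED, T_PER_RULE)
        n = min_firewalls_closed_form(800.0, MU_LB, mu_fw, T_SLA)
        print(f"depth={depth:4d}  mu_fw={mu_fw:7.1f} req/s  "
              f"min VMs={n}  R={total_response_time(800.0, MU_LB, mu_fw, n)*1e3:.2f} ms")
    # Fluctuating load at rule depth 500: watch the VM count track the traffic.
    mu_fw = firewall_service_rate(500, T_FIXED, T_PER_RULE)
    print(scaling_plan([100.0, 400.0, 800.0, 1200.0, 300.0], MU_LB, mu_fw, T_SLA))
```

The closed form is the quantity a controller would evaluate on each traffic sample; the search exists only to confirm it. Note the two ways the SLA becomes unmeetable: the balancer saturating (which no number of firewall VMs fixes) and a rule depth so large that one VM's bare service time exceeds the budget left after the balancer, which is why rule depth, not just traffic volume, must be an input to the scaling decision.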
Field | Value
---|---
Original language | British English
Article number | 7784827
Pages (from-to) | 136-146
Number of pages | 11
Journal | IEEE Transactions on Network and Service Management
Volume | 14
Issue number | 1
DOIs |
State | Published - Mar 2017
Keywords
- Cloud computing
- cloud firewalls
- elasticity
- firewalls
- resource management
- scalability