How Flow‑Based SDN Probes Transform Cloud Network Visibility and Security

Background Introduction

Providing a high‑quality SLA for a cloud is difficult; this article focuses on using Flow technology to achieve network virtualization, visualization, improve operational efficiency, and solve internal cloud network security issues.

Three Major Challenges of Business Cloud

Scale: clouds often span 100‑200 racks.

VTEP endpoints: performance and management issues on server/Tor switches.

Complex traffic models: determining layer‑2 vs layer‑3 communication.

Designing cloud networks must consider both production and monitoring networks.

Monitoring network core is an analysis platform that collects flow packets via probes and feeds them to analysis clusters; deployment difficulty varies by probe location.

North‑south traffic splitting is relatively easy.

Access‑layer mirroring is hard due to lack of pre‑reserved interfaces and potential service disruption.

Mirroring on Open vSwitch impacts tenant performance.

Probes should be non‑intrusive, open‑source, and lightweight.

Design Philosophy of Cloud Network Analysis

1. Cloud Network Analysis Requirements

Visualization: show virtual and physical topologies, map tenant traffic to physical switches, enable historical replay and instant anomaly display.

Scalability: elastic, open architecture that integrates with existing analysis tools without custom development.

Fast Root‑Cause Identification: clearly separate business and operations boundaries to quickly pinpoint issues.

Intelligence: automated reporting, ability to handle tens of thousands of IPs, detect subtle malicious behaviors, and support DPI‑linked analytics.

2. Technical Selection

Probe choice (sFlow, NetFlow/IPFIX, mirroring) based on speed of fault localization.

Data storage capable of handling massive east‑west traffic before forwarding to back‑end analysis.

Support for existing analysis tools to avoid forcing customers to rewrite plugins.

Cloud awareness: correlate virtual resource migration with traffic to identify root causes.

Flow is chosen for its lightweight nature (few hundred bytes per flow), suitability for behavior analysis, and privacy preservation by avoiding payload inspection.

Software‑Defined Probe

Using SDN, intelligent probes (Traffic Intelligence) are deployed in the production network; Flow data is collected, cached, correlated, and ultimately visualized.

Collected data is stored in Elasticsearch and exposed via a RESTful API, allowing users or partners to build applications on top of the analysis results.

Example: analysis of several months of Flow data from a Shanghai client identified 22 attack patterns. A low‑volume attack was detected where traffic only flowed in one direction, indicating a network attack, while normal traffic showed balanced flows.

The platform can detect both high‑volume DDoS attacks and low‑volume malicious scans, demonstrating the value of Flow‑based analysis in large cloud environments.