This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TNSM.2014.2362357, IEEE Transactions on Network and Service Management

Abstract—Clouds and CDNs are systems that tend to separate the content being requested by users from the physical servers capable of serving it. From the network point of view, monitoring and optimizing performance for the traffic they generate is a challenging task, since the same resource can be located in multiple places, which can in turn change at any time. The first step in understanding Cloud and CDN systems is thus the engineering of a monitoring platform. In this paper, we propose a novel solution that combines passive and active measurements, and whose workflow has been tailored to specifically characterize the traffic generated by Cloud and CDN infrastructures.

We validate our platform by performing a longitudinal characterization of the very well known Cloud and CDN infrastructure provider Amazon Web Services (AWS). By observing the traffic generated by more than 50,000 Internet users of an Italian ISP, we explore the EC2, S3 and CloudFront AWS services, unveiling their infrastructure, the pervasiveness of the web-services they host, and their traffic allocation policies as seen from our vantage points. Most importantly, we observe their evolution over a two-year-long period.

The solution provided in this paper can be of interest for i) developers aiming at building measurement tools for Cloud Infrastructure Providers, ii) developers interested in failure and anomaly detection systems, and iii) third-party SLA certificators who can design systems to independently monitor performance. Finally, we believe the results about AWS presented in this paper are interesting as they are among the first to unveil properties of AWS as seen from the operator point of view.

I. INTRODUCTION

Recent years have witnessed the growth of Cloud infrastructures that provide computing, storage and offloading capabilities on remote datacenters, offering companies the opportunity to run their web-services at very competitive costs. Following the definitions provided in [1], Infrastructure Providers (IP) offer the "iron", i.e., the hardware infrastructure, while Infrastructure as a Service (IaaS) products represent the virtualization technology needed to exploit such hardware. In other words, through virtualization, a large set of computing resources, such as storage and processing capacity, can be split, assigned, and dynamically sized to satisfy customers' demand. Customers, or tenants, are companies that offer their web-services without bearing the costs and risks of building and managing their own physical infrastructure. Popular companies such as Dropbox and Netflix successfully rely on IaaSes to provide their web-services.

Content Delivery Networks (CDNs) represent another critical service of the contemporary Internet, and are responsible for moving large shares of traffic, served by thousands of datacenters, to end-users scattered worldwide [2]. A particular feature Clouds and CDNs have in common is that, from the network point of view, they both separate the web-service or content from the actual server serving it. This dramatically complicates the task of monitoring the web-services and the quality they provide. For instance, in the case of a CDN, the originating server offering a given content can delegate its distribution to surrogate servers, or caches. Similarly, in Clouds the separation between the content and the server generating it is brought about by the virtualization layer. In addition, virtual servers are often hidden behind front-end servers, e.g., load balancers. This leads to a tangle that is very hard to understand.

Given the penetration of Cloud- and CDN-based web-services, it is crucial to continuously monitor these systems. In this paper we address the problem of shedding light on Cloud and CDN infrastructures. We provide guidelines to build a distributed measurement platform that leverages passive and active measurements, continuously or on-demand, at a wide variety of scales, and that is specifically tailored to i) appraise the distributed infrastructure of Clouds and CDNs, and ii) assess and characterize the web-services relying on them.

Despite the prominent relevance of Clouds and CDNs in today's Internet, practically no study has focused on building a comprehensive measurement framework to monitor them from the perspective of an Internet Service Provider (ISP). The measurement platforms proposed in recent years, such as PerfSONAR [3] and RIPE Atlas [4], are broad and not flexible enough to be adapted to monitor exclusively Clouds and CDNs. Other solutions, such as CloudCmp [5] and C-Mart [6], focus on comparing the performance of different Cloud providers by running benchmarks. Cloud providers often offer APIs (e.g., Amazon CloudWatch, http://aws.amazon.com/cloudwatch/) to provide a detailed view on the Cloud's internal state (e.g., per-instance CPU utilization, disk read/write rates, etc.). The measurement platform we design in this paper complements existing monitoring approaches, adding a detailed user-side perspective on the network traffic generated by the web-services running on the Cloud or CDN. Moreover, differently from in-IaaS performance evaluation frameworks, our platform can answer other kinds of questions: how much traffic does a Cloud/CDN generate? What kind of web-services does it run? How well do the web-services perform in terms of QoS? How geo-diverse is their deployment? Are there problems due to the network, to the datacenter, or to a particular virtual instance? How do Cloud and CDN infrastructures evolve over time? To answer these questions, one has to i) properly identify which web-services run on the targeted IaaS, ii) locate the datacenters, and iii) define proper measurement indexes.

Answering such questions constitutes a big challenge, and measurements are the first step to shed light on the obscure functioning of Clouds and CDNs, and to open the possibility of better design and management.

We instantiate the general measurement framework envisioned by the mPlane project [7], [8] to specifically monitor Cloud/CDN-based web-services. First, we present how we adapt the mPlane components and workflow for this specific monitoring task. Second, we detail the metrics and the methodologies we adopt to evaluate the performance, the QoS and the network cost of web-services relying on Cloud and CDN systems. Third, we describe how the whole measurement process can be made automatic at every step, from the collection of passive traffic measurements to the presentation of results.

We validate our measurement platform by characterizing Amazon Web Services (AWS), the leading Cloud Infrastructure Provider. AWS includes a complete range of IaaS products. The most well-known are Elastic Compute Cloud (EC2, http://aws.amazon.com/ec2/), which provides resizable compute capacity in the Cloud by means of virtualized servers, and Simple Storage Service (S3, http://aws.amazon.com/s3/), which offers a service to store/retrieve files into/from the Cloud. Less known, AWS integrates a CDN, named CloudFront (http://aws.amazon.com/cloudfront/), to distribute content to end-users with low latency and high data transfer speeds. Our analysis relies on network traffic collected from our University campus and from three large Points of Presence (PoPs) of an Italian country-wide ISP. In total we observed the traffic of more than 50,000 users over a two-year-long period. We dig into various time portions of our dataset, first to analyze the evolution of AWS over time, revealing, e.g., the number of datacenters (datacenters are named Availability Zones in AWS terminology; we use both terms interchangeably in the remainder of the paper), their locations, and their performance as perceived by the ISP customers. Second, we investigate several popular Cloud/CDN-based web-services that run on AWS to show their dynamics and how they perform with respect to the overall performance of the datacenters they rely on.

A. Our Contributions

In a nutshell, the contributions of this paper can be summarized as follows:

• We provide guidelines to design and engineer a platform to passively and actively monitor Cloud and CDN infrastructures in a continuous manner.

• We present and exploit novel active measurement techniques (e.g., HTTP-knocking) to overcome the separation between web-services and servers that is caused by virtualization in Clouds and by surrogate caches in CDNs. Identifying the physical servers hosting given web-services is indeed a crucial task when investigating the traffic generated by Clouds and CDNs.

• We validate the platform by running a comprehensive analysis of Amazon Web Services. Among the main observations we obtain from this analysis: i) some AWS datacenters have notably improved their performance between 2012 and 2013; ii) most tenants tend to concentrate their web-services in a single datacenter, thus increasing the latency experienced by farther end-users, and possibly the cost for the network.

B. Possible Use-cases

The measurement platform for Cloud and CDN traffic we propose in this paper may be useful to a variety of IT figures: i) Researchers are interested in understanding how Clouds and CDNs work, how they perform, and how their design can be improved. ii) Tenants need a (preferably third-party) assessment of performance to make informed decisions when choosing the best IaaS on the market to roll out their web-service; once deployed, they need to verify the Service Level Agreement (SLA) they subscribed to, possibly from the user-side perspective, e.g., evaluating the reactiveness and reliability of the virtual instances hosting their web-services, or the goodput of the CDN caches serving their contents. Moreover, they need tools to accelerate the QoS troubleshooting process, and to capture the root cause behind a QoS degradation (which may also reside outside the Cloud/CDN, i.e., in the network or in the client). iii) ISPs can exploit measurements to optimize their networks for specific web-services their customers are interested in, and even offer a third-party cross-Cloud-provider monitoring service to tenants interested in understanding how their web-services perform from the point of view of the end-users. iv) Finally, end-users can be offered automatic failure and anomaly detection systems, which so far rely on community reports [9] or active measurements [10].

The rest of this paper is organized as follows: Sec. II presents the measurement architecture and its components. In Secs. III, IV-A and IV-B we describe the methodology, the techniques and the metrics, respectively, that we design specifically for the analysis of Cloud and CDN traffic. Sec. IV-C overviews the data collection procedure and the datasets we employ for this study. In Sec. V we present the measurement results about the AWS infrastructure and the web-services running on it. Sec. VI presents the performance results. Finally, Sec. VII summarizes the related work, and Sec. VIII concludes the paper.

II. MEASUREMENT ARCHITECTURE

In this section we first provide a high-level overview of the distributed measurement architecture proposed by the mPlane project (more details on the generic infrastructure are available in [7], [8]). Then, we describe how we implement and deploy the mPlane components for this study.

The research leading to these results has received funding from the European Union under the FP7 Grant Agreement n. 318627 (Integrated Project "mPlane") and from the BigData@Polito project.

1932-4537 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Figure 1: The mPlane measurement architecture and its components (left-hand side of the figure): probes continuously collect traffic measurements, which are periodically exported to the repository (red arrows). The repository consolidates, filters and aggregates the measurements for further analysis. The Supervisor orchestrates the other components, instrumenting the probes to launch active measurements and the repository to launch further data processing (dotted blue arrows). The right-hand side of the figure reports the monitoring workflow (black arrows refer to interactions among different components): 1) passive probes collect traffic measurements and export them to the repository, 2) the Supervisor instruments the repository to filter the Cloud/CDN traffic we are interested in, 3) active measurements are run to augment the information collected by passive probes, 4) aggregate measures, performance indexes, server locations, etc. are computed, and 5) the Supervisor launches sophisticated algorithms with different high-level aims.
compute index distributions and produce aggregated time-series.

3) Supervisor: since we do not employ any advanced analysis for this study, the Supervisor's main task consists of instrumenting the probes to run passive and active measurements, and the repository to periodically download the measurement data.

III. ANALYSIS METHODOLOGY FOR CLOUD AND CDN TRAFFIC

In our design, we follow the principle of preferentially exploiting passive measurements, and limiting active measurements as much as possible. The major benefit of exploiting passive measurements is that they do not alter the working point of the system, which faces only the actual workload generated by users. As such, they allow us to characterize the actual performance of web-services being accessed by regular customers.

A. Background

We face several challenges when passively monitoring Clouds and CDNs: the separation between web-service (or content) and server, and the wide variety of applications, make it hard to identify which web-service end-users access, and in which datacenter the server hosting the web-service resides. Indeed, in Clouds and CDNs, virtualization, load-balancing and migration techniques do not allow one to simply rely on information collected from the Network Layer to identify the web-service, i.e., the server IP address and the name of the organization that officially registered it often give very limited information on what is being served. For instance, different web-services can share the same IP address, e.g., as done by CDNs. In addition, the increasing adoption of TLS/SSL encryption by content providers [2] makes the classic Deep Packet Inspection (DPI) approach ineffective.

Consider the same server hosting www.acmegame.com and www.acmeshop.com; both are delivered only via HTTPS, and run on the AcmeCloud infrastructure. Via passive monitoring, the only useful information that can be obtained is related to the IP addresses of the instances hosting them; supposing the IP addresses are officially registered to AcmeCloud, we can discover that both are handled by AcmeCloud. However, we cannot infer any indication about the web-service just by looking at information from the Network and Transport Layers.

Similarly, identifying which datacenter is being used, and its location, is not trivial. This information is important to understand eventual performance issues, e.g., high latency due to the distance between the user and the datacenter. Indeed, it is well known that most publicly available geolocation databases are not reliable when querying information about Cloud or CDN providers [12]. Furthermore, this information often becomes outdated given the constant evolution of Cloud infrastructures.

All these observations make the monitoring of traffic generated by Cloud and CDN systems a complicated task. In the following we describe the techniques we engineer to overcome such hurdles, and how we embed them in the measurement platform described in Sec. II-B.

B. The Measurement Workflow

In Fig. 1 we depict the steps which compose our monitoring workflow. Each operation is mapped to the proper measurement component.

Step 1 - Passive monitoring (Tstat + DN-Hunter): Passive Tstat probes provide the continuous collection of traffic logs. This data constitutes the basic brick for our analysis. To identify the content retrieved by end-users from a server belonging to a certain organization, we exploit a Tstat extension named DN-Hunter [13]. It snoops the DNS responses obtained by clients when resolving hostnames into IP addresses, and then uses this information to annotate TCP/UDP flows with the original server hostname. Following the example described above, an end-user's client accessing www.acmegame.com first has to resolve the server hostname into a list of IP addresses by contacting the DNS resolver. Then, the client contacts one of the returned IP addresses to fetch the actual content. DN-Hunter records all DNS responses, and then associates the server hostname to the TCP flows originated by the same client and directed to one of the server IP addresses returned in a given response, i.e., it associates www.acmegame.com to the observed TCP flow. This key feature allows us to gather information about the original web-service name contacted by clients. Details on DN-Hunter are out of the scope of this paper, and can be found in [13].

Step 2 - Target service filtering: The definition of the set of Clouds or CDNs to consider for the analysis is given by the analyst through the Supervisor. This set is used to filter the raw data. In our validation, we preserve only those flows whose server IP addresses are registered to Amazon according to the MaxMind database (http://www.maxmind.com/en/organization). The output is a subset of the Tstat logs, where only traffic related to the targeted organizations is present.

Step 3 - Augmenting information by active probes: We next augment the information about servers and infrastructure by means of active measurements. This operation is executed by active probes, marked with "A" in Fig. 1, installed within the monitored network to guarantee that no bias is introduced into the results. In parallel, and for each discovered server IP address, active probes i) execute the HTTP-knocking (probes perform an HTTP HEAD request to the server, and the Server field of the HTTP response is inspected to classify the hosted IaaS product; for instance, AmazonS3 or CloudFront is returned for AWS S3 and CloudFront servers, respectively), ii) perform a DNS reverse lookup to retrieve the "Type-A" record [14], i.e., the original name of the IP address as registered by the targeted organization, and iii) run traceroute to retrieve network path information, such as the number of traversed hops or autonomous systems. We can also plug in extra modules to retrieve additional information.

Step 4 - Geolocation and performance collection: The repository runs a geolocation routine to identify the server's physical location. The geolocation of IP addresses is a well-known problem. Common public databases, such as RIPE [4], ARIN [15] or MaxMind, are not reliable when seeking information about the physical location of CDN edge servers and
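To make the Step 1 association concrete, the following sketch captures the essence of DN-Hunter's DNS-to-flow annotation. Class and method names are ours for illustration, not the actual Tstat/DN-Hunter code; a real implementation would also handle TTL expiry and overlapping responses.

```python
# Hypothetical sketch of DN-Hunter's DNS-to-flow association.
# Names and data structures are illustrative, not the real Tstat code.
class DnsFlowAnnotator:
    """Remembers DNS answers per client, then labels later TCP flows."""

    def __init__(self):
        # (client_ip, server_ip) -> hostname most recently resolved to server_ip
        self._cache = {}

    def on_dns_response(self, client_ip, hostname, answer_ips):
        # A client resolved `hostname`; remember every returned address.
        for ip in answer_ips:
            self._cache[(client_ip, ip)] = hostname

    def annotate_flow(self, client_ip, server_ip):
        # Annotate a TCP flow with the hostname the same client resolved,
        # if a DNS response was previously observed for this pair.
        return self._cache.get((client_ip, server_ip))

ann = DnsFlowAnnotator()
ann.on_dns_response("10.0.0.1", "www.acmegame.com",
                    ["93.184.216.34", "93.184.216.35"])
print(ann.annotate_flow("10.0.0.1", "93.184.216.34"))  # -> www.acmegame.com
print(ann.annotate_flow("10.0.0.2", "93.184.216.34"))  # -> None (other client)
```

Keying the cache on the (client, server) pair is what lets the same server IP address carry different labels for different clients, which is exactly the property needed when many web-services share one address.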
∆Rd = TResponse − TAck.    (1)

9 Notice that the probe measures the timestamps at vantage points close to the users. Therefore, for some metric X (such as RTTCS) we can only gauge its estimated measure X̂.

10 ... in one TCP segment, to avoid the bias introduced by multiple-segment requests.

11 Observe that installing the probes in PoPs on the path between users' access networks and the servers allows us to gauge estimates of the round-trip time RTTCS and the number of hops ASCS that exclude the eventual noise introduced by the access network (see Fig. 2). For instance, we filter out extra delays introduced by lossy WiFi or ADSL channels.
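Given per-flow packet timestamps extracted at the probe, the delay of Eq. (1) reduces to a timestamp difference. The sketch below is illustrative only; the function name and the millisecond conversion are our assumptions.

```python
# Illustrative computation of the response delay of Eq. (1): the time
# between the ACK that closes the client's request and the first segment
# of the server's response, as seen at the passive probe.
def response_delay(t_ack: float, t_response: float) -> float:
    """Return the response delay in milliseconds (timestamps in seconds)."""
    if t_response < t_ack:
        raise ValueError("response observed before the request's ACK")
    return (t_response - t_ack) * 1000.0

# e.g., ACK at t=12.3400 s, first response segment at t=12.4275 s
print(response_delay(12.3400, 12.4275))  # -> roughly 87.5 (ms)
```

As footnote 9 stresses, the probe sits close to the users, so values obtained this way are estimates of the server-side metric, not exact measures.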
1932-4537 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TNSM.2014.2362357, IEEE Transactions on Network and Service Management
6
βRTT and βkm represent good indices to understand how large the distance is that packets have to travel before reaching their destination. As the RTT increases linearly with the physical distance between clients and servers [18], we expect the two to be tightly related. Instead, βAS allows us to roughly understand how large (in terms of hops) the distance traveled before reaching the Cloud provider's network (AWS in our case) is, or, conversely, how many Autonomous Systems the content has to pass through before it is delivered (the number of traversed ASes is obtained by running a traceroute from the probes and checking the AS of the returned routers; for the number of hops we simply count the number of traversed routers).

For the sake of simplicity, we employ βRTT and βAS in our characterization of Amazon AWS.

C. Datasets

For this study, we rely on a measurement layer composed of three passive probes installed in the operational network of an Italian nation-wide ISP. One further probe was installed in Politecnico's campus network. In the following we present a study of a snapshot of the measurements that form a "static" dataset.

Our dataset consists of traffic measurements collected from March 2012 to September 2013, observing end-users normally accessing the Internet. In the following, we restrict our analysis to traffic collected during two entire weeks: 1st to 7th April 2012 (1Week-2012), and 10th to 16th June 2013 (1Week-2013). We complement these one-week-long traces with a longer one, namely 3Months-2013, which spans a period of three months, from April to June 2013, during which we consider one day per week. Table I summarizes the details of the considered traces.

Trace         Period             Observed Days  Connections
1Week-2012    01/04/12-07/04/12  7 days         7.02 M
1Week-2013    10/06/13-16/06/13  7 days         12.2 M
3Months-2013  01/04/13-26/06/13  12 days        21.6 M

Table I: Measurement traces considered in this study.

In order to minimize the bias due to changes in the measurement scenario, we present results collected from the same vantage point, i.e., one of our three ISP probes, where more than 16,000 users are present. Results from other vantage points show identical characteristics, so the findings we present are general and not biased by the observation point. We acknowledge that some of the results in this paper reflect the point of view of a single ISP. Naturally, we expect that some observations may change if we analyze traffic in another ISP or geographical region.

V. CHARACTERIZATION OF AWS

As explained in Sec. III, we parse the server hostname and the HTTP response to an HTTP-knocking test to extract information about the IaaS product and the geolocation of servers. Our measurements show that EC2, CloudFront and S3 servers use different ranges of IP addresses, thus easing their identification. Furthermore, IP addresses are statically assigned for S3 and CloudFront servers. As such, we can easily split traffic among EC2, S3 and CloudFront.

Considering server geolocation, standard International Air Transport Association (IATA) airport location identifiers are used in the Type-A records of AWS servers; e.g., for CloudFront the Type-A name is of the form server-a-b-c-d.AIR.r.cloudfront.net, where AIR is the IATA code of the nearest large airport. We verify their accuracy with the multilateration technique described in [17]. This notably simplifies the geolocation operation in our processing. In the remainder of this paper, we use IATA codes to identify datacenters instead of the conventional names of AWS Availability Zones.

Next, we present a high-level characterization of the traffic and workload AWS generates. For each day in the 3Months-2013 trace, we compute the volume of data (in bytes) exchanged with AWS servers and the fraction of customers that contacted at least one AWS service, i.e., the penetration index of AWS.

Figure 3: Evolution over time of different diffusion indexes for EC2, S3 and CloudFront services in the 3Months-2013 trace: (a) exchanged data volume; (b) penetration index.

The plots of Fig. 3 report our results. Interestingly, both plots show that the footprint of AWS is rather stable in time, indicating that the growth rate of EC2, S3 and CloudFront is quite marginal over the considered period: on a daily basis, about 60% of end-users access some EC2-hosted web-service, exchanging about 50GB of traffic. S3 comes second, with approximately 25% of end-users directly accessing S3 services, and exchanging a volume of about 35GB per day. Scaling this to the total number of ISP customers, EC2 and S3 generate about 10TB of daily traffic, corresponding to about 3% of total web traffic.
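The two classification steps recalled above, the HTTP-knocking test and the IATA-code extraction from CloudFront Type-A names, can be sketched as follows. This is an illustrative approximation: the function names and the exact parsing pattern are our assumptions; only the HEAD request, the Server-header values, and the server-a-b-c-d.AIR.r.cloudfront.net name form come from the text.

```python
# Hedged sketch of the HTTP-knocking test and the IATA-code extraction.
# Function names and the hostname regex are our assumptions.
import re
from http.client import HTTPConnection
from typing import Optional

def http_knock(ip: str, timeout: float = 5.0) -> Optional[str]:
    """Issue an HTTP HEAD request and return the Server response header.

    For AWS, the text reports 'AmazonS3' for S3 servers and 'CloudFront'
    for CloudFront caches.
    """
    conn = HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()

def iata_from_cloudfront_name(hostname: str) -> Optional[str]:
    """Extract the IATA airport code from a Type-A name such as
    server-a-b-c-d.AIR.r.cloudfront.net (AIR = 3-letter code, possibly
    followed by a numeric suffix in practice)."""
    m = re.match(r"[^.]+\.([a-z]{3})\d*\.r\.cloudfront\.net$", hostname.lower())
    return m.group(1).upper() if m else None

print(iata_from_cloudfront_name("server-1-2-3-4.mxp50.r.cloudfront.net"))  # -> MXP
```

Since http_knock requires network access to a live server, only the name-parsing half is exercised in the example above.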
Figure 4: Flow information for EC2, S3 and CloudFront services, 1Week-2013 trace: (a) evolution over time of the number of flows; (b) distribution of the flow size.

Figure 5: Distributions of the minimum RTT measured in our EC2 datasets for different datacenters (DUB, IAD, NRT, SIN, SEA, SJC): (a) 2012; (b) 2013.

Even if we expect CloudFront and S3 to handle large files, EC2 is the service with the largest footprint. To better show this, the top plot in Fig. 4a presents the evolution over time of the number of flows for EC2, S3 and CloudFront. Fig. 4b instead details the Cumulative Distribution Function (CDF) of the flow size. As shown, the numbers of flows handled by S3 and CloudFront are one and two orders of magnitude lower than EC2, but they carry larger payloads than EC2 (the average amounts of data are 39kB, 257kB and 383kB for EC2, S3 and CloudFront, respectively).

Further, around 50% of CloudFront flows have a size smaller than 10kB, most probably being CSS or JavaScript files employed for the rendering of web-pages. The 20% of flows with a size larger than 100kB carry binary data, e.g., Flash objects or images. Differences between the sizes of contents served by different caches are negligible. S3 flows show in general the same size distribution as CloudFront flows. The average size of contents distributed by CloudFront and S3 is 78kB for both. EC2 flows are smaller in general, 60% of them being less than 1kB. These could carry small XML files or JSON messages directed to APIs. For these flows, the TCP three-way-handshake and tear-down procedures last longer than the data transfer itself.

Summary 1: CloudFront and S3 host contents of larger size with respect to EC2. However, given the popularity of web-services relying on EC2, the overall amount of traffic EC2 generates is larger than that of S3 and CloudFront.

We now focus on the spatial allocation of traffic and resources among different AWS datacenters. We detail the traffic they generate, the number of web-services they host, and the costs for the network. We consider both the 1Week-2012 and 1Week-2013 traces.

A. EC2 and S3

Tables II and III report information about EC2 and S3 in 2012 and 2013, respectively. Each row in the table represents traffic exchanged with a different datacenter, which we identify by its IATA code. For each of them, we detail the number of observed server IP addresses, the shares of traffic, the share of hosted web-services (we identify a web-service by the domain name of the hosting server returned by DN-Hunter), and the network costs βRTT and βAS. To ease the visualization, we highlight the most significant information in bold.

Several observations hold. First, the number of server IP addresses for EC2 is much larger than for S3 and CloudFront. This is due to the nature of EC2 itself, which allocates independent EC2 instances, each one, in general, equipped with a different public IP address. For S3, the same server can deliver different contents by using different URIs; allocating multiple IP addresses is thus useless in this case.

Second, the datacenters located in Virginia (IAD) and Ireland (DUB) are the most used from the perspective of an ISP located in Italy. We highlight in bold the most notable statistics about these two datacenters. California (SJC) comes third, handling about 8% and 7% of EC2 web-services in 2012 and 2013, respectively, but less than 2% of traffic.

The number of server IP addresses we observe in 2012 and 2013 (for both EC2 and S3) highlights that AWS resources have doubled in one year. Clearly, this has performance implications, as we will show later.

Interestingly, both the large unbalance in the number of instances (number of IP addresses in the EC2 column) and the share of web-services show that the IAD datacenter is by far the most popular among tenants running EC2 instances: IAD generates more than 85% of the total amount of EC2 traffic,
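The per-datacenter aggregation underlying Tables II and III can be sketched as follows. The flow records are made up for illustration; in the real pipeline they would come from the filtered, DN-Hunter-annotated Tstat logs.

```python
# Minimal sketch of the per-datacenter aggregation behind Tables II/III:
# given annotated flows (datacenter, web-service, bytes), compute traffic
# shares and web-service counts per datacenter. Records are made up.
from collections import defaultdict

flows = [
    # (datacenter IATA code, web-service hostname, bytes exchanged)
    ("IAD", "www.acmegame.com", 7_000_000),
    ("IAD", "api.acmegame.com", 1_500_000),
    ("DUB", "www.acmeshop.com", 1_200_000),
    ("SJC", "cdn.acmeshop.com", 300_000),
]

bytes_per_dc = defaultdict(int)
services_per_dc = defaultdict(set)
for dc, service, nbytes in flows:
    bytes_per_dc[dc] += nbytes
    services_per_dc[dc].add(service)

total = sum(bytes_per_dc.values())
for dc in sorted(bytes_per_dc, key=bytes_per_dc.get, reverse=True):
    share = 100.0 * bytes_per_dc[dc] / total
    print(f"{dc}: {share:5.1f}% of traffic, {len(services_per_dc[dc])} web-services")
# first line -> "IAD:  85.0% of traffic, 2 web-services"
```

Counting distinct hostnames per datacenter mirrors how the tables' web-service shares are derived, since a web-service is identified by the hostname DN-Hunter attaches to each flow.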
ID    #IPs (EC2/S3)    Exchanged Data (EC2/S3)    Web-services (EC2)    βRTT [ms] (EC2/S3)    βAS
IAD   6603 / 100       86.03% / 65.57%            68.95%                113.97 / 116.18       3
DUB   1218 / 11        12.29% / 32.86%            20.21%                48.73 / 43.77         3
SJC   620 / 7          1.60% / –                  7.94%                 182.14 / 174.81       4
NAR   20 / 0           – / –                      0.47%                 – / –                 4
SIN   75 / 0           0.03% / –                  1.62%                 228.10 / –            3
SEA   0 / 0            – / –                      0.81%                 – / –                 4
Table II: Amazon's datacenters hosting EC2 and S3 we located in 1Week-2012.

ID    #IPs (EC2/S3)    Exchanged Data (EC2/S3)    Web-services (EC2)    βRTT [ms] (EC2/S3)    βAS
IAD   12697 / 199      87.71% / 15.28%            59.61%                106.52 / 118.19       3
DUB   4042 / 39        10.20% / 81.89%            26.79%                38.14 / 44.83         3
SJC   984 / 24         0.78% / 1.60%              5.96%                 172.29 / 184.81       3
NAR   361 / 0          – / –                      1.44%                 318.16 / –            3
SIN   188 / 18         – / –                      1.26%                 297.18 / 303.11       3
SEA   768 / 0          1.0% / –                   4.95%                 184.81 / –            3
Table III: Amazon's datacenters hosting EC2 and S3 we located in 1Week-2013.
i.e., roughly 7 times more than the volume handled by the DUB datacenter. This confirms that the IAD datacenter is much larger than all the others.14

Consider now the CDF of the minimum RTT of each flow, depicted in Figs. 5a and 5b for 2012 and 2013, respectively. The minimum-RTT CDF is very sharp, reflecting the network distance from the vantage point to the datacenter. As expected, DUB is the closest for European users (Dublin, IE, RTT < 30ms), followed by IAD (Dulles, VA, RTT > 100ms), and the US West-Coast datacenters in SJC (San Jose, CA, RTT > 160ms) and SEA (Seattle, WA, RTT > 170ms). Asian datacenters have very high RTT, with NRT (Narita, JP) being close to 300ms. Curiously, the minimum RTT towards the SIN (Singapore, SG) datacenter is affected by some very heterogeneous multipath routing policy which we do not observe in 2012, but which is clearly evident in 2013. We double-checked this against traceroute data and found it to be still present at the time of writing.

Clearly, the RTT plays an important role when considering application performance and Quality of Experience (QoE). From a network point of view, the cost of transferring data is also important. The βRTT cost, indeed, looks sizeable for IAD, being from 230% to 490% more expensive than the DUB datacenter. One may expect DUB to be the best candidate to host EC2 instances for serving Italian (and European) end-users. Our intuition is that, for the sake of simpler management, tenants tend to deploy their web-services on one datacenter only. IAD represents their first choice because of its lower price.15

This bias is also explained by the lack of a location-aware load-balancing policy for EC2. Indeed, AWS offers load-balancing-based forwarders for incoming traffic, but none of these are based on the geolocation of end-users. Thus, load-balancing is effective only among servers inside a given zone. This comes at the expense of network cost and, possibly, user experience.

Comparing 2012 with 2013, we observe no substantial change in shares for EC2. However, a huge shift has happened for S3 services: DUB generates more than 81% of traffic in 2013, while it was below 33% in 2012. Indeed, tenants can now exploit S3 load-balancers to route end-users' requests towards the closest datacenter, thus improving latencies and saving bandwidth.16

Focusing now on βAS, we see that no major differences are present when routing traffic to different datacenters. This reflects the fact that Amazon (and the monitored ISP) had very good peering agreements with many providers in 2012, and possibly improved them further in 2013.

Finally, the left plots in Figs. 6 and 7 report the evolution over time of the share of traffic volume seen from the top three datacenters for EC2, for the 2012 and 2013 datasets respectively. Each point refers to a 4h-long time interval, covering an entire week. Other datasets and periods of time show very similar trends.

Starting from the leftmost plot, we see that the EC2 IAD zone consistently provides a much larger amount of traffic than DUB and SJC. The gap between IAD and DUB has even widened in 2013 with respect to 2012, confirming that the IAD datacenter is the most employed by tenants.

The center plot refers to S3. Today's preference for the DUB datacenter is confirmed.

Summary 2: We first observe that Amazon has notably increased the resources of the datacenters hosting EC2 and S3 between 2012 and 2013. Second, from a European ISP perspective, IAD and DUB are the two datacenters most employed by Amazon to offer EC2 and S3; however, we observe a large unbalance between IAD and DUB, as the majority of EC2 and S3 web-services were hosted by IAD in 2012. Interestingly, in 2013 DUB became the leading datacenter for S3 traffic. Finally, in 2013 Amazon improved its peering agreements with many providers, thus reducing the number of ASes traversed by its traffic. Interestingly, the authors of [19] reach similar observations, but from a different country (US).

B. EC2 Web-service Analysis

Table IVa and Table IVb report the most popular web-services EC2 hosts, considering the number of flows and the exchanged volume, respectively. In general, the type of web-service is quite heterogeneous. We observe that social games (Zynga, Farmville, Wooga and PlayFish) and advertising companies (InviteMedia, 360yield) generated the largest portion of flows in 2012. In 2013, most social gaming web-services, such as PlayFish and Zynga, severely downscaled their activity. This reflects the popularity of web-services among (Italian) end-users. The only online social gaming web-service holding a leading position in both the 2012 and 2013 datasets is Wooga.

Most web-services generate traffic exclusively from a single datacenter, suggesting that tenants do not replicate them among different Availability Zones, as also shown in [19]. The only notable web-services which rely on multiple datacenters are InviteMedia and 360yield.

14 http://aws.amazon.com/about-aws/globalinfrastructure/
15 http://aws.amazon.com/ec2/pricing/
16 Tenants can upload S3 files to multiple Availability Zones, and Amazon provides load balancing automatically among them.
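The per-datacenter minimum-RTT CDFs discussed above reduce to grouping per-flow minimum RTT samples by serving datacenter and building an empirical distribution for each group. The record layout below is a hypothetical simplification, not our actual flow-log schema.

```python
from bisect import bisect_right
from collections import defaultdict

# Hypothetical per-flow records: serving datacenter + minimum RTT sample.
flows = [
    {"dc": "DUB", "min_rtt_ms": 27.9}, {"dc": "DUB", "min_rtt_ms": 29.4},
    {"dc": "IAD", "min_rtt_ms": 105.1}, {"dc": "IAD", "min_rtt_ms": 121.7},
    {"dc": "SJC", "min_rtt_ms": 168.3},
]

def rtt_cdfs(flows):
    """One empirical CDF of per-flow minimum RTT per datacenter."""
    by_dc = defaultdict(list)
    for f in flows:
        by_dc[f["dc"]].append(f["min_rtt_ms"])
    cdfs = {}
    for dc, xs in by_dc.items():
        xs.sort()
        # F(x) = fraction of flows with minimum RTT <= x
        cdfs[dc] = lambda x, xs=tuple(xs): bisect_right(xs, x) / len(xs)
    return cdfs

cdfs = rtt_cdfs(flows)
```

A sharp CDF, such as all DUB samples falling below 30ms, is the signature of a stable network path towards a nearby datacenter.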
[Figure 6: Evolution over time (4h bins, April 1-8) of the share of traffic volume for the top EC2 datacenters (left: IAD, DUB, SJC), S3 datacenters (center: IAD, DUB, SJC), and CloudFront caches (right: MXP, FRA1, CDG, Others), 2012 dataset.]

[Figure 7: Evolution over time (4h bins, June 10-17) of the share of traffic volume for the top EC2 datacenters (left), S3 datacenters (center), and CloudFront caches (right: FRA1, FRA2, CDG, Others), 2013 dataset.]
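The share-of-volume time series shown in Figs. 6 and 7 amount to bucketing flow volumes into 4-hour bins and normalizing per bin. A minimal sketch follows; the flow-record layout is made up for illustration.

```python
from collections import defaultdict

BIN_S = 4 * 3600  # 4-hour bins, as in Figs. 6 and 7

# Hypothetical records: (unix timestamp, serving datacenter, bytes).
flows = [
    (1_000, "IAD", 900), (3_600, "DUB", 100),
    (BIN_S + 10, "IAD", 400), (BIN_S + 20, "SJC", 600),
]

def volume_share_per_bin(flows):
    """For each time bin, the fraction of bytes served by each datacenter."""
    vol = defaultdict(lambda: defaultdict(int))
    for ts, dc, nbytes in flows:
        vol[ts // BIN_S][dc] += nbytes
    return {
        b: {dc: v / sum(per_dc.values()) for dc, v in per_dc.items()}
        for b, per_dc in vol.items()
    }

shares = volume_share_per_bin(flows)
```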
ID    #IPs   Exchanged Data (%)   βRTT [ms]   βAS
MXP   232    98.03%               21.26       3
SFO   253    0.83%                175.21      4
ANR   151    0.56%                41.48       3
LHR   182    0.17%                31.60       3
FRA   245    0.17%                21.87       2
DUB   222    0.05%                49.76       3
CDG   246    0.13%                38.43       3
AMS   205    0.04%                29.88       3
EWR   208    < 0.01%              109.53      3
NRT   115    < 0.01%              –           4
SEA   64     < 0.01%              –           4
SIN   51     < 0.01%              –           3
IAD   2      < 0.01%              102.75      3
SJC   –      < 0.01%              –           4
Table V: Summary of Amazon's top 14 CloudFront caches we located in 1Week-2012.

ID    #IPs   Exchanged Data (%)   βRTT [ms]   βAS
FRA   797    87.76%               17.40       3
CDG   597    11.04%               24.50       3
AMS   755    0.84%                23.03       3
LHR   653    0.42%                36.22       3
NRT   453    < 0.01%              309.56      3
JFK   371    < 0.01%              109.54      4
DFW   315    < 0.01%              153.81      3
LAX   293    < 0.01%              193.93      3
SIN   291    < 0.01%              333.34      3
SFO   255    < 0.01%              170.82      3
HKG   240    < 0.01%              330.36      3
IAD   216    < 0.01%              107.86      3
JAX   164    < 0.01%              147.02      3
MXP   43     < 0.01%              41.48       3
Table VI: Summary of Amazon's top 14 CloudFront caches we located in 1Week-2013.
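Cache identifiers such as MXP or FRA are IATA-style airport codes; CloudFront reverse-DNS names commonly embed such a code, which offers one way to geolocate a cache. The naming pattern assumed below is an illustration, not a documented AWS guarantee.

```python
import re

# Assumed pattern: "server-<a-b-c-d>.<code><n>.r.cloudfront.net",
# where <code> is a three-letter IATA-style airport code.
CACHE_RE = re.compile(r"\.([a-z]{3})\d*\.r\.cloudfront\.net$")

def cache_airport_code(ptr_name):
    """Extract the airport code from a CloudFront reverse-DNS name."""
    m = CACHE_RE.search(ptr_name.lower())
    return m.group(1).upper() if m else None

code = cache_airport_code("server-54-230-9-12.fra2.r.cloudfront.net")
```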
allows us to identify possibly different CloudFront caches. [...] from caches far away from end-users' position. This may be because some end-users employ alternative DNS servers, different from those provided by their ISP. For instance, both OpenDNS and Google DNS servers direct requests from the [...] in [20].

Fig. 7c depicts a further difference between 1Week-2013 and 1Week-2012. The plot shows that the load distribution is not strongly polarized towards one cache as in Fig. 6c, where the preference for the MXP cache is very strong. Fig. 7c shows that cache FRA1 handles a large fraction of CloudFront traffic until midnight of June 14, but a drastic shift appears from June 15, when FRA1 apparently disappears, leaving space to FRA2 and CDG. While it is impossible to know why this happened, we can conclude that CloudFront policies are dynamic, in contrast with the static allocation of the EC2/S3 services. Furthermore, this highlights the need for persistent traffic monitoring to detect sudden changes.

Summary 4: The CloudFront cache in MXP was replaced by FRA in 2013. Interestingly, despite the increase in physical distance between end-users and the caches serving them, both the RTT and the number of ASes measured in the flows have decreased. Furthermore, we observe that the load distribution among CloudFront caches is dynamic, and can drastically change from one day to another.

[Figure 8: Distribution of response time ∆R for the EC2 service in different periods: (a) 2012, (b) 2013. CDFs for the IAD, DUB and SJC datacenters.]

[Figure 9: Q-Q plot of response time ∆R (2012 vs 2013) for EC2, for the IAD, DUB and SJC datacenters.]

VI. PERFORMANCE MONITORING

In this section we characterize the performance of AWS separately for each Availability Zone, and then we focus on some specific web-services.

A. Availability Zone and Cache Response Time

Figs. 8a and 8b depict the distribution of the response time ∆R for EC2 in 2012 and 2013, respectively. We show the most popular datacenters. Focusing on the 2012 dataset, IAD exhibits response times larger than 100ms in 30% of the cases, making it the worst-performing datacenter. In some cases, we observe badly engineered web-services that run on congested instances.
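The response time ∆R can be measured passively as the gap between the last segment of the client's request and the first payload-carrying segment of the server's reply. The sketch below works on a simplified packet representation (timestamp, direction, payload length); field names and layout are assumptions for illustration, not our monitoring tool's actual interface.

```python
def response_time(packets):
    """∆R: time from the last client segment carrying data (before any
    server payload) to the first server segment carrying data.
    Pure ACKs (payload == 0) are ignored."""
    last_req = None
    for ts, direction, payload in packets:
        if payload == 0:
            continue
        if direction == "c2s":
            last_req = ts
        elif direction == "s2c":
            return None if last_req is None else ts - last_req
    return None

# GET split over two segments; server data arrives 100 ms after the request.
pkts = [(0.00, "c2s", 120), (0.05, "c2s", 80),
        (0.10, "s2c", 0),      # ACK, ignored
        (0.15, "s2c", 1460)]   # first response byte
delta_r = response_time(pkts)
```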
[Figures (captions lost in extraction): time evolution of response time for EC2 datacenters (IAD, DUB), and CDFs of response time for CloudFront caches (ARN, MXP, SFO, FRA in 2012; FRA1, FRA2, CDG in 2013).]
[Figures (captions lost in extraction): response-time comparison for popular EC2 web-services (wooga-DUB, wooga-IAD, lastampa-DUB, samsungosp-DUB); (a) CDF (2012) of CloudFront response time per content type (static, aggregate, js, instagram, img); and a Q-Q plot of response time (2012 vs 2013) for instagram and static content.]
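A Q-Q plot such as the ones used here pairs matched quantiles of two response-time samples; points above the y = x diagonal mean the second sample is slower at that quantile. A minimal sketch with synthetic data:

```python
import statistics

def qq_points(sample_a, sample_b, n=9):
    """Deciles (by default) of two samples, paired for a Q-Q plot."""
    qa = statistics.quantiles(sample_a, n=n + 1)
    qb = statistics.quantiles(sample_b, n=n + 1)
    return list(zip(qa, qb))

# Synthetic example: year-two response times uniformly 20% faster.
rt_year1 = [50 + i for i in range(100)]
rt_year2 = [0.8 * x for x in rt_year1]
points = qq_points(rt_year1, rt_year2)
```

Here every point falls below the diagonal, the signature of an across-the-board improvement; a crossing pattern would instead indicate that only part of the distribution changed.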
acquired in Italy since its integration with Facebook, which started in mid-2012.

While it is hard to pinpoint the root cause behind such evidence, the ability to monitor the performance of web-services running on Cloud and CDN infrastructures is a first step to understand the implications and eventually trigger further investigations.

Summary 7: Although the aggregate reactiveness of EC2 improved in 2013, the most popular services show a considerable performance decrease. A similar observation holds for the goodput of the two EC2 web-services responsible for generating the largest share of traffic. Finally, CloudFront suffers from lower reactiveness when serving user-generated content. In particular, the performance of Instagram has dramatically worsened in 2013.

VII. RELATED WORK

Many measurement tools and platforms have been proposed in recent years, such as PerfSONAR [3] and RIPE Atlas [4]. RIPE Atlas only performs active measurements, which strongly limits its monitoring capabilities. While the measurement architecture we rely on, i.e., mPlane, might look similar to PerfSONAR, the complete mPlane platform goes beyond it, since it includes the analysis of the gathered data to diagnose service and network problems. Furthermore, mPlane differs from those tools since it is specifically designed to adapt to the measurement task, making it extremely flexible. Moreover, the reasoner is a key component that allows structured, iterative, and automated analysis.

To the best of our knowledge, this is the first work which proposes a measurement platform based on the passive observation of traffic for the monitoring of Clouds and CDNs. However, some frameworks which aim at monitoring and comparing the performance of different Cloud providers have been proposed in the past. Notable examples are [5], [22], [6]. All of them reside in the IaaS, and rely on active benchmarking to evaluate different performance metrics and rank Cloud providers according to the results. Often, IaaSes themselves offer APIs that provide a server-side monitoring interface on the internal state of the Cloud: e.g., Amazon CloudWatch and Azure Diagnostics let tenants monitor the virtual resource utilization and the performance of their deployments. Another approach is to collect reports made available directly by the tenants, as in SMICloud [23], or by users [9]. Our platform is different, yet complementary to these systems: first, it operates from a perspective close to the users', i.e., the monitoring platform is outside the monitored system; second, it provides information that the above solutions cannot gauge. For instance, a tenant may be interested in understanding the impact of the datacenter choice on users' QoS.

To provide an idea of the benefits of our monitoring architecture, we focus the study in this paper on AWS, the most popular distributed Cloud infrastructure, which incorporates many services in its eco-system, from Cloud computing to content delivery; in other words, it is the best candidate to show what our measurement architecture is capable of.

Since AWS plays a key role in the contemporary Internet, it has attracted large interest within the research community. In particular, many works investigated the possibility of exploiting AWS EC2 for research purposes [24], [25], [26]. Others instead focus on evaluating the performance of AWS computing and networking virtual resources [27], [28]. However, most of the previous works focus on benchmarking AWS IaaSes and infrastructure, and they all rely on "active" probing. To the best of our knowledge, the only work which aims at characterizing Amazon Web Services is [19], in which the authors base their study on DNS records and one passive trace. Even though they consider other Cloud infrastructure providers in their study, they do not go beyond the characterization of Amazon EC2 and Windows Azure, and they provide no actual performance study. Nevertheless, our results confirm many of their observations about Amazon EC2.

To the best of our knowledge, we are the first to provide an evaluation of the actual AWS workload and performance by means of purely "passive" observation of traffic coming from a real operational network. In addition, our measurement architecture lets us gauge the performance of the web-services Cloud tenants run, and their impact on end-users. Finally, we are the first to analyze the evolution of a Cloud/CDN provider over a two-year period.

VIII. CONCLUSIONS

Monitoring the traffic generated by Clouds and CDNs is hard, as virtualization and content delegation deeply separate web-services from the servers hosting them, making it hard to understand what is actually delivered by whom.

To help untangle this web, in this paper we proposed a flexible measurement platform whose design was specifically tailored to monitor the traffic generated by Clouds and CDNs.

We validated the effectiveness of our architecture by presenting a characterization of Amazon Web Services (AWS) traffic from passive measurements. By digging into the traffic generated by EC2, S3 and CloudFront over a period of two years, we obtained several interesting findings. For instance, there is a big workload unbalance among the different datacenters hosting both the EC2 and S3 products; in particular, the datacenter in Virginia is responsible for 85% of the total traffic sent to Italian end-users, despite the availability of a datacenter in Ireland. We observed that in 98% of the cases tenants concentrate their content mostly on one datacenter, thus increasing the cost sustained by the network to carry data to faraway end-users. Considering AWS performance, we showed that the datacenter in Ireland serves web-services more reactively and at higher transfer speeds than the datacenter in Virginia, although the latter was greatly upgraded between 2012 and 2013. We also found that CloudFront shows excellent performance, but i) Italian users were mainly served in 2013 by caches outside of Italy, and ii) it still presents issues that are typical of other CDN systems, especially when serving user-generated content.

We believe our proposal, the methodologies it implements, and the results we obtained from its validation can be useful for tenants, service-level agreement certifiers, ISPs, as well as for the research community.