Software network functions (NFs) are software applications that process packets from a network traffic stream. Examples of NF services include network intrusion detection systems (IDS), protocol or WAN optimizers, firewalls, Network Address Translators (NATs), and so forth.
Packets of the network stream are processed by one or more NF instances of an NF service. For example, if traffic is processed by both a firewall and a load balancer, there may be three firewall instances and two load balancer instances. Each NF instance is allocated some amount of resources (primarily CPU cores and bytes of memory). Given a fixed resource allocation, an NF instance can process a limited number of packets per second without introducing latency or dropping an unacceptable number of packets. If the input traffic rate exceeds this rate, an NF is said to be in an overload state. That is, when an NF instance cannot or will not (e.g., due to a policy or licensing decision) process packets at the rate at which it receives the packets, it is in an overload state. In contrast, when an NF instance receives packets at a rate that is significantly less than the rate at which it can process packets, it is in an underload state. When an NF is in an overload state, network traffic latency may be undesirably increased and/or packets of the network traffic stream may be dropped. To mitigate such potentially unacceptable effects, multiple instances of the NF are needed.
The problem of scaling NF instances in a network arises in the context of many scalable software services; e.g., web services. A typical approach in many such contexts is to monitor a CPU load of a processor implementing an NF instance. If the CPU load of that processor exceeds a pre-defined threshold for a given duration, an additional NF instance is provisioned (e.g., installed and/or running as software, as dedicated hardware, or otherwise implemented). However, some NFs implement a polling routine that checks for new network data from the network traffic stream at a high frequency. Because of the high-frequency polling rate, the CPU running that NF will indicate a utilization of 100%. Thus, CPU load may not always be relied upon as an indicator of NF overload or underload.