Disaster-survivable cloud-network mapping

Cloud-computing services are provided to consumers through a network of servers and network equipment. Cloud-network (CN) providers virtualize resources (e.g., virtual machines (VMs) and virtual networks (VNs)) for efficient and secure resource allocation. Disasters are among the worst threats to CNs, as they can cause massive disruptions and CN disconnection. A disaster may also induce post-disaster correlated, cascading failures that disconnect additional CNs. Survivable virtual-network embedding (SVNE) approaches have been studied to protect VNs against single physical-link/-node and dual physical-link failures in communication infrastructure, but the massive disruptions caused by a disaster and their consequences can make SVNE approaches insufficient to guarantee cloud-computing survivability. In this work, we study the problem of survivable CN mapping against disasters. We consider risk assessment, VM backup location, and post-disaster survivability to reduce the risk of failure, the probability of CN disconnection, and the penalty paid by operators due to loss of capacity. We formulate the proposed approach as an integer linear program and study two scenarios: a natural disaster (e.g., an earthquake) and a human-made disaster (e.g., a weapons-of-mass-destruction attack). Our illustrative examples show that our approach reduces the risk of CN disconnection and the penalty by up to 90% compared with a baseline CN mapping approach, and increases CN survivability by up to 100% in both scenarios.


Introduction
Reliable provisioning of cloud-computing services depends on robust resource allocation over a common physical infrastructure, formed by datacenters and communication networks [2][3][4]. Physical infrastructure is often abstracted as the "infrastructure as a service (IaaS)" layer, which provides computational and communication resources to the upper service layers (e.g., platform as a service (PaaS) and software as a service (SaaS)) of the cloud-computing framework [5], [6]. Cloud-network (CN) mapping is the combination of virtual-network (VN) mapping and virtual-machine (VM) allocation (i.e., network and server virtualization) over a physical infrastructure. CN survivability is crucial for computational resource allocation in a consistent and secure environment for cloud-computing services [4,6,7]. Figure 1 presents an example of two CNs consisting of interconnected VMs mapped over an optical network that interconnects datacenters (DCs) of a cloud-infrastructure provider. Failures in the physical infrastructure can reduce the available resources (optical network and DCs) and disconnect multiple CNs. This may severely affect the upper-layer services [8]. CN survivability for a small number of failures in the physical infrastructure has been modeled as a survivable virtual-network embedding (SVNE) problem, defined as the resilient VN mapping over the physical infrastructure to avoid disconnection due to failures [9]. Most SVNE studies considered single and multiple physical-link (-node) failures (e.g., datacenter and shared-risk group (SRG) failures), and a regional failure that may or may not be a disaster [9][10][11][12][13].
Disaster failure is a special case of SRG failure which may produce multiple failures in cascade, i.e., when a disaster occurs, some network elements may fail simultaneously in a first phase, and, later, other failures in different parts of the physical network (and upper layers) may occur (e.g., power outages, aftershocks after an earthquake, etc.). An important feature of cascading failures is that they tend to be more predictable from the damage and location of the initial failure, and this prediction can be used to reorganize the network to reduce disruptions [14].
An example of a disaster failure is the 2012 Hurricane Sandy, where post-disaster cascading failures (caused by flooding and power blackouts) shut down many datacenters and network nodes in the New York area [15] and caused disruption of communication services in the northeastern US [16]. Given the scale of their impact on CNs, network operators should take measures to protect cloud-computing services from disaster and post-disaster failures despite their rare occurrence.
In this study, we consider a disaster-survivable CN mapping approach using risk assessment (similar to [17]), virtual-machine (VM) backup location, and post-disaster survivability constraints to substantially reduce the risk of failure, the penalty, and the probability of CN disconnection in case of disaster and post-disaster failures.

Main Contributions
In this work, to the best of our knowledge, we study for the first time:
- Integration of disaster and post-disaster survivable CN mapping with a risk-assessment model to reduce the risk of CN disconnection.
- Use of a virtual-backup-node approach that can relocate VMs (i.e., VM backup location) to increase cloud-computing survivability in case of disasters.

Organization
The rest of this study is organized as follows. Section 2 presents a brief review of cloud-network protection schemes and related works. Section 3 presents the survivable CN mapping problem. Section 4 describes our approach with an example. Section 5 introduces the variables and symbols and the ILP formulation of the baseline approach with a risk-minimization objective function. Section 6 introduces the ILP formulation of the proposed approach, including the VM backup location and post-disaster survivability constraints.
An illustrative example is presented in Section 7, and our study concludes in Section 8.

Background and Related Works
A survey on network virtualization highlighting the importance of survivable virtual-network embedding (SVNE) is presented in [18]. Ref. [14] surveyed works on disaster survivability and pointed out works on disaster SVNE combined with VM location for datacenter networks.
Most studies on the SVNE problem suggested protection or restoration (i.e., reactive) approaches to deal with single physical-link (-node) failures. To deal with single physical-link failure, Ref. [19] proposed a fast rerouting approach to recover a failed VN, and Ref. [20] suggested mixing protection and restoration with backup-capacity sharing to maximize revenue. Ref. [21] studied the SVNE problem for IP-over-WDM optical networks considering single and dual-link failures, introducing cut-disjointness as a survivability constraint and a routing metric, MINCUT. The cut-disjoint constraint avoids mapping two virtual links on the same physical resource if failures of both links disconnect the virtual topology (i.e., a cut of the topology). Ref. [22] used dedicated-path-protection and cut-disjoint approaches to increase survivability. Ref. [23] showed the advantage of the cut-disjoint approach over the path-disjoint approach to provide protection in VNs.
Refs. [12,24] proposed two versions of an SVNE approach for physical-node failures (i.e., a datacenter failure in a regional failure) by adding backup nodes: l-backup node (one backup node for each VN) and k-backup nodes (1+1 node protection). Ref. [25] presented an extension of these approaches, considering a network-flow perspective to increase survivability.
Ref. [26] studied the SVNE problem in the context of grid- and cloud-computing survivability over optical networks, highlighting the importance of the survivable CN mapping (SCNM) problem, which combines the SVNE problem and VM survivability. In this regard, the study in [13] suggested server-capacity relocation and lightpath re-provisioning for virtualized datacenters to offer survivability. Ref. [10] presented a model that helps to reduce disaster failures in cloud services (i.e., cloud contents) provisioned over optical datacenter networks using an SRG-disjoint approach. Refs. [27,28] studied the SCNM problem combined with anycast routing, where VN mapping and anycast routing are optimized together to provide CN survivability. Ref. [11] studied disaster survivability in CN mapping, suggesting a disaster-disjoint approach combined with non-survivable mapping to maximize revenue.
In this work, we address the SCNM problem for disaster failures using risk minimization, cut-disjoint constraint, virtual-machine (VM) backup location, and post-disaster survivability approaches.

Survivable CN Mapping (SCNM)
The survivable CN mapping (SCNM) problem combines SVNE and VM resiliency. To address this problem, we consider a baseline SCNM approach that provides CN resiliency for any single physical-link failure while minimizing resources (Min-Res). To extend the baseline approach for disaster survivability, we also consider minimization of the risk of damage given the occurrence of a disaster (Min-Risk).

SCNM Problem Statement
Inputs:
- CN mapping requests and VM allocation requests with required communication and processing capacity.
- Physical network with link and node capacity (i.e., datacenter capacity).

Output:
- Single physical-link-failure survivable CN mapping.

Survivable Mapping Constraint
The survivable mapping constraint guarantees a survivable CN mapping for any single physical-link failure by enforcing cut-disjoint mapping, as studied in [21][22][23]. This constraint ensures that virtual links of the same cut (i.e., a set of links whose simultaneous failure disconnects the virtual topology) do not share the same physical link. A simple example of the SCNM approach is shown in Fig. 2, where γ represents a CN request and Γ is the set of requests.
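As a concrete illustration of the cut-disjoint idea, the following Python sketch (our own helper, not from the paper) checks whether a given mapping leaves any cut of a CN vulnerable to a single physical-link failure:

```python
def survives_single_link_failure(cuts, mapping):
    """Check the cut-disjoint property of a CN mapping.

    cuts    : iterable of cuts; each cut is a set of virtual links whose
              simultaneous failure disconnects the virtual topology
    mapping : dict virtual link -> set of physical links its lightpath uses
    Returns True when no single physical link carries ALL virtual links of
    some cut, so no single physical-link failure can disconnect the CN.
    """
    for cut in cuts:
        used = set().union(*(mapping[e] for e in cut))
        for phys in used:
            if all(phys in mapping[e] for e in cut):
                return False  # one physical-link failure removes a whole cut
    return True

# Toy example: a two-link cut whose links ride the same physical link is unsafe
cut = [{"e1", "e2"}]
print(survives_single_link_failure(cut, {"e1": {"AB"}, "e2": {"AB"}}))  # False
print(survives_single_link_failure(cut, {"e1": {"AB"}, "e2": {"BC"}}))  # True
```

The link identifiers ("e1", "AB", etc.) are hypothetical placeholders; in the paper the cuts come from the CN topology and the mapping from the ILP solution.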

Disaster-Survivable CN Mapping with Risk Minimization (Min-Risk-DS)
The disaster-survivable CN mapping with risk minimization approach (Min-Risk-DS) extends Min-Res by including a disconnection constraint. Risk minimization offers two important advantages for disaster survivability. The first is reduced usage of (backup) capacity. The second is the feasibility of the mapping in disaster zones (DZs), where an SRG-disjoint approach would not give a feasible mapping without additional backup resources.

Risk assessment
Risk is defined as the expected value of an outcome seen as undesirable.
In this work, we analyze the risk of a CN based on the damage/loss caused by a disaster [17]. The loss of CN γ (γ ∈ Γ) is the sum of two terms: (1) the penalty for CN disconnection, i.e., the total capacity (bandwidth) lost when the CN is disconnected, multiplied by a CN disconnection coefficient (a value defined in the service-level agreement (SLA) that indicates the additional cost paid by the network provider to the customer or tenant when their CN is disconnected); and (2) the penalty for virtual-link disconnections in terms of capacity lost. The risk is obtained by multiplying the resulting loss (i.e., total penalty) of γ by the probability p_n that disaster n occurs in the given disaster zone, over the set N of possible disasters. Disasters are defined according to the approach in [17], where the probability of a disaster and the probability of damage are calculated from hazard maps (see Section 7).
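The risk equation itself was lost in this extracted text; based on the definitions above and the symbols introduced in Section 5, a consistent reconstruction (ours, not necessarily the verbatim equation) is:

```latex
R_{\gamma} \;=\; \sum_{n \in N} p_n \left( d \sum_{c \in C^{\gamma}} b_c \, Q^n_c \;+\; \sum_{e \in E^{\gamma}} b_e \, D^n_e \right)
```

where the first term is the penalty for CN disconnection (the capacity b_c of a failed cut weighted by the SLA coefficient d) and the second is the penalty for individual virtual-link disconnections.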

Example of risk minimization in CN mapping
To illustrate the impact of a disaster failure on CNs and the advantage of the Min-Risk-DS approach, we compare the mapping obtained with Min-Res (Fig. 2(b)) against the mapping obtained with Min-Risk-DS (Fig. 3(a)). Two disaster zones, DZ1 and DZ2, are included in Fig. 3, with probabilities of occurrence (p_n) 0.3 and 0.5, respectively. Since DZ1 affects an entire node C, an SRG-disjoint approach would demand more resources for backup. To compare the two mappings, we calculate the total risk of each. However, risk minimization can force the use of more resources when more DZs are present. Hence, this example confirms the necessity of VM backup location, introduced in Section 4, for further reduction of the risk of CN disconnection.

Disaster and Post-Disaster Survivable CN Mapping with Risk Minimization (Min-Risk-D-PDS)
Min-Risk-D-PDS extends Min-Risk-DS by adding two new functions to increase the disaster and post-disaster survivability of CNs. Note that, in the mapping of Fig. 3(b), the risk is reduced by only 10 units, and a disaster in DZ1 can still disconnect both CNs. To reduce the risk and increase CN survivability in case of disaster failures, Min-Risk-D-PDS introduces the concepts of VM backup location (VBL) and post-disaster survivability (PDS).

Virtual Backup Node for VM Backup Location (VBL)
VBL maps one or more virtual backup nodes to relocate VMs of a CN, following three main steps: selection, connection, and sharing. For comparative purposes, we use the CN 1 nodes (3, 4, 6, 7) already used in Fig. 3, with one and two VM backup locations (Fig. 4). These three steps are the main novelty and advantage of our proposed VBL approach over previous works [11,12,25], in which the risk of disaster and post-disaster survivability are not considered.

Selection of datacenter for VM backup location
The physical node (i.e., datacenter) selected as backup must not only have enough excess processing capacity, but also be located in a safer place to lower the risk of disconnection.

Connectivity of VM backup location
Every virtual backup node has to be connected by one virtual link to each of a set of working VMs in its own CN (Fig. 4(a)). The virtual links that connect the CN with its backup VM have 50% of the bandwidth of the working virtual link.

Physical node (i.e., datacenter) sharing for VM backup location
The physical node selected to provide VM backup location for one CN can be shared by another CN as a working VM location and/or a VM backup location. To increase survivability to post-disaster failures, this approach does not allow two CNs to share the same physical node if both can be disconnected by the same disaster.

Example of VM backup location
By adding VBL to the Min-Risk-DS approach (Fig. 4(a)), the risk of disconnection of CN 1 (Fig. 3(b)) is reduced from 120 (we assume a disconnection penalty of 400 and p_n = 0.3, so 120 = 400 × 0.3) to 10 (a penalty of 30 × 0.3). Thanks to our approach, the CN does not get disconnected, so the risk of CN disconnection is reduced by 92%, with an additional capacity of 30 Mbps (assuming 5 Mbps for each backup virtual link).
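The arithmetic above can be checked with a one-line helper (our own illustration; the penalty and probability values are those assumed in the example):

```python
def cn_risk(p_n, total_penalty):
    """Risk of CN disconnection: the expected loss, i.e., the probability
    of disaster n times the total penalty for capacity lost."""
    return p_n * total_penalty

# Without VM backup location: disconnection penalty 400, p_n = 0.3
print(cn_risk(0.3, 400))  # 120.0
```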
As an example with two VM backup locations, in Fig. 4(b) we add a third disaster zone, DZ3, with p_3 = 0.5, which increases the risk of the mapping of Fig. 4(a) to 210. We then map a second virtual backup node, which reduces the risk to 28 (a 91.4% reduction), because only independent virtual links can be affected by a disaster and the CN may remain connected. The CN may also survive if a disaster and post-disaster failures disconnect two VMs and cause additional physical-link failures.

Post-Disaster Survivability (PDS)
However, if a disaster in DZ1 occurs, a post-disaster correlated cascading failure of the physical link A-B will still disconnect the CN of Fig. 4(a). Additionally, a post-disaster failure of physical links A-B and F-G will disconnect the CN of Fig. 4(b). Hence, a post-disaster survivability (PDS) constraint is added to our model to increase survivability during recovery periods, given the vulnerability of CNs to post-disaster failures [14,16]. Our PDS approach consists of two functions: cut extension and a survivability constraint.

Cut extension
We implement a new algorithm called ExCuts, an extension of the approach proposed in [22]. ExCuts extends the basic cuts of the CN 1 topology in three steps. To describe the steps, we use CN 1 (Fig. 5(a)) and one possible replacement of VM 3 by VM 1 (i.e., as a virtual backup node).
Step i: ExCuts replaces the working VM 3 with VM 1 as a possible relocation and builds a new topology (Fig. 5(c)).
Step ii: ExCuts renumbers the basic cuts with the virtual links of the resulting topology of Fig. 5(c). Table 1 shows the basic and extended cuts of the resulting topology when VM 3 is disconnected and replaced by VM 1.
Step iii: ExCuts eliminates redundant cuts and repeats these steps for each possible VM relocation of Fig. 5(c-f).
In this example, we consider only one datacenter for VM backup location. In general, ExCuts generates new cuts considering all possible VM relocations given a disaster failure.
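A minimal sketch of the three ExCuts steps (our own code; the paper does not give data structures) enumerates basic cuts by node bipartition, rebuilds the topology for each candidate relocation, and merges the resulting cuts while dropping duplicates:

```python
from itertools import combinations

def basic_cuts(nodes, edges):
    """Enumerate the basic cuts of a topology: for every bipartition of the
    node set, the set of edges crossing it. Exponential in the node count,
    which is acceptable here because CN topologies have only a few VMs."""
    nodes = list(nodes)
    cuts = set()
    for r in range(1, len(nodes)):
        for side in combinations(nodes, r):
            s = set(side)
            cut = frozenset(e for e in edges if (e[0] in s) != (e[1] in s))
            if cut:
                cuts.add(cut)
    return cuts

def ex_cuts(nodes, edges, replacements):
    """ExCuts-style cut extension: for each possible relocation
    (failed VM -> backup node), rebuild the topology with the backup node in
    place of the failed VM (step i), recompute its cuts (step ii), and merge
    them while eliminating duplicates (step iii)."""
    all_cuts = set(basic_cuts(nodes, edges))
    for failed, backup in replacements:
        new_nodes = [backup if v == failed else v for v in nodes]
        new_edges = [tuple(backup if v == failed else v for v in e)
                     for e in edges]
        all_cuts |= basic_cuts(new_nodes, new_edges)
    return all_cuts

# Hypothetical triangle CN {1,2,3}; consider relocating VM 3 to backup node 9
cuts = ex_cuts([1, 2, 3], [(1, 2), (2, 3), (1, 3)], [(3, 9)])
print(len(cuts))  # 6: 3 basic cuts + 3 cuts of the rebuilt topology
```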

Survivability constraint
The extended cuts are input to the novel survivability constraint, which enforces survivable mapping against any post-disaster single physical-link failure. The constraint applies the cut-disjoint concept introduced in Section 3, but considers post-failure cuts to increase post-disaster survivability. Figure 6 presents the cut extension of Fig. 5 for two VM backup locations.

Example of Min-Risk-D-PDS Approach
In the mapping of Fig. 4(a), if a disaster, e.g., in DZ1, occurs, the physical node C and its physical links will fail, but the CN will not be disconnected, because the failed VM in node 2 will be relocated to physical node A (the VM in node 1). However, a post-disaster failure of physical link A-B will disconnect the CN, because virtual links 1-5 and 1-4 will be disconnected. Similarly, failure of any of the physical links B-E, F-G, and E-G may disconnect the CN.
Min-Risk-D-PDS obtains the mapping in Fig. 7(a), where the CN will not be disconnected by any single physical-link failure, disaster failure, or post-disaster single physical-link failure, and the expected loss of bandwidth and processing capacity will be reduced.

ILP Formulation of Min-Risk-DS
In this section, we present the ILP formulation of the baseline approach Min-Risk-DS, which has three elements: the Min-Risk formulation, CN mapping constraints, and survivability constraints. Before describing the formulation, we introduce the parameters and variables of the problem.

Objective function
The objective is to minimize the total capacity that can be lost if a disaster occurs. The risk, as defined in Section 4, is the total penalty for capacity loss multiplied by the probability of occurrence. The total penalty is the sum of the penalties for CN and virtual-link disconnections; the penalty for CN disconnection is calculated as described in Section 4. To avoid mapping virtual links over long lightpaths, a resource-minimization term is added with a coefficient ε. A very small value of ε gives more importance to risk minimization than to the resources used.
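The objective function was lost in this extracted text; a reconstruction consistent with the description above and the Section 5 symbols (ours, not necessarily verbatim) would be:

```latex
\min \;\; \sum_{\gamma \in \Gamma} \sum_{n \in N} p_n
\left( d \sum_{c \in C^{\gamma}} b_c \, Q^n_c
     + \sum_{e \in E^{\gamma}} b_e \, D^n_e \right)
\;+\; \varepsilon \sum_{e} \sum_{(i,j) \in E} M^e_{i,j}
```

The first part is the total risk over all CNs and disasters; the ε-weighted part counts the physical links used by the lightpaths.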

Constraint to determine whether a virtual link is affected by a disaster
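The constraint itself is missing from this extracted text; a standard big-M linking of the mapping variables M^e_{i,j} to the disaster-disconnection indicator D^n_e, consistent with the variable definitions of Section 5, would be:

```latex
\sum_{(i,j) \in S^n} M^e_{i,j} \;\le\; M \cdot D^n_e,
\qquad
D^n_e \;\le\; \sum_{(i,j) \in S^n} M^e_{i,j}
\qquad \forall e, \;\; \forall n \in N
```

so that D^n_e = 1 exactly when the lightpath of virtual link e traverses at least one physical link failed by disaster n.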
where M is a large number.

Constraint to determine a CN disconnection (i.e., cut failure) due to a disaster

The CN is disconnected when the value of Q_c^n is 1, i.e., disaster n disconnects all the virtual links e (D_e^n) belonging to a cut c.
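The equation is not reproduced in this extracted text; a formulation matching the description (our reconstruction) forces Q^n_c to 1 exactly when every link of cut c is disconnected:

```latex
Q^n_c \;\ge\; \sum_{e \in c} D^n_e \;-\; (m_c - 1),
\qquad
m_c \cdot Q^n_c \;\le\; \sum_{e \in c} D^n_e
\qquad \forall c, \;\; \forall n \in N
```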

CN Mapping Constraints
The basic constraints used in the mapping are as follows. The first constraint maps CN γ, connecting the VMs u and v. The remaining constraints ensure that each virtual link is mapped on a lightpath and that the lightpath does not pass through the same physical node more than once.
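The mapping equations themselves are missing from this extracted text; a typical flow-conservation form for routing a virtual link e = (u, v) of CN γ over the physical topology (our reconstruction, using the Section 5 symbols) is:

```latex
\sum_{j:(i,j) \in E} M^e_{i,j} \;-\; \sum_{j:(j,i) \in E} M^e_{j,i} =
\begin{cases}
1 & \text{if } i = u \\
-1 & \text{if } i = v \\
0 & \text{otherwise}
\end{cases}
\qquad \forall i \in V, \;\; \forall e = (u,v) \in E^{\gamma}
```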

Survivability Constraint

The survivability constraint uses the basic cuts C^γ of the CN topology. The constraint enforces that the m_c links of a cut c do not all use the same physical link.
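Written with the Section 5 symbols, the constraint (reconstructed here, as the equation was lost in extraction) would read:

```latex
\sum_{e \in c} M^e_{i,j} \;\le\; m_c - 1
\qquad \forall c \in C^{\gamma}, \;\; \forall (i,j) \in E
```

i.e., at most m_c − 1 virtual links of any cut may share one physical link, so no single physical-link failure can remove a whole cut.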

ILP Formulation of Min-Risk-D-PDS
Min-Risk-D-PDS is our comprehensive approach which extends the ILP formulation of the baseline approach Min-Risk-DS by adding the VM backup location (VBL) and post-disaster survivability (PDS) constraints.

Disaster-disjoint VM backup location constraint
This set of constraints enforces that two or more CNs do not share the same physical node as VM backup location if the CNs are affected by the same disaster (Eqs. (10), (11), and (12)). Equation (10) identifies which disaster n disconnects CN γ, setting X_γ^n to 1, and 0 otherwise.
Equation (11) uses the value of X_γ^n and an auxiliary variable T_{g,h}^n to identify a disaster that disconnects both CNs g and h.
Equation (12) prevents two CNs (g and h) from sharing the same physical node (b) for VM backup location if both CNs are disconnected by the same disaster.
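Equations (10)-(12) are not reproduced in this extracted text; one reconstruction consistent with the descriptions and the Section 5 variables (ours) is:

```latex
X^n_{\gamma} \;\ge\; Q^n_c \qquad \forall c \in C^{\gamma}, \;\forall n \in N \hfill (10)
```
```latex
T^n_{g,h} \;\ge\; X^n_g + X^n_h - 1 \qquad \forall g, h \in \Gamma, \;\forall n \in N \hfill (11)
```
```latex
Y^g_b + Y^h_b \;\le\; 2 - T^n_{g,h} \qquad \forall b, \;\forall g \ne h, \;\forall n \in N \hfill (12)
```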
Equation (14) bounds the number of VM backup locations between 2 and a certain maximum number.

Connecting the VM backup node for relocation
When a VM backup location is selected, virtual links connect it to the working VMs (Eq. (15)). The connection follows two conditions: (i) when one or more VMs choose a VM backup location. In this case, Z_{v,b}^γ is 1, meaning that the working VM used by the CN in physical node v chooses to be relocated to physical node b. As a result, the variable K_{v,b}^{γ,e} will be 1, forcing the mapping of virtual link e into the physical network.
(ii) when the VM backup location mapped in b is already connected to v (K_{v,b}^{γ,e} = 1) and the VM in physical node u is a neighbor of v. Hence, a virtual link connects a working VM u with the VM backup location b of the same CN (K_{u,b}^{γ,e} = 1).

Processing Capacity Required for VM Backup Location
This constraint manages the free capacity of each physical node used for VM backup location. If P_b^free is zero, the physical node cannot be used as backup (Y_b^γ = 0), e.g., when the required capacity of the CN (P_u^γ) exceeds the free capacity (P_b^free).
PDS uses the same formulation as Eq. (9), with the extended cuts Ĉ_b^γ as additional input.

Experimental Setup
We test our approaches on a 24-node US mesh opaque WDM optical network (Fig. 8(b)) with 32 wavelengths per link. Two types of disasters are considered: natural disasters (earthquakes) and human-made disasters (weapons-of-mass-destruction (WMD) attacks), originally modeled in [17] and shown in Fig. 8(b). For earthquakes, the probability of occurrence and damage are obtained from seismic hazard maps. For WMD attacks, the probability of attack and damage are based on city population and importance [17].
We consider five full-mesh cloud networks (CNs), each consisting of four virtual nodes (i.e., VMs) distributed over 16 datacenters (Fig. 8(a)).We assume that each virtual link requires a full lightpath (i.e., wavelength channels), and each datacenter has enough processing capacity.

Survivable CN Mapping Approaches
We tested eight approaches: four minimizing resources (Min-Res) and four minimizing risk (Min-Risk). All approaches use a set of baseline survivability constraints (SC). The approaches, including our proposed ones, are summarized in Table 2.

Evaluation and Comparative Methodologies
Our examples are evaluated using risk and penalty, disaster and post-disaster survivability, and resource usage analysis.

Risk and penalty
The risk of CN disconnection is evaluated using the first part of Eq. (3). The penalty for capacity loss is the total capacity that can be lost due to a disaster.

Disaster and post-disaster survivability analysis
The second analysis evaluates the probability of CN disconnection (PoD). The PoD is calculated by an algorithm called the cloud-network resiliency test (CNRT), which tests the vulnerability of the CN to all possible combinations of disaster and post-disaster failures. CNRT takes the mapping of each CN and simulates disaster damage over the physical infrastructure based on the given disaster scenarios (Table 3). Then, the algorithm tests the connectivity of every VM and counts the number of failure scenarios caused by a disaster in which the CN is disconnected. With these counts, CNRT obtains one PoD for each CN and type of failure using Eq. (17).
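The CNRT procedure can be sketched as follows (our own implementation; per the description, Eq. (17) is taken here to be the ratio of disconnecting scenarios to all scenarios tested):

```python
def is_connected(vms, links):
    """BFS/DFS connectivity test over the surviving virtual links."""
    vms = list(vms)
    if not vms:
        return True
    seen, stack = {vms[0]}, [vms[0]]
    while stack:
        u = stack.pop()
        for a, b in links:
            for x, y in ((a, b), (b, a)):
                if x == u and y not in seen:
                    seen.add(y)
                    stack.append(y)
    return seen == set(vms)

def probability_of_disconnection(vms, vlinks, mapping, scenarios):
    """CNRT-style PoD estimate: for each disaster/post-disaster scenario
    (a set of failed physical links), drop every virtual link whose lightpath
    touches a failed physical link, then test whether all VMs stay connected.
    PoD = disconnecting scenarios / all scenarios."""
    disconnected = 0
    for failed in scenarios:
        surviving = [e for e in vlinks if not (mapping[e] & failed)]
        if not is_connected(vms, surviving):
            disconnected += 1
    return disconnected / len(scenarios)

# Hypothetical ring CN {1,2,3}; each virtual link rides a distinct physical link
vms = {1, 2, 3}
vlinks = [(1, 2), (2, 3), (1, 3)]
mapping = {(1, 2): {"AB"}, (2, 3): {"BC"}, (1, 3): {"AC"}}
scenarios = [{"AB"}, {"AB", "BC"}]  # one single-link, one dual-link failure
print(probability_of_disconnection(vms, vlinks, mapping, scenarios))  # 0.5
```

The first scenario leaves the ring connected; the second isolates VM 2, so one of the two scenarios disconnects the CN.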

Numerical Analysis
To study the risk and penalty, we use the mapping of the five CNs presented in Fig. 8(a).However, we select CN 1 for earthquake and CN 3 for WMD to study the disaster and post-disaster scenarios, as these two CNs are more affected by the disasters.

Risk and penalty analysis
Figure 9 compares the expected risk of CN disconnection of the different approaches. In Fig. 9 we observe that: (i) the RISKA approach reduces the risk of CN disconnection and penalty by 2.75% to 3.77%. These results show a low risk reduction without the VBL constraint, and the limitation of SVNM-based approaches in dealing with disaster and post-disaster failures.
(ii) By adding the VM backup location (VBL), the RISKA-1L approach reduces the risk of CN disconnection and penalty by up to 87% for earthquake and up to 88% for WMD. Also, the RESA-1L approach reduces risk by up to 85% for earthquake and up to 87% for WMD. This confirms that the VBL approach considerably reduces CN disconnection and the penalty for capacity loss. However, VBL works better with RISKA (risk and penalty reduction by 10% to 30%). (iii) The PDS constraint slightly increases the risk because the extended cuts force virtual links to be mapped on longer lightpaths. However, the PDS constraint increases survivability against post-disaster failures by 60% to 100% (Table 4).
(iv) The combination of PDS and VBL with two VM backup locations per CN obtains a further reduction in risk and penalty. However, the risk and penalty reduction tends to be lower in the earthquake case and higher in the WMD case for one VM backup location per CN.

Disaster and post-disaster survivability study
After the risk and penalty analysis, we study the probability of disconnection (PoD) due to a disaster failure and the three kinds of post-disaster failures presented in Table 3.
Table 4 presents the PoD of CN 1 and CN 3. We observe that: (i) DF: CNs with VBL completely survive any failure, as any VM can be relocated from one datacenter to another, i.e., PoD = 0. In addition, the RISKA approach increases survivability by 50% in the WMD case compared to the RESA approach.
(ii) DSLF: The RISKA approach reduces PoD by 0% to 22% compared to the RESA approach, and RISKA-1L (i.e., with VBL) increases survivability by 37% to 100% compared to RESA-based approaches. The PDS constraint increases survivability to 100% independent of the number of VM backup locations and the objective function (RISKA or RESA).
(iii) DDLF: RISKA achieves a PoD reduction of 2.3% in the WMD case and 16% in the earthquake case compared to RESA. However, when VBL is used, the reduction of PoD is higher (between 24% and 64%). The PDS constraint has a positive impact, because the reduction is higher for RISKA-PDS compared to the other approaches without PDS constraints.
(iv) DFDF: VBL reduces the PoD remarkably, by 78% to 100%. Including the PDS constraint with RISKA-based approaches does not enhance performance significantly; however, RESA-based approaches with PDS achieve an important reduction of 33% in PoD.

Resource consumption analysis
In this analysis, we study the resources used to provide the reductions in risk, penalty for capacity loss, and PoD. From the previous analysis and the results of Fig. 10, we observe that: (i) RISKA-based approaches require 7.8% to 16% additional resources to reduce the risk, penalty, and PoD. RISKA with VBL constraints increases resource usage by 16% to 37% for one VM backup location (RISKA-1L) to provide a risk and penalty reduction of 85% to 87% and a PoD reduction of 24% to 100% (i.e., increasing survivability by 24% to 100%). These results confirm that SVNM cannot deal with disasters and their consequences.
(ii) The PDS constraint with RISKA and VM backup location (RISKA-PDS) increases resource usage by 25% to 50% for CN 1 (earthquake) and by 23% to 38% for CN 3 (WMD). However, the risk and penalty are reduced by up to 88%, and survivability increases up to 100% in cases of disaster and post-disaster failures.
(iii) Two VM backup locations require more resources, but increase survivability in more severe disaster scenarios that may disconnect two VMs.

Conclusion
We studied the disaster and post-disaster survivable cloud-network (CN) mapping problem. We proposed a CN mapping approach, Min-Risk-D-PDS, using (i) VM backup location for each CN (VBL) and (ii) a post-disaster survivability constraint (PDS), which together offer an economically sustainable disaster and post-disaster survivable CN mapping approach.
We formulated Min-Risk-D-PDS as an integer linear program and compared it with seven approaches characterized by different combinations of the VBL and PDS constraints with risk or resource minimization as the objective function.
Results on a case study formed by five CNs mapped over a US network and two disaster cases (earthquake and WMD) showed that Min-Risk-D-PDS (RISKA-PDS) reduces the risk of CN disconnection and the penalty for capacity loss by 85% to 90%. As a consequence, our approach increases CN survivability by 60% to 100% against three kinds of post-disaster failures, at the cost of 23% to 50% additional resource usage. Hence, our illustrative examples confirm the importance of VM backup location and post-disaster survivability constraints for CN survivability against any disaster and post-disaster correlated, cascading failures that may occur in the network.

Fig. 1
Fig. 1 Cloud networks and cloud services.

Fig. 2
Fig. 2 Two CNs are considered: CN 1 = {3, 4, 6, 7} and CN 2 = {1, 2, 5}, mapped over an optical network with physical nodes (i.e., optical cross-connects (OXCs) connected to routers) {A, B, C, D, E, F, G, H}, where some physical nodes {A, B, C, F, G, H} connect datacenters. Each virtual link is mapped using a lightpath. Figure 2(a) shows a non-survivable mapping where, if any of the physical links shown in circles fails (C-D, B-D, or A-B), one or both CNs will be disconnected. Figure 2(b) shows an example of SCNM where no single physical-link failure will disconnect a CN.
VBL has the flexibility to choose more than one physical node to relocate VMs based on demand (Fig. 4(b)).

Fig. 4
Fig. 4 Virtual backup node for VM backup location: (a) one VM backup location per CN, (b) two VM backup locations per CN.

Fig. 5
Fig. 5 Basic cuts, post-disaster cuts, and one VM backup location per CN. (a) CN with basic cuts, (b) CN with one VM backup location, and (c-f) extended cuts for any replacement.

Fig. 6
Fig. 6 Post-disaster cuts for two VM backup locations per CN. (a) CN with two VM backup locations, and (b-g) extended cuts for the replacement of the two failed VMs.

Fig. 7
Fig. 7 Resulting mapping by Min-Risk-D-PDS with (a) one and (b) two VM backup locations.

Variables and Symbols

Given:
- G(V, E): physical topology, where V is the set of physical nodes and E the set of physical links.
- V′: set of VM datacenter locations, V′ ⊂ V.
- G^γ(V^γ, E^γ): topology of CN γ, where V^γ is the set of working VM locations (virtual nodes, V^γ ⊂ V′) and E^γ is the set of virtual links of the CN.
- C^γ: set of basic cuts of the topology of CN γ.
- Ê^γ: set of virtual links including the links in E^γ and virtual links from each node in V^γ to each node in V′ − V^γ.
- Ĉ^γ: set of extended cuts of the topology of CN γ, formed by a possible relocation of a working VM of V^γ to a physical node b with free processing capacity in V′ − V^γ.
- Γ = {γ = <V^γ, E^γ, C^γ, Ê^γ, Ĉ^γ>}: set of cloud networks (CNs).
- s^n_{i,j}: 1 if physical link (i, j) is disconnected by disaster n, 0 otherwise.
- S^n = {s^n_{i,j}}, S^n ⊂ E: set of physical links failed by disaster n.
- p_n: probability of occurrence of disaster n.
- N = {<S^n, p_n>}: set of disaster zones (DZs).
- P^γ_u: processing capacity required to allocate VM u used by CN γ (u ∈ V^γ).
- P^free_v: excess processing capacity in physical node v.
- F_{i,j}: capacity of physical link (i, j).
- d: CN disconnection coefficient (1 ≤ d ≤ 10).
- b_e: bandwidth requirement of virtual link e.
- b_c: total capacity that can be lost if the links of cut c are disconnected (i.e., the CN is disconnected).
- m_c: number of virtual links in cut c.

Binary variables:
- D^n_e: 1 if virtual link e is disconnected by disaster n.
- M^e_{i,j}: 1 if virtual link e is mapped on physical link (i, j).
- K^{γ,e}_{u,v}: 1 if virtual link e connects node u to node v in CN γ.
- Y^γ_b: 1 if b is assigned as a virtual backup node of CN γ.
- Q^n_c: 1 if all virtual links of cut c are disconnected by disaster n.
- X^n_γ: 1 if CN γ may be disconnected by disaster n.
- T^n_{g,h}: auxiliary variable.
- Z^γ_{u,b}: 1 if VM u can be relocated to datacenter b, b ∈ V′.

Mapping of VM backup location constraint

This constraint bounds the number of VM backup locations per CN. It has two sets of equations: VM backup location selection and a bound on the number of VM backup locations per CN. Equation (13) chooses the least-risky VM backup location b for each CN γ. Equation (13a) ensures that the VM backup location b is not chosen from the working VMs V^γ of CN γ.

Fig. 8
Fig. 8 (a) CNs studied and (b) physical topology with disaster zones for earthquake and potential WMD attacks [17], and datacenter locations.

Table 2

Fig. 10
Fig. 10 Resources used (in Mbps) by the mapping of (a) CN 1 in earthquake case (b) CN 3 in WMD case.

Table 3
Simulated failures

Table 4
Probability of Disconnection (PoD)