Network connectivity policies are crucial for assuring the security and availability of large-scale datacenter. Managing these policies is fraught with complexity and operator errors. The difficulties are exacerbated when deploying large scale offerings of public cloud services where multiple tenants are hosted within customized isolation boundaries. In these large-scale settings it is impractical to depend on human effort or trial and error to maintain the correctness and consistency of policies.
We describe an approach for automatically validating network connectivity policies and its implementation in a tool called SecGuru. SecGuru can check selected properties of policies, e.g., is some traffic permitted or denied, and it can compare two policies yielding a semantic diff to summarize drifts. We use bit-vector logic to encode policies and semantic diffs; and the theorem prover Z3 as the underlying solver. A key contribution is a new algorithm for compactly enumerating symbolic diffs. We finally describe the experience of using SecGuru in Azure, a public cloud provider. Azure uses SecGuru for continuously monitoring policy configurations and alerting on errors, and also as a regression test suite to check policies before deployment. As a result of using SecGuru, today Azure proactively detects and avoids policy misconfigurations that lead to security and availability issues.