FaaS: Federation-as-a-Service

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This document is the main high-level architecture specification of the SUNFISH cloud federation solution. Its main objective is to introduce the concept of Federation-as-a-Service (FaaS) and the SUNFISH platform. FaaS is the new and innovative cloud federation service proposed by the SUNFISH project. The document defines the functionalities of FaaS, its governance and precise objectives. With respect to these objectives, the document proposes the high-level architecture of the SUNFISH platform: the software architecture that permits realising a FaaS federation. More specifically, the document describes all the components forming the platform, the offered functionalities and their high-level interactions underlying the main FaaS functionalities. The document concludes by outlining the main implementation strategies towards the actual implementation of the proposed cloud federation solution.


💡 Research Summary

The paper presents “Federation‑as‑a‑Service” (FaaS), a novel service‑oriented model for cloud federation developed within the SUNFISH project, and details the high‑level architecture that enables its realization. Traditional cloud federation approaches suffer from intricate setup procedures, heterogeneous interfaces, conflicting policies, and weak security guarantees. FaaS addresses these shortcomings by treating federation as a continuously offered service rather than a one‑off project, thereby abstracting complexity and providing automated governance, policy enforcement, and resource sharing.

SUNFISH’s architecture is organized into four logical layers. The Infrastructure Layer abstracts physical, virtual, storage, and network resources and exposes them through standard cloud APIs (OpenStack, AWS, Azure) and container orchestration (Kubernetes). The Service Layer offers a catalog of micro‑services such as resource registries, data transformation adapters, and service discovery mechanisms; each service can be dynamically enabled or disabled based on declarative policies. The Orchestration Layer centers on the Federation Orchestrator, which coordinates workflow execution, policy evaluation, SLA management, and monitoring/logging. Workflows automate federation lifecycle actions (join, leave, resource allocation, deployment), while a policy engine interprets policies written in a domain‑specific language (DSL) and enforces them at runtime. SLA management monitors service‑level commitments across the federation, and monitoring components provide real‑time visibility of the federation’s health.

The Governance Layer provides the mechanisms for identity federation, confidential computing, zero‑trust access control, dynamic token exchange, audit logging, and compliance. Policies governing security, data sharing, cost allocation, and other aspects are authored in the same DSL and automatically applied by the policy engine, ensuring consistent enforcement across all participants.

Inter‑component interactions are described through high‑level sequence diagrams. For instance, when a new cloud provider wishes to join the federation, the orchestrator first validates its identity, then the policy engine checks whether the provider’s resources satisfy federation policies. Upon successful validation, the resources are registered in the catalog and become discoverable by other members.
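The join sequence described above, sketched as an added example that is not code from the paper or the SUNFISH project: identity is checked first, then policy, and registration happens only if every offered resource passes. The HMAC enrollment key used for identity validation, the dict-based rules standing in for the policy DSL, and all function and variable names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: enrollment keys the federation issued out of band.
ENROLLMENT_KEYS = {"provider-a": b"constructed-demo-key-a"}

# Stand-in for the policy DSL (the page does not show its syntax): each rule
# names a resource attribute and the set of values the federation accepts.
POLICIES = [
    {"attr": "region", "allowed": {"eu-west", "eu-central"}},
    {"attr": "encryption_at_rest", "allowed": {True}},
]

CATALOG = {}  # catalog key -> resource record, discoverable by other members


def sign_request(provider_id, resources, key):
    """Provider side: MAC over a canonical encoding of the join request."""
    request = {"provider": provider_id, "resources": resources}
    body = json.dumps(request, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def policy_violations(resource):
    """Policy engine: a missing attribute counts as a violation (deny by default)."""
    return [p["attr"] for p in POLICIES if resource.get(p["attr"]) not in p["allowed"]]


def handle_join(provider_id, resources, signature, catalog=CATALOG):
    """Orchestrator: identity first, then policy, then registration."""
    key = ENROLLMENT_KEYS.get(provider_id)
    if key is None:
        return {"joined": False, "reason": "unknown provider"}
    expected = sign_request(provider_id, resources, key)
    if not hmac.compare_digest(expected, signature):
        return {"joined": False, "reason": "identity check failed"}
    failures = {r["id"]: v for r in resources if (v := policy_violations(r))}
    if failures:
        # All-or-nothing: a partially compliant provider registers nothing.
        return {"joined": False, "reason": "policy", "violations": failures}
    ids = [f"{provider_id}/{r['id']}" for r in resources]
    catalog.update(zip(ids, resources))
    return {"joined": True, "registered": ids}
```

Because the MAC covers the resource list, a request altered after signing fails at the identity step and never reaches policy evaluation.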

Security is a cornerstone of the design. Identity federation is combined with end-to-end encryption (confidential computing) to protect data in transit and at rest. Zero-trust access control applies least privilege to every request, and dynamic token exchange automates mutual authentication between services.

To achieve interoperability, SUNFISH adopts an adapter pattern. Each cloud provider implements an adapter that maps its native API to a standardized interface, enabling seamless integration with existing federation frameworks such as EDG and OCCI. This approach also supports metadata‑driven service discovery, allowing participants to locate and consume services without manual configuration.

Implementation proceeds in staged milestones. The first stage delivers a prototype of the core orchestrator and policy engine, validated in a file‑based simulation environment. The second stage deploys these components in a real multi‑cloud testbed to evaluate performance, reliability, and security under realistic workloads. The final stage focuses on open‑source release, standardization activities, and joint pilots with industry partners to demonstrate commercial viability.

In summary, the paper defines FaaS as a service‑centric paradigm that abstracts federation complexity, provides automated and standardized governance, and ensures secure, interoperable multi‑cloud collaboration. By detailing the layered architecture, component responsibilities, interaction flows, and a concrete implementation roadmap, it offers a practical blueprint for organizations seeking to harness the benefits of federated cloud environments while mitigating the traditional challenges associated with ad‑hoc federation solutions.

