Elastic Cloud Services: Scaling Snowflake’s Control
Plane
Themis Melissaris Kunal Nabar
Snowflake Inc. Snowflake Inc.
Samir Rehmtulla Arthur Shi
Snowflake Inc. Snowflake Inc.
Ioannis Papapanagiotou
Gemini Trust
ABSTRACT
Snowflake’s "Data Cloud", provided as Software-as-a-Service
(SaaS), enables data storage, processing, and analytic solu-
tions in a performant, easy to use, and flexible manner. Al-
though cloud service providers provide the foundational
infrastructure to run and scale a variety of workloads, oper-
ating Snowflake on cloud infrastructure presents interesting
challenges. Customers expect Snowflake to be available at all
times and to run their workloads with high performance. Be-
hind the scenes, the software that runs customer workloads
needs to be serviced and managed. Additionally, failures in
individual components such as Virtual Machines (VM) need
to be handled without disrupting running workloads. As
a result, lifecycle management of compute artifacts, their
scheduling and placement, software rollout (and rollback),
replication, failure detection, automatic scaling, and load
balancing become extremely important.
In this paper, we describe the design and operation of
Snowflake’s Elastic Cloud Services (ECS) layer that man-
ages cloud resources at global scale to meet the needs of
the Snowflake Data Cloud. It provides the control plane to
enable elasticity, availability, fault tolerance and efficient ex-
ecution of customer workloads. ECS runs on multiple cloud
service providers and provides capabilities such as cluster
management, safe code rollout and rollback, management
of pre-started pools of running VMs, horizontal and vertical
autoscaling, throttling of incoming requests, VM placement,
load-balancing across availability zones and cross-cloud and
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are not
made or distributed for profit or commercial advantage and that copies bear
this notice and the full citation on the first page. Copyrights for components
of this work owned by others than ACM must be honored. Abstracting with
credit is permitted. To copy otherwise, or republish, to post on servers or to
redistribute to lists, requires prior specific permission and/or a fee. Request
permissions from
[email protected]
.
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA
© 2022 Association for Computing Machinery.
ACM ISBN 978-1-4503-9414-7/22/11. . . $15.00
https://doi.org/10.1145/3542929.3563483
142
Rares Radut
Snowflake Inc.
Samartha Chandrashekar
Snowflake Inc.
cross-region replication. We showcase the effect of these ca-
pabilities through empirical results on systems that execute
millions of queries over petabytes of data on a daily basis.
ACM Reference Format:
Themis Melissaris, Kunal Nabar, Rares Radut, Samir Rehmtulla,
Arthur Shi, Samartha Chandrashekar, and Ioannis Papapanagiotou.
2022. Elastic Cloud Services: Scaling Snowflake’s Control Plane. In
SoCC ’22: ACM Symposium on Cloud Computing (SoCC ’22), Novem-
ber 7–11, 2022, San Francisco, CA, USA. ACM, New York, NY, USA,
16 pages. https://doi.org/10.1145/3542929.3563483
1 INTRODUCTION
Snowflake’s Data Cloud is a SaaS platform that supports mul-
tiple data workloads such as data warehousing, data lakes,
data science, data engineering, and others. This paper focuses
on Snowflake’s control plane, called Elastic Cloud Services
(ECS) that enables elasticity, availability, and performant
operation of customer workloads at scale. We present key
contributions of Snowflake’s ECS to individual functions of
control planes such as VM placement, cluster management,
safe software rollout & rollback, management of pools of run-
ning VMs, autoscaling, throttling, and load-balancing. To the
best of our knowledge, this is the only work that presents the
perspective of realizing and operating a production-ready
control plane.
Snowflake’s architecture consists of (1) Database Storage,
(2) Query Processing, and (3) Elastic Cloud Services (ECS) lay-
ers, summarized in Figure 1. The architecture of Snowflake
relies on decoupling compute from persistent storage to en-
sure that each can be scaled independently of the other [10].
Data ingested into Snowflake is organized into an optimized,
compressed, columnar format and stored in a Cloud’s Object
Storage (e.g. S3 on AWS). Snowflake organizes, structures,
and manages data and metadata, making them accessible
to users via SQL queries. The query processing layer serves
as the "data plane" made of "virtual warehouses". Massively
Parallel Processing (MPP) compute clusters composed of
multiple VMs provisioned by Snowflake handle the execu-
tion of customer jobs. These "virtual warehouses" come in
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA T. Melissaris, K. Nabar, R. Radut, S. Rehmtulla, A. Shi, S. Chandrashekar, and I. Papapanagiotou
T-shirt sizes (S, M, L, etc.) corresponding to the amount of
compute power in the warehouse and consist of VMs with
software stacks managed by Snowflake to run customers’
jobs. Each virtual warehouse is an independent compute
cluster that does not share compute resources with other
virtual warehouses.
ECS is the "control plane" that provides the abstractions
and connective tissue across cloud service providers to sched-
ule and place customer jobs on the data plane as well as
ensure elasticity and availability. ECS operates a fleet of
VMs that help manage Snowflake’s infrastructure and are
managed independently of the data plane VMs who are re-
sponsible for running customer workloads. The data plane
and the control plane interact with each other to avoid sys-
tem overload. ECS includes a collection of services responsi-
ble for managing and orchestrating Snowflake components.
It runs on compute VMs provisioned from cloud service
providers and provides functionalities such as Infrastructure
Management, Metadata Management, Query parsing and
ties together different components of the Snowflake Data
Cloud to manage and process user requests. ECS VMs are
organized in clusters, identified by the code version the VMs
run on, the type of service they provide and the customer
accounts that the clusters serve. The ECS layer also supports
multi-tenancy, the ability of an ECS cluster to provide a given
control plane service to multiple customer accounts.
Leveraging cloud service providers to provide Software-as-
a-Service at scale has many benefits but also poses a number
of interesting challenges [19]:
Control plane that runs on multiple cloud providers:
Snowflake operates in multiple regions of cloud service pro-
viders such as Amazon Web Services, Microsoft Azure, and
Google Cloud Platform. By providing a consistent customer
experience irrespective of region and underlying cloud provi-
der, Snowflake enables customers to avoid the risks associ-
ated with using a single cloud service provider. To achieve
this, behind the scenes Snowflake deploys ECS on Virtual
Machines (VMs) as the atomic unit of compute since they
provide the lowest common denominator of functionality
across cloud providers.
Automatic and safe software management: As soft-
ware complexity and size rise, it is becoming increasingly
challenging to ensure that a specific software release does
not have unforeseen effects in production environments. At
the same time, the system needs to ensure that software re-
leases can happen online continuously without downtime,
while also ensuring that the software release is transparent to
Snowflake customers. While we apply a wide range of testing
[4], continuous integration and delivery methodologies [18]
to minimize erroneous behaviors, it is impossible to test all
permutations of possibilities at scale. It is therefore critical to
manage code deployments automatically by rolling out and
143
rolling back changes safely, without downtime to customer
workloads. Having the ability to instantly rollback ensures
continuity of service for customers and the ability to swiftly
revert from production incidents. An additional desired prop-
erty is to automatically update or revert code versions on
different computing entities, such as VMs, independently, as
workloads might be heterogeneous.
Managing resource lifecycle: It is certain that not all
VMs under management will be healthy and functional at
scale. To ensure correct operation, the system control plane
manages the lifecycle of cloud services across a fleet of com-
puting nodes and monitors individual nodes’ health. The
system needs to make decisions for every VM state change,
for example, when it is necessary to terminate unhealthy
VMs, to move VMs in and out of a cluster and to scale the
number of nodes in a cluster horizontally or vertically de-
pending on the workload. This must be done in a graceful
way as Data Cloud workloads can last from seconds to days.
Ensuring high availability: Cloud service providers set
a high standard for availability, typically bounded by a Ser-
vice Level Agreement. To reduce the blast radius of failures
to availability, cloud service providers use Availability Zones
(AZs) which are logical data centers in each cloud region
[1]. For SaaS platforms, the use of multiple cloud service
providers in conjunction with multiple AZs across multiple
cloud regions can be used to increase service availability, as
AZs are in theory isolated and fail independently of each
other [14]. Balancing VMs across availability zones is in-
tended to limit customer impact in the presence of any zonal
outage, as requests can be transparently redirected to a VM
in another zone. All Snowflake production deployments exist
in a cloud region with multiple availability zones and the
control plane is able to maintain zone balance at both the
cluster level and the deployment level.
Enabling dynamic autoscaling and throttling: The re-
source demands of workloads can often fluctuate. To account
for workloads with spiky or unpredictable behavior while
maintaining responsiveness, it is desirable for a cloud ser-
vice to have elasticity and automatically scale by adjusting
resources allocated to each application based on its needs
[11, 22]. Dynamic autoscaling automatically sizes clusters
factoring several system properties such as CPU load, net-
work throughput, request rejection rate or memory usage.
To ensure smooth operation of VMs within pre-defined re-
source limits, throttling of resources (such as CPU, memory
or network) can also be enforced. Dynamic autoscaling and
throttling operate in tandem in the presence of traffic. If a
cluster is overloaded with traffic, throttling is temporarily ac-
tivated and more VMs are subsequently activated. Likewise,
if a cluster is underutilized, it is over-provisioned and the con-
trol plane will reduce the number of VMs in the cluster. At
Snowflake scale, providing customers with capacity instantly
Elastic Cloud Services: Scaling Snowflake’s Control Plane
Figure 1: Presentation of the Snowflake architecture.
The Elastic Cloud Services (ECS) layer is a collection
of services that coordinate activities across Snowflake.
ECS is responsible for cluster management, Availabil-
ity Zone (AZ) balancing, autoscaling and throttling.
The Query Processing layer represents Snowflake’s ex-
ecution engine and the Database Storage layer orches-
trates data management.
poses a challenge, as cluster load can have fluctuations of
many orders of magnitude.
Section 2 presents the mechanisms for managing auto-
matic and safe code rollout, rollback, and targeted code man-
agement that are used to release code to production weekly.
Section 3 demonstrates how ECS manages availability across
different cloud service providers while limiting skew be-
tween Availability Zones with global zone balancing and
Section 4 showcases how ECS makes Snowflake’s Data Cloud
elastic with autoscaling and throttling. Section 5 discusses
related work and Section 6 concludes the paper.
2 ELASTIC CLOUD SERVICES
ECS ensures Snowflake is resilient to failure and to service
customers seamlessly without interruptions in service. ECS
is responsible for VM and cluster lifecycle, health manage-
ment and self-healing automation, code management, query
planning, account/service placement and topology, traffic
control, and resource management, including autoscaling,
throttling. It performs functions such as: deciding where
each customer job runs, keeping running VMs up to date
with applicable configurations, receiving metering data, logs,
and metrics emitted by the data plane, deploying new soft-
ware to the data plane, scaling the data plane, as well as the
creation and management of the data plane.
The VMs used in ECS can be run on cloud service providers
such as Amazon Web Services, Microsoft Azure, or Google
Cloud. Hence, ECS does not depend on specific cloud provider
interfaces but is portable across the underlying virtualized
Cloud infrastructure. ECS is stateless, ECS VMs will only
manage query planning and will only maintain pointers to
144
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA
external object storage. All ECS metadata (e.g. Job metadata)
are persisted to FoundationDB. ECS VMs do not persist or
maintain customer data during their execution lifetime. All
data processing happens on VMs in the data plane, which
are customer specific and no data is shared across control
plane VMs. Snowflake queries only run on one data plane
VM. While virtual warehouses in the data plane are sized
and scaled by the customer based on their needs, ECS is
scaled and managed by Snowflake in a manner that is not
exposed to the customer. Customers can choose whether
their accounts are routed to a multi-tenant or a dedicated
ECS cluster of VMs in the ECS layer, and there will often be
great disparities in incoming query volume throughout the
day. In multi-tenant clusters, ECS maintains good customer
experience by leveraging ECS’s autoscaling and throttling
mechanisms. In addition, as Snowflake deployments scale,
the number of active ECS VMs has increased: there are more
customer queries to run, more files to be cleaned up, more
metadata to be purged, etc. A Snowflake deployment is a
distinct Virtual Private Cloud (VPC) that contains the major
parts of Snowflake software, including a scalable ECS tier.
2.1 ECS cluster management
The majority of ECS administration activities are performed
by a service called ECS Cluster Manager. The ECS Clus-
ter Manager is responsible for code upgrade/downgrade of
Snowflake deployments; Creation, update, and cleanup of
ECS clusters; Enforcement of mapping manifests and con-
straints of accounts to clusters and accounts to version; In-
teraction with our Cloud Provisioning Service to generate
and terminate cloud VMs across all Cloud providers, manage
every VM in their lifecycle, and perform corrective actions
in case of unhealthy VMs. Figure 2 shows how we create an
ECS-managed cluster. Arrows indicate assignment of cus-
tomer accounts and code versions to a cluster. The arrow of
the reverse proxy (Nginx) indicates how queries are routed
to VMs. The first step is to create an ECS cluster and reg-
ister a package with the latest Snowflake release. Then we
declaratively allocate a customer to the cluster and allow
the Cluster Manager to converge the actual system to the
declared topology. Once the customer is ready to execute
a query workload, we scale out the number of VMs in the
cluster to accommodate the needs for the corresponding
workload and update the topology on our reverse proxy (cur-
rently we leverage Nginx). The reverse proxy is responsible
for distributing load to ECS’s healthy VMs. ECS continuously
updates the control plane’s topology so that new work is not
routed via the reverse proxy to unhealthy VMs.
Most of these administrative actions happen through priv-
ileged SQL queries. Since the ECS Cluster Manager is declar-
ative, human operators only need to declare the correct state
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA T. Melissaris, K. Nabar, R. Radut, S. Rehmtulla, A. Shi, S. Chandrashekar, and I. Papapanagiotou
Figure 2: Creation and Registration of an ECS Cluster.
Figure 3: Cloud Services Cluster rollout.
of the world without understanding the system’s internals to
prescribe iterative steps to accomplish the goal. For example,
operators do not have to know how to obtain more VMs, do
not have to clean up excess VMs, and do not have to track
VM health, etc. The ECS Cluster Manager fully automates
these responsibilities.
2.2 Automatic code management
Snowflake code rollout ensures fast delivery of new features
and improved Snowflake service to customers. There is a
single rollout for all Snowflake services. To achieve this,
Snowflake’s release process includes multiple layers of test-
ing, including unit testing, regression testing, integration
testing, performance and load testing on pre-production and
production-like environments and includes a gradual release
145
Figure 4: Cloud Services Cluster Rollback.
process to ensure that there is no impact on customers’ ser-
vice. ECS’s role in the release process is to ensure that code
rollout and rollback is fast and reliable to avoid impacting
customers.
2.2.1 Automatic and safe code rollout. We roll out a new
code version at Snowflake on a weekly cadence. We have
fully automated the process to minimize human error. ECS’s
Java code upgrades are orchestrated safely, e.g., if a customer
is running a query on an ECS VM, that VM cannot be shut
down until all its queries finish execution, as the customer
would otherwise see a query interruption. We manage online
upgrades with a rollout process. First, new ECS VMs are
provisioned with the new software version installed, and
some initialization work such as cache warming is done.
We then update the Nginx topology to route new queries
to the new VMs. Since customer queries can run for hours,
we keep the older VMs in the cluster running the previous
version until the workload terminates. Once older VMs in
the cluster have completed their work, they are removed,
and the upgrade is complete. Figure 3 presents the cluster
rollout process.
A separate rollout process takes place for the data plane
VMs. Once a binary containing a new code version is reg-
istered by the ECS Cluster Manager, the control plane will
enqueue binary download jobs onto each data plane VM in
batches. A query can be executed on the new code after the
new version is downloaded.
2.2.2 Automatic and safe code rollback. Rolling out a
new code version is inherently risky. While we hold a high
bar for testing, there are cases where bugs are only seen in
production. When this occurs, we have two ways to rollback:
(a) The fast rollback is in case of major issues related to the
release. We have a grace period during releases in which
both the old and new software versions run, with the old
set kept idle and out of topology. This allows us to perform
instantaneous rollback by updating the Nginx topology to
map requests to the old, stable software version. Figure 4
Elastic Cloud Services: Scaling Snowflake’s Control Plane SoCC ’22, November 7–11, 2022, San Francisco, CA, USA

showcases the fast rollback path. (b) We can also perform

a targeted rollback. Not all bugs hit customers equally, as
many customers have unique workloads. For example, a bug
may be released that affects only a handful of customers
due to their particular workload, but the other thousands
of accounts may be able to go forward with the new code
release. It is unnecessary to do full rollbacks for all customers
because of a single customer-facing issue, but we also do
not want to provide any customer with a subpar experience.
Thus, we support rollback on a per-account basis by explicitly
mapping only affected accounts to the old software version.

2.2.3 ECS VM Lifecycle and Cluster Pools. At scale, sev-

eral VMs can become unhealthy and need to be replaced to
maintain high service availability. Snowflake ECS incorpo-
rates mechanisms to monitor VM health on a per-cluster Figure 5: ECS Cluster State Machine.
level, with VMs self reporting indicators of their health.
Healthy VMs are part of the Active Pool, but can also belong
These self reporting indicators enable ECS to determine if
to the Free Pool so that they can be quickly swapped into
individual control plane VMs exceed load related metrics
clusters if any active VMs enter quarantine. The last state of
and consequently need to be lifecycled. ECS also has mech-
our state machine is the Graveyard, which includes VMs that
anisms to isolate VMs that showcase abnormal behavior,
have lived through the VM lifecycle and are released back
e.g. memory management, CPU, concurrency characteristics,
to the Cloud provider. We allow any non-Graveyard VM to
JVM failures, hardware failures and others, to enable fur-
enter the Holding Pool to provide flexibility to the operator
ther research and root cause analysis. Unhealthy VMs allow
when needing to debug something that was not in a working
queries to run to completion and then restart. More broadly,
cluster. VMs move from Free Pool to Quarantine when they
each VM has a lifecycle beginning with its provisioning and
have been marked terminal. This usually happens when they
ending with its release back to the cloud provider. ECS auto-
fail to provision or start within a parameterized time limit
matically quiesces, quarantines, and replaces unhealthy VMs
or when ECS decides that the free pool is over-provisioned.
to maintain a high level of availability. However, it is difficult
Figure 6 presents the process of ECS VM recycling. In the
to know exactly what caused a VM to enter a bad health
case of a software upgrade, ECS routes customer queries to
status and often requires an analysis of logs to diagnose.
VMs with the newer code version and moves the older ver-
Therefore, we have a holding mechanism to retain unhealthy
sion VMs to the Quarantine pool until the VMs complete any
VMs for diagnostics purposes. To recycle VMs after software
pending tasks. Old ECS VMs are then moved to the Grave-
upgrades, replace unhealthy VMs with healthy ones, and
yard state to be released to the cloud provider. To account
retain VMs encountering unusual health issues, we main-
for updates in VM health and transitions in cluster state, the
tain a few "VM pools". The movement between the pools is
ECS logic runs in set intervals.
automated based on a state machine presented in Figure 5.
We have observed that not all VMs will be healthy and
All VMs are provisioned by an abstraction layer across all
functional at scale. Some VMs can enter a bad state (JVM
supported cloud service providers (AWS, GCP, Azure, etc.)
Garbage Collection death spiral, full disk, broken disk, cor-
in our state machine. The provisioning layer abstracts away
rupt file system, too many file descriptors, etc.) and at which
specific CSP functionality, allowing the control plane to sub-
point they become dysfunctional and need to be rotated out.
mit requests to expand the VM fleet or decommission excess
These unhealthy VMs may still be running customer queries,
VMs. VMs are initially provisioned into a resource pool that
some of which may take hours to complete. Unhealthy VMs
retains VMs started, initialized and ready to be used, collec-
appear sporadically as there is an ever-expanding number
tively referred to as the Free Pool. The Free Pool capacity is
of Snowflake deployments, some of which are capable of
dynamic and depends on the rate with which VMs become
running thousands of ECS VMs. Furthermore, since not all
unhealthy and on cluster defined policy. Since the fulfillment
unhealthy states indicate VM issues, it is easier to restart the
of VMs directly to working clusters to satisfy the required
ECS server process than to procure a new VM from a cloud
capacity is challenging, the Free Pool allows clusters to uti-
provider. Figure 7 presents the ECS’s process of isolating
lize available VMs instantly. The Quarantine Pool represents
an unhealthy VM. When a VM is identified by ECS or self
all ECS VMs that need to be removed from their clusters to
reports itself as unhealthy, it begins quiescing and a Free
self-resolve any pending tasks assigned to them and restart.

146
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA T. Melissaris, K. Nabar, R. Radut, S. Rehmtulla, A. Shi, S. Chandrashekar, and I. Papapanagiotou
Figure 6: ECS Cluster VM recycling.
Figure 7: ECS Cluster Instance Isolation.
Pool instance will move into the active cluster. ECS will then
move the VM into Quarantine.
3 BALANCING ACROSS AVAILABILITY
ZONES
Customers expect Snowflake to be always available. This
means designing ECS, which coordinates services and sched-
ules warehouses to run queries, to be resilient to failures.
One rare case is when a cloud service provider’s datacenter
suffers an unexpected outage.
All of the cloud service providers that Snowflake runs
on provide the notion of Availability Zones (AZs), which
are isolated datacenters in a single region where we can
provision resources. By keeping ECS VMs balanced across
these AZs, we ensure minimal customer impact in the event
of zonal failures, as requests are transparently redirected to
a VM in another zone, as presented in Figure 8. In the case
147
Figure 8: Availability zone outage and failover. Zone B
has an outage. Requests get transparently redirected
to zone C.
of balancing of ECS VMs across AZs there is no need for
data rebalancing as all the data is located and is accessible in
object storage.
Figure 9 presents scenarios of regional (clusters) and global
(deployments) load distribution across different AZs. On the
left the first scenario presents clusters in Zones A and B that
are balanced. However, globally across the deployment there
is imbalance, as Zone C has no VMs. The middle scenario
illustrates a balanced deployment where individual clusters
are not balanced (i.e., the green cluster only has VMs in Zone
A). The scenario on the right strikes a balance between global
and cluster balancing by calculating the difference between
the number of VMs in the most loaded zone and the least
loaded zone, which we will call AZ skew.
Minimizing AZ skew is more than striping VMs across
availability zones during provisioning. Within a single re-
gional deployment, ECS implements a multi-cluster architec-
ture where each cluster serves different groups of customers.
Each cluster can scale independently to respond to the cur-
rent load. To minimize the impact of an AZ outage on each
cluster and the deployment, we must zone balance at both
the cluster level and the deployment (global) level. A naive so-
lution entails assigning 𝑛 VMs from each AZ to each cluster.
However, this falls apart as the number of VMs in a cluster is
not always divisible by the number of AZs, and the number
of VMs in a cluster is small (typically less than eight) and
the number of clusters in a deployment is on the order of
hundreds.
Not only are these competing goals at times, but the free
pool used to draw VMs to scale clusters, may not have VMs
of that type in the zone we want. Since cloud provisioning
and preparing a new VM can take the order of minutes, ECS
maintains a free pool to trade VMs to and from clusters,
Elastic Cloud Services: Scaling Snowflake’s Control Plane SoCC ’22, November 7–11, 2022, San Francisco, CA, USA

allowing us to scale each cluster up or down within seconds.

An active VM may fail, and we may not have a free VM in
that zone to replace it, or suddenly we may need to scale up
a cluster to handle the increased load, and we only have free
VMs in zones that are heavily loaded by that cluster. Even
if we start well-balanced, the cluster and deployment can
become more imbalanced over time.
Furthermore, while we can rebalance a cluster by adding
a VM in one zone and removing it from another, this incurs
a cost overhead since the VM being removed needs to finish
executing queries. Therefore, we would also like to keep the (a) Zone C is the least loaded (b) Zone B is the most loaded
number of rebalancing actions to an acceptable level. At this for the green cluster and glob- for the yellow cluster and
ally. globally.
stage, our objective is to minimize AZ skew for each cluster
and the entire deployment, constrained by an acceptable Figure 10: Autoscaling in a zone-balanced manner.
number of rebalancing changes. We also want to prioritize
minimizing cluster skew over minimizing global skew to
avoid outage for any single cluster.

Figure 9: The scenario on the left shows balanced clus-

ters, but we have a global imbalance since we have
no VMs in zone C. The middle scenario illustrates a
balanced deployment, but individual clusters are not
balanced (i.e., the green cluster only has VMs in Zone
A). The scenario on the right strikes a balance between
global and cluster balancing.
Figure 11: If the free pool is depleted, we cannot main-
tain zone balancing (left). There are also cases where
cluster level zone balancing can worsen global zone
balance (right).

As shown in Figure 10, we modified our cluster manager

to scale clusters in a zone-balanced manner. When we scale a
cluster out, we pick the least loaded zone globally out of the
set of least loaded zones for that cluster. Likewise, when we
scale a cluster in, we pick the most loaded zone globally out of
the set of most loaded zones for that cluster. However, there
may be situations in which we are unable to maintain either
global zone balancing or even cluster-level zone balancing,
as demonstrated in Figure 11. Thus, an additional active zone
rebalancing task runs in the background, which examines Figure 12: Moving a VM from overloaded zone A to
the current state of the deployment and executes a series underloaded zone C.
of moves to balance it. It prioritizes moves in the following
divided by the number of available zones. Then, any move
order:
from a zone with more VMs than that level to a zone with
(1) Moves that improve both cluster level and global zone fewer VMs than that level cannot worsen cluster level balanc-
balancing ing as is shown in Figure 12. After that, we evaluate which
(2) Moves that improve cluster-level balancing criteria each move improves our deployment and select the
(3) Moves that improve global zone balancing best one. Moves are executed with minimal customer impact,
To generate the moves, we compute the balanced thresh- as the old VM is allowed to finish currently running jobs
old for a cluster, which is the number of VMs in that cluster while the new one accepts incoming queries. Additionally,

148
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA T. Melissaris, K. Nabar, R. Radut, S. Rehmtulla, A. Shi, S. Chandrashekar, and I. Papapanagiotou

the cluster manager knows the number of VMs needed to

reach a target skew and provisions free VMs of the correct
category and zone.
After enabling this change on some small deployments,
we noticed that it was difficult to maintain full global zone
balance (skew ≤ 1) without making too many moves within
a certain period. For example, a cluster could scale up into a
specific zone to maintain cluster level zone balancing, but if
that zone was already heavily loaded globally, we might need
to rebalance another cluster to maintain global zone balanc-
ing. In addition, as mentioned above, churning through too
many VMs incurs overhead for us as VMs need to finish exe-
cuting running jobs. As a result, we added a global AZ skew
leniency threshold below which the zone balancer will only
consider cluster-level rebalancing moves. This parameter
allows us to trade skew leniency for VM churn rate. Figure 14: Enabling global zone balancing on a large
Our expectation for cluster zone balancing was that in Snowflake deployment; the global AZ skew decreases
steady-state, the AZ skew should be at most 1. If AZ skew is from over 45 down to less than 5.
greater than or equal to 2, one can move a VM from the most
loaded zone to the least loaded zone and decrease AZ skew.
Figure 13 illustrates that in a large Snowflake deployment,
most clusters stay balanced with an AZ skew of 0 or 1, and the
few that become unbalanced are rebalanced within the hour.
Figure 14 illustrates the trend when global zone balancing is
enabled on a highly AZ skewed deployment. The AZ skew
began above 45, but with the global zone balancing logic, we
see the AZ skew shrink rapidly down and remain at a value
less than 5.
Figure 15: ECS enables cross-cloud and cross-region
replication by setting up accounts and replicating pri-
mary databases to that account from Region A to Re-
gion B. Upon detection of an outage in Region A, recov-
ery is achieved via failover to the secondary databases
in Region B.
Figure 15 presents the mechanisms for enabling Snowflake’s
cross-cloud and cross-region replication. Data is replicated
Figure 13: AZ skew across a large Snowflake deploy- via egress networking across object storage across cloud
ment with many clusters remains less than or equal to providers (or regions of the same cloud provider) and kept in
one. When clusters end up with higher AZ skew, they sync on an ongoing basis. To enable cross cloud replication,
are quickly rebalanced. every deployment participating in the replication mesh has
a set of messaging queues, each of which maps to one repli-
cation peer deployment. New data from one deployment is
transmitted to the deployment’s replication peers via each
3.1 Cross-cloud and cross-region one of the deployment’s dedicated queues. The replication
replication peers then process the new data delivered by the deployment.
Snowflake also enables the replication of databases across The replication mesh is using specific CSP abstractions to
different regions of the same cloud provider as well as across achieve data replication for each cloud provider. For exam-
different cloud providers (AWS, Google Cloud Platform, or ple, in AWS deployments the replication mesh operates over
Microsoft Azure). When a Snowflake account in one region Replication S3 buckets distributed across Snowflake accounts.
is unavailable, another can be promoted to be primary to When a cloud region is unavailable, queries are routed to
continue business operations. This can happen across cloud a new warehouse that is spun up at one of the replicated
providers or regions. regions (on any cloud provider).

149
Elastic Cloud Services: Scaling Snowflake’s Control Plane
4 THROTTLING & AUTOSCALING
The traffic routed to each cluster varies widely by time of
day, sometimes in unpredictable ways without clear patterns.
Autoscaling and throttling are enabled by default for all cus-
tomers and concern Snowflake’s control plane. Providing a
consistent service experience and ensuring platform avail-
ability necessitates an elastic service layer. To create elas-
ticity, we implement Dynamic Throttling and Autoscaling
based on the following tenets:
Responsiveness: Queries should be processed smoothly
and immediately upon receipt. The period that queries block
before beginning or run slowly due to a shortage of resources
should be nearly non-existent in the aggregate. Snowflake’s
availability SLAs depend on the ability of our cloud services
layer to to add resources to clusters quickly enough to keep
the retry-on-throttle duration short for rejected requests.
This gives the appearance of instant capacity to customers.
Cost-efficiency: Deliver a reliable and performant service
using as few physical resources (VMs) as possible.
Cluster volatility: We aim to minimize the frequency
of configuration changes to clusters (oscillation). There is
a system-operation burden to provisioning/de-provisioning
compute resources in a cloud environment due to unpro-
ductive setup and teardown time, warming cold caches and
losing cached data, etc. For example, an algorithm that does
a scale-in (reduce VM count) and then immediately performs
a scale-out is highly undesirable - provisioning the new VM
for the scale-out, updating routing tables, warming caches,
and other tasks tend to bear a higher system burden than is
saved in terms of cost by removing a VM for only a short
duration
Throughput: The total number of successful queries that
client(s) can submit to the cluster. The system should scale
to meet demand.
Latency: The average duration for a query to complete.
This should be as low as possible. Given a static cluster size,
there is an inverse relationship between latency and through-
put: generally, one query can finish quickly, but when sub-
mission throughput is sufficiently high requests will start
piling up. Beyond that point query latency increases due to
queueing. A good autoscaling algorithm should keep latency
low even as the request volume increases.
4.1 Dynamic Throttling
A naive approach to throttling defines static limits on the
number of concurrent requests at various levels, such as
per-host, per-account, and per-user to avoid overwhelming
individual host VMs. This approach is unreliable: not all
requests have similar resourcing demands; some workloads
with a low query cardinality can run within static limits
but still cause load issues, while some high concurrency
150
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA
workloads that would be throttled by static limits could be
composed of easy-to-compute requests that underutilize the
host’s hardware.
When a VM accepts more work than it can handle, CPU
and memory utilization become dangerously high and unde-
sirable knock-on effects begin to occur. For example, CPU
thrashing can limit request processing or cause commit fail-
ures for operational metadata that needs to be persisted. Ad-
ditionally, memory pressure can slowdown or halt program
execution.
Our solution is to implement resource-aware throttling,
which we call Dynamic Throttling. As opposed to setting
static concurrency limits in our system, we dynamically cal-
culate concurrency limits based on current host-level re-
source utilization every 30 seconds. When CPU load becomes
high in a VM (as measured by the Linux /proc/loadavg), the
host-local concurrency limits are immediately lowered and
adjusted until the CPU load returns to and remains at an
acceptable level. For example, if the load on a machine is
read at 2.0 and we have 200 queries, we adjust our future
incoming concurrency to be 100 queries which will in the
future get us closer to our desired 1.0 load.
Any further incoming requests will be rejected and re-
tried on other VMs with free resources. This is transparent
to customers and adds minimal latency, protecting our sys-
tems while preserving business continuity. If this VM-level
throttling results in rejections, a signal is transmitted to
the autoscaler and triggers a cluster scale-out. On the other
hand, if VM load is low, we recognize that we can take more
work on and increase limits to improve our cost-efficiency.
To ensure fairness, concurrency limits are computed at the
account- and user-level within each VM to avoid single users
or accounts in multitenant clusters from ever saturating con-
currency limits and temporarily denying service from other
customers.
To complement this VM-level throttling, we run a central-
ized autoscaler. When the aggregate resource load is high
across the active VMs in a cluster or if a quorum of the clus-
ter’s VMs is rejecting work, we will increase the number
of VMs in the cluster. Likewise, we reduce the cluster size
when no rejections are occurring and the cluster load is low
to reduce costs.
4.2 Autoscaling
The motivation for autoscaling from an availability and elas-
ticity perspective have already been described in previous
sections. Now we will examine the details of how Snowflake
implements cluster-level autoscaling.
The primary job of autoscaling is to accurately determine
the number of VMs that should comprise a cluster to serve its
workload efficiently. With the current autoscaling approach,
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA T. Melissaris, K. Nabar, R. Radut, S. Rehmtulla, A. Shi, S. Chandrashekar, and I. Papapanagiotou

Figure 16: As current CPU load average oscillates, ECS makes decisions to scale in or out based on current load. The
red line represents "cluster size stability". As the load stays within that window , we will not change the number
of VMs in the cluster. As the number of current ECS VMs increases, the cluster size stability decreases. ECS has
mechanisms to avoid cluster size oscillations.

Snowflake’s ECS considers signals around memory pressure
and CPU load to make decisions. ECS’s autoscaler provides
a clear delineation of what constitutes unhealthy behavior
and its policies give ECS flexibility in comparison to the
state of the art to integrate with mechanisms for VM health
and independently evolve each of the autoscaler and the
isolation/health management.
ECS leverages rejecting gateways that will return a 503
HTTP status code to the caller with an expectation to retry,
and the rejection will be ingested into the autoscaler as an
indicator to scale up. All customer queries and work must
go through one of these gateways to provide the autoscaler
with accurate information on how to scale the cluster.
The number of desired VMs is calculated by the number
of current VMs multiplied by the ratio of the current load
over the desired load. As the cluster size increases, we are
more likely to scale on minor deviations in the normalized
CPU load average (load per core), Figure 16 shows a graph of
the scaling decisions that our autoscaling mechanism would
make based on CPU load average. The red section is the
"cluster size stability" section. As the load stays within that
window, we will not change the number of VMs in the cluster,
a mechanism that introduces stability. As we add more VMs,
the window becomes tighter. For example, if the current load
does not fall between some set acceptable window (e.g. 0.9
and 1.0), we use the desired VM count to compute a new
size for the cluster. Finally, to scale out we only look at the
1-minute load average and check if it is high. To scale in,
we look at the load average using different time windows
(1-minute, 5-minute, 15-minute), all of which have to be low
in order to avoid oscillation in the cluster.
4.3 Throttling & Autoscaling Evaluation
Our success evaluation criteria used for throttling was to
maintain responsiveness while ensuring the stability of our
VMs. We used a combination of synthetic testing and analysis
of results on real production servers to test this. Figure 17
illustrates a synthetic workload running a representative
benchmark. In this test environment, we disabled autoscaling.
Only Dynamic Throttling was active, and we configured the
cluster to have two VMs. The generated workload exceeded
the CPU capacity of two VMs. Dynamic throttling reacted to
the excessive load and reduced the gateway limits to maintain
the healthy state of the available VMs. In Figure 17a, we
report the CPU load of the two VMs. We observe that the
load exceeded the available CPU capacity. This is correlated
with the query count in Figure 17c. Figure 17b shows the
throttle coefficient of the throttled VM being lowered to
enforce a new gateway size, effectively applying a small
multiplier to our gateways. Finally, fewer queries are let

151
Elastic Cloud Services: Scaling Snowflake’s Control Plane
through after the throttler determines the new gateway limit.
In Figure 17c, the query throughput drops to a sustainable
amount, which also causes a drop in the associated load
the VMs face. Furthermore, after the initial estimation, the
coefficient in Figure 17b adjusts incrementally. It initially
drops lower to temper the workload further and helps keep
CPU load at approximately 1.0, our target. Figure 17d displays
our coefficient used for the account and user-specific limits.
To maintain fairness, we apply the limit evenly, causing all
accounts to reduce evenly, and therefore the account with the
highest job count will be the first to be limited. The limitation
of dynamic throttling is transient, and upon rejecting these
queries, we signal to the autoscaling framework to add VMs
to overload clusters. Our intent is to temper transient load
spikes and prevent them from causing downstream issues in
our system until we can accommodate their workload.
Now that we have the base algorithm, we enter the opti-
mization stage. There are a number of parameters we can
tweak to attempt to optimize for the features we desire. These
features that we seek effectively form the pillars of our throt-
tling technique. The three pillars of throttling are:
• Lower the load as soon as possible, but not overshoot;
• Minimize oscillation;
• Reduce throttle as soon as possible.
We reject queries as cheaply as possible and retry once more
VMs are available. We are effectively deferring load to a later
point in time by which the autoscaling will have increased
our computing capacity. Because we throttle to keep our
CPU load at a healthy level, the throttler must surface met-
rics about its rejection behavior as a signal to the autoscaler —
the CPU load signal ideally will not kick in if we throttle effec-
tively. These rejections are persisted in FoundationDB [51],
our operational metadata database, and aggregated globally
by our Autoscaling framework to make decisions. Once ca-
pacity has been added, we incrementally revert the throttling
coefficients to bring clusters back to a steady-state where
they are neither throttling nor overloaded, satisfying our
three throttling design pillars.
4.3.1 Example 1 — Snowflake internal analysis cluster: We
scaled in the cluster when enabling the features on our in-
ternal data analysis account. Figure 18 shows the cluster VM
count in the bottom chart. We reduced the cluster to two
VMs as the scaling framework recognizes we did not require
the compute resources of all four VMs. On Figure 19, two of
the lines, each representing a VM, drop to serving 0 queries
per second as they are removed from topology. The queries
per second and concurrent requests of the remaining two
VMs increase as we now have to maintain the same overall
cluster throughout with two VMs. The throttling coefficients
are expanded automatically with dynamic throttling, provid-
ing additional space for queries we can safely handle. This
152
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA
removed manual work to scale VMs or limits. In addition,
it unlocked higher throughput on each VM. As a result, the
system recognizes when clusters are overprovisioned and
can reduce the number of VMs to optimize resource usage.
4.3.2 Example 2: Customer Query Concurrency increased.
Figure 20 shows a customer’s workload, the top chart shows
our account coefficient, which in this case will be greater
than 1 when we expand the respective customer’s gateways.
After the rollout around 3 pm, the rejection rate in the bottom
chart was reduced and concurrent requests increased which
can be seen in the center chart.
4.3.3 Example 3: Noisy Neighbor. We use autoscaling and
dynamic throttling to work around "noisy neighbor" issues.
Figure 21 is an example of a cluster we scaled up dramati-
cally to handle the increased workload. Prior to the noisy
neighbor, our traffic was low enough for the autoscaling
system to decide to reduce VM counts to two or three. The
successful queries per cluster showcase the effective through-
put after the autoscaling system increased the number of
VMs. Effectively, we were able to immediately quadruple the
throughput of the cluster.
4.3.4 Example 4: Deployment load. Dynamic Throttling also
reduced cases of high CPU load that VMs encounter. As
shown in Figure 22 after the release of Dynamic Throttling,
the 5-minute CPU load average charts lowered noticeably.
In particular almost no VM had a 5-minute CPU load higher
than our target threshold of 1.
4.4 Throttling and Autoscaling for Memory
Due to the heterogeneous nature of workloads, it is possible
for operations such as complex query compilations to require
significantly more memory than CPU - the worst of these
extremes would be a single query requiring more memory
than the VM even has. In this case, simply adding more
VMs to the cluster where none of the new VMs have more
physical memory will not accommodate the workload. The
most intuitive solution is to move the workload to a new set
of VMs, each with larger physical memory. This motivated a
concept of "vertical scaling", in which clusters may migrate
to new VM types with different levels of hardware resources
to best accommodate a workload. This is different from the
aforementioned model of adding or removing VMs of the
same type within a cluster, which we call "horizontal scaling".
Although it is highly unlikely that a single query uses the
entire available memory of a VM, there are benefits to mov-
ing a workload to a larger VM. One of the largest advantages
is the reduced cache redundancy within a cluster of VMs.
Metadata caches consume a significant portion of the avail-
able memory, and having a large number of VMs with small
amounts of memory results in each VM having a relatively
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA T. Melissaris, K. Nabar, R. Radut, S. Rehmtulla, A. Shi, S. Chandrashekar, and I. Papapanagiotou

(a) CPU load for two VMs over time. (b) VM throttle coefficient over time for two VMs.

(c) Cluster throughput in queries/sec over time for ECS cluster. (d) Account and user throttle coefficient over time for two VMs.
Figure 17: As CPU load increases we deflect future load by dynamically throttling and reducing future concurrent
requests to an amount estimated to keep load safe.

Figure 18: Autoscaling reduces VM count therefore driving down unnecessary over-provisioning across Snowflake.

smaller cache and more likely to duplicate cache entries that
already exist on other VMs when compared to a cluster with
a smaller number of high memory VMs. The autoscaling sys-
tem implements memory-based vertical scaling by reading
JVM-level heap memory and throttling VMs that are close
to exhaustion. This acts as a signal to quiesce the old VMs
and migrate the cluster to a new set of larger VMs. This mi-
gration has sharply reduced occurrences of memory-related
isolation events (VM replaced due to OOM, full garbage col-
lection, etc.) by about 90%. Figure 23 illustrates that in the
first sample of clusters to enable vertical autoscaling begin-
ning the week of November 8, 2021, we have moved from a
highly variable rate of 15-30 isolations per day with spikes
of as many as 100 to a much more consistent rate of 0-2
isolations per day.

153
Elastic Cloud Services: Scaling Snowflake’s Control Plane
Figure 19: Dynamic throttling allows underutilized
VMs to increase the amount of work they can take
on. Two VMs bear the entire workload without excess
rejections.
Figure 20: Customer concurrency increases after en-
abling dynamic throttling.
Figure 21: Autoscaling adapting to bursts in traffic al-
lowing the cluster to increase its VM size resulting in
quadrupling of its initial throughput.
5 RELATED WORK
This section presents related work around Snowflake and
focuses on the Architecture of Snowflake’s Elastic Cloud
Services, including aspects of automatic code management,
cross-cloud operation, cloud elasticity, throttling and re-
source management. Prior work discusses topics around
Snowflake SQL and architecture [10] and recent changes
in the design and implementation of Snowflake, including
154
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA
the storage architecture, data caching, query scheduling and
multitenancy [44].
Cloud Analytics Systems. Several systems have been de-
signed to offer analytics solutions, including cloud databases
like Amazon Redshift [17], Aurora [38], Athena [37], Google
BigQuery [36] (based on the architecture of Dremel [25]),
Vertica [43], Microsoft Azure Synapse Analytics [2] and the
Relational Cloud [9].
Other works present cluster management systems [20, 24,
32] that can also operate across clouds [5, 6, 12, 48]. Man-
aging the deployment of these systems safely at scale also
presents challenges [21, 49]. While these papers present the
system architecture and analytics related capabilities of these
systems, this is the only work, to the best of our knowledge,
that presents a distributed control-plane operating on multi-
ple cloud service providers. This paper focuses on the topics
of automatic code and resource management, in particular
autoscaling, and throttling.
Cloud service availability. Improving availability for
cloud services at global scale poses many challenges [26].
Related work has used modeling of availability guarantees
to investigate the efficacy of different techniques [42]. To
achieve high availability other works leveraged techniques
like load balancing using a combination of multiple avail-
ability zones and multiple cloud providers to achieve high
availability [27, 50]. Our work presents AZ skew data across
clusters of a Snowflake deployment and highlights the im-
pact of rolling out global load balancing in production.
Cloud resource management and autoscaling. Re-
source management techniques have been very prevalent
in academic literature over the past decades. With the pro-
liferation of the cloud, resources like CPU [46, 47] and net-
work bandwidth [15] can now be tightly coupled in resource
pools, and scale the workload independently to match de-
mand [11, 28, 29, 35]. Unlike existing systems like Kubernetes
that focus on containers and are limited in terms of vertical
scaling and cluster stability, ECS’ autoscaler was designed
to enable VM clusters to scale both horizontally and verti-
cally with high stability while enabling dynamic instance
replacement reactive to VM health. To better enable resource
management, multitenant systems introduced concepts for
memory sharing in virtual machines including ballooning
and idle-memory taxation [45]. Memshare [8] introduced
mechanisms for sharing cache capacity in multitenant sys-
tems to maximize the hit rate for applications. Other efforts
on cloud resource allocation focus on performance, cost and
fairness optimizations [16, 23, 31, 40, 41]. Our paper adds to
the existing work by introducing techniques that preserve
ECS elasticity for orders of magnitude higher load and by
providing empirical results from enabling autoscaling tech-
niques in production.
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA T. Melissaris, K. Nabar, R. Radut, S. Rehmtulla, A. Shi, S. Chandrashekar, and I. Papapanagiotou

Figure 22: After Dynamic Throttling was rolled out, CPU overloading stops. The figure presents VM throttling
coefficients (top) and CPU load averages (bottom) per VM. Coefficient values less than 1.0 on the logarithmic
y-axis indicate hosts with reduced concurrency limits, and values greater than 1.0 indicate hosts with expanded
concurrency limits.

to achieve a good trade-off between resource usage and per-

formance [30] and Raghavan et al. discusses design and im-
plementation considerations of distributed rate limiters [34].

Figure 23: Memory based throttling and vertical scaling
drastically reduces memory isolations.
Resource throttling. Architectures that share resources
across multiple cores in CPUs and multiple tenants in a vir-
tual machine exacerbate resource management problems,
since resources like CPU, memory, or network utilization are
shared and lead to resource contention. Works like Cheng
et al. [7] restrict the number of concurrent memory tasks
to avoid interference among memory requests and throttle
down cores after estimating unfair resource usage in the
memory subsystem [13]. In the context of resource manage-
ment in the cloud, cloud service providers expose APIs for
resource throttling [3, 33, 39]. Other works automatically
partition and place rules at both hypervisors and switches
6 CONCLUSION
We present the design and architecture of Snowflake’s con-
trol plane. Elastic Cloud Services manages the Snowflake
fleet at scale and is responsible for VM and cluster lifecy-
cle, health management, self-healing automation, topology,
account service placement, traffic control, cross-cloud and
cross-region replication, and resource management. ECS’s
goal is to support a stable Snowflake service, resilient to
failures that transparently manage dynamic resource utiliza-
tion in a cost-efficient manner. We showcase how we have
been able to support automatic code management through
safe rollout/rollback, VM lifecycle and cluster pool manage-
ment as well as balance Snowflake’s deployments equally
across availability zones. We optimize resource management
through horizontal and vertical autoscaling. We have begun
initiatives to predictively scale clusters prior to hitting any
resource limits. After enabling throttling and autoscaling, we
observed many clusters that have cyclical workloads with
intervals ranging from minutes to weeks. We are currently
exploring applying different statistical methods on the tem-
poral data collected from different clusters in order to better
serve our customers needs while also minimizing costs.
We combine those capabilities with throttling such that
customers do not get impacted by underlying infrastructure
changes. We evaluated ECS capabilities in production and
present results at the scale of Snowflake’s Data Cloud.

155
Elastic Cloud Services: Scaling Snowflake’s Control Plane
REFERENCES
[1] Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph,
Randy H. Katz, Andrew Konwinski, Gunho Lee, David A. Patterson,
Ariel Rabkin, Ion Stoica, and Matei Zaharia. 2009. Above the Clouds: A
Berkeley View of Cloud Computing. Technical Report UCB/EECS-2009-
28.
[2] Microsoft Azure. Retrieved: 2022-5-31. Azure Synapse Analytics. https:
//azure.microsoft.com/en-us/services/synapse-analytics.
[3] Microsoft Azure. Retrieved: 2022-5-31. Throttling Resource Manager
requests . https://docs.microsoft.com/en-us/azure/azure-resource-
manager/management/request-limits-and-throttling.
[4] V.R. Basili and R.W. Selby. 1987. Comparing the Effectiveness of Soft-
ware Testing Strategies. IEEE Transactions on Software Engineering
(1987). https://doi.org/10.1109/TSE.1987.232881
[5] Daniel Baur and Jörg Domaschka. 2016. Experiences from Building a
Cross-Cloud Orchestration Tool. In CrossCloud ’16. https://doi.org/10.
1145/2904111.2904116
[6] José Carrasco, Francisco Durán, and Ernesto Pimentel. 2018. Trans-
cloud: CAMP/TOSCA-based bidimensional cross-cloud. Comput. Stand.
Interfaces 58 (2018), 167–179.
[7] Hsiang-Yun Cheng, Chung-Hsiang Lin, Jian Li, and Chia-Lin Yang.
2010. Memory Latency Reduction via Thread Throttling. In MICRO-43.
53–64. https://doi.org/10.1109/MICRO.2010.39
[8] Asaf Cidon, Daniel Rushton, Stephen M. Rumble, and Ryan Stutsman.
2017. Memshare: a Dynamic Multi-tenant Key-value Cache. In (USENIX
ATC ’17). 321–334.
[9] Carlo Curino, Evan Jones, Raluca Popa, Nirmesh Malviya, Eugene
Wu, Samuel Madden, Hari Balakrishnan, and Nickolai Zeldovich. 2011.
Relational Cloud: A Database-as-a-Service for the Cloud. CIDR ’11,
235–240.
[10] Benoit Dageville, Thierry Cruanes, Marcin Zukowski, Vadim Antonov,
Artin Avanes, Jon Bock, Jonathan Claybaugh, Daniel Engovatov, Mar-
tin Hentschel, Jiansheng Huang, Allison W. Lee, Ashish Motivala,
Abdul Q. Munir, Steven Pelley, Peter Povinec, Greg Rahn, Spyridon Tri-
antafyllis, and Philipp Unterbrunner. 2016. The Snowflake Elastic Data
Warehouse. In Proceedings of the 2016 International Conference on Man-
agement of Data. 215–226. https://doi.org/10.1145/2882903.2903741
[11] Kubernetes Documentation. Retrieved: 2022-5-31. Horizontal
Pod Autoscaling. https://kubernetes.io/docs/tasks/run-application/
horizontal-pod-autoscale/.
[12] Ravi Teja Dodda, Chris Smith, and Aad van Moorsel. 2009. An Archi-
tecture for Cross-Cloud System Management. In IC3.
[13] Eiman Ebrahimi, Chang Joo Lee, Onur Mutlu, and Yale N. Patt. 2012.
Fairness via Source Throttling: A Configurable and High-Performance
Fairness Substrate for Multicore Memory Systems. ACM Trans. Comput.
Syst. 30, 2 (2012). https://doi.org/10.1145/2166879.2166881
[14] Daniel Ford, François Labelle, Florentina I. Popovici, Murray Stokely,
Van-Anh Truong, Luiz Barroso, Carrie Grimes, and Sean Quinlan.
2010. Availability in Globally Distributed Storage Systems. In OSDI’10.
61–74.
[15] Peter X. Gao, Akshay Narayan, Sagar Karandikar, Joao Carreira,
Sangjin Han, Rachit Agarwal, Sylvia Ratnasamy, and Scott Shenker.
2016. Network Requirements for Resource Disaggregation. In Proceed-
ings of the 12th USENIX Conference on Operating Systems Design and
Implementation. 249–264.
[16] Ali Ghodsi, Matei Zaharia, Benjamin Hindman, Andy Konwinski, Scott
Shenker, and Ion Stoica. 2011. Dominant Resource Fairness: Fair
Allocation of Multiple Resource Types. In NSDI’11. 323–336.
[17] Anurag Gupta, Deepak Agarwal, Derek Tan, Jakub Kulesza, Rahul
Pathak, Stefano Stefani, and Vidhya Srinivasan. 2015. Amazon Redshift
and the Case for Simpler Data Warehouses. In SIGMOD ’15. 1917–1923.
156
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA
https://doi.org/10.1145/2723372.2742795
[18] Jenkins. Retrieved: 2022-5-31. Jenkins continuous integration and
continuous delivery . https://www.jenkins.io.
[19] Eric Jonas, Johann Schleier-Smith, Vikram Sreekanti, Chia-Che Tsai,
Anurag Khandelwal, Qifan Pu, Vaishaal Shankar, Joao Menezes Car-
reira, Karl Krauth, Neeraja Yadwadkar, Joseph Gonzalez, Raluca Ada
Popa, Ion Stoica, and David A. Patterson. 2019. Cloud Programming
Simplified: A Berkeley View on Serverless Computing. Technical Report
UCB/EECS-2019-3.
[20] Vangelis Koukis, Constantinos Venetsanopoulos, and Nectarios Koziris.
2013. okeanos: Building a Cloud, Cluster by Cluster. IEEE Internet
Computing 17, 3 (2013), 67–71. https://doi.org/10.1109/MIC.2013.43
[21] Ze Li, Qian Cheng, Ken Hsieh, Yingnong Dang, Peng Huang, Pankaj
Singh, Xinsheng Yang, Qingwei Lin, Youjiang Wu, Sebastien Levy, and
Murali Chintalapati. 2020. Gandalf: An Intelligent, End-To-End Ana-
lytics Service for Safe Deployment in Large-Scale Cloud Infrastructure.
In NSDI ’20. 389–402.
[22] Tania Lorido-Botrán, Jose Miguel-Alonso, and Jose Lozano. 2014. A
Review of Auto-scaling Techniques for Elastic Applications in Cloud
Environments. Journal of Grid Computing 12 (2014). https://doi.org/
10.1007/s10723-014-9314-7
[23] Jose Luis Lucas-Simarro, Rafael Moreno-Vozmediano, Rubén Montero,
and Ignacio Llorente. 2013. Scheduling strategies for optimal service
deployment across multiple clouds. Future Generation Computer Sys-
tems 29 (2013), 1431–1441. https://doi.org/10.1016/j.future.2012.01.007
[24] E. Michael Maximilien, Ajith Ranabahu, Roy Engehausen, and Laura C.
Anderson. 2009. IBM altocumulus: a cross-cloud middleware and
platform. In OOPSLA ’09 Companion.
[25] Sergey Melnik, Andrey Gubarev, Jing Jing Long, Geoffrey Romer, Shiva
Shivakumar, Matt Tolton, and Theo Vassilakis. 2010. Dremel: Interac-
tive Analysis of Web-Scale Datasets. Proc. VLDB Endow. 3, 1–2 (2010),
330–339. https://doi.org/10.14778/1920841.1920886
[26] Jeffrey C. Mogul, Rebecca Isaacs, and Brent Welch. 2017. Thinking
about Availability in Large Service Infrastructures. In Proc. HotOS XVI.
[27] R. Moreno-Vozmediano, R. S. Montero, E. Huedo, and I. M. Llorente.
2018. Orchestrating the Deployment of High Availability Services on
Multi-Zone and Multi-Cloud Scenarios. J. Grid Comput. 16, 1 (2018),
39–53.
[28] Rafael Moreno-Vozmediano, Rubén S. Montero, Eduardo Huedo, and
Ignacio M. Llorente. 2019. Efficient Resource Provisioning for Elastic
Cloud Services Based on Machine Learning Techniques. J. Cloud
Comput. 8, 1 (2019). https://doi.org/10.1186/s13677-019-0128-9
[29] Rafael Moreno-Vozmediano, Ruben S. Montero, and Ignacio M.
Llorente. 2009. Elastic Management of Cluster-Based Services in the
Cloud. In Proceedings of the 1st Workshop on Automated Control for
Datacenters and Clouds (ACDC ’09). 19–24. https://doi.org/10.1145/
1555271.1555277
[30] Masoud Moshref, Minlan Yu, Abhishek Sharma, and Ramesh Govindan.
2012. vCRIB: Virtualized Rule Management in the Cloud. In HotCloud
’12.
[31] Mihir Nanavati, Jake Wires, and Andrew Warfield. 2017. Decibel:
Isolation and Sharing in Disaggregated Rack-Scale Storage. In NSDI
’17. 17–33.
[32] Rene Peinl, Florian Holzschuher, and Florian Pfitzer. 2016. Docker
Cluster Management for the Cloud - Survey Results and Own Solution.
Journal of Grid Computing 14 (2016). https://doi.org/10.1007/s10723-
016-9366-y
[33] Google Cloud Platform. Retrieved: 2022-5-31. Rate-limiting strategies
and techniques. https://cloud.google.com/architecture/rate-limiting-
strategies-techniques.
[34] Barath Raghavan, Kashi Vishwanath, Sriram Ramabhadran, Kenneth
Yocum, and Alex C. Snoeren. 2007. Cloud Control with Distributed
SoCC ’22, November 7–11, 2022, San Francisco, CA, USA T. Melissaris, K. Nabar, R. Radut, S. Rehmtulla, A. Shi, S. Chandrashekar, and I. Papapanagiotou

Rate Limiting. SIGCOMM Comput. Commun. Rev. 37, 4 (aug 2007), 797–809. https://doi.org/10.1145/3183713.3196938
337–348. https://doi.org/10.1145/1282427.1282419 [44] Midhul Vuppalapati, Justin Miron, Rachit Agarwal, Dan Truong,
[35] Rodrigo da Rosa Righi, Vinicius Facco Rodrigues, Cristiano André Ashish Motivala, and Thierry Cruanes. 2020. Building An Elastic
da Costa, Guilherme Galante, Luis Carlos Erpen de Bona, and Tiago Query Engine on Disaggregated Storage. In NSDI ’20. 449–462.
Ferreto. 2016. AutoElastic: Automatic Resource Elasticity for High [45] Carl A. Waldspurger. 2003. Memory Resource Management in VMware
Performance Applications in the Cloud. IEEE Transactions on Cloud ESX Server. SIGOPS Oper. Syst. Rev. 36 (2003), 181–194. https://doi.
Computing 4, 1 (2016), 6–19. https://doi.org/10.1109/TCC.2015.2424876 org/10.1145/844128.844146
[36] Kazunori Sato. Retrieved: 2022-5-31. An Inside Look at Google Big- [46] Carl A. Waldspurger and William E. Weihl. 1994. Lottery Scheduling:
Query. https://cloud.google.com/files/BigQueryTechnicalWP.pdf. Flexible Proportional-Share Resource Management. In OSDI ’94.
[37] Amazon Web Services. Retrieved: 2022-5-31. Amazon Athena Server- [47] C. A. Waldspurger and E. Weihl. W. 1995. Stride Scheduling: Determin-
less Interactive Query Service. https://aws.amazon.com/athena. istic Proportional- Share Resource Management. Technical Report.
[38] Amazon Web Services. Retrieved: 2022-5-31. Amazon Aurora MySQL [48] Huaimin Wang, Peichang Shi, and Yiming Zhang. 2017. JointCloud: A
PostgreSQL Relational Database. https://aws.amazon.com/rds/aurora/. Cross-Cloud Cooperation Architecture for Integrated Internet Service
[39] Amazon Web Services. Retrieved: 2022-5-31. Throttle API requests for Customization. In ICDCS ’17. 1846–1855. https://doi.org/10.1109/
better throughput . https://docs.aws.amazon.com/apigateway/latest/ ICDCS.2017.237
developerguide/api-gateway-request-throttling.html. [49] Ingo Weber, Hiroshi Wada, Alan Fekete, Anna Liu, and Len Bass.
[40] David Shue, Michael J. Freedman, and Anees Shaikh. 2013. Fairness 2012. Automatic Undo for Cloud Management via AI Planning. In
and Isolation in Multi-Tenant Storage as Optimization Decomposition. HotDep ’12. https://www.usenix.org/conference/hotdep12/workshop-
SIGOPS Oper. Syst. Rev. 47, 1 (2013), 16–21. https://doi.org/10.1145/ program/presentation/Weber
2433140.2433145 [50] Xin Xie, Chentao Wu, Junqing Gu, Han Qiu, Jie Li, Minyi Guo, Xubin
[41] Ioan Stefanovici, Eno Thereska, Greg O’Shea, Bianca Schroeder, Hitesh He, Yuanyuan Dong, and Yafei Zhao. 2019. AZ-Code: An Efficient
Ballani, Thomas Karagiannis, Antony Rowstron, and Tom Talpey. 2015. Availability Zone Level Erasure Code to Provide High Fault Tolerance
Software-Defined Caching: Managing Caches in Multi-Tenant Data in Cloud Storage Systems. In MSST ’19. 230–243. https://doi.org/10.
Centers. In SoCC ’15. 174–181. https://doi.org/10.1145/2806777.2806933 1109/MSST.2019.00004
[42] Astrid Undheim, Ameen Chilwan, and Poul Heegaard. 2011. Differ- [51] Jingyu Zhou, Meng Xu, Alexander Shraer, Bala Namasivayam, Alex
entiated Availability in Cloud Computing SLAs. In 2011 IEEE/ACM Miller, Evan Tschannen, Steve Atherton, Andrew J. Beamon, Rusty
12th International Conference on Grid Computing. 129–136. https: Sears, John Leach, Dave Rosenthal, Xin Dong, Will Wilson, Ben Collins,
//doi.org/10.1109/Grid.2011.25 David Scherer, Alec Grieser, Young Liu, Alvin Moore, Bhaskar Mup-
[43] Ben Vandiver, Shreya Prasad, Pratibha Rana, Eden Zik, Amin Saeidi, pana, Xiaoge Su, and Vishesh Yadav. 2021. FoundationDB: A Distributed
Pratyush Parimal, Styliani Pantela, and Jaimin Dave. 2018. Eon Mode: Unbundled Transactional Key Value Store. 2653–2666.
Bringing the Vertica Columnar Database to the Cloud. In SIGMOD ’18.

157