If datacenter architecture is the skeleton and redundancy the immune system, then traffic patterns are the circulatory system—the flows of data that animate the entire infrastructure. Every design decision, from topology to capacity planning, ultimately serves to move data efficiently from where it originates to where it's needed.

But not all traffic is equal. Data moves in distinct patterns, each with different characteristics, requirements, and challenges:

• North-South traffic: Data flowing into and out of the datacenter (users to servers and back)
• East-West traffic: Data flowing between servers within the datacenter (internal communication)
• Storage traffic: Data moving between compute and storage systems
• Control plane traffic: Management, monitoring, and orchestration data

Understanding these patterns is essential because the network that handles north-south traffic efficiently may be entirely wrong for east-west patterns, and vice versa. The revolution in datacenter networking over the past decade—the shift from three-tier to leaf-spine—was driven precisely by a fundamental change in traffic patterns: the explosion of east-west communication in distributed systems.

North-South traffic refers to data flows that cross the datacenter boundary—traffic entering from or exiting to external networks. This includes user requests from the internet, API calls to external services, connections to partner networks, and WAN traffic to other datacenter locations.

Characteristics of North-South Traffic

Ingress (Client → Datacenter):

• User requests, typically HTTP/HTTPS
• API calls from external services
• Data uploads from customers
• Generally asymmetric: ingress < egress for most applications

Egress (Datacenter → Client):

• Responses to user requests
• Content delivery (video, images, files)
• API responses to external systems
• Often constitutes the majority of north-south bandwidth

Traffic Flow Path

North-south traffic traverses multiple network layers:

1. Internet/WAN Edge: Border routers, edge firewalls, DDoS mitigation
2. Perimeter Services: Load balancers, WAFs, API gateways
3. Internal Fabric: Leaf-spine network to reach origin servers
4. Compute/Storage: Application processing, database queries
5. Return Path: Response traverses layers in reverse

North-South Traffic Patterns

Diurnal patterns: User traffic follows human activity cycles—peaks during business hours (for enterprise apps) or evenings (for consumer media). Understanding these patterns enables:

• Scheduled maintenance during low-traffic windows
• Capacity planning for peak periods
• Cost optimization (autoscaling, spot instances)

Geographic patterns: Traffic volume varies by region based on:

• User population distribution
• Application relevance by geography
• Time zone effects on peak hours

Session behavior: North-south traffic is typically session-oriented:

• Users open sessions (TCP connections) that persist across multiple requests
• Sessions may be stateful, requiring affinity to specific servers
• Session duration affects load balancer and connection tracking design

East-West traffic refers to data flows between servers within the datacenter. While invisible to end users, this internal traffic often constitutes 70-80% of total datacenter bandwidth in modern distributed systems.

Sources of East-West Traffic

Distributed computing:

• MapReduce/Spark shuffles: Moving data between worker nodes
• Distributed databases: Replication, sharding, query fanout
• Microservices: Service-to-service API calls

Storage operations:

• Distributed storage systems: Data replication, erasure coding
• Object storage: Read/write operations from compute to storage
• Backup and snapshot replication

Cluster operations:

• Container orchestration: Image pulls, network overlays
• Service mesh: Sidecar proxy communication
• Service discovery: Health checks, registration

ML/AI workloads:

• Parameter servers: Gradient synchronization during training
• Model serving: Feature retrieval, ensemble aggregation
• Data pipelines: ETL between storage and compute

Characteristics of East-West Traffic

Volume: Typically 3-10x greater than north-south traffic in modern deployments

Latency sensitivity: Internal services often have tight latency budgets

• A single user request may trigger 100+ internal API calls
• Each internal call adds latency to user-facing response
• 95th/99th percentile latencies matter more than averages

Traffic patterns:

• Many-to-many: Mesh patterns where any server may talk to any other
• Bursty: Synchronized operations create traffic spikes
• Unpredictable locality: Workload placement may not align with network topology

Connection patterns:

• High connection count: Each service connects to many other services
• Short-lived connections: Some patterns create/destroy connections rapidly
• Long-lived connections: Persistent connections for frequent communication

Different application architectures generate dramatically different traffic patterns. Understanding these patterns is essential for network capacity planning and optimization.

Monolithic Applications

Traffic characteristics:

• Primarily north-south: Users connect to a few large servers
• Minimal east-west: Most processing happens within single servers
• Database connections: Concentrated traffic to specific database servers
• Simpler but concentrated load: Fewer, larger traffic flows

Microservices Architecture

Traffic characteristics:

• Explosion of east-west traffic: Each request fans out to multiple services
• API gateway pattern: Ingress through centralized entry point
• Service mesh: Heavy sidecar proxy traffic
• Unpredictable patterns: Service dependencies may be complex and dynamic

Traffic amplification: A single user request may multiply internally:

• 1 user request → API gateway
• 1 gateway call → Auth service, 3 business services
• Each business service → Database, cache, other services
• Total internal calls: 15-100x ingress

Big Data / Analytics (MapReduce, Spark)

Traffic characteristics:

• Shuffle phase: Massive all-to-all communication between workers
• Bursty and synchronized: All nodes shuffle simultaneously
• Barrier-synchronized: Fastest nodes wait for slowest
• Incast pattern: Many nodes send to few coordinators

Example MapReduce shuffle:

• Cluster of 1,000 nodes, each with 1 GB shuffle data
• Each node sends data to ~1,000 destinations
• Total shuffle traffic: 1 TB distributed across network
• Network becomes the bottleneck if undersized

Distributed Storage (HDFS, Ceph, Object Storage)

Traffic characteristics:

• Replication traffic: Each write replicated to 3+ nodes
• Erasure coding: Write traffic multiplied by encoding ratio
• Rebalancing: Moving data when nodes added/removed
• Recovery: Rebuilding data from parity after failures

Machine Learning Training

Traffic characteristics:

• Parameter synchronization: All workers exchange gradients every iteration
• All-reduce patterns: Collective communication primitives
• GPU-to-GPU communication: RDMA for lowest latency
• Scale-dependent: Traffic grows with model size and cluster size

You can't optimize what you can't measure. Traffic analysis provides the visibility needed to understand patterns, plan capacity, and troubleshoot problems.

Traffic Measurement Technologies

SNMP Counters:

• Basic interface statistics: bytes in/out, packets, errors, discards
• Available on virtually all network equipment
• Low overhead, low granularity
• 1-5 minute polling intervals typical

Flow Telemetry (NetFlow, sFlow, IPFIX):

• Per-flow statistics: source, destination, port, protocol, bytes, packets
• Provides traffic matrix visibility (who's talking to whom)
• Higher overhead; sampling often used for high-speed links
• Essential for traffic engineering and security analysis

Deep Packet Inspection (DPI):

• Application-layer visibility: what protocols, what content
• Highest fidelity but highest overhead
• Privacy and encryption challenges
• Used selectively for troubleshooting

Streaming Telemetry:

• Modern replacement for SNMP polling
• Push-based: network devices stream data continuously
• Sub-second granularity possible
• gRPC/gNMI protocols gaining adoption

Key Traffic Metrics

Bandwidth utilization:

• Current throughput as percentage of capacity
• Peak, average, and 95th percentile measurements
• Per-link and aggregate views
• Capacity planning threshold: 50-70% typical

Traffic matrix:

• Source-destination pair traffic volumes
• Reveals communication patterns and hotspots
• Essential for topology optimization
• Changes over time (application-dependent)

Flow characteristics:

• Flow size distribution (mice vs. elephants)
• Flow duration distribution
• Connection rate (new flows per second)
• Informs load balancing and buffer sizing

Latency measurements:

• Round-trip time between points
• Per-hop latency breakdowns
• Queue depths and buffering delays
• Critical for latency-sensitive applications

Traffic engineering (TE) is the science of optimizing how traffic flows through the network. While ECMP provides automatic load distribution, sophisticated environments use explicit traffic engineering to improve performance beyond what default routing achieves.

Traffic Engineering Goals

1. Load balancing: Distribute traffic evenly across available paths
2. Congestion avoidance: Route around hotspots and bottlenecks
3. Latency optimization: Use shortest/fastest paths for latency-sensitive traffic
4. Failure recovery: Reroute traffic around failed components
5. Cost optimization: Use cheaper paths when performance allows

Traffic Engineering Techniques

ECMP (Equal-Cost Multi-Path):

• Simplest TE: distribute across equal-cost paths
• Works well when paths are truly equal
• Limitations: hash polarization, elephant flows, unequal path congestion

Weighted ECMP (WCMP):

• Assign different weights to different paths
• Route more traffic through higher-capacity or less-loaded paths
• Addresses heterogeneous path capacity

Segment Routing (SR) / SR-MPLS / SRv6:

• Source-routed explicit paths
• Traffic follows specified segment list, not just shortest path
• Enables fine-grained traffic control without per-flow state in network
• Increasingly popular in provider and large DC networks

Centralized vs. Distributed TE

Distributed TE (traditional):

• Each router makes independent decisions
• Relies on routing protocols (BGP, OSPF) for path selection
• Simple but suboptimal: routers don't see global picture

Centralized TE (SDN-enabled):

• Central controller has global network view
• Computes optimal paths considering all traffic
• Programs forwarding rules directly to switches
• Better global optimization but requires controller reliability

Traffic Engineering for East-West

Leaf-spine networks provide natural TE through ECMP, but optimizations include:

Flow scheduling:

• Identify elephant flows and assign them to less-loaded paths
• Technologies: Hedera, CONGA, LetFlow

Workload placement:

• Place communicating workloads close together (same rack, pod)
• Reduces traffic on the fabric, improves latency
• Kubernetes affinity/anti-affinity rules

Application-aware routing:

• Route latency-sensitive traffic on shortest paths
• Route bulk transfers on paths with available capacity
• Requires traffic classification and policy framework

Not all congestion is visible at the scale of minutes or seconds. Micro-bursts—short traffic spikes lasting microseconds to milliseconds—can cause packet drops and latency spikes even when average utilization is low.

Understanding Micro-bursts

Cause: Network links have finite capacity, but traffic arrives in bursts. When multiple flows simultaneously send data:

• 100 Gbps link = 10 nanoseconds to transmit 1 byte
• 10 flows each send 1,000 bytes at the same microsecond
• Switch buffer must absorb 10 KB in the time it takes to send 1 KB
• If buffer is too small: packet drops

Why averages lie:

• Link at 30% average utilization over 5 minutes
• But during micro-bursts: 300% instantaneous demand
• Drops and latency occur during bursts
• Standard monitoring doesn't see microsecond-scale events

Detecting Micro-bursts

• Switch buffer utilization counters (not available on all hardware)
• Per-port drop counters (symptom, not cause)
• Streaming telemetry with sub-second granularity
• Specialized tooling: microburst detection features in some switches

The Incast Problem

Definition: Incast occurs when many sources simultaneously send data to one destination, overwhelming the receiver's incoming link or switch buffer.

Common incast scenarios:

• Fan-in from distributed systems: Worker nodes respond to coordinator simultaneously
• Storage reads: Single client reads from many storage servers
• Barrier synchronization: All nodes finish and report at the same time
• Multicast responses: Query to many nodes, all respond instantly

Impact:

• Massive packet drops at receiver switch
• TCP retransmission timeouts (catastrophic delay)
• Some flows get through while others timeout
• Application performance degrades severely

Mitigating Micro-bursts and Incast

Hardware approaches:

• Deep buffer switches: More capacity to absorb bursts (but expensive)
• Cut-through switching: Reduces latency, minimizes buffering needs
• Priority queuing: Protect latency-sensitive traffic

Protocol approaches:

• DCTCP (Data Center TCP): Reacts to congestion before drops
• ECN (Explicit Congestion Notification): Signal congestion without drops
• RDMA/RoCE: Lossless transport with flow control

Application approaches:

• Jitter responses: Add small random delays to avoid synchronized sending
• Request throttling: Limit concurrent requests to avoid incast
• Smaller request sizes: More manageable bursts

Traffic patterns directly inform network design decisions. Understanding your traffic characteristics guides choices in topology, capacity, placement, and features.

Pattern → Design Mapping

High east-west traffic →

• Non-blocking leaf-spine topology
• Low oversubscription (1:1 to 2:1)
• Deep buffer switches for bursts
• ECMP with good hash distribution

Latency-sensitive traffic →

• Minimize hop count (leaf-spine, not multi-tier)
• Cut-through switching
• Low-latency optics
• QoS for priority traffic

Large flow (elephant) dominated →

• Flow-aware load balancing
• Higher link speeds (fewer flows per link)
• Traffic engineering for explicit path control
• Monitoring for elephant detection

Bursty/synchronized traffic →

• Deep buffer switches
• Congestion-aware protocols (DCTCP, ECN)
• Application-level jitter
• Admission control

Workload Placement for Traffic Optimization

Beyond network design, placing workloads intelligently reduces traffic:

Rack-local placement:

• Place communicating services in the same rack
• Traffic stays within TOR switch (zero fabric hops)
• Example: Database server in same rack as app servers using it

Pod-level affinity:

• Place related workloads in the same pod
• Traffic crosses only pod spines, not super-spines
• Reduces fabric load, improves latency

Anti-affinity for redundancy:

• Avoid placing all replicas in the same failure domain
• Trade-off: More cross-pod traffic for higher availability

Topology-aware scheduling:

• Kubernetes topology spread constraints
• Custom schedulers considering network locality
• Balancing affinity benefits against distribution needs

Capacity Planning from Traffic Analysis

1. Measure current traffic: Volume, patterns, peak/average ratios
2. Project growth: Based on user growth, feature changes, new workloads
3. Model network utilization: Map traffic to topology, identify hotspots
4. Plan expansion: Add capacity before utilization exceeds thresholds
5. Validate after changes: Confirm improvements in production

Understanding traffic patterns is fundamental to datacenter networking. We've explored the characteristics of north-south and east-west traffic, how applications shape traffic demands, measurement and analysis techniques, and how traffic considerations drive network design and optimization.

Module Complete:

Congratulations! You've completed Module 1: Datacenter Overview. You now understand the comprehensive foundation of modern datacenter networking—from physical architecture through topology, scalability, redundancy, and traffic patterns. This knowledge prepares you for deeper exploration of cloud networking, virtualization, load balancing, and the advanced topics covered in the remaining modules of this chapter.