For some implementations, the service chain is a security service chain for a subscriber and at least the service B is a security service. For the disclosed method, the stream affinity code is included in an added header as an added IP header as IP source and destination. Many implementations further include the packet carrying a service chain for a subscriber in an added packet header and service B being among services specified in the service chain.

For some implementations of the disclosed method, instances of service A and service B run in containers and the containers are hosted in pods. In many cases, instances of service A and service B are implemented on virtual machines, bare metal servers or custom hardware. For the disclosed method, the failure of service instance BA is detected by a monitoring agent, including monitoring service instance BA, for packet processing activity, and causing updating of the service map for service B to remove the service instance BA from availability should it be inactive for a configurable predetermined amount of time. In one example, the configurable predetermined amount of time may be 15 seconds. In another case, 30 seconds of inactivity may cause the service instance to be considered “failed”.

Some implementations of the disclosed method further include service instance BB processing the second packet and based on the processing, identifying a next service, among at least two additional services to which the subscriber has subscribed, that should next handle the packet, and routing the processed second packet to the identified next service upon egress from service instance BB.