CN115499434A - Cross-VPC flow forwarding method - Google Patents
- Publication number
- CN115499434A (application number CN202210911121.6A)
- Authority
- CN
- China
- Prior art keywords
- peer
- vpc
- mac address
- traffic
- address information
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This application relates to a cross-VPC traffic forwarding method and, specifically, to the field of cloud network technology. In this application, a VPC peering gateway cluster is introduced for the VPC peering connection between a first VPC and a second VPC. After generating peering traffic, the first VPC can send it to the VPC peering gateway cluster. After receiving the peering traffic, the VPC peering gateway cluster modifies the MAC address information of the peering traffic from first MAC address information associated with the first VPC to second MAC address information associated with the second VPC, and sends the peering traffic to the second VPC based on the modified second MAC address information, thereby implementing cross-VPC traffic forwarding.
Description
Technical field
The invention relates to the field of cloud network technology, and in particular to a cross-VPC traffic forwarding method.
Background
In the field of cloud network technology, a Virtual Private Cloud (VPC) is an isolated, private virtual network environment on the cloud.
Related technologies support communication between virtual machines (VMs) within the same VPC. For example, a VPC may contain several different subnets; communication is supported between VMs in the same subnet of the same VPC, and between VMs in different subnets of the same VPC. However, communication between VMs in different VPCs is not yet supported.
Summary of the invention
The present application provides a cross-VPC traffic forwarding method; the technical solution is as follows.
In one aspect, a cross-VPC traffic forwarding method is provided. The method is performed by a VPC peering gateway cluster in a VPC peering network that also includes a first VPC and a second VPC, and the method includes:
receiving peering traffic sent by the first VPC, where the Medium Access Control (MAC) address information of the peering traffic is first MAC address information, and the first MAC address information is associated with the MAC address of a first Distributed Virtual Router (DVR) in the first VPC and the MAC address of a first peering port reserved for a first subnet in the first VPC;
modifying the MAC address information of the peering traffic from the first MAC address information to second MAC address information, where the second MAC address information is associated with the MAC address of a second DVR in the second VPC and the MAC address of a second peering port reserved for a second subnet in the second VPC;
sending the peering traffic with the modified address information to the second VPC.
In one aspect, a cross-VPC traffic forwarding method is provided. The method is performed by a first VPC in a VPC peering network that also includes a VPC peering gateway cluster and a second VPC, and the method includes:
generating peering traffic whose MAC address information is third MAC address information, where the third MAC address information is associated with the MAC address of a first DVR in the first VPC and the MAC address of a first VM in the first VPC;
modifying the MAC address information of the peering traffic from the third MAC address information to first MAC address information, where the first MAC address information is associated with the MAC address of the first DVR in the first VPC and the MAC address of a first peering port reserved for a first subnet in the first VPC;
sending the peering traffic with the modified address information to the VPC peering gateway cluster, so that the VPC peering gateway cluster forwards the peering traffic to the second VPC.
In a possible implementation, the MAC address of the first peering port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used during flow table matching to identify the traffic as traffic forwarded across VPCs.
In one aspect, a cross-VPC traffic forwarding method is provided. The method is performed by a second VPC in a VPC peering network that also includes a VPC peering gateway cluster and a first VPC, and the method includes:
receiving peering traffic sent by the VPC peering gateway cluster, where the peering traffic was received by the VPC peering gateway cluster from the first VPC, the MAC address information of the peering traffic is second MAC address information, and the second MAC address information is associated with the MAC address of a second DVR in the second VPC and the MAC address of a second peering port reserved for a second subnet in the second VPC;
modifying the MAC address information of the peering traffic from the second MAC address information to fourth MAC address information, where the fourth MAC address information is associated with the MAC address of the second DVR in the second VPC and the MAC address of a second VM in the second VPC;
sending the peering traffic with the modified address information to the second VM.
In a possible implementation, the MAC address of the second peering port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used during flow table matching to identify the traffic as traffic forwarded across VPCs.
In yet another aspect, a cross-VPC traffic forwarding apparatus is provided. The apparatus runs on a VPC peering gateway cluster in a VPC peering network that also includes a first VPC and a second VPC, and the apparatus includes a traffic receiving module, an address information modification module and a traffic sending module;
the traffic receiving module is configured to receive peering traffic sent by the first VPC, where the MAC address information of the peering traffic is first MAC address information, and the first MAC address information is associated with the MAC address of a first DVR in the first VPC and the MAC address of a first peering port reserved for a first subnet in the first VPC;
the address information modification module is configured to modify the MAC address information of the peering traffic from the first MAC address information to second MAC address information, where the second MAC address information is associated with the MAC address of a second DVR in the second VPC and the MAC address of a second peering port reserved for a second subnet in the second VPC;
the traffic sending module is configured to send the peering traffic with the modified address information to the second VPC.
In a possible implementation, a gateway node in the VPC peering gateway cluster includes two bridges, br-conjoin and br-south; an interface for communicating with the VPCs is created on br-south, and a Veth Pair is established between br-conjoin and br-south for each VPC;
the address information modification module is configured so that:
after br-south receives the peering traffic sent by the first VPC, it sends the peering traffic out through the first Veth Pair corresponding to the first VPC, to br-conjoin;
br-conjoin modifies the source MAC address of the peering traffic from the MAC address of the first DVR in the first VPC to the MAC address of the second peering port reserved for the second subnet in the second VPC, and modifies the destination MAC address of the peering traffic from the MAC address of the first peering port reserved for the first subnet in the first VPC to the MAC address of the second DVR in the second VPC;
the traffic sending module is configured so that:
br-conjoin sends the peering traffic with the modified address information out through the second Veth Pair corresponding to the second VPC, to br-south;
br-south sends the peering traffic with the modified address information to the second VPC.
In a possible implementation, br-conjoin includes a subnet selection group flow table corresponding to the second VPC, and the subnet selection group flow table is used to select, with load balancing, among the subnets of the second VPC;
the address information modification module is configured so that, before br-conjoin modifies the source MAC address of the peering traffic from the MAC address of the first DVR in the first VPC to the MAC address of the second peering port reserved for the second subnet in the second VPC, br-conjoin uses the subnet selection group flow table to select the second subnet in the second VPC.
In a possible implementation, br-south includes a DVR instance selection group flow table corresponding to the second DVR, and the DVR instance selection group flow table is used to select, with load balancing, among the DVR instances of the second DVR;
the traffic sending module is configured so that:
br-south uses the DVR instance selection group flow table to select a target DVR instance of the second DVR;
br-south sends the peering traffic with the modified address information to the target DVR instance of the second DVR.
In a possible implementation, the MAC address of the first peering port and the MAC address of the second peering port correspond to a preset MAC address prefix, and the preset MAC address prefix is used during flow table matching to identify the traffic as traffic forwarded across VPCs.
In yet another aspect, a cross-VPC traffic forwarding apparatus is provided. The apparatus runs on a first VPC in a VPC peering network that also includes a VPC peering gateway cluster and a second VPC, and the apparatus includes a traffic generation module, an address information modification module and a traffic sending module;
the traffic generation module is configured to generate peering traffic whose MAC address information is third MAC address information, where the third MAC address information is associated with the MAC address of a first DVR in the first VPC and the MAC address of a first VM in the first VPC;
the address information modification module is configured to modify the MAC address information of the peering traffic from the third MAC address information to first MAC address information, where the first MAC address information is associated with the MAC address of the first DVR in the first VPC and the MAC address of a first peering port reserved for a first subnet in the first VPC;
the traffic sending module is configured to send the peering traffic with the modified address information to the VPC peering gateway cluster, so that the VPC peering gateway cluster forwards the peering traffic to the second VPC.
In a possible implementation, the first DVR in the first VPC includes a peering route rule, and the peering route rule specifies that when the destination IP address of traffic belongs to a destination network segment of another VPC, the next hop is the IP address of the peering port reserved for the subnet from which the traffic originates;
the address information modification module is configured so that:
after the first DVR receives the peering traffic sent by the first VM, it modifies, based on the peering route rule, the source MAC address of the peering traffic from the MAC address of the first VM in the first VPC to the MAC address of the first DVR in the first VPC, and modifies the destination MAC address of the peering traffic from the MAC address of the first DVR in the first VPC to the MAC address of the first peering port reserved for the first subnet in the first VPC.
In a possible implementation, the VPC peering gateway cluster includes at least one gateway node group, each gateway node group includes at least one gateway node, and the peering connection between the first VPC and the second VPC is carried by a target gateway node group among the at least one gateway node group;
the traffic sending module is configured so that:
the first DVR sends the peering traffic with the modified address information to br-tun in the first VPC, where br-tun includes a gateway node selection group flow table corresponding to the target gateway node group, and the gateway node selection group flow table is used to select, with load balancing, among the gateway nodes in the target gateway node group;
br-tun uses the gateway node selection group flow table to select a target gateway node in the target gateway node group;
br-tun sends the peering traffic with the modified address information to the target gateway node.
In a possible implementation, the MAC address of the first peering port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used during flow table matching to identify the traffic as traffic forwarded across VPCs.
In yet another aspect, a cross-VPC traffic forwarding apparatus is provided. The apparatus runs on a second VPC in a VPC peering network that also includes a VPC peering gateway cluster and a first VPC, and the apparatus includes a traffic receiving module, an address information modification module and a traffic sending module;
the traffic receiving module is configured to receive peering traffic sent by the VPC peering gateway cluster, where the peering traffic was received by the VPC peering gateway cluster from the first VPC, the MAC address information of the peering traffic is second MAC address information, and the second MAC address information is associated with the MAC address of a second DVR in the second VPC and the MAC address of a second peering port reserved for a second subnet in the second VPC;
the address information modification module is configured to modify the MAC address information of the peering traffic from the second MAC address information to fourth MAC address information, where the fourth MAC address information is associated with the MAC address of the second DVR in the second VPC and the MAC address of a second VM in the second VPC;
the traffic sending module is configured to send the peering traffic with the modified address information to the second VM.
In a possible implementation, the second DVR in the second VPC includes a direct route rule, and the direct route rule specifies that when the destination IP address of traffic belongs to a destination network segment of the second VPC, the next hop is the directly connected network interface corresponding to the subnet to which the second VM belongs;
the address information modification module is configured so that:
after the second DVR receives the peering traffic sent by the VPC peering gateway cluster, it modifies, based on the direct route rule, the source MAC address of the peering traffic from the MAC address of the second peering port reserved for the second subnet in the second VPC to the MAC address of the second DVR in the second VPC, and modifies the destination MAC address of the peering traffic from the MAC address of the second DVR in the second VPC to the MAC address of the second VM in the second VPC.
In a possible implementation, the MAC address of the second peering port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used during flow table matching to identify the traffic as traffic forwarded across VPCs.
In yet another aspect, a computer device is provided. The computer device includes a processor and a memory; the memory stores at least one instruction, at least one program, code set or instruction set, which is loaded and executed by the processor to implement the cross-VPC traffic forwarding method described above.
In yet another aspect, a computer-readable storage medium is provided. The storage medium stores at least one instruction, which is loaded and executed by a processor to implement the cross-VPC traffic forwarding method described above.
In yet another aspect, a computer program product or computer program is provided. The computer program product or computer program includes computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the cross-VPC traffic forwarding method described above.
The technical solution provided by this application may have the following beneficial effects:
A VPC peering gateway cluster is introduced for the VPC peering connection between the first VPC and the second VPC. After generating peering traffic, the first VPC can modify the MAC address information of that traffic from third MAC address information to first MAC address information and, based on the modified first MAC address information, send the peering traffic to the VPC peering gateway cluster. After receiving the peering traffic, the VPC peering gateway cluster modifies its MAC address information from the first MAC address information associated with the first VPC to the second MAC address information associated with the second VPC and, based on the modified second MAC address information, sends the peering traffic to the second VPC. After receiving the peering traffic, the second VPC modifies its MAC address information from the second MAC address information to fourth MAC address information and sends the peering traffic to the destination VM, thereby implementing cross-VPC traffic forwarding.
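As an added illustration that is not code from the patent or from any product, the Python below simulates the three MAC rewrites of the forwarding path (first DVR, gateway node br-conjoin, second DVR) over a constructed two-VPC topology and models the subnet selection group as a flow hash. The prefix value, the hash used for bucket selection, the per-hop admission checks and every name and address are assumptions.

```python
from dataclasses import dataclass, replace
import hashlib
import ipaddress

# Constructed placeholder for the patent's "preset MAC address prefix"; the page
# does not state the real value. Every reserved peering-port MAC starts with it.
PEER_PORT_MAC_PREFIX = "fa:16:ff"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

@dataclass
class Vpc:
    name: str
    dvr_mac: str       # MAC of this VPC's distributed virtual router (DVR)
    subnets: dict      # subnet CIDR -> MAC of the peering port reserved for it
    vms: dict          # VM IP -> VM MAC (the DVR's directly connected NICs)
    peer_routes: dict  # remote CIDR -> name of the peered VPC (peering route rules)

    def subnet_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        for cidr in self.subnets:
            if addr in ipaddress.ip_network(cidr):
                return cidr
        raise KeyError(f"{ip} is not in any subnet of {self.name}")

    def peer_for(self, ip: str):
        addr = ipaddress.ip_address(ip)
        for cidr, peer in self.peer_routes.items():
            if addr in ipaddress.ip_network(cidr):
                return peer
        return None

def select_member(members, frame: Frame) -> str:
    """Stand-in for an OVS select group: hash the flow so it sticks to one bucket."""
    ordered = sorted(members)
    digest = hashlib.sha256(f"{frame.src_ip}>{frame.dst_ip}".encode()).digest()
    return ordered[int.from_bytes(digest[:4], "big") % len(ordered)]

def first_dvr_egress(vpc: Vpc, frame: Frame) -> Frame:
    """Step 1, first VPC: peering route rule, third MAC info -> first MAC info."""
    if frame.dst_mac != vpc.dvr_mac or vpc.vms.get(frame.src_ip) != frame.src_mac:
        raise ValueError("frame was not sent by a known VM of this VPC to its DVR")
    if vpc.peer_for(frame.dst_ip) is None:
        raise ValueError("no peering route for destination: stays inside the VPC")
    src_subnet = vpc.subnet_of(frame.src_ip)   # next hop: that subnet's peering port
    return replace(frame, src_mac=vpc.dvr_mac, dst_mac=vpc.subnets[src_subnet])

def gateway_forward(src_vpc: Vpc, dst_vpc: Vpc, frame: Frame) -> Frame:
    """Step 2, gateway node: br-south admits the frame, br-conjoin picks a subnet
    of the second VPC (subnet selection group) and rewrites first -> second MAC info."""
    if not frame.dst_mac.startswith(PEER_PORT_MAC_PREFIX):
        raise ValueError("destination MAC lacks the cross-VPC prefix")
    if frame.src_mac != src_vpc.dvr_mac or frame.dst_mac not in src_vpc.subnets.values():
        raise ValueError("MAC pair does not belong to the sending VPC")
    if src_vpc.peer_for(frame.dst_ip) != dst_vpc.name:
        raise ValueError("no peering between these two VPCs")
    chosen = select_member(dst_vpc.subnets, frame)
    return replace(frame, src_mac=dst_vpc.subnets[chosen], dst_mac=dst_vpc.dvr_mac)

def second_dvr_ingress(vpc: Vpc, frame: Frame) -> Frame:
    """Step 3, second VPC: direct route rule, second MAC info -> fourth MAC info."""
    if frame.dst_mac != vpc.dvr_mac or frame.src_mac not in vpc.subnets.values():
        raise ValueError("frame was not rewritten by the gateway for this VPC")
    if frame.dst_ip not in vpc.vms:
        raise ValueError("destination IP has no VM in this VPC")
    return replace(frame, src_mac=vpc.dvr_mac, dst_mac=vpc.vms[frame.dst_ip])

def forward_cross_vpc(src_vpc: Vpc, dst_vpc: Vpc, frame: Frame) -> Frame:
    """Run the three rewrites in order; the IP header is never touched."""
    f1 = first_dvr_egress(src_vpc, frame)
    f2 = gateway_forward(src_vpc, dst_vpc, f1)
    return second_dvr_ingress(dst_vpc, f2)

def is_forwardable(src_vpc: Vpc, dst_vpc: Vpc, frame: Frame) -> bool:
    """True if every hop accepts the frame, False if any hop drops it."""
    try:
        forward_cross_vpc(src_vpc, dst_vpc, frame)
        return True
    except (ValueError, KeyError):
        return False

# Constructed sample topology; every name and address below is made up.
VPC_A = Vpc("vpc-a", "02:a0:00:00:00:01", {"10.1.1.0/24": "fa:16:ff:0a:01:01"},
            {"10.1.1.10": "02:a0:00:00:10:10"}, {"10.2.0.0/16": "vpc-b"})
VPC_B = Vpc("vpc-b", "02:b0:00:00:00:01",
            {"10.2.1.0/24": "fa:16:ff:0b:02:01", "10.2.2.0/24": "fa:16:ff:0b:02:02"},
            {"10.2.1.20": "02:b0:00:00:20:20"}, {"10.1.0.0/16": "vpc-a"})
VPC_C = Vpc("vpc-c", "02:c0:00:00:00:01", {"10.3.1.0/24": "fa:16:ff:0c:03:01"},
            {"10.3.1.30": "02:c0:00:00:30:30"}, {})   # peered with nobody
```

The per-hop checks are the point for a defender: isolation between VPCs that are not peered rests on the first DVR having no peering route and on the gateway refusing a MAC pair that does not belong to the sending VPC, so those flow-table matches are what to audit.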
Description of drawings
In order to explain more clearly the specific embodiments of this application or the technical solutions in the prior art, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the virtual network inside a compute node according to an exemplary embodiment.
Fig. 2 is a schematic diagram of the virtual network inside a network node according to an exemplary embodiment.
Fig. 3 is a schematic diagram of east-west traffic within the same VPC and the same subnet according to an exemplary embodiment.
Fig. 4 is a schematic diagram of east-west traffic within the same VPC but across different subnets according to an exemplary embodiment.
Fig. 5 is a schematic diagram of north-south traffic when accessing the Internet according to an exemplary embodiment.
Fig. 6 is a schematic diagram of an existing VPC network implementation model according to an exemplary embodiment.
Fig. 7 is a schematic diagram of the improved VPC peering network model according to an exemplary embodiment.
Fig. 8 is a flow chart of a cross-VPC traffic forwarding method according to an exemplary embodiment.
Fig. 9 is a schematic diagram of gateway nodes in a VPC peering gateway cluster arranged in groups according to an exemplary embodiment.
Fig. 10 is a schematic diagram of the network model of a gateway node according to an exemplary embodiment.
Fig. 11 is a flow chart of a cross-VPC traffic forwarding method according to an exemplary embodiment.
Fig. 12 is a schematic diagram of flow table matching in br-tun according to an exemplary embodiment.
Fig. 13 is a schematic diagram of flow table matching in br-south according to an exemplary embodiment.
Fig. 14 is a schematic diagram of flow table matching in br-conjoin according to an exemplary embodiment.
Fig. 15 is a schematic diagram of the cross-VPC traffic forwarding process according to an exemplary embodiment.
Fig. 16 is a structural block diagram of a cross-VPC traffic forwarding apparatus according to an exemplary embodiment.
Fig. 17 is a structural block diagram of a cross-VPC traffic forwarding apparatus according to an exemplary embodiment.
Fig. 18 is a structural block diagram of a cross-VPC traffic forwarding apparatus according to an exemplary embodiment.
Fig. 19 is a schematic diagram of a computer device provided according to an exemplary embodiment of this application.
Detailed description
The technical solutions of the present application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application, without creative effort, fall within the scope of protection of this application.
It should be understood that an "indication" referred to in the embodiments of this application may be a direct indication, an indirect indication, or an expression that an association exists. For example, "A indicates B" may mean that A directly indicates B (for example, B can be obtained from A); that A indirectly indicates B (for example, A indicates C and B can be obtained from C); or that there is an association between A and B.
In the description of the embodiments of this application, the term "corresponding" may mean that there is a direct or indirect correspondence between two things, that there is an association between them, or a relationship such as indicating and indicated, or configuring and configured.
In the embodiments of this application, "predefined" may be realized by storing in advance, in a device (for example, a terminal device or a network device), corresponding code, tables or other means that can indicate the relevant information; this application does not limit the specific implementation.
Before the embodiments of this application are described, the concepts involved are introduced first.
Virtual Private Cloud (VPC)
A VPC is introduced from two perspectives: the compute node and the network node.
Fig. 1 shows the virtual network inside a compute node, which mainly contains the following elements:
·VM: Virtual Machine, including cloud desktops, cloud hosts and some Virtual Network Function (VNF) network elements (such as vFW, Virtual Private Network (VPN) and vCPE).
·qbrxxx: a Linux bridge, used to provide the security group function for a VM.
·DHCP: Dynamic Host Configuration Protocol. Usually one VPC corresponds to multiple DHCP instances (a cluster), which automatically assign IP addresses, DNS servers and other addresses to VMs. The control node spreads the DHCP instances evenly across the compute nodes according to a scheduling policy.
·DVR: Distributed Virtual Router. One VPC corresponds to one DVR; whenever a VM instance of the VPC exists on a compute node, a DVR instance is created on that compute node. The DVR is the default gateway of the VM private network, and all traffic in which a VM accesses another network segment (both east-west and north-south) is forwarded at Layer 3 by the DVR. The DVR also provides a flexible, customizable routing-rule interface that makes it easy to steer different kinds of service traffic, as described below.
·FIP: the floating IP (elastic IP) gateway, which can be regarded as a local gateway. There is exactly one per compute node, shared by all tenants on that node; it is mainly used so that VMs on the compute node can reach external networks (including the Internet) directly from that node, for example when a VM on the node has an elastic IP bound to it individually.
·br-int: an Open vSwitch bridge that logically isolates the different VPCs on a node using internal Virtual Local Area Networks (VLANs) and performs Layer 2 forwarding via flow tables.
·br-tun: an Open vSwitch bridge mainly used to translate between the node-local VLAN and the global Virtual eXtensible LAN (VXLAN). The VXLAN logical sub-interface is bound to br-tun, VXLAN tunnels are established to the other compute nodes, network nodes and virtual gateway nodes, and cross-node access within a VPC network is realized via flow tables.
·br-ex: an Open vSwitch bridge bound to a VLAN logical sub-interface, providing the path by which VMs on the node reach external networks.
·Service NICs: two 10G NICs logically bonded, providing the underlay for cross-node access between tenant networks.
Fig. 2 shows the virtual network inside a network node. Apart from the Network Address Translation (NAT) gateway, its elements are the same as those described for the compute node:
·NAT gateway: one VPC corresponds to one NAT instance. For high availability, an active and a standby instance are deployed on different network nodes; when the active node fails, the standby is promoted to active and continues to carry traffic. The NAT gateway mainly provides Source NAT (SNAT) and Destination NAT (DNAT), that is, address translation for VMs accessing the Internet or being accessed from it.
Steering of service traffic
Steering is described for east-west and north-south traffic, and only for the cross-node case.
·East-west traffic
Within the same VPC and the same subnet, as shown in Fig. 3, no Layer 3 forwarding is involved; the traffic is sent to the target compute node through a VXLAN tunnel.
Within the same VPC but across subnets, as shown in Fig. 4, Layer 3 forwarding is involved, so the traffic passes through the DVR, where a routing rule is matched and the traffic is forwarded to the other subnet and then sent to the target compute node through a VXLAN tunnel.
·North-south traffic
For Internet access there are several ways to realize this kind of service traffic: via a NAT gateway, a vFW, a leased line, an IPsec VPN or a vCPE. All of them rely on the custom policy routing framework provided by the DVR: traffic from a VM to the Internet is first delivered to the DVR, and the DVR's policy routing decides which path is used. Fig. 5 shows the NAT gateway case; the others are similar.
For access to the customer-side intranet there are likewise several options: a leased line, an IPsec VPN or a vCPE. These also rely on the DVR's custom policy routing framework: traffic from a VM to the customer intranet is first delivered to the DVR, and the DVR's policy routing decides which path is used.
In the related art, interconnection between VPCs is not yet supported. The existing VPC network implementation model is shown in Fig. 6. Some of its technical details are as follows:
·The DVR instance contains only directly connected routes and a default route whose next hop is the NAT gateway.
·Within a VPC, hosts in the same subnet communicate by plain Layer 2 forwarding; communication across subnets goes through the DVR, which matches a route and performs Layer 3 forwarding.
·Within a VPC, north-south traffic (for example, access to the public network or to the customer side) matches, in the DVR, either the default route whose next hop is the NAT gateway or a custom route whose next hop is a VPN or a virtual gateway.
To support interconnection across VPCs, this application provides a cross-VPC traffic forwarding method that introduces a VPC peering gateway cluster for the peering connection between a first VPC and a second VPC. After generating peering traffic, the first VPC rewrites the MAC address information of the peering traffic from third MAC address information to first MAC address information and, on the basis of the rewritten first MAC address information, sends the peering traffic to the VPC peering gateway cluster. On receiving the peering traffic, the VPC peering gateway cluster rewrites its MAC address information from the first MAC address information (associated with the first VPC) to second MAC address information (associated with the second VPC) and, on the basis of the second MAC address information, sends the peering traffic to the second VPC. On receiving the peering traffic, the second VPC rewrites its MAC address information from the second MAC address information to fourth MAC address information and delivers the traffic to the destination VM, thereby achieving cross-VPC traffic forwarding.
For example, referring to Fig. 7, VPC1 and VPC2 are peered through the VPC peering gateway cluster, and a VM in VPC1 can send traffic to a VM in VPC2.
The technical solution provided by this application is described below with reference to the following embodiments.
Fig. 8 is a flow chart of a cross-VPC traffic forwarding method according to an exemplary embodiment. The method is applied in a VPC peering network comprising a first VPC, a VPC peering gateway cluster and a second VPC. As shown in Fig. 8, the method may include the following steps:
Step 801: the first VPC generates peering traffic whose MAC address information is third MAC address information; the third MAC address information is associated with the MAC address of the first DVR in the first VPC and the MAC address of the first VM in the first VPC.
Peering traffic is traffic that crosses VPCs. In this embodiment, the peering traffic is generated by the first VM in the first VPC and is destined for the second VM in the second VPC.
Cross-VPC forwarding involves Layer 3 forwarding and therefore passes through the DVR of the VPC. Hence the peering traffic, when generated, carries the third MAC address information, in which the source MAC address is the MAC address of the first VM in the first VPC and the destination MAC address is the MAC address of the first DVR in the first VPC.
Step 802: the first VPC rewrites the MAC address information of the peering traffic from the third MAC address information to first MAC address information; the first MAC address information is associated with the MAC address of the first DVR in the first VPC and the MAC address of the first peering port reserved for the first subnet in the first VPC.
In this embodiment, a corresponding peering port is created for each subnet, and each peering port owns one IP/MAC address pair. After the peering traffic has been forwarded within the first VPC on the basis of the initial third MAC address information and has reached the first DVR, the first DVR rewrites the MAC address information of the peering traffic from the third to the first MAC address information so that the traffic can be forwarded to the next hop.
In the first MAC address information, the source MAC address of the peering traffic is the MAC address of the first DVR in the first VPC, and the destination MAC address is the MAC address of the first peering port reserved for the first subnet in the first VPC.
Step 803: the first VPC sends the peering traffic with the rewritten address information to the VPC peering gateway cluster.
Correspondingly, the VPC peering gateway cluster receives the peering traffic sent by the first VPC; its MAC address information is the first MAC address information, associated with the MAC address of the first DVR in the first VPC and the MAC address of the first peering port reserved for the first subnet in the first VPC.
Because the first DVR in the first VPC has rewritten the MAC address information of the peering traffic from the third to the first MAC address information, the first VPC can subsequently steer the peering traffic to the VPC peering gateway cluster on the basis of the first MAC address information.
Step 804: the VPC peering gateway cluster rewrites the MAC address information of the peering traffic from the first MAC address information to second MAC address information; the second MAC address information is associated with the MAC address of the second DVR in the second VPC and the MAC address of the second peering port reserved for the second subnet in the second VPC.
In order to send the peering traffic to the second VPC, the VPC peering gateway cluster rewrites its MAC address information from the first MAC address information, associated with the first VPC, to the second MAC address information, associated with the second VPC.
In the second MAC address information, the source MAC address of the peering traffic is the MAC address of the second peering port reserved for the second subnet in the second VPC, and the destination MAC address is the MAC address of the second DVR in the second VPC.
Step 805: the VPC peering gateway cluster sends the peering traffic with the rewritten address information to the second VPC.
Correspondingly, the second VPC receives the peering traffic sent by the VPC peering gateway cluster; its MAC address information is the second MAC address information, associated with the MAC address of the second DVR in the second VPC and the MAC address of the second peering port reserved for the second subnet in the second VPC.
Step 806: the second VPC rewrites the MAC address information of the peering traffic from the second MAC address information to fourth MAC address information; the fourth MAC address information is associated with the MAC address of the second DVR in the second VPC and the MAC address of the second VM in the second VPC.
After the peering traffic reaches the second DVR in the second VPC, the second DVR rewrites its MAC address information from the second to the fourth MAC address information so that the traffic can be forwarded to the next hop.
In the fourth MAC address information, the source MAC address of the peering traffic is the MAC address of the second DVR in the second VPC, and the destination MAC address is the MAC address of the second VM in the second VPC.
Step 807: the second VPC sends the peering traffic with the rewritten address information to the second VM.
In summary, the cross-VPC traffic forwarding method of this embodiment introduces a VPC peering gateway cluster for the peering connection between the first VPC and the second VPC. After generating peering traffic, the first VPC rewrites its MAC address information from the third to the first MAC address information and, on that basis, sends it to the VPC peering gateway cluster; the cluster rewrites the MAC address information from the first MAC address information (associated with the first VPC) to the second MAC address information (associated with the second VPC) and, on that basis, sends the traffic to the second VPC; the second VPC rewrites the MAC address information from the second to the fourth MAC address information and delivers the traffic to the destination VM, thereby achieving cross-VPC traffic forwarding.
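The following is an added example, not code from the patent: a simulation of steps 801 to 807 on a constructed two-VPC topology, showing the three MAC rewrites and the DVR peering route whose next hop is the subnet's reserved peering port IP. All CIDRs, IP addresses, MAC addresses and the `arp` table are made up for the example; the `Subnet` and `Frame` types are the example's own.

```python
"""Added example: the third -> first -> second -> fourth MAC address
information transitions of steps 801-807 on a constructed topology."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Subnet:
    cidr: str
    dvr_mac: str            # DVR interface MAC in this subnet
    peering_port_ip: str    # reserved peering port, one per subnet
    peering_port_mac: str


def peering_routes(local: Subnet, remote_cidrs: List[str]) -> Dict:
    """Peering routes in the DVR's local-subnet table: each remote VPC
    segment is reached via the local subnet's own peering port IP."""
    return {ip_network(c): local.peering_port_ip for c in remote_cidrs}


def dvr_egress(frame: Frame, local: Subnet, routes: Dict) -> Optional[Frame]:
    """Steps 802 / 1103: third -> first MAC address information."""
    if frame.dst_mac != local.dvr_mac:
        raise ValueError("frame was not sent to the DVR")
    dst = ip_address(frame.dst_ip)
    next_hops = [nh for net, nh in routes.items() if dst in net]
    if not next_hops:
        return None                 # not peering traffic; other routes apply
    assert next_hops[0] == local.peering_port_ip
    return replace(frame, src_mac=local.dvr_mac, dst_mac=local.peering_port_mac)


def gateway_rewrite(frame: Frame, src: Subnet, dst: Subnet) -> Frame:
    """Step 804: first -> second MAC address information."""
    if frame.dst_mac != src.peering_port_mac:
        raise ValueError("not peering traffic from the expected VPC")
    return replace(frame, src_mac=dst.peering_port_mac, dst_mac=dst.dvr_mac)


def dvr_ingress(frame: Frame, local: Subnet, arp: Dict[str, str]) -> Frame:
    """Step 806: second -> fourth MAC address information."""
    if frame.dst_mac != local.dvr_mac:
        raise ValueError("frame was not sent to the destination DVR")
    return replace(frame, src_mac=local.dvr_mac, dst_mac=arp[frame.dst_ip])


def forward(frame: Frame, src: Subnet, dst: Subnet, arp: Dict[str, str]) -> Optional[List[Frame]]:
    """Frame as seen after each hop, or None if the DVR did not treat it as peering traffic."""
    hops = [frame]
    f = dvr_egress(frame, src, peering_routes(src, [dst.cidr]))
    if f is None:
        return None
    hops.append(f)
    f = gateway_rewrite(f, src, dst)
    hops.append(f)
    f = dvr_ingress(f, dst, arp)
    hops.append(f)
    return hops


# Constructed topology (not from the patent): subnet 1 of VPC1, subnet 2 of VPC2
SUB1 = Subnet("10.1.0.0/24", "fa:16:3e:d1:00:01", "10.1.0.254", "fa:17:02:00:00:01")
SUB2 = Subnet("10.2.0.0/24", "fa:16:3e:d2:00:01", "10.2.0.254", "fa:17:02:00:00:02")
VM1_IP, VM1_MAC = "10.1.0.10", "fa:16:3e:aa:00:01"
VM2_IP, VM2_MAC = "10.2.0.20", "fa:16:3e:bb:00:02"
ARP2 = {VM2_IP: VM2_MAC}   # what the second DVR resolves for the second VM

if __name__ == "__main__":
    for hop in forward(Frame(VM1_MAC, SUB1.dvr_mac, VM1_IP, VM2_IP), SUB1, SUB2, ARP2):
        print(hop)
```

Only the Layer 2 addresses change along the path; the IP header is untouched at every hop. In this simulation that means the peered segments must not overlap, since a destination inside the local subnet would otherwise match both the directly connected route and the peering route; the text does not state that constraint, so here it is an assumption of the example.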
The peering port mentioned above is described further below.
In a possible implementation, the MAC address of the first peering port and the MAC address of the second peering port share a preset MAC address prefix, which is used during flow table matching to identify traffic as cross-VPC forwarded traffic.
For a VPC that establishes a peering connection, a Neutron Port is created in each of its subnets with device_owner set to "network:peering"; this is called a peering port. The native mechanism by which Neutron assigns MAC addresses to ports is modified so that, for peering ports (identified by matching device_owner against "network:peering"), a fixed preset MAC address prefix such as fa:17:02:00:00:00 is used.
The peering port serves the following purposes:
·The peering port is assigned an IP address, which is used as the next hop of the peering route configured in the DVR instance.
·The peering port is assigned a MAC address with a fixed preset prefix such as fa:17:02:00:00:00. The purpose is that flow entries on the OVS bridges can match this preset prefix and so identify peering traffic precisely. Matching a fixed prefix, rather than individual addresses, also greatly reduces the number of flow entries that have to be configured.
The VPC peering gateway cluster mentioned above is described further below.
In a possible implementation, the gateway nodes in the VPC peering gateway cluster are organized into groups: the cluster comprises at least one gateway node group, each group comprises at least one gateway node, and the peering connection between the first VPC and the second VPC is carried by a target gateway node group among those groups.
For example, referring to Fig. 9, the VPC peering gateway cluster comprises three gateway node groups, Group1, Group2 and Group3, containing one, two and three gateway nodes respectively.
One gateway node group can carry multiple peering connections. When a peering connection is created, the least loaded group (the one carrying the fewest peering connections) is chosen as its gateway node group. Each gateway node group and the number of peering connections it carries are recorded in the database.
The gateway nodes within each group can be scaled out or in flexibly as the traffic volume changes.
The working state of the gateway members in a group is monitored; if a member is found to be faulty, it is automatically set to the "disabled" state. An administrator can also force a member of a group into the "disabled" state from the command line. A "disabled" member no longer takes part in forwarding peering traffic; once it returns to the "available" state it carries traffic again.
A gateway node group also has a state of its own, "available" by default on creation; groups in the "available" state take part in allocation and scheduling. An administrator can set a group to "disabled" from the command line, and a "disabled" group does not take part in allocation and scheduling.
A peering connection can be migrated from one group to another at group granularity.
In a possible implementation, a gateway node in the VPC peering gateway cluster comprises two bridges, br-conjoin and br-south. The interfaces that communicate with the VPCs are created on br-south, and a veth pair is established between br-conjoin and br-south for each VPC.
Fig. 10 shows the abstract virtual network model inside a gateway node, which consists of the following parts:
·Two OVS bridges, br-conjoin and br-south.
·A VXLAN sub-interface is created on br-south, establishing VXLAN tunnels to the compute nodes where the VMs reside.
·Between br-south and br-conjoin, a veth pair is established for each VPC of the peering connection, with one end attached to each bridge.
The design of this virtual network model is based on the following considerations:
·Why two OVS bridges rather than one: to avoid traffic entering on a VXLAN sub-interface and, after flow table processing, leaving on the same VXLAN sub-interface (in on the source port, out on the source port), which would cause OVS to drop the packets.
·Why a veth pair per VPC between the two bridges: when br-south receives peering traffic it can extract the VXLAN tunnel ID and distinguish the peering traffic of different VPCs by matching on it. The tunnel ID, however, is not carried across to br-conjoin, which therefore cannot see it. With a veth pair per VPC, br-conjoin can instead distinguish the peering traffic of different VPCs by matching directly on the input port (IN_PORT).
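The following is an added example, not code from the patent, serving both the preset-prefix matching described for the peering port and the two-bridge model above: it models br-south (Fig. 13) keying on the VXLAN tunnel ID plus a masked match on the fa:17:02 prefix, and br-conjoin (Fig. 14) keying on the veth input port because the tunnel ID does not survive the veth pair. VNIs, port names, the MAC suffix layout of `allocate_peering_mac` and the expected-destination check in `br_conjoin` are the example's own assumptions.

```python
"""Added example: classification of peering traffic inside a gateway node
built on the two-bridge (br-south / br-conjoin) model."""
from dataclasses import dataclass
from typing import Optional, Tuple

PEERING_PREFIX = "fa:17:02:00:00:00"   # preset prefix named in the text
PEERING_MASK = "ff:ff:ff:00:00:00"     # match only the first three octets


def mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def mac_str(value: int) -> str:
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def masked_match(mac: str, value: str, mask: str) -> bool:
    """Equivalent of an OVS dl_dst=VALUE/MASK match."""
    m = mac_int(mask)
    return mac_int(mac) & m == mac_int(value) & m


def allocate_peering_mac(index: int) -> str:
    """Allocator with the shape the text gives for device_owner 'network:peering':
    fixed prefix plus a per-port suffix (suffix layout is assumed)."""
    if not 0 < index <= 0xFFFFFF:
        raise ValueError("suffix out of range")
    return mac_str((mac_int(PEERING_PREFIX) & mac_int(PEERING_MASK)) | index)


@dataclass(frozen=True)
class Frame:
    dl_src: str
    dl_dst: str


@dataclass
class GatewayNode:
    # VNI of a VPC's tunnel -> (veth end on br-south, veth end on br-conjoin)
    veth_by_vni: dict
    # br-conjoin in_port -> (expected dl_dst, new dl_src, new dl_dst, output veth end on br-conjoin)
    rewrite_by_in_port: dict

    def br_south_ingress(self, tun_id: int, frame: Frame) -> Optional[Tuple[str, Frame]]:
        """One masked rule covers every peering port; tun_id selects the per-VPC
        veth; anything else hits the drop default. Returns the frame as
        br-conjoin sees it: only the arrival port survives the veth pair."""
        if not masked_match(frame.dl_dst, PEERING_PREFIX, PEERING_MASK):
            return None
        pair = self.veth_by_vni.get(tun_id)
        return None if pair is None else (pair[1], frame)

    def br_conjoin(self, in_port: str, frame: Frame) -> Optional[Tuple[str, Frame]]:
        """in_port identifies the source VPC. The expected-dl_dst check is an added
        safeguard: it pins the rewrite to that VPC's own peering port, so a frame
        that arrived on VPC1's tunnel cannot trigger VPC2's rewrite rule."""
        rule = self.rewrite_by_in_port.get(in_port)
        if rule is None:
            return None
        expected_dst, new_src, new_dst, out_port = rule
        if frame.dl_dst != expected_dst:
            return None
        return out_port, Frame(new_src, new_dst)

    def br_south_egress(self, in_port: str, frame: Frame) -> Optional[Tuple[int, Frame]]:
        """A frame arriving from a veth is tagged with that VPC's VNI and sent
        into the tunnel towards the destination DVR."""
        for vni, (south_end, _) in self.veth_by_vni.items():
            if south_end == in_port:
                return vni, frame
        return None

    def process(self, tun_id: int, frame: Frame) -> Optional[Tuple[int, Frame]]:
        """VXLAN in -> br-south -> veth -> br-conjoin -> veth -> br-south -> VXLAN out."""
        hop = self.br_south_ingress(tun_id, frame)
        if hop is None:
            return None
        hop = self.br_conjoin(*hop)
        if hop is None:
            return None
        out_conjoin_end, rewritten = hop
        south_end = next(s for s, c in self.veth_by_vni.values() if c == out_conjoin_end)
        return self.br_south_egress(south_end, rewritten)


# Constructed topology: VPC1 uses VNI 100, VPC2 uses VNI 200
PEER1 = allocate_peering_mac(1)            # fa:17:02:00:00:01
PEER2 = allocate_peering_mac(2)            # fa:17:02:00:00:02
DVR1, DVR2 = "fa:16:3e:00:00:01", "fa:16:3e:00:00:02"

NODE = GatewayNode(
    veth_by_vni={100: ("veth-vpc1-s", "veth-vpc1-c"), 200: ("veth-vpc2-s", "veth-vpc2-c")},
    rewrite_by_in_port={
        "veth-vpc1-c": (PEER1, PEER2, DVR2, "veth-vpc2-c"),
        "veth-vpc2-c": (PEER2, PEER1, DVR1, "veth-vpc1-c"),
    },
)
```

With the masked rule, br-south needs one classification entry for all peering ports instead of one per port; the per-VPC distinction is made entirely by tun_id on br-south and by in_port on br-conjoin, which is the point of the veth pairs.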
The DVR mentioned above is described further below.
In a possible implementation, a peering route is added to the existing policy routing table of the DVR instance, with the IP address of the reserved peering port as its next hop.
For example, referring to the table below, which lists the policy routing tables contained in the current DVR instance and the routes each contains: to realize the peering connection, a peering route is configured in the local subnet table, with the IP address of the peering port reserved for that subnet as the next hop. With this peering route in place, a VM's peering traffic is routed at Layer 3 on the local compute node.
Fig. 11 is a flow chart of a cross-VPC traffic forwarding method according to an exemplary embodiment. The method is applied in a VPC peering network comprising a first VPC, a VPC peering gateway cluster and a second VPC. As shown in Fig. 11, the method may include the following steps:
Step 1101: the first VM in the first VPC generates peering traffic whose source MAC address is the MAC address of the first VM in the first VPC and whose destination MAC address is the MAC address of the first DVR in the first VPC.
Step 1102: the first VM in the first VPC sends the peering traffic to the first DVR in the first VPC.
Correspondingly, the first DVR in the first VPC receives the peering traffic sent by the first VM; its source MAC address is the MAC address of the first VM in the first VPC and its destination MAC address is the MAC address of the first DVR in the first VPC.
Step 1103: on the basis of the peering route, the first DVR in the first VPC rewrites the source MAC address of the peering traffic from the MAC address of the first VM to the MAC address of the first DVR, and rewrites the destination MAC address from the MAC address of the first DVR to the MAC address of the first peering port reserved for the first subnet in the first VPC.
The first DVR in the first VPC contains a peering route, which specifies that when the destination IP address of the traffic belongs to a destination network segment of another VPC, the next hop is the IP address of the peering port reserved for the subnet the traffic comes from.
Step 1104: the first DVR in the first VPC sends the peering traffic with the rewritten address information to the target gateway in the VPC peering gateway cluster.
Correspondingly, the target gateway in the VPC peering gateway cluster receives the peering traffic sent by the first DVR in the first VPC; its source MAC address is the MAC address of the first DVR in the first VPC and its destination MAC address is the MAC address of the first peering port reserved for the first subnet in the first VPC.
In a possible implementation, the VPC peering gateway cluster comprises at least one gateway node group, each group comprising at least one gateway node, and the peering connection between the first VPC and the second VPC is carried by a target gateway node group. The first DVR sends the peering traffic with the rewritten address information to br-tun in the first VPC. br-tun contains a gateway node selection group entry corresponding to the target gateway node group, which performs load-balanced selection among the gateway nodes of that group; br-tun uses this group entry to select a target gateway node in the target gateway node group and sends the peering traffic with the rewritten address information to that node.
也即,在VM所在计算节点的br-tun网桥增加精确识别对等连接流量的网关节点选择组流表,将对等连接流量以负载均衡的方式引向VPC对等网关集群。That is, add a gateway node selection group flow table that accurately identifies the peering connection traffic to the br-tun bridge of the computing node where the VM resides, and direct the peering connection traffic to the VPC peering gateway cluster in a load-balanced manner.
示例性的,结合参考图12,对等连接流量经过DVR路由匹配后转发至br-tun进行处理。为了将对等连接流量牵引到所关联的网关节点,在table=20增加了对等连接流量的精确识别:通过匹配对等端口(图中的Peering Port)的MAC前缀及其对等路由的目标网段,命中后,转到此对等连接所关联的目标网关节点组。在目标网关节点组对应的Group流表中,可以通过计算报文的Hash值随机选中目标网关节点组中的某个网关节点,并将流量转发给它(通过VXLAN隧道)。Exemplarily, with reference to FIG. 12 , the peer-to-peer connection traffic is forwarded to the br-tun for processing after being matched by the DVR route. In order to pull the peering connection traffic to the associated gateway node, the precise identification of the peering connection traffic is added in table=20: by matching the MAC prefix of the peer port (Peering Port in the figure) and the target of the peering route Network segment, when hit, go to the target gateway node group associated with this peer connection. In the Group flow table corresponding to the target gateway node group, a gateway node in the target gateway node group can be randomly selected by calculating the hash value of the packet, and the traffic is forwarded to it (through the VXLAN tunnel).
可以理解的是,在网关节点组扩缩容时,这里会更新对应的Group流表,及时做到生效。网关节点组中的网关节点成员故障不可用或被管理员禁用,同样更新对应的Group流表,及时做到生效。对等连接从一个组迁移到另外一个组时,只需要修改这里的转向的Group流表,及时做到生效。It is understandable that when the gateway node group expands or shrinks, the corresponding Group flow table will be updated here to take effect in time. If a gateway node member in the gateway node group fails or is disabled by the administrator, the corresponding Group flow table is also updated to take effect in time. When a peer-to-peer connection is migrated from one group to another, you only need to modify the diverted Group flow table here to take effect in time.
Step 1105: After receiving the peering traffic sent by the first VPC, br-south in the target gateway sends it out through the first Veth Pair corresponding to the first VPC, to br-conjoin in the target gateway.
Correspondingly, br-conjoin in the target gateway receives, through the first Veth Pair, the peering traffic sent by br-south; its source MAC address is the MAC address of the first DVR in the first VPC and its destination MAC address is the MAC address of the first peer port reserved for the first subnet in the first VPC.
By way of example, referring to Fig. 13, the peering traffic enters from the vxlan sub-interface and is therefore directed to table=4, where flow matching continues; because the destination MAC address of the peering traffic matches the peer-port MAC prefix, the traffic is sent out through the veth pair port of VPC1, the VPC that generated it, to the br-conjoin bridge.
Step 1106: br-conjoin in the target gateway changes the source MAC address of the peering traffic from the MAC address of the first DVR in the first VPC to the MAC address of the second peer port reserved for the second subnet in the second VPC, and changes the destination MAC address from the MAC address of the first peer port reserved for the first subnet in the first VPC to the MAC address of the second DVR in the second VPC.
In one possible implementation, br-conjoin contains a subnet selection group flow table corresponding to the second VPC, which selects a subnet of the second VPC in a load-balanced manner; before br-conjoin changes the source MAC address of the peering traffic from the MAC address of the first DVR in the first VPC to the MAC address of the second peer port reserved for the second subnet in the second VPC, br-conjoin uses that subnet selection group flow table to select the second subnet in the second VPC.
That is, a subnet selection group flow table is added to br-conjoin to steer peering traffic to one subnet of the remote second VPC in a load-balanced manner.
By way of example, referring to Fig. 14, the peering traffic enters from the veth pair port and its destination MAC address matches the peer-port MAC prefix, so it is directed to table=1, which matches the veth pair port and the destination segment to identify precisely which VPC of which peering sent the traffic. After table=1, processing turns to the Group flow table corresponding to the identified remote VPC, whose Group ID is the VXLAN tunnel ID of the remote VPC. That Group flow table has as many buckets as the remote VPC has subnets; the selected bucket performs the MAC address rewrite and the VXLAN tunnel ID rewrite (changing the egress). When rewriting the MAC addresses, the destination MAC address is set to the MAC address of the DVR in the remote VPC, so that the traffic is steered into the DVR instance for processing.
Step 1107: br-conjoin in the target gateway sends the peering traffic with modified address information out through the second Veth Pair corresponding to the second VPC, to br-south in the target gateway.
Correspondingly, br-south in the target gateway receives, through the second Veth Pair, the peering traffic sent by br-conjoin; its source MAC address is the MAC address of the second peer port reserved for the second subnet in the second VPC and its destination MAC address is the MAC address of the second DVR in the second VPC.
Step 1108: br-south in the target gateway sends the peering traffic with modified address information to the second DVR in the second VPC.
Correspondingly, the second DVR in the second VPC receives the peering traffic sent by br-south in the target gateway; its source MAC address is the MAC address of the second peer port reserved for the second subnet in the second VPC and its destination MAC address is the MAC address of the second DVR in the second VPC.
In one possible implementation, br-south contains a DVR instance selection group flow table corresponding to the second DVR, which selects a DVR instance of the second DVR in a load-balanced manner; br-south uses that group flow table to select the target DVR instance of the second DVR, and sends the peering traffic with modified address information to that target DVR instance.
That is, a DVR instance selection group flow table is added to br-south to steer peering traffic to one DVR instance of the remote second VPC in a load-balanced manner, improving throughput and avoiding a single point of failure.
By way of example, referring to Fig. 13, on matching the VXLAN tunnel ID (vni in the figure) and destination MAC = DVR MAC, processing turns to the Group flow table whose Group ID is the VXLAN tunnel ID of the corresponding VPC. The contents of that Group flow table are computed from the compute nodes across which this VPC's DVR is actually distributed. For example, if the VPC's DVR is spread across two compute nodes, two buckets are configured, whose egress ports are the vxlan sub-interfaces established to those two compute nodes. This makes full use of the distributed VPC DVR cluster: traffic is sent to the distributed instances in a load-balanced manner, improving throughput while avoiding a single point of failure.
Step 1109: After receiving the peering traffic sent by the VPC peering gateway cluster, the second DVR, based on the direct routing rule, changes the source MAC address of the peering traffic from the MAC address of the second peer port reserved for the second subnet in the second VPC to the MAC address of the second DVR in the second VPC, and changes the destination MAC address from the MAC address of the second DVR to the MAC address of the second VM in the second VPC.
The second DVR in the second VPC contains the direct routing rule, which states: when the destination IP address of the traffic belongs to a destination segment of the second VPC, the next hop is the directly connected interface of the subnet to which the second VM belongs.
Step 1110: The second DVR sends the peering traffic with modified address information to the second VM.
In summary, in the cross-VPC traffic forwarding method provided by this embodiment, the peer port reserved for a subnet is given a customized MAC address prefix, the preset MAC address prefix, which greatly reduces the number of flow table entries needed to identify peering traffic.
Further, a peering routing rule is added to the subnet policy routing table of the DVR, so that Layer 3 forwarding of peering traffic is completed on the VM's local compute node.
Further, multiple gateway nodes are grouped into a gateway node group; gateway nodes are assigned to peerings at group granularity, peering migration is carried out at group granularity, and gateway nodes can be flexibly scaled out or in according to traffic volume.
Further, once a peering is associated with a group, its traffic is steered to all gateway nodes in the group in a load-balanced manner; when gateway nodes are scaled out or in, enabled or disabled, only the corresponding group flow table needs to be updated, so the change takes effect quickly.
Further, in the design of the gateway node's network model, two OVS bridges are created to avoid VXLAN traffic leaving through the same port it entered, and a Veth Pair is created for each VPC and bridged between the two OVS bridges, so that the peering traffic of different VPCs can be distinguished by matching the Veth Pair port.
Further, on the gateway node a group flow table is used to change the destination MAC address of the peering traffic to the MAC address of the remote VPC's DVR, and a group flow table is likewise used to steer the peering traffic to multiple DVR instances of the remote VPC in a load-balanced manner, improving throughput and avoiding a single point of failure.
The cross-VPC traffic forwarding method provided by this application is illustrated below with an example.
As shown in Fig. 15, two VPCs need to communicate; once the peering is established, VM1 in VPC1 and VM2 in VPC2 can reach each other. For ease of description, the figure gives specific IP and MAC addresses, listed in the following table:
The forwarding of the data flow is described in detail in the following 12 steps:
1) VM1 sends traffic.
The packet headers are: source IP = 10.10.1.10, source MAC = fa:16:3e:11:22:33 (the MAC address of VM1), destination IP = 10.10.2.10, destination MAC = fa:16:3e:00:01:01 (the MAC address of DVR1).
2) The traffic is sent to the ovs bridge br-int, where it matches the flow table; on a hit it is sent to DVR1.
Flow table matching at br-int may follow existing implementations and is not detailed here; this bridge is likewise not detailed where it appears below.
3) After the traffic enters DVR1, it matches the peering routing rule and is forwarded.
Peering routing rule in DVR1: destination = 10.10.2.0/24, next hop = 10.10.1.100.
The IP address of the peer port reserved for the subnet of VM1 = 10.10.1.100, and its MAC address = fa:16:3d:a0:a0:01 (the peer-port MAC prefix is fa:16:3d:00:00:00/ff:ff:ff:00:00:00).
Because the traffic matches the peering routing rule, DVR1 forwards it; the packet headers are now: source IP = 10.10.1.10, source MAC = fa:16:3e:00:01:01 (the MAC address of DVR1), destination IP = 10.10.2.10, destination MAC = fa:16:3d:a0:a0:01 (the MAC address of the peer port reserved for the VPC1 subnet). That is, DVR1 has rewritten the source and destination MAC addresses.
4) The traffic leaves DVR1 and reaches the ovs bridge br-int, where flow matching continues; on a hit it is forwarded to the ovs bridge br-tun.
5) The traffic reaches the ovs bridge br-tun, matches the flow table and then goes to the group flow table, which mainly load-balances across multiple peering gateways: one peering gateway is selected and the traffic is sent to it.
Referring to Fig. 12, matching proceeds as follows: the flow table at table=0 is matched first and on a hit processing goes to table=1; on a hit at table=1 it goes to table=2; because the traffic is a unicast packet it continues to table=20, where the peering flow entry is matched precisely: the MAC prefix of the peer port (fa:17:02:00:00:00) and the destination segment of the peering route are matched, and on a hit processing goes to the group flow table.
This group flow table mainly load-balances across multiple peering gateways; one of them is finally selected and the traffic is sent to it.
The traffic is encapsulated in a VXLAN packet and sent out from service NIC 1; the outer headers are: source IP = 192.168.1.11 (the IP address of service NIC 1), source MAC = 0a:16:3f:00:00:01 (the MAC address of service NIC 1), destination IP = 192.168.1.13 (the IP address of service NIC 2), destination MAC = 0a:16:3f:00:00:03 (the MAC address of service NIC 2). Because of the VXLAN encapsulation, the VM's inner headers are hidden.
6) The VXLAN packet is sent from service NIC 1 to service NIC 3 of the peering gateway, where br-south decapsulates it, then matches the br-south flow table and sends the traffic out through the VPC's veth pair port to the br-conjoin bridge.
The decapsulated packet headers are: source IP = 10.10.1.10, source MAC = fa:16:3e:00:01:01, destination IP = 10.10.2.10, destination MAC = fa:16:3d:a0:a0:01.
Referring to Fig. 13, matching the br-south flow table proceeds as follows: the flow table is first matched at table=0; because the packet entered from the vxlan sub-interface, processing goes to table=4, where matching continues; because the destination MAC is fa:16:3d:a0:a0:01, which matches the peer-port MAC prefix, the traffic is sent out through the veth pair port of VPC1 to the br-conjoin bridge.
7) After the traffic reaches the br-conjoin bridge, flow matching continues and then goes to the group flow table, which mainly load-balances across the multiple subnets of the remote VPC2: one subnet is selected, the source and destination MAC addresses are rewritten accordingly, and the traffic is sent back to the br-south bridge through the veth pair port of VPC2.
Referring to Fig. 14, matching proceeds as follows: the flow table is first matched at table=0, then at table=1, and then processing goes to the group flow table (each VPC with a peering has its own group flow table; the one hit here is the remote VPC's). This group flow table mainly selects one of the remote VPC's subnets at random; once a subnet is selected, the source and destination MAC addresses are rewritten.
In this example only one subnet is involved, so after execution the packet headers are: source IP = 10.10.1.10, source MAC = fa:16:3d:a0:a0:02 (the MAC address of the peer port reserved for the VPC2 subnet), destination IP = 10.10.2.10, destination MAC = fa:16:3e:00:02:01 (the MAC address of DVR2). After processing, the packet is sent back to the br-south bridge through the remote VPC's veth pair port.
8) On the br-south bridge, flow matching continues and then goes to the group flow table, which mainly load-balances across multiple DVR instances: one DVR instance is selected and the traffic is sent to the compute node hosting it.
Referring to Fig. 13, matching proceeds as follows: the flow table is first matched at table=0; because the packet entered from the veth pair port of the VPC bridge, processing goes to table=1; because the destination MAC is now the DVR MAC, processing goes to the group flow table.
This group flow table mainly schedules load-balanced delivery across the VPC's multiple DVR instances; the DVR instance on one compute node is finally selected, and the traffic is encapsulated in a VXLAN packet and sent to that target compute node.
The VXLAN packet leaving service NIC 3 has: source IP = 192.168.1.13, source MAC = 0a:16:3f:00:00:03, destination IP = 192.168.1.12, destination MAC = 0a:16:3f:00:00:02. Again, because of the VXLAN encapsulation the VM's inner headers are hidden.
9) The VXLAN packet is sent from service NIC 3 to service NIC 2 of the target compute node, where the br-tun bridge decapsulates it and matches the flow table; on a hit the traffic is sent to the br-int bridge.
The decapsulated packet headers are: source IP = 10.10.1.10, source MAC = fa:16:3d:a0:a0:02 (the MAC address of the peer port reserved for the VPC2 subnet), destination IP = 10.10.2.10, destination MAC = fa:16:3e:00:02:01 (the MAC address of DVR2).
Referring to Fig. 12, matching proceeds as follows: the flow table is first matched at table=0; because the packet entered from the VXLAN port, processing goes to table=4, where matching continues, and the traffic is finally sent out through the patch-int port to the br-int bridge.
10) On the br-int bridge, flow matching continues and the traffic is sent to the DVR2 instance.
11) In DVR2, the traffic matches the direct routing rule and is forwarded.
The packet headers received by DVR2 are: source IP = 10.10.1.10, source MAC = fa:16:3d:a0:a0:02 (the MAC address of the peer port reserved for the VPC2 subnet), destination IP = 10.10.2.10, destination MAC = fa:16:3e:00:02:01 (the MAC address of DVR2).
Direct routing rule in DVR2: destination = 10.10.2.0/24, next hop = directly connected interface.
Because the traffic matches the direct routing rule, DVR2 performs Layer 3 forwarding; the packet headers are now: source IP = 10.10.1.10, source MAC = fa:16:3e:00:02:01 (the MAC address of DVR2), destination IP = 10.10.2.10, destination MAC = fa:16:3e:44:55:66 (the MAC address of VM2).
12) The traffic is sent to the br-int bridge, matches the flow table and is finally forwarded to VM2.
The reverse forwarding process is similar and is not repeated here.
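The 12-step walk-through above, as an added example that is not part of the patent or of any product code: a Python model of the Ethernet rewrites and group-table selections along the path, driven by the addresses from the table. The hash-based bucket choice, the VPC2 peer-port IP, the compute-node lists and all function names are assumptions; the check at the end verifies the precondition the MAC-prefix classification silently relies on.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, replace

# Preset peer-port MAC prefix as given in the page's worked example.
PEER_PREFIX = "fa:16:3d:00:00:00/ff:ff:ff:00:00:00"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str


def mac_int(mac):
    return int(mac.replace(":", ""), 16)


def mac_matches(mac, spec):
    """Masked MAC match in the style of an OpenFlow dl_dst=addr/mask entry."""
    value, mask = spec.split("/")
    return mac_int(mac) & mac_int(mask) == mac_int(value) & mac_int(mask)


def in_segment(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def select_bucket(pkt, buckets):
    """Stand-in for an OVS 'select' group: a stable hash of the flow picks one
    bucket, so gateway nodes, subnets or DVR instances each get a share of flows."""
    digest = hashlib.sha256(f"{pkt.src_ip}>{pkt.dst_ip}".encode()).digest()
    return buckets[int.from_bytes(digest[:4], "big") % len(buckets)]


# Constructed topology from the page's Fig. 15 table; the VPC2 peer-port IP and the
# compute-node lists are assumptions. PEERINGS holds (local VPC, remote VPC) pairs.
VPCS = {
    "vpc1": {"dvr_mac": "fa:16:3e:00:01:01", "dvr_nodes": ["192.168.1.11"],
             "subnets": {"10.10.1.0/24": ("10.10.1.100", "fa:16:3d:a0:a0:01")}},
    "vpc2": {"dvr_mac": "fa:16:3e:00:02:01", "dvr_nodes": ["192.168.1.12"],
             "subnets": {"10.10.2.0/24": ("10.10.2.100", "fa:16:3d:a0:a0:02")}},
}
PEERINGS = {("vpc1", "vpc2"), ("vpc2", "vpc1")}
VM_MACS = {"10.10.1.10": "fa:16:3e:11:22:33", "10.10.2.10": "fa:16:3e:44:55:66"}
ARP = {**VM_MACS, **{ip: mac for v in VPCS.values() for ip, mac in v["subnets"].values()}}


def remote_vpc_for(local_vpc, dst_ip):
    """Which peered VPC owns dst_ip, or None if the destination is not peered."""
    for local, remote in PEERINGS:
        if local == local_vpc and any(in_segment(dst_ip, c) for c in VPCS[remote]["subnets"]):
            return remote
    return None


def dvr_forward(pkt, vpc):
    """Steps 3 and 11: policy routing inside a DVR instance. A destination inside this
    VPC takes the direct route; a destination in a peered VPC takes the peering rule,
    whose next hop is the peer port reserved for the *source* subnet. Only L2 changes."""
    cfg = VPCS[vpc]
    if pkt.dst_mac != cfg["dvr_mac"]:
        raise ValueError("frame is not addressed to this DVR")
    if any(in_segment(pkt.dst_ip, c) for c in cfg["subnets"]):
        next_hop = pkt.dst_ip                                  # direct route
    elif remote_vpc_for(vpc, pkt.dst_ip):
        src_subnet = next(c for c in cfg["subnets"] if in_segment(pkt.src_ip, c))
        next_hop = cfg["subnets"][src_subnet][0]               # peering route
    else:
        raise LookupError("no route for " + pkt.dst_ip)
    return replace(pkt, src_mac=cfg["dvr_mac"], dst_mac=ARP[next_hop])


def br_tun_is_peering(pkt, vpc):
    """br-tun table=20: peering traffic is recognised by the peer-port MAC prefix on
    the destination MAC plus a destination inside a peered VPC's segment."""
    return mac_matches(pkt.dst_mac, PEER_PREFIX) and remote_vpc_for(vpc, pkt.dst_ip) is not None


def gateway_forward(pkt, ingress_vpc):
    """Steps 6 to 8 on the gateway node: br-south -> br-conjoin -> br-south.
    Returns the rewritten frame and the compute node chosen for the remote DVR."""
    if not mac_matches(pkt.dst_mac, PEER_PREFIX):             # br-south table=4
        raise ValueError("not peering traffic; would not be sent to br-conjoin")
    cfg = VPCS[remote_vpc_for(ingress_vpc, pkt.dst_ip)]
    subnet = select_bucket(pkt, sorted(cfg["subnets"]))        # br-conjoin subnet group
    pkt = replace(pkt, src_mac=cfg["subnets"][subnet][1], dst_mac=cfg["dvr_mac"])
    node = select_bucket(pkt, cfg["dvr_nodes"])                # br-south DVR-instance group
    return pkt, node


def check_prefix_isolation():
    """Precondition a defender should verify: classification rests on the MAC prefix
    alone, so no VM or DVR MAC may fall inside the reserved prefix. Returns offenders."""
    candidates = list(VM_MACS.values()) + [v["dvr_mac"] for v in VPCS.values()]
    return [m for m in candidates if mac_matches(m, PEER_PREFIX)]


def trace_vm1_to_vm2():
    """Runs the page's example end to end; returns the frame seen at each hop."""
    pkt = Packet("10.10.1.10", VM_MACS["10.10.1.10"], "10.10.2.10", VPCS["vpc1"]["dvr_mac"])
    hops = [("vm1", pkt)]
    pkt = dvr_forward(pkt, "vpc1")
    hops.append(("dvr1", pkt))
    if not br_tun_is_peering(pkt, "vpc1"):
        raise RuntimeError("br-tun would not steer this frame to the gateway group")
    pkt, node = gateway_forward(pkt, "vpc1")
    hops.append(("gateway->" + node, pkt))
    pkt = dvr_forward(pkt, "vpc2")
    hops.append(("dvr2", pkt))
    return hops
```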
It should be noted that the above method embodiments may be implemented individually or in combination; this application does not limit this.
Fig. 16 is a structural block diagram of a cross-VPC traffic forwarding apparatus according to an exemplary embodiment. The apparatus is executed by the VPC peering gateway cluster in a VPC peering network that further includes a first VPC and a second VPC, and comprises a traffic receiving module 1601, an address information modification module 1602 and a traffic sending module 1603.
The traffic receiving module 1601 is configured to receive the peering traffic sent by the first VPC, whose media access control (MAC) address information is first MAC address information related to the MAC address of the first distributed virtual router (DVR) in the first VPC and the MAC address of the first peer port reserved for the first subnet in the first VPC.
The address information modification module 1602 is configured to change the MAC address information of the peering traffic from the first MAC address information to second MAC address information related to the MAC address of the second DVR in the second VPC and the MAC address of the second peer port reserved for the second subnet in the second VPC.
The traffic sending module 1603 is configured to send the peering traffic with modified address information to the second VPC.
In one possible implementation, a gateway node in the VPC peering gateway cluster includes br-conjoin and br-south; br-south has an interface for communicating with the VPCs, and a Veth Pair is established for each VPC between br-conjoin and br-south.
The address information modification module 1602 is configured such that:
after receiving the peering traffic sent by the first VPC, br-south sends it out through the first Veth Pair corresponding to the first VPC, to br-conjoin;
br-conjoin changes the source MAC address of the peering traffic from the MAC address of the first DVR in the first VPC to the MAC address of the second peer port reserved for the second subnet in the second VPC, and changes the destination MAC address from the MAC address of the first peer port reserved for the first subnet in the first VPC to the MAC address of the second DVR in the second VPC.
The traffic sending module 1603 is configured such that:
br-conjoin sends the peering traffic with modified address information out through the second Veth Pair corresponding to the second VPC, to br-south;
br-south sends the peering traffic with modified address information to the second VPC.
In one possible implementation, br-conjoin contains a subnet selection group flow table corresponding to the second VPC, which selects a subnet of the second VPC in a load-balanced manner.
The address information modification module 1602 is configured such that, before br-conjoin changes the source MAC address of the peering traffic from the MAC address of the first DVR in the first VPC to the MAC address of the second peer port reserved for the second subnet in the second VPC, br-conjoin uses the subnet selection group flow table to select the second subnet in the second VPC.
In one possible implementation, br-south contains a DVR instance selection group flow table corresponding to the second DVR, which selects a DVR instance of the second DVR in a load-balanced manner.
The traffic sending module 1603 is configured such that:
br-south uses the DVR instance selection group flow table to select the target DVR instance of the second DVR;
br-south sends the peering traffic with modified address information to the target DVR instance of the second DVR.
In one possible implementation, the MAC address of the first peer port and the MAC address of the second peer port correspond to a preset MAC address prefix, which is used during flow table matching to mark the traffic as cross-VPC forwarded traffic.
Fig. 17 is a structural block diagram of a cross-VPC traffic forwarding apparatus according to an exemplary embodiment. The apparatus is executed by the first VPC in a VPC peering network; the VPC peering network further includes a VPC peering gateway cluster and a second VPC. The apparatus includes a traffic generation module 1701, an address information modification module 1702 and a traffic sending module 1703;
the traffic generation module 1701 is configured to generate peering traffic whose media access control (MAC) address information is third MAC address information, the third MAC address information being associated with the MAC address of a first distributed virtual router (DVR) in the first VPC and the MAC address of a first virtual machine (VM) in the first VPC;
the address information modification module 1702 is configured to modify the MAC address information of the peering traffic from the third MAC address information to first MAC address information, the first MAC address information being associated with the MAC address of the first DVR in the first VPC and the MAC address of a first peer port reserved by a first subnet in the first VPC;
the traffic sending module 1703 is configured to send the peering traffic with the modified address information to the VPC peering gateway cluster, so that the VPC peering gateway cluster forwards the peering traffic to the second VPC.
In a possible implementation, the first DVR in the first VPC includes a peering routing rule, the peering routing rule including: when the destination IP address of traffic belongs to the destination network segment of another VPC, the next hop is the IP address of the peer port reserved by the subnet from which the traffic originates;
the address information modification module 1702 is configured to:
after the first DVR receives the peering traffic sent by the first VM, based on the peering routing rule, modify the source MAC address of the peering traffic from the MAC address of the first VM in the first VPC to the MAC address of the first DVR in the first VPC, and modify the destination MAC address of the peering traffic from the MAC address of the first DVR in the first VPC to the MAC address of the first peer port reserved by the first subnet in the first VPC.
In a possible implementation, the VPC peering gateway cluster includes at least one gateway node group, each gateway node group including at least one gateway node, and the peering connection between the first VPC and the second VPC is carried by a target gateway node group among the at least one gateway node group;
the traffic sending module 1703 is configured to:
the first DVR sends the peering traffic with the modified address information to the br-tun in the first VPC, the br-tun including a gateway node selection group flow table corresponding to the target gateway node group, the gateway node selection group flow table being used to make a load-balanced selection among the gateway nodes of the target gateway node group;
the br-tun uses the gateway node selection group flow table to select a target gateway node in the target gateway node group;
the br-tun sends the peering traffic with the modified address information to the target gateway node.
In a possible implementation, the MAC address of the first peer port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used, during flow table matching of traffic, to identify that the traffic is cross-VPC forwarded traffic.
Fig. 18 is a structural block diagram of a cross-VPC traffic forwarding apparatus according to an exemplary embodiment. The apparatus is executed by the second VPC in a VPC peering network; the VPC peering network further includes a VPC peering gateway cluster and a first VPC. The apparatus includes a traffic receiving module 1801, an address information modification module 1802 and a traffic sending module 1803;
the traffic receiving module 1801 is configured to receive peering traffic sent by the VPC peering gateway cluster, the peering traffic having been received by the VPC peering gateway cluster from the first VPC, the media access control (MAC) address information of the peering traffic being second MAC address information, the second MAC address information being associated with the MAC address of a second distributed virtual router (DVR) in the second VPC and the MAC address of a second peer port reserved by a second subnet in the second VPC;
the address information modification module 1802 is configured to modify the MAC address information of the peering traffic from the second MAC address information to fourth MAC address information, the fourth MAC address information being associated with the MAC address of the second DVR in the second VPC and the MAC address of a second virtual machine (VM) in the second VPC;
the traffic sending module 1803 is configured to send the peering traffic with the modified address information to the second VM.
In a possible implementation, the second DVR in the second VPC includes a directly connected routing rule, the directly connected routing rule including: when the destination IP address of traffic belongs to the destination network segment of the second VPC, the next hop is the directly connected network interface corresponding to the subnet to which the second VM belongs;
the address information modification module 1802 is configured to:
after the second DVR receives the peering traffic sent by the VPC peering gateway cluster, based on the directly connected routing rule, modify the source MAC address of the peering traffic from the MAC address of the second peer port reserved by the second subnet in the second VPC to the MAC address of the second DVR in the second VPC, and modify the destination MAC address of the peering traffic from the MAC address of the second DVR in the second VPC to the MAC address of the second VM in the second VPC.
In a possible implementation, the MAC address of the second peer port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used, during flow table matching of traffic, to identify that the traffic is cross-VPC forwarded traffic.
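The three apparatus descriptions above (gateway side with br-conjoin and br-south, first VPC side with the first DVR and br-tun, second VPC side with the second DVR) together define one MAC-rewrite path. The following Python simulation is an added example and is not code from the patent or from any product: it models each hop as a function, uses a masked MAC match in the style of an OVS `dl_dst=VALUE/MASK` match to recognise the preset peer-port prefix, and approximates each "selection group flow table" as a deterministic hash over the IP pair (real OVS select groups hash differently). The prefix `02:5c:00`, all MAC and IP values, the gateway node names and the DVR instance names are constructed for the example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, replace

# Constructed preset MAC prefix (24 bits) shared by every reserved peer port.
PEER_PREFIX = "02:5c:00:00:00:00"
PEER_MASK = "ff:ff:ff:00:00:00"


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def mac_matches(mac: str, value: str, mask: str) -> bool:
    """Masked MAC match, like an OVS dl_src/dl_dst match with a mask."""
    m = mac_to_int(mask)
    return mac_to_int(mac) & m == mac_to_int(value) & m


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def select_member(members, pkt: Packet):
    """Stand-in for a 'select' group: deterministic bucket choice by IP pair."""
    h = hashlib.sha256(f"{pkt.src_ip}>{pkt.dst_ip}".encode()).digest()
    return members[int.from_bytes(h[:4], "big") % len(members)]


# Constructed topology (not from the patent) ---------------------------------
VPC1 = {
    "cidr": ipaddress.ip_network("10.1.0.0/16"),
    "dvr_mac": "fa:16:3e:dd:00:01",
    "subnets": {ipaddress.ip_network("10.1.1.0/24"): "02:5c:00:01:01:01"},
    "vms": {"10.1.1.10": "fa:16:3e:aa:00:01"},
}
VPC2 = {
    "cidr": ipaddress.ip_network("10.2.0.0/16"),
    "dvr_mac": "fa:16:3e:dd:00:02",
    "dvr_instances": ["dvr2-a", "dvr2-b"],
    "subnets": {  # subnet -> MAC of the peer port reserved by that subnet
        ipaddress.ip_network("10.2.1.0/24"): "02:5c:00:02:01:01",
        ipaddress.ip_network("10.2.2.0/24"): "02:5c:00:02:02:01",
    },
    "vms": {"10.2.1.20": "fa:16:3e:bb:00:02"},
}
GATEWAY_NODES = ["gw-0", "gw-1", "gw-2"]  # the target gateway node group


def subnet_of(vpc, ip: str):
    addr = ipaddress.ip_address(ip)
    for net in vpc["subnets"]:
        if addr in net:
            return net
    raise ValueError(f"{ip} is not in any subnet of this VPC")


def dvr1_rewrite(pkt: Packet) -> Packet:
    """First DVR, peering routing rule: destination in another VPC, so the
    next hop is the peer port reserved by the *source* subnet."""
    if pkt.dst_mac != VPC1["dvr_mac"]:
        raise ValueError("traffic must be addressed to the first DVR")
    if ipaddress.ip_address(pkt.dst_ip) in VPC1["cidr"]:
        raise ValueError("intra-VPC traffic is not peering traffic")
    peer_mac = VPC1["subnets"][subnet_of(VPC1, pkt.src_ip)]
    return replace(pkt, src_mac=VPC1["dvr_mac"], dst_mac=peer_mac)


def br_tun_forward(pkt: Packet) -> str:
    """br-tun: the prefix match identifies cross-VPC traffic, then the
    gateway node selection group picks a node of the target group."""
    if not mac_matches(pkt.dst_mac, PEER_PREFIX, PEER_MASK):
        raise ValueError("not cross-VPC traffic; would take the normal path")
    return select_member(GATEWAY_NODES, pkt)


def br_conjoin_rewrite(pkt: Packet) -> Packet:
    """Gateway br-conjoin: subnet selection group picks a second-VPC subnet,
    then src MAC -> that subnet's peer port, dst MAC -> second DVR."""
    if not mac_matches(pkt.dst_mac, PEER_PREFIX, PEER_MASK):
        raise ValueError("not cross-VPC traffic")
    subnet = select_member(sorted(VPC2["subnets"], key=str), pkt)
    return replace(pkt, src_mac=VPC2["subnets"][subnet], dst_mac=VPC2["dvr_mac"])


def br_south_forward(pkt: Packet) -> str:
    """br-south: source-prefix match, then DVR instance selection group."""
    if not mac_matches(pkt.src_mac, PEER_PREFIX, PEER_MASK):
        raise ValueError("not cross-VPC traffic")
    return select_member(VPC2["dvr_instances"], pkt)


def dvr2_rewrite(pkt: Packet) -> Packet:
    """Second DVR, directly connected route: src MAC -> DVR, dst MAC -> VM."""
    vm_mac = VPC2["vms"][pkt.dst_ip]  # KeyError if the destination VM is unknown
    return replace(pkt, src_mac=VPC2["dvr_mac"], dst_mac=vm_mac)


def forward(pkt: Packet) -> dict:
    """Run the whole path and return the state after every hop."""
    p1 = dvr1_rewrite(pkt)
    gw = br_tun_forward(p1)
    p2 = br_conjoin_rewrite(p1)
    inst = br_south_forward(p2)
    p3 = dvr2_rewrite(p2)
    return {"after_dvr1": p1, "gateway": gw, "after_conjoin": p2,
            "dvr_instance": inst, "delivered": p3}


if __name__ == "__main__":
    vm1 = Packet("fa:16:3e:aa:00:01", VPC1["dvr_mac"], "10.1.1.10", "10.2.1.20")
    for hop, state in forward(vm1).items():
        print(hop, state)
```

Two points the simulation makes visible that the prose does not: the IP header is never touched, only the two MAC fields are rewritten at each of the three routing hops, and the prefix check is what keeps a frame from a non-peer port out of the gateway group and the DVR instance group, so a reserved prefix that ordinary ports could also carry would defeat that separation.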
It should be noted that the cross-VPC traffic forwarding apparatus provided by the above embodiments is described only by way of example using the division of functional modules given above; in practical applications, the above functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to perform all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; their specific implementation is detailed in the method embodiments and is not repeated here.
Referring to Fig. 19, which is a schematic diagram of a computer device provided according to an exemplary embodiment of the present application, the computer device includes a memory and a processor, the memory is configured to store a computer program, and the computer program, when executed by the processor, implements the cross-VPC traffic forwarding method described above.
The processor may be a central processing unit (CPU). The processor may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component or other chip, or a combination of the above types of chips.
As a non-transitory computer-readable storage medium, the memory may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the method in the embodiments of the present invention. By running the non-transitory software programs, instructions and modules stored in the memory, the processor executes its various functional applications and data processing, that is, implements the method in the method embodiments described above.
The memory may include a program storage area and a data storage area, where the program storage area may store an operating system and the application program required by at least one function, and the data storage area may store data created by the processor and the like. In addition, the memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include memory located remotely from the processor, and such remote memory may be connected to the processor through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
In an exemplary embodiment, a computer-readable storage medium is also provided for storing at least one computer program, the at least one computer program being loaded and executed by a processor to implement all or part of the steps of the above method. For example, the computer-readable storage medium may be a read-only memory (ROM), a random access memory (RAM), a compact disc read-only memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device, or the like.
Other embodiments of the present application will be readily apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations of the present application that follow its general principles and include common knowledge or customary technical means in the art not disclosed in the present application. The specification and examples are to be considered exemplary only, with the true scope and spirit of the present application indicated by the following claims.
It should be understood that the present application is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210911121.6A CN115499434B (en) | 2022-07-29 | 2022-07-29 | Traffic forwarding across VPCs |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210911121.6A CN115499434B (en) | 2022-07-29 | 2022-07-29 | Traffic forwarding across VPCs |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115499434A true CN115499434A (en) | 2022-12-20 |
| CN115499434B CN115499434B (en) | 2024-10-01 |
Family
ID=84466443
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210911121.6A Active CN115499434B (en) | 2022-07-29 | 2022-07-29 | Traffic forwarding across VPCs |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115499434B (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117014371A (en) * | 2023-07-05 | 2023-11-07 | 曙光云计算集团有限公司 | Network traffic processing method and device, electronic equipment and storage medium |
| WO2024230820A1 (en) * | 2023-05-11 | 2024-11-14 | 阿里云计算有限公司 | Network system based on virtual extensible local area network, node, and communication method |
| WO2024239586A1 (en) * | 2023-05-22 | 2024-11-28 | 华为云计算技术有限公司 | Cloud system based on public cloud service, packet processing method, and related device |
| CN119697196A (en) * | 2024-11-26 | 2025-03-25 | 天翼云科技有限公司 | A method, device, electronic device and storage medium for data interaction between clusters |
| CN119892399A (en) * | 2024-12-06 | 2025-04-25 | 天翼云科技有限公司 | Private network NAT (network Address translation) cross-virtual private cloud interconnection access method and device |
| US12425326B2 (en) | 2023-10-11 | 2025-09-23 | International Business Machines Corporation | Distributed transit gateway |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160149751A1 (en) * | 2014-11-21 | 2016-05-26 | Cisco Technology, Inc. | Recovering from virtual port channel peer failure |
| CN107070691A (en) * | 2017-01-12 | 2017-08-18 | 阿里巴巴集团控股有限公司 | Docker containers across host communication method and system |
| CN108429680A (en) * | 2018-03-07 | 2018-08-21 | 北京优帆科技有限公司 | A virtual private cloud-based routing configuration method, system, medium and equipment |
| CN109361764A (en) * | 2018-11-29 | 2019-02-19 | 杭州数梦工场科技有限公司 | The interior service access method across VPC, device, equipment and readable storage medium storing program for executing |
| CN109450905A (en) * | 2018-11-20 | 2019-03-08 | 郑州云海信息技术有限公司 | Transmit the method and apparatus and system of data |
| WO2020041074A1 (en) * | 2018-08-24 | 2020-02-27 | Vmware, Inc. | Intelligent use of peering in public cloud |
| CN111030912A (en) * | 2018-10-09 | 2020-04-17 | 华为技术有限公司 | Methods of Interworking Between Virtual Private Clouds and VPCs |
| CN111510367A (en) * | 2020-04-17 | 2020-08-07 | 上海思询信息科技有限公司 | VPC network cross-cluster intercommunication realization method and system based on VX L AN tunnel |
| CN111917649A (en) * | 2019-05-10 | 2020-11-10 | 华为技术有限公司 | Virtual private cloud communication and configuration method and related device |
| CN113132201A (en) * | 2019-12-30 | 2021-07-16 | 华为技术有限公司 | Communication method and device between VPCs |
| CN113783781A (en) * | 2021-08-13 | 2021-12-10 | 济南浪潮数据技术有限公司 | Method and device for interworking between virtual private clouds |
2022
- 2022-07-29 CN CN202210911121.6A patent/CN115499434B/en active Active
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160149751A1 (en) * | 2014-11-21 | 2016-05-26 | Cisco Technology, Inc. | Recovering from virtual port channel peer failure |
| CN107070691A (en) * | 2017-01-12 | 2017-08-18 | 阿里巴巴集团控股有限公司 | Docker containers across host communication method and system |
| CN108429680A (en) * | 2018-03-07 | 2018-08-21 | 北京优帆科技有限公司 | A virtual private cloud-based routing configuration method, system, medium and equipment |
| WO2020041074A1 (en) * | 2018-08-24 | 2020-02-27 | Vmware, Inc. | Intelligent use of peering in public cloud |
| CN112640369A (en) * | 2018-08-24 | 2021-04-09 | Vm维尔股份有限公司 | Intelligently using peers in a public cloud |
| CN111030912A (en) * | 2018-10-09 | 2020-04-17 | 华为技术有限公司 | Methods of Interworking Between Virtual Private Clouds and VPCs |
| CN109450905A (en) * | 2018-11-20 | 2019-03-08 | 郑州云海信息技术有限公司 | Transmit the method and apparatus and system of data |
| CN109361764A (en) * | 2018-11-29 | 2019-02-19 | 杭州数梦工场科技有限公司 | The interior service access method across VPC, device, equipment and readable storage medium storing program for executing |
| CN111917649A (en) * | 2019-05-10 | 2020-11-10 | 华为技术有限公司 | Virtual private cloud communication and configuration method and related device |
| CN113132201A (en) * | 2019-12-30 | 2021-07-16 | 华为技术有限公司 | Communication method and device between VPCs |
| CN111510367A (en) * | 2020-04-17 | 2020-08-07 | 上海思询信息科技有限公司 | VPC network cross-cluster intercommunication realization method and system based on VX L AN tunnel |
| CN113783781A (en) * | 2021-08-13 | 2021-12-10 | 济南浪潮数据技术有限公司 | Method and device for interworking between virtual private clouds |
Non-Patent Citations (2)
| Title |
|---|
| RUI ZHU: "Optimal multicast in virtualized datacenter networks with software switches", IEEE INFOCOM 2017 - IEEE CONFERENCE ON COMPUTER COMMUNICATIONS, 5 October 2017 (2017-10-05) * |
| 崔双红: "基于OpenStack Neutron的VPC互通机制的设计与实现", CNKI优秀硕士学位论文全文库, 15 June 2022 (2022-06-15) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115499434B (en) | 2024-10-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN115499434B (en) | | Traffic forwarding across VPCs |
| US11375005B1 (en) | | High availability solutions for a secure access service edge application |
| US12267364B2 (en) | | Network management services in a virtual network |
| US20230025586A1 (en) | | Network management services in a secure access service edge application |
| US20230026330A1 (en) | | Network management services in a point-of-presence |
| EP2829031B1 (en) | | Virtual router terminating an overlay tunnel in a storage area network |
| US10116559B2 (en) | | Operations, administration and management (OAM) in overlay data center environments |
| CN103200069B (en) | | A kind of method and apparatus of Message processing |
| CN106936777B (en) | | Cloud computing distributed network implementation method and system based on OpenFlow |
| CN108347493B (en) | | Hybrid cloud management method, apparatus and computing device |
| KR102054338B1 (en) | | Routing vlan tagged packets to far end addresses of virtual forwarding instances using separate administrations |
| EP4282141A1 (en) | | Network management services in a point-of-presence |
| WO2020041074A1 (en) | | Intelligent use of peering in public cloud |
| CN106101023B (en) | | A kind of VPLS message processing method and equipment |
| CN107770062A (en) | | A kind of data packet sending method, device and the network architecture |
| EP3937436B1 (en) | | Packet forwarding method and apparatus |
| WO2019184653A1 (en) | | Link configuration method and controller |
| CN112769584B (en) | | Method, device and storage medium for sharing upper link by network slice |
| WO2022053007A1 (en) | | Network reachability verification method and apparatus, and computer storage medium |
| CN107995110B (en) | | Traffic forwarding method and device |
| CN117880097A (en) | | Cloud tenant EIP migration method, device, computer equipment and storage medium |
| CN115913819A (en) | | Communication method and related device |
| CN114500171A (en) | | Network system and message transmission method |
| CN118353837A (en) | | A gateway configuration method, system and medium |
| CN115604056A (en) | | Efficient storage implementation of downstream VXLAN identifiers |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |