CN117176673A - Method, system, device and computer equipment for realizing peer-to-peer connection between subnets - Google Patents
- Publication number
- CN117176673A (application CN202311257540.3A)
- Authority
- CN
- China
- Prior art keywords
- virtual router
- virtual
- data packet
- subnet
- router
- Prior art date
- Legal status (as listed by Google Patents; not a legal conclusion)
- Pending
Description
Technical field
The present disclosure relates to the field of computer network technology, and specifically to a method, system, device and computer equipment for establishing a peering connection between subnets.
Background
With the development of cloud computing, more and more enterprises are migrating their business to the cloud and use switches and related equipment to share cloud network resources. Cloud computing lets enterprises manage and use resources more efficiently while lowering management and maintenance costs. Enterprises' requirements for network security and network isolation gave rise to VPC (Virtual Private Cloud) technology: networks inside a VPC can reach one another, while networks in different VPCs are isolated. Peering connection technology emerged so that designated subnets of selected VPCs can exchange traffic while isolation between VPCs is otherwise preserved.
A peering connection is a cloud network solution built on physical network equipment that offers higher security and stability. It builds a network tunnel between two mutually isolated VPCs and allows some of their subnets to communicate with each other, satisfying both the isolation and the interconnection requirements. In traditional peering solutions, however, users usually have to perform tedious configuration and management on hardware network devices; the operations are complex and require considerable manual effort, which raises the enterprise's labour costs.
Summary of the invention
In view of this, the present disclosure provides a method, system, device and computer equipment for establishing a peering connection between subnets, to address the problem that traditional peering solutions require users to perform tedious, complex configuration and management on hardware network devices at a high cost in manual effort.
In a first aspect, the present disclosure provides a method for establishing a peering connection between subnets. The method is applied to a cloud platform and includes:
obtaining request information and network configuration information issued by a user;
obtaining, from the request information and the network configuration information, the first subnet of the local virtual private cloud that is to be connected, the first network to which the first subnet belongs, the second subnet of the peer virtual private cloud that is to be connected, the second network to which the second subnet belongs, the virtual router of the local virtual private cloud and the virtual router of the peer virtual private cloud, where the first subnet and the second subnet are the network objects between which the peering connection is established and the network addresses of the first subnet and the second subnet do not overlap;
determining, from a router mapping relationship, the first virtual router in a first switch that corresponds to the virtual router of the local virtual private cloud, and determining, from the router mapping relationship, the second virtual router in the first switch that corresponds to the virtual router of the peer virtual private cloud, where the router mapping relationship stores the correspondence between each virtual router in each switch and the virtual router of the local virtual private cloud or the virtual router of the peer virtual private cloud;
sending a data packet issued by the first subnet through the first network to the first virtual router;
receiving the data packet returned by the second virtual router;
sending the data packet to the second subnet of the second network.
In this embodiment of the disclosure, the leaf-spine architecture is used to obtain the first switch on which the subnet peering connection between the local virtual private cloud and the peer virtual private cloud of the cloud platform depends. From the router mapping relationship, the first virtual router in the first switch that corresponds to the local virtual private cloud's virtual router and the second virtual router in the first switch that corresponds to the peer virtual private cloud's virtual router are determined. The data packet issued by the first subnet of the local virtual private cloud is then transmitted to the first virtual router of the first switch, the data packet returned by the second virtual router of the first switch is received, and it is sent to the second subnet of the second network. This achieves interconnection between different VPCs while controlling, at fine granularity, exactly which subnets are interconnected; it satisfies both the security requirement of network isolation between VPCs and the requirement that designated subnets of different VPCs communicate, and thereby removes the tedious configuration and management on hardware network devices that traditional peering solutions demand of users.
In an optional embodiment, obtaining, from the request information and the network configuration information, the first subnet of the local virtual private cloud to be connected, the first network to which the first subnet belongs, the second subnet of the peer virtual private cloud to be connected, the second network to which the second subnet belongs, the virtual router of the local virtual private cloud and the virtual router of the peer virtual private cloud includes:
determining, from the request information, the first subnet of the local virtual private cloud to be connected and the second subnet of the peer virtual private cloud to be connected;
determining, from the network configuration information, the virtual router of the local virtual private cloud, the virtual router of the peer virtual private cloud, the first network and the second network.
In an optional embodiment, there is at least one first subnet and at least one second subnet.
In a second aspect, embodiments of the present disclosure provide a method for establishing a peering connection between subnets. The method is applied to a first switch and includes:
a first virtual router receiving a data packet sent from the first network of the local virtual private cloud, where a mapping relationship exists between the first virtual router of the first switch and the virtual router of the local virtual private cloud, and the data packet is data issued by the first subnet to be connected within the first network of the local virtual private cloud;
sending the data packet to a third virtual router in a second switch, where a mapping relationship exists between the first virtual router and the third virtual router;
a second virtual router receiving the data packet returned by a fourth virtual router in the second switch, where a mapping relationship exists between the second virtual router and the fourth virtual router;
the second virtual router sending the data packet to the peer virtual private cloud.
In this embodiment, direct communication between the cloud platform and the physical switch reduces the cloud platform's dependence on third-party SDN and improves the cloud platform's network capability and product competitiveness.
In a third aspect, embodiments of the present disclosure provide a method for establishing a peering connection between subnets. The method is applied to a second switch and includes:
a third virtual router receiving the data packet forwarded by the first virtual router in the first switch, where a mapping relationship exists between the third virtual router and the first virtual router, and the data packet is data issued by the first subnet to be connected within the first network of the local virtual private cloud;
sending the data packet through the third virtual router to a firewall;
receiving a verification-passed instruction and the returned data packet from the firewall;
sending the data packet through a fourth virtual router to the second virtual router of the first switch, where a mapping relationship exists between the second virtual router and the fourth virtual router.
In this embodiment, implementing the solution on hardware switches and a firewall provides more reliable and more efficient network transmission than a purely software-based implementation.
In a fourth aspect, embodiments of the present disclosure provide a method for establishing a peering connection between subnets. The method is applied to a firewall and includes:
receiving a data packet sent by the third virtual router in the second switch, where the data packet is data issued by the first subnet to be connected within the first network of the local virtual private cloud;
obtaining the source address and destination address of the data packet;
matching the source address and destination address against preset rules to obtain a matching result, where the preset rules are expressed in terms of the original source address and the original destination address;
issuing, according to the matching result, a verification-passed instruction together with the data packet, and sending the data packet to the fourth virtual router of the second switch.
In this embodiment, a firewall verifies whether the data packet satisfies the preset rules, and the matching result is used as the condition for forwarding the packet, which improves the security of communication between the designated networks of different VPCs.
In a fifth aspect, embodiments of the present disclosure provide a system for establishing a peering connection between subnets. The system includes a cloud platform, a first switch, a second switch and a firewall;
the cloud platform obtains request information and network configuration information issued by a user;
the cloud platform obtains, from the request information and the network configuration information, the first subnet of the local virtual private cloud to be connected, the first network to which the first subnet belongs, the second subnet of the peer virtual private cloud to be connected, the second network to which the second subnet belongs, the virtual router of the local virtual private cloud and the virtual router of the peer virtual private cloud, where the first subnet and the second subnet are the network objects between which the peering connection is established and their network addresses do not overlap;
the cloud platform determines, from a router mapping relationship, the first virtual router in the first switch that corresponds to the local virtual private cloud's virtual router and the second virtual router in the first switch that corresponds to the peer virtual private cloud's virtual router, where the router mapping relationship stores the correspondence between each virtual router in each switch and the virtual router of the local or the peer virtual private cloud;
the cloud platform sends the data packet issued by the first subnet of the local virtual private cloud through the first network to the first virtual router;
after receiving the data packet, the first virtual router of the first switch sends it to the third virtual router of the second switch, where a mapping relationship exists between the third virtual router and the first virtual router;
after receiving the data packet, the third virtual router sends it on to the firewall;
after receiving the data packet, the firewall obtains its source address and destination address;
the firewall matches the source address and destination address against preset rules to obtain a matching result, where the preset rules are expressed in terms of the original source address and the original destination address;
according to the matching result, the firewall issues a verification-passed instruction together with the data packet and sends the packet to the fourth virtual router of the second switch;
after receiving the data packet, the fourth virtual router sends it to the second virtual router of the first switch, where a mapping relationship exists between the second virtual router and the fourth virtual router;
after receiving the data packet, the second virtual router sends it to the peer virtual private cloud;
after receiving the data packet, the virtual router of the cloud platform's peer virtual private cloud sends it to the second subnet of the second network.
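The second to fifth aspects above describe one data path: first virtual router, third virtual router, firewall, fourth virtual router, second virtual router, with the firewall's source/destination match as the forwarding condition. The following Python model of that path is an added example written for this page; it is not code from the patent or from any product. The virtual router names (vr-1 to vr-4, vpc1-router, vpc2-router), the representation of the preset rules as (source subnet, destination subnet) pairs, the sample addresses and the default-deny behaviour when no rule matches are all assumptions; the page only states that the matching result is the forwarding condition.

```python
"""Added example (not the patent's code): packet path VR1 -> VR3 -> firewall ->
VR4 -> VR2 with the firewall's source/destination rule match as the
forwarding condition. Names, rule layout and sample addresses are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str   # original source address
    dst: str   # original destination address


class Firewall:
    """Holds preset rules written against the original source and destination
    addresses and returns a pass/fail verdict for each packet."""

    def __init__(self, rules):
        # each rule: (source subnet, destination subnet) allowed to communicate
        self.rules = [(ip_network(s), ip_network(d)) for s, d in rules]
        self.log = []

    def verify(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for s_net, d_net in self.rules:
            if src in s_net and dst in d_net:
                self.log.append(f"PASS {pkt.src} -> {pkt.dst} by rule {s_net} -> {d_net}")
                return True
        # Assumption: with no matching rule no verification-passed instruction is
        # issued, so the packet is not forwarded.
        self.log.append(f"DROP {pkt.src} -> {pkt.dst}: no matching rule")
        return False


class Fabric:
    """Virtual routers of the first switch (leaf) and second switch (spine),
    plus the firewall reached from the second switch."""

    def __init__(self, firewall, router_map, switch_map):
        self.fw = firewall
        self.router_map = router_map   # VPC virtual router -> virtual router on first switch
        self.switch_map = switch_map   # first-switch virtual router -> mapped second-switch one

    def deliver(self, pkt, local_router, peer_router):
        """Walk the packet along the path; return (hops visited, delivered?)."""
        vr1 = self.router_map[local_router]   # first virtual router (first switch)
        vr3 = self.switch_map[vr1]             # third virtual router (second switch)
        hops = [local_router, vr1, vr3, "firewall"]
        if not self.fw.verify(pkt):
            return hops, False                 # stops at the firewall
        vr2 = self.router_map[peer_router]     # second virtual router (first switch)
        vr4 = self.switch_map[vr2]             # fourth virtual router (second switch)
        hops += [vr4, vr2, peer_router]
        return hops, True


# Constructed sample topology and policy (assumptions, not from the page).
# Only 10.1.1.0/24 (VPC1) and 10.2.1.0/24 (VPC2) take part in the peering;
# rules are directional, so the return direction has its own entry.
FIREWALL = Firewall([("10.1.1.0/24", "10.2.1.0/24"), ("10.2.1.0/24", "10.1.1.0/24")])
FABRIC = Fabric(
    FIREWALL,
    router_map={"vpc1-router": "vr-1", "vpc2-router": "vr-2"},
    switch_map={"vr-1": "vr-3", "vr-2": "vr-4"},
)

SAMPLE_PACKETS = [
    Packet("10.1.1.5", "10.2.1.9"),   # peered subnet to peered subnet: forwarded
    Packet("10.1.1.5", "10.2.2.9"),   # destination inside VPC2 but outside the peering: dropped
    Packet("10.1.3.7", "10.2.1.9"),   # source inside VPC1 but outside the peering: dropped
]


def run_samples():
    """Return one (packet, hops, delivered) tuple per sample packet."""
    return [(p, *FABRIC.deliver(p, "vpc1-router", "vpc2-router")) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, hops, ok in run_samples():
        print("delivered" if ok else "dropped  ", pkt.src, "->", pkt.dst, "via", " -> ".join(hops))
    print(*FIREWALL.log, sep="\n")
```

Two points the model makes visible. The check is on addresses only, exactly as the page describes it, so ports, protocols and connection state are outside it, and a rule must exist for each direction that is meant to work. Because the rules are written against the original source and destination addresses, the verdict is only meaningful if no address translation happens between the first subnet and the firewall; a packet whose source has been rewritten would be judged against the wrong subnet.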
In a sixth aspect, embodiments of the present disclosure provide a device for establishing a peering connection between subnets. The device is a cloud platform and includes:
a first acquisition module for obtaining request information and network configuration information issued by a user;
a first obtaining module for obtaining, from the request information and the network configuration information, the first subnet of the local virtual private cloud to be connected, the first network to which the first subnet belongs, the second subnet of the peer virtual private cloud to be connected, the second network to which the second subnet belongs, the virtual router of the local virtual private cloud and the virtual router of the peer virtual private cloud, where the first subnet and the second subnet are the network objects between which the peering connection is established and their network addresses do not overlap;
a determination module for determining, from a router mapping relationship, the first virtual router in the first switch that corresponds to the local virtual private cloud's virtual router and the second virtual router in the first switch that corresponds to the peer virtual private cloud's virtual router, where the router mapping relationship stores the correspondence between each virtual router in each switch and the virtual router of the local or the peer virtual private cloud;
a first sending module for sending the data packet issued by the first subnet through the first network to the first virtual router;
a first receiving module for receiving the data packet returned by the second virtual router;
a second sending module for sending the data packet to the second subnet of the second network.
In a seventh aspect, embodiments of the present disclosure provide a device for establishing a peering connection between subnets. The device is a first switch and includes:
a second receiving module by which the first virtual router receives a data packet sent from the first network of the local virtual private cloud, where a mapping relationship exists between the first virtual router of the first switch and the virtual router of the local virtual private cloud, and the data packet is data issued by the first subnet to be connected within the first network of the local virtual private cloud;
a third sending module for sending the data packet to the third virtual router in the second switch, where a mapping relationship exists between the first virtual router and the third virtual router;
a third receiving module by which the second virtual router receives the data packet returned by the fourth virtual router in the second switch, where a mapping relationship exists between the second virtual router and the fourth virtual router;
a fourth sending module by which the second virtual router sends the data packet to the peer virtual private cloud.
In an eighth aspect, embodiments of the present disclosure provide a device for establishing a peering connection between subnets. The device is a second switch and includes:
a fourth receiving module by which the third virtual router receives the data packet forwarded by the first virtual router in the first switch, where a mapping relationship exists between the third virtual router and the first virtual router, and the data packet is data issued by the first subnet to be connected within the first network of the local virtual private cloud;
a fifth sending module for sending the data packet through the third virtual router to the firewall;
a fifth receiving module for receiving the firewall's verification-passed instruction and the returned data packet;
a sixth sending module for sending the data packet through the fourth virtual router to the second virtual router of the first switch, where a mapping relationship exists between the second virtual router and the fourth virtual router.
In a ninth aspect, embodiments of the present disclosure provide a device for establishing a peering connection between subnets. The device is a firewall and includes:
a sixth receiving module for receiving the data packet sent by the third virtual router in the second switch, where the data packet is data issued by the first subnet to be connected within the first network of the local virtual private cloud;
a second acquisition module for obtaining the source address and destination address of the data packet;
a second obtaining module for matching the source address and destination address against preset rules to obtain a matching result, where the preset rules are expressed in terms of the original source address and the original destination address;
a seventh sending module for issuing, according to the matching result, a verification-passed instruction together with the data packet, and sending the data packet to the fourth virtual router of the second switch.
In a tenth aspect, the present disclosure provides computer equipment including a memory and a processor that are communicatively connected to each other. The memory stores computer instructions, and by executing them the processor carries out the method for establishing a peering connection between subnets of the first aspect or of any of its corresponding embodiments.
In an eleventh aspect, the present disclosure provides a computer-readable storage medium storing computer instructions that cause a computer to carry out the method for establishing a peering connection between subnets of the first aspect or of any of its corresponding embodiments.
Brief description of the drawings
To explain the specific embodiments of the present disclosure or the technical solutions of the prior art more clearly, the drawings needed in the description of the specific embodiments or of the prior art are briefly introduced below. The drawings described below show some embodiments of the present disclosure; those of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a schematic diagram of the interconnection of the networks within a VPC;
Figure 2 is a schematic flowchart of a method for establishing a peering connection between subnets according to an embodiment of the present disclosure;
Figure 3 is a schematic diagram of the interface for the process of creating a VPC according to an embodiment of the present disclosure;
Figure 4 is a schematic diagram of the interface for creating a peering connection according to an embodiment of the present disclosure;
Figure 5 is a schematic diagram of the interface for creating an associated subnet according to an embodiment of the present disclosure;
Figure 6 is a complete schematic diagram of the system of the method for establishing a peering connection between subnets according to an embodiment of the present disclosure;
Figure 7 is a schematic flowchart of a method for establishing a peering connection between subnets according to another embodiment of the present disclosure;
Figure 8 is a schematic flowchart of a method for establishing a peering connection between subnets according to yet another embodiment of the present disclosure;
Figure 9 is a schematic flowchart of a method for establishing a peering connection between subnets according to a further embodiment of the present disclosure;
Figure 10 is a structural block diagram of a device for establishing a peering connection between subnets according to an embodiment of the present disclosure;
Figure 11 is a structural block diagram of a device for establishing a peering connection between subnets according to another embodiment of the present disclosure;
Figure 12 is a structural block diagram of a device for establishing a peering connection between subnets according to yet another embodiment of the present disclosure;
Figure 13 is a structural block diagram of a device for establishing a peering connection between subnets according to a further embodiment of the present disclosure;
Figure 14 is a schematic diagram of the hardware structure of computer equipment according to an embodiment of the present disclosure.
具体实施方式Detailed ways
为使本公开实施例的目的、技术方案和优点更加清楚,下面将结合本公开实施例中的附图,对本公开实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本公开一部分实施例,而不是全部的实施例。基于本公开中的实施例,本领域技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本公开保护的范围。In order to make the purpose, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions in the embodiments of the present disclosure will be clearly and completely described below in conjunction with the drawings in the embodiments of the present disclosure. Obviously, the described embodiments These are some embodiments of the present disclosure, but not all embodiments. Based on the embodiments in this disclosure, all other embodiments obtained by those skilled in the art without making creative efforts fall within the scope of protection of this disclosure.
当前的云计算技术中,由于企业对于网络安全、网络隔离的需求,产生了VPC(Virtual Private Cloud,虚拟私有云)技术,VPC用于构造一个隔离的网络环境,不同VPC之间网络不通。用户创建一个VPC后,会在该VPC内自动创建一个默认路由器。然后,用户可以继续在该VPC内创建网络,网络创建成功之后,会自动连接到默认路由器上,而连接到默认路由器上的不同网络是互通的。即VPC内网络互通,VPC间网络隔离,具体可参见图1所示的VPC内各个网络互通示意图。In current cloud computing technology, due to enterprises' needs for network security and network isolation, VPC (Virtual Private Cloud) technology has emerged. VPC is used to construct an isolated network environment, and the networks between different VPCs are blocked. After a user creates a VPC, a default router is automatically created within the VPC. Then, the user can continue to create a network within the VPC. After the network is successfully created, it will automatically connect to the default router, and different networks connected to the default router are interconnected. That is, network interconnection within VPCs and network isolation between VPCs. For details, see the schematic diagram of network interconnection within VPCs shown in Figure 1.
为了在保证VPC间网络隔离的情况下,部分VPC之间的指定子网可以流量互通,对等连接技术应运而生。传统的对等连接方案中,用户通常需要在硬件网络设备上进行繁琐的配置和管理,操作复杂,需投入较多人力资源,使得企业的人力成本较高。In order to ensure the network isolation between VPCs, designated subnets between some VPCs can communicate with each other, and peering connection technology came into being. In traditional peer-to-peer connection solutions, users usually need to perform tedious configuration and management on hardware network devices. The operations are complex and require a large investment in human resources, making the enterprise's labor costs high.
为了解决上述问题,本公开实施例提出一种子网间实现对等连接方法,如图2所示,该方法的执行主体可以是云平台,该方法的流程包括如下步骤:In order to solve the above problems, embodiments of the present disclosure propose a method for implementing peer-to-peer connections between subnets, as shown in Figure 2. The execution subject of the method may be a cloud platform. The process of the method includes the following steps:
步骤S201,获取用户下发的请求信息和网络配置信息。Step S201: Obtain the request information and network configuration information issued by the user.
Optionally, in the embodiments of the present disclosure, the cloud platform is the platform side that interacts closely with the user and receives the user's request information and network configuration information. From the request information it learns that the user wants a subnet in one VPC to establish a peering connection with a subnet in another VPC in order to exchange data, and it also obtains the user's network configuration information for these subnets.
It should be understood that a VPC is a private cloud, so in the embodiments of the present disclosure the two VPCs are called VPC1 (the local virtual private cloud) and VPC2 (the peer virtual private cloud); a subnet within VPC1 may be called VM1 (the first subnet), and a subnet within VPC2 may be called VM2 (the second subnet). The network configuration information mainly includes the network type, the network segment and its ID, the router, and so on.
Step S202: From the request information and the network configuration information, obtain the first subnet of the local virtual private cloud that is to be connected and the first network to which the first subnet belongs, the second subnet of the peer virtual private cloud that is to be connected and the second network to which the second subnet belongs, as well as the local virtual private cloud's virtual router and the peer virtual private cloud's virtual router, where the first subnet and the second subnet are the network objects between which the peering connection is established and the network addresses of the first subnet and the second subnet do not overlap.
Optionally, the specific process of creating a VPC is shown in Figure 3, which includes the items that must be configured when adding a subnet to the VPC: name, network type, physical network, IP type, IPv4 address, and so on. Subnets are then added according to the user's request information, and the network information for each subnet is determined from the network configuration information entered by the user and filled into the corresponding fields of Figure 3.
After the subnets to be connected have been obtained, a peering connection must also be created, as shown in Figure 4: fill in a name and select the local virtual data center, the local virtual private cloud, the peer virtual data center and the peer virtual private cloud. Only one peering connection can be created between any two VPCs.
After the peering connection has been created, the cloud platform uses a Java NETCONF library to connect to physical network devices such as switches and sends XML requests to the switch; after the switch applies the configuration, the cloud platform receives the switch's response and processes it accordingly. For example, the cloud platform uses the Java NETCONF library to connect to the switch at IP address 192.168.1.1 with admin/admin as the username and password. It then sends an XML request to the switch at 192.168.1.1 that retrieves the information of the interface named eth-trunk1 and prints the response. Finally, the cloud platform disconnects from the switch.
In addition, once the peering connection has been created, a new entry appears in the peering connection list to indicate that the connection was created successfully.
At this point the two VPCs have the basis for exchanging traffic, but to connect two specific subnets in the VPCs at the two ends, associated subnets must additionally be created, as shown in Figure 5, by filling in the local subnet (the first subnet) and the peer subnet (the second subnet).
It should be noted that there may be multiple first subnets and multiple second subnets; the subnets at the two ends are in a many-to-many relationship. Furthermore, the network addresses of the first subnet and the second subnet must not overlap, which means: 1. The CIDR (Classless Inter-Domain Routing) ranges of the local subnet and the peer subnet must not overlap. 2. Among the subnets already associated with the local subnet, there must be none whose CIDR overlaps with that of the peer subnet. 3. Among the other subnets in the local virtual private cloud, there must be none whose CIDR overlaps with that of the peer subnet. 4. Among the subnets already associated with the peer subnet, there must be none whose CIDR overlaps with that of the local subnet. 5. Among the other subnets in the peer virtual private cloud, there must be none whose CIDR overlaps with that of the local subnet.
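The five non-overlap rules above, written out as a validation check that a cloud platform could run before accepting an association; this is an added example, not the patent's own code, and the function name, argument layout and sample CIDRs are assumptions.

```python
"""
Added example, not the patent's own code: a checker for the five CIDR
non-overlap rules the page lists for one local-subnet/peer-subnet association.
The function name, argument layout and the sample CIDRs are assumptions.
"""
from ipaddress import ip_network


def validate_association(local_subnet, peer_subnet, local_vpc_subnets,
                         peer_vpc_subnets, local_associated=(), peer_associated=()):
    """Return the list of violated rules as (rule_no, cidr_a, cidr_b); an empty
    list means the association may be created.

    local_vpc_subnets / peer_vpc_subnets: every subnet CIDR in the local / peer VPC
    (including the subnet being associated).
    local_associated / peer_associated: CIDRs already associated with the local /
    peer subnet through earlier peering associations.
    """
    local = ip_network(local_subnet)
    peer = ip_network(peer_subnet)
    violations = []

    def check(rule_no, candidates, other, skip=None):
        # Record every candidate CIDR that overlaps `other`, skipping the subnet itself.
        for cidr in candidates:
            net = ip_network(cidr)
            if net != skip and net.overlaps(other):
                violations.append((rule_no, str(net), str(other)))

    # Rule 1: the local and peer subnet CIDRs themselves must not overlap.
    if local.overlaps(peer):
        violations.append((1, str(local), str(peer)))
    # Rule 2: subnets already associated with the local subnet vs the peer CIDR.
    check(2, local_associated, peer)
    # Rule 3: the other subnets of the local VPC vs the peer CIDR.
    check(3, local_vpc_subnets, peer, skip=local)
    # Rule 4: subnets already associated with the peer subnet vs the local CIDR.
    check(4, peer_associated, local)
    # Rule 5: the other subnets of the peer VPC vs the local CIDR.
    check(5, peer_vpc_subnets, local, skip=peer)
    return violations


if __name__ == "__main__":
    # Constructed sample: the page's 192.168.1.0/24 <-> 192.168.2.0/24 pair.
    print(validate_association("192.168.1.0/24", "192.168.2.0/24",
                               ["192.168.1.0/24", "10.0.1.0/24"],
                               ["192.168.2.0/24", "10.0.2.0/24"]))      # []
    print(validate_association("192.168.1.0/24", "192.168.2.0/24",
                               ["192.168.1.0/24", "192.168.2.128/25"],
                               ["192.168.2.0/24"],
                               peer_associated=["192.168.1.64/26"]))    # rules 3 and 4
```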
From the above, the first subnet (VM1) of the local virtual private cloud (VPC1) that is to be connected can be obtained from the user's request information, and the second subnet (VM2) of the peer virtual private cloud (VPC2) that is to be connected can likewise be obtained from the user's request information.
In addition, from the network configuration information entered by the user, the network segment 192.168.1.0/24 in Figure 3 is obtained; this is the first network (also called the first network address) of the first subnet. Likewise, the second network (also called the second network address) of the second subnet is obtained from the network configuration information entered by the user, and its network segment may be 192.168.2.0/24.
In addition, each VPC automatically creates a default router, such as the local virtual private cloud's virtual router and the peer virtual private cloud's virtual router; of course, these two virtual routers may also be generated from the network configuration information entered by the user.
Step S203: Determine, from the router mapping relationship, the first virtual router in the first switch that corresponds to the local virtual private cloud's virtual router, and determine, from the router mapping relationship, the second virtual router in the first switch that corresponds to the peer virtual private cloud's virtual router, where the router mapping relationship stores the correspondence between each virtual router in each switch and the local virtual private cloud's virtual router or the peer virtual private cloud's virtual router.
Optionally, in the embodiments of the present disclosure, the cloud platform can be understood as the entry point that receives information from users, whereas actual data transmission and communication are performed by switches. The embodiments therefore use a leaf-spine architecture, which includes leaf switches (the first switch) and spine switches (a spine switch merely relays the data packets transmitted by the first switch to the border switch (the second switch) and has no major bearing on how peering connections between subnets are implemented in this disclosure, so the embodiments do not elaborate on it). It should be noted that the leaf-spine architecture used in the embodiments of the present disclosure improves the flexibility and scalability of the network topology, supports many-to-many subnet associations, and meets the needs of different business scenarios.
As can be seen from the above description, to implement the peering connection between the first subnet and the second subnet and transmit data between them, the embodiments of the present disclosure must pass through the first switch and the second switch, while the cloud platform is currently connected only to the first switch, as shown in Figure 6. The embodiments therefore create in the first switch, according to the router mapping relationship, a first virtual router corresponding to the local virtual private cloud's virtual router (VRF1 in Figure 6; VRF stands for Virtual Router Forward, i.e. virtual routing and forwarding) and, according to the router mapping relationship, a second virtual router corresponding to the peer virtual private cloud's virtual router (VRF2 in Figure 6).
Step S204: Send the data packet emitted by the first subnet to the first virtual router via the first network.
Optionally, after the first virtual router in the first switch corresponding to the local virtual private cloud's virtual router has been determined: because a first network (192.168.1.0/24) was created in VPC1, the first network corresponds to a VLAN on the first switch (vlan 1001 192.168.1.0/24 in Figure 6), and the newly created first network automatically attaches to the default router (the local virtual private cloud's virtual router). The data packet emitted by the first subnet can then be sent to the first virtual router via the first network.
Step S205: Receive the data packet returned by the second virtual router.
Optionally, as can be seen from Figure 6, the cloud platform is directly connected to the first switch, so the cloud platform's peer virtual private cloud receives the data packet returned by the second virtual router of the first switch.
Step S206: Send the data packet to the second subnet of the second network.
Optionally, in the peer virtual private cloud, the peer virtual private cloud's virtual router sends the data packet to the second subnet of the second network that requested a connection with the first subnet, thereby achieving the goal of connecting the first subnet in VPC1 with the second subnet in VPC2.
In the embodiments of the present disclosure, the leaf-spine architecture is used to obtain the first switch on which the subnet peering connection between the cloud platform's local virtual private cloud and peer virtual private cloud depends. According to the router mapping relationship, the first virtual router in the first switch corresponding to the local virtual private cloud's virtual router and the second virtual router in the first switch corresponding to the peer virtual private cloud's virtual router are determined. The data packet emitted by the first subnet of the local virtual private cloud that is to be connected is then transmitted to the first virtual router of the first switch, the data packet returned by the second virtual router of the first switch is received, and it is sent to the second subnet of the second network. This achieves interconnection between different VPCs while allowing fine-grained control over exactly which subnets are interconnected; it satisfies both the security requirement of network isolation between VPCs and the requirement that designated subnets in different VPCs communicate with each other, and thereby solves the problem of traditional peering solutions, in which users usually have to perform tedious configuration and management on hardware network devices, wasting human resources.
In some optional implementations, the embodiments of the present disclosure propose a method for implementing peering connections between subnets in which the executing entity may be the first switch. As shown in Figure 7, the method comprises the following steps:
Step S701: The first virtual router receives a data packet sent from the first network of the local virtual private cloud, where the first virtual router of the first switch has a mapping relationship with the local virtual private cloud's virtual router, and the data packet is data emitted by the first subnet to be connected in the first network of the local virtual private cloud;
Step S702: Send the data packet to the third virtual router in the second switch, where the first virtual router has a mapping relationship with the third virtual router;
Step S703: The second virtual router receives the data packet returned by the fourth virtual router in the second switch, where the second virtual router has a mapping relationship with the fourth virtual router;
Step S704: The second virtual router sends the data packet to the peer virtual private cloud.
Optionally, in this embodiment of the present disclosure, the first switch is the executing entity. As shown in Figure 6, the first virtual router VRF1 of the first switch receives the data packet sent by the first subnet to be connected in the first network of the local virtual private cloud. It should be understood that, because the first virtual router of the first switch has a mapping relationship with the local virtual private cloud's virtual router, the corresponding first virtual router can be found directly from the local virtual private cloud's virtual router, which is how the first virtual router comes to receive the data packet.
As shown in Figure 6, the first switch and the second switch also communicate with each other, so the first switch sends the data packet to the third virtual router VRF3 in the second switch, which has a mapping relationship with the first virtual router. The second virtual router VRF2 of the first switch then receives the data packet returned by the fourth virtual router VRF4 in the second switch, and the second virtual router sends the data packet on to the peer virtual private cloud.
In the embodiments of the present disclosure, direct communication between the cloud platform and the physical switches reduces the cloud platform's dependence on third-party SDN and improves the cloud platform's network capabilities and product competitiveness.
In some optional implementations, the embodiments of the present disclosure propose a method for implementing peering connections between subnets in which the executing entity may be the second switch. As shown in Figure 8, the method comprises the following steps:
Step S801: The third virtual router receives the data packet forwarded by the first virtual router in the first switch, where the third virtual router has a mapping relationship with the first virtual router, and the data packet is data emitted by the first subnet to be connected in the first network of the local virtual private cloud;
Step S802: Send the data packet to the firewall via the third virtual router;
Step S803: Receive the firewall's verification-passed instruction and the returned data packet;
Step S804: Send the data packet to the second virtual router of the first switch via the fourth virtual router of the second switch, where the second virtual router has a mapping relationship with the fourth virtual router.
Optionally, as can be seen from Figure 6, the second switch communicates with the first switch and with the firewall. Specifically, a third virtual router corresponding to the first virtual router of the first switch is created on the second switch (the border switch), so that a mapping relationship exists between the first virtual router and the third virtual router, and data packets passing through these VRFs are configured to be forwarded northbound to the firewall. Because the firewall's return packets must later be received via the second switch, a virtual router for receiving the firewall's return packets must also be set up on the second switch; if none exists there, a VRF is created for this purpose, namely the fourth virtual router of the second switch, which receives the firewall's return packets.
As can be seen from Figure 6, the third virtual router of the second switch receives the data packet forwarded by the first virtual router of the first switch and sends it to the firewall via the third virtual router; it then receives the firewall's instruction that the packet has passed verification together with the returned packet, after which the second switch uses the fourth virtual router to send the returned packet to the second virtual router of the first switch. It should be understood that a mapping relationship exists between the fourth virtual router of the second switch and the second virtual router of the first switch, which is why the fourth virtual router can forward the returned packet directly to the second virtual router once it has received it.
In addition, the data packet is returned to the second switch only after the firewall has verified it; otherwise the packet is discarded directly.
In the embodiments of the present disclosure, an implementation based on hardware switches and firewalls provides more reliable and more efficient network transmission than a purely software-based implementation.
In some optional implementations, the embodiments of the present disclosure propose a method for implementing peering connections between subnets in which the executing entity may be a firewall. As shown in Figure 9, the method comprises the following steps:
Step S901: Receive the data packet sent by the third virtual router in the second switch, where the data packet is data emitted by the first subnet to be connected in the first network of the local virtual private cloud;
Step S902: Obtain the source address and destination address of the data packet;
Step S903: Match the source address and destination address against preset rules to obtain a matching result, where the preset rules represent the original source addresses and original destination addresses;
Step S904: Issue a verification-passed instruction and the data packet according to the matching result, and send the data packet to the fourth virtual router of the second switch.
Optionally, following the above embodiments, after the associated subnets (the first subnet and the second subnet) have been set up successfully, the correct preset rules are issued to the firewall according to the network segments of these subnets; the preset rules here are the original source addresses and original destination addresses of these subnets. Then, after receiving the data packet sent by the third virtual router in the second switch, the firewall checks whether the packet's source address and destination address fall within the subnets' original source addresses and original destination addresses. If they do, the matching result is "verification passed" and the packet is returned to the fourth virtual router of the second switch; otherwise the matching result is "verification failed" and the packet is discarded.
The process by which the cloud platform of the embodiments of the present disclosure delivers configuration to the firewall is implemented with NETCONF (Network Configuration Protocol). Using the NETCONF protocol, the cloud platform communicates directly with the first switch, the second switch and the firewall, which reduces the cloud platform's dependence on third-party SDN and improves the cloud platform's network capabilities and product competitiveness.
In the embodiments of the present disclosure, a firewall is used to verify whether the data packet satisfies the preset rules, and the matching result is used as the condition for forwarding the packet, which improves the security of communication between designated networks in different VPCs.
In some optional implementations, the embodiments of the present disclosure propose a system for implementing peering connections between subnets, characterized in that the system includes a cloud platform, a first switch, a second switch and a firewall;
the cloud platform obtains the request information and network configuration information issued by the user;
the cloud platform obtains, from the request information and the network configuration information, the first subnet of the local virtual private cloud that is to be connected and the first network to which the first subnet belongs, the second subnet of the peer virtual private cloud that is to be connected and the second network to which the second subnet belongs, as well as the local virtual private cloud's virtual router and the peer virtual private cloud's virtual router, where the first subnet and the second subnet are the network objects between which the peering connection is established and the network addresses of the first subnet and the second subnet do not overlap;
the cloud platform determines, from the router mapping relationship, the first virtual router in the first switch that corresponds to the local virtual private cloud's virtual router, and determines, from the router mapping relationship, the second virtual router in the first switch that corresponds to the peer virtual private cloud's virtual router, where the router mapping relationship stores the correspondence between each virtual router in each switch and the local virtual private cloud's virtual router or the peer virtual private cloud's virtual router;
the cloud platform sends the data packet emitted by the first subnet of the local virtual private cloud that is to be connected to the first virtual router via the first network;
after receiving the data packet, the first virtual router of the first switch sends it to the third virtual router of the second switch, where the third virtual router has a mapping relationship with the first virtual router;
after receiving the data packet, the third virtual router sends it to the firewall via the third virtual router;
after receiving the data packet, the firewall obtains the packet's source address and destination address;
the firewall matches the source address and destination address against preset rules to obtain a matching result, where the preset rules represent the original source addresses and original destination addresses;
the firewall issues a verification-passed instruction and the data packet according to the matching result, and sends the data packet to the fourth virtual router of the second switch;
after receiving the data packet, the fourth virtual router sends it via the fourth virtual router to the second virtual router of the first switch, where the second virtual router has a mapping relationship with the fourth virtual router;
after receiving the data packet, the second virtual router sends it to the peer virtual private cloud;
after receiving the data packet, the peer virtual private cloud's virtual router of the cloud platform sends it to the second subnet of the second network.
Optionally, in this embodiment of the present disclosure, mutual communication and data transmission between designated subnets in two VPCs is taken as an example and described as follows:
As shown in Figure 6, the system for implementing peering connections between subnets includes a cloud platform, a first switch, a second switch and a firewall. The specific flow is as follows:
The cloud platform receives the request information issued by the user, for example a request that subnet VM1 in VPC1 communicate with subnet VM2 in VPC2, and obtains the network configuration information issued by the user, such as the network segment and network type. After the peering connection has been created, when VM1 in VPC1 wants to communicate with VM2 in VPC2, the data packet emitted by VM1 is sent via its first network 192.168.1.0/24 to the first virtual router on the first switch. The first virtual router sends the packet to the third virtual router on the second switch, and the third virtual router sends it to the hardware firewall. If the packet does not match the preset rules on the firewall, it is discarded; if it matches, the packet is returned to the second switch.
After the packet returned to the fourth virtual router of the second switch matches a route, it is sent to the second virtual router on the first switch, which sends it to the second network 192.168.2.0/24 and then on to the second subnet VM2 within that network. This completes one network exchange between VM1 and VM2; the path and principle for packets in the reverse direction, from VM2 to VM1, are the same.
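The firewall check of Steps S902 to S904 and the VM1-to-VM2 packet path just described, modelled together as an added example (not the patent's own code); the class and method names, the mapping tables and the sample addresses, including the extra non-associated subnet 192.168.3.0/24 in VPC2, are assumptions.

```python
"""
Added example, not the patent's own code: a model of the packet path the page
describes (VM1 -> first network -> VRF1 on the leaf -> VRF3 on the border ->
firewall -> VRF4 -> VRF2 -> second network -> VM2), with the firewall's preset
rules built from the associated subnet pairs as in Step S903. Class and method
names, the mapping tables and the sample addresses are assumptions.
"""
from ipaddress import ip_address, ip_network


class Firewall:
    """Preset rules: (original source CIDR, original destination CIDR), one per
    associated subnet pair and per direction, since the page states the reverse
    path works the same way."""

    def __init__(self, associated_pairs):
        self.rules = []
        for local_cidr, peer_cidr in associated_pairs:
            self.rules.append((ip_network(local_cidr), ip_network(peer_cidr)))
            self.rules.append((ip_network(peer_cidr), ip_network(local_cidr)))

    def verify(self, src, dst):
        """Passes only if src and dst fall inside one rule's ranges (Steps S903/S904)."""
        s, d = ip_address(src), ip_address(dst)
        return any(s in rule_src and d in rule_dst for rule_src, rule_dst in self.rules)


class PeeringFabric:
    """Leaf (first switch) and border (second switch) VRFs plus the firewall."""

    def __init__(self, firewall):
        self.firewall = firewall
        self.network_router = {}  # network CIDR -> VPC default router it attaches to
        self.router_map = {}      # router mapping relationship: VPC router -> leaf VRF
        self.border_vrf = {}      # leaf VRF -> border VRF it is mapped to

    def attach_network(self, cidr, vpc_router):
        self.network_router[ip_network(cidr)] = vpc_router

    def map_router(self, vpc_router, leaf_vrf, border_vrf):
        self.router_map[vpc_router] = leaf_vrf
        self.border_vrf[leaf_vrf] = border_vrf

    def network_of(self, ip):
        addr = ip_address(ip)
        return next((n for n in self.network_router if addr in n), None)

    def leaf_vrf_of(self, network):
        return self.router_map[self.network_router[network]]

    def forward(self, src, dst):
        """Returns (delivered, hops); hops records every VRF the packet visits."""
        src_net, dst_net = self.network_of(src), self.network_of(dst)
        if src_net is None or dst_net is None:
            return False, ["no-route"]
        src_vrf = self.leaf_vrf_of(src_net)                # VRF1 for VPC1
        hops = [str(src_net), src_vrf, self.border_vrf[src_vrf], "firewall"]
        if not self.firewall.verify(src, dst):
            return False, hops + ["dropped"]                # discarded at the firewall
        dst_vrf = self.leaf_vrf_of(dst_net)                # VRF2 for VPC2
        hops += [self.border_vrf[dst_vrf], dst_vrf, str(dst_net)]
        return True, hops


def build_sample_fabric():
    """Constructed topology following Figure 6: VPC1 has 192.168.1.0/24, VPC2 has
    192.168.2.0/24 plus an extra, non-associated 192.168.3.0/24."""
    fw = Firewall([("192.168.1.0/24", "192.168.2.0/24")])
    fabric = PeeringFabric(fw)
    fabric.attach_network("192.168.1.0/24", "VPC1-router")
    fabric.attach_network("192.168.2.0/24", "VPC2-router")
    fabric.attach_network("192.168.3.0/24", "VPC2-router")
    fabric.map_router("VPC1-router", "VRF1", "VRF3")
    fabric.map_router("VPC2-router", "VRF2", "VRF4")
    return fabric


if __name__ == "__main__":
    fabric = build_sample_fabric()
    print(fabric.forward("192.168.1.10", "192.168.2.20"))  # delivered via VRF1/VRF3/VRF4/VRF2
    print(fabric.forward("192.168.1.10", "192.168.3.5"))   # dropped: subnet not associated
```

The second call shows the fine-grained control the page claims: VPC2 is peered, but a packet to its non-associated subnet never gets past the firewall.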
The embodiments of the present disclosure use the capabilities of the switches to implement traffic exchange between VPCs, and further use the capabilities of the hardware firewall to achieve fine-grained control: communication can be permitted between any chosen networks in the two VPCs rather than between all subnets attached to the two VPCs' default routers. This preserves isolation while enabling traffic exchange between designated subnets and, by relying on hardware network devices, provides more reliable and more efficient network transmission than a purely software-based implementation.
基于上述各实施例的内容,作为一种可选实施例,如果需要实现多个VPC之间指定子网之间不能互相通信的话,这时只需要改动防火墙的预设规则,使得防火墙接收到的数据包的源地址和目标地址始终不能包含在原始源地址和原始目标地址内,或者在实现多个VPC之间指定子网之间相互通信后,每个VPC内剩余的子网之间就列为不能实现相互通信。Based on the contents of the above embodiments, as an optional embodiment, if it is necessary to realize that designated subnets between multiple VPCs cannot communicate with each other, then only the preset rules of the firewall need to be modified so that the firewall receives The source address and destination address of the data packet cannot always be included in the original source address and original destination address, or after the designated subnets between multiple VPCs are communicated with each other, the remaining subnets in each VPC are not listed. Because mutual communication cannot be achieved.
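The data path and firewall check described above, traced in code as an added example (not the patent's own implementation): the router mapping relationship, the non-overlap check on the two designated subnets, the preset rules characterising the original source and destination addresses, and the optional rule change that isolates the subnets again. Names such as `ROUTER_MAPPING`, `create_peering`, `revoke_peering` and `forward`, and the undesignated subnet 192.168.3.0/24, are assumptions constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Router mapping relationship from the text (constructed labels): vr1 and vr2
# sit on the first switch, vr3 and vr4 on the second switch, and the hardware
# firewall hangs off the second switch.
ROUTER_MAPPING = {
    "vpc1_router": "switch1/vr1",  # first virtual router <-> local VPC router
    "vpc2_router": "switch1/vr2",  # second virtual router <-> peer VPC router
    "switch1/vr1": "switch2/vr3",  # first <-> third virtual router
    "switch2/vr4": "switch1/vr2",  # fourth <-> second virtual router
}


def create_peering(first_subnet, second_subnet):
    """Validate a peering request and return the firewall preset rules.

    The embodiment requires that the two designated subnets do not overlap;
    the preset rules characterise the original source and destination
    addresses, listed in both directions because the reverse path is symmetric.
    """
    first, second = ip_network(first_subnet), ip_network(second_subnet)
    if first.overlaps(second):
        raise ValueError(f"subnets overlap: {first} and {second}")
    return [(first, second), (second, first)]


def revoke_peering(rules, first_subnet, second_subnet):
    """Optional embodiment: remove the rule pair so that packets between the
    designated subnets never fall inside a preset rule and are discarded."""
    first, second = ip_network(first_subnet), ip_network(second_subnet)
    return [r for r in rules if r not in {(first, second), (second, first)}]


def firewall_permits(rules, src, dst):
    """Match the packet's source and destination against the preset rules."""
    return any(src in s and dst in d for s, d in rules)


def forward(rules, src, dst):
    """Trace one packet from the local VPC along the path in the text.

    Returns (delivered, hops); hops lists every element the packet crosses,
    ending in either the destination VM or 'dropped' at the firewall.
    """
    src, dst = ip_address(src), ip_address(dst)
    vr1 = ROUTER_MAPPING["vpc1_router"]
    vr3 = ROUTER_MAPPING[vr1]
    hops = [f"vm:{src}", "network:first", vr1, vr3, "firewall"]
    if not firewall_permits(rules, src, dst):
        hops.append("dropped")  # no preset rule matched: discard
        return False, hops
    vr4 = "switch2/vr4"  # the firewall returns the packet to the second switch
    vr2 = ROUTER_MAPPING[vr4]
    hops += [vr4, vr2, "network:second", f"vm:{dst}"]
    return True, hops


if __name__ == "__main__":
    rules = create_peering("192.168.1.0/24", "192.168.2.0/24")
    # Designated subnet to designated subnet: delivered.
    print(forward(rules, "192.168.1.10", "192.168.2.20"))
    # A VPC1 subnet that was not designated (constructed): dropped at the
    # firewall, which is the fine-grained isolation the text describes.
    print(forward(rules, "192.168.3.10", "192.168.2.20"))
    # After the preset rules are changed, the designated pair is isolated too.
    print(forward(revoke_peering(rules, "192.168.1.0/24", "192.168.2.0/24"),
                  "192.168.1.10", "192.168.2.20"))
```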
This embodiment also provides a device for implementing peer-to-peer connections between subnets. The device is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
This embodiment provides a device for implementing peer-to-peer connections between subnets. The device is a cloud platform and, as shown in Figure 10, includes:
the first acquisition module 1001, configured to acquire the request information and network configuration information issued by the user;
the first obtaining module 1002, configured to obtain, from the request information and network configuration information, the first subnet of the local virtual private cloud to be connected, the first network to which the first subnet belongs, the second subnet of the peer virtual private cloud to be connected, the second network to which the second subnet belongs, the local virtual private cloud virtual router and the peer virtual private cloud virtual router, where the first subnet and the second subnet are the network objects that implement the peer-to-peer connection and the network addresses of the first subnet and the second subnet do not overlap;
the determining module 1003, configured to determine, according to the router mapping relationship, the first virtual router in the first switch corresponding to the local virtual private cloud virtual router, and the second virtual router in the first switch corresponding to the peer virtual private cloud virtual router, where the router mapping relationship stores the correspondence between each virtual router in each switch and the local virtual private cloud virtual router or the peer virtual private cloud virtual router;
the first sending module 1004, configured to send the data packet issued by the first subnet to the first virtual router through the first network;
the first receiving module 1005, configured to receive the data packet returned from the second virtual router;
the second sending module 1006, configured to send the data packet to the second subnet of the second network.
In the embodiment of this disclosure, the leaf-spine architecture is used to obtain the first switch on which the subnet peering connection between the local virtual private cloud and the peer virtual private cloud of the cloud platform depends; the first virtual router in the first switch corresponding to the local virtual private cloud virtual router and the second virtual router in the first switch corresponding to the peer virtual private cloud virtual router are determined according to the router mapping relationship; the data packet sent by the first subnet of the local virtual private cloud to be connected is then transmitted to the first virtual router of the first switch, and the data packet returned by the second virtual router of the first switch is received and sent to the second subnet of the second network. In this way interworking between different VPCs is achieved while control remains fine-grained down to the specific subnets that interwork, satisfying both the security requirement of network isolation between VPCs and the requirement for mutual communication between designated subnets of the VPCs, and thereby solving the problem of traditional peering solutions, in which users usually need to perform cumbersome configuration and management on hardware network devices, wasting human resources.
In some optional implementations, the first obtaining module 1002 includes:
a first determination unit, configured to determine, from the request information, the first subnet of the local virtual private cloud to be connected and the second subnet of the peer virtual private cloud to be connected;
a second determination unit, configured to determine, from the network configuration information, the local virtual private cloud virtual router, the peer virtual private cloud virtual router, the first network and the second network.
In some optional implementations, there is at least one first subnet and at least one second subnet.
This embodiment provides a device for implementing peer-to-peer connections between subnets. The device is a first switch and, as shown in Figure 11, includes:
the second receiving module 1101, configured for the first virtual router to receive the data packet sent from the first network of the local virtual private cloud, where a mapping relationship exists between the first virtual router of the first switch and the local virtual private cloud virtual router, and the data packet is data sent by the first subnet to be connected within the first network of the local virtual private cloud;
the third sending module 1102, configured to send the data packet to the third virtual router in the second switch, where a mapping relationship exists between the first virtual router and the third virtual router;
the third receiving module 1103, configured for the second virtual router to receive the data packet returned from the fourth virtual router in the second switch, where a mapping relationship exists between the second virtual router and the fourth virtual router;
the fourth sending module 1104, configured for the second virtual router to send the data packet to the peer virtual private cloud.
This embodiment provides a device for implementing peer-to-peer connections between subnets. The device is a second switch and, as shown in Figure 12, includes:
the fourth receiving module 1201, configured for the third virtual router to receive the data packet forwarded by the first virtual router in the first switch, where a mapping relationship exists between the third virtual router and the first virtual router, and the data packet is data sent by the first subnet to be connected within the first network of the local virtual private cloud;
the fifth sending module 1202, configured to send the data packet to the firewall through the third virtual router;
the fifth receiving module 1203, configured to receive the verification-passed instruction from the firewall together with the returned data packet;
the sixth sending module 1204, configured to send the data packet through the fourth virtual router to the second virtual router of the first switch, where a mapping relationship exists between the second virtual router and the fourth virtual router.
This embodiment provides a device for implementing peer-to-peer connections between subnets. The device is a firewall and, as shown in Figure 13, includes:
the sixth receiving module 1301, configured to receive the data packet sent by the third virtual router in the second switch, where the data packet is data sent by the first subnet to be connected within the first network of the local virtual private cloud;
the second acquisition module 1302, configured to acquire the source address and destination address of the data packet;
the second obtaining module 1303, configured to match the source address and destination address against the preset rules to obtain a matching result, where the preset rules characterise the original source address and original destination address;
the seventh sending module 1304, configured to issue the verification-passed instruction and the data packet according to the matching result, and to send the data packet to the fourth virtual router of the second switch.
The device for implementing peer-to-peer connections between subnets in this embodiment is presented in the form of functional units, where a unit refers to an ASIC circuit, a processor and memory executing one or more pieces of software or firmware, and/or other components that can provide the above functions.
Further functional descriptions of the above modules and units are the same as those in the corresponding embodiments above and are not repeated here.
An embodiment of this disclosure also provides a computer device having the device for implementing peer-to-peer connections between subnets shown in Figure 10, 11, 12 or 13 above.
Refer to Figure 14, which is a schematic structural diagram of a computer device provided by an optional embodiment of this disclosure. As shown in Figure 14, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the components, including high-speed interfaces and low-speed interfaces. The components are communicatively connected to each other by different buses and may be mounted on a common motherboard or in other ways as needed. The processor can process instructions executed within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device (such as a display device coupled to an interface). In some optional implementations, multiple processors and/or multiple buses may be used together with multiple memories, if desired. Likewise, multiple computer devices may be connected, each providing part of the necessary operations (for example, as a server array, a group of blade servers, or a multi-processor system). Figure 14 takes one processor 10 as an example.
The processor 10 may be a central processing unit, a network processor, or a combination thereof. The processor 10 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field-programmable gate array, generic array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10, so that the at least one processor 10 executes the method shown in the above embodiments.
The memory 20 may include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required for at least one function, and the data storage area may store data created through use of the computer device in presenting a mini-program landing page, and the like. In addition, the memory 20 may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some optional implementations, the memory 20 may optionally include memory located remotely from the processor 10, and such remote memory may be connected to the computer device through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, a hard disk, or a solid-state drive; the memory 20 may also include a combination of the above types of memory.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or with a communication network.
An embodiment of this disclosure also provides a computer-readable storage medium. The method according to the embodiments of this disclosure described above may be implemented in hardware or firmware, or may be implemented as computer code that can be recorded on a storage medium, or as computer code originally stored on a remote storage medium or a non-transitory machine-readable storage medium and downloaded over a network to be stored on a local storage medium, so that the method described here may be processed by such software stored on a storage medium using a general-purpose computer, a dedicated processor, or programmable or dedicated hardware. The storage medium may be a magnetic disk, an optical disc, read-only memory, random access memory, flash memory, a hard disk, a solid-state drive, or the like; further, the storage medium may also include a combination of the above types of memory. It will be understood that the computer, processor, microprocessor controller, or programmable hardware includes a storage component that can store or receive software or computer code, and that when the software or computer code is accessed and executed by the computer, processor, or hardware, the method shown in the above embodiments is implemented.
Although the embodiments of this disclosure have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of this disclosure, and such modifications and variations all fall within the scope defined by the appended claims.
Claims (12)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311257540.3A CN117176673A (en) | 2023-09-26 | 2023-09-26 | Method, system, device and computer equipment for realizing peer-to-peer connection between subnets |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311257540.3A CN117176673A (en) | 2023-09-26 | 2023-09-26 | Method, system, device and computer equipment for realizing peer-to-peer connection between subnets |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117176673A true CN117176673A (en) | 2023-12-05 |
Family
ID=88941253
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311257540.3A Pending CN117176673A (en) | 2023-09-26 | 2023-09-26 | Method, system, device and computer equipment for realizing peer-to-peer connection between subnets |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117176673A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119603369A (en) * | 2024-11-27 | 2025-03-11 | 新华三信息安全技术有限公司 | Message forwarding method, electronic device and storage medium |
- 2023-09-26 CN CN202311257540.3A patent/CN117176673A/en active Pending
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |