
CN119603356A - A cloud platform and its configuration method and configuration device - Google Patents

Info

Publication number: CN119603356A
Application number: CN202411579678.XA
Authority: CN (China)
Prior art keywords: module, security service, security, subnet, cloud host
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventor: 朱朋飞
Current assignee: New H3C Security Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: New H3C Security Technologies Co Ltd
Prior art date, priority date, filing date, publication date: not shown on this page (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Application filed by New H3C Security Technologies Co Ltd; priority to CN202411579678.XA; published as CN119603356A; legal status pending.

Classifications

    • H04L 67/56: Provisioning of proxy services (H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/50 Network services)
    • H04L 41/0803: Configuration setting (H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L 41/08 Configuration management of networks or network elements)
    • H04L 61/59: Network arrangements, protocols or services for addressing or naming using proxies for addressing (H04L 61/00 Network arrangements, protocols or services for addressing or naming)
    • H04L 67/141: Setup of application sessions (H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/14 Session management)


Abstract

The present application provides a cloud platform and its configuration method and configuration device. The cloud platform is newly provided with a first proxy module for connecting the security subnet and the first subnet, and a second proxy module for connecting the security subnet and the second subnet. When the IP addresses of the first cloud host and the second cloud host are the same, the first cloud host can obtain the security service of the security service module through the first proxy module, and the second cloud host can obtain the security service of the security service module through the second proxy module. This solves the connectivity problem between the security service client and the server when the IP addresses of the cloud hosts in different VPC instances are the same.

Description

Cloud platform and configuration method and configuration device thereof
Technical Field
The present application relates to the field of communications technologies, and in particular, to a cloud platform, and a configuration method and a configuration device thereof.
Background
Cloud computing is now mainstream, and to meet the protection requirements of tenant cloud hosts, cloud vendors offer security services in the cloud. These come in two forms, dedicated and shared. A shared security service is a cluster of security service servers deployed in the security zone of the cloud platform; the cloud hosts in every VPC (Virtual Private Cloud) of the platform share the security capability that the cluster provides.
A VPC in the cloud is an isolated network environment running on the infrastructure of a public cloud service provider. It lets users create and manage independent virtual networks in the cloud, much like a traditional data center network but with the flexibility and scalability of cloud computing. A VPC is network-isolated and supports network customization: users can freely define subnets and set IP address ranges inside it. A user may therefore create subnet instances with the same network segment in different VPCs. Since the security-zone gateway is opened towards the routers of different VPCs, a security service server in the security zone may then see two cloud hosts with the same IP address and have no way to tell which one it should address.
How to achieve normal communication between cloud hosts that have the same address in different VPCs and the security service server cluster in the security zone, so that the security capability can be enabled, is a technical problem that remains to be solved in the field.
Disclosure of Invention
In order to overcome the problems in the related art, the application provides a cloud platform, a configuration method and a configuration device thereof.
According to a first aspect of an embodiment of the present application, there is provided a cloud platform, including:
At least one security service module deployed in the security subnet;
a first cloud host deployed on a first subnet of a first VPC instance and a second cloud host deployed on a second subnet of a second VPC instance, wherein the IP address of the first cloud host is the same as the IP address of the second cloud host;
A first proxy module for communicating the secure subnet with the first subnet, and a second proxy module for communicating the secure subnet with the second subnet;
the first cloud host acquires the security service of the security service module through the first proxy module, and the second cloud host acquires the security service of the security service module through the second proxy module.
According to a second aspect of the embodiment of the present application, there is provided a cloud platform configuration method, including:
Creating a first proxy module for communicating a security subnet with a first subnet under a first VPC instance and a second proxy module for communicating a security subnet with a second subnet under a second VPC instance, wherein the security subnet is deployed with at least one security service module, the first subnet is deployed with a first cloud host, the second subnet is deployed with a second cloud host, and the IP address of the first cloud host is the same as the IP address of the second cloud host;
and configuring the security service module, or configuring the first cloud host and the second cloud host, so that the first cloud host obtains the security service of the security service module through the first proxy module, and the second cloud host obtains the security service of the security service module through the second proxy module.
According to a third aspect of an embodiment of the present application, there is provided a cloud platform configuration apparatus, including:
a creation module, used for creating a first proxy module for communicating a security subnet with a first subnet under a first VPC instance and a second proxy module for communicating the security subnet with a second subnet under a second VPC instance, wherein the security subnet is deployed with at least one security service module, the first subnet is deployed with a first cloud host, the second subnet is deployed with a second cloud host, and the IP address of the first cloud host is the same as the IP address of the second cloud host;
The configuration module is used for configuring the security service module or configuring the first cloud host and the second cloud host so that the first cloud host can acquire the security service of the security service module through the first proxy module, and the second cloud host can acquire the security service of the security service module through the second proxy module.
The technical scheme provided by the embodiment of the application can comprise the following beneficial effects:
In the embodiments of the present application, a first proxy module connecting the security subnet with the first subnet and a second proxy module connecting the security subnet with the second subnet are added to the cloud platform. When the IP addresses of the first cloud host and the second cloud host are the same, the first cloud host can obtain the security service of the security service module through the first proxy module, and the second cloud host through the second proxy module. This solves the problem of connecting the security service client to the server when cloud hosts in different VPC instances have the same IP address.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a first schematic diagram of a cloud platform according to an embodiment of the present application;
Fig. 2 is a second schematic diagram of a cloud platform according to an embodiment of the present application;
Fig. 3 is a schematic diagram of host security of a cloud platform according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a bastion host of a cloud platform according to an embodiment of the present application;
Fig. 5 is a schematic diagram of database audit of a cloud platform according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a cloud platform configuration method according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a cloud platform configuration device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, the information should not be limited by these terms. They are only used to distinguish one kind of information from another. For example, first information may also be called second information, and similarly second information may be called first information, without departing from the scope of the application. Depending on the context, the word "if" as used herein may be interpreted as "when" or "upon".
A conventional cloud platform makes the two zones mutually routable by opening the network between the security-zone gateway and the VPC router of the service zone, so that the security service server and the cloud hosts in the VPC reach each other at layer 3. However, because VPC network segments are defined by the user, the segments of different VPCs may overlap, and cloud hosts in different VPCs then end up with the same IP address. In that case the security service server of a conventional cloud platform cannot tell which cloud host it is addressing.
To address this, the application provides a cloud platform, a configuration method and a configuration device that solve the problem of normal communication between cloud hosts with the same address in different VPCs and the security service server cluster in the security zone, so that the security capability can be enabled.
The embodiments of the present application will be described in detail.
An embodiment of the present application provides a cloud platform, as shown in fig. 1, including:
a security zone, comprising at least one security service module deployed on a security subnet;
a service zone, comprising a first cloud host deployed on a first subnet of a first VPC instance and a second cloud host deployed on a second subnet of a second VPC instance, wherein the IP address of the first cloud host is the same as the IP address of the second cloud host;
and a connectivity zone, comprising a first proxy module for connecting the security subnet with the first subnet and a second proxy module for connecting the security subnet with the second subnet.
The first cloud host obtains the security service of the security service module through the first proxy module, and the second cloud host obtains it through the second proxy module.
Specifically, the application adds a connectivity zone between the security zone and the service zone to the conventional cloud platform: one side of the connectivity zone is attached to the security subnet of the security zone, the other side to the service subnet of each VPC instance. As a specific implementation, a virtual machine is created in the connectivity zone for each VPC instance, and that virtual machine performs the proxy function for the security service.
The application divides the security service modules into two types according to traffic direction: a first security service module, whose traffic flows from the server side to the client side, and a second security service module, whose traffic flows from the client side to the server side.
If the security service module is a first security service module (server to client), the first and second proxy modules are, as a specific implementation, realized with Gost. Gost is a network tool for building proxies and forwarding services and supports a variety of protocols, including the SOCKS5 proxy protocol. The application uses Gost to create a SOCKS5 proxy that listens on a port on the security-subnet side, forwards TCP or UDP traffic, and can additionally be given authentication information such as a user name and password.
Accordingly, in fig. 1, when the security service module is a first security service module (server to client), the first and second proxy modules are Gost modules, and a first proxy instance and a second proxy instance are defined on the security service module. The configuration consists in setting the peer port of the first proxy instance on the security service module to the port on which the first proxy module listens on the security subnet, and the peer port of the second proxy instance to the port on which the second proxy module listens on the security subnet.
If the security service module is a second security service module (client to server), the first and second proxy modules are, as a specific implementation, realized with Nginx. Nginx is a reverse proxy that forwards client requests to a back-end server; it supports layer-4 proxying of TCP and UDP. The listening port and the address and port of the upstream server are set in its configuration file. The application configures Nginx so that the first and second proxy modules front the port of the security service module.
Accordingly, in fig. 1, when the security service module is a second security service module (client to server), the first and second proxy modules are Nginx modules, a first client agent is installed on the first cloud host and a second client agent on the second cloud host, and the configuration consists in setting the server address of the first client agent to the IP address of the first proxy module on the first subnet, and the server address of the second client agent to the IP address of the second proxy module on the second subnet.
As described above, at least one security service module is deployed on the security subnet. When several are deployed, different security service modules provide different security services, such as host security, database audit or a bastion host, and each cloud host obtains only the security services it needs from the corresponding security service modules.
Therefore, as a specific implementation, if several security service modules are deployed on the security subnet, the first cloud host obtains the security service of a third security service module through the first proxy module and the second cloud host obtains the security service of a fourth security service module through the second proxy module, where the third security service module is the one determined by the service requirement of the first cloud host and the fourth by that of the second cloud host. The third and fourth security service modules may each consist of any number of modules greater than or equal to one, and they may partly or even entirely coincide; the application does not limit this.
As described above, the security service modules deployed on the security subnet include any one or more of a host security module, a database audit module and a bastion host module. The individual security services are as follows:
Host security is a product that protects computer systems from malicious attacks, including antivirus and anti-malware. It works in client-server mode: the host installs a client program, and the client initiates a one-way connection to the server, for example to report scan results or to query the protection policy. The server provides protection policy configuration, statistics and display of protection results, and similar functions.
Database audit is a product that records, monitors and analyses the operations performed on and access to a database, to ensure the security and compliance of the data. It also works in client-server mode: the host holding the data installs a client program, which initiates a one-way connection to the server, for example to upload database access records, and the server produces analysis reports and the like.
A bastion host is a security device that manages and controls access and provides centralized access control and audit for an enterprise's core internal resources. It handles access requests through a single portal, improving system security and compliance. When a user needs to reach an asset, the access is completed through the bastion host's proxy.
In connection with the above embodiments, the implementation of the present application will be further described below by taking specific applications as examples.
As shown in fig. 2, two proxy virtual machines are created in the security-service connectivity zone: one connects the security subnet with the first service subnet of the first VPC instance, the other connects the security subnet with the second service subnet of the second VPC instance. The first cloud host VM1 on the first service subnet of the first VPC instance and the second cloud host VM1 on the second service subnet of the second VPC instance have the same IP address. Three security service modules are deployed on the security subnet: a host security module, a bastion host module and a database audit module.
As shown in fig. 2, a Gost service and an Nginx service are installed in each of the two proxy virtual machines. When a security service server actively accesses a cloud host in a VPC instance, it goes through the Gost service in the proxy virtual machine. The Nginx service in the proxy virtual machine fronts the security service server: when a cloud host in a VPC instance actively accesses the security service server, it connects to the VPC-side address of the proxy virtual machine and thereby reaches the server.
As shown in fig. 3, the host security service is implemented as follows:
(31) A virtual machine proxyvpc is created in the security-service connectivity zone (if VPC instance 1 already has a corresponding virtual machine, it is reused rather than created again). Its network interface on the service subnet of the VPC instance is given the address 192.168.1.6, and its network interface on the security subnet the address 9.9.9.3.
(32) The Nginx service is installed on the virtual machine proxyvpc.
(33) Configuration is added to the Nginx configuration file defining the TCP and UDP ports to listen on and the destination IP and port to forward to, specifically:
a listener on port 7443, for both TCP and UDP, forwards traffic to 9.9.9.13:7443; a listener on port 80, for both TCP and UDP, forwards traffic to 9.9.9.13:80; and the other ports (9686, 9685, 9683, 9682) are configured the same way, each listened on and forwarded to the corresponding port of the destination.
(34) The host security client agent program is downloaded and installed in the cloud host VM1 under VPC instance 1.
(35) The server address in the agent program's configuration file is changed to 192.168.1.6.
(36) Once these steps are complete, the agent installed in the cloud host VM1 under VPC instance 1 can connect to the server, and protection of the cloud host VM1 is in place.
As shown in fig. 4, the bastion host service is implemented as follows:
(41) A virtual machine proxyvpc is created in the security-service connectivity zone; its network interface on the service subnet of the VPC instance is given the address 192.168.1.6, and its interface on the security subnet the address 9.9.9.3.
(42) The Gost service is installed on the virtual machine proxyvpc.
(43) A SOCKS5 proxy service is run, listening on TCP port 3389. A user must present the correct user name and password before a network connection can be made through the proxy. The Gost service configuration is as follows:
the service name is service-0; the listening address and port are set, here the local port 3389; the handler type is the SOCKS5 proxy; the authentication information is the user name "root" and the password "Aab123@"; and the listener protocol type is tcp.
(44) A proxy instance named vpc1 proxy is configured on the bastion host, with address 9.9.9.3, port 3389, protocol type socks5, user name root and password Aab123@.
(45) Asset A is created on the bastion host with the address 192.168.1.2 and associated with the vpc1 proxy.
(46) Once these steps are complete, the bastion host can access asset A normally.
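The Gost service configuration of step (43), written out as an added example that is not part of the patent: a shell script that renders the gost v3 YAML file for the proxy VM and a probe the bastion host can run before registering the proxy instance in step (44). The values 9.9.9.3, 3389, root and Aab123@ are taken from the description and are placeholders only; the gost v3 file layout (services, handler, auth, listener) and the curl-based probe are this example's assumptions, not something the patent specifies. The description's "local port 3389" listens on every interface of the proxy VM; the script binds the security-subnet address explicitly, because the same VM has a second interface inside the tenant VPC and the SOCKS5 hop must not be reachable from there.

```shell
#!/bin/sh
# Added example (not from the patent): gost v3 SOCKS5 configuration for the
# per-VPC proxy VM, i.e. the server-to-client direction used by the bastion
# host. 9.9.9.3, 3389, root and Aab123@ are the description's illustrative
# values; replace the password before any real deployment.

# Escape a value for use inside a double-quoted YAML scalar.
yaml_quote() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# write_gost_config OUTFILE BIND_ADDR PORT USER PASSWORD
# Pins the listener to the security-subnet NIC. The ":3389" form binds every
# interface of the proxy VM, including the NIC inside the tenant VPC, which
# would expose the SOCKS5 hop to tenant cloud hosts; a guessed or leaked
# password would then be a path from the tenant VPC into the security subnet.
write_gost_config() {
    out=$1; bind=$2; port=$3; user=$4; pass=$5
    case $bind in
        ''|0.0.0.0|'::'|'*') echo "refusing to bind the proxy on all interfaces" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
services:
- name: service-0
  addr: "$bind:$port"
  handler:
    type: socks5
    auth:
      username: "$(yaml_quote "$user")"
      password: "$(yaml_quote "$pass")"
  listener:
    type: tcp
EOF
}

# From the bastion host (in the security subnet), check that the hop really
# lands inside the tenant VPC before registering the proxy instance: the
# banner must come from asset A (192.168.1.2 in VPC instance 1), not from a
# security-subnet host that happens to use the same address. Needs network
# access and is not exercised by the offline checks.
probe_via_socks5() {
    # probe_via_socks5 PROXY_HOST PROXY_PORT USER PASSWORD TARGET_HOST TARGET_PORT
    curl -sS --max-time 5 --proxy "socks5h://$1:$2" --proxy-user "$3:$4" \
        "telnet://$5:$6" </dev/null | head -c 64
}

if [ "${1:-}" = render ]; then
    write_gost_config /dev/stdout 9.9.9.3 3389 root 'Aab123@'
    # Run on the proxy VM with:   gost -C /etc/gost/config.yaml
    # Probe from the bastion:     probe_via_socks5 9.9.9.3 3389 root 'Aab123@' 192.168.1.2 22
fi
```

`sh gost-vpc1.sh render` prints the file; `gost -C` loads it on the proxy VM. Because the VPC-side interface of the proxy VM is what connects to 192.168.1.2, the asset sees the bastion's session as coming from 192.168.1.6, so bastion session logs, not the asset's own logs, are the record of who connected.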
As shown in fig. 5, database audit is implemented as follows:
(51) A virtual machine proxyvpc is created in the security-service connectivity zone (if VPC instance 1 already has a corresponding virtual machine, it is reused rather than created again); its network interface on the service subnet of the VPC instance is given the address 192.168.1.6, and its interface on the security subnet the address 9.9.9.3.
(52) The Nginx service is installed on the virtual machine proxyvpc.
(53) Configuration is added to Nginx defining several server blocks that listen for and forward traffic, specifically:
each server block defines a server configuration that listens on a particular port and protocol (TCP or UDP) and forwards traffic to the specified IP address and port. The first and second server blocks listen on port 1443 for TCP and UDP and forward traffic to 9.9.9.15:1443; the third and fourth listen on port 9265 for TCP and UDP and forward to 9.9.9.15:9265; the fifth and sixth listen on port 9266 for TCP and UDP and forward to 9.9.9.15:9266.
(54) The database audit client agent program is downloaded and installed in the cloud host VM1 under VPC instance 1.
(55) The server address in the agent program's configuration file is changed to 192.168.1.6.
(56) Once these steps are complete, the agent program installed in the cloud host VM1 under VPC instance 1 can connect to the server, and protection of the cloud host is in place.
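The Nginx configuration that steps (33) and (53) describe in words, as an added example that is not from the patent: a shell script that renders one TCP and one UDP `stream` server block per forwarded port, for the host security server (9.9.9.13) and the database audit server (9.9.9.15). Addresses and ports are those of the description; the file names, the log format and the split into one include file per service are this example's own choices. It binds the listeners to the VPC-side address 192.168.1.6 rather than all interfaces, and it logs every session, because the security service server only ever sees the proxy VM's security-subnet address as the client and cannot tell agents behind one proxy apart by IP.

```shell
#!/bin/sh
# Added example (not from the patent): Nginx stream (layer-4) forwarding rules
# for the per-VPC proxy VM, the client-to-server direction used by host
# security (steps 31-36) and database audit (steps 51-56). Addresses and ports
# are the description's illustrative values. Requires an nginx built with
# --with-stream (check: nginx -V 2>&1 | grep -o with-stream).

# write_stream_conf OUTDIR NAME LISTEN_ADDR UPSTREAM_IP PORT...
# One TCP and one UDP server block per port. The listener is pinned to the
# VPC-side NIC address (192.168.1.6 here) so the forwarder is reachable from
# the tenant subnet only, not from the security subnet side of the VM.
write_stream_conf() {
    [ $# -ge 5 ] || { echo "usage: write_stream_conf OUTDIR NAME LISTEN_ADDR UPSTREAM_IP PORT..." >&2; return 1; }
    outdir=$1; name=$2; listen_addr=$3; upstream=$4
    shift 4
    conf="$outdir/stream-$name.conf"
    : > "$conf"
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        cat >> "$conf" <<EOF
server {
    listen $listen_addr:$port;
    proxy_pass $upstream:$port;
    proxy_connect_timeout 5s;
    proxy_timeout 10m;
}
server {
    listen $listen_addr:$port udp;
    proxy_pass $upstream:$port;
    proxy_timeout 1m;
}
EOF
    done
}

# write_main_conf OUTDIR: a minimal nginx.conf that only pulls in the stream
# files above. Each forwarded session is logged with the tenant-side client
# address and the upstream it went to; the security service server itself
# sees every agent behind this proxy as 9.9.9.3, so this log is where a
# client IP and a security service are correlated.
write_main_conf() {
    outdir=$1
    cat > "$outdir/nginx.conf" <<EOF
events {}
stream {
    log_format l4 '\$remote_addr:\$remote_port -> \$upstream_addr '
                  '[\$time_local] \$protocol \$status \$session_time';
    access_log /var/log/nginx/stream.log l4;
    include $outdir/stream-*.conf;
}
EOF
}

if [ "${1:-}" = render ]; then
    d=$(mktemp -d)
    write_main_conf "$d"
    # Host security server 9.9.9.13 (fig. 3) and database audit server 9.9.9.15 (fig. 5)
    write_stream_conf "$d" hostsec 192.168.1.6 9.9.9.13 7443 80 9686 9685 9683 9682
    write_stream_conf "$d" dbaudit 192.168.1.6 9.9.9.15 1443 9265 9266
    cat "$d"/nginx.conf "$d"/stream-*.conf
    # Deploy with:  nginx -t -c /etc/nginx/nginx.conf && nginx -s reload
fi
```

`sh nginx-vpc1.sh render` prints the generated files; on the proxy VM, point `nginx -t` at the generated nginx.conf before reloading. The agent in VM1 of VPC instance 1 and the agent in VM1 of VPC instance 2 both dial 192.168.1.6, but each reaches its own proxy VM, because each proxy VM has its VPC-side interface in a different VPC; that per-VPC interface, not the address, is what disambiguates the two hosts.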
In summary, the technical solution provides a cloud platform in which a connectivity zone joining the service zone and the security zone is added, so that layer-3 interconnection is turned into layer-4 (proxied) interconnection. This removes the shortcoming of layer-3 interconnection and, in particular, solves the problem of connecting the security service client to the server when cloud hosts in different VPC instances have the same IP address.
Based on the same inventive concept, the application also provides a cloud platform configuration method, a flow chart of which is shown in fig. 6, which specifically comprises the following steps:
Step 610, creating a first proxy module for communicating a security subnet with a first subnet under a first VPC instance, and a second proxy module for communicating a security subnet with a second subnet under a second VPC instance, where the security subnet is deployed with at least one security service module, the first subnet is deployed with a first cloud host, the second subnet is deployed with a second cloud host, and an IP address of the first cloud host is the same as an IP address of the second cloud host;
Step 620, configuring the security service module, or configuring the first cloud host and the second cloud host, so that the first cloud host obtains the security service of the security service module through the first proxy module, and the second cloud host obtains the security service of the security service module through the second proxy module.
As a specific implementation, when the security service module is a first security service module whose traffic flows from the server side to the client side, the first and second proxy modules are Gost modules, and the method configures the security service module as follows:
the peer port of the first proxy instance on the security service module is set to the port on which the first proxy module listens on the security subnet, and the peer port of the second proxy instance to the port on which the second proxy module listens on the security subnet.
As a specific implementation, the protocol type of the first and second proxy instances on the security service module is set to SOCKS5.
As a specific implementation, when the security service module is a second security service module whose traffic flows from the client side to the server side, the first and second proxy modules are Nginx modules, and the method configures the first and second cloud hosts as follows:
the server address of the client agent on the first cloud host is set to the IP address of the first proxy module on the first subnet, and the server address of the client agent on the second cloud host to the IP address of the second proxy module on the second subnet.
As a specific implementation, if several security service modules are deployed on the security subnet, the security service module, or the first and second cloud hosts, are configured as follows:
the security service module is configured, or the first and second cloud hosts are configured, so that the first cloud host obtains the security service of a third security service module through the first proxy module and the second cloud host obtains that of a fourth security service module through the second proxy module, where the third security service module is determined by the service requirement of the first cloud host and the fourth by that of the second cloud host.
As a specific implementation, the security service modules deployed on the security subnet include any one or more of a host security module, a database audit module and a bastion host module.
Based on the same inventive concept, the application also provides a cloud platform configuration device, whose structure diagram is shown in fig. 7 and which specifically comprises:
A creation module 710, configured to create a first proxy module for communicating a security subnet with a first subnet under a first VPC instance, and a second proxy module for communicating the security subnet with a second subnet under a second VPC instance, where at least one security service module is deployed in the security subnet, a first cloud host is deployed in the first subnet, a second cloud host is deployed in the second subnet, and the IP address of the first cloud host is the same as the IP address of the second cloud host;
A configuration module 720, configured to configure the security service module, or configure the first cloud host and the second cloud host, so that the first cloud host obtains the security service of the security service module through the first proxy module, and the second cloud host obtains the security service of the security service module through the second proxy module.
As a specific implementation manner, when the security service module is a first security service module whose traffic direction is from server to client, the first proxy module and the second proxy module are Gost modules, and the configuration module 720 specifically configures the security service module by:
The peer port number of the first proxy instance in the security service module is configured as the port number of the first proxy module on the security subnet side, and the peer port number of the second proxy instance in the security service module is configured as the port number of the second proxy module on the security subnet side.
As a specific implementation manner, the protocol types of the first proxy instance and the second proxy instance in the security service module are configured as the SOCKS5 protocol.
As a specific implementation manner, when the security service module is a second security service module whose traffic direction is from client to server, the first proxy module and the second proxy module are nginx modules, and the configuration module 720 specifically configures the first cloud host and the second cloud host by:
The peer IP address of the first agent module in the first cloud host is configured as the IP address of the first proxy module on the first subnet side, and the peer IP address of the second agent module in the second cloud host is configured as the IP address of the second proxy module on the second subnet side.
As a specific implementation manner, if a plurality of security service modules are deployed in the security subnet, the configuration module 720 specifically configures the security service modules, or configures the first cloud host and the second cloud host, by:
Configuring the security service modules, or configuring the first cloud host and the second cloud host, so that the first cloud host obtains the security service of a third security service module through the first proxy module, and the second cloud host obtains the security service of a fourth security service module through the second proxy module, wherein the third security service module is a security service module determined according to the service requirement of the first cloud host, and the fourth security service module is a security service module determined according to the service requirement of the second cloud host.
As a specific implementation manner, the security service modules deployed in the security subnet comprise any one or more of a host security module, a database audit module and a bastion host module.
The foregoing is merely a description of preferred embodiments of the application and is not intended to limit it; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the application shall fall within the scope of protection of the application.
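The two proxy layouts described for the method and for the configuration device above can be written out as a small configuration generator. The following is an added example, not code from the patent or its applicant; all addresses, ports and module names are constructed for the illustration. It models the case the proxies exist for, two VPC subnets that overlap so that both cloud hosts carry the same IP, and shows how the security service tells them apart purely by the security-subnet-side port of each Gost proxy (server-to-client direction), while each cloud host's agent is pointed at the nginx proxy leg inside its own subnet (client-to-server direction). The `gost -L` listen flag and the nginx `stream`/`listen`/`proxy_pass` directives are the real ones; everything else is assumed.

```python
"""Added illustration of the dual-proxy layout (constructed scenario).

Two VPCs whose subnets overlap (both 10.0.1.0/24), each holding a cloud host at
10.0.1.10, and a security subnet 192.168.100.0/24 holding one security service
(say a host-security manager) at 192.168.100.5.  Each proxy module has one leg
in the security subnet (Gost, SOCKS5) and one leg in its VPC subnet (nginx).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class ProxyModule:
    name: str              # constructed name, e.g. "proxy-vpc1"
    vpc: str               # the VPC instance this proxy reaches into
    sec_ip: IPv4Address    # leg in the security subnet
    sec_port: int          # Gost SOCKS5 listen port on the security-subnet leg
    sub_ip: IPv4Address    # leg in the VPC subnet (nginx listen address)
    sub_port: int          # nginx listen port on the subnet leg


SECURITY_SUBNET = ip_network("192.168.100.0/24")            # constructed
SECURITY_SERVICE = (ip_address("192.168.100.5"), 8443)      # constructed

VPCS = {  # constructed: identical subnets and identical host IPs in two VPCs
    "vpc1": {"subnet": ip_network("10.0.1.0/24"), "host": ip_address("10.0.1.10")},
    "vpc2": {"subnet": ip_network("10.0.1.0/24"), "host": ip_address("10.0.1.10")},
}

PROXIES = [  # the nginx legs may share an IP because they sit in different VPCs
    ProxyModule("proxy-vpc1", "vpc1", ip_address("192.168.100.11"), 1081,
                ip_address("10.0.1.254"), 8443),
    ProxyModule("proxy-vpc2", "vpc2", ip_address("192.168.100.12"), 1082,
                ip_address("10.0.1.254"), 8443),
]


def hosts_overlap(vpcs):
    """True when two cloud hosts in different VPCs carry the same IP address."""
    seen = set()
    for v in vpcs.values():
        if v["host"] in seen:
            return True
        seen.add(v["host"])
    return False


def validate(proxies, vpcs):
    """Invariants the layout relies on: each leg sits in its own subnet and the
    security-side (ip, port) pairs are distinct, otherwise the security service
    could not distinguish the two VPCs behind the duplicated host IP."""
    for p in proxies:
        if p.sec_ip not in SECURITY_SUBNET:
            raise ValueError(f"{p.name}: {p.sec_ip} is not in the security subnet")
        if p.sub_ip not in vpcs[p.vpc]["subnet"]:
            raise ValueError(f"{p.name}: {p.sub_ip} is not in the subnet of {p.vpc}")
    sec_endpoints = [(p.sec_ip, p.sec_port) for p in proxies]
    if len(set(sec_endpoints)) != len(sec_endpoints):
        raise ValueError("security-side endpoints must be distinct per proxy module")
    return True


def security_service_proxy_instances(proxies):
    """Server-to-client direction: one SOCKS5 proxy instance per VPC inside the
    security service, its peer port set to the Gost port on the security-subnet leg."""
    return [{"instance": p.vpc, "protocol": "socks5",
             "peer_ip": str(p.sec_ip), "peer_port": p.sec_port} for p in proxies]


def gost_listen_args(proxies):
    """Command line per proxy module: bind SOCKS5 only on the security-subnet leg,
    so the listener is not reachable from inside the VPC subnet."""
    return {p.name: ["gost", "-L", f"socks5://{p.sec_ip}:{p.sec_port}"] for p in proxies}


def nginx_stream_config(proxy):
    """Client-to-server direction: an nginx stream block listening on the subnet
    leg and forwarding to the security service in the security subnet."""
    svc_ip, svc_port = SECURITY_SERVICE
    return ("stream {\n"
            "    server {\n"
            f"        listen {proxy.sub_ip}:{proxy.sub_port};\n"
            f"        proxy_pass {svc_ip}:{svc_port};\n"
            "    }\n"
            "}\n")


def agent_peer_address(vpc, proxies):
    """Peer address configured into the cloud host's agent: the nginx leg in its own subnet."""
    p = next(p for p in proxies if p.vpc == vpc)
    return (str(p.sub_ip), p.sub_port)


def reach_host(vpc, proxies):
    """Security-side SOCKS5 endpoint the security service uses to reach the
    (ambiguous) host IP in the given VPC."""
    p = next(p for p in proxies if p.vpc == vpc)
    return (str(p.sec_ip), p.sec_port)


if __name__ == "__main__":
    validate(PROXIES, VPCS)
    print("hosts overlap:", hosts_overlap(VPCS))
    for inst in security_service_proxy_instances(PROXIES):
        print(inst)
    for name, args in gost_listen_args(PROXIES).items():
        print(name, " ".join(args))
    print(nginx_stream_config(PROXIES[0]))
```

Running it prints the two SOCKS5 instances the security service needs (peer ports 1081 and 1082 on distinct security-subnet addresses) and the nginx stream block for the first VPC. The `validate` check is the part worth keeping in a real deployment: if two proxy modules were ever given the same security-side endpoint, traffic for one VPC's host would silently land on the other VPC's identically addressed host.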

Claims (11)

1. A cloud platform, the cloud platform comprising:
At least one security service module deployed in the security subnet;
the cloud computing system comprises a first cloud host deployed on a first subnet of a first VPC instance and a second cloud host deployed on a second subnet of a second VPC instance, wherein the IP address of the first cloud host is the same as the IP address of the second cloud host;
A first proxy module for communicating the secure subnet with the first subnet, and a second proxy module for communicating the secure subnet with the second subnet;
the first cloud host acquires the security service of the security service module through the first proxy module, and the second cloud host acquires the security service of the security service module through the second proxy module.
2. The cloud platform of claim 1, wherein when the security service module is a first security service module whose traffic direction is from server to client, the first proxy module and the second proxy module are Gost modules, the peer port number of a first proxy instance in the security service module is configured as the port number of the first proxy module on the security subnet side, and the peer port number of a second proxy instance in the security service module is configured as the port number of the second proxy module on the security subnet side.
3. The cloud platform of claim 2, wherein the protocol types of the first proxy instance and the second proxy instance in the security service module are configured as the SOCKS5 protocol.
4. The cloud platform of claim 1, wherein when the security service module is a second security service module whose traffic direction is from client to server, the first proxy module and the second proxy module are nginx modules, the peer IP address of a first agent module in the first cloud host is configured as the IP address of the first proxy module on the first subnet side, and the peer IP address of a second agent module in the second cloud host is configured as the IP address of the second proxy module on the second subnet side.
5. The cloud platform according to any one of claims 1 to 4, wherein if the security subnet is deployed with a plurality of security service modules, the first cloud host obtains a security service of a third security service module through the first proxy module, and the second cloud host obtains a security service of a fourth security service module through the second proxy module, where the third security service module is a security service module determined according to a service requirement of the first cloud host, and the fourth security service module is a security service module determined according to a service requirement of the second cloud host.
6. The cloud platform of claim 5, wherein the security service modules deployed in the security subnet comprise any one or more of a host security module, a database audit module and a bastion host module.
7. A cloud platform configuration method, comprising the following steps:
Creating a first proxy module for communicating a security subnet with a first subnet under a first VPC instance and a second proxy module for communicating a security subnet with a second subnet under a second VPC instance, wherein the security subnet is deployed with at least one security service module, the first subnet is deployed with a first cloud host, the second subnet is deployed with a second cloud host, and the IP address of the first cloud host is the same as the IP address of the second cloud host;
and configuring the security service module, or configuring the first cloud host and the second cloud host, so that the first cloud host obtains the security service of the security service module through the first proxy module, and the second cloud host obtains the security service of the security service module through the second proxy module.
8. The method according to claim 7, wherein when the security service module is a first security service module whose traffic direction is from server to client, the first proxy module and the second proxy module are Gost modules, and the method specifically configures the security service module by:
The peer port number of the first proxy instance in the security service module is configured as the port number of the first proxy module on the security subnet side, and the peer port number of the second proxy instance in the security service module is configured as the port number of the second proxy module on the security subnet side.
9. The method of claim 7, wherein when the security service module is a second security service module whose traffic direction is from client to server, the first proxy module and the second proxy module are nginx modules, and the method specifically configures the first cloud host and the second cloud host by:
The peer IP address of the first agent module in the first cloud host is configured as the IP address of the first proxy module on the first subnet side, and the peer IP address of the second agent module in the second cloud host is configured as the IP address of the second proxy module on the second subnet side.
10. The method according to any of claims 7 to 9, wherein if the security subnet is deployed with a plurality of security service modules, the method specifically configures the security service modules or configures the first cloud host and the second cloud host by:
And configuring the security service module, or configuring the first cloud host and the second cloud host, so that the first cloud host obtains the security service of a third security service module through the first proxy module, and the second cloud host obtains the security service of a fourth security service module through the second proxy module, wherein the third security service module is a security service module determined according to the service requirement of the first cloud host, and the fourth security service module is a security service module determined according to the service requirement of the second cloud host.
11. A cloud platform configuration device, comprising:
A creation module, configured to create a first proxy module for communicating a security subnet with a first subnet under a first VPC instance and a second proxy module for communicating the security subnet with a second subnet under a second VPC instance, wherein at least one security service module is deployed in the security subnet, a first cloud host is deployed in the first subnet, a second cloud host is deployed in the second subnet, and the IP address of the first cloud host is the same as the IP address of the second cloud host;
The configuration module is used for configuring the security service module or configuring the first cloud host and the second cloud host so that the first cloud host can acquire the security service of the security service module through the first proxy module, and the second cloud host can acquire the security service of the security service module through the second proxy module.
CN202411579678.XA 2024-11-05 2024-11-05 A cloud platform and its configuration method and configuration device Pending CN119603356A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411579678.XA CN119603356A (en) 2024-11-05 2024-11-05 A cloud platform and its configuration method and configuration device

Publications (1)

Publication Number Publication Date
CN119603356A true CN119603356A (en) 2025-03-11

Family

ID=94841596

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411579678.XA Pending CN119603356A (en) 2024-11-05 2024-11-05 A cloud platform and its configuration method and configuration device

Country Status (1)

Country Link
CN (1) CN119603356A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120324572A1 (en) * 2011-06-16 2012-12-20 Telefonaktiebolaget L M Ericsson (Publ) Systems and methods that perform application request throttling in a distributed computing environment
CN116582587A (en) * 2023-03-09 2023-08-11 天翼云科技有限公司 Method and device for managing and controlling public cloud across regions
CN116800712A (en) * 2019-05-10 2023-09-22 华为云计算技术有限公司 Virtual private cloud and cloud data center communication and configuration method and related device
WO2024049905A1 (en) * 2022-09-04 2024-03-07 Aviatrix Systems, Inc. Controller for coordinating flow separation of intra-vpc or inter-vpc communications
WO2024141061A1 (en) * 2022-12-30 2024-07-04 华为云计算技术有限公司 Method, apparatus, and system for configuring serverless function on basis of cloud computing technology
CN118573441A (en) * 2024-05-30 2024-08-30 新华三网络信息安全软件有限公司 Access method and system for security service

Similar Documents

Publication Publication Date Title
US11831496B2 (en) Providing access to configurable private computer networks
CN113950816B (en) System and method for providing a multi-cloud micro-service gateway using a side car agency
US9712624B2 (en) Secure virtual network platform for enterprise hybrid cloud computing environments
US10382401B1 (en) Cloud over IP for enterprise hybrid cloud network and security
CN103023898B (en) A kind of method and device of accessing VPN service end Intranet resource
US9699034B2 (en) Secure cloud fabric to connect subnets in different network domains
TWI395435B (en) Open network connection
US20020038339A1 (en) Systems and methods for packet distribution
US20020035639A1 (en) Systems and methods for a packet director
US20020032798A1 (en) Systems and methods for packet sequencing
US20020032766A1 (en) Systems and methods for a packeting engine
US20020032797A1 (en) Systems and methods for service addressing
US7733795B2 (en) Virtual network testing and deployment using network stack instances and containers
US20120084406A1 (en) Logical Networks
CN106487556B (en) Service function SF deployment method and device
CN115296848B (en) Multi-local area network environment-based fort system and fort access method
US20070274314A1 (en) System and method for creating application groups
EP3836487B1 (en) Internet access behavior management system and device
JP2005236394A (en) Network system and network control method
CN119603356A (en) A cloud platform and its configuration method and configuration device
EP4595406A1 (en) System and method for creating a private service access network
CN116708554A (en) A network agent method and system capable of switching egress IP
WO2024116119A1 (en) System and method for building application-specific internetworking nodes with reduced security vulnerabilities
WO2002021804A1 (en) Systems and methods for packet distribution
HK40045206B (en) Internet access behavior management system and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination