CN119892399A - Private network NAT (network Address translation) cross-virtual private cloud interconnection access method and device - Google Patents
Publication number: CN119892399A (application CN202411798979.1A)
Authority: CN (China)
Prior art keywords: tenant, binding, port, host, request
Legal status: Pending
Classifications
- H04L63/0236: Network security; separating internal from external traffic (firewalls); filtering policies; filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L61/2517: Network arrangements for addressing or naming; mapping addresses of the same type; translation of Internet protocol [IP] addresses using port numbers
- H04L61/2596: Network arrangements for addressing or naming; mapping addresses of the same type; translation of addresses of the same type other than IP, e.g. translation from MAC to MAC addresses
- H04L63/0272: Network security; separating internal from external traffic (firewalls); virtual private networks
- H04L63/10: Network security; controlling access to devices or network resources
- H04L9/40: Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols
Abstract
The invention relates to cloud computing networks and discloses a private network NAT (Network Address Translation) cross-virtual private cloud interconnection access method and device. The method is executed by a target NAT gateway that corresponds to a first tenant, and comprises: obtaining a binding request of a second tenant, the binding request being used to bind a port of the second tenant to the target NAT gateway; and, if the first tenant allows the binding request of the second tenant, recording a binding relationship, the binding relationship indicating that the first tenant is allowed to select the port of the second tenant when configuring an access rule. The method and device realize flexible concurrent access across tenants while keeping the security isolation between private clouds, and improve network performance and scalability.
Description
Technical Field
The invention relates to the technical field of cloud computing networks, in particular to a private network NAT cross-virtual private cloud interconnection access method and device.
Background
In the current state of the art, the IP address conflict problem in cross-tenant access is solved by first accessing a rotor network IP and then accessing the local VPC; the IP of a VPC in the remote private network cannot be used directly for SNAT and DNAT, so a peer-to-peer connection is needed, which increases network latency, reduces network bandwidth, affects the high availability of the network, increases operation and maintenance difficulty, and may introduce security risks. A peer-to-peer connection provides a high-speed point-to-point connection within the private network without address translation and with good security, but the number of connections is limited, a large bandwidth is needed, configuration is complex, and VPCs without a direct connection cannot communicate. Private network NAT realizes one-to-many dynamic connections, is simple to configure, consumes little bandwidth, and keeps VPCs isolated while enabling communication, but it does not support static point-to-point connections. Therefore, the prior art has the technical defects of increased network latency, reduced network bandwidth, impaired network high availability, increased operation and maintenance difficulty, increased security risk, increased investment cost, and so on.
Disclosure of Invention
In view of the above, the invention provides a private network NAT cross-virtual private cloud interconnection access method and device, which realize flexible concurrent access across tenants while maintaining security isolation between private clouds, and improve network performance and scalability.
The private network NAT cross-virtual private cloud interconnection access method is executed by a target NAT gateway corresponding to a first tenant, and comprises: obtaining a binding request of a second tenant, the binding request being used to bind a port of the second tenant to the target NAT gateway; and, if the first tenant allows the binding request of the second tenant, recording a binding relationship, which indicates that the first tenant is allowed to select the port of the second tenant when configuring an access rule.
In an alternative embodiment, the binding request includes a local port and a remote NAT identification.
In an alternative embodiment, if the first tenant allows the binding request of the second tenant, recording the binding relationship includes:
Sending port binding information to a first tenant, wherein the port binding information comprises a binding task ID and a policy ID;
and receiving a result message returned by the first tenant, wherein the result message comprises an allow/reject instruction and a corresponding reason code.
In an alternative embodiment, the method further comprises:
establishing a first mapping relation, which indicates that a target port is mapped to a first port of a first host, the target port being a port of a second host;
acquiring a first request message that accesses the target port;
and, according to the first mapping relation, converting the destination address of the first request message to the first port of the first host, so as to forward the request message to the first host.
In an alternative implementation, the source IP and source MAC in the outer layer of the first request message are the physical network card information of the host that sends the first request message, and the source IP and source MAC in the inner layer of the first request message are the gateway information of the subnet of that host.
In an alternative embodiment, the method further comprises:
establishing a second mapping relation, which maps the source address of a third host to an external address;
acquiring a second request message, initiated by the third host, that accesses an external network;
converting the source IP and source MAC in the Overlay of the second request message to the external address according to the second mapping relation;
and, using the converted source address, encapsulating the virtual link of the host of the tenant where the target NAT gateway is located, so as to forward the second request message.
In an alternative implementation, the outer-layer Underlay source address of the encapsulated second request message is the physical network card information of the third host, and the inner-layer Overlay source address is the logical network card information of the third host.
In a second aspect, the present invention provides a private network NAT cross-virtual private cloud interconnection access device, where the device includes:
a request acquisition module, configured to acquire a binding request of a second tenant, the binding request being used to bind a port of the second tenant to the target NAT gateway;
and a binding record module, configured to record a binding relation if the first tenant allows the binding request of the second tenant, the binding relation indicating that the first tenant is allowed to select the port of the second tenant when configuring an access rule.
In a third aspect, the present invention provides a computer device, including a memory and a processor, where the memory and the processor are communicatively connected to each other, and the memory stores computer instructions, and the processor executes the computer instructions, so as to execute the private network NAT cross-virtual private cloud interconnection access method of the first aspect or any embodiment corresponding to the first aspect.
In a fourth aspect, the present invention provides a computer readable storage medium, where computer instructions are stored on the computer readable storage medium, where the computer instructions are configured to cause a computer to execute a private network NAT cross-virtual private cloud interconnection access method according to the first aspect or any one of the embodiments corresponding to the first aspect.
In a fifth aspect, the present invention provides a computer program product, including computer instructions, where the computer instructions are configured to cause a computer to execute a private network NAT cross-virtual private cloud interconnection access method according to the first aspect or any implementation manner corresponding to the first aspect.
The technical scheme provided by the invention can comprise the following beneficial effects:
The private network NAT cross-virtual private cloud interconnection access method is executed by a target NAT gateway corresponding to a first tenant. The binding request of the second tenant is obtained; it is used to bind the port of the second tenant to the target NAT gateway. The binding request is therefore the first step of cross-tenant access: it lays the foundation for the subsequent SNAT and DNAT operations and enables flexible resource allocation and dynamic network expansion. Because the first tenant must approve the binding request of the second tenant, unauthorized access is avoided and the security of cross-tenant access is ensured. Recording the binding relationship gives the first tenant a basis for selection when configuring access rules. Through the binding relation, the first tenant can select the port of the second tenant when an access rule is configured, so flexible concurrent access across tenants is realized while the security isolation between private clouds is kept, and network performance and scalability are improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a private network NAT cross-virtual private cloud interconnection access method provided by an embodiment of the present invention;
FIG. 2 is a flow diagram of binding a port of a remote VPC to the private network NAT of a local VPC on the control plane, according to an exemplary embodiment;
FIG. 3 is a flowchart of a DNAT implementation method according to an exemplary embodiment;
FIG. 4 is a flowchart illustrating a SNAT implementation method according to an example embodiment;
Fig. 5 is a schematic structural diagram of a private network NAT cross-virtual private cloud interconnection access device according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the "indication" mentioned in the embodiments of the present invention may be a direct indication, an indirect indication, or an indication of an association relationship. For example, "A indicates B" may mean that A directly indicates B (for example, B may be obtained from A); that A indirectly indicates B (for example, A indicates C, and B may be obtained from C); or that A and B have an association relationship.
In the description of the embodiments of the present invention, the term "corresponding" may indicate that there is a direct correspondence or an indirect correspondence between the two, or may indicate that there is an association between the two, or may indicate a relationship between the two and the indicated, configured, etc.
In the embodiment of the present invention, the "predefining" may be implemented by pre-storing corresponding codes, tables or other manners that may be used to indicate relevant information in devices (including, for example, terminal devices and network devices), and the present invention is not limited to the specific implementation manner thereof.
According to an embodiment of the present invention, a private network NAT cross-virtual private cloud interconnection access method embodiment is provided, and it should be noted that, the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different from that illustrated herein.
In this embodiment, a private network NAT cross-virtual private cloud interconnection access method is provided, fig. 1 is a flowchart of a private network NAT cross-virtual private cloud interconnection access method according to an embodiment of the present invention, as shown in fig. 1, the method is executed by a target NAT gateway, where the target NAT gateway corresponds to a first tenant, and the flow of the method includes the following steps:
Step S101, a binding request of a second tenant is obtained, wherein the binding request is used for binding a port of the second tenant to a target NAT gateway.
A NAT (Network Address Translation) gateway is a network device used to translate addresses between private and public networks. NAT allows devices in an internal (private) network to use private IP addresses while communicating with external networks (e.g. the Internet) by translating these private IP addresses to public IP addresses. In this embodiment, the target NAT gateway is the NAT gateway corresponding to the first tenant; it handles the network address translation and access control related to the first tenant.
The target NAT gateway receives the binding request from the second tenant. The binding request is used to bind the port of the second tenant to the target NAT gateway, so that the first tenant can access the second tenant through the target NAT gateway without going through additional network elements or performing complex routing configuration. The first tenant is an independent entity that owns private resources (such as virtual machines, servers and storage) in the network environment. The second tenant is another independent entity, whose resources may be located in a different virtual private cloud. The port of the second tenant is a specific interface used for network communication by the second tenant's private resources.
Step S102, if the first tenant allows the binding request of the second tenant, the binding relationship is recorded, wherein the binding relationship is used for indicating that the first tenant allows to select the port of the second tenant when the access rule is configured.
If the first tenant allows the second tenant's binding request, the target NAT gateway records this binding relationship. The binding relationship is an association or mapping established between the first tenant and the second tenant once the first tenant has allowed the binding request. It indicates that, when an access rule is configured on the target NAT gateway, the first tenant is allowed to select the port of the second tenant as the access target. This provides a secure and controllable channel for cross-tenant communication: which ports can be accessed, and under what authority and conditions, is clearly defined, which helps maintain the security and stability of the network.
In summary, through the binding relationship the first tenant can select the port of the second tenant when configuring an access rule, so flexible concurrent access across tenants is realized while the security isolation between private clouds is maintained, and network performance and scalability are improved.
Optionally, before the step S101, the policy ID is confirmed based on the policy name, the tenant ID, and the target NAT ID. Wherein the policy name is an identifier for identifying the target NAT gateway access policy. The tenant ID is an identifier for uniquely identifying the tenant requesting the binding, ensuring that which tenant initiated the binding request can be accurately identified. The target NAT ID is an identifier for uniquely identifying the target NAT gateway, indicating which NAT gateway is the target of the request binding. The policy ID is a unique identifier generated after verifying and accepting the binding request and represents a record of this binding operation at the policy control level. The implementation mode determines which tenants have permission to bind to the target NAT gateway, and returns a strategy ID to identify the binding operation, so that the security of network resources is ensured.
In an alternative embodiment, the binding request in step S101 includes a local port and a remote NAT identifier.
The local port refers to a specific port that the second tenant wishes to bind to the first tenant NAT gateway. In network communications, a port is a logical address that is used to distinguish between different services and applications. The remote NAT identification is an identifier for uniquely identifying the NAT gateway of the first tenant, including the IP address, name, or other attribute that can uniquely identify the NAT gateway.
In this embodiment, the local port designates a specific port to which the second tenant wants to bind, and the remote NAT identifier is used to uniquely identify the NAT gateway of the first tenant, which is the basis for establishing a private network NAT binding relationship across tenants.
In an alternative embodiment, if the first tenant allows the binding request of the second tenant in step S102, recording the binding relationship includes:
Step S1021, a port binding message is sent to the first tenant, wherein the port binding message comprises a binding task ID and a policy ID.
The binding task ID is a unique identifier that identifies the current binding request and associated process flow. The policy ID is a unique identifier of the private network NAT access policy set by the first tenant. By providing the policy ID, it can be verified whether the binding request of the second tenant complies with the access rules and security policies set by the first tenant. By providing the binding task ID and policy ID, the accuracy of the request is ensured.
Step S1022, receiving a result message returned by the first tenant, wherein the result message comprises an allow/reject instruction and a corresponding reason code.
The allow/reject instruction indicates whether the first tenant agrees to the binding request of the second tenant. If the first tenant rejects the binding request, the reason code will provide the specific reason for the rejection. The second tenant may learn the reason for the rejection according to the reason code and may take corresponding measures to solve the problem or adjust the request. By receiving the permit/reject instruction and the reason code, the validity of the binding relationship can be ensured, and a foundation is provided for subsequent network communication.
As shown in fig. 2, the control-plane process of binding a port of a remote VPC (virtual private cloud) to the private network NAT of a local VPC is as follows:
Tenant A and tenant B are located in two different VPCs. Tenant A owns private network NAT resources. Tenant B invokes the bind-private-network-NAT interface, requesting that a port be bound to tenant A's NAT. The binding interface first verifies the policy and obtains the policy information from tenant A, then judges whether the binding request is legal according to the policy. If verification and judgment pass, tenant A is prompted to accept or reject the port binding to its private network NAT, and if accepted, the binding relationship is recorded. According to the recorded binding relationship, tenant B's port can then be selected when an access rule is configured on tenant A's NAT.
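The control-plane flow above (policy lookup before S101, the binding message and result message of S1021/S1022, and the recorded binding relationship that gates rule configuration in S102), as an added simulation that is not code from the patent. Tenant, NAT and policy names and the reason codes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import itertools

# Constructed reason codes carried in the result message (not from the patent).
REASON_OK = "OK"
REASON_NO_POLICY = "NO_POLICY"                # no policy for (policy name, tenant ID, NAT ID)
REASON_NAT_MISMATCH = "NAT_MISMATCH"          # remote NAT ID in the request is not this gateway
REASON_PORT_NOT_ALLOWED = "PORT_NOT_ALLOWED"  # port outside what the policy permits
REASON_OWNER_REJECTED = "OWNER_REJECTED"      # first tenant returned a reject instruction


@dataclass(frozen=True)
class Policy:
    policy_id: str
    allowed_ports: frozenset   # ports the first tenant permits to be bound

@dataclass(frozen=True)
class BindingRequest:
    requester: str             # second tenant
    local_port: int            # port of the second tenant to bind
    remote_nat_id: str         # identifier of the first tenant's NAT gateway

@dataclass(frozen=True)
class ResultMessage:
    allow: bool                # allow/reject instruction
    reason: str                # reason code
    binding_task_id: int
    policy_id: Optional[str]


class NatGateway:
    """Target NAT gateway owned by the first tenant (control plane only)."""

    def __init__(self, nat_id, owner_tenant):
        self.nat_id = nat_id
        self.owner_tenant = owner_tenant
        self.policies = {}   # (policy name, requesting tenant ID, NAT ID) -> Policy
        self.bindings = {}   # (second tenant, port) -> policy ID: the recorded binding relation
        self._tasks = itertools.count(1)

    def add_policy(self, policy_name, tenant_id, policy):
        self.policies[(policy_name, tenant_id, self.nat_id)] = policy

    def confirm_policy_id(self, policy_name, tenant_id, target_nat_id):
        """Before S101: resolve the policy ID from policy name, tenant ID and target NAT ID."""
        pol = self.policies.get((policy_name, tenant_id, target_nat_id))
        return pol.policy_id if pol else None

    def bind(self, req, policy_name, owner_decision):
        """S101/S102: verify the request against the policy, ask the owner, record on allow.
        owner_decision(binding_task_id, policy_id, req) -> (allow, reason) stands in for the
        port-binding message sent to the first tenant (S1021) and its result message (S1022)."""
        task_id = next(self._tasks)
        if req.remote_nat_id != self.nat_id:
            return ResultMessage(False, REASON_NAT_MISMATCH, task_id, None)
        policy_id = self.confirm_policy_id(policy_name, req.requester, req.remote_nat_id)
        if policy_id is None:
            return ResultMessage(False, REASON_NO_POLICY, task_id, None)
        pol = self.policies[(policy_name, req.requester, req.remote_nat_id)]
        if req.local_port not in pol.allowed_ports:
            return ResultMessage(False, REASON_PORT_NOT_ALLOWED, task_id, policy_id)
        allow, reason = owner_decision(task_id, policy_id, req)
        if not allow:
            return ResultMessage(False, reason or REASON_OWNER_REJECTED, task_id, policy_id)
        self.bindings[(req.requester, req.local_port)] = policy_id
        return ResultMessage(True, REASON_OK, task_id, policy_id)

    def configure_access_rule(self, tenant_id, port):
        """Owner side: only a recorded binding can be chosen as the rule target;
        returns None (refused) when no binding relation exists for that port."""
        if (tenant_id, port) not in self.bindings:
            return None
        return {"target_tenant": tenant_id, "target_port": port,
                "policy_id": self.bindings[(tenant_id, port)]}


def demo():
    """Fig. 2 flow with constructed names: tenant A owns NAT-A, tenant B asks to bind ports."""
    nat_a = NatGateway("NAT-A", "tenant-A")
    nat_a.add_policy("cross-vpc", "tenant-B", Policy("policy-1", frozenset({8080, 8443})))

    def tenant_a_decides(task_id, policy_id, req):
        # Tenant A accepts only port 8080; anything else gets a reject instruction.
        return req.local_port == 8080, REASON_OWNER_REJECTED

    results = [nat_a.bind(BindingRequest(t, p, n), "cross-vpc", tenant_a_decides)
               for t, p, n in [("tenant-B", 8080, "NAT-A"),   # allowed and recorded
                               ("tenant-B", 8443, "NAT-A"),   # policy ok, owner rejects
                               ("tenant-B", 22, "NAT-A"),     # port not in policy
                               ("tenant-C", 8080, "NAT-A"),   # no policy for tenant C
                               ("tenant-B", 8080, "NAT-X")]]  # wrong NAT identifier
    return nat_a, results
```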
In an alternative embodiment, the method further comprises:
Step S201, a first mapping relationship is established, wherein the first mapping relationship is used for indicating mapping of a target port to a first port of a first host, the target port is a port of a second host, and the first host is a host in a private network of a target NAT gateway.
DNAT (destination network address translation) is a technique for translating the destination address of a packet from an external address to an internal address. The first mapping relation is established to guide the forwarding and address translation of packets: it maps the target port (the port of the second host) to the first port of the first host. The first host is a host in the private network of the target NAT gateway; the target port originally belongs to the second host, but after mapping, requests to access that port are redirected to the first port of the first host.
Step S202, a first request message of an access target port is obtained.
A network request is obtained that attempts to access a previously defined destination port.
Step S203, according to the first mapping relationship, the destination address of the first request message is converted to the first port of the first host, so as to forward the request message to the first host.
According to the mapping relation established before, address translation is performed on the acquired request message and the message is forwarded to the correct host. Specifically, the destination address of the request message is modified so that the original destination port (the port of the second host) becomes the first port of the first host, and the modified message is then forwarded to the first host.
For example, as shown in FIG. 3, DNAT rules are established on the private network NAT-A instance, such as mapping the destination port Port-B 8080 to port 8080 of internal host A. Any request attempting to access Port-B 8080 is redirected by the NAT device to port 8080 of internal host A. When host A (or another external host) initiates an access request to Port-B 8080, the request message is obtained by the NAT device. On the NAT-A instance, the destination address of a request message accessing Port-B 8080 is translated to port 8080 of internal host A according to the predefined DNAT rule. NAT-A then forwards the modified message to internal host A to complete the end-to-end access request.
This embodiment is the complete DNAT process: first the mapping relation is established, then the access request is captured, and finally the address is translated and the request forwarded according to the mapping relation. An external user can thus indirectly reach a host in the NAT gateway's private network by accessing a specific external port (the target port), without the real address of the internal host being exposed.
In an alternative implementation manner, the source IP and the source MAC in the outer layer of the first request message are physical network card information of the host sending the first request message, and the source IP and the source MAC in the inner layer of the first request message are gateway information of the subnet of the host sending the first request message.
The first request message is encapsulated into two layers, an outer layer (Underlay header) and an inner layer (Overlay header) during transmission.
The source IP and source MAC of the outer layer (Underlay header) contain the physical network card information of the host that sends the first request message. A physical network card is the physical interface through which a host connects directly to the network; it has a unique MAC address and an IP address that is typically assigned from a subnet. This information is used for routing and forwarding at the network bottom layer (the Underlay network), ensuring that the message reaches the correct next-hop device.
The source IP and source MAC of the inner layer (Overlay header) include gateway information of the subnet where the host sending the first request message is located. In Overlay networks, messages are typically routed through logical gateways, which may not directly correspond to physical network devices. Thus, the source IP and source MAC in the inner header are actually logical representations of the subnet in which the host is located in the Overlay network for routing and forwarding at the Overlay level.
The source IP and source MAC information in the outer-layer Underlay header and inner-layer Overlay header of the request message are important identifiers when the message is transmitted and routed in the network; together they determine how the message is correctly processed and forwarded.
In an alternative embodiment, the method further comprises:
Step S301, a second mapping relation is established, which maps the source address of a third host to an external address.
SNAT (source network address translation) is a technique for translating the source address of a packet from an internal address to an external address. The second mapping relation maps the source address of the third host (an internal host) to an external address. When the third host accesses the external network, its real internal IP address is hidden and replaced by a public or external IP address, which realizes address translation and concealment.
Step S302, a second request message which is initiated by a third host and accesses the external network is obtained.
When the third host needs to access the external network, it sends a second request message. The second request message includes the source IP address and source MAC address of the third host, and the destination IP address and destination MAC address.
Step S303, the source IP and source MAC in the Overlay of the second request message are converted to the external address according to the second mapping relation.
After the request message from the third host is received, the source IP address and source MAC address of its Overlay part are converted to the external address according to the second mapping relation established before. When the request message reaches the external network, the external network sees the converted external address instead of the real internal address of the third host.
Step S304, the converted source address is used, and the virtual link of the host of the tenant where the target NAT gateway is located is encapsulated, so as to forward the second request message.
After the address conversion is completed, the converted request message is packaged with virtual link information of the host of the tenant where the target NAT gateway is located, and the message is forwarded, so that the request message can be ensured to correctly reach the target network or the server through the virtual link.
For example, as shown in FIG. 4, a SNAT rule SNAT-1 is created on the private network NAT-A instance, mapping the source address of internal host B (the third host) to the external address Port-C. Host B initiates a request message to access the Internet. After the message arrives at NAT-A, the source IP and MAC in the Overlay are converted to Port-C according to rule SNAT-1. NAT-A uses the translated source address Port-C, encapsulates the vlan of host A, and sends the message across VPCs. A server on the Internet receives the request with source address Port-C and sends a response. The response message reaches the NAT-A public network interface, which looks up the session table, restores the original Overlay source address, and sends the response to internal host B. Host B receives the SNAT-translated response and completes the access.
This implementation is the SNAT process: it hides and translates the source address when an internal host accesses the external network, and ensures correct forwarding and receipt of the request message.
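A data-plane simulation of both the DNAT flow (steps S201 to S203, FIG. 3) and the SNAT flow with session-table restore (steps S301 to S304, FIG. 4), added here as an example rather than code from the patent. The Underlay/Overlay packet model, all addresses, the vlink tag and the external port pool are constructed; unmapped requests and responses without a session are dropped rather than forwarded.

```python
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    """Encapsulated request: outer Underlay header plus inner Overlay header."""
    outer_src_ip: str     # Underlay: physical NIC IP of the sending host
    outer_src_mac: str    # Underlay: physical NIC MAC of the sending host
    src_ip: str           # Overlay source IP (subnet gateway or logical NIC)
    src_mac: str          # Overlay source MAC
    src_port: int
    dst_ip: str           # Overlay destination IP
    dst_port: int
    vlink: str = ""       # virtual link of the NAT owner's host, set on SNAT egress


class PrivateNat:
    """Private network NAT instance (NAT-A) owned by the first tenant."""

    def __init__(self, external_ip, external_mac, owner_vlink):
        self.external_ip, self.external_mac = external_ip, external_mac
        self.owner_vlink = owner_vlink
        self.dnat = {}      # (target IP, target port) -> (first host IP, first port)
        self.snat = set()   # internal Overlay source IPs that are source-translated
        self.sessions = {}  # external port -> (orig src IP, orig src MAC, orig src port)
        self._ports = itertools.count(10000)   # constructed external port pool

    # DNAT, steps S201 to S203
    def add_dnat(self, target_ip, target_port, first_host_ip, first_port):
        """S201: first mapping relation, target port -> first port of the first host."""
        self.dnat[(target_ip, target_port)] = (first_host_ip, first_port)

    def dnat_forward(self, pkt):
        """S202/S203: rewrite the Overlay destination of a request for a mapped port.
        The Underlay header is left untouched. A request with no mapping is dropped
        (None) rather than forwarded untranslated into the private network."""
        mapped = self.dnat.get((pkt.dst_ip, pkt.dst_port))
        if mapped is None:
            return None
        return replace(pkt, dst_ip=mapped[0], dst_port=mapped[1])

    # SNAT, steps S301 to S304
    def add_snat(self, internal_ip):
        """S301: second mapping relation, internal source -> external address."""
        self.snat.add(internal_ip)

    def snat_egress(self, pkt):
        """S302 to S304: translate the Overlay source to the external address, record
        the session for the reverse path, and encapsulate with the owner's virtual link."""
        if pkt.src_ip not in self.snat:
            return None
        ext_port = next(self._ports)
        self.sessions[ext_port] = (pkt.src_ip, pkt.src_mac, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_mac=self.external_mac,
                       src_port=ext_port, vlink=self.owner_vlink)

    def snat_ingress(self, resp_dst_ip, resp_dst_port, server_ip):
        """Response from the external server: look up the session table and restore the
        original Overlay address of the internal host; unknown sessions are dropped."""
        if resp_dst_ip != self.external_ip:
            return None
        sess = self.sessions.get(resp_dst_port)
        if sess is None:
            return None
        orig_ip, orig_mac, orig_port = sess
        return {"dst_ip": orig_ip, "dst_mac": orig_mac, "dst_port": orig_port,
                "src_ip": server_ip}


def demo():
    """Constructed addresses: DNAT Port-B 8080 -> host A 8080, SNAT for host B."""
    nat = PrivateNat("203.0.113.10", "02:00:00:00:00:c0", "vlink-hostA")
    nat.add_dnat("10.1.0.20", 8080, "10.0.0.5", 8080)   # Port-B 8080 -> internal host A 8080
    nat.add_snat("10.0.0.7")                            # host B, the third host

    # Outer header carries the sender's physical NIC, inner header its subnet gateway.
    req = Packet("192.168.1.11", "02:00:00:00:00:11",
                 "10.1.0.1", "02:00:00:00:00:01", 40000, "10.1.0.20", 8080)
    dnat_out = nat.dnat_forward(req)
    dropped = nat.dnat_forward(replace(req, dst_port=22))   # no DNAT rule for port 22

    egress = nat.snat_egress(Packet("192.168.1.12", "02:00:00:00:00:12",
                                    "10.0.0.7", "02:00:00:00:00:07", 51000,
                                    "198.51.100.1", 443))
    resp = nat.snat_ingress(egress.src_ip, egress.src_port, "198.51.100.1")
    stray = nat.snat_ingress(nat.external_ip, 10001, "198.51.100.1")  # no session
    return dnat_out, dropped, egress, resp, stray
```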
In an alternative implementation manner, the outer layer Underray source address after the second request message is encapsulated is the physical network card information of the third host, and the inner layer Overlay source address is the logical network card information of the third host.
The outer layer Underlay source address is used to identify the physical source of the message in the network. The outer layer underway source address is the physical network card information of the third host. A physical network card is an interface where a host connects directly to a physical network (e.g., ethernet), and its address is typically the unique identity of the host in the physical network.
The Overlay source address is used to logically identify the source of the message. In a cloud environment, overlay networks are typically used to build virtual networks over physical networks to enable VPC interconnection across the physical networks. The Overlay source address of the inner layer is the logic network card information of the third host. The logical network card is a virtual interface of the host in the Overlay network, and its address is allocated inside the Overlay network, so as to logically distinguish between different VPCs and hosts.
The embodiment reflects the address information of the message in the packaging and transmitting process and the effect of the address information on physical and logical network layers, and ensures the safe and efficient transmission of the message between the VPCs.
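The SNAT path described above (steps S303 and S304 and the FIG. 4 scenario), modelled as an added example that is not code from the patent: a toy NAT-A with one SNAT rule, a session table keyed on the translated source and the remote endpoint, and the reverse lookup on the response. All addresses, MACs, the VLAN id of host A and the port allocation scheme are assumptions. The patent does not specify the session-table key or what happens to an inbound packet with no matching session, so the drop in `ingress` is the behaviour a practitioner would expect from such a gateway, not something the document states.

```python
"""Added example (not from the patent): toy SNAT data plane for NAT-A / host B / Port-C.
Addresses, MACs, VLAN id and port allocation are assumed values."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Inner (Overlay) addresses and 5-tuple, plus the outer (Underlay) encapsulation."""
    src_ip: str
    src_mac: str
    src_port: int
    dst_ip: str
    dst_mac: str
    dst_port: int
    underlay_src_ip: Optional[str] = None   # physical NIC of the sending host
    underlay_src_mac: Optional[str] = None
    vlan: Optional[int] = None              # virtual link of the host carrying the gateway


@dataclass(frozen=True)
class SnatRule:
    name: str
    internal_ip: str    # Overlay address of the internal host (host B)
    external_ip: str    # external address (Port-C)
    external_mac: str


SessionKey = Tuple[str, int, str, int]   # (ext_ip, ext_port, remote_ip, remote_port)
Original = Tuple[str, str, int]          # (overlay_ip, overlay_mac, overlay_port)


class NatGateway:
    """Toy NAT-A: SNAT rules, a session table, and the reverse lookup on responses."""

    def __init__(self, host_vlan: int):
        self.host_vlan = host_vlan          # VLAN of host A, where NAT-A is placed (assumed)
        self.rules: List[SnatRule] = []
        self.sessions: Dict[SessionKey, Original] = {}
        self._next_port = 40000             # assumed external port pool start

    def add_snat(self, rule: SnatRule) -> None:
        self.rules.append(rule)

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """Steps S303/S304: rewrite the Overlay source IP and MAC per the matching SNAT
        rule, record the session, and tag the packet with host A's VLAN.  The Underlay
        source (host B's physical NIC) is left as it arrived."""
        rule = next((r for r in self.rules if r.internal_ip == pkt.src_ip), None)
        if rule is None:
            return None                     # no rule: the internal address never leaves
        ext_port = self._next_port
        self._next_port += 1
        self.sessions[(rule.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)] = (
            pkt.src_ip, pkt.src_mac, pkt.src_port)
        return replace(pkt, src_ip=rule.external_ip, src_mac=rule.external_mac,
                       src_port=ext_port, vlan=self.host_vlan)

    def ingress(self, resp: Packet) -> Optional[Packet]:
        """Reverse path on the public interface: the session table restores the original
        Overlay destination.  A packet with no session (including a probe from a remote
        endpoint host B never contacted) is dropped instead of forwarded into the VPC."""
        key = (resp.dst_ip, resp.dst_port, resp.src_ip, resp.src_port)
        orig = self.sessions.get(key)
        if orig is None:
            return None
        ip, mac, port = orig
        return replace(resp, dst_ip=ip, dst_mac=mac, dst_port=port)


def simulate():
    """Host B -> Internet -> host B, plus one unsolicited probe.  All values constructed."""
    nat_a = NatGateway(host_vlan=100)
    nat_a.add_snat(SnatRule("SNAT-1", internal_ip="192.168.1.20",
                            external_ip="203.0.113.7", external_mac="02:00:00:00:0c:01"))
    request = Packet(src_ip="192.168.1.20", src_mac="02:00:00:00:0b:01", src_port=51000,
                     dst_ip="198.51.100.10", dst_mac="02:00:00:00:ee:01", dst_port=443,
                     underlay_src_ip="10.0.0.2", underlay_src_mac="52:54:00:00:00:02")
    out = nat_a.egress(request)
    # The server only ever sees Port-C and replies to it.
    reply = Packet(src_ip=out.dst_ip, src_mac=out.dst_mac, src_port=out.dst_port,
                   dst_ip=out.src_ip, dst_mac=out.src_mac, dst_port=out.src_port)
    restored = nat_a.ingress(reply)
    # Same external IP and port, but from a host that was never contacted: no session.
    probe = replace(reply, src_ip="198.51.100.99")
    return nat_a, out, restored, nat_a.ingress(probe)


if __name__ == "__main__":
    _, out, restored, stray = simulate()
    print("egress :", out.src_ip, out.src_mac, out.src_port, "vlan", out.vlan)
    print("ingress:", restored.dst_ip, restored.dst_mac, restored.dst_port)
    print("probe  :", stray)
```

The check worth carrying over to a real gateway is the last packet: the session table is what turns the public Port-C address back into host B, so a packet that matches only the external IP and port but not the remote endpoint of a recorded session must not be forwarded into the VPC.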
The embodiment of the present invention further provides a private network NAT cross-virtual private cloud interconnection access device, which is used to implement the foregoing embodiments and preferred embodiments and is not described again in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
An embodiment of the present invention provides a private network NAT cross-virtual private cloud interconnection access device, and fig. 5 is a schematic structural diagram of this device, where the device includes:
a request acquisition module 501, configured to acquire a binding request of a second tenant, where the binding request is used to bind a port of the second tenant to a target NAT gateway;
The binding record module 502 is configured to record a binding relationship if the first tenant allows the binding request of the second tenant, where the binding relationship is used to indicate that the first tenant allows to select the port of the second tenant when configuring the access rule.
In an alternative embodiment, the request acquisition module 501 is further configured such that:
the binding request includes a local port and a remote NAT identification.
In an alternative embodiment, the binding record module 502 includes:
a first binding record unit, configured to send a port binding message to the first tenant, where the port binding message includes a binding task ID and a policy ID;
The second binding record unit is used for receiving a result message returned by the first tenant, and the result message comprises an allow/reject instruction and a corresponding reason code.
In an alternative embodiment, the apparatus further comprises a target mapping module, the target mapping module comprising:
a first target mapping unit, configured to establish a first mapping relation, where the first mapping relation indicates the mapping of a target port to a first port of a first host, the target port is a port of a second host, and the first host is a host in the private network of the target NAT gateway;
a second target mapping unit, configured to acquire a first request message that accesses the target port;
and a third target mapping unit, configured to convert the target (destination) address of the first request message to the first port of the first host according to the first mapping relation, so as to forward the request message to the first host.
In an alternative embodiment, the target mapping module is further configured such that:
the source IP and source MAC in the outer layer Underlay header of the first request message are the physical network card information of the host sending the first request message, and the source IP and source MAC in the inner layer Overlay header of the first request message are the gateway information of the subnet of the host sending the first request message.
In an alternative embodiment, the apparatus further comprises a source mapping module comprising:
a first source mapping unit, configured to establish a second mapping relation, where the second mapping relation maps the source address of the third host to an external address;
The second source mapping unit is used for acquiring a second request message which is initiated by the third host and accesses the external network;
a third source mapping unit, configured to convert the source IP and source MAC in the Overlay of the second request message to the external address according to the second mapping relation;
And the fourth source mapping unit is used for using the converted source address and encapsulating a virtual link of a host of the tenant where the target NAT gateway is located so as to forward the second request message.
In an alternative embodiment, the source mapping module is further configured to:
the outer layer Underlay source address of the encapsulated second request message is the physical network card information of the third host, and the inner layer Overlay source address is the logical network card information of the third host.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
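The binding workflow of modules 501 and 502 (and of claims 1 to 3), as an added example rather than the patent's own code. The message fields follow the text: local port and remote NAT identification in the request, binding task ID and policy ID in the port binding message, allow/reject and reason code in the result. The reason-code strings, the owner's allowlist policy, the task ID format and the synchronous call standing in for the message round trip are assumptions.

```python
"""Added example (not from the patent): control-plane model of the binding request,
the owner's allow/reject answer, and the port check when an access rule is configured.
Reason codes, the allowlist policy and the synchronous approver call are assumed."""
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class BindingRequest:
    """From the second tenant: the local port it offers and the NAT it targets (claim 2)."""
    tenant: str
    local_port: str
    remote_nat_id: str


@dataclass(frozen=True)
class PortBindingMessage:
    """Gateway -> first tenant (claim 3): carries a binding task ID and a policy ID."""
    binding_task_id: str
    policy_id: str
    requesting_tenant: str
    port: str


@dataclass(frozen=True)
class ResultMessage:
    """First tenant -> gateway: allow/reject plus a reason code."""
    binding_task_id: str
    allow: bool
    reason_code: str


Approver = Callable[[PortBindingMessage], ResultMessage]


class NatGateway:
    """Records a binding only after the owning (first) tenant approved it, and lets
    access rules reference only recorded ports."""

    def __init__(self, nat_id: str, owner_tenant: str, approver: Approver):
        self.nat_id = nat_id
        self.owner = owner_tenant
        self.approver = approver                 # stand-in for the message round trip
        self.bindings: Dict[str, str] = {}       # port -> tenant that offered it
        self.access_rules: Dict[str, str] = {}   # port -> internal host the rule forwards to
        self._tasks = itertools.count(1)

    def handle_binding_request(self, req: BindingRequest) -> ResultMessage:
        if req.remote_nat_id != self.nat_id:
            # A request addressed to another NAT must not create a binding here.
            return ResultMessage("", False, "NAT_ID_MISMATCH")
        task_id = f"bind-{next(self._tasks)}"
        msg = PortBindingMessage(task_id, policy_id="cross-vpc-port-binding",
                                 requesting_tenant=req.tenant, port=req.local_port)
        result = self.approver(msg)
        # Only a result that echoes the task ID we issued counts as the owner's answer.
        if result.binding_task_id != task_id:
            return ResultMessage(task_id, False, "TASK_ID_MISMATCH")
        if result.allow:
            self.bindings[req.local_port] = req.tenant
        return result

    def configure_access_rule(self, acting_tenant: str, port: str,
                              internal_host: str) -> Tuple[bool, str]:
        """The first tenant may only select ports whose binding it has approved."""
        if acting_tenant != self.owner:
            return False, "NOT_GATEWAY_OWNER"
        if port not in self.bindings:
            return False, "PORT_NOT_BOUND"        # unbound or rejected ports are not selectable
        self.access_rules[port] = internal_host
        return True, "OK"


def make_approver(allowed_tenants: Set[str]) -> Approver:
    """First tenant's decision policy, assumed here to be an allowlist of peer tenants."""
    def approve(msg: PortBindingMessage) -> ResultMessage:
        if msg.requesting_tenant in allowed_tenants:
            return ResultMessage(msg.binding_task_id, True, "OK")
        return ResultMessage(msg.binding_task_id, False, "TENANT_NOT_ALLOWED")
    return approve


def simulate():
    """Constructed scenario: tenant-1 owns nat-a and trusts tenant-2 only."""
    gw = NatGateway("nat-a", owner_tenant="tenant-1", approver=make_approver({"tenant-2"}))
    ok = gw.handle_binding_request(BindingRequest("tenant-2", "port-b", "nat-a"))
    rejected = gw.handle_binding_request(BindingRequest("tenant-3", "port-x", "nat-a"))
    wrong_nat = gw.handle_binding_request(BindingRequest("tenant-2", "port-y", "nat-z"))
    rule_ok = gw.configure_access_rule("tenant-1", "port-b", "host-a")
    rule_unbound = gw.configure_access_rule("tenant-1", "port-x", "host-a")
    rule_not_owner = gw.configure_access_rule("tenant-2", "port-b", "host-a")
    return gw, ok, rejected, wrong_nat, rule_ok, rule_unbound, rule_not_owner


if __name__ == "__main__":
    gw, *results = simulate()
    for r in results:
        print(r)
    print("bindings:", gw.bindings, "rules:", gw.access_rules)
```

The point of the check in `configure_access_rule` is that consent flows in one direction only: the tenant offering the port asks, the gateway owner answers, and a rule can reference the port only once that answer has been recorded against this gateway's own task ID. A request naming a different NAT, or a result that does not echo the issued task ID, records nothing.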
The private network NAT cross-virtual private cloud interconnection access device in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and a memory that execute one or more software or firmware programs, and/or other devices that can provide the above functions.
The embodiment of the invention also provides a computer device, which is provided with the private network NAT cross-virtual private cloud interconnection access device shown in the figure 5.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention. As shown in fig. 6, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the components, including a high-speed interface and a low-speed interface. The components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information for a graphical user interface on an external input/output device, such as a display device coupled to an interface. In an alternative embodiment, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 6.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
Wherein the memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform a method for implementing the embodiments described above.
The memory 20 may include a storage program area that may store an operating system, application programs required for at least one function, and a storage data area that may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In an alternative embodiment, memory 20 may optionally include memory located remotely from processor 10, such remote memory being connectable to the computer device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The memory 20 may comprise volatile memory, such as random access memory, or nonvolatile memory, such as flash memory, hard disk or solid state disk, or the memory 20 may comprise a combination of the above types of memory.
The computer device further comprises an input device 30 and an output device 40. The processor 10, memory 20, input device 30, and output device 40 may be connected by a bus or by other means; connection by a bus is shown in fig. 6.
The embodiments of the present invention also provide a computer-readable storage medium. The method according to the embodiments described above may be implemented in hardware or firmware, or as computer code that is recorded on a storage medium, or that is originally stored on a remote storage medium or a non-transitory machine-readable storage medium, downloaded through a network and stored on a local storage medium, so that the method described herein can be carried out by software stored on such a storage medium using a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware. The storage medium may be a magnetic disk, an optical disk, a read-only memory, a random-access memory, a flash memory, a hard disk, a solid state disk, or the like, and may further include a combination of the above types of memory. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Portions of the present invention may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or aspects in accordance with the present invention by way of operation of the computer. Those skilled in the art will appreciate that the existence of computer program instructions in a computer-readable medium includes, but is not limited to, source files, executable files, installation package files, and the like, and accordingly, the manner in which computer program instructions are executed by a computer includes, but is not limited to, the computer directly executing the instructions, or the computer compiling the instructions and then executing the corresponding compiled programs, or the computer reading and executing the instructions, or the computer reading and installing the instructions and then executing the corresponding installed programs. Herein, a computer-readable medium may be any available computer-readable storage medium or communication medium that can be accessed by a computer.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.
Claims (10)
1. A private network NAT cross-virtual private cloud interconnection access method is characterized in that the method is executed by a target NAT gateway, the target NAT gateway corresponds to a first tenant, and the method comprises the following steps:
obtaining a binding request of a second tenant, wherein the binding request is used for binding a port of the second tenant to the target NAT gateway;
and if the first tenant allows the binding request of the second tenant, recording a binding relationship, wherein the binding relationship is used for indicating that the first tenant allows to select the port of the second tenant when the access rule is configured.
2. The method of claim 1, wherein the binding request includes a local port and a remote NAT identification.
3. The method of claim 2, wherein recording the binding relationship if the first tenant allows the binding request of the second tenant comprises:
Sending a port binding message to the first tenant, wherein the port binding message comprises a binding task ID and a policy ID;
And receiving a result message returned by the first tenant, wherein the result message comprises an allowing/rejecting instruction and a corresponding reason code.
4. A method according to any one of claims 1 to 3, wherein the method further comprises:
Establishing a first mapping relation, wherein the first mapping relation is used for indicating the mapping of a target port to a first port of a first host, the target port is a port of a second host, and the first host is a host in the private network of the target NAT gateway;
acquiring a first request message for accessing the target port;
And according to the first mapping relation, converting the target address of the first request message to a first port of the first host so as to forward the request message to the first host.
5. The method of claim 4, wherein the source IP and the source MAC in the outer layer of the first request message are physical network card information of the host sending the first request message, and the source IP and the source MAC in the inner layer of the first request message are gateway information of a subnet of the host sending the first request message.
6. A method according to any one of claims 1 to 3, wherein the method further comprises:
Establishing a second mapping relation, wherein the second mapping relation is used for mapping the source address of a third host to an external address;
Acquiring a second request message which is initiated by a third host and accesses an external network;
Converting the source IP and the source MAC in the Overlay of the second request message to the external address according to the second mapping relation;
And using the converted source address, and packaging a virtual link of a host of the tenant where the target NAT gateway is located so as to forward the second request message.
7. The method of claim 6, wherein the second request packet has an outer layer Underlay source address that is physical network card information of the third host, and an inner layer Overlay source address that is logical network card information of the third host.
8. A private network NAT cross-virtual private cloud interconnection access device, the device comprising:
a request acquisition module, configured to acquire a binding request of a second tenant, wherein the binding request is used for binding a port of the second tenant to the target NAT gateway;
and the binding record module is used for recording a binding relation if the first tenant allows the binding request of the second tenant, wherein the binding relation is used for indicating that the first tenant allows to select the port of the second tenant when the access rule is configured.
9. A computer device, comprising a memory and a processor that are communicatively connected, wherein the memory stores computer instructions and the processor executes the computer instructions so as to perform the private network NAT cross-virtual private cloud interconnection access method according to any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon computer instructions for causing a computer to perform the private network NAT cross-virtual private cloud interconnection access method of any of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411798979.1A CN119892399A (en) | 2024-12-06 | 2024-12-06 | Private network NAT (network Address translation) cross-virtual private cloud interconnection access method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119892399A true CN119892399A (en) | 2025-04-25 |
Family
ID=95433985
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411798979.1A Pending CN119892399A (en) | 2024-12-06 | 2024-12-06 | Private network NAT (network Address translation) cross-virtual private cloud interconnection access method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119892399A (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7411917B1 (en) * | 2003-03-26 | 2008-08-12 | Network Equipment Technologies, Inc. | Method and system for providing registration-based SIP NAT traversal |
| CN111327720A (en) * | 2020-02-21 | 2020-06-23 | 北京百度网讯科技有限公司 | Network address conversion method, device, gateway equipment and storage medium |
| CN114884653A (en) * | 2022-04-02 | 2022-08-09 | 华南理工大学 | Multi-tenant oriented cross-tenant access method, system, device and medium |
| CN115499434A (en) * | 2022-07-29 | 2022-12-20 | 天翼云科技有限公司 | Cross-VPC flow forwarding method |
| CN117880257A (en) * | 2023-12-14 | 2024-04-12 | 天翼云科技有限公司 | Method and system for solving continuous delivery on cloud of cross-tenant VPC |
| WO2024078427A1 (en) * | 2022-10-09 | 2024-04-18 | 华为云计算技术有限公司 | Serverless function configuration system, method and apparatus |
| CN118300981A (en) * | 2022-12-28 | 2024-07-05 | 华为云计算技术有限公司 | A network address translation gateway configuration method and cloud management platform |
Similar Documents
| Publication | Title |
|---|---|
| US11470001B2 (en) | Multi-account gateway |
| US20160226815A1 (en) | System and method for communicating in an ssl vpn |
| JP2022079638A (en) | Virtual network verification service |
| US11722565B1 (en) | System and method for non-disruptive migration of software components to a public cloud system |
| US9705844B2 (en) | Address management in a connectivity platform |
| WO2020180776A1 (en) | Network access controller operation |
| CN113364660B (en) | Data packet processing method and device in LVS load balancing |
| US20250088561A1 (en) | Method for Communication Between Public Cloud-Based VPCS and Related Product |
| CN118300981A (en) | A network address translation gateway configuration method and cloud management platform |
| CN114095556B (en) | Home private cloud construction method and private cloud system |
| CN118784565A (en) | A communication method and device between cloud platform virtual private networks |
| CN110324244B (en) | Routing method based on Linux virtual server and server |
| CN105939316A (en) | Message forwarding method and device |
| US20250193081A1 (en) | Virtual Instance Creation Method Based on Cloud Computing Technology and Cloud Management Platform |
| CN118368243B (en) | Method, device, equipment, storage medium and program product for realizing traffic scheduling |
| CN119892399A (en) | Private network NAT (network Address translation) cross-virtual private cloud interconnection access method and device |
| US7536479B2 (en) | Local and remote network based management of an operating system-independent processor |
| US10505892B2 (en) | Method for transmitting at least one IP data packet, related system and computer program product |
| CN113595848B (en) | Communication tunnel establishing method, device, equipment and storage medium |
| CN117792985A (en) | Data communication method, device, data processor and computer storage medium |
| CN117176673A (en) | Method, system, device and computer equipment for realizing peer-to-peer connection between subnets |
| CN113923149B (en) | Network access method, device, network system, electronic equipment and storage medium |
| CN115665167B (en) | Method for building an intelligent Internet of Things system based on peer-to-peer network and related equipment |
| CN118118532B (en) | Communication method and device |
| CN111510511A (en) | Data reporting network creating method, data reporting method and related equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |