
WO2021136311A1 - Method and device for communication between vpcs - Google Patents


Info

Publication number
WO2021136311A1
WO2021136311A1 (PCT application PCT/CN2020/141106)
Authority
WO
WIPO (PCT)
Prior art keywords
virtual machine
message
vpc
network
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2020/141106
Other languages
French (fr)
Chinese (zh)
Inventor
赵海飞
梁中校
熊皓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of WO2021136311A1
Anticipated expiration
Ceased (current legal status)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L12/462 LAN interconnection over a bridge based backbone
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions

Definitions

  • This application relates to the field of communication technology, and in particular to a communication method and device between VPCs.
  • Cloud computing is a network application model that developed out of distributed processing, parallel processing and grid computing. It automatically splits a huge computing task into countless smaller sub-programs over the network and hands them to a huge system composed of multiple servers, which returns the processing results to the user after computation and analysis.
  • A virtual private cloud is the collective name for a set of resources such as hardware, software and network that is built separately for an enterprise and managed as a unit.
  • An enterprise can apply for public cloud resources belonging to the enterprise on the public cloud platform, and create one or more virtual private clouds belonging to the enterprise within those resources to allocate to different departments or groups.
  • Each virtual private cloud is an isolated and private virtual network.
  • VPC: virtual private cloud
  • This application provides a communication method and device between VPCs, so as to provide a new way of implementing communication between VPCs.
  • the present application provides a communication method between VPCs.
  • the method is applied to a bridged virtual machine.
  • the bridged virtual machine includes a first network card bound to a first VPC and a second network card bound to a second VPC.
  • the method includes:
  • the bridged virtual machine receives, via the first network card, a first packet sent by a first virtual machine in the first VPC to a second virtual machine in the second VPC, performs network function processing on the packet, and sends the first packet after network function processing to the second VPC via the second network card.
  • a new communication method between VPCs is thereby realized, which avoids the current situation in which VPCs can only communicate through the establishment of a virtual private network or a dedicated line, and simplifies the communication process between different VPCs.
  • various network functions can also be set on the bridged virtual machine.
  • the network function can be address translation, routing, firewall filtering, etc. Therefore, in addition to bridging data transmission between VPCs, the bridged virtual machine in the embodiments of the present application can also apply multiple network functions to the data.
  • the data processing functions are thus more complete and applicable to a wider range of scenarios. Further, if firewall filtering is configured on the bridged virtual machine, the security of communication between VPCs can also be improved.
  • the first network card is provided with a first private network address of the first VPC, and the second network card is provided with a second private network address of the second VPC.
  • when the bridged virtual machine receives from the first network card a first packet sent by the first virtual machine in the first VPC to the second virtual machine in the second VPC, the source IP address of the first packet is the private network address of the first virtual machine in the first VPC, and the destination IP address is the first private network address;
  • when the bridged virtual machine performs network function processing on the first packet and sends the processed first packet to the second VPC through the second network card, this includes: the bridged virtual machine modifies the source IP address of the first packet to the second private network address, modifies the destination IP address of the first packet to the private network address of the second virtual machine in the second VPC, and sends the modified first packet to the second VPC through the second network card.
  • address translation rules can be set on the bridged virtual machine.
  • the bridged virtual machine can perform address translation on the first packet from the first virtual machine and send it to the second VPC.
  • when the first virtual machine sends a packet to the second virtual machine, the packet can be sent directly to the bridged virtual machine without being forwarded through a router, which shortens the transmission delay of the packet and saves resource overhead.
  • when the bridged virtual machine receives the first packet from the first network card, its source IP address is the private network address of the first virtual machine in the first VPC and its destination IP address is the private network address of the second virtual machine in the second VPC;
  • the bridged virtual machine performs network function processing on the first packet and sends the processed first packet to the second VPC through the second network card, which includes: the bridged virtual machine selects the second network card according to the destination IP address of the first packet, and sends the first packet to the second VPC through the second network card.
  • a routing function can be set on the bridged virtual machine.
  • a communication path between VPCs can be set by a custom route, which simplifies the communication process and offers high flexibility.
  • the bridged virtual machine performs network function processing on the first packet and sends the processed first packet to the second VPC through the second network card, which includes: the bridged virtual machine judges whether the first packet meets the preset firewall rules; if so, it sends the first packet processed by the network function to the second VPC through the second network card, and if not, the first packet is not sent.
  • this application provides a method for setting up communication between VPCs, including: creating a bridged virtual machine provided with a first network card and a second network card; binding the first network card to the first VPC and the second network card to the second VPC, wherein the bridged virtual machine is used to perform network function processing on packets sent from the first VPC to the second VPC via the first network card, and to perform network function processing on packets sent from the second VPC to the first VPC via the second network card.
  • the network function processing includes one or any combination of network address translation NAT, routing, and firewall filtering.
  • the present application also provides a communication system, including a first virtual machine in a first VPC, a second virtual machine in a second VPC, and a bridge virtual machine;
  • the first virtual machine is used to send a first message
  • the bridged virtual machine is configured to receive, from the first network card, a first packet sent by a first virtual machine in the first VPC to a second virtual machine in the second VPC, perform network function processing on the first packet, and send the processed first packet to the second VPC through the second network card.
  • the second virtual machine is configured to receive the first packet processed by the network function from the bridged virtual machine.
  • the first network card of the bridged virtual machine is set with a first private network address of the first VPC, and the second network card is set with a second private network address of the second VPC.
  • when the bridged virtual machine receives from the first network card the first packet sent by the first virtual machine in the first VPC to the second virtual machine in the second VPC, it is specifically used for: receiving the first packet from the first network card, where the source IP address of the first packet is the private network address of the first virtual machine in the first VPC and the destination IP address is the first private network address;
  • when the bridged virtual machine performs network function processing on the first packet and sends the processed first packet to the second VPC through the second network card, it is specifically used for: modifying the source IP address of the first packet to the second private network address, modifying the destination IP address of the first packet to the private network address of the second virtual machine in the second VPC, and sending the modified first packet to the second VPC through the second network card.
  • in another implementation, when the bridged virtual machine receives from the first network card the first packet sent by the first virtual machine in the first VPC to the second virtual machine in the second VPC, it is specifically used for: receiving the first packet from the first network card, where the source IP address of the first packet is the private network address of the first virtual machine in the first VPC and the destination IP address is the private network address of the second virtual machine in the second VPC;
  • when the bridged virtual machine performs network function processing on the first packet and sends the processed first packet to the second VPC through the second network card, it is specifically used for: selecting the second network card according to the destination IP address of the first packet, and sending the first packet to the second VPC through the second network card.
  • when the bridged virtual machine performs network function processing on the first packet and sends the processed first packet to the second VPC through the second network card, it is specifically used for: determining whether the first packet meets the preset firewall rules, and if so, sending the first packet processed by the network function to the second VPC.
  • the present application provides a communication device suitable for a first computing node or a chip in the first computing node, and includes a unit or means for executing each step of the above first aspect or second aspect.
  • the present application provides a communication device suitable for terminal equipment or a chip in the terminal equipment, including at least one processing element and at least one storage element, wherein the at least one storage element is used to store programs and data, and the at least one processing element is used to execute the method provided in the first aspect or the second aspect of the present application.
  • the present application provides a communication device including at least one processing element (or chip) for executing the method of the above first aspect or second aspect.
  • the present application provides a computer program product, the computer program product includes a computer program, and when the computer program is executed by a computer, the computer is caused to execute the method in any of the above aspects.
  • the present application provides a computer-readable storage medium that stores a computer program, and when the computer program is executed by a computer, the computer executes the method in any of the above aspects.
  • FIG. 1 is a first schematic diagram of a communication system provided by this application.
  • FIG. 2 is a second schematic diagram of a communication system provided by this application.
  • FIG. 3 is a third schematic diagram of a communication system provided by this application.
  • FIG. 4 is a fourth schematic diagram of a communication system provided by this application.
  • FIG. 5 is a fifth schematic diagram of a communication system provided by this application.
  • FIG. 6 is a sixth schematic diagram of a communication system provided by this application.
  • FIG. 7 is a specific example of a communication system provided by this application.
  • FIG. 8 is a flowchart of a method for creating a bridged virtual machine provided by the present application.
  • FIG. 9 is a flowchart of a communication method between VPCs provided by the present application.
  • FIG. 10 is a schematic diagram of a bridged virtual machine device according to an embodiment of the application.
  • FIG. 11 is a schematic diagram of a configuration device provided by an embodiment of the application.
  • FIG. 1 shows a communication system 100 deployed in a cloud data center to which this application may be applicable.
  • the communication system 100 includes a controller, a virtual private cloud VPC1 and a virtual private cloud VPC2, where the controller is used to configure the virtual private cloud VPC1 and the virtual private cloud VPC2.
  • the virtual private cloud VPC1 includes at least two virtual machines, VM1 and VM2, and the virtual private cloud VPC2 includes at least two virtual machines, VM4 and VM5.
  • the communication system also includes at least one bridged virtual machine VM3, which can be created in the virtual private cloud VPC1 or in the virtual private cloud VPC2.
  • users can deploy virtual private clouds from the user interface provided by the SDN controller.
  • in this virtual private cloud, users can customize network segments, divide subnets, create various virtual devices such as virtual machines, virtual routers and virtual switches, and assign IP addresses to each virtual device.
  • the network segment of the virtual private cloud VPC1 is 192.168.0.0/16
  • the virtual private cloud VPC1 includes router 1 and subnet 1.
  • Subnet 1 has the same network segment as the virtual private cloud VPC1; subnet 1 contains VM1, VM2 and switch 1, and the network cards of VM1 and VM2 are connected to switch 1.
  • the IP address of VM1 is 192.168.0.2
  • the IP address of VM2 is 192.168.0.3
  • the IP address of switch 1 is 192.168.0.13.
  • the network segment of virtual private cloud VPC2 is 10.0.0.0/16.
  • Virtual private cloud VPC2 includes subnet 2 and router 2.
  • Subnet 2 has the same network segment as virtual private cloud VPC2.
  • Subnet 2 contains VM4, VM5, and switch 2.
  • the network cards of VM4 and VM5 are connected to switch 2.
  • the IP address of VM4 is 10.0.0.2
  • the IP address of VM5 is 10.0.0.3
  • the IP address of switch 2 is 10.0.0.13.
  • the number under each virtual machine icon represents the network card identifier of the virtual machine. For example, the network card identifier of VM1 is 9, the network card identifier of VM2 is 8, and so on.
  • the bridge virtual machine VM3 is created in the virtual private cloud VPC1.
  • the VM3 has two network cards, for example, it can be named network card 1 and network card 2.
  • network card 1 is connected to switch 1
  • network card 2 is connected to switch 2
  • the IP address assigned to network card 1 is 192.168.0.4
  • the IP address assigned to network card 2 is 10.0.0.4.
  • routers are used to implement data transmission between subnets of different network segments.
  • router 1 is used to forward packets from VM1 in subnet 1 to VM4 in subnet 2 via router 2, on the premise that a tunnel or dedicated line has been established between router 1 and router 2 (the cross-VPC communication method introduced in the background art of this application). The cross-VPC communication proposed in this application is implemented in the communication system shown in FIG. 1 by the bridged virtual machine VM3, which implements the communication between VPC1 and VPC2 as follows:
  • network card 1 of VM3 can be bound to any virtual machine in VPC1 or VPC2. After network card 1 of VM3 receives a packet, the received packet can be forwarded to the virtual machine bound to network card 1.
  • network card 2 of VM3 can likewise be bound to any virtual machine in VPC1 or VPC2. When network card 2 of VM3 receives a packet, it can forward the received packet to the virtual machine bound to network card 2.
  • the address translation function is deployed on VM3, and the address mapping rule set on VM3 is a one-to-one mapping between the IP address of network card 1 and the IP address of VM4, and a one-to-one mapping between the IP address of network card 2 and the IP address of VM2.
  • the rule set for the virtual machines in VPC1 is that when the destination of a packet is a virtual machine in VPC2, the packet is sent to network card 1 of VM3, that is, the destination IP address of the packet is the IP address of network card 1.
  • VM1 sends the message to NIC 1 of VM3;
  • when VM1 wants to send a packet to a virtual machine in VPC2, it sends the packet to network card 1 of VM3 according to a specific rule configured by the user; the rule can be configured by the SDN controller. The SDN controller can also configure other rules in response to user operation instructions. For example, when a virtual machine in VPC2 sends a packet to a virtual machine in VPC1, the packet is sent to network card 2 of VM3, and network card 2 forwards the received packet to VM2, which is bound to network card 2.
  • the network card 1 of VM3 receives the message from VM1;
  • VM3 processes the message, and sends the processed message to VM4 through the network card 2.
  • VM4 receives the message from the network card 2.
  • VM4 can also send the packet to any virtual machine in VPC2.
  • for example, VM4 forwards the packet from network card 1 to other virtual machines in VPC2, such as the virtual machines in the same subnet or all virtual machines in VPC2, or it may not forward it to any virtual machine.
  • the packet sent by VM1 may include two parts, namely a header part and a data part.
  • the header part can include the source IP address and the destination IP address.
  • the entire data processing flow may include:
  • VM1 sends the message to NIC 1 of VM3;
  • the source IP address of message 1 is the IP address of VM1 (the IP address in VPC1), that is, 192.168.0.2, and the destination IP address is the IP address of VM3's network card 1, that is, 192.168.0.4.
  • the network card 1 of VM3 receives the message from VM1;
  • VM3 performs network function processing on the packet and sends the processed packet to VM4 through network card 2.
  • VM3 modifies the source IP address of the received packet to the IP address of network card 2, namely 10.10.0.4, and modifies the destination IP address to the IP address of VM4 (the IP address in VPC2), namely 10.10.0.2.
  • the above network function processing is network address translation (NAT).
  • the address translation in the data sending process can be called DNAT.
  • the address translation in the data receiving process can be called SNAT.
  • the following describes the case where a virtual machine in VPC2 sends to a virtual machine in VPC1.
  • VM4 wants to send a packet to VM2.
  • VM4 first sends the packet to network card 2 of VM3 (the source IP address of the packet is the IP address of VM4, and the destination IP address is the IP address of network card 2).
  • VM3 can also perform backhaul address translation on the packet, for example, modifying the source IP address of the packet to the IP address of network card 1 and modifying the destination IP address to the IP address of VM2.
  • the following describes the data transmission process of sending packets from VM4 in VPC2 to VM2 in VPC1:
  • VM4 sends packet 1 to network card 2 of VM3;
  • the source IP address of the packet sent by VM4 is the IP address of VM4 (10.0.0.2), and the destination IP address is the IP address of network card 2 of VM3 (10.0.0.4).
  • VM3 receives the packet from VM4 on network card 2, processes the packet based on the address mapping rules to obtain packet 2, and sends the processed packet 2 to VM2 through network card 1.
  • the specific processing is that, since the IP address of network card 2 is mapped to the IP address of VM2, VM3 modifies the destination IP address of the received packet 1 (the IP address of network card 2) to the address mapped to network card 2, obtaining packet 2; that is, the destination IP address of packet 2 is the IP address of VM2 (192.168.0.3).
  • VM2 receives packet 2 sent by network card 1.
  • when DNAT and SNAT are set on VM3 at the same time, this can also be called FULLNAT. It should be understood that only DNAT, or only SNAT, may be set on VM3.
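The forward (VM1 to VM4) and backhaul (VM4 to VM2) FULLNAT flows described above, modelled as an added Python example. This is not code from the patent or from Huawei; it is a simulation of the bridged virtual machine's address rewriting. The addresses (network card 1 = 192.168.0.4, network card 2 = 10.0.0.4, VM1 = 192.168.0.2, VM2 = 192.168.0.3, VM4 = 10.0.0.2) and the one-to-one mapping (network card 1 to VM4, network card 2 to VM2) are taken from the FIG. 1 description; the class and function names are my own. The example also shows the edge case the text leaves implicit: a packet arriving on a bridge NIC that is not addressed to that NIC has no mapping and is dropped and logged rather than forwarded.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal IPv4 packet model: only the header fields the bridge rewrites."""
    src: str
    dst: str
    payload: bytes = b""


@dataclass(frozen=True)
class Nic:
    name: str  # e.g. "nic1" (hypothetical name)
    ip: str    # private address inside the VPC the NIC is bound to
    vpc: str   # VPC the NIC is bound to


class FullNatBridge:
    """Two-NIC bridged VM applying FULLNAT (DNAT + SNAT) with one-to-one mappings.

    `mapping` maps a NIC's own IP to the peer VM behind that NIC in the *other* VPC
    (page: network card 1 <-> VM4, network card 2 <-> VM2). A packet addressed to a
    NIC is rewritten: destination -> mapped peer VM (DNAT), source -> egress NIC
    address (SNAT), so the reply naturally returns through the bridge.
    """

    def __init__(self, nic1: Nic, nic2: Nic, mapping: Dict[str, str]) -> None:
        self.nics = {nic1.name: nic1, nic2.name: nic2}
        self.peer_nic = {nic1.name: nic2.name, nic2.name: nic1.name}
        self.mapping = mapping
        self.log: List[str] = []  # one line per decision, for audit

    def process(self, ingress: str, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        """Return (egress NIC name, rewritten packet), or None if the packet is dropped."""
        nic_in = self.nics[ingress]
        if pkt.dst != nic_in.ip:
            # Only flows explicitly addressed to the bridge NIC have a mapping;
            # anything else arriving on the NIC is not a bridge flow and is dropped.
            self.log.append(f"drop in={ingress} {pkt.src}->{pkt.dst}: not addressed to bridge NIC")
            return None
        egress = self.peer_nic[ingress]
        nic_out = self.nics[egress]
        translated = replace(pkt, src=nic_out.ip, dst=self.mapping[nic_in.ip])
        self.log.append(
            f"fullnat in={ingress} out={egress} {pkt.src}->{pkt.dst} => {translated.src}->{translated.dst}"
        )
        return egress, translated


# Addresses from the patent's FIG. 1 example.
NIC1 = Nic("nic1", "192.168.0.4", "VPC1")
NIC2 = Nic("nic2", "10.0.0.4", "VPC2")
VM1, VM2, VM4 = "192.168.0.2", "192.168.0.3", "10.0.0.2"
MAPPING = {NIC1.ip: VM4, NIC2.ip: VM2}  # network card 1 <-> VM4, network card 2 <-> VM2


def forward_vm1_to_vm4() -> Optional[Tuple[str, Packet]]:
    """VM1 -> network card 1 -> (DNAT + SNAT) -> VM4 via network card 2."""
    bridge = FullNatBridge(NIC1, NIC2, MAPPING)
    return bridge.process("nic1", Packet(src=VM1, dst=NIC1.ip, payload=b"hello"))


def backhaul_vm4_to_vm2() -> Optional[Tuple[str, Packet]]:
    """VM4 -> network card 2 -> (backhaul translation) -> VM2 via network card 1."""
    bridge = FullNatBridge(NIC1, NIC2, MAPPING)
    return bridge.process("nic2", Packet(src=VM4, dst=NIC2.ip, payload=b"reply"))


def stray_packet_is_dropped() -> Optional[Tuple[str, Packet]]:
    """A packet arriving on network card 1 that is not addressed to it is not bridged."""
    bridge = FullNatBridge(NIC1, NIC2, MAPPING)
    return bridge.process("nic1", Packet(src=VM1, dst=VM4))


if __name__ == "__main__":
    bridge = FullNatBridge(NIC1, NIC2, MAPPING)
    bridge.process("nic1", Packet(src=VM1, dst=NIC1.ip))
    bridge.process("nic2", Packet(src=VM4, dst=NIC2.ip))
    bridge.process("nic1", Packet(src=VM1, dst=VM4))
    print("\n".join(bridge.log))
```

Because the SNAT step replaces the original source with the bridge's own address, VM4 never sees VM1's address; the per-decision log is the only place the original source survives, which is why a real deployment should keep such a translation log for incident reconstruction.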
  • this application provides a new way of cross-VPC communication.
  • the cross-VPC communication provided by this application can also be implemented in conjunction with routers.
  • another communication system 200 deployed in a cloud data center is provided by this application. The virtual devices included in communication system 200 are the same as those in communication system 100, and the IP address of each virtual device is the same.
  • network card 1 of the bridged virtual machine VM3 is not connected to switch 1 but to router 1, and network card 2 of VM3 is connected to router 2.
  • the destination IP address of the message sent by the virtual machine in VPC1 is the IP address of the destination end of the message.
  • the following describes the entire data processing process when VM1 sends a message to virtual machine VM4 in VPC2:
  • VM1 sends the message to switch 1;
  • the source IP address of the message sent by VM1 is the IP address of VM1, and the destination IP address is the IP address of VM4.
  • Switch 1 sends the received message from VM1 to router 1;
  • the source IP address of the packet sent by VM1 can be the IP address of VM1 (192.168.0.2), and the destination IP address can be the IP address of VM4 (10.0.0.2). Because the source and destination IP addresses are not in the same network segment, and routers can forward data between different network segments, after switch 1 receives the packet it sends the packet to router 1. It should be understood that switch 1 and router 1 can compute that the source IP address and the destination IP address are not in the same network segment. When router 1 receives the packet and determines that its destination IP address is the IP address of a virtual machine in VPC2, it sends the packet to network card 1 of VM3.
  • a routing rule can be configured in router 1: if the destination IP address of the packet is a private network address of VPC2 (for example, 10.0.0.2), router 1 sends the packet to network card 1 of VM3.
  • a routing rule for the backhaul can also be configured in router 1. For example, when the destination IP address of the packet received by router 1 is 192.168.0.0/24, it is forwarded to subnet 1.
  • Router 1 sends the message to the network card 1 of the bridge virtual machine VM3;
  • VM3 sends the message from router 1 to router 2 through network card 2;
  • the VM3 can directly send the message to the router 2 through the network card 2 according to the destination IP address (10.0.0.2) of the message.
  • VM3 can also perform network function processing on packets, for example the address translation described above, and firewall filtering can also be performed.
  • the router 2 receives the message from the network card 2 of the VM3, and forwards the message to some or all of the virtual machines connected under the switch 2.
  • the foregoing is the data forwarding of the bridged virtual machine based on the router level, that is, the routing function that can be implemented by the bridged virtual machine of this application.
  • the setting of two network cards in the bridged virtual machine described above is only an example; the bridged virtual machine in the embodiments of this application can also be provided with more than two network cards to implement data transfer between more than two VPCs.
  • the communication system adds virtual private clouds VPC3 and VPC4 on the basis of communication system 100, and the bridged virtual machine VM3 is provided with four network cards:
  • the first network card is bound to VPC1
  • the second network card is bound to VPC2
  • the third network card is bound to VPC3.
  • the fourth network card is bound to VPC4.
  • the IP address of the first network card is mapped to the IP address of VM4 in VPC2
  • the IP address of the second network card is mapped to the IP address of VM2 in VPC1
  • the IP address of the third network card is mapped one-to-one to the IP address of VM7 in VPC4.
  • the IP address of the fourth network card is mapped one-to-one to the IP address of VM6 in VPC3.
  • network card 1 and network card 2 of the bridged virtual machine VM3 can realize data transmission between VPC1 and VPC2, and network card 3 and network card 4 of VM3 can realize data transmission between VPC3 and VPC4.
  • routing rules can also be deployed in the bridge virtual machine.
  • if a packet of VPC1 is to be sent to VPC2, the corresponding routing rule can be that a packet whose destination IP address is a private network address of VPC2 is sent to network card 1 of VM3. If a packet of VPC1 is to be sent to VPC3, the corresponding routing rule can be that a packet whose destination IP address is a private network address of VPC3 is also sent to network card 1 of VM3.
  • since a packet received by network card 1 of VM3 may be destined for VPC2 or for VPC3, the routing rule set on VM3 can be: a packet whose destination IP address is a private network address of VPC2 is sent out through network card 2, and a packet whose destination IP address is a private network address of VPC3 is sent out through network card 3.
  • the communication system 400 shown in FIG. 4 is based on the communication system 200 and adds a virtual private cloud VPC3.
  • the bridged virtual machine VM3 is provided with three network cards, for example a first network card, a second network card and a third network card, wherein the first network card is bound to VPC1, the second network card is bound to VPC2, and the third network card is bound to VPC3.
  • each router is configured with routing rules.
  • the bridged virtual machine VM3 is also configured with routing rules. The following takes router 1 and the bridged virtual machine VM3 as an example to describe the routing rules configured on router 1 and the corresponding rules on VM3:
  • if a packet of VPC1 is to be sent to VPC2, the corresponding routing rule may be to send a packet whose destination IP address is a private network address of VPC2 to network card 1 of VM3. If a packet of VPC1 is to be sent to VPC3, the corresponding routing rule can be that a packet whose destination IP address is a private network address of VPC3 is also sent to network card 1 of VM3.
  • since a packet received by network card 1 of VM3 may be destined for VPC2 or for VPC3, the routing rule set on VM3 can be: a packet whose destination IP address is a private network address of VPC2 is sent out through network card 2, and a packet whose destination IP address is a private network address of VPC3 is sent out through network card 3.
  • for router 2 in VPC2 and router 3 in VPC3, refer to the routing rules configured for router 1 and VM3; they will not be repeated here.
  • network card 1 and network card 2 of the bridged virtual machine VM3 can implement data transmission between VPC1 and VPC2, network card 1 and network card 3 of VM3 can implement data transmission between VPC1 and VPC3, and network card 2 and network card 3 of VM3 can implement data transmission between VPC2 and VPC3.
  • a firewall may also be deployed in the bridge virtual machine VM3 to implement any function of the firewall.
  • a security policy is set through a firewall.
  • the security policy is the basic security control mechanism by which the firewall checks, according to certain filtering rules, whether a data flow may pass through the firewall.
  • for example, the firewall is issued a filtering rule that VPC1 may access any virtual device in VPC2, or may only access the virtual device with a specified IP address in the specified VPC2, etc.
  • after the firewall is deployed, once network card 1 of VM3 receives a packet from VPC1, it can determine whether the packet meets the preset firewall rules; if so, the packet is sent to VPC2 through network card 2, otherwise the packet is not sent. Correspondingly, after network card 2 of VM3 receives a packet from VPC2, it can also determine whether the packet meets the preset firewall rules; if so, the packet is sent to VPC1 through network card 1, otherwise the packet is not sent.
  • the bridged virtual machine deployed with a firewall can realize the security filtering of the data to be transmitted, thereby improving the security of cross-VPC communication, and can also realize other functions of the firewall.
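As an added illustration that is not part of the patent text, the following Python models the routing rules and firewall filtering described above for a three-network-card bridging virtual machine. The VPC prefixes, addresses and filter rules are constructed, and the check that a packet's source belongs to the VPC bound to the network card it arrived on is an assumption not stated in the text.

```python
"""Routing and firewall decisions of a three-network-card bridging VM (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology: the private prefix of each VPC and the VM3 network card bound to it.
VPC_PREFIXES = {
    "VPC1": ip_network("192.168.0.0/24"),
    "VPC2": ip_network("172.16.0.0/24"),
    "VPC3": ip_network("10.10.0.0/24"),
}
NIC_FOR_VPC = {"VPC1": 1, "VPC2": 2, "VPC3": 3}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class FilterRule:
    """Firewall filtering rule: traffic from src_vpc may reach dst_vpc, optionally one host/port only."""
    src_vpc: str
    dst_vpc: str
    dst_host: Optional[str] = None   # None: any virtual device in dst_vpc
    dst_port: Optional[int] = None   # None: any port


def vpc_of(addr: str) -> Optional[str]:
    """Name of the VPC whose private prefix contains addr, or None."""
    a = ip_address(addr)
    for name, net in VPC_PREFIXES.items():
        if a in net:
            return name
    return None


def select_egress_nic(pkt: Packet) -> Optional[int]:
    """Routing rule on VM3: send out of the network card bound to the VPC that owns the destination."""
    dst_vpc = vpc_of(pkt.dst)
    return NIC_FOR_VPC.get(dst_vpc) if dst_vpc else None


def firewall_permits(pkt: Packet, ingress_nic: int, rules: List[FilterRule]) -> bool:
    """Apply the security policy; anything not explicitly permitted is dropped."""
    src_vpc, dst_vpc = vpc_of(pkt.src), vpc_of(pkt.dst)
    # Assumed ingress check: the source address must belong to the VPC bound to the receiving card.
    if src_vpc is None or NIC_FOR_VPC[src_vpc] != ingress_nic:
        return False
    return any(
        r.src_vpc == src_vpc and r.dst_vpc == dst_vpc
        and (r.dst_host is None or r.dst_host == pkt.dst)
        and (r.dst_port is None or r.dst_port == pkt.dst_port)
        for r in rules
    )


def bridge_forward(pkt: Packet, ingress_nic: int, rules: List[FilterRule]) -> Optional[int]:
    """Network card to forward out of, or None when VM3 drops the packet."""
    egress = select_egress_nic(pkt)
    if egress is None or egress == ingress_nic:   # unknown destination or same-VPC traffic
        return None
    if not firewall_permits(pkt, ingress_nic, rules):
        return None
    return egress


# Constructed security policy: VPC1 may reach anything in VPC2 but only one host/port in VPC3;
# VPC2 may send into VPC1; there is no rule between VPC2 and VPC3.
RULES = [
    FilterRule("VPC1", "VPC2"),
    FilterRule("VPC1", "VPC3", dst_host="10.10.0.5", dst_port=443),
    FilterRule("VPC2", "VPC1"),
]

if __name__ == "__main__":
    print(bridge_forward(Packet("192.168.0.3", "172.16.0.7", 22), 1, RULES))   # 2
    print(bridge_forward(Packet("192.168.0.3", "10.10.0.6", 443), 1, RULES))   # None
```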
  • The bridging virtual machines can also be configured in redundant mode.
  • The configuration can be based on the VRRP protocol or an HA protocol, which already have redundancy configuration mechanisms; the specific configuration method is not repeated here.
  • The communication system 500 shown in Figure 5 is based on Figure 1.
  • Two bridging virtual machines are deployed between VPC1 and VPC2 at the same time. It should be understood that only one of the two bridging virtual machines is in use at any given time.
  • The bridging virtual machine actually used for data transmission is the primary bridging virtual machine, and the other serves as the standby bridging virtual machine.
  • The redundant mode can therefore be understood as a primary-standby mode.
  • When the primary fails, the standby bridging virtual machine can be switched to become the primary, ensuring normal operation of the communication system.
  • To achieve seamless switching, the configuration of the standby bridging virtual machine must be exactly the same as that of the primary; that is, the primary and the standby have the same hardware configuration and network configuration, for example the same number of network cards, the same IP addresses, the same address mapping rules, the same routing rules, etc.
  • The difference is that the MAC address of the primary bridging virtual machine differs from the MAC address of the standby bridging virtual machine.
  • After the primary bridging virtual machine fails, the standby automatically switches to become the primary. For example, assume the bridging virtual machines are in a redundant configuration, the current primary is VM3 and the standby is VM3'.
  • While VM3 is running, it periodically broadcasts messages notifying VM3' that the primary bridging virtual machine is in normal state. When VM3 fails, it no longer broadcasts these messages. If VM3' does not receive a broadcast from the primary within a preset time, it switches to become the primary; that is, from then on VM3' runs as the primary bridging virtual machine.
  • The IP addresses of the two bridging virtual machines are virtual IPs (VIP), not real IPs.
  • "Virtual IP" is defined relative to "real IP": when an IP address in a VPC corresponds to only one virtual device, that IP is the real IP of the host.
  • A virtual IP means that, in redundant mode, two hosts have the same IP address, which is the virtual IP jointly owned by the two virtual machines. Therefore, when the embodiments of this application implement the redundant configuration of the bridging virtual machine, the virtual devices in the embodiments also have the function of obtaining the MAC address corresponding to the bridging virtual machine's VIP, so that packets are sent according to the obtained MAC address to the primary bridging virtual machine.
  • The above describes the solution of this application for implementing cross-VPC communication by deploying different network functions on the bridging virtual machine.
  • On the basis of cross-VPC communication, the embodiments of this application can also implement communication between a user's offline IDC and the cloud.
  • Another communication system 600 provided by this application is described below.
  • The communication system 600 includes an offline IDC, VPC1 and VPC2.
  • The offline IDC includes at least one terminal device 10 and a router 11.
  • The terminal device may be a computer, a mobile phone, and so on.
  • VPC2 includes at least one virtual gateway 20.
  • The router 11 in the offline IDC establishes a connection with the virtual gateway 20 of VPC2.
  • The connection can be a VPN connection, or a tunnel can be established to achieve the connection.
  • VPC2 and VPC1 are bridged through a bridging virtual machine to achieve a cross-VPC connection.
  • For example, the offline IDC router establishes a connection with the virtual gateway (a VPN virtual gateway) of VPC2 through a dedicated line.
  • The offline IDC can then communicate with the virtual machines in VPC1 as well as with the virtual machines in VPC2.
  • The following describes the communication process between the offline IDC and the virtual machine in VPC2 in detail:
  • The offline IDC terminal device 10 sends a packet to the router 11.
  • The source IP address of the packet sent by the terminal device 10 is the IP address assigned to the terminal device 10 by the offline IDC, assumed here to be 10.0.0.2.
  • The destination IP address is the IP address 192.168.0.3 of VM2 in VPC1.
  • The router 11 performs address conversion on the packet and sends it to the virtual gateway in VPC2.
  • Routing rules can be set in the router 11 such that, if the destination IP address of the packet is a private network address of VPC1 or VPC2, the packet is sent to the virtual gateway of VPC2.
  • When the router 11 has a VPN function, it can also encrypt the IP packet to be forwarded. For example, the router 11 encrypts the IP packet based on a preset algorithm and adds a VPN header to the encrypted IP packet.
  • The source IP address of the VPN header is the public network address of router 11 and the destination IP address is the public network address of the virtual gateway in VPC2; the resulting VPN packet is sent to the virtual gateway of VPC2 through the dedicated line.
  • The virtual gateway of VPC2 receives the VPN packet from the offline IDC router.
  • The virtual gateway of VPC2 is a VPN gateway.
  • After the VPN gateway receives a VPN packet from the offline IDC, it decapsulates the VPN packet, removes the VPN header to obtain the encrypted IP packet, and decrypts the IP packet based on the preset decryption algorithm corresponding to the preset encryption algorithm in the router 11.
  • The virtual gateway of VPC2 sends the packet to network card 2 of the bridging virtual machine VM3.
  • VM3 sends the packet to VM2 in VPC1 through network card 1.
  • The communication between the offline IDC and the virtual private cloud described above is only an example; this application can implement communication between various offline and on-cloud networks and is not limited to communication between an IDC and a virtual private cloud.
  • The above method realizes encrypted transmission between the network under the cloud and the network on the cloud, which improves the security of data transmission.
  • Since VPC1 is not directly connected to the public network, the risk of VPC1 being intruded upon can also be reduced to a certain extent.
  • Users can store data with high confidentiality requirements, such as R&D data, in VPC1, and deploy the data interaction with the public network in VPC2, realizing the isolation of public network data from R&D data. This reduces the risk of intrusion that may arise when public network data and R&D data are transmitted in the same VPC.
  • The communication system includes VPC1 and VPC2.
  • VPC1 includes VM1 and VM2, and VPC2 includes VM3 and VM4.
  • VM1, VM2 and VM4 each have one network card.
  • The network cards of VM1 and VM2 are connected to the logical bridge VNI 1.
  • The network cards of VM3 and VM4 are connected to the logical bridge VNI 2.
  • VM3 has two network cards, one connected to the logical bridge VNI 1 and the other connected to the logical bridge VNI 2.
  • The configuration of the aforementioned virtual devices can be implemented by a controller (also called a configuration device).
  • For example, the controller is an SDN controller, which can correspond to the controller in Figure 1.
  • There are two VPC networks created by the SDN controller, namely VPC1 and VPC2.
  • FIG. 8 is a flowchart of a configuration method for implementing communication between VPCs through a controller in an embodiment of this application, including the following steps:
  • S800: Create a bridging virtual machine and set a first network card and a second network card for it. Specifically, for example, create a bridging virtual machine in VPC1 or VPC2 and configure the number of its network cards, for example two, namely the first network card and the second network card.
  • S801: Set the first network card to be bound to VPC1 and the second network card to be bound to VPC2.
  • The bridging virtual machine is used to perform network function processing on the packets sent from VPC1 to VPC2 via network card 1, and on the packets sent from VPC2 to VPC1 via network card 2.
  • The SDN controller may also provide a VPC authorization mechanism, so that communication between the VPCs can be realized only after authorization.
  • For example, the user to whom VPC1 belongs can authorize the permissions (such as access permissions) of VPC1 to VPC2 through the authorization interface provided by the SDN controller, and the user of VPC2 can authorize the permissions of VPC2 through the authorization interface with the same function provided by the SDN controller.
  • After authorization, communication between the two VPCs can be realized based on the setting of the above-mentioned bridging virtual machine.
  • FIG. 9 is an interaction flowchart of a method for communication between virtual machines in an embodiment of this application.
  • The first virtual machine, the bridging virtual machine and the second virtual machine in this process can respectively be any virtual machine in VPC1, the bridging virtual machine VM3, and any virtual machine in VPC2 in Figure 1, Figure 2, Figure 3, Figure 4, Figure 5 or Figure 6; alternatively, the first virtual machine can be any virtual machine in VPC2 in Figure 1, Figure 2, Figure 3, Figure 4, Figure 5 or Figure 6, in which case the second virtual machine is any virtual machine in VPC1.
  • The method includes:
  • The first virtual machine sends a first packet.
  • The bridging virtual machine receives the first packet through the first network card and performs network function processing on the first packet to obtain a second packet.
  • S902: The bridging virtual machine sends the second packet to the second virtual machine through the second network card.
  • The second virtual machine receives the second packet sent by the bridging virtual machine.
  • The present application provides an apparatus 1000, which can be applied to the bridging virtual machine in the process shown in FIG. 9 above.
  • The communication device 1000 may include a processor 1001 and a memory 1002. Further, the device may include a first communication interface 1004 and a second communication interface 1005, where a communication interface may be a transceiver. Further, the device may include a bus system 1003.
  • The processor 1001, the memory 1002, the first communication interface 1004 and the second communication interface 1005 can be connected via the bus system 1003; the memory 1002 can store a computer program, and the processor 1001 can execute the computer program stored in the memory 1002 to complete the steps performed by the bridging virtual machine in the method shown in FIG. 9.
  • The memory 1002 may be integrated in the processor 1001, or may be a physical entity separate from the processor 1001.
  • The functions of the first communication interface 1004 and the second communication interface 1005 may be implemented by a transceiver circuit or a dedicated transceiver chip.
  • The processor 1001 may be implemented by a dedicated processing chip, a processing circuit, a processor or a general-purpose chip.
  • For example, a computer may be considered to implement the functions of the first computing node provided in the embodiments of the present application.
  • The program code for realizing the functions of the processor 1001, the first communication interface 1004 and the second communication interface 1005 is stored in the memory 1002, and a general-purpose processor can realize the functions of the processor 1001, the first communication interface 1004 and the second communication interface 1005 by executing the code in the memory.
  • The communication device 1000 can be used to execute the steps in the process shown in FIG. 9 above with the bridging virtual machine as the execution subject.
  • The first communication interface 1004 can receive a packet sent by the first virtual machine in the first VPC bound to the first communication interface 1004; the processor 1001 can perform network function processing on the packets received by the first communication interface 1004 and the second communication interface 1005; and the second communication interface 1005 can send the processed packet to the second virtual machine in the second VPC bound to the second communication interface 1005.
  • For the specific processing of the processor 1001, the first communication interface 1004 and the second communication interface 1005, refer to the description of the process shown in FIG. 9 above, which is not repeated here.
  • The present application also provides a configuration device 1100, which can be applied to the controller in the process shown in FIG. 8 above.
  • The configuration device 1100 may include a processor 1101 and a memory 1102. Further, the device may include a communication interface 1104, which may be a transceiver. Further, the device may include a bus system 1103.
  • The processor 1101, the memory 1102 and the communication interface 1104 can be connected via the bus system 1103.
  • The memory 1102 can store a computer program.
  • The processor 1101 can execute the computer program stored in the memory 1102 to control the communication interface 1104 to receive or send signals, so as to complete the steps performed by the controller in the method shown in Figure 8 above.
  • The memory 1102 may be integrated in the processor 1101, or may be a physical entity separate from the processor 1101.
  • The function of the communication interface 1104 may be implemented by a transceiver circuit or a dedicated transceiver chip.
  • The processor 1101 may be implemented by a dedicated processing chip, a processing circuit, a processor or a general-purpose chip.
  • For example, a computer may be considered to implement the functions of the first computing node provided in the embodiments of the present application.
  • The program code for realizing the functions of the processor 1101 and the communication interface 1104 is stored in the memory 1102, and a general-purpose processor can realize the functions of the processor 1101 and the communication interface 1104 by executing the code in the memory.
  • The configuration device 1100 can be used to execute the steps in the process shown in FIG. 8 with the controller as the execution subject.
  • For example, the processor 1101 may create a bridging virtual machine, set a first network card and a second network card for the bridging virtual machine, and set the first network card to be bound to the first VPC and the second network card to be bound to the second VPC.
  • The embodiments of the present application also provide a computer storage medium, which stores a software program that, when read and executed by one or more processors, can implement the method provided by any one or more of the above embodiments.
  • The computer storage medium may include a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, an optical disk or other media that can store program code.
  • The embodiments of the present application also provide a computer program product.
  • The computer program product includes a computer program.
  • When the computer program is executed by a computer, the computer executes the method provided by any one or more of the above embodiments.
  • The embodiments of the present application also provide a chip, which includes a processor for implementing the functions involved in any one or more of the above embodiments, such as acquiring or processing the information or messages involved in the above methods.
  • Optionally, the chip further includes a memory for storing the programs and data executed by the processor.
  • The chip may also include other chips and discrete devices.
  • The processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a discrete hardware component, etc.
  • the general-purpose processor may be a microprocessor or any conventional processor.
  • the memory may include a read-only memory and a random access memory, and provides instructions and data to the processor.
  • a part of the memory may also include a non-volatile random access memory.
  • the bus system may also include a power bus, a control bus, and a status signal bus.
  • various buses are marked as bus systems in the figure.
  • each step of the above method can be completed by an integrated logic circuit of hardware in the processor or instructions in the form of software.
  • the steps of the method disclosed in combination with the embodiments of the present application may be directly embodied as execution and completion by a hardware processor, or execution and completion by a combination of hardware and software modules in the processor.
  • the software module can be located in a mature storage medium in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • The various aspects of the information synchronization method provided in the embodiments of the present application can also be implemented in the form of a program product, which includes program code; when the program code runs on a computer device, it causes the computer device to execute the steps of the method performed by the bridging virtual machine or the SDN controller according to the various exemplary embodiments of the present application described in this specification.
  • The program product can use any combination of one or more readable media.
  • The readable medium may be a readable signal medium or a readable storage medium.
  • The readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
  • The program product for configuring parameters may adopt a portable compact disk read-only memory (CD-ROM), include program code, and run on a server device.
  • However, the program product of this application is not limited to this.
  • The readable storage medium can be any tangible medium that contains or stores a program which can be used by or in combination with an instruction execution system, apparatus or device.
  • The readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal can take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the foregoing.
  • The readable signal medium may also be any readable medium other than a readable storage medium, which can send, propagate or transmit a program for use by or in combination with an instruction execution system, apparatus or device.
  • The program code contained on the readable medium can be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the foregoing.
  • The program code used to perform the operations of this application can be written in any combination of one or more programming languages.
  • The programming languages include object-oriented programming languages, such as Java and C++, as well as conventional procedural programming languages, such as the "C" language or similar programming languages.
  • The program code can be executed entirely on the user's computing device, partly on the user's device, as an independent software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server.
  • The remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device.
  • The embodiments of the present application also provide a computing-device-readable storage medium for the information synchronization method, that is, a medium whose content is not lost after a power failure.
  • The storage medium stores a software program including program code; when the program code runs on a computing device and is read and executed by one or more processors, the software program can implement the information synchronization scheme of any of the above embodiments of the present application.
  • This application may take the form of a computer program product on a computer-usable or computer-readable storage medium, which has computer-usable or computer-readable program code embodied in the medium, for use by or in conjunction with an instruction execution system.
  • A computer-usable or computer-readable medium can be any medium that can contain, store, communicate, propagate or transport a program for use by or in conjunction with an instruction execution system, apparatus or device.


Abstract

Provided are a method and device for communication between VPCs. The method comprises: a bridging virtual machine comprising a first network card bound to a first VPC and a second network card bound to a second VPC; the bridging virtual machine receiving, through the first network card, a first message sent by a first virtual machine in the first VPC to a second virtual machine in the second VPC, performing network function processing on the message, and sending, through the second network card, the first message that has undergone network function processing to the second VPC. This avoids having to communicate between VPCs by establishing a virtual private network or a dedicated line, and provides a new and more convenient communication method. Furthermore, network functions can be configured on the bridging virtual machine, which differs from simply forwarding data via a virtual private network or a dedicated line. On the basis of realizing communication between VPCs, the present application further improves the data processing function, has a wider range of application scenarios and has strong applicability.

Description

A communication method and device between VPCs

Cross-reference to related applications

This application claims priority to the Chinese patent application No. 201911399727.0, entitled "A communication method and device between VPCs", filed with the Chinese Patent Office on December 30, 2019, the entire contents of which are incorporated herein by reference.

Technical field

This application relates to the field of communication technology, and in particular to a communication method and device between VPCs.

Background

Cloud computing is a network application model and a development of distributed processing, parallel processing and grid computing. Through the network, a huge computing task is automatically split into numerous smaller sub-programs, which are handed to a large system composed of many servers; after computation and analysis, the processing results are returned to the user.

With the popularity of data centers, the hardware resources of a data center can provide cloud services to enterprises in the form of virtualized devices. An enterprise does not need to purchase equipment and set up its own IT center; it can apply for a set of IT resources in the data center, and the data center then provides cloud computing services to the enterprise. The software and hardware facilities that the enterprise applies to create in the data center constitute a virtual private cloud (Virtual Private Cloud); a virtual private cloud is a collective term for a set of hardware, software, network and other resources built separately for one enterprise and unified together.

An enterprise can apply for public cloud resources belonging to the enterprise on a public cloud platform, and create one or more virtual private clouds belonging to the enterprise within those resources, to be allocated to different departments or groups. Each virtual private cloud is an isolated, private virtual network.

At present, different virtual machines within the same VPC can connect to (or communicate with) each other, whereas communication between virtual machines in different virtual private clouds requires establishing a virtual private network (VPN) or a dedicated line. The current way of implementing communication between VPCs is therefore limited to a single approach.

Summary of the invention

This application provides a communication method and device between VPCs, so as to provide a new way of implementing communication between VPCs.

In a first aspect, this application provides a communication method between VPCs. The method is applied to a bridging virtual machine that includes a first network card bound to a first VPC and a second network card bound to a second VPC. The method includes:

The bridging virtual machine receives, through the first network card, a first packet sent by a first virtual machine in the first VPC to a second virtual machine in the second VPC, performs network function processing on the packet, and sends the first packet after network function processing to the second VPC through the second network card.

Based on the above solution, a new way of communication between VPCs is realized, avoiding the current situation in which VPCs can communicate only by establishing a virtual private network or a dedicated line, and simplifying the communication flow between different VPCs. Further, various network functions can be set on the bridging virtual machine. As is known to those skilled in the art, the network function may be address translation, routing, firewall filtering and the like. Therefore, in addition to realizing data transmission across VPCs, the bridging virtual machine of the embodiments of this application can also apply a variety of network-function processing to the data, so that while communication between VPCs is simplified, the data processing function is more complete and the applicable scenarios are broader. Further, when the bridging virtual machine is set with firewall filtering, the security of communication between VPCs can also be improved.

In a possible implementation, the first network card is provided with a first private network address of the first VPC, and the second network card is provided with a second private network address of the second VPC;

when the bridging virtual machine receives, from the first network card, the first packet sent by the first virtual machine in the first VPC to the second virtual machine in the second VPC, the source IP address of the first packet is the private network address of the first virtual machine in the first VPC, and the destination IP address is the first private network address;

the bridging virtual machine performing network function processing on the first packet and sending the first packet after network function processing to the second VPC through the second network card includes:

the bridging virtual machine modifies the source IP address of the first packet to the second private network address, modifies the destination IP address of the first packet to the private network address of the second virtual machine in the second VPC, and sends the modified first packet to the second VPC through the second network card.

Based on the above solution, address translation rules can be set on the bridging virtual machine. When address translation rules are set, the bridging virtual machine can perform address translation on the first packet from the first virtual machine and then send it to the second VPC. In this manner, when the first virtual machine sends a packet to the second virtual machine, it can send it directly to the bridging virtual machine without forwarding by a router, which shortens the transmission delay of the packet and saves resource overhead.

In a possible implementation, the source IP address of the first packet that the bridging virtual machine receives from the first network card is the private network address of the first virtual machine in the first VPC, and the destination IP address is the private network address of the second virtual machine in the second VPC;

the bridging virtual machine performing network function processing on the first packet and sending the first packet after network function processing to the second VPC through the second network card includes:

the bridging virtual machine selects the second network card according to the destination IP address of the first packet, and sends the first packet to the second VPC through the second network card.

基于上述方案,桥接虚拟机上可以设置路由功能,本申请可以通过自定义路由的方式设置VPC之间的通信的路径,简化了通信流程,灵活性高。Based on the above solution, a routing function can be set on the bridging virtual machine. In this application, a communication path between VPCs can be set by a custom route, which simplifies the communication process and has high flexibility.

在一种可能的实现方式中,所述桥接虚拟机对所述第一报文进行网络功能处理,并通过所述第二网卡将经网络功能处理后的第一报文发送至所述第二VPC,包括:In a possible implementation manner, the bridge virtual machine performs network function processing on the first packet, and sends the first packet processed by the network function to the second network card through the second network card. VPC, including:

所述桥接虚拟机判断所述第一报文是否符合预设防火墙规则,如果是,通过所述第二网卡将经网络功能处理后的第一报文发送至所述第二VPC,如果不符合,则不发出该第一报文。The bridged virtual machine judges whether the first packet meets the preset firewall rules, and if so, sends the first packet processed by the network function to the second VPC through the second network card, if it does not meet , The first message is not sent.

基于上述方案,避免目前通过建立虚拟专用网络或专线的方式实现VPC之间的通信时,只能实现单纯的数据传输,而不能在该路径上配置安全规则的问题,本申请不仅简化了不同VPC内的虚拟机之间的通信方式,还能基于桥接虚拟机上部署的防火墙过滤功能提高了VPC之间通信的安全性。Based on the above solution, it avoids the problem that when the current communication between VPCs is realized through the establishment of a virtual private network or a dedicated line, only pure data transmission can be realized, and security rules cannot be configured on the path. This application not only simplifies different VPCs The communication method between virtual machines in the virtual machine can also improve the security of communication between VPCs based on the firewall filtering function deployed on the bridge virtual machine.

第二方面,本申请提供了一种VPC之间通信的设置方法,包括创建桥接虚拟机,所述桥接虚拟机设置有第一网卡和第二网卡;设置所述第一网卡与所述第一VPC绑定,所述第二网卡与第二VPC绑定,其中所述桥接虚拟机用于对所述第一VPC经所述第一网卡发送至所述第二VPC的报文进行网络功能处理,并用于对所述第二VPC经所述第二网卡发送至所述第一VPC的报文进行网络功能处理。In a second aspect, this application provides a method for setting up communication between VPCs, including creating a bridged virtual machine, the bridged virtual machine is provided with a first network card and a second network card; setting the first network card and the first network card VPC binding, the second network card is bound to the second VPC, wherein the bridge virtual machine is used to perform network function processing on the packets sent from the first VPC to the second VPC via the first network card , And used to perform network function processing on the message sent by the second VPC to the first VPC via the second network card.

在一种可能的实现方式中,所述网络功能处理包括网络地址转换NAT、路由以及防火墙过滤中的一者或任意组合。In a possible implementation manner, the network function processing includes one or any combination of network address translation NAT, routing, and firewall filtering.

第三方面,本申请还提供一种通信系统,包括第一VPC中的第一虚拟机、第二VPC中的第二虚拟机和桥接虚拟机;In a third aspect, the present application also provides a communication system, including a first virtual machine in a first VPC, a second virtual machine in a second VPC, and a bridge virtual machine;

所述第一虚拟机,用于发送第一报文;The first virtual machine is used to send a first message;

所述桥接虚拟机,用于从所述第一网卡接收所述第一VPC中的第一虚拟机发送至第二VPC中的第二虚拟机的第一报文,对所述第一报文进行网络功能处理,并通过所述第二网卡将经网络功能处理后的第一报文发送至所述第二VPC。The bridged virtual machine is configured to receive, from the first network card, a first message sent by a first virtual machine in the first VPC to a second virtual machine in a second VPC, and to respond to the first message Perform network function processing, and send the first packet processed by the network function to the second VPC through the second network card.

所述第二虚拟机,用于接收来自桥接虚拟机的经网络功能处理后的第一报文。The second virtual machine is configured to receive the first message processed by the network function from the bridge virtual machine.

在一种可能的实现方式中,所述桥接虚拟机的第一网卡设置有第一VPC的第一私网地址,所述第二网卡设置有第二VPC的第二私网地址;In a possible implementation manner, the first network card of the bridge virtual machine is set with a first private network address of the first VPC, and the second network card is set with a second private network address of the second VPC;

所述桥接虚拟机从所述第一网卡接收所述第一VPC中的第一虚拟机发送至第二VPC中的第二虚拟机的第一报文时,具体用于:所述桥接虚拟机从所述第一网卡接收所述第一报文,所述第一报文的源IP地址是所述第一虚拟机在所述第一VPC中的私网地址,目的IP地址是所述第一私网地址;When the bridged virtual machine receives the first message sent from the first virtual machine in the first VPC to the second virtual machine in the second VPC from the first network card, it is specifically used for: the bridged virtual machine The first message is received from the first network card, the source IP address of the first message is the private network address of the first virtual machine in the first VPC, and the destination IP address is the first VPC A private network address;

所述桥接虚拟机对所述第一报文进行网络功能处理,并通过所述第二网卡将经网络功能处理后的第一报文发送至所述第二VPC时,具体用于:所述桥接虚拟机将所述第一报文的源IP地址修改为所述第二私网地址,将所述第一报文的目的IP地址修改为所述第二虚拟机在所述第二VPC中的私网地址,通过第二网卡将修改后的第一报文发送至所述第二VPC。When the bridge virtual machine performs network function processing on the first message, and sends the first message processed by the network function to the second VPC through the second network card, it is specifically used for: The bridging virtual machine modifies the source IP address of the first message to the second private network address, and modifies the destination IP address of the first message to that the second virtual machine is in the second VPC And send the modified first message to the second VPC through the second network card.

在一种可能的实现方式中,所述桥接虚拟机从所述第一网卡接收所述第一VPC中的第一虚拟机发送至第二VPC中的第二虚拟机的第一报文时,具体用于:所述桥接虚拟机从所述第一网卡接收所述第一报文,所述第一报文的源IP地址是所述第一虚拟机在所述第一VPC中的私网地址,目的IP地址是所述第二虚拟机在所述第二VPC中的私网地址;In a possible implementation manner, when the bridged virtual machine receives from the first network card a first packet sent by the first virtual machine in the first VPC to the second virtual machine in the second VPC, Specifically, the bridged virtual machine receives the first message from the first network card, and the source IP address of the first message is the private network of the first virtual machine in the first VPC Address, the destination IP address is the private network address of the second virtual machine in the second VPC;

所述桥接虚拟机对所述第一报文进行网络功能处理,并通过所述第二网卡将经网络功能处理后的第一报文发送至所述第二VPC时,具体用于:所述桥接虚拟机根据所述第一报文的目的IP地址选择第二网卡,通过所述第二网卡将第一报文发送至所述第二VPC。When the bridge virtual machine performs network function processing on the first message, and sends the first message processed by the network function to the second VPC through the second network card, it is specifically used for: The bridging virtual machine selects a second network card according to the destination IP address of the first message, and sends the first message to the second VPC through the second network card.

在一种可能的实现方式中,所述桥接虚拟机对所述第一报文进行网络功能处理,并通过所述第二网卡将经网络功能处理后的第一报文发送至所述第二VPC时,具体用于:所述桥接虚拟机判断所述第一报文是否符合预设防火墙规则,如果是,通过所述第二网卡将经网络功能处理后的第一报文发送至所述第二VPC。In a possible implementation manner, the bridge virtual machine performs network function processing on the first packet, and sends the first packet processed by the network function to the second network card through the second network card. In the case of VPC, it is specifically used for: the bridged virtual machine determines whether the first message meets the preset firewall rules, and if so, sends the first message processed by the network function to the The second VPC.

第四方面,本申请提供一种通信装置,适用于第一计算节点或第一计算节点中的芯片,包括用于执行以上第一方面或第二方面各个步骤的单元或手段(means)。In a fourth aspect, the present application provides a communication device suitable for a first computing node or a chip in the first computing node, and includes a unit or means for executing each step of the above first aspect or second aspect.

第五方面,本申请提供一种通信装置,适用于终端设备或终端设备中的芯片,包括至少一个处理元件和至少一个存储元件,其中所述至少一个存储元件用于存储程序和数据,所述至少一个处理元件用于执行本申请第一方面或第二方面提供的方法。In a fifth aspect, the present application provides a communication device suitable for terminal equipment or a chip in the terminal equipment, including at least one processing element and at least one storage element, wherein the at least one storage element is used to store programs and data, the At least one processing element is used to execute the method provided in the first aspect or the second aspect of the present application.

第六方面,本申请提供一种通信装置,包括用于执行以上第一方面或第二方面的方法的至少一个处理元件(或芯片)。In a sixth aspect, the present application provides a communication device including at least one processing element (or chip) for executing the method of the above first aspect or second aspect.

第七方面,本申请提供一种计算机程序产品,该计算机程序产品包括计算机程序,当该计算机程序被计算机执行时,使得所述计算机执行以上任一方面的方法。In a seventh aspect, the present application provides a computer program product, the computer program product includes a computer program, and when the computer program is executed by a computer, the computer is caused to execute the method in any of the above aspects.

第八方面,本申请提供了一种计算机可读存储介质,该存储介质存储有计算机程序,当所述计算机程序被计算机执行时,使得所述计算机执行以上任一方面的方法。In an eighth aspect, the present application provides a computer-readable storage medium that stores a computer program, and when the computer program is executed by a computer, the computer executes the method in any of the above aspects.

Description of the drawings

Figure 1 is a first schematic diagram of a communication system provided by this application;

Figure 2 is a second schematic diagram of a communication system provided by this application;

Figure 3 is a third schematic diagram of a communication system provided by this application;

Figure 4 is a fourth schematic diagram of a communication system provided by this application;

Figure 5 is a fifth schematic diagram of a communication system provided by this application;

Figure 6 is a sixth schematic diagram of a communication system provided by this application;

Figure 7 is a specific example of a communication system provided by this application;

Figure 8 is a flowchart of a method for creating a bridge virtual machine provided by this application;

Figure 9 is a flowchart of a method for communication between VPCs provided by this application;

Figure 10 is a schematic diagram of a bridge virtual machine device provided by an embodiment of this application;

Figure 11 is a schematic diagram of a configuration apparatus device provided by an embodiment of this application.

Detailed description of embodiments

The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings in the embodiments of this application.

Figure 1 shows a communication system 100 deployed in a cloud data center to which this application may apply. The communication system 100 includes a controller, a virtual private cloud VPC1 and a virtual private cloud VPC2, where the controller is configured to configure the virtual private cloud VPC1 and the virtual private cloud VPC2. The virtual private cloud VPC1 includes at least two virtual machines, VM1 and VM2, and the virtual private cloud VPC2 includes at least two virtual machines, VM4 and VM5.

The communication system further includes at least one bridge virtual machine VM3, and VM3 may be created within the virtual private cloud VPC1 or within the virtual private cloud VPC2.

It should be understood that a user can deploy a virtual private cloud from the user interface provided by the SDN controller. In that virtual private cloud, the user can define custom network segments, divide subnets, create various virtual devices such as virtual machines, virtual routers and switches, and assign IP addresses and the like to each virtual device.

In the communication system shown in Figure 1, the network segment of the virtual private cloud VPC1 is 192.168.0.0/16. The virtual private cloud VPC1 includes router 1 and subnet 1; subnet 1 has the same network segment as the virtual private cloud VPC1, and subnet 1 contains VM1, VM2 and switch 1, with the network cards of VM1 and VM2 connected to switch 1. The IP address of VM1 is 192.168.0.2, the IP address of VM2 is 192.168.0.3, and the IP address of switch 1 is 192.168.0.13.

The network segment of the virtual private cloud VPC2 is 10.0.0.0/16. The virtual private cloud VPC2 includes subnet 2 and router 2; subnet 2 has the same network segment as the virtual private cloud VPC2, and subnet 2 contains VM4, VM5 and switch 2, with the network cards of VM4 and VM5 connected to switch 2. The IP address of VM4 is 10.0.0.2, the IP address of VM5 is 10.0.0.3, and the IP address of switch 2 is 10.0.0.13. The number under each virtual machine icon is the network card identifier of that virtual machine; for example, the network card identifier of VM1 is 9, that of VM2 is 8, and so on.

Assume that the bridge virtual machine VM3 is created within the virtual private cloud VPC1. VM3 has two network cards, which may be named, for example, network card 1 and network card 2. Assume that network card 1 is connected to switch 1 and network card 2 is connected to switch 2, that the IP address assigned to network card 1 is 192.168.0.4, and that the IP address assigned to network card 2 is 10.0.0.4.

The routers (including router 1 and router 2) are used to implement data transmission between subnets in different network segments. For example, router 1 is used to forward packets sent by VM1 in subnet 1 to VM4 in subnet 2 on to router 2, provided that a tunnel or a dedicated line has been established between router 1 and router 2 (the cross-VPC communication method described in the background of this document). When the cross-VPC communication proposed in this application is implemented in the communication system shown in Figure 1, the routers can be bypassed and data is forwarded by the bridge virtual machine VM3. The way in which the bridge virtual machine VM3 implements communication between VPC1 and VPC2 is described below:

It should be understood that network card 1 of VM3 can be bound to any virtual machine in VPC1 or VPC2; after network card 1 of VM3 receives a packet, it can forward the received packet to the virtual machine bound to network card 1. Likewise, network card 2 of VM3 can also be bound to any virtual machine in VPC1 or VPC2; after network card 2 of VM3 receives a packet, it can forward the received packet to the virtual machine bound to network card 2.

By way of example, assume that the address translation function is deployed on VM3, and that the address mapping rules configured on VM3 map the IP address of network card 1 one-to-one to the IP address of VM4 and the IP address of network card 2 one-to-one to the IP address of VM2. The rule configured for the virtual machines in VPC1 is that, when the destination of a packet is a virtual machine in VPC2, the packet is sent to network card 1 of VM3, that is, the destination IP address of the packet is the IP address of network card 1.

Taking VM1 sending a packet to a virtual machine in VPC2 as an example, the whole data transmission process is described below:

1. VM1 sends the packet to network card 1 of VM3;

It should be understood that VM1 sending a packet destined for a virtual machine in VPC2 to network card 1 of VM3 is a specific rule configured by the user, and this rule can be configured through the SDN controller. The SDN controller can also configure other rules in response to the user's operation instructions; for example, when a virtual machine in VPC2 sends a packet to a virtual machine in VPC1, the packet is sent to network card 2 of VM3, and network card 2 sends the received packet to VM2, which is bound to network card 2.

2. Network card 1 of VM3 receives the packet from VM1;

3. VM3 processes the packet and sends the processed packet to VM4 through network card 2;

4. VM4 receives the packet from network card 2.

Optionally, VM4 may further send the packet to any virtual machine in VPC2. For example, VM4 sends the packet that came from network card 1 to other virtual machines in VPC2, for instance forwarding it to the virtual machines in the same subnet or to all virtual machines in VPC2; it may also forward it to no virtual machine at all.

Specifically, the packet sent by virtual machine 1 may include two parts, namely a header part and a data part. The header part may include the source IP address and the destination IP address.

Correspondingly, during the transmission of the above data packet, the whole data processing flow may include:

1. VM1 sends the packet to network card 1 of VM3;

The source IP address of packet 1 is the IP address of VM1 (its IP address within VPC1), that is, 192.168.0.2, and the destination IP address is the IP address of network card 1 of VM3, that is, 192.168.0.4.

2. Network card 1 of VM3 receives the packet from VM1;

3. VM3 performs network function processing on the packet and sends the processed packet to VM4 through network card 2.

Specifically, when processing the packet, VM3 modifies the source IP address of the received packet to the IP address of network card 2, that is, 10.10.0.4, and modifies the destination IP address to the IP address of VM4 (its IP address within VPC2), that is, 10.10.0.2.

The network function processing above is network address translation (NAT). The address translation for the sending direction of the data may be called DNAT and, correspondingly, the address translation for the receiving direction of the data may be called SNAT. When a virtual machine in VPC2 sends a packet to a virtual machine in VPC1, for example when VM4 wants to send a packet to VM2, VM4 first sends the packet, based on the rule configured by the user, to network card 2 of VM3 (the source IP address of the packet is the IP address of VM4, and the destination IP address is the IP address of network card 2). After VM3 receives the packet through network card 2, VM3 can also perform return-path address translation on the packet, for example modifying the source IP address of the packet to the IP address of network card 1 and the destination IP address to the IP address of VM2. Taking a one-to-one mapping between the IP address of network card 2 and the IP address of VM2 as an example, the data transmission flow in which VM4 in VPC2 sends a packet to VM2 in VPC1 is described below:

1. VM4 sends packet 1 to network card 2 of VM3;

Specifically, the source IP address of the packet sent by VM4 is the IP address of VM4 (10.0.0.2), and the destination IP address is the IP address of network card 2 of VM3 (10.0.0.4).

2. VM3 receives the packet from VM4 on network card 2, processes the packet according to the address mapping rules to obtain packet 2, and sends the processed packet 2 to VM2 through network card 1.

The specific processing is as follows: because the IP address of network card 2 is mapped one-to-one to the IP address of VM2, VM3 can modify the destination IP address of the received packet 1 (the IP address of network card 2) to the IP address of VM2 corresponding to network card 2, obtaining packet 2, that is, the destination IP address of packet 2 is the IP address of VM2 (192.168.0.3).

3. VM2 receives packet 2 sent by network card 1.

The above introduces DNAT and SNAT by way of the data processing flow. When both DNAT and SNAT are configured on VM3, this may also be called FULLNAT. It should be understood that VM3 may also be configured with only DNAT or only SNAT.
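The FULLNAT flow of Figure 1 (VM1 to VM4 via network card 1 and network card 2, and the return path VM4 to VM2) as an added simulation; this is example code written for this page, not part of the application, and it uses the addresses given for Figure 1 (VM1 192.168.0.2, VM2 192.168.0.3, network card 1 192.168.0.4, network card 2 10.0.0.4, VM4 10.0.0.2). The `Packet`, `Nic` and `BridgeVM` names and the DNAT/SNAT on/off switches are assumptions of the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Header part (source/destination IP) plus data part, as in the text."""
    src: str
    dst: str
    data: bytes


@dataclass(frozen=True)
class Nic:
    name: str
    ip: str        # private address assigned to this network card
    vpc_cidr: str  # network segment of the VPC the card is bound to


class BridgeVM:
    """Bridge VM with one NIC per VPC and a one-to-one NAT mapping per NIC.

    nat_map maps a NIC's own IP to the IP of the VM in the other VPC that
    the NIC stands in for (network card 1 <-> VM4, network card 2 <-> VM2).
    """

    def __init__(self, nics, nat_map, dnat=True, snat=True):
        self.nics = list(nics)
        self.nat_map = dict(nat_map)
        self.dnat = dnat  # rewrite destination: ingress NIC IP -> mapped VM IP
        self.snat = snat  # rewrite source: sender VM IP -> egress NIC IP

    def egress_nic(self, ip):
        """Routing step: the NIC whose bound VPC contains the (mapped) destination."""
        for nic in self.nics:
            if ip_address(ip) in ip_network(nic.vpc_cidr):
                return nic
        return None

    def process(self, ingress, pkt):
        """Return (egress NIC, translated packet), or None if the packet is not handled."""
        if pkt.dst != ingress.ip:
            return None  # the VPC-side rule always addresses the bridge NIC itself
        mapped_dst = self.nat_map.get(ingress.ip)
        if mapped_dst is None:
            return None  # no address mapping rule for this NIC
        egress = self.egress_nic(mapped_dst)
        if egress is None or egress is ingress:
            return None  # mapped VM is not behind one of the other NICs
        new_dst = mapped_dst if self.dnat else pkt.dst
        new_src = egress.ip if self.snat else pkt.src
        return egress, replace(pkt, src=new_src, dst=new_dst)


# Constructed topology of Figure 1 (VM3 created in VPC1, one NIC per VPC).
NIC1 = Nic("nic1", "192.168.0.4", "192.168.0.0/16")  # bound to VPC1
NIC2 = Nic("nic2", "10.0.0.4", "10.0.0.0/16")        # bound to VPC2
VM3 = BridgeVM([NIC1, NIC2], {NIC1.ip: "10.0.0.2",     # nic1 <-> VM4
                              NIC2.ip: "192.168.0.3"}) # nic2 <-> VM2


def forward_path():
    """Steps 1-4 of the text: VM1 -> nic1 -> FULLNAT -> nic2 -> VM4."""
    pkt = Packet("192.168.0.2", "192.168.0.4", b"constructed payload")
    return VM3.process(NIC1, pkt)


def return_path():
    """Return flow: VM4 -> nic2 -> address mapping -> nic1 -> VM2."""
    pkt = Packet("10.0.0.2", "10.0.0.4", b"constructed reply")
    return VM3.process(NIC2, pkt)


if __name__ == "__main__":
    for label, result in (("VM1->VM4", forward_path()), ("VM4->VM2", return_path())):
        nic, out = result
        print(f"{label}: out via {nic.name}, src={out.src}, dst={out.dst}")
```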

通过上述方式,通过桥接虚拟机VM3的网卡1和网卡2,实现VPC1与VPC2之间的虚拟机之间报文的交互,避免通过在两VPC之间的路由器建立隧道或专线的方式实现跨VPC通信,本申请提供一种新型的跨VPC通信的方式。Through the above method, by bridging the NIC 1 and NIC 2 of the virtual machine VM3, the message interaction between the virtual machines between VPC1 and VPC2 is realized, and the cross-VPC is avoided by establishing a tunnel or a dedicated line on the router between the two VPCs. Communication, this application provides a new way of cross-VPC communication.

本申请提供的跨VPC通信还可以结合路由器来实现,如图2所示,为本申请提供的另一在云数据中心部署的通信系统200,通信系统200与通信系统100包含的虚拟设备以及各虚拟机设备的IP地址相同,其中,其他对于通信系统200的配置,与通信系统100相同之处请参见上述对于通信系统100的介绍,此处不再赘述。不同的是,在该通信系统200中,桥接虚拟机VM3的网卡1未接入交换机1,而是接入了路由器1,VM3的网卡2接入了路由器2。The cross-VPC communication provided by this application can also be implemented in conjunction with routers. As shown in FIG. 2, another communication system 200 deployed in a cloud data center provided by this application, the communication system 200 and the virtual devices included in the communication system 100, and each The IP addresses of the virtual machine devices are the same. For other configurations of the communication system 200 that are the same as those of the communication system 100, please refer to the above description of the communication system 100, which will not be repeated here. The difference is that in the communication system 200, the network card 1 of the bridging virtual machine VM3 is not connected to the switch 1, but is connected to the router 1, and the network card 2 of the VM3 is connected to the router 2.

示例性的,假设在VM3内未设置地址转换功能,VPC1内的虚拟机发送的报文的目的IP地址就是该报文的目的端的IP地址。同样的,下面对VM1向VPC2内的虚拟机VM4发送报文时,整个数据处理的过程进行介绍:Exemplarily, assuming that the address translation function is not set in VM3, the destination IP address of the message sent by the virtual machine in VPC1 is the IP address of the destination end of the message. Similarly, the following describes the entire data processing process when VM1 sends a message to virtual machine VM4 in VPC2:

1,VM1将报文发送至交换机1;1. VM1 sends the message to switch 1;

VM1发送的报文的源IP地址为VM1的IP地址,目的IP地址为VM4的IP地址。The source IP address of the message sent by VM1 is the IP address of VM1, and the destination IP address is the IP address of VM4.

2,交换机1将接收到的来自VM1的报文发送给路由器1;2. Switch 1 sends the received message from VM1 to router 1;

具体的,VM1发送的报文的源IP地址可为VM1的IP地址(192.168.0.2),目的IP地址可为VM4的IP地址(10.0.0.2),由于源IP地址和目的IP地址不处于同一网段,且路由器可实现不同网段之间的数据转发,因此,交换机1接收到该报文后,将该报文发送至路由器1。应理解的是,交换机1和路由器1可以通过运算得出源IP地址和目的IP地址不处于同一网段。路由器1接收到路由器1确定该报文的目的IP地址为VPC2内的虚拟机的IP地址时,将该报文发送至VM3的网卡1。Specifically, the source IP address of the message sent by VM1 can be the IP address of VM1 (192.168.0.2), and the destination IP address can be the IP address of VM4 (10.0.0.2), because the source and destination IP addresses are not the same Network segment, and routers can implement data forwarding between different network segments. Therefore, after switch 1 receives the message, it sends the message to router 1. It should be understood that the switch 1 and the router 1 can calculate that the source IP address and the destination IP address are not in the same network segment. When router 1 receives that router 1 determines that the destination IP address of the message is the IP address of the virtual machine in VPC2, it sends the message to network card 1 of VM3.

其中,可在路由器1内配置一条路由规则,若报文的目的IP地址为VPC2的私网地址 (例如,10.0.0.2)时,路由器1将该报文发送至VM3的网卡1。Among them, a routing rule can be configured in router 1. If the destination IP address of the message is the private network address of VPC2 (for example, 10.0.0.2), router 1 sends the message to network card 1 of VM3.

对应的,路由器1内还可以配置一条针对回程的路由规则,例如,当路由器1接收到的报文的目的IP地址为192.168.0.0/24时,转发至子网1。Correspondingly, a routing rule for the backhaul can also be configured in router 1. For example, when the destination IP address of the packet received by router 1 is 192.168.0.0/24, it is forwarded to subnet 1.

3,路由器1将该报文发送至桥接虚拟机VM3的网卡1;3. Router 1 sends the message to the network card 1 of the bridge virtual machine VM3;

4,VM3将来自路由器1的报文通过网卡2发送至路由器2;4. VM3 sends the message from router 1 to router 2 through network card 2;

具体的,VM3基于网卡1接收到来自路由器1的报文后,根据该报文的目的IP地址(10.0.0.2),可通过网卡2将报文直接发送给路由器2。Specifically, based on the network card 1 receiving the message from the router 1, the VM3 can directly send the message to the router 2 through the network card 2 according to the destination IP address (10.0.0.2) of the message.

可选的,VM3还可以对报文进行网络功能处理,例如,上文介绍的地址转换,还可以进行防火墙过滤,具体请参见下文对于防火墙的介绍。Optionally, VM3 can also perform network function processing on packets, for example, the address translation described above, and firewall filtering can also be performed. For details, please refer to the description of firewalls below.

5,路由器2接收来自VM3的网卡2的报文,并将该报文转发给交换机2下接入的部分或全部虚拟机。5. The router 2 receives the message from the network card 2 of the VM3, and forwards the message to some or all of the virtual machines connected under the switch 2.

上述为桥接虚拟机基于路由器层面的数据转发,也就是,本申请桥接虚拟机可实现的路由功能。The foregoing is the data forwarding of the bridged virtual machine based on the router level, that is, the routing function that can be implemented by the bridged virtual machine of this application.

需要说明的是,上述介绍的桥接虚拟机设置有2个网卡仅为举例,本申请实施例中的桥接虚拟机还可以设置2个以上数量的网卡,以实现多个VPC(大于2个)下两两VPC之间的数据传输。It should be noted that the setting of two network cards in the bridged virtual machine described above is only an example, and the bridged virtual machine in the embodiment of this application can also be set with more than two network cards to implement multiple VPCs (more than 2). Data transfer between two VPCs.

接下来,对桥接虚拟机上设置大于2个网卡时的部署方式以及对应的通信方式进行介绍说明:Next, the deployment method and the corresponding communication method when more than 2 network cards are set on the bridge virtual machine are introduced:

示例性的,假设桥接虚拟机上设置有4个网卡,如图3所示的通信系统300,该通信系统在通信系统100的基础上,又增加了虚拟私云VPC3和VPC4,桥接虚拟机VM3设置有4块网卡,例如,包括第一网卡、第二网卡、第三网卡和第四网卡,其中,第一网卡与VPC1绑定,第二网卡与VPC2绑定,第三网卡与VPC3绑定,第四网卡与VPC4绑定。Exemplarily, suppose that 4 network cards are provided on the bridge virtual machine, as shown in the communication system 300 shown in FIG. 3. The communication system adds virtual private clouds VPC3 and VPC4 on the basis of the communication system 100, and bridges the virtual machine VM3. There are 4 network cards, for example, including the first network card, the second network card, the third network card, and the fourth network card. The first network card is bound to VPC1, the second network card is bound to VPC2, and the third network card is bound to VPC3. , The fourth network card is bound to VPC4.

假设,第一网卡的IP地址与VPC2内的VM4的IP地址一一映射,第二网卡的IP地址与VPC1内的VM2的IP地址一一映射,第三网卡的IP地址与VPC4内的VM7的IP地址一一映射,第四网卡的IP地址与VPC3内的VM6的IP地址一一映射。Assume that the IP address of the first network card is mapped to the IP address of VM4 in VPC2, the IP address of the second network card is mapped to the IP address of VM2 in VPC1, and the IP address of the third network card is mapped to that of VM7 in VPC4. The IP addresses are mapped one by one, and the IP address of the fourth network card is mapped one by one with the IP address of VM6 in VPC3.

在该通信系统300中,可基于桥接虚拟机VM3的网卡1和网卡2可以实现VPC1与VPC2之间的数据传输,基于VM3的网卡3和网卡4可以实现VPC3和VPC4之间的数据传输。In the communication system 300, the network card 1 and the network card 2 that can bridge the virtual machine VM3 can realize the data transmission between the VPC1 and the VPC2, and the network card 3 and the network card 4 based on the VM3 can realize the data transmission between the VPC3 and the VPC4.

作为又一种示例,在一些场景中,桥接虚拟机内也可部署路由规则,例如,对于VPC1的路由器1而言,要实现将VPC1的报文发送至VPC2时,对应的路由规则可以为将目的IP地址为VPC2的私网地址的报文发送至VM3的网卡1。若要实现将VPC1的报文发送至VPC3时,对应的路由规则可为将目的IP地址为VPC3的私网地址的报文也发送至VM3的网卡1。也就是,VM3的网卡1接收到的报文可能是发送至VPC2的,也可能是发送至VPC3的,则VM3上设置的路由规则可以为,目的IP地址为VPC2的私网地址的报文由网卡2发出,目的IP地址为VPC3的私网地址的报文由网卡3发出。As another example, in some scenarios, routing rules can also be deployed in the bridge virtual machine. For example, for router 1 of VPC1, when sending packets of VPC1 to VPC2, the corresponding routing rule can be The packet whose destination IP address is the private network address of VPC2 is sent to network card 1 of VM3. If you want to send the message of VPC1 to VPC3, the corresponding routing rule can be that the message whose destination IP address is the private network address of VPC3 is also sent to the network card 1 of VM3. That is, the message received by the NIC 1 of VM3 may be sent to VPC2, or it may be sent to VPC3, then the routing rule set on VM3 can be: the message whose destination IP address is the private network address of VPC2 is sent by The network card 2 sends a message with the destination IP address of the private network address of VPC3 being sent by the network card 3.

In the communication system 400 shown in FIG. 4, which builds on the communication system 200, a further virtual private cloud VPC3 is added, and the bridge virtual machine VM3 is provided with three network cards, for example a first network card, a second network card and a third network card, where the first network card is bound to VPC1, the second network card is bound to VPC2, and the third network card is bound to VPC3.

Routing rules are configured on each router, and likewise routing rules are configured on the bridge virtual machine VM3. The following takes router 1 and the bridge virtual machine VM3 as an example to describe the routing rules configured on router 1 and on the corresponding VM3:

For router 1 of VPC1, to send packets from VPC1 to VPC2, the corresponding routing rule may be: send packets whose destination IP address is a private network address of VPC2 to network card 1 of VM3. To send packets from VPC1 to VPC3, the corresponding routing rule may be: also send packets whose destination IP address is a private network address of VPC3 to network card 1 of VM3. That is, a packet received by network card 1 of VM3 may be destined for VPC2 or for VPC3, so the routing rules set on VM3 may be: packets whose destination IP address is a private network address of VPC2 are sent out through network card 2, and packets whose destination IP address is a private network address of VPC3 are sent out through network card 3.

Similarly, router 2 in VPC2 and router 3 in VPC3 can be configured with reference to the routing rules configured for router 1 and VM3, which is not repeated here.

Based on the above routing rules, in the communication system 300, data transmission between VPC1 and VPC2 can be implemented based on network card 1 and network card 2 of the bridge virtual machine VM3, data transmission between VPC1 and VPC3 can be implemented based on network card 1 and network card 3 of VM3, and data transmission between VPC2 and VPC3 can be implemented based on network card 2 and network card 3 of VM3.

As an optional implementation, a firewall may also be deployed in the bridge virtual machine VM3 to implement any function of a firewall. For example, a security policy is set through the firewall; the security policy is the basic security control mechanism by which the firewall checks, according to certain filtering rules, whether a data flow may pass through the firewall. Illustratively, a firewall filtering rule may be that VPC1 may access any virtual device in VPC2, or may only access the virtual device with a specified IP address in VPC2, and so on.

Illustratively, after the firewall is deployed, when network card 1 of VM3 receives a packet from VPC1, it can determine whether the packet complies with the preset firewall rules; if so, the packet is sent to VPC2 through network card 2, otherwise the packet is not sent out. Correspondingly, when network card 2 of VM3 receives a packet from VPC2, it can likewise determine whether the packet complies with the preset firewall rules; if so, the packet is sent to VPC1 through network card 1, otherwise the packet is not sent out.

In the embodiments of this application, a bridge virtual machine in which a firewall is deployed can perform security filtering of the data to be transmitted, thereby improving the security of cross-VPC communication, and can also implement other functions of a firewall; these may be implemented based on existing firewall mechanisms and are not repeated here.
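The routing rules and firewall filtering of the bridge virtual machine described above, modelled as an added example (not code from the patent): per-destination routing rules pick the egress network card, and a first-match, default-deny firewall decides whether a flow may cross. The VPC address ranges and every host except VM2 (192.168.0.3) are assumptions, and the check that a packet's source address belongs to the VPC bound to its ingress network card is our addition.

```python
"""Forwarding pipeline of the bridge virtual machine VM3 (added example).

One NIC is bound to each VPC, a routing rule per destination private network
picks the egress NIC, and a firewall with first-match rules and a default-deny
policy decides whether the flow may cross. Network ranges and all hosts except
VM2 (192.168.0.3, from the page) are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Nic:
    name: str             # "nic1", "nic2", "nic3"
    vpc: str              # VPC the NIC is bound to
    network: IPv4Network  # private network of that VPC


@dataclass(frozen=True)
class FirewallRule:
    src_net: IPv4Network  # who may send
    dst_net: IPv4Network  # a /32 means "only this specified virtual device"
    allow: bool


@dataclass(frozen=True)
class Decision:
    action: str                   # "forward" or "drop"
    egress: Optional[str] = None  # egress NIC when forwarding
    reason: str = ""


class BridgeVM:
    def __init__(self, nics, routes, firewall):
        self.nics = {n.name: n for n in nics}
        # Routing rules: (destination private network, egress NIC); the
        # longest prefix is consulted first, as a real routing table would.
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)
        self.firewall = list(firewall)  # first matching rule wins

    def lookup_route(self, dst):
        for net, nic_name in self.routes:
            if dst in net:
                return nic_name
        return None

    def firewall_allows(self, pkt):
        for rule in self.firewall:
            if pkt.src in rule.src_net and pkt.dst in rule.dst_net:
                return rule.allow
        return False  # default deny: no rule, no crossing

    def forward(self, ingress, pkt):
        nic = self.nics[ingress]
        # Defensive check (our addition): a packet arriving on the NIC bound
        # to VPC1 must carry a VPC1 source address; anything else is spoofed.
        if pkt.src not in nic.network:
            return Decision("drop", reason=f"{pkt.src} is not a {nic.vpc} address")
        if not self.firewall_allows(pkt):
            return Decision("drop", reason="no firewall rule permits this flow")
        egress = self.lookup_route(pkt.dst)
        if egress is None or egress == ingress:
            return Decision("drop", reason=f"no route to {pkt.dst} via another NIC")
        return Decision("forward", egress=egress)


def build_vm3():
    """VM3 of communication system 400: three NICs, one per VPC (constructed ranges)."""
    vpc1 = ip_network("192.168.0.0/24")
    vpc2 = ip_network("172.16.0.0/24")
    vpc3 = ip_network("172.17.0.0/24")
    nics = [Nic("nic1", "VPC1", vpc1), Nic("nic2", "VPC2", vpc2), Nic("nic3", "VPC3", vpc3)]
    routes = [(vpc1, "nic1"), (vpc2, "nic2"), (vpc3, "nic3")]
    firewall = [
        FirewallRule(vpc1, vpc2, True),                          # VPC1 -> any device in VPC2
        FirewallRule(vpc2, vpc1, True),                          # return direction
        FirewallRule(vpc1, ip_network("172.17.0.10/32"), True),  # VPC1 -> one device in VPC3
    ]
    return BridgeVM(nics, routes, firewall)


def route_packet(vm, ingress, src, dst):
    return vm.forward(ingress, Packet(ip_address(src), ip_address(dst)))


if __name__ == "__main__":
    vm3 = build_vm3()
    for ingress, src, dst in [("nic1", "192.168.0.3", "172.16.0.5"),
                              ("nic1", "192.168.0.3", "172.17.0.11"),
                              ("nic2", "192.168.0.3", "172.16.0.5")]:
        print(ingress, src, "->", dst, route_packet(vm3, ingress, src, dst))
```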

As an optimization, to improve the reliability of cross-VPC communication through the bridge virtual machine, the bridge virtual machine may also be configured in redundant mode. The configuration may be based on the VRRP protocol or on an HA protocol; since this is an implementation based on existing redundancy configuration mechanisms, the specific configuration is not repeated here. In the communication system 500 shown in FIG. 5, which builds on FIG. 1, two bridge virtual machines are deployed between VPC1 and VPC2 at the same time. It should be understood that only one of the two bridge virtual machines is used for actual data transmission at any time: the bridge virtual machine actually used for data transmission is the master bridge virtual machine, and the other serves as the standby bridge virtual machine. In short, redundant mode can be understood as a master-standby mode: when the master bridge virtual machine fails, the standby bridge virtual machine can switch over to become the master bridge virtual machine, so that the communication system keeps running normally.

Therefore, the configuration of the standby bridge virtual machine must be exactly the same as that of the master bridge virtual machine in order to achieve seamless switchover; that is, the master and standby bridge virtual machines have the same hardware configuration and the same network configuration, for example the same number of network cards, the same IP addresses, the same address mapping rules, the same routing rules, and so on. The difference is that the MAC address of the master bridge virtual machine differs from the MAC address of the standby bridge virtual machine.

After the master bridge virtual machine fails, the standby bridge virtual machine automatically switches over to become the master. Illustratively, assume the bridge virtual machines are in a redundant configuration, the current master bridge virtual machine is VM3 and the standby bridge virtual machine is VM3'. While VM3 is running, it can periodically broadcast a message to notify VM3' that the master bridge virtual machine is in a normal state. Once VM3 fails, it no longer broadcasts this message; when VM3' has not detected the message broadcast by the master bridge virtual machine within a preset time period, it switches over to become the master bridge virtual machine, that is, VM3' then runs as the master bridge virtual machine.

It should be noted that for two bridge virtual machines in a redundant configuration, the IP address of the two bridge virtual machines is a virtual IP (VIP) rather than a real IP. A virtual IP is defined relative to a real IP: when, within the same VPC, an IP address corresponds to only one virtual device, that IP is the real IP of that host; a virtual IP means that in redundant mode two hosts have the same IP address, which is then the virtual IP jointly owned by the two virtual machine devices. Therefore, when the embodiments of this application implement a redundant configuration of bridge virtual machines, the virtual devices in the embodiments also have the function of obtaining the MAC address for the VIP of the bridge virtual machine, so as to ensure that packets are sent to the master bridge virtual machine according to the obtained MAC address.
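The master/standby switchover and VIP handling just described, as an added example that is not part of the patent: the standby VM3' promotes itself when no heartbeat from VM3 has arrived within the preset period, after which the VIP resolves to the MAC address of VM3'. The MAC addresses, the shared key and the HMAC tag on the heartbeat are assumptions; authenticating the heartbeat is our addition, since an unauthenticated heartbeat could be forged by any VM on the segment to mask a dead master or to trigger a spurious failover.

```python
"""Master/standby switchover of a redundant bridge virtual machine (added example).

VM3 (master) and VM3' (standby) share one virtual IP (VIP) but have different
MAC addresses. The master broadcasts a periodic heartbeat; when the standby sees
no heartbeat for a preset period it promotes itself, and the VIP then resolves
to its MAC. Heartbeat authentication with a shared key is an assumption added
here, not something the page specifies. Times are plain seconds supplied by the
caller so the logic is deterministic.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed values: MAC addresses and the key are examples only.
VIP = "192.168.0.254"
MASTER_MAC = "02:00:00:00:00:03"    # VM3
STANDBY_MAC = "02:00:00:00:00:04"   # VM3'
HEARTBEAT_KEY = b"constructed-shared-key"


@dataclass(frozen=True)
class Heartbeat:
    sender_mac: str
    sent_at: float
    tag: str  # HMAC-SHA256 over (sender_mac, sent_at)


def make_heartbeat(sender_mac, now, key=HEARTBEAT_KEY):
    msg = f"{sender_mac}|{now:.3f}".encode()
    return Heartbeat(sender_mac, now, hmac.new(key, msg, hashlib.sha256).hexdigest())


def heartbeat_is_authentic(hb, key=HEARTBEAT_KEY):
    msg = f"{hb.sender_mac}|{hb.sent_at:.3f}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, hb.tag)


class RedundantBridge:
    """State kept by the standby VM3', plus the VIP-to-MAC view other devices obtain."""

    def __init__(self, timeout, start_time=0.0):
        self.timeout = timeout            # preset period without heartbeats
        self.master_mac = MASTER_MAC      # who currently owns the VIP
        self.last_heartbeat = start_time  # last authentic heartbeat seen
        self.role = "standby"             # VM3' starts as standby

    def receive(self, hb):
        """VM3' processes a broadcast heartbeat; forged or foreign ones are ignored."""
        if self.role != "standby" or not heartbeat_is_authentic(hb):
            return False
        if hb.sender_mac != self.master_mac:
            return False
        self.last_heartbeat = hb.sent_at
        return True

    def poll(self, now):
        """VM3' checks the preset timer; on expiry it becomes the master."""
        if self.role == "standby" and now - self.last_heartbeat > self.timeout:
            self.role = "master"
            self.master_mac = STANDBY_MAC
        return self.role

    def resolve_vip(self):
        """MAC address that other virtual devices obtain for the VIP."""
        return self.master_mac


def simulate_failover(timeout=3.0):
    """VM3 heartbeats at t=0,1,2 then fails; returns (role at t=3, role at t=7, VIP MAC)."""
    bridge = RedundantBridge(timeout)
    for t in (0.0, 1.0, 2.0):
        bridge.receive(make_heartbeat(MASTER_MAC, t))
    forged = Heartbeat(MASTER_MAC, 6.0, "00" * 32)  # bad tag: must not reset the timer
    bridge.receive(forged)
    role_at_3 = bridge.poll(3.0)  # 1 s of silence: still standby
    role_at_7 = bridge.poll(7.0)  # 5 s of silence > timeout: promoted
    return role_at_3, role_at_7, bridge.resolve_vip()


if __name__ == "__main__":
    print(simulate_failover())
```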

The above describes the cross-VPC communication solution of this application, implemented by deploying different network functions on the bridge virtual machine. In one possible scenario, the embodiments of this application can, on the basis of cross-VPC communication, implement communication between a user's off-cloud IDC (on-premises data center) and a VPC on the cloud. FIG. 6 shows another communication system 600 provided by this application; the communication system 600 includes an off-cloud IDC, VPC1 and VPC2. The off-cloud IDC includes at least one terminal device 10 and a router 11; the terminal device may be a computer, a PC, a mobile phone, and so on. VPC2 includes at least one virtual gateway 20; the router 11 in the off-cloud IDC establishes a connection with the virtual gateway 20 of VPC2, for example a VPN connection or a tunnel, and VPC2 and VPC1 are connected across VPCs through the bridge virtual machine. Specifically, the router of the off-cloud IDC establishes a connection with the virtual gateway (VPN) of VPC2 through a dedicated line; for the specific internal structure of VPC2 and VPC1, refer to the description of FIG. 1, FIG. 2, FIG. 3, FIG. 4, FIG. 5 or FIG. 6, which is not repeated here.

In this communication system 500, the off-cloud IDC can communicate with virtual machines in VPC1 and also with virtual machines in VPC2. The process by which the off-cloud IDC communicates with a virtual machine in VPC2 is described in detail below:

1. The terminal device 10 of the off-cloud IDC sends a packet to the router 11;

The source IP address of the packet sent by the terminal device 10 is the IP address assigned to the terminal device 10 by the off-cloud IDC, assumed to be 10.0.0.2, and the destination IP address is the IP address of VM2 in VPC1, 192.168.0.3.

2. The router 11 performs address translation on the packet and sends it to the virtual gateway in VPC2;

Routing rules can be set in the router 11: if the destination IP address of a packet is a private network address of VPC1 or VPC2, the packet is sent to the virtual gateway of VPC2.

Further, when the router 11 has a VPN function, it can also encrypt the IP packet to be forwarded. For example, the router 11 encrypts the IP packet based on a preset algorithm and adds a VPN header to the encrypted IP packet, where the source IP address of the VPN header is the public network address of the router 11 and the destination IP address is the public network address of the virtual gateway in VPC2, so as to obtain the processed VPN packet, and sends the processed VPN packet to the virtual gateway of VPC2 over the dedicated line.

It should be understood that communication over a dedicated line or a VPN relies on the public network addresses of the devices at both ends for data transmission.

3. The virtual gateway of VPC2 receives the VPN packet from the router of the off-cloud IDC;

Assume that the virtual gateway of VPC2 is a VPN gateway. After receiving the VPN packet from the off-cloud IDC, the VPN gateway decapsulates the VPN packet, removes the VPN packet header to obtain the encrypted IP packet portion, and decrypts the IP packet based on a preset decryption algorithm corresponding to the preset encryption algorithm in the router 11.

4. Based on the destination IP address of the decrypted packet, the virtual gateway of VPC2 sends the packet to network card 2 of the bridge virtual machine VM3;

5. VM3 sends the packet to VM2 in VPC1 through network card 1.

It should be noted that the communication between the off-cloud IDC and the virtual private cloud described above is only an example; this application can implement communication between various off-cloud networks and on-cloud networks and is not limited to communication between an IDC and a virtual private cloud.

The above approach enables encrypted transmission between off-cloud and on-cloud networks, improving the security of data transmission. At the same time, because VPC1 is not directly connected to the public network, the risk of VPC1 being intruded upon is reduced to a certain extent. For example, in one possible scenario, a user may store data with high confidentiality requirements, such as R&D data, in VPC1, and deploy the data exchange with the public network in VPC2, so as to isolate public-network data from R&D data and thereby reduce the intrusion risk that could arise if public-network data and R&D data were transmitted within the same VPC at the same time.

FIG. 7 shows a specific example of how the virtual devices in a communication system provided by this application are connected. The communication system includes VPC1 and VPC2; VPC1 contains VM1 and VM2, and VPC2 contains VM3 and VM4. VM1, VM2 and VM4 each have one network card; the network cards of VM1 and VM2 are connected to the logical bridge VNI 1, and the network cards of VM3 and VM4 are connected to the logical bridge VNI 2. VM3 has two network cards, one connected to the logical bridge VNI 1 and the other connected to the logical bridge VNI 2.

The configuration of the above virtual devices (for example, the virtual machines of VPC1 and VPC2 in FIG. 1) can be implemented by a controller (also called a configuration device); for example, the controller is an SDN controller, which may correspond to the controller in FIG. 1. Assume that two VPC networks, VPC1 and VPC2, have been created through the SDN controller.

Next, refer to FIG. 8, which is a flowchart of the configuration method for implementing communication between VPCs through the controller in an embodiment of this application; it includes the following steps:

S800: Create a bridge virtual machine and set a first network card and a second network card for it. Specifically, for example, a bridge virtual machine is created in VPC1 or VPC2 and the number of network cards of the bridge virtual machine is configured, for example two network cards, namely the first network card and the second network card;

S801: Set the first network card to be bound to VPC1 and the second network card to be bound to VPC2, where the bridge virtual machine is used to perform network function processing on packets sent from VPC1 to VPC2 through network card 1, and on packets sent from VPC2 to VPC1 through network card 2.

It should be noted that if the two VPCs do not belong to the same tenant, the SDN controller may also provide a VPC authorization mechanism, and communication between the VPCs can only be implemented after authorization. For example, the user to whom VPC1 belongs may, through the authorization interface provided by the SDN controller, grant the permissions of VPC1 (for example, access permissions) to VPC2, and the user of VPC2 may grant the permissions of VPC2 to VPC1 through the authorization interface of the same function provided by the SDN controller; after authorization, communication between the two VPCs can be implemented based on the bridge virtual machine setup described above.

Next, refer to FIG. 9, which is an interaction flowchart of the method for communication between virtual machines in an embodiment of this application. The first virtual machine, the bridge virtual machine and the second virtual machine in this flow may respectively be any virtual machine in VPC1, the bridge virtual machine VM3, and any virtual machine in VPC2 in FIG. 1, FIG. 2, FIG. 3, FIG. 4, FIG. 5 or FIG. 6 above; alternatively, the first virtual machine may be any virtual machine in VPC2 in FIG. 1, FIG. 2, FIG. 3, FIG. 4, FIG. 5 or FIG. 6, in which case the second virtual machine is any virtual machine in VPC1. As shown in FIG. 9, the method includes:

S900. The first virtual machine sends a first packet;

S901. The bridge virtual machine receives the first packet through the first network card and performs network function processing on the first packet to obtain a second packet;

S902. The bridge virtual machine sends the second packet to the second virtual machine through the second network card;

S903. The second virtual machine receives the second packet sent by the bridge virtual machine.

For the process by which the bridge virtual machine performs network function processing on the data, refer to the description above, which is not repeated here.

Based on the same concept, as shown in FIG. 10, this application provides an apparatus 1000, which may be applied to the bridge virtual machine in the flow shown in FIG. 9 above.

The communication apparatus 1000 may include a processor 1001 and a memory 1002. Further, the apparatus may also include a first communication interface 1004 and a second communication interface 1005, where the communication interfaces may be transceivers. Further, the apparatus may also include a bus system 1003.

The processor 1001, the memory 1002, the first communication interface 1004 and the second communication interface 1005 may be connected through the bus system 1003. The memory 1002 may be used to store a computer program, and the processor 1001 may be used to execute the computer program stored in the memory 1002, so as to control the first communication interface 1004 and the second communication interface 1005 to receive or send signals and to complete the steps performed by the bridge virtual machine in the method shown in FIG. 9 above.

The memory 1002 may be integrated in the processor 1001, or may be a physical entity separate from the processor 1001.

In one implementation, the functions of the first communication interface 1004 and the second communication interface 1005 may be implemented by a transceiver circuit or a dedicated transceiver chip. The processor 1001 may be implemented by a dedicated processing chip, a processing circuit, a processor or a general-purpose chip.

In another implementation, a computer may be used to implement the first computing node, or the functions of the first computing node, provided in the embodiments of this application. That is, the program code implementing the functions of the processor 1001, the first communication interface 1004 and the second communication interface 1005 is stored in the memory 1002, and a general-purpose processor implements the functions of the processor 1001, the first communication interface 1004 and the second communication interface 1005 by executing the code in the memory.

For the concepts, explanations, detailed descriptions and other steps related to the technical solutions provided by this application that are involved in the communication apparatus 1000, refer to the descriptions of these contents in the foregoing method or other embodiments, which are not repeated here.

In one example of this application, the communication apparatus 1000 may be used to execute the steps in the flow shown in FIG. 9 above for which the bridge virtual machine is the executing entity. For example, the first communication interface 1004 may receive a packet sent by a first virtual machine in a first VPC bound to the first communication interface 1004; the processor 1001 may perform network function processing on the packets received by the first communication interface 1004 and the second communication interface 1005; and the second communication interface 1005 may send the packet from the first virtual machine to a second virtual machine in a second VPC bound to the second communication interface 1005.

For the description of the processor 1001, the first communication interface 1004 and the second communication interface 1005, refer to the description of the flow shown in FIG. 9 above, which is not repeated here.

Based on the same concept, as shown in FIG. 11, this application provides a configuration apparatus 1100, which may be applied to the controller in the flow shown in FIG. 8 above.

The configuration apparatus 1100 may include a processor 1101 and a memory 1102. Further, the apparatus may also include a communication interface 1104, which may be a transceiver. Further, the apparatus may also include a bus system 1103.

The processor 1101, the memory 1102 and the communication interface 1104 may be connected through the bus system 1103. The memory 1102 may be used to store a computer program, and the processor 1101 may be used to execute the computer program stored in the memory 1102, so as to control the communication interface 1104 to receive or send signals and to complete the steps performed by the controller in the method shown in FIG. 8 above.

The memory 1102 may be integrated in the processor 1101, or may be a physical entity separate from the processor 1101.

In one implementation, the function of the communication interface 1104 may be implemented by a transceiver circuit or a dedicated transceiver chip. The processor 1101 may be implemented by a dedicated processing chip, a processing circuit, a processor or a general-purpose chip.

In another implementation, a computer may be used to implement the first computing node, or the functions of the first computing node, provided in the embodiments of this application. That is, the program code implementing the functions of the processor 1101 and the communication interface 1104 is stored in the memory 1102, and a general-purpose processor implements the functions of the processor 1101 and the communication interface 1104 by executing the code in the memory.

For the concepts, explanations, detailed descriptions and other steps related to the technical solutions provided by this application that are involved in the communication apparatus 1100, refer to the descriptions of these contents in the foregoing method or other embodiments, which are not repeated here.

In one example of this application, the communication apparatus 1100 may be used to execute the steps in the flow shown in FIG. 8 above for which the controller is the executing entity. For example, the processor 1101 may create a bridge virtual machine, set a first network card and a second network card for the bridge virtual machine, and set the first network card to be bound to the first VPC and the second network card to be bound to the second VPC.

For the description of the processor 1101 and the communication interface 1104, refer to the description of the flow shown in FIG. 8 above, which is not repeated here.

Based on the above embodiments, the embodiments of this application further provide a computer storage medium storing a software program which, when read and executed by one or more processors, can implement the method provided by any one or more of the above embodiments. The computer storage medium may include various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk or an optical disc.

Based on the above embodiments, the embodiments of this application further provide a computer program product, which includes a computer program; when the computer program is executed by a computer, it causes the computer to perform the method provided by any one or more of the above embodiments.

Based on the above embodiments, the embodiments of this application further provide a chip, which includes a processor for implementing the functions involved in any one or more of the above embodiments, for example obtaining or processing the information or messages involved in the above methods. Optionally, the chip further includes a memory for storing the programs and data executed by the processor. The chip may also include a chip together with other discrete devices.

It should be understood that in the embodiments of this application the processor may be a central processing unit (CPU), and may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.

The memory may include a read-only memory and a random access memory, and provides instructions and data to the processor. A part of the memory may also include a non-volatile random access memory.

In addition to a data bus, the bus system may also include a power bus, a control bus, a status signal bus and the like; for clarity, however, the various buses are all labelled as the bus system in the figures. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The steps of the method disclosed in connection with the embodiments of this application may be directly embodied as being executed by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory, or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.

In the various embodiments of this application, unless otherwise specified or logically conflicting, the terms and/or descriptions in different embodiments are consistent and may be cited by one another, and the technical features in different embodiments may be combined according to their inherent logical relationships to form new embodiments.

It can be understood that the various numerical designations involved in the embodiments of this application are merely distinctions made for convenience of description and are not intended to limit the scope of the embodiments of this application. The magnitude of the sequence numbers of the above processes does not imply an order of execution; the order of execution of the processes should be determined by their functions and inherent logic.

In some possible implementations, various aspects of the information synchronization method provided in the embodiments of this application may also be implemented in the form of a program product that includes program code; when the program code runs on a computer device, the program code causes the computer device to perform the steps of the bridge virtual machine or SDN controller method according to the various exemplary implementations of this application described in this specification.

The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.

根据本申请的实施方式的用于配置参数的程序产品,其可以采用便携式紧凑盘只读存储器(CD-ROM)并包括程序代码,并可以在服务器设备上运行。然而,本申请的程序产品不限于此,在本文件中,可读存储介质可以是任何包含或存储程序的有形介质,该程序可以被信息传输、装置或者器件使用或者与其结合使用。The program product for configuring parameters according to the embodiment of the present application may adopt a portable compact disk read-only memory (CD-ROM) and include program code, and may run on a server device. However, the program product of this application is not limited to this. In this document, the readable storage medium can be any tangible medium that contains or stores a program, and the program can be used by or in combination with information transmission, devices, or devices.

可读信号介质可以包括在基带中或者作为载波一部分传播的数据信号,其中承载了可读程序代码。这种传播的数据信号可以采用多种形式,包括但不限于电磁信号、光信号或上述的任意合适的组合。可读信号介质还可以是可读存储介质以外的任何可读介质,该可读介质可以发送、传播或者传输用于由周期网络动作系统、装置或者器件使用或者与其结合使用的程序。The readable signal medium may include a data signal propagated in baseband or as a part of a carrier wave, and readable program code is carried therein. This propagated data signal can take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing. The readable signal medium may also be any readable medium other than a readable storage medium, and the readable medium may send, propagate, or transmit a program for use by or in combination with a periodic network action system, apparatus, or device.

可读介质上包含的程序代码可以用任何适当的介质传输,包括但不限于无线、有线、光缆、RF等,或者上述的任意合适的组合。The program code contained on the readable medium can be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the foregoing.

可以以一种或多种程序设计语言的任意组合来编写用于执行本申请操作的程序代码,所述程序设计语言包括面向对象的程序设计语言,诸如Java、C++等,还包括常规的过程式程序设计语言,诸如“C”语言或类似的程序设计语言。程序代码可以完全地在用户计算设备上执行、部分地在用户设备上执行、作为一个独立的软件包执行、部分在用户计算设备上部分在远程计算设备上执行、或者完全在远程计算设备或服务器上执行。在涉及远程计算设备的情形中,远程计算设备可以通过任意种类的网络,包括局域网(LAN)或广域网(WAN)—连接到用户计算设备,或者,可以连接到外部计算设备。The program code used to perform the operations of this application can be written in any combination of one or more programming languages. The programming languages include object-oriented programming languages, such as Java, C++, etc., as well as conventional procedural programming languages. Programming language, such as "C" language or similar programming language. The program code can be executed entirely on the user's computing device, partly on the user's device, executed as an independent software package, partly on the user's computing device and partly executed on the remote computing device, or entirely on the remote computing device or server Executed on. In the case of a remote computing device, the remote computing device may be connected to a user computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device.

本申请实施例针对信息同步的方法还提供一种计算设备可读存储介质,即断电后内容不丢失。该存储介质中存储软件程序,包括程序代码,当所述程序代码在计算设备上运行时,该软件程序在被一个或多个处理器读取并执行时可实现本申请实施例上面任何一种信息同步的方案。The embodiment of the present application also provides a computing device readable storage medium for the information synchronization method, that is, the content is not lost after a power failure. The storage medium stores a software program, including program code. When the program code runs on a computing device, the software program can implement any of the above embodiments of the present application when it is read and executed by one or more processors. Information synchronization scheme.

以上参照示出根据本申请实施例的方法、装置(系统)和/或计算机程序产品的框图和/或流程图描述本申请。应理解,可以通过计算机程序指令来实现框图和/或流程图示图的一个块以及框图和/或流程图示图的块的组合。可以将这些计算机程序指令提供给通用计算机、专用计算机的处理器和/或其它可编程数据处理装置,以产生机器,使得经由计算机处理器和/或其它可编程数据处理装置执行的指令创建用于实现框图和/或流程图块中所指定的功能/动作的方法。The foregoing describes the present application with reference to block diagrams and/or flowcharts illustrating methods, devices (systems) and/or computer program products according to embodiments of the present application. It should be understood that one block of the block diagram and/or flowchart diagram and a combination of the blocks in the block diagram and/or flowchart diagram can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, and/or other programmable data processing devices to produce a machine, so that the instructions executed via the computer processor and/or other programmable data processing device are created for A method of implementing the functions/actions specified in the block diagrams and/or flowchart blocks.

相应地,还可以用硬件和/或软件(包括固件、驻留软件、微码等)来实施本申请。更 进一步地,本申请可以采取计算机可使用或计算机可读存储介质上的计算机程序产品的形式,其具有在介质中实现的计算机可使用或计算机可读程序代码,以由指令执行系统来使用或结合指令执行系统而使用。在本申请上下文中,计算机可使用或计算机可读介质可以是任意介质,其可以包含、存储、通信、传输、或传送程序,以由指令执行系统、装置或设备使用,或结合指令执行系统、装置或设备使用。Correspondingly, hardware and/or software (including firmware, resident software, microcode, etc.) can also be used to implement this application. Furthermore, this application may take the form of a computer program product on a computer-usable or computer-readable storage medium, which has a computer-usable or computer-readable program code implemented in the medium to be used or used by the instruction execution system. Used in conjunction with the instruction execution system. In the context of this application, a computer-usable or computer-readable medium can be any medium that can contain, store, communicate, transmit, or transmit a program for use by an instruction execution system, apparatus, or device, or in combination with an instruction execution system, Device or equipment use.

尽管结合具体特征及其实施例对本申请进行了描述,显而易见的,在不脱离本申请的精神和范围的情况下,可对其进行各种修改和组合。相应地,本说明书和附图仅仅是所附权利要求所界定的本申请的示例性说明,且视为已覆盖本申请范围内的任意和所有修改、变化、组合或等同物。显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包括这些改动和变型在内。Although the application has been described in combination with specific features and embodiments, it is obvious that various modifications and combinations can be made without departing from the spirit and scope of the application. Accordingly, the specification and drawings are merely exemplary descriptions of the application as defined by the appended claims, and are deemed to cover any and all modifications, changes, combinations or equivalents within the scope of the application. Obviously, those skilled in the art can make various changes and modifications to the application without departing from the scope of the application. In this way, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include these modifications and variations.

Claims (12)

1. A method for communication between virtual private clouds (VPCs), wherein the method is applied to a bridging virtual machine that comprises a first network interface card (NIC) bound to a first VPC and a second NIC bound to a second VPC, the method comprising:
   the bridging virtual machine receiving, from the first NIC, a first packet sent by a first virtual machine in the first VPC to a second virtual machine in the second VPC; and
   the bridging virtual machine performing network function processing on the first packet and sending the processed first packet to the second VPC through the second NIC.

2. The method according to claim 1, wherein the first NIC is configured with a first private network address of the first VPC and the second NIC is configured with a second private network address of the second VPC;
   the receiving of the first packet comprises: the bridging virtual machine receiving the first packet from the first NIC, wherein the source IP address of the first packet is the private network address of the first virtual machine in the first VPC and the destination IP address is the first private network address; and
   the network function processing and sending comprise: the bridging virtual machine rewriting the source IP address of the first packet to the second private network address and the destination IP address of the first packet to the private network address of the second virtual machine in the second VPC, and sending the rewritten first packet to the second VPC through the second NIC.

3. The method according to claim 1, wherein
   the receiving of the first packet comprises: the bridging virtual machine receiving the first packet from the first NIC, wherein the source IP address of the first packet is the private network address of the first virtual machine in the first VPC and the destination IP address is the private network address of the second virtual machine in the second VPC; and
   the network function processing and sending comprise: the bridging virtual machine selecting the second NIC according to the destination IP address of the first packet, and sending the first packet to the second VPC through the second NIC.

4. The method according to any one of claims 1 to 3, wherein the network function processing and sending comprise: the bridging virtual machine determining whether the first packet matches a preset firewall rule and, if so, sending the processed first packet to the second VPC through the second NIC.

5. A method for configuring communication between VPCs, applied to a controller, comprising:
   creating a bridging virtual machine provided with a first NIC and a second NIC; and
   binding the first NIC to a first VPC and the second NIC to a second VPC, wherein the bridging virtual machine is configured to perform network function processing on packets sent from the first VPC to the second VPC via the first NIC, and on packets sent from the second VPC to the first VPC via the second NIC.

6. The method according to claim 5, wherein the network function processing comprises one or any combination of network address translation (NAT), routing, and firewall filtering.

7. A communication system comprising a first virtual machine in a first VPC, a second virtual machine in a second VPC, and a bridging virtual machine, wherein
   the first virtual machine is configured to send a first packet;
   the bridging virtual machine is configured to receive, from its first NIC, the first packet sent by the first virtual machine in the first VPC to the second virtual machine in the second VPC, perform network function processing on the first packet, and send the processed first packet to the second VPC through its second NIC; and
   the second virtual machine is configured to receive the processed first packet from the bridging virtual machine.

8. The system according to claim 7, wherein the first NIC of the bridging virtual machine is configured with a first private network address of the first VPC and the second NIC is configured with a second private network address of the second VPC;
   when receiving the first packet, the bridging virtual machine is specifically configured to receive the first packet from the first NIC, wherein the source IP address of the first packet is the private network address of the first virtual machine in the first VPC and the destination IP address is the first private network address; and
   when performing network function processing and sending, the bridging virtual machine is specifically configured to rewrite the source IP address of the first packet to the second private network address and the destination IP address to the private network address of the second virtual machine in the second VPC, and to send the rewritten first packet to the second VPC through the second NIC.

9. The system according to claim 7, wherein
   when receiving the first packet, the bridging virtual machine is specifically configured to receive the first packet from the first NIC, wherein the source IP address of the first packet is the private network address of the first virtual machine in the first VPC and the destination IP address is the private network address of the second virtual machine in the second VPC; and
   when performing network function processing and sending, the bridging virtual machine is specifically configured to select the second NIC according to the destination IP address of the first packet and to send the first packet to the second VPC through the second NIC.

10. The system according to any one of claims 7 to 9, wherein, when performing network function processing and sending, the bridging virtual machine is specifically configured to determine whether the first packet matches a preset firewall rule and, if so, to send the processed first packet to the second VPC through the second NIC.

11. A communication apparatus comprising a processor and a memory, wherein the memory stores a computer program and the processor is configured to execute the computer program stored in the memory so that the communication apparatus implements the method according to any one of claims 1 to 4.

12. A configuration apparatus comprising a processor and a memory, wherein the memory stores a computer program and the processor is configured to execute the computer program stored in the memory so that the configuration apparatus implements the method according to any one of claims 5 to 6.
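The forwarding behaviour that claims 2 to 4 (and the mirror claims 8 to 10) recite, as an added example that is not part of the patent and not Huawei's implementation: a Python model of the bridging virtual machine's decision for one packet arriving on the first NIC. The DNAT table keyed by destination port, the first-match firewall rule order, the anti-spoofing check on the ingress NIC and all addresses are assumptions of this illustration; the claims say only that the bridge rewrites source and destination (NAT mode), selects the egress NIC by destination (routing mode), and forwards only when a preset firewall rule is matched.

```python
# Added example, not code from the patent: a model of the bridging VM's forwarding
# decision in claims 1-4. DNAT table, rule order and anti-spoofing check are assumed.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "tcp"
    dport: int = 0

@dataclass(frozen=True)
class Nic:
    name: str
    addr: IPv4Address    # the NIC's own private address in its VPC (claim 2)
    cidr: IPv4Network    # the VPC address range bound to this NIC

@dataclass(frozen=True)
class FirewallRule:
    action: str          # "allow" or "deny"; first match wins, no match means drop
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

class BridgeVM:
    def __init__(self, nics: List[Nic], rules: List[FirewallRule],
                 nat: Dict[Tuple[str, str, int], Tuple[IPv4Address, int]]):
        self.nics = {n.name: n for n in nics}
        self.rules = rules
        self.nat = nat   # assumed DNAT table: (ingress NIC, proto, dport) -> (target VM, port)

    def firewall_permits(self, pkt: Packet) -> bool:
        """Claim 4: the first matching preset rule decides; no match means drop."""
        hit = next((r for r in self.rules if r.matches(pkt)), None)
        return hit is not None and hit.action == "allow"

    def egress_for(self, dst: IPv4Address) -> Optional[Nic]:
        """Claim 3: choose the NIC whose bound VPC contains the destination."""
        return next((n for n in self.nics.values() if dst in n.cidr), None)

    def forward(self, ingress_name: str, pkt: Packet) -> Tuple[Optional[str], Packet, str]:
        """Return (egress NIC name or None, packet as it would leave, reason)."""
        ingress = self.nics[ingress_name]
        # Added check: a packet arriving on a NIC must come from that NIC's own VPC.
        if pkt.src not in ingress.cidr:
            return None, pkt, "drop: source not in ingress VPC"
        if pkt.dst == ingress.addr:
            # Claim 2 (NAT mode): the sender addressed the bridge's own NIC.
            target = self.nat.get((ingress_name, pkt.proto, pkt.dport))
            if target is None:
                return None, pkt, "drop: no NAT mapping"
            real = replace(pkt, dst=target[0], dport=target[1])
            # Rules are evaluated on the real tenant addresses, before any rewrite.
            if not self.firewall_permits(real):
                return None, pkt, "drop: firewall"
            egress = self.egress_for(real.dst)
            if egress is None or egress.name == ingress_name:
                return None, pkt, "drop: NAT target not in a peer VPC"
            # The source becomes the bridge's address in the second VPC (claim 2).
            return egress.name, replace(real, src=egress.addr), "nat"
        # Claim 3 (routing mode): the destination is the second VM's own address.
        if not self.firewall_permits(pkt):
            return None, pkt, "drop: firewall"
        egress = self.egress_for(pkt.dst)
        if egress is None or egress.name == ingress_name:
            return None, pkt, "drop: destination not in a peer VPC"
        return egress.name, pkt, "route"

def mk(src: str, dst: str, proto: str = "tcp", dport: int = 0) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dport)

def build_example_bridge() -> BridgeVM:
    """Constructed topology (assumed addresses): VPC1 10.1.0.0/16 behind eth0,
    VPC2 10.2.0.0/16 behind eth1; only HTTP from VPC1 to 10.2.0.10 is allowed."""
    nics = [Nic("eth0", ip_address("10.1.0.2"), ip_network("10.1.0.0/16")),
            Nic("eth1", ip_address("10.2.0.2"), ip_network("10.2.0.0/16"))]
    rules = [FirewallRule("allow", ip_network("10.1.0.0/16"),
                          ip_network("10.2.0.10/32"), "tcp", 80),
             FirewallRule("deny", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))]
    nat = {("eth0", "tcp", 8080): (ip_address("10.2.0.10"), 80)}
    return BridgeVM(nics, rules, nat)

if __name__ == "__main__":
    bridge = build_example_bridge()
    for p in (mk("10.1.0.20", "10.1.0.2", "tcp", 8080),    # claim 2: sent to the bridge's address
              mk("10.1.0.20", "10.2.0.10", "tcp", 80),     # claim 3: routed by destination
              mk("10.1.0.20", "10.2.0.10", "tcp", 22),     # claim 4: no matching allow rule
              mk("10.2.0.99", "10.2.0.10", "tcp", 80)):    # spoofed source arriving on eth0
        egress, out, why = bridge.forward("eth0", p)
        print(f"{p.src}->{p.dst}:{p.dport} => {egress} {out.src}->{out.dst}:{out.dport} ({why})")
```

Two points a practitioner should take from the model. In NAT mode the second VPC only ever sees the bridge's second private address as the source, so security groups inside the second VPC cannot tell first-VPC senders apart; the firewall rule on the bridge is therefore the only per-sender control point, which is why the model evaluates it on the pre-rewrite addresses. In routing mode the bridge forwards packets whose destination is not its own NIC address, so the cloud's per-NIC source/destination address check has to be relaxed for both NICs, and the bridge should then enforce its own ingress source check, as the model does, rather than rely on the platform to drop spoofed traffic. On a Linux bridging VM the same three steps are normally realised with IP forwarding enabled and nftables or iptables nat and filter chains, which the model deliberately does not reproduce.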
PCT/CN2020/141106 2019-12-30 2020-12-29 Method and device for communication between vpcs Ceased WO2021136311A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911399727.0 2019-12-30
CN201911399727.0A CN113132201B (en) 2019-12-30 2019-12-30 Communication method and device between VPCs

Publications (1)

Publication Number Publication Date
WO2021136311A1 true WO2021136311A1 (en) 2021-07-08

Family

ID=76686522

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/141106 Ceased WO2021136311A1 (en) 2019-12-30 2020-12-29 Method and device for communication between vpcs

Country Status (2)

Country Link
CN (1) CN113132201B (en)
WO (1) WO2021136311A1 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113852572A (en) * 2021-09-30 2021-12-28 新华三信息安全技术有限公司 Message processing method and device
CN114025010A (en) * 2021-10-20 2022-02-08 北京奥星贝斯科技有限公司 Method for establishing connection and network equipment
CN114401274A (en) * 2022-01-21 2022-04-26 浪潮云信息技术股份公司 Communication line creating method, device, equipment and readable storage medium
CN114584529A (en) * 2022-01-29 2022-06-03 中国电子科技集团公司第五十二研究所 An Inference Server Based on NAT and Virtual Bridge
CN114598700A (en) * 2022-01-25 2022-06-07 阿里巴巴(中国)有限公司 Communication method and communication system
CN114928591A (en) * 2022-05-31 2022-08-19 济南浪潮数据技术有限公司 Method, device and medium for adding IP address of virtual machine
CN115297004A (en) * 2022-07-25 2022-11-04 紫光云技术有限公司 VPC (virtual private network) peer-to-peer connection implementation method in single usable area
CN115412527A (en) * 2022-08-29 2022-11-29 北京火山引擎科技有限公司 Method and communication device for one-way communication between virtual private networks
CN115442367A (en) * 2022-08-23 2022-12-06 中国银联股份有限公司 Data transmission method, virtual private cloud, device, medium and product
CN115664920A (en) * 2022-10-31 2023-01-31 北京青云科技股份有限公司 Network communication management method, device, equipment and storage medium of cloud platform
CN115811449A (en) * 2022-11-08 2023-03-17 广州骏伯网络科技有限公司 A cloud computing platform virtual private network system and network control method
CN115913617A (en) * 2022-09-26 2023-04-04 阿里巴巴(中国)有限公司 Cloud networking system, secure access method, device and storage medium
CN116820686A (en) * 2023-08-29 2023-09-29 苏州浪潮智能科技有限公司 Physical machine deployment method, virtual machine and container unified monitoring method and device
US12425326B2 (en) 2023-10-11 2025-09-23 International Business Machines Corporation Distributed transit gateway

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113709157B (en) * 2021-08-27 2023-06-30 四川中电启明星信息技术有限公司 Electric power safety research and development network structure based on cloud routing and safety control center
CN114448667B (en) * 2021-12-23 2023-08-08 天翼云科技有限公司 Data transmission method, device and equipment
CN114726827B (en) * 2022-03-31 2022-11-15 阿里云计算有限公司 Multi-cluster service system, service access and information configuration method, device and medium
CN114567523B (en) * 2022-04-22 2022-09-30 阿里巴巴(中国)有限公司 Method, equipment and storage medium for customizing vlan network
CN114844855B (en) * 2022-04-24 2024-05-17 京东科技信息技术有限公司 Method and device for generating network intercommunication access policy
CN114938318B (en) * 2022-05-11 2024-03-26 浪潮云信息技术股份公司 Cross-region peer-to-peer connection realization method based on elastic public network IP
CN115189920A (en) * 2022-06-16 2022-10-14 阿里巴巴(中国)有限公司 Cross-network domain communication method and related device
CN115499434B (en) * 2022-07-29 2024-10-01 天翼云科技有限公司 Traffic forwarding across VPCs
CN115834487A (en) * 2022-11-23 2023-03-21 度小满科技(北京)有限公司 Cross-private cloud service access method, load balancing system and computing equipment
CN118473856A (en) * 2023-02-07 2024-08-09 京东科技信息技术有限公司 Method and device for trunking communication, storage medium and electronic equipment
CN115913824B (en) * 2023-02-10 2023-07-25 中航金网(北京)电子商务有限公司 Virtual server communication method and system crossing VPC
CN119583441A (en) * 2024-12-06 2025-03-07 天翼云科技有限公司 Message forwarding method, device, computer-readable storage medium, and program product

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017214883A1 (en) * 2016-06-15 2017-12-21 Alibaba Group Holding Limited Network system and method for cross region virtual private network peering
CN109361764A (en) * 2018-11-29 2019-02-19 杭州数梦工场科技有限公司 The interior service access method across VPC, device, equipment and readable storage medium storing program for executing
US20190109729A1 (en) * 2017-10-06 2019-04-11 ZenDesk, Inc. Facilitating communications between virtual private clouds hosted by different cloud providers
US20190109777A1 (en) * 2017-10-09 2019-04-11 Keysight Technologies, Inc. METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR TESTING VIRTUAL NETWORK COMPONENTS DEPLOYED IN VIRTUAL PRIVATE CLOUDS (VPCs)
CN110401588A (en) * 2019-07-15 2019-11-01 浪潮云信息技术有限公司 VPC peer to peer connection method and system are realized in publicly-owned cloud platform based on openstack

Also Published As

Publication number Publication date
CN113132201B (en) 2022-11-25
CN113132201A (en) 2021-07-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20908992

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20908992

Country of ref document: EP

Kind code of ref document: A1