JP6133804B2 - Network control device, communication system, network control method, and network control program - Google Patents

Description

  The present invention relates to a network control device, a communication system, a network control method, and a network control program.

  In recent years, cloud computing has become widespread, and a virtual environment is constructed using resources of a physical server installed in a data center to provide various services to users. In addition, a virtual L2 (layer 2) network is constructed across different data centers using virtual switches.

  For example, a description will be given by taking as an example a company (Z) that realizes a department server, an accounting server, an attendance / leaving management server, a file server, and the like by a virtual machine (hereinafter sometimes referred to as VM (Virtual Machine)). In the company (Z), the virtual machine (A) and the virtual machine (B) are operated at the data center (X) of the base (Sapporo), and the virtual machine (C) is operated at the data center (Y) of the base (Fukuoka). The virtual machine (D) is operated. Then, the data center (X) and the data center (Y) are connected by a virtual L2 network using a virtual switch such as Open vSwitch.

  In this way, in the company (Z), by realizing communication between virtual machines that operate in different data centers and provide each service, employees at each base can be made independent of the base, Provide various services.

  In some cases, live migration of virtual machines is performed between bases of such networks.

OpenStack Homepage, [online], [Search February 3, 2014], Internet <http://www.openstack.org/> Ishii et al., “Open Source laaS Cloud Platform OpenStack”, NTT Technical Journal Vol.23, No.8, 2011. Kitazume et al., “Network virtualization technology that supports cloud services”, NTT Technology Journal Vol.23, No.10, 2011. Nagahama et al., `` Proposal of path control method for avoiding redundant path in live migration between data centers '', IEICE Technical Report, IN2013-48, vol.113, No.140, pp.71-76, Jul.2013. Nagahama et al., "Migration performance evaluation of virtual machines in international communication networks", IEICE Technical Report, IN2012-40, vol.112, No.134, Jul.2012. Cisco ASA 5500 Series Configuration Guide (Using CLI8.2) Setting Connection Limits and Timeouts, [online], [Search February 3, 2014], Internet <http://www.cisco.com/ cisco / web / support / JP / docs / SEC / Multi-FunctionSecur / ASA5500AdaptiveSecurAppli / CG / 004 / conns_connlimits.html? bid = 0900e4b1825ae5e9>

  However, frequent access due to concentration of multiple users' web access, etc., or frequent access due to DoS attacks, DDoS attacks, etc. occurs on the virtual machine that is the target of live migration. If the processing load is large, live migration may take a long time to complete or live migration may not be completed. Accordingly, an object of the present invention is to solve the above-described problems and shorten the time for live migration of a virtual machine.

  In order to solve the above-described problems and achieve the object, the present invention provides an acquisition unit that acquires a communication amount of a virtual machine that is a target of live migration from a network device on a communication path of the virtual machine, and the acquisition unit. A determination unit that determines whether or not the acquired communication amount exceeds a predetermined setting value, and when the determination unit determines that the communication amount exceeds a predetermined setting value, And a device control unit that instructs the network device to restrict communication to the virtual machine.

  According to the present invention, the time for live migration of a virtual machine can be shortened.

FIG. 1 is a diagram illustrating an example of the overall configuration of a communication system according to an embodiment. FIG. 2 is a diagram illustrating an example of a logical configuration of a virtual L2 network that connects VMs and VMs. FIG. 3 is a diagram illustrating a hierarchical structure of physical servers that operate VMs. FIG. 4 is a functional block diagram of the network control device. FIG. 5 is a diagram illustrating an example of VM information. FIG. 6 is a diagram illustrating an example of network device information. FIG. 7 is a diagram illustrating an example of setting value information. FIG. 8 is a diagram illustrating an example of a screen for setting a set value. FIG. 9 is a diagram for explaining a flow of a network control process when receiving a DDoS (Distributed Denial of Service) attack. FIG. 10 is a flowchart illustrating a processing procedure of the network control apparatus. FIG. 11 is a diagram illustrating a computer that executes a network control program.

  Hereinafter, modes (embodiments) for carrying out the present invention will be described. In addition, this invention is not limited by this embodiment.

  As shown in FIG. 1, the communication system includes a base A, a base B, a network control device 10, a cloud controller (management device) 20, and a terminal 30. Each base and the terminal 30 are connected by a network such as the Internet or VPN (Virtual Private Network). A data center is set up in the base. Here, it is assumed that the data center 2A is installed at the site A and the data center 2B is installed at the site B.

  The terminal 30 is a terminal that accesses a virtual machine (VM) that operates in the data center 2A, the data center 2B, or the like and uses various services, such as a laptop computer or a smartphone.

  In each of the data center 2A and the data center 2B, one or more physical servers (not shown) are installed, and an HV (hypervisor) that accommodates / controls a VM is operated using physical resources of the physical server. The physical resources include a communication interface, a processor, a memory, a hard disk, and the like. The HV is virtual software that accommodates / controls the VM, and may include, for example, a virtual switch (see FIG. 3). Each of the data center 2A and the data center 2B includes a network device 40. Here, the network device 40 of the data center 2A is referred to as a network device 40A, and the network device 40 of the data center 2B is referred to as a network device 40B.

  As shown in FIG. 2, VMs are connected by a virtual L2 network 21. When this virtual L2 network 21 straddles between data centers, for example, a route via the virtual switch and virtual software switch of FIG. 3 and the physical network 22 (network connection device 40A, Internet / VPN and network connection device 40B) It is realized by the VPN technology that passes through.

  The network device 40 is a device that relays data communication of each VM in each data center. For example, the network device 40 relays data communication between each VM and the terminal 30. The network device 40 is, for example, a router installed at the boundary between the data center and the external network. The network device 40 may have functions of a firewall, a load balancer, and a packet shaper in addition to the above function as a router. The network device 40 may be a device that is separate from the physical server in which the VM is accommodated, may be a device that is virtually realized by the physical server, or may be a dedicated physical device. It may be a device.

  The VM is a virtual device that executes, for example, a Web server or a DB server, and performs data communication with the terminal 30 to provide various services. Each VM operates in the same segment even if the operating base is different. Further, each VM is migrated across data centers based on an instruction from the cloud controller 20. For example, the VM is migrated from the data center 2A to the data center 2B according to an instruction from the cloud controller 20. In the present embodiment, the VM migration is assumed to be live migration (where the entire VM is moved and moved to another physical server).

  The cloud controller 20 is a device that controls a VM. The control of the VM here is performed for the HV that controls the VM. For example, the cloud controller 20 instructs migration to a physical server that accommodates the VM. When the cloud controller 20 issues a migration instruction, the cloud controller 20 notifies the network device 10 that the migration has started.

  The network control device 10 instructs traffic restriction on the network device 40. Specifically, the network control apparatus 10 acquires the communication amount of the VM that is the target of live migration from the network apparatus 40 on the communication path of the VM. The network control device 10 monitors the network device 40 on the VM communication path, and the VM traffic (for example, the number of application requests such as http, the number of TCP sessions, pps (packet / sec), bps (bit / sec). ) Etc.).

  Then, the network control device 10 determines whether or not the acquired communication amount of the VM exceeds a predetermined setting value. For example, the network control device 10 determines whether or not the number of requests for applications such as http exceeds “1000 http / sec” as the VM traffic determination process. In addition to the number of requests for applications such as http, the number of TCP sessions, pps, bps, etc. may be used for the VM traffic determination process.

  Then, when it is determined that the amount of VM communication exceeds a predetermined set value, the network control device 10 instructs the network device 40 to restrict communication to the VM (in FIG. 1). “Traffic restriction instructions”). For example, for the network device 40 (for example, a border router) that accommodates the VM that is the target of live migration, the network control device 10 sets the communication amount addressed to the VM to “1000 http / sec” that is the same as the set value. Set to reduce so that: Upon receiving such an instruction, for example, the network device 40 reduces the amount of communication during communication, stops accepting new TCP sessions, and the like. As a result, communication to the VM is restricted, and the load on the VM is reduced. In this embodiment, the communication system includes the network control device 10 and the cloud controller 20. However, the present invention is not limited to this, and the functions of the network control device 10 are applied to the cloud controller 20. However, the network control device 10 may not be provided.

  By doing so, the load on the VM is reduced even during a live migration of the VM even when the load is high due to concentration of access to the VM. As a result, the time required for migration of the VM can be shortened.

  FIG. 3 is a diagram illustrating a hierarchical structure of physical servers that operate VMs. Here, an example in which a VM is operated by one physical server will be described as an example. The physical server 6 operates in the data center 2A, and the physical server 16 operates in the data center 2B. Each physical server is a general server device and includes hardware such as a processor and a memory.

  The physical server 6 of the data center 2A operates the virtualization software 6b on the hardware 6a to provide a virtual environment. The virtualization software 6b operates the virtual switch 6c. Similarly, the physical server 16 of the data center 2B operates the virtualization software 16b on the hardware 16a to provide a virtual environment. Further, the virtualization software 16b operates the virtual switch 16c to construct the virtual L2 network 21 illustrated in FIG. In other words, different data centers are connected to each other via the virtual L2 network 21.

  Then, each virtualization software of each physical server operates the VM in a state where the virtual L2 network 21 can be used. Specifically, the virtualization software 6b operates VM (A) and VM (B) using the physical resources of the physical server 6, and each VM is transferred to the virtual L2 network 21 via the virtual switch 6c. Connecting. Similarly, the virtualization software 16b operates VM (C) and VM (D) using the physical resources of the physical server 16, and connects each VM to the virtual L2 network 21 via the virtual switch 16c. .

  Next, the network control apparatus 10 will be described in detail with reference to FIG. The network control device 10 includes an input / output unit 11, a storage unit 12, and a control unit 13.

  The input / output unit 11 is an input / output interface that controls input / output of various information to / from an external device. The input / output unit 11 acquires, for example, information related to the VM traffic from the network device 40 or outputs a traffic restriction instruction to the network device 40. The input / output unit 11 may include a communication interface capable of communicating via a network in addition to an input / output interface with an external device.

  The storage unit 12 stores VM information, network device information, and setting value information.

  The VM information is information related to a VM in the communication system. For example, as illustrated in FIG. 5, the VM information is information indicating a base to which the VM belongs for each VM identification information. Specifically, for example, as VM information, VM identification information “VM1” and information “base A” indicating the base to which the VM belongs are associated with each other and stored in the storage unit 12. Is done.

  The network device information is information related to the network device 40 in the communication system. For example, as illustrated in FIG. 6, the network device information is information indicating a base to which the network device 40 belongs for each piece of identification information of the network device 40. As shown in FIG. 6, the network device information may include a value of the amount of traffic of the VM accommodated by each network device 40. For example, in the example of FIG. 6, the network device information includes the network device identification information “40A”, the information “A” indicating the location to which the network device belongs, and the communication amount of the VM accommodated by the network device “800 http”. Are associated with each other and stored in the storage unit 12. In the example of FIG. 6, a simplified description is given assuming that the network device accommodates one VM.

  The set value information is information used by the determination unit 132 (described later) to determine whether or not to limit traffic to the network device 40. This set value information is, for example, information that can be set by the user. For example, as shown in FIG. 7, it is a threshold value for determining whether or not to limit traffic to the network device 40 in association with a priority indicating whether to give priority to a user response or to give priority to live migration. The set value is stored. Here, it is assumed that the priority is given priority to the user response as the value is lower, and the live migration is given priority as the value is higher.

  Explaining with an example of FIG. 7, for example, as the setting value information, the priority “1” and the setting value “4000 http / sec” are associated with each other and stored in the storage unit 12. Further, for example, as the set value information, the priority “5” and the set value “0http / sec” are associated with each other and stored in the storage unit 12. As described above, when the priority value is low, priority is given to the user response, and therefore, a large amount of communication set as a threshold is set. Further, when the priority value is low, the user response is given priority, so the communication amount set as the threshold is set low.

  That is, in the example of the above priority “1”, when the VM traffic exceeds “4000 http / sec”, the network device 10 sets the communication traffic of the network device 40 accommodating the VM to “4000 http / sec”. This means that the network device 40 is instructed to restrict traffic so as to reduce the following. In the example of the priority “5”, it means that the network control device 10 instructs the network device 40 to restrict traffic so as to block all communication with the network device 40 that accommodates the VM. To do.

  The control unit 13 controls the entire network control apparatus 10. The control unit 13 includes a reception unit 130, an acquisition unit 131, a determination unit 132, and a device control unit 133.

  The accepting unit 130 accepts designation of a setting value via the input / output unit 11. Specifically, the reception unit 130 displays a screen on which setting values can be specified step by step for each VM, whether the user response is given priority or the migration is given priority. Accept by.

  Here, an example of a screen that can specify stepwise whether to give priority to a user response or to give priority to migration will be described with reference to FIG. As shown in FIG. 8, a bar is displayed in which setting values can be specified in five stages, and the user responds by sliding the circular pointer displayed on the bar left and right by operating the mouse or the like. It is possible to specify a setting value giving priority to migration or a setting value giving priority to migration. In the example of FIG. 8, the setting value giving priority to user response is set as the circular pointer is slid to the left, and the setting value giving priority to migration is set as the circular pointer is slid to the right.

  For example, in the screen example shown in (1) of FIG. 8, it is assumed that a circular pointer is slid to the left and a setting value giving priority to the user response is designated. Further, in the screen example shown in (2) of FIG. 8, it is assumed that a circular pointer is slid to the right and a setting value giving priority to migration is designated.

  In the example of FIG. 8, when the determination button displayed at the bottom of the screen is pressed by the user operating the mouse or the like, the specified setting value is applied. Here, in the screen example illustrated in FIG. 8, the setting value can be designated in five stages, and corresponds to the setting value information illustrated in FIG. That is, for example, when the determination button is pressed while the circular pointer is slid to the left, the set value “4000http / sec” corresponding to the priority “1” is applied. Further, for example, when the determination button is pressed while the circular pointer is slid to the right, the set value “0http / sec” corresponding to the priority “5” is applied.

  The acquisition unit 131 acquires the communication amount of the VM that is the target of live migration from the network device 40 on the communication path of the VM via the input / output unit 11. This traffic is, for example, the number of requests for applications such as http, the number of TCP sessions, pps, bps, and the like.

  Specifically, after the VM migration starts, the acquisition unit 131 uses the number of application requests such as http, the number of TCP sessions, pps, and bps as information on the VM traffic from the network device 40 on the VM communication path. Etc.

  The determination unit 132 determines whether the communication amount acquired by the acquisition unit 131 exceeds a predetermined set value. Specifically, the determination unit 132 determines whether the communication amount acquired by the acquisition unit 131 exceeds the set value received by the reception unit 130. For example, when “4000 http / sec” is designated as the setting value, the determination unit 132 determines whether the number of requests such as http for the VM exceeds “4000” per second.

  When the determination unit 132 determines that the VM communication amount exceeds the set value, the device control unit 133 instructs the network device 40 to limit communication to the VM. For example, when the VM traffic exceeds a specified value “4000 http / sec”, the device control unit 133 reduces the communication traffic of the network device 40 accommodating the VM to “4000 http / sec” or less. Thus, the network device 40 is instructed to restrict traffic. Note that the amount of communication to be reduced may not be the same as the specified value.

  Further, for example, when the determination unit 132 determines that the VM traffic exceeds the set value, the network device 40 is limited to communication packets being communicated out of communication with the VM. You may instruct | indicate to cancel reception of the new TCP session with respect to VM. In other words, by restricting communication packets during communication, it is possible to reduce the frequency of sending the memory content change to the migration destination while suppressing the VM traffic and suppressing the memory content change. Further, by canceling reception of a new TCP session, it is possible to suppress an increase in the VM traffic due to a new TCP session.

  Further, the device control unit 133 is a case where a predetermined set time (for example, 5 minutes) has elapsed since the network device 40 was instructed to restrict communication to the VM, and the live migration is performed. If not completed, the network device 40 is instructed to block all communication with the VM. Thereby, it is possible to complete the migration with certainty.

  In addition, the device control unit 133 releases the traffic restriction after the VM migration is completed. Specifically, when acquiring information indicating that the migration of the VM has been completed from the network device 40, the device control unit 133 instructs the network device 40 on the communication path of the VM to cancel the traffic restriction.

  Here, a series of flow of network control processing for the network device 40A will be described by taking as an example a case where live migration is performed while receiving a DDoS attack. FIG. 9 is a diagram for explaining a series of flow of network control processing when receiving a DDoS attack.

  As shown in FIG. 9, when receiving a DDos (Distributed Denial of Service) attack, the network bandwidth to a VM existing in the same network cannot be used. By migrating to 2B, a means for preventing the influence on other VMs can be considered. At this time, even if an attempt is made to migrate a VM under attack, since the attack traffic continues to be received, it may take a long time to complete live migration, or live migration may not be completed. Therefore, the network control apparatus 10 performs the network processing described below, so that the VM live migration time can be shortened.

  First, when the VM live migration is performed, the network control apparatus 10 periodically acquires the communication amount of the VM from the data center 2A existing in the data center and the network apparatus 40A such as an external border router. (Refer to (1) in FIG. 9).

  Then, the cloud controller 20 instructs the VM to perform live migration (see (2) in FIG. 9), and notifies the network control apparatus 10 that the migration has started. Subsequently, when the network control apparatus 10 receives a notification from the cloud controller 20 indicating that the migration has started (see (3) in FIG. 9), the network control apparatus 10 determines whether the VM traffic exceeds the set value, and the VM communication. If the amount exceeds the set value, the network device 40A is instructed to restrict traffic (see (4) in FIG. 9).

  Specifically, with the execution of live migration, the network control apparatus 10 reduces the amount of traffic (L4 packets, pps, bps, etc.) addressed to the VM in cooperation with the network apparatus 40A that accommodates the VM. As a result, the migration time can be shortened and the migration can be completed. If the router or the like cannot reduce the traffic, a packet shaper may be introduced and the traffic amount may be limited using the packet shaper. After the migration is completed, the cloud controller 20 switches the route to the network device 40B of the data center 2B that is the movement destination. In addition, the network control device 10 releases the traffic restriction for the network device 40A.

(Processing procedure)
Next, the processing procedure of the network control apparatus 10 will be described with reference to FIG. The following process is executed when a process start instruction is transmitted from the cloud controller 20 to the network control apparatus 10 after the VM migration is started, for example.

  First, the acquisition unit 131 of the network control apparatus 10 acquires the amount of VM communication from the network apparatus 40 (S1). Next, the determination unit 132 of the network control device 10 determines whether or not the communication amount acquired by the acquisition unit 131 exceeds a predetermined set value (S2). For example, when “4000 http / sec” is set as the setting value, the determination unit 132 determines whether the number of requests such as http for the VM exceeds “4000” per second.

  As a result, when it is determined that the communication amount does not exceed the predetermined set value (No in S2), the process is terminated without performing traffic restriction. When it is determined that the communication amount exceeds the predetermined set value (Yes in S2), the device control unit 133 of the network control device 10 restricts the network device 40 from communicating with the VM. Instruct (S3). For example, the device control unit 133 may instruct the network device 40 to restrict communication packets being communicated out of communication to the VM, or to stop accepting new TCP sessions to the VM. May be.

  Then, the device control unit 133 determines whether the migration of the VM has been completed (S4). As a result, when the device control unit 133 determines that the migration of the VM has been completed (Yes in S4), the traffic restriction on the network device 40 is released (S5).

  When the device control unit 133 determines in S4 that the migration of the VM has not been completed (No in S4), it determines whether or not a predetermined set time (for example, 5 minutes) has elapsed. (S6). As a result, when it is determined that a predetermined set time (for example, 5 minutes) has not elapsed (No in S6), the process returns to S2.

  If it is determined that a predetermined set time (for example, 5 minutes) has elapsed (Yes in S6), the network device 40 is instructed to block all communication with the VM (S7). Then, the device control unit 133 determines whether the migration of the VM has been completed (S8). As a result, when the device control unit 133 determines that the migration of the VM has been completed (Yes in S8), the traffic restriction for the network device 40 is released (S5), and the process is terminated.

  In this way, the network control apparatus 10 acquires the communication amount of the VM that is the target of live migration from the network device 40 on the communication path of the VM, and whether or not the acquired communication amount exceeds a predetermined setting value. Determine whether. As a result, the network control device 10 instructs the network device 40 to restrict communication to the VM when it is determined that the communication amount exceeds a predetermined set value. For this reason, even when the VM is in a high load state during the live migration of the VM, the load is reduced, so that the time required for the migration of the VM can be shortened. Further, since the network control apparatus 10 does not limit traffic before the start of migration and after the completion of migration, it is possible to make maximum use of the performance of the VM.

  For example, the network control apparatus 10 can solve the problem that the migration time becomes long when the VM that does not intervene the load balancer frequently communicates, and the problem that the migration is not completed. Further, for example, when a VM that has been subjected to a DDoS attack is moved to another base and the VM that has not been attacked is protected, it is effective in avoiding a situation in which the traffic cannot be saved due to the amount of traffic.

(System configuration etc.)
Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, the determination unit 132 and the device control unit 133 may be integrated. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  In addition, among the processes described in the present embodiment, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

(program)
In addition, it is possible to create a program in which processing executed by the network control apparatus 10 according to the above-described embodiment is described in a language that can be executed by a computer. In this case, the same effect as the above-described embodiment can be obtained by the computer executing the program. Further, such a program may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by a computer and executed to execute the same processing as in the above embodiment. Hereinafter, an example of a computer that executes a network control program that realizes the same function as that of the network control apparatus 10 will be described.

  FIG. 11 is a diagram illustrating a computer that executes a network control program. As illustrated in FIG. 11, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 11, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each table described in the above embodiment is stored in the hard disk drive 1090 or the memory 1010, for example.

  Further, the network control program is stored in the hard disk drive 1090 as a program module in which commands executed by the computer 1000 are described, for example. Specifically, a program module describing each process executed by the network control apparatus 10 described in the above embodiment is stored in the hard disk drive 1090.

  Further, data used for information processing by the network control program is stored in the hard disk drive 1090 as program data, for example. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.

  The program module 1093 and the program data 1094 related to the network control program are not limited to being stored in the hard disk drive 1090. For example, the program module 1093 and the program data 1094 are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. May be issued. Alternatively, the program module 1093 and the program data 1094 related to the network control program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and are transmitted via the network interface 1070. May be read by the CPU 1020.

2 Data Center 10 Network Controller 11 Input / Output Unit 12 Storage Unit 13 Control Unit 20 Cloud Controller 21 Virtual L2 Network 30 Terminal 40 Network Device 130 Reception Unit 131 Acquisition Unit 132 Determination Unit 133 Device Control Unit

Claims (7)

An acquisition unit that acquires the traffic of a virtual machine that is a target of live migration from a network device on a communication path of the virtual machine;
A determination unit for determining whether or not the traffic acquired by the acquisition unit exceeds a predetermined set value;
If the determination unit determines that the communication amount exceeds a predetermined set value, the network unit is instructed to limit communication to the virtual machine, and the network device is instructed. If a predetermined time has elapsed after instructing to restrict communication to the virtual machine and the live migration has not been completed, all communication to the virtual machine is blocked. And a device control unit for instructing to do so.   When the communication amount is determined by the determination unit to exceed a predetermined set value, the device control unit communicates with the network device during communication with the virtual machine. The network control apparatus according to claim 1, wherein the network control apparatus is configured to instruct to restrict the network.   When the determination unit determines that the communication amount exceeds a predetermined set value, the device control unit cancels reception of a new session for the virtual machine to the network device. The network control device according to claim 1, wherein the network control device instructs the network control device. A reception unit that receives the setting value;
The said determination part determines whether the communication amount acquired by the said acquisition part exceeds the setting value received by the said reception part, It is any one of Claims 1-3 characterized by the above-mentioned. The network control device described. A communication system including a network control device that controls a network device in a communication path of a virtual machine that performs live migration,
An acquisition unit that acquires the traffic of a virtual machine that is a target of live migration from the network device;
A determination unit for determining whether or not the traffic acquired by the acquisition unit exceeds a predetermined set value;
If the determination unit determines that the communication amount exceeds a predetermined set value, the network unit is instructed to limit communication to the virtual machine, and the network device is instructed. If a predetermined time has elapsed after instructing to restrict communication to the virtual machine and the live migration has not been completed, all communication to the virtual machine is blocked. And a device control unit that instructs to do so. An acquisition step of acquiring the communication amount of the virtual machine that is the target of live migration from the network device of the communication path of the virtual machine;
A determination step of determining whether or not the traffic volume acquired by the acquisition step exceeds a predetermined set value;
If it is determined by the determination step that the communication amount exceeds a predetermined set value, the network device is instructed to limit communication to the virtual machine, and the network device is instructed. If a predetermined time has elapsed after instructing to restrict communication to the virtual machine and the live migration has not been completed, all communication to the virtual machine is blocked. And a device control step for instructing to do so. An acquisition step of acquiring the communication amount of the virtual machine that is the target of live migration from the network device of the communication path of the virtual machine;
A determination step of determining whether or not the traffic volume acquired by the acquisition step exceeds a predetermined set value;
If it is determined by the determination step that the communication amount exceeds a predetermined set value, the network device is instructed to limit communication to the virtual machine, and the network device is instructed. If a predetermined time has elapsed after instructing to restrict communication to the virtual machine and the live migration has not been completed, all communication to the virtual machine is blocked. A network control program for causing a computer to execute a device control step for instructing to do so.

Images