RU2788969C2 - Communication system in virtual private cloud, method for configuration of system, and controller - Google Patents

Abstract

FIELD: communication.

SUBSTANCE: invention relates to the field of communication in a virtual private cloud (hereinafter – VPC). The system contains at least one virtual machine (hereinafter – VM) and a system gateway connected with the possibility of communication to each VM; at least one physical machine (hereinafter – PM), and a switch connected with the possibility of communication to each PM. In this case, the system gateway is connected with the possibility of communication to the switch; the system gateway and the switch are made with the possibility of provision of communication between VM and PM related to the same VPC, based on preset information about configuration. Information about configuration contains a separation tag corresponding to VPC, wherein one VPC corresponds to one separation tag, and forwarding records corresponding to resources contained in VPC; the specified resources include: one or several VM and/or one or several PM.

EFFECT: elimination of conflicts between different resources of different VPC.

15 cl, 5 dwg

Description

This application claims priority according to Chinese Patent Application No. 201811463985.6 filed with the National Intellectual Property Office of China on November 30, 2018. and entitled "Virtual Private Cloud Communication System, System Configuration Method and Controller", incorporated herein by reference in its entirety.

Technical field

The present application relates to the field of virtual private cloud technology, in particular to a virtual private cloud communication system, a system configuration method, and a controller.

State of the art

A virtual private cloud (VCHO, English Virtual private cloud (VPC)) is a dynamically configurable collection of public cloud computing resources that transfers data between private enterprises and cloud computing service providers using encryption protocols, tunneling protocols and other security procedures.

The HFO system is implemented using tunnels or similar network protocols and allows the client to have granular control over which of the respective cloud resources can be allocated to the client, thereby providing the ability to provide distributed resources to different clients on request, while providing high flexibility, segregation and security. Most computing resources in a well-known virtual private cloud provided by cloud computing service providers are provided to customers in virtual machines (VM, English virtual machines (VM)). The scheme abstracts and divides the original physical machine (the central computer of virtual machines) into smaller units and places them in virtual private clouds shared by clients using virtualization technologies for the CPU (central processing unit, English Central Processing Unit, (CPU)), storage device, disk and other resources.

In the case of creating multiple VMs on a single physical machine, the above scheme can create the problem that VMs compete for initial resources (eg, CPU scheduling, I/O read/write, and network bandwidth). In the case of creating only one VM on a physical machine, the performance of the VM will be better. At the same time, due to the use of virtualization technology, the original advantage of the physical machine in performance still cannot be achieved, and the performance of resources as a whole cannot be maximized. In addition, with the growth of the artificial intelligence industry, the need for a graphics processing unit (GPU) is very high, and the advantage of GPU resource virtualization is much less tangible.

With this in mind, tasks that require large expenditures on the part of the GPU, such as processing images, sound and video data, can be distributed in a physical machine (FM, English physical machine (PM)), and some programs for processing control data can be distributed in a VM . Such a balanced distribution of resources is achieved through FM and CM.

Nowadays, internal customer connectivity and customer separation from each other in a super-large-scale cloud environment is of particular importance. In known schemes, communication and isolation is carried out by a VLAN (virtual local area network, English Virtual Local Area Network (VLAN)). However, due to the limited number of VLAN IDs, the number of VFOs that can be built should not exceed the upper limit of the number of VLAN IDs. Therefore, in the field of cloud computing services, if there are a large number of customers, i.e. if the number of VFOs to be built is much larger than the upper limit of the number of VLAN IDs, then, for the cloud computing service provider, the known method of separating clients by VLAN IDs is not applicable in the cloud computing application environment.

The essence of the invention

In view of the above, the object of the invention of the present application is to provide a virtual private cloud communication system, a method for configuring it, and a controller configured to establish a gateway-based communication connection without being limited by an upper limit on the number of VLAN IDs. In addition, the number of VMs and FMs allocated to customers can be increased as the number of customers grows, thus creating a large-scale cloud environment and meeting current customer acquisition needs.

According to a first aspect, in one embodiment, the present application provides a virtual private cloud communication system, comprising: at least one virtual machine (VM) and a system gateway communicatively coupled to each of the VMs;

at least one physical machine (PM) and a switch communicatively connected to each of the PMs;

moreover, the system gateway is connected with the possibility of communication with the switch;

the system gateway and the switch are configured to enable communication between the VM and the PM belonging to the same virtual private cloud (VPC) based on predetermined configuration information.

The configuration information optionally contains a shard flag corresponding to the HFO;

the configuration information further comprises forwarding records corresponding to the resources included in the HFO;

resources include: one or more VMs and/or one or more FMs.

The system optionally further comprises a controller.

The controller is communicatively connected to the system gateway and the switch, respectively.

The controller is configured to configure information for the system gateway and the switch, respectively, to generate configuration information and send the configuration information to the system gateway and the switch, respectively.

The controller is optionally also configured to:

generating a shard mark corresponding to each virtual private cloud (VPC) depending on the VPC;

obtaining IP addresses of resources related to the same virtual private cloud (VPC), wherein the resources include one or more VMs and/or one or more PMs;

creating forwarding records based on resource IP addresses;

generating configuration information corresponding to the HFO based on the forwarding records and the pegging mark.

The controller is optionally also configured to:

creating a forwarding entry(s) for one or more VMs based on the IP address of one or more VMs, and/or

creating forwarding record(s) of one or more FMs based on the IP address of one or more FMs.

The controller is optionally also configured to:

managing resources in a virtual private cloud (VCHO) based on configuration information, wherein the resources include said one or more VMs and/or one or more PMs, wherein the management includes: adding resources and/or deleting resources.

The controller is optionally also configured to:

receiving a resource management operation request at the HFO, the management operation request comprising a shard flag corresponding to the HFO to be managed; and

changing the configuration information corresponding to the HFO to be managed in the system gateway and the switch according to the partition mark.

The controller is optionally also configured to:

adding, on request to add a resource, a forwarding entry corresponding to the IP address of the resource; and/or

deleting, upon request of deleting a part of the resources, forwarding records corresponding to the IP addresses of the specified part of the resources; and/or

deleting the configuration information corresponding to the HMO to be managed upon the deletion request of all resources.

The system gateway is optionally configured to:

receiving a first message VM, and the first message contains the label separation;

finding configuration information corresponding to the shard mark in the first message from the shard mark, and forwarding the first message to the corresponding switch based on the found configuration information;

the system gateway is also configured to:

receiving a second message of the switch, and the second message contains the mark of separation;

finding configuration information corresponding to the shard mark in the second message from the shard mark, and forwarding the second message to the target VM based on the found configuration information.

The switch is optionally configured to:

receiving a third PM message, the third message containing a slicing mark;

finding configuration information corresponding to the shard mark in the third message from the shard mark, and forwarding the third message to the corresponding system gateway based on the found configuration information;

the switch is also configured to:

receiving a fourth message of the system gateway, the fourth message containing a slicing mark;

finding configuration information corresponding to the shard mark in the fourth message from the shard mark, and forwarding the fourth message to the target PM based on the found configuration information.

The system gateway is optionally implemented by running the appropriate software on the server.

According to a second aspect, in one embodiment of the invention, the present application also provides a method for configuring a virtual private cloud communication system applied to a controller in the virtual private cloud communication system disclosed in the first aspect and any of its possible implementations, wherein the controller is connected with the ability to communicate with the system gateway and the switch, respectively, and the method includes the steps of:

configuring information for the system gateway and the switch, respectively, to generate configuration information; and

sending the configuration information to the system gateway and the switch, respectively;

wherein the configuration information comprises a shard mark corresponding to the HFO and forwarding records corresponding to the resources included in the HFO, the resources including one or more VMs and/or one or more PMs.

At the stage in which the configuration information is generated, it is optional:

generating a shard label corresponding to each virtual private cloud (VPC) depending on the VPC;

obtaining IP addresses of resources related to the same virtual private cloud (VCHO), the resources including one or more VMs and/or one or more PMs;

create forwarding records based on resource IP addresses; and

generating configuration information related to the HFO based on the forwarding records and the shard mark.

In the step that creates forwarding records based on resource IP addresses, it is optional:

create forwarding record(s) for one or more VMs based on the IP address of one or more VMs, and/or

create forwarding record(s) of one or more FMs based on the IP address of one or more FMs.

The method optionally further includes the steps of:

perform resource management in a virtual private cloud (VCHO) based on the configuration information, the resources include one or more VMs and/or one or more PMs, wherein the management includes: adding resources and/or deleting resources.

The method optionally further includes the steps of:

receiving a request for a resource management operation in the HFO, the management operation request containing a shard flag corresponding to the HFO to be managed; and

changing the configuration information related to the HFO to be managed in the system gateway and the switch according to the sharding mark.

The control operation request includes one or more of the following: a resource addition request, a resource part deletion request, and an all resource deletion request, wherein the method further includes:

adding, upon the resource addition request, a forwarding record corresponding to the resource's IP address; and/or

deleting, upon request for deleting the resource portion, forwarding records corresponding to the IP addresses of said resource portion; and/or

deleting the configuration information corresponding to the HMO to be managed upon the deletion request of all resources.

According to a third aspect, in one of the embodiments of the invention according to the present application, a controller is also provided, containing a memory device and a processor. The storage device contains a computer program that can be executed by the processor, while the processor executes the specified computer program to implement the method disclosed in the first aspect and any of its possible implementations.

According to a fourth aspect, in one embodiment, the present application provides a computer-readable storage medium with a computer program stored therein, when executed by a processor, the processor implements the method disclosed above.

According to a fifth aspect, in one embodiment of the invention of the present application, an application program is also provided that implements, when executed, a method for configuring a communication system in a virtual private cloud, proposed according to the second aspect of the embodiment of the invention of the present application.

Embodiments of the invention according to the present application provide the following beneficial effects:

In the embodiment of the invention according to the present application, the communication system in a virtual private cloud includes at least one virtual machine (VM) and a system gateway connected with the ability to communicate with each of the VMs; and at least one physical machine (PM) and a switch communicatively connected to each of the PMs; moreover, the system gateway is connected with the possibility of communication with the switch; the system gateway and the switch are configured to enable communication between the VM and the PM belonging to the same virtual private cloud (VPC) based on predetermined configuration information. In this scheme, network access from the physical machine area formed by the FM is through a switch, while the virtual machine area formed by the VM is connected to the switch corresponding to the physical machine area through the system gateway, thereby establishing a connection between the FM of the physical machine area and VM area of the virtual machine and communication between VM and FM. Therefore, the communication connection created based on the gateway of the present application will not be limited by the upper limit of the number of VLAN IDs, and the number of VMs and FMs allocated to clients can be increased as the number of clients grows, thereby forming a large-scale cloud environment and meeting current needs, related to attracting new customers.

Further, other features and advantages of the invention according to the present application will be disclosed, while some of them will become obvious from this disclosure or become clear when implementing the present application. The purpose and other advantages of the invention according to the present application are realized and achieved through the specific structures indicated in the description, claims and drawings.

For greater clarity and understanding, the above objects, features and advantages of the invention according to the present application are detailed below in the description of the preferred embodiments and in the accompanying drawings.

Brief description of the drawings

The following briefly describes the drawings of technical solutions of the embodiments of the invention according to the present application and the prior art, necessary to create a clearer idea of these technical solutions. Of course, the drawings below refer only to some embodiments of the invention according to the present application; those skilled in the art will also be able to create other drawings from them without any creative effort.

FIG. 1 is a diagram of the structure of a communication system in a virtual private cloud according to one of the embodiments of the invention of the present application;

FIG. 2 is a diagram of the structure of another communication system in a virtual private cloud according to one of the embodiments of the invention of the present application;

FIG. 3 is a diagram of a communication connection of a virtual private cloud communication system according to one embodiment of the invention of the present application;

FIG. 4 is a block diagram of a method for configuring a system according to one of the embodiments of the invention according to the present application;

FIG.5 is a diagram of the structure of the controller according to one of the embodiments of the invention according to the present application.

Implementation of the invention

To provide greater clarity and understanding of the objectives, technical solutions and advantages of the invention of the present application, it will be disclosed in more detail below on the examples of the attached drawings and embodiments. Of course, only some embodiments of the invention according to the present application are disclosed. All other embodiments of the invention of the present application, which will be created by experts in the art on the basis of the disclosed options without the application of creative efforts, are included in the scope of protection defined by this application.

In the solutions known to date, communication and isolation is carried out via VLAN. However, due to limitations due to the number of VLAN IDs and the hardware structure of the switch, VMs and FMs allocated to customers cannot form a large-scale cloud environment and, as a result, meet the current needs of attracting new customers, i.e. with a constant increase in the number of customers. In view of the foregoing, in one embodiment, the present application provides a virtual private cloud communication system, a method for configuring the system, and a controller that establishes a communication connection between a VM and a PM based on a gateway. Since, in this case, the VLAN is no longer used to isolate the local area network, it is not limited by an upper limit on the number of VLAN identifiers. The number of VMs and FMs allocated to customers can be increased as the number of customers grows, thus creating a large-scale cloud environment and meeting the current needs of attracting new customers.

In order to provide an understanding of the present application, a virtual private cloud communication system according to one of the embodiments of the invention of the present application will first be disclosed in detail.

FIG. 1 depicts a structure diagram of a communication system in a virtual private cloud according to one of the embodiments of the invention of the present application. The communication system in the virtual private cloud in FIG. 1 comprises at least one virtual machine (VM) 10 and a system gateway 12 communicatively coupled to each of the VMs; and at least one physical machine (PM) 13 and a switch 14 communicatively connected to each of the PMs. The system gateway is communicatively connected to the switch. The system gateway and switch serve to enable communication between the VM 10 and FM 13 located in the same virtual private cloud (VPC) based on predefined configuration information. The above FM is a physical machine that is not the central computer of the VM.

The switch 14 is a three-layer switch and is configured to further transmit data based on the tunneling protocol. The VM is created in the physical machine as a central computer for implementing the resource virtualization technology and is configured to, among other things, store control data processing programs. The FM (other than the central computer where the VM is located) is configured to, among other things, store information related to tasks that are expensive on the part of the GPU, such as processing images, sound, video data, and the like. Between the area of the virtual machine formed by the VM and the area of the physical machine formed by the FM, data can be exchanged, and the VM and FM belong to the same client.

In a possible embodiment, the above system gateway is implemented by running the appropriate software on a server (eg, an X86 type server). Since a communication system in a virtual private cloud may have thousands of clients, the system gateway can be implemented based on an X86-type server cluster to form a system gateway cluster.

It should be noted that the number of VMs, the number of PMs, the number of system gateways, and the number of switches are determined depending on the actual situations, and FIG. 1 is no more than an example.

The network is accessed from the physical machine area formed by the FM through a switch, and the virtual machine area formed by the VM is connected to the switch corresponding to the physical machine area through the system gateway, thereby establishing a connection between the FM of the physical machine area and the VM of the virtual machine area. machines and communication between VM and FM. Therefore, the communication connection created based on the gateway of the present application will not be limited by the upper limit of the number of VLAN IDs, and the number of VMs and FMs allocated to clients can be increased as the number of clients grows, thereby forming a large-scale cloud environment and meeting the current needs related to with attracting new customers.

Given the possible overlap of IP addresses configured by different clients for resources (including VM and/or FM) in their HFO, configuration information is stored in the controller. The configuration information contains a slicing flag for slicing the HFO. One HFO corresponds to one isolation mark.

After receiving a request to create a resource from a client, a logical operation is performed and separation marks corresponding to different HFOs of different clients are assigned to enable the distinction between VM and PM in different HFOs with the possibility of isolating different HFOs from each other and eliminating the possibility of their interference with each other . In this regard, the above configuration information contains a separation mark corresponding to the above HFO. In addition, the configuration information also contains a forwarding entry for the resource included in the corresponding HFO. Thus, the system gateway and the switch can communicate between the VM and the PM in the same HFO based on the forwarding entry and the shard mark.

For example, the IP addresses of VM-A and FM-A of client A are 10.0.1.2/24 and 10.0.1.3/24 respectively, and the label is 100. The IP addresses of VM-B and FM-B of client B are also 10.0.1.2/ 24 and 10.0.1.3/24, respectively, and the label is 200. Let's assume that the VMs of these two clients are in the same central computer in the virtual machine area, and the FMs of these two clients are respectively connected to the same topic. same switch. The communication path between VM-A and FM-A and the communication path between VM-B and FM-B passes through the same central computer, through the system gateway, to the same switch. In both communication paths, in the process of communication, the system gateway and the switch are collectively used. If the isolation technology is not applied, a conflict may occur on the communication paths during communication between the VM and FM of client A and between the VM and FM of client B, leading to a violation of the communication process.

Since clients can set IP addresses for their own machines, client A and client B can set the same IP addresses for their VM and FM. To avoid confusing client A's machine with client B's, the service provider must distinguish between the machines of the two clients.

These tasks are solved by the fact that the controller can assign the isolation label of the RFO of each client, and then the controller simultaneously issues the isolation label and forwarding records for the FM and VM to each system gateway and switch. When the VMs of client A and client B subsequently communicate with their FMs at the same time, the controller can partition the communication paths by including partition marks in forwarding records.

The virtual private cloud communication system of FIG. 1 is improved according to the above embodiments. As shown in FIG. 2, the present application also proposes another virtual private cloud communication system comprising a controller 20. The controller is communicatively connected to the system gateway and the switch, respectively, configures information for the system gateway and the switch to generate configuration information, and sends configuration information to the system gateway and switch respectively, thereby facilitating subsequent data transmission.

In an exemplary embodiment, the controller is connected to the central computer in which the VM is located and to the external management system corresponding to the FM, and performs resource configuration and information configuration through the central computer and the external management system according to the requirements of the client, and obtains configuration information. The external management system is a management system for initializing the FM (for example, reinstalling the operating system). Specifically, the process goes like this:

(a1) Receiving a resource creation request from a client.

For example, the client can directly call the corresponding API (Application Programming Interface) through the client terminal (which can be a mobile terminal or computer) or call the corresponding API by logging into the web console (from the English WEB (World Wide Web - "World Wide Web") and enter information about the actual needs, such as the required type of CPU scheduling, storage capacity, network card, etc., to generate a resource creation request and send it to the controller.

(a2) Allocating resources to the client according to a resource creation request, the resources forming the client's HSP.

The HFO resources include the VM and/or the FM, that is, the VM and/or the FM form the client's HFO.

Upon receiving the resource creation request, the controller performs a logic operation to determine the required resources and allocates the available resources in the resource pool (hosts and PMs) through the host control unit and the external control system. If the controller determines the availability of resources corresponding to the needs, then the controller performs a configuration operation to allocate the appropriate number of VMs and/or FMs. VM and/or FM form an HMO related to the client. If there are no resources that meet the needs, the controller sends information to the user in response to the request, for example, "insufficient resources".

For example, upon receiving a resource creation request from a client, the controller may select, depending on the CPU scheduling type, storage capacity, and NIC transmission rate included in the resource creation request, an FM corresponding to the request from the resource pool as the target host computer. This is the logical computational process discussed above. Next, the controller can create a VM on the target central computer. In an embodiment of the present invention, the resource pool includes a plurality of PM types. Some FMs can serve as central computers, and some FMs can serve to process images, sound and video data. These PSAs may include GPUs, so if a client has a need to use a GPU, such as a need to perform image, audio, and video processing, these GPUs can be directly allocated to the client as PSAs. That is, FM containing only HP can be accepted as one of the types of FM. The control unit in the central computer means the unit for managing the configuration parameters of the VM in the FM as the central computer. An external management system is a management system for initializing the FM (for example, reinstalling the operating system). The external control system may operate independently of the network in FIG. 2 and may interact with the controller. It should be understood that since the control unit controls the VM in the central computer and the external control system manages the FM, the controller can select the FM corresponding to the need of the client from the resource pool as the central computer by interacting with the control unit and the external control system.

(a3) Generating a sharding label corresponding to each VSP, depending on the VSP.

The isolation mark may consist of numbers, letters and/or special characters, and the like.

(a4) Obtaining the IP addresses of resources belonging to the same VPN VPN.

Resources include VM and/or FM. IP addresses include VM IP addresses and FM IP addresses. That is, the received IP addresses are the IP addresses of the VM and/or FM related to the same HFO.

In particular, in the process of configuring the client terminal, the network segment where the FM and VM are located can be configured according to the needs of the user. For example, configure the IP address on the VM and the FM in the HFO by calling the corresponding API and send the corresponding information about the IP address to the controller.

If the VM is connected with the ability to communicate with the system gateway, the VM can automatically obtain its corresponding IP address. If the FM communicates with the system gateway through the switch, the FM can also automatically obtain its corresponding IP address. In particular, the configuration of the IP address discussed above can be implemented by a DHCP (Dynamic Host Configuration Protocol) server in the system gateway. When the VM and FM are powered on, the VM and FM, as clients of the DHCP server, communicate with the DHCP server to obtain their corresponding IP addresses.

(a5) Create forwarding records based on resource IP addresses.

The process of creating forwarding entries includes: creating a VM forwarding entry based on the VM IP address and/or creating an FM forwarding entry based on the FM IP address.

Thus, the above process allows the corresponding transfer records to be created, after which data can be directly transferred according to the transfer records.

The FM forwarding entry includes the source IP address of the sending physical machine and the destination IP address of the destination physical machine, while the VM forwarding entry includes the source IP address of the sending virtual machine and the destination IP address of the destination virtual machine.

(a6) Generating configuration information corresponding to the HFO based on the forwarding records and the pegging mark.

Upon receipt of the customer's RFO partition mark and the VM forwarding entry and/or PM forwarding entry in the RFO, configuration information is generated (configuration information contains information of the VM forwarding entry and/or PM forwarding record and the partition mark). After generating the configuration information, the controller sends the configuration information to the system gateway and the switch for use in data transmission (ie, forwarding of the transmitted data unit).

In order to meet the diverse needs of customers, simplify the control and management of the HPC, and improve their skills, in an exemplary embodiment, the controller is also configured to manage resources in the VPN virtual private cloud based on configuration information. Said resource management includes adding resources and/or removing resources. Thus, clients can add VMs or PMs to or remove VMs and PMs from the HFO via the controller.

In particular, in this implementation process, the controller is also configured to: (1) receive a resource management operation request in the HFO; moreover, the control operation request contains the label of the separation corresponding to the subject of the management of the FSO; (2) changes, according to the partition mark, configuration information corresponding to the RFO to be managed in the system gateway and the switch.

Resources in an HFO can be managed by changing the configuration information. For example, in order to extend the RFO resources, the configuration information corresponding to the extended resources can be added to the system gateway and the switch for communication between the extended VMs and PMs.

In an exemplary embodiment, the control operation request may include, among other things, a request to add a resource, a request to remove a portion of resources, and a request to remove all resources. The controller is also configured to add a forwarding entry corresponding to the IP address of the resource upon request to add the resource; and/or deleting forwarding records corresponding to the IP addresses of the resource portion upon requesting the deletion of the resource portion; and/or deleting the configuration information corresponding to the HMO to be managed upon the deletion of all resources request.

For example, the process for a controller to process a request to add a resource includes:

(b1) Receiving an add resource request sent by a client with respect to resources in the HFO.

The add resource request contains a checkout flag corresponding to the TSO to be added.

For example, the client may, through the client terminal (which may be a mobile terminal or computer), call the appropriate API directly, or call the appropriate API by logging into the web console to select a VM or FM and add it to the HFO.

(b2) Adding a forwarding entry corresponding to the IP address of the resource upon the add resource request.

After adding resources (VM and/or FM) to the HFO to be added, transfer records are created for the corresponding VM and/or FM, and forwarding records are added to the configuration information of the HFO to be added.

(b3) Send updated configuration information to the system gateway and switch.

In particular, the configuration information may be generated as disclosed in steps (a1) to (a6) above.

The process of processing by the controller of a request to delete a part of the resources includes the steps in which:

in steps (b1) and (b3) disclosed above: deleting the forwarding records corresponding to the resources to be added to the HFO from the existing configuration information, and then sending the updated configuration information to the system gateway and the switch.

In the case of a request to remove all resources, the controller can directly control the system gateway and the switch to remove the configuration information of the RFO to be controlled, in this case, by the sharding flag in the request to remove all resources.

In an exemplary embodiment, upon receiving the deletion request for all resources or the deletion request for part of the resources, the controller changes the state of the VM and FM from configured to non-configured by the central computer corresponding to the VM and the external control system corresponding to the FM to enable the following steps to be performed.

Thus, the separation mark allows the RFO of different clients to be separated so that they do not interfere with each other, thereby creating a security functionality in accordance with the security technique for each RFO; however, during the delete and add operations, it is possible to update only the configuration information of the HFO related to the client without affecting the configuration information of other clients, which increases the flexibility of adding and deleting VMs and PMs to the HFO by clients.

In particular cases of implementation, the function of the system gateway when transferring data between the VM and FM is essentially as follows.

When transmitting in the direction from VM to FM, the system gateway is configured to: receive the first VM message containing the separation mark; finding configuration information corresponding to the shard mark from the shard mark in the first message; and forwarding the first message to the appropriate switch based on the found configuration information.

When transmitting in the direction from PM to VM, the system gateway is also configured to: receive a second message of the switch containing the isolation mark; finding configuration information corresponding to the shard mark from the shard mark in the second message; and forwarding a second message to the target VM based on the found configuration information.

The function of the switch is as follows.

When transmitting in the direction from PM to VM, the switch is configured to: receive a third PM message containing a separation mark; finding configuration information corresponding to the shard mark from the shard mark in the third message; and forwarding the third message to the corresponding system gateway based on the found configuration information.

When transmitting in the direction from VM to FM, the switch is also configured to: receive the fourth message of the system gateway containing the separation mark; finding configuration information corresponding to the shard mark from the shard mark in the fourth message; and forwarding the fourth message to the target PM based on the found configuration information.

In order to facilitate the acquisition of relevant data from the public network, in another embodiment, the communication system in the virtual private cloud may also be connected to a public network, such as the Internet. In the exemplary embodiment of FIG. 3, the VMs in the virtual private cloud system are connected to the public network through a network gateway 30. The PMs in the virtual private cloud system are connected to the public network through an appropriate switch, the system gateway, and in turn, the network gateway 30 .

The above description of the system is mainly about two parts: the implementation of the system gateway, its configuration and management, and the management of the configuration of the FM switch. At the same time, in the virtual private cloud communication system of the present application, communication between physical machines and communication between FM and other network elements (including VM and the Internet) also plays an important role in the network forwarding process. With the growth of the scale of the cloud environment, the load between communication devices will increase linearly. The switch is a device that operates at a speed corresponding to the data transmission medium, while its load is mainly taken into account when configuring and managing in a large-scale cloud environment. The system gateway is a gateway implemented by running software on an X86 type server, and its performance is lower than that of a switch. The load of the system gateway is taken into account mainly when forwarding over the network.

In terms of switch management and configuration, if physical machines form a physical machine area in a super-large cloud environment, the number of forwarding entries in the switch multiplies. In addition, it is known from the experience of preventing flooding between devices that there will be a flood of broadcast packets in the area of the physical machine with a corresponding traffic flow. In this case, if the switch is configured to forward only two layers, i.e. Since it is a two-level forwarding device, then in order to enable communication at three levels between FMs, the functions of the gateways required for all FMs will be performed by the system gateway, i.e. communication must take place through the system gateway, which creates a high load on the system gateway. With this in mind, the switches in the communication system in a virtual private cloud are three-layer switches with the ability to work using the tunneling protocol and three-level forwarding, while the forwarding records are synchronized between the switches using EVPN technology (Ethernet Virtual Private Network - Ethernet virtual private network) to transfer the functions of the gateways required by the FM from the system gateway to the specified switches. Further, communication between FM can occur directly through the switch.

As for the performance of the system gateway in terms of forwarding, it is entirely dependent on the implementation of the software architecture. Due to the large and cumbersome network protocol stack of the Linux family of operating systems, forwarding in the Linux kernel is not satisfactory in terms of network forwarding processing. The Data Plane Development Kit (DPDK) technology allows the implementation of network forwarding logic in client space in a Linux system and allows the system gateway forwarder to directly use the NIC by bypassing the Linux network protocol stack to obtain and mandrels of transmitted data units, which can significantly improve data processing performance and throughput. Therefore, further - in the process of sending messages - you can use the DPDK technology.

The virtual private cloud system of the present application creates a communication connection between a physical machine area, a virtual machine area, and a public network (for example, the Internet) with the possibility of forming resources in the virtual machine area and the physical machine area of a large-scale VFO, not limited by the upper limit of the number of VLAN identifiers. At the same time, it can create an RFP protection functionality in accordance with the security methodology, which allows the client to flexibly allocate virtual machine and physical machine resources depending on its business needs.

Based on the system embodiments disclosed above, the present application also proposes an embodiment of a method for configuring a communication system in a virtual private cloud. The method is applied to the controller in the system embodiments disclosed above. The method for configuring a communication system in a virtual private cloud in FIG. 4 includes the steps of:

S401: configuring information for a system gateway and a switch, respectively, to generate configuration information; and

S402: send configuration information to the system gateway and switch, respectively,

moreover, the configuration information contains the label of the separation corresponding to the FSO, and forwarding records corresponding to the resources included in the FSO; resources include: VM and/or FM.

In step 402, in which the configuration information is generated: a sharding label corresponding to each virtual private cloud (VPC) is generated depending on the VPC; obtain IP addresses of resources related to the same virtual private cloud (VPC); create forwarding records based on resource IP addresses; and generating configuration information corresponding to the HFR according to the forwarding records and the shard mark.

At the stage at which forwarding records are created based on resource IP addresses: a VM forwarding record is created based on the VM IP address and/or a FM forwarding record is created based on the FM IP address.

In addition, the method disclosed above further includes the step of: performing resource management in a virtual private cloud (VPC) based on the configuration information; resource management includes: adding resources and/or removing resources.

In addition, the method disclosed above further includes the step of: receiving a request for a resource management operation in the HPF, wherein the control operation request contains a shard flag corresponding to the RFO to be managed; and changing, according to the partition mark, the configuration information corresponding to the HFO to be managed in the system gateway and the switch.

In addition, the control operation request includes one or more of the following: a resource addition request, a resource part deletion request, and an all resource deletion request. The method disclosed above further includes the steps of: adding a forwarding entry corresponding to the IP address of the resource upon the request to add the resource; and/or delete, upon request to remove the resource portion, forwarding records corresponding to the IP addresses of the resource portion; and/or deleting the configuration information corresponding to the HMO to be managed upon the deletion request of all resources.

In addition, as described for managing and configuring the switch in the above-described embodiment, the switch of the communication system in the virtual private cloud is a three-layer switch and is configured to operate on a tunneling protocol. The method further includes the step of: synchronizing forwarding records between switches for FM using EVPN technology to transfer the functions of the gateway required by FM from the system gateway to the switch. Thereafter, communication for forwarding between FMs can be performed directly through the switch, thereby effectively reducing the forwarding burden on the system gateway.

In one of the embodiments of the invention according to the present application FIG.5 also proposed a controller 100, containing: a processor 40, a storage device 41, a bus 42 and a communication interface 43. The processor 40, the communication interface 43, and the storage device 41 are connected via a bus 42. The processor 40 is configured to execute executable modules contained in the storage device 41, such as a computer program.

The storage device 41 may include random access memory (RAM) or also include non-volatile memory (ENZU, non-volatile memory (NVM)), for example, at least one disk storage device. The communication connection between the network elements of the system and at least one of the other network elements is implemented through at least one communication interface 43 (may be wired or wireless), for example, in the Internet, wide area network, local area network, citywide area network, etc. .P.

The bus 42 may be an Industrial Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industrial Standard Architecture bus. EISA)) or something similar. The bus may include an address bus, a data bus, a control bus, or the like. In FIG. 5, the tire is indicated by a single double-sided arrow, which does not mean that there is only one tire or one type of tire.

The storage device 41 serves to store the program. The processor 40 executes the program upon receiving the execution instruction. The method executed by the device disclosed in the sequence disclosed in any of the embodiments disclosed above of the present application may be applied to the processor 40 or be implemented by the processor 40.

The processor 40 may be an integrated circuit chip with a signal processing function. During implementation, each step of the method disclosed above may be executed by a logic integrated circuit implemented in hardware or software as instructions in the processor 40. The processor 40 may be a general purpose processor, including a central processing unit (scheduling CPU), a network processor (SP, English network processor (NP)) or something similar. It can also be a digital signal processor (DSP, English digital signal processor (DSP)), a specialized integrated circuit (SIS, English application specific integrated circuit (ASIC)), a user-programmable gate array (FPVM, English field- programmable gate array (FPGA)) or other programmable logic devices, logic elements on discrete components or transistorized logic devices, discrete hardware components. The methods, steps or logical blocks disclosed in the embodiments of the invention according to the present application can be implemented or executed. A general purpose processor may be a microprocessor, any known processor, or the like. The steps of the method disclosed in embodiments of the invention according to the present application may be executed directly by a hardware encoding processor or by hardware and software modules in any combination in an encoding processor. The program module may be located on a known storage medium, such as random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, a register, or the like. The storage medium is located in the storage device 41, while the processor 40 reads the information in the storage device 41 and performs the steps of the method disclosed above in cooperation with its hardware.

The method for configuring a virtual private cloud communication system and the controller of the embodiments of the present application have the same technical features as the virtual private cloud communication system proposed in the embodiments disclosed above, whereby they solve the same technical problems and provide the same same technical effects.

In one embodiment, the present application also provides a computer-readable storage medium with a computer program stored therein, executable to implement the method for configuring a virtual private cloud communication system disclosed in the method embodiments above.

The computer software product for performing the method proposed in one of the embodiments of the invention according to the present application includes a non-volatile computer-readable storage medium that stores program codes executable by the processor. The method for configuring a communication system in a virtual private cloud disclosed in the method embodiments may be implemented by executing instructions included in these program codes. A specific implementation option is disclosed in the method embodiments and will not be disclosed again.

Those skilled in the art will appreciate that for convenience and brevity of the disclosure, the specific operation of the method and controller can be learned from the description of the corresponding process in the system embodiments disclosed above, and therefore will not be re-disclosed.

The sequence diagram and block diagram in the accompanying drawings depict a possible implementation of the method and system architecture, functions and operations of a computer software product according to several embodiments of the invention of the present application. Each block in the sequence diagram and block diagram represents one module, piece of code, or program segment containing one or more executable instructions to implement the specified logical functions. It should also be noted that in some alternative implementations, the functions presented in the blocks may be implemented in a different order from that shown in the drawings. For example, the implementation of two successive blocks in practice may occur essentially in parallel, and in some cases in reverse order, depending on the functions in question. It should also be noted that each block in the sequence diagram and block diagram, as well as the combination of blocks in the sequence diagram and block diagram, may be implemented in a dedicated hardware system that performs the specified functions or actions, or be implemented by a combination of specifically dedicated hardware and computer instructions.

It should be noted that in the description of the present application, the relative orientation or location, expressed in terms of "central", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer ", etc., are indicated on the basis of relative orientation or location in the drawings solely for the convenience of disclosure in this application and simplifying the description, but do not indicate or imply that devices or elements must necessarily be oriented in a certain way, or be structurally performed and operate while being oriented in a certain way, that is, should not be construed as limiting the present application. In addition, the terms "first", "second", and "third" are purely descriptive and do not indicate or imply relative importance. Unless otherwise indicated, the relative steps, numerical expressions, and values of the steps and components in the embodiments do not limit the scope of the present application.

It should be understood that the system and method disclosed in the embodiments of the invention of the present application may be implemented in other ways. The device embodiments disclosed above are illustrative only. For example, nodes are delimited in logical functions. In practice, nodes can be delimited in other ways. For example, many nodes or components can be combined or included in another system, while some features can be ignored or not performed. In addition, the connection, direct connection, or communication connection depicted or disclosed above may be an indirect connection or communication connection between communication interfaces, devices, or nodes, and may also be electrical connections, mechanical connections, or other forms of connections.

Assemblies illustrated as separate components may or may not be physically separate. Components depicted as nodes may or may not be physical nodes, and may be located in a single node or distributed across multiple nodes. Some or all of the nodes may be selected from the nodes disclosed above, depending on the actual needs to achieve the goal of deciding on the options for implementation.

In addition, all functional units in the embodiments of the invention according to the present application may be included in one processing unit, or each of them may be a separate unit, or two or more units may be included in one unit.

If the function is implemented as a software functional unit and is sold or used as a stand-alone product, the integrated unit may be stored on a non-volatile computer-readable medium executable by a processor. With this in mind, the technical solution of the present disclosure, either a part that contributes to the prior art, or a part of the technical solution, can be implemented essentially as a software product. This computer software product is stored on a single storage medium and contains several instructions that cause a computing device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the method according to an embodiment of the present disclosure. The storage medium includes a medium configured to store program code, for example, a flash drive with a Universal Serial Bus (USB) interface, a mobile hard disk drive, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk.

In conclusion, it should be noted that the embodiments disclosed above are nothing more than preferred embodiments of the present application, intended to illustrate the technical solution of the present application, but not to limit it. The scope of protection of the present application is not limited to them. Although the application is disclosed on the examples of these embodiments, it should be understood that a person skilled in the art will be able to modify the technical solutions disclosed therein without departing from the technical scope disclosed in this application, or to suggest changes or equivalent replacements of some technical features. These modifications, changes or substitutions do not lead to a deviation of the respective technical solutions from the essence and scope of the technical solutions of the embodiments of the invention of the present application and should be protected within the scope of this application. Thus, the scope of protection of the present application is to be realized based on the scope of protection defined by the claims.

The embodiments disclosed above are nothing more than preferred embodiments of the invention of the present application and are not intended to limit the scope of protection therein. Any modifications, alternative solutions, improvements, etc. without departing from the spirit and principle of the invention of the present application should be included in the scope of protection for it.

Claims (62)

1. A communication system in a virtual private cloud, comprising: at least one virtual machine (VM) and a system gateway connected to communicate with each of the VMs; at least one physical machine (PM) and a switch communicatively connected to each of the PMs; moreover, the system gateway is connected with the possibility of communication with the switch; the system gateway and the switch are configured to enable communication between the VM and the PM belonging to the same virtual private cloud (VPC) based on predetermined configuration information; the configuration information contains a shard mark corresponding to the SPB, with one SPB corresponding to one shard mark, and forwarding records corresponding to the resources contained in the SPB; said resources include: one or more VMs and/or one or more FMs; wherein the system gateway is configured to: receiving a first message from the VM, the first message containing a shard mark; finding, at the specified partition mark, configuration information corresponding to the partition mark in the first message, and forwarding the first message to the corresponding switch based on the found configuration information; wherein the system gateway is also configured to: receiving a second message from the switch, the second message containing a slicing mark; finding, at the specified shard mark, configuration information corresponding to the shard mark in the second message, and forwarding the second message to the target VM based on the found configuration information, and the switch is configured to: receiving a third message from the PM, and the third message contains the mark separation; finding, at the specified partition mark, configuration information corresponding to the partition mark in the third message, and forwarding the third message to the corresponding system gateway based on the found configuration information; wherein the switch is also configured to: receiving a fourth message from the system gateway, the fourth message containing a shard mark; finding, at said shard mark, configuration information corresponding to the shard mark in the fourth message, and forwarding the fourth message to the target PM based on the found configuration information. 2. The system according to claim 1, further comprising a controller; wherein the controller is communicatively connected to the system gateway and the switch, respectively; the controller is configured to configure information for the system gateway and the switch, respectively, to generate configuration information and send said configuration information to the system gateway and the switch, respectively. 3. The system according to claim 2, characterized in that the controller is also configured to: generating a shard mark corresponding to each virtual private cloud (VPC) depending on the VPC; obtaining IP addresses of resources related to the same virtual private cloud (VCHO), said resources including one or more VMs and/or one or more PMs; creating forwarding records based on resource IP addresses; generating configuration information corresponding to the HFO based on the forwarding records and the pegging mark. 4. The system according to claim 3, characterized in that the controller is also configured to: create a forwarding entry or forwarding entries for one or more VMs based on the IP address of one or more VMs and/or creating a forwarding entry or forwarding entries of one or more FMs based on the IP address of one or more FMs. 5. The system according to claim 2, characterized in that the controller is also configured to: managing resources in a virtual private cloud (VPC) based on configuration information, wherein said resources include said one or more VMs and/or one or more PMs, wherein the control includes: adding resources and/or deleting resources. 6. The system according to claim 5, characterized in that the controller is also configured to: receiving a control operation request for resources in the HPF, the control operation request comprising a shard flag corresponding to the HPF to be controlled; and changing the configuration information corresponding to the HFO to be managed in the system gateway and the switch according to the partition mark. 7. The system according to claim 6, characterized in that the controller is also configured to: adding, upon request to add a resource, a forwarding entry corresponding to the IP address of the specified resource; and/or deleting, upon request of deleting a part of the resources, forwarding records corresponding to the IP addresses of the specified part of the resources; and/or deleting the configuration information corresponding to the HMO to be managed upon the deletion request of all resources. 8. The system according to any one of paragraphs. 1-7, characterized in that the system gateway is implemented by operating the corresponding software on the server. 9. The method of configuring a communication system in a virtual private cloud, applied to the controller in the system according to any one of paragraphs. 1-8, wherein the controller is communicatively connected to a system gateway and a switch, respectively; wherein the method includes the steps of: configuring information for the system gateway and the switch, respectively, to generate configuration information; and sending the configuration information to the system gateway and the switch, respectively; moreover, the specified configuration information contains a label corresponding to the FSO, and forwarding records corresponding to the resources contained in the FSO, and these resources include one or more VM and/or one or more PM; while generating configuration information includes the following steps: generating a shard mark corresponding to each virtual private cloud (VPC) depending on the VPC, with one VPC corresponding to one shard label; obtaining IP addresses of resources related to the same virtual private cloud (VCHO), said resources including one or more VMs and/or one or more PMs; create forwarding records based on the IP addresses of the specified resources; and generating configuration information corresponding to the HFO based on the forwarding records and the shard mark. 10. The method according to claim 9, characterized in that at the stage at which forwarding records are created based on the IP addresses of the resources: create a forwarding entry or forwarding entries of one or more VMs based on the IP address of one or more VMs and/or create a forwarding entry or forwarding entries of one or more FMs based on the IP address of one or more FMs. 11. The method of claim 9, further comprising: managing resources in a virtual private cloud (VPC) based on configuration information, wherein the resources include one or more VMs and/or one or more FMs, wherein the control includes: adding resources and/or deleting resources. 12. The method of claim 11, further comprising: receiving a control operation request for resources in the HFO, wherein the control operation request contains a shard flag corresponding to the HFO to be controlled; and changing the configuration information corresponding to the HFO to be managed in the system gateway and the switch according to the partition mark. 13. The method of claim. 12, wherein the control operation request includes one or more of the following: a resource addition request, a resource part deletion request, and an all resource deletion request, the method further comprising: add, upon request to add a resource, a forwarding record corresponding to the IP address of the specified resource; and/or deleting, upon request for deleting the resource portion, forwarding records corresponding to the IP addresses of said resource portion; and/or deleting the configuration information corresponding to the HMO to be managed upon the deletion request of all resources. 14. A controller containing a memory device and a processor, and the memory device contains a computer program that can be executed by the processor, while the possibility is provided for the processor to execute a computer program for implementing the method according to any one of paragraphs. 9-13. 15. A computer-readable storage medium with a computer program stored therein, during the execution of which by the processor, the processor implements the method according to any one of paragraphs. 9-13.

Images