WO2021219104A1 - Hybrid cloud system, gatekeeper, network access method and storage medium - Google Patents


Info

Publication number
WO2021219104A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
domain name
request message
access request
gatekeeper
Prior art date
Application number
PCT/CN2021/091185
Other languages
French (fr)
Chinese (zh)
Inventor
谢东
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Definitions

  • This application relates to the technical field of cloud services, and in particular to a hybrid cloud system, a gatekeeper, a network access method, and a storage medium.
  • in the related art, a gatekeeper is usually deployed between the internal network and an external network (such as a public cloud).
  • when a client in the internal network accesses the external network through the gatekeeper, the client's access request message is relayed by the gatekeeper to the external network, which realizes the access to the external network.
  • IP: Internet Protocol
  • the IP address to be accessed must be configured in the gatekeeper in advance as an allowed address, so that packets carrying that IP address can pass through the gatekeeper and the IP address can be accessed with those packets.
  • the IP address corresponding to a device's domain name may change. If the changed IP address is not configured in the gatekeeper as an allowed address, the gatekeeper will not let packets carrying the changed IP address pass through, and the device cannot be accessed with those packets.
  • This application provides a hybrid cloud system, a gatekeeper, a network access method, and a storage medium, which can solve the problem of high cost of current gatekeepers with dynamic DNS functions.
  • a hybrid cloud system in a first aspect includes a first cloud system, a second cloud system, and a gatekeeper.
  • the first cloud system includes a client
  • the second cloud system includes a forwarding node and a service node.
  • the internal network port of the gatekeeper is connected to the first cloud system, and the external network port of the gatekeeper is connected to the second cloud system;
  • the client is used to send an access request message to the internal network port, the source Internet Protocol (IP) address of the access request message being the IP address of the client and the destination IP address being the IP address of the internal network port;
  • the gatekeeper is used to change the source IP address of the access request message to the IP address of the external network port and the destination IP address of the access request message to the IP address of the forwarding node, and to send the address-changed access request message to the forwarding node;
  • the forwarding node is used to send the address-changed access request message to the service node.
  • the gatekeeper can send the access request message to the forwarding node, and then send the access request message to the service node through the forwarding node, so that the client can access the service node.
  • the scale and number of forwarding nodes can be deployed on demand according to application requirements to meet different application scenarios.
  • the second cloud system further includes a first domain name server
  • the access request message also carries the domain name of the service node
  • the first domain name server records the correspondence between the domain name of the service node and the IP address of the forwarding node.
  • the gatekeeper is also used to send a first domain name resolution request carrying the domain name of the business node to the first domain name server; the first domain name server is used to perform domain name resolution based on the domain name of the business node to obtain the IP address of the forwarding node, and to send the gatekeeper a first domain name resolution response carrying the IP address of the forwarding node.
  • the gatekeeper may obtain the IP address of the forwarding node through the first domain name server. At this time, since the gatekeeper does not need to record the correspondence between the target information and the IP address of the forwarding node, the memory resources occupied by the gatekeeper for storing the correspondence can be reduced, and the cost of the gatekeeper can be further reduced.
  • the first cloud system further includes a second domain name server
  • the second domain name server records the correspondence between the domain name of the business node and the IP address of the internal network port
  • the client is also used to send the second domain name server a second domain name resolution request for the domain name of the business node
  • the second domain name server is used to perform domain name resolution based on the domain name of the business node to obtain the IP address of the internal network port, and to send the client a second domain name resolution response carrying the IP address of the internal network port.
  • the client can obtain the IP address required for realizing access to the domain name through domain name resolution.
  • the forwarding node is specifically used to send the address-changed access request message to the service node based on one or more of the domain name of the service node and the port number of the service node carried in the address-changed access request message.
  • the gatekeeper is also used to record the context information of the access request message.
  • the context information includes: the source IP address, source port number, destination IP address, and destination port number of the access request message.
  • the forwarding node is also used to receive the access response message sent by the service node based on the access request message, and to send the access response message to the external network port; the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port.
  • the gatekeeper is also used to obtain the context information of the access response message.
  • when the context information of the access response message matches the context information of the access request message, the gatekeeper changes the source IP address of the access response message to the IP address of the internal network port, changes the destination IP address of the access response message to the client's IP address recorded in the context information of the access request message, and sends the address-changed access response message to the client.
  • a network access method is provided, which is applied to a hybrid cloud system.
  • the hybrid cloud system includes a first cloud system, a second cloud system, and a gatekeeper.
  • the first cloud system includes a client
  • the second cloud system includes a forwarding node and a service node; the internal network port of the gatekeeper is connected to the first cloud system, and the external network port of the gatekeeper is connected to the second cloud system.
  • the method includes: the client sends an access request message to the internal network port.
  • the source Internet Protocol (IP) address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port; the gatekeeper changes the source IP address of the access request message to the IP address of the external network port, changes the destination IP address of the access request message to the IP address of the forwarding node, and sends the address-changed access request message to the forwarding node; the forwarding node sends the address-changed access request message to the service node.
  • the second cloud system further includes a first domain name server
  • the access request message also carries the domain name of the business node
  • the first domain name server records the correspondence between the domain name of the business node and the IP address of the forwarding node.
  • the method further includes: the gatekeeper sends a first domain name resolution request carrying the domain name of the service node to the first domain name server; the first domain name server performs domain name resolution based on the domain name of the service node, obtains the IP address of the forwarding node, and sends the gatekeeper a first domain name resolution response carrying the IP address of the forwarding node.
  • the first cloud system further includes a second domain name server.
  • the second domain name server records the correspondence between the domain name of the business node and the IP address of the internal network port.
  • the method further includes: the client sends the second domain name server a second domain name resolution request for the domain name of the business node; the second domain name server performs domain name resolution based on the domain name of the business node, obtains the IP address of the internal network port, and sends the client a second domain name resolution response carrying the IP address of the internal network port.
  • the forwarding node sending the address-changed access request message to the service node includes: the forwarding node sends the address-changed access request message to the service node based on one or more of the domain name of the service node and the port number of the service node carried in the address-changed access request message.
  • the method further includes: the gatekeeper records the context information of the access request message, and the context information includes: the source IP address, source port number, destination IP address, and destination port number of the access request message.
  • the method further includes: the forwarding node receives the access response message sent by the service node based on the access request message, and sends the access response message to the external network port; the source IP address of the access response message is the IP address of the service node
  • the destination IP address is the IP address of the external network port
  • the gatekeeper obtains the context information of the access response message, and when the context information of the access response message matches the context information of the access request message, changes the source IP address of the access response message to the IP address of the internal network port, changes the destination IP address of the access response message to the client's IP address recorded in the context information of the access request message, and sends the address-changed access response message to the client.
  • a gatekeeper is provided.
  • the internal network port of the gatekeeper is connected to the first cloud system, and the external network port of the gatekeeper is connected to the second cloud system.
  • the gatekeeper includes: a first transceiver module for receiving the access request message sent by the client in the first cloud system
  • the source IP address of the access request message is the IP address of the client
  • the destination IP address is the IP address of the internal network port
  • a second transceiver module is used to change the source IP address of the access request message to the IP address of the external network port, change the destination IP address of the access request message to the IP address of the forwarding node, and send the address-changed access request message to the forwarding node in the second cloud system, so that the forwarding node sends the address-changed access request message to the service node.
  • the access request message also carries the domain name of the business node
  • the second transceiver module is also used to send a first domain name resolution request carrying the domain name of the business node to the first domain name server in the second cloud system, and to receive the first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server; the first domain name server records the correspondence between the domain name of the service node and the IP address of the forwarding node.
  • the first transceiver module is also used to record context information of the access request message.
  • the context information includes: the source IP address, source port number, destination IP address, and destination port number of the access request message.
  • the second transceiver module is further configured to receive an access response message sent by the forwarding node.
  • the access response message is sent by the service node to the forwarding node based on the access request message; the source IP address of the access response message is the IP address of the service node
  • the destination IP address is the IP address of the gatekeeper's external network port;
  • the first transceiver module is also used to obtain the context information of the access response message and, when the context information of the access response message matches the context information of the access request message, to change the source IP address of the access response message to the IP address of the internal network port, change the destination IP address of the access response message to the client's IP address recorded in the context information of the access request message, and send the address-changed access response message to the client.
  • a network access method is provided.
  • the method is applied to a gatekeeper.
  • the internal network port of the gatekeeper is connected to a first cloud system, and the external network port of the gatekeeper is connected to a second cloud system.
  • the method includes: receiving the access request message sent by the client in the first cloud system, where the source IP address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port; changing the source IP address of the access request message to the IP address of the external network port and the destination IP address of the access request message to the IP address of the forwarding node; and sending the address-changed access request message to the forwarding node in the second cloud system, so that the forwarding node sends the address-changed access request message to the service node.
  • the access request message also carries the domain name of the business node
  • the method further includes: sending a first domain name resolution request carrying the domain name of the business node to the first domain name server in the second cloud system, and receiving the first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server; the first domain name server records the correspondence between the domain name of the service node and the IP address of the forwarding node.
  • the method further includes: recording context information of the access request message, where the context information includes: the source IP address, source port number, destination IP address, and destination port number of the access request message.
  • the method further includes: receiving an access response message sent by the forwarding node, where the access response message is sent by the service node to the forwarding node based on the access request message, the source IP address of the access response message is the IP address of the service node,
  • and the destination IP address is the IP address of the external network port of the gatekeeper; obtaining the context information of the access response message; and, when the context information of the access response message matches the context information of the access request message, changing the source IP address of the access response message to the IP address of the internal network port, changing the destination IP address of the access response message to the client's IP address recorded in the context information of the access request message, and sending the address-changed access response message to the client.
  • a gatekeeper in a fifth aspect includes: a first network port, a second network port, a processor, a memory, and a computer program stored in the memory. When the processor executes the computer program, the gatekeeper implements the method of the first aspect.
  • a storage medium is provided, and when instructions in the storage medium are executed by a processor, the method provided in the first aspect is implemented.
  • Fig. 1 is a schematic structural diagram of a hybrid cloud system provided by an embodiment of the present application.
  • Fig. 2 is a schematic structural diagram of another hybrid cloud system provided by an embodiment of the present application.
  • Fig. 3 is a schematic structural diagram of another hybrid cloud system provided by an embodiment of the present application.
  • Fig. 4 is a schematic structural diagram of yet another hybrid cloud system provided by an embodiment of the present application.
  • Fig. 5 is a flowchart of a network access method provided by an embodiment of the present application.
  • Fig. 6 is a schematic structural diagram of a gatekeeper provided by an embodiment of the present application.
  • Fig. 7 is a flowchart of another network access method provided by an embodiment of the present application.
  • Fig. 8 is a schematic structural diagram of another gatekeeper provided by an embodiment of the present application.
  • a gatekeeper is an information security device used to connect two host systems.
  • One of the two host systems is located in the internal network and the other is located in the external network.
  • the gatekeeper has an internal network port, an external network port and a storage medium. By controlling the connections so that the internal network port and the external network port are never connected to the storage medium at the same time, the gatekeeper isolates the two host systems: there is no direct physical or logical connection between them and no information exchange based on an information transmission protocol, which blocks the network connection to the internal network, so that the external network cannot directly invade, attack or destroy the internal network, thereby ensuring the security of the host system located on the internal network.
  • the gatekeeper can transfer data from one host system to another host system in the form of data files. Take sending data from the internal network to the external network as an example to explain the process of data transmission by the gatekeeper.
  • the data transfer process is as follows: after the host system in the intranet sends the data to be transferred to the intranet port, the storage medium is connected to the intranet port and the data to be transferred is copied from the intranet port to the storage medium; after the copy is completed, the storage medium is disconnected from the intranet port; the external network port is then connected to the storage medium and the data to be transferred is copied from the storage medium to the external network port; after the copy is completed, the storage medium is disconnected from the external network port; finally, the external network port sends the data to the host system located in the external network, which completes the transfer.
  • Domain name resolution points a domain name to the IP address of the website's hosting space; it is a service that lets users conveniently access a website through its registered domain name.
  • An IP address is a numeric address that identifies a site on the network.
  • An IP address is usually a piece of data of fixed length, which is difficult to remember.
  • the domain name is therefore used instead of the IP address to identify the site address, and domain name resolution is the process of converting a domain name into an IP address.
  • the hybrid cloud system includes a first cloud system 10, a second cloud system 20 and a gatekeeper 30.
  • the first cloud system 10 includes a client 101.
  • the second cloud system 20 includes a forwarding node 201 and a service node 202.
  • the internal network port of the gatekeeper 30 is connected to the first cloud system 10
  • the external network port of the gatekeeper 30 is connected to the second cloud system 20.
  • the client 101 is used to send an access request message to the internal network port.
  • the source IP address of the access request message is the IP address of the client 101
  • the destination IP address is the IP address of the internal network port.
  • the gatekeeper 30 is configured to change the source IP address of the access request message to the IP address of the external network port, obtain, according to the information in the access request message, the IP address of the forwarding node 201 in the second cloud system 20 that is used to forward the access request message, change the destination IP address of the access request message to the IP address of the forwarding node 201, and send the address-changed access request message to the forwarding node 201;
  • the forwarding node 201 is configured to send the access request message with the address changed to the service node 202.
  • because the forwarding node 201 is configured in the second cloud system 20, the gatekeeper 30 can send the access request message to the forwarding node 201, and the forwarding node 201 then sends the access request message to the service node 202, which realizes the client 101's access to the service node 202.
  • the gatekeeper 30 therefore does not need a dynamic DNS resolution function, and the memory resources occupied by the gatekeeper 30 for storing DNS resolution addresses are reduced, so that the cost of the gatekeeper 30 can be reduced and the scope of application of the gatekeeper 30 can be expanded.
  • configuring a dynamic DNS resolution function in the gatekeeper 30 would break the gatekeeper's principle of static data exchange; since the gatekeeper 30 in the embodiment of the present application does not need to be configured with dynamic DNS resolution, the principle of static data exchange in the gatekeeper 30 is not damaged, which ensures the scope of application of the hybrid cloud system.
  • the first cloud system 10 may be a private cloud system or a local data center, and the first cloud system 10 has high data security requirements.
  • the second cloud system 20 may be a public cloud system, a private cloud system, or a data center, and the requirements of the second cloud system 20 for data security are not higher than the requirements of the first cloud system 10 for data security.
  • for example, the first cloud system 10 may be a private cloud system used by a government unit or a public security department that has higher requirements for data security, and the second cloud system 20 may be a private cloud system used by a unit associated with it.
  • alternatively, the first cloud system 10 may be a local data center used by a government unit or a public security department that has higher requirements on data security, and the second cloud system 20 may be a local data center used by the associated unit.
  • the client 101 can be used by a user in the first cloud system 10.
  • the client 101 can be used by staff in the public security department.
  • the client 101 can be used by the network manager of the first cloud system 10
  • the client 101 can be connected to the cloud management platform in the first cloud system 10, and the network manager can operate the client 101 to manage the first cloud system 10.
  • the cloud service used to manage the first cloud system 10 can be deployed on the business node 202 in the second cloud system 20.
  • the network manager can access the business node 202 through the client 101 and manage the first cloud system 10 according to the access result.
  • cloud services such as authentication, operation and maintenance, application programming interface gateway (APIG), and website portal (portal) may be deployed on the service node 202.
  • APIG: application programming interface gateway
  • portal: website portal
  • the client 101 may be a host in the cloud management platform, and the host may also initiate an access request message for accessing the host in the second cloud system 20.
  • the implementation process of the gatekeeper 30 from receiving the access request message to sending the address-changed access request message to the forwarding node 201 can be as follows: the internal network port of the gatekeeper 30 receives the access request message; the storage medium of the gatekeeper 30 is connected to the internal network port and copies the access request message from the internal network port to the storage medium, and the connection between the two is disconnected after the copy is completed; the storage medium then changes the source IP address of the access request message to the IP address of the external network port; the external network port then establishes a connection with the storage medium, copies the access request message from the storage medium to the external network port, and disconnects the connection between the two after the copy is completed; finally, the external network port obtains, according to the information in the access request message, the IP address of the forwarding node 201 in the second cloud system 20 that is used to forward the access request message, and changes the destination IP address of the access request message to the IP address of the forwarding node 201.
  • the operation of changing the source IP address of the access request message to the IP address of the external network port can also be performed by the external network port.
  • since the storage medium is never directly connected to the second cloud system 20, performing the change of the source IP address of the access request message to the IP address of the external network port on the storage medium reduces the possibility that the IP address of the client 101 is leaked into the second cloud system 20, which further improves data security.
  • the gatekeeper 30 may obtain the IP address of the forwarding node 201, and the following two implementation manners will be used as examples for description.
  • the access request message may carry the domain name of the service node that it requests to access, and the gatekeeper 30 may obtain the IP address of the forwarding node 201 through DNS resolution.
  • the second cloud system 20 further includes a first domain name server 203, and the first domain name server 203 records the correspondence between the domain name of the service node and the IP address of the forwarding node 201.
  • the gatekeeper 30 is also used to send the first domain name resolution request carrying the domain name of the service node to the first domain name server 203.
  • the first domain name server 203 is used to perform domain name resolution based on the domain name of the service node by querying the correspondence between the domain name of the service node and the IP address of the forwarding node 201, obtain the IP address of the forwarding node 201, and then send the gatekeeper 30 a first domain name resolution response carrying the IP address of the forwarding node 201, so that the gatekeeper 30 obtains the IP address of the forwarding node 201.
  • the access request message may carry target information, namely at least one of the domain name of the service node and the port number of the service node that it requests to access, and the gatekeeper 30 may record the correspondence between the target information and the IP address of the forwarding node 201; the gatekeeper 30 can then query the correspondence according to the target information to obtain the IP address of the forwarding node 201.
  • for example, the gatekeeper 30 may record the correspondence between the domain name of the service node and the IP address of the forwarding node 201.
  • the gatekeeper 30 may then query the correspondence using the domain name of the service node to obtain the IP address of the forwarding node 201.
  • which method the gatekeeper 30 uses to obtain the IP address of the forwarding node 201 can be determined according to whether the gatekeeper 30 supports sending DNS resolution messages. In addition, when the gatekeeper 30 uses DNS resolution to obtain the IP address of the forwarding node 201, the gatekeeper 30 does not need to record the correspondence between the target information and the IP address of the forwarding node 201, so the memory resources occupied by the gatekeeper 30 for storing the correspondence can be reduced, which further reduces the cost of the gatekeeper 30.
  • the second cloud system 20 may include multiple forwarding nodes 201, and the multiple forwarding nodes 201 may jointly bear the forwarding pressure.
  • when the second cloud system 20 includes multiple forwarding nodes 201, on the one hand, it can avoid low performance or a system crash caused by excessive forwarding pressure on a single forwarding node 201, and on the other hand, it can improve the forwarding efficiency in the second cloud system 20, which in turn improves access efficiency.
  • the gatekeeper 30 may first determine the target forwarding node 201 for forwarding the access request message to the service node 202 among the multiple forwarding nodes 201. Then, the access request message is sent to the target forwarding node 201.
  • the gatekeeper 30 may record the correspondence between different source IP addresses and the multiple forwarding nodes 201. Before the gatekeeper 30 sends an access request message to a forwarding node 201, the gatekeeper 30 may query this correspondence according to the source IP address of the access request message to obtain the target forwarding node 201 used to send the address-changed access request message to the service node 202, then change the destination IP address of the access request message to the IP address of the target forwarding node 201, and send the address-changed access request message to the target forwarding node 201.
  • the forwarding node 201 can be implemented by a virtual machine, a container, or a physical server.
  • the network manager may rent a virtual machine in the second cloud system 20 and configure the virtual machine so that the virtual machine has the function of the forwarding node 201.
  • the forwarding node 201 may also be a proxy cloud service configured on a virtual machine.
  • the forwarding node 201 may be an Nginx proxy cloud service or an SLB proxy cloud service configured on a virtual machine.
  • the scale and number of the forwarding node 201 can be deployed on demand according to application requirements to meet different application scenarios.
  • the IP address of the forwarding node 201 usually does not change. For example, the IP address of the forwarding node 201 can be fixed during the system configuration process, or fixed through the cloud platform settings, so setting up the forwarding node 201 avoids the re-checking or reconfiguration of the gatekeeper 30 that an IP address change would otherwise cause, which effectively reduces labor costs.
  • the implementation manner in which the forwarding node 201 sends the address-changed access request message to the service node 202 may include: the forwarding node 201 sends the address-changed access request message to the service node 202 based on one or more of the domain name and the port number of the service node carried in the address-changed access request message.
  • the forwarding node 201 may send the access request message to the service node 202 by way of port mapping. That is, the forwarding node 201 can record the correspondence between port numbers and IP addresses. After the forwarding node 201 receives the address-changed access request message sent by the external network port of the gatekeeper 30, the forwarding node 201 can obtain the destination port of the access request message, query the correspondence between port numbers and IP addresses according to the destination port to obtain the IP address corresponding to the port number of the service node 202 that the client 101 requests to access, that is, the IP address of the service node 202, and then send the access request message to the service node 202 according to the IP address of the service node 202.
  • the access request message may carry the domain name of the service node that the client 101 requests to access.
  • the forwarding node 201 may send the access request message to the service node 202 by way of domain name mapping. That is, the forwarding node 201 can record the correspondence between domain names and dynamic IP addresses.
  • after the forwarding node 201 receives the address-changed access request message sent by the external network port of the gatekeeper 30, the forwarding node 201 can obtain the domain name of the service node carried in the access request message, query the correspondence between domain names and dynamic IP addresses according to the domain name of the service node to obtain the dynamic IP address corresponding to the domain name of the service node, that is, the IP address of the service node 202, and then send the access request message to the service node 202 according to the IP address of the service node 202.
  • the forwarding node 201 may also obtain the dynamic IP address corresponding to the domain name of the service node through domain name resolution, that is, obtain the IP address of the service node 202, and then send the access request message to the service node 202 according to the IP address of the service node 202.
  • since the forwarding node 201 is set in the second cloud system 20, the correspondence between domain names and IP addresses recorded in the forwarding node 201 can be updated in time, so that even if the IP address corresponding to a domain name changes, the access request message can still be sent to the business node 202 that it requests to access. Compared with related technologies, there is no need to reconfigure the gatekeeper 30 every time the IP address corresponding to a domain name changes, which effectively reduces labor costs and improves access efficiency.
  • this is transparent to the client 101, and the user experience is improved.
  • the client 101 may obtain the IP address required to implement the domain name access through domain name resolution.
  • the first cloud system 10 further includes a second domain name server 102, and the second domain name server 102 records the correspondence between the domain name of the service node and the IP address of the internal network port of the gatekeeper 30.
  • the client 101 is also used to send a second domain name resolution request carrying the domain name of the business node that it requests to access to the second domain name server 102; the second domain name server 102 is used to perform domain name resolution based on the domain name of the business node by querying the correspondence between the domain name and the IP address of the internal network port of the gatekeeper 30 to obtain the IP address of the internal network port, and to send a second domain name resolution response carrying the IP address of the internal network port to the client 101.
  • the client 101 is also used to construct an access request message based on the IP address of the internal network port.
  • the gatekeeper 30 may also record the context information of the access request message.
  • the context information includes: the source IP address, source port number, destination IP address, and destination port number of the access request message.
  • the context information may also include more information other than the source IP address, source port number, destination IP address, and destination port number, which are not specifically limited in the embodiment of the present application.
  • the context information may also include a transport layer protocol.
  • the forwarding node 201 and the gatekeeper 30 also have the following functions:
  • the forwarding node 201 is also used to receive the access response message sent by the service node 202 based on the access request message, and send the access response message to the external network port.
  • the source IP address of the access response message is the IP address of the service node 202, and the destination IP address of the access response message is the IP address of the external network port;
  • the gatekeeper 30 is also used to obtain the context information of the access response message, change the source IP address of the access response message to the IP address of the internal network port, change the destination IP address of the access response message to the IP address of the client 101 recorded in the context information of the access request message, and send the address-changed access response message to the client 101.
  • for how the gatekeeper 30 receives the access response message and sends the address-changed access response message to the client 101, refer to the implementation process of the gatekeeper 30 from receiving the access request message to sending the address-changed access request message to the forwarding node 201, which will not be repeated here.
  • the access request message and the access response message in the embodiment of the present application may both be hypertext transfer protocol (http) messages.
  • Information such as the port number and domain name can be carried in the header of the http message.
  • the hybrid cloud system may further include devices such as switches and network address translation gateways.
  • a switch 103 may also be set between the client 101 and the internal network port of the gatekeeper 30, and a network address translation gateway 204 may also be set between the forwarding node 201 and the service node 202. In addition, the external network port of the gatekeeper 30 and the forwarding node 201 can also be connected through a dedicated line network or a software-defined wide area network (SD-WAN).
  • the forwarding node is configured in the second cloud system, so that the gatekeeper can send the access request message to the forwarding node, and the access request message can then be sent to the business node through the forwarding node, which realizes the client's access to the business node.
  • a general gatekeeper can be used in the system deployment, and the memory resources occupied by the gatekeeper for storing DNS resolution addresses can be reduced, which makes it possible to reduce the cost of the gatekeeper and expand the scope of application of the gatekeeper.
  • the gatekeeper in the embodiment of this application does not need to be configured with a dynamic DNS resolution function, so the gatekeeper's principle of static data exchange is not undermined, which guarantees the scope of application of the hybrid cloud system.
  • since the forwarding node is deployed in the second cloud system, the scale and number of forwarding nodes can be deployed on demand according to application requirements to meet different application scenarios.
  • the implementation process of the network access method may include the following steps:
  • Step 501 The client sends a second domain name resolution request carrying the domain name of the service node to the second domain name server.
  • when the client accesses the network through a domain name, the client can obtain the IP address required to realize the domain name access through domain name resolution. Therefore, the client can send a second domain name resolution request carrying the domain name of the service node to the second domain name server.
  • the second domain name server needs to be matched with the domain name server used by the first cloud system in advance, so that the second domain name server can be used to perform domain name resolution for the client.
  • in the second domain name server, the IP addresses corresponding to the domain names of all the business nodes in the second cloud system can be configured as the IP address of the internal network port of the gatekeeper, so that the access request message can be correctly transmitted. For example, assuming that the IP address of the internal network port is 1.1.1.1, the IP addresses corresponding to the domain names of all business nodes in the second cloud system can be configured as 1.1.1.1 in the second domain name server.
  • Step 502 The second domain name server performs domain name resolution based on the domain name of the service node to obtain the IP address of the internal network port, and sends a second domain name resolution response carrying the IP address of the internal network port to the client.
  • after receiving the second domain name resolution request sent by the client, the second domain name server can obtain the IP address of the internal network port corresponding to the domain name of the service node according to the correspondence between the domain name of the service node and the IP address of the internal network port recorded by the second domain name server.
  • Step 503 The client sends an access request message to the internal network port according to the IP address of the internal network port.
  • the source IP address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port.
  • after the client receives the IP address of the internal network port carried in the second domain name resolution response, it can construct an access request message based on the IP address of the internal network port; the source IP address of the access request message is the client's IP address, and the destination IP address is the IP address of the internal network port.
  • the access request message may also carry the port number of the service node that the client requests to access. For example, suppose the port number of the business node that the client requests to access is 8080, the client's IP address is 10.20.0.100, and the IP address of the internal network port is 1.1.1.1; then the destination port of the access request packet is 8080, the source IP address is 10.20.0.100, and the destination IP address is 1.1.1.1.
  • Step 504 The internal network port of the gatekeeper records the context information of the access request message.
  • after the internal network port of the gatekeeper receives the access request message sent by the client, it can record the context information of the access request message, so that the gatekeeper can send the access response message for the access request message to the client according to the context information.
  • the context information may include: the source IP address, source port number, destination IP address, and destination port number of the access request message.
  • the context information may also include more information other than the source IP address, source port number, destination IP address, and destination port number, which are not specifically limited in the embodiment of the present application.
  • the context information may also include a transport layer protocol.
  • Step 505 The storage medium of the gatekeeper is connected to the internal network port, the access request message is copied to the storage medium, and the source IP address of the access request message is changed to the IP address of the external network port.
  • for example, the source IP address of the access request message can be changed from 10.20.0.100 to 2.1.1.1.
  • Step 506 The external network port of the gatekeeper is connected to the storage medium, the access request message is copied to the external network port, the IP address of the forwarding node used to send the access request message to the service node is obtained, the destination IP address of the access request message is changed to the IP address of the forwarding node, and the address-changed access request message is sent to the forwarding node.
  • for example, suppose the IP address of the forwarding node that sends the access request message to the service node is 10.10.0.253.
  • after the external network port copies the access request message from the storage medium, the destination IP address of the access request message can be changed from 1.1.1.1 to 10.10.0.253.
  • Step 507 The forwarding node sends the address-changed access request message to the service node.
  • the implementation process of step 507 may include: the forwarding node sends the address-changed access request message to the business node based on one or more of the domain name of the service node and the port number of the service node carried in the address-changed access request message. For the specific implementation process, refer to the relevant description in the foregoing system embodiment, which will not be repeated here.
  • Step 508 The forwarding node receives the access response message sent by the service node based on the access request message, and sends the access response message to the external network port.
  • the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port.
  • Step 509 The gatekeeper obtains the context information of the access response message, and when the context information of the access response message matches the context information of the access request message, changes the source IP address of the access response message to the IP address of the internal network port, changes the destination IP address of the access response message to the client's IP address recorded in the context information of the access request message, and sends the address-changed access response message to the client.
  • the operation of changing the destination IP address of the access response message to the client's IP address recorded in the context information of the access request message can be performed by the internal network port of the gatekeeper.
  • the source IP address of the access request message is changed to the IP address of the external network port by the gatekeeper, the destination IP address of the access request message is changed to the IP address of the forwarding node, the address-changed access request message is sent to the forwarding node, and the access request message is then sent to the service node through the forwarding node, which realizes the client's access to the service node.
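The path of steps 501 to 509, as an added Python simulation that is not part of the patent text: it keeps the gatekeeper's context table, enforces that the storage medium is connected to only one network port at a time (the static data exchange principle), rewrites addresses with the values used in the example (client 10.20.0.100, internal port 1.1.1.1, external port 2.1.1.1, forwarding node 10.10.0.253, service port 8080), and drops a response whose context matches no recorded request. The service node address 10.10.0.20, the domain name, the client source port, and the context-match rule (same protocol, response destination port equals the recorded client port, response source port equals the recorded service port) are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal model of an http access request or response (constructed, not the patent's format)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    domain: str = ""  # domain name of the service node, carried in the http header


class SecondDomainNameServer:
    """Domain name server in the first cloud (steps 501-502): every service domain maps to the internal port IP."""

    def __init__(self, internal_ip: str, service_domains) -> None:
        self.table = {d: internal_ip for d in service_domains}

    def resolve(self, domain: str) -> str:
        return self.table[domain]


class Gatekeeper:
    """Two-port gatekeeper with a storage medium between the internal and external network ports."""

    def __init__(self, internal_ip: str, external_ip: str,
                 forwarder_for: Callable[[str, int], str]) -> None:
        self.internal_ip = internal_ip
        self.external_ip = external_ip
        self.forwarder_for = forwarder_for  # (domain, port) -> forwarding node IP (target information lookup)
        # Step 504 context: (proto, client source port) -> (client IP, client port, internal IP, service port)
        self.context: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self._storage: Optional[Packet] = None
        self._attached: set = set()

    def _attach(self, port: str) -> None:
        # Static data exchange: the storage medium is never connected to both ports at the same time.
        if self._attached:
            raise RuntimeError("storage medium is still attached to " + ", ".join(self._attached))
        self._attached.add(port)

    def _detach(self, port: str) -> None:
        self._attached.discard(port)

    def _ferry(self, pkt: Packet, from_port: str, to_port: str) -> Packet:
        # One port copies the message into the storage medium and disconnects; only then does the other connect.
        self._attach(from_port)
        self._storage = pkt
        self._detach(from_port)
        self._attach(to_port)
        out, self._storage = self._storage, None
        self._detach(to_port)
        return out

    def handle_request(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.internal_ip:
            return None  # not addressed to the internal network port
        # Step 504: record the context so the matching response can be returned to the client.
        self.context[(pkt.proto, pkt.src_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Step 505: the source IP becomes the external port IP as the message is copied to the storage medium.
        staged = self._ferry(replace(pkt, src_ip=self.external_ip), "internal", "external")
        # Step 506: the external port obtains the forwarding node IP and rewrites the destination.
        return replace(staged, dst_ip=self.forwarder_for(staged.domain, staged.dst_port))

    def handle_response(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.external_ip:
            return None
        # Step 509: match the response against the recorded context (assumed rule: same protocol,
        # response destination port is the recorded client port, response source port is the service port).
        ctx = self.context.get((pkt.proto, pkt.dst_port))
        if ctx is None or ctx[3] != pkt.src_port:
            return None  # unsolicited or mismatched response: drop it
        client_ip, _client_port, internal_ip, _service_port = ctx
        staged = self._ferry(replace(pkt, src_ip=internal_ip), "external", "internal")
        return replace(staged, dst_ip=client_ip)


class ForwardingNode:
    """Forwarding node in the second cloud: domain name mapping first, port mapping as the fallback."""

    def __init__(self, ip: str, domain_map: Dict[str, str], port_map: Dict[int, str]) -> None:
        self.ip, self.domain_map, self.port_map = ip, domain_map, port_map

    def forward(self, pkt: Packet) -> Packet:
        service_ip = self.domain_map.get(pkt.domain) or self.port_map[pkt.dst_port]
        return replace(pkt, dst_ip=service_ip)


def run_flow(client_port: int = 51000) -> Tuple[Packet, Optional[Packet]]:
    """Run steps 501-509 once; return the request seen by the forwarding node and the response seen by the client."""
    dns = SecondDomainNameServer("1.1.1.1", ["app.example.internal"])
    fwd = ForwardingNode("10.10.0.253", {"app.example.internal": "10.10.0.20"}, {8080: "10.10.0.20"})
    gk = Gatekeeper("1.1.1.1", "2.1.1.1", lambda domain, port: fwd.ip)
    dst = dns.resolve("app.example.internal")                                         # steps 501-502
    req = Packet("tcp", "10.20.0.100", client_port, dst, 8080, "app.example.internal")  # step 503
    at_fwd = gk.handle_request(req)                                                    # steps 504-506
    at_svc = fwd.forward(at_fwd)                                                       # step 507
    resp = Packet("tcp", at_svc.dst_ip, 8080, at_svc.src_ip, at_svc.src_port)          # step 508
    return at_fwd, gk.handle_response(resp)                                            # step 509
```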
  • the embodiment of the application also provides a gatekeeper.
  • the internal network port of the gatekeeper is connected to the first cloud system, and the external network port of the gatekeeper is connected to the second cloud system.
  • the gatekeeper 60 includes:
  • the first transceiver module 601 is configured to receive an access request message sent by a client in the first cloud system, the source IP address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port;
  • the second transceiver module 602 is used to change the source IP address of the access request message to the IP address of the external network port, change the destination IP address of the access request message to the IP address of the forwarding node, and send the address-changed access request message to the forwarding node in the second cloud system, so that the forwarding node sends the address-changed access request message to the service node.
  • the access request message also carries the domain name of the business node.
  • the second transceiver module 602 is also used to send a first domain name resolution request carrying the domain name of the business node to the first domain name server in the second cloud system, and to receive a first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server; the first domain name server records the correspondence between the domain name of the service node and the IP address of the forwarding node.
  • the first transceiver module 601 is also used to record the context information of the access request message.
  • the context information includes: the source IP address, source port number, destination IP address, and destination port number of the access request message.
  • the second transceiver module 602 is further configured to receive an access response message sent by the forwarding node.
  • the access response message is sent by the service node to the forwarding node based on the access request message; the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port of the gatekeeper;
  • the first transceiver module 601 is also used to obtain the context information of the access response message, and when the context information of the access response message matches the context information of the access request message, change the source IP address of the access response message to the IP address of the internal network port, change the destination IP address of the access response message to the client's IP address recorded in the context information of the access request message, and send the address-changed access response message to the client.
  • the source IP address of the access request message is changed to the IP address of the external network port by the second transceiver module, the destination IP address of the access request message is changed to the IP address of the forwarding node, and the address-changed access request message is sent to the forwarding node, so that the forwarding node can send the access request message to the service node, which realizes the client's access to the service node. Compared with related technologies, there is no need to configure a dynamic DNS resolution function in the gatekeeper, so a general gatekeeper can be used in the system deployment and the memory resources occupied by the gatekeeper for storing DNS resolution addresses are reduced, so that the cost of the gatekeeper can be reduced and the scope of application of the gatekeeper can be expanded.
  • the embodiment of the present application also provides a network access method, which can be applied to a gatekeeper. As shown in Figure 7, the method may include:
  • Step 701 Receive an access request message sent by a client in the first cloud system, where the source IP address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port.
  • Step 702 Record the context information of the access request message.
  • the context information includes: the source IP address, source port number, destination IP address, and destination port number of the access request message.
  • Step 703 Change the source IP address of the access request message to the IP address of the external network port, change the destination IP address of the access request message to the IP address of the forwarding node, and send the address-changed access request message to the forwarding node in the second cloud system, so that the forwarding node sends the address-changed access request message to the service node.
  • before the gatekeeper changes the destination IP address of the access request message to the IP address of the forwarding node, it needs to obtain the IP address of the forwarding node first, and the implementation may include:
  • the access request message can carry the domain name of the service node that it requests to access, and the gatekeeper can obtain the IP address of the forwarding node through DNS resolution.
  • the second cloud system 20 further includes a first domain name server 203, and the first domain name server 203 records the correspondence between the domain name of the service node and the IP address of the forwarding node 201.
  • the gatekeeper 30 may send the first domain name resolution request carrying the domain name of the service node to the first domain name server 203, and receive the first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server 203.
  • the first domain name server 203 may perform domain name resolution based on the domain name of the service node by querying the correspondence between the domain name of the service node and the IP address of the forwarding node 201 to obtain the IP address of the forwarding node 201.
  • the access request message can carry target information, which is at least one of the domain name and the port number of the business node that it requests to access, and the gatekeeper can record the correspondence between the target information and the IP address of the forwarding node.
  • the gatekeeper can query the correspondence according to the target information to obtain the IP address of the forwarding node.
  • the gatekeeper can record the correspondence between the domain name of the service node and the IP address of the forwarding node.
  • the gatekeeper can query the correspondence according to the domain name of the service node to obtain the IP address of the forwarding node.
  • Step 704 Receive the access response message sent by the forwarding node.
  • the access response message is sent by the service node to the forwarding node based on the access request message.
  • the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port of the gatekeeper.
  • Step 705 Obtain the context information of the access response message, and when the context information of the access response message matches the context information of the access request message, change the source IP address of the access response message to the IP address of the internal network port, change the destination IP address of the access response message to the client's IP address recorded in the context information of the access request message, and send the address-changed access response message to the client.
  • the source IP address of the access request message is changed to the IP address of the external network port, the destination IP address of the access request message is changed to the IP address of the forwarding node, and the address-changed access request message is sent to the forwarding node, so that the forwarding node can send the access request message to the service node, which realizes the client's access to the service node.
  • since no dynamic DNS resolution function needs to be configured in the gatekeeper, a general gatekeeper can be used in the system deployment and the memory resources occupied by the gatekeeper for storing DNS resolution addresses are reduced, so that the cost of the gatekeeper can be reduced and the scope of application of the gatekeeper can be expanded.
  • the gatekeeper in the embodiment of this application does not need to be configured with a dynamic DNS resolution function, so the gatekeeper's principle of static data exchange is not undermined, which guarantees the scope of application of the hybrid cloud system.
  • since the forwarding node is deployed in the second cloud system, the scale and number of forwarding nodes can be deployed on demand according to application requirements to meet different application scenarios.
  • the embodiment of the present application also provides another gatekeeper.
  • Figure 8 exemplarily provides a possible architecture diagram of the gatekeeper.
  • the gatekeeper 80 may include a processor 801, a memory 802, a first network port 803, a second network port 804, and a bus 805.
  • the number of processors 801 may be one or more, and FIG. 8 only illustrates one of the processors 801. If the gatekeeper has multiple processors 801, the types of multiple processors 801 may be different or may be the same. Optionally, multiple processors of the gatekeeper can also be integrated into a multi-core processor.
  • the processor 801 may be a hardware chip, which is used to complete the method for detecting lithium evolution of a rechargeable battery provided in the embodiment of the present application.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
  • the processor 801 may also be a general-purpose processor, for example, a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the memory 802 stores computer instructions and data, and the memory 802 can store computer instructions and data required to implement the network access method provided in the present application.
  • the memory 802 may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM), flash memory, a hard disk (HDD), or a solid-state drive (SSD).
  • the volatile memory may be random access memory (RAM), which is used as an external cache.
  • forms of RAM include static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct rambus random access memory (DR RAM).
  • the first network port 803 may be any one or any combination of the following devices: a network interface (such as an Ethernet interface), a wireless network card, and other devices with a network access function.
  • the first network port 803 is used for data communication between the gatekeeper and other network nodes.
  • the second network port 804 may be any one or any combination of the following devices: a network interface (such as an Ethernet interface), a wireless network card, and other devices with a network access function.
  • the second network port 804 is used for data communication between the gatekeeper and other network nodes.
  • the gatekeeper can control the first network port, the second network port and the memory to perform the following steps: after one of the first network port and the second network port receives a message, it establishes a connection with the memory and copies the message to the memory. After the memory is disconnected from that network port, the other of the first network port and the second network port establishes a connection with the memory, the message is copied to that other network port, and the message is transmitted through that other network port.
  • FIG. 8 also exemplarily plots the bus 805.
  • the bus 805 can connect the processor 801 with the memory 802 and the first network port 803. In this way, through the bus 805, the processor 801 can access the memory 802, and can also use at least one of the first network port 803 and the second network port 804 to exchange data with other network nodes.
  • the gatekeeper executes the computer instructions in the memory 802 to implement the network access method provided in this application.
  • the following steps may be performed: receiving an access request message sent by the client in the first cloud system, where the destination port of the access request message is the port number of the service node in the second cloud system that the client requests to access, the source IP address is the IP address of the client and the destination IP address is the IP address of the internal network port; changing the source IP address of the access request message to the IP address of the external network port and its destination IP address to the IP address of the forwarding node; and sending the address-changed access request message to the forwarding node in the second cloud system, so that the forwarding node sends the address-changed access request message to the service node.
  • when the gatekeeper executes the computer instructions in the memory 802, the implementation of this step may refer to the corresponding description in the foregoing method embodiment.
  • the embodiment of the present application also provides a storage medium, which is a non-volatile computer-readable storage medium, and when the instructions in the storage medium are executed by the processor, the network access method as in the embodiment of the present application is implemented.
  • the embodiments of the present application also provide a computer program product containing instructions; when the computer program product runs on a computer, the computer executes the network access method in the embodiments of the present application.
  • the program can be stored in a computer-readable storage medium.
  • the storage medium mentioned can be a read-only memory, a magnetic disk or an optical disk, etc.
  • the terms “first”, “second” and “third” are only used for descriptive purposes, and cannot be understood as indicating or implying relative importance.
  • the term “at least one” refers to one or more, and the term “plurality” refers to two or more, unless expressly defined otherwise.

Abstract

The present application relates to the technical field of cloud services, and disclosed is a hybrid cloud system. The hybrid cloud system comprises a first cloud system, a second cloud system, and a gatekeeper, the gatekeeper connecting the first cloud system and the second cloud system; a client in the first cloud system, which is used to send an access request message to an internal network port, wherein a source Internet Protocol (IP) address of the access request message is an IP address of the client, and a destination IP address is an IP address of the internal network port; the gatekeeper is used to change the source IP address of the access request message to an IP address of an external network port, change the destination IP address of the access request message to an IP address of a forwarding node, and send the access request message after the address is changed to the forwarding node; and the forwarding node in the second cloud system is used to send the access request message after the address is changed to a service node in the second cloud system. The present application reduces the cost of the gatekeeper on the basis of the implementation of dynamic DNS resolution.

Description

Hybrid cloud system, gatekeeper, network access method and storage medium

Technical field
This application relates to the technical field of cloud services, and in particular to a hybrid cloud system, a gatekeeper, a network access method and a storage medium.
Background
At present, to secure an internal network (for example, a private cloud), a gatekeeper is usually deployed between the internal network and the external network (for example, a public cloud). When a client in the internal network accesses the external network through the gatekeeper, the client's access request message is passed through the gatekeeper to the external network, thereby realizing access to the external network.
To ensure that a client can reach a given Internet Protocol (IP) address through the gatekeeper, that IP address must be configured in the gatekeeper in advance as a reachable (allowed) address, so that messages carrying that IP address can pass through the gatekeeper and the address can be accessed. However, when a device is accessed by domain name, the IP address corresponding to the device's domain name may change. If the changed IP address has not been configured in the gatekeeper as an allowed address, the gatekeeper does not let messages carrying the changed IP address pass, and the device cannot be accessed through those messages.
Although this problem can be solved by configuring a dynamic DNS function on the gatekeeper, a gatekeeper with a dynamic DNS function is expensive, which limits its range of application.
Summary
This application provides a hybrid cloud system, a gatekeeper, a network access method and a storage medium, which can solve the problem that current gatekeepers with a dynamic DNS function are costly.
In a first aspect, a hybrid cloud system is provided. The hybrid cloud system includes a first cloud system, a second cloud system and a gatekeeper. The first cloud system includes a client, and the second cloud system includes a forwarding node and a service node. The internal network port of the gatekeeper is connected to the first cloud system, and the external network port of the gatekeeper is connected to the second cloud system. The client is configured to send an access request message to the internal network port, where the source Internet Protocol (IP) address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port. The gatekeeper is configured to change the source IP address of the access request message to the IP address of the external network port, change the destination IP address of the access request message to the IP address of the forwarding node, and send the address-changed access request message to the forwarding node. The forwarding node is configured to send the address-changed access request message to the service node.
By configuring a forwarding node in the second cloud system, the gatekeeper can send the access request message to the forwarding node, and the forwarding node then sends the access request message to the service node, so that the client can access the service node. Compared with the related art, no dynamic DNS resolution function needs to be configured in the gatekeeper: a general-purpose gatekeeper can be used in the system deployment, and the memory that the gatekeeper would otherwise use to store DNS resolution addresses is saved, which reduces the cost of the gatekeeper and widens its range of application.
Moreover, configuring a dynamic DNS resolution function in a gatekeeper would undermine the gatekeeper's principle of static data exchange. Since the gatekeeper in the embodiments of this application needs no dynamic DNS resolution function, that principle is preserved, which ensures the applicability of the hybrid cloud system.
In addition, since the forwarding node is deployed in the second cloud system, the scale and number of forwarding nodes can be chosen on demand according to application requirements to suit different application scenarios.
In one implementation, the second cloud system further includes a first domain name server, the access request message further carries the domain name of the service node, and the first domain name server records the correspondence between the domain name of the service node and the IP address of the forwarding node. The gatekeeper is further configured to send to the first domain name server a first domain name resolution request carrying the domain name of the service node; the first domain name server is configured to perform domain name resolution based on the domain name of the service node to obtain the IP address of the forwarding node, and to send to the gatekeeper a first domain name resolution response carrying the IP address of the forwarding node.
When the second cloud system includes the first domain name server, the gatekeeper can obtain the IP address of the forwarding node through that server. The gatekeeper then need not store the correspondence between the target information and the IP address of the forwarding node, which reduces the memory the gatekeeper would use to store that correspondence and further reduces the cost of the gatekeeper.
Optionally, the first cloud system further includes a second domain name server, which records the correspondence between the domain name of the service node and the IP address of the internal network port. The client is further configured to send to the second domain name server a second domain name resolution request carrying the domain name of the service node; the second domain name server is configured to perform domain name resolution based on the domain name of the service node to obtain the IP address of the internal network port, and to send to the client a second domain name resolution response carrying the IP address of the internal network port.
When the first cloud system includes the second domain name server, the client can obtain, through domain name resolution, the IP address needed to access the domain name.
In one implementation, the forwarding node is specifically configured to send the address-changed access request message to the service node based on one or more of the domain name of the service node and the port number of the service node carried in the address-changed access request message.
Optionally, the gatekeeper is further configured to record context information of the access request message, the context information including the source IP address, source port number, destination IP address and destination port number of the access request message.
Correspondingly, the forwarding node is further configured to receive an access response message sent by the service node based on the access request message and to send the access response message to the external network port, where the source IP address of the access response message is the IP address of the service node and the destination IP address is the IP address of the external network port.
The gatekeeper is then further configured to obtain the context information of the access response message and, when the context information of the access response message matches the context information of the access request message, change the source IP address of the access response message to the IP address of the internal network port, change the destination IP address of the access response message to the IP address of the client recorded in the context information of the access request message, and send the address-changed access response message to the client.
In a second aspect, a network access method is provided, applied to a hybrid cloud system. The hybrid cloud system includes a first cloud system, a second cloud system and a gatekeeper; the first cloud system includes a client, the second cloud system includes a forwarding node and a service node, the internal network port of the gatekeeper is connected to the first cloud system, and the external network port of the gatekeeper is connected to the second cloud system. The method includes: the client sends an access request message to the internal network port, where the source Internet Protocol (IP) address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port; the gatekeeper changes the source IP address of the access request message to the IP address of the external network port, changes the destination IP address of the access request message to the IP address of the forwarding node, and sends the address-changed access request message to the forwarding node; and the forwarding node sends the address-changed access request message to the service node.
Optionally, the second cloud system further includes a first domain name server, the access request message further carries the domain name of the service node, and the first domain name server records the correspondence between the domain name of the service node and the IP address of the forwarding node. The method further includes: the gatekeeper sends to the first domain name server a first domain name resolution request carrying the domain name of the service node; the first domain name server performs domain name resolution based on the domain name of the service node to obtain the IP address of the forwarding node, and sends to the gatekeeper a first domain name resolution response carrying the IP address of the forwarding node.
Optionally, the first cloud system further includes a second domain name server, which records the correspondence between the domain name of the service node and the IP address of the internal network port. The method further includes: the client sends to the second domain name server a second domain name resolution request carrying the domain name of the service node; the second domain name server performs domain name resolution based on the domain name of the service node to obtain the IP address of the internal network port, and sends to the client a second domain name resolution response carrying the IP address of the internal network port.
Optionally, the forwarding node sending the address-changed access request message to the service node includes: the forwarding node sends the address-changed access request message to the service node based on one or more of the domain name of the service node and the port number of the service node carried in the address-changed access request message.
Optionally, the method further includes: the gatekeeper records context information of the access request message, the context information including the source IP address, source port number, destination IP address and destination port number of the access request message.
Optionally, the method further includes: the forwarding node receives an access response message sent by the service node based on the access request message and sends the access response message to the external network port, where the source IP address of the access response message is the IP address of the service node and the destination IP address is the IP address of the external network port; the gatekeeper obtains the context information of the access response message and, when the context information of the access response message matches the context information of the access request message, changes the source IP address of the access response message to the IP address of the internal network port, changes the destination IP address of the access response message to the IP address of the client recorded in the context information of the access request message, and sends the address-changed access response message to the client.
In a third aspect, a gatekeeper is provided. The internal network port of the gatekeeper is connected to a first cloud system and the external network port of the gatekeeper is connected to a second cloud system. The gatekeeper includes: a first transceiver module, configured to receive an access request message sent by a client in the first cloud system, where the source IP address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port; and a second transceiver module, configured to change the source IP address of the access request message to the IP address of the external network port, change the destination IP address of the access request message to the IP address of a forwarding node, and send the address-changed access request message to the forwarding node in the second cloud system, so that the forwarding node sends the address-changed access request message to a service node.
Optionally, the access request message further carries the domain name of the service node, and the second transceiver module is further configured to send to a first domain name server in the second cloud system a first domain name resolution request carrying the domain name of the service node, and to receive a first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server, where the first domain name server records the correspondence between the domain name of the service node and the IP address of the forwarding node.
Optionally, the first transceiver module is further configured to record context information of the access request message, the context information including the source IP address, source port number, destination IP address and destination port number of the access request message.
Optionally, the second transceiver module is further configured to receive an access response message sent by the forwarding node, where the access response message is sent by the service node to the forwarding node based on the access request message, the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port of the gatekeeper. The first transceiver module is further configured to obtain the context information of the access response message and, when the context information of the access response message matches the context information of the access request message, change the source IP address of the access response message to the IP address of the internal network port, change the destination IP address of the access response message to the IP address of the client recorded in the context information of the access request message, and send the address-changed access response message to the client.
In a fourth aspect, a network access method is provided, applied to a gatekeeper whose internal network port is connected to a first cloud system and whose external network port is connected to a second cloud system. The method includes: receiving an access request message sent by a client in the first cloud system, where the source IP address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port; changing the source IP address of the access request message to the IP address of the external network port and the destination IP address of the access request message to the IP address of a forwarding node; and sending the address-changed access request message to the forwarding node in the second cloud system, so that the forwarding node sends the address-changed access request message to a service node.
Optionally, the access request message further carries the domain name of the service node, and the method further includes: sending to a first domain name server in the second cloud system a first domain name resolution request carrying the domain name of the service node, and receiving a first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server, where the first domain name server records the correspondence between the domain name of the service node and the IP address of the forwarding node.
Optionally, the method further includes: recording context information of the access request message, the context information including the source IP address, source port number, destination IP address and destination port number of the access request message.
Optionally, the method further includes: receiving an access response message sent by the forwarding node, where the access response message is sent by the service node to the forwarding node based on the access request message, the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port of the gatekeeper; obtaining the context information of the access response message and, when the context information of the access response message matches the context information of the access request message, changing the source IP address of the access response message to the IP address of the internal network port, changing the destination IP address of the access response message to the IP address of the client recorded in the context information of the access request message, and sending the address-changed access response message to the client.
In a fifth aspect, a gatekeeper is provided, including a first network port, a second network port, a processor and a memory. The memory stores a computer program, and when the processor executes the computer program the gatekeeper implements the method provided in the first aspect.
In a sixth aspect, a storage medium is provided; when the instructions in the storage medium are executed by a processor, the method provided in the first aspect is implemented.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of a hybrid cloud system provided by an embodiment of this application;
FIG. 2 is a schematic structural diagram of another hybrid cloud system provided by an embodiment of this application;
FIG. 3 is a schematic structural diagram of yet another hybrid cloud system provided by an embodiment of this application;
FIG. 4 is a schematic structural diagram of still another hybrid cloud system provided by an embodiment of this application;
FIG. 5 is a flowchart of a network access method provided by an embodiment of this application;
FIG. 6 is a schematic structural diagram of a gatekeeper provided by an embodiment of this application;
FIG. 7 is a flowchart of another network access method provided by an embodiment of this application;
FIG. 8 is a schematic structural diagram of another gatekeeper provided by an embodiment of this application.
具体实施方式Detailed ways
为使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。In order to make the purpose, technical solutions, and advantages of the present application clearer, the implementation manners of the present application will be described in further detail below in conjunction with the accompanying drawings.
为便于理解,下面先对本申请实施例中涉及的名词进行解释。For ease of understanding, the terms involved in the embodiments of the present application will be explained below.
1、网闸1. Gatekeeper
网闸是用于连接两个主机系统的信息安全设备。该两个主机系统一个位于内网一个位 于外网。网闸具有内网口、外网口和存储介质。其中,通过控制内网口与存储介质、外网口与存储介质不同时连通,网闸能够将该两个主机系统进行隔离,使该两个主机系统之间不存在直接的物理连接、逻辑连接及依据信息传输协议的信息交换,阻断了对内网的网络连接,使得外网无法直接入侵、攻击和破坏内网,从而保证位于内网额主机系统的安全。A gatekeeper is an information security device used to connect two host systems. One of the two host systems is located in the internal network and the other is located in the external network. The gatekeeper has an internal network port, an external network port and a storage medium. Among them, by controlling the internal network port and the storage medium, the external network port and the storage medium are not connected at the same time, the gatekeeper can isolate the two host systems so that there is no direct physical connection or logical connection between the two host systems And the information exchange based on the information transmission protocol blocks the network connection to the internal network, making the external network unable to directly invade, attack and destroy the internal network, thereby ensuring the security of the host system located on the internal network.
并且,通过存储介质分别与内网口和外网口连接,网闸能够以数据文件的形式将一个主机系统的数据传递至另一个主机系统。以从内网向外网发送数据为例,对网闸实现数据传递的过程进行说明。其数据传递过程为:位于内网中的主机系统将待传递数据发送至内网口后,存储介质与内网口连接,将待传递数据从内网口拷贝至存储介质中,并在拷贝完成后断开存储介质与内网口的连接,然后,外网口与存储介质连接,将待传递数据从存储介质拷贝至该外网口中,并在拷贝完成后断开存储介质与外网口的连接,然后外网口将待传递数据发送至位于外网中的主机系统,以实现数据的传递。In addition, by connecting the storage medium to the internal network port and the external network port, the gatekeeper can transfer data from one host system to another host system in the form of data files. Take sending data from the internal network to the external network as an example to explain the process of data transmission by the gatekeeper. The data transfer process is as follows: after the host system in the intranet sends the data to be transferred to the intranet port, the storage medium is connected to the intranet port, and the data to be transferred is copied from the intranet port to the storage medium, and the copy is completed Then disconnect the storage medium from the internal network port, then connect the external network port to the storage medium, copy the data to be transferred from the storage medium to the external network port, and disconnect the storage medium from the external network port after the copy is completed Connect, and then the external network port sends the data to be transmitted to the host system located in the external network to realize data transmission.
2、域名解析2. Domain name resolution
域名解析是把域名指向网站空间IP,是用户通过注册的域名可以方便地访问到网站的一种服务。IP地址是网络上标识站点的数字地址,IP地址通常是一段具有固定长度的数据,较难记忆。为了方便记忆,采用域名来代替IP地址标识站点地址。因此,域名解析就是域名到IP地址的转换过程。Domain name resolution is to point the domain name to the website space IP, which is a service that users can easily access the website through the registered domain name. An IP address is a digital address that identifies a site on the network. An IP address is usually a piece of data with a fixed length, which is difficult to remember. In order to facilitate memory, the domain name is used instead of the IP address to identify the site address. Therefore, domain name resolution is the process of converting domain names to IP addresses.
An embodiment of this application provides a hybrid cloud system. As shown in FIG. 1, the hybrid cloud system includes a first cloud system 10, a second cloud system 20 and a gatekeeper 30. The first cloud system 10 includes a client 101. The second cloud system 20 includes a forwarding node 201 and a service node 202. The internal network port of the gatekeeper 30 is connected to the first cloud system 10, and the external network port of the gatekeeper 30 is connected to the second cloud system 20.
The client 101 is configured to send an access request message to the internal network port. The source IP address of the access request message is the IP address of the client 101, and its destination IP address is the IP address of the internal network port.
The gatekeeper 30 is configured to change the source IP address of the access request message to the IP address of the external network port, to obtain, based on information in the access request message, the IP address of the forwarding node 201 in the second cloud system 20 that will forward the message, to change the destination IP address of the access request message to the IP address of the forwarding node 201, and to send the readdressed access request message to the forwarding node 201.
The forwarding node 201 is configured to send the readdressed access request message to the service node 202.
Thus, in the hybrid cloud system provided by this embodiment, configuring a forwarding node 201 in the second cloud system 20 lets the gatekeeper 30 send the access request message to the forwarding node 201, which in turn sends it to the service node 202, so that the client 101 can access the service node 202. Compared with the related art, no dynamic DNS resolution function needs to be configured in the gatekeeper 30, so a general-purpose gatekeeper 30 can be used in the deployment and the memory that the gatekeeper 30 would otherwise spend storing resolved DNS addresses is saved; this lowers the cost of the gatekeeper 30 and widens its range of application. Moreover, configuring dynamic DNS resolution in a gatekeeper 30 would violate the gatekeeper's principle of static data exchange; because the gatekeeper 30 in this embodiment needs no dynamic DNS resolution, that principle is preserved and the applicability of the hybrid cloud system is assured.
In one implementation, the first cloud system 10 may be a private cloud system or an on-premises data center with high data security requirements. The second cloud system 20 may be a public cloud system, a private cloud system or a data center whose data security requirements are no higher than those of the first cloud system 10. Placing the gatekeeper 30 between the first cloud system 10 and the second cloud system 20 isolates the two systems from each other and thereby protects the data security of the first cloud system 10.
For example, the first cloud system 10 may be the private cloud system of an organization with high data security requirements, such as a government agency or a public security department, and the second cloud system 20 may be a cloud system made up of virtual machines that this organization rents in a public cloud system. Alternatively, the first cloud system 10 may be the private cloud system of such an organization and the second cloud system 20 the private cloud system of an affiliated organization. Alternatively, the first cloud system 10 may be the on-premises data center of such an organization and the second cloud system 20 the data center of an affiliated organization.
The client 101 may be used by a user in the first cloud system 10. For example, when the first cloud system 10 is a private cloud system used by a public security department, the client 101 may be used by staff of that department. As another example, the client 101 may be used by the network administrator of the first cloud system 10: the client 101 connects to the cloud management platform of the first cloud system 10, and the administrator operates the client 101 to manage the first cloud system 10. Furthermore, the cloud services used to manage the first cloud system 10 may be deployed on the service node 202 in the second cloud system 20; the administrator then accesses the service node 202 through the client 101 and manages the first cloud system 10 on the basis of the results. Optionally, cloud services such as authentication, operations and maintenance, an application programming interface gateway (APIG) and a web portal may be deployed on the service node 202.
Alternatively, the client 101 may be a host in the cloud management platform, and that host may likewise initiate an access request message to access a host in the second cloud system 20.
The process by which the gatekeeper 30 goes from receiving the access request message to sending the readdressed message to the forwarding node 201 may be as follows: the internal network port of the gatekeeper 30 receives the access request message; the storage medium in the gatekeeper 30 connects to the internal network port, copies the access request message from the internal network port into the storage medium and breaks the connection once the copy completes; the storage medium changes the source IP address of the access request message to the IP address of the external network port; the external network port then connects to the storage medium, copies the access request message from the storage medium into the external network port and breaks the connection once the copy completes; finally, the external network port obtains, based on information in the access request message, the IP address of the forwarding node 201 in the second cloud system 20 that will forward the message, and changes the destination IP address of the access request message to the IP address of the forwarding node 201.
Note that the change of the source IP address of the access request message to the IP address of the external network port may also be performed by the external network port. However, because the storage medium is never directly connected to the second cloud system 20, having the storage medium perform the change reduces the chance that the IP address of the client 101 leaks into the second cloud system 20, further improving data security.
Optionally, the gatekeeper 30 may obtain the IP address of the forwarding node 201 in several ways; two of them are described below as examples.
In the first implementation, the access request message carries the domain name of the service node it requests to access, and the gatekeeper 30 obtains the IP address of the forwarding node 201 through DNS resolution. In this case, as shown in FIG. 2, the second cloud system 20 further includes a first domain name server 203, which records the correspondence between the domain name of the service node and the IP address of the forwarding node 201. Accordingly, the gatekeeper 30 is further configured to send the first domain name server 203 a first domain name resolution request carrying the domain name of the service node. The first domain name server 203 is configured to resolve the domain name by looking up the correspondence between the domain name of the service node and the IP address of the forwarding node 201, obtain the IP address of the forwarding node 201, and send the gatekeeper 30 a first domain name resolution response carrying that IP address, so that the gatekeeper 30 obtains the IP address of the forwarding node 201.
In the second implementation, the access request message carries target information consisting of at least one of the domain name and the port number of the service node it requests to access, and the gatekeeper 30 records the correspondence between the target information and the IP address of the forwarding node 201; the gatekeeper 30 looks up this correspondence using the target information to obtain the IP address of the forwarding node 201. For example, the gatekeeper 30 may record the correspondence between the domain name of the service node and the IP address of the forwarding node 201; after extracting the domain name of the service node carried in the access request message, the gatekeeper 30 looks up the correspondence by that domain name to obtain the IP address of the forwarding node 201.
Note that which method the gatekeeper 30 uses to obtain the IP address of the forwarding node 201 can be decided by whether the gatekeeper 30 supports sending DNS resolution messages. Moreover, when the gatekeeper 30 obtains the IP address of the forwarding node 201 through DNS resolution, it does not need to store the correspondence between the target information and the IP address of the forwarding node 201, which saves the memory that storing the correspondence would occupy and further lowers the cost of the gatekeeper 30.
The second cloud system 20 may also include multiple forwarding nodes 201 that share the forwarding load. With multiple forwarding nodes 201, the degraded performance or system crash caused by overloading a single forwarding node 201 is avoided, and forwarding efficiency in the second cloud system 20, and hence access efficiency, improves. In this case, after receiving an access request message the gatekeeper 30 may first determine, among the multiple forwarding nodes 201, the target forwarding node 201 that will forward the access request message to the service node 202, and then send the access request message to that target forwarding node 201.
In one implementation, the gatekeeper 30 may record the correspondence between different source IP addresses and the multiple forwarding nodes 201. Before sending the access request message to a forwarding node 201, the gatekeeper 30 may look up this correspondence by the source IP address of the access request message to determine the target forwarding node 201 that will send the readdressed access request message to the service node 202, then change the destination IP address of the access request message to the IP address of the target forwarding node 201 and send the readdressed message to that target forwarding node 201.
The forwarding node 201 may be implemented as a virtual machine, a container or a physical server. For example, the network administrator may rent a virtual machine in the second cloud system 20 and configure it to perform the functions of the forwarding node 201. The forwarding node 201 may also be a proxy cloud service configured on a virtual machine, for example an Nginx proxy cloud service or an SLB proxy cloud service. Because the forwarding node 201 is deployed in the second cloud system 20, the size and number of forwarding nodes 201 can be scaled on demand to suit different application scenarios. Furthermore, the IP address of the forwarding node 201 normally does not change (it can be fixed during system configuration or through the cloud platform settings, for example), so providing a forwarding node 201 avoids the re-inspection or reconfiguration of the gatekeeper 30 that IP address changes would otherwise require, effectively reducing labor cost.
Optionally, the forwarding node 201 may send the readdressed access request message to the service node 202 as follows: the forwarding node 201 sends the readdressed access request message to the service node 202 based on one or more of the domain name and the port number of the service node carried in the message.
For example, the forwarding node 201 may send the access request message to the service node 202 by port mapping. That is, the forwarding node 201 may record a correspondence between port numbers and IP addresses; on receiving the readdressed access request message from the external network port of the gatekeeper 30, the forwarding node 201 reads the destination port of the message, looks up the port-to-IP correspondence by that port to obtain the IP address corresponding to the port number of the service node 202 that the client 101 requests to access, that is, the IP address of the service node 202, and sends the service request message to the service node 202 at that IP address.
As another example, the access request message may carry the domain name of the service node that the client 101 requests to access, in which case the forwarding node 201 may send the access request message to the service node 202 by domain name mapping. That is, the forwarding node 201 may record a correspondence between domain names and dynamic IP addresses; on receiving the readdressed access request message from the external network port of the gatekeeper 30, the forwarding node 201 reads the domain name of the service node carried in the message, looks up the domain-name-to-dynamic-IP correspondence by that domain name to obtain the dynamic IP address corresponding to it, that is, the IP address of the service node 202, and sends the service request message to the service node 202 at that IP address.
As yet another example, the access request message may carry the domain name of the service node that the client 101 requests to access, and the forwarding node 201 may obtain the dynamic IP address corresponding to that domain name through domain name resolution, that is, the IP address of the service node 202, and send the service request message to the service node 202 at that IP address.
Moreover, because the forwarding node 201 is located in the second cloud system 20, the correspondence between domain names and IP addresses that it records can be updated promptly, so that even when the IP address corresponding to a domain name changes, the access request message still reaches the service node 202 it requests. Compared with the related art, the gatekeeper 30 no longer has to be reconfigured each time the IP address corresponding to a domain name changes, which effectively reduces labor cost and improves access efficiency, while the change is transparent to the client 101, improving the user experience.
Optionally, when the client 101 performs network access by domain name, it may obtain the IP address needed for that access through domain name resolution. Accordingly, as shown in FIG. 3, the first cloud system 10 further includes a second domain name server 102, which records the correspondence between the domain name of the service node and the IP address of the internal network port of the gatekeeper 30. The client 101 is then further configured to send the second domain name server 102 a second domain name resolution request carrying the domain name of the service node it requests to access; the second domain name server 102 is configured to resolve the domain name by looking up the correspondence between the domain name of the service node and the IP address of the internal network port of the gatekeeper 30, obtain the IP address of the internal network port, and send the client 101 a second domain name resolution response carrying that IP address. The client 101 is further configured to construct the access request message based on the IP address of the internal network port.
Further, to allow the service node 202 to return an access response message to the client 101, the gatekeeper 30 may also record the context information of the access request message. The context information includes the source IP address, source port number, destination IP address and destination port number of the access request message. Alternatively, the context information may include more than these four items; this embodiment does not limit it specifically. For example, the context information may also include the transport layer protocol.
Accordingly, the forwarding node 201 and the gatekeeper 30 further have the following functions:
The forwarding node 201 is further configured to receive the access response message that the service node 202 sends in reply to the access request message, and to send the access response message to the external network port. The source IP address of the access response message is the IP address of the service node 202, and its destination IP address is the IP address of the external network port.
The gatekeeper 30 is further configured to obtain the context information of the access response message and, when it matches the context information of the access request message, to change the source IP address of the access response message to the IP address of the internal network port, change its destination IP address to the IP address of the client 101 recorded in the context information of the access request message, and send the readdressed access response message to the client 101. The process by which the gatekeeper 30 goes from receiving the access response message to sending the readdressed message to the client 101 mirrors the process, described above, by which it handles the access request message on its way to the forwarding node 201, and is not repeated here.
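The request and response path described above, using the sample addresses that steps 503 to 505 below give (client 10.20.0.100, internal port 1.1.1.1, external port 2.1.1.1, service port 8080), as an added Python model that is not part of the patent: the gatekeeper records a request context, rewrites addresses and admits only responses that match a recorded context, while the forwarding node maps the domain name or port to the service node. The domain names, the forwarding-node address 192.0.2.10 and the service-node addresses are assumptions, and the two DNS servers are modelled as dictionaries.

```python
"""Model of the page's data path: client -> gatekeeper (address rewrite plus
context table) -> forwarding node (domain/port mapping) -> service node and
back.  Constructed; addresses follow steps 503-505, names/other IPs assumed."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    host: str = ""      # service domain name carried in the HTTP header
    payload: str = ""


# Second domain name server (first cloud): every service domain -> inner port IP.
SECOND_DNS: Dict[str, str] = {"portal.example.test": "1.1.1.1",
                              "apig.example.test": "1.1.1.1"}
# First domain name server (second cloud): service domain -> forwarding node IP.
FIRST_DNS: Dict[str, str] = {"portal.example.test": "192.0.2.10",
                             "apig.example.test": "192.0.2.10"}


class Gatekeeper:
    def __init__(self, inner_ip: str, outer_ip: str,
                 resolve: Callable[[str], Optional[str]]) -> None:
        self.inner_ip, self.outer_ip, self.resolve = inner_ip, outer_ip, resolve
        # request context (src_ip, src_port, dst_ip, dst_port, proto), keyed by
        # (client source port, proto): the response carries that port as its
        # destination port.  Entries would age out in a real device.
        self.contexts: Dict[Tuple[int, str], Tuple[str, int, str, int, str]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inner port -> storage medium -> outer port (steps 504 and 505)."""
        if pkt.dst_ip != self.inner_ip:
            return None                      # not addressed to the inner port
        self.contexts[(pkt.src_port, pkt.proto)] = (
            pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        fwd_ip = self.resolve(pkt.host)      # forwarding node, never the service node
        if fwd_ip is None:
            return None                      # unknown domain: nothing crosses
        # source becomes the outer port IP, so the client IP never leaves
        return replace(pkt, src_ip=self.outer_ip, dst_ip=fwd_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outer port -> storage medium -> inner port, only for a matching response."""
        if pkt.dst_ip != self.outer_ip:
            return None
        ctx = self.contexts.get((pkt.dst_port, pkt.proto))
        if ctx is None:
            return None                      # no outstanding request: drop
        client_ip, client_port = ctx[0], ctx[1]
        return replace(pkt, src_ip=self.inner_ip, dst_ip=client_ip, dst_port=client_port)


class ForwardingNode:
    """Proxy in the second cloud; its tables change without touching the gatekeeper."""
    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.by_domain: Dict[str, str] = {}   # domain name mapping
        self.by_port: Dict[int, str] = {}     # port mapping

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.ip:
            return None
        target = self.by_domain.get(pkt.host) or self.by_port.get(pkt.dst_port)
        return None if target is None else replace(pkt, dst_ip=target)


def client_request(host: str, client_ip: str = "10.20.0.100",
                   src_port: int = 40000, dst_port: int = 8080) -> Optional[Packet]:
    """Steps 501-503: resolve via the second DNS, then address the inner port."""
    ip = SECOND_DNS.get(host)
    return None if ip is None else Packet(client_ip, src_port, ip, dst_port, host=host)


def service_reply(pkt: Packet) -> Packet:
    """The service node answers the request it received (addresses swapped)."""
    return replace(pkt, src_ip=pkt.dst_ip, src_port=pkt.dst_port,
                   dst_ip=pkt.src_ip, dst_port=pkt.src_port, payload="200 OK")


def build_system() -> Tuple[Gatekeeper, ForwardingNode]:
    gk = Gatekeeper("1.1.1.1", "2.1.1.1", FIRST_DNS.get)
    fwd = ForwardingNode("192.0.2.10")
    fwd.by_domain["portal.example.test"] = "203.0.113.5"
    fwd.by_port[8080] = "203.0.113.5"
    return gk, fwd


def round_trip(gk: Gatekeeper, fwd: ForwardingNode, req: Packet) -> Optional[Packet]:
    """Full exchange; returns the response as delivered to the client, or None."""
    out = gk.outbound(req)
    at_svc = fwd.forward(out) if out else None
    return gk.inbound(service_reply(at_svc)) if at_svc else None
```

Moving the service node to a new address changes only the forwarding node's table; the gatekeeper's configuration and the client's view (1.1.1.1) stay the same, which is the point the text makes about avoiding gatekeeper reconfiguration.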
The access request message and the access response message in this embodiment may both be hypertext transfer protocol (HTTP) messages. Information such as the port number and the domain name can be carried in the HTTP message header.
In addition, to carry messages through the hybrid cloud system, the system may further include devices such as switches and network address translation gateways. For example, as shown in FIG. 4, a switch 103 may be placed between the client 101 and the internal network port of the gatekeeper 30, and a network address translation gateway 204 may be placed between the forwarding node 201 and the service node 202. The external network port of the gatekeeper 30 and the forwarding node may also be connected through a dedicated line network or a software-defined wide area network (SD-WAN).
In summary, in the hybrid cloud system provided by this embodiment, configuring a forwarding node in the second cloud system lets the gatekeeper send the access request message to the forwarding node, which in turn sends it to the service node, so that the client can access the service node. Compared with the related art, no dynamic DNS resolution function needs to be configured in the gatekeeper, so a general-purpose gatekeeper can be used in the deployment and the memory that the gatekeeper would otherwise spend storing resolved DNS addresses is saved; this lowers the cost of the gatekeeper and widens its range of application. Moreover, configuring dynamic DNS resolution in a gatekeeper would violate the gatekeeper's principle of static data exchange; because the gatekeeper in this embodiment needs no dynamic DNS resolution, that principle is preserved and the applicability of the hybrid cloud system is assured. At the same time, because the forwarding node is deployed in the second cloud system, the size and number of forwarding nodes can be scaled on demand to suit different application scenarios.
The following takes the hybrid cloud system shown in FIG. 3 as an example to describe the process of network access through the hybrid cloud provided by an embodiment of this application. As shown in FIG. 5, the network access method may include the following steps:
Step 501: The client sends the second domain name server a second domain name resolution request carrying the domain name of the service node.
When the client performs network access by domain name, it may obtain the IP address needed for that access through domain name resolution; it therefore sends the second domain name server a second domain name resolution request carrying the domain name of the service node.
Note that before the client sends the second domain name resolution request, the second domain name server must be configured in advance as the domain name server used by the first cloud system, so that it can resolve domain names for the client. Moreover, because every access request message with which the client requests access to a service node in the second cloud system must pass through the gatekeeper to reach the second cloud system, the second domain name server can be configured so that the domain names of all service nodes in the second cloud system resolve to the IP address of the internal network port of the gatekeeper, so that access request messages are transmitted correctly. For example, if the IP address of the internal network port is 1.1.1.1, the second domain name server can be configured so that the domain names of all service nodes in the second cloud system map to 1.1.1.1.
Step 502: The second domain name server resolves the domain name of the service node to obtain the IP address of the internal network port, and sends the client a second domain name resolution response carrying the IP address of the internal network port.
On receiving the second domain name resolution request from the client, the second domain name server obtains the IP address of the internal network port corresponding to the domain name of the service node from the correspondence between the domain name of the service node and the IP address of the internal network port that it records.
Step 503: The client sends an access request message to the internal network port according to the IP address of the internal network port; the source IP address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port.
After receiving the IP address of the internal network port carried in the second domain name resolution response, the client can construct the access request message from that IP address, with the client's IP address as the source IP address and the IP address of the internal network port as the destination IP address. Optionally, the access request message may also carry the port number of the service node that the client requests to access. For example, if the port number of the requested service node is 8080, the client's IP address is 10.20.0.100 and the IP address of the internal network port is 1.1.1.1, then the destination port of the access request message is 8080, its source IP address is 10.20.0.100 and its destination IP address is 1.1.1.1.
步骤504、网闸的内网口记录访问请求报文的上下文信息。Step 504: The internal network port of the gatekeeper records the context information of the access request message.
网闸的内网口在接收到客户端发送的访问请求报文后,可以记载该访问请求报文的上下文信息,以便于根据该上下文信息向客户端发送针对该访问请求报文发送的访问响应报文。其中,上下文信息可以包括:访问请求报文的源IP地址、源端口号、目的IP地址和目的端口号。或者,上下文信息还可以包括除源IP地址、源端口号、目的IP地址和目的端口号外的更多信息,本申请实施例对其不做具体限定。例如,上下文信息还可以包括传输层协议。After the internal network port of the gatekeeper receives the access request message sent by the client, it can record the context information of the access request message, so that the client can send the access response for the access request message to the client according to the context information Message. The context information may include: the source IP address, source port number, destination IP address, and destination port number of the access request message. Alternatively, the context information may also include more information other than the source IP address, source port number, destination IP address, and destination port number, which are not specifically limited in the embodiment of the present application. For example, the context information may also include a transport layer protocol.
Step 505: The gatekeeper's storage medium connects to the internal network port, the access request packet is copied into the storage medium, and the source IP address of the access request packet is changed to the IP address of the external network port.
For the implementation of step 505, refer to the corresponding description in the foregoing system embodiment; it is not repeated here.
For example, assume the IP address of the external network port is 2.1.1.1 and continue the example of step 503: after the access request packet has been copied into the storage medium, its source IP address can be changed from 10.20.0.100 to 2.1.1.1.
Step 506: The gatekeeper's external network port connects to the storage medium, the access request packet is copied to the external network port, the IP address of the forwarding node that will deliver the access request packet to the service node is obtained, the destination IP address of the access request packet is changed to the forwarding node's IP address, and the readdressed access request packet is sent to the forwarding node.
For the implementation of step 506, refer to the corresponding description in the foregoing system embodiment; it is not repeated here.
For example, assume the IP address of the forwarding node that delivers the access request packet to the service node is 10.10.0.253 and continue the example of step 503: after the external network port has copied the access request packet out of the storage medium, the destination IP address of the access request packet can be changed from 1.1.1.1 to 10.10.0.253.
Step 507: The forwarding node sends the readdressed access request packet to the service node.
Step 507 may be implemented as follows: the forwarding node delivers the readdressed access request packet to the service node based on one or more of the service node's domain name and the service node's port number carried in the packet. For the specific implementation, refer to the corresponding description in the foregoing system embodiment; it is not repeated here.
Step 508: The forwarding node receives the access response packet that the service node sends in reply to the access request packet and sends it to the external network port. The source IP address of the access response packet is the IP address of the service node and the destination IP address is the IP address of the external network port.
Step 509: The gatekeeper obtains the context information of the access response packet. When it matches the context information of the access request packet, the gatekeeper changes the source IP address of the access response packet to the IP address of the internal network port, changes its destination IP address to the client's IP address recorded in the context information of the access request packet, and sends the readdressed access response packet to the client.
To protect the data, the operation of changing the destination IP address of the access response packet to the client's IP address recorded in the context information of the access request packet can be performed by the gatekeeper's internal network port. The gatekeeper's processing from receiving the access response packet to sending the readdressed access response packet to the client mirrors its processing from receiving the access request packet to sending the readdressed access request packet to the forwarding node; it is not repeated here.
In summary, in the network access method provided by the embodiments of this application, the gatekeeper changes the source IP address of the access request packet to the IP address of the external network port and its destination IP address to the IP address of the forwarding node, sends the readdressed access request packet to the forwarding node, and the forwarding node delivers it to the service node, so that the client can access the service node. Compared with the related art, no dynamic DNS resolution function needs to be configured in the gatekeeper: a general-purpose gatekeeper can be used in the deployment, and the memory the gatekeeper would otherwise spend on storing resolved DNS addresses is saved, which lowers the gatekeeper's cost and widens its applicability. Moreover, because configuring dynamic DNS resolution in the gatekeeper would violate the gatekeeper's principle of static data exchange, and the gatekeeper in the embodiments of this application needs no such function, that principle is preserved and the hybrid cloud system remains widely applicable. Finally, because the forwarding node is deployed in the second cloud system, the size and number of forwarding nodes can be scaled on demand to suit different application scenarios.
It should be noted that the order of the steps of the network access method provided in the embodiments of this application may be adjusted as appropriate, and steps may be added or removed as the situation requires. Any variation of the method that a person skilled in the art could readily conceive within the technical scope disclosed in this application falls within the protection scope of this application and is not described further.
An embodiment of this application further provides a gatekeeper. The internal network port of the gatekeeper is connected to the first cloud system and its external network port is connected to the second cloud system. As shown in Figure 6, the gatekeeper 60 includes:
a first transceiver module 601, configured to receive an access request packet sent by a client in the first cloud system, where the source IP address of the access request packet is the client's IP address and the destination IP address is the IP address of the internal network port;
a second transceiver module 602, configured to change the source IP address of the access request packet to the IP address of the external network port, change its destination IP address to the IP address of the forwarding node, and send the readdressed access request packet to the forwarding node in the second cloud system, so that the forwarding node delivers it to the service node.
Optionally, the access request packet also carries the domain name of the service node. In that case the second transceiver module 602 is further configured to send a first domain name resolution request carrying the service node's domain name to the first domain name server in the second cloud system, and to receive from the first domain name server a first domain name resolution response carrying the IP address of the forwarding node; the first domain name server records the correspondence between the service node's domain name and the forwarding node's IP address.
Optionally, the first transceiver module 601 is further configured to record the context information of the access request packet, which includes the source IP address, source port number, destination IP address and destination port number of the access request packet.
Optionally, the second transceiver module 602 is further configured to receive an access response packet sent by the forwarding node, where the access response packet is sent by the service node to the forwarding node in reply to the access request packet, its source IP address is the IP address of the service node and its destination IP address is the IP address of the gatekeeper's external network port;
correspondingly, the first transceiver module 601 is further configured to obtain the context information of the access response packet and, when it matches the context information of the access request packet, change the source IP address of the access response packet to the IP address of the internal network port, change its destination IP address to the client's IP address recorded in the context information of the access request packet, and send the readdressed access response packet to the client.
In summary, in the gatekeeper provided by the embodiments of this application, the second transceiver module changes the source IP address of the access request packet to the IP address of the external network port and its destination IP address to the IP address of the forwarding node, and sends the readdressed access request packet to the forwarding node so that the forwarding node can deliver it to the service node, which lets the client access the service node. Compared with the related art, no dynamic DNS resolution function needs to be configured in the gatekeeper: a general-purpose gatekeeper can be used in the deployment, and the memory the gatekeeper would otherwise spend on storing resolved DNS addresses is saved, which lowers the gatekeeper's cost and widens its applicability. Moreover, because configuring dynamic DNS resolution in the gatekeeper would violate the gatekeeper's principle of static data exchange, and the gatekeeper in the embodiments of this application needs no such function, that principle is preserved and the hybrid cloud system remains widely applicable. Finally, because the forwarding node is deployed in the second cloud system, the size and number of forwarding nodes can be scaled on demand to suit different application scenarios.
Those skilled in the art will understand that, for brevity of description, the configuration and operation of the gatekeeper and its modules described above follow the corresponding content of the foregoing system and method embodiments and are not repeated here.
An embodiment of this application further provides a network access method that can be applied to a gatekeeper. As shown in Figure 7, the method may include:
Step 701: Receive an access request packet sent by a client in the first cloud system; the source IP address of the access request packet is the client's IP address and the destination IP address is the IP address of the internal network port.
Step 702: Record the context information of the access request packet, including its source IP address, source port number, destination IP address and destination port number.
Step 703: Change the source IP address of the access request packet to the IP address of the external network port, change its destination IP address to the IP address of the forwarding node, and send the readdressed access request packet to the forwarding node in the second cloud system, so that the forwarding node delivers it to the service node.
Before the gatekeeper changes the destination IP address of the access request packet to the IP address of the forwarding node, it must first obtain that IP address, which can be done in either of the following ways:
In a first implementation, the access request packet carries the domain name of the service node it wants to reach, and the gatekeeper obtains the IP address of the forwarding node through DNS resolution. In that case, as shown in Figure 2, the second cloud system 20 further includes a first domain name server 203, which records the correspondence between the domain name of the service node and the IP address of the forwarding node 201. Accordingly, the gatekeeper 30 sends a first domain name resolution request carrying the service node's domain name to the first domain name server 203 and receives from it a first domain name resolution response carrying the IP address of the forwarding node. The first domain name server 203 resolves the service node's domain name by looking it up in that correspondence and returns the IP address of the forwarding node 201.
In a second implementation, the access request packet carries at least one item of target information, namely the domain name and/or the port number of the service node it wants to reach, and the gatekeeper stores a correspondence between the target information and the IP address of the forwarding node; the gatekeeper looks up the target information in that correspondence to obtain the forwarding node's IP address. For example, the gatekeeper may store a correspondence between service node domain names and forwarding node IP addresses; once it has extracted the service node's domain name from the access request packet, it looks that domain name up to obtain the forwarding node's IP address.
Step 704: Receive an access response packet sent by the forwarding node; the access response packet is sent by the service node to the forwarding node in reply to the access request packet, its source IP address is the IP address of the service node and its destination IP address is the IP address of the gatekeeper's external network port.
Step 705: Obtain the context information of the access response packet and, when it matches the context information of the access request packet, change the source IP address of the access response packet to the IP address of the internal network port, change its destination IP address to the client's IP address recorded in the context information of the access request packet, and send the readdressed access response packet to the client.
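The request and response handling of steps 503 to 509, and equally of steps 701 to 705, as an added worked example. This is a simulation written for this page, not code from the patent. It reuses the addresses of the worked example (client 10.20.0.100, internal network port 1.1.1.1, external network port 2.1.1.1, forwarding node 10.10.0.253, service port 8080) and fills in details the text leaves open, each marked ASSUMED in the code: the service node's domain name is carried as an HTTP Host header (svc.example.com), the forwarding node is taken from a gatekeeper-local domain-to-address table (the second implementation described for step 703) rather than a query to the first domain name server, the client's source port (40000) and the service node's address (10.10.0.7) are invented, and a response is matched to its request on the transport layer protocol plus the response's port pair mirroring the request's. The storage medium is modelled so that only one network port can be attached to it at a time, which is the static data exchange property the summary refers to.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # transport layer protocol, part of the context of step 504
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def host_header(payload: bytes) -> Optional[str]:
    """Domain name of the service node. ASSUMED: HTTP request, Host header."""
    for line in payload.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode().split(":")[0]
    return None


class StorageMedium:
    """One-slot store to which only one network port is attached at a time."""

    def __init__(self) -> None:
        self.attached: Optional[str] = None
        self.slot: Optional[Packet] = None

    def attach(self, port: str) -> None:
        if self.attached is not None:
            raise RuntimeError(f"{self.attached} is still attached")
        self.attached = port

    def detach(self, port: str) -> None:
        assert self.attached == port
        self.attached = None

    def write(self, port: str, pkt: Packet) -> None:
        assert self.attached == port
        self.slot = pkt

    def read(self, port: str) -> Packet:
        assert self.attached == port and self.slot is not None
        pkt, self.slot = self.slot, None
        return pkt


class Gatekeeper:
    def __init__(self, inner_ip: str, outer_ip: str, forwarders: Dict[str, str]) -> None:
        self.inner_ip = inner_ip
        self.outer_ip = outer_ip
        self.forwarders = forwarders   # ASSUMED: local domain -> forwarding node table
        self.store = StorageMedium()
        # Context of step 504 keyed by (proto, client port, service port). Entries
        # are kept so a multi-packet reply still matches; a device would expire them.
        self.contexts: Dict[Tuple[str, int, int], Packet] = {}

    def _ferry(self, pkt: Packet, src: str, dst: str) -> Packet:
        """Copy a packet across the storage medium, one port attached at a time."""
        self.store.attach(src)
        self.store.write(src, pkt)
        self.store.detach(src)
        self.store.attach(dst)
        out = self.store.read(dst)
        self.store.detach(dst)
        return out

    def inbound_request(self, pkt: Packet) -> Optional[Packet]:
        """Steps 504-506: record context, stage, rewrite source then destination."""
        if pkt.dst_ip != self.inner_ip:
            return None
        self.contexts[(pkt.proto, pkt.src_port, pkt.dst_port)] = pkt
        staged = self._ferry(replace(pkt, src_ip=self.outer_ip), "inner", "outer")
        fwd_ip = self.forwarders.get(host_header(staged.payload) or "")
        if fwd_ip is None:
            return None          # no forwarding node known for this domain
        return replace(staged, dst_ip=fwd_ip)

    def outbound_response(self, pkt: Packet) -> Optional[Packet]:
        """Steps 508-509: match context, stage, rewrite back toward the client."""
        if pkt.dst_ip != self.outer_ip:
            return None
        # ASSUMED match rule: same protocol, response ports mirror the request's.
        ctx = self.contexts.get((pkt.proto, pkt.dst_port, pkt.src_port))
        if ctx is None:
            return None          # unsolicited traffic from the second cloud is dropped
        staged = self._ferry(pkt, "outer", "inner")
        return replace(staged, src_ip=self.inner_ip, dst_ip=ctx.src_ip)


def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Worked example of steps 503-509 plus one constructed unsolicited packet."""
    gk = Gatekeeper("1.1.1.1", "2.1.1.1", {"svc.example.com": "10.10.0.253"})  # domain ASSUMED
    request = Packet("tcp", "10.20.0.100", 40000, "1.1.1.1", 8080,             # port 40000 ASSUMED
                     b"GET / HTTP/1.1\r\nHost: svc.example.com\r\n\r\n")
    forwarded = gk.inbound_request(request)
    response = Packet("tcp", "10.10.0.7", 8080, "2.1.1.1", 40000,              # 10.10.0.7 ASSUMED
                      b"HTTP/1.1 200 OK\r\n\r\n")
    returned = gk.outbound_response(response)
    rogue = Packet("tcp", "10.10.0.7", 4444, "2.1.1.1", 40001, b"x")           # constructed, no context
    return forwarded, returned, gk.outbound_response(rogue)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The check a practitioner cares about is the one in `outbound_response`: a packet arriving at the external network port with no recorded context is discarded rather than readdressed toward the first cloud system, so the second cloud cannot originate traffic into the client network. Because the response's source address is the service node's and not the forwarding node's that the request was sent to, the match here rests on the port pair; a deployment would want the forwarding node to preserve the client's source port, as assumed above, and the context table to expire entries.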
In summary, in the network access method provided by the embodiments of this application, the source IP address of the access request packet is changed to the IP address of the external network port and its destination IP address to the IP address of the forwarding node, and the readdressed access request packet is sent to the forwarding node so that the forwarding node can deliver it to the service node, which lets the client access the service node. Compared with the related art, no dynamic DNS resolution function needs to be configured in the gatekeeper: a general-purpose gatekeeper can be used in the deployment, and the memory the gatekeeper would otherwise spend on storing resolved DNS addresses is saved, which lowers the gatekeeper's cost and widens its applicability. Moreover, because configuring dynamic DNS resolution in the gatekeeper would violate the gatekeeper's principle of static data exchange, and the gatekeeper in the embodiments of this application needs no such function, that principle is preserved and the hybrid cloud system remains widely applicable. Finally, because the forwarding node is deployed in the second cloud system, the size and number of forwarding nodes can be scaled on demand to suit different application scenarios.
It should be noted that the order of the steps of the network access method provided in the embodiments of this application may be adjusted as appropriate, and steps may be added or removed as the situation requires. Any variation of the method that a person skilled in the art could readily conceive within the technical scope disclosed in this application falls within the protection scope of this application and is not described further.
Moreover, those skilled in the art will understand that, for brevity of description, the implementation described above follows the corresponding processes of the foregoing system and method embodiments and is not repeated here.
An embodiment of this application further provides another gatekeeper. Figure 8 shows one possible architecture. As shown in Figure 8, the gatekeeper 80 may include a processor 801, a memory 802, a first network port 803, a second network port 804 and a bus 805.
The gatekeeper may have one or more processors 801; Figure 8 shows only one. If the gatekeeper has several processors 801, they may be of the same or of different types. Optionally, the processors may be integrated into one multi-core processor. The processor 801 may be a hardware chip that carries out the network access method provided in the embodiments of this application. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination of the two. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these. Alternatively, the processor 801 may be a general-purpose processor, for example a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP.
The memory 802 stores computer instructions and data, in particular the computer instructions and data needed to implement the network access method provided in this application. The memory 802 may be volatile memory, non-volatile memory, or both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD). The volatile memory may be random access memory (RAM), used as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
The first network port 803 may be any one or any combination of the following: a network interface (such as an Ethernet interface), a wireless network card, or another device with network access capability. The first network port 803 is used for data communication between the gatekeeper and other network nodes.
The second network port 804 may be any one or any combination of the following: a network interface (such as an Ethernet interface), a wireless network card, or another device with network access capability. The second network port 804 is used for data communication between the gatekeeper and other network nodes.
When the processor executes the computer program, the gatekeeper can control the first network port, the second network port and the memory to perform the following steps: after one of the two network ports receives a packet, it establishes a connection with the memory and copies the packet into it; after the memory has been disconnected from that port, the other network port establishes a connection with the memory, copies the packet out of it, and transmits the packet.
Figure 8 also shows the bus 805. The bus 805 connects the processor 801 with the memory 802 and the network ports 803 and 804. Over the bus 805 the processor 801 can access the memory 802 and can exchange data with other network nodes through at least one of the first network port 803 and the second network port 804.
In this application, the gatekeeper executes the computer instructions in the memory 802 to implement the network access method provided herein. For example, it may perform the following steps: receive an access request packet sent by a client in the first cloud system, where the destination port of the packet is the port number of the service node in the second cloud system that the client wants to access, the source IP address is the client's IP address and the destination IP address is the IP address of the internal network port; change the source IP address of the access request packet to the IP address of the external network port, change its destination IP address to the IP address of the forwarding node, and send the readdressed access request packet to the forwarding node in the second cloud system so that the forwarding node delivers it to the service node. For the implementation of these steps, refer to the corresponding description in the foregoing method embodiments.
An embodiment of this application further provides a storage medium, which is a non-volatile computer-readable storage medium; when the instructions in the storage medium are executed by a processor, the network access method of the embodiments of this application is implemented.
An embodiment of this application further provides a computer program product containing instructions; when the computer program product runs on a computer, it causes the computer to perform the network access method of the embodiments of this application.
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented in hardware, or by a program that instructs the relevant hardware. The program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc.
In the embodiments of this application, the terms "first", "second" and "third" are used for description only and are not to be understood as indicating or implying relative importance. The term "at least one" means one or more, and the term "plurality" means two or more, unless expressly defined otherwise.
In this application the term "and/or" merely describes an association between objects and covers three cases; for example, "A and/or B" may mean A alone, both A and B, or B alone. The character "/" in this text generally indicates an "or" relationship between the objects before and after it.
The above are merely optional embodiments of this application and do not limit it. Any modification, equivalent replacement, improvement or the like made within the concept and principles of this application falls within its protection scope.

Claims (22)

  1. A hybrid cloud system, characterized in that the hybrid cloud system comprises a first cloud system, a second cloud system and a gatekeeper, the first cloud system comprises a client, the second cloud system comprises a forwarding node and a service node, an internal network port of the gatekeeper is connected to the first cloud system, and an external network port of the gatekeeper is connected to the second cloud system;
    the client is configured to send an access request message to the internal network port, where the source Internet Protocol (IP) address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port;
    the gatekeeper is configured to change the source IP address of the access request message to the IP address of the external network port, change the destination IP address of the access request message to the IP address of the forwarding node, and send the address-changed access request message to the forwarding node;
    the forwarding node is configured to send the address-changed access request message to the service node.
  2. The hybrid cloud system according to claim 1, characterized in that the second cloud system further comprises a first domain name server, the access request message further carries the domain name of the service node, and the first domain name server records a correspondence between the domain name and the IP address of the forwarding node,
    the gatekeeper is further configured to send a first domain name resolution request carrying the domain name to the first domain name server;
    the first domain name server is configured to perform domain name resolution based on the domain name to obtain the IP address of the forwarding node, and to send a first domain name resolution response carrying the IP address of the forwarding node to the gatekeeper.
  3. The hybrid cloud system according to claim 1 or 2, characterized in that the first cloud system further comprises a second domain name server, and the second domain name server records a correspondence between the domain name of the service node and the IP address of the internal network port;
    the client is further configured to send a second domain name resolution request carrying the domain name to the second domain name server;
    the second domain name server is configured to perform domain name resolution based on the domain name to obtain the IP address of the internal network port, and to send a second domain name resolution response carrying the IP address of the internal network port to the client.
  4. The hybrid cloud system according to any one of claims 1 to 3, characterized in that:
    the forwarding node is specifically configured to send the address-changed access request message to the service node based on one or more of the domain name of the service node and the port number of the service node carried in the address-changed access request message.
  5. The hybrid cloud system according to any one of claims 1 to 4, characterized in that:
    the gatekeeper is further configured to record context information of the access request message, the context information comprising: the source IP address, the source port number, the destination IP address and the destination port number of the access request message.
  6. The hybrid cloud system according to claim 5, characterized in that:
    the forwarding node is further configured to receive an access response message sent by the service node based on the access request message, and to send the access response message to the external network port, where the source IP address of the access response message is the IP address of the service node and the destination IP address is the IP address of the external network port;
    the gatekeeper is further configured to obtain context information of the access response message and, when the context information of the access response message matches the context information of the access request message, to change the source IP address of the access response message to the IP address of the internal network port, change the destination IP address of the access response message to the IP address of the client recorded in the context information of the access request message, and send the address-changed access response message to the client.
  7. A network access method, characterized in that the method is applied to a hybrid cloud system, the hybrid cloud system comprises a first cloud system, a second cloud system and a gatekeeper, the first cloud system comprises a client, the second cloud system comprises a forwarding node and a service node, an internal network port of the gatekeeper is connected to the first cloud system, and an external network port of the gatekeeper is connected to the second cloud system, the method comprising:
    sending, by the client, an access request message to the internal network port, where the source Internet Protocol (IP) address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port;
    changing, by the gatekeeper, the source IP address of the access request message to the IP address of the external network port, changing the destination IP address of the access request message to the IP address of the forwarding node, and sending the address-changed access request message to the forwarding node;
    sending, by the forwarding node, the address-changed access request message to the service node.
  8. The method according to claim 7, characterized in that the second cloud system further comprises a first domain name server, the access request message further carries the domain name of the service node, and the first domain name server records a correspondence between the domain name and the IP address of the forwarding node, the method further comprising:
    sending, by the gatekeeper, a first domain name resolution request carrying the domain name to the first domain name server;
    performing, by the first domain name server, domain name resolution based on the domain name to obtain the IP address of the forwarding node, and sending a first domain name resolution response carrying the IP address of the forwarding node to the gatekeeper.
  9. The method according to claim 7 or 8, characterized in that the first cloud system further comprises a second domain name server, and the second domain name server records a correspondence between the domain name of the service node and the IP address of the internal network port, the method further comprising:
    sending, by the client, a second domain name resolution request carrying the domain name to the second domain name server;
    performing, by the second domain name server, domain name resolution based on the domain name to obtain the IP address of the internal network port, and sending a second domain name resolution response carrying the IP address of the internal network port to the client.
  10. The method according to any one of claims 7 to 9, characterized in that the sending, by the forwarding node, of the address-changed access request message to the service node comprises:
    sending, by the forwarding node, the address-changed access request message to the service node based on one or more of the domain name of the service node and the port number of the service node carried in the address-changed access request message.
  11. The method according to any one of claims 7 to 10, characterized in that the method further comprises:
    recording, by the gatekeeper, context information of the access request message, the context information comprising: the source IP address, the source port number, the destination IP address and the destination port number of the access request message.
  12. The method according to claim 11, characterized in that the method further comprises:
    receiving, by the forwarding node, an access response message sent by the service node based on the access request message, and sending the access response message to the external network port, where the source IP address of the access response message is the IP address of the service node and the destination IP address is the IP address of the external network port;
    obtaining, by the gatekeeper, context information of the access response message and, when the context information of the access response message matches the context information of the access request message, changing the source IP address of the access response message to the IP address of the internal network port, changing the destination IP address of the access response message to the IP address of the client recorded in the context information of the access request message, and sending the address-changed access response message to the client.
  13. A gatekeeper, characterized in that an internal network port of the gatekeeper is connected to a first cloud system and an external network port of the gatekeeper is connected to a second cloud system, the gatekeeper comprising:
    a first transceiver module, configured to receive an access request message sent by a client in the first cloud system, where the source IP address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port;
    a second transceiver module, configured to change the source IP address of the access request message to the IP address of the external network port, change the destination IP address of the access request message to the IP address of a forwarding node, and send the address-changed access request message to the forwarding node in the second cloud system, so that the forwarding node sends the address-changed access request message to the service node.
  14. The gatekeeper according to claim 13, characterized in that the access request message further carries the domain name of the service node,
    the second transceiver module is further configured to send a first domain name resolution request carrying the domain name to a first domain name server in the second cloud system, and to receive a first domain name resolution response, sent by the first domain name server, carrying the IP address of the forwarding node, where the first domain name server records a correspondence between the domain name and the IP address of the forwarding node.
  15. The gatekeeper according to claim 13 or 14, characterized in that:
    the first transceiver module is further configured to record context information of the access request message, the context information comprising: the source IP address, the source port number, the destination IP address and the destination port number of the access request message.
  16. The gatekeeper according to claim 15, characterized in that:
    the second transceiver module is further configured to receive an access response message sent by the forwarding node, where the access response message is sent by the service node to the forwarding node based on the access request message, the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port of the gatekeeper;
    the first transceiver module is further configured to obtain context information of the access response message and, when the context information of the access response message matches the context information of the access request message, to change the source IP address of the access response message to the IP address of the internal network port, change the destination IP address of the access response message to the IP address of the client recorded in the context information of the access request message, and send the address-changed access response message to the client.
  17. A network access method, characterized in that the method is applied to a gatekeeper, an internal network port of the gatekeeper is connected to a first cloud system, and an external network port of the gatekeeper is connected to a second cloud system, the method comprising:
    receiving an access request message sent by a client in the first cloud system, where the source IP address of the access request message is the IP address of the client and the destination IP address is the IP address of the internal network port;
    changing the source IP address of the access request message to the IP address of the external network port, changing the destination IP address of the access request message to the IP address of a forwarding node, and sending the address-changed access request message to the forwarding node in the second cloud system, so that the forwarding node sends the address-changed access request message to the service node.
  18. The method according to claim 17, characterized in that the access request message further carries the domain name of the service node, the method further comprising:
    sending a first domain name resolution request carrying the domain name to a first domain name server in the second cloud system, and receiving a first domain name resolution response, sent by the first domain name server, carrying the IP address of the forwarding node, where the first domain name server records a correspondence between the domain name and the IP address of the forwarding node.
  19. The method according to claim 17 or 18, characterized in that the method further comprises:
    recording context information of the access request message, the context information comprising: the source IP address, the source port number, the destination IP address and the destination port number of the access request message.
  20. The method according to claim 19, characterized in that the method further comprises:
    receiving an access response message sent by the forwarding node, where the access response message is sent by the service node to the forwarding node based on the access request message, the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port of the gatekeeper;
    obtaining context information of the access response message and, when the context information of the access response message matches the context information of the access request message, changing the source IP address of the access response message to the IP address of the internal network port, changing the destination IP address of the access response message to the IP address of the client recorded in the context information of the access request message, and sending the address-changed access response message to the client.
  21. A gatekeeper, characterized in that the gatekeeper comprises a first network port, a second network port, a processor and a memory, the memory storing a computer program, and when the processor executes the computer program, the gatekeeper implements the method according to any one of claims 17 to 20.
  22. A storage medium, characterized in that, when the instructions in the storage medium are executed by a processor, the method according to any one of claims 17 to 20 is implemented.
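The request and response path of claims 1 to 6 (and, from the gatekeeper's side, claims 13 to 20) as an added Python simulation; this is not code from the patent or its applicant. It shows the gatekeeper rewriting both addresses, recording the request's 4-tuple context, and passing a reply into the first cloud system only when its context matches a recorded request, so that an unsolicited packet arriving from the second cloud system is dropped. The DNS tables, addresses, port numbers, the routing table of the forwarding node and the exact fields compared when a response is matched against the recorded context are all assumptions, since the claims say only that the two contexts must "match".

```python
"""Simulation of the hybrid-cloud gatekeeper described in the claims.

Constructed example: a client in cloud 1 reaches a service node in cloud 2
through the gatekeeper's internal network port.  All addresses, names and
the response-matching rule are assumptions made for this illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    domain: str = ""        # service node domain carried in the request (claim 2)
    payload: bytes = b""


# Second domain name server in cloud 1 (claim 3): service domain -> internal port IP.
CLOUD1_DNS = {"svc.example.internal": "10.1.0.1"}
# First domain name server in cloud 2 (claim 2): service domain -> forwarding node IP.
CLOUD2_DNS = {"svc.example.internal": "10.2.0.1"}


class ForwardingNode:
    """Forwarding node in cloud 2: selects the service node by domain and port (claim 4)."""

    def __init__(self, ip: str, routes: dict):
        self.ip = ip
        self.routes = routes          # (domain, destination port) -> service node IP

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.ip:
            return None
        svc_ip = self.routes.get((pkt.domain, pkt.dst_port))
        if svc_ip is None:
            return None
        return replace(pkt, dst_ip=svc_ip)


class Gatekeeper:
    """Gatekeeper: the internal port faces cloud 1, the external port faces cloud 2."""

    def __init__(self, internal_ip: str, external_ip: str, cloud2_dns: dict):
        self.internal_ip = internal_ip
        self.external_ip = external_ip
        self.cloud2_dns = cloud2_dns
        # Context table (claim 5): the request 4-tuple, keyed by the
        # (external port IP, client source port) pair a legitimate response
        # must be addressed to.  This keying rule is an assumption; the claims
        # only state that the response context must "match" the request context.
        self.contexts: dict = {}

    def handle_request(self, pkt: Packet) -> Optional[Packet]:
        # Only traffic addressed to the internal network port is admitted (claim 1).
        if pkt.dst_ip != self.internal_ip:
            return None
        fwd_ip = self.cloud2_dns.get(pkt.domain)   # first domain name resolution (claim 2)
        if fwd_ip is None:
            return None
        self.contexts[(self.external_ip, pkt.src_port)] = (
            pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Source becomes the external port IP, destination the forwarding node (claim 1).
        return replace(pkt, src_ip=self.external_ip, dst_ip=fwd_ip)

    def handle_response(self, pkt: Packet) -> Optional[Packet]:
        ctx = self.contexts.get((pkt.dst_ip, pkt.dst_port))
        # Drop anything that does not correspond to a recorded request (claim 6):
        # packets from cloud 2 that nobody in cloud 1 asked for never cross over.
        if ctx is None or pkt.src_port != ctx[3]:
            return None
        client_ip = ctx[0]
        return replace(pkt, src_ip=self.internal_ip, dst_ip=client_ip)


def run_exchange() -> tuple:
    """Walk one request/response pair through the system and return each hop."""
    gk = Gatekeeper("10.1.0.1", "10.2.0.254", CLOUD2_DNS)
    fwd = ForwardingNode("10.2.0.1", {("svc.example.internal", 8443): "10.2.0.50"})
    domain = "svc.example.internal"
    # Step 1: the client resolves the domain at the cloud 1 DNS and gets the internal port IP.
    req = Packet("10.1.0.20", 40000, CLOUD1_DNS[domain], 8443, domain, b"GET /")
    # Step 2: the gatekeeper records the context, rewrites and forwards.
    req_out = gk.handle_request(req)
    # Step 3: the forwarding node delivers the message to the service node.
    at_svc = fwd.forward(req_out)
    # Step 4: the service node answers with the external port IP as destination (claim 6).
    resp = Packet(at_svc.dst_ip, at_svc.dst_port, at_svc.src_ip, at_svc.src_port,
                  payload=b"200 OK")
    # Step 5: the gatekeeper matches the context and returns the reply to the client.
    resp_in = gk.handle_response(resp)
    # A packet from cloud 2 with no recorded request is dropped.
    stray = gk.handle_response(Packet("10.2.0.99", 8443, gk.external_ip, 51000))
    return req_out, at_svc, resp_in, stray
```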
PCT/CN2021/091185 2020-04-30 2021-04-29 Hybrid cloud system, gatekeeper, network access method and storage medium WO2021219104A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010360536.XA CN113596184B (en) 2020-04-30 2020-04-30 Hybrid cloud system, gatekeeper, network access method and storage medium
CN202010360536.X 2020-04-30

Publications (1)

Publication Number Publication Date
WO2021219104A1 true WO2021219104A1 (en) 2021-11-04

Family

ID=78236878

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/091185 WO2021219104A1 (en) 2020-04-30 2021-04-29 Hybrid cloud system, gatekeeper, network access method and storage medium

Country Status (2)

Country Link
CN (1) CN113596184B (en)
WO (1) WO2021219104A1 (en)

Also Published As

Publication number Publication date
CN113596184A (en) 2021-11-02
CN113596184B (en) 2023-08-08


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21796234

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21796234

Country of ref document: EP

Kind code of ref document: A1