CN107995144A - Access control method and device based on security groups - Google Patents

Info

Publication number: CN107995144A
Authority: CN (China)
Prior art keywords: secure group, virtual machine, access control, group, secure
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201610944504.8A
Other languages: Chinese (zh)
Other versions: CN107995144B (en)
Inventors: 李阳, 刘涛
Current assignee: Beijing Kingsoft Cloud Network Technology Co Ltd; Beijing Kingsoft Cloud Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Kingsoft Cloud Network Technology Co Ltd; Beijing Kingsoft Cloud Technology Co Ltd
Priority date: assumed, not a legal conclusion (Google has not performed a legal analysis)

Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd and Beijing Kingsoft Cloud Technology Co Ltd
Priority to CN201610944504.8A
Publication of CN107995144A
Application granted
Publication of CN107995144B
Legal status: Active

Classifications

    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies)
    • H04L63/0263 Rule management (under H04L63/00; H04L63/02; H04L63/0227 Filtering policies)
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiment of the invention discloses an access control method and device based on security groups. The method includes: receiving a configuration request for at least two target security groups; determining a target virtual machine; and establishing an access control relationship between the target virtual machine and each of the target security groups. With the access control scheme provided by the embodiment of the invention, the communication efficiency between virtual machines can be improved.

Description

Access control method and device based on security groups
Technical field
The present invention relates to the field of information security, and in particular to an access control method and device based on security groups.
Background technology
A security group is a virtual firewall used to set network access control for one or more virtual machines. It is an important means of network security isolation: it is configured on the host and is used to divide security domains in the cloud. By setting access rules between security groups, a complex multi-layer access control system can be built, so that overall system security is achieved. An existing security group can perform access control by conditions such as security group, IP (Internet Protocol) address, port, communication protocol, and intranet/extranet. Different virtual machines may be placed in the same security group or in different security groups as needed, and virtual machines in the same security group intercommunicate by default. One security group can correspond to one or more virtual machines, but one virtual machine can correspond to only one security group; that is, a virtual machine can establish an access control relationship with only one security group, so a virtual machine can only communicate with other virtual machines according to a single security group.
Given the above, since virtual machines in the same security group intercommunicate, two virtual machines in the same security group can communicate directly, whereas virtual machines that are not in the same security group cannot communicate directly in the manner described above.
In the prior art, communication between virtual machines in different security groups is generally realized by setting security group access control rules. Specifically, each security group can be given rules that authorize access control between security groups and IP addresses for its virtual machines. When a first virtual machine in a first security group needs to communicate with a second virtual machine in a second security group, the access control rules of the first security group are first matched against the access control rules of the second security group, and only if the match succeeds is the first virtual machine allowed to communicate with the second virtual machine.
Communication between virtual machines in the same security group, and between virtual machines in different security groups, can be realized in the above way. However, a VPC (Virtual Private Cloud) usually contains multiple hosts, and multiple virtual machines can be deployed on one host. When the number of virtual machines is very large and the requirements are complex, a large number of access control rules must be configured for each security group in order to realize communication between virtual machines in different security groups. As the number of access control rules corresponding to each security group grows, the time consumed by rule matching grows, so communication between virtual machines in different security groups cannot be realized quickly, and the communication efficiency between virtual machines is low.
Summary of the invention
The purpose of the embodiments of the present invention is to provide an access control method and device based on security groups, so as to improve the communication efficiency between virtual machines. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present invention provides an access control method based on security groups, applied to a host, the method including:
receiving a configuration request for at least two target security groups;
determining a target virtual machine;
establishing an access control relationship between the target virtual machine and each of the target security groups.
Optionally, after receiving the configuration request for at least two target security groups, the method further includes:
obtaining the access control rules of each target security group;
merging the obtained rules according to the logical relationship between the access control rules of the target security groups, to generate target access control rules.
Optionally, the access control method based on security groups provided by the embodiment of the present invention further includes:
receiving a target packet;
judging whether the first-class security groups and the second-class security groups contain the same security group, where the first-class security groups are the security groups having an access control relationship with the source virtual machine of the target packet, and the second-class security groups are the security groups having an access control relationship with the destination virtual machine of the target packet;
if so, sending the target packet to the destination virtual machine.
Optionally, the access control method based on security groups provided by the embodiment of the present invention further includes:
if the first-class security groups and the second-class security groups contain no identical security group, performing session matching for the destination virtual machine and the source virtual machine;
if the session matching succeeds, performing the step of sending the target packet to the destination virtual machine.
Optionally, the access control method based on security groups provided by the embodiment of the present invention further includes:
if the session matching fails, performing security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-class security groups and the second-class security groups;
if the security group access control rule matching fails, discarding the target packet;
if the security group access control rule matching succeeds, performing the step of sending the target packet to the destination virtual machine.
Optionally, after the step of sending the target packet to the destination virtual machine, the method further includes:
establishing a session between the source virtual machine and the destination virtual machine.
Optionally, the step of judging whether the first-class security groups and the second-class security groups contain the same security group includes:
judging whether the transmission path of the target packet is a first target path, the first target path being from another host (other than this host) to a local virtual machine;
if so, parsing the target packet and obtaining matching result identification information from the parsing result, then judging whether the matching result identification information is a first preset value; if so, judging that the first-class security groups and the second-class security groups contain the same security group, and if not, judging that they do not.
Optionally, before the step of sending the target packet to the destination virtual machine, the method further includes:
judging whether the transmission path of the target packet is a second target path, the second target path being from a local virtual machine to another host (other than this host);
if so, writing a second preset value into the target packet, where the second preset value is a value indicating that the first-class security groups and the second-class security groups contain the same security group.
In a second aspect, an embodiment of the present invention provides an access control device based on security groups, applied to a host, the device including:
a configuration request receiving module, for receiving a configuration request for at least two target security groups;
a virtual machine determining module, for determining a target virtual machine;
an access control relationship establishing module, for establishing an access control relationship between the target virtual machine and each of the target security groups.
Optionally, the access control device based on security groups provided by the embodiment of the present invention further includes:
a rule obtaining module, for obtaining the access control rules of each target security group after the configuration request receiving module receives the configuration request for at least two target security groups;
a rule generating module, for merging the obtained rules according to the logical relationship between the rules of the target security groups, to generate target access control rules.
Optionally, the access control device based on security groups provided by the embodiment of the present invention further includes:
a packet receiving module, for receiving a target packet;
a security group judging module, for judging whether the first-class security groups and the second-class security groups contain the same security group, where the first-class security groups have an access control relationship with the source virtual machine of the target packet and the second-class security groups have an access control relationship with the destination virtual machine of the target packet;
a packet sending module, for sending the target packet to the destination virtual machine when the result of the security group judging module is yes.
Optionally, the access control device based on security groups provided by the embodiment of the present invention further includes:
a session matching module, for performing session matching for the source virtual machine and the destination virtual machine when the result of the security group judging module is no, and triggering the packet sending module if the session matching succeeds.
Optionally, the access control device based on security groups provided by the embodiment of the present invention further includes:
a rule matching module, for performing security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-class security groups and the second-class security groups when the session matching module fails to match; triggering the packet sending module if the security group access control rule matching succeeds; and triggering a packet discarding module if the security group access control rule matching fails;
the packet discarding module, for discarding the target packet.
Optionally, the access control device based on security groups provided by the embodiment of the present invention further includes:
a session establishing module, for establishing a session between the source virtual machine and the destination virtual machine after the packet sending module sends the target packet to the destination virtual machine.
Optionally, the security group judging module is specifically used for:
judging whether the transmission path of the target packet is a first target path, the first target path being from another host (other than this host) to a local virtual machine;
if so, parsing the target packet and obtaining matching result identification information from the parsing result, then judging whether the matching result identification information is a first preset value; if so, judging that the first-class security groups and the second-class security groups contain the same security group, and if not, judging that they do not.
Optionally, the access control device based on security groups provided by the embodiment of the present invention further includes:
an information writing module, for judging, before the packet sending module sends the target packet, whether the transmission path of the target packet is a second target path, the second target path being from a local virtual machine to another host (other than this host); and if so, writing a second preset value into the target packet, where the second preset value is a value indicating that the first-class security groups and the second-class security groups contain the same security group.
In the access control method based on security groups provided by the embodiment of the present invention, a configuration request for at least two target security groups is received, a target virtual machine is then determined, and an access control relationship between the target virtual machine and each target security group is established. It can be seen that with this technical scheme one virtual machine can reference multiple security groups. Thus, as long as two virtual machines reference one identical security group, they intercommunicate by default when accessing each other, without security group rule configuration and matching, so that communication between different virtual machines is realized quickly and the communication efficiency between virtual machines is improved.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a first flow diagram of the access control method based on security groups provided by an embodiment of the present invention;
Fig. 2 is a second flow diagram of the access control method based on security groups provided by an embodiment of the present invention;
Fig. 3 is a third flow diagram of the access control method based on security groups provided by an embodiment of the present invention;
Fig. 4 is a fourth flow diagram of the access control method based on security groups provided by an embodiment of the present invention;
Fig. 5 is a fifth flow diagram of the access control method based on security groups provided by an embodiment of the present invention;
Fig. 6 is a sixth flow diagram of the access control method based on security groups provided by an embodiment of the present invention;
Fig. 7 is a seventh flow diagram of the access control method based on security groups provided by an embodiment of the present invention;
Fig. 8 is a first structural diagram of the access control device based on security groups provided by an embodiment of the present invention;
Fig. 9 is a second structural diagram of the access control device based on security groups provided by an embodiment of the present invention;
Fig. 10 is a third structural diagram of the access control device based on security groups provided by an embodiment of the present invention;
Fig. 11 is a fourth structural diagram of the access control device based on security groups provided by an embodiment of the present invention;
Fig. 12 is a fifth structural diagram of the access control device based on security groups provided by an embodiment of the present invention;
Fig. 13 is a sixth structural diagram of the access control device based on security groups provided by an embodiment of the present invention;
Fig. 14 is a seventh structural diagram of the access control device based on security groups provided by an embodiment of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In order to improve the communication efficiency between virtual machines, an embodiment of the present invention provides an access control method and device based on security groups.
The access control method based on security groups provided by the embodiment of the present invention is introduced first.
As shown in Fig. 1, the access control method based on security groups provided by an embodiment of the present invention is applied to a host and includes the following steps:
S101: receive a configuration request for at least two target security groups.
In practical application, in addition to carrying information about the target security groups, the configuration request may also carry information about the target virtual machine that is to be configured with multiple security groups. The target security groups may have been created in advance or may be created on the VPC in real time; this is not specifically limited.
S102: determine the target virtual machine.
The target virtual machine can be determined according to the target virtual machine information carried in the configuration request received in S101. Alternatively, any virtual machine on the host that needs to reference multiple security groups can be directly determined as the target virtual machine. For example, if virtual machine 1 on the host needs to reference multiple security groups so as to use the access control method provided by the embodiment of the present invention when communicating with other virtual machines, virtual machine 1 can be determined as the target virtual machine.
S103: establish an access control relationship between the target virtual machine and each of the target security groups.
After the configuration request for at least two target security groups is received and the target virtual machine is determined, an access control relationship between the target virtual machine and each target security group must be established; that is, the target virtual machine's reference to at least two target security groups is realized. In practical application, the target security groups may also be combined to generate a new security group, and the access control relationship between the target virtual machine and the new security group is then established.
In the access control method based on security groups provided by the example shown in Fig. 1, a configuration request for at least two target security groups is received, a target virtual machine is then determined, and an access control relationship between the target virtual machine and each target security group is established. It can be seen that with this technical scheme one virtual machine can reference multiple security groups. Thus, as long as two virtual machines reference one identical security group, they intercommunicate by default when accessing each other, without security group rule configuration and matching, so that communication between different virtual machines is realized quickly and the communication efficiency between virtual machines is improved.
For example, in VPC d1, security group 1, security group 2, security group 3, security group 4 and security group 5 have been created, with IDs (identifiers) 1, 2, 3, 4 and 5 respectively.
In the prior art, a virtual machine can reference only one security group. Consider virtual machine A on host 1 and virtual machine B on host 2 in VPC d1, and assume that virtual machine A references security group 1 and virtual machine B references security group 2, where security group 1 contains 5 access control rules in the out (outbound) direction and security group 2 contains 6 access control rules in the in (inbound) direction. Security group 1 does not allow virtual machine A to send packets to virtual machine B, and security group 2 does not allow virtual machine B to receive packets from virtual machine A. Therefore, to send a packet P from virtual machine A to virtual machine B, an out-direction access control rule must first be added to security group 1 and an in-direction access control rule added to security group 2, so that virtual machine A is allowed to send packets to virtual machine B and virtual machine B is allowed to receive them. During communication, after host 1 receives packet P sent by virtual machine A, it matches each out (outbound) rule of security group 1 to see whether virtual machine A is allowed to send packet P to virtual machine B, and forwards it after the match succeeds; after host 2 receives packet P, it must match each in (inbound) rule of security group 2, and only after the match succeeds is the packet delivered to virtual machine B.
Applying the technical solution provided by the embodiment of the present invention instead, a security group 6 with ID 6 can be created in advance, for example with:
vgwadm sg add 6 domain d1
Then a configuration request for security group 1, security group 3 and security group 6 is sent to host 1, and virtual machine A is determined as the target virtual machine; after receiving the configuration request, host 1 establishes access control relationships between virtual machine A and security group 1, security group 3 and security group 6 respectively, that is, virtual machine A's reference to security groups 1, 3 and 6 is realized. A configuration request for security group 2 and security group 6 is sent to host 2, and virtual machine B is determined as the target virtual machine; after receiving the configuration request, host 2 establishes access control relationships between virtual machine B and security group 2 and security group 6 respectively, that is, virtual machine B's reference to security groups 2 and 6 is realized. The identifier of a virtual machine can be its MAC (Media Access Control, physical) address. Specifically, assuming that the MAC address of virtual machine A is fe:17:3e:27:03:22 and the MAC address of virtual machine B is fe:16:3e:27:9c:22, the security group references for virtual machine A and virtual machine B can be implemented in practice as follows:
vgwadm sg set 1,3,6 domain d1 dev fe:17:3e:27:03:22
vgwadm sg set 2,6 domain d1 dev fe:16:3e:27:9c:22
In this way, security group 6 is present both in the security groups referenced by virtual machine A and in those referenced by virtual machine B. Therefore, when virtual machine A and virtual machine B communicate, they intercommunicate by default, without adding or matching access control rules, which effectively improves the communication efficiency between virtual machine A and virtual machine B.
It should be emphasized that in practical application the configuration may also make virtual machine A reference security group 1 and security group 2, or security group 1, security group 2 and security group 3, and so on; this is not limited here. Likewise, the security groups referenced by virtual machine B are not limited to security group 2 and security group 6. It is only required that the security groups referenced by virtual machine A and by virtual machine B contain an identical security group. The above examples are merely specific instances of the present invention and do not constitute a limitation of the invention.
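The following Python model, added here as an illustration and not taken from the patent or from the vgwadm tool, implements the forwarding decision that the summary describes: a packet is admitted at once when the source and destination virtual machines share a security group; otherwise an existing session is looked up; otherwise the in/out access control rules of the referenced groups are matched and, on success, a session is recorded so that later packets skip rule matching. The MAC addresses and group IDs of virtual machines A and B are those of the example above; virtual machines C and D, their addresses, the IP addresses and the rule contents are constructed for the example. The model keeps both virtual machines' group memberships on one object, which is a simplification of the two-host setup in the text (the patent's cross-host marker is not modelled).

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (traffic to the VM) or "out" (traffic from the VM)
    peer_net: str         # CIDR of the peer address the rule applies to
    port: Optional[int]   # None means any port


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


class HostDataplane:
    """Constructed model of the security-group checks performed on a host."""

    def __init__(self) -> None:
        self.vm_groups: dict[str, set[int]] = {}       # VM MAC -> referenced group IDs
        self.group_rules: dict[int, list[Rule]] = {}   # group ID -> its rules
        self.sessions: set[tuple[str, str, int]] = set()

    def sg_set(self, mac: str, group_ids) -> None:
        """Establish the VM's access control relationship with several groups (S103)."""
        self.vm_groups[mac] = set(group_ids)

    def sg_rule(self, group_id: int, rule: Rule) -> None:
        self.group_rules.setdefault(group_id, []).append(rule)

    @staticmethod
    def _hit(rule: Rule, peer_ip: str, port: int) -> bool:
        return (ip_address(peer_ip) in ip_network(rule.peer_net)
                and (rule.port is None or rule.port == port))

    def _rules_allow(self, pkt: Packet) -> bool:
        # The source's groups must allow the packet outbound and the
        # destination's groups must allow it inbound.
        out_ok = any(r.direction == "out" and self._hit(r, pkt.dst_ip, pkt.dst_port)
                     for g in self.vm_groups.get(pkt.src_mac, set())
                     for r in self.group_rules.get(g, []))
        in_ok = any(r.direction == "in" and self._hit(r, pkt.src_ip, pkt.dst_port)
                    for g in self.vm_groups.get(pkt.dst_mac, set())
                    for r in self.group_rules.get(g, []))
        return out_ok and in_ok

    def decide(self, pkt: Packet) -> str:
        """Return the stage that admitted the packet, or 'drop'."""
        src_groups = self.vm_groups.get(pkt.src_mac, set())
        dst_groups = self.vm_groups.get(pkt.dst_mac, set())
        if src_groups & dst_groups:          # shared group: intercommunicate by default
            return "shared-group"
        key = (pkt.src_mac, pkt.dst_mac, pkt.dst_port)
        if key in self.sessions:             # session matching
            return "session"
        if self._rules_allow(pkt):           # rule matching, then establish a session
            self.sessions.add(key)
            return "rule"
        return "drop"


def demo() -> list[str]:
    """Run four constructed packets through the decision and report each outcome."""
    h = HostDataplane()
    h.sg_set("fe:17:3e:27:03:22", [1, 3, 6])   # VM A, as in the text
    h.sg_set("fe:16:3e:27:9c:22", [2, 6])      # VM B, as in the text
    h.sg_set("fe:18:3e:27:aa:01", [4])         # VM C (constructed)
    h.sg_set("fe:18:3e:27:aa:02", [5])         # VM D (constructed)
    h.sg_rule(2, Rule("in", "192.168.2.1/32", 80))   # constructed rule contents
    h.sg_rule(4, Rule("out", "0.0.0.0/0", None))
    a_to_b = Packet("fe:17:3e:27:03:22", "fe:16:3e:27:9c:22", "10.0.0.1", "10.0.0.2", 80)
    c_to_b = Packet("fe:18:3e:27:aa:01", "fe:16:3e:27:9c:22", "192.168.2.1", "10.0.0.2", 80)
    d_to_b = Packet("fe:18:3e:27:aa:02", "fe:16:3e:27:9c:22", "192.168.2.1", "10.0.0.2", 80)
    return [h.decide(a_to_b), h.decide(c_to_b), h.decide(c_to_b), h.decide(d_to_b)]


if __name__ == "__main__":
    print(demo())   # ['shared-group', 'rule', 'session', 'drop']
```

A to B is admitted without touching any rule because both reference group 6; C to B has no shared group and no session, so it goes through rule matching, and the second C to B packet is then admitted from the session table; D has no outbound rule, so its packet is dropped. In the patent's two-host variant, the sending host writes the shared-group result into the packet and the receiving host acts on that marker, so the marker field must be set and cleared only by the hosts' dataplane and never be carried through from guest traffic.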
Further, on the basis of embodiment illustrated in fig. 1, as shown in Fig. 2, one kind that the embodiment of the present invention is provided Access control method based on secure group, applied to host, can also include:
S104, obtains the access control rule of each targeted security group.
Wherein, when targeted security assembles and is equipped with access control rule, the access control of each secure group can also be obtained Rule, to merge processing.
It is understood that the access control rule of secure group generally comprises in (inbound) directions and/or the out of virtual machine The rule in (outbound) direction, and different secure groups can have different access control rules, access control rule can and be pacified Full group creates together, can also be directed to the secure group created and be added.
S105, according to the logical relation between the access control rule of targeted security group, closes the rule obtained And handle, generation target access control rule.
It should be noted that, after the access control rules of each target security group have been obtained, the obtained rules can be merged according to the logical relationship between the access control rules to generate the target access control rule, rather than simply superimposing the access control rules of the target security groups. The specific merging method belongs to the prior art and is not described here again. It is also understood that the logical relationship between the rules is related to the policies of the target security groups. In this way, the number of access control rules corresponding to the target virtual machine can very probably be reduced, so that fewer matches are needed when matching against security group access control rules and the matching speed is improved.
For example, assume that an inbound access control rule is configured for security group 1 that allows all IP addresses by default; an inbound access control rule is configured for security group 2 that allows IP address 192.168.2.1 to access over port 80; and an inbound access control rule is configured for security group 3 that allows IP address 192.168.2.102 to access over port 80. In practical application, the specific implementation can be as follows:
vgwadm sg set 1 domain d1 rule in 0.0.0.0/0 ip;
vgwadm sg set 2 domain d1 rule in 192.168.2.1/80 ip;
vgwadm sg set 3 domain d1 rule in 192.168.2.102/80 ip;
After the configuration requests for security group 1, security group 2 and security group 3 are received, the rules can be merged according to the logical relationship between the access control rules of the three groups. Security group 1 allows all IP addresses by default with no requirement on the port, security group 2 allows IP address 192.168.2.1 to access over port 80, and security group 3 allows IP address 192.168.2.102 to access over port 80, so the allowed range of security group 1 contains the allowed ranges of security group 2 and security group 3. In practical application the union of the three can therefore be taken to generate the target access control rule, and the target access control rule is then identical to that of security group 1; that is, the access control rule of the new security group generated by merging security groups 1, 2 and 3 allows all IP addresses by default. The specific configuration method can be as follows:
vgwadm sg set 1,2,3 domain d1 rule in 0.0.0.0/0 ip;
Since the inbound rule of security group 1 allows all IP addresses by default and is therefore weakly constraining, it is also possible, according to actual demand, to take the intersection of security group 1 with the union of security group 2 and security group 3. The access control rule of the new security group generated by merging security groups 1, 2 and 3 then allows IP addresses 192.168.2.1 and 192.168.2.102 to access over port 80. The specific configuration method can be as follows:
vgwadm sg set 1,2,3 domain d1 rule in 192.168.2.1/80 ip;
vgwadm sg set 1,2,3 domain d1 rule in 192.168.2.102/80 ip;
It should be emphasized that the above examples are only two instantiations of the present invention and do not constitute a limitation of it. In practical application, the policies of the security groups and other factors can also be taken into account when merging access control rules, and the specific merging method is not limited to the above.
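The two merges walked through above (the union of security groups 1, 2 and 3, and the intersection of security group 1 with the union of groups 2 and 3), carried out in Python as an added illustration that is not part of the patent or of the vgwadm tool; the (network, port) rule representation and the function names are assumptions.

```python
"""Merging the inbound allow rules of several security groups into one target
rule set (added illustration, not the patent's own code). A rule is a pair
(network, port); port None means any port, as for security group 1 above."""
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

Rule = Tuple[IPv4Network, Optional[int]]


def rule(cidr: str, port: Optional[int] = None) -> Rule:
    return (ip_network(cidr, strict=False), port)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet admitted by rule b is also admitted by rule a."""
    (net_a, port_a), (net_b, port_b) = a, b
    return net_b.subnet_of(net_a) and (port_a is None or port_a == port_b)


def union(*groups: List[Rule]) -> List[Rule]:
    """Admit whatever any group admits, dropping rules another rule covers:
    the allow-all rule of security group 1 swallows those of groups 2 and 3."""
    merged: List[Rule] = []
    for r in (r for g in groups for r in g):
        if any(covers(m, r) for m in merged):
            continue
        merged = [m for m in merged if not covers(r, m)]
        merged.append(r)
    return merged


def intersection(a: List[Rule], b: List[Rule]) -> List[Rule]:
    """Admit only what both rule sets admit. Two CIDR blocks either nest or
    are disjoint, so the common network is the narrower one when they nest."""
    out: List[Rule] = []
    for net_a, port_a in a:
        for net_b, port_b in b:
            if net_b.subnet_of(net_a):
                net = net_b
            elif net_a.subnet_of(net_b):
                net = net_a
            else:
                continue  # disjoint networks admit nothing in common
            if port_a is None or port_a == port_b:
                port = port_b
            elif port_b is None:
                port = port_a
            else:
                continue  # two different fixed ports admit nothing in common
            out.append((net, port))
    return union(out)  # drop duplicates and covered rules


def fmt(rules: List[Rule]) -> List[str]:
    return sorted(f"{n.with_prefixlen} {'any' if p is None else p}" for n, p in rules)


# Constructed inputs mirroring the three vgwadm commands above.
SG1 = [rule("0.0.0.0/0")]             # allow all addresses, any port
SG2 = [rule("192.168.2.1/32", 80)]    # allow 192.168.2.1 over port 80
SG3 = [rule("192.168.2.102/32", 80)]  # allow 192.168.2.102 over port 80


def merge_by_union() -> List[str]:
    """Target rule for groups 1, 2, 3 taken as a union: identical to group 1."""
    return fmt(union(SG1, SG2, SG3))


def merge_by_intersection() -> List[str]:
    """Group 1 intersected with the union of groups 2 and 3: the weakly
    constraining allow-all is narrowed to the two host/port rules."""
    return fmt(intersection(SG1, union(SG2, SG3)))
```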
On the basis of the embodiment shown in Fig. 1, in the access control method based on security groups provided by the embodiment shown in Fig. 2, the access control rule of each target security group can also be obtained, and the obtained rules are then merged according to the logical relationship between the access control rules of the target security groups to generate the target access control rule. This technical solution reduces the number of access control rules corresponding to the target virtual machine, so that fewer matches are needed when matching against security group access control rules, the matching speed is improved, and the communication efficiency between virtual machines is further improved.
Further, on the basis of the embodiment shown in Fig. 2, as shown in Fig. 3, the access control method based on security groups provided by the embodiment of the present invention, applied to a host, can also include:
S106: receiving a target packet.
The target packet is generally a packet sent by a virtual machine on the local host or a packet sent by a virtual machine on another, external host; the packets sent by virtual machines on the local host include packets sent to other local virtual machines and packets sent to virtual machines on other, external hosts.
In one implementation of the present invention, packets arriving from other, external hosts and packets sent to other, external hosts can be VXLAN (Virtual eXtensible Local Area Network) packets.
S107: judging whether an identical security group exists in the first-class security groups and the second-class security groups, and if so, performing S108.
Here, an access control relationship exists between the first-class security groups and the source virtual machine of the target packet, and an access control relationship exists between the second-class security groups and the destination virtual machine of the target packet.
It should be noted that, using the technical solution provided by the embodiment shown in Fig. 1, a virtual machine can be configured to reference multiple security groups, and virtual machines in the same security group can intercommunicate. Therefore, after the host receives the target packet, it can first judge whether an identical security group exists in the first-class security groups referenced by the source virtual machine of the target packet and the second-class security groups referenced by the destination virtual machine. Specifically, it can be judged whether the IDs of the first-class security groups and the IDs of the second-class security groups contain an equal ID; if they do, the source virtual machine and the destination virtual machine are by default intercommunicating, and the target packet is sent directly to the destination virtual machine. Of course, the judgement can also be made on other unique identification information of the security groups, and is not limited to this.
For example, assume that the security group IDs corresponding to the first-class security groups are 1, 3 and 4, and those corresponding to the second-class security groups are 2, 3 and 5. Both the first-class and the second-class security groups contain the security group whose ID is 3, so it can be determined that an identical security group exists in the first-class security groups and the second-class security groups.
The first-class security groups can be obtained by reading the local security group configuration file. In practical application, the security group information of the source virtual machine and of the destination virtual machine can be configured symmetrically in advance and stored in the security group configuration files of both the source host and the destination host; that is, the security group configuration file of the source host also holds the security group information of the destination virtual machine, and the security group configuration file of the destination host also holds the security group information of the source virtual machine. The second-class security groups can therefore also be obtained by reading the local security group configuration file, though this is not a limitation.
It should be noted that, when the target packet is one sent by a virtual machine on another, external host, the local host is the destination. In practical application, to reduce the number of matches, security group matching can be performed only at the source, which judges whether an identical security group exists in the first-class and second-class security groups and writes the matching result into the packet before sending it to the destination (this is described in detail in a following embodiment). The destination, that is, the local host, can then, after receiving the target packet, judge directly from the information carried in the packet whether an identical security group exists in the first-class and second-class security groups. Specifically, the step of judging whether an identical security group exists in the first-class security groups and the second-class security groups can include:
judging whether the transmission path of the target packet is a first target path;
if so, parsing the target packet, obtaining matching result identification information from the parsing result, and judging whether the matching result identification information is a first preset value; if it is, judging that an identical security group exists in the first-class security groups and the second-class security groups, and if it is not, judging that no identical security group exists in the first-class security groups and the second-class security groups.
Here, the first target path is a path from another host, other than the local host, to a local virtual machine.
It is understood that the target packet can be a VXLAN packet sent by a virtual machine on another, external host. When such a target packet is received, it can be parsed, matching result identification information can be obtained from the parsing result, and it can then be judged whether the matching result identification information is the first preset value, and thereby whether an identical security group exists in the first-class and second-class security groups. The first preset value is a value used to indicate that an identical security group exists in the first-class and second-class security groups; it can be agreed in advance, and it should be emphasized that the first preset value must be a value that does not conflict with other values.
In practical application, the packet mark skb->mark can be used to carry the security group matching result. By agreement, when skb->mark is VGW_SEC_GROUP_NULL, that is, 0, the security group match at the source succeeded; when skb->mark is VGW_SEC_GROUP_NOT_MATCH, that is, 240, the security group match at the source failed. When sending the VXLAN packet, the source writes skb->mark into the VXLAN packet header, so that the destination host obtains the security group matching result directly when it receives the packet. Of course, the specific way in which the security group matching result is carried in the packet is not limited to this.
For example, the local host receives a VXLAN packet A sent by a virtual machine on another host; after parsing the packet it obtains skb->mark with the value 0, which indicates that an identical security group exists in the first-class security groups and the second-class security groups.
S108: sending the target packet to the destination virtual machine.
When the result of S107 is yes, that is, an identical security group exists in the first-class and second-class security groups, the source virtual machine and the destination virtual machine are intercommunicating, and the target packet can be sent directly to the destination virtual machine.
It should further be emphasized that if the source virtual machine or the destination virtual machine references no security group, that is, the first-class security groups or the second-class security groups are empty, the packet is allowed by default and the target packet is sent directly to the destination virtual machine.
On the basis of the embodiment shown in Fig. 2, using the technical solution provided by the embodiment shown in Fig. 3, after a target packet is received it is judged whether an identical security group exists in the first-class security groups and the second-class security groups, and if so the target packet is sent to the destination virtual machine, where an access control relationship exists between the first-class security groups and the source virtual machine of the target packet and between the second-class security groups and the destination virtual machine of the target packet. Compared with the prior art, when a large number of virtual machines exist in a VPC network, there is no need to configure a large number of access control rules for the source and destination virtual machines, and when the security groups referenced by the source and destination virtual machines share an identical security group, no rule matching is needed during communication between the virtual machines, which intercommunicate by default, thus improving the communication efficiency between virtual machines.
Further, on the basis of the embodiment shown in Fig. 3, as shown in Fig. 4, the access control method based on security groups provided by the embodiment of the present invention, applied to a host, can also include:
S109: performing session matching for the source virtual machine and the destination virtual machine, and if the match succeeds, performing S108.
It should be noted that when the result of S107 is no, that is, no identical security group exists in the first-class and second-class security groups, session matching can be performed for the source virtual machine and the destination virtual machine; if the session match succeeds, S108 is performed, that is, the target packet is sent to the destination virtual machine.
It is understood that security groups are stateful, and session matching can be understood as security group state detection: it detects whether a connection relationship exists between the sessions. If a session connection exists, the session match succeeds, which indicates that the source virtual machine and the destination virtual machine are intercommunicating, and the target packet can be sent to the destination virtual machine.
If the session match fails, then on the basis of Fig. 4, as shown in Fig. 5, the access control method based on security groups provided by the embodiment of the present invention, applied to a host, can also include:
S110: performing security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-class security groups and the second-class security groups; if the match succeeds, performing S108, and if it fails, performing S111.
It should be noted that when the result of S109 is that the match failed, security group access control rule matching can be performed for the source virtual machine and the destination virtual machine according to the first-class security groups and the second-class security groups; if the match succeeds, the target packet is sent to the destination virtual machine, otherwise S111 is performed and the target packet is discarded. Performing security group access control rule matching for the source and destination virtual machines means matching against the access control rules generated by merging the security groups corresponding to each of them; the specific matching process belongs to the prior art and is not repeated here.
S111: discarding the target packet.
When the result of S110 is that the match failed, this indicates that the source virtual machine and the destination virtual machine are not connected and the packet cannot be transmitted, so the target packet can be discarded.
For example, the local host receives a packet B whose source virtual machine references the security groups with IDs 1, 2 and 3 and whose destination virtual machine references the security groups with IDs 4, 5 and 6. Since no identical security group exists among those referenced by the source and destination virtual machines, session matching is performed by looking up the relevant entries on the local host; if the session match fails, access control rule matching is performed, and if the rule match also fails, packet B is discarded.
On the basis of the embodiment shown in Fig. 3, in the access control method based on security groups provided by the embodiment of Fig. 4, if no identical security group exists in the first-class and second-class security groups, session matching can also be performed, and if the session match succeeds the target packet is sent to the destination virtual machine. Compared with the prior art, when a large number of virtual machines exist in a VPC network, there is no need to configure a large number of access control rules for the source and destination virtual machines; when the session match succeeds, no subsequent rule matching is needed during communication between the virtual machines and the packet is processed directly, improving the communication efficiency between virtual machines.
Further, on the basis of the embodiment shown in Fig. 5, as shown in Fig. 6, the access control method based on security groups provided by the embodiment of the present invention, applied to a host, can also include, after S108:
S112: establishing a session between the source virtual machine and the destination virtual machine.
It should be noted that when the security group access control rule match succeeds and the target packet is sent to the destination virtual machine, this indicates that the source virtual machine and the destination virtual machine can communicate, that is, they are intercommunicating. To record this, a session between the source virtual machine and the destination virtual machine is established, the security group state is updated, and the session is stored locally, so that on the next communication only session matching is needed and access control rule matching need not be performed again.
In practical application, the session between the source virtual machine and the destination virtual machine can be created from the five-tuple, which consists of the source IP address, source port, destination IP address, destination port and transport layer protocol; the five-tuple distinguishes different sessions, and the corresponding session is unique. How a session is established from a five-tuple belongs to the prior art and is not described here again.
On the basis of the embodiment shown in Fig. 5, in the access control method based on security groups provided by the embodiment of Fig. 6, if security group access control rule matching is performed for the source and destination virtual machines according to the first-class and second-class security groups and the match succeeds, a session between the source virtual machine and the destination virtual machine can be established after the target packet is sent to the destination virtual machine and stored locally, so that in subsequent communication only session matching is needed and access control rule matching need not be performed again, improving the communication efficiency between virtual machines.
Further, on the basis of the embodiment shown in Fig. 3, as shown in Fig. 7, the access control method based on security groups provided by the embodiment of the present invention, applied to a host, can also include, before S108:
S113: judging whether the transmission path of the target packet is a second target path, and if so, performing S114.
Here, the second target path is a path from a local virtual machine to another host, other than the local host.
It should be noted that if the transmission path of the received target packet is from a local virtual machine to another host, other than the local host, this indicates that the target packet is a cross-host packet sent by a local virtual machine to a virtual machine on another, external host, and the local host is then the source host. The specific method of judging the transmission path of a packet belongs to the prior art and is not described here again.
S114: writing a second preset value into the target packet.
Here, the second preset value is a value used to indicate that an identical security group exists in the first-class security groups and the second-class security groups.
It should be noted that for a packet sent by a local virtual machine to another, external host, such as a VXLAN packet, after it has been judged that an identical security group exists in the first-class and second-class security groups, that is, after the security group match succeeds, the agreed second preset value indicating that an identical security group exists can be written into the target packet before it is sent to the destination virtual machine, so that the destination host, after receiving the target packet, need not perform security group matching again but obtains the security group matching result directly from the parsed packet.
In practical application, the packet mark skb->mark can be used to carry the security group matching result. By agreement, when skb->mark is VGW_SEC_GROUP_NULL, that is, 0, the security group match succeeded; skb->mark is written into the VXLAN packet header and the packet is then sent to the destination virtual machine. Of course, the specific way in which the security group matching result is carried in the packet is not limited to this.
It is understood that when the result of S113 is no and the local host is the source host, this indicates that the target packet is one sent by a local virtual machine to another local virtual machine, that is, the source virtual machine and the destination virtual machine belong to the same host, and the local host is also the destination host. In that case, after it has been judged that an identical security group exists in the security groups referenced respectively by the source virtual machine and the destination virtual machine, the target packet is sent directly to the destination virtual machine.
On the basis of the embodiment shown in Fig. 3, the technical solution provided by the embodiment shown in Fig. 7 can also, before sending the target packet to the destination virtual machine, judge whether the destination virtual machine belongs to the local host, and if not, write into the target packet the second preset value indicating that an identical security group exists in the first-class and second-class security groups, so that the destination host, after receiving the packet, obtains the security group matching result directly from the parsing result and need not perform security group matching again. This reduces the number of matches and further improves the communication efficiency between virtual machines.
It should be emphasized that in the access control methods based on security groups provided by the embodiments shown in Fig. 4 and Fig. 5, in order to transmit the matching result of the source more accurately, the result of the session match or of the access control rule match can also be written into the target packet before it is sent to the destination virtual machine. Specifically, when skb->mark is used to carry the matching result information, skb->mark is set to VGW_SEC_GROUP_NOT_MATCH, that is, 240, after the session match or the access control rule match succeeds; when the destination reads 240, this indicates that the security group match at the source failed but the session match or the access control rule match succeeded.
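The per-packet decision of steps S107 to S114 above (shared security group, then session match, then rule match with session creation, else drop), together with the skb->mark values 0 and 240 carried to the destination host, as an added Python illustration that is not the patent's code. The class names, addresses and the single sample rule are constructed assumptions, and on a mark of 240 the destination here falls back to its own session and rule check.

```python
"""Host-side forwarding decision for one packet, following steps S107-S114
above (added illustration, not the patent's code). Addresses, group IDs and
the single rule below are constructed sample data; names are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Mark values named on the page, carried in skb->mark and the VXLAN header.
VGW_SEC_GROUP_NULL = 0         # security group match succeeded at the source
VGW_SEC_GROUP_NOT_MATCH = 240  # no shared group; a session or rule match decided

FiveTuple = Tuple[str, int, str, int, str]  # src ip, src port, dst ip, dst port, proto
Verdict = Tuple[str, Optional[int]]         # ("forward" | "drop", mark written to packet)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    mark: Optional[int] = None  # present when the packet arrived over VXLAN from another host

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass
class Host:
    vm_groups: Dict[str, FrozenSet[int]]  # VM address -> referenced security group IDs
    sg_rules: Dict[int, List[Tuple[str, Optional[int]]]]  # group ID -> (cidr, port|None)
    sessions: Set[FiveTuple] = field(default_factory=set)  # five-tuple sessions (S112)

    def rule_match(self, pkt: Packet, dst_groups: FrozenSet[int]) -> bool:
        """S110: does a rule of one of the destination VM's groups admit this packet?"""
        src = ip_address(pkt.src_ip)
        return any(src in ip_network(cidr) and (port is None or port == pkt.dst_port)
                   for sg in dst_groups for cidr, port in self.sg_rules.get(sg, []))

    def decide(self, pkt: Packet, dst_local: bool) -> Verdict:
        """dst_local=False is the second target path (S113): the destination VM is on
        another host, so the verdict is written into the packet as its mark (S114)."""
        src_groups = self.vm_groups.get(pkt.src_ip, frozenset())
        dst_groups = self.vm_groups.get(pkt.dst_ip, frozenset())

        def forward(mark: int) -> Verdict:
            return "forward", (None if dst_local else mark)

        if not src_groups or not dst_groups:  # VM without a security group: allow by default
            return "forward", None
        # S107: a shared group means the VMs intercommunicate without any rule matching;
        # on the first target path the destination host trusts the mark the source wrote.
        shared = (pkt.mark == VGW_SEC_GROUP_NULL if pkt.mark is not None
                  else bool(src_groups & dst_groups))
        if shared:
            return forward(VGW_SEC_GROUP_NULL)
        if pkt.five_tuple() in self.sessions:  # S109: stateful session match
            return forward(VGW_SEC_GROUP_NOT_MATCH)
        if self.rule_match(pkt, dst_groups):  # S110, then S112 records the session
            self.sessions.add(pkt.five_tuple())
            return forward(VGW_SEC_GROUP_NOT_MATCH)
        return "drop", None  # S111


# Constructed sample configuration, held identically on both hosts (symmetric config).
VM_GROUPS = {
    "10.0.0.1": frozenset({1, 3, 4}),  # the page's example pair: shares ID 3 ...
    "10.0.0.2": frozenset({2, 3, 5}),  # ... with this VM
    "10.0.0.3": frozenset({1, 2, 3}),  # the page's packet B pair: no ID in common ...
    "10.0.1.4": frozenset({4, 5, 6}),  # ... with this VM on another host
    "10.0.1.9": frozenset(),           # VM that references no security group
}
SG_RULES = {4: [("10.0.0.0/16", 80)]}  # group 4 admits 10.0.0.0/16 on port 80


def tcp(src: str, sport: int, dst: str, dport: int, mark: Optional[int] = None) -> Packet:
    return Packet(src, sport, dst, dport, "tcp", mark)


def run_example() -> List[Verdict]:
    host_a, host_b = Host(VM_GROUPS, SG_RULES), Host(VM_GROUPS, SG_RULES)
    flow_b = tcp("10.0.0.3", 40001, "10.0.1.4", 80)
    cross = host_a.decide(flow_b, dst_local=False)  # no shared group; rule of group 4 admits
    return [
        host_a.decide(tcp("10.0.0.1", 40000, "10.0.0.2", 80), dst_local=True),  # S107 shared
        cross,                                                                  # S110 + S112
        host_b.decide(tcp(*flow_b.five_tuple()[:4], mark=cross[1]), dst_local=True),
        host_a.decide(flow_b, dst_local=False),                                  # S109 session
        host_a.decide(tcp("10.0.0.3", 40002, "10.0.1.4", 22), dst_local=False),  # S111 drop
        host_a.decide(tcp("10.0.0.3", 40003, "10.0.1.9", 22), dst_local=False),  # no group
    ]
```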
Corresponding to the above method embodiments, an embodiment of the present invention provides an access control apparatus based on security groups. As shown in Fig. 8, the apparatus includes:
a configuration request receiving module 801, for receiving configuration requests for at least two target security groups;
a virtual machine determining module 802, for determining a target virtual machine;
an access control relationship establishing module 803, for establishing an access control relationship between the target virtual machine and each of the target security groups.
In the access control apparatus based on security groups provided by the embodiment shown in Fig. 8, configuration requests for at least two target security groups are received, a target virtual machine is then determined, and an access control relationship between the target virtual machine and each of the target security groups is established. Using the above technical solution, one virtual machine can reference multiple security groups, so that as long as two virtual machines reference one identical security group, they intercommunicate by default when accessing each other and no security group rule configuration or matching is needed, thus quickly achieving communication between different virtual machines and improving the communication efficiency between virtual machines.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802 and the access control relationship establishing module 803, as shown in Fig. 9, the access control apparatus based on security groups provided by the embodiment of the present invention can also include:
a rule obtaining module 804, for obtaining the access control rule of each target security group after the configuration request receiving module 801 receives the configuration requests for the at least two target security groups;
a rule generating module 805, for merging the obtained rules according to the logical relationship between the access control rules of the target security groups to generate a target access control rule.
On the basis of the embodiment shown in Fig. 8, in the access control apparatus based on security groups provided by the embodiment shown in Fig. 9, the access control rule of each target security group can also be obtained, and the obtained rules are then merged according to the logical relationship between the access control rules of the target security groups to generate the target access control rule. This technical solution reduces the number of access control rules corresponding to the target virtual machine, so that fewer matches are needed when matching against security group access control rules, the matching speed is improved, and the communication efficiency between virtual machines is further improved.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804 and the rule generating module 805, as shown in Fig. 10, the access control apparatus based on security groups provided by the embodiment of the present invention can also include:
a packet receiving module 806, for receiving a target packet;
a security group judging module 807, for judging whether an identical security group exists in the first-class security groups and the second-class security groups, where an access control relationship exists between the first-class security groups and the source virtual machine of the target packet, and an access control relationship exists between the second-class security groups and the destination virtual machine of the target packet;
a packet sending module 808, for sending the target packet to the destination virtual machine when the result of the security group judging module 807 is yes.
On the basis of the embodiment shown in Fig. 9, using the technical solution provided by the embodiment shown in Fig. 10, after a target packet is received it is judged whether an identical security group exists in the first-class security groups and the second-class security groups, and if so the target packet is sent to the destination virtual machine, where an access control relationship exists between the first-class security groups and the source virtual machine of the target packet and between the second-class security groups and the destination virtual machine of the target packet. Compared with the prior art, when a large number of virtual machines exist in a VPC network, using the technical solution provided by the embodiment shown in Fig. 3 there is no need to configure a large number of access control rules for the source and destination virtual machines, and when the security groups referenced by the source and destination virtual machines share an identical security group, no rule matching is needed during communication between the virtual machines, which intercommunicate by default, thus improving the communication efficiency between virtual machines.
The security group judging module 807 can specifically be used for:
judging whether the transmission path of the target packet is a first target path, the first target path being a path from another host, other than the local host, to a local virtual machine;
if so, parsing the target packet, obtaining matching result identification information from the parsing result, and judging whether the matching result identification information is a first preset value; if it is, judging that an identical security group exists in the first-class security groups and the second-class security groups, and if it is not, judging that no identical security group exists in the first-class security groups and the second-class security groups.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804, the rule generating module 805, the packet receiving module 806, the security group judging module 807 and the packet sending module 808, as shown in Fig. 11, the access control apparatus based on security groups provided by the embodiment of the present invention can also include:
a session matching module 809, for performing session matching for the source virtual machine and the destination virtual machine when the judging result of the security group judging module 807 is no, and triggering the packet sending module 808 if the session match succeeds.
On the basis of the embodiment shown in Fig. 10, in the access control apparatus based on security groups provided by the embodiment of Fig. 11, if no identical security group exists in the first-class and second-class security groups, session matching can also be performed, and if the session match succeeds the target packet is sent to the destination virtual machine. Compared with the prior art, when a large number of virtual machines exist in a VPC network, there is no need to configure a large number of access control rules for the source and destination virtual machines; when the session match succeeds, no subsequent rule matching is needed during communication between the virtual machines and the packet is processed directly, improving the communication efficiency between virtual machines.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804, the rule generating module 805, the packet receiving module 806, the security group judging module 807, the packet sending module 808 and the session matching module 809, as shown in Fig. 12, the access control apparatus based on security groups provided by the embodiment of the present invention can also include:
a rule matching module 810, for performing security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-class security groups and the second-class security groups when the match of the session matching module 809 fails; triggering the packet sending module 808 if the security group access control rule match succeeds, and triggering a packet discarding module 811 if the security group access control rule match fails;
the packet discarding module 811, for discarding the target packet.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804, the rule generating module 805, the packet receiving module 806, the security group judging module 807, the packet sending module 808, the session matching module 809, the rule matching module 810 and the packet discarding module 811, as shown in Fig. 13, the access control apparatus based on security groups provided by the embodiment of the present invention can also include:
a session establishing module 812, for establishing a session between the source virtual machine and the destination virtual machine after the packet sending module 808 sends the target packet to the destination virtual machine.
On the basis of the embodiment shown in Fig. 12, using the technical solution provided by the embodiment of Fig. 13, if security group access control rule matching is performed for the source and destination virtual machines according to the first-class and second-class security groups and the match succeeds, a session between the source virtual machine and the destination virtual machine can be established after the target packet is sent to the destination virtual machine and stored locally, so that in subsequent communication only session matching is needed and access control rule matching need not be performed again, improving the communication efficiency between virtual machines.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804, the rule generating module 805, the packet receiving module 806, the security group judging module 807 and the packet sending module 808, as shown in Fig. 14, the access control apparatus based on security groups provided by the embodiment of the present invention can also include:
an information writing module 813, for judging, before the packet sending module 808 sends the target packet, whether the transmission path of the target packet is a second target path, the second target path being a path from a local virtual machine to another host, other than the local host; and if so, writing a second preset value into the target packet, where the second preset value is a value used to indicate that an identical security group exists in the first-class security groups and the second-class security groups.
On the basis of the embodiment shown in Fig. 10, the technical solution provided by the embodiment shown in Fig. 14 can also, before sending the target packet to the destination virtual machine, judge whether the destination virtual machine belongs to the local host, and if not, write into the target packet the second preset value indicating that an identical security group exists in the first-class and second-class security groups, so that the destination host, after receiving the packet, obtains the security group matching result directly from the parsing result and need not perform security group matching again. This reduces the number of matches and further improves the communication efficiency between virtual machines.
It should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relation or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
Each embodiment in this specification is described in a related manner; identical or similar parts between the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the device embodiments are substantially similar to the method embodiments, their description is relatively simple, and related parts may refer to the explanation given for the method embodiments.
One of ordinary skill in the art will appreciate that all or part of the steps in the above method embodiments may be completed by instructing relevant hardware through a program, and the program may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention are all included within the scope of protection of the present invention.

Claims (16)

  1. An access control method based on security groups, characterized in that it is applied to a host and comprises:
    receiving a configuration request for at least two target security groups;
    determining a target virtual machine;
    establishing an access control relation between the target virtual machine and each of the target security groups respectively.
  2. The method according to claim 1, characterized in that, after receiving the configuration request for at least two target security groups, the method further comprises:
    obtaining the access control rules of each target security group;
    merging the obtained rules according to the logical relation between the access control rules of the target security groups, to generate a target access control rule.
  3. The method according to claim 2, characterized in that it further comprises:
    receiving a target message;
    judging whether an identical security group exists in a first-class security group and a second-class security group, wherein the first-class security group has an access control relation with the source virtual machine of the target message, and the second-class security group has an access control relation with the destination virtual machine of the target message;
    if so, sending the target message to the destination virtual machine.
  4. The method according to claim 3, characterized in that it further comprises:
    if no identical security group exists in the first-class security group and the second-class security group, performing session matching for the source virtual machine and the destination virtual machine;
    if the session matching succeeds, performing the step of sending the target message to the destination virtual machine.
  5. The method according to claim 4, characterized in that it further comprises:
    if the session matching fails, performing security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-class security group and the second-class security group;
    if the security group access control rule matching fails, discarding the target message;
    if the security group access control rule matching succeeds, performing the step of sending the target message to the destination virtual machine.
  6. The method according to claim 5, characterized in that, after performing the step of sending the target message to the destination virtual machine, it further comprises:
    establishing a session between the source virtual machine and the destination virtual machine.
  7. The method according to claim 3, characterized in that the step of judging whether an identical security group exists in the first-class security group and the second-class security group comprises:
    judging whether the transmission path of the target message is a first target path, the first target path being a path from another host other than the host to a local virtual machine;
    if so, parsing the target message, obtaining matching result identification information from the parsing result, and judging whether the matching result identification information is a first preset value; if so, judging that an identical security group exists in the first-class security group and the second-class security group, and if not, judging that no identical security group exists in the first-class security group and the second-class security group.
  8. The method according to claim 3, characterized in that, before the step of sending the target message to the destination virtual machine, it further comprises:
    judging whether the transmission path of the target message is a second target path, the second target path being a path from a local virtual machine to another host other than the host;
    if so, writing a second preset value into the target message, wherein the second preset value is a value indicating that an identical security group exists in the first-class security group and the second-class security group.
  9. An access control device based on security groups, characterized in that it is applied to a host and comprises:
    a configuration request receiving module, configured to receive a configuration request for at least two target security groups;
    a virtual machine determining module, configured to determine a target virtual machine;
    an access control relation establishing module, configured to establish an access control relation between the target virtual machine and each of the target security groups respectively.
  10. The device according to claim 9, characterized in that it further comprises:
    a rule obtaining module, configured to obtain the access control rules of each target security group after the configuration request receiving module receives the configuration request for at least two target security groups;
    a rule generating module, configured to merge the obtained rules according to the logical relation between the access control rules of the target security groups, to generate a target access control rule.
  11. The device according to claim 10, characterized in that it further comprises:
    a message receiving module, configured to receive a target message;
    a security group judging module, configured to judge whether an identical security group exists in a first-class security group and a second-class security group, wherein the first-class security group has an access control relation with the source virtual machine of the target message, and the second-class security group has an access control relation with the destination virtual machine of the target message;
    a message sending module, configured to send the target message to the destination virtual machine when the result of the security group judging module is yes.
  12. The device according to claim 11, characterized in that it further comprises:
    a session matching module, configured to perform session matching for the source virtual machine and the destination virtual machine when the result of the security group judging module is no, and to trigger the message sending module if the session matching succeeds.
  13. The device according to claim 12, characterized in that it further comprises:
    a rule matching module, configured to perform security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-class security group and the second-class security group when the session matching in the session matching module fails; to trigger the message sending module if the security group access control rule matching succeeds; and to trigger a message discarding module if the security group access control rule matching fails;
    the message discarding module, configured to discard the target message.
  14. The device according to claim 13, characterized in that it further comprises:
    a session establishing module, configured to establish a session between the source virtual machine and the destination virtual machine after the message sending module sends the target message to the destination virtual machine.
  15. The device according to claim 10, characterized in that the security group judging module is specifically configured to:
    judge whether the transmission path of the target message is a first target path, the first target path being a path from another host other than the host to a local virtual machine;
    if so, parse the target message, obtain matching result identification information from the parsing result, and judge whether the matching result identification information is a first preset value; if so, judge that an identical security group exists in the first-class security group and the second-class security group, and if not, judge that no identical security group exists in the first-class security group and the second-class security group.
  16. The device according to claim 10, characterized in that it further comprises:
    an information writing module, configured to, before the message sending module sends the target message, judge whether the transmission path of the target message is a second target path, the second target path being a path from a local virtual machine to another host other than the host; and if so, write a second preset value into the target message, wherein the second preset value is a value indicating that an identical security group exists in the first-class security group and the second-class security group.
CN201610944504.8A 2016-10-26 2016-10-26 Access control method and device based on security group Active CN107995144B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610944504.8A CN107995144B (en) 2016-10-26 2016-10-26 Access control method and device based on security group


Publications (2)

Publication Number Publication Date
CN107995144A true CN107995144A (en) 2018-05-04
CN107995144B CN107995144B (en) 2020-11-06

Family

ID=62029019

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610944504.8A Active CN107995144B (en) 2016-10-26 2016-10-26 Access control method and device based on security group

Country Status (1)

Country Link
CN (1) CN107995144B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108718320A (en) * 2018-06-14 2018-10-30 浙江远望信息股份有限公司 A method of forming data packet communication white list to close rule data packet intersection with similar configuration internet of things equipment
CN111224922A (en) * 2018-11-26 2020-06-02 顺丰科技有限公司 Distributed security group module access control method and system
CN111277611A (en) * 2020-02-25 2020-06-12 深信服科技股份有限公司 Virtual machine networking control method and device, electronic equipment and storage medium
CN113810283A (en) * 2021-09-16 2021-12-17 中国联合网络通信集团有限公司 Network security configuration method, device, server and storage medium
WO2022194262A1 (en) * 2021-03-19 2022-09-22 华为技术有限公司 Security communication method and apparatus
CN115794316A (en) * 2023-02-03 2023-03-14 青软创新科技集团股份有限公司 Method, apparatus, medium, and program product for building a cloud computing experimental environment
WO2024037619A1 (en) * 2022-08-18 2024-02-22 华为云计算技术有限公司 Cloud computing technology-based virtual instance creation method and cloud management platform

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110247047A1 (en) * 2010-04-02 2011-10-06 Sergio Loureiro Method for securing data and/or applications in a cloud computing architecture
CN103581183A (en) * 2013-10-30 2014-02-12 华为技术有限公司 Virtualization security isolation method and device
CN104007997A (en) * 2013-02-22 2014-08-27 中兴通讯股份有限公司 Virtual machine security group configuration method and device

Also Published As

Publication number Publication date
CN107995144B (en) 2020-11-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant