CN110611588B - Network creation method, server, computer readable storage medium and system - Google Patents

Publication number: CN110611588B
Authority: CN (China)
Prior art keywords: virtual, virtual router, router, distributed, switch
Legal status: Active
Application number: CN201910822937.XA
Other languages: Chinese (zh)
Other versions: CN110611588A (en)
Inventor: 杨旭荣
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by: Sangfor Technologies Co Ltd
Priority to: CN201910822937.XA
Publication of CN110611588A
Application granted
Publication of CN110611588B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0893 Assignment of logical groups to network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Abstract

The embodiment of the invention discloses a network creation method comprising the following steps: receiving a first subnet segment sent by a client; creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch; configuring the first virtual router to be communicatively connected to a private network corresponding to the client, and configuring the second virtual router to be communicatively connected to a public network; and counting the number of network segments in the first subnet segment and creating that number of second distributed virtual switches, each of which is communicatively connected to the first virtual router. The embodiment of the invention also discloses a server, a computer readable storage medium and a system.

Description

Network creation method, server, computer readable storage medium and system
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a network creation method, a server, a computer-readable storage medium, and a system.
Background
With the rapid development of internet technology, cloud technology has also developed rapidly. To meet users' need for an isolated virtual network environment on a cloud platform whose configuration and policies they can manage themselves, engineers proposed Virtual Private Cloud (VPC) technology. A VPC not only improves the security of the user's resources in the cloud but also simplifies the user's network deployment.
However, existing VPC implementation schemes require operations such as network planning, definition of connection relationships and configuration of security rules, which place high technical demands on the user; as a result the VPC implementation process is complex and its degree of intelligence is low.
Disclosure of Invention
In view of this, embodiments of the present invention are expected to provide a network creation method, a server, a computer-readable storage medium and a system, so as to solve the prior-art problems of a complex VPC implementation process and a low degree of intelligence, simplify the VPC implementation process and improve its degree of intelligence.
To achieve this, the technical solution of the invention is implemented as follows:
In one aspect, a network creation method comprises:
receiving a first subnet segment sent by a client;
creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch;
configuring the first virtual router to be communicatively connected to a private network corresponding to the client, and configuring the second virtual router to be communicatively connected to a public network;
and counting the number of network segments in the first subnet segment and creating that number of second distributed virtual switches, each of which is communicatively connected to the first virtual router.
Optionally, before receiving the first subnet segment sent by the client, the method further includes:
receiving a first request instruction sent by the client, the first request instruction being used to request that a server create a Virtual Private Cloud (VPC) tenant and carrying identity information of the client;
responding to the first request instruction by recording and storing the VPC tenant information;
correspondingly, creating the first virtual router, the second virtual router and the first distributed virtual switch, with the first virtual router communicatively connected to the second virtual router via the first distributed virtual switch, includes:
if the identity information of the client belongs to the VPC tenant information, creating the first virtual router, the second virtual router and the first distributed virtual switch, wherein the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch.
Optionally, after counting the number of network segments in the first subnet segment, creating that number of second distributed virtual switches and communicatively connecting each of them to the first virtual router, the method includes:
configuring the Dynamic Host Configuration Protocol (DHCP) on an interface of the first virtual router;
receiving a second request instruction sent by the client, the second request instruction being used to request that the server create a virtual machine (VM) based on the first subnet segment;
responding to the second request instruction by creating the VM and controlling the first virtual router to allocate an Internet Protocol (IP) address to the VM based on DHCP;
determining the target subnet segment to which the IP address belongs, and determining the target distributed virtual switch corresponding to the target subnet segment, where the target subnet segment belongs to the first subnet segment and the target distributed virtual switch is one of the second distributed virtual switches;
and configuring the VM to be communicatively connected to the target distributed virtual switch.
Optionally, after configuring the first virtual router to be communicatively connected to the private network corresponding to the client and the second virtual router to be communicatively connected to the public network, the method includes:
receiving a third request instruction sent by the client, the third request instruction being used to request that the server enable a security protection function;
responding to the third request instruction by creating a firewall virtual machine and connecting the firewall virtual machine to the first virtual router and to the first distributed virtual switch, the firewall virtual machine being used to implement the security protection function.
Optionally, after creating the firewall virtual machine in response to the third request instruction and connecting it to the first virtual router and the first distributed virtual switch, the method includes:
if the firewall virtual machine is detected to have started, configuring a first routing policy on the first virtual router, the first routing policy indicating that, after the first virtual router receives first data information sent by the VM through the corresponding second distributed virtual switch, it forwards the first data information to the firewall virtual machine for security protection;
configuring a second routing policy on the second virtual router, the second routing policy indicating that, after the second virtual router receives second data information sent by the public network, it forwards the second data information to the firewall virtual machine for security protection.
Optionally, after creating the firewall virtual machine in response to the third request instruction and connecting it to the first virtual router and the first distributed virtual switch, the method further includes:
if the firewall virtual machine is detected to be closed or abnormal, configuring a third routing policy on the first virtual router, the third routing policy indicating that, after the first virtual router receives third data information sent by the VM through the corresponding second distributed virtual switch, it forwards the third data information to the first distributed virtual switch so that it reaches the second virtual router;
configuring a fourth routing policy on the second virtual router, the fourth routing policy indicating that, after the second virtual router receives fourth data information sent by the public network, it forwards the fourth data information to the first distributed virtual switch so that it reaches the first virtual router.
Optionally, after the creating a firewall virtual machine in response to the third request instruction and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch, the method further includes:
receiving a control instruction sent by the client; wherein the control instruction is used for instructing the server to delete the VPC tenant information;
and if the server stores no virtual storage or VM associated with the VPC tenant, responding to the control instruction by deleting the first virtual router, the second virtual router, the first distributed virtual switch, the second distributed virtual switches and the firewall virtual machine.
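The two pairs of routing policies above (first and second while the firewall virtual machine is started, third and fourth while it is closed or abnormal) together with the tenant-deletion guard, as an added Python example; this is not Sangfor's code and is not taken from the patent, and the TenantVpc class, the ingress labels "dvs2" and "public", the next-hop names and the audit log are assumptions made for illustration. The third and fourth routing policies forward traffic through the first distributed virtual switch while the firewall VM is down, so the design fails open in favour of service continuity; the example therefore records every policy change so that the period during which the firewall is out of the path is visible to an operator.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Firewall VM states that the server reacts to (assumed names, not from the patent).
FIREWALL_UP = {"started"}
FIREWALL_DOWN = {"closed", "abnormal"}


@dataclass
class TenantVpc:
    """Per-tenant state: two routers with an ingress-side -> next-hop policy each."""
    tenant_id: str
    firewall_vm: bool = False            # created by the third request instruction
    firewall_state: str = "absent"
    vr1_policy: Dict[str, str] = field(default_factory=dict)   # "dvs2" (VM side) -> next hop
    vr2_policy: Dict[str, str] = field(default_factory=dict)   # "public" -> next hop
    vms: List[str] = field(default_factory=list)
    virtual_storage: List[str] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)


def enable_protection(vpc: TenantVpc) -> None:
    """Third request instruction: create the firewall VM, attached to VR1 and DVS1."""
    vpc.firewall_vm = True
    vpc.firewall_state = "created"
    vpc.audit_log.append(f"{vpc.tenant_id}: firewall VM created, attached to vr1 and dvs1")


def on_firewall_state(vpc: TenantVpc, state: str) -> None:
    """Re-program both routers when the firewall VM's state changes.

    started            -> first/second routing policy (VM and public traffic pass the firewall)
    closed or abnormal -> third/fourth routing policy (traffic bypasses it via DVS1)
    """
    if not vpc.firewall_vm:
        raise RuntimeError(f"{vpc.tenant_id}: no firewall VM exists for this tenant")
    if state in FIREWALL_UP:
        vpc.vr1_policy["dvs2"] = "firewall_vm"     # first routing policy
        vpc.vr2_policy["public"] = "firewall_vm"   # second routing policy
        note = "protected"
    elif state in FIREWALL_DOWN:
        vpc.vr1_policy["dvs2"] = "dvs1"            # third routing policy: VR1 -> DVS1 -> VR2
        vpc.vr2_policy["public"] = "dvs1"          # fourth routing policy: VR2 -> DVS1 -> VR1
        note = "BYPASS: firewall not in path"
    else:
        raise ValueError(f"unknown firewall state {state!r}")
    vpc.firewall_state = state
    vpc.audit_log.append(f"{vpc.tenant_id}: firewall {state}, routing now {note}")


def next_hop(vpc: TenantVpc, router: str, ingress: str) -> str:
    """Where the given router forwards a packet received on the given side."""
    policy = vpc.vr1_policy if router == "vr1" else vpc.vr2_policy
    return policy[ingress]


def delete_tenant(vpc: TenantVpc) -> List[str]:
    """Control instruction: tear down only when no VM or virtual storage remains.

    Returns the names of the components deleted, in order.
    """
    if vpc.vms or vpc.virtual_storage:
        raise RuntimeError(f"{vpc.tenant_id}: VMs or virtual storage still exist; refusing to delete")
    components = ["vr1", "vr2", "dvs1", "dvs2"]
    if vpc.firewall_vm:
        components.append("firewall_vm")
    vpc.firewall_vm = False
    vpc.firewall_state = "absent"
    vpc.vr1_policy.clear()
    vpc.vr2_policy.clear()
    vpc.audit_log.append(f"{vpc.tenant_id}: deleted {', '.join(components)}")
    return components


if __name__ == "__main__":
    tenant = TenantVpc("tenant-a", vms=["vm1"])      # constructed sample tenant
    enable_protection(tenant)
    on_firewall_state(tenant, "started")
    on_firewall_state(tenant, "abnormal")
    tenant.vms.clear()
    delete_tenant(tenant)
    print("\n".join(tenant.audit_log))
```

The guard in delete_tenant mirrors the condition in the text: the VPC unit and the firewall VM are released only once nothing that depends on them remains, which prevents a deletion request from orphaning a running VM.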
In another aspect, a server, the server comprising: a processor, a memory, and a communication bus; wherein:
the communication bus is used for realizing connection communication between the processor and the memory;
the processor is configured to execute the network creation program stored in the memory to implement the steps of:
receiving a first subnet segment sent by a client;
creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch;
configuring the first virtual router to be communicatively connected to a private network corresponding to the client, and configuring the second virtual router to be communicatively connected to a public network;
and counting the number of network segments in the first subnet segment and creating that number of second distributed virtual switches, each of which is communicatively connected to the first virtual router.
Optionally, after performing the step of creating the first virtual router, the second virtual router and the first distributed virtual switch, with the first virtual router connected to the second virtual router through the first distributed virtual switch, the processor further performs the following steps:
receiving a third request instruction sent by the client, the third request instruction being used to request that the server enable a security protection function;
responding to the third request instruction by creating a firewall virtual machine and connecting the firewall virtual machine to the first virtual router and to the first distributed virtual switch, the firewall virtual machine being used to implement the security protection function.
In yet another aspect, a computer readable storage medium having stored thereon a network creation program which, when executed by a processor, implements the steps of the network creation method as recited in any one of the above.
In another aspect, a virtual private cloud (VPC) system is communicatively connected to a client and includes a first virtual router, a second virtual router, a first distributed virtual switch and a second distributed virtual switch, where:
a first end of the first virtual router is in communication connection with a first end of the first distributed virtual switch, a second end of the first virtual router is in communication connection with a first end of at least one second distributed virtual switch, and a third end of the first virtual router is in communication connection with a private network corresponding to the client;
the first end of the second virtual router is in communication connection with the second end of the first distributed virtual switch, and the second end of the second virtual router is in communication connection with a public network.
Optionally, the VPC system further includes a firewall virtual machine, wherein:
the first end of the firewall virtual machine is communicatively connected to the fourth end of the first virtual router, and the second end of the firewall virtual machine is communicatively connected to the third end of the first distributed virtual switch.
Optionally, the VPC system further comprises at least one virtual machine, wherein:
one end of the virtual machine is in communication connection with the second end of the corresponding second distributed virtual switch.
According to the network creation method, server, computer readable storage medium and system provided by the embodiment of the invention, after the first subnet segment sent by the client is received, a first virtual router, a second virtual router and a first distributed virtual switch are created; the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch and to the private network corresponding to the client, and the second virtual router is communicatively connected to the public network; then the number of network segments in the first subnet segment is counted, that number of second distributed virtual switches is created, and each of them is communicatively connected to the first virtual router. The server thus begins building the first virtual router, the second virtual router and the first distributed virtual switch of the VPC, with their connections, as soon as the client's first subnet segment arrives, then counts the segments and creates one second distributed virtual switch per segment, each connected to the first virtual router.
Drawings
Fig. 1 is a schematic flowchart of a network creation method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of another network creation method according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating a further network creation method according to an embodiment of the present invention;
Fig. 4 is a flowchart illustrating another network creation method according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a VPC system according to an embodiment of the present invention;
Fig. 6 is a schematic diagram illustrating a flow of data information according to an embodiment of the present invention;
Fig. 7 is a schematic flow chart illustrating a data message according to an embodiment of the present invention;
Fig. 8 is a flow chart illustrating another data message flow according to an embodiment of the present invention;
Fig. 9 is a schematic diagram illustrating another data flow according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
An embodiment of the present invention provides a network creation method, which is applied to a server, and as shown in fig. 1, the method includes the following steps:
Step 101, receiving a first subnet segment sent by a client.
In the embodiment of the present invention, the client is an application installed on a user's terminal device and operated by the user; the terminal device may be an electronic device, such as a computer, that has a communication link to the internet together with information processing and storage capability. A subnet segment generally refers to the part of a computer network whose hosts can communicate directly over the same physical-layer equipment (transmission medium, repeaters, hubs, etc.); for example, 192.168.0.1 to 192.168.0.254 corresponds to one subnet segment, and any two terminal devices with IP addresses in that range can communicate directly. The first subnet segment here comprises at least one subnet segment.
Step 102, creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch.
In the embodiment of the invention, the first virtual router and the second virtual router are both virtual routers, each with a logically independent routing table and forwarding table, and can implement the same functions as a physical router. They provide layer-3 routing, complete the layer-3 switching of the network, and can also support network functions such as Access Control Lists (ACLs) and the Dynamic Host Configuration Protocol (DHCP). Either virtual router may define a plurality of subnet segments. The first virtual router is responsible for route configuration and for the smooth upgrade of a traditional classic network, and the second virtual router may be responsible for the Network Address Translation (NAT) function and the floating Elastic IP address (EIP) function. Combining the routing-policy configuration functions of the two virtual routers therefore makes it convenient to extend the protection function of a virtual firewall, and avoids service interruption while the virtual firewall is being opened or closed. A Distributed Virtual Switch (DVS) is a technology for implementing a virtualized network; through a logical virtual network switch on each physical host it provides the layer-2 capability for communication between hosts and virtual machines.
Step 103, configuring the first virtual router to be communicatively connected to a private network corresponding to the client, and configuring the second virtual router to be communicatively connected to a public network.
In the embodiment of the invention, the private network is the communication network provided inside an enterprise, also called an intranet for short; the public network is a network that anyone can use, also called an external network for short.
Step 104, counting the number of network segments in the first subnet segment and creating that number of second distributed virtual switches, each of which is communicatively connected to the first virtual router.
In the embodiment of the invention, the number of network segments in the first subnet segment sent by the client is counted; each second distributed virtual switch represents one subnet segment.
The network creation method provided by the embodiment of the invention comprises: receiving a first subnet segment sent by a client; creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch; configuring the first virtual router to be communicatively connected to a private network corresponding to the client and the second virtual router to be communicatively connected to a public network; and counting the number of network segments in the first subnet segment, creating that number of second distributed virtual switches and communicatively connecting each of them to the first virtual router. The server thus begins building the first virtual router, the second virtual router and the first distributed virtual switch of the VPC, with their connections, as soon as the client's first subnet segment arrives, then counts the segments and creates one second distributed virtual switch per segment, each connected to the first virtual router.
Based on the foregoing embodiments, an embodiment of the present invention provides a network creating method, which is applied to a server, and as shown in fig. 2, the method includes the following steps:
step 201, receiving a first request instruction sent by a client.
The first request instruction is used for requesting a server to create a Virtual Private Cloud (VPC) tenant, and the first request instruction carries identity information of a client.
In the embodiment of the invention, when an administrator of an enterprise requests, through a client, that a VPC be created for the enterprise, the client sends a first request instruction requesting creation of a VPC tenant to the VPC automatic creation background server set up by the corresponding VPC provider.
Step 202, responding to the first request instruction by recording and storing VPC tenant information.
In the embodiment of the present invention, the server responds to the first request instruction by recording the information related to the VPC that the client has requested, thereby obtaining the VPC tenant information, which may include, for example, the name of the VPC corresponding to the enterprise, the size of the VPC, its application field, its period of use and the identity information of the corresponding client.
In some application scenarios corresponding to other embodiments of the present invention, when responding to the first request instruction the server may automatically create a VPC unit while recording the VPC tenant information, where the VPC unit includes a first virtual router, a second virtual router and a first distributed virtual switch connecting the two. However, if the VPC unit is created as soon as the first request instruction is received and the user does not subsequently input a subnet segment to create the corresponding virtual machines, a large amount of the resources of the VPC automatic creation background server (the server for short) provided by the VPC provider is occupied needlessly.
Step 203, receiving the first subnet segment sent by the client.
In the embodiment of the invention, for example, when an administrator of an enterprise user wishes to create a VPC, the administrator opens the corresponding client, which runs and displays an interface in which the network segment information is the part the administrator needs to edit; the administrator enters the first subnet segment into the client through an input device connected to the terminal device, such as a keyboard, a voice capture device or a handwriting input device, and the client sends the first subnet segment to the server after receiving it from the administrator. The server here is the VPC management background server provided by the VPC provider.
Step 204, if the identity information of the client belongs to the VPC tenant information, creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch.
In the embodiment of the invention, to avoid the VPC unit occupying server resources from the moment the server responds to the first request instruction, the VPC unit corresponding to the VPC tenant information is created only after the server has received the first subnet segment sent by the client, and only when the identity information of the client belongs to the stored VPC tenant information. The VPC unit is the base resource on which the created VPC depends. The first subnet segment received from the client is stored in the storage unit corresponding to the VPC tenant information.
Step 205, configuring the first virtual router to be in communication connection with the private network corresponding to the client, and configuring the second virtual router to be in communication connection with the public network.
In the embodiment of the invention, the first virtual router is connected with an internal communication network of an enterprise, and the second virtual router is connected with a communication network outside the enterprise, so that information interaction between a private network and a public network is realized through the first virtual router and the second virtual router.
Step 206, counting the number of network segments in the first subnet segment and creating that number of second distributed virtual switches, each of which is communicatively connected to the first virtual router.
In the embodiment of the invention, the server counts the number of network segments in the first subnet segment, automatically creates that number of second distributed virtual switches, and configures each created second distributed virtual switch to be communicatively connected to the first virtual router.
Step 207, configuring the Dynamic Host Configuration Protocol (DHCP) on an interface of the first virtual router.
In the embodiment of the invention, the server automatically configures the DHCP on the interface of the first virtual router, so that the first virtual router has the DHCP service function.
Step 208, receiving a second request instruction sent by the client.
The second request instruction is used to request that the server create a virtual machine (VM) based on the first subnet segment.
In the embodiment of the present invention, the client in this step may be the same as or different from the client in step 201, but both are clients recorded in the VPC tenant information. A Virtual Machine (VM) is a complete computer system, simulated by virtualization technology, that has full hardware system functions and runs in a completely isolated environment; the VM runs and is used in the intranet.
Step 209, responding to the second request instruction by creating the VM and controlling the first virtual router to allocate an Internet Protocol (IP) address to the VM based on DHCP.
In the embodiment of the present invention, the second request instruction requests creation of at least one VM. Because the VM is used in the intranet and the first virtual router provides the DHCP service function, once the VM is enabled the first virtual router can automatically allocate it an IP address based on DHCP.
Step 210, determining a target subnet section to which the IP address belongs, and determining a target distributed virtual switch corresponding to the target subnet section.
The target subnet network segment belongs to the first subnet network segment, and the target distributed virtual switch belongs to the second distributed virtual switch with the number of the network segments.
In the embodiment of the invention, each second distributed virtual switch corresponds to one subnet segment in the first subnet segment, so the target subnet segment of each VM can be determined automatically from the IP address that the first virtual router allocated to it based on DHCP.
Step 211, configuring the VM to be communicatively connected to the target distributed virtual switch.
In the embodiment of the invention, the communication connection between the VM and the target distributed virtual switch corresponding to the target subnet section of the VM is realized.
It should be noted that, for the explanation of the same steps or concepts in the present embodiment as in the other embodiments, reference may be made to the description in the other embodiments, and details are not described here.
The network creation method provided by the embodiment of the invention comprises: receiving a first subnet segment sent by a client; creating a first virtual router, a second virtual router and a first distributed virtual switch, the first virtual router being in communication connection with the second virtual router through the first distributed virtual switch; configuring the first virtual router to be in communication connection with a private network corresponding to the client and the second virtual router to be in communication connection with a public network; and counting the number of network segments of the first subnet segment and creating that number of second distributed virtual switches, each in communication connection with the first virtual router. Therefore, the server first establishes the first virtual router, the second virtual router and the first distributed virtual switch in the VPC according to the first subnet segment sent by the client and makes the corresponding communication connections, then counts the number of network segments of the first subnet segment and establishes that number of second distributed virtual switches, each in communication connection with the first virtual router.
Based on the foregoing embodiments, an embodiment of the present invention provides a network creating method, which is applied to a server, and as shown in fig. 3, the method includes the following steps:
step 301, receiving a first request instruction sent by a client.
The first request instruction is used for requesting a server to create a Virtual Private Cloud (VPC) tenant, and the first request instruction carries identity information of a client.
And step 302, responding to the first request instruction, and recording and storing VPC tenant information.
Step 303, receiving the first subnet section sent by the client.
Step 304, if the identity information of the client belongs to the VPC tenant information, creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is in communication connection with the second virtual router through the first distributed virtual switch.
Step 305, configuring the first virtual router to be in communication connection with a private network corresponding to the client, and configuring the second virtual router to be in communication connection with a public network.
And step 306, receiving a third request instruction sent by the client.
And the third request instruction is used for requesting the server to start the safety protection function.
In the embodiment of the present invention, the client here may be the same as or different from the client in steps 201 and 208 of the foregoing embodiment, but it is a client corresponding to the VPC tenant information. The safety protection function can be realized by creating a firewall virtual machine, that is, a virtual firewall is implemented by the firewall virtual machine: a traditional application firewall is packaged into an image template by means of virtualization technology, and the firewall is provided by starting the firewall virtual machine, thereby realizing the safety protection function.
Step 307, responding to the third request instruction to create a firewall virtual machine, and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch.
The firewall virtual machine is used for realizing a safety protection function.
In the embodiment of the invention, an interface at one end of the firewall virtual machine is in communication connection with the first virtual router, and an interface at the other end of the firewall virtual machine is connected with the first distributed virtual switch.
Step 308, counting the number of network segments of the first subnet segment, and creating that number of second distributed virtual switches, each of which is in communication connection with the first virtual router.
Step 309, configuring a dynamic host configuration protocol DHCP on the first virtual router interface.
And step 310, receiving a second request instruction sent by the client.
And the second request instruction is used for requesting the server to create the virtual machine VM based on the first subnet section.
Step 311, responding to the second request instruction, creating the VM, and controlling the first virtual router to allocate an Internet Protocol (IP) address to the VM based on the DHCP.
And step 312, determining the target subnet section to which the IP address belongs, and determining the target distributed virtual switch corresponding to the target subnet section.
The target subnet segment is one of the segments of the first subnet segment, and the target distributed virtual switch is one of the second distributed virtual switches, of which there are as many as there are network segments.
And step 313, configuring the VM to be in communication connection with the target distributed virtual switch.
Based on the foregoing embodiment, in another embodiment of the present invention, as shown in fig. 4, after the server performs step 313, the following steps 314 to 315 may also be performed:
Step 314, receiving a control instruction sent by the client.
The control instruction is used for instructing the server to delete the VPC tenant information.
In the embodiment of the present invention, the client may be the same as or different from the client in step 201, 208 or 306 of the foregoing embodiment and may be a client corresponding to the VPC tenant information, but the client in this step may also be a client of the VPC provider: after an enterprise's VPC lease ends, the VPC provider releases the internal resources so as to improve the operating performance of the server it provides. After receiving the control instruction, the server makes the corresponding logical judgment on the VPC tenant information to which the control instruction refers, that is, the server judges whether it still stores resources corresponding to the VPC tenant information.
Step 315, if no virtual storage or VM related to the VPC tenant remains stored in the server, responding to the control instruction by deleting the first virtual router, the second virtual router, the first distributed virtual switch, the second distributed virtual switches and the firewall virtual machine.
In the embodiment of the invention, the resources corresponding to the VPC tenant information comprise the virtual storage and the VMs related to the VPC tenant; the first virtual router, the second virtual router, the first distributed virtual switch, the second distributed virtual switches and the firewall virtual machine are deleted in response to the control instruction so as to recycle the related VPC logical resources.
Based on the foregoing embodiments, in other embodiments of the present invention, the following steps A1 to A2, or steps B1 to B2, may be performed after the server performs any one of the steps after step 307:
Step A1, if it is detected that the firewall virtual machine is started, configuring a first routing policy of the first virtual router.
The first routing strategy is used for indicating that after the first virtual router receives first data information sent by the VM through the corresponding second distributed virtual switch, the first virtual router sends the first data information to the firewall virtual machine for safety protection.
In the embodiment of the present invention, the detection of the firewall virtual machine by the server may be realized by the firewall virtual machine sending its own start state to the server, or may be obtained by the server actively performing detection. The first routing policy of the first virtual router may specifically be: the VM sends first data information to a second distributed virtual switch corresponding to the VM, the second distributed virtual switch corresponding to the VM sends the received first data information to a first virtual router, the first virtual router sends the received first data information to a firewall virtual machine, the firewall virtual machine sends the first data information to the first distributed virtual switch after safety protection processing, the first distributed virtual switch sends the first data information after safety protection processing to a second virtual router, and the second virtual router sends the first data information after safety protection processing to a public network.
The first data information may be only the part of the data sent by the VM to the second virtual router that needs security protection; the fifth data information, that is, the part of the data sent by the VM to the second virtual router that does not need security protection, follows this transmission path: the VM sends the fifth data information to the second distributed virtual switch corresponding to the VM, that second distributed virtual switch sends it to the first virtual router, the first virtual router sends it to the second virtual router, and the second virtual router sends it to the public network.
And step A2, configuring a second routing strategy of the second virtual router.
And the second routing strategy is used for indicating that the second virtual router sends the second data information to the firewall virtual machine for safety protection after receiving the second data information sent by the public network.
In this embodiment of the present invention, the second routing policy of the second virtual router may specifically be: the public network sends second data information needing to be sent to the VM to a second virtual router, when the second virtual router determines that the second data information needs to be sent to a firewall virtual machine, the second virtual router sends the second data information to a first distributed virtual switch, the first distributed virtual switch sends the second data information to the firewall virtual machine, the firewall virtual machine carries out safety protection processing on the second data information and then sends the second data information to the first virtual router, the first virtual router sends the second data information after the safety protection processing to a second distributed virtual switch corresponding to the VM, and the second distributed virtual switch corresponding to the VM sends the second data information after the safety protection processing to the VM.
The second data information may be only the part of the data that the public network needs to send to the VM that needs security protection; the sixth data information, that is, the part of the data that the public network needs to send to the VM that does not need security protection, follows this transmission path: the public network sends the sixth data information to the second virtual router, the second virtual router sends it to the first distributed virtual switch, the first distributed virtual switch sends it to the first virtual router, the first virtual router sends it to the second distributed virtual switch corresponding to the VM, and that second distributed virtual switch sends it to the VM.
It should be noted that, in the embodiment of the present invention, step A1 and step A2 have no fixed execution order, that is, when the firewall virtual machine is detected to be started, step A1 and step A2 may be executed simultaneously, or step A1 before step A2, or step A1 after step A2; the specific execution order may be determined according to the actual application scenario and is not limited here.
And step B1, if the firewall virtual machine is detected to be closed or abnormal, configuring a third routing strategy of the first virtual router.
And after the third routing strategy is used for indicating that the first virtual router receives third data information sent by the VM through the corresponding second distributed virtual switch, the first virtual router sends the third data information to the first distributed virtual switch so as to send the third data information to the second virtual router.
In the embodiment of the present invention, closing the firewall virtual machine may be chosen by the enterprise user, that is, the enterprise user sends a closing instruction to the server through the client, and the server instructs the firewall virtual machine to close after receiving the closing instruction. The firewall virtual machine may also be closed temporarily, at the user's choice, when the network is abnormal or during operation and maintenance upgrades. The firewall virtual machine being abnormal may refer to an exception of the firewall virtual machine itself or to an exception of its security protection function. The third routing policy may specifically be: the VM sends the third data information to the second distributed virtual switch corresponding to the VM, that second distributed virtual switch sends the received third data information to the first virtual router, the first virtual router sends the received third data information to the second virtual router, and the second virtual router sends the third data information to the public network.
And step B2, configuring a fourth routing strategy of the second virtual router.
And the fourth routing strategy is used for indicating that the second virtual router sends the fourth data information to the first distributed virtual switch after receiving the fourth data information sent by the public network, so that the fourth data information is sent to the first virtual router.
In this embodiment of the present invention, the fourth routing policy may specifically be: the public network sends fourth data information needing to be sent to the VM to a second virtual router, the second virtual router sends the fourth data information to a first distributed virtual switch, the first distributed virtual switch sends the fourth data information to a first virtual router, the first virtual router sends the fourth data information to a second distributed virtual switch corresponding to the VM, and the second distributed virtual switch corresponding to the VM sends the fourth data information to the VM. The server executes step B1 and step B2, i.e. updates the policies of the first virtual router and the second virtual router, so as to ensure network connection without interrupting traffic. When the network is abnormal, the user selects to close the VAF, so that the problem of the network abnormality can be more conveniently analyzed and determined, or when the operation maintenance is upgraded, the user selects to close the VAF, so that the boundary of the network and the safety protection can be determined.
It should be noted that, in the embodiment of the present invention, step B1 and step B2 have no fixed execution order, that is, when the firewall virtual machine is detected to be closed or abnormal, step B1 and step B2 may be executed simultaneously, or step B1 before step B2, or step B1 after step B2; the specific execution order may be determined according to the actual application scenario and is not limited here.
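As an added illustration that is not part of the patent, the following Python model sketches the server-side logic of steps 308 to 315 and of steps A1 to B2 together: one second distributed virtual switch per subnet segment, placing a VM on the switch of the segment that its DHCP-assigned address belongs to, the forwarding path under the A policies (firewall started) versus the B policies (firewall closed or abnormal), and the guard that refuses tenant deletion while VMs or virtual storage remain. The class and function names, the node labels and the DHCP pool layout are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Node labels used in the computed paths (assumed names, mapped to fig. 5).
INTRANET = "first_virtual_router"   # intranet router A
EXTRANET = "second_virtual_router"  # extranet router B
DVS1 = "DVS1"                       # first distributed virtual switch C
VAF = "firewall_vm"                 # firewall virtual machine H
PUBLIC = "public_network"


@dataclass
class Vpc:
    """Per-tenant state the server records from step 302 onwards."""
    tenant: str
    segment_dvs: dict = field(default_factory=dict)  # IPv4Network -> second DVS name
    next_host: dict = field(default_factory=dict)    # IPv4Network -> next free host index
    vms: dict = field(default_factory=dict)          # vm name -> (ip, dvs name)
    storage: set = field(default_factory=set)        # ids of tenant virtual storage
    firewall_up: bool = False                        # selects policy A (up) or B (down)


class VpcController:
    """Assumed name for the server logic; models steps 301-315 and A1-B2."""

    def __init__(self):
        self.tenants = {}

    def create_tenant(self, tenant):
        # Step 302: record the VPC tenant information.
        self.tenants[tenant] = Vpc(tenant)

    def _vpc(self, tenant):
        # Step 304: only a recorded tenant may drive resource creation.
        if tenant not in self.tenants:
            raise PermissionError(f"{tenant!r} is not a recorded VPC tenant")
        return self.tenants[tenant]

    def create_network(self, tenant, subnet_segments):
        # Step 308: one second-level DVS (DVS2, DVS3, ...) per subnet segment,
        # each hanging off the first virtual router. Returns the segment count.
        vpc = self._vpc(tenant)
        for number, segment in enumerate(subnet_segments, start=2):
            net = ipaddress.ip_network(segment, strict=True)
            vpc.segment_dvs[net] = f"DVS{number}"
            vpc.next_host[net] = 2  # .0 is the network, .1 the router interface (assumed)
        return len(vpc.segment_dvs)

    def _dhcp_allocate(self, vpc, net):
        # Steps 309 and 311: the first virtual router's DHCP hands out the next
        # free host address of the requested segment.
        if net not in vpc.next_host:
            raise ValueError(f"{net} is not one of the tenant's subnet segments")
        idx = vpc.next_host[net]
        if idx >= net.num_addresses - 1:  # the last address is the broadcast address
            raise RuntimeError(f"DHCP pool exhausted for {net}")
        vpc.next_host[net] = idx + 1
        return net[idx]

    def create_vm(self, tenant, name, segment):
        # Steps 311-313: allocate an address, find the segment it belongs to by
        # membership, and attach the VM to that segment's DVS.
        vpc = self._vpc(tenant)
        ip = self._dhcp_allocate(vpc, ipaddress.ip_network(segment))
        target_net = next(n for n in vpc.segment_dvs if ip in n)
        target_dvs = vpc.segment_dvs[target_net]
        vpc.vms[name] = (ip, target_dvs)
        return target_dvs

    def set_firewall_state(self, tenant, up):
        # The server detected the VAF starting (A1/A2) or closing/abnormal (B1/B2).
        self._vpc(tenant).firewall_up = up

    def egress_path(self, tenant, vm, needs_protection=True):
        # Policy A1 sends protected traffic (first data) through the VAF and DVS1;
        # unprotected traffic (fifth data) and all traffic under policy B1 (third
        # data) reaches the second virtual router through DVS1 directly.
        vpc = self._vpc(tenant)
        _, dvs = vpc.vms[vm]
        middle = [VAF, DVS1] if vpc.firewall_up and needs_protection else [DVS1]
        return [vm, dvs, INTRANET, *middle, EXTRANET, PUBLIC]

    def ingress_path(self, tenant, vm, needs_protection=True):
        # Mirror image for policies A2/B2: public -> second router -> DVS1
        # -> [VAF] -> first router -> segment DVS -> VM.
        vpc = self._vpc(tenant)
        _, dvs = vpc.vms[vm]
        middle = [DVS1, VAF] if vpc.firewall_up and needs_protection else [DVS1]
        return [PUBLIC, EXTRANET, *middle, INTRANET, dvs, vm]

    def delete_tenant(self, tenant):
        # Steps 314-315: logical resources are recycled only once no VM and no
        # virtual storage of the tenant remains; otherwise the request is refused.
        vpc = self._vpc(tenant)
        if vpc.vms or vpc.storage:
            return False
        del self.tenants[tenant]
        return True
```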
Correspondingly, an embodiment of the present invention provides a schematic diagram of a VPC system structure, and as shown in fig. 5, the VPC system structure includes an intranet router A, an extranet router B, a DVS1 C, a DVS2 D, a DVS3 E, a VM1 F, a VM2 G and a VAF H. The intranet router A is connected with the extranet router B through DVS1 C, the VAF H is connected with the intranet router A and further connected with DVS1 C, both DVS2 D and DVS3 E are connected with the intranet router A, VM1 F is connected with DVS2 D, and VM2 G is connected with DVS3 E. The intranet router is the first virtual router in the embodiment of the present invention, and the extranet router is the second virtual router in the embodiment of the present invention.
Based on the VPC system structure diagram shown in fig. 5, when VAF H is started, the data flow of the data information that VM1 F and VM2 G receive from the extranet router B is as indicated by the arrow direction in fig. 6. Taking as an example that the first data information determined to need security protection includes first sub-data information corresponding to VM1 F and second sub-data information corresponding to VM2 G, the data flow specifically includes: after the extranet router B receives first data information that a public network (not shown in the figure) needs to send to VM1 F and VM2 G, the extranet router B sends the first data information to DVS1 C, DVS1 C receives the first data information and sends it to VAF H, VAF H performs security protection processing on the first data information and sends the processed first data information to the intranet router A, the intranet router A sends the first sub-data information corresponding to VM1 F in the processed first data information to DVS2 D, DVS2 D sends the first sub-data information to VM1 F, the intranet router A sends the second sub-data information corresponding to VM2 G in the processed first data information to DVS3 E, and DVS3 E sends the second sub-data information to VM2 G.
Based on the VPC system structure diagram shown in fig. 5, when VAF H is started, the data flow of the data information that the extranet router B receives from VM1 F and VM2 G is as indicated by the arrow direction in fig. 7. Taking as an example that the second data information that needs security protection includes third sub-data information corresponding to VM1 F and fourth sub-data information corresponding to VM2 G, the data flow specifically includes: VM1 F sends the third sub-data information to DVS2 D, DVS2 D sends the third sub-data information to the intranet router A, VM2 G sends the fourth sub-data information to DVS3 E, DVS3 E sends the fourth sub-data information to the intranet router A, the intranet router A receives the third sub-data information and the fourth sub-data information to obtain the second data information, the intranet router A sends the second data information to VAF H, VAF H performs security protection processing on the second data information and sends the processed second data information to the extranet router B, and the extranet router B sends the processed second data information to the corresponding public network (not shown in the figure).
Based on the VPC system structure diagram shown in fig. 5, when VAF H is abnormal or turned off, the data flow of the data information that VM1 F and VM2 G receive from the extranet router B is as indicated by the arrow direction in fig. 8. Taking as an example that the third data information received by the extranet router B includes fifth sub-data information corresponding to VM1 F and sixth sub-data information corresponding to VM2 G, the data flow specifically includes: after the extranet router B receives third data information that a public network (not shown in the figure) needs to send to VM1 F and VM2 G, the extranet router B sends the third data information to DVS1 C, DVS1 C receives the third data information and sends it to the intranet router A, the intranet router A sends the fifth sub-data information corresponding to VM1 F in the third data information to DVS2 D, DVS2 D sends the fifth sub-data information to VM1 F, the intranet router A sends the sixth sub-data information corresponding to VM2 G in the third data information to DVS3 E, and DVS3 E sends the sixth sub-data information to VM2 G.
Based on the VPC system structure diagram shown in fig. 5, when VAF H is abnormal or turned off, the data flow of the data information that the extranet router B receives from VM1 F and VM2 G is as indicated by the arrow direction in fig. 9. Taking as an example that the fourth data information includes seventh sub-data information corresponding to VM1 F and eighth sub-data information corresponding to VM2 G, the data flow specifically includes: VM1 F sends the seventh sub-data information to DVS2 D, DVS2 D sends the seventh sub-data information to the intranet router A, VM2 G sends the eighth sub-data information to DVS3 E, DVS3 E sends the eighth sub-data information to the intranet router A, the intranet router A receives the seventh sub-data information and the eighth sub-data information to obtain the fourth data information, the intranet router A sends the fourth data information to the extranet router B, and the extranet router B sends the fourth data information to the corresponding public network (not shown in the figure).
It should be noted that, for the explanation of the same steps or concepts in the present embodiment as in the other embodiments, reference may be made to the description in the other embodiments, and details are not described here.
The network creation method provided by the embodiment of the invention comprises: receiving a first subnet segment sent by a client; creating a first virtual router, a second virtual router and a first distributed virtual switch, the first virtual router being in communication connection with the second virtual router through the first distributed virtual switch; configuring the first virtual router to be in communication connection with a private network corresponding to the client and the second virtual router to be in communication connection with a public network; and counting the number of network segments of the first subnet segment and creating that number of second distributed virtual switches, each in communication connection with the first virtual router. Therefore, the server first establishes the first virtual router, the second virtual router and the first distributed virtual switch in the VPC according to the first subnet segment sent by the client and makes the corresponding communication connections, then counts the number of network segments of the first subnet segment and establishes that number of second distributed virtual switches, each in communication connection with the first virtual router. Furthermore, after the server receives a user's instruction to create the safety protection function, a firewall virtual machine is created automatically, which improves the safety protection performance of the VPC, separates the network from the safety protection function, facilitates troubleshooting when the network connection is abnormal, and reduces the limitations and constraints on the smooth upgrading of public service networks and traditional networks.
Based on the foregoing embodiments, an embodiment of the present invention provides a server 4, which may be applied in the embodiments corresponding to fig. 1 to 4, and as shown in fig. 10, the server may include: a processor 41, a memory 42, and a communication bus 43, wherein:
the communication bus 43 is used for realizing connection communication between the processor 41 and the memory 42;
the processor 41 is configured to execute a network creation program stored in the memory 42 to implement the steps of:
receiving a first subnet section sent by a client;
creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is in communication connection with the second virtual router through the first distributed virtual switch;
configuring a first virtual router to be in communication connection with a private network corresponding to a client, and configuring a second virtual router to be in communication connection with a public network;
counting the number of network segments of the first subnet segment, and creating that number of second distributed virtual switches, each of which is in communication connection with the first virtual router.
Before the step of receiving the first subnet segment sent by the client is executed by the processor 41, the network creation program stored in the memory 42 is also executed to implement the following steps:
receiving a first request instruction sent by a client; the first request instruction is used for requesting a server to create a Virtual Private Cloud (VPC) tenant, and the first request instruction carries identity information of a client;
responding to the first request instruction, recording and storing VPC tenant information;
accordingly, when executing the step of creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is in communication connection with the second virtual router through the first distributed virtual switch, the processor 41 implements the following step:
if the identity information of the client belongs to VPC tenant information, a first virtual router, a second virtual router and a first distributed virtual switch are created, and the first virtual router is in communication connection with the second virtual router through the first distributed virtual switch.
After the processor 41 performs the step of counting the number of network segments of the first subnet segment and creating that number of second distributed virtual switches, each in communication connection with the first virtual router, it also executes the network creation program stored in the memory 42 to implement the following steps:
configuring a Dynamic Host Configuration Protocol (DHCP) on a first virtual router interface;
receiving a second request instruction sent by the client; the second request instruction is used for requesting the server to create the virtual machine VM based on the first subnet section;
responding to the second request instruction, creating a VM (virtual machine), and controlling a first virtual router to distribute an Internet Protocol (IP) address to the VM based on a Dynamic Host Configuration Protocol (DHCP);
determining a target subnet segment to which the IP address belongs, and determining a target distributed virtual switch corresponding to the target subnet segment; the target subnet segment is one of the segments of the first subnet segment, and the target distributed virtual switch is one of the second distributed virtual switches, of which there are as many as there are network segments;
and configuring the VM to be in communication connection with the target distributed virtual switch.
After the processor 41 executes the step of configuring the first virtual router to be in communication connection with the private network corresponding to the client and the second virtual router to be in communication connection with the public network, it also executes the network creation program stored in the memory 42 to implement the following steps:
receiving a third request instruction sent by the client; the third request instruction is used for requesting the server to start a safety protection function;
responding to the third request instruction to create a firewall virtual machine, and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch; the firewall virtual machine is used for realizing a safety protection function.
After the step of creating the firewall virtual machine in response to the third request instruction and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch is executed by the processor 41, a network creation program stored in the memory 42 is also executed to implement the steps of:
if the firewall virtual machine is detected to be started, configuring a first routing strategy of a first virtual router; the first routing strategy is used for indicating that after the first virtual router receives first data information sent by the VM through the corresponding second distributed virtual switch, the first virtual router sends the first data information to the firewall virtual machine for safety protection;
configuring a second routing policy of a second virtual router; and the second routing strategy is used for indicating that the second virtual router sends the second data information to the firewall virtual machine for safety protection after receiving the second data information sent by the public network.
After the processor 41 executes the firewall virtual machine created in response to the third request instruction and connects the firewall virtual machine with the first virtual router and the first distributed virtual switch, it also executes the network creation program stored in the memory 42 to implement the following steps:
if the closing or the abnormality of the firewall virtual machine is detected, configuring a third routing strategy of the first virtual router; after the third routing strategy is used for indicating that the first virtual router receives third data information sent by the VM through the corresponding second distributed virtual switch, the first virtual router sends the third data information to the first distributed virtual switch so as to send the third data information to the second virtual router;
configuring a fourth routing policy of the second virtual router; and the fourth routing strategy is used for indicating that the second virtual router sends the fourth data information to the first distributed virtual switch after receiving the fourth data information sent by the public network, so that the fourth data information is sent to the first virtual router.
After the step of creating the firewall virtual machine in response to the third request instruction and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch, the processor 41 further executes the network creation program stored in the memory 42 to implement the following steps:
receiving a control instruction sent by a client; the control instruction is used for instructing the server to delete VPC tenant information;
and if the server does not store the virtual storage and the VM related to the VPC tenant, responding to the control instruction to delete the first virtual router, the second virtual router, the first distributed virtual switch, the second distributed virtual switch machine and the firewall virtual machine.
It should be noted that, for the interaction between the steps implemented by the processor in this embodiment, reference may be made to the interaction in the network creation method provided in the embodiments corresponding to fig. 1 to 4 and the above embodiments; the details are not repeated here.
The server provided by the embodiment of the invention receives a first subnet network segment sent by a client and then creates a first virtual router, a second virtual router and a first distributed virtual switch, where the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch; it configures the first virtual router to be communicatively connected to the private network corresponding to the client and the second virtual router to be communicatively connected to the public network; it then counts the number of network segments in the first subnet network segment and creates that number of second distributed virtual switches, each of which is communicatively connected to the first virtual router. In this way, the server, driven by the first subnet network segment sent by the client, establishes the first virtual router, the second virtual router and the first distributed virtual switch in the VPC, makes the corresponding communication connections, then counts the network segments of the first subnet network segment and creates one second distributed virtual switch per segment, each connected to the first virtual router. Furthermore, after the server receives a user instruction to enable the security protection function, it automatically creates a firewall virtual machine, which improves the security protection of the VPC; because the network and the security protection function are kept separate, troubleshooting is easier when the network connection is abnormal, and the limitations and constraints on smoothly upgrading a public service network and a traditional network are reduced.
Based on the foregoing embodiments, embodiments of the present invention provide a computer-readable storage medium storing one or more network creation programs, the one or more network creation programs being executable by one or more processors to implement the steps of:
receiving a first subnet network segment sent by a client;
creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch;
configuring the first virtual router to be communicatively connected to a private network corresponding to the client, and configuring the second virtual router to be communicatively connected to a public network;
and counting the number of network segments in the first subnet network segment and creating that number of second distributed virtual switches, each of which is communicatively connected to the first virtual router.
In other embodiments of the present invention, before receiving the first subnet network segment sent by the client, the processor further executes the following steps:
receiving a first request instruction sent by the client; the first request instruction is used for requesting the server to create a Virtual Private Cloud (VPC) tenant, and the first request instruction carries identity information of the client;
responding to the first request instruction by recording and storing the VPC tenant information;
correspondingly, creating the first virtual router, the second virtual router and the first distributed virtual switch, with the first virtual router communicatively connected to the second virtual router through the first distributed virtual switch, comprises the following step:
if the identity information of the client belongs to the VPC tenant information, creating the first virtual router, the second virtual router and the first distributed virtual switch, wherein the first virtual router is communicatively connected to the second virtual router through the first distributed virtual switch.
In other embodiments of the present invention, after counting the number of network segments in the first subnet network segment and creating that number of second distributed virtual switches, each communicatively connected to the first virtual router, the processor further executes the following steps:
configuring the Dynamic Host Configuration Protocol (DHCP) on an interface of the first virtual router;
receiving a second request instruction sent by the client; the second request instruction is used for requesting the server to create a virtual machine (VM) based on the first subnet network segment;
responding to the second request instruction by creating the VM, and controlling the first virtual router to allocate an Internet Protocol (IP) address to the VM based on DHCP;
determining the target subnet network segment to which the IP address belongs, and determining the target distributed virtual switch corresponding to the target subnet network segment; the target subnet network segment belongs to the first subnet network segment, and the target distributed virtual switch is one of the second distributed virtual switches created per network segment;
and configuring the VM to be communicatively connected to the target distributed virtual switch.
In other embodiments of the present invention, after configuring the first virtual router to be communicatively connected to the private network corresponding to the client and the second virtual router to be communicatively connected to the public network, the processor further performs the following steps:
receiving a third request instruction sent by the client; the third request instruction is used for requesting the server to enable a security protection function;
responding to the third request instruction by creating a firewall virtual machine, and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch; the firewall virtual machine is used for implementing the security protection function.
In other embodiments of the present invention, after the firewall virtual machine is created in response to the third request instruction and connected to the first virtual router and the first distributed virtual switch, the processor further performs the following steps:
if it is detected that the firewall virtual machine has started, configuring a first routing policy of the first virtual router; the first routing policy is used for indicating that, after the first virtual router receives first data information sent by a VM through the corresponding second distributed virtual switch, the first virtual router sends the first data information to the firewall virtual machine for security protection;
configuring a second routing policy of the second virtual router; the second routing policy is used for indicating that, after the second virtual router receives second data information sent by the public network, the second virtual router sends the second data information to the firewall virtual machine for security protection.
In other embodiments of the present invention, after the firewall virtual machine is created in response to the third request instruction and connected to the first virtual router and the first distributed virtual switch, the processor further performs the following steps:
if it is detected that the firewall virtual machine has been closed or is abnormal, configuring a third routing policy of the first virtual router; the third routing policy is used for indicating that, after the first virtual router receives third data information sent by the VM through the corresponding second distributed virtual switch, the first virtual router sends the third data information to the first distributed virtual switch so that the third data information is sent on to the second virtual router;
configuring a fourth routing policy of the second virtual router; the fourth routing policy is used for indicating that, after the second virtual router receives fourth data information sent by the public network, the second virtual router sends the fourth data information to the first distributed virtual switch so that the fourth data information is sent on to the first virtual router.
In other embodiments of the present invention, after the firewall virtual machine is created in response to the third request instruction and connected to the first virtual router and the first distributed virtual switch, the processor further performs the following steps:
receiving a control instruction sent by the client; the control instruction is used for instructing the server to delete the VPC tenant information;
and if the server stores no virtual storage and no VM related to the VPC tenant, deleting the first virtual router, the second virtual router, the first distributed virtual switch, the second distributed virtual switches and the firewall virtual machine in response to the control instruction.
It should be noted that, for the interaction between the steps implemented by the processor in this embodiment, reference may be made to the interaction in the network creation method provided in the embodiments corresponding to fig. 1 to 4 and the above embodiments; the details are not repeated here.
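The control-plane behaviour described in the steps above (one second distributed virtual switch per subnet segment, DHCP-based VM placement on the target switch, the firewall-dependent first to fourth routing policies, and the tenant-deletion guard) as an added, in-memory model; this is example code written for this page, not code from the patent or its assignee, and the class and constant names (Vpc, FIREWALL_VM, dvs2-N) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

FIRST_ROUTER = "vr1"     # first virtual router: private-network / VM side
SECOND_ROUTER = "vr2"    # second virtual router: public-network side
FIRST_SWITCH = "dvs1"    # first distributed virtual switch, joins vr1 and vr2
FIREWALL_VM = "fw-vm"    # firewall virtual machine, hangs off vr1 and dvs1


@dataclass
class Vm:
    vm_id: str
    ip: ipaddress.IPv4Address
    switch: str          # the second distributed virtual switch the VM attaches to


class Vpc:
    """In-memory model of one tenant's VPC (hypothetical class, not the patent's)."""

    def __init__(self, tenant_id: str, subnet_cidrs: List[str]) -> None:
        self.tenant_id = tenant_id
        # the "first subnet network segment" sent by the client, e.g. two /24s
        self.subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
        # count the segments and create that many second distributed virtual
        # switches, each connected to vr1 (dvs1 joins vr1 and vr2)
        self.segment_switches: Dict[ipaddress.IPv4Network, str] = {
            net: f"dvs2-{i}" for i, net in enumerate(self.subnets)
        }
        # DHCP on the vr1 interfaces: net[1] is the router, leases start at net[2]
        self._dhcp_next = {net: 2 for net in self.subnets}
        self.vms: Dict[str, Vm] = {}
        self.storage: List[str] = []
        self.firewall_up = False   # firewall VM not yet started

    def _dhcp_allocate(self, net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
        idx = self._dhcp_next[net]
        if idx >= net.num_addresses - 1:          # never hand out the broadcast address
            raise RuntimeError(f"DHCP pool exhausted on {net}")
        self._dhcp_next[net] = idx + 1
        return net[idx]

    def target_subnet(self, ip: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
        """Determine the target subnet segment to which a leased IP belongs."""
        for net in self.subnets:
            if ip in net:
                return net
        raise ValueError(f"{ip} is outside every subnet of tenant {self.tenant_id}")

    def create_vm(self, vm_id: str, subnet_cidr: str) -> Vm:
        """Second request instruction: create a VM, lease an IP via vr1's DHCP,
        then attach the VM to the switch of the subnet that IP falls in."""
        net = ipaddress.ip_network(subnet_cidr)
        if net not in self.segment_switches:
            raise ValueError(f"{net} is not part of the first subnet segment")
        ip = self._dhcp_allocate(net)
        switch = self.segment_switches[self.target_subnet(ip)]
        vm = Vm(vm_id, ip, switch)
        self.vms[vm_id] = vm
        return vm

    def delete_vm(self, vm_id: str) -> None:
        del self.vms[vm_id]

    def on_firewall_event(self, state: str) -> None:
        """'started' installs the first/second routing policies; 'closed' or
        'abnormal' installs the third/fourth ones."""
        if state == "started":
            self.firewall_up = True
        elif state in ("closed", "abnormal"):
            self.firewall_up = False
        else:
            raise ValueError(f"unknown firewall state {state!r}")

    def route(self, source: str) -> Dict[str, object]:
        """Next hop chosen by vr1 (source='vm') or vr2 (source='public') under the
        routing policy currently in force."""
        if source not in ("vm", "public"):
            raise ValueError("source must be 'vm' or 'public'")
        router = FIRST_ROUTER if source == "vm" else SECOND_ROUTER
        # policies 1/2: hand traffic to the firewall VM; policies 3/4: forward
        # through dvs1 to the other router, i.e. traffic bypasses inspection
        # (fail-open) while the firewall VM is down, which is worth alerting on
        next_hop = FIREWALL_VM if self.firewall_up else FIRST_SWITCH
        return {"router": router, "next_hop": next_hop, "inspected": self.firewall_up}

    def delete_tenant(self) -> bool:
        """Control instruction: tear the VPC down only if no VM or virtual storage
        of the tenant remains; otherwise refuse and keep everything."""
        if self.vms or self.storage:
            return False
        self.segment_switches.clear()
        self.firewall_up = False
        return True


if __name__ == "__main__":
    vpc = Vpc("tenant-a", ["10.0.1.0/24", "10.0.2.0/24"])   # constructed sample input
    vm = vpc.create_vm("vm-1", "10.0.2.0/24")
    print(vm, vpc.route("vm"))                # bypasses the firewall until it starts
    vpc.on_firewall_event("started")
    print(vpc.route("public"), "deleted:", vpc.delete_tenant())   # refused: vm-1 exists
```

The `inspected` flag in the routing result makes the fail-open window of the third and fourth policies visible, so a monitoring hook can raise an alarm while the firewall VM is down rather than silently forwarding.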
Based on the foregoing embodiments, an embodiment of the present invention provides a virtual private cloud (VPC) system, where the VPC system is communicatively connected to a client, and the VPC system includes a first virtual router, a second virtual router, a first distributed virtual switch, and a second distributed virtual switch, where:
the first end of the first virtual router is in communication connection with the first end of the first distributed virtual switch, the second end of the first virtual router is in communication connection with the first end of at least one second distributed virtual switch, and the third end of the first virtual router is in communication connection with a private network corresponding to the client;
the first end of the second virtual router is in communication connection with the second end of the first distributed virtual switch, and the second end of the second virtual router is in communication connection with the public network.
In other embodiments of the present invention, the VPC system further includes a firewall virtual machine, wherein:
the first end of the firewall virtual machine is in communication connection with the fourth end of the first virtual router, and the second end of the firewall virtual machine is in communication connection with the third end of the first distributed virtual switch.
In other embodiments of the present invention, the VPC system further comprises at least one virtual machine, wherein:
one end of each virtual machine is in communication connection with the second end of the corresponding second distributed virtual switch.
The corresponding VPC system structure diagram can be as shown in fig. 5, wherein the private network and the public network corresponding to the client are not shown in fig. 5.
It should be noted that, for the interaction between the steps implemented by the VPC system in this embodiment, reference may be made to the interaction in the network creation methods provided in the embodiments corresponding to fig. 1 to 9 and the above embodiments; the details are not repeated here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the methods described in the embodiments of the present invention.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (13)

1. A method for network creation, the method comprising:
receiving a first subnet network segment sent by a client;
creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is in communication connection with the second virtual router through the first distributed virtual switch;
configuring the first virtual router to be in communication connection with a private network corresponding to the client, and configuring the second virtual router to be in communication connection with a public network;
and counting the number of network segments in the first subnet network segment and creating that number of second distributed virtual switches, wherein each of the second distributed virtual switches is respectively in communication connection with the first virtual router.
2. The method of claim 1, wherein prior to receiving the first subnet segment sent by the client, the method further comprises:
receiving a first request instruction sent by the client; the first request instruction is used for requesting a server to create a Virtual Private Cloud (VPC) tenant, and the first request instruction carries the identity information of the client;
responding to the first request instruction, recording and storing the VPC tenant information;
correspondingly, the creating of a first virtual router, a second virtual router and a first distributed virtual switch, the first virtual router being communicatively connected to the second virtual router via the first distributed virtual switch, includes:
and if the identity information of the client belongs to the VPC tenant information, creating the first virtual router, the second virtual router and the first distributed virtual switch, wherein the first virtual router is in communication connection with the second virtual router through the first distributed virtual switch.
3. The method of claim 1, wherein after counting the number of network segments in the first subnet network segment and creating that number of second distributed virtual switches, each respectively communicatively connected to the first virtual router, the method further comprises:
configuring a Dynamic Host Configuration Protocol (DHCP) on the first virtual router interface;
receiving a second request instruction sent by the client; the second request instruction is used for requesting the server to create a virtual machine (VM) based on the first subnet network segment;
responding to the second request instruction, creating the VM, and controlling the first virtual router to allocate an Internet Protocol (IP) address to the VM based on the DHCP;
determining a target subnet network segment to which the IP address belongs, and determining a target distributed virtual switch corresponding to the target subnet network segment; the target subnet network segment belongs to the first subnet network segment, and the target distributed virtual switch belongs to a second distributed virtual switch with the number of the network segments;
and configuring the VM to be in communication connection with the target distributed virtual switch.
4. The method according to any one of claims 1-3, wherein after the configuring of the first virtual router to communicatively connect with the private network corresponding to the client and of the second virtual router to communicatively connect with the public network, the method further comprises:
receiving a third request instruction sent by the client; the third request instruction is used for requesting the server to enable a security protection function;
responding to the third request instruction by creating a firewall virtual machine, and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch; and the firewall virtual machine is used for implementing the security protection function.
5. The method of claim 4, wherein after creating the firewall virtual machine in response to the third request instruction and connecting the firewall virtual machine to the first virtual router and the first distributed virtual switch, the method further comprises:
if the firewall virtual machine is detected to be started, configuring a first routing strategy of the first virtual router; the first routing policy is used for indicating that after the first virtual router receives first data information sent by a VM through a corresponding second distributed virtual switch, the first virtual router sends the first data information to the firewall virtual machine for security protection;
configuring a second routing policy of the second virtual router; and the second routing policy is used for indicating that the second virtual router sends second data information to the firewall virtual machine for security protection after receiving the second data information sent by the public network.
6. The method of claim 4, wherein after creating the firewall virtual machine in response to the third request instruction and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch, the method further comprises:
if the firewall virtual machine is detected to be closed or abnormal, configuring a third routing policy of the first virtual router; the third routing policy is used for indicating that after the first virtual router receives third data information sent by the VM through the corresponding second distributed virtual switch, the first virtual router sends the third data information to the first distributed virtual switch so as to send the third data information to the second virtual router;
configuring a fourth routing policy of the second virtual router; and the fourth routing policy is used for indicating that after the second virtual router receives fourth data information sent by the public network, the second virtual router sends the fourth data information to the first distributed virtual switch so as to send the fourth data information to the first virtual router.
7. The method of claim 4, wherein after creating the firewall virtual machine in response to the third request instruction and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch, the method further comprises:
receiving a control instruction sent by the client; the control instruction is used for instructing the server to delete VPC tenant information;
and if the server does not store any virtual storage or VM related to the VPC tenant, responding to the control instruction by deleting the first virtual router, the second virtual router, the first distributed virtual switch, the second distributed virtual switch and the firewall virtual machine.
8. A server, characterized in that the server comprises: a processor, a memory, and a communication bus; wherein:
the communication bus is used for realizing connection communication between the processor and the memory;
the processor is configured to execute the network creation program stored in the memory to implement the steps of:
receiving a first subnet network segment sent by a client;
creating a first virtual router, a second virtual router and a first distributed virtual switch, wherein the first virtual router is in communication connection with the second virtual router through the first distributed virtual switch;
configuring the first virtual router to be in communication connection with a private network corresponding to the client, and configuring the second virtual router to be in communication connection with a public network;
and counting the number of network segments in the first subnet network segment and creating that number of second distributed virtual switches, wherein each of the second distributed virtual switches is respectively in communication connection with the first virtual router.
9. The server according to claim 8, wherein after the processor performs the step of creating a first virtual router, a second virtual router and a first distributed virtual switch, with the first virtual router in communication connection with the second virtual router through the first distributed virtual switch, the processor further performs the following steps:
receiving a third request instruction sent by the client; the third request instruction is used for requesting the server to enable a security protection function;
responding to the third request instruction by creating a firewall virtual machine, and connecting the firewall virtual machine with the first virtual router and the first distributed virtual switch; and the firewall virtual machine is used for implementing the security protection function.
10. A computer-readable storage medium, characterized in that a network creation program is stored thereon, which when executed by a processor implements the steps of the network creation method according to any one of claims 1 to 7.
11. A Virtual Private Cloud (VPC) system, wherein the VPC system is communicatively linked with a client, the VPC system comprising a first virtual router, a second virtual router, a first distributed virtual switch, and a second distributed virtual switch, wherein:
a first end of the first virtual router is in communication connection with a first end of the first distributed virtual switch, a second end of the first virtual router is in communication connection with a first end of at least one second distributed virtual switch, and a third end of the first virtual router is in communication connection with a private network corresponding to the client; the VPC system is established based on a first subnet network segment sent by the client, and the number of the second distributed virtual switches is the same as that of the first subnet network segment;
the first end of the second virtual router is in communication connection with the second end of the first distributed virtual switch, and the second end of the second virtual router is in communication connection with a public network.
12. The system of claim 11, wherein the VPC system further comprises a firewall virtual machine, wherein:
the first end of the firewall virtual machine is in communication connection with the fourth end of the first virtual router, and the second end of the firewall virtual machine is in communication connection with the third end of the first distributed virtual switch.
13. The system of claim 12, wherein the VPC system further comprises at least one virtual machine, wherein:
one end of the virtual machine is in communication connection with the second end of the corresponding second distributed virtual switch.
CN201910822937.XA 2019-09-02 2019-09-02 Network creation method, server, computer readable storage medium and system Active CN110611588B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910822937.XA CN110611588B (en) 2019-09-02 2019-09-02 Network creation method, server, computer readable storage medium and system
Publications (2)

Publication Number Publication Date
CN110611588A CN110611588A (en) 2019-12-24
CN110611588B true CN110611588B (en) 2022-04-29

Family

ID=68891179
Country Status (1)

Country Link
CN (1) CN110611588B (en)
Also Published As

Publication number Publication date
CN110611588A (en) 2019-12-24
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant