CN111130973A - Heterogeneous cloud network intercommunication system and method - Google Patents

Info

Publication number: CN111130973A
Authority: CN (China)
Prior art keywords: virtual, cloud, data packet, network, cloud platform
Legal status: Granted (active)
Application number: CN201811296022.1A
Other languages: Chinese (zh)
Other versions: CN111130973B (en)
Inventors: 陈晓帆, 古亮
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Events: application filed by Sangfor Technologies Co Ltd; priority to CN201811296022.1A; publication of CN111130973A; application granted; publication of CN111130973B.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 12/00 Data switching networks > H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a heterogeneous cloud network intercommunication system comprising at least two cloud platforms belonging to different manufacturers. Each cloud platform is provided with a centralized gateway for each user, and each virtual machine of each user on each cloud platform is provided with an agent module. The agent modules of a user's virtual machines form a cross-cloud overlay network corresponding to that user, and the centralized gateway forwards the Layer 2 and Layer 3 traffic of that user's cross-cloud overlay network. The agent module comprises a first virtual network card, a first overlay network tunnel end point (TEP), a DVS unit and a second virtual network card, connected in sequence, together with a DFW unit connected to the DVS unit. By applying the technical scheme provided by the embodiments of the invention, the agent module and the centralized gateway give the network layers of the heterogeneous clouds the same architecture, so that real network intercommunication is achieved, deployment is simple, and the operation and maintenance difficulty is reduced. The invention also discloses a heterogeneous cloud network intercommunication method having corresponding technical effects.

Description

Heterogeneous cloud network intercommunication system and method
Technical Field
The invention relates to the technical field of computer application, in particular to a heterogeneous cloud network intercommunication system and method.
Background
With the rapid development of cloud computing technology, cloud platforms are ever more widely used. Because the cloud platforms of different manufacturers implement and manage different underlying networks, successfully deploying a heterogeneous cloud network that spans several regions and uses the cloud platforms of multiple manufacturers at the same time has always been a difficult problem.
At present, Layer 3 interworking between heterogeneous clouds is achieved mainly through a VPN (Virtual Private Network).
However, this method only provides basic intercommunication between heterogeneous clouds: the different cloud platforms are still not equivalent and cannot be managed in a unified way, and when a virtual machine is migrated, its network configuration and security policy must be changed before it can operate normally on the destination platform, which increases the operation and maintenance difficulty.
Disclosure of Invention
The invention aims to provide a heterogeneous cloud network intercommunication system and method that realize real network intercommunication between heterogeneous clouds, are simple to deploy, and reduce the operation and maintenance difficulty.
In order to solve the technical problems, the invention provides the following technical scheme:
a heterogeneous cloud network interworking system, comprising:
at least two cloud platforms belonging to different manufacturers, wherein each cloud platform is provided with a centralized gateway for each user, each virtual machine of each user on each cloud platform is provided with an agent module, the agent modules of a user's virtual machines form a cross-cloud overlay network corresponding to that user, and the centralized gateway is used for forwarding the Layer 2 and Layer 3 traffic of that user's cross-cloud overlay network;
the agent module comprises a first virtual network card, a first overlay network tunnel end point (TEP), a distributed virtual switching (DVS) unit, a second virtual network card and a distributed virtual firewall (DFW) unit connected to the DVS unit, wherein the first virtual network card is connected to the user program module, the second virtual network card is connected to a virtual switch in the virtual machine management layer (hypervisor) of the cloud platform on which it is located, the first virtual network card uses an IP address segment consistent with the cross-cloud overlay network of the corresponding user, the second virtual network card uses an IP address allocated by the cloud platform on which it is located, and the first TEP communicates with a second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel.
In an embodiment of the invention, the first TEP is configured to:
when a first data packet sent by the first virtual network card is received, add the header of the overlay network tunnel to the first data packet;
encapsulate the first data packet;
and forward the encapsulated first data packet through the second virtual network card.
In an embodiment of the present invention, the first TEP is further configured to:
when a second data packet sent by the second virtual network card is received, decapsulate the second data packet;
remove the header of the overlay network tunnel from the second data packet;
and send the payload of the second data packet to the user program module through the first virtual network card.
In an embodiment of the present invention, the centralized gateway is configured to:
when a third data packet initiated from the Internet and addressed to a first virtual machine of the cloud platform on which the centralized gateway is located is received, convert the destination IP address in the third data packet into the IP address of the first virtual network card of the first virtual machine;
and add the header of the overlay network tunnel to the third data packet and send the third data packet to the first virtual machine through a virtual switch of the cloud platform on which the centralized gateway is located.
In an embodiment of the present invention, the centralized gateway is further configured to:
when a fourth data packet sent by a second virtual machine of the cloud platform on which the centralized gateway is located to an external network is received, remove the header of the overlay network tunnel from the fourth data packet;
and convert the source IP address in the fourth data packet into the centralized gateway's own public network IP address, modify the source port number, and pass the packet to the Internet through the virtual switch and virtual router of the cloud platform on which the centralized gateway is located.
In an embodiment of the present invention, the centralized gateway is configured to:
when a fifth data packet initiated by a virtual machine of a first cloud platform and addressed to a third virtual machine of the second cloud platform on which the centralized gateway is located is received, strip the VPN tunnel header from the fifth data packet to obtain the message encapsulated by the cross-cloud overlay network;
send the message encapsulated by the cross-cloud overlay network to the agent module of the third virtual machine, which decapsulates it and passes the original message to the user program module of the third virtual machine;
where the fifth data packet is a data packet that was encapsulated by the cross-cloud overlay network at the first cloud platform and then had the VPN tunnel header added.
In an embodiment of the present invention, the centralized gateway is further configured to:
when a sixth data packet initiated by a fourth virtual machine of the second cloud platform on which the centralized gateway is located and addressed to a fifth virtual machine of the first cloud platform is received, and it is determined that the sixth data packet must be sent to the first cloud platform through a VPN tunnel, add a VPN tunnel header to the sixth data packet;
and send it to the first cloud platform through the virtual switch and virtual router of the second cloud platform;
where the sixth data packet is a data packet that has been encapsulated by the cross-cloud overlay network by the agent module of the fourth virtual machine.
In a specific embodiment of the present invention, the agent module is the micro-segmentation enforcement point of the cross-cloud overlay network.
A heterogeneous cloud network intercommunication method, applied to a centralized gateway deployed on a second cloud platform, where at least two cloud platforms belonging to different manufacturers, the second cloud platform among them, are deployed; each cloud platform is provided with a centralized gateway for each user, an agent module is deployed in each virtual machine of each user on each cloud platform, the agent modules of a user's virtual machines form a cross-cloud overlay network corresponding to that user, and the centralized gateway is used for forwarding the Layer 2 and Layer 3 traffic of that user's cross-cloud overlay network; the agent module comprises a first virtual network card, a first overlay network tunnel end point (TEP), a distributed virtual switching (DVS) unit, a second virtual network card and a distributed virtual firewall (DFW) unit connected to the DVS unit, wherein the first virtual network card is connected to a user program module, the second virtual network card is connected to a virtual switch in the virtual machine management layer of the cloud platform on which it is located, the first virtual network card uses an IP address segment consistent with the cross-cloud overlay network of the corresponding user, the second virtual network card uses an IP address allocated by the cloud platform on which it is located, and the first TEP communicates with a second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel; the method comprises the following steps:
when a fifth data packet initiated by a virtual machine of a first cloud platform and addressed to a third virtual machine of the second cloud platform on which the centralized gateway is located is received, stripping the VPN tunnel header from the fifth data packet to obtain the message encapsulated by the cross-cloud overlay network;
sending the message encapsulated by the cross-cloud overlay network to the agent module of the third virtual machine, which decapsulates it and passes the original message to the user program module of the third virtual machine;
where the fifth data packet is a data packet that was encapsulated by the cross-cloud overlay network at the first cloud platform and then had the VPN tunnel header added.
In one embodiment of the present invention, the method further comprises:
when a sixth data packet initiated by a fourth virtual machine of the second cloud platform on which the centralized gateway is located and addressed to a fifth virtual machine of the first cloud platform is received, and it is determined that the sixth data packet must be sent to the first cloud platform through a VPN tunnel, adding a VPN tunnel header to the sixth data packet;
sending it to the first cloud platform through the virtual switch and virtual router of the second cloud platform;
where the sixth data packet is a data packet that has been encapsulated by the cross-cloud overlay network by the agent module of the fourth virtual machine.
By applying the technical scheme provided by the embodiments of the invention, each cloud platform is provided with a centralized gateway for each user, each virtual machine of each user on each cloud platform is provided with an agent module, the agent modules of a user's virtual machines form a cross-cloud overlay network corresponding to that user, and the centralized gateway forwards the Layer 2 and Layer 3 traffic of that user's cross-cloud overlay network. The agent module comprises a first virtual network card, a first overlay network tunnel end point (TEP), a distributed virtual switching (DVS) unit and a second virtual network card, connected in sequence, and a distributed virtual firewall (DFW) unit connected to the DVS unit; the first virtual network card is connected to a user program module, the second virtual network card is connected to a virtual switch in the virtual machine management layer of the cloud platform on which it is located, the first virtual network card uses an IP address segment consistent with the cross-cloud overlay network of the corresponding user, the second virtual network card uses an IP address allocated by the cloud platform on which it is located, and the first TEP communicates with a second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel. Through the agent module and the centralized gateway, the network layers of the heterogeneous clouds have the same architecture, real network intercommunication is achieved, deployment is simple, and the operation and maintenance difficulty is reduced.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a heterogeneous cloud network interworking system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the internal structure of an agent module according to an embodiment of the present invention;
Fig. 3 is a functional structure diagram of a centralized gateway in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the flow direction of VPN tunnels between different cloud platforms according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the Layer 2 switching / Layer 3 routing process within the same subnet of the cross-cloud overlay network in an embodiment of the present invention;
Fig. 6 is a flowchart of an implementation of a heterogeneous cloud network interworking method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The core of the invention is a heterogeneous cloud network intercommunication system comprising at least two cloud platforms belonging to different manufacturers. Each cloud platform is provided with a Centralized Gateway (CGW) for each user, each virtual machine of each user on each cloud platform is provided with an agent module (agent), the agent modules of a user's virtual machines form a cross-cloud overlay network corresponding to that user, and the centralized gateway forwards the Layer 2 and Layer 3 traffic of that user's cross-cloud overlay network. The agent module comprises a first virtual network card, a first overlay network tunnel end point (TEP), a distributed virtual switching (DVS) unit, a second virtual network card and a distributed virtual firewall (DFW) unit connected to the DVS unit. The first virtual network card is connected to the user program, the second virtual network card is connected to a virtual switch in the virtual machine management layer of the cloud platform on which it is located, the first virtual network card uses an IP address segment consistent with the cross-cloud overlay network of the corresponding user, the second virtual network card uses an IP address allocated by the cloud platform on which it is located, and the first TEP communicates with a second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel.
As shown in Fig. 1, the heterogeneous cloud network interworking system provided in an embodiment of the present invention includes a cloud platform 100 (cloud platform 1) and a cloud platform 200 (cloud platform 2), which can exchange traffic through the Internet. Cloud platform 200 is deployed with a centralized gateway 210, a virtual machine 220 (VM3), a virtual machine 230 (VM4), a VPN module 240, a virtual router 250 and a virtual switch 260, and each virtual machine is deployed with an agent module. Cloud platform 100 is deployed with a virtual machine 110 (VM2), a virtual machine 120 (VM1), a cloud management platform (CMP) 130, a centralized gateway 140, a virtual switch 150, a virtual router 160 and a VPN module 170; the cloud management platform 130 may run in a virtual machine, and each virtual machine is deployed with an agent module.
The virtual machines and the centralized gateway may run in the virtual machine layer of the cloud platform, while the virtual switch, the virtual router and the VPN module may run in the virtual machine management (hypervisor) layer of the cloud platform. The hypervisor is the core of all virtualization; its basic function is to support the migration of multiple workloads without interruption. When the server starts and executes the hypervisor, it allocates the appropriate amount of memory, CPU, network and disk to each virtual machine and loads the guest operating systems of all virtual machines.
In any cloud platform, the VPN module is configured to establish a layer two (L2) VPN tunnel or a layer three (L3) VPN tunnel with a VPN module of another cloud platform or a VPN unit of the centralized gateway, so as to carry communication traffic between different cloud platforms. The VPN tunnel may be carried over the Internet, an MPLS (Multiprotocol Label Switching) network, or a private line.
The virtual switch performs Layer 2 switching and is configured with an access control list to realize micro-segmentation; it also has a TEP (Tunnel End Point, overlay network tunnel terminal) function.
The virtual router performs Layer 3 routing and gateway services, namely policy routing, Network Address Translation (NAT) and similar functions, and realizes the mapping and reverse mapping between intranet IP addresses and extranet IP addresses.
The cloud management platform provides a User Interface (UI) for the user and calls the API (Application Programming Interface) provided by the lightweight controller of the centralized gateway to manage the hybrid cloud network. The user interface comprises an Access Control List (ACL) configuration interface for micro-segmentation, a visual interface for traffic and access relationships, a Layer 2 and Layer 3 network configuration interface, other network service configuration interfaces, and so on. In the embodiment of the present invention, the cloud management platform may be a third-party management platform; such a platform uses the network capability and the micro-segmentation API provided by the centralized gateway and may have a corresponding UI in which the client configures and displays traffic and access relationships.
The virtual machine downloads and installs the agent by interacting with the centralized gateway, which configures the agent module in the virtual machine. The agent module of each virtual machine implements the functions related to the corresponding cross-cloud overlay network tunnel, namely establishing, tearing down and managing the configuration of the cross-cloud overlay network tunnel, and encapsulating and decapsulating overlay network data packets.
As shown in Fig. 2, which illustrates the internal structure of the agent module in the virtual machine, the second virtual network card is the virtual machine's original virtual network card and is connected to the virtual switch on the hypervisor of the cloud platform where it is located. The second virtual network card uses the IP address allocated by that cloud platform, the first virtual network card uses the IP address segment consistent with the cross-cloud overlay network of the corresponding user, and the user program module interacts only with the first virtual network card. The first TEP communicates with the second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel.
The DVS (distributed virtual switch) unit performs Layer 2 forwarding for all subnets, including MAC learning and forwarding, multicast and broadcast, and, in combination with the lightweight controller of the centralized gateway, can implement ARP suppression or ARP proxy replies to avoid a large number of ARP request messages in a large-scale network. All overlay network traffic of the virtual machine is forwarded through this unit.
The DFW (distributed firewall) unit is a key component of micro-segmentation in a multi-cloud environment and is responsible for configuring and enforcing ACL policy using the iptables mechanism of Linux or the WFP (Windows Filtering Platform) / firewall of Windows. It also records the hit rate of each ACL policy and the traffic that the policy allows or rejects, and transmits this information back to the lightweight controller of the centralized gateway and on to the cloud management platform, which realizes the visualization of micro-segmented traffic and access relationships in the user interface. In the cloud management platform, an ACL may be specified by VM tag, security domain tag, quintuple, etc. The cloud management platform may convert the ACL into the corresponding quintuples (or leave this conversion to the centralized gateway) and issue them to the corresponding centralized gateway; the centralized gateway converts the quintuples into a form the agent module recognizes, and the DFW of the agent module converts this configuration information into iptables or WFP instructions and configures the DFW unit of the virtual machine.
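As an added illustration (not code from the patent or from Sangfor), the following Python sketches the configuration path just described: tag-based ACL rules are expanded into quintuples, rendered as iptables commands for the Linux DFW, and evaluated against constructed flows to produce the hit and traffic counters the DFW reports back. The inventory, the chain name DFW-IN and the rule layout are assumptions, and nothing here executes iptables.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed inventory: VM tags -> first-vNIC (overlay) addresses of one
# user's virtual machines, as the cloud management platform would hold them.
INVENTORY: Dict[str, List[str]] = {
    "tag:web": ["10.10.1.11", "10.10.1.12"],
    "tag:db": ["10.10.1.21"],
}

@dataclass(frozen=True)
class AclRule:
    src_sel: str            # VM or security-domain tag ("tag:web"), or a CIDR
    dst_sel: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None = any destination port
    action: str             # "ACCEPT" or "DROP"

@dataclass(frozen=True)
class FiveTuple:
    src: str                # CIDR
    dst: str                # CIDR
    proto: str
    sport: Optional[int]    # None = any
    dport: Optional[int]

@dataclass(frozen=True)
class Flow:
    src: str                # single IP as seen by the DFW on the VM
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int

def resolve(selector: str) -> List[str]:
    """A tag resolves to /32 prefixes from the inventory; a CIDR to itself."""
    if selector.startswith("tag:"):
        return [f"{ip}/32" for ip in INVENTORY.get(selector, [])]
    return [str(ip_network(selector, strict=False))]

def compile_rules(rules: List[AclRule]) -> List[Tuple[FiveTuple, str]]:
    """Expand tag-based ACL rules into an ordered list of (quintuple, action)."""
    return [(FiveTuple(s, d, r.proto, None, r.dport), r.action)
            for r in rules for s in resolve(r.src_sel) for d in resolve(r.dst_sel)]

def render_iptables(compiled, chain: str = "DFW-IN") -> List[str]:
    """Render quintuples as iptables commands for the Linux DFW path. The chain
    name and layout are assumptions; this only builds the command strings."""
    lines = [f"iptables -N {chain}", f"iptables -F {chain}"]
    for t, action in compiled:
        cmd = f"iptables -A {chain} -s {t.src} -d {t.dst}"
        if t.proto != "any":
            cmd += f" -p {t.proto}"
            if t.sport is not None:
                cmd += f" --sport {t.sport}"
            if t.dport is not None:
                cmd += f" --dport {t.dport}"
        lines.append(f"{cmd} -j {action}")
    # Micro-segmentation is default deny: traffic no rule allows is dropped.
    lines.append(f"iptables -A {chain} -j DROP")
    return lines

def matches(t: FiveTuple, f: Flow) -> bool:
    return (ip_address(f.src) in ip_network(t.src)
            and ip_address(f.dst) in ip_network(t.dst)
            and t.proto in ("any", f.proto)
            and (t.sport is None or t.sport == f.sport)
            and (t.dport is None or t.dport == f.dport))

def evaluate(compiled, f: Flow) -> Tuple[str, int]:
    """First-match evaluation; index -1 means the default-deny rule fired."""
    for i, (t, action) in enumerate(compiled):
        if matches(t, f):
            return action, i
    return "DROP", -1

def hit_report(compiled, flows: List[Flow]) -> Dict[str, object]:
    """Per-rule hit counts and allowed/rejected byte totals: the data the DFW
    reports back through the lightweight controller for visualization."""
    hits = [0] * len(compiled)
    report = {"default_deny_hits": 0, "allowed_bytes": 0, "rejected_bytes": 0}
    for f in flows:
        action, idx = evaluate(compiled, f)
        if idx >= 0:
            hits[idx] += 1
        else:
            report["default_deny_hits"] += 1
        report["allowed_bytes" if action == "ACCEPT" else "rejected_bytes"] += f.nbytes
    report["hits"] = hits
    return report
```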
When the first TEP receives a first data packet sent by the first virtual network card, it adds the overlay network tunnel header to the first data packet, encapsulates it, and forwards the encapsulated packet through the second virtual network card. When it receives a second data packet sent by the second virtual network card, it decapsulates the second data packet, removes the overlay network tunnel header, and sends the payload of the second data packet to the user program module through the first virtual network card.
The centralized gateway is a cloud gateway, deployed one per Virtual Private Cloud (VPC) in the form of a virtual machine (VM), and implements micro-segmentation, Layer 2 and Layer 3 traffic forwarding and related functions. The centralized gateway communicates with the cloud management platform on the management plane, sends configuration information received from the cloud management platform to the corresponding agent modules, and synchronizes information with the lightweight controllers of the other centralized gateways.
Fig. 3 is a schematic functional structure diagram of a centralized gateway, which includes a lightweight controller, a second TEP, a virtual routing unit, a NAT unit, a DHCP unit and a VPN unit.
The lightweight controller communicates with the lightweight controllers of the centralized gateways of other cloud platforms and with the cloud management platform, modifies the configuration of the other functional units on the centralized gateway, and sends the network topology and security information of the VPC area for which the centralized gateway is responsible to the cloud management platform.
The second TEP communicates with the first TEP in the agent module of the virtual machine to establish, tear down and manage the overlay network tunnel. The overlay network tunnel may be GRE, VXLAN, STT, NVGRE, Geneve, etc.
The virtual routing unit is a centralized virtual router: cross-subnet traffic on the cross-cloud overlay network, communication traffic between cloud platforms and traffic to the external network are all processed by the virtual routing unit, which works together with the DHCP, NAT, VPN and other units. The DHCP unit is responsible for allocating the IP address of the first virtual network card of each virtual machine; the DHCP unit and the cloud management platform together allocate the IP addresses of the hybrid cloud, and the DHCP service information of the different cloud platforms and of the centralized gateways is synchronized through the lightweight controllers of the centralized gateways so that no IP address is allocated twice.
If the user has no public network IP, or has not configured a public network IP for the centralized gateway, the centralized gateway has no public network IP and the functions of the corresponding VPN unit and NAT unit cannot be enabled. If the centralized gateway is configured with a public network IP, the VPN unit and NAT unit in the centralized gateway are enabled, and the VPC where the centralized gateway is located then uses them in place of the VPN and NAT services provided by the original cloud platform.
In the embodiment of the invention, a cross-cloud overlay network layer is added on top of the virtual network layers of the different cloud platforms through the centralized gateway and the agent modules in the virtual machines, so that the network layers of the different cloud platforms have the same architecture and form one common Layer 2 network.
An overlay network is a logical network built on top of the underlay network by technologies such as tunnels. The overlay network is transparent to the underlay network, which cannot perceive its presence.
By applying the system provided by the embodiment of the invention, each cloud platform is provided with a centralized gateway for each user, each virtual machine of each user on each cloud platform is provided with an agent module, the agent modules of a user's virtual machines form a cross-cloud overlay network corresponding to that user, and the centralized gateway forwards the Layer 2 and Layer 3 traffic of that user's cross-cloud overlay network. The agent module comprises a first virtual network card, a first overlay network tunnel end point (TEP), a distributed virtual switching (DVS) unit and a second virtual network card, connected in sequence, and a distributed virtual firewall (DFW) unit connected to the DVS unit; the first virtual network card is connected to a user program module, the second virtual network card is connected to a virtual switch in the virtual machine management layer of the cloud platform on which it is located, the first virtual network card uses an IP address segment consistent with the cross-cloud overlay network of the corresponding user, the second virtual network card uses the IP address allocated by the cloud platform on which it is located, and the first TEP communicates with the second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel. Through the agent module and the centralized gateway, the network layers of the heterogeneous clouds have the same architecture, real network intercommunication is achieved, deployment is simple, and the operation and maintenance difficulty is reduced.
In a specific embodiment of the present invention, the centralized gateway is configured to, when receiving a third data packet initiated by the internet and addressed to a first virtual machine of a cloud platform where the centralized gateway is located, convert a destination IP address in the third data packet into an IP address of a first virtual network card of the first virtual machine, add a header of an overlay network tunnel to the third data packet, and send the third data packet to the first virtual machine through a virtual switch of the cloud platform where the centralized gateway is located; when a fourth data packet of the second virtual machine of the cloud platform where the fourth data packet is received to the external network is received, the head of the coverage network tunnel of the fourth data packet is removed, the source IP address in the fourth data packet is converted into the public network IP address of the fourth data packet, the source port number is modified, and the fourth data packet enters the internet through the virtual switch and the virtual router of the cloud platform where the fourth data packet is located.
In practice, the Internet may initiate access traffic, or return response traffic, to the first virtual machine of any cloud platform as a third data packet. For any cloud platform, on receiving the third packet the centralized gateway of that platform may use its NAT function to convert the destination IP address into the IP address of the first virtual NIC of the first virtual machine, add the overlay network tunnel header through the second TEP, and send the packet to the first virtual machine through the virtual switch of the cloud platform.
A virtual machine of any cloud platform may initiate access or response traffic to the external network as a fourth data packet. For any cloud platform, after receiving the fourth packet the centralized gateway removes the overlay network tunnel header through the second TEP, converts the source IP address into the gateway's public IP address, rewrites the source port number (source NAT), and sends the modified packet to the virtual switch of the cloud platform, from which it enters the Internet through the cloud platform's virtual router. The gateway has to keep the mapping between the rewritten public port and the originating VM's first virtual NIC address and port, because that mapping is what lets the response arriving from the Internet be translated back and tunnelled to the right VM.
In an embodiment of the present invention, the centralized gateway is configured to:
when a fifth data packet, initiated by a virtual machine of a first cloud platform and addressed to a third virtual machine of the second cloud platform on which the gateway is located, is received, strip the VPN tunnel header from the fifth packet to obtain the message encapsulated by the cross-cloud overlay network, and send that message to the agent module of the third virtual machine, which decapsulates it and delivers the original message to the user program module of the third virtual machine; the fifth data packet is a packet that was encapsulated by the cross-cloud overlay network on the first cloud platform and then had the VPN tunnel header added.
In this embodiment, the VPN unit of the centralized gateway can establish an L3 VPN tunnel or an L2 VPN tunnel with the VPN units of the centralized gateways of other cloud platforms using their public IP addresses, so that traffic between virtual machines of different cloud platforms is carried inside the VPN tunnel. The VPN tunnel may be carried over the Internet, a private line or an MPLS network. The VPN tunnel is therefore the layer at which cross-cloud traffic is authenticated and encrypted when the carrier is the Internet; the overlay tunnel header inside it serves addressing and per-user isolation.
A virtual machine of any cloud platform, for example the first cloud platform, may initiate access or response traffic as a fifth data packet to a third virtual machine of another cloud platform, for example the second cloud platform. The fifth packet is a packet that was encapsulated by the cross-cloud overlay network on the first cloud platform and then had the header of the pre-established VPN tunnel added. When the centralized gateway of the second cloud platform receives the fifth packet, its VPN unit strips the VPN tunnel header, its second TEP sends the message, still encapsulated by the cross-cloud overlay network, to the agent module of the third virtual machine, and the agent module decapsulates it to obtain the original message and delivers that to the user program module of the third virtual machine.
In an embodiment of the present invention, the centralized gateway is further configured to:
when a sixth data packet, initiated by a fourth virtual machine of the second cloud platform on which the gateway is located and addressed to a fifth virtual machine of the first cloud platform, is received, and it is determined that the sixth packet needs to be sent to the first cloud platform through the VPN tunnel, add the VPN tunnel header to the sixth packet;
send it to the first cloud platform through the virtual switch and virtual router of the second cloud platform;
the sixth data packet is a packet that has been encapsulated by the cross-cloud overlay network by the agent module of the fourth virtual machine.
A virtual machine of the cloud platform on which the centralized gateway is located can also initiate packets to virtual machines of other cloud platforms. When a fourth virtual machine of the second cloud platform initiates access or response traffic to a virtual machine of the first cloud platform, the packet is encapsulated by the cross-cloud overlay network in the agent module of the fourth virtual machine, producing the sixth data packet. When the centralized gateway of the second cloud platform receives this sixth packet, addressed to a fifth virtual machine of the first cloud platform, and determines that it must be sent to the first cloud platform through the VPN tunnel, it adds the VPN tunnel header and sends the packet to the first cloud platform through the virtual switch and virtual router of the second cloud platform; the first cloud platform then processes it as described above and finally delivers it to the fifth virtual machine.
Specifically, VPN tunnel traffic between different cloud platforms follows the path drawn as a thick solid line in fig. 4. Access or response traffic initiated by VM2 of cloud platform 1 and addressed to VM4 of cloud platform 2 is first encapsulated with the cross-cloud overlay network tunnel header by the agent module of VM2 and sent to the centralized gateway of cloud platform 1. The virtual switching unit and/or virtual routing unit of that gateway determines that the packet must be sent to cloud platform 2 through the VPN tunnel and hands the message to the VPN unit, which adds the VPN tunnel header; the message then leaves through the virtual switch and virtual router of the cloud platform 1 hypervisor and crosses the Internet to the virtual router of cloud platform 2. The virtual router of cloud platform 2 receives the message and, by a predefined routing policy, forwards it to the centralized gateway of cloud platform 2, whose VPN unit strips the VPN tunnel header and whose second TEP forwards the packet, still carrying the cross-cloud overlay tunnel encapsulation, to the agent module of VM4. The agent module of VM4 decapsulates it and delivers the original packet to the user program module through the first virtual NIC. Access or response traffic initiated by a virtual machine of cloud platform 2 toward a virtual machine of cloud platform 1 follows the same process in reverse and is not described again.
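The north-south NAT path (third and fourth packets) and the east-west VPN path (fifth and sixth packets) described above, modelled end to end as an added Python example; this is illustrative code written for this page, not the patent's or Sangfor's implementation. The overlay and VPN headers are represented as tuples rather than wire formats; the per-user overlay identifier field `vni`, the SNAT port allocation starting at 40000, the re-addressing of the outer overlay header at the gateway, and the peer and tenant checks the receiving gateway performs on VPN ingress are all assumptions added here, and the addresses come from the RFC 5737 documentation ranges. The ingress checks are the ones a practitioner would want: a packet arriving on the VPN tunnel is only forwarded into the user's overlay when it comes from a configured peer gateway, carries that user's overlay identifier and is addressed to a VM the gateway knows, so one tenant's tunnel cannot inject traffic into another tenant's overlay.

```python
"""Model of the data paths described above: TEP encapsulation (claims 2-3),
north-south NAT (third/fourth packets) and VPN tunnelling between clouds
(fifth/sixth packets). Added example, not the patent's code; header layouts,
the VNI field, port allocation and the gateway's peer/tenant checks are assumed."""
from collections import namedtuple
import ipaddress

Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port payload")  # original message
Overlay = namedtuple("Overlay", "vni outer_src outer_dst inner")  # overlay header (VNI = per-user ID, assumed) + inner
Vpn = namedtuple("Vpn", "peer_src peer_dst inner")  # VPN tunnel header between gateway public IPs + overlay packet


class AgentTEP:
    """First TEP inside a VM: vnic1 on the user's overlay subnet, vnic2 on the platform subnet."""

    def __init__(self, vni, vnic1_ip, vnic2_ip, gateway_tep):
        self.vni, self.vnic1_ip, self.vnic2_ip = vni, vnic1_ip, vnic2_ip
        self.gateway_tep = gateway_tep

    def encap(self, pkt):  # claim 2: add the overlay header, forward through vnic2
        return Overlay(self.vni, self.vnic2_ip, self.gateway_tep, pkt)

    def decap(self, ovl):  # claim 3: strip the overlay header, deliver through vnic1
        if ovl.vni != self.vni or ovl.inner.dst_ip != self.vnic1_ip:
            raise ValueError("overlay packet is not for this user/VM")
        return ovl.inner


class Gateway:
    """Centralized gateway of one user on one cloud: second TEP, NAT and VPN unit."""

    def __init__(self, vni, public_ip, tep_ip, local_subnet, agents, vpn_routes):
        self.vni, self.public_ip, self.tep_ip = vni, public_ip, tep_ip
        self.local_subnet = ipaddress.ip_network(local_subnet)
        self.agents = agents  # overlay IP of a local VM -> its vnic2 (platform) IP
        self.vpn_routes = {ipaddress.ip_network(n): p for n, p in vpn_routes.items()}
        self.peers = set(vpn_routes.values())  # public IPs of the other clouds' gateways
        self.nat = {}  # public source port -> (overlay IP, port) of the local VM
        self.next_port = 40000  # assumed SNAT port pool start

    def from_agent(self, ovl):  # overlay traffic arriving from a local VM's agent
        if ovl.vni != self.vni:
            raise ValueError("overlay packet belongs to another user")
        dst = ipaddress.ip_address(ovl.inner.dst_ip)
        for net, peer in self.vpn_routes.items():
            if dst in net:  # sixth packet: add the VPN tunnel header
                return Vpn(self.public_ip, peer, ovl)
        if dst in self.local_subnet:  # east-west inside this cloud: re-address the outer header
            return Overlay(self.vni, self.tep_ip, self.agents[ovl.inner.dst_ip], ovl.inner) if ovl.inner.dst_ip in self.agents else None
        return self.to_internet(ovl)

    def to_internet(self, ovl):  # fourth packet: strip overlay header, SNAT source IP and port
        pkt = ovl.inner
        port, self.next_port = self.next_port, self.next_port + 1
        self.nat[port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pkt.dst_ip, port, pkt.dst_port, pkt.payload)

    def from_internet(self, pkt):  # third packet: DNAT to the VM's vnic1 IP, then encapsulate
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.nat:
            return None  # no mapping: unsolicited inbound is dropped
        vm_ip, vm_port = self.nat[pkt.dst_port]
        inner = Packet(pkt.src_ip, vm_ip, pkt.src_port, vm_port, pkt.payload)
        return Overlay(self.vni, self.tep_ip, self.agents[vm_ip], inner)

    def from_vpn(self, vpn):  # fifth packet: strip VPN header, forward to the target VM's agent
        if vpn.peer_src not in self.peers or vpn.peer_dst != self.public_ip:
            raise ValueError("VPN packet from an unknown peer")
        ovl = vpn.inner
        if ovl.vni != self.vni or ovl.inner.dst_ip not in self.agents:
            raise ValueError("inner packet is not for this user's VMs on this cloud")
        return Overlay(self.vni, self.tep_ip, self.agents[ovl.inner.dst_ip], ovl.inner)


def demo():
    """VM2 on cloud platform 1 reaches VM4 on cloud platform 2 (fig. 4 path) and the Internet."""
    gw1 = Gateway(100, "203.0.113.1", "192.168.1.10", "10.0.1.0/24",
                  {"10.0.1.2": "192.168.1.2"}, {"10.0.2.0/24": "198.51.100.1"})
    gw2 = Gateway(100, "198.51.100.1", "172.16.1.10", "10.0.2.0/24",
                  {"10.0.2.4": "172.16.1.4"}, {"10.0.1.0/24": "203.0.113.1"})
    vm2 = AgentTEP(100, "10.0.1.2", "192.168.1.2", gw1.tep_ip)
    vm4 = AgentTEP(100, "10.0.2.4", "172.16.1.4", gw2.tep_ip)
    # east-west: overlay encap in VM2 -> VPN encap at gw1 -> VPN decap at gw2 -> overlay decap in VM4
    req = Packet("10.0.1.2", "10.0.2.4", 5555, 80, b"GET /")
    delivered = vm4.decap(gw2.from_vpn(gw1.from_agent(vm2.encap(req))))
    # north-south: SNAT on the way out, DNAT plus overlay encap on the reply (192.0.2.50 is TEST-NET-1)
    out = gw1.from_agent(vm2.encap(Packet("10.0.1.2", "192.0.2.50", 6000, 443, b"hello")))
    reply = gw1.from_internet(Packet("192.0.2.50", out.src_ip, 443, out.src_port, b"world"))
    return delivered, out, vm2.decap(reply)
```

Calling `demo()` returns the packet as delivered to VM4, the SNAT-translated packet as seen on the Internet, and the response as delivered back to VM2. Inbound traffic for which the gateway holds no NAT mapping is dropped (`from_internet` returns `None`); a service published to the Internet would need a static entry in the same table.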
In this embodiment, the agent module is the micro-segmentation interception point of the cross-cloud overlay network, i.e. the point at which per-VM policy is enforced on overlay traffic. Fig. 5 shows Layer 2 switching within the same subnet and Layer 3 routing in the cross-cloud overlay network; in fig. 5 the agent module in the virtual machine is the micro-segmentation interception point, the thick solid line represents Layer 2 switched traffic of the cross-cloud overlay network, and the thick dotted line represents Layer 3 routed traffic of the cross-cloud overlay network.
Corresponding to the system embodiment above, an embodiment of the invention further provides a heterogeneous cloud network interworking method, applied to a centralized gateway deployed on a second cloud platform, where the cloud platforms comprise at least two platforms belonging to different manufacturers, a centralized gateway is deployed for each user on each cloud platform, an agent module is deployed in each virtual machine of each user on each cloud platform, the agent modules of a user's virtual machines form the cross-cloud overlay network of that user, and the centralized gateway forwards the Layer 2 and Layer 3 traffic of that overlay network. The agent module comprises a first virtual NIC, a first overlay network tunnel endpoint (TEP), a distributed virtual switching (DVS) unit, a second virtual NIC and a distributed virtual firewall (DFW) unit connected to the DVS unit; the first virtual NIC is connected to the user program module, the second virtual NIC is connected to the virtual switch in the hypervisor layer of the cloud platform on which it is located, the first virtual NIC uses an IP address segment consistent with the user's cross-cloud overlay network, the second virtual NIC uses an IP address allocated by the cloud platform on which it is located, and the first TEP communicates with the second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel. The method described below and the system described above correspond to each other and may be read together.
Referring to fig. 6, the method comprises the steps of:
S610: when a fifth data packet, initiated by a virtual machine of a first cloud platform and addressed to a third virtual machine of the second cloud platform, is received, strip the VPN tunnel header from the fifth packet to obtain the message encapsulated by the cross-cloud overlay network;
S620: send the message encapsulated by the cross-cloud overlay network to the agent module of the third virtual machine, which decapsulates it and delivers the original message to the user program module of the third virtual machine;
the fifth data packet is a packet that was encapsulated by the cross-cloud overlay network on the first cloud platform and then had the VPN tunnel header added.
By applying the method provided by this embodiment of the invention, the deployment is the same as for the system above: a centralized gateway per user on each cloud platform, an agent module in each virtual machine of each user, a cross-cloud overlay network per user formed by that user's agent modules, the centralized gateway forwarding the Layer 2 and Layer 3 traffic of that overlay network, the agent module built from the first virtual NIC, first TEP, DVS unit, second virtual NIC and DFW unit with the address assignments described above, and the first TEP communicating with the second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel.
For the centralized gateway of any cloud platform, when it receives a packet initiated by a virtual machine of another cloud platform and addressed to a virtual machine of its own cloud platform, it strips the VPN tunnel header, sends the resulting message, still encapsulated by the cross-cloud overlay network, to the agent module of the target virtual machine, and the agent module decapsulates it and delivers the original message to the user program module of that virtual machine. Through the agent module and the centralized gateway, the heterogeneous clouds share one network-layer architecture, genuine network interworking is achieved, deployment is simple and the operation and maintenance burden is reduced.
In one embodiment of the present invention, the method may further comprise the steps of:
when a sixth data packet, initiated by a fourth virtual machine of the second cloud platform on which the gateway is located and addressed to a fifth virtual machine of the first cloud platform, is received, and it is determined that the sixth packet needs to be sent to the first cloud platform through the VPN tunnel, add the VPN tunnel header to the sixth packet;
send it to the first cloud platform through the virtual switch and virtual router of the second cloud platform;
the sixth data packet is a packet that has been encapsulated by the cross-cloud overlay network by the agent module of the fourth virtual machine.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The principle and the implementation of the present invention are explained in the present application by using specific examples, and the above description of the embodiments is only used to help understanding the technical solution and the core idea of the present invention. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (10)

1. A heterogeneous cloud network interworking system, comprising:
at least two cloud platforms belonging to different manufacturers, wherein on each cloud platform a centralized gateway is deployed for each user, an agent module is deployed in each virtual machine of each user on each cloud platform, the agent modules of the virtual machines of a user form a cross-cloud overlay network corresponding to that user, and the centralized gateway is used to forward Layer 2 and Layer 3 traffic of the cross-cloud overlay network corresponding to that user;
the agent module comprises a first virtual network card, a first overlay network tunnel endpoint (TEP), a distributed virtual switching (DVS) unit, a second virtual network card, and a distributed virtual firewall (DFW) unit connected to the DVS unit, wherein the first virtual network card is connected to the user program module, the second virtual network card is connected to a virtual switch in the virtual machine management layer of the cloud platform on which it is located, the first virtual network card uses an IP address segment consistent with the cross-cloud overlay network corresponding to the user, the second virtual network card uses an IP address allocated by the cloud platform on which it is located, and the first TEP communicates with a second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel.
2. The heterogeneous cloud network interworking system of claim 1, wherein the first TEP is configured to:
when a first data packet sent by the first virtual network card is received, adding the header of the overlay network tunnel to the first data packet;
encapsulating the first data packet;
and forwarding the encapsulated first data packet through the second virtual network card.
3. The heterogeneous cloud network interworking system of claim 2, wherein the first TEP is further configured to:
when a second data packet sent by the second virtual network card is received, decapsulating the second data packet;
removing the header of the overlay network tunnel from the second data packet;
and sending the payload of the second data packet to the user program module through the first virtual network card.
4. The heterogeneous cloud network interworking system of claim 1, wherein the centralized gateway is configured to:
when a third data packet, initiated from the Internet and addressed to a first virtual machine of the cloud platform on which the centralized gateway is located, is received, converting the destination IP address of the third data packet into the IP address of the first virtual network card of the first virtual machine;
and adding the header of the overlay network tunnel to the third data packet, and sending the third data packet to the first virtual machine through a virtual switch of the cloud platform on which the centralized gateway is located.
5. The heterogeneous cloud network interworking system of claim 4, wherein the centralized gateway is further configured to:
when a fourth data packet sent by a second virtual machine of the cloud platform on which the centralized gateway is located to an external network is received, removing the header of the overlay network tunnel from the fourth data packet;
and converting the source IP address of the fourth data packet into the centralized gateway's own public IP address, rewriting the source port number, and passing the packet to the Internet through a virtual switch and a virtual router of the cloud platform on which the centralized gateway is located.
6. The heterogeneous cloud network interworking system of claim 1, wherein the centralized gateway is configured to:
when a fifth data packet, initiated by a virtual machine of a first cloud platform and addressed to a third virtual machine of a second cloud platform on which the centralized gateway is located, is received, stripping the VPN tunnel header from the fifth data packet to obtain the message encapsulated by the cross-cloud overlay network;
sending the message encapsulated by the cross-cloud overlay network to the agent module of the third virtual machine, and, after decapsulation by the agent module of the third virtual machine, delivering the original message to the user program module of the third virtual machine;
the fifth data packet is a packet that was encapsulated by the cross-cloud overlay network on the first cloud platform and then had the VPN tunnel header added.
7. The heterogeneous cloud network interworking system of claim 6, wherein the centralized gateway is further configured to:
when a sixth data packet, initiated by a fourth virtual machine of the second cloud platform on which the centralized gateway is located and addressed to a fifth virtual machine of the first cloud platform, is received, and it is determined that the sixth data packet is to be sent to the first cloud platform through the VPN tunnel, adding the VPN tunnel header to the sixth data packet;
sending it to the first cloud platform through a virtual switch and a virtual router of the second cloud platform;
the sixth data packet is a packet that has been encapsulated by the cross-cloud overlay network by the agent module of the fourth virtual machine.
8. The heterogeneous cloud network interworking system of any one of claims 1-7, wherein the agent module is the micro-segmentation interception point of the cross-cloud overlay network.
9. A heterogeneous cloud network interworking method, characterized in that the method is applied to a centralized gateway deployed on a second cloud platform, among at least two cloud platforms belonging to different manufacturers, wherein on each cloud platform a centralized gateway is deployed for each user, an agent module is deployed in each virtual machine of each user on each cloud platform, the agent modules of the virtual machines of a user form a cross-cloud overlay network corresponding to that user, and the centralized gateway is used to forward Layer 2 and Layer 3 traffic of the cross-cloud overlay network corresponding to that user; the agent module comprises a first virtual network card, a first overlay network tunnel endpoint (TEP), a distributed virtual switching (DVS) unit, a second virtual network card, and a distributed virtual firewall (DFW) unit connected to the DVS unit, wherein the first virtual network card is connected to a user program module, the second virtual network card is connected to a virtual switch in the virtual machine management layer of the cloud platform on which it is located, the first virtual network card uses an IP address segment consistent with the cross-cloud overlay network corresponding to the user, the second virtual network card uses an IP address allocated by the cloud platform on which it is located, and the first TEP communicates with a second TEP in the centralized gateway to establish, tear down and manage the overlay network tunnel; the method comprises:
when a fifth data packet, initiated by a virtual machine of a first cloud platform and addressed to a third virtual machine of the second cloud platform on which the centralized gateway is located, is received, stripping the VPN tunnel header from the fifth data packet to obtain the message encapsulated by the cross-cloud overlay network;
sending the message encapsulated by the cross-cloud overlay network to the agent module of the third virtual machine, and, after decapsulation by the agent module of the third virtual machine, delivering the original message to the user program module of the third virtual machine;
the fifth data packet is a packet that was encapsulated by the cross-cloud overlay network on the first cloud platform and then had the VPN tunnel header added.
10. The heterogeneous cloud network interworking method of claim 9, further comprising:
when a sixth data packet, initiated by a fourth virtual machine of the second cloud platform on which the centralized gateway is located and addressed to a fifth virtual machine of the first cloud platform, is received, and it is determined that the sixth data packet is to be sent to the first cloud platform through the VPN tunnel, adding the VPN tunnel header to the sixth data packet;
sending it to the first cloud platform through a virtual switch and a virtual router of the second cloud platform;
the sixth data packet is a packet that has been encapsulated by the cross-cloud overlay network by the agent module of the fourth virtual machine.
CN201811296022.1A 2018-11-01 2018-11-01 Heterogeneous cloud network intercommunication system and method Active CN111130973B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811296022.1A CN111130973B (en) 2018-11-01 2018-11-01 Heterogeneous cloud network intercommunication system and method

Publications (2)

Publication Number Publication Date
CN111130973A true CN111130973A (en) 2020-05-08
CN111130973B CN111130973B (en) 2021-09-17

Family

ID=70494849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811296022.1A Active CN111130973B (en) 2018-11-01 2018-11-01 Heterogeneous cloud network intercommunication system and method

Country Status (1)

Country Link
CN (1) CN111130973B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114844744A (en) * 2022-03-04 2022-08-02 阿里巴巴(中国)有限公司 Virtual private cloud network configuration method and device, electronic equipment and computer-readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103369027A (en) * 2012-04-04 2013-10-23 思科技术公司 Location-aware virtual service provisioning in a hybrid cloud environment
US20150295731A1 (en) * 2014-04-15 2015-10-15 Cisco Technology, Inc. Programmable infrastructure gateway for enabling hybrid cloud services in a network environment
CN105391771A (en) * 2015-10-16 2016-03-09 张陵 Multi-tenant-oriented cloud network architecture
US20170060615A1 (en) * 2015-08-28 2017-03-02 Vmware, Inc. Hybrid infrastructure provisioning framework tethering remote datacenters
CN106936680A (en) * 2015-12-29 2017-07-07 中移(苏州)软件技术有限公司 The system and method for intercommunication between cloud computing platform heterogeneous network
CN107896191A (en) * 2017-11-27 2018-04-10 深信服科技股份有限公司 A kind of virtual secure component based on container is across cloud system and method
CN107911463A (en) * 2017-11-27 2018-04-13 深信服科技股份有限公司 A kind of business is across cloud framework and its creation method, management method

Also Published As

Publication number Publication date
CN111130973B (en) 2021-09-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant