CN111147345B - Cloud environment network isolation device and method and cloud system - Google Patents


Info

Publication number: CN111147345B
Authority: CN (China)
Prior art keywords: virtual machine, network, agent module, user, request
Legal status: Active
Application number: CN201911330369.8A
Other languages: Chinese (zh)
Other versions: CN111147345A (en)
Inventors: 赖新明, 邓应强, 王志刚, 孙科武, 林文辉, 舒南飞
Current assignee: Aisino Corp
Original assignee: Aisino Corp

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L 63/0227 Filtering policies
                            • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                        • H04L 63/0281 Proxies
                • H04L 12/00 Data switching networks
                    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
                        • H04L 12/46 Interconnection of networks
                            • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Abstract

The disclosure relates to a cloud environment network isolation device and method and a cloud environment. The cloud environment network isolation device comprises a user partitioning module, which numbers the virtual machines on each physical machine with native VLAN IDs and partitions the virtual machines into user subnets according to user number and VLAN ID. Compared with the existing scheme of network isolation by VLAN technology alone, the scheme provided by the disclosure can divide the cloud environment into more than 4094 subnets for users, so the number of users the cloud environment supports can be expanded.

Description

Cloud environment network isolation device and method and cloud system
Technical Field
The present disclosure relates to the field of cloud environment technologies, and in particular, to a cloud environment network isolation apparatus and method, and a cloud environment.
Background
With the continuing development and maturing of cloud computing technology, and the convenience and easy scalability of cloud resources, more and more enterprises are building private clouds to replace traditional physical clusters as the operating environment for business applications. Whether an enterprise uses the private cloud service of a cloud computing provider or builds a private cloud environment in-house, it usually builds and maintains only one cloud environment (cloud data center) for all of its subsidiaries and departments. It is therefore necessary to isolate the resources used by each user, especially the network, to ensure data security. Since the virtual computing resources (virtual machines) leased by each user are typically scattered over different physical resources (physical machines), physical isolation cannot be used for each user. Currently, virtual local area network (VLAN) technology is commonly used to achieve network isolation between virtual machines. However, the VLAN technical standard reserves only 12 bits for VLAN user division, so at most 4094 subnets can be divided for users in a cloud environment (cloud data processing center) using VLAN technology, which is sufficient for small enterprises but far from sufficient for large enterprises, and especially for cloud computing providers.
Disclosure of Invention
The present disclosure is directed to a cloud environment network isolation apparatus and method, and a cloud environment, in order to solve the above problems.
To that end, the present disclosure provides a cloud environment network isolation apparatus applied to a cloud environment, where the cloud environment includes a plurality of physical machines, a plurality of virtual machines runs on each physical machine, and the cloud environment network isolation apparatus includes a user partitioning module;
the user partitioning module is used for numbering the virtual machines on each physical machine with native VLAN IDs and partitioning the virtual machines into user subnets according to user number and VLAN ID.
Optionally, the cloud environment network isolation apparatus further includes a route discovery registry and a network agent module, where the network agent module runs on each physical machine and on the route discovery registry to monitor the network card information of, and proxy the traffic of, each physical machine and the route discovery registry;
the network agent module running on each physical machine is used for sending the network meta-information of the virtual machines on its physical machine to the route discovery registry and for proxying the requests of those virtual machines, where the network meta-information comprises the IP address of the virtual machine, the gateway routed to the target virtual machine, the MAC address of the virtual machine, the VLAN ID of the virtual machine and the user number of the user to which the virtual machine belongs;
the route discovery registry is used for receiving and storing, through the network agent module running on it, the network meta-information sent by the network agent module of each physical machine, and for responding to the requests of the virtual machines according to that network meta-information.
Optionally, when the request of a virtual machine is an address resolution protocol (ARP) request:
the network agent module of the physical machine where the virtual machine is located is configured to send the ARP request to the network agent module of the route discovery registry, where the ARP request includes the IP address of the target virtual machine;
the route discovery registry is configured to receive the ARP request through the network agent module running on it, determine the MAC address of the target virtual machine of the ARP request according to the network meta-information stored in it, and return that MAC address through the network agent module running on it to the network agent module of the physical machine where the virtual machine is located;
the network agent module of the physical machine where the virtual machine is located is further configured to return the MAC address to the virtual machine.
Optionally, when the request of a virtual machine is a broadcast request:
the network agent module of the physical machine where the virtual machine is located is configured to send the broadcast request to the network agent module of the route discovery registry, where the broadcast request includes the user number of the user to which the virtual machine belongs and the broadcast content;
the route discovery registry is configured to receive the broadcast request through the network agent module running on it, determine a receiving virtual machine according to that user number and all stored network meta-information, and send the broadcast content together with the VLAN ID of the receiving virtual machine, through the network agent module running on it, to the network agent module of the physical machine where the receiving virtual machine is located, where the user number of the user to which the receiving virtual machine belongs is the same as the user number of the user to which the sending virtual machine belongs;
the network agent module of the physical machine where the receiving virtual machine is located is configured to deliver the broadcast content to the receiving virtual machine according to its VLAN ID.
Optionally, the route discovery registry is further configured to build an index table over the stored network meta-information keyed by the IP address of the virtual machine and the user number of the user to which the virtual machine belongs, so that the network meta-information of a virtual machine can be queried by its IP address and the user number of its user.
The present disclosure also provides a cloud environment network isolation method applied to a cloud environment network isolation apparatus that isolates a cloud environment, where the cloud environment includes a plurality of physical machines, a plurality of virtual machines runs on each physical machine, and the cloud environment network isolation apparatus includes a user partitioning module; the method includes:
the user partitioning module numbers the virtual machines on each physical machine with native virtual local area network numbers (VLAN IDs) and partitions the virtual machines into user subnets according to user number and VLAN ID.
Optionally, the cloud environment network isolation apparatus further includes a route discovery registry and a network agent module, where the network agent module runs on each physical machine and on the route discovery registry to monitor the network card information of, and proxy the traffic of, each physical machine and the route discovery registry, and the method further includes:
the network agent module running on each physical machine sends the network meta-information of the virtual machines on its physical machine to the route discovery registry and proxies the requests of those virtual machines, where the network meta-information comprises the IP address of the virtual machine, the gateway routed to the target virtual machine, the MAC address of the virtual machine, the VLAN ID of the virtual machine and the user number of the user to which the virtual machine belongs;
and the route discovery registry receives and stores, through the network agent module running on it, the network meta-information sent by the network agent module of each physical machine, and responds to the requests of the virtual machines according to that network meta-information.
Optionally, when the request of a virtual machine is an address resolution protocol (ARP) request:
the step of proxying the requests of the virtual machines on the physical machine where the network agent module is located comprises: the network agent module of the physical machine where the virtual machine is located sends the ARP request to the network agent module of the route discovery registry, where the ARP request includes the IP address of the target virtual machine;
the step of receiving and storing, through the network agent module running on the route discovery registry, the network meta-information sent by the network agent module of each physical machine, and responding to the requests of the virtual machines according to that network meta-information, comprises: the route discovery registry receives the ARP request through the network agent module running on it, determines the MAC address of the target virtual machine of the ARP request according to the stored network meta-information, and returns that MAC address through the network agent module running on it to the network agent module of the physical machine where the virtual machine is located;
the step of proxying the requests of the virtual machines on the physical machine where the network agent module is located further comprises: the network agent module of the physical machine where the virtual machine is located returns the MAC address to the virtual machine.
Optionally, when the request of a virtual machine is a broadcast request:
the step of proxying the requests of the virtual machines on the physical machine where the network agent module is located comprises: the network agent module of the physical machine where the virtual machine is located sends the broadcast request to the network agent module of the route discovery registry, where the broadcast request includes the user number of the user to which the virtual machine belongs and the broadcast content;
the step of receiving and storing, through the network agent module running on the route discovery registry, the network meta-information sent by the network agent module of each physical machine, and responding to the requests of the virtual machines according to that network meta-information, comprises: the route discovery registry receives the broadcast request through the network agent module running on it, determines a receiving virtual machine according to that user number and all stored network meta-information, and sends the broadcast content together with the VLAN ID of the receiving virtual machine, through the network agent module running on it, to the network agent module of the physical machine where the receiving virtual machine is located, where the user number of the user to which the receiving virtual machine belongs is the same as the user number of the user to which the sending virtual machine belongs;
the step of proxying the requests of the virtual machines on the physical machine where the network agent module is located further comprises: the network agent module of the physical machine where the receiving virtual machine is located delivers the broadcast content to the receiving virtual machine according to its VLAN ID.
The present disclosure also provides a cloud environment, which includes a plurality of physical machines and the cloud environment network isolation apparatus described above, where a plurality of virtual machines runs on each physical machine.
Through this scheme, the virtual machines on each physical machine are still numbered with native VLAN IDs, that is, the virtual machines on each physical machine can use VLAN IDs 1 to 4094. The user subnets are then partitioned according to user number and VLAN ID, so that each virtual machine is identified by both a user number and a VLAN ID. That is, for any two virtual machines on the same physical machine, if their VLAN IDs are the same, they belong to the same user. For any two virtual machines on different physical machines, the same VLAN ID does not imply the same user: they belong to the same user only when their user numbers are the same, and to different users when their user numbers differ. It follows that the number of users (the number of user subnets that can be partitioned) supported by the cloud environment is no longer limited by the maximum number of usable VLAN IDs in VLAN technology, that is, the number of users may exceed 4094. Therefore, compared with the existing scheme of using VLAN technology for network isolation, the scheme provided by the disclosure can divide the cloud environment into more than 4094 subnets for users, and the number of users in the cloud environment can be expanded.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
Fig. 1 is a block diagram of a cloud environment network isolation device according to an embodiment of the present disclosure.
Fig. 2 is a block diagram of another cloud environment network isolation apparatus provided in an embodiment of the present disclosure.
Fig. 3 is a schematic diagram of the route discovery registry and the network agent module of fig. 2 applied to a cloud environment.
Fig. 4 is a flowchart of a cloud environment network isolation method according to an embodiment of the present disclosure.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
As shown in fig. 1, an embodiment of the present disclosure provides a cloud environment network isolation device 10 applied to a cloud environment. The cloud environment includes a plurality of physical machines, each of which runs a plurality of virtual machines. The cloud environment network isolation device 10 includes a user partitioning module 11.
The user partitioning module 11 is configured to number the virtual machines on each physical machine with native VLAN IDs and to partition the virtual machines into user subnets according to user number and VLAN ID.
In the existing VLAN technology, each user subnet corresponds one to one with a VLAN ID. According to the VLAN technical standard, only 12 bits are reserved for VLAN user division, so in the prior art at most 4094 subnets can be partitioned for users in a cloud environment using VLAN technology. That is, in the prior art, a cloud environment based on VLAN technology can only serve 4094 users, which is far from sufficient for an enterprise with a large number of users.
Through this scheme, the virtual machines on each physical machine are still numbered with native VLAN IDs, that is, the virtual machines on each physical machine can use VLAN IDs 1 to 4094. The user subnets are then partitioned according to user number and VLAN ID, so that each virtual machine is identified by both a user number and a VLAN ID. That is, for any two virtual machines on the same physical machine, if their VLAN IDs are the same, they belong to the same user. For any two virtual machines on different physical machines, the same VLAN ID does not imply the same user: they belong to the same user only when their user numbers are the same, and to different users when their user numbers differ. It follows that the number of users (the number of user subnets that can be partitioned) supported by the cloud environment is no longer limited by the maximum number of usable VLAN IDs in VLAN technology, that is, the number of users may exceed 4094. Therefore, compared with the existing scheme of using VLAN technology for network isolation, the scheme provided by the disclosure can divide the cloud environment into more than 4094 subnets for users, and the number of users in the cloud environment can be expanded.
As shown in fig. 2 and fig. 3, optionally, the cloud environment network isolation apparatus 10 further includes a route discovery registry 13 and a network agent module 15. The network agent module 15 runs on each physical machine and on the route discovery registry 13, monitoring the network card information of, and proxying the traffic of, each physical machine and the route discovery registry 13.
The network agent module 15 running on each physical machine is used for sending the network meta-information of the virtual machines on its physical machine to the route discovery registry 13 and for proxying the requests of those virtual machines. The network meta-information comprises the IP address of the virtual machine, the gateway routed to the target virtual machine, the MAC address of the virtual machine, the VLAN ID of the virtual machine and the user number of the user to which the virtual machine belongs.
The route discovery registry 13 is configured to receive and store, through the network agent module 15 running on it, the network meta-information sent by the network agent module 15 of each physical machine, and to respond to the requests of the virtual machines according to that network meta-information.
The network agent module 15 may be based on the Envoy network proxy technology. When the network agent module 15 runs on a physical machine, it monitors the network card information of that physical machine and proxies its traffic. In this embodiment, the network agent module 15 running on each physical machine is configured to send the network meta-information of each virtual machine to the route discovery registry 13 when that virtual machine is created and started locally (on the physical machine where the network agent module 15 runs); in practice, the network meta-information is sent to the network agent module 15 of the route discovery registry 13, which stores it in the route discovery registry 13. Similarly, the network agent module 15 running on each physical machine is further configured to deregister the network meta-information of a virtual machine from the route discovery registry 13 when that virtual machine is destroyed locally (on the physical machine where the virtual machine is located). The network agent module 15 running on each physical machine is further configured to proxy the requests of the virtual machines on its physical machine and to deliver the response of the route discovery registry 13 to the corresponding virtual machine on that physical machine. When the network agent module 15 runs on the route discovery registry 13, it monitors the network card information of the route discovery registry 13 and proxies its traffic.
In this embodiment, the network agent module 15 running on the route discovery registry 13 is configured to receive the network meta-information sent by the network agent module 15 of each physical machine and store it in the route discovery registry 13. It is further configured to forward the virtual machine requests sent by the network agent module 15 of each physical machine to the route discovery registry 13, and to send the response of the route discovery registry 13 back to the network agent module 15 of the corresponding physical machine.
The route discovery registry 13 may be based on database technology, for example a MySQL database, and is configured to store the received network meta-information and to respond to each virtual machine request according to it.
In the prior art, two successor technologies, GRE (Generic Routing Encapsulation) and VXLAN (Virtual eXtensible Local Area Network), are used to overcome the limitation of VLAN technology (only 4094 subnets can be divided). The present scheme, built on a network proxy technology (such as the Envoy network proxy), reuses the native VLAN subnet division scheme and performs no encapsulation or decapsulation of data packets, so cross-physical-node routing performance is better than with GRE and VXLAN, which must encapsulate and decapsulate each packet; it supports multicast, whereas GRE cannot multicast and can only broadcast to the whole subnet, so it does not consume large amounts of public bandwidth; and when crossing physical nodes (physical machines), only addressing through the route discovery registry 13 is needed, whereas VXLAN cross-node communication requires multiple routing steps, so network performance is improved.
Optionally, when the request of a virtual machine is an address resolution protocol (ARP) request, the network agent module 15 of the physical machine where the virtual machine is located is configured to send the ARP request to the network agent module 15 of the route discovery registry 13, where the ARP request includes the IP address of the target virtual machine. The route discovery registry 13 is configured to receive the ARP request through the network agent module 15 running on it, determine the MAC address of the target virtual machine of the ARP request according to the stored network meta-information, and return that MAC address through the network agent module 15 running on it to the network agent module 15 of the physical machine where the virtual machine is located. The network agent module 15 of the physical machine where the virtual machine is located is further configured to return the MAC address to the virtual machine.
Through this scheme, when a virtual machine on a physical machine issues an ARP request, the network agent module 15 of that physical machine reads the MAC address of the target virtual machine from the route discovery registry 13 according to the ARP request. The ARP request of the virtual machine therefore does not need to be broadcast on the public network; only a directed request to the route discovery registry 13 is needed, which relieves the load on the public physical network.
Optionally, when the request of a virtual machine is a broadcast request, the network agent module 15 of the physical machine where the virtual machine is located is configured to send the broadcast request to the network agent module 15 of the route discovery registry 13. The broadcast request includes the user number of the user to which the virtual machine belongs and the broadcast content. The route discovery registry 13 is configured to receive the broadcast request through the network agent module 15 running on it, determine a receiving virtual machine according to that user number and all stored network meta-information, and send the broadcast content together with the VLAN ID of the receiving virtual machine, through the network agent module 15 running on it, to the network agent module 15 of the physical machine where the receiving virtual machine is located. The user number of the user to which the receiving virtual machine belongs is the same as the user number of the user to which the sending virtual machine belongs. The network agent module 15 of the physical machine where the receiving virtual machine is located is configured to deliver the broadcast content to the receiving virtual machine according to its VLAN ID.
Through this scheme, when a virtual machine needs to broadcast a message, the network agent module 15 of the physical machine where the virtual machine is located sends the broadcast content together with the user number of the user to which the virtual machine belongs to the route discovery registry 13. The user number may be carried in the network meta-information of the virtual machine, that is, the network agent module 15 of the physical machine where the virtual machine is located sends the broadcast content together with the network meta-information of the virtual machine to the route discovery registry 13. The route discovery registry 13 queries all receiving virtual machines with the same user number, that is, it obtains the VLAN networks in which the other virtual machines belonging to the same user are located, and sends the broadcast content to those VLAN networks, which completes the cross-network broadcast communication of the virtual machine. Because the broadcast traffic of the virtual machines is uniformly proxied through the route discovery registry 13, the broadcast is targeted more precisely and public network bandwidth is used more efficiently.
Optionally, the route discovery registry 13 is further configured to build an index table over the stored network meta-information keyed by the IP address of the virtual machine and the user number of the user to which the virtual machine belongs, so that the network meta-information of a virtual machine can be queried by its IP address and the user number of its user.
Through this scheme, an index is built on the IP address of the virtual machine and the user number of the user to which the virtual machine belongs, which improves lookup performance.
Based on the above inventive concept, the embodiment of the present disclosure further provides a cloud environment network isolation method, which is applied to the cloud environment network isolation apparatus 10. Fig. 4 is a flowchart illustrating a cloud environment network isolation method according to an embodiment of the present disclosure. As shown in fig. 4, the method comprises the steps of:
in step S11, the user partitioning module 11 numbers the virtual machine on each physical machine using the native VLAN ID, and performs user subnet partitioning on the virtual machine according to the user number and the VLAN ID.
Through this technical scheme, the virtual machines on each physical machine are still numbered with the native VLAN ID of the virtual local area network, that is, the virtual machines on each physical machine can use VLAN IDs 1-4094. The user subnets of the virtual machines are divided according to the user number and the VLAN ID, so that each virtual machine carries both a user number and a VLAN ID. That is, for any two virtual machines on the same physical machine, if their VLAN IDs are the same, the two virtual machines belong to the same user. For any two virtual machines on different physical machines, the same VLAN ID does not by itself mean that they belong to the same user: when their user numbers are the same, the two virtual machines belong to the same user, and when their user numbers are different, they belong to different users. From the above, according to the technical scheme provided by the present disclosure, the number of users (the number of user subnets that can be divided) supported by the cloud environment is not limited by the maximum available number of VLAN IDs in the VLAN technology, that is, the number of users may exceed 4094. Therefore, compared with the existing scheme of using the VLAN technology alone for network isolation, the technical scheme provided by the disclosure can divide the cloud environment into more than 4094 sub-networks for users to use, realizing expansion of the number of users in the cloud environment.
Optionally, the cloud environment network isolating device 10 further includes a route discovery registry 13 and a network agent module 15, where the network agent module 15 runs in each of the physical machines and in the route discovery registry 13 to monitor the network card information of each of the physical machines and of the route discovery registry 13 and to proxy the traffic of each of the physical machines and of the route discovery registry 13, and the method further includes:
the network agent module 15 running on each physical machine sends the network meta information of the virtual machines on the physical machine where the network agent module runs to the route discovery registration center 13, and proxies the requests of the virtual machines on that physical machine, where the network meta information comprises the IP address of the virtual machine, the gateway routed to the target virtual machine, the MAC address of the virtual machine, the VLAN ID of the virtual machine, and the user number of the user to which the virtual machine belongs.
The route discovery registry 13 receives and stores the network meta-information sent by the network agent module 15 of each physical machine through the network agent module 15 running thereon, and responds to the request of each virtual machine according to the network meta-information.
The network proxy module 15 may be based on the Envoy network proxy technology. When the network agent module 15 operates in each of the physical machines, it monitors the network card information of that physical machine and proxies its traffic. In this embodiment, the network agent module 15 running on each physical machine is configured to send the network meta-information of each virtual machine to the route discovery registration center 13 when that virtual machine is created and started locally (on the physical machine where the network agent module 15 runs); in actual use, the network meta-information of the virtual machine is sent to the network agent module 15 of the route discovery registration center 13, and that network agent module 15 stores the network meta-information of the virtual machine in the route discovery registration center 13. Similarly, the network agent module 15 running on each physical machine is further configured to log out the network meta information of a virtual machine from the route discovery registry 13 when the virtual machine is destroyed locally (on the physical machine where the virtual machine is located). The network agent module 15 running on each physical machine is further configured to proxy the requests of the virtual machines on the physical machine where the network agent module runs and to send the response result of the route discovery registry 13 to the corresponding virtual machine on that physical machine. When the network agent module 15 operates in the route discovery registry 13, it monitors the network card information of the route discovery registry 13 and proxies the traffic of the route discovery registry 13.
In this embodiment, the network agent module 15 running in the route discovery registry 13 is configured to receive the network meta-information sent by the network agent module 15 of each of the physical machines and store the network meta-information in the route discovery registry 13. The network agent module 15 running in the route discovery registry 13 is further configured to send the request of the virtual machine sent by the network agent module 15 running in each of the physical machines to the route discovery registry 13, and send the response result of the route discovery registry 13 to the network agent module 15 running in the corresponding physical machine.
The route discovery registry 13 may be based on database technology, for example, based on MySQL database, and may be configured to store the received network meta-information and respond to each of the virtual machine requests according to the network meta-information.
In the prior art, two upgrading technologies, GRE (Generic Routing Encapsulation) and VXLAN (Virtual eXtensible Local Area Network), are adopted to overcome the defect of the VLAN technology (only 4094 subnets can be divided). By the technical scheme of this disclosure, based on a network agent technology (such as the Envoy network agent technology), the native VLAN subnet division specification is reused and data packets are neither encapsulated nor decapsulated, so the network routing performance across physical nodes is improved compared with GRE and VXLAN, which both need to encapsulate and decapsulate data packets; multicast can be carried out, so that, compared with GRE, which cannot multicast and can only broadcast to the whole subnet, a large amount of public bandwidth is not occupied; and when crossing physical nodes (physical machines), only addressing through the route discovery registration center 13 is needed, whereas VXLAN communication across physical nodes requires multiple routing steps, so the network performance is improved.
Optionally, when the request of a virtual machine is an address resolution protocol, ARP, request:
the step of proxying the request of the virtual machine on the physical machine where the network agent module is located comprises: the network agent module 15 of the physical machine in which the virtual machine is located sends the ARP request to the network agent module 15 of the route discovery registry 13, where the ARP request includes the IP address of the target virtual machine.
The steps of receiving and storing the network meta-information sent by the network agent module 15 of each physical machine through the network agent module 15 running thereon, and responding to the request of each virtual machine according to the network meta-information include: the route discovery registry 13 receives the ARP request through the network agent module 15 running thereon, determines the MAC address of the target virtual machine of the ARP request according to the network meta-information stored therein, and returns the MAC address to the network agent module 15 of the physical machine where the virtual machine is located through the network agent module 15 running thereon.
The step of proxying the request of the virtual machine on the physical machine where the virtual machine is located further comprises: the network agent module 15 of the physical machine in which the virtual machine is located returns the MAC address to the virtual machine.
Through the technical scheme, when one virtual machine of the physical machine carries out the ARP request, the network agent module 15 of the physical machine reads the MAC address information of the target virtual machine from the route discovery registration center 13 according to the ARP request, so that the ARP request of the virtual machine does not need to be broadcasted in the public network, only the route discovery registration center 13 needs to be requested in a directional mode, and the pressure of the public physical network is relieved.
Optionally, when the request of a virtual machine is a broadcast request:
the step of proxying the request of the virtual machine on the physical machine where the network agent module is located comprises: the network agent module 15 of the physical machine in which the virtual machine is located sends the broadcast request to the network agent module 15 of the route discovery registration center 13, where the broadcast request includes the user number of the user to which the virtual machine belongs and the broadcast content.
The steps of receiving and storing the network meta-information sent by the network agent module 15 of each physical machine through the network agent module 15 running thereon, and responding to the request of each virtual machine according to the network meta-information include: the route discovery registration center 13 receives the broadcast request through the network agent module 15 running thereon, determines a receiving virtual machine according to the user number of the user to which the virtual machine belongs and all the stored network meta information, and sends the broadcast content and the VLAN ID of the receiving virtual machine to the network agent module 15 of the physical machine to which the receiving virtual machine belongs through the network agent module 15 running thereon, wherein the user number of the user to which the receiving virtual machine belongs is the same as the user number of the user to which the virtual machine belongs;
the step of proxying the request of the virtual machine on the physical machine where the virtual machine is located further comprises: the network agent module 15 of the physical machine in which the receiving virtual machine is located sends the broadcast content to the receiving virtual machine according to the VLAN ID of the receiving virtual machine.
Through the above technical solution, when a virtual machine needs to broadcast a message, the network agent module 15 of the physical machine where the virtual machine is located sends the broadcast content and the user number of the user to which the virtual machine belongs to the route discovery registration center 13. The user number of the user to which the virtual machine belongs may be included in the network meta information of the virtual machine, that is, the network agent module 15 of the physical machine to which the virtual machine belongs sends the broadcast content and the network meta information of the virtual machine to the route discovery registry 13. The route discovery registration center 13 will query all receiving virtual machines with the same user number according to the user number of the user to which the virtual machine belongs, that is, obtain the VLAN network where other virtual machines belonging to the same user as the virtual machine are located, and send broadcast content to these VLAN networks, thereby completing the broadcast communication of the virtual machine across networks. The broadcast information of the virtual machine is uniformly proxied through the routing discovery registration center 13, so that the broadcast target is more accurate, and the utilization efficiency of the public network bandwidth is improved.
Optionally, the method further comprises:
the route discovery registry 13 establishes an index table for the stored network meta-information according to the IP address of the virtual machine and the user number of the user to which the virtual machine belongs, so as to query the network meta-information of the virtual machine according to the IP address of the virtual machine and the user number of the user to which the virtual machine belongs.
By the technical scheme, the index is established according to the IP address of the virtual machine and the user number of the user to which the virtual machine belongs, and the access performance is improved.
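The registration, ARP and broadcast behaviour described in the device and method embodiments above, as an added example written for this page (it is not code from the patent or its applicant): a small Python model of the route discovery registry 13 that stores the listed network meta-information indexed by IP address and user number, answers a proxied ARP request, and fans out a broadcast to the virtual machines of the same user. The class and function names, the `host` field identifying the physical machine of a virtual machine, skipping the sender on broadcast, rejecting a second user on an already-used (physical machine, VLAN ID) pair, and scoping the ARP lookup by the requester's user number are assumptions made here; the text describes the index as keyed by IP address and user number but does not spell out these details.

```python
# Added example (not code from the patent): a small model of the route
# discovery registry holding the network meta-information fields the text
# lists and answering the two proxied request types it describes (ARP and
# broadcast). Names are assumptions; the "host" field, skipping the sender
# on broadcast, the per-host VLAN/user conflict check and the user-scoped
# ARP lookup are assumptions made here, not statements of the patent.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VmMeta:
    """Network meta-information of one virtual machine."""
    host: str       # physical machine the VM runs on (assumed; addresses its agent)
    ip: str
    gateway: str
    mac: str
    vlan_id: int    # native VLAN ID, 1..4094
    user_no: int    # user (tenant) number


def same_user(a: VmMeta, b: VmMeta) -> bool:
    """Rule from the description: on one physical machine a shared VLAN ID means
    one user; across physical machines only the user number decides."""
    if a.host == b.host and a.vlan_id == b.vlan_id:
        return True
    return a.user_no == b.user_no


class RouteRegistry:
    """Route discovery registry: meta-information indexed by (user number, IP)."""

    def __init__(self) -> None:
        self._by_user_ip: Dict[Tuple[int, str], VmMeta] = {}
        # (host, VLAN ID) -> user number: keeps the per-host VLAN/user rule consistent.
        self._vlan_owner: Dict[Tuple[str, int], int] = {}

    def register(self, vm: VmMeta) -> None:
        """Called by the host agent when a VM is created and started."""
        if not 1 <= vm.vlan_id <= 4094:
            raise ValueError("VLAN ID outside the native range 1-4094")
        owner = self._vlan_owner.get((vm.host, vm.vlan_id))
        if owner is not None and owner != vm.user_no:
            raise ValueError("VLAN ID on this host already belongs to another user")
        self._vlan_owner[(vm.host, vm.vlan_id)] = vm.user_no
        self._by_user_ip[(vm.user_no, vm.ip)] = vm

    def deregister(self, user_no: int, ip: str) -> None:
        """Called by the host agent when a VM is destroyed."""
        vm = self._by_user_ip.pop((user_no, ip), None)
        if vm and not any(o.host == vm.host and o.vlan_id == vm.vlan_id
                          for o in self._by_user_ip.values()):
            self._vlan_owner.pop((vm.host, vm.vlan_id), None)

    def resolve_arp(self, requester: VmMeta, target_ip: str) -> Optional[str]:
        """Proxied ARP request: MAC of the target VM, or None when the requester's
        user has no VM with that IP. Scoping by user number keeps overlapping
        tenant IP ranges apart and never reveals another user's MAC."""
        target = self._by_user_ip.get((requester.user_no, target_ip))
        return target.mac if target else None

    def fan_out_broadcast(self, sender: VmMeta, content: bytes) -> List[Tuple[str, int, bytes]]:
        """Proxied broadcast: one (host, VLAN ID, content) delivery per receiving VM
        with the sender's user number; each host agent then puts it on that VLAN."""
        deliveries = [(vm.host, vm.vlan_id, content)
                      for vm in self._by_user_ip.values()
                      if vm.user_no == sender.user_no and vm != sender]
        return sorted(deliveries)


def demo() -> dict:
    """Constructed sample: two users whose VLAN IDs collide across hosts and whose IP ranges overlap."""
    reg = RouteRegistry()
    a1 = VmMeta("pm1", "10.0.0.10", "10.0.0.1", "02:00:00:00:01:10", 100, 1)
    a2 = VmMeta("pm2", "10.0.0.11", "10.0.0.1", "02:00:00:00:01:11", 100, 1)
    b1 = VmMeta("pm2", "10.0.0.10", "10.0.0.1", "02:00:00:00:02:10", 200, 2)
    b2 = VmMeta("pm3", "10.0.0.12", "10.0.0.1", "02:00:00:00:02:12", 100, 2)
    for vm in (a1, a2, b1, b2):
        reg.register(vm)
    try:  # VLAN 100 on pm1 is user 1's; a second user may not claim it
        reg.register(VmMeta("pm1", "10.0.0.13", "10.0.0.1", "02:00:00:00:02:13", 100, 2))
        conflict_rejected = False
    except ValueError:
        conflict_rejected = True
    out = {
        "arp_user1": reg.resolve_arp(a2, "10.0.0.10"),       # a1's MAC, not b1's
        "arp_user2": reg.resolve_arp(b2, "10.0.0.10"),       # b1's MAC
        "arp_cross_user": reg.resolve_arp(a1, "10.0.0.12"),  # b2 is invisible to user 1
        "broadcast_from_a1": reg.fan_out_broadcast(a1, b"hello"),
        "vlan_conflict_rejected": conflict_rejected,
        "a1_a2_same_user": same_user(a1, a2),
        "a1_b2_same_user": same_user(a1, b2),  # same VLAN ID, different hosts and users
    }
    reg.deregister(1, "10.0.0.11")  # a2 destroyed: it leaves the broadcast domain
    out["broadcast_after_deregister"] = reg.fan_out_broadcast(a1, b"hello")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The user-scoped ARP lookup is the check a defender wants on this path: because user subnets may reuse both IP ranges and VLAN IDs, an ARP answer keyed on the IP address alone would let a virtual machine learn the MAC address of another user's virtual machine, so the isolation boundary has to be enforced on the resolution path as well as on the data path.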
With regard to the method in the above embodiment, the detailed implementation of each step thereof has been described in detail in the embodiment of the apparatus, and will not be elaborated herein.
Based on the above inventive concept, the embodiment of the present disclosure further provides a cloud environment, which includes a plurality of physical machines and the cloud environment network isolation apparatus 10. And a plurality of virtual machines run on each physical machine. The cloud environment realizes user subnet division (network isolation) by the cloud environment network isolation device 10 included therein.
The preferred embodiments of the present disclosure are described in detail with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, and these simple modifications all belong to the protection scope of the present disclosure.
It should be noted that, in the foregoing embodiments, various features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various combinations that are possible in the present disclosure are not described again.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.

Claims (8)

1. The cloud environment network isolation device is applied to a cloud system, the cloud system comprises a plurality of physical machines, a plurality of virtual machines run on each physical machine, the cloud environment network isolation device comprises a user dividing module, the cloud environment network isolation device further comprises a route discovery registry and a network agent module, and the network agent module runs on each physical machine and the route discovery registry so as to monitor network card information of each physical machine and the route discovery registry and agent traffic of each physical machine and the route discovery registry;
the user dividing module is used for numbering the virtual machines on each physical machine by using a native VLAN ID and dividing user subnets of the virtual machines according to the user numbers and the VLAN IDs;
the network agent module is operated on each physical machine and is used for sending the network meta-information of the virtual machine on the physical machine where the network agent module is located to the route discovery registration center and acting the request of the virtual machine on the physical machine where the network agent module is located, wherein the network meta-information comprises the IP address of the virtual machine, the gateway routed to the target virtual machine, the MAC address of the virtual machine, the VLAN ID of the virtual machine and the user number of the user of the virtual machine;
the route discovery registration center is used for receiving and storing the network meta-information sent by the network agent module of each physical machine through the network agent module running on the route discovery registration center, and responding to the request of each virtual machine according to the network meta-information.
2. The cloud environment network isolation device of claim 1, wherein when the request of a virtual machine is an Address Resolution Protocol (ARP) request:
the network agent module of the physical machine where the virtual machine is located is specifically configured to send the ARP request to the network agent module of the route discovery registration center, where the ARP request includes an IP address of a target virtual machine;
the route discovery registration center is specifically configured to receive the ARP request through a network agent module running thereon, determine an MAC address of a target virtual machine of the ARP request according to network meta information stored therein, and return the MAC address to the network agent module of a physical machine in which the virtual machine is located through the network agent module running thereon;
the network agent module of the physical machine in which the virtual machine is located is specifically further configured to return the MAC address to the virtual machine.
3. The cloud environment network isolation device of claim 1, wherein when the request of a virtual machine is a broadcast request:
the network agent module of the physical machine where the virtual machine is located is specifically configured to send the broadcast request to the network agent module of the route discovery registration center, where the broadcast request includes a user number and broadcast content of a user to which the virtual machine belongs;
the route discovery registration center is specifically configured to receive the broadcast request through a network agent module running thereon, determine a receiving virtual machine according to a user number of a user to which the virtual machine belongs and all stored network meta information, and send the broadcast content and the VLAN ID of the receiving virtual machine to the network agent module of the physical machine to which the receiving virtual machine belongs through the network agent module running thereon, where the user number of the user to which the receiving virtual machine belongs is the same as the user number of the user to which the virtual machine belongs;
the network agent module of the physical machine where the receiving virtual machine is located is specifically configured to send the broadcast content to the receiving virtual machine according to the VLAN ID of the receiving virtual machine.
4. The cloud environment network isolation device of any of claims 1-3,
the route discovery registration center is further configured to establish an index table for the stored network meta-information according to the IP address of the virtual machine and the user number of the user to which the virtual machine belongs, so as to query the network meta-information of the virtual machine according to the IP address of the virtual machine and the user number of the user to which the virtual machine belongs.
5. A cloud environment network isolation method is applied to a cloud environment network isolation device for isolating a cloud system, wherein the cloud system comprises a plurality of physical machines, a plurality of virtual machines run on each physical machine, the cloud environment network isolation device comprises a user partitioning module, the cloud environment network isolation device further comprises a route discovery registry and a network agent module, the network agent module runs on each physical machine and the route discovery registry and monitors network card information of each physical machine and the route discovery registry and acts traffic of each physical machine and the route discovery registry, and the method comprises the following steps:
the user dividing module numbers the virtual machine on each physical machine by using a native virtual local area network number VLAN ID, and divides a user subnet of the virtual machine according to the user number and the VLAN ID;
the network agent module running on each physical machine sends the network meta-information of the virtual machine on the physical machine where the network agent module is located to the route discovery registration center and acts for the request of the virtual machine on the physical machine where the network agent module is located, wherein the network meta-information comprises the IP address of the virtual machine, the gateway routed to the target virtual machine, the MAC address of the virtual machine, the VLAN ID of the virtual machine and the user number of the user of the virtual machine;
and the route discovery registration center receives and stores the network meta-information sent by the network agent module of each physical machine through the network agent module running on the route discovery registration center, and responds to the request of each virtual machine according to the network meta-information.
6. The cloud environment network isolation method of claim 5, wherein when the request of a virtual machine is an Address Resolution Protocol (ARP) request:
the step of proxying the request of the virtual machine on the physical machine where the network agent module is located comprises: the network agent module of the physical machine where the virtual machine is located sends the ARP request to the network agent module of the route discovery registration center, wherein the ARP request comprises the IP address of the target virtual machine;
the steps of receiving and storing the network meta-information sent by the network agent module of each physical machine through the network agent module running thereon, and responding to the request of each virtual machine according to the network meta-information include: the route discovery registration center receives the ARP request through the network agent module running on the route discovery registration center, determines the MAC address of the target virtual machine of the ARP request according to the network meta-information stored therein, and returns the MAC address to the network agent module of the physical machine where the virtual machine is located through the network agent module running on the route discovery registration center;
the step of proxying the request of the virtual machine on the physical machine where the virtual machine is located further comprises: and the network agent module of the physical machine where the virtual machine is located returns the MAC address to the virtual machine.
7. The cloud environment network isolation method of claim 5, wherein when the request of a virtual machine is a broadcast request:
the step of proxying the request of the virtual machine on the physical machine where the network agent module is located comprises: the network agent module of the physical machine where the virtual machine is located sends the broadcast request to the network agent module of the route discovery registration center, wherein the broadcast request comprises the user number of the user to which the virtual machine belongs and the broadcast content;
the steps of receiving and storing the network meta-information sent by the network agent module of each physical machine through the network agent module running thereon, and responding to the request of each virtual machine according to the network meta-information include: the route discovery registration center receives the broadcast request through a network agent module running on the route discovery registration center, determines a receiving virtual machine according to the user number of the user to which the virtual machine belongs and all stored network meta information, and sends the broadcast content and the VLAN ID of the receiving virtual machine to the network agent module of the physical machine where the receiving virtual machine is located through the network agent module running on the route discovery registration center, wherein the user number of the user to which the receiving virtual machine belongs is the same as the user number of the user to which the virtual machine belongs;
the step of proxying the request of the virtual machine on the physical machine where the virtual machine is located further comprises: and the network agent module of the physical machine where the receiving virtual machine is located sends the broadcast content to the receiving virtual machine according to the VLAN ID of the receiving virtual machine.
8. A cloud system comprising a plurality of physical machines each having a plurality of virtual machines running thereon and the cloud environment network isolation apparatus of any of claims 1-4.
CN201911330369.8A 2019-12-20 2019-12-20 Cloud environment network isolation device and method and cloud system Active CN111147345B (en)
Publications (2)

Publication Number Publication Date
CN111147345A CN111147345A (en) 2020-05-12
CN111147345B true CN111147345B (en) 2022-01-07

Family

ID=70519231
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant