CN111314368B - Method for realizing management-tenant network interworking ("tube renting intercommunication" in the machine-translated title) by using a load balancer - Google Patents


Info

Publication number: CN111314368B
Authority: CN (China)
Prior art keywords: network, eip, server, management network, slb
Legal status: Active
Application number: CN202010123976.3A
Other languages: Chinese (zh)
Other versions: CN111314368A (en)
Inventor: 范生越
Current assignee: Unicloud Technology Co Ltd
Original assignee: Unicloud Technology Co Ltd

Timeline
2020-02-27: Application filed by Unicloud Technology Co Ltd; priority to CN202010123976.3A
2020-06-19: Publication of CN111314368A
2022-06-07: Application granted; publication of CN111314368B
Current legal status: Active
Anticipated expiration: not shown on the page

Classifications (CPC)

All entries are under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication.

    • H04L67/1036 Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers (path: H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network > H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers)
    • H04L61/25 Mapping addresses of the same type (path: H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/09 Mapping addresses)
    • H04L61/5007 Internet protocol [IP] addresses (path: H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/50 Address allocation)
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (path: H04L63/00 Network architectures or network communication protocols for network security)
    • H04L63/0281 Proxies (path: H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L67/56 Provisioning of proxy services (path: H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services)

Abstract

The invention provides a method for realizing management-tenant network interworking by using a load balancer, comprising the following steps: S1, creating a load balancing instance (SLB); S2, adding an intranet EIP segment to the public network address pool; S3, allocating an intranet EIP from that segment and binding it to the SLB; and S4, opening the route between the management network and the core firewall. The method has a high degree of security: the management network is invisible to the tenant network, so security isolation between the management network and the tenant network and communication between them are achieved at the same time.

Description

Method for realizing management-tenant network interworking by using a load balancer
Technical Field
The invention belongs to the technical field of cloud computing networks, and particularly relates to a method for realizing management-tenant network interworking by using a load balancer.
Background
In a cloud computing network, OpenStack is deployed in the management network and VMs are deployed in the service network; in practice the management network needs to communicate with the tenant network. A tenant's virtual machine generally has only one network card by default. If the virtual machine is used as a server and needs to be reachable from a public network IP, an EIP must be bound to it; if interworking between the tenant network and the management network is to be realized, the tenant's virtual machine can be bound directly to an EIP to achieve it, but this creates a problem.
The solution using two EIPs has the following drawbacks:
1. The tenant's virtual machine is given an additional network card that is visible to the customer, so the customer experience is poor; real public network IPs are wasted, a large number of public network IPs are consumed, and cost-effectiveness is low.
2. If one virtual machine binds two EIPs to gain access to both the Internet and the management network, the tenant-network virtual machine can attack the management network at will, which is fatal for public or private cloud operators: security is extremely low and the arrangement is unacceptable from a security perspective.
Disclosure of Invention
In view of the above, the present invention provides a method for implementing management-tenant network interworking by using a load balancer to overcome the above-mentioned defects in the prior art.
To achieve this purpose, the technical scheme of the invention is realized as follows:
A method for realizing management-tenant network interworking by using a load balancer comprises the following steps:
S1, creating a load balancing instance (SLB);
S2, adding an intranet EIP segment to the public network address pool;
S3, allocating an intranet EIP from that segment and binding it to the SLB;
S4, opening the route between the management network and the core firewall.
Furthermore, the virtual machine hosting the client server with the PaaS product is added to the SLB's back-end server group as a back-end server, and the listener's listening port is kept consistent with the port on which the back-end server provides its external service, so that the different services on the server can be accessed normally from outside.
Further, when the management network actively accesses the VM, traffic flows as follows:
the management network reaches the firewall; after NAT mapping of the EIP, the packet reaches the virtual IP of the SLB via the route and is delivered, according to the load balancing algorithm, to a back-end server, i.e. the client's real server.
Further, when the back-end server actively accesses the management network, traffic flows as follows:
the back-end server directly accesses the Nginx server in the DMZ; the route between the management network and the Nginx server is opened, and the Nginx server acts as a reverse proxy to access the management network.
Compared with the prior art, the invention has the following advantages:
1. By using the load balancer and the Nginx reverse proxy, the management network is effectively protected and cannot be attacked at will, so security is high;
2. By using an intranet EIP, the quota of the original external-network EIPs is not consumed and those EIPs are not affected;
3. After the LB instance is released, the intranet EIP is recovered and the address can be reused, so resources are not wasted.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention without limiting it. In the drawings:
Fig. 1 is a schematic structural block diagram of an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the description of the present invention, it is to be understood that the terms "central," "longitudinal," "lateral," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like are used in the orientations and positional relationships indicated in the drawings, which are based on the orientations and positional relationships indicated in the drawings, and are used for convenience in describing the present invention and for simplicity in description, but do not indicate or imply that the device or element so referred to must have a particular orientation, be constructed in a particular orientation, and be operated, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or to implicitly indicate a number of the indicated technical features. Thus, a feature defined as "first," "second," etc. may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless otherwise specified.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art through specific situations.
The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
In a cloud computing network, OpenStack is deployed in the management network and VMs are deployed in the service network; in practice the management network needs to communicate with the tenant network. PaaS products, such as the RDS service provided by a database in the VM, must complete and start their specific service deployment while the VM boots; at that time an RPM package has to be uploaded to the VM where the RDS service is located, which requires the management network and the tenant network to communicate. The tenant network where the RDS service is located also needs to communicate with the message queue in the OpenStack management network and regularly report information such as server state; at that point the tenant network needs to communicate with the management network.
A tenant's virtual machine generally has only one network card by default. If the virtual machine is used as a server and needs to be reachable from a public network IP, an EIP must be bound to it; if interworking between the tenant network and the management network is to be realized, the tenant's virtual machine can be bound directly to an EIP to achieve it, but this creates a problem.
The scheme using two EIPs has two drawbacks:
1. The tenant's virtual machine is given an additional network card that is visible to the customer, so the customer experience is poor; real public network IPs are wasted, a large number of public network IPs are consumed, and cost-effectiveness is low.
2. If one virtual machine binds two EIPs to gain access to both the Internet and the management network, the tenant-network virtual machine can attack the management network at will, which is fatal for public or private cloud operators: security is extremely low and the arrangement is unacceptable from a security perspective.
In short, the scheme in which the virtual machine uses two EIPs to interwork with the Internet and the management network respectively has large security holes and low cost-effectiveness.
Because the load balancer is itself a reverse proxy, the load balancing instance can be bound to a "false" intranet EIP taken from a reserved segment, and the tenant's virtual machine can be added to the load balancing instance as a back-end server. The management network is then protected on the LB side: the back-end server cannot directly access the management network, so the management network cannot be attacked at will.
The structural block diagram is shown in Fig. 1.
1. To realize communication between the tenant network and the management network, a load balancing instance is created first. The virtual machine hosting the client server with the PaaS product is added to the SLB's back-end server group as a back-end server, and the listener's listening port is kept consistent with the port on which the back-end server provides its external service, so that the different services on the server can be accessed normally from outside.
2. An intranet EIP segment is added to the public network address pool, and after the SLB is created an intranet EIP is allocated from that segment and bound to the SLB.
3. The management network and the core firewall are connected, and the configuration of the intranet EIP can be pushed to the core firewall, ensuring that the management network can reach the intranet EIP.
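As an added example (not code from the patent or from Unicloud), the following Python model shows steps 2 and 3 together with the recovery described among the advantages: a reserved intranet EIP segment sits in the same address pool as the real public EIPs, an SLB instance takes one address from it, and releasing the instance returns the address to the segment while the public segment is never touched. The CIDRs (a documentation range for the public segment, a private range for the intranet segment) and the SLB instance name are assumptions.

```python
"""Address-pool model for the intranet EIP segment (constructed example)."""
import ipaddress

PUBLIC = "public"            # real public EIPs
INTRANET = "intranet-eip"    # reserved segment for SLB-bound "false" EIPs


class AddressPool:
    def __init__(self):
        self.free = {}        # segment label -> set of unallocated addresses
        self.owner = {}       # allocated EIP -> segment label it came from
        self.binding = {}     # EIP -> SLB instance id

    def add_segment(self, label, cidr):
        """Add a segment to the pool; returns the number of usable host addresses."""
        net = ipaddress.ip_network(cidr, strict=True)
        self.free[label] = set(net.hosts())
        return len(self.free[label])

    def allocate(self, label):
        """Take the lowest free address from the named segment."""
        pool = self.free[label]
        if not pool:
            raise RuntimeError(f"segment {label!r} is exhausted")
        eip = min(pool)
        pool.remove(eip)
        self.owner[eip] = label
        return eip

    def bind(self, eip, slb_id):
        """Bind an allocated EIP to one SLB instance; a second binding is refused."""
        if eip not in self.owner:
            raise ValueError(f"{eip} was not allocated from this pool")
        if eip in self.binding:
            raise ValueError(f"{eip} is already bound to {self.binding[eip]}")
        self.binding[eip] = slb_id

    def release_slb(self, slb_id):
        """Release an LB instance: every EIP bound to it returns to its segment."""
        recovered = [e for e, s in self.binding.items() if s == slb_id]
        for eip in recovered:
            del self.binding[eip]
            self.free[self.owner.pop(eip)].add(eip)
        return recovered

    def free_count(self, label):
        return len(self.free[label])


def create_slb_with_intranet_eip(pool, slb_id):
    """Allocate an intranet EIP and bind it to the SLB; returns the EIP."""
    eip = pool.allocate(INTRANET)
    pool.bind(eip, slb_id)
    return eip


def demo():
    """Walk through allocate, bind and release; returns the observed counts."""
    pool = AddressPool()
    pool.add_segment(PUBLIC, "203.0.113.0/24")     # assumed public segment
    pool.add_segment(INTRANET, "10.250.0.0/24")    # assumed intranet EIP segment
    public_before = pool.free_count(PUBLIC)
    eip = create_slb_with_intranet_eip(pool, "slb-paas-rds-1")  # assumed name
    after_bind = pool.free_count(INTRANET)
    recovered = pool.release_slb("slb-paas-rds-1")
    return {
        "eip": str(eip),
        "public_untouched": pool.free_count(PUBLIC) == public_before,
        "intranet_free_after_bind": after_bind,
        "recovered": [str(e) for e in recovered],
        "intranet_free_after_release": pool.free_count(INTRANET),
    }


if __name__ == "__main__":
    print(demo())
```

The point worth keeping from the model is the separation of segments: allocating for an SLB only ever draws from the intranet segment, so the count of free public EIPs is the same before and after, and a released instance gives its address back rather than leaking it.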
When the management network actively accesses the VM, the traffic path is: the management network reaches the firewall; after NAT mapping of the EIP, the packet reaches the virtual IP of the SLB via the route and is delivered, according to the load balancing algorithm, to a back-end server, i.e. the client's real server.
When the back-end server actively accesses the management network, the traffic path is: the back-end server directly accesses the Nginx server in the DMZ; the route between the management network and the Nginx server is opened, and the Nginx server acts as a reverse proxy to reach the management network.
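The two traffic directions just described, modeled as an added Python example rather than the patent's own code: the core firewall does static NAT from the intranet EIP to the SLB virtual IP and the SLB schedules back-ends round-robin, while the reverse direction only works through the DMZ Nginx reverse proxy with an allow-listed location, and the model checks that no direct route exists from the tenant network to the management network. All addresses, the route between the tenant network and the DMZ, the `/mq/` location and the scheduling algorithm are assumptions.

```python
"""Traffic-path model for management -> VM and back-end -> management (constructed)."""
import ipaddress
from itertools import cycle

IP = ipaddress.ip_address
NET = ipaddress.ip_network

# Constructed topology; every address below is an assumption, not from the patent.
MGMT_NET = NET("172.16.0.0/16")        # OpenStack management network
EIP_NET = NET("10.250.0.0/24")         # reserved intranet EIP segment
TENANT_NET = NET("192.168.100.0/24")   # tenant / service network holding the VMs
DMZ_NET = NET("192.168.200.0/24")      # DMZ holding the Nginx reverse proxy

INTRANET_EIP = IP("10.250.0.1")        # intranet EIP bound to the SLB
SLB_VIP = IP("192.168.100.1")          # virtual IP of the load balancing instance
BACKENDS = [IP("192.168.100.11"), IP("192.168.100.12")]   # tenant VMs in the SLB group
NGINX = IP("192.168.200.5")            # reverse proxy in the DMZ
MQ_API = IP("172.16.0.20")             # message-queue endpoint in the management network


class Fabric:
    """Routes, the core firewall's NAT table, the SLB scheduler and the proxy allow-list."""

    def __init__(self):
        self.routes = set()                 # (src_net, dst_net) pairs that are routable
        self.nat = {INTRANET_EIP: SLB_VIP}  # static NAT at the core firewall
        self.scheduler = cycle(BACKENDS)    # assumed load balancing algorithm: round robin
        self.proxy_allow = {}               # Nginx location prefix -> management upstream

    def open_route(self, a, b):
        """Make two networks mutually routable."""
        self.routes.add((a, b))
        self.routes.add((b, a))

    def routable(self, src, dst):
        return any(src in s and dst in d for s, d in self.routes)

    def mgmt_to_vm(self, src, eip):
        """Direction 1: management host -> firewall (NAT) -> SLB VIP -> scheduled back-end."""
        if not self.routable(src, eip):
            raise PermissionError(f"no route from {src} to intranet EIP {eip}")
        vip = self.nat[eip]                 # EIP is NAT-mapped to the SLB's virtual IP
        backend = next(self.scheduler)      # SLB picks the real server
        return [str(src), "firewall-nat", str(vip), str(backend)]

    def backend_to_mgmt(self, src, dst, path):
        """Direction 2: back-end -> Nginx in the DMZ -> allow-listed management service.

        A direct hop is returned only if the fabric routes tenant traffic into the
        management network; this topology never does, so the proxied path is the
        only one available.
        """
        if self.routable(src, dst):
            return [str(src), str(dst)]     # direct path: the two-EIP weakness
        if not self.routable(src, NGINX):
            raise PermissionError(f"{src} cannot reach the DMZ proxy")
        upstream = next((u for prefix, u in self.proxy_allow.items()
                         if path.startswith(prefix)), None)
        if upstream is None or not self.routable(NGINX, upstream):
            raise PermissionError(f"proxy has no upstream for {path}")
        return [str(src), str(NGINX), str(upstream)]


def build():
    """Wire the routes the description gives, plus the assumed tenant -> DMZ route."""
    fabric = Fabric()
    fabric.open_route(MGMT_NET, EIP_NET)    # management network <-> core firewall / intranet EIP
    fabric.open_route(TENANT_NET, DMZ_NET)  # assumption: back-ends may reach the DMZ proxy
    fabric.open_route(DMZ_NET, MGMT_NET)    # route between management network and Nginx
    fabric.proxy_allow["/mq/"] = MQ_API     # only the state-reporting endpoint is proxied
    return fabric


def direct_tenant_to_mgmt_possible(fabric):
    """The isolation property the method relies on: tenant VMs have no direct route."""
    return any(fabric.routable(b, MQ_API) for b in BACKENDS)


def try_backend_to_mgmt(fabric, src, dst, path):
    """The proxied path, or None when the fabric refuses it."""
    try:
        return fabric.backend_to_mgmt(src, dst, path)
    except PermissionError:
        return None


if __name__ == "__main__":
    f = build()
    print(f.mgmt_to_vm(IP("172.16.0.10"), INTRANET_EIP))
    print(try_backend_to_mgmt(BACKENDS[0], MQ_API, "/mq/report") if False else
          try_backend_to_mgmt(f, BACKENDS[0], MQ_API, "/mq/report"))
    print(direct_tenant_to_mgmt_possible(f))
```

Two checks in the model are the ones a reviewer of such a deployment would repeat against the real fabric: `direct_tenant_to_mgmt_possible` must stay false (the tenant network has no route into the management network at all), and the proxy must answer only for the locations it is configured for, so that a back-end asking for anything outside `/mq/` is refused at the DMZ rather than forwarded.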
The method uses the load balancer and the Nginx reverse proxy to protect the management network effectively, ensuring it cannot be attacked at will, so security is high. By using an intranet EIP, the quota of the original external-network EIPs is not consumed and those EIPs are not affected. After the LB instance is released, the intranet EIP is recovered and the address can be reused, so resources are not wasted.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (2)

1. A method for realizing management-tenant network interworking by using a load balancer, characterized in that the method comprises the following steps:
S1, creating a load balancing instance (SLB);
S2, adding an intranet EIP segment to the public network address pool, wherein EIP denotes an elastic public network IP;
S3, allocating an intranet EIP from the intranet EIP segment and binding it to the SLB;
S4, opening a route between the management network and the core firewall;
a virtual machine hosting a client server provided with PaaS products is added to the SLB's back-end server group as a back-end server, and the listener's listening port is kept consistent with the port on which the back-end server provides services to the outside, so that the different services on the server can be accessed normally from outside;
when the management network actively accesses the VM, the traffic path is as follows:
the management network reaches the firewall; after NAT mapping of the EIP, the packet reaches the virtual IP of the SLB via the route and is delivered, according to the load balancing algorithm, to the back-end server, i.e. the client's real server.
2. The method for realizing management-tenant network interworking by using a load balancer according to claim 1, characterized in that the traffic path when the back-end server actively accesses the management network is as follows:
the back-end server directly accesses the Nginx server in the DMZ; the route between the management network and the Nginx server is opened, and the Nginx server acts as a reverse proxy to access the management network.

Priority Applications (1)

Application number: CN202010123976.3A (CN111314368B, en); priority date 2020-02-27; filing date 2020-02-27; title: Method for realizing tube renting intercommunication by using load balancer

Applications Claiming Priority (1)

Application number: CN202010123976.3A (CN111314368B, en); priority date 2020-02-27; filing date 2020-02-27; title: Method for realizing tube renting intercommunication by using load balancer

Publications (2)

CN111314368A (en), published 2020-06-19
CN111314368B (en), published 2022-06-07

Family

ID=71148130

Family Applications (1)

Application number: CN202010123976.3A, status Active, publication CN111314368B (en); priority date 2020-02-27; filing date 2020-02-27; title: Method for realizing tube renting intercommunication by using load balancer

Country Status (1)

CN (1): CN111314368B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112243036B (en) * 2020-10-21 2022-03-15 北京首都在线科技股份有限公司 Data processing method and device for PaaS service, equipment and storage medium
CN112272145B (en) * 2020-10-26 2022-05-24 新华三信息安全技术有限公司 Message processing method, device, equipment and machine readable storage medium
CN112968802B (en) * 2021-02-25 2023-04-18 紫光云技术有限公司 Universal method for managing IP state and relation of elastic public network
CN113037815A (en) * 2021-02-25 2021-06-25 紫光云技术有限公司 Method for operating EIP (extended Access Point) under BWS (broadband remote Access Server) service interruption or EIP service interruption scene
CN114205229B (en) * 2021-12-03 2024-01-05 紫光云(南京)数字技术有限公司 Method for judging issuing configuration of elastic public network IP binding elastic network card
CN115277628A (en) * 2022-05-30 2022-11-01 紫光建筑云科技(重庆)有限公司 Method for realizing FULL NAT local IP

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103812704A (en) * 2014-02-25 2014-05-21 国云科技股份有限公司 Public network IP (Internet Protocol) dynamic management method for virtual machine
CN206226495U (en) * 2016-12-09 2017-06-06 深圳竹信科技有限公司 A kind of operation system based on cloud platform
US10148493B1 (en) * 2015-06-08 2018-12-04 Infoblox Inc. API gateway for network policy and configuration management with public cloud
CN109032760A (en) * 2018-08-01 2018-12-18 北京百度网讯科技有限公司 Method and apparatus for application deployment
CN109660466A (en) * 2019-02-26 2019-04-19 浪潮软件集团有限公司 A kind of more live load balance realizing methods towards cloud data center tenant
CN109743415A (en) * 2019-02-27 2019-05-10 上海浪潮云计算服务有限公司 A kind of public cloud network resilience IP realization method and system
CN110266822A (en) * 2019-07-23 2019-09-20 浪潮云信息技术有限公司 A kind of shared implementation of load balancing based on nginx
CN110392108A (en) * 2019-07-23 2019-10-29 浪潮云信息技术有限公司 A kind of public cloud Network Load Balance system architecture and implementation method
CN110737508A (en) * 2019-10-14 2020-01-31 浪潮云信息技术有限公司 cloud container service network system based on wave cloud and implementation method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Security service design for the multi-tenant cloud deployment model of large and medium-sized enterprises; 何军; 《网络安全技术与应用》 (Network Security Technology and Application); 2016-12-15 (No. 12); full text *

Also Published As

Publication number Publication date
CN111314368A (en) 2020-06-19

Similar Documents

Publication Publication Date Title
CN111314368B (en) Method for realizing tube renting intercommunication by using load balancer
CN102571749B (en) Data transmission system and method using relay server
US8627313B2 (en) Virtual machine liveness determination
CN101495993B (en) System and method for distributed multi-processing security gateway
US10404747B1 (en) Detecting malicious activity by using endemic network hosts as decoys
US20120311670A1 (en) System and method for providing source id spoof protection in an infiniband (ib) network
CN101420455A (en) Systems and/or methods for streaming reverse http gateway, and network including the same
EP2492837A1 (en) Network communication system, server system and terminals
US20120311124A1 System and method for supporting subnet manager (sm) level robust handling of unknown management key in an infiniband (ib) network
KR101472685B1 (en) Network connection gateway, a network isolation method and a computer network system using such a gateway
CN105049412A (en) Secure data exchange method, device and equipment among different networks
CN113098990B (en) Server system, client and communication method for communication
CN112822037B (en) Flow arrangement method and system for security resource pool
CN111182022B (en) Data transmission method and device, storage medium and electronic device
CN112272145A (en) Message processing method, device, equipment and machine readable storage medium
US20170141984A1 (en) Method and system for detecting client causing network problem using client route control system
Kantola 6G network needs to support embedded trust
CN111131448B (en) Edge management method, edge proxy equipment and computer readable storage medium for ADSL Nat operation and maintenance management
US20180307474A1 (en) Firmware update in a stacked network device
Walfish et al. Distributed Quota Enforcement for Spam Control.
EP2239883B1 (en) Method, device, system, client node, peer node and convergent point for preventing node from forging identity
CN101141396B (en) Packet processing method and network appliance
CN112671629B (en) Method for realizing private line access under cloud network
CN111818081B (en) Virtual encryption machine management method, device, computer equipment and storage medium
CN110943999B (en) Logistics multi-bin network intercommunication and monitoring method

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant