CN113709200B - Method and device for establishing communication connection - Google Patents


Info

Publication number: CN113709200B
Authority: CN (China)
Prior art keywords: virtual, address, virtual machine, network card, network
Legal status: Active
Application number: CN202010437811.3A
Other languages: Chinese (zh)
Other versions: CN113709200A
Inventor: 周磊
Current Assignee: Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd
Events: application filed by Alibaba Group Holding Ltd; priority to CN202010437811.3A; publication of CN113709200A; application granted; publication of CN113709200B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and a device for establishing a communication connection. A virtual network card is created on a virtual machine in advance and a public network IP address is bound to it, so that when a virtual machine in a VPC needs to establish a communication connection with an external device, it can obtain the public network IP address of the virtual network card created on it and establish the communication connection with the external device on the basis of that public network IP address. Because the virtual machine can obtain the public network IP address of the virtual network card, a direct connection between the virtual machine and the external device can be achieved, and the egress gateway does not need to perform NAT (Network Address Translation) on the establishment request. The effects of NAT, for example a communication connection that cannot be established because of NAT, are thereby avoided; that is, the application can establish the communication connection precisely because the egress gateway is not required to perform NAT on the establishment request.

Description

Method and device for establishing communication connection
Technical Field
The present application relates to the field of the internet, and in particular, to a method and apparatus for establishing a communication connection.
Background
In a classical network in traditional physical form, several physical machines may form a local area network (LAN). The LAN also has an egress gateway, to which the public network IP (Internet Protocol) address of the LAN is bound, and each physical machine has its own private network IP address within the LAN. For any physical machine in the LAN, the machine's network card holds both the machine's private network IP address in the LAN and the public network IP address of the LAN; the same holds for every other physical machine in the LAN.
If a physical machine in the LAN needs to interact with an external device outside the LAN, the physical machine can establish a communication connection with the external device and then interact with it over that connection.
The operating system of the physical machine can obtain both the machine's private network IP address and the public network IP address of the LAN in which the machine is located, so it can establish the communication connection between the physical machine and the external device through the egress gateway on the basis of those two addresses.
Disclosure of Invention
With the rapid development of technology, the VPC (Virtual Private Cloud) is widely used. A VPC is a user-definable isolated network environment based on cloud services, in which the user fully controls their own virtual private network, including selecting their own IP address range, dividing network segments, and configuring routing tables, gateways and the like.
Virtual machines, such as ECS (Elastic Compute Service) instances, may be deployed in the VPC. If an ECS instance needs to interact with an external device, it needs to establish a communication connection with the external device and then interact with it over that connection.
The VPC is provided with an egress gateway to which a public network IP address of the VPC is bound, and the ECS instance is provided with a network card to which the private network IP address of the ECS instance in the VPC is bound. The ECS instance interacts with external devices using the public network IP address of the VPC as its public network IP address.
However, the ECS instance can obtain only its private network IP address in the VPC; it cannot obtain the elastic public network IP address of the VPC.
Therefore, because the ECS instance cannot obtain the public network IP address of the VPC, it cannot establish a communication connection with the external device, for example where the establishment request has to carry the public network IP address of the ECS instance in its data payload.
In order to be able to establish a communication connection between an ECS instance and an external device, the present application shows a method and an apparatus for establishing a communication connection.
In a first aspect, the present application shows a method for establishing a communication connection, applied to a virtual machine in a virtual private cloud (VPC), the method comprising:
when a communication connection between the virtual machine and an external device needs to be established, obtaining a public network IP address bound to a virtual network card created on the virtual machine in advance; and
establishing the communication connection between the virtual machine and the external device based at least on the public network IP address.
In an optional implementation, establishing the communication connection between the virtual machine and the external device based at least on the public network IP address includes:
generating a first establishment request, the first establishment request being used to establish the communication connection;
adding at least the public network IP address to the data payload of the first establishment request to obtain a second establishment request; and
establishing the communication connection based on the second establishment request.
In another optional implementation, establishing the communication connection between the virtual machine and the external device based at least on the public network IP address includes:
generating a first establishment request, the first establishment request being used to establish the communication connection; and
sending the first establishment request and the public network IP address to a virtual switch, the virtual switch being located in the VPC and communicatively connected to the virtual machine, so that the virtual switch adds the public network IP address to the message payload of the first establishment request to obtain a second establishment request and establishes the communication connection based on the second establishment request.
In an optional implementation, the virtual network card is bound to a plurality of public network IP addresses, and obtaining the public network IP address bound to the virtual network card created on the virtual machine in advance includes:
selecting one public network IP address from the plurality of public network IP addresses bound to the virtual network card.
In an optional implementation, selecting one public network IP address from the plurality of public network IP addresses bound to the virtual network card includes:
selecting, from the plurality of public network IP addresses bound to the virtual network card, the public network IP address with the largest idle bandwidth among the bandwidths allocated by the virtual network card.
In an optional implementation, a plurality of virtual network cards are created on the virtual machine in advance, and obtaining the public network IP address bound to the virtual network card created on the virtual machine in advance includes:
selecting one virtual network card from the plurality of virtual network cards created on the virtual machine; and
obtaining the public network IP address bound to the selected virtual network card.
In an optional implementation, selecting one virtual network card from the plurality of virtual network cards created on the virtual machine includes:
selecting, from the plurality of virtual network cards created on the virtual machine, the virtual network card with the largest idle bandwidth.
In an optional implementation, the method further includes:
creating at least one new virtual network card on the virtual machine when the bandwidth utilization of the virtual network card is greater than a first preset utilization.
In an optional implementation, the method further includes:
unloading at least one virtual network card from the virtual machine when the bandwidth utilization of the virtual network card is less than a second preset utilization.
In an optional implementation, the method further includes:
receiving a configuration request for setting a security group rule for the virtual machine; and
configuring the security group rule for the virtual machine on the virtual network card according to the configuration request.
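The virtual-machine side of the first aspect (choosing a network card and a public IP by idle bandwidth, the create/unload thresholds, and adding the public IP to the data payload of the first establishment request), as an added example in Python that is not code from the patent or from Alibaba Cloud. The class and function names, the bandwidth figures, the two thresholds and every address are assumptions; TEST-NET addresses (203.0.113.x, 198.51.100.x) stand in for real EIPs. The payload is an FTP PORT command, one of the application-layer protocols the patent lists, because PORT carries the client's own IP address inside the payload, which is exactly the field an egress NAT would otherwise have to rewrite.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class PublicIp:
    """One public network IP (EIP) bound to a virtual network card, with the
    bandwidth the card allocates to it. All figures are assumed."""
    address: str
    bandwidth_mbps: int
    used_mbps: int = 0

    @property
    def free_mbps(self) -> int:
        return self.bandwidth_mbps - self.used_mbps


@dataclass
class Eni:
    """An auxiliary virtual network card created on the virtual machine in advance."""
    name: str
    private_ip: str
    public_ips: list = field(default_factory=list)

    @property
    def free_mbps(self) -> int:
        return sum(p.free_mbps for p in self.public_ips)

    @property
    def utilization(self) -> float:
        total = sum(p.bandwidth_mbps for p in self.public_ips)
        return 0.0 if total == 0 else 1.0 - self.free_mbps / total


def select_eni(enis):
    """Several cards on the VM: take the one with the most idle bandwidth."""
    return max(enis, key=lambda e: e.free_mbps)


def select_public_ip(eni):
    """Several EIPs on one card: take the EIP with the most idle bandwidth."""
    return max(eni.public_ips, key=lambda p: p.free_mbps)


def scaling_action(eni, high=0.8, low=0.2):
    """'create' above the first preset utilization, 'unload' below the second.
    The thresholds are assumptions; the patent fixes no values."""
    if eni.utilization > high:
        return "create"
    if eni.utilization < low:
        return "unload"
    return None


def ftp_port_command(ip: str, port: int) -> str:
    """FTP PORT (RFC 959): h1,h2,h3,h4,p1,p2 with the client's own address.
    With a private address here the egress NAT must rewrite the payload; with
    the card's public IP it need not touch the request at all."""
    octets = str(IPv4Address(ip)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)]) + "\r\n"


def build_second_request(first_request: dict, public_ip: str) -> dict:
    """Add the public IP to the data payload of the first establishment request.
    first_request describes the intended connection (assumed dict shape)."""
    second = dict(first_request)
    second["src"] = public_ip
    second["payload"] = ftp_port_command(public_ip, first_request["data_port"])
    return second


def establish(enis, first_request):
    """Whole VM-side flow: pick the card and EIP, then build the second request."""
    eni = select_eni(enis)
    eip = select_public_ip(eni)
    return eni, eip, build_second_request(first_request, eip.address)


# Constructed sample: two cards, three EIPs, one pending active-mode FTP session.
SAMPLE_ENIS = [
    Eni("eni-a", "10.0.0.5", [PublicIp("203.0.113.10", 1000, 700),
                              PublicIp("203.0.113.11", 1000, 200)]),
    Eni("eni-b", "10.0.0.6", [PublicIp("203.0.113.20", 500, 450)]),
]
SAMPLE_FIRST_REQUEST = {"dst": "198.51.100.7", "dst_port": 21, "data_port": 50000}

if __name__ == "__main__":
    eni, eip, second = establish(SAMPLE_ENIS, SAMPLE_FIRST_REQUEST)
    print(eni.name, eip.address, repr(second["payload"]))
    for e in SAMPLE_ENIS:
        print(e.name, round(e.utilization, 2), scaling_action(e))
```

scaling_action only reports the decision; actually creating or unloading a card is a control-plane call that the patent leaves to the cloud platform.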
In a second aspect, the present application shows a method for establishing a communication connection, applied to a virtual switch in a virtual private cloud (VPC), the method comprising:
receiving a first establishment request sent by a virtual machine in the VPC, and obtaining a public network IP address bound to a virtual network card created on the virtual machine in advance, the first establishment request being used to establish a communication connection between the virtual machine and an external device;
adding the public network IP address to the message payload of the first establishment request to obtain a second establishment request; and
establishing the communication connection based on the second establishment request.
In an optional implementation, obtaining the public network IP address bound to the virtual network card created on the virtual machine in advance includes:
receiving the public network IP address bound to the virtual network card, as sent by the virtual machine; or
obtaining the private network IP address of the virtual network card carried in the data payload of the first establishment request, and obtaining the public network IP address bound to the virtual network card according to that private network IP address.
In an optional implementation, obtaining the public network IP address bound to the virtual network card according to the private network IP address includes:
looking up, in a correspondence between the private network IP address and the public network IP address of the virtual network card corresponding to the virtual machine, the public network IP address that corresponds to the private network IP address of the virtual network card.
In an optional implementation, the virtual network card is bound to a plurality of public network IP addresses, and obtaining the public network IP address bound to the virtual network card according to the private network IP address includes:
selecting, according to the private network IP address, one public network IP address from the plurality of public network IP addresses bound to the virtual network card.
In an optional implementation, selecting, according to the private network IP address, one public network IP address from the plurality of public network IP addresses bound to the virtual network card includes:
selecting, according to the private network IP address and from the plurality of public network IP addresses bound to the virtual network card, the public network IP address with the largest idle bandwidth among the bandwidths allocated by the virtual network card.
In an optional implementation, the method further includes:
when a new virtual network card is created on the virtual machine, storing the private network IP address of the new virtual network card and the public network IP address bound to it in the correspondence.
In an optional implementation, the method further includes:
when a virtual network card on the virtual machine is unloaded, deleting from the correspondence the private network IP address of the unloaded virtual network card and the public network IP address bound to it.
In an optional implementation, the method further includes:
receiving a configuration request for setting a security group rule for the virtual machine; and
configuring the security group rule for the virtual machine on the virtual switch according to the configuration request.
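The virtual-switch side of the second aspect, as an added example in Python that is not code from the patent or from Alibaba Cloud: a correspondence table from a network card's private network IP address to its bound public network IP addresses, kept in step as cards are created and unloaded, a lookup that prefers the public IP with the most idle bandwidth, and the rewrite of a first establishment request into a second one. The class names, the SIP INVITE and every address are constructed for illustration (TEST-NET ranges stand in for real EIPs). SIP is one of the application-layer protocols the patent lists; its Via and Contact headers and the SDP c= and o= lines carry the caller's own address inside the payload, which is the part of the request an egress NAT would otherwise have to fix up.

```python
import re
from typing import Dict, List, Optional, Tuple

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# SIP header lines (RFC 3261) and SDP body lines (RFC 8866) that carry the
# caller's own address; these are the payload fields a NAT would have to rewrite.
ADDRESS_LINES = ("Via:", "Contact:", "c=", "o=")


class Correspondence:
    """Private network IP of a virtual network card -> its bound public network
    IPs, each with its idle bandwidth in Mbps (figures assumed)."""

    def __init__(self) -> None:
        self._table: Dict[str, List[Tuple[str, int]]] = {}

    def on_eni_created(self, private_ip: str, public_ips: List[Tuple[str, int]]) -> None:
        self._table[private_ip] = list(public_ips)

    def on_eni_unloaded(self, private_ip: str) -> None:
        self._table.pop(private_ip, None)

    def lookup(self, private_ip: str) -> Optional[str]:
        """Select the bound public IP with the most idle bandwidth, or None."""
        entries = self._table.get(private_ip)
        if not entries:
            return None
        return max(entries, key=lambda entry: entry[1])[0]


class NoPublicAddress(Exception):
    """An address line carries an IP the switch has no public IP for; forwarding
    it would leave the egress gateway to perform NAT on the payload after all."""


def rewrite_establishment_request(first_request: bytes, table: Correspondence) -> bytes:
    """Turn the first establishment request into the second one by replacing the
    private network IP on each address line with the bound public network IP."""
    head, sep, body = first_request.decode("ascii").partition("\r\n\r\n")

    def fix_line(line: str) -> str:
        if not line.startswith(ADDRESS_LINES):
            return line

        def swap(match):
            public_ip = table.lookup(match.group(0))
            if public_ip is None:
                raise NoPublicAddress(match.group(0))
            return public_ip

        return IPV4_RE.sub(swap, line)

    head = "\r\n".join(fix_line(l) for l in head.split("\r\n"))
    body = "\r\n".join(fix_line(l) for l in body.split("\r\n"))
    # The SDP body changed length, so the header must be corrected as well.
    head = re.sub(r"Content-Length: \d+", f"Content-Length: {len(body)}", head)
    return (head + sep + body).encode("ascii")


def sip_invite(own_ip: str, callee_ip: str) -> bytes:
    """Constructed sample INVITE as the virtual machine would emit it."""
    body = (
        "v=0\r\n"
        f"o=alice 1 1 IN IP4 {own_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {own_ip}\r\n"
        "m=audio 49170 RTP/AVP 0\r\n"
    )
    head = (
        f"INVITE sip:bob@{callee_ip} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {own_ip}:5060;branch=z9hG4bK776\r\n"
        f"From: <sip:alice@{own_ip}>;tag=1\r\n"
        f"To: <sip:bob@{callee_ip}>\r\n"
        f"Call-ID: 1@{own_ip}\r\n"
        "CSeq: 1 INVITE\r\n"
        f"Contact: <sip:alice@{own_ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}"
    )
    return (head + "\r\n\r\n" + body).encode("ascii")


if __name__ == "__main__":
    table = Correspondence()
    table.on_eni_created("10.0.0.5", [("203.0.113.10", 300), ("203.0.113.11", 700)])
    print(rewrite_establishment_request(sip_invite("10.0.0.5", "198.51.100.7"), table).decode())
```

Only the lookup-by-private-address variant is implemented: the switch takes the public address from its own correspondence table rather than from a value the virtual machine supplies, so a virtual machine cannot present a public address that is not bound to one of its own network cards. Content-Length is recomputed because the rewritten SDP body changes length. From and Call-ID are left untouched; they are identifiers rather than routing targets, although they still disclose the private address to the callee.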
In a third aspect, the present application shows an apparatus for establishing a communication connection, applied to a virtual machine in a virtual private cloud (VPC), the apparatus comprising:
a first obtaining module, configured to obtain, when a communication connection between the virtual machine and an external device needs to be established, a public network IP address bound to a virtual network card created on the virtual machine in advance; and
a first establishing module, configured to establish the communication connection between the virtual machine and the external device based at least on the public network IP address.
In an optional implementation, the first establishing module includes:
a first generating unit, configured to generate a first establishment request, the first establishment request being used to establish the communication connection;
an adding unit, configured to add at least the public network IP address to the data payload of the first establishment request to obtain a second establishment request; and
an establishing unit, configured to establish the communication connection based on the second establishment request.
In another optional implementation, the first establishing module includes:
a second generating unit, configured to generate a first establishment request, the first establishment request being used to establish the communication connection; and
a sending unit, configured to send the first establishment request and the public network IP address to a virtual switch, the virtual switch being located in the VPC and communicatively connected to the virtual machine, so that the virtual switch adds the public network IP address to the message payload of the first establishment request to obtain a second establishment request and establishes the communication connection based on the second establishment request.
In an optional implementation, the virtual network card is bound to a plurality of public network IP addresses, and the first obtaining module includes:
a first selecting unit, configured to select one public network IP address from the plurality of public network IP addresses bound to the virtual network card.
In an optional implementation, the first selecting unit includes:
a first selecting subunit, configured to select, from the plurality of public network IP addresses bound to the virtual network card, the public network IP address with the largest idle bandwidth among the bandwidths allocated by the virtual network card.
In an optional implementation, a plurality of virtual network cards are created on the virtual machine in advance, and the first obtaining module includes:
a second selecting unit, configured to select one virtual network card from the plurality of virtual network cards created on the virtual machine; and
a first obtaining unit, configured to obtain the public network IP address bound to the selected virtual network card.
In an optional implementation, the second selecting unit includes:
a second selecting subunit, configured to select, from the plurality of virtual network cards created on the virtual machine, the virtual network card with the largest idle bandwidth.
In an optional implementation, the apparatus further includes:
a creating module, configured to create at least one new virtual network card on the virtual machine when the bandwidth utilization of the virtual network card is greater than a first preset utilization.
In an optional implementation, the apparatus further includes:
an unloading module, configured to unload at least one virtual network card from the virtual machine when the bandwidth utilization of the virtual network card is less than a second preset utilization.
In an optional implementation, the apparatus further includes:
a first receiving module, configured to receive a configuration request for setting a security group rule for the virtual machine; and
a first configuring module, configured to configure the security group rule for the virtual machine on the virtual network card according to the configuration request.
In a fourth aspect, the present application shows an apparatus for establishing a communication connection, applied to a virtual switch in a virtual private cloud (VPC), the apparatus comprising:
a second receiving module, configured to receive a first establishment request sent by a virtual machine in the VPC, and a second obtaining module, configured to obtain a public network IP address bound to a virtual network card created on the virtual machine in advance, the first establishment request being used to establish a communication connection between the virtual machine and an external device;
an adding module, configured to add the public network IP address to the message payload of the first establishment request to obtain a second establishment request; and
a second establishing module, configured to establish the communication connection based on the second establishment request.
In an optional implementation, the second obtaining module includes:
a receiving unit, configured to receive the public network IP address bound to the virtual network card, as sent by the virtual machine; or
a second obtaining unit, configured to obtain the private network IP address of the virtual network card carried in the data payload of the first establishment request, and a third obtaining unit, configured to obtain the public network IP address bound to the virtual network card according to that private network IP address.
In an optional implementation, the third obtaining unit includes:
a lookup subunit, configured to look up, in a correspondence between the private network IP address and the public network IP address of the virtual network card corresponding to the virtual machine, the public network IP address that corresponds to the private network IP address of the virtual network card.
In an optional implementation, the virtual network card is bound to a plurality of public network IP addresses, and the third obtaining unit includes:
a third selecting subunit, configured to select, according to the private network IP address, one public network IP address from the plurality of public network IP addresses bound to the virtual network card.
In an optional implementation, the third selecting subunit is specifically configured to select, according to the private network IP address and from the plurality of public network IP addresses bound to the virtual network card, the public network IP address with the largest idle bandwidth among the bandwidths allocated by the virtual network card.
In an optional implementation, the apparatus further includes:
a storing module, configured to store, when a new virtual network card is created on the virtual machine, the private network IP address of the new virtual network card and the public network IP address bound to it in the correspondence.
In an optional implementation, the apparatus further includes:
a deleting module, configured to delete from the correspondence, when a virtual network card on the virtual machine is unloaded, the private network IP address of the unloaded virtual network card and the public network IP address bound to it.
In an optional implementation, the apparatus further includes:
a second receiving module, configured to receive a configuration request for setting a security group rule for the virtual machine; and
a second configuring module, configured to configure the security group rule for the virtual machine on the virtual switch according to the configuration request.
In a fifth aspect, the present application shows an electronic device comprising:
a processor; and
a memory having executable code stored thereon that, when executed, causes the processor to perform the method of establishing a communication connection as described in the first aspect.
In a sixth aspect, the present application shows a machine readable medium having stored thereon executable code which, when executed, causes a processor to perform the method of establishing a communication connection as described in the first aspect.
In a seventh aspect, the present application shows an electronic device comprising:
a processor; and
a memory having executable code stored thereon that, when executed, causes the processor to perform the method of establishing a communication connection as described in the second aspect.
In an eighth aspect, the present application shows a machine readable medium having stored thereon executable code which when executed causes a processor to perform the method of establishing a communication connection as described in the second aspect.
Compared with the prior art, the embodiments of the present application have the following advantages:
In the present application, a virtual network card is created on the virtual machine in advance and a public network IP address is bound to it. When a virtual machine in the VPC needs to establish a communication connection with an external device, it can therefore obtain the public network IP address of the virtual network card created on it and establish the communication connection with the external device based on that public network IP address.
To establish the communication connection, the virtual machine sends an establishment request to the external device through the virtual switch, the egress gateway and other devices in the VPC. Because the virtual machine can obtain the public network IP address of its virtual network card, it can add that public network IP address to the data payload of the establishment request. The data payload therefore already carries the public network IP address of the virtual network card before the request reaches the egress gateway of the VPC, so the payload contains both the public network IP address of the external device and the public network IP address of the virtual machine's virtual network card. A direct connection between the virtual machine and the external device is thereby achieved without the egress gateway performing NAT (Network Address Translation) on the establishment request, which avoids the effects of NAT, for example a communication connection that cannot be established because of NAT. In other words, the communication connection can be established precisely because the egress gateway is not required to perform NAT on the establishment request.
Drawings
Fig. 1 is a block diagram illustrating a system for establishing a communication connection according to an exemplary embodiment of the present application.
Fig. 2 is a flow chart illustrating a method of establishing a communication connection according to an exemplary embodiment of the present application.
Fig. 3 is a flow chart illustrating a method of establishing a communication connection according to an exemplary embodiment of the present application.
Fig. 4 is a flow chart illustrating a method of establishing a communication connection according to an exemplary embodiment of the present application.
Fig. 5 is a flow chart illustrating a method of establishing a communication connection according to an exemplary embodiment of the present application.
Fig. 6 is a block diagram illustrating a structure of an apparatus for establishing a communication connection according to an exemplary embodiment of the present application.
Fig. 7 is a block diagram illustrating a structure of an apparatus for establishing a communication connection according to an exemplary embodiment of the present application.
Fig. 8 is a schematic structural diagram of an apparatus according to an embodiment of the present application.
Detailed Description
In order that the above-recited objects, features and advantages of the present application will become more readily apparent, a more particular description of the application will be rendered by reference to the appended drawings and appended detailed description.
Referring to fig. 1, there is shown a block diagram of a system for establishing a communication connection according to the present application. The system comprises a VPC (Virtual Private Cloud) comprising at least one virtual machine, at least one virtual switch and at least one egress gateway. The egress gateway may act as the portal of the VPC.
When a virtual machine in the VPC needs to exchange data with an external device, the virtual machine can establish a communication connection with the external device through at least one virtual switch and the egress gateway in the VPC, and the data exchange between the virtual machine and the external device can then take place over that connection. The external device may be located outside the VPC, or may be another virtual machine in the VPC, and so on.
The virtual machine comprises at least two virtual network cards, of which at least one is a main network card of the virtual machine and at least one is an auxiliary network card of the virtual machine.
Each main network card can be bound to a private network IP address in the VPC.
Each auxiliary network card can be bound to a private network IP address in the VPC, and each auxiliary network card can additionally be bound to at least one public network IP address.
The virtual machine can exchange data with devices in the VPC based on the private network IP address of the auxiliary network card, can exchange data with devices outside the VPC based on the public network IP address of the auxiliary network card, and can also exchange data with devices in the VPC based on the public network IP address of the auxiliary network card.
The main network card may be the network card configured for the virtual machine when it is created, that is, an inherent network card of the virtual machine; in one embodiment, the main network card cannot be unloaded from the virtual machine.
The virtual machine can exchange data with other devices through the main network card; for example, it can exchange data with the virtual switch directly connected to it, and it can send data outwards and receive data addressed to it based on the main network card.
The auxiliary network card comprises an ENI (Elastic Network Interface), which is a network card that can be created on, or unloaded from, the virtual machine as required.
The virtual machine can exchange data with other devices based on the auxiliary network card; for example, it can exchange data with the virtual switch directly connected to it.
The virtual machine can send data outwards and receive data addressed to it based on the auxiliary network card.
The virtual machine includes an ECS (Elastic Compute Service) instance.
The VPC of fig. 1 is illustrated as including one virtual machine, one virtual switch and one egress gateway, but this is not intended to limit the scope of the application.
In fig. 1, the virtual machine includes two network cards, one of which may be the main network card and the other the auxiliary network card; the auxiliary network card may be an ENI, and the virtual machine may establish a communication connection with a device on the internet through the virtual switch and the egress gateway based on the auxiliary network card.
Where the auxiliary network card is an ENI, the public network IP address of the ENI includes a public network EIP (Elastic IP) address, and so on.
Referring to fig. 2, a flow chart of a method for establishing a communication connection according to the present application is shown, where the method is applied to the virtual machine shown in fig. 1, and the method may include:
in step S101, under the condition that communication connection between the virtual machine and the external device needs to be established, a public network IP address bound with a virtual network card created in advance on the virtual machine is obtained;
wherein in one embodiment the external device may be located outside the VPC, in another embodiment the external device may be another virtual machine within the VPC, etc.
The process of obtaining the public network IP address bound by the virtual network card in this step may refer to the embodiment shown later, and will not be described in detail herein.
In step S102, a communication connection between the virtual machine and the external device is established based at least on the public network IP address.
Wherein the communication connection comprises an application layer protocol based communication connection between the virtual machine and the external device, etc.
In the present application, the application layer protocols include: FTP (File Transfer Protocol), H.323 (audio/video conferencing protocol), RAS (Remote Access Server, remote access service), SIP (Session Initiation Protocol), NFS (Network File System), DNS (Domain Name System protocol), RTSP (Real Time Streaming Protocol), and the like.
In the application, the virtual network card can be established on the virtual machine in advance, and the public network IP address is bound on the virtual network card, so that the virtual machine can acquire the public network IP address of the virtual network card established on the virtual machine under the condition that the virtual machine in the VPC needs to establish communication connection with external equipment, and the communication connection between the virtual machine and the external equipment can be established based on the public network IP address of the virtual network card.
When the communication connection is established, the virtual machine sends an establishment request to the external device through the virtual switch, the egress gateway and other devices in the VPC. Because the virtual machine can obtain the public network IP address of the virtual network card created on it, it can add that public network IP address to the data payload of the establishment request. In this way, before the establishment request reaches the egress gateway of the VPC, its data payload already carries the public network IP address of the virtual network card together with the public network IP address of the external device. A direct connection between the virtual machine and the external device can therefore be achieved without the egress gateway performing a NAT operation on the establishment request, so the influence of NAT is avoided, for example the problem that a connection cannot be established because NAT rewrites only the packet header while an application layer protocol such as FTP or SIP carries the endpoint address inside the message body. Since the egress gateway does not need to perform NAT on the establishment request, the communication connection, for example a communication connection based on an application layer protocol, can be established.
In one embodiment of the present application, referring to fig. 3, step S102 includes:
in step S201, a first establishment request is generated, the first establishment request being used to establish a communication connection between the virtual machine and the external device;
wherein the communication connection comprises an application layer protocol based communication connection between the virtual machine and the external device, etc.
The data load of the first establishment request may further include a public network IP address of the external device, and the like.
Wherein the data payload of the first establishment request is distinct from the data header (message header) of the first establishment request.
In step S202, at least adding a public network IP address to the data payload of the first establishment request to obtain a second establishment request;
In one manner, after the first establishment request is generated, the private network IP address of the virtual network card in the VPC may be carried by default in the data payload of the first establishment request; the virtual machine performs data interaction with other devices in the VPC based on that private network IP address.
When the virtual machine needs to establish a communication connection with the external device, the public network IP address bound to the virtual network card of the virtual machine has to be used, so at least the public network IP address needs to be added to the data payload of the first establishment request to obtain a second establishment request, based on which the communication connection between the virtual machine and the external device is then established.
In that case the public network IP address bound to the virtual network card is used to establish the connection, and the private network IP address of the virtual network card in the VPC need not be used.
Therefore, to avoid as far as possible that the data payload of the establishment request carries data that is not used when the communication connection is established, in one embodiment of the application the public network IP address replaces the private network IP address of the virtual network card in the data payload of the first establishment request when the second establishment request is obtained. The second establishment request then does not carry the private network IP address of the virtual network card in the VPC, which is of no use when the virtual machine interacts with the external device, thereby simplifying the second establishment request.
In step S203, a communication connection between the virtual machine and the external device is established based on the second establishment request.
The application needs to establish communication connection between the virtual machine and the external equipment, wherein the data load of the second establishment request at least carries the public network IP address bound by the virtual network card of the virtual machine and the public network IP address of the external equipment.
In this way, the virtual machine can establish a communication connection with the external device via the virtual switch in the VPC and the egress gateway according to the second establishment request.
For example, in the present application, the virtual machine may first route the second setup request to the virtual switch in the VPC based on the public IP address of the external device in the data payload of the second setup request.
The virtual switch receives the second setup request and then routes the second setup request to the egress gateway of the VPC according to the public network IP address of the external device in the data payload of the second setup request.
The egress gateway receives the second setup request and then routes the second setup request to the external device according to the public network IP address of the external device in the data payload of the second setup request.
The external device receives a second setup request. And then generating an establishment response according to the second establishment request, wherein the data load in the establishment response comprises the public network IP address of the external equipment and the public network IP address bound by the virtual network card of the virtual machine, and then routing the establishment response to the exit gateway of the VPC according to the public network IP address in the data load of the establishment response.
The egress gateway of the VPC receives the setup response and then routes the setup response to the virtual switch in the VPC according to the public network IP address in the data payload in the setup response.
The virtual switch receives the setup response and then routes the setup response to the virtual network card of the virtual machine according to the public network IP address in the data payload in the setup response.
The virtual machine receives the establishing response based on the virtual network card in the virtual machine, so that the communication connection between the virtual machine and the external equipment is established.
The above-mentioned process of establishing the communication connection is a two-way handshake process between the virtual machine and the external device, and of course, in another manner, the communication connection may also be a three-way handshake process, which is not described in detail herein.
In the conventional manner, the virtual machine cannot obtain the public network IP address; it can only obtain the private network IP address of the virtual network card created on it. The virtual machine may generate an establishment request for establishing the communication connection, but the data payload of that establishment request carries the private network IP address of the virtual network card and no public network IP address.
In the embodiment shown in fig. 3, after the first establishment request is generated, the virtual machine needs to add at least the public network IP address to the data payload of the first establishment request in order to obtain the second establishment request.
This requires a technician to improve the functionality of the virtual machine in advance, for example by modifying the computer program code in the virtual machine so that the virtual machine is able to add a public network IP address to the data payload of the establishment request.
However, modifying the computer program code in the virtual machine brings additional effort for the technician and therefore higher labor costs. Moreover, a VPC often contains a large number of virtual machines, and modifying the computer program code of each virtual machine in the VPC separately adds significant labor cost.
Thus, in order to reduce the labor cost, in another embodiment of the present application the job of "adding a public network IP address to the data payload of the establishment request" may be performed by the virtual switch of the VPC.
For example, a technician may have improved the functionality of the virtual switch in advance, e.g. modified the computer program code in the virtual switch, so that the virtual switch is able to add a public network IP address to the data payload of the establishment request.
Thus, the virtual machine does not need the capability of adding the public network IP address to the data payload of the establishment request, and its functionality does not need to be improved by a technician; for example, the technician does not need to modify the computer program code in the virtual machine.
In a VPC the number of virtual machines is usually larger than the number of virtual switches, so in this case the technician can improve the functionality of fewer devices in the VPC, i.e. modify the computer program code of fewer devices, than in the embodiment shown in fig. 3. This embodiment of the application thus reduces the number of devices in the VPC whose functionality needs improvement and whose computer program code needs modification, reducing the workload of technicians and hence the labor cost.
Specifically, referring to fig. 4, step S102 includes:
in step S301, a first establishment request is generated, the first establishment request being used to establish a communication connection between the virtual machine and the external device;
wherein the communication connection comprises an application layer protocol based communication connection between the virtual machine and the external device, etc.
The data load of the first establishment request may further include a public network IP address of the external device, and the like.
Wherein the data payload of the first establishment request is distinct from the data header (message header) of the first establishment request.
In step S302, a first establishment request and a public network IP address are sent to a virtual switch, where the virtual switch is located in the VPC and is in communication connection with the virtual machine, so that the virtual switch adds the public network IP address in a message payload of the first establishment request to obtain a second establishment request, and establishes a communication connection between the virtual machine and an external device based on the second establishment request.
In the application, after the virtual machine generates the first establishment request, the virtual machine only needs to send the first establishment request and the public network IP address to the virtual switch for processing, and at least the public network IP address is not required to be added in the data load of the first establishment request.
The process by which the virtual switch performs "adding the public network IP address to the message payload of the first establishment request to obtain the second establishment request, and establishing the communication connection based on the second establishment request" may specifically refer to the embodiment shown in fig. 5, which is not described in detail here.
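The following is an added example, not code from the patent or from Alibaba, showing what steps S202 (rewrite performed by the virtual machine, fig. 3) and S302/S402 (rewrite performed by the virtual switch, fig. 4 and fig. 5) amount to in practice: the private address that an application layer protocol carries in its payload is replaced by the public network IP address bound to the ENI, while the header is left alone. It goes slightly beyond the text in two ways: it handles two payload encodings (the FTP PORT command, where the address is comma separated, and SIP/SDP c= and o= lines, where it is dotted), and it adds a check, which the patent does not describe, that the public address being inserted is actually bound to the requesting ENI. The addresses, the binding table `ENI_BINDINGS` and the request dictionary layout are constructed assumptions.

```python
import re

# Constructed example values (not from the patent).
PRIVATE_IP = "10.0.1.5"          # VPC-private address of the ENI
PUBLIC_IP = "203.0.113.10"       # EIP bound to that ENI
# Assumed binding table, as the VM or virtual switch would learn it from the control plane.
ENI_BINDINGS = {PRIVATE_IP: {PUBLIC_IP}}

FTP_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
# SDP connection (c=) and origin (o=) lines carry the media endpoint address.
SDP_ADDR_RE = re.compile(r"^(c=IN IP4 |o=\S+ \d+ \d+ IN IP4 )(\S+)", re.M)


def ftp_port_command(ip: str, port: int) -> str:
    """RFC 959 PORT command: the address lives in the payload, where header-level
    NAT never rewrites it."""
    o = ip.split(".")
    return f"PORT {o[0]},{o[1]},{o[2]},{o[3]},{port >> 8},{port & 0xFF}\r\n"


def parse_ftp_port(cmd: str):
    """Return (ip, port) from a PORT command."""
    m = FTP_PORT_RE.match(cmd)
    if m is None:
        raise ValueError("not a PORT command")
    g = m.groups()
    return ".".join(g[:4]), (int(g[4]) << 8) | int(g[5])


def rewrite_ftp_port(payload: str, private_ip: str, public_ip: str) -> str:
    ip, port = parse_ftp_port(payload)
    return ftp_port_command(public_ip, port) if ip == private_ip else payload


def rewrite_sdp(payload: str, private_ip: str, public_ip: str) -> str:
    """Replace the private address wherever SDP c=/o= lines carry it."""
    def repl(m):
        addr = public_ip if m.group(2) == private_ip else m.group(2)
        return m.group(1) + addr
    return SDP_ADDR_RE.sub(repl, payload)


REWRITERS = {"ftp": rewrite_ftp_port, "sip": rewrite_sdp}


def is_bound(private_ip: str, public_ip: str, bindings=ENI_BINDINGS) -> bool:
    return public_ip in bindings.get(private_ip, set())


def build_second_request(first: dict, public_ip: str, bindings=ENI_BINDINGS) -> dict:
    """Derive the second establishment request from the first (steps S202 / S402).

    `first` is a dict {"proto", "header": {"src", "dst"}, "payload"} (assumed layout);
    the header is copied untouched and only the payload is rewritten. The binding
    check is an added safeguard, not part of the patent, so that the inserted address
    is always one the control plane actually bound to the requesting ENI."""
    private_ip = first["header"]["src"]
    if not is_bound(private_ip, public_ip, bindings):
        raise PermissionError(f"{public_ip} is not bound to the ENI at {private_ip}")
    rewrite = REWRITERS[first["proto"]]
    return {
        "proto": first["proto"],
        "header": dict(first["header"]),
        "payload": rewrite(first["payload"], private_ip, public_ip),
    }


if __name__ == "__main__":
    first = {"proto": "ftp",
             "header": {"src": PRIVATE_IP, "dst": "198.51.100.7"},
             "payload": ftp_port_command(PRIVATE_IP, 1025)}
    second = build_second_request(first, PUBLIC_IP)
    print(first["payload"].strip(), "->", second["payload"].strip())
```

The same `build_second_request` is what the virtual switch would run in the fig. 5 embodiment; the only difference is who holds the binding table. Whoever performs the rewrite should be the one that learned the binding from the control plane rather than trusting an address supplied in the request, which is what the `is_bound` check enforces.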
In one embodiment of the present application, a plurality of virtual network cards may be created on the virtual machine. Because the virtual machine interacts with the external device based on one virtual network card, when the public network IP address bound to a virtual network card created in advance on the virtual machine is obtained in step S101, one virtual network card may be selected from the plurality created on the virtual machine, for example at random, and the public network IP address bound to the selected virtual network card is then obtained.
In one embodiment of the present application, when a plurality of virtual network cards are created on the virtual machine, each of them has its own fixed bandwidth. Thus, for any virtual network card created on the virtual machine, the maximum bandwidth available when the virtual machine interacts with the external device based on the public network IP address bound to that virtual network card is the fixed bandwidth of that virtual network card, and the same holds for every other virtual network card created on the virtual machine.
Therefore, in order to improve the efficiency of the data interaction between the virtual machine and the external device, in another embodiment of the present application, when one virtual network card is selected from the plurality of virtual network cards created on the virtual machine, the virtual network card with the largest idle bandwidth may be selected.
In one embodiment of the present application, a plurality of public network IP addresses may be bound to the virtual network card of the virtual machine. In this way, the present application can support creating containers in a virtual machine; a container may be regarded as a virtual machine within a virtual machine, e.g. where the virtual machine in the VPC is an ECS instance, the container may be a virtual machine inside the ECS instance.
The system architecture is then VPC, virtual machine, container. The virtual network card in the virtual machine can act as an egress gateway for the containers, and each container can interact with devices outside the virtual machine based on the virtual network card of the virtual machine. Since the virtual network card of the virtual machine is bound to a plurality of public network IP addresses, different containers in the virtual machine can interact with external devices based on different public network IP addresses bound to that virtual network card.
Because the virtual machine can use one public network IP address when performing data interaction with the external device, when the public network IP address bound by the virtual network card created in advance on the virtual machine is obtained in step S101, one public network IP address can be selected from a plurality of public network IP addresses bound by the virtual network card of the virtual machine, for example, one public network IP address is randomly selected from a plurality of public network IP addresses bound by the virtual network card of the virtual machine.
In one embodiment of the present application, the virtual network card of the virtual machine has a fixed bandwidth, so when a plurality of public network IP addresses are bound to it, the virtual network card can allocate a respective share of that bandwidth to each public network IP address.
Thus, for any public network IP address bound to the virtual network card of the virtual machine, the maximum bandwidth available when the virtual machine interacts with the external device based on that public network IP address is the bandwidth the virtual network card allocated to that address, and the same holds for every other public network IP address bound to the virtual network card.
Therefore, in order to improve the efficiency of the data interaction between the virtual machine and the external device, in another embodiment of the present application, when one public network IP address is selected from the plurality bound to the virtual network card of the virtual machine, the public network IP address whose allocated bandwidth has the largest idle share may be selected.
In the application, sometimes, the data volume of the data interaction between the virtual machine and the external equipment is increased along with the increase of the traffic volume, and if the bandwidth of the virtual network card of the virtual machine cannot bear the increased data volume of the interaction, the data interaction efficiency is reduced, thereby influencing the normal operation of the traffic.
Therefore, in this case, the virtual machine may detect in real time whether the bandwidth usage rate of the virtual network card is greater than a first preset usage rate, where the first preset usage rate includes 80%, 85% or 90% of the bandwidth of the virtual network card, etc., the present application not being limited thereto; in the case that the bandwidth usage rate of the virtual network card is greater than the first preset usage rate, at least one new virtual network card may be created on the virtual machine.
The new virtual network card has a fixed bandwidth and is bound to a public network IP address, and the virtual machine can interact with the external device based on the public network IP address bound to the new virtual network card. The bandwidth available to the virtual machine for interacting with the external device is thereby increased, the data interaction efficiency rises, and the impact on normal operation of the service is avoided as far as possible.
Correspondingly, as the traffic falls, the data volume of the interaction between the virtual machine and the external device sometimes decreases, and most of the bandwidth of the virtual network card of the virtual machine sits idle rather than being used, so that bandwidth resources are wasted.
Therefore, in this case, the virtual machine may detect in real time whether the bandwidth usage rate of the virtual network card is smaller than a second preset usage rate, where the second preset usage rate includes 20%, 15% or 10% of the bandwidth of the virtual network card, etc., the present application not being limited thereto; in the case that the bandwidth usage rate of the virtual network card is smaller than the second preset usage rate, at least one virtual network card may be unloaded from the virtual machine.
The virtual network card of the virtual machine has a fixed bandwidth and the unloaded virtual network card is bound to a public network IP address. After at least one virtual network card is unloaded, the virtual machine no longer interacts with the external device based on the public network IP address bound to the unloaded virtual network card, so the bandwidth available for that interaction is reduced; the unloaded virtual network card can be created on another virtual machine with heavier traffic, so that the bandwidth resource of the virtual network card is used fully and reasonably.
Therefore, a virtual network card supporting a public network IP address can be created on one virtual machine or unloaded from it, and can thus be migrated from one virtual machine to another. This also supports disaster recovery for the virtual machine: when a virtual machine carrying such a virtual network card goes down, the virtual network card supporting the public network IP address can be migrated to another healthy virtual machine, which then continues to use it to provide data services externally, improving availability and reliability.
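An added example (not the patent's code) of the selection and scaling policy described above: each ENI has a fixed bandwidth, each EIP bound to it gets an allocated share, the endpoint with the most idle bandwidth is chosen instead of a random one, and a control-loop step creates a new ENI above the first preset usage rate or unloads one below the second. Two guards are added that the text does not mention and that a practitioner would want: the last ENI is never unloaded, and an under-used ENI is only unloaded when the remaining ENIs can absorb its traffic without crossing the upper threshold. The ENI names, addresses and bandwidth figures in `sample_enis` are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Thresholds from the description: create above the first preset usage rate,
# unload below the second. These values are the patent's own examples.
SCALE_UP = 0.80
SCALE_DOWN = 0.20


@dataclass
class PublicIp:
    address: str
    allocated_mbps: float     # share of the ENI's fixed bandwidth given to this EIP
    used_mbps: float = 0.0

    @property
    def free_mbps(self) -> float:
        return self.allocated_mbps - self.used_mbps


@dataclass
class Eni:
    name: str
    bandwidth_mbps: float     # the ENI's fixed bandwidth
    public_ips: List[PublicIp] = field(default_factory=list)

    @property
    def used_mbps(self) -> float:
        return sum(ip.used_mbps for ip in self.public_ips)

    @property
    def free_mbps(self) -> float:
        return self.bandwidth_mbps - self.used_mbps

    @property
    def usage(self) -> float:
        return self.used_mbps / self.bandwidth_mbps if self.bandwidth_mbps else 1.0


def select_eni(enis: List[Eni]) -> Eni:
    """Pick the ENI with the most idle bandwidth (rather than one at random)."""
    return max(enis, key=lambda e: e.free_mbps)


def select_public_ip(eni: Eni) -> PublicIp:
    """Among the EIPs bound to one ENI, pick the one with the most idle allocated bandwidth."""
    return max(eni.public_ips, key=lambda ip: ip.free_mbps)


def select_endpoint(enis: List[Eni]) -> Tuple[str, str]:
    """Step S101 with both selections applied: (eni name, public IP to use)."""
    eni = select_eni(enis)
    return eni.name, select_public_ip(eni).address


def plan_scaling(enis: List[Eni], up: float = SCALE_UP,
                 down: float = SCALE_DOWN) -> Tuple[str, Optional[str]]:
    """One control-loop step. Returns ("create", None), ("unload", eni_name) or ("keep", None).

    The two guards below are added here and are not part of the description."""
    if any(e.usage > up for e in enis):
        return ("create", None)
    if len(enis) > 1:                                   # guard 1: never unload the last ENI
        cand = min(enis, key=lambda e: e.usage)
        if cand.usage < down:
            # guard 2: the others must absorb cand's traffic without crossing `up`
            spare = sum(e.bandwidth_mbps * up - e.used_mbps for e in enis if e is not cand)
            if spare >= cand.used_mbps:
                return ("unload", cand.name)
    return ("keep", None)


def sample_enis() -> List[Eni]:
    """Constructed sample: eni-0 is busy (85 %), eni-1 is nearly idle (10 %)."""
    eni0 = Eni("eni-0", 1000.0, [PublicIp("203.0.113.10", 500.0, 450.0),
                                 PublicIp("203.0.113.11", 500.0, 400.0)])
    eni1 = Eni("eni-1", 1000.0, [PublicIp("203.0.113.12", 1000.0, 100.0)])
    return [eni0, eni1]


if __name__ == "__main__":
    enis = sample_enis()
    print("endpoint:", select_endpoint(enis))
    print("scaling:", plan_scaling(enis))
```

In the sample, the busy ENI pushes the policy to create a new ENI even though another ENI is almost idle; the per-ENI usage check in the text is what produces that behaviour, and a policy based on aggregate usage would decide differently.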
In another embodiment of the present application, in order to improve the security of a virtual machine in a VPC, for example to prevent data in the virtual machine from being stolen by an unauthorized party, a user of the virtual machine may set security group rules for the virtual machine on the virtual network card of the virtual machine.
The security group rules may include an uplink security group rule and a downlink security group rule.
The uplink direction may include the direction from outside the VPC to the virtual machines in the VPC (inbound traffic), and the downlink direction may include the direction from the virtual machines in the VPC to outside the VPC (outbound traffic).
The downlink security group rule may include: source IP address, source port, data communication protocol, destination IP address, and destination port.
The source IP address may include an IP address of a virtual network card of the virtual machine, the source port may include a port of the virtual network card of the virtual machine, the destination IP address may include an IP address of an external device for receiving downstream data, and the destination port may include a port of the external device.
In this way, when the source IP address, source port, data communication protocol, destination IP address and destination port of the downlink data are the same as those in the downlink security group rule set for the virtual machine, the external device is considered to have the right to access the data in the virtual machine and to be accessing it legitimately, so the downlink data is forwarded to the external device by the virtual network card of the virtual machine.
When at least one of the source IP address, source port, data communication protocol, destination IP address and destination port of the downlink data differs from the corresponding field in the downlink security group rule set for the virtual machine, the external device may not have permission to access the data in the virtual machine and may be accessing it illegitimately, for example an unauthorized party stealing the data, so the downlink data is not forwarded to the external device by the virtual network card of the virtual machine, thereby preventing leakage of data from the virtual machine.
The uplink security group rule may include: source IP address, source port, data communication protocol, destination IP address, and destination port.
The source IP address may include an IP address of an external device for transmitting uplink data, the source port may include a port of the external device for transmitting uplink data, the destination IP address may include an IP address of a virtual network card of the virtual machine, and the destination port may include a port of a virtual network card of the virtual machine.
In this way, when the source IP address, source port, data communication protocol, destination IP address and destination port of the uplink data are the same as those in the uplink security group rule set for the virtual machine, the external device is considered to have the right to access the data in the virtual machine and to be accessing the user's VPC legitimately, so the uplink data is forwarded to the virtual machine by the virtual network card of the virtual machine.
When at least one of the source IP address, source port, data communication protocol, destination IP address and destination port of the uplink data differs from the corresponding field in the uplink security group rule set for the virtual machine, the external device may not have permission to access the data in the virtual machine and may be accessing it illegitimately, for example an unauthorized party stealing the data, so the uplink data is not forwarded to the virtual machine by the virtual network card of the virtual machine, thereby preventing leakage of data from the virtual machine.
When a user of the virtual machine needs to set a security group rule for the virtual machine, the user of the virtual machine can submit a configuration request for setting the security group rule for the virtual machine to the virtual machine; the virtual machine receives a configuration request of a security group rule submitted to the virtual machine by a user of the virtual machine; and then configuring security group rules for the virtual machine on the virtual network card of the virtual machine according to the configuration request.
In this way, after the downlink security group rule is configured for the virtual machine, the virtual network card of the virtual machine can firstly acquire the downlink security group rule configured for the virtual machine under the condition that the virtual network card receives downlink data sent by the virtual machine to the external device; then determining whether the downlink data accords with a downlink direction security group rule; and sending the downlink data to the external equipment under the condition that the downlink data accords with the downlink direction security group rule.
The downlink data accords with a downlink direction security group rule, and the method comprises the following steps: the source IP address, the source port, the data communication protocol, the destination IP address, and the destination port of the downstream data are the same as the source IP address, the source port, the data communication protocol, the destination IP address, and the destination port in the downstream security group rule set for the virtual machine.
In this way, after the uplink security group rule is configured for the virtual machine, the virtual network card of the virtual machine can firstly acquire the uplink security group rule configured for the virtual machine under the condition that the virtual network card receives uplink data sent to the virtual machine by the external device; then determining whether the uplink data accords with an uplink direction security group rule; and sending the uplink data to the virtual machine under the condition that the uplink data accords with the uplink direction security group rule.
Wherein, the uplink data accords with the uplink security group rule and comprises: the source IP address, source port, data communication protocol, destination IP address, and destination port of the upstream data are the same as the source IP address, source port, data communication protocol, destination IP address, and destination port in the upstream security group rule set for the virtual machine, respectively.
Thereafter, the user of the virtual machine may also update the security group rules configured for the virtual machine, and so on.
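An added example (not the patent's code) of the rule evaluation described above, run on the ENI for both directions with allow-list semantics: a flow is forwarded only if some rule for its direction matches, and everything else is dropped. It generalises the text's exact five-field match to CIDR prefixes, port ranges and an "any" protocol, which is how security group rules are written in practice; an exact match is the special case of a /32 prefix and a one-port range. The public IP `ENI_IP`, the rules in `RULES` and the flows in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str            # "uplink" (inbound, outside -> VM) or "downlink" (outbound, VM -> outside)
    protocol: str             # "tcp", "udp" or "any"
    src: str                  # CIDR prefix; a single host is written as /32
    src_ports: Tuple[int, int]
    dst: str
    dst_ports: Tuple[int, int]


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def matches(rule: Rule, flow: Flow) -> bool:
    """All five fields plus the direction must match; any mismatch fails the rule."""
    return (rule.direction == flow.direction
            and rule.protocol in ("any", flow.protocol)
            and ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.src_ports[0] <= flow.src_port <= rule.src_ports[1]
            and rule.dst_ports[0] <= flow.dst_port <= rule.dst_ports[1])


def allowed(rules: Iterable[Rule], flow: Flow) -> bool:
    """Allow-list semantics: the ENI forwards the flow only if some rule for that
    direction matches; anything else is dropped (default deny)."""
    return any(matches(r, flow) for r in rules)


ENI_IP = "203.0.113.10"       # constructed: public IP bound to the VM's ENI
RULES: List[Rule] = [
    # uplink: only the operator network may reach SSH on the ENI
    Rule("uplink", "tcp", "198.51.100.0/24", ANY_PORT, f"{ENI_IP}/32", (22, 22)),
    # downlink: the VM may only open HTTPS connections to the outside
    Rule("downlink", "tcp", f"{ENI_IP}/32", ANY_PORT, "0.0.0.0/0", (443, 443)),
]


def evaluate(rules: Iterable[Rule], flows: Iterable[Flow]) -> List[Tuple[Flow, bool]]:
    """Apply the rule set to a batch of flows, as the ENI would on each packet."""
    rules = list(rules)
    return [(f, allowed(rules, f)) for f in flows]


if __name__ == "__main__":
    sample = [
        Flow("uplink", "tcp", "198.51.100.7", 51000, ENI_IP, 22),     # operator SSH
        Flow("uplink", "tcp", "192.0.2.9", 51000, ENI_IP, 22),        # SSH from elsewhere
        Flow("downlink", "tcp", ENI_IP, 40000, "192.0.2.50", 443),    # outbound HTTPS
        Flow("downlink", "tcp", ENI_IP, 40000, "192.0.2.50", 25),     # outbound SMTP
    ]
    for flow, verdict in evaluate(RULES, sample):
        print("forward" if verdict else "drop   ", flow)
```

The patent matches each direction independently. A stateless evaluator like this one therefore also needs a downlink rule that covers the replies of allowed uplink connections (for the sample, source port 22 on the ENI to any destination), whereas cloud security groups are in practice stateful and admit the return half of an allowed connection automatically.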
Referring to fig. 5, there is shown a flow chart of a method of establishing a communication connection according to the present application, which is applied to the virtual switch shown in fig. 1. Where fig. 1 shows one virtual switch, the method is applied to that virtual switch; where fig. 1 shows at least two virtual switches, the method may be applied to any one of them, and in one manner to the switch directly connected in communication with the virtual machine.
Specifically, the method may include:
in step S401, a first establishment request sent by a virtual machine located in a VPC is received, and a public network IP address bound to a virtual network card created in advance on the virtual machine is obtained; the first establishment request is used for establishing communication connection between the virtual machine and the external equipment;
wherein in one embodiment the external device may be located outside the VPC, in another embodiment the external device may be another virtual machine within the VPC, etc.
Wherein the communication connection comprises an application layer protocol based communication connection between the virtual machine and the external device, etc.
In the present application, the application layer protocols include: FTP (File Transfer Protocol), H.323 (audio/video conferencing protocol), RAS (Remote Access Server, remote access service), SIP (Session Initiation Protocol), NFS (Network File System), DNS (Domain Name System protocol), RTSP (Real Time Streaming Protocol), and the like.
The data load of the first establishment request may further include a public network IP address of the external device, and the like.
Wherein the data payload of the first setup request is different from the data header (message header) of the first setup request.
The process of obtaining the public network IP address bound by the virtual network card in this step may refer to the embodiment shown later, and will not be described in detail herein.
In step S402, the public network IP address is added to the data payload of the first establishment request to obtain a second establishment request.
In one mode, after the virtual machine generates the first establishment request, the data payload of the first establishment request carries by default the private network IP address of the virtual network card of the virtual machine in the VPC; the virtual machine performs data interaction with other devices in the VPC based on that private network IP address.
When the virtual machine needs to establish a communication connection with the external device, the public network IP address bound to the virtual network card of the virtual machine must be used for establishing the connection. Therefore at least the public network IP address needs to be added to the data payload of the first establishment request to obtain a second establishment request, and the communication connection between the virtual machine and the external device is then established based on the second establishment request.
When the virtual machine establishes a communication connection with the external device, the public network IP address bound to its virtual network card can be used, and the private network IP address of the virtual network card in the VPC need not be used.
Therefore, so that the data payload of the establishment request carries as little data as possible that cannot be used when the communication connection is established, in one embodiment of the application at least the public network IP address is added to the data payload of the first establishment request, and when the second establishment request is obtained the public network IP address may replace the private network IP address of the virtual network card in the VPC that was carried in the data payload of the first establishment request. The second establishment request then no longer carries the private network IP address of the virtual network card in the VPC, which cannot be used when the virtual machine performs data interaction with the external device, thereby simplifying the second establishment request.
In step S403, a communication connection between the virtual machine and the external device is established based on the second establishment request.
In the present application, in order to establish the communication connection between the virtual machine and the external device, the data payload of the second establishment request carries at least the public network IP address bound to the virtual network card of the virtual machine and the public network IP address of the external device.
In this way, the virtual switch can establish a communication connection between the virtual machine and the external device via the virtual switch in the VPC and the egress gateway according to the second establishment request.
For example, in the present application, the virtual switch routes the second setup request to the egress gateway of the VPC based on the public IP address of the external device in the data payload of the second setup request.
The egress gateway receives the second setup request and then routes the second setup request to the external device according to the public network IP address of the external device in the data payload of the second setup request.
The external device receives the second setup request and then generates a setup response according to it; the data payload of the setup response includes the public network IP address of the external device and the public network IP address bound to the virtual network card of the virtual machine. The external device then routes the setup response to the egress gateway of the VPC according to the public network IP address in the data payload of the setup response.
The egress gateway of the VPC receives the setup response and then routes the setup response to the virtual switch in the VPC according to the public network IP address in the data payload in the setup response.
The virtual switch receives the setup response and then routes the setup response to the virtual network card of the virtual machine according to the public network IP address in the data payload in the setup response.
The virtual machine receives the establishing response based on the virtual network card in the virtual machine, so that the communication connection between the virtual machine and the external equipment is established.
The above-mentioned process of establishing the communication connection is a two-way handshake process between the virtual machine and the external device, and of course, in another manner, the communication connection may also be a three-way handshake process, which is not described in detail herein.
In the application, the virtual network card can be established on the virtual machine in advance, and the public network IP address is bound on the virtual network card, so that under the condition that the virtual machine in the VPC needs to establish communication connection with external equipment, the virtual switch can acquire the public network IP address of the virtual network card established on the virtual machine, and the communication connection between the virtual machine and the external equipment can be established based on the public network IP address of the virtual network card.
When the communication connection is established, the virtual machine sends an establishment request to the external device through the virtual switch, the egress gateway and other devices in the VPC. Because the virtual switch can obtain the public network IP address of the virtual network card created on the virtual machine, the public network IP address can be added to the data payload of the establishment request. In this way, before the establishment request reaches the egress gateway of the VPC, the data payload of the establishment request already carries the public network IP address of the virtual network card together with the public network IP address of the external device. A direct connection between the virtual machine and the external device can thus be realized without the egress gateway performing a NAT operation on the establishment request, which avoids the effects of NAT, for example the problem that the communication connection cannot be established because of the NAT operation. That is, since the egress gateway does not need to perform NAT on the establishment request, the communication connection, for example a communication connection based on an application layer protocol, can be established.
In the conventional manner, the virtual machine cannot obtain a public network IP address; it can obtain only the private network IP address of the virtual network card created on the virtual machine. The virtual machine may generate an establishment request for establishing the communication connection, but the data payload of that request carries the private network IP address of the virtual network card of the virtual machine and no public network IP address.
In the manner of the embodiment shown in fig. 2, after the virtual machine generates the first establishment request, the virtual machine needs to add at least the public network IP address to the data payload of the first establishment request, so as to obtain the second establishment request.
This requires the technician to make improvements to the functionality of the virtual machine in advance, for example to modify the computer program code in the virtual machine so that the virtual machine is able to add a public network IP address to the data payload of the setup request.
However, modifying the computer program code in the virtual machine brings additional work for the technician and results in higher labor costs. Further, a VPC often includes a large number of virtual machines, and having a technician modify the computer program code of each virtual machine in the VPC separately adds significant labor cost.
Thus, in order to reduce the labor cost, in another embodiment of the present application, the job of "adding a public network IP address to the data payload of the setup request" may be performed by the virtual switch of the VPC.
For example, a technician may have previously improved the functionality of the virtual switch, e.g., modified computer program code in the virtual switch, to provide the virtual switch with the ability to add a public network IP address to the data payload of the setup request.
Thus, the virtual machine does not need to have the capability of adding the public network IP address to the data load of the establishment request, and the function of the virtual machine does not need to be improved by a technician, for example, the technician does not need to modify computer program codes in the virtual machine.
In a VPC the number of virtual machines is often larger than the number of virtual switches, so in this case the technician only needs to improve the functionality of fewer devices in the VPC, for example to modify the computer program code of fewer devices, than in the manner of the embodiment shown in fig. 2. The embodiment of the application can thus reduce the number of devices in the VPC whose functionality needs to be improved, that is, the number of devices in the VPC whose computer program code needs to be modified, reducing the workload of technicians and further reducing the labor cost.
In one embodiment of the present application, the virtual network card of the virtual machine includes an ENI (elastic network card) to which the public network IP address is bound. The virtual machine sends the first establishment request to the virtual switch based on its virtual network card, and when the first establishment request is sent to the virtual switch, the public network IP address bound to the virtual network card may be sent to the virtual switch as well, so that the virtual switch receives the public network IP address sent by the virtual machine, where the public network IP address includes the public network IP address of the ENI.
In another embodiment of the present application, for any virtual network card created on a virtual machine, the virtual network card has a public network IP address and a private network IP address in the VPC. The public network IP address bound to the virtual network card and its private network IP address in the VPC may be recorded on the virtual switch in advance, for example by storing the private network IP address of the virtual network card in the VPC and the public network IP address bound to the virtual network card in a correspondence kept in the virtual switch, where the correspondence includes: the correspondence between the private network IP address and the public network IP address of each virtual network card corresponding to the virtual machine. The same holds for each of the other virtual network cards created on the virtual machine.
The data payload of the first establishment request carries the private network IP address of the virtual network card. Therefore, when the public network IP address bound to the virtual network card created in advance on the virtual machine is to be obtained, the private network IP address of the virtual network card carried in the data payload of the first establishment request can be obtained first, and the public network IP address bound to the virtual network card is then obtained according to that private network IP address, for example by searching, in the correspondence between the private network IP address and the public network IP address of the virtual network card corresponding to the virtual machine, for the public network IP address corresponding to the private network IP address of the virtual network card.
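The following is an added example, not code from the patent or from its assignee, of the virtual switch carrying out steps S401 to S403 of fig. 5 together with the private-to-public correspondence lookup just described. The class and field names, the message layout (a header dict kept separate from a payload dict) and the addresses 10.0.0.5, 203.0.113.10 and 198.51.100.7 are constructed for the example; the external device and the egress gateway are stand-ins, since the page does not specify their implementation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    """An establishment request or setup response: a message header plus a
    separate data payload, as the page distinguishes them (constructed layout)."""
    header: Dict[str, str]
    payload: Dict[str, str]


class VirtualSwitch:
    """Virtual switch of the VPC holding the private -> public correspondence."""

    def __init__(self) -> None:
        # private network IP of a virtual NIC -> public network IP bound to it
        self.correspondence: Dict[str, str] = {}
        self.sent_to_gateway: List[Request] = []        # second establishment requests (S403)
        self.delivered: List[Tuple[str, Request]] = []  # (private IP, setup response)

    def bind(self, private_ip: str, public_ip: str) -> None:
        """Record in advance the public IP bound to the NIC with this private IP."""
        self.correspondence[private_ip] = public_ip

    def lookup_public_ip(self, private_ip: str) -> Optional[str]:
        """S401: obtain the bound public IP from the private IP carried in the payload."""
        return self.correspondence.get(private_ip)

    def to_second_request(self, first: Request) -> Request:
        """S402: put the public IP into the payload in place of the private IP."""
        public_ip = self.lookup_public_ip(first.payload["src_ip"])
        if public_ip is None:
            raise LookupError(f"no public IP bound for {first.payload['src_ip']}")
        payload = dict(first.payload)
        payload["src_ip"] = public_ip  # replacement: the private IP no longer leaves the VPC
        return Request(header=dict(first.header), payload=payload)

    def handle_first_request(self, first: Request) -> Request:
        """S403: build the second request and route it towards the egress gateway,
        which forwards by the external device's public IP in the payload."""
        second = self.to_second_request(first)
        self.sent_to_gateway.append(second)
        return second

    def handle_setup_response(self, response: Request) -> str:
        """Route a setup response back to the NIC whose public IP it is addressed to;
        returns that NIC's private IP."""
        dst_public = response.payload["dst_ip"]
        for private_ip, public_ip in self.correspondence.items():
            if public_ip == dst_public:
                self.delivered.append((private_ip, response))
                return private_ip
        raise LookupError(f"no virtual NIC bound to {dst_public}")


def external_device_respond(second: Request) -> Request:
    """Constructed external device: answer with the two public IPs swapped,
    as in the two-way handshake on the page."""
    return Request(
        header={"type": "setup-response"},
        payload={"src_ip": second.payload["dst_ip"], "dst_ip": second.payload["src_ip"]},
    )


def two_way_handshake(switch: VirtualSwitch, first: Request) -> Tuple[Request, Request, str]:
    """Run request and response through the switch; returns (second request,
    setup response, private IP the response was delivered to)."""
    second = switch.handle_first_request(first)
    response = external_device_respond(second)
    delivered_to = switch.handle_setup_response(response)
    return second, response, delivered_to


if __name__ == "__main__":
    sw = VirtualSwitch()
    sw.bind("10.0.0.5", "203.0.113.10")  # constructed addresses
    first = Request(header={"type": "setup-request"},
                    payload={"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7"})
    second, response, to_ip = two_way_handshake(sw, first)
    print(second.payload, response.payload, to_ip)
```

Note that the switch copies the payload rather than editing the first request in place, and raises rather than forwarding when no public IP is bound to the source: a request whose source is unknown to the correspondence would otherwise leave the VPC with a private address in its payload, which is exactly the NAT-dependent case the page sets out to avoid.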
The virtual network card of the virtual machine comprises a main network card and an auxiliary network card of the virtual machine, wherein the main network card comprises an inherent network card of the virtual machine, the auxiliary network card comprises an ENI, and the public network IP address comprises a public network IP address bound by the main network card and a public network IP address bound by the ENI.
In one embodiment of the present application, the public network IP address to which the virtual network card of the virtual machine is bound may be plural; as such, the present application may support creating a container in a virtual machine, which may be considered a virtual machine of a virtual machine, e.g., in the case where the virtual machine in the VPC is an ECS instance, the container may be a virtual machine in the ECS instance, etc.
In this way, the system architecture is the VPC-virtual machine-container, at this time, the virtual network card in the virtual machine can serve as an exit gateway, and each container can perform data interaction with devices located outside the virtual machine based on the virtual network card of the virtual machine, wherein the number of public network IP addresses bound by the virtual network card of the virtual machine is multiple, so that different containers in the virtual machine can perform data interaction with external devices based on different public network IP addresses bound by the virtual network card of the virtual machine.
Because the virtual machine uses one public network IP address when performing data interaction with the external device, when the public network IP address bound to the virtual network card of the virtual machine is obtained according to the private network IP address of the virtual network card, one public network IP address is selected, according to that private network IP address, from the plurality of public network IP addresses bound to the virtual network card; for example, one public network IP address may be selected at random from the plurality.
In one embodiment of the present application, the virtual network card of the virtual machine has a fixed bandwidth, so that when the virtual network card of the virtual machine binds a plurality of public network IP addresses, the virtual network card of the virtual machine can respectively allocate respective bandwidths to each public network IP address.
Thus, for any public network IP address bound by the virtual network card of the virtual machine, when the virtual machine performs data interaction with the external device based on the public network IP address bound by the virtual network card, the maximum bandwidth which can be used is as follows: the virtual network card of the virtual machine allocates bandwidth for the public network IP address, and the same is true for each other public network IP address bound by the virtual network card of the virtual machine.
Therefore, in order to improve the efficiency of the data interaction between the virtual machine and the external device, in another embodiment of the present application, when one public network IP address is selected, according to the private network IP address of the virtual network card of the virtual machine, from the plurality of public network IP addresses bound to the virtual network card, the public network IP address with the largest free bandwidth, among the bandwidths allocated by the virtual network card to its public network IP addresses, may be selected.
In the application, sometimes, the data volume of the data interaction between the virtual machine and the external equipment is increased along with the increase of the traffic volume, and if the bandwidth of the virtual network card of the virtual machine cannot bear the increased data volume of the interaction, the data interaction efficiency is reduced, thereby influencing the normal operation of the traffic.
Therefore, in this case, the virtual machine may detect in real time whether the bandwidth usage rate of the virtual network card is greater than a first preset usage rate, where the first preset usage rate includes 80%, 85% or 90% of the bandwidth of the virtual network card, to which the application is not limited; in the case that the bandwidth usage rate of the virtual network card is greater than the first preset usage rate, at least one new virtual network card may be created on the virtual machine.
The new virtual network card has a fixed bandwidth, the new virtual network card is bound with the public network IP address, and the virtual machine can perform data interaction with the external equipment based on the public network IP address bound by the new virtual network card, so that the bandwidth which can be used when the virtual machine performs data interaction with the external equipment is increased, the data interaction efficiency is increased, and the influence on normal operation of the service is avoided as much as possible.
In order to support that the virtual machine can perform data interaction with the external device based on the public network IP address bound by the new virtual network card, in the present application, after creating at least one new virtual network card on the virtual machine, the virtual machine may send a notification message to the virtual switch, where the notification message is used to notify that at least one new virtual network card has been created on the virtual machine, and the notification message carries the private network IP address of the new virtual network card and the public network IP address bound by the new virtual network card.
The virtual switch receives the notification message, and determines that a new virtual network card has been created on the virtual machine according to the notification message, in which case, the private network IP address of the new virtual network card and the public network IP address bound to the new virtual network card may be stored in a corresponding relationship between the private network IP address and the public network IP address of the virtual network card corresponding to the virtual machine.
When the virtual machine needs to interact data with the external device, when one public network IP address is selected from a plurality of public network IP addresses bound by the virtual network card according to the private network IP address of the virtual network card of the virtual machine, the public network IP address bound by the new virtual network card can be acquired according to the private network IP address of the new virtual network card in the corresponding relation between the private network IP address and the public network IP address of the virtual network card corresponding to the virtual machine, so that the virtual machine can interact data with the external device based on the public network IP address bound by the new virtual network card.
Accordingly, sometimes, as the traffic is reduced, the data volume of the data interaction between the virtual machine and the external device is reduced, and most of the bandwidth of the virtual network card of the virtual machine is not fully utilized but is idle, so that the bandwidth resource is wasted and cannot be fully utilized.
Therefore, in this case, the virtual machine may detect in real time whether the bandwidth usage rate of the virtual network card is smaller than a second preset usage rate, where the second preset usage rate includes 20%, 15% or 10% of the bandwidth of the virtual network card, etc., to which the present application is not limited; in the case that the bandwidth usage rate of the virtual network card is smaller than the second preset usage rate, at least one virtual network card on the virtual machine may be unloaded.
The virtual network card of the virtual machine has a fixed bandwidth, and the unloaded virtual network card is bound with a public network IP address. After at least one virtual network card is unloaded, the virtual machine no longer interacts with the external device based on the public network IP address bound to the unloaded virtual network card, and the bandwidth that can be used when the virtual machine interacts with the external device is reduced; the unloaded virtual network card can instead be created on another virtual machine with larger traffic, so that the bandwidth resource of the virtual network card is fully and reasonably utilized.
In order to ensure that the virtual machine no longer performs data interaction with the external device based on the public network IP address bound to the unloaded virtual network card, in the present application, after at least one virtual network card on the virtual machine is unloaded, the virtual machine may send a notification message to the virtual switch. The notification message is used to notify that at least one virtual network card on the virtual machine has been unloaded, and it carries the private network IP address of the unloaded virtual network card and the public network IP address bound to the unloaded virtual network card.
The virtual switch receives the notification message and determines from it that at least one virtual network card on the virtual machine has been unloaded; in this case, the private network IP address of the unloaded virtual network card and the public network IP address bound to it may be deleted from the correspondence between the private network IP address and the public network IP address of the virtual network card corresponding to the virtual machine.
When the virtual machine needs to interact data with the external device and one public network IP address is selected, according to the private network IP address of the virtual network card of the virtual machine, from the plurality of public network IP addresses bound to the virtual network card, the public network IP address bound to the unloaded virtual network card can no longer be obtained from the correspondence between the private network IP address and the public network IP address of the virtual network card corresponding to the virtual machine according to the private network IP address of the unloaded virtual network card, so that the virtual machine can no longer interact data with the external device based on the public network IP address bound to the unloaded virtual network card.
Therefore, a virtual network card supporting a public network IP address can be created on one virtual machine or unloaded from it, so that such a virtual network card can be migrated from one virtual machine to another. This provides disaster tolerance for the virtual machine: in the case that the virtual machine carrying the virtual network card supporting the public network IP address goes down, that virtual network card can be migrated to another, normally operating virtual machine, which can continue to use the virtual network card supporting the public network IP address to provide data services externally, thereby improving availability and reliability.
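As an added example (not the patent's own code) of the public network IP selection by free bandwidth and of the bandwidth-driven creation and unloading of virtual network cards with the notification messages that keep the virtual switch's correspondence current, the following Python model assumes an equal split of a NIC's fixed bandwidth between its bound public IPs, uses 80% and 20% (the first values the page lists) as the first and second preset usage rates, treats the main NIC as inherent and never unloaded, and constructs all names, addresses, message fields and bandwidth figures.

```python
import random
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class VirtualNic:
    """Virtual network card with fixed bandwidth and several bound public IPs (constructed)."""
    private_ip: str
    bandwidth_mbps: float
    public_ips: List[str]
    used_mbps: Dict[str, float] = field(default_factory=dict)  # current use per public IP

    def allocated_mbps(self, public_ip: str) -> float:
        # The fixed bandwidth is split between the bound public IPs; an equal split
        # is an assumption, the page only says each IP is allocated its own bandwidth.
        return self.bandwidth_mbps / len(self.public_ips)

    def free_mbps(self, public_ip: str) -> float:
        return self.allocated_mbps(public_ip) - self.used_mbps.get(public_ip, 0.0)

    def usage_rate(self) -> float:
        """Share of the NIC's total bandwidth currently in use (0.0 .. 1.0)."""
        return sum(self.used_mbps.values()) / self.bandwidth_mbps


def select_public_ip(nic: VirtualNic, strategy: str = "max_free") -> str:
    """Pick one bound public IP: at random, or the one with the most free bandwidth."""
    if strategy == "random":
        return random.choice(nic.public_ips)
    if strategy == "max_free":
        return max(nic.public_ips, key=nic.free_mbps)
    raise ValueError(f"unknown strategy {strategy!r}")


class SwitchCorrespondence:
    """The virtual switch's private IP -> public IPs table, kept in step by notifications."""

    def __init__(self) -> None:
        self.table: Dict[str, List[str]] = {}

    def on_notification(self, msg: Dict[str, Any]) -> None:
        if msg["event"] == "nic_created":
            self.table[msg["private_ip"]] = list(msg["public_ips"])
        elif msg["event"] == "nic_unloaded":
            self.table.pop(msg["private_ip"], None)
        else:
            raise ValueError(f"unknown notification {msg['event']!r}")

    def public_ips_for(self, private_ip: str) -> Optional[List[str]]:
        return self.table.get(private_ip)


class VirtualMachine:
    HIGH_USAGE = 0.80  # first preset usage rate (page lists 80%, 85%, 90%)
    LOW_USAGE = 0.20   # second preset usage rate (page lists 20%, 15%, 10%)

    def __init__(self, switch: SwitchCorrespondence, main_nic: VirtualNic) -> None:
        self.switch = switch
        self.nics: Dict[str, VirtualNic] = {}
        self.main_private_ip = main_nic.private_ip
        self.create_nic(main_nic)

    def _notify(self, event: str, nic: VirtualNic) -> None:
        # constructed notification layout: event, private IP, bound public IPs
        self.switch.on_notification({"event": event, "private_ip": nic.private_ip,
                                     "public_ips": nic.public_ips})

    def create_nic(self, nic: VirtualNic) -> None:
        self.nics[nic.private_ip] = nic
        self._notify("nic_created", nic)

    def unload_nic(self, private_ip: str) -> VirtualNic:
        nic = self.nics.pop(private_ip)
        self._notify("nic_unloaded", nic)
        return nic

    def check_bandwidth(self, private_ip: str, spare: Optional[VirtualNic] = None) -> Optional[str]:
        """One monitoring pass over a NIC. Above HIGH_USAGE a spare NIC (if offered)
        is created; below LOW_USAGE a secondary NIC is unloaded. The main NIC is
        taken to be inherent to the VM (assumption) and is never unloaded."""
        rate = self.nics[private_ip].usage_rate()
        if rate > self.HIGH_USAGE and spare is not None:
            self.create_nic(spare)
            return "created"
        if rate < self.LOW_USAGE and private_ip != self.main_private_ip:
            self.unload_nic(private_ip)
            return "unloaded"
        return None
```

Because every create and unload goes through the switch's notification handler before the NIC is used, the correspondence the switch consults when rewriting establishment requests can never name a public IP whose NIC has already been removed from the VM.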
In another embodiment of the present application, in order to improve security of the virtual machines in the VPC, for example, to avoid data in the virtual machines in the VPC from being stolen by lawbreakers, a user of the virtual machine may set a security group rule for the virtual machines on the virtual switch.
The security group rules may include an uplink security group rule and a downlink security group rule.
The upstream direction may include a direction from outside the VPC to the virtual machines in the VPC, and the downstream direction may include a direction from the virtual machines in the VPC to outside the VPC.
The downlink security group rule may include: source IP address, source port, data communication protocol, destination IP address, and destination port.
The source IP address may include an IP address of a virtual network card of the virtual machine, the source port may include a port of the virtual network card of the virtual machine, the destination IP address may include an IP address of an external device for receiving downstream data, and the destination port may include a port of the external device.
In this way, when the source IP address, source port, data communication protocol, destination IP address and destination port of the downstream data are the same as the source IP address, source port, data communication protocol, destination IP address and destination port in the downstream security group rule set for the virtual machine, this indicates that the external device has the right to access the data in the virtual machine and is accessing that data legitimately, so the downstream data will be forwarded to the external device by the virtual switch.
In the case that at least one of the source IP address, source port, data communication protocol, destination IP address and destination port of the downstream data differs from the corresponding field in the downstream security group rule set for the virtual machine, this indicates that the external device may not have permission to access the data in the virtual machine and may be accessing it illegitimately, for example a lawbreaker stealing the data in the virtual machine; the downstream data may therefore not be forwarded to the external device by the virtual switch, thereby avoiding leakage of data from the virtual machine.
The uplink security group rule may include: source IP address, source port, data communication protocol, destination IP address, and destination port.
The source IP address may include an IP address of an external device for transmitting uplink data, the source port may include a port of the external device for transmitting uplink data, the destination IP address may include an IP address of a virtual network card of the virtual machine, and the destination port may include a port of a virtual network card of the virtual machine.
In this way, when the source IP address, source port, data communication protocol, destination IP address and destination port of the upstream data are the same as the source IP address, source port, data communication protocol, destination IP address and destination port in the upstream security group rule set for the virtual machine, this indicates that the external device has the right to access the data in the virtual machine and is accessing the user VPC legitimately, so the upstream data will be forwarded to the virtual machine by the virtual switch.
In the case that at least one of the source IP address, source port, data communication protocol, destination IP address and destination port of the upstream data differs from the corresponding field in the upstream security group rule set for the virtual machine, this indicates that the external device may not have permission to access the data in the virtual machine and may be accessing it illegitimately, for example a lawbreaker stealing the data in the virtual machine; the upstream data may therefore not be forwarded to the virtual machine by the virtual switch, thereby avoiding leakage of data from the virtual machine.
When a user of the virtual machine needs to set a security group rule for the virtual machine, the user can submit to the virtual switch a configuration request carrying the security group rule set for the virtual machine; the virtual switch receives the configuration request submitted by the user of the virtual machine and then configures the security group rule for the virtual machine on the virtual switch according to the configuration request.
In this way, after the downlink security group rule is configured for the virtual machine, the virtual switch, on receiving downlink data sent by the virtual machine to the external device, may first obtain the downlink security group rule configured for the virtual machine, then determine whether the downlink data conforms to the downlink security group rule, and send the downlink data to the external device in the case that it conforms.
Here, the downlink data conforming to the downlink security group rule means that the source IP address, source port, data communication protocol, destination IP address and destination port of the downlink data are respectively the same as the source IP address, source port, data communication protocol, destination IP address and destination port in the downlink security group rule set for the virtual machine.
Similarly, after the uplink security group rule is configured for the virtual machine, the virtual switch, on receiving uplink data sent by the external device to the virtual machine, may first obtain the uplink security group rule configured for the virtual machine, then determine whether the uplink data conforms to the uplink security group rule, and send the uplink data to the virtual machine in the case that it conforms.
Here, the uplink data conforming to the uplink security group rule means that the source IP address, source port, data communication protocol, destination IP address and destination port of the uplink data are respectively the same as the source IP address, source port, data communication protocol, destination IP address and destination port in the uplink security group rule set for the virtual machine.
Thereafter, the user of the virtual machine may also update security group rules configured for the virtual machine, etc., on the virtual switch.
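The following is an added example, not code from the patent, of the uplink and downlink security group check described above, implemented on the virtual switch side in Python with the exact five-field equality the page specifies. The direction names follow the page's definitions (uplink: outside the VPC towards the virtual machine; downlink: virtual machine towards outside); the VM identifier, the addresses 203.0.113.10, 198.51.100.7 and 192.0.2.44 and the ports are constructed. Data with no matching rule for its virtual machine and direction is dropped, which is the "not forwarded" outcome the page describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FiveTuple:
    """The five fields a security group rule on the page is compared on."""
    src_ip: str
    src_port: int
    protocol: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class SecurityGroupRule:
    # "uplink": outside the VPC -> virtual machine; "downlink": virtual machine -> outside
    direction: str
    match: FiveTuple


def conforms(data: FiveTuple, rule: SecurityGroupRule) -> bool:
    """Data conforms to a rule only when all five fields are respectively equal."""
    return data == rule.match


class SecurityGroupFilter:
    """Per-virtual-machine security group rules held on the virtual switch."""

    def __init__(self) -> None:
        self.rules: Dict[str, List[SecurityGroupRule]] = {}  # VM id -> its rules

    def configure(self, vm_id: str, rules: List[SecurityGroupRule]) -> None:
        """Configuration request from the VM's user: set, or later update, the rules."""
        self.rules[vm_id] = list(rules)

    def should_forward(self, vm_id: str, direction: str, data: FiveTuple) -> bool:
        """Forward only if a rule of this VM and this direction matches; otherwise drop."""
        if direction not in ("uplink", "downlink"):
            raise ValueError(f"unknown direction {direction!r}")
        return any(conforms(data, r)
                   for r in self.rules.get(vm_id, []) if r.direction == direction)

    def filter(self, vm_id: str, direction: str,
               batch: List[FiveTuple]) -> List[Tuple[FiveTuple, str]]:
        """Decide a batch of data; returns (data, 'forward' | 'drop') so decisions can be logged."""
        return [(d, "forward" if self.should_forward(vm_id, direction, d) else "drop")
                for d in batch]


if __name__ == "__main__":
    VM_PUBLIC, EXT = "203.0.113.10", "198.51.100.7"  # constructed addresses
    sg = SecurityGroupFilter()
    sg.configure("vm-1", [
        SecurityGroupRule("downlink", FiveTuple(VM_PUBLIC, 443, "tcp", EXT, 51515)),
        SecurityGroupRule("uplink", FiveTuple(EXT, 51515, "tcp", VM_PUBLIC, 443)),
    ])
    for data, decision in sg.filter("vm-1", "uplink", [
            FiveTuple(EXT, 51515, "tcp", VM_PUBLIC, 443),
            FiveTuple(EXT, 51516, "tcp", VM_PUBLIC, 443)]):
        print(decision, data)
```

The rules for the two directions are kept apart so that an uplink rule never authorises downlink data with the same fields reversed, and an absent or empty rule list for a virtual machine forwards nothing; updating the rules is simply a second `configure` call for that virtual machine.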
Referring to fig. 6, there is shown a block diagram of an embodiment of an apparatus for establishing a communication connection, applied to a virtual machine in a virtual private cloud VPC, the apparatus may specifically include the following modules:
the first obtaining module 11 is configured to obtain, when a communication connection between the virtual machine and an external device needs to be established, a public network IP address bound by a virtual network card created in advance on the virtual machine;
a first establishing module 12 is configured to establish a communication connection between the virtual machine and the external device based at least on the public network IP address.
In an alternative implementation, the first establishing module includes:
the first generation unit is used for generating a first establishment request, and the first establishment request is used for establishing the communication connection;
an adding unit, configured to add at least the public network IP address to the data payload of the first establishment request, to obtain a second establishment request;
and the establishing unit is used for establishing the communication connection based on the second establishing request.
In an alternative implementation, the first establishing module includes:
a second generating unit configured to generate a first establishment request, where the first establishment request is used to establish the communication connection;
and a sending unit, configured to send the first establishment request and the public network IP address to a virtual switch, where the virtual switch is located in the VPC and is in communication connection with the virtual machine, so that the virtual switch adds the public network IP address to the message payload of the first establishment request to obtain a second establishment request, and the communication connection is established based on the second establishment request.
In an optional implementation, the virtual network card is bound to a plurality of public network IP addresses;
the first obtaining module includes:
a first selecting unit, configured to select one public network IP address from the plurality of public network IP addresses bound to the virtual network card.
In an alternative implementation, the first selecting unit includes:
the first selecting subunit is configured to select, from among the plurality of public network IP addresses bound by the virtual network card, a public network IP address with the largest idle bandwidth among bandwidths allocated by the virtual network card.
In an optional implementation, a plurality of virtual network cards are created in advance on the virtual machine;
the first obtaining module includes:
a second selecting unit, configured to select one virtual network card from the plurality of virtual network cards created on the virtual machine; and
a first obtaining unit, configured to obtain the public network IP address bound to the selected virtual network card.
In an alternative implementation, the second selecting unit includes:
and the second selecting subunit is used for selecting the virtual network card with the largest idle bandwidth from the plurality of virtual network cards created on the virtual machine.
In an alternative implementation, the apparatus further includes:
a creation module, configured to create at least one new virtual network card on the virtual machine when the bandwidth utilization rate of the virtual network card is greater than a first preset utilization rate.
In an alternative implementation, the apparatus further includes:
an unloading module, configured to unload at least one virtual network card on the virtual machine when the bandwidth utilization rate of the virtual network card is less than a second preset utilization rate.
In an alternative implementation, the apparatus further includes:
the first receiving module is used for receiving a configuration request for setting a security group rule for the virtual machine;
and the first configuration module is used for configuring a security group rule for the virtual machine on the virtual network card according to the configuration request.
In the application, a virtual network card can be created on the virtual machine in advance and a public network IP address bound to it. When a virtual machine in the VPC needs to establish a communication connection with an external device, the virtual machine can obtain the public network IP address of the virtual network card created on it, and the communication connection between the virtual machine and the external device can be established based on that public network IP address.
To establish the communication connection, the virtual machine needs to send an establishment request to the external device through the virtual switch, the exit gateway and other devices in the VPC. Because the virtual machine can obtain the public network IP address of the virtual network card created on it, the virtual machine can add that public network IP address to the data payload of the establishment request. In this way, the public network IP address of the virtual network card is already carried in the data payload of the establishment request before the request arrives at the exit gateway of the VPC, so the data payload contains both the public network IP address of the external device and the public network IP address of the virtual machine's virtual network card. A direct connection between the virtual machine and the external device can therefore be realized without the exit gateway performing a NAT operation on the establishment request, which avoids the effects of NAT, for example the problem that the communication connection cannot be established because of the NAT operation. In other words, since the exit gateway does not need to perform NAT on the establishment request, the communication connection, for example a communication connection based on an application layer protocol, can be established.
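The virtual-machine side of figure 6, as an added Python example that is not the patent's own code: selecting the virtual network card and the public network IP address with the largest idle bandwidth, generating the first establishment request, adding the public IP to its data payload to obtain the second request, and creating or unloading virtual network cards against the two preset utilization rates. All addresses, bandwidth figures, threshold values and the rule of keeping one virtual network card attached are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Added example, not the patent's code: the virtual-machine side of the
# description (figure 6), with constructed addresses and bandwidth figures.


@dataclass
class PublicIp:
    address: str
    allocated_mbps: float      # bandwidth the virtual network card allocates to this address
    used_mbps: float = 0.0

    @property
    def idle_mbps(self) -> float:
        return self.allocated_mbps - self.used_mbps


@dataclass
class VirtualNic:
    private_ip: str
    total_mbps: float
    public_ips: List[PublicIp] = field(default_factory=list)

    @property
    def used_mbps(self) -> float:
        return sum(ip.used_mbps for ip in self.public_ips)

    @property
    def idle_mbps(self) -> float:
        return self.total_mbps - self.used_mbps

    @property
    def utilization(self) -> float:
        return self.used_mbps / self.total_mbps if self.total_mbps else 0.0


def select_nic(nics: List[VirtualNic]) -> VirtualNic:
    """Second selecting subunit: the virtual network card with the largest idle bandwidth."""
    return max(nics, key=lambda n: n.idle_mbps)


def select_public_ip(nic: VirtualNic) -> PublicIp:
    """First selecting subunit: the bound public IP with the largest idle bandwidth."""
    return max(nic.public_ips, key=lambda ip: ip.idle_mbps)


def build_second_request(first_request: Dict, vm_public_ip: str) -> Dict:
    """Adding unit: copy the first request and add the vNIC's public IP to its data payload."""
    second = dict(first_request)
    second["payload"] = dict(first_request["payload"], vm_public_ip=vm_public_ip)
    return second


def prepare_establishment(nics: List[VirtualNic], external_ip: str, external_port: int) -> Dict:
    """First obtaining module plus first establishing module: pick the vNIC and public IP,
    generate the first request, then return the second request carrying both public IPs."""
    nic = select_nic(nics)
    public_ip = select_public_ip(nic)
    first_request = {
        "src_private_ip": nic.private_ip,
        "dst_ip": external_ip,
        "dst_port": external_port,
        "payload": {"external_public_ip": external_ip},
    }
    return build_second_request(first_request, public_ip.address)


def rescale_nics(nics: List[VirtualNic], new_nic: Callable[[], VirtualNic],
                 high: float = 0.8, low: float = 0.2) -> List[VirtualNic]:
    """Creation module / unloading module. `high` and `low` stand in for the first and
    second preset utilization rates (constructed values). Keeping at least one vNIC
    attached is an assumption added by this example, not a rule from the patent."""
    kept = [n for n in nics if not n.utilization < low]      # unload underused vNICs
    if not kept:
        kept = [nics[0]]
    created = [new_nic() for n in nics if n.utilization > high]  # one new vNIC per saturated one
    return kept + created


def sample_nics() -> List[VirtualNic]:
    """Constructed figures: two vNICs of 100 Mbps each (documentation address ranges)."""
    nic_a = VirtualNic("10.0.1.5", 100.0, [
        PublicIp("203.0.113.10", 60.0, used_mbps=50.0),
        PublicIp("203.0.113.11", 40.0, used_mbps=5.0),
    ])
    nic_b = VirtualNic("10.0.1.6", 100.0, [
        PublicIp("203.0.113.20", 100.0, used_mbps=85.0),
    ])
    return [nic_a, nic_b]


if __name__ == "__main__":
    print(prepare_establishment(sample_nics(), "198.51.100.7", 443))
```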
Referring to fig. 7, there is shown a block diagram of an embodiment of an apparatus for establishing a communication connection, applied to a virtual switch in a VPC; the apparatus may specifically include the following modules:
a second receiving module 21, configured to receive a first establishment request sent by a virtual machine located in the VPC, and a second obtaining module, configured to obtain the public network IP address bound to a virtual network card created in advance on the virtual machine, where the first establishment request is used to establish a communication connection between the virtual machine and an external device;
an adding module 22, configured to add the public network IP address to the message payload of the first establishment request, to obtain a second establishment request;
and the second establishing module is used for establishing the communication connection based on the second establishing request.
In an alternative implementation, the second obtaining module includes:
the receiving unit is used for receiving the public network IP address which is transmitted by the virtual machine and bound by the virtual network card;
or,
a second obtaining unit, configured to obtain the private network IP address of the virtual network card carried in the data payload of the first establishment request, and a third obtaining unit, configured to obtain the public network IP address bound to the virtual network card according to that private network IP address.
In an alternative implementation, the third obtaining unit includes:
a searching subunit, configured to search, in the correspondence between private network IP addresses and public network IP addresses of the virtual network cards of the virtual machine, for the public network IP address corresponding to the private network IP address of the virtual network card.
In an optional implementation, the virtual network card is bound to a plurality of public network IP addresses;
the third obtaining unit includes:
a third selecting subunit, configured to select one public network IP address from the plurality of public network IP addresses bound to the virtual network card according to the private network IP address.
In an alternative implementation, the third selecting subunit is specifically configured to: and selecting the public network IP address with the largest free bandwidth in the bandwidths distributed by the virtual network card from a plurality of public network IP addresses bound by the virtual network card according to the private network IP address.
In an alternative implementation, the apparatus further includes:
a storage module, configured to store, when a new virtual network card is created on the virtual machine, the private network IP address of the new virtual network card and the public network IP address bound to the new virtual network card in the correspondence.
In an alternative implementation, the apparatus further includes:
a deleting module, configured to delete, when a virtual network card on the virtual machine is unloaded, the private network IP address of the unloaded virtual network card and the public network IP address bound to the unloaded virtual network card from the correspondence.
In an alternative implementation, the apparatus further includes:
the second receiving module is used for receiving a configuration request for setting a security group rule for the virtual machine;
and the second configuration module is used for configuring a security group rule for the virtual machine on the virtual switch according to the configuration request.
In the application, a virtual network card can be created on the virtual machine in advance and a public network IP address bound to it. When a virtual machine in the VPC needs to establish a communication connection with an external device, the virtual switch can obtain the public network IP address of the virtual network card created on the virtual machine, and the communication connection between the virtual machine and the external device can be established based on that public network IP address.
To establish the communication connection, the virtual machine needs to send an establishment request to the external device through the virtual switch, the exit gateway and other devices in the VPC. Because the virtual switch can obtain the public network IP address of the virtual network card created on the virtual machine, the virtual switch can add that public network IP address to the data payload of the establishment request. In this way, the public network IP address of the virtual network card is already carried in the data payload of the establishment request before the request arrives at the exit gateway of the VPC, so the data payload contains both the public network IP address of the external device and the public network IP address of the virtual machine's virtual network card. A direct connection between the virtual machine and the external device can therefore be realized without the exit gateway performing a NAT operation on the establishment request, which avoids the effects of NAT, for example the problem that the communication connection cannot be established because of the NAT operation. In other words, since the exit gateway does not need to perform NAT on the establishment request, the communication connection, for example a communication connection based on an application layer protocol, can be established.
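The virtual-switch side of figure 7, as an added Python example that is not the patent's code: the storage and deleting modules maintain the private-to-public correspondence, the searching subunit resolves a public IP from the private IP carried in the payload (choosing the one with the most free bandwidth when several are bound), and the adding module builds the second establishment request. Addresses and bandwidth figures are constructed; the check that a VM-supplied public IP is actually bound to the virtual network card the request came from is an assumption added here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not the patent's code: the virtual-switch side (figure 7)
# with constructed addresses and bandwidth figures.


@dataclass(frozen=True)
class BoundPublicIp:
    address: str
    free_mbps: float    # idle share of the bandwidth the vNIC allocates to this address


class VirtualSwitch:
    """Keeps the correspondence between each vNIC's private IP and the public IPs
    bound to it, and turns a first establishment request into a second one."""

    def __init__(self) -> None:
        self._binding: Dict[str, List[BoundPublicIp]] = {}

    def on_nic_created(self, private_ip: str, bound: List[BoundPublicIp]) -> None:
        """Storage module: record the binding of a newly created vNIC."""
        self._binding[private_ip] = list(bound)

    def on_nic_unloaded(self, private_ip: str) -> None:
        """Deleting module: drop the binding of an unloaded vNIC."""
        self._binding.pop(private_ip, None)

    def lookup_public_ip(self, private_ip: Optional[str]) -> Optional[str]:
        """Searching subunit / third selecting subunit: the bound public IP with the
        largest free bandwidth, or None when the private IP is unknown."""
        bound = self._binding.get(private_ip) if private_ip else None
        if not bound:
            return None
        return max(bound, key=lambda b: b.free_mbps).address

    def handle_first_request(self, request: Dict,
                             public_ip_from_vm: Optional[str] = None) -> Optional[Dict]:
        """Second obtaining module (both alternatives) followed by the adding module."""
        if public_ip_from_vm is not None:
            # Receiving unit: the VM sent the public IP along with the request.
            # Added check (an assumption, not in the patent): accept it only if it is
            # bound to the vNIC the request came from, so a VM cannot have the switch
            # write another tenant's public IP into its payload.
            bound = self._binding.get(request.get("src_private_ip", ""), [])
            public_ip = public_ip_from_vm if any(b.address == public_ip_from_vm for b in bound) else None
        else:
            # Second and third obtaining units: resolve from the private IP in the payload.
            public_ip = self.lookup_public_ip(request["payload"].get("vnic_private_ip"))
        if public_ip is None:
            return None     # no known binding: no NAT-free second request can be built
        second = dict(request)
        second["payload"] = dict(request["payload"], vm_public_ip=public_ip)
        return second


def sample_switch() -> VirtualSwitch:
    """Constructed state: one vNIC with two bound public IPs (documentation ranges)."""
    sw = VirtualSwitch()
    sw.on_nic_created("10.0.1.5", [BoundPublicIp("203.0.113.10", 10.0),
                                   BoundPublicIp("203.0.113.11", 35.0)])
    return sw


# Constructed first establishment request as received from the VM.
FIRST_REQUEST = {
    "src_private_ip": "10.0.1.5",
    "dst_ip": "198.51.100.7",
    "dst_port": 443,
    "payload": {"external_public_ip": "198.51.100.7", "vnic_private_ip": "10.0.1.5"},
}


if __name__ == "__main__":
    print(sample_switch().handle_first_request(FIRST_REQUEST))
```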
The embodiment of the application also provides a non-volatile readable storage medium in which one or more modules (programs) are stored; when the one or more modules are applied to a device, the device can execute the instructions of each method step in the embodiments of the application.
Embodiments of the application provide a machine-readable medium having instructions stored thereon which, when executed by one or more processors, cause an electronic device to perform a method as described in one or more of the above embodiments. In the embodiments of the application, the electronic device includes a server, a gateway, a sub-device and the like, where the sub-device is a device such as an Internet of Things device.
Embodiments of the present disclosure may be implemented as an apparatus for performing a desired configuration using any suitable hardware, firmware, software, or any combination thereof, which may include a server (cluster), a terminal device, such as an IoT device, or the like.
Fig. 8 schematically illustrates an exemplary apparatus 1300 that may be used to implement various embodiments described in the present disclosure.
For one embodiment, fig. 8 illustrates an example apparatus 1300 having one or more processors 1302, a control module (chipset) 1304 coupled to at least one of the processor(s) 1302, a memory 1306 coupled to the control module 1304, a non-volatile memory (NVM)/storage 1308 coupled to the control module 1304, one or more input/output devices 1310 coupled to the control module 1304, and a network interface 1312 coupled to the control module 1304.
The processor 1302 may include one or more single-core or multi-core processors, and the processor 1302 may include any combination of general-purpose or special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In some embodiments, the apparatus 1300 can be used as a server device such as a gateway in the embodiments of the present application.
In some embodiments, the apparatus 1300 may include one or more computer-readable media (e.g., memory 1306 or NVM/storage 1308) having instructions 1314 and one or more processors 1302 combined with the one or more computer-readable media configured to execute the instructions 1314 to implement the modules to perform actions described in this disclosure.
For one embodiment, the control module 1304 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 1302 and/or any suitable device or component in communication with the control module 1304.
The control module 1304 may include a memory controller module to provide an interface to the memory 1306. The memory controller modules may be hardware modules, software modules, and/or firmware modules.
Memory 1306 may be used to load and store data and/or instructions 1314 for device 1300, for example. For one embodiment, memory 1306 may include any suitable volatile memory, such as suitable DRAM. In some embodiments, memory 1306 may include double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
For one embodiment, the control module 1304 may include one or more input/output controllers to provide interfaces to the NVM/storage 1308 and the input/output device(s) 1310.
For example, NVM/storage 1308 may be used to store data and/or instructions 1314. NVM/storage 1308 may include any suitable nonvolatile memory (e.g., flash memory) and/or may include any suitable nonvolatile storage device(s) (e.g., hard disk drive(s) (HDD), compact disk drive(s) (CD) and/or digital versatile disk drive (s)).
NVM/storage 1308 may include storage resources that are physically part of the device on which apparatus 1300 is installed, or may be accessible by the device without necessarily being part of the device. For example, NVM/storage 1308 may be accessed over a network via input/output device(s) 1310.
Input/output device(s) 1310 may provide an interface for apparatus 1300 to communicate with any other suitable device; input/output device 1310 may include a communication component, an audio component, a sensor component, and the like. The network interface 1312 may provide an interface for the device 1300 to communicate over one or more networks, and the device 1300 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, such as accessing a wireless network based on a communication standard such as WiFi, 2G, 3G, 4G, 5G, etc., or a combination thereof.
For one embodiment, at least one of the processor(s) 1302 may be packaged together with logic of one or more controllers (e.g., memory controller modules) of the control module 1304. For one embodiment, at least one of the processor(s) 1302 may be packaged together with logic of one or more controllers of the control module 1304 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 1302 may be integrated on the same die as logic of one or more controllers of the control module 1304. For one embodiment, at least one of the processor(s) 1302 may be integrated on the same die with logic of one or more controllers of the control module 1304 to form a system on chip (SoC).
In various embodiments, apparatus 1300 may be, but is not limited to being: a server, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.), among other terminal devices. In various embodiments, the apparatus 1300 may have more or fewer components and/or different architectures. For example, in some embodiments, apparatus 1300 includes one or more cameras, a keyboard, a Liquid Crystal Display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an Application Specific Integrated Circuit (ASIC), and a speaker.
The embodiment of the application provides electronic equipment, which comprises: one or more processors; and a machine-readable medium having instructions stored thereon, which when executed by the one or more processors, cause the electronic device to perform a method of establishing a communication connection as described in one or more of the present applications.
For the apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively brief; for relevant points, refer to the description of the method embodiments.
In this specification, the embodiments are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the application.
Finally, it is further noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of other like elements in a process, method, article or terminal device comprising the element.
The method and apparatus for establishing a communication connection provided by the present application have been described in detail above, and specific examples have been used to illustrate the principles and embodiments of the present application; the above description of the examples is only intended to help understand the method and core idea of the present application. At the same time, since those skilled in the art will make changes to the specific embodiments and the scope of application in accordance with the ideas of the present application, the contents of this description should not be construed as limiting the present application.

Claims (40)

1. A method of establishing a communication connection, for application to a virtual machine in a virtual private cloud, VPC, the method comprising:
when a communication connection between the virtual machine and an external device needs to be established, obtaining a public network Internet Protocol (IP) address bound to a virtual network card created in advance on the virtual machine;
establishing a communication connection between the virtual machine and the external device based at least on the public network IP address; the method realizes direct connection between the virtual machine and the external device without the exit gateway performing a network address translation (NAT) operation on the establishment request.
2. The method of claim 1, wherein the establishing a communication connection between the virtual machine and the external device based at least on the public network IP address comprises:
generating a first establishment request, wherein the first establishment request is used for establishing the communication connection;
adding at least the public network IP address into the data load of the first establishment request to obtain a second establishment request;
and establishing the communication connection based on the second establishment request.
3. The method of claim 1, wherein the establishing a communication connection between the virtual machine and the external device based at least on the public network IP address comprises:
Generating a first establishment request, wherein the first establishment request is used for establishing the communication connection;
and sending the first establishment request and the public network IP address to a virtual switch, wherein the virtual switch is positioned in the VPC and is in communication connection with the virtual machine, so that the virtual switch adds the public network IP address in the message load of the first establishment request to obtain a second establishment request, and the communication connection is established based on the second establishment request.
4. The method of claim 1, wherein the virtual network card binds a plurality of public network IP addresses;
the obtaining the public network IP address bound by the virtual network card created in advance on the virtual machine includes:
and selecting a public network IP address from a plurality of public network IP addresses bound by the virtual network card.
5. The method of claim 4, wherein selecting a public network IP address from a plurality of public network IP addresses bound by the virtual network card comprises:
and selecting the public network IP address with the largest free bandwidth among bandwidths allocated by the virtual network card from the plurality of public network IP addresses bound by the virtual network card.
6. The method of claim 1, wherein a plurality of virtual network cards are created in advance on the virtual machine;
the obtaining the public network IP address bound by the virtual network card created in advance on the virtual machine includes:
selecting one virtual network card from a plurality of virtual network cards created on the virtual machine;
and acquiring the public network IP address bound by the selected virtual network card.
7. The method of claim 6, wherein selecting one of the plurality of virtual network cards created on the virtual machine comprises:
and selecting the virtual network card with the largest idle bandwidth from a plurality of virtual network cards created on the virtual machine.
8. The method according to claim 1, wherein the method further comprises:
and under the condition that the bandwidth utilization rate of the virtual network card is larger than the first preset utilization rate, creating at least one new virtual network card on the virtual machine.
9. The method according to claim 1, wherein the method further comprises:
and unloading at least one virtual network card on the virtual machine under the condition that the bandwidth utilization rate of the virtual network card is smaller than a second preset utilization rate.
10. The method according to claim 1, wherein the method further comprises:
receiving a configuration request for setting a security group rule for the virtual machine;
And configuring a security group rule for the virtual machine on the virtual network card according to the configuration request.
11. A method of establishing a communication connection, for use with a virtual switch in a virtual private cloud, VPC, the method comprising:
receiving a first establishment request sent by a virtual machine in the VPC, and acquiring a public network Internet Protocol (IP) address bound with a virtual network card which is created in advance on the virtual machine; the first establishment request is used for establishing communication connection between the virtual machine and external equipment;
adding the public network IP address into the message load of the first establishment request to obtain a second establishment request;
establishing the communication connection based on the second establishment request; the method realizes direct connection between the virtual machine and the external device without the exit gateway performing a network address translation (NAT) operation on the establishment request.
12. The method of claim 11, wherein the obtaining the public network IP address bound by the virtual network card created in advance on the virtual machine comprises:
receiving a public network IP address which is transmitted by the virtual machine and bound by the virtual network card;
or,
and acquiring a private network IP address of the virtual network card carried in the data load of the first establishment request, and acquiring a public network IP address bound by the virtual network card according to the private network IP address.
13. The method of claim 12, wherein the obtaining the public network IP address bound by the virtual network card according to the private network IP address comprises:
searching a public network IP address corresponding to the private network IP address of the virtual network card in the corresponding relation between the private network IP address and the public network IP address of the virtual network card corresponding to the virtual machine.
14. The method of claim 12, wherein the virtual network card binds a plurality of public network IP addresses;
the obtaining the public network IP address bound by the virtual network card according to the private network IP address includes:
and selecting a public network IP address from a plurality of public network IP addresses bound by the virtual network card according to the private network IP address.
15. The method according to claim 14, wherein selecting a public network IP address from a plurality of public network IP addresses bound by the virtual network card according to the private network IP address comprises:
and selecting the public network IP address with the largest free bandwidth in the bandwidths distributed by the virtual network card from a plurality of public network IP addresses bound by the virtual network card according to the private network IP address.
16. The method of claim 13, wherein the method further comprises:
And under the condition that a new virtual network card is created on the virtual machine, storing a private network IP address of the new virtual network card and a public network IP address bound with the new virtual network card in the corresponding relation.
17. The method of claim 13, wherein the method further comprises:
and deleting the private network IP address of the unloaded virtual network card and the public network IP address bound with the unloaded virtual network card in the corresponding relation under the condition that the virtual network card on the virtual machine is unloaded.
18. The method of claim 13, wherein the method further comprises:
receiving a configuration request for setting a security group rule for the virtual machine;
and configuring a security group rule for the virtual machine on the virtual switch according to the configuration request.
19. An apparatus for establishing a communication connection, the apparatus being applied to a virtual machine in a virtual private cloud, VPC, the apparatus comprising:
the first acquisition module is used for acquiring a public network Internet Protocol (IP) address bound with a virtual network card which is created on the virtual machine in advance under the condition that communication connection between the virtual machine and external equipment is required to be established;
a first establishing module, configured to establish a communication connection between the virtual machine and the external device based at least on the public network IP address; the apparatus realizes direct connection between the virtual machine and the external device without the exit gateway performing a network address translation (NAT) operation on the establishment request.
20. The apparatus of claim 19, wherein the first establishing module comprises:
the first generation unit is used for generating a first establishment request, and the first establishment request is used for establishing the communication connection;
an adding unit, configured to add at least the public network IP address to the data payload of the first establishment request, to obtain a second establishment request;
and the establishing unit is used for establishing the communication connection based on the second establishing request.
21. The apparatus of claim 19, wherein the first establishing means comprises:
a second generating unit configured to generate a first establishment request, where the first establishment request is used to establish the communication connection;
and the sending unit is used for sending the first establishment request and the public network IP address to a virtual switch, wherein the virtual switch is positioned in the VPC and is in communication connection with the virtual machine, so that the virtual switch adds the public network IP address in the message load of the first establishment request to obtain a second establishment request, and the communication connection is established based on the second establishment request.
22. The apparatus of claim 19, wherein the virtual network card is bound to a plurality of public network IP addresses; and
the first acquisition module comprises:
a first selecting unit, configured to select one public network IP address from the plurality of public network IP addresses bound to the virtual network card.
23. The apparatus of claim 22, wherein the first selecting unit comprises:
a first selecting subunit, configured to select, from the plurality of public network IP addresses bound to the virtual network card, the public network IP address having the largest idle bandwidth within the bandwidth allocated by the virtual network card.
24. The apparatus of claim 19, wherein a plurality of virtual network cards are created in advance on the virtual machine; and
the first acquisition module comprises:
a second selecting unit, configured to select one virtual network card from the plurality of virtual network cards created on the virtual machine; and
a first acquisition unit, configured to acquire the public network IP address bound to the selected virtual network card.
25. The apparatus of claim 24, wherein the second selecting unit comprises:
a second selecting subunit, configured to select, from the plurality of virtual network cards created on the virtual machine, the virtual network card having the largest idle bandwidth.
26. The apparatus of claim 19, wherein the apparatus further comprises:
a creation module, configured to create at least one new virtual network card on the virtual machine when the bandwidth utilization rate of the virtual network card is greater than a first preset utilization rate.
27. The apparatus of claim 19, wherein the apparatus further comprises:
an unloading module, configured to unload at least one virtual network card on the virtual machine when the bandwidth utilization rate of the virtual network card is less than a second preset utilization rate.
28. The apparatus of claim 19, wherein the apparatus further comprises:
a first receiving module, configured to receive a configuration request for setting a security group rule for the virtual machine; and
a first configuration module, configured to configure the security group rule for the virtual machine on the virtual network card according to the configuration request.
29. An apparatus for establishing a communication connection, the apparatus being applied to a virtual switch in a virtual private cloud (VPC), the apparatus comprising:
a second receiving module, configured to receive a first establishment request sent by a virtual machine in the VPC, the first establishment request being used to establish a communication connection between the virtual machine and an external device;
a second acquisition module, configured to acquire a public network Internet Protocol (IP) address bound to a virtual network card created in advance on the virtual machine;
an adding module, configured to add the public network IP address to the payload of the first establishment request to obtain a second establishment request; and
a second establishing module, configured to establish the communication connection on the basis of the second establishment request, so that the virtual machine is connected directly to the external device without the egress gateway performing network address translation (NAT) on the establishment request.
30. The apparatus of claim 29, wherein the second acquisition module comprises:
a receiving unit, configured to receive the public network IP address bound to the virtual network card, as sent by the virtual machine;
or
a second acquisition unit, configured to acquire the private network IP address of the virtual network card carried in the payload of the first establishment request, and a third acquisition unit, configured to acquire, according to the private network IP address, the public network IP address bound to the virtual network card.
31. The apparatus of claim 30, wherein the third acquisition unit comprises:
a searching subunit, configured to look up, in a corresponding relation between the private network IP address and the public network IP address of the virtual network card of the virtual machine, the public network IP address corresponding to the private network IP address of the virtual network card.
32. The apparatus of claim 30, wherein the virtual network card is bound to a plurality of public network IP addresses; and
the third acquisition unit comprises:
a third selecting subunit, configured to select, according to the private network IP address, one public network IP address from the plurality of public network IP addresses bound to the virtual network card.
33. The apparatus of claim 32, wherein the third selecting subunit is specifically configured to select, according to the private network IP address and from the plurality of public network IP addresses bound to the virtual network card, the public network IP address having the largest idle bandwidth within the bandwidth allocated by the virtual network card.
34. The apparatus of claim 31, wherein the apparatus further comprises:
a storage module, configured to store, when a new virtual network card is created on the virtual machine, the private network IP address of the new virtual network card and the public network IP address bound to the new virtual network card in the corresponding relation.
35. The apparatus of claim 31, wherein the apparatus further comprises:
a deleting module, configured to delete, when a virtual network card on the virtual machine is unloaded, the private network IP address of the unloaded virtual network card and the public network IP address bound to the unloaded virtual network card from the corresponding relation.
36. The apparatus of claim 31, wherein the apparatus further comprises:
a second receiving module, configured to receive a configuration request for setting a security group rule for the virtual machine; and
a second configuration module, configured to configure the security group rule for the virtual machine on the virtual switch according to the configuration request.
37. An electronic device, the electronic device comprising:
a processor; and
memory having executable code stored thereon that, when executed, causes the processor to perform the method of establishing a communication connection as claimed in one or more of claims 1-10.
38. A machine readable medium having stored thereon executable code which when executed causes a processor to perform the method of establishing a communication connection as claimed in one or more of claims 1-10.
39. An electronic device, the electronic device comprising:
a processor; and
memory having executable code stored thereon that, when executed, causes the processor to perform the method of establishing a communication connection as claimed in one or more of claims 11-18.
40. A machine readable medium having stored thereon executable code which when executed causes a processor to perform a method of establishing a communication connection as claimed in one or more of claims 11-18.
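The claims describe the data path as modules and units. The Python model below is an added example written for this page, not code from the patent or from the applicant, and it assumes the field names of the establishment request, the bandwidth figures in Mbps and the two utilization thresholds. It models the virtual switch's private-to-public address correspondence and its updates on card creation and unloading (claims 31, 34 and 35), selection of the public IP and of the virtual network card with the most idle bandwidth (claims 23, 25 and 33), creation and unloading of virtual network cards on utilization thresholds (claims 26 and 27), and the rewriting of the first establishment request into the second one on the virtual switch so that no NAT is needed at the egress gateway (claims 29 to 31).

```python
"""Added example (not the patent's code): model of the NAT-free egress path in
the claims. Field names, Mbps figures and thresholds are assumed values."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PublicIP:
    address: str
    allocated_mbps: int          # bandwidth the NIC allocates to this address
    used_mbps: int = 0

    @property
    def idle_mbps(self) -> int:
        return self.allocated_mbps - self.used_mbps


@dataclass
class VirtualNIC:
    private_ip: str
    public_ips: List[PublicIP] = field(default_factory=list)

    @property
    def idle_mbps(self) -> int:
        return sum(p.idle_mbps for p in self.public_ips)

    @property
    def utilization(self) -> float:
        total = sum(p.allocated_mbps for p in self.public_ips)
        return 0.0 if total == 0 else 1.0 - self.idle_mbps / total

    def pick_public_ip(self) -> PublicIP:
        # Claims 23 and 33: the bound public IP with the largest idle bandwidth.
        return max(self.public_ips, key=lambda p: p.idle_mbps)


class VirtualSwitch:
    """Holds the private-IP to public-IP correspondence (claims 31, 34, 35)."""
    def __init__(self) -> None:
        self.table: Dict[str, VirtualNIC] = {}

    def on_nic_created(self, nic: VirtualNIC) -> None:      # claim 34
        self.table[nic.private_ip] = nic

    def on_nic_unloaded(self, private_ip: str) -> None:     # claim 35
        self.table.pop(private_ip, None)

    def build_second_request(self, first_request: dict) -> dict:
        # Claims 29-31 (lookup branch of 30): the public IP comes from the
        # switch's own table, so a VM cannot nominate one it does not own.
        nic = self.table.get(first_request["src_private_ip"])
        if nic is None:
            raise PermissionError("source private IP has no bound public IP")
        chosen = nic.pick_public_ip()
        chosen.used_mbps += first_request.get("bandwidth_mbps", 0)
        return {**first_request, "public_ip": chosen.address}


class VirtualMachine:
    """NIC picked by idle bandwidth (claims 24, 25); NICs created or unloaded
    on utilization thresholds (claims 26, 27)."""
    HIGH_UTIL = 0.8   # first preset utilization rate (assumed)
    LOW_UTIL = 0.2    # second preset utilization rate (assumed)

    def __init__(self, switch: VirtualSwitch) -> None:
        self.switch, self.nics = switch, []

    def attach_nic(self, nic: VirtualNIC) -> None:
        self.nics.append(nic)
        self.switch.on_nic_created(nic)

    def connect(self, dst: str, bandwidth_mbps: int) -> dict:
        # Claims 19 and 21: first request on the NIC with the most idle
        # bandwidth; the virtual switch turns it into the second request.
        nic = max(self.nics, key=lambda n: n.idle_mbps)
        first = {"src_private_ip": nic.private_ip, "dst": dst,
                 "bandwidth_mbps": bandwidth_mbps}
        return self.switch.build_second_request(first)

    def rebalance(self, spare_nics: List[VirtualNIC]) -> List[str]:
        # Attach a spare NIC (assumed pool) above HIGH_UTIL; unload below LOW_UTIL.
        actions: List[str] = []
        for nic in list(self.nics):
            if nic.utilization > self.HIGH_UTIL and spare_nics:
                self.attach_nic(spare_nics.pop(0))
                actions.append("created")
            elif nic.utilization < self.LOW_UTIL and len(self.nics) > 1:
                self.nics.remove(nic)
                self.switch.on_nic_unloaded(nic.private_ip)
                actions.append("unloaded")
        return actions


def demo() -> dict:
    """Constructed scenario: one NIC, two public IPs, the second mostly idle."""
    sw = VirtualSwitch()
    vm = VirtualMachine(sw)
    vm.attach_nic(VirtualNIC("10.0.0.5", [PublicIP("203.0.113.10", 100, 80),
                                          PublicIP("203.0.113.11", 100, 10)]))
    return vm.connect("198.51.100.7", 20)
```

Of the two ways claim 30 lets the virtual switch obtain the public IP, the example uses the lookup by the private source IP: the switch consults only its own correspondence table, any public_ip field a VM places in the first request is overwritten, and a request from a private IP with no bound public IP is rejected with PermissionError. demo() returns the second establishment request for the constructed NIC and selects 203.0.113.11, the bound address with 90 Mbps idle.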
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010437811.3A CN113709200B (en) 2020-05-21 2020-05-21 Method and device for establishing communication connection

Publications (2)

Publication Number Publication Date
CN113709200A CN113709200A (en) 2021-11-26
CN113709200B true CN113709200B (en) 2023-11-28

Family

ID=78646206

Country Status (1)

Country Link
CN (1) CN113709200B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114257568A (en) * 2021-12-09 2022-03-29 深圳市广和通无线股份有限公司 Data transmission method and related equipment
CN114679441B (en) * 2022-03-03 2024-04-12 杭州玳数科技有限公司 Big data task scheduling system based on VPC network and control method thereof
CN114567523B (en) * 2022-04-22 2022-09-30 阿里巴巴(中国)有限公司 Method, equipment and storage medium for customizing vlan network
CN115225634B (en) * 2022-06-17 2023-10-20 北京百度网讯科技有限公司 Data forwarding method, device and computer program product under virtual network
CN116233038A (en) * 2022-12-29 2023-06-06 天翼云科技有限公司 Method and device for hot upgrading of virtual switch

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104639497A (en) * 2013-11-06 2015-05-20 华为技术有限公司 Remote access configuration method, remote access method, remote access configuration device, remote access device and remote access system
WO2017032300A1 (en) * 2015-08-25 2017-03-02 华为技术有限公司 Data transmission method, virtual network management apparatus, and data transmission system
CN106487695A (en) * 2015-08-25 2017-03-08 华为技术有限公司 A kind of data transmission method, virtual network managing device and data transmission system
CN106911779A (en) * 2017-02-27 2017-06-30 郑州云海信息技术有限公司 A kind of cloud platform virtual machine obtains IP method and devices
WO2017152633A1 (en) * 2016-03-09 2017-09-14 中兴通讯股份有限公司 Port binding implementation method and device
CN107172120A (en) * 2017-03-27 2017-09-15 联想(北京)有限公司 Information processing method, processing node and network node
CN108566445A (en) * 2018-03-15 2018-09-21 华为技术有限公司 A kind of message transmitting method and device
CN109561171A (en) * 2019-01-22 2019-04-02 北京百度网讯科技有限公司 The configuration method and device of virtual private cloud service
CN109714238A (en) * 2018-12-11 2019-05-03 上海云轴信息科技有限公司 A kind of method and apparatus for realizing inter-virtual machine communication
CN109768871A (en) * 2017-11-09 2019-05-17 阿里巴巴集团控股有限公司 Configure method, host and the storage medium of multiple Microsoft Loopback Adapters

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104579887A (en) * 2013-10-16 2015-04-29 宇宙互联有限公司 Cloud gateway as well as cloud gateway creation and configuration system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40062879; Country of ref document: HK)
GR01 Patent grant