CN114095357B - Service system - Google Patents


Info

Publication number: CN114095357B
Authority: CN (China)
Prior art keywords: management, control, service, access, network card
Legal status: Active
Application number: CN202111368332.1A
Other languages: Chinese (zh)
Other versions: CN114095357A
Inventors: 陈智, 解培
Current assignee: China Everbright Bank Co Ltd
Original assignee: China Everbright Bank Co Ltd
Priority date / filing date: 2021-11-18

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of this application disclose a service system comprising a management-and-control end (hereafter "control end") and at least one service end. The control end and each service end are each provided with a control network card (NIC). Each control NIC is assigned a control-plane network address from the control-plane address segment. A control access relation is established between the control NIC of the control end and the control NIC of each of the at least one service ends, and a control NIC that holds such a relation transmits control-associated data according to that relation. This technique improves control efficiency and control security, makes the system easy to adapt when it is expanded, and keeps the service system stable.

Description

Service system
Technical Field
Embodiments of this application relate to the field of data processing, in particular to cloud computing technology, and specifically to a service system.
Background
Cloud computing refers to a technical system in which an elastically scalable, shared pool of physical or virtual resources is accessed over a network. The resources may include servers, operating systems, networks, software, applications and storage devices, and they can be deployed and managed on demand in a self-service manner.
When a cloud computing platform serves multiple business parties, management control over each party helps keep the whole platform operating well.
Disclosure of Invention
This application provides a service system that realises unified management and control of all service parties in the system.
An embodiment of this application provides a service system comprising a management-and-control end (hereafter "control end") and at least one service end, where:
the control end and each service end are each provided with a control network card (NIC);
each control NIC is assigned a control-plane network address from the control-plane address segment;
a control access relation is established between the control NIC of the control end and the control NIC of each of the at least one service ends; and
a control NIC that holds a control access relation transmits control-associated data according to that relation.
By placing a control NIC in the control end and in each service end, assigning each control NIC a control-plane address from the control-plane segment, establishing control access relations between the control NIC of the control end and the control NICs of the service ends, and transmitting control-associated data over those relations, the control end obtains unified control over every service end, which improves control efficiency and security. Because the service system uses a single, unified control plane, it is also easy to expand: when a service end is added, its access relation is configured directly and dynamically, which simplifies operation and improves the overall stability of the system.
Drawings
Fig. 1 is a schematic structural diagram of a service system according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of another service system according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of another service system according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of another service system according to an embodiment of the present application.
Detailed Description
The application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present application are shown in the drawings.
Fig. 1 is a schematic structural diagram of a service system according to an embodiment of this application. The embodiment applies to scenarios in which a service system involving multiple service parties needs to control each service party in a unified way.
The service system shown in Fig. 1 comprises a control end and at least one service end, where:
the control end and each service end are each provided with a control NIC;
each control NIC is assigned a control-plane network address from the control-plane address segment;
a control access relation is established between the control NIC of the control end and the control NIC of each of the at least one service ends; and
a control NIC that holds a control access relation transmits control-associated data according to that relation.
A service end provides an application service to a service party. Different service ends may provide the same or different application services, and may serve the same or different service parties.
A service end can deliver its functional service through its own software and/or hardware. For example, a service end can implement its service functions by deploying a virtual machine, in which case one virtual machine can be regarded as one service end.
Correspondingly, the control end provides the control service: for example, it can offer a control tool to the operator, and that tool is used to control each service end. The control end can deliver the control service through its own software and/or hardware; for example, it can implement the control function by deploying a virtual machine, in which case one virtual machine can be regarded as one control end.
Typically a service system has one control end and at least one, usually several, service ends. In one implementation the number of service ends is deployed or extended dynamically according to the scale of the service.
The control end and each service end can be realised on a virtual private cloud (VPC): service ends providing the same application service belong to the same VPC, and service ends providing different application services belong to different VPCs. In an alternative embodiment, the control NIC may be a physical NIC or a virtual NIC.
For example, a preset control protocol may be used to assign control-plane addresses to the NICs dynamically; the protocol can be chosen by a technician according to actual needs or experience. For instance, the preset protocol may be DHCP (Dynamic Host Configuration Protocol).
By placing control NICs in the control end and in the service ends, assigning control-plane addresses to those NICs, and transmitting control-associated data between them over the control access relations between the control end's NIC and the service ends' NICs, the control end obtains centralised control over every service end, which improves control efficiency and security. Because the service system uses a single, unified control plane, it is also easy to expand: when a service end is added, its access relation is configured directly and dynamically, which simplifies operation and improves the overall stability of the system.
Note that a control access relation may be unidirectional or bidirectional; those skilled in the art can configure or adjust it according to actual requirements. Normally the control access relation is set to be unidirectional, which avoids wasting transmission bandwidth on irrelevant traffic and improves bandwidth utilisation. At the same time, if one participant in a unidirectional access relation is compromised, the unidirectional relation avoids the resulting security risk to the other participant, which improves the overall security of the service system.
In an optional implementation, the control NIC of the control end responds to a control access relation configuration request by selecting a target service end from the at least one service end, and establishes a unidirectional control access relation from the control NIC of the control end to the target service end. This realises active supervision of the target service end by the control end.
The control access relation configuration request generally includes control access reference information, and the target service end is selected from the at least one service end according to that information.
For example, the control access reference information may include a control access intent and a control access target. The control access intent may include at least one of traffic monitoring, data acquisition, script issuing and unified start/stop. The control access target is used to determine either all service ends or a selected subset of them.
Optionally, the selected service ends can be added or picked directly in the control access target; alternatively, they can be determined by a control target condition carried in the control access target.
In one particular implementation, the control target condition may be a performance class or a functional type of the target service end, for example database service ends, service ends whose CPU (Central Processing Unit) processing speed is below a preset speed, or service ends belonging to a specific network address segment.
In another optional embodiment, a target service end among the at least one service end responds to a control access relation configuration request by establishing a unidirectional control access relation from the target service end to the control end. This realises passive supervision of the target service end by the control end.
Here too the configuration request generally includes control access reference information, according to which the target service end is selected from the at least one service end.
For example, the control access reference information may include a control access intent and/or a control access target. The control access intent may include a report content category and the like; the control access target is the control end. In this unidirectional relation, where a service end accesses the control end, the control access target is always the control end, so the control end can be set in advance as the default control access target and needs no additional configuration.
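To make the active and passive supervision flows above concrete, here is an added Python model (not code from the patent or its assignee) of one control plane: each control NIC receives an address from the control-plane segment, an active request resolves its control access target either explicitly or by a control target condition (functional type, CPU speed below a preset value, or address segment), a passive request always targets the control end, and data may only flow along a configured one-way relation. The end names, the 10.10.0.0/24 segment and the intent labels are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Control access intents the description lists for active supervision.
ACTIVE_INTENTS = {"flow_monitoring", "data_acquisition",
                  "script_issuing", "unified_start_stop"}


@dataclass
class End:
    name: str
    role: str                 # "control" or "service"
    func_type: str = ""       # functional type, usable as a target condition
    cpu_ghz: float = 0.0      # performance class, usable as a target condition
    ctrl_addr: str = ""       # control NIC address, filled in when attached


class ControlPlane:
    """One control-plane segment, the control NICs attached to it, and the
    unidirectional access relations configured between them."""

    def __init__(self, segment: str):
        self.net = ipaddress.ip_network(segment)
        self._pool = iter(self.net.hosts())   # stands in for the segment's DHCP pool
        self.ends = {}
        # (src_name, dst_name) -> intents the relation was configured for.
        # Relations are one-way: (a, b) says nothing about b -> a.
        self.relations = {}

    def attach(self, end: End) -> str:
        """Assign the next free control-plane address to the end's control NIC."""
        end.ctrl_addr = str(next(self._pool))
        self.ends[end.name] = end
        return end.ctrl_addr

    def control_end(self) -> End:
        return next(e for e in self.ends.values() if e.role == "control")

    def select_targets(self, target: dict) -> list:
        """Resolve a control access target: all service ends, an explicit list,
        or every service end matching a control target condition."""
        services = [e for e in self.ends.values() if e.role == "service"]
        if target.get("all"):
            return services
        if "names" in target:
            return [e for e in services if e.name in target["names"]]
        cond = target.get("condition", {})
        chosen = []
        for e in services:
            if "func_type" in cond and e.func_type != cond["func_type"]:
                continue
            if "cpu_below_ghz" in cond and e.cpu_ghz >= cond["cpu_below_ghz"]:
                continue
            if "segment" in cond and (ipaddress.ip_address(e.ctrl_addr)
                                      not in ipaddress.ip_network(cond["segment"])):
                continue
            chosen.append(e)
        return chosen

    def _add(self, src: str, dst: str, intents) -> None:
        self.relations.setdefault((src, dst), set()).update(intents)

    def configure_active(self, request: dict) -> list:
        """Active supervision: control end -> each selected target service end."""
        intents = set(request["intent"])
        if not intents <= ACTIVE_INTENTS:
            raise ValueError(f"unknown control access intent: {intents - ACTIVE_INTENTS}")
        ctrl = self.control_end().name
        added = [(ctrl, t.name) for t in self.select_targets(request["target"])]
        for src, dst in added:
            self._add(src, dst, intents)
        return added

    def configure_passive(self, service_name: str, report_category: str) -> tuple:
        """Passive supervision: a service end reports to the control end. The
        target is always the control end, so the request does not name it."""
        if self.ends[service_name].role != "service":
            raise ValueError("only a service end can configure passive supervision")
        rel = (service_name, self.control_end().name)
        self._add(rel[0], rel[1], {report_category})
        return rel

    def can_transmit(self, src: str, dst: str, intent: str) -> bool:
        """Control-associated data flows only along a configured relation, in
        its configured direction, for a configured intent."""
        return intent in self.relations.get((src, dst), set())


def demo() -> ControlPlane:
    plane = ControlPlane("10.10.0.0/24")      # constructed control-plane segment
    plane.attach(End("ctrl", "control"))
    plane.attach(End("db1", "service", "database", 3.0))
    plane.attach(End("db2", "service", "database", 1.8))
    plane.attach(End("web1", "service", "web", 2.4))
    # traffic monitoring of every database service end (functional-type condition)
    plane.configure_active({"intent": ["flow_monitoring"],
                            "target": {"condition": {"func_type": "database"}}})
    # script issuing only to ends whose CPU is below 2.0 GHz (performance condition)
    plane.configure_active({"intent": ["script_issuing"],
                            "target": {"condition": {"cpu_below_ghz": 2.0}}})
    # web1 reports metrics to the control end (passive supervision)
    plane.configure_passive("web1", "metrics")
    return plane


if __name__ == "__main__":
    p = demo()
    for name, e in p.ends.items():
        print(name, e.ctrl_addr)
    print(sorted(p.relations))
```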
In an alternative embodiment, the control-plane network addresses may comprise at least one network protocol type, so that by constructing address spaces of different types the system can establish access relations between addresses of different protocol types.
Illustratively, the control-plane address may be IPv4 (Internet Protocol version 4) and/or IPv6 (Internet Protocol version 6), configured flexibly according to actual requirements.
In one particular implementation, if the control-plane address is IPv4, the address range reserved for the control plane may support, but is not limited to, class A, class B and class C network address segments.
Referring further to the service system shown in Fig. 2, a control security group is deployed on the control NIC of the control end and on the control NIC of each of the at least one service ends, so that fine-grained access control of control-plane traffic is realised through the control security group.
In an alternative embodiment, the control security group is used to configure five-tuple rules for the control access relations, so that source IP (Internet Protocol) address, source port, destination IP address, destination port and transport-layer protocol can be controlled precisely.
In another alternative embodiment, the control security group may also be used to configure access rights for the control access relations, enabling on-demand access for control procedures.
Optionally, an access blacklist can be configured to realise a "mutual trust" mode within the group, in which all control NICs on the control plane can communicate by default. Alternatively, an access whitelist can be configured to realise an "isolation" mode within the group, in which all control NICs on the control plane are isolated from each other by default.
Note that the control security group in the above embodiments may be implemented in software and/or hardware; for example, it may include at least one of a virtual firewall, a virtual router, a hardware firewall and a hardware switch.
For example: mutual trust is switched off in the control security group, so that all control NICs are isolated from each other by default; a security group rule for the control end to access a given target service end is then configured in the group, with the control end's source IP address src_ip and source port src_port, the target service end's destination IP address dst_ip and destination port dst_port, and the transport-layer protocol of the access relation. As a result, access from port src_port of src_ip to port dst_port of dst_ip using that transport-layer protocol is reachable, and access in any other way is unreachable.
Note that, to make it easier for the control end to manage the service ends, a unified management tool and a service management system may be deployed on the control end for the convenience of the administrator; for example, a unified agent or a database service management system may be deployed there.
Building on the above, and referring to the service system shown in Fig. 3, the control end and each service end are each additionally provided with a service NIC; each service NIC is assigned a service-plane network address from the service-plane address segment; service access relations are established between different service NICs; and a service NIC that holds a service access relation transmits service-associated data according to that relation.
For example, the current server (the control end or a service end) holding one of the service NICs responds to a service access relation configuration request by selecting a target server from the other servers, and establishes a service access relation between its own service NIC and the service NIC of the target server, so that service-associated data can be transmitted from the current server to the target server.
The service access relation configuration request generally includes service access reference information, according to which the target server is selected from the other servers.
For example, the service access reference information may include a service access intent and a service access target. The service access intent may include data issuing or data reporting, and may further include the data type of the issued or reported data. The service access target is used to determine at least one target server.
Optionally, the target server can be added or picked directly in the service access target; alternatively, it can be determined by a service target condition carried in the service access target.
In one particular implementation, the service target condition may be a performance class or a functional type of the target service end, for example an upstream service end, a downstream service end, or a service end belonging to a specific network address segment.
It can be understood that by placing service NICs in the control end and the service ends and transmitting service-associated data between service NICs over the service access relations, service-associated data and control-associated data are isolated from each other. This eases control and maintenance of the service system and improves its stability and the convergence of its network configuration.
In an alternative embodiment, the service NIC may be a physical NIC or a virtual NIC.
For example, a preset service protocol may be used to assign service-plane addresses to the service NICs dynamically; the protocol can be chosen by a technician according to actual needs or experience. The preset service protocol may be the same as or different from the preset control protocol; this application places no restriction on it.
Building on the above, and referring to the service system shown in Fig. 4, a service security group is deployed on the service NIC of the control end and on the service NIC of each of the at least one service ends, so that fine-grained access control of service-plane traffic is realised through the service security group.
In an alternative embodiment, the service security group is used to configure five-tuple rules for the service access relations, so that source IP (Internet Protocol) address, source port, destination IP address, destination port and transport-layer protocol can be controlled precisely.
In another alternative embodiment, the service security group may also be used to configure access rights for the service access relations, enabling on-demand access to service-associated data.
Optionally, an access blacklist can be configured to realise a "mutual trust" mode within the group, in which all service NICs on the service plane can communicate by default. Alternatively, an access whitelist can be configured to realise an "isolation" mode within the group, in which all service NICs on the service plane are isolated from each other by default.
Note that the service security group in the above embodiments may be implemented in software and/or hardware; for example, it may include at least one of a virtual firewall, a virtual router, a hardware firewall and a hardware switch.
For example: mutual trust is switched off in the service security group, so that all service NICs are isolated from each other by default; a security group rule for one service end to access a given target service end is then configured in the group, with the source IP address src_ip and source port src_port of the accessing service end, the destination IP address dst_ip and destination port dst_port of the target service end, and the transport-layer protocol of the access relation. As a result, access from port src_port of src_ip to port dst_port of dst_ip using that transport-layer protocol is reachable, and access in any other way is unreachable.
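The two security-group examples (the control security group of Fig. 2 and the service security group of Fig. 4) describe the same mechanism: a per-NIC group with a default mode plus five-tuple rules. The following added Python evaluator (not code from the patent or its assignee) implements that mechanism for both planes: in "isolation" mode the rules are a whitelist, in "mutual trust" mode a blacklist, and a flow between two NICs must pass the group on each side. The addresses, ports and protocols are constructed assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One five-tuple rule of a security group. IP fields take an address or a
    CIDR prefix; any field may be ANY."""
    src_ip: str
    src_port: int | str
    dst_ip: str
    dst_port: int | str
    proto: str

    def matches(self, pkt: dict) -> bool:
        return (_ip_match(self.src_ip, pkt["src_ip"])
                and _port_match(self.src_port, pkt["src_port"])
                and _ip_match(self.dst_ip, pkt["dst_ip"])
                and _port_match(self.dst_port, pkt["dst_port"])
                and self.proto in (ANY, pkt["proto"]))


def _ip_match(pattern: str, addr: str) -> bool:
    if pattern == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port: int) -> bool:
    return pattern == ANY or pattern == port


def packet(src_ip, src_port, dst_ip, dst_port, proto) -> dict:
    """A constructed five-tuple standing in for one packet on the plane."""
    return {"src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto}


class SecurityGroup:
    """Security group attached to one NIC. In "isolation" mode the rules are a
    whitelist and everything else is dropped; in "mutual_trust" mode the rules
    are a blacklist and everything else passes."""

    MODES = ("isolation", "mutual_trust")

    def __init__(self, mode: str):
        if mode not in self.MODES:
            raise ValueError(f"mode must be one of {self.MODES}")
        self.mode = mode
        self.rules: list[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def allows(self, pkt: dict) -> bool:
        hit = any(r.matches(pkt) for r in self.rules)
        return hit if self.mode == "isolation" else not hit


def reachable(src_group: SecurityGroup, dst_group: SecurityGroup, pkt: dict) -> bool:
    """A flow is reachable only if the groups on both NICs allow it. The check is
    stateless, so reply traffic needs its own rule (or a stateful group)."""
    return src_group.allows(pkt) and dst_group.allows(pkt)


def demo_isolation() -> SecurityGroup:
    """Mutual trust switched off: only the configured control-end -> target tuple passes."""
    sg = SecurityGroup("isolation")
    # constructed: control end 10.10.0.1:40000 -> target service end 10.10.0.2:22 over TCP
    sg.add_rule(Rule("10.10.0.1", 40000, "10.10.0.2", 22, "tcp"))
    return sg


def demo_mutual_trust() -> SecurityGroup:
    """Mutual trust on: every NIC on the plane talks by default, except blacklisted tuples."""
    sg = SecurityGroup("mutual_trust")
    # constructed: nothing on the plane may reach the database port of 10.10.0.2
    sg.add_rule(Rule("10.10.0.0/24", ANY, "10.10.0.2", 3306, "tcp"))
    return sg
```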
Note that the above is only a preferred embodiment of the present application and the technical principle applied. It will be understood by those skilled in the art that the present application is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the application. Therefore, while the application has been described in connection with the above embodiments, the application is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the application, which is set forth in the following claims.

Claims (8)

1. A service system, comprising a management-and-control end (hereafter "control end") and at least one service end, wherein:
the control end and each service end are each provided with a control network card (NIC);
each control NIC is assigned a control-plane network address from the control-plane address segment;
a control access relation is established between the control NIC of the control end and the control NIC of each of the at least one service ends;
a control NIC that holds the control access relation transmits control-associated data according to that relation;
establishing the control access relation between the control NIC of the control end and the control NIC of each of the at least one service ends comprises: the control NIC of the control end responding to a first control access relation configuration request by selecting a target service end from the at least one service end, and establishing a unidirectional control access relation from the control NIC of the control end to the target service end;
the first control access relation configuration request comprises first control access reference information; the first control access reference information comprises a first control access intent and a first control access target; the first control access intent comprises at least one of traffic monitoring, data acquisition, script issuing and unified start/stop; and the first control access target is used to determine all service ends or a selected subset of service ends;
or alternatively
establishing the control access relation between the control NIC of the control end and the control NIC of each of the at least one service ends comprises: a target service end among the at least one service end responding to a second control access relation configuration request by establishing a unidirectional control access relation from the target service end to the control end;
the second control access relation configuration request comprises second control access reference information; the second control access reference information comprises a second control access intent and/or a second control access target; the second control access intent comprises a report content category; and the second control access target is the control end.
2. The service system of claim 1, wherein a control security group is deployed on the control NICs of the control end and of the at least one service end.
3. The service system of claim 2, wherein the control security group is used to configure five-tuple rules and/or access rights of the control access relation.
4. The service system of claim 2, wherein the control security group is implemented based on at least one of: a virtual firewall, a virtual router, a hardware firewall and a hardware switch.
5. The service system of claim 1, wherein the control-plane network address comprises at least one network protocol type.
6. The service system of claim 1, wherein the control end and each service end are each further provided with a service NIC;
each service NIC is assigned a service-plane network address from the service-plane address segment;
service access relations are established between different service NICs; and
a service NIC that holds the service access relation transmits service-associated data according to that relation.
7. The service system of any one of claims 1 to 5, wherein the control end and each service end are implemented based on a virtual private cloud.
8. The service system of claim 7, wherein the control NIC is a virtual NIC.

Priority Application (1)

Application Number Priority Date Filing Date Title
CN202111368332.1A 2021-11-18 2021-11-18 Service system

Publications (2)

Publication Number Publication Date
CN114095357A (en) 2022-02-25
CN114095357B (en) 2024-05-14

Family

ID=80301547

Country Status (1)

Country Link
CN (1) CN114095357B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant