CN114389886B - Access method, device, equipment and storage medium of virtual private cloud service - Google Patents


Info

Publication number
CN114389886B
Authority
CN
China
Prior art keywords
service
private cloud
virtual private
accessed
cloud service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210044198.8A
Other languages
Chinese (zh)
Other versions
CN114389886A (en)
Inventor
王艳
孟宪宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN202210044198.8A
Publication of CN114389886A
Priority to PCT/CN2022/089868 (WO2023134066A1)
Application granted
Publication of CN114389886B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The application relates to artificial intelligence, and provides a method, a device, equipment and a storage medium for accessing virtual private cloud service, wherein a target service is accessed through a virtual firewall component and a first address mapping in the virtual firewall component, and an interface service is accessed based on the target service, wherein the first address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and an IP of a host to which the interface service belongs; and determining the service IP of the accessed virtual private cloud service through the interface service, and forwarding an access request to the accessed virtual private cloud service according to the service IP. Based on address mapping in the virtual firewall component, the inter-access of the internal and external isolation objects of the virtual private cloud is realized, the problem that the virtual private cloud service is failed to be accessed due to the isolation of the virtual private cloud is avoided, the access success rate of the virtual private cloud service is improved, and the user experience is improved.

Description

Access method, device, equipment and storage medium of virtual private cloud service
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a computer readable storage medium for accessing a virtual private cloud service.
Background
Tenant isolation based on the virtual private cloud (VPC) is a common approach in the cloud computing field. Kubernetes (K8S for short) is used as a container-based infrastructure platform shared by multiple tenants. In a Kubernetes cluster, the pod is the basis of all traffic types and the minimum unit managed by K8S; it is a combination of one or more containers. When a service (VPC pod) in a VPC is accessed, the access object must call the service discovery service (CoreDNS) or the configuration control service (Ingress Controller) to determine the service IP (pod IP) corresponding to the accessed VPC pod, so it first has to reach the interface service of the accessed VPC pod. However, when there is isolation between the access object and the interface service of the accessed virtual private cloud service, or the access object does not have access rights (rights to access the interface service of the accessed virtual private cloud service), the access fails.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment and a computer readable storage medium for accessing virtual private cloud services, and aims to solve the technical problem that services in different virtual private clouds cannot be accessed due to virtual private cloud isolation.
In order to achieve the above object, the present invention provides a method for accessing a virtual private cloud service, where the method for accessing a virtual private cloud service includes: accessing a target service through a virtual firewall component and a first address mapping in the virtual firewall component, and accessing an interface service based on the target service, wherein the first address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and an IP of a host to which the interface service belongs; and determining the service IP of the accessed virtual private cloud service through the interface service, and forwarding an access request to the accessed virtual private cloud service according to the service IP.
In addition, in order to achieve the above object, the present invention further provides an access device for a virtual private cloud service, where the access device for a virtual private cloud service includes: the interface service access module is used for accessing the target service through a virtual firewall component and a first address mapping in the virtual firewall component and accessing the interface service based on the target service, wherein the first address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and an IP of a host to which the interface service belongs; and the access request forwarding module is used for determining the service IP of the accessed virtual private cloud service through the interface service and forwarding the access request to the accessed virtual private cloud service according to the service IP.
In addition, in order to achieve the above object, the present invention further provides an access device for a virtual private cloud service, where the access device for a virtual private cloud service includes a processor, a memory, and an access program for a virtual private cloud service stored on the memory and executable by the processor, where the access program for a virtual private cloud service implements the steps of the access method for a virtual private cloud service described above when executed by the processor.
In addition, in order to achieve the above object, the present invention further provides a computer readable storage medium, where an access program for a virtual private cloud service is stored on the computer readable storage medium, where the access program for the virtual private cloud service, when executed by a processor, implements the steps of the method for accessing a virtual private cloud service as described above.
The invention provides an access method of virtual private cloud service, which accesses target service through a virtual firewall component and a first address mapping in the virtual firewall component, and accesses interface service based on the target service, wherein the first address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and an IP of a host to which the interface service belongs; and determining the service IP of the accessed virtual private cloud service through the interface service, and forwarding an access request to the accessed virtual private cloud service according to the service IP. By the method, based on address mapping in the virtual firewall component, mutual access of objects inside and outside the virtual private cloud is realized, the problem that access to the virtual private cloud service fails due to isolation of the virtual private cloud is avoided, the access success rate of the virtual private cloud service is improved, the user experience is improved, and the technical problem that services in different virtual private clouds cannot be accessed due to isolation of the virtual private cloud is solved.
Drawings
Fig. 1 is a schematic hardware structure of an access device of a virtual private cloud service according to an embodiment of the present invention;
fig. 2 is a flow chart of a first embodiment of an access method of a virtual private cloud service according to the present invention;
fig. 3 is a schematic diagram of an access process of the virtual private cloud service of the present invention;
fig. 4 is a flowchart of a second embodiment of an access method for a virtual private cloud service according to the present invention;
fig. 5 is a flowchart illustrating a third embodiment of a method for accessing a virtual private cloud service according to the present invention;
fig. 6 is a schematic functional block diagram of a first embodiment of an access device for a virtual private cloud service according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The access method of the virtual private cloud service is mainly applied to the access equipment of the virtual private cloud service, and the access equipment of the virtual private cloud service can be equipment with display and processing functions such as a PC, a portable computer and a mobile terminal.
Referring to fig. 1, fig. 1 is a schematic hardware structure of an access device of a virtual private cloud service according to an embodiment of the present invention. In an embodiment of the present invention, the access device of the virtual private cloud service may include a processor 1001 (e.g. CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components; the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); the network interface 1004 may optionally include a standard wired interface or a wireless interface (e.g., WI-FI interface); the memory 1005 may be a high-speed RAM memory or a stable memory (non-volatile memory), such as a disk memory, and the memory 1005 may alternatively be a storage device independent of the processor 1001.
Those skilled in the art will appreciate that the hardware architecture shown in fig. 1 does not constitute a limitation of access devices to virtual private cloud services, and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
With continued reference to fig. 1, the memory 1005 in fig. 1, which is a computer readable storage medium, may include an operating system, a network communication module, and an access program for a virtual private cloud service.
In fig. 1, the network communication module is mainly used for connecting with a server and performing data communication with the server; the processor 1001 may call an access program of the virtual private cloud service stored in the memory 1005, and execute the access method of the virtual private cloud service provided by the embodiment of the present invention.
The embodiment of the invention provides a virtual private cloud service access method.
Referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of a method for accessing a virtual private cloud service according to the present invention.
In this embodiment, the access method of the virtual private cloud service includes the following steps:
step S10, accessing a target service through a virtual firewall component and a first address mapping in the virtual firewall component, and accessing an interface service based on the target service, wherein the first address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and an IP of a host to which the interface service belongs;
in the K8S cluster network environment based on VPC isolation, since each pod located in the VPC network (VPC network is defined as a service network) cannot directly access a domain name resolution service (such as a service discovery CoreDNS service or a configuration control Ingress Controller service) located in the cloud network (a host network of K8S cluster nodes is defined as a cloud network), in this embodiment, by adding a virtual firewall component vfw (i.e., a virtual firewall plug-in), and pre-configuring an address mapping in vfw, cross-network access is achieved.
In this embodiment, the access types are classified into three types:
the first is that an access object outside the K8S cluster accesses a pod instance inside the K8S cluster, as in fig. 3, VPC1 and VPC2 belong to the same cluster and different VPCs, and an access object outside the cluster accesses a pod instance inside the cluster. The access object in the type needs to go through the corresponding service (Ingress Controller service), and two address mappings (namely, a mapping between the foreign network IP and the VPC IP of the VPC pod and a mapping between the VPC IP of the accessed VPC pod and the host IP to which the service for obtaining the pod IP of the accessed object belongs) are added to access in vfw;
the second is that pod instances within different VPCs within the K8S cluster access each other, as in fig. 3 where the pod in VPC1 accesses the pod in VPC2. The access object in this type needs to pass through the corresponding service (CoreDNS service), and two address mappings (namely, a mapping between the VPC IP of the accessed VPC pod and the VPC IP to which the access object belongs, and a mapping between the VPC IP of the accessed VPC pod and the host IP to which the service (CoreDNS service) for acquiring the pod IP of the accessed object belongs) are added in vfw;
the third is that pod instances within the same VPC within the K8S cluster access each other, as in fig. 3 where a pod in VPC1 accesses another pod in VPC1. The access object in this type needs to go through the corresponding service (CoreDNS service), and one address mapping (i.e., a mapping between the VPC IP of the accessed VPC pod and the host IP to which the service (CoreDNS service) for acquiring the pod IP of the accessed object belongs) is added in vfw.
Specifically, a mapping between the VPC IP of the visited VPC pod and the IP of the host to which the interface service belongs is added in vfw, that is, an interface service located in the cloud management network may be accessed to determine the pod IP of the visited VPC pod through the interface service.
And step S20, determining the service IP of the accessed virtual private cloud service through the interface service, and forwarding an access request to the accessed virtual private cloud service according to the service IP.
In this embodiment, the Cluster IP of the VPC pod is determined by obtaining the service domain name record in the Apiserver service, and the Cluster IP is returned to the VPC pod; the VPC pod converts the Cluster IP into the pod IP through the iptables NAT rule built into K8S (used to implement network address translation), and the access corresponding to the pod IP is forwarded to the backend pod instance corresponding to the service.
Further, the determining, by the interface service, the service IP of the accessed virtual private cloud service specifically includes:
acquiring a service domain name record through the interface service, and determining a target cluster IP corresponding to the accessed virtual private cloud service according to the service corresponding to the accessed virtual private cloud service in the service domain name record;
and converting the target cluster IP into the target service IP according to a preset rule.
In this embodiment, the interface service stores a service domain name record, where the service domain name record includes each service and its corresponding cluster IP (Cluster IP). And determining the target cluster IP of the service to which the accessed VPC pod belongs in a service domain name record through the service corresponding to the accessed VPC pod (namely the service to which the accessed VPC pod belongs), and marking the target cluster IP as the target cluster IP corresponding to the accessed VPC pod. And then converting the target Cluster IP into the target pod IP through an IPTables Nat rule built in the K8S, namely forwarding the access of the target Cluster IP to a back-end pod instance corresponding to the service to which the accessed VPC pod belongs.
The embodiment provides a method for accessing a virtual private cloud service, which accesses a target service through a virtual firewall component and a first address mapping in the virtual firewall component, and accesses an interface service based on the target service, wherein the first address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and an IP of a host to which the interface service belongs; and determining the service IP of the accessed virtual private cloud service through the interface service, and forwarding an access request to the accessed virtual private cloud service according to the service IP. By the method, based on address mapping in the virtual firewall component, mutual access of objects inside and outside the virtual private cloud is realized, the problem that access to the virtual private cloud service fails due to isolation of the virtual private cloud is avoided, the access success rate of the virtual private cloud service is improved, the user experience is improved, and the technical problem that services in different virtual private clouds cannot be accessed due to isolation of the virtual private cloud is solved.
Referring to fig. 4, fig. 4 is a flowchart illustrating a second embodiment of an access method for a virtual private cloud service according to the present invention.
Based on the embodiment shown in fig. 2, in this embodiment, the step S10 specifically includes:
step S11, when an access object and the accessed virtual private cloud service do not belong to the same cluster, analyzing an external domain name of the access object based on an external domain name analysis service, and determining an external network IP corresponding to the external domain name;
step S12, accessing the virtual firewall component through a service corresponding to the accessed virtual private cloud service, and accessing a corresponding configuration control service through a second address mapping in the virtual firewall component, wherein the second address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and an external network IP;
and step S13, accessing the interface service corresponding to the accessed virtual private cloud service through the configuration control service and based on the virtual firewall and the first address mapping.
In this embodiment, the access object may be at least one of a mobile terminal, a web page, a terminal, and a client outside the cluster. A set of Ingress Controllers is deployed for each VPC, using the commonly used nginx as the Ingress Controller, and a unique class name is assigned through the --ingress-class parameter, so that the Ingress Controller of a VPC can be determined by its ingress class.
Configuration is performed in advance in the Ingress Controller, i.e. Apiserver access is directed to the cluster IP of the accessed VPC pod by means of the --kubeconfig parameter.
Then, when it is detected that an access object outside the cluster accesses a VPC pod in the cluster, the external domain name of the access object is first resolved based on the external DNS, thereby determining the external network IP corresponding to the external domain name. After the external network IP is determined, the Ingress Controller service in the VPC network to which the accessed VPC pod belongs is accessed through the second address mapping configured in vfw between the VPC IP of the accessed VPC pod and the external network IP (i.e. vfw proxies the external network IP to the VPC Ingress Controller IP), so as to access the interface service corresponding to the accessed VPC pod through the Ingress Controller service (i.e. vfw proxies the Ingress Controller service to the Apiserver service located at the host IP).
Further, the step S12 further includes:
and acquiring an access link of the access object to the accessed virtual private cloud service, and comparing the access link with a preset configuration rule through the configuration control service to determine the service corresponding to the accessed virtual private cloud service.
In this embodiment, since there are multiple services in one cluster, the Ingress Controller service needs to compare the access link URL corresponding to the accessed VPC pod (i.e. the link through which the external domain name accesses the VPC pod, such as http://abc.com:80/svc1) with the configuration rule (which records the Ingress rule of each URL and its corresponding service), and determines the service group of the service to which the accessed VPC pod belongs according to the comparison result. The Ingress Controller service can then determine the accessed VPC pod from the service group of that service in the Apiserver (i.e. it points to the proxy VPC IP configured in the kubeconfig parameter), so as to forward the service traffic to the corresponding backend pod instance of the Service (i.e. the accessed VPC pod).
Referring to fig. 5, fig. 5 is a flowchart illustrating a third embodiment of a method for accessing a virtual private cloud service according to the present invention.
Based on the embodiment shown in fig. 2, in this embodiment, the step S10 further includes:
step S14, when the access object and the accessed virtual private cloud service belong to the same cluster and the same virtual private cloud, determining a service corresponding to the accessed virtual private cloud service based on a service name corresponding to the accessed virtual private cloud service;
step S15, accessing the virtual firewall component through the service corresponding to the accessed virtual private cloud service, and accessing a service discovery service through a first address mapping in the virtual firewall component;
and step S16, accessing the interface service corresponding to the accessed virtual private cloud service through the service discovery service.
In this embodiment, a set of CoreDNS services is configured in advance and deployed globally in the K8S cluster in hostNetwork mode, and the mapping between the VPC IP of the destination VPC pod and the host IP to which the CoreDNS service belongs is configured in vfw, so that the pod IP of the destination VPC pod is resolved through the CoreDNS service; each VPC (the VPC IP of the VPC pod) maps to one host IP (i.e. the host IP to which the CoreDNS service belongs), which implements service access across the host cloud management network and the service VPC network plane.
When the access object and the accessed VPC pod belong to the same cluster and the same VPC, the service corresponding to the accessed VPC pod is determined based on the service name corresponding to the accessed VPC pod. Since both belong to the same VPC network, there is no network isolation, so the service corresponding to the accessed VPC pod can be accessed directly. Service domain name resolution is then performed according to the nameserver configured in the accessed VPC pod (i.e. pointing to the CoreDNS service): the CoreDNS service located in the host network is accessed through the vfw proxy (based on the mapping between the VPC IP of the accessed VPC pod and the IP of the host to which the interface service belongs), the CoreDNS service determines the Cluster IP of the VPC pod by obtaining the service domain name record from the Apiserver service and returns the Cluster IP to the VPC pod, the VPC pod converts the Cluster IP into the pod IP through the iptables NAT rule built into K8S (used to implement network address translation), and the access corresponding to the pod IP is forwarded to the backend pod instance corresponding to the service.
Further, before the step of accessing the service discovery service by the service corresponding to the accessed virtual private cloud service accessing the virtual firewall component and through the first address mapping in the virtual firewall component, the method further includes:
and when the access object and the accessed virtual private cloud service belong to the same cluster and do not belong to the same virtual private cloud, accessing the service corresponding to the accessed virtual private cloud service through a third address mapping in the virtual firewall component and the virtual firewall component, wherein the third address mapping is a mapping between a virtual private cloud IP of the virtual private cloud to which the access object belongs and a virtual private cloud IP of the accessed virtual private cloud service.
In this embodiment, when the access object and the accessed VPC pod belong to the same cluster and do not belong to the same VPC, a mapping between the VPC IP of the VPC to which the access object belongs and the VPC IP of the accessed VPC pod needs to be added in the virtual firewall component to implement cross-network service access.
Further, before the step of accessing the virtual firewall component through the service corresponding to the accessed virtual private cloud service and accessing the service discovery service through the first address mapping in the virtual firewall component, the method further includes:
and setting a mark of a preset external domain name resolution strategy corresponding to the accessed virtual private cloud service as a preset mark, and adding an access service discovery service and a corresponding address mapping in an external domain name resolution server in the external domain name resolution configuration.
In this embodiment, dnsPolicy determines the preset DNS configuration policy within the pod (None means no policy is applied and the configuration depends on the dnsConfig in the Pod Spec; Default means the DNS configuration of the pod is inherited entirely from the node). That is, dnsPolicy in the VPC pod is configured as the preset flag None, and the nameservers in dnsConfig of the VPC pod are set to the address mapping to CoreDNS.
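As an added illustration (not the patent's own code and not the vfw plug-in), the following Python model follows the three access types of fig. 3 and steps S11 to S16 above: the access object reaches the interface service only through an explicit vfw address mapping, the service domain name record yields the Cluster IP, and the NAT rule converts it into the pod IP. Every address, service name and rule is constructed for the example, and a pair with no vfw mapping fails, which is the isolation failure the background describes.

```python
"""Added example (not from the patent): model of the vfw address-mapping lookup
and the Cluster IP -> Pod IP hop for the three access types. All values are
constructed sample data."""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Cluster:
    """Constructed K8S cluster state shared by all three access types."""
    host_ip: str                                          # cloud-network host IP of CoreDNS / Apiserver
    vpc_ip: dict = field(default_factory=dict)            # VPC name -> VPC IP used in vfw mappings
    service_records: dict = field(default_factory=dict)   # service domain name record: name -> Cluster IP
    nat_rules: dict = field(default_factory=dict)         # iptables NAT: Cluster IP -> backend pod IP
    ingress_rules: dict = field(default_factory=dict)     # Ingress rule: URL path -> service name
    external_dns: dict = field(default_factory=dict)      # external DNS: domain -> external network IP


class VirtualFirewall:
    """vfw holds explicit (src, dst) address mappings; an unmapped pair is rejected."""

    def __init__(self):
        self.mappings = set()

    def add_mapping(self, src_ip, dst_ip):
        self.mappings.add((src_ip, dst_ip))

    def proxy(self, src_ip, dst_ip):
        if (src_ip, dst_ip) not in self.mappings:
            raise PermissionError(f"vfw: no mapping {src_ip} -> {dst_ip}")
        return dst_ip


def resolve_pod_ip(cluster, vfw, vpc_name, service_name):
    """Step S20: reach the interface service on the host IP through the first
    address mapping, read the Cluster IP from the service domain name record,
    then apply the NAT rule to obtain the backend pod IP."""
    vfw.proxy(cluster.vpc_ip[vpc_name], cluster.host_ip)   # first address mapping
    cluster_ip = cluster.service_records[service_name]
    return cluster.nat_rules[cluster_ip]


def access_from_outside(cluster, vfw, url, target_vpc):
    """Type 1 (S11-S13): external access object -> Ingress Controller -> Apiserver."""
    parsed = urlparse(url)
    external_ip = cluster.external_dns[parsed.hostname]        # S11: external DNS
    vfw.proxy(external_ip, cluster.vpc_ip[target_vpc])         # S12: second address mapping
    service_name = cluster.ingress_rules[parsed.path]          # URL compared with Ingress rule
    return resolve_pod_ip(cluster, vfw, target_vpc, service_name)  # S13


def access_from_pod(cluster, vfw, src_vpc, target_vpc, service_name):
    """Types 2 and 3 (S14-S16): in-cluster pod -> CoreDNS -> Apiserver."""
    if src_vpc != target_vpc:
        # across VPCs the third address mapping between the two VPC IPs is required
        vfw.proxy(cluster.vpc_ip[src_vpc], cluster.vpc_ip[target_vpc])
    return resolve_pod_ip(cluster, vfw, target_vpc, service_name)


def build_cluster():
    """Constructed sample cluster: two VPCs, two services, one external domain."""
    c = Cluster(host_ip="192.168.0.10")
    c.vpc_ip = {"VPC1": "10.1.0.1", "VPC2": "10.2.0.1"}
    c.service_records = {"svc1": "172.20.0.5", "svc2": "172.20.0.6"}
    c.nat_rules = {"172.20.0.5": "10.1.1.17", "172.20.0.6": "10.2.1.23"}
    c.ingress_rules = {"/svc1": "svc1"}
    c.external_dns = {"abc.com": "203.0.113.7"}
    return c


def build_vfw(cluster, cross_vpc=True):
    """Pre-configure the vfw mappings; cross_vpc=False omits the third mapping."""
    vfw = VirtualFirewall()
    for vpc in cluster.vpc_ip.values():
        vfw.add_mapping(vpc, cluster.host_ip)                  # first mapping, one per VPC
    vfw.add_mapping("203.0.113.7", cluster.vpc_ip["VPC1"])     # second mapping for external access
    if cross_vpc:
        vfw.add_mapping(cluster.vpc_ip["VPC1"], cluster.vpc_ip["VPC2"])  # third mapping
    return vfw


if __name__ == "__main__":
    c = build_cluster()
    print(access_from_outside(c, build_vfw(c), "http://abc.com:80/svc1", "VPC1"))
    print(access_from_pod(c, build_vfw(c), "VPC1", "VPC2", "svc2"))
```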
In addition, the embodiment of the invention also provides an access device of the virtual private cloud service.
Referring to fig. 6, fig. 6 is a schematic functional block diagram of a first embodiment of an access device for a virtual private cloud service according to the present invention.
In this embodiment, the access device for a virtual private cloud service includes:
an interface service accessing module 10, configured to access a target service through a virtual firewall component and a first address mapping in the virtual firewall component, and access an interface service based on the target service, where the first address mapping is a mapping between a virtual private cloud IP of an accessed virtual private cloud service and an IP of a host to which the interface service belongs;
and the access request forwarding module 20 is configured to determine a service IP of the accessed virtual private cloud service through the interface service, and forward an access request to the accessed virtual private cloud service according to the service IP.
Further, the interface service access module 10 specifically includes:
the external domain name resolution unit is used for resolving the external domain name of the access object based on the external domain name resolution service when the access object and the accessed virtual private cloud service do not belong to the same cluster, and determining an external network IP corresponding to the external domain name;
a control service access unit, configured to access the virtual firewall component through a service corresponding to the accessed virtual private cloud service, and access a corresponding configuration control service through a second address mapping in the virtual firewall component, where the second address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and the external network IP;
and the first interface service access unit is used for accessing the interface service corresponding to the accessed virtual private cloud service through the configuration control service and based on the virtual firewall and the first address mapping.
Further, the interface service access module 10 specifically further includes:
and the first service confirmation unit is used for acquiring an access link of the access object to the accessed virtual private cloud service, and comparing the access link with a preset configuration rule through the configuration control service to determine the service corresponding to the accessed virtual private cloud service.
Further, the interface service access module 10 specifically includes:
the second service confirmation unit is used for determining the service corresponding to the accessed virtual private cloud service based on the service name corresponding to the accessed virtual private cloud service when the access object and the accessed virtual private cloud service belong to the same cluster and belong to the same virtual private cloud;
a discovery service access unit, configured to access the virtual firewall component through a service corresponding to the accessed virtual private cloud service, and access a service discovery service through a first address mapping in the virtual firewall component;
and the second interface service access unit is used for accessing the interface service corresponding to the accessed virtual private cloud service through the service discovery service.
Further, the interface service access module 10 specifically further includes:
and the accessed service access module is used for accessing the service corresponding to the accessed virtual private cloud service through a third address mapping in the virtual firewall component and the virtual firewall component when the access object and the accessed virtual private cloud service belong to the same cluster and do not belong to the same virtual private cloud, wherein the third address mapping is a mapping between the virtual private cloud IP of the virtual private cloud to which the access object belongs and the virtual private cloud IP of the accessed virtual private cloud service.
Further, the interface service access module 10 specifically further includes:
and the address mapping configuration unit is used for setting a mark of a preset external domain name resolution strategy corresponding to the accessed virtual private cloud service as a preset mark, and adding an access service discovery service and a corresponding address mapping in an external domain name resolution server in the external domain name resolution configuration.
Further, the access request forwarding module 20 specifically further includes:
the cluster IP determining module is used for acquiring a service domain name record through the interface service and determining a target cluster IP corresponding to the accessed virtual private cloud service according to the service corresponding to the accessed virtual private cloud service in the service domain name record;
and the Pod IP conversion module is used for converting the target cluster IP into the target service IP according to a preset rule.
Each module in the access device of the virtual private cloud service corresponds to a step in the embodiment of the access method of the virtual private cloud service, and the functions and implementation processes of the modules are not described in detail again herein.
In addition, the embodiment of the invention also provides a computer readable storage medium.
The computer readable storage medium of the invention stores an access program of the virtual private cloud service, wherein when the access program of the virtual private cloud service is executed by a processor, the steps of the access method of the virtual private cloud service are realized.
For the method implemented when the access program of the virtual private cloud service is executed, reference may be made to the embodiments of the access method of the virtual private cloud service according to the present invention, which are not described again herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The subject application is operational with numerous general purpose or special purpose computer system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. An access method for a virtual private cloud service, characterized by comprising the following steps:
accessing a target service through a virtual firewall component and a first address mapping in the virtual firewall component, and accessing an interface service based on the target service, wherein the first address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and an IP of a host to which the interface service belongs;
and determining the service IP of the accessed virtual private cloud service through the interface service, and forwarding an access request to the accessed virtual private cloud service according to the service IP.
2. The method for accessing a virtual private cloud service according to claim 1, wherein the accessing a target service through a virtual firewall component and a first address mapping in the virtual firewall component, and accessing an interface service based on the target service specifically comprises:
when an access object and the accessed virtual private cloud service do not belong to the same cluster, analyzing an external domain name of the access object based on an external domain name analysis service, and determining an external network IP corresponding to the external domain name;
accessing the virtual firewall component through a service corresponding to the accessed virtual private cloud service, and accessing a corresponding configuration control service through a second address mapping in the virtual firewall component, wherein the second address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and the external network IP;
and accessing the interface service corresponding to the accessed virtual private cloud service through the configuration control service and based on the virtual firewall and the first address mapping.
3. The method for accessing a virtual private cloud service according to claim 2, wherein when the access object and the accessed virtual private cloud service do not belong to the same cluster, the method further comprises, before the step of resolving an external domain name of the access object based on an external domain name resolution service and determining an external network IP corresponding to the external domain name:
and acquiring an access link of the access object to the accessed virtual private cloud service, and comparing the access link with a preset configuration rule through the configuration control service to determine the service corresponding to the accessed virtual private cloud service.
4. The method for accessing a virtual private cloud service as recited in claim 1, wherein the accessing a target service through a virtual firewall component and a first address mapping in the virtual firewall component and accessing an interface service based on the target service comprises:
when an access object and the accessed virtual private cloud service belong to the same cluster and belong to the same virtual private cloud, determining a service corresponding to the accessed virtual private cloud service based on a service name corresponding to the accessed virtual private cloud service;
accessing the virtual firewall component through the service corresponding to the accessed virtual private cloud service, and accessing a service discovery service through a first address mapping in the virtual firewall component;
and accessing the interface service corresponding to the accessed virtual private cloud service through the service discovery service.
5. The method for accessing a virtual private cloud service as recited in claim 4, wherein, before the step of accessing the virtual firewall component through the service corresponding to the accessed virtual private cloud service and accessing the service discovery service through a first address mapping in the virtual firewall component, the method further comprises:
and when the access object and the accessed virtual private cloud service belong to the same cluster and do not belong to the same virtual private cloud, accessing the service corresponding to the accessed virtual private cloud service through a third address mapping in the virtual firewall component and the virtual firewall component, wherein the third address mapping is a mapping between a virtual private cloud IP of the virtual private cloud to which the access object belongs and a virtual private cloud IP of the accessed virtual private cloud service.
6. The method for accessing a virtual private cloud service as recited in claim 4, wherein, before the step of accessing the virtual firewall component through the service corresponding to the accessed virtual private cloud service and accessing the service discovery service through a first address mapping in the virtual firewall component, the method further comprises:
and setting a mark of a preset external domain name resolution strategy corresponding to the accessed virtual private cloud service as a preset mark, and adding an access service discovery service and a corresponding address mapping in an external domain name resolution server in the external domain name resolution configuration.
7. The method for accessing a virtual private cloud service according to any one of claims 1 to 6, wherein the determining, by the interface service, a service IP of the accessed virtual private cloud service specifically includes:
acquiring a service domain name record through the interface service, and determining a target cluster IP corresponding to the accessed virtual private cloud service according to the service corresponding to the accessed virtual private cloud service in the service domain name record;
and converting the target cluster IP into a target service IP according to a preset rule.
8. An access device for a virtual private cloud service, wherein the access device for the virtual private cloud service comprises:
the interface service access module is used for accessing the target service through a virtual firewall component and a first address mapping in the virtual firewall component and accessing the interface service based on the target service, wherein the first address mapping is a mapping between a virtual private cloud IP of the accessed virtual private cloud service and an IP of a host to which the interface service belongs;
and the access request forwarding module is used for determining the service IP of the accessed virtual private cloud service through the interface service and forwarding the access request to the accessed virtual private cloud service according to the service IP.
9. An access device for a virtual private cloud service, wherein the access device for a virtual private cloud service comprises a processor, a memory, and an access program for a virtual private cloud service stored on the memory and executable by the processor, wherein the access program for a virtual private cloud service, when executed by the processor, implements the steps of the access method for a virtual private cloud service according to any one of claims 1 to 7.
10. A computer readable storage medium, wherein an access program for a virtual private cloud service is stored on the computer readable storage medium, wherein the access program for the virtual private cloud service, when executed by a processor, implements the steps of the access method for a virtual private cloud service according to any of claims 1 to 7.
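The claims above describe one decision procedure with three branches (different cluster; same cluster and same VPC; same cluster but different VPC), each gated by an explicit address mapping in the virtual firewall component, followed by the interface service resolving a service domain name record to a cluster IP and then to a service IP. The following Python model is an added illustration of that procedure as claimed; it is not code from the patent or its assignee. Every name, table and IP address in it is constructed for the example, and the "preset rule" of claim 7 that converts a cluster IP into a service IP is modelled as a lookup table, which is an assumption (the patent does not specify the rule). The security-relevant point the model makes explicit is deny-by-default: a request whose source and target have no matching first, second or third address mapping is refused rather than forwarded.

```python
"""Illustrative model (added example, not the patent's code) of the access
procedure in claims 1-7. All identifiers, tables and addresses are constructed
for this example."""
from dataclasses import dataclass, field
from enum import Enum


class Route(Enum):
    CROSS_CLUSTER = "different cluster"               # claims 2 and 3
    SAME_VPC = "same cluster, same VPC"               # claim 4
    CROSS_VPC = "same cluster, different VPC"         # claim 5


class AccessDenied(Exception):
    """Raised when a step finds no matching mapping or rule (deny by default)."""


@dataclass(frozen=True)
class AccessObject:
    cluster: str
    vpc: str
    vpc_ip: str
    external_domain: str = ""   # used only on the cross-cluster path (claim 2)
    access_link: str = ""       # matched against configuration rules (claim 3)


@dataclass(frozen=True)
class VpcService:
    name: str
    cluster: str
    vpc: str
    vpc_ip: str


@dataclass
class VirtualFirewall:
    """The three address mappings of the claims. A lookup that misses raises
    AccessDenied: where there is no mapping, nothing is forwarded."""
    first: dict = field(default_factory=dict)   # service VPC IP -> interface-service host IP
    second: dict = field(default_factory=dict)  # service VPC IP -> external network IP
    third: dict = field(default_factory=dict)   # (access-object VPC IP, service VPC IP) -> True

    @staticmethod
    def lookup(table, key, what):
        if key not in table:
            raise AccessDenied(f"no {what} for {key!r}")
        return table[key]


@dataclass
class InterfaceService:
    """Claim 7: service domain name record -> cluster IP -> service (Pod) IP."""
    domain_records: dict   # service name -> cluster IP
    cluster_to_pod: dict   # the 'preset rule' of claim 7, modelled as a lookup (assumption)

    def service_ip(self, service_name):
        cluster_ip = self.domain_records.get(service_name)
        if cluster_ip is None:
            raise AccessDenied(f"no service domain name record for {service_name!r}")
        if cluster_ip not in self.cluster_to_pod:
            raise AccessDenied(f"no service IP for cluster IP {cluster_ip}")
        return self.cluster_to_pod[cluster_ip]


def classify(obj, svc):
    """Pick the branch of claims 2, 4 or 5 from where the two parties sit."""
    if obj.cluster != svc.cluster:
        return Route.CROSS_CLUSTER
    return Route.SAME_VPC if obj.vpc == svc.vpc else Route.CROSS_VPC


def resolve_access(obj, svc, fw, iface, external_dns, config_rules):
    """Return (route, service_ip) for a request from obj to svc, or raise
    AccessDenied. external_dns: external domain name -> external network IP;
    config_rules: access link -> service name (claim 3's preset configuration rule)."""
    route = classify(obj, svc)
    if route is Route.CROSS_CLUSTER:
        # claim 3: the configuration control service matches the access link to a service
        if config_rules.get(obj.access_link) != svc.name:
            raise AccessDenied(f"access link {obj.access_link!r} matches no configuration rule")
        # claim 2: resolve the external domain name, then require that the second
        # address mapping pairs the service's VPC IP with exactly that external IP
        external_ip = external_dns.get(obj.external_domain)
        if external_ip is None:
            raise AccessDenied(f"external domain {obj.external_domain!r} does not resolve")
        if fw.lookup(fw.second, svc.vpc_ip, "second address mapping") != external_ip:
            raise AccessDenied("second address mapping does not match the resolved external IP")
    elif route is Route.CROSS_VPC:
        # claim 5: a third address mapping between the two VPC IPs must exist
        fw.lookup(fw.third, (obj.vpc_ip, svc.vpc_ip), "third address mapping")
    # claims 1 and 4: the first address mapping leads to the host of the interface service
    fw.lookup(fw.first, svc.vpc_ip, "first address mapping")
    # claim 7: the interface service yields the service IP the request is forwarded to
    return route, iface.service_ip(svc.name)


def build_sample_environment():
    """Constructed sample tables for one accessed service named 'orders'."""
    svc = VpcService("orders", cluster="c1", vpc="vpc-a", vpc_ip="10.1.0.5")
    fw = VirtualFirewall(
        first={"10.1.0.5": "192.168.10.2"},
        second={"10.1.0.5": "203.0.113.7"},
        third={("10.2.0.9", "10.1.0.5"): True},
    )
    iface = InterfaceService({"orders": "10.96.0.20"}, {"10.96.0.20": "10.244.1.15"})
    external_dns = {"client.example.com": "203.0.113.7"}
    config_rules = {"https://orders.example.com/api": "orders"}
    return fw, iface, external_dns, config_rules, svc


if __name__ == "__main__":
    fw, iface, dns, rules, svc = build_sample_environment()
    print(resolve_access(AccessObject("c1", "vpc-a", "10.1.0.8"), svc, fw, iface, dns, rules))
```

Running the block prints the same-VPC branch with the resolved service IP. Feeding an access object from a third VPC with no third address mapping raises AccessDenied before any forwarding decision is made, which is the behaviour a reviewer of such a component should expect to see tested.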

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210044198.8A CN114389886B (en) 2022-01-14 2022-01-14 Access method, device, equipment and storage medium of virtual private cloud service
PCT/CN2022/089868 WO2023134066A1 (en) 2022-01-14 2022-04-28 Virtual private cloud service access method, apparatus and device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210044198.8A CN114389886B (en) 2022-01-14 2022-01-14 Access method, device, equipment and storage medium of virtual private cloud service

Publications (2)

Publication Number Publication Date
CN114389886A CN114389886A (en) 2022-04-22
CN114389886B true CN114389886B (en) 2024-03-08

Family

ID=81201618

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210044198.8A Active CN114389886B (en) 2022-01-14 2022-01-14 Access method, device, equipment and storage medium of virtual private cloud service

Country Status (2)

Country Link
CN (1) CN114389886B (en)
WO (1) WO2023134066A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114389886B (en) * 2022-01-14 2024-03-08 平安科技(深圳)有限公司 Access method, device, equipment and storage medium of virtual private cloud service
CN117082152B (en) * 2023-09-27 2024-01-12 新华三技术有限公司 Service processing method, system and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8904511B1 (en) * 2010-08-23 2014-12-02 Amazon Technologies, Inc. Virtual firewalls for multi-tenant distributed services
CN105471907A (en) * 2015-12-31 2016-04-06 云南大学 Openflow based virtual firewall transmission control method and system
CN106713332A (en) * 2016-12-30 2017-05-24 山石网科通信技术有限公司 Network data processing method, device and system
CN109451084A (en) * 2018-09-14 2019-03-08 华为技术有限公司 A kind of service access method and device
CN112929322A (en) * 2019-12-06 2021-06-08 北京百度网讯科技有限公司 Method, device and system for issuing and accessing service on cloud
CN113162835A (en) * 2021-02-26 2021-07-23 北京百度网讯科技有限公司 Method, device, equipment and storage medium for accessing service resource

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105354076B (en) * 2015-10-23 2019-01-25 北京云端光科技术有限公司 Application deployment method and device
CN109617995B (en) * 2018-12-29 2022-02-25 北京金山云网络技术有限公司 Management system and method for VPC (virtual private network) internal container of tenant cluster and electronic equipment
CN110535831B (en) * 2019-07-30 2022-02-01 平安科技(深圳)有限公司 Kubernetes and network domain-based cluster security management method and device and storage medium
CN110611697B (en) * 2019-08-02 2020-07-07 杭州网银互联科技股份有限公司 Network architecture system and network deployment method of hybrid cloud
CN112543108A (en) * 2019-09-04 2021-03-23 中兴通讯股份有限公司 Network isolation policy management method and network isolation policy management system
CN110727499A (en) * 2019-09-18 2020-01-24 平安科技(深圳)有限公司 Resource data acquisition method and device, computer equipment and storage medium
CN110737508A (en) * 2019-10-14 2020-01-31 浪潮云信息技术有限公司 cloud container service network system based on wave cloud and implementation method
CN113452806B (en) * 2021-06-24 2022-10-04 上海道客网络科技有限公司 Container adaptation SDN network management method and system based on Kubernets system
CN114389886B (en) * 2022-01-14 2024-03-08 平安科技(深圳)有限公司 Access method, device, equipment and storage medium of virtual private cloud service

Also Published As

Publication number Publication date
WO2023134066A1 (en) 2023-07-20
CN114389886A (en) 2022-04-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant