CN114760246B - Service drainage method, device and medium - Google Patents


Info

Publication number: CN114760246B
Application number: CN202210319421.5A
Authority: CN (China)
Prior art keywords: service, route, message, network, drainage
Legal status (as listed by Google Patents, not a legal conclusion): Active
Other languages: Chinese (zh)
Other versions: CN114760246A (en)
Inventors: 胡章丰, 孙思清, 高传集, 李彦君, 任秋峥
Current assignee: Inspur Cloud Information Technology Co Ltd
Original assignee: Inspur Cloud Information Technology Co Ltd

Timeline: application filed by Inspur Cloud Information Technology Co Ltd; priority to CN202210319421.5A; publication of CN114760246A; application granted; publication of CN114760246B; legal status Active (anticipated expiration not listed on the page).

Classifications

    • H04L45/586 Association of virtual routers (under H04L45/00 Routing or path finding of packets in data switching networks; H04L45/58 Association of routers)
    • H04L45/74 Address processing for routing (under H04L45/00)
    • H04L67/10 Protocols in which an application is distributed across nodes in the network (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
    • H04L67/30 Profiles (under H04L67/00; H04L67/2866 Architectures; Arrangements)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a service traffic steering method ("service drainage" in the machine-translated title), a device and a medium. The method comprises: acquiring the configuration of a service steering chain; attaching each non-business virtual appliance in the chain to a virtual router in the user's VPC based on that configuration, the virtual router being deployed in the VPC with a fully distributed architecture; generating egress policy routes following the forward order of the appliances in the chain and ingress policy routes following their reverse order; and installing the egress and ingress policy routes on the virtual router and steering service traffic according to them. The method achieves a symmetric traffic path while preserving the stability and robustness of the cloud platform, and scales well.

Description

Service drainage method, device and medium
Technical Field
The present application relates to the field of cloud computing, and in particular to a service traffic steering method, device and medium ("service drainage" in the machine-translated title: pulling selected service traffic through a chain of virtual appliances).
Background
As user workloads move to the cloud at scale, the various non-business devices of a traditional data center are being virtualized and migrated to the cloud as well: Web application firewalls (WAF), perimeter firewalls, deep packet inspection (DPI) appliances, log-audit appliances and the like. Once virtualized, a user can create such an appliance on demand from the cloud management console and deploy it in their own VPC (Virtual Private Cloud), then steer specific service traffic through one or more of them for security protection, online-behaviour audit, routine monitoring and similar purposes. However, the route- or policy-route-based steering used in a traditional data center does not work on a large-scale cloud platform with a fully distributed routing architecture. In that architecture the SNAT (source network address translation) and DNAT (destination network address translation) applied to an elastic cloud server's traffic on its way out of and into the VPC are performed symmetrically, that is, both on the VPC virtual router instance on the physical node hosting that server. When the source elastic cloud server of a steering chain and the non-business virtual appliance sit on different physical nodes, the egress and ingress paths, and the source and destination IP addresses in the packets, are therefore not mirror images of each other; a stateful security appliance cannot match the two directions to one session and the connection fails.
The transparent steering scheme that the OpenStack community has proposed for the DVR (Distributed Virtual Router) architecture is implemented entirely with flow tables. It is highly intrusive to the layer-2 forwarding logic of the data plane, flow tables must be installed for every source elastic cloud server, and adding or deleting a user's elastic cloud servers triggers a large amount of control-plane/data-plane interaction. It therefore cannot meet the stability and robustness requirements of a large public cloud, scales poorly, and cannot support large-scale scenarios.
Disclosure of Invention
In view of the above, the present application aims to provide a service traffic steering method, device and medium that achieve a symmetric traffic path and scale well while preserving the stability and robustness of the cloud platform. The specific scheme is as follows:
In a first aspect, the present application discloses a service traffic steering method, comprising:
acquiring the configuration of a service steering chain;
attaching each non-business virtual appliance in the service steering chain to a virtual router in the user's VPC based on the configuration, the virtual router being deployed in the user's VPC with a fully distributed architecture;
generating egress policy routes following the forward order of the non-business virtual appliances in the service steering chain, and ingress policy routes following their reverse order;
and installing the egress and ingress policy routes on the virtual router and steering service traffic according to them.
Optionally, the method further comprises:
performing SNAT on egress traffic in the virtual router instance on the physical node hosting the last non-business virtual appliance of the service steering chain;
and performing DNAT on ingress traffic in the virtual router instance on the physical node hosting the target elastic cloud server.
Optionally, performing SNAT on egress traffic in the virtual router instance on the physical node hosting the last non-business virtual appliance of the chain comprises:
performing SNAT on a packet when that virtual router instance determines from the packet's destination IP that the packet is leaving the VPC.
Optionally, attaching each non-business virtual appliance in the service steering chain to a virtual router in the user's VPC based on the configuration comprises:
determining the non-business virtual appliances of the service steering chain from the configuration;
creating a dedicated interconnect subnet in the user's VPC for each non-business virtual appliance;
and attaching each non-business virtual appliance to the virtual router in the user's VPC through its interconnect subnet.
Optionally, acquiring the configuration of the service steering chain comprises:
acquiring the configuration of the service steering chain through the cloud computing management console;
and correspondingly the method further comprises: calling a preset northbound interface with the configuration, which starts the step of attaching each non-business virtual appliance in the service steering chain to a virtual router in the user's VPC based on the configuration.
Optionally, an egress policy route comprises a source IP, a source port, a transport-layer protocol type, a receiving port (the router port on which the packet arrives) and next-hop information; an ingress policy route comprises a destination IP, a destination port, a transport-layer protocol type, a receiving port and next-hop information.
Optionally, steering service traffic according to the egress and ingress policy routes comprises:
when the virtual router receives an egress packet, selecting among the egress policy routes a first target egress policy route that satisfies a first matching condition, and steering the packet according to it;
when the virtual router receives an ingress packet, selecting among the ingress policy routes a second target ingress policy route that satisfies a second matching condition, and steering the packet according to it;
the first matching condition comprising source IP, source port, transport-layer protocol type and receiving port, and the second matching condition comprising destination IP, destination port, transport-layer protocol type and receiving port.
In a second aspect, the application discloses a service traffic steering device comprising a configuration acquisition module, a virtual appliance attachment module, a policy route generation module, a policy route installation module and a virtual router, wherein
the configuration acquisition module acquires the configuration of the service steering chain;
the virtual appliance attachment module attaches each non-business virtual appliance in the service steering chain to a virtual router in the user's VPC based on the configuration, the virtual router being deployed in the user's VPC with a fully distributed architecture;
the policy route generation module generates egress policy routes following the forward order of the non-business virtual appliances in the service steering chain and ingress policy routes following their reverse order;
the policy route installation module installs the egress and ingress policy routes on the virtual router;
and the virtual router steers service traffic according to the egress and ingress policy routes.
Optionally, the virtual router instance on the physical node hosting the last non-business virtual appliance of the service steering chain performs SNAT on egress traffic;
and the virtual router instance on the physical node hosting the target elastic cloud server performs DNAT on ingress traffic.
In a third aspect, the present application discloses a computer-readable storage medium storing a computer program which, when executed by a processor, implements the service traffic steering method described above.
In summary: the configuration of the service steering chain is acquired first; each non-business virtual appliance in the chain is then attached to a virtual router in the user's VPC, the virtual router being deployed with a fully distributed architecture; egress policy routes are generated following the forward order of the appliances and ingress policy routes following their reverse order; finally both sets of routes are installed on the virtual router, which steers service traffic according to them. Because steering is done entirely with policy routes, nothing intrudes on the data plane, so the stability and robustness of the cloud platform are preserved; the number of policy routes does not grow with the number of elastic cloud servers, so the scheme scales far better than flow-table-only steering; and because the egress routes follow the forward order of the chain while the ingress routes follow its reverse order, the traffic path is symmetric in the two directions.
Drawings
In order to describe the embodiments of the present application (or the prior art) more clearly, the drawings needed for that description are introduced briefly below. The drawings show only some embodiments of the present application; a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 is a flow chart of the service traffic steering method disclosed in the present application;
FIG. 2 is a schematic diagram of the architecture of one embodiment of the steering scheme disclosed in the present application;
FIG. 3 is a schematic diagram of the steering principle disclosed in the present application;
FIG. 4 shows egress steering when the elastic cloud server and the appliance are on the same node;
FIG. 5 shows ingress steering on the same node;
FIG. 6 shows egress steering across nodes;
FIG. 7 shows ingress steering across nodes;
FIG. 8 shows chained egress steering on the same node;
FIG. 9 shows chained ingress steering on the same node;
FIG. 10 shows chained egress steering across nodes;
FIG. 11 shows chained ingress steering across nodes;
FIG. 12 is a schematic structural diagram of the service traffic steering device disclosed in the present application.
Detailed Description
The embodiments of the present application are described below clearly and completely with reference to the accompanying drawings. The embodiments described are only some of the embodiments of the application, not all of them; all other embodiments that a person skilled in the art can obtain from them without inventive effort fall within the scope of the application.
As cloud computing has matured and applications increasingly demand elastic scaling and high availability, more and more enterprises move their business from physical machines in their own server rooms to cloud hosts in a cloud data center. Cloud services bring several benefits: the heavy capital investment in IT infrastructure is avoided, and hosts can be started on demand to match the scale of the business, which noticeably lowers up-front cost, especially for small, medium-sized and start-up enterprises; resources can be added incrementally as the business grows and released again to save cost when it shrinks. Alongside the applications themselves, the non-business devices of the traditional data center are being virtualized and deployed in the cloud. These devices provide no business function to end users but are essential to running the user's business: Web application firewalls (WAF), perimeter firewalls, deep packet inspection (DPI) appliances, log-audit appliances and the like. Together with the user's cloud applications they form a complete application infrastructure in the cloud that supports the user's services.
In a traditional data center these non-business devices are usually physical appliances deployed at the edge of the physical network. Service traffic is steered to them by configuring routing or policy-routing entries that pull the traffic of a given service through one or more appliances for security filtering, virus protection, log audit and similar operations that keep the business secure and robust, or for statistics and monitoring. Because such appliances are expensive and centrally deployed, one appliance usually serves all users of the data center, so the flows of different users pass through the same perimeter device, which works against isolation between users and requires the device's configuration interface to be exposed to users, a security risk in itself. Virtualizing these devices and moving them to the cloud is both a prerequisite for moving the business to the cloud and a basic requirement of enterprise IT transformation.
Non-business devices on the cloud differ markedly from their traditional counterparts in form, deployment and whom they serve. In a traditional data center they are physical servers or dedicated hardware; on the cloud they are elastic cloud servers (ECS) or containers. Traditionally they are deployed in advance at the network edge by operations staff or an administrator; on the cloud the user deploys them online and automatically, on demand, inside their own VPC. A traditional appliance usually serves all or many users, whereas a virtual appliance created by a cloud user is used only by that user and is invisible to others.
A major challenge after moving non-business devices to the cloud is traffic steering. In a traditional data center the devices sit inline at the network edge, so steering is achieved by simple route or policy-route configuration. In a virtualized cloud environment the devices live in the user's VPC as elastic cloud servers or containers, and traffic entering and leaving the VPC must be pulled through them from the VPC's virtual router. This is straightforward under a centralized routing architecture, where a steering policy like the traditional one is configured on the central virtual router, but it does not work under a fully distributed routing architecture. The VPC's virtual router not only routes between subnets of the same VPC but also performs SNAT on egress traffic and DNAT on ingress traffic. If steering were implemented under the fully distributed architecture with plain routing or policy-routing entries, the paths into and out of the VPC, or the source and destination addresses in the packets, would be asymmetric; a security device then cannot establish a session and communication fails.
The OpenStack community has proposed a fully transparent SFC (Service Function Chaining) scheme for the DVR architecture, implemented entirely with flow tables. It has several clear drawbacks: 1) it is highly intrusive to the data plane, because the steering action is fused into the layer-2 forwarding logic, which easily destabilizes the platform; 2) it scales poorly, because every protected target requires a further series of flow tables and a large amount of control-plane/data-plane interaction, putting heavy pressure on the control plane; 3) it supports only unidirectional steering, so bidirectional symmetric steering requires two mirror-image chains; 4) it does not support north-south steering, so traffic cannot be pulled from the VPC's virtual router. Some optimizations have been proposed, such as a steering relay agent that converts north-south traffic into east-west traffic so that the flow-table scheme can then be applied, but they do not fundamentally meet a large public cloud's requirements for stability, robustness and scalability. The steering scheme provided by this application therefore achieves a symmetric traffic path and scales well while preserving the stability and robustness of the cloud platform.
Referring to FIG. 1, an embodiment of the application discloses a service traffic steering method comprising the following steps:
Step S11: acquire the configuration of the service steering chain.
In one embodiment the configuration is acquired through the cloud computing management console: the user creates a service steering chain in the console's interface, and the console thereby obtains the chain's configuration.
Step S12: attach each non-business virtual appliance in the service steering chain to a virtual router in the user's VPC based on the configuration; the virtual router is deployed in the user's VPC with a fully distributed architecture.
In one embodiment the non-business virtual appliances in the chain are determined from the configuration; a dedicated interconnect subnet is created in the user's VPC for each appliance; and each appliance is attached to the VPC's virtual router through its interconnect subnet.
Step S13: generate egress policy routes following the forward order of the non-business virtual appliances in the chain, and ingress policy routes following their reverse order.
An egress policy route comprises a source IP, a source port, a transport-layer protocol type, a receiving port and next-hop information; an ingress policy route comprises a destination IP, a destination port, a transport-layer protocol type, a receiving port and next-hop information.
In the egress direction, the receiving port of the first policy route is the VPC's default gateway port, and the receiving port of each subsequent policy route is the default gateway port of the interconnect subnet of the previous-hop appliance. In the ingress direction, the receiving port of the first policy route is the interface toward the external network, and the receiving port of each subsequent policy route is again the default gateway port of the interconnect subnet of the previous-hop appliance. Accordingly, the next hop of the first egress policy route is the first appliance of the chain, and the next hop of the first ingress policy route is the last appliance of the chain.
Step S14: install the egress and ingress policy routes on the virtual router and steer service traffic according to them.
When the virtual router receives an egress packet it selects, among the egress policy routes, the route satisfying a first matching condition and steers the packet according to it; when it receives an ingress packet it selects, among the ingress policy routes, the route satisfying a second matching condition and steers the packet according to it. The first matching condition comprises source IP, source port, transport-layer protocol type and receiving port; the second comprises destination IP, destination port, transport-layer protocol type and receiving port. In other words, egress traffic is matched against a policy by (source IP, source port, protocol, receiving port) and ingress traffic by (destination IP, destination port, protocol, receiving port), which is what pulls traffic through the chain in both directions.
When a non-business virtual appliance has processed a packet handed to it by the virtual router, it sends the packet back to the virtual router instance on the same physical node through its default route.
Further, in this embodiment, after the configuration of the service steering chain has been acquired through the cloud computing management console, a preset northbound interface is called with that configuration, which triggers step S12, step S13 and the installation of the egress and ingress policy routes on the virtual router, completing creation of the chain.
Thus, in this embodiment, the configuration of the service steering chain is acquired, each non-business virtual appliance in the chain is attached to the virtual router in the user's VPC, policy routes are generated, and traffic is steered by those routes alone. Nothing intrudes on the data plane, so the stability and robustness of the cloud platform are preserved; the number of policy routes does not grow with the number of elastic cloud servers, so the scheme scales better than flow-table-only steering; and because the egress routes follow the forward order of the chain and the ingress routes its reverse order, the traffic path is symmetric.
Further, SNAT on egress traffic is performed by the virtual router instance on the physical node hosting the last non-business virtual appliance of the chain, and DNAT on ingress traffic by the virtual router instance on the physical node hosting the target elastic cloud server. This makes north-south steering possible and keeps the packets' source and destination IP addresses symmetric in the two directions.
The virtual router instance on the node hosting the last appliance performs SNAT once it determines from the destination IP of a packet that the packet is leaving the VPC. On that instance no egress policy route matches the packet any more, because no egress route has the last appliance's interconnect gateway as its receiving port, so the packet follows the default route. The target elastic cloud server is the elastic cloud server the packet is addressed to.
In summary, in this embodiment the non-business virtual appliances are deployed inside the user's VPC, each connected to the VPC's virtual router through its own interconnect subnet. The virtual router is fully distributed: an instance is created on every physical node that hosts resources of the VPC, and each instance is responsible only for routing and SNAT/DNAT of that node's traffic belonging to the VPC. Policy-route entries generated from the user's configuration are installed on the virtual router and redirect the specified service traffic to the user-defined appliances. The policy routes make traffic in both directions pass through the appliances, and egress is distinguished from ingress by the port on which a packet is received. For a chain of several appliances, an interconnect subnet is created for each one and attached to the VPC's virtual router; a policy route pulls traffic from the first appliance to the second, another from the second to the third, and so on, forming the complete chained path. For SNAT/DNAT of north-south traffic an asymmetric placement is used: SNAT in the egress direction is performed by the VPC virtual router instance on the node hosting the last appliance, and DNAT in the ingress direction by the instance on the node hosting the destination elastic cloud server.
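The chain construction, policy-route generation and asymmetric NAT placement described above, as a runnable model (an added example, not code from the patent or from Inspur). It builds the egress and ingress policy routes for a constructed two-appliance chain (a WAF on one node and a firewall on another, with the steered elastic cloud server on a third), forwards one packet in each direction through the distributed router, and checks what a practitioner would verify on a real deployment: that the ingress path is the reverse of the egress path and that each appliance sees mirror-image addresses in the two directions. All node names, port names ("vpc-gw", "ext", "ic-<appliance>-gw"), addresses and the 10.0.0.0/8 VPC prefix are assumptions; so is the ordering choice that the ECS node applies DNAT on arrival from the external interface before the first ingress policy route is matched, which the text above does not spell out but which is what lets the ingress routes match on the private address.

```python
"""Added example (not the patent's code): policy-route generation (step S13), hop-by-hop
steering (step S14), SNAT on the last appliance's node and DNAT on the ECS's node, on a
fully distributed VPC router.  Node and port names, addresses and the 10.0.0.0/8 VPC
prefix are assumptions made for illustration."""
from dataclasses import dataclass, replace

VPC_GW = "vpc-gw"   # default gateway port of the ECS subnet on the VPC router
EXT_PORT = "ext"    # router interface toward the external network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    in_port: str    # router port the packet arrived on (the "receiving port")


@dataclass(frozen=True)
class PolicyRoute:
    direction: str  # "egress" matches source fields, "ingress" matches destination fields
    ip: str
    port: int       # 0 = any transport port
    proto: str
    in_port: str
    next_hop: str   # appliance the packet is redirected to

    def matches(self, p: Packet) -> bool:
        if p.in_port != self.in_port or p.proto != self.proto:
            return False
        if self.direction == "egress":
            return p.src_ip == self.ip and self.port in (0, p.src_port)
        return p.dst_ip == self.ip and self.port in (0, p.dst_port)


@dataclass
class ChainConfig:
    ecs_ip: str       # private address of the steered ECS
    ecs_eip: str      # elastic (public) address bound to it
    ecs_node: str     # physical node hosting the ECS
    appliances: list  # chain in forward (egress) order
    placement: dict   # appliance -> physical node
    proto: str = "tcp"
    port: int = 0     # 0 = any transport port


def ic_gw(app: str) -> str:  # gateway port of the appliance's interconnect subnet (step S12)
    return f"ic-{app}-gw"


def build_policy_routes(cfg: ChainConfig) -> list:
    """Step S13: egress routes in forward order, ingress routes in reverse order."""
    routes, prev = [], VPC_GW              # first egress route enters on the VPC gateway
    for app in cfg.appliances:
        routes.append(PolicyRoute("egress", cfg.ecs_ip, cfg.port, cfg.proto, prev, app))
        prev = ic_gw(app)                  # later ones on the previous appliance's subnet
    prev = EXT_PORT                        # first ingress route enters on the external side
    for app in reversed(cfg.appliances):
        routes.append(PolicyRoute("ingress", cfg.ecs_ip, cfg.port, cfg.proto, prev, app))
        prev = ic_gw(app)
    return routes


def steer(cfg: ChainConfig, routes: list, pkt: Packet):
    """Forward one packet; every node's router instance holds the same policy routes and
    acts only on packets at its own ports.  Returns (nodes visited, what each appliance
    saw as (name, src, dst), final packet)."""
    path, seen = [cfg.ecs_node], []        # egress starts at, and EIP traffic arrives at, the ECS node
    if pkt.in_port == EXT_PORT and pkt.dst_ip == cfg.ecs_eip:
        pkt = replace(pkt, dst_ip=cfg.ecs_ip)   # DNAT on the ECS node (assumed before steering)
    while (route := next((r for r in routes if r.matches(pkt)), None)) is not None:
        app = route.next_hop
        path.append(cfg.placement[app])
        seen.append((app, pkt.src_ip, pkt.dst_ip))
        pkt = replace(pkt, in_port=ic_gw(app))  # appliance hands it back via its default route
    if pkt.dst_ip.startswith("10."):       # no policy route left; ingress: connected route to the ECS
        path.append(cfg.ecs_node)
    else:                                  # egress: default route, SNAT on the last appliance's node
        pkt = replace(pkt, src_ip=cfg.ecs_eip)
        path.append("external")
    return path, seen, pkt


def symmetric(out, back) -> bool:
    """Appliances traversed in reverse order, each seeing mirror-image (src, dst) addresses."""
    seen_out, seen_in = out[1], back[1]
    return [a for a, _, _ in seen_in] == [a for a, _, _ in seen_out][::-1] and all(
        (o[1], o[2]) == (i[2], i[1]) for o, i in zip(seen_out, reversed(seen_in)))


def run_demo():
    """Constructed topology: ECS on node-a, WAF on node-b, firewall on node-c."""
    cfg = ChainConfig("10.0.1.5", "203.0.113.10", "node-a", ["waf", "fw"],
                      {"waf": "node-b", "fw": "node-c"})
    routes = build_policy_routes(cfg)
    out = steer(cfg, routes, Packet("10.0.1.5", "198.51.100.7", "tcp", 40000, 443, VPC_GW))
    back = steer(cfg, routes, Packet("198.51.100.7", "203.0.113.10", "tcp", 443, 40000, EXT_PORT))
    return routes, out, back


if __name__ == "__main__":
    routes, out, back = run_demo()
    print("egress :", " -> ".join(out[0]), out[1], "src after SNAT:", out[2].src_ip)
    print("ingress:", " -> ".join(back[0]), back[1], "symmetric:", symmetric(out, back))
```

Running it prints the egress path node-a, node-b, node-c, external and the ingress path node-a, node-c, node-b, node-a. The detail the model makes visible is that the last router instance on each path has no policy route to match (no egress route lists the firewall's interconnect gateway as receiving port, and no ingress route lists the WAF's), so ordinary routing takes over there: the default route with SNAT on the firewall's node, and the connected route to the ECS on its own node. The WAF and firewall see 10.0.1.5 to 198.51.100.7 on the way out and 198.51.100.7 to 10.0.1.5 on the way back, which is the address symmetry a stateful appliance needs.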
The operation is that, compared with a drainage scheme based on a flow table, the method only relates to the development of a control plane of a cloud computing platform, is non-invasive to a data plane and does not damage the stability and the robustness of the data plane; the policy routing realizes forward and reverse symmetric drainage of the full path, and can support virtual equipment of various non-business types, including various security equipment, monitoring equipment, log audit equipment and the like; supporting service drainage under a full distributed routing architecture, and supporting service drainage in the north-south directions of chain and cross nodes through asymmetric SNAT/DNAT operation; the traffic is directly pulled hop by hop from the virtual router of the VPC through the strategy route without introducing an additional drainage service transfer agent, so that the deployment cost can be effectively reduced; the non-service type virtual equipment is simple to configure, only a default route is configured for each equipment to point to the gateway of the interconnection sub-network, and complex chained drainage can be realized without other external configuration; the scale of the policy routing table entry does not increase with the increase of the number of the newly added stream guidance source elastic cloud servers, and compared with a full-stream tabulated service stream guidance scheme, the policy routing table entry has good expandability.
Further, referring to fig. 2, the embodiment of the present application discloses an implementation architecture of a specific service drainage scheme, comprising the following components: a northbound interface, a configuration database, a service chain management module, a virtual network L3 management module, and an interconnection subnet management module. Wherein,
Northbound interface: provides a set of RESTful interfaces to the cloud computing management platform or a third-party platform for creating, modifying, deleting and viewing user-defined service drainage chains.
Configuration database: records the configuration information of the service drainage chains created by users.
Service chain management module: responsible for the specific actions of creating, modifying and deleting a service drainage chain; it calls the relevant functions of the interconnection subnet management module to create an interconnection subnet for each non-service type virtual device, and calls the relevant interfaces of the virtual network L3 management module to create policy route entries and issue them to the VPC virtual router, thereby realizing traffic pulling on the data plane.
Virtual network L3 management module: responsible for route management and policy route management of the VPC virtual router, including adding routes and policy routes, deleting routes and policy routes, modifying the next hop of routes and policy routes, and querying the currently configured route and policy route information.
Interconnection subnet management module: manages the interconnection subnets of the non-service type virtual devices in the VPC, including creation and deletion, and attaches each interconnection subnet to the VPC virtual router so that the non-service type virtual device can communicate with the user VPC.
Taking the creation of a service drainage chain by a user as an example, the control-plane execution process is as follows. The user creates a service drainage chain on the cloud computing management console through the interface. The cloud computing management console calls the northbound interface of the service drainage system to create the service drainage chain. The northbound interface calls the service chain management module to start creating the chain and records the configuration information in the configuration database. The service chain management module calls the interface of the interconnection subnet management module to create an interconnection subnet for each non-service type virtual device and attaches it to the virtual router of the user VPC. The service chain management module then calls the interface of the virtual network L3 management module to issue drainage policy routes for each non-service type virtual device; the policy routes comprise an outbound direction and an inbound direction, which are distinguished by matching on the source IP versus the destination IP. Assuming that the service on TCP port 1010 of an elastic cloud server with IP 10.0.1.1 needs to be drained, the outbound policy route can be defined as: source IP = 10.0.1.1, source port = 1010, transport layer protocol type = TCP, next hop = first node of the service drainage chain; and the inbound policy route as: destination IP = 10.0.1.1, destination port = 1010, transport layer protocol type = TCP, next hop = last node of the service drainage chain. That is, the next hops of the outbound policy route and the inbound policy route are symmetric with respect to the service chain. The creation of the service drainage chain is then complete.
Referring to fig. 3, fig. 3 is a schematic diagram of the service drainage principle according to an embodiment of the present application. A message sent by the elastic cloud server VM in the subnet first arrives at the virtual router vrouter of the VPC; the vrouter sends the message to the virtual firewall VFW on the same node through policy-based routing (PBR); the VFW performs security protection filtering and, if the message is allowed to pass, sends it back to the vrouter through its default route; on receiving the message, the vrouter determines from the destination IP that it is an outbound message, performs SNAT, mapping the source IP of the message from the intranet IP to a public network IP or to a floating IP mapped one-to-one to a public network IP, and sends the message to the device at the upper layer of the topology for further address mapping or directly to the public network, completing the outbound path. The execution of the data plane is further divided into several possible scenarios, including same-node, cross-node, chained same-node and chained cross-node drainage, each of which is described below.
Referring to fig. 4, fig. 4 is a schematic diagram of service drainage in the same-node outbound direction according to an embodiment of the present application, which includes the following steps:
Step 21: the message sent by the elastic cloud server VM first arrives at the VPC virtual router vrouter on the current physical server (namely compute node 1);
Step 22: the vrouter sends the message to the virtual firewall VFW on the same node through policy routing (PBR);
Step 23: the VFW performs security protection filtering; if the message is allowed to pass, it is sent back to the vrouter through the default route and the process proceeds to step 24, otherwise the message is discarded;
Step 24: on receiving the message, the vrouter determines from the destination IP that it is an outbound message and performs SNAT, mapping the source IP of the message from the intranet IP to a public network IP or to a floating IP mapped one-to-one to a public network IP (the floating IP is mapped to the public network IP by a device at a higher layer);
Step 25: the vrouter sends the message to the device at the upper layer of the topology for further address mapping, or directly out to the public network, completing the outbound path.
Referring to fig. 5, fig. 5 is a schematic diagram of service drainage in the same-node inbound direction according to an embodiment of the present application, which includes the following steps:
Step 31: the message from the public network arrives at the VPC virtual router vrouter on the current physical server (i.e., compute node 1);
Step 32: the vrouter performs DNAT, mapping the destination IP of the message from the public network IP to the intranet IP of the elastic cloud server VM;
Step 33: the vrouter sends the message to the virtual firewall VFW on the same node through policy routing;
Step 34: the VFW performs security protection filtering; if the message is allowed to pass, it is sent back to the vrouter through the default route and the process proceeds to step 35, otherwise the message is discarded;
Step 35: the vrouter sends the message to the destination host, namely the elastic cloud server VM, through the directly connected route, completing the inbound path.
Referring to fig. 6, fig. 6 is a schematic diagram of service drainage in the cross-node outbound direction according to an embodiment of the present application, which includes the following steps:
Step 41: the message sent by the elastic cloud server VM first arrives at the VPC virtual router vrouter on the current physical server (namely compute node 1);
Step 42: the vrouter on compute node 1 sends the message to the virtual firewall VFW on compute node 2 through policy routing;
Step 43: the VFW on compute node 2 performs security protection filtering; if the message is allowed to pass, it is sent to the vrouter on compute node 2 through the default route and the process proceeds to step 44, otherwise the message is discarded;
Step 44: on receiving the message, the vrouter on compute node 2 determines from the destination IP that it is an outbound message and performs SNAT, mapping the source IP of the message from the intranet IP to a public network IP or to a floating IP mapped one-to-one to a public network IP (the mapping from floating IP to public network IP is completed by a device at a higher layer);
Step 45: the vrouter on compute node 2 sends the message to the device at the upper layer of the topology for further address mapping, or directly out to the public network, completing the outbound path.
Referring to fig. 7, fig. 7 is a schematic diagram of service drainage in the cross-node inbound direction according to an embodiment of the present application, which includes the following steps:
Step 51: the message from the public network arrives at the VPC virtual router vrouter on the physical server (i.e., compute node 1) where the elastic cloud server VM is located;
Step 52: the vrouter on compute node 1 performs DNAT, mapping the destination IP of the message from the public network IP to the intranet IP of the elastic cloud server VM;
Step 53: the vrouter on compute node 1 sends the message to the virtual firewall VFW on compute node 2 through policy routing;
Step 54: the VFW on compute node 2 performs security protection filtering; if the message is allowed to pass, it is sent to the vrouter on compute node 2 through the default route and the process proceeds to step 55, otherwise the message is discarded;
Step 55: the vrouter on compute node 2 sends the message to the destination host, namely the elastic cloud server VM, through the directly connected route, completing the inbound path.
Referring to fig. 8, fig. 8 is a schematic diagram of service drainage in the chained same-node outbound direction, which includes the following steps:
Step 61: the message sent by the elastic cloud server VM first arrives at the VPC virtual router vrouter on the current physical server (namely compute node 1);
Step 62: the vrouter on compute node 1 sends the message to the virtual firewall VFW on compute node 1 through policy routing;
Step 63: the VFW on compute node 1 performs security protection filtering; if the message is allowed to pass, it is sent back to the vrouter on compute node 1 through the default route and the process proceeds to step 64, otherwise the message is discarded;
Step 64: the vrouter on compute node 1 sends the message to the Web application firewall WAF on compute node 1 through policy routing;
Step 65: the WAF on compute node 1 performs security protection filtering; if the message is allowed to pass, it is sent back to the vrouter on compute node 1 through the default route and the process proceeds to step 66, otherwise the message is discarded;
Step 66: on receiving the message, the vrouter on compute node 1 determines from the destination IP that it is an outbound message and performs SNAT, mapping the source IP of the message from the intranet IP to a public network IP or to a floating IP mapped one-to-one to a public network IP (the mapping from floating IP to public network IP is completed by a device at a higher layer);
Step 67: the vrouter on compute node 1 sends the message to the device at the upper layer of the topology for further address mapping, or directly out to the public network, completing the outbound path.
Referring to fig. 9, fig. 9 is a schematic diagram of service drainage in the chained same-node inbound direction, which includes the following steps:
Step 71: the message from the public network arrives at the VPC virtual router vrouter on the physical server (i.e., compute node 1) where the elastic cloud server VM is located;
Step 72: the vrouter on compute node 1 performs DNAT, mapping the destination IP of the message from the public network IP to the intranet IP of the elastic cloud server VM;
Step 73: the vrouter on compute node 1 sends the message to the Web application firewall WAF on compute node 1 through policy routing;
Step 74: the WAF on compute node 1 performs security protection filtering; if the message is allowed to pass, it is sent back to the vrouter on compute node 1 through the default route and the process proceeds to step 75, otherwise the message is discarded;
Step 75: the vrouter on compute node 1 sends the message to the virtual firewall VFW on compute node 1 through policy routing for security protection filtering; if the message is allowed to pass, it is sent back to the vrouter on compute node 1 through the default route and the process proceeds to step 76, otherwise the message is discarded;
Step 76: the vrouter on compute node 1 sends the message to the destination host, namely the elastic cloud server VM, through the directly connected route, completing the inbound path.
Referring to fig. 10, fig. 10 is a schematic diagram of service drainage in the chained cross-node outbound direction according to an embodiment of the present application, which includes the following steps:
Step 81: the message sent by the elastic cloud server VM first arrives at the VPC virtual router vrouter on the current physical server (namely compute node 1);
Step 82: the vrouter on compute node 1 sends the message to the virtual firewall VFW on compute node 2 through policy routing;
Step 83: the VFW on compute node 2 performs security protection filtering; if the message is allowed to pass, it is sent to the vrouter on compute node 2 through the default route and the process proceeds to step 84, otherwise the message is discarded;
Step 84: the vrouter on compute node 2 sends the message to the Web application firewall WAF on compute node 3 through policy routing;
Step 85: the WAF on compute node 3 performs security protection filtering; if the message is allowed to pass, it is sent to the vrouter on compute node 3 through the default route and the process proceeds to step 86, otherwise the message is discarded;
Step 86: on receiving the message, the vrouter on compute node 3 determines from the destination IP that it is an outbound message and performs SNAT, mapping the source IP of the message from the intranet IP to a public network IP or to a floating IP mapped one-to-one to a public network IP (the floating IP is mapped to the public network IP by a device at a higher layer);
Step 87: the vrouter on compute node 3 sends the message to the device at the upper layer of the topology for further address mapping, or directly out to the public network, completing the outbound path.
Referring to fig. 11, fig. 11 is a schematic diagram of service drainage in the chained cross-node inbound direction according to an embodiment of the present application, which includes the following steps:
Step 91: the message from the public network arrives at the VPC virtual router vrouter on the physical server (i.e., compute node 1) where the elastic cloud server VM is located;
Step 92: the vrouter on compute node 1 performs DNAT, mapping the destination IP of the message from the public network IP to the intranet IP of the elastic cloud server VM;
Step 93: the vrouter on compute node 1 sends the message to the Web application firewall WAF on compute node 3 through policy routing;
Step 94: the WAF on compute node 3 performs security protection filtering; if the message is allowed to pass, it is sent to the vrouter on compute node 3 through the default route and the process proceeds to step 95, otherwise the message is discarded;
Step 95: the vrouter on compute node 3 sends the message to the virtual firewall VFW on compute node 2 through policy routing for security protection filtering; if the message is allowed to pass, it is sent back to the vrouter on compute node 2 through the default route and the process proceeds to step 96, otherwise the message is discarded;
Step 96: the vrouter on compute node 2 sends the message to the destination host, namely the elastic cloud server VM, through the directly connected route, completing the inbound path.
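The policy-route definition given earlier (source or destination IP, port, transport protocol, next hop) and the per-figure data-plane steps above can be modelled together. The following Python is an added example, not code from the patent or from Inspur: it generates the outbound (forward-order) and inbound (reverse-order) policy routes using the ingress-port binding rules stated in claim 1, then simulates the fully distributed vrouter walking a packet through the chain with SNAT placed on the last device's node and DNAT on the target server's node. Device names, node names, port names and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ServiceDevice:
    """A non-service type virtual device (e.g. VFW, WAF) in the drainage chain."""
    name: str      # device name
    node: str      # physical compute node hosting the device
    gw_port: str   # default gateway port of its interconnection subnet on the vrouter


@dataclass(frozen=True)
class PolicyRoute:
    direction: str           # "out" or "in"
    ip: str                  # source IP (out) or destination IP (in)
    port: int                # source port (out) or destination port (in)
    proto: str               # transport layer protocol type
    in_port: str             # message ingress port the route is bound to
    next_hop: ServiceDevice  # device the matching message is redirected to


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    in_port: str = ""        # set by the simulated vrouter as the packet moves


# Constructed port names; the patent names only the roles, not the identifiers.
VPC_GW_PORT = "vpc-default-gw"   # default gateway port of the VPC
EXT_PORT = "external-if"         # interface connecting the external network


def build_policy_routes(chain: List[ServiceDevice], ip: str, port: int,
                        proto: str = "tcp") -> Tuple[List[PolicyRoute], List[PolicyRoute]]:
    """Outbound routes follow the chain in forward order, inbound routes in reverse.
    The first route of each direction is bound to the VPC gateway port / external
    interface; each later route is bound to the previous hop's subnet gateway port."""
    outbound, prev = [], VPC_GW_PORT
    for dev in chain:
        outbound.append(PolicyRoute("out", ip, port, proto, prev, dev))
        prev = dev.gw_port
    inbound, prev = [], EXT_PORT
    for dev in reversed(chain):
        inbound.append(PolicyRoute("in", ip, port, proto, prev, dev))
        prev = dev.gw_port
    return outbound, inbound


def match_route(routes: List[PolicyRoute], pkt: Packet,
                direction: str) -> Optional[PolicyRoute]:
    """First matching condition (out): src IP, src port, proto, ingress port.
    Second matching condition (in): dst IP, dst port, proto, ingress port.
    A route is hit only from the port it is bound to, so the packet cannot loop."""
    key = (pkt.src_ip, pkt.src_port) if direction == "out" else (pkt.dst_ip, pkt.dst_port)
    for r in routes:
        if (r.direction == direction and (r.ip, r.port) == key
                and r.proto == pkt.proto and r.in_port == pkt.in_port):
            return r
    return None


def steer(pkt: Packet, direction: str, routes: List[PolicyRoute], vm_node: str,
          vm_ip: str, public_ip: str,
          allow: Callable[[ServiceDevice, Packet], bool]) -> List[str]:
    """Simulate the distributed vrouter walking one packet through the chain.
    Returns the hop list, ending in DROP, SNAT@<node> or DELIVER@<node>."""
    path: List[str] = []
    node = vm_node                        # vrouter instance currently holding the packet
    if direction == "in":
        pkt.dst_ip = vm_ip                # DNAT on the target VM's node, before steering
        path.append(f"DNAT@{node}")
        pkt.in_port = EXT_PORT
    else:
        pkt.in_port = VPC_GW_PORT
    while True:
        route = match_route(routes, pkt, direction)
        if route is None:                 # no policy route hit: fall through to default
            break
        dev = route.next_hop
        path.append(f"{dev.name}@{dev.node}")
        if not allow(dev, pkt):           # the device's security filtering rejects it
            path.append("DROP")
            return path
        # the device's default route hands the packet to the vrouter on its own node,
        # where it re-enters through the interconnection subnet gateway port
        node, pkt.in_port = dev.node, dev.gw_port
    if direction == "out":                # default route on the last device's node + SNAT
        pkt.src_ip = public_ip
        path.append(f"SNAT@{node}")
    else:                                 # directly connected route to the VM
        path.append(f"DELIVER@{node}")
    return path


def devices_on(path: List[str]) -> List[str]:
    """Device names visited, used to check forward/reverse path symmetry."""
    return [h.split("@")[0] for h in path
            if "@" in h and h.split("@")[0] not in ("SNAT", "DNAT", "DELIVER")]
```

With a chain VFW (node 2) then WAF (node 3) and the VM on node 1, the outbound walk ends with SNAT on node 3 and the inbound walk visits WAF then VFW and delivers from node 2, matching figs. 10 and 11.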
Referring to fig. 12, the embodiment of the application discloses a service drainage device comprising a configuration information acquisition module 11, a virtual device hooking module 12, a policy route generation module 13, a policy route issuing module 14 and a virtual router 15, wherein,
The configuration information acquisition module 11 is configured to acquire configuration information of a service drainage chain;
The virtual device hooking module 12 is configured to hook each non-service type virtual device in the service drainage chain to a virtual router in the user VPC based on the configuration information; the virtual router is deployed in the user VPC using a fully distributed architecture;
The policy route generation module 13 is configured to generate an outbound policy route according to the forward sequence of the non-service type virtual devices in the service drainage chain, and an inbound policy route according to their reverse sequence;
The policy route issuing module 14 is configured to issue the outbound policy route and the inbound policy route to the virtual router;
The virtual router 15 is configured to perform service drainage based on the outbound policy route and the inbound policy route.
Therefore, the embodiment of the application first obtains the configuration information of the service drainage chain and then, based on that configuration information, hooks each non-service type virtual device in the chain to a virtual router in the user VPC, the virtual router being deployed in the user VPC using a fully distributed architecture; it then generates an outbound policy route according to the forward sequence of the non-service type virtual devices in the chain and an inbound policy route according to their reverse sequence, and finally issues both policy routes to the virtual router, which performs service drainage based on them. Because the application hooks each non-service type virtual device to the virtual router in the user VPC and performs drainage through policy routes, it is non-invasive to the data plane and preserves the stability and robustness of the cloud platform; the number of policy routes does not grow with the number of elastic cloud servers, so compared with a fully flow-tabled service drainage scheme it scales well; and because the outbound policy route is generated in the forward sequence of the devices and the inbound policy route in their reverse sequence, the traffic path during service drainage is symmetric.
In a specific embodiment, the virtual router on the physical node where the last non-service type virtual device in the service drainage chain is located is used to perform the SNAT operation on outbound traffic;
and the virtual router on the physical node where the target elastic cloud server is located is used to perform the DNAT operation on inbound traffic.
Specifically, the virtual router on the physical node where the last non-service type virtual device in the service drainage chain is located performs the SNAT operation on outbound traffic when it determines, from the destination IP of the message, that the current message is an outbound message.
The virtual device hooking module 12 is specifically configured to determine the non-service type virtual devices in the service drainage chain based on the configuration information; create an independent interconnection subnet for each non-service type virtual device in the user VPC; and hook each non-service type virtual device to the virtual router in the user VPC through its interconnection subnet.
In a specific embodiment, the configuration information obtaining module is specifically configured to:
acquiring configuration information of a service drainage chain through a cloud computing management console;
correspondingly, the device is also used for: and calling a preset north interface based on the configuration information, and starting the virtual equipment hooking module 12.
The outbound policy route comprises a source IP, a source port, a transport layer protocol type, a message ingress port and next-hop information; the inbound policy route comprises a destination IP, a destination port, a transport layer protocol type, a message ingress port and next-hop information.
In a specific embodiment of the present invention,
The virtual router is used, when receiving an outbound message, to match a first target outbound policy route among the outbound policy routes according to a first matching condition and to perform service drainage based on the first target outbound policy route; and, when receiving an inbound message, to match a second target inbound policy route among the inbound policy routes according to a second matching condition and to perform service drainage based on the second target inbound policy route;
The first matching condition comprises a source IP, a source port, a transport layer protocol type and a message ingress port, and the second matching condition comprises a destination IP, a destination port, a transport layer protocol type and a message ingress port.
Further, the embodiment of the application also discloses a computer readable storage medium for storing a computer program, wherein the computer program is executed by a processor to implement the service drainage method disclosed in the previous embodiment.
For the specific process of the service drainage method, reference may be made to the corresponding content disclosed in the foregoing embodiment, and no further description is given here.
In this specification, the embodiments are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts may be referred to across embodiments. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and relevant points can be found in the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The foregoing describes in detail the service drainage method, device and medium provided by the present application. Specific examples are used herein to illustrate the principles and embodiments of the present application, and the above description of the embodiments is only intended to help understand the method and core idea of the present application; at the same time, those skilled in the art will make variations in the specific embodiments and the scope of application in accordance with the ideas of the present application, and in view of the above, the content of this description should not be construed as limiting the present application.

Claims (9)

1. A service drainage method, comprising:
Acquiring configuration information of a service drainage chain;
each non-service type virtual device in the service flow guide chain is hung to a virtual router in a user VPC based on the configuration information; the virtual router is deployed in the user VPC by adopting a full distributed architecture;
generating an outbound policy route according to the forward sequence of each non-service type virtual device in the service drainage chain, and generating an inbound policy route according to the reverse sequence of each non-service type virtual device;
issuing the outbound policy route and the inbound policy route to the virtual router, and performing service drainage based on the outbound policy route and the inbound policy route;
The outbound policy route comprises a source IP, a source port, a transport layer protocol type, a message ingress port and next-hop information; the inbound policy route comprises a destination IP, a destination port, a transport layer protocol type, a message ingress port and next-hop information; the message ingress port in the first policy route in the outbound direction is the default gateway port of the VPC, and the message ingress port in each subsequent policy route is the default gateway port of the interconnection subnet of the previous-hop non-service type virtual device; the message ingress port in the first policy route in the inbound direction is the interface connecting the external network, and the message ingress port in each subsequent policy route is the default gateway port of the interconnection subnet of the previous-hop non-service type virtual device; the next-hop information in the first outbound policy route in the outbound direction is the first non-service type virtual device of the service drainage chain, and the next-hop information in the first inbound policy route in the inbound direction is the last non-service type virtual device of the service drainage chain.
2. The service drainage method of claim 1, further comprising:
Performing SNAT operation on the outbound traffic through a virtual router on a physical node where the last non-service type virtual device in the service flow guide chain is located;
and executing DNAT operation aiming at the network access traffic through a virtual router on a physical node where the target elastic cloud server is located.
3. The service drainage method according to claim 2, wherein the performing the SNAT operation on outbound traffic through the virtual router on the physical node where the last non-service type virtual device in the service drainage chain is located comprises:
And executing SNAT operation aiming at the outbound traffic when the virtual router on the physical node where the last non-service type virtual device in the service flow guide chain is located judges that the current message is the outbound message according to the destination IP in the message.
4. The service drainage method according to claim 1, wherein the hooking each non-service type virtual device in the service drainage chain to a virtual router within a user VPC based on the configuration information comprises:
determining the non-service type virtual devices in the service drainage chain based on the configuration information;
Creating an independent interconnection sub-network for each non-service type virtual device in a user VPC;
and hanging each non-service type virtual device to a virtual router in the user VPC through the interconnection sub-network.
5. The service drainage method according to claim 1, wherein the obtaining the configuration information of the service drainage chain includes:
acquiring configuration information of a service drainage chain through a cloud computing management console;
correspondingly, the method further comprises the steps of: and calling a preset northbound interface based on the configuration information, and starting the step of hanging each non-service type virtual device in the service flow guide chain to a virtual router in a user VPC based on the configuration information.
6. The service drainage method according to claim 1, wherein performing service drainage based on the outbound policy route and the inbound policy route comprises:
when the virtual router receives an outbound packet, matching a first target outbound policy route among the outbound policy routes according to a first matching condition, and performing service drainage based on the first target outbound policy route;
when the virtual router receives an inbound packet, matching a second target inbound policy route among the inbound policy routes according to a second matching condition, and performing service drainage based on the second target inbound policy route;
wherein the first matching condition comprises a source IP, a source port, a transport layer protocol type and a packet ingress port, and the second matching condition comprises a destination IP, a destination port, a transport layer protocol type and a packet ingress port.
7. A service drainage device, characterized by comprising a configuration information acquisition module, a virtual device attaching module, a policy route generation module, a policy route issuing module and a virtual router, wherein:
the configuration information acquisition module is used for acquiring the configuration information of a service drainage chain;
the virtual device attaching module is used for attaching each non-service type virtual device in the service drainage chain to a virtual router in a user VPC based on the configuration information; the virtual router is deployed in the user VPC using a fully distributed architecture;
the policy route generation module is used for generating outbound policy routes according to the forward order of the non-service type virtual devices in the service drainage chain and generating inbound policy routes according to the reverse order of the non-service type virtual devices;
the policy route issuing module is used for issuing the outbound policy routes and the inbound policy routes to the virtual router;
the virtual router is used for performing service drainage based on the outbound policy routes and the inbound policy routes;
the outbound policy route comprises a source IP, a source port, a transport layer protocol type, a packet ingress port and next-hop information; the inbound policy route comprises a destination IP, a destination port, a transport layer protocol type, a packet ingress port and next-hop information; in the outbound direction, the packet ingress port in the first policy route is the default gateway port of the VPC, and the packet ingress port in each subsequent policy route is the default gateway port of the interconnection subnet of the previous-hop non-service type virtual device; in the inbound direction, the packet ingress port in the first policy route is the interface connecting to the external network, and the packet ingress port in each subsequent policy route is the default gateway port of the interconnection subnet of the previous-hop non-service type virtual device; the next-hop information in the first outbound policy route is the first non-service type virtual device of the service drainage chain, and the next-hop information in the first inbound policy route is the last non-service type virtual device of the service drainage chain.
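Route generation and matching as claims 6 and 7 describe them, written here as an added illustration rather than code from the patent or its assignee; the port names, the firewall/IDS chain and the steered flow are constructed assumptions.

```python
"""Added example (not code from the patent): build the outbound/inbound policy
routes of claim 7 for a chain of non-service type virtual devices and match
packets against them as in claim 6. All names and the sample chain are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPC_GATEWAY_PORT = "vpc-gw"  # default gateway port of the user VPC (assumed name)
EXTERNAL_IFACE = "ext-if"    # router interface toward the external network (assumed name)

@dataclass(frozen=True)
class Device:
    name: str            # a non-service type virtual device, e.g. a firewall instance
    subnet_gw_port: str  # default gateway port of its own interconnection subnet

@dataclass(frozen=True)
class PolicyRoute:
    ip: str            # source IP (outbound routes) or destination IP (inbound routes)
    port: int          # source port (outbound) or destination port (inbound)
    proto: str         # transport layer protocol type
    ingress_port: str  # packet ingress port on the virtual router
    next_hop: str      # non-service type virtual device the packet is steered to

def build_routes(chain: List[Device], ip: str, port: int,
                 proto: str) -> Tuple[List[PolicyRoute], List[PolicyRoute]]:
    """Outbound routes follow chain order, inbound routes the reverse order."""
    def routes(devices: List[Device], first_ingress: str) -> List[PolicyRoute]:
        result, ingress = [], first_ingress
        for dev in devices:
            result.append(PolicyRoute(ip, port, proto, ingress, dev.name))
            ingress = dev.subnet_gw_port  # next route catches packets returning from dev
        return result
    return routes(chain, VPC_GATEWAY_PORT), routes(chain[::-1], EXTERNAL_IFACE)

def match(routes: List[PolicyRoute], ip: str, port: int, proto: str,
          ingress_port: str) -> Optional[str]:
    """Next hop of the first matching route; None means the chain is done and
    normal routing (SNAT outbound, DNAT to the ECS inbound) takes over."""
    for r in routes:
        if (r.ip, r.port, r.proto, r.ingress_port) == (ip, port, proto, ingress_port):
            return r.next_hop
    return None

# Constructed sample: web server 10.0.1.5:443 behind firewall fw-1 then IDS ids-1.
# Inbound packets carry dst 10.0.1.5:443 and outbound replies src 10.0.1.5:443, so one
# (ip, port, proto) triple keeps both directions of a flow on the same chain.
CHAIN = [Device("fw-1", "gw-fw-1"), Device("ids-1", "gw-ids-1")]
OUTBOUND, INBOUND = build_routes(CHAIN, "10.0.1.5", 443, "tcp")
```

A packet arriving from the last device's subnet gateway matches no route in either direction, which is the point at which the SNAT or DNAT of claim 8 applies.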
8. The service drainage device according to claim 7, wherein:
the virtual router on the physical node where the last non-service type virtual device in the service drainage chain is located is used for performing an SNAT operation on the outbound traffic;
and the virtual router on the physical node where the target elastic cloud server is located is used for performing a DNAT operation on the inbound traffic.
9. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the service drainage method according to any one of claims 1 to 6.
CN202210319421.5A 2022-03-29 2022-03-29 Service drainage method, device and medium Active CN114760246B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210319421.5A CN114760246B (en) 2022-03-29 2022-03-29 Service drainage method, device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210319421.5A CN114760246B (en) 2022-03-29 2022-03-29 Service drainage method, device and medium

Publications (2)

Publication Number Publication Date
CN114760246A CN114760246A (en) 2022-07-15
CN114760246B true CN114760246B (en) 2024-05-03

Family

ID=82327846

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210319421.5A Active CN114760246B (en) 2022-03-29 2022-03-29 Service drainage method, device and medium

Country Status (1)

Country Link
CN (1) CN114760246B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115242788A (en) * 2022-07-27 2022-10-25 广东浪潮智慧计算技术有限公司 Flow data control method, device and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109889533A (en) * 2019-03-11 2019-06-14 北京网御星云信息技术有限公司 Security defend method and system, computer readable storage medium under cloud environment
CN109889621A (en) * 2019-01-18 2019-06-14 北京百度网讯科技有限公司 The configuration method and device of virtual private cloud service
CN110392108A (en) * 2019-07-23 2019-10-29 浪潮云信息技术有限公司 A kind of public cloud Network Load Balance system architecture and implementation method
CN111355666A (en) * 2018-12-21 2020-06-30 瞻博网络公司 Facilitating flow symmetry for service chains in a computer network
CN112039748A (en) * 2016-06-30 2020-12-04 丛林网络公司 Automatic discovery and automatic scaling of services in a software defined network environment
CN112291252A (en) * 2020-11-02 2021-01-29 浪潮云信息技术股份公司 Architecture and method for realizing symmetric flow guiding of north-south flow
CN112838974A (en) * 2020-12-29 2021-05-25 新华三技术有限公司 Service chain drainage system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190140863A1 (en) * 2017-11-06 2019-05-09 Cisco Technology, Inc. Dataplane signaled bidirectional/symmetric service chain instantiation for efficient load balancing


Also Published As

Publication number Publication date
CN114760246A (en) 2022-07-15


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant