CN115499434A - Cross-VPC flow forwarding method - Google Patents

Cross-VPC flow forwarding method

Info

Publication number: CN115499434A
Authority: CN (China)
Prior art keywords: peer, vpc, mac address, address information, dvr
Legal status: Pending
Application number: CN202210911121.6A
Other languages: Chinese (zh)
Inventor: 黄永远
Current Assignee: Tianyi Cloud Technology Co Ltd
Original Assignee: Tianyi Cloud Technology Co Ltd
Application filed by Tianyi Cloud Technology Co Ltd
Priority to CN202210911121.6A
Publication of CN115499434A

Classifications

    • H04L 67/10 Network arrangements or protocols for supporting network services or applications; Protocols in which an application is distributed across nodes in the network
    • G06F 9/45558 Hypervisors; Virtual machine monitors; Hypervisor-specific management and integration aspects
    • H04L 12/4633 Data switching networks; Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L 12/4641 Data switching networks; Interconnection of networks; Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 67/141 Session management; Setup of application sessions
    • G06F 2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a cross-VPC traffic forwarding method in the technical field of cloud networks. A VPC peer gateway cluster is introduced for the VPC peer-to-peer connection between a first VPC and a second VPC. After generating peer-to-peer connection traffic, the first VPC sends it to the VPC peer gateway cluster; on receiving it, the cluster modifies the MAC address information of the traffic from first MAC address information related to the first VPC to second MAC address information related to the second VPC, and sends the traffic to the second VPC based on the modified second MAC address information, so that traffic forwarding across VPCs is realized.

Description

Cross-VPC flow forwarding method
Technical Field
The invention relates to the technical field of cloud networks, in particular to a cross-VPC traffic forwarding method.
Background
In the field of cloud network technology, a Virtual Private Cloud (VPC) is an isolated, private virtual network environment on a cloud.
In the related art, interworking between Virtual Machines (VMs) in the same VPC is supported: a VPC may include several different subnets, VMs under the same subnet of a VPC can interwork, and VMs in different subnets of the same VPC can interwork. Interworking between VMs in different VPCs, however, has not been supported.
Disclosure of Invention
The application provides a cross-VPC flow forwarding method, and the technical scheme is as follows.
In one aspect, a method for forwarding traffic across VPCs is provided, where the method is performed by a VPC peer gateway cluster in a VPC peer-to-peer connection network, where the VPC peer-to-peer connection network further includes a first VPC and a second VPC, and the method includes:
receiving peer-to-peer connection traffic sent by the first VPC, where Media Access Control (MAC) address information of the peer-to-peer connection traffic is first MAC address information, and the first MAC address information is related to a MAC address of a first Distributed Virtual Router (DVR) in the first VPC and a MAC address of a first peer port reserved by a first subnet in the first VPC;
modifying the MAC address information of the peer-to-peer connection traffic from the first MAC address information to second MAC address information, wherein the second MAC address information is related to the MAC address of a second DVR in the second VPC and the MAC address of a second peer port reserved by a second subnet in the second VPC;
and sending the peer-to-peer connection traffic with the modified address information to the second VPC.
In one aspect, a method for forwarding traffic across VPCs is provided, where the method is performed by a first VPC in a VPC peer-to-peer connection network, the VPC peer-to-peer connection network further includes a VPC peer gateway cluster and a second VPC, and the method includes:
generating peer-to-peer connection traffic, wherein MAC address information of the peer-to-peer connection traffic is third MAC address information, and the third MAC address information is related to a MAC address of a first DVR in the first VPC and a MAC address of a first VM in the first VPC;
modifying the MAC address information of the peer-to-peer connection traffic from the third MAC address information to first MAC address information, wherein the first MAC address information is related to the MAC address of the first DVR in the first VPC and the MAC address of a first peer port reserved by a first subnet in the first VPC;
and sending the peer-to-peer connection traffic after the address information is modified to the VPC peer-to-peer gateway cluster so that the VPC peer-to-peer gateway cluster forwards the peer-to-peer connection traffic to the second VPC.
In a possible implementation manner, the MAC address of the first peer port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used, during flow table matching of the traffic, to identify that the traffic belongs to traffic forwarded across VPCs.
In one aspect, a method for forwarding traffic across VPCs is provided, the method being performed by a second VPC in a VPC peer-to-peer connection network, the VPC peer-to-peer connection network further including a VPC peer gateway cluster, a first VPC, the method including:
receiving peer-to-peer connection traffic sent by the VPC peer-to-peer gateway cluster, wherein the peer-to-peer connection traffic is received by the VPC peer-to-peer gateway cluster from the first VPC, MAC address information of the peer-to-peer connection traffic is second MAC address information, and the second MAC address information is related to an MAC address of a second DVR in the second VPC and an MAC address of a second peer-to-peer port reserved by a second subnet in the second VPC;
modifying the MAC address information of the peer-to-peer connection traffic from the second MAC address information to fourth MAC address information, wherein the fourth MAC address information is related to a MAC address of a second DVR in the second VPC and a MAC address of a second VM in the second VPC;
and sending the peer-to-peer connection traffic with the modified address information to the second VM.
In a possible implementation manner, the MAC address of the second peer port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used, during flow table matching of the traffic, to identify that the traffic belongs to traffic forwarded across VPCs.
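The three method aspects above are one forwarding path with three MAC rewrites: the first DVR turns the third MAC information (VM to DVR) into the first (DVR to reserved peer port), the gateway cluster turns the first into the second (remote peer port to remote DVR), and the second DVR turns the second into the fourth (DVR to destination VM). The following Python walk-through is an added example, not code from the patent or from Tianyi Cloud; it models each stage as a function that first checks the frame carries the MAC information that stage expects (including the preset peer-port prefix match) and only then rewrites it, so that a frame with unexpected addressing is rejected rather than forwarded. Every MAC address, CIDR and the prefix value are constructed sample values, and the destination VM's MAC is read from the sample topology instead of being resolved by ARP.

```python
"""Constructed walk-through of the three MAC rewrites in the cross-VPC peer
forwarding path. Not the patent's or any product's code; every MAC address,
CIDR and the preset prefix value are made-up sample values."""
from dataclasses import dataclass, replace
import ipaddress

# Assumed preset MAC prefix that marks a reserved peer port (the page names the
# mechanism but not the value; this one is constructed).
PEER_MAC_PREFIX = "fa:16:3e:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Vpc:
    name: str
    cidr: ipaddress.IPv4Network  # the VPC's network segment
    dvr_mac: str                 # MAC of the VPC's DVR (the VM's default gateway)
    peer_port_mac: str           # MAC of the peer port reserved by the subnet
    vm_mac: str                  # MAC of the VM taking part in the sample exchange


def is_peer_traffic(mac: str) -> bool:
    """The flow-table match on the preset prefix: does this MAC mark cross-VPC traffic?"""
    return mac.lower().startswith(PEER_MAC_PREFIX)


def classify_destination(dst_ip: str, local: Vpc, remote: Vpc) -> str:
    """DVR route lookup: 'direct' (own segment), 'peer' (peered VPC's segment)
    or 'default' (neither; on the page this falls through to the NAT gateway)."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in local.cidr:
        return "direct"
    if dst in remote.cidr:
        return "peer"
    return "default"


def first_dvr_rewrite(frame: Frame, local: Vpc, remote: Vpc) -> Frame:
    """Step 1, first VPC: the peer-to-peer connection routing rule turns the
    third MAC info (VM -> DVR) into the first MAC info (DVR -> local peer port)."""
    if frame.dst_mac != local.dvr_mac:
        raise ValueError("frame is not addressed to the first DVR")
    if classify_destination(frame.dst_ip, local, remote) != "peer":
        raise ValueError("destination is not in the peered VPC; peer rule does not apply")
    return replace(frame, src_mac=local.dvr_mac, dst_mac=local.peer_port_mac)


def gateway_rewrite(frame: Frame, local: Vpc, remote: Vpc) -> Frame:
    """Step 2, br-conjoin in the gateway cluster: first MAC info -> second MAC
    info, i.e. source becomes the remote subnet's peer port, destination the remote DVR."""
    if not is_peer_traffic(frame.dst_mac):
        raise ValueError("destination MAC lacks the peer prefix: not cross-VPC traffic")
    if (frame.src_mac, frame.dst_mac) != (local.dvr_mac, local.peer_port_mac):
        raise ValueError("MAC info does not match the first VPC's DVR and peer port")
    return replace(frame, src_mac=remote.peer_port_mac, dst_mac=remote.dvr_mac)


def second_dvr_rewrite(frame: Frame, remote: Vpc) -> Frame:
    """Step 3, second VPC: the direct routing rule turns the second MAC info
    into the fourth MAC info (DVR -> destination VM)."""
    if not is_peer_traffic(frame.src_mac) or frame.src_mac != remote.peer_port_mac:
        raise ValueError("source MAC is not this subnet's reserved peer port")
    if frame.dst_mac != remote.dvr_mac:
        raise ValueError("frame is not addressed to the second DVR")
    if ipaddress.ip_address(frame.dst_ip) not in remote.cidr:
        raise ValueError("destination is outside the second VPC's segment")
    return replace(frame, src_mac=remote.dvr_mac, dst_mac=remote.vm_mac)


def forward(frame: Frame, first: Vpc, second: Vpc) -> list:
    """Run the full path; returns the frame as seen after each stage
    (third, first, second and fourth MAC info, in that order)."""
    f1 = first_dvr_rewrite(frame, first, second)
    f2 = gateway_rewrite(f1, first, second)
    f3 = second_dvr_rewrite(f2, second)
    return [frame, f1, f2, f3]


# Constructed sample topology: two peered VPCs.
VPC_A = Vpc("vpc-a", ipaddress.ip_network("10.0.0.0/16"),
            dvr_mac="fa:16:3e:00:00:0a", peer_port_mac="fa:16:3e:ff:00:0a",
            vm_mac="fa:16:3e:a1:a1:a1")
VPC_B = Vpc("vpc-b", ipaddress.ip_network("10.1.0.0/16"),
            dvr_mac="fa:16:3e:00:00:0b", peer_port_mac="fa:16:3e:ff:00:0b",
            vm_mac="fa:16:3e:b2:b2:b2")

if __name__ == "__main__":
    start = Frame(VPC_A.vm_mac, VPC_A.dvr_mac, "10.0.1.10", "10.1.2.20")
    for label, fr in zip(("third", "first", "second", "fourth"),
                         forward(start, VPC_A, VPC_B)):
        print(f"{label:6s} MAC info: src={fr.src_mac} dst={fr.dst_mac}")
```

Note that the IP header is never touched: only the two MAC fields change at each hop, which is why the reserved peer-port MAC (and its prefix) is what the flow tables key on to tell peering traffic apart from ordinary intra-VPC or north-south traffic.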
In yet another aspect, there is provided a traffic forwarding apparatus across VPCs, the apparatus being performed by a VPC peer gateway cluster in a VPC peer-to-peer connection network, the VPC peer-to-peer connection network further including a first VPC, a second VPC, the apparatus comprising: the system comprises a flow receiving module, an address information modifying module and a flow sending module;
the traffic receiving module is configured to receive peer-to-peer connection traffic sent by the first VPC, where MAC address information of the peer-to-peer connection traffic is first MAC address information, and the first MAC address information is related to a MAC address of a first DVR in the first VPC and a MAC address of a first peer port reserved by a first subnet in the first VPC;
the address information modification module is configured to modify the MAC address information of the peer-to-peer connection traffic from the first MAC address information to second MAC address information, where the second MAC address information is related to a MAC address of a second DVR in the second VPC and a MAC address of a second peer port reserved by a second subnet in the second VPC;
and the flow sending module is used for sending the peer-to-peer connection flow after the address information is modified to the second VPC.
In one possible implementation manner, a gateway node in the VPC peer-to-peer gateway cluster includes br-conjoin and br-south, where the interface for communicating with the VPCs is established on br-south, and a Veth Pair is established between br-conjoin and br-south for each VPC;
the address information modification module is configured to:
after receiving the peer-to-peer connection traffic sent by the first VPC, br-south sends the peer-to-peer connection traffic out of the first Veth Pair corresponding to the first VPC, to br-conjoin;
the br-conjoin modifies the source MAC address of the peer-to-peer connection flow from the MAC address of a first DVR in the first VPC to the MAC address of a second peer-to-peer port reserved by a second subnet in the second VPC, and modifies the destination MAC address of the peer-to-peer connection flow from the MAC address of the first peer-to-peer port reserved by the first subnet in the first VPC to the MAC address of the second DVR in the second VPC;
the traffic sending module is configured to:
the br-conjoin sends the peer-to-peer connection flow with the modified address information out of a second Veth Pair corresponding to the second VPC, and sends the peer-to-peer connection flow to the br-south;
and the br-south sends the peer-to-peer connection traffic with the modified address information to the second VPC.
In a possible implementation manner, the br-conjoin includes a subnet selection group flow table corresponding to the second VPC, where the subnet selection group flow table is used to perform load balancing selection on a subnet in the second VPC;
the address information modification module is configured to select, by the br-conjoin, a second subnet in a second VPC using the subnet selection group flow table before the br-conjoin modifies a source MAC address of the peer connection flow from a MAC address of a first DVR in the first VPC to a MAC address of a second peer port reserved for the second subnet in the second VPC.
In a possible implementation manner, br-south includes a DVR instance selection group flow table corresponding to the second DVR, and the DVR instance selection group flow table is used for performing load balancing selection among the DVR instances of the second DVR;
the traffic sending module is configured to:
the br-south selects a target DVR instance of the second DVR using the DVR instance selection group flow table;
and the br-south sends the peer-to-peer connection traffic with the modified address information to a target DVR instance of the second DVR.
In a possible implementation manner, the MAC address of the first peer port and the MAC address of the second peer port correspond to a preset MAC address prefix, where the preset MAC address prefix is used, during flow table matching of the traffic, to identify that the traffic belongs to traffic forwarded across VPCs.
In yet another aspect, there is provided a traffic forwarding apparatus across VPCs, the apparatus being performed by a first VPC in a VPC peer-to-peer connection network, the VPC peer-to-peer connection network further comprising a VPC peer gateway cluster, a second VPC, the apparatus comprising: the system comprises a flow generation module, an address information modification module and a flow sending module;
the traffic generation module is configured to generate peer-to-peer connection traffic, where MAC address information of the peer-to-peer connection traffic is third MAC address information, and the third MAC address information is related to a MAC address of a first DVR in the first VPC and a MAC address of a first VM in the first VPC;
the address information modification module is configured to modify MAC address information of the peer-to-peer connection traffic from the third MAC address information to first MAC address information, where the first MAC address information is related to a MAC address of a first DVR in the first VPC and a MAC address of a first peer port reserved by a first subnet in the first VPC;
the traffic sending module is configured to send the peer-to-peer connection traffic after the address information is modified to the VPC peer-to-peer gateway cluster, so that the VPC peer-to-peer gateway cluster forwards the peer-to-peer connection traffic to the second VPC.
In one possible implementation, a peer-to-peer connection routing rule is included in a first DVR of the first VPC, and the peer-to-peer connection routing rule includes: when the destination IP address of the flow belongs to the destination network segments of other VPCs, the next hop is the IP address of the peer port reserved by the subnet from which the flow comes;
the address information modification module is configured to:
after receiving the peer-to-peer connection traffic sent by the first VM, the first DVR modifies a source MAC address of the peer-to-peer connection traffic from a MAC address of the first VM in the first VPC to a MAC address of the first DVR in the first VPC and modifies a destination MAC address of the peer-to-peer connection traffic from the MAC address of the first DVR in the first VPC to a MAC address of a first peer-to-peer port reserved by a first subnet in the first VPC based on the peer-to-peer connection routing rule.
In one possible implementation manner, the VPC peer-to-peer gateway cluster includes at least one gateway node group, each gateway node group includes at least one gateway node, and a peer-to-peer connection between the first VPC and the second VPC is carried by a target gateway node group in the at least one gateway node group;
the traffic sending module is configured to:
the first DVR sends the peer-to-peer connection flow after the address information is modified to br-tun in the first VPC, wherein the br-tun comprises a gateway node selection group flow table corresponding to the target gateway node group, and the gateway node selection group flow table is used for carrying out load balancing selection on gateway nodes in the target gateway node group;
the br-tun selects a target gateway node in the target gateway node group by using the gateway node selection group flow table;
and the br-tun sends the peer-to-peer connection flow with the modified address information to the target gateway node.
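Three of the implementations above use a "select group" flow table for load balancing: br-tun in the first VPC picks a gateway node from the target gateway node group, br-conjoin picks a subnet of the second VPC, and br-south picks a DVR instance of the second DVR. The following Python model is an added example, not code from the patent or from Open vSwitch; it models bucket choice as a hash of the flow's 5-tuple, which is how an OVS select group with hash-based bucket selection behaves, so that every packet of one flow keeps landing on the same node, subnet and instance, and shows what happens to the distribution when a bucket is taken out of rotation. Group ids, node and subnet names and the sample flows are constructed.

```python
"""Constructed model of the three 'select group' flow tables used for load
balancing on the page: gateway node selection (br-tun), subnet selection
(br-conjoin) and DVR instance selection (br-south). Not the patent's or Open
vSwitch's code; bucket choice is a hash of the flow 5-tuple, all names made up."""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed flow key: (src_ip, dst_ip, ip_proto, src_port, dst_port)
FlowKey = Tuple[str, str, int, int, int]


class SelectGroup:
    """One group-table entry: a list of buckets, one of which is chosen per flow."""

    def __init__(self, group_id: int, buckets: Sequence[str]) -> None:
        if not buckets:
            raise ValueError("a select group needs at least one bucket")
        self.group_id = group_id
        self.buckets: List[str] = list(buckets)

    def select(self, key: FlowKey) -> str:
        """Hash-based selection: the same 5-tuple always maps to the same bucket."""
        digest = hashlib.sha256(repr(key).encode()).digest()
        return self.buckets[int.from_bytes(digest[:8], "big") % len(self.buckets)]

    def remove_bucket(self, bucket: str) -> None:
        """Take a failed node or instance out of rotation; flows that hashed to
        it are redistributed over the remaining buckets."""
        self.buckets.remove(bucket)
        if not self.buckets:
            raise ValueError("no buckets left in group %d" % self.group_id)


def plan_path(key: FlowKey, gw_group: SelectGroup, subnet_group: SelectGroup,
              dvr_group: SelectGroup) -> Dict[str, str]:
    """The three selections one peer-connection flow goes through on its way
    from the first VPC to the second: br-tun, then br-conjoin and br-south on
    the chosen gateway node."""
    return {
        "gateway_node": gw_group.select(key),
        "peer_subnet": subnet_group.select(key),
        "dvr_instance": dvr_group.select(key),
    }


def bucket_usage(group: SelectGroup, keys: Iterable[FlowKey]) -> Counter:
    """How many of the given flows land on each bucket."""
    return Counter(group.select(k) for k in keys)


def sample_keys(n: int) -> List[FlowKey]:
    """Constructed TCP flows from VPC A (10.0.0.0/16) to one VM in VPC B."""
    return [("10.0.1.%d" % (i % 200 + 1), "10.1.2.20", 6, 40000 + i, 443)
            for i in range(n)]


# Constructed groups, one per bridge named on the page.
GATEWAY_NODE_GROUP = SelectGroup(1, ["gw-node-1", "gw-node-2", "gw-node-3"])
SUBNET_GROUP = SelectGroup(2, ["subnet-b1", "subnet-b2"])
DVR_INSTANCE_GROUP = SelectGroup(3, ["dvr-b@compute-1", "dvr-b@compute-2"])

if __name__ == "__main__":
    key = ("10.0.1.10", "10.1.2.20", 6, 51000, 443)
    print(plan_path(key, GATEWAY_NODE_GROUP, SUBNET_GROUP, DVR_INSTANCE_GROUP))
    print(bucket_usage(GATEWAY_NODE_GROUP, sample_keys(300)))
```

Because the choice is a pure function of the flow key, a node that wants to correlate the forward and return packets of one connection (for conntrack-based security groups, for instance) can rely on the forward path being stable for the life of the flow; it does not by itself make the return path land on the same gateway node, which is a separate design question the page does not address.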
In a possible implementation manner, the MAC address of the first peer port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used, during flow table matching of the traffic, to identify that the traffic belongs to traffic forwarded across VPCs.
In yet another aspect, there is provided a traffic forwarding apparatus across VPCs, the apparatus being performed by a second VPC in a VPC peer-to-peer connection network, the VPC peer-to-peer connection network further comprising a VPC peer gateway cluster, a first VPC, the apparatus comprising: the system comprises a flow receiving module, an address information modifying module and a flow sending module;
the traffic receiving module is configured to receive peer-to-peer connection traffic sent by the VPC peer gateway cluster, where the peer-to-peer connection traffic is received by the VPC peer gateway cluster from the first VPC, and MAC address information of the peer-to-peer connection traffic is second MAC address information, where the second MAC address information is related to a MAC address of a second DVR in the second VPC and a MAC address of a second peer port reserved by a second subnet in the second VPC;
the address information modification module is configured to modify MAC address information of the peer connection traffic from the second MAC address information to fourth MAC address information, where the fourth MAC address information is related to a MAC address of a second DVR in the second VPC and a MAC address of a second VM in the second VPC;
the traffic sending module is configured to send the peer-to-peer connection traffic after the address information is modified to the second VM.
In one possible implementation manner, a second DVR in the second VPC includes a direct routing rule therein, where the direct routing rule includes: when the destination IP address of the flow belongs to the destination network segment of the second VPC, the next hop is a direct connection network card corresponding to the subnet to which the second VM belongs;
the address information modification module is configured to:
after receiving the peer-to-peer connection traffic sent by the VPC peer gateway cluster, the second DVR modifies the source MAC address of the peer-to-peer connection traffic from the MAC address of the second peer port reserved by the second subnet in the second VPC to the MAC address of the second DVR in the second VPC and modifies the destination MAC address of the peer-to-peer connection traffic from the MAC address of the second DVR in the second VPC to the MAC address of the second VM in the second VPC based on the direct routing rule.
In a possible implementation manner, the MAC address of the second peer port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used, during flow table matching of the traffic, to identify that the traffic belongs to traffic forwarded across VPCs.
In yet another aspect, a computer device is provided, which includes a processor and a memory, where the memory stores at least one instruction, at least one program, code set, or instruction set, and the at least one instruction, at least one program, code set, or instruction set is loaded and executed by the processor to implement the above-mentioned traffic forwarding method across VPCs.
In yet another aspect, a computer-readable storage medium is provided, where at least one instruction is stored, and the at least one instruction is loaded and executed by a processor to implement the above-mentioned cross-VPC traffic forwarding method.
In yet another aspect, a computer program product or computer program is provided, the computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions are read from the computer-readable storage medium by a processor of the computer device, and the processor executes the computer instructions to cause the computer device to perform the cross-VPC traffic forwarding method described above.
The technical scheme provided by the application can comprise the following beneficial effects:
a VPC peer-to-peer gateway cluster is introduced into the VPC peer-to-peer connection between the first VPC and the second VPC. After generating peer-to-peer connection traffic, the first VPC modifies its MAC address information from the third MAC address information to the first MAC address information and sends the traffic to the VPC peer-to-peer gateway cluster based on the modified first MAC address information. On receiving the traffic, the VPC peer-to-peer gateway cluster modifies its MAC address information from the first MAC address information, related to the first VPC, to the second MAC address information, related to the second VPC. On receiving the traffic, the second VPC modifies its MAC address information from the second MAC address information to the fourth MAC address information and sends the traffic to the destination VM. Traffic forwarding across VPCs is thereby achieved.
Drawings
In order to more clearly illustrate the detailed description of the present application or the technical solutions in the prior art, the drawings used in the detailed description or the prior art description will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic diagram illustrating a virtual network within a compute node, according to an example embodiment.
Fig. 2 is a schematic diagram illustrating a virtual network within a network node, according to an example embodiment.
Fig. 3 is a schematic diagram illustrating east-west traffic under a same subnet as a VPC in accordance with an exemplary embodiment.
Fig. 4 is a schematic diagram illustrating east-west traffic in a different subnet than a VPC according to an example embodiment.
FIG. 5 is a diagram illustrating north-south traffic while accessing the Internet, according to an example embodiment.
Fig. 6 is a schematic diagram illustrating an existing VPC network implementation model according to an exemplary embodiment.
FIG. 7 is a schematic diagram illustrating an improved VPC peer-to-peer connection network model in accordance with an exemplary embodiment.
FIG. 8 is a method flow diagram illustrating a method of traffic forwarding across VPCs in accordance with an exemplary embodiment.
Fig. 9 is a schematic diagram illustrating a gateway node in a VPC peer gateway cluster in packet form in accordance with an example embodiment.
Fig. 10 is a schematic diagram illustrating a network model of a gateway node, according to an example embodiment.
FIG. 11 is a method flow diagram illustrating a method of traffic forwarding across VPCs in accordance with an exemplary embodiment.
FIG. 12 is a diagram illustrating flow table matching in br-tun according to an example embodiment.
Fig. 13 is a diagram illustrating flow table matching in br-south, according to an example embodiment.
Fig. 14 is a diagram illustrating flow table matching in br-conjoin, according to an example embodiment.
FIG. 15 is a schematic diagram illustrating a traffic forwarding process across VPCs in accordance with an illustrative embodiment.
Fig. 16 is a block diagram illustrating an architecture of a cross-VPC traffic forwarding device in accordance with an exemplary embodiment.
Fig. 17 is a block diagram illustrating the structure of a cross-VPC traffic forwarding device in accordance with an exemplary embodiment.
Fig. 18 is a block diagram illustrating an architecture of a cross-VPC traffic forwarding device in accordance with an exemplary embodiment.
FIG. 19 is a schematic diagram of a computer device provided in accordance with an exemplary embodiment of the present application.
Detailed Description
The technical solutions of the present application will be described clearly and completely with reference to the accompanying drawings, and it is to be understood that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be understood that "indication" mentioned in the embodiments of the present application may be a direct indication, an indirect indication, or an indication of an association relationship. For example, "A indicates B" may mean that A directly indicates B (e.g., B may be obtained from A); it may also mean that A indicates B indirectly (e.g., A indicates C, and B may be obtained from C); it may also mean that there is an association between A and B.
In the description of the embodiments of the present application, the term "correspond" may indicate that there is a direct correspondence or an indirect correspondence between the two, may also indicate that there is an association between the two, and may also indicate and be indicated, configure and configured, and so on.
In the embodiment of the present application, "predefining" may be implemented by saving a corresponding code, table, or other manners that may be used to indicate related information in advance in a device (for example, including a terminal device and a network device), and the present application is not limited to a specific implementation manner thereof.
Before describing the various embodiments shown herein, the concepts related to the present application will be described.
Virtual Private Cloud (VPC)
The VPC is introduced from the point of view of both computing nodes and network nodes.
Fig. 1 shows a virtual network inside a computing node, which mainly includes the following elements:
VM: a Virtual Machine, which includes cloud desktops, cloud hosts, and some Virtual Network Function (VNF) network elements (such as a vFW, a Virtual Private Network (VPN), a vCPE, and the like).
Qbrxxx: a Linux bridge that provides security group functionality for the VM.
DHCP: Dynamic Host Configuration Protocol. Usually one VPC corresponds to multiple DHCP instances (a cluster), which automatically allocate IP addresses, DNS addresses, etc. to VMs as a network service. The control node distributes the DHCP instances across the computing nodes according to a scheduling strategy.
DVR: Distributed Virtual Router. One VPC may correspond to one DVR; when a VM instance of the VPC exists on a computing node, a DVR is created on that computing node accordingly. The DVR is the default gateway of the VM private network, and traffic related to cross-network access of the VM (both east-west and north-south traffic) must be forwarded at layer three by the DVR. The DVR also provides a flexible, customizable routing rule interface that facilitates steering different traffic flows, as described in detail below.
FIP: namely, a File Transfer Protocol, which can be regarded as a local gateway; only one exists per computing node and it is shared by all tenants on the node. It is mainly used to let a VM on the computing node access an external network (including the Internet) directly from the node, for example when a VM on the node is bound to an elastic IP on its own.
Br-int: an Open vSwitch bridge that implements logical isolation between the different VPCs within a node through Virtual Local Area Networks (VLANs), and implements layer-two forwarding through its flow table.
Br-tun: an Open vSwitch bridge mainly used to convert between local VLANs and the global Virtual eXtensible Local Area Network (VXLAN). A VXLAN logical sub-interface is bound to the br-tun bridge, VXLAN tunnels are established to the other computing nodes, network nodes and virtual gateway nodes, and cross-node VPC network access is realized through the flow table.
Br-ex: an Open vSwitch bridge bound to a VLAN logical sub-interface, providing the channel through which the VMs of the node access an external network.
Service network card: two 10G network cards are logically bonded to provide the underlay that carries cross-node mutual access of the tenant networks.
Fig. 2 shows the virtual network inside a network node. Apart from the Network Address Translation (NAT) gateway, its elements are the same as those described for the computing node:
NAT gateway: one VPC corresponds to one NAT instance; for high availability, two instances are deployed on different network nodes, and when the active node fails the standby node takes over and continues to carry the traffic. The NAT gateway mainly provides two service forms, Source Network Address Translation (SNAT) and Destination Network Address Translation (DNAT), and mainly provides address translation as a network service for VMs accessing the Internet or being accessed from the Internet.
Traffic pulling
The description covers east-west traffic and north-south traffic, and only the cross-node scenario is introduced.
East-west flow
In the case of the same subnet within a VPC, as shown in fig. 3, no layer-3 forwarding is involved and the traffic is tunneled to the target compute node via VXLAN.
In the case of different subnets within a VPC, as shown in fig. 4, layer-3 forwarding is involved: the routing rule is matched on the DVR, the traffic is forwarded to the other subnet by the DVR and then sent to the target compute node through the VXLAN tunnel.
North-south traffic
When accessing the internet, such service traffic can be realized in various ways, mainly: NAT gateway mode, vFW mode, private line mode, IPsec VPN mode and vCPE mode. These are implemented primarily by means of the custom policy routing framework provided by the DVR: the traffic of a VM accessing the internet is first delivered to the DVR, and the policy routing of the DVR then determines which way it takes. Fig. 5 shows the NAT gateway way; the other ways are similar.
When accessing the client-side intranet, such service traffic can be realized in multiple ways, mainly: private line mode, IPsec VPN mode and vCPE mode. These are likewise implemented by means of the custom policy routing framework provided by the DVR: the traffic of a VM accessing the client-side intranet is first delivered to the DVR, and the policy routing of the DVR then determines which way it takes.
In the related art, interworking across VPCs has not been supported. The conventional VPC network implementation model is shown in fig. 6. Some of its technical details are as follows:
In the DVR instance there are only direct routing rules and a default routing rule whose next hop is the NAT gateway.
Within a VPC, the same subnet communicates through layer-2 forwarding, and cross-subnet communication is performed through layer-3 forwarding by a route matched on the DVR.
Within a VPC, north-south traffic (e.g. accessing the public network or the client side) matches on the DVR either the default routing rule whose next hop is the NAT gateway, or a customized routing rule whose next hop is a VPN or virtual gateway.
In order to support cross-VPC intercommunication, a VPC peer gateway cluster is introduced for the VPC peer-to-peer connection between a first VPC and a second VPC. After generating the peer-to-peer connection traffic, the first VPC modifies its MAC address information from the third MAC address information to the first MAC address information and sends the traffic to the VPC peer gateway cluster based on the modified first MAC address information. After receiving the traffic, the VPC peer gateway cluster modifies its MAC address information from the first MAC address information, related to the first VPC, to the second MAC address information, related to the second VPC, and sends the traffic to the second VPC based on the modified second MAC address information. After receiving the traffic, the second VPC modifies its MAC address information from the second MAC address information to the fourth MAC address information and sends the traffic on, thereby implementing the forwarding of traffic across VPCs.
For example, with reference to fig. 7, VPC1 and VPC2 implement peer-to-peer connectivity through a VPC peer gateway cluster, and a VM in VPC1 can send traffic to a VM in VPC2.
The technical solutions provided in the present application will be described below with reference to several examples.
Fig. 8 is a flow diagram illustrating a method of traffic forwarding across VPCs according to an example embodiment. The method is applied to a VPC peer-to-peer connection network, which comprises: a first VPC, a VPC peer gateway cluster and a second VPC. As shown in fig. 8, the method for forwarding traffic across VPCs may include the following steps:
Step 801: the first VPC generates peer-to-peer connection traffic whose MAC address information is third MAC address information; the third MAC address information is related to the MAC address of the first DVR in the first VPC and the MAC address of the first VM in the first VPC.
Peer-to-peer connection traffic is traffic across VPCs. In an embodiment of the application, the peer-to-peer connection traffic is generated by a first VM in the first VPC and is expected to reach a second VM in the second VPC.
Traffic forwarding across VPCs involves layer-3 forwarding, so the traffic must pass through the DVR in the VPC. Therefore the peer-to-peer connection traffic carries the third MAC address information when it is generated: the third MAC address information indicates that the source MAC address of the traffic is the MAC address of the first VM in the first VPC and its destination MAC address is the MAC address of the first DVR in the first VPC.
Step 802: the first VPC modifies the MAC address information of the peer-to-peer connection traffic from the third MAC address information to first MAC address information; the first MAC address information is related to the MAC address of the first DVR in the first VPC and the MAC address of the first peer port reserved by the first subnet in the first VPC.
In the embodiment of the application, a corresponding peer port is created for each subnet, and each peer port corresponds to a pair of IP/MAC addresses. After the peer-to-peer connection traffic has been forwarded within the first VPC based on the initial third MAC address information and has reached the first DVR in the first VPC, the first DVR modifies its MAC address information from the third MAC address information to the first MAC address information so as to realize the next forwarding of the traffic.
The first MAC address information indicates that the source MAC address of the peer-to-peer connection traffic is the MAC address of the first DVR in the first VPC and its destination MAC address is the MAC address of the first peer port reserved by the first subnet in the first VPC.
Step 803: the first VPC sends the peer-to-peer connection traffic with the modified address information to the VPC peer gateway cluster.
Correspondingly, the VPC peer gateway cluster receives the peer-to-peer connection traffic sent by the first VPC; its MAC address information is the first MAC address information, which is related to the MAC address of the first DVR in the first VPC and the MAC address of the first peer port reserved by the first subnet in the first VPC.
Since the first DVR in the first VPC has modified the MAC address information of the peer-to-peer connection traffic from the third MAC address information to the first MAC address information, the first VPC can subsequently direct the traffic to the VPC peer gateway cluster based on the first MAC address information.
Step 804: the VPC peer gateway cluster modifies the MAC address information of the peer-to-peer connection traffic from the first MAC address information to second MAC address information; the second MAC address information is related to the MAC address of the second DVR in the second VPC and the MAC address of the second peer port reserved by the second subnet in the second VPC.
To send the peer-to-peer connection traffic to the second VPC, the VPC peer gateway cluster modifies its MAC address information from the first MAC address information, associated with the first VPC, to the second MAC address information, associated with the second VPC.
The second MAC address information indicates that the source MAC address of the peer-to-peer connection traffic is the MAC address of the second peer port reserved by the second subnet in the second VPC and its destination MAC address is the MAC address of the second DVR in the second VPC.
Step 805: the VPC peer gateway cluster sends the peer-to-peer connection traffic with the modified address information to the second VPC.
Correspondingly, the second VPC receives the peer-to-peer connection traffic sent by the VPC peer gateway cluster; its MAC address information is the second MAC address information, which is related to the MAC address of the second DVR in the second VPC and the MAC address of the second peer port reserved by the second subnet in the second VPC.
Step 806: the second VPC modifies the MAC address information of the peer-to-peer connection traffic from the second MAC address information to fourth MAC address information; the fourth MAC address information is related to the MAC address of the second DVR in the second VPC and the MAC address of the second VM in the second VPC.
After the peer-to-peer connection traffic reaches the second DVR in the second VPC, the second DVR modifies its MAC address information from the second MAC address information to the fourth MAC address information so as to realize the next forwarding of the traffic.
The fourth MAC address information indicates that the source MAC address of the peer-to-peer connection traffic is the MAC address of the second DVR in the second VPC and its destination MAC address is the MAC address of the second VM in the second VPC.
Step 807: the second VPC sends the peer-to-peer connection traffic with the modified address information to the second VM.
In summary, in the method for forwarding traffic across VPCs provided in this embodiment, a VPC peer gateway cluster is introduced for the VPC peer-to-peer connection between a first VPC and a second VPC. After generating the peer-to-peer connection traffic, the first VPC modifies its MAC address information to the first MAC address information and sends the traffic to the VPC peer gateway cluster based on the modified first MAC address information; after receiving the traffic, the VPC peer gateway cluster modifies its MAC address information from the first MAC address information, related to the first VPC, to the second MAC address information, related to the second VPC, and sends the traffic to the second VPC based on the modified second MAC address information; after receiving the traffic, the second VPC modifies its MAC address information from the second MAC address information to the fourth MAC address information, thereby implementing the forwarding of peer-to-peer connection traffic across VPCs.
The peer ports above are further explained below.
In a possible implementation, the MAC address of the first peer port and the MAC address of the second peer port correspond to a preset MAC address prefix, and during flow table matching the preset MAC address prefix is used to identify that the traffic belongs to the traffic forwarded across VPCs.
For a VPC establishing peer-to-peer connections, a Neutron Port is created under each subnet, whose device_owner is set to "network:peer"; it is called a peer port for short. The native Neutron mechanism for assigning a MAC address to a Port is modified so that, for a peer port (matched by device_owner equal to "network:peer"), a preset MAC address prefix fixed at fa:17 is used.
The peer port has the following functions:
The peer port is assigned an IP address, which is used to configure the peer-to-peer connection routing rules in the DVR instance; the next hop of those rules is this reserved IP.
The peer port is assigned a MAC address with the preset prefix fixed at fa:17. Performing flow table matching on this fixed preset MAC address prefix greatly reduces the number of flow table entries that need to be configured.
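The following Python is an added example, not code from the patent, showing why the fixed fa:17 prefix reduces flow table configuration: a naive table needs one exact-match entry per reserved peer port, while a single masked entry on the preset prefix classifies the same traffic and also covers peer ports reserved later. The peer-port MACs are constructed sample values built on the page's fa:17 prefix, and the OpenFlow-style match string is an assumption about how such a masked rule would be written, not taken from the page.

```python
# Added example (not from the patent): one masked flow entry on the preset
# fa:17 prefix versus one exact entry per peer port.  Peer-port MACs below are
# constructed sample values; the ovs-ofctl style string is an assumed rendering.
from typing import List, NamedTuple


def mac_to_int(mac: str) -> int:
    """'fa:17:00:00:01:01' -> 48-bit integer."""
    return int(mac.replace(":", ""), 16)


class Rule(NamedTuple):
    dl_dst: int      # destination MAC to compare against
    mask: int        # which bits of dl_dst must match
    action: str

    def matches(self, dst_mac: str) -> bool:
        return (mac_to_int(dst_mac) & self.mask) == (self.dl_dst & self.mask)


EXACT_MASK = 0xFFFFFFFFFFFF          # all 48 bits
PREFIX_MASK = 0xFFFF00000000         # first two octets only: the fa:17 prefix
PEER_PREFIX = mac_to_int("fa:17:00:00:00:00")

# Assumed ovs-ofctl rendering of the masked match, for illustration only.
OVS_MASKED_MATCH = "dl_dst=fa:17:00:00:00:00/ff:ff:00:00:00:00"


def per_port_rules(peer_macs: List[str]) -> List[Rule]:
    """Naive table: one exact-match entry for every reserved peer port."""
    return [Rule(mac_to_int(m), EXACT_MASK, "goto:peer_table") for m in peer_macs]


def prefix_rule() -> List[Rule]:
    """Table using the preset prefix: a single masked entry covers all peer ports."""
    return [Rule(PEER_PREFIX, PREFIX_MASK, "goto:peer_table")]


def classify(rules: List[Rule], dst_mac: str) -> str:
    """First-match lookup; unmatched traffic falls through to normal forwarding."""
    for r in rules:
        if r.matches(dst_mac):
            return r.action
    return "normal"


# Constructed sample: four subnets across two VPCs, each with a reserved peer
# port, plus VM/DVR MACs and a near-miss prefix that must not match.
PEER_PORT_MACS = ["fa:17:00:00:01:01", "fa:17:00:00:01:02",
                  "fa:17:00:00:02:01", "fa:17:00:00:02:02"]
NON_PEER_MACS = ["fa:16:3e:11:22:33", "fa:16:3e:00:01:01", "fa:18:00:00:01:01"]


def compare_tables() -> dict:
    """Show that the masked table is smaller yet classifies identically."""
    naive, masked = per_port_rules(PEER_PORT_MACS), prefix_rule()
    same = all(classify(naive, m) == classify(masked, m)
               for m in PEER_PORT_MACS + NON_PEER_MACS)
    return {"naive_entries": len(naive), "masked_entries": len(masked),
            "identical_results": same}
```

The one behavioural difference is intentional: a peer port reserved after the table was built (any fa:17 address not in the naive list) is matched by the masked entry without reconfiguration, while the naive table would need a new entry for it.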
The above described VPC peer gateway cluster is further explained below.
In a possible implementation, the gateway nodes in the VPC peer gateway cluster are organized in groups: the VPC peer gateway cluster includes at least one gateway node group, each gateway node group includes at least one gateway node, and the peer-to-peer connection between the first VPC and the second VPC is carried by a target gateway node group among the at least one gateway node group.
Illustratively, with reference to FIG. 9, the VPC peer gateway cluster includes 3 gateway node groups: Group1, Group2 and Group3. Group1 includes 1 gateway node, Group2 includes 2 gateway nodes, and Group3 includes 3 gateway nodes.
One gateway node group may carry multiple peer-to-peer connections. When a peer-to-peer connection is created, the most idle group (i.e. the one carrying the fewest peer-to-peer connections) is selected as its gateway node group. The gateway node group and the number of peer-to-peer connections it carries are recorded in a database.
The gateway nodes in each gateway node group can be flexibly scaled out and in according to changes in traffic.
By monitoring the working state of the gateway members in a gateway node group, a member found to be faulty can automatically be set to the "disabled" state. The administrator can also force a member of the group into the disabled state from the command line. A member in the disabled state no longer participates in forwarding peer-to-peer connection traffic, and resumes carrying traffic after it is restored to the available state.
The gateway node group itself also has a state: it is "available" by default when created, and a group in the "available" state participates in allocation and scheduling. The administrator can set it to the "disabled" state from the command line, and a group in the "disabled" state does not participate in allocation and scheduling.
A peer-to-peer connection can be migrated from one group to another, at the granularity of a group.
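As an added example (not the patent's own code), the following Python models the group scheduling just described: least-loaded group selection when a peering is created, the "disabled" state of individual members and of whole groups, and migration of a peering between groups. The group layout follows fig. 9 as described on the page; the node names, peering identifiers and the in-memory dictionary standing in for the database are constructed for this example.

```python
# Added example (not from the patent): in-memory model of gateway node group
# scheduling.  Group sizes follow fig. 9 as described on the page; node names,
# peering ids and the in-memory store (in place of the database) are constructed.
from typing import Dict, List

AVAILABLE, DISABLED = "available", "disabled"


class PeerGatewayCluster:
    def __init__(self) -> None:
        # group name -> {"state", "members": {node: state}, "peerings": set()}
        self.groups: Dict[str, dict] = {}

    def add_group(self, name: str, members: List[str]) -> None:
        """A new group is 'available' by default and takes part in scheduling."""
        self.groups[name] = {"state": AVAILABLE,
                             "members": {m: AVAILABLE for m in members},
                             "peerings": set()}

    def active_members(self, group: str) -> List[str]:
        """Members that still forward traffic: those not in the disabled state."""
        return [m for m, s in self.groups[group]["members"].items() if s == AVAILABLE]

    def set_member_state(self, group: str, member: str, state: str) -> None:
        """Health monitor or administrator disables / re-enables one gateway node."""
        self.groups[group]["members"][member] = state

    def set_group_state(self, group: str, state: str) -> None:
        """Administrator takes a whole group out of (or back into) scheduling."""
        self.groups[group]["state"] = state

    def assign(self, peering_id: str) -> str:
        """Place a new peering on the most idle available group, i.e. the one
        carrying the fewest peerings; ties are broken by group name."""
        candidates = [(len(g["peerings"]), name) for name, g in self.groups.items()
                      if g["state"] == AVAILABLE]
        if not candidates:
            raise RuntimeError("no available gateway node group")
        _load, chosen = min(candidates)
        self.groups[chosen]["peerings"].add(peering_id)
        return chosen

    def group_of(self, peering_id: str) -> str:
        for name, g in self.groups.items():
            if peering_id in g["peerings"]:
                return name
        raise KeyError(peering_id)

    def migrate(self, peering_id: str, target: str) -> None:
        """Move a peering between groups (the group is the migration granularity)."""
        if self.groups[target]["state"] != AVAILABLE:
            raise RuntimeError(f"{target} is disabled")
        self.groups[self.group_of(peering_id)]["peerings"].discard(peering_id)
        self.groups[target]["peerings"].add(peering_id)

    def load(self) -> Dict[str, int]:
        """Peerings carried per group (what the page records in the database)."""
        return {name: len(g["peerings"]) for name, g in self.groups.items()}


def demo() -> dict:
    """Walk through the fig. 9 layout: 1, 2 and 3 gateway nodes per group."""
    c = PeerGatewayCluster()
    c.add_group("Group1", ["gw-1"])
    c.add_group("Group2", ["gw-2", "gw-3"])
    c.add_group("Group3", ["gw-4", "gw-5", "gw-6"])
    placed = [c.assign(f"peering-{i}") for i in range(4)]   # spread by load
    c.set_group_state("Group1", DISABLED)                   # admin disables Group1
    fifth = c.assign("peering-4")                           # Group1 is skipped
    c.set_member_state("Group3", "gw-5", DISABLED)          # one faulty member
    c.migrate("peering-0", "Group3")                        # move off Group1
    return {"placed": placed, "fifth": fifth, "load": c.load(),
            "group3_active": c.active_members("Group3")}
```

Note that, as on the page, a disabled member only stops forwarding; it does not change which group a peering is scheduled onto. Only the group state affects allocation, so an operator who disables every member of a group should also disable the group itself.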
In one possible implementation, a gateway node in the VPC peer gateway cluster includes: br-conjoin, and br-south with an interface for communicating with the VPCs that were created; between br-conjoin and br-south a Veth Pair is established for each VPC.
With reference to fig. 10, which shows the abstract virtual network model in a gateway node, the model is divided into several parts:
Two OVS bridges, br-conjoin and br-south.
A VXLAN sub-interface is created on br-south, and VXLAN tunnels are established with the compute nodes where the VMs are located.
Between br-south and br-conjoin, a Veth Pair is established for each VPC of the peer-to-peer connection, with its two ends attached to the two OVS bridges respectively.
The virtual network model is designed based on the following points:
Reason for using 2 OVS bridges instead of only 1: this avoids traffic that enters from a VXLAN sub-interface leaving from the same VXLAN sub-interface after flow table processing, i.e. entering and exiting through the source port, which ultimately causes OVS to drop the packet.
Reason for establishing a Veth Pair for each VPC between the 2 OVS bridges: when the br-south bridge receives the peer-to-peer connection traffic it can extract the VXLAN tunnel ID value and distinguish the peer-to-peer connection traffic of different VPCs by matching that value. The VXLAN tunnel ID, however, is not passed on to the br-conjoin bridge, i.e. br-conjoin cannot see the VXLAN tunnel ID value. Therefore, by establishing a Veth Pair per VPC, br-conjoin can match the corresponding input port (IN_PORT) directly to distinguish the peer-to-peer connection traffic of different VPCs.
The DVR described above is further described below.
In one possible implementation, a peer-to-peer connection routing rule is added to the existing policy routing table of the DVR instance, with the IP address of the reserved peer port as its next hop.
Illustratively, the following table lists the policy routing tables in the current DVR instance and the routing rules they contain. To realize the peer-to-peer connection, a peer-to-peer connection routing rule is configured in the policy routing table of the local subnet, whose next hop is the IP address of the peer port reserved for that subnet. With this configured peer-to-peer connection routing rule, the VM can complete the layer-3 routing forwarding of peer-to-peer connection traffic at the local compute node.
[Table: policy routing tables and routing rules of the DVR instance; the table image is not reproduced here.]
FIG. 11 is a flow diagram illustrating a method of traffic forwarding across VPCs according to an exemplary embodiment. The method is applied to a VPC peer-to-peer connection network, which comprises: a first VPC, a VPC peer gateway cluster and a second VPC. As shown in fig. 11, the method for forwarding traffic across VPCs may include the following steps:
Step 1101: a first VM in the first VPC generates peer-to-peer connection traffic whose source MAC address is the MAC address of the first VM in the first VPC and whose destination MAC address is the MAC address of the first DVR in the first VPC.
Step 1102: the first VM in the first VPC sends the peer-to-peer connection traffic to the first DVR in the first VPC.
Correspondingly, the first DVR in the first VPC receives the peer-to-peer connection traffic sent by the first VM; its source MAC address is the MAC address of the first VM in the first VPC and its destination MAC address is the MAC address of the first DVR in the first VPC.
Step 1103: based on the peer-to-peer connection routing rule, the first DVR in the first VPC modifies the source MAC address of the peer-to-peer connection traffic from the MAC address of the first VM to the MAC address of the first DVR, and modifies the destination MAC address from the MAC address of the first DVR to the MAC address of the first peer port reserved by the first subnet in the first VPC.
The first DVR in the first VPC comprises a peer-to-peer connection routing rule, which states: when the destination IP address of the traffic belongs to a destination network segment of another VPC, the next hop is the IP address of the peer port reserved by the subnet from which the traffic comes.
Step 1104: the first DVR in the first VPC sends the peer-to-peer connection traffic with the modified address information to a target gateway in the VPC peer gateway cluster.
Correspondingly, the target gateway in the VPC peer gateway cluster receives the peer-to-peer connection traffic sent by the first DVR; its source MAC address is the MAC address of the first DVR in the first VPC and its destination MAC address is the MAC address of the first peer port reserved by the first subnet in the first VPC.
In a possible implementation, the VPC peer gateway cluster includes at least one gateway node group, each gateway node group includes at least one gateway node, and the peer-to-peer connection between the first VPC and the second VPC is carried by a target gateway node group among them. The first DVR sends the peer-to-peer connection traffic with the modified address information to br-tun in the first VPC; br-tun comprises a gateway node selection group flow table corresponding to the target gateway node group, which performs load-balanced selection of a gateway node in the target gateway node group. br-tun selects a target gateway node in the target gateway node group using the gateway node selection group flow table and sends the peer-to-peer connection traffic with the modified address information to that target gateway node.
That is, a gateway node selection group flow table that accurately identifies peer-to-peer connection traffic is added to the br-tun bridge of the compute node where the VM is located, and the peer-to-peer connection traffic is directed to the VPC peer gateway cluster in a load-balanced manner.
Illustratively, with reference to FIG. 12, after DVR route matching the peer-to-peer traffic is forwarded to br-tun for processing. To pull the peer-to-peer connection traffic to the associated gateway node, accurate identification of peer-to-peer connection traffic is added at table=20: it matches the MAC prefix of the peer port (Peering Port in the figure) and the destination network segment of the peer route, and on a hit jumps to the Group flow table of the target gateway node group related to the peer-to-peer connection. In that Group flow table, a gateway node of the target gateway node group is selected (effectively at random) by computing the hash value of the packet, and the traffic is forwarded to that gateway node (through the VXLAN tunnel).
It can be understood that when the gateway node Group is scaled, the corresponding Group flow table is updated so that the change takes effect promptly. Likewise, when a gateway node member in the Group fails or is disabled by the administrator, the corresponding Group flow table is updated to take effect promptly. When the peer-to-peer connection is migrated from one Group to another, only the Group flow table it is directed to needs to be modified, which takes effect promptly.
Step 1105: after receiving the peer-to-peer connection traffic sent by the first VPC, br-south in the target gateway sends it out through the first Veth Pair corresponding to the first VPC, to br-conjoin in the target gateway.
Correspondingly, br-conjoin in the target gateway receives, through the first Veth Pair, the peer-to-peer connection traffic sent by br-south; its source MAC address is the MAC address of the first DVR in the first VPC and its destination MAC address is the MAC address of the first peer port reserved by the first subnet in the first VPC.
Illustratively, with reference to fig. 13, the peer-to-peer connection traffic enters from the vxlan sub-interface and therefore goes to table=4, where flow table matching continues; since the destination MAC address of the traffic hits the MAC prefix of the peer port, the traffic is sent to the br-conjoin bridge from the veth_pair port of VPC1, the VPC that generated the traffic.
Step 1106: br-conjoin in the target gateway modifies the source MAC address of the peer-to-peer connection traffic from the MAC address of the first DVR in the first VPC to the MAC address of the second peer port reserved by the second subnet in the second VPC, and modifies the destination MAC address from the MAC address of the first peer port reserved by the first subnet in the first VPC to the MAC address of the second DVR in the second VPC.
In a possible implementation, br-conjoin includes a subnet selection group flow table corresponding to the second VPC, which performs load-balanced selection of a subnet in the second VPC; before modifying the source MAC address of the peer-to-peer connection traffic from the MAC address of the first DVR in the first VPC to the MAC address of the second peer port reserved by the second subnet in the second VPC, br-conjoin selects that second subnet using the subnet selection group flow table.
That is, a subnet selection group flow table added to br-conjoin directs the peer-to-peer connection traffic to one subnet of the peer second VPC in a load-balanced manner.
Illustratively, with reference to fig. 14, the peer-to-peer connection traffic enters from the veth_pair port and its destination MAC address hits the MAC prefix of the peer port, so it goes to table=1, where matching the veth_pair port and the destination network segment exactly identifies which VPC of which peer-to-peer connection sent the traffic. After the processing of table=1, it jumps to the Group flow table corresponding to the identified opposite-end VPC, whose Group ID is the VXLAN tunnel ID value of that VPC. In this Group flow table there are as many buckets as the opposite-end VPC has subnets, and the MAC address translation and the VXLAN tunnel ID value translation (replacing the exit) are performed in the specific bucket. When the MAC addresses are modified, the destination MAC address is set to the MAC address of the DVR in the opposite-end VPC; the purpose is to pull the traffic to the DVR instance for processing.
Step 1107: br-conjoin in the target gateway sends the peer-to-peer connection traffic with the modified address information out through the second Veth Pair corresponding to the second VPC, to br-south in the target gateway.
Correspondingly, br-south in the target gateway receives, through the second Veth Pair, the peer-to-peer connection traffic sent by br-conjoin; its source MAC address is the MAC address of the second peer port reserved by the second subnet in the second VPC and its destination MAC address is the MAC address of the second DVR in the second VPC.
Step 1108: br-south in the target gateway sends the peer-to-peer connection traffic with the modified address information to the second DVR in the second VPC.
Correspondingly, the second DVR in the second VPC receives the peer-to-peer connection traffic sent by br-south in the target gateway; its source MAC address is the MAC address of the second peer port reserved by the second subnet in the second VPC and its destination MAC address is the MAC address of the second DVR in the second VPC.
In a possible implementation, br-south includes a DVR instance selection group flow table corresponding to the second DVR, which performs load-balanced selection among the DVR instances of the second DVR; br-south selects a target DVR instance of the second DVR using this group flow table and sends the peer-to-peer connection traffic with the modified address information to that target DVR instance.
That is, a DVR instance selection group flow table is added to br-south, and the peer-to-peer connection traffic is directed to one DVR instance of the opposite-end second VPC in a load-balanced manner, which improves throughput and avoids a single point of failure.
Illustratively, with reference to fig. 13, if the VXLAN tunnel ID value (vni in the figure) matches and the destination MAC is the DVR MAC, the flow jumps to the Group flow table whose Group ID is the VXLAN tunnel ID value of the corresponding VPC. The Group flow table is configured according to how the DVR instances of that VPC are spread over the compute nodes. For example, if the DVR of the VPC is spread over 2 compute nodes, 2 buckets are configured, whose exits are the vxlan sub-interfaces established with those 2 compute nodes. The purpose is to make full use of the distributed VPC DVR cluster: traffic is sent to the distributed instances in a load-balanced manner, improving throughput while avoiding a single point of failure.
Step 1109: after receiving the peer-to-peer connection traffic sent by the VPC peer gateway cluster, the second DVR, based on the direct routing rule, modifies the source MAC address of the traffic from the MAC address of the second peer port reserved by the second subnet in the second VPC to the MAC address of the second DVR in the second VPC, and modifies the destination MAC address from the MAC address of the second DVR in the second VPC to the MAC address of the second VM in the second VPC.
The second DVR in the second VPC includes the direct routing rule, which states: when the destination IP address of the traffic belongs to a destination network segment of the second VPC, the next hop is the directly connected network card corresponding to the subnet to which the second VM belongs.
Step 1110: the second DVR sends the peer-to-peer connection traffic with the modified address information to the second VM.
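As an added example (not the patent's own code), the following Python models the hop-by-hop MAC rewriting of steps 1101 to 1110, which is the same path summarized in steps 801 to 807: the peer-to-peer connection routing rule in the source DVR's policy routing table, the gateway node selection in br-tun, the br-south and br-conjoin group tables in the gateway node, and the direct route in the destination DVR. VM and DVR addresses follow the worked-example table on this page; the peer-port MACs (built on the page's fa:17 prefix), the VNIs, the gateway and DVR node names and the extra 10.10.3.0/24 subnet are constructed assumptions, and a flow hash modulo the bucket count stands in for the OVS group table's select semantics.

```python
# Added example (not from the patent): pure-Python model of the MAC rewriting
# in steps 1101-1110.  VM/DVR addresses follow the page's example table;
# peer-port MACs (fa:17 prefix), VNIs, node names and the 10.10.3.0/24 subnet
# are constructed.  Hash-modulo bucket choice stands in for OVS 'select' groups.
import ipaddress
import zlib

PEER_PREFIX = "fa:17"

VPCS = {
    "vpc1": {"vni": 1001, "dvr_mac": "fa:16:3e:00:01:01",
             # subnet -> (reserved peer port IP, peer port MAC)
             "subnets": {"10.10.1.0/24": ("10.10.1.100", "fa:17:00:00:01:01")},
             "dvr_nodes": ["node-a", "node-b"]},
    "vpc2": {"vni": 1002, "dvr_mac": "fa:16:3e:00:02:01",
             "subnets": {"10.10.2.0/24": ("10.10.2.100", "fa:17:00:00:02:01"),
                         "10.10.3.0/24": ("10.10.3.100", "fa:17:00:00:02:02")},
             "dvr_nodes": ["node-c", "node-d"]},
}
VMS = {"10.10.1.10": ("vpc1", "fa:16:3e:11:22:33"),
       "10.10.2.10": ("vpc2", "fa:16:3e:44:55:66")}
PEERINGS = {frozenset({"vpc1", "vpc2"})}
GATEWAY_GROUP = ["gw-1", "gw-2"]   # target gateway node group of this peering


def subnet_of(vpc, ip):
    """CIDR of `vpc` that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    return next((c for c in VPCS[vpc]["subnets"]
                 if addr in ipaddress.ip_network(c)), None)


def vpc_of(ip):
    return next((v for v in VPCS if subnet_of(v, ip)), None)


def select_bucket(pkt, n):
    """Group table 'select' semantics: a flow hash picks one of n buckets."""
    return zlib.crc32(f"{pkt['src_ip']}>{pkt['dst_ip']}".encode()) % n


def vm_send(src_ip, dst_ip):
    """Step 1101: the VM addresses layer-3 traffic to its DVR."""
    vpc, vm_mac = VMS[src_ip]
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_mac": vm_mac,
            "dst_mac": VPCS[vpc]["dvr_mac"], "vpc": vpc, "vni": None}


def dvr_peer_route(pkt):
    """Step 1103: peer-connection routing rule in the source DVR.  Next hop is
    the peer port reserved by the subnet the traffic came from, so the frame
    leaves with src = DVR MAC and dst = that peer port's fa:17 MAC."""
    vpc, dst_vpc = pkt["vpc"], vpc_of(pkt["dst_ip"])
    if dst_vpc is None or frozenset({vpc, dst_vpc}) not in PEERINGS:
        raise ValueError("no peer-connection route for %s" % pkt["dst_ip"])
    _ip, peer_mac = VPCS[vpc]["subnets"][subnet_of(vpc, pkt["src_ip"])]
    return {**pkt, "src_mac": VPCS[vpc]["dvr_mac"], "dst_mac": peer_mac,
            "vni": VPCS[vpc]["vni"]}


def br_tun_select_gateway(pkt):
    """Step 1104: br-tun matches the fa:17 prefix plus the destination segment
    and hashes the flow onto one node of the target gateway node group."""
    if not pkt["dst_mac"].startswith(PEER_PREFIX + ":"):
        raise ValueError("br-tun: not peer-connection traffic")
    return {**pkt, "gateway": GATEWAY_GROUP[select_bucket(pkt, len(GATEWAY_GROUP))]}


def gateway_node(pkt):
    """Steps 1105-1108 inside the gateway node."""
    # br-south: the VNI identifies the source VPC and the fa:17 prefix marks
    # peer traffic; the frame is sent out on that VPC's Veth Pair.
    if not pkt["dst_mac"].startswith(PEER_PREFIX + ":"):
        raise ValueError("br-south: not peer-connection traffic")
    src_vpc = next(v for v, d in VPCS.items() if d["vni"] == pkt["vni"])
    # br-conjoin: IN_PORT (the Veth Pair) plus destination segment identify
    # the peer VPC; its group table has one bucket per subnet of that VPC.
    dst_vpc = vpc_of(pkt["dst_ip"])
    subnets = list(VPCS[dst_vpc]["subnets"].values())
    _ip, peer_mac = subnets[select_bucket(pkt, len(subnets))]
    out = {**pkt, "in_port": f"veth-{src_vpc}", "src_mac": peer_mac,
           "dst_mac": VPCS[dst_vpc]["dvr_mac"], "vni": VPCS[dst_vpc]["vni"],
           "vpc": dst_vpc}
    # br-south again: vni + dst MAC == DVR MAC -> one bucket per DVR instance.
    nodes = VPCS[dst_vpc]["dvr_nodes"]
    out["dvr_node"] = nodes[select_bucket(out, len(nodes))]
    return out


def dvr_direct_route(pkt):
    """Step 1109: direct route in the destination DVR rewrites to the VM's MAC."""
    vpc = pkt["vpc"]
    if subnet_of(vpc, pkt["dst_ip"]) is None:
        raise ValueError("destination is not in this VPC")
    return {**pkt, "src_mac": VPCS[vpc]["dvr_mac"], "dst_mac": VMS[pkt["dst_ip"]][1]}


def forward(src_ip, dst_ip):
    """Run the full path; return the (stage, src_mac, dst_mac) trace and packet."""
    trace, pkt = [], vm_send(src_ip, dst_ip)
    trace.append(("vm", pkt["src_mac"], pkt["dst_mac"]))
    for stage, hop in (("dvr1", dvr_peer_route), ("br-tun", br_tun_select_gateway),
                       ("gateway", gateway_node), ("dvr2", dvr_direct_route)):
        pkt = hop(pkt)
        trace.append((stage, pkt["src_mac"], pkt["dst_mac"]))
    return trace, pkt
```

Running forward("10.10.1.10", "10.10.2.10") produces the four MAC states the page names: VM1 to DVR1, DVR1 to the fa:17 peer port of VM1's subnet, a VPC2 peer port to DVR2, and finally DVR2 to VM2; the VNI flips from VPC1's to VPC2's inside the gateway node, and the gateway and DVR-instance choices are stable per flow because they come from a hash of the flow. A destination outside any peered VPC is rejected at the DVR, since no peer-to-peer connection route matches it.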
In summary, in the cross-VPC traffic forwarding method provided in this embodiment, when the peer port corresponding to a subnet is reserved, its MAC address prefix is customized to the preset MAC address prefix, so the number of flow table entries needed to identify peer-to-peer connection traffic is greatly reduced.
Meanwhile, a peer-to-peer connection routing rule is added to the subnet policy routing table of the DVR, so the VM can complete the layer-3 routing forwarding of peer-to-peer connection traffic at the local compute node.
Meanwhile, several gateway nodes are organized into a gateway node group; gateway nodes are allocated to peer-to-peer connections at the granularity of a group, migration of peer-to-peer connections is performed at the granularity of a group, and the gateway nodes can be flexibly scaled according to traffic.
Meanwhile, once a peer-to-peer connection is associated at the granularity of a group, its traffic can be directed to all gateway nodes in the group in a load-balanced manner, and when gateway nodes are scaled, enabled or disabled, only the corresponding group flow table needs to be updated, which takes effect quickly.
Meanwhile, the network model of the gateway node creates two OVS bridges, which solves the problem of VXLAN traffic entering and exiting through the same source port; a Veth Pair is created for each VPC and attached to the two OVS bridges, so the peer-to-peer connection traffic of different VPCs is distinguished by matching the Veth Pair ports.
Meanwhile, on the gateway node, the destination MAC address of the peer-to-peer connection traffic is changed to the MAC address of the DVR of the opposite-end VPC using the group flow table, and the traffic is directed to the several DVR instances of the opposite-end VPC in a load-balanced manner using the group flow table, which improves throughput and avoids a single point of failure.
In the following, a traffic forwarding method across VPCs provided by the present application is exemplarily described with reference to an example.
As shown in fig. 15, there are two VPCs that need to communicate with each other, and after establishing peer-to-peer connection, VM1 in VPC1 and VM2 in VPC2 can implement network communication. For convenience of description, specific IP and MAC addresses are shown in the figure, as shown in the following table:
Node                     IP address      MAC address
VM1                      10.10.1.10      fa:16:3e:11:22:33
VM2                      10.10.2.10      fa:16:3e:44:55:66
DVR1                     10.10.1.1       fa:16:3e:00:01:01
DVR2                     10.10.2.1       fa:16:3e:00:02:01
Service network card 1   192.168.1.11    0a:16:3f:00:00:01
Service network card 2   192.168.1.12    0a:16:3f:00:00:02
Service network card 3   192.168.1.13    0a:16:3f:00:00:03
The forwarding of the data flow is described below in 12 steps:
1) VM1 sends traffic.
The packet information of the traffic is: source IP = 10.10.1.10, source MAC = fa:16:3e:11:22:33 (the MAC address of VM1).
2) The traffic is sent to the OVS bridge br-int, where the flow table is matched; after the hit, the traffic is sent to DVR1.
Flow table matching at br-int can follow existing implementations, and its details are not described here.
3) After the traffic enters DVR1, the peer-to-peer connection routing rule is matched and the traffic is forwarded.
Peer-to-peer connection routing rule in DVR1: destination = 10.10.2.0/24, next hop = 10.10.1.100.
The IP address of the peer port reserved by the subnet to which VM1 belongs is 10.10.1.100, and its MAC address is fa: 3 d.
Because the traffic matches the peer-to-peer connection routing rule, DVR1 forwards it onward; the packet information of the traffic is now: source IP = 10.10.1.10, source MAC = fa:16:3e:00:01:01 (the MAC address of DVR1).
4) The traffic leaves DVR1 and reaches the OVS bridge br-int, where flow table matching continues; after the hit, the traffic is forwarded to the OVS bridge br-tun.
5) When the traffic reaches the OVS bridge br-tun, the flow table is matched and control passes to a group flow table, which load-balances across the multiple peer gateways, selects one of them, and sends the traffic to that peer gateway.
With reference to fig. 12, the matching sequence is as follows: the flow table at table=0 hits and control goes to table=1; table=1 hits and control goes to table=2; because the traffic is a unicast packet, it continues to table=20, where the peer-to-peer connection flow table is matched exactly: after the destination network segment hits, matching the MAC prefix (namely: fa:17:00) switches control to the group flow table, which load-balances across the peer gateways and finally selects one of them to receive the traffic.
The traffic is encapsulated in a VXLAN packet and sent from service network card 1, with the packet information: source IP = 192.168.1.11 (the IP address of service network card 1), source MAC = 0a:16:3f:00:00:01. Because the packet is VXLAN-encapsulated, the inner packet information of the VM is hidden.
6) The VXLAN packet is sent from service network card 1 to service network card 3 of the peer gateway; br-south removes the VXLAN encapsulation, matches the br-south flow table, and sends the traffic out of the VPC1 Veth Pair port to the br-conjoin bridge.
The packet information after decapsulation is: source IP = 10.10.1.10, source MAC = fa:16:3e:00:01:01 (the MAC address of DVR1).
With reference to fig. 13, the br-south flow table matching is as follows: the flow table at table=0 is matched first; because the packet entered from the VXLAN sub-interface, control goes to table=4, where matching continues, because the destination MAC is fa:16 d 3 a 0.
7) After the traffic reaches the br-conjoin bridge, flow table matching continues and control passes to a group flow table, which load-balances across the multiple subnets of the opposite-end VPC2, selects one of them, modifies the source and destination MAC addresses according to the selected subnet, and sends the traffic back to the br-south bridge out of the VPC2 Veth Pair port.
With reference to fig. 14, the matching sequence is as follows: the flow table at table=0 is matched and control goes to table=1; table=1 is matched and control goes to the group flow table (every VPC that has established a peer-to-peer connection has its own group flow table; the one hit here is the one corresponding to the opposite-end VPC). The group flow table selects one of the multiple subnets of the opposite-end VPC, and once a subnet is chosen, it modifies the source and destination MAC addresses.
In this example only one subnet is involved, so after execution the packet information is: source IP = 10.10.1.10, source MAC = fa:16 d 3 a0 (the MAC address of the peer port reserved by the VPC2 subnet), destination IP = 10.10.2.10, destination MAC = fa:16:3e:00:02:01 (the MAC address of DVR2). The packet is then sent back to the br-south bridge from the Veth Pair port of the opposite-end VPC.
8) At the br-south bridge, flow table matching continues and control passes to a group flow table, which load-balances across the multiple DVR instances, selects one of them, and sends the traffic to the compute node hosting that DVR instance.
With reference to fig. 13, the matching sequence is as follows: the flow table at table=0 is matched; because the traffic entered from the VPC's Veth Pair port, control goes to table=1; and because the destination MAC is now the DVR MAC, control goes to the group flow table.
The group flow table load-balances across the multiple DVR instances of the VPC, finally selects the DVR instance on a particular compute node, encapsulates the traffic in a VXLAN packet and sends it to the target compute node.
The VXLAN packet leaving service network card 3 is: source IP = 192.168.1.13, source MAC = 0a:16:3f:00:00:03. Again, the inner packet information of the VM is hidden by the VXLAN encapsulation.
9) The VXLAN packet is sent from service network card 3 to service network card 2 of the target compute node; the br-tun bridge removes the VXLAN encapsulation, matches the flow table, and on the hit sends the traffic to the br-int bridge.
The packet information after decapsulation is: source IP = 10.10.1.10, source MAC = fa:16:3d (the MAC address of the peer port reserved by the VPC2 subnet).
With reference to fig. 12, the matching sequence is as follows: the flow table at table=0 is matched; because the traffic entered from the VXLAN port, control goes to table=4, where matching continues; finally, the traffic is sent out of the patch-int port to the br-int bridge.
10) Flow table matching continues at the br-int bridge, and the traffic is passed to the DVR2 instance.
11) In DVR2, the direct routing rule is matched and the traffic is forwarded.
The packet information received by DVR2 is: source IP = 10.10.1.10, source MAC = fa:16:3d (the MAC address of the peer port reserved by the VPC2 subnet).
Direct routing rule in DVR2: destination = 10.10.2.0/24, next hop = direct-connect network card.
Because the traffic matches the direct routing rule, DVR2 performs layer-3 forwarding, and the packet information becomes: source IP = 10.10.1.10, source MAC = fa:16:3e:00:02:01 (the MAC address of DVR2).
12) The traffic is sent to the br-int bridge, matches the flow tables, and is finally forwarded to VM2.
The reverse forwarding process is similar and is not described here.
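The 12-step path above, together with the MAC-prefix classification from the summary, as an added simulation that is not code from the patent or from any product: IPs and VM/DVR MACs are those of the table; the peer-port MACs, the second gateway node and DVR2 instance, DVR2's neighbour table and the hash-based bucket choice (a stand-in for an OVS select group) are constructed assumptions.

```python
"""Simulated walk of the 12-step VM1 -> VM2 path: DVR1 peer route, br-tun
gateway-group selection, gateway br-south / br-conjoin rewrite, DVR2 direct
route. Everything marked 'constructed' is an assumption of this illustration."""
from dataclasses import dataclass, replace
import hashlib
import ipaddress

PEER_PREFIX = "fa:17:00"  # preset MAC prefix that tags peer traffic (from step 5)

VM1_MAC, VM2_MAC = "fa:16:3e:11:22:33", "fa:16:3e:44:55:66"
DVR1_MAC, DVR2_MAC = "fa:16:3e:00:01:01", "fa:16:3e:00:02:01"
VPC1_SUBNETS = ["10.10.1.0/24"]
VPC2_SUBNETS = ["10.10.2.0/24"]
# Reserved peer port per subnet; MACs constructed so that they share the prefix
PEER_PORT_MAC = {"10.10.1.0/24": "fa:17:00:00:00:01",
                 "10.10.2.0/24": "fa:17:00:00:00:02"}
GATEWAY_GROUP = ["192.168.1.13", "192.168.1.14"]   # gateway node group (2nd constructed)
DVR2_INSTANCES = ["192.168.1.12", "192.168.1.15"]  # nodes hosting DVR2 (2nd constructed)
VM_MAC_BY_IP = {"10.10.2.10": VM2_MAC}             # DVR2 neighbour table (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


def is_peer_traffic(mac: str) -> bool:
    """One masked match on the preset prefix replaces one exact rule per peer port."""
    return mac.lower().startswith(PEER_PREFIX)


def select_bucket(pkt: Packet, buckets: list) -> str:
    """Stand-in for an OVS select group: hash the IP pair onto one bucket."""
    digest = hashlib.sha256(f"{pkt.src_ip}>{pkt.dst_ip}".encode()).digest()
    return buckets[int.from_bytes(digest[:4], "big") % len(buckets)]


def subnet_of(ip: str, subnets: list):
    """Return the CIDR in `subnets` containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    return next((s for s in subnets if addr in ipaddress.ip_network(s)), None)


def is_vpc1_to_vpc2(pkt: Packet) -> bool:
    """Does the packet hit DVR1's peer-connection route (dst in the other VPC)?"""
    return (subnet_of(pkt.src_ip, VPC1_SUBNETS) is not None
            and subnet_of(pkt.dst_ip, VPC2_SUBNETS) is not None)


def dvr1_forward(pkt: Packet) -> Packet:
    """Step 3: next hop is the local subnet's peer port, so dst MAC becomes its MAC."""
    if not is_vpc1_to_vpc2(pkt):
        raise ValueError("not a VPC1->VPC2 peer flow")
    src_subnet = subnet_of(pkt.src_ip, VPC1_SUBNETS)
    return replace(pkt, src_mac=DVR1_MAC, dst_mac=PEER_PORT_MAC[src_subnet])


def br_tun_select_gateway(pkt: Packet) -> str:
    """Step 5: only prefix-tagged traffic is handed to the gateway-node group."""
    if not is_peer_traffic(pkt.dst_mac):
        raise ValueError("not peer traffic; stays on the normal br-tun path")
    return select_bucket(pkt, GATEWAY_GROUP)


def gateway_forward(pkt: Packet, ingress_vpc: str) -> tuple:
    """Steps 6-8 on the gateway node: returns (rewritten packet, DVR2 instance)."""
    # br-south: the Veth Pair a packet arrives on identifies its VPC, so the
    # peer port it addresses must belong to that VPC.
    src_subnet = subnet_of(pkt.src_ip, VPC1_SUBNETS)
    if ingress_vpc != "VPC1" or src_subnet is None \
            or pkt.dst_mac != PEER_PORT_MAC[src_subnet]:
        raise ValueError("packet does not belong to VPC1's Veth Pair")
    # br-conjoin: the group table picks a VPC2 subnet, then both MACs are rewritten
    dst_subnet = select_bucket(pkt, VPC2_SUBNETS)
    pkt = replace(pkt, src_mac=PEER_PORT_MAC[dst_subnet], dst_mac=DVR2_MAC)
    # br-south again: dst MAC is now DVR2, so the group table spreads over its instances
    return pkt, select_bucket(pkt, DVR2_INSTANCES)


def dvr2_forward(pkt: Packet) -> Packet:
    """Step 11: direct route (dst in VPC2 segment -> direct-connect NIC), L3 forward."""
    if subnet_of(pkt.dst_ip, VPC2_SUBNETS) is None or pkt.dst_mac != DVR2_MAC:
        raise ValueError("not addressed to DVR2 for a local segment")
    return replace(pkt, src_mac=DVR2_MAC, dst_mac=VM_MAC_BY_IP[pkt.dst_ip])


def forward_vm1_to_vm2(pkt: Packet) -> dict:
    """Run the whole path and return each hop's view of the packet."""
    hops = {"vm1": pkt}
    hops["after_dvr1"] = dvr1_forward(pkt)
    hops["gateway"] = br_tun_select_gateway(hops["after_dvr1"])
    hops["after_gateway"], hops["dvr2_instance"] = gateway_forward(
        hops["after_dvr1"], "VPC1")
    hops["after_dvr2"] = dvr2_forward(hops["after_gateway"])
    return hops


if __name__ == "__main__":
    start = Packet("10.10.1.10", "10.10.2.10", VM1_MAC, DVR1_MAC)  # step 1 packet
    for name, value in forward_vm1_to_vm2(start).items():
        print(f"{name:>14}: {value}")
```

Note that the IP header is never rewritten along the path; only the Ethernet addresses change at DVR1, br-conjoin and DVR2, which is what lets the gateway classify peer traffic with a single prefix match instead of one rule per peer port.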
It should be noted that the above method embodiments may be implemented alone or in combination, and the present application is not limited thereto.
Fig. 16 is a block diagram illustrating an architecture of a cross-VPC traffic forwarding device in accordance with an exemplary embodiment. The apparatus is performed by a VPC peer gateway cluster in a VPC peer-to-peer connection network, the VPC peer-to-peer connection network further comprising a first VPC, a second VPC, the apparatus comprising: a traffic receiving module 1601, an address information modifying module 1602, and a traffic sending module 1603;
the traffic receiving module 1601 is configured to receive peer connection traffic sent by the first VPC, where media access control MAC address information of the peer connection traffic is first MAC address information, and the first MAC address information is related to a MAC address of a first distributed virtual router DVR in the first VPC and a MAC address of a first peer port reserved by a first subnet in the first VPC;
the address information modification module 1602, configured to modify the MAC address information of the peer-to-peer connection traffic from the first MAC address information to second MAC address information, where the second MAC address information is related to a MAC address of a second DVR in the second VPC and a MAC address of a second peer port reserved by a second subnet in the second VPC;
the traffic sending module 1603 is configured to send the peer-to-peer connection traffic with modified address information to the second VPC.
In one possible implementation manner, the gateway node in the VPC peer-to-peer gateway cluster includes br-conjoin and br-south, wherein an interface for communicating with the VPC is established on the br-south, and a Veth Pair is established between the br-conjoin and the br-south for each VPC;
the address information modification module 1602 is configured to:
after receiving the peer-to-peer connection traffic sent by the first VPC, the br-south sends the peer-to-peer connection traffic out of a first Veth Pair corresponding to the first VPC, and sends the peer-to-peer connection traffic to the br-conjoin;
the br-conjoin modifies a source MAC address of the peer-to-peer connection traffic from a MAC address of a first DVR in the first VPC to a MAC address of a second peer port reserved by a second subnet in the second VPC, and modifies a destination MAC address of the peer-to-peer connection traffic from a MAC address of a first peer port reserved by a first subnet in the first VPC to a MAC address of a second DVR in the second VPC;
the traffic sending module 1603 is configured to:
the br-conjoin sends the peer-to-peer connection flow with the modified address information out of a second Veth Pair corresponding to the second VPC, and sends the peer-to-peer connection flow to the br-south;
and the br-south sends the peer-to-peer connection traffic with the modified address information to the second VPC.
In a possible implementation manner, the br-conjoin includes a subnet selection group flow table corresponding to the second VPC, where the subnet selection group flow table is used to perform load balancing selection on a subnet in the second VPC;
the address information modifying module 1602 is configured to select, by the br-conjoin, a second subnet in the second VPC using the subnet selection group flow table before the br-conjoin modifies the source MAC address of the peer-to-peer connection traffic from the MAC address of the first DVR in the first VPC to the MAC address of the second peer port reserved by the second subnet in the second VPC.
In a possible implementation manner, the br-south includes a DVR instance selection group flow table corresponding to the second DVR, and the DVR instance selection group flow table is used for performing load balancing selection on the DVR instances of the second DVR;
the traffic sending module 1603 is configured to:
the br-south selects a target DVR instance of the second DVR using the DVR instance selection group flow table;
and the br-south sends the peer-to-peer connection traffic with the modified address information to a target DVR instance of the second DVR.
In a possible implementation manner, the MAC address of the first peer port and the MAC address of the second peer port correspond to a preset MAC address prefix, where the preset MAC address prefix is used, during flow table matching of the traffic, to identify the traffic as traffic forwarded across VPCs.
Fig. 17 is a block diagram illustrating an architecture of a cross-VPC traffic forwarding device in accordance with an exemplary embodiment. The apparatus is performed by a first VPC in a VPC peer-to-peer connection network further comprising a VPC peer gateway cluster, a second VPC, the apparatus comprising: a traffic generating module 1701, an address information modifying module 1702 and a traffic transmitting module 1703;
the traffic generation module 1701 is configured to generate peer-to-peer connection traffic, where media access control MAC address information of the peer-to-peer connection traffic is third MAC address information, and the third MAC address information is related to a MAC address of a first distributed virtual router DVR in the first VPC and a MAC address of a first virtual machine VM in the first VPC;
the address information modification module 1702 is configured to modify the MAC address information of the peer-to-peer connection traffic from the third MAC address information to first MAC address information, where the first MAC address information is related to a MAC address of a first DVR in the first VPC and a MAC address of a first peer port reserved by a first subnet in the first VPC;
the traffic sending module 1703 is configured to send the peer-to-peer connection traffic after the address information is modified to the VPC peer-to-peer gateway cluster, so that the VPC peer-to-peer gateway cluster forwards the peer-to-peer connection traffic to the second VPC.
In one possible implementation, a first DVR in the first VPC includes a peer-to-peer connection routing rule therein, the peer-to-peer connection routing rule including: when the destination IP address of the flow belongs to the destination network segments of other VPCs, the next hop is the IP address of the peer port reserved by the subnet from which the flow comes;
the address information modification module 1702 is configured to:
after receiving the peer-to-peer connection traffic sent by the first VM, the first DVR modifies a source MAC address of the peer-to-peer connection traffic from a MAC address of the first VM in the first VPC to a MAC address of the first DVR in the first VPC and modifies a destination MAC address of the peer-to-peer connection traffic from the MAC address of the first DVR in the first VPC to a MAC address of a first peer-to-peer port reserved by a first subnet in the first VPC based on the peer-to-peer connection routing rule.
In a possible implementation manner, the VPC peer-to-peer gateway cluster includes at least one gateway node group, each gateway node group includes at least one gateway node, and a peer-to-peer connection between the first VPC and the second VPC is carried by a target gateway node group in the at least one gateway node group;
the traffic sending module 1703 is configured to:
the first DVR sends the peer-to-peer connection flow after the address information is modified to br-tun in the first VPC, wherein the br-tun comprises a gateway node selection group flow table corresponding to the target gateway node group, and the gateway node selection group flow table is used for carrying out load balancing selection on gateway nodes in the target gateway node group;
the br-tun selects a target gateway node in the target gateway node group by using the gateway node selection group flow table;
and the br-tun sends the peer-to-peer connection flow with the modified address information to the target gateway node.
In a possible implementation manner, the MAC address of the first peer port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used to identify that the flow belongs to a flow forwarded across a VPC in a flow table matching process of the flow.
Fig. 18 is a block diagram illustrating an architecture of a cross-VPC traffic forwarding device in accordance with an exemplary embodiment. The apparatus is performed by a second VPC in a VPC peer-to-peer connection network further comprising a VPC peer gateway cluster, a first VPC, the apparatus comprising: a traffic receiving module 1801, an address information modifying module 1802, and a traffic sending module 1803;
the traffic receiving module 1801 is configured to receive peer-to-peer connection traffic sent by the VPC peer gateway cluster, where the peer-to-peer connection traffic is received by the VPC peer gateway cluster from the first VPC, and media access control (MAC) address information of the peer-to-peer connection traffic is second MAC address information, where the second MAC address information is related to a MAC address of a second distributed virtual router (DVR) in the second VPC and a MAC address of a second peer port reserved by a second subnet in the second VPC;
the address information modification module 1802 is configured to modify the MAC address information of the peer-to-peer connection traffic from the second MAC address information to fourth MAC address information, where the fourth MAC address information is related to a MAC address of a second DVR in the second VPC and a MAC address of a second virtual machine VM in the second VPC;
the traffic sending module 1803 is configured to send the peer-to-peer connection traffic after the address information is modified to the second VM.
In one possible implementation manner, a second DVR in the second VPC includes a direct routing rule therein, where the direct routing rule includes: when the destination IP address of the flow belongs to the destination network segment of the second VPC, the next hop is a direct connection network card corresponding to the subnet to which the second VM belongs;
the address information modification module 1802 is configured to:
after receiving the peer-to-peer connection traffic sent by the VPC peer gateway cluster, the second DVR modifies the source MAC address of the peer-to-peer connection traffic from the MAC address of the second peer port reserved by the second subnet in the second VPC to the MAC address of the second DVR in the second VPC and modifies the destination MAC address of the peer-to-peer connection traffic from the MAC address of the second DVR in the second VPC to the MAC address of the second VM in the second VPC based on the direct routing rule.
In a possible implementation manner, the MAC address of the second peer port corresponds to a preset MAC address prefix, and the preset MAC address prefix is used to identify that the flow belongs to a flow forwarded across VPCs in a flow table matching process of the flow.
It should be noted that: the traffic forwarding apparatus across VPCs provided in the foregoing embodiment is only illustrated by the above-mentioned division of each functional module, and in practical applications, the above-mentioned function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to complete all or part of the above-mentioned functions. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
Please refer to fig. 19, which is a schematic diagram of a computer device according to an exemplary embodiment of the present application, the computer device includes a memory and a processor, the memory is used for storing a computer program, and when the computer program is executed by the processor, the method for forwarding traffic across VPCs is implemented.
The processor may be a Central Processing Unit (CPU). The processor may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory, which is a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as the program instructions/modules corresponding to the methods in the embodiments of the present invention. By executing the non-transitory software programs, instructions and modules stored in the memory, the processor runs the various functional applications and performs the data processing that realize the method of the above method embodiment.
The memory may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor, and the like. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and such remote memory may be coupled to the processor via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
In an exemplary embodiment, a computer readable storage medium is also provided for storing at least one computer program, which is loaded and executed by a processor to implement all or part of the steps of the above method. For example, the computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a Compact Disc Read-Only Memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device, and the like.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A method of traffic forwarding across a Virtual Private Cloud (VPC), the method performed by a VPC peer gateway cluster in a VPC peer-to-peer connection network, the VPC peer-to-peer connection network further comprising a first VPC and a second VPC, the method comprising:
receiving peer-to-peer connection traffic sent by the first VPC, wherein Media Access Control (MAC) address information of the peer-to-peer connection traffic is first MAC address information, and the first MAC address information is related to an MAC address of a first Distributed Virtual Router (DVR) in the first VPC and an MAC address of a first peer port reserved by a first subnet in the first VPC;
modifying the MAC address information of the peer-to-peer connection flow from the first MAC address information to second MAC address information, wherein the second MAC address information is related to the MAC address of a second DVR in the second VPC and the MAC address of a second peer port reserved by a second subnet in the second VPC;
and sending the peer-to-peer connection flow with the modified address information to the second VPC.
2. The method of claim 1, wherein a gateway node in the VPC peer gateway cluster comprises br-conjoin and br-south, wherein an interface for communicating with a VPC is established on the br-south, and a Veth Pair is established between the br-conjoin and the br-south for each VPC;
the modifying the MAC address information of the peer-to-peer connection traffic from the first MAC address information to second MAC address information includes:
after receiving the peer-to-peer connection traffic sent by the first VPC, the br-south sends the peer-to-peer connection traffic out of a first Veth Pair corresponding to the first VPC, and sends the peer-to-peer connection traffic to the br-conjoin;
the br-conjoin modifies a source MAC address of the peer-to-peer connection traffic from a MAC address of a first DVR in the first VPC to a MAC address of a second peer port reserved by a second subnet in the second VPC, and modifies a destination MAC address of the peer-to-peer connection traffic from a MAC address of a first peer port reserved by a first subnet in the first VPC to a MAC address of a second DVR in the second VPC;
the sending the peer-to-peer connection traffic after the address information is modified to the second VPC includes:
the br-conjoin sends the peer-to-peer connection flow with the modified address information out of a second Veth Pair corresponding to the second VPC and sends the peer-to-peer connection flow to the br-south;
and the br-south sends the peer-to-peer connection traffic with the modified address information to the second VPC.
3. The method of claim 2, wherein the br-conjoin comprises a subnet selection group flow table corresponding to the second VPC, and wherein the subnet selection group flow table is used for load balancing selection of subnets in the second VPC;
before the br-conjoin modifies a source MAC address of the peer-to-peer connection traffic from a MAC address of a first DVR in the first VPC to a MAC address of a second peer port reserved by a second subnet in the second VPC, the method further comprising:
the br-conjoin selects a second subnet in the second VPC using the subnet selection group flow table.
4. The method of claim 2, wherein the br-south includes a DVR instance selection group flow table corresponding to the second DVR, and the DVR instance selection group flow table is used for performing load balancing selection on DVR instances of the second DVR;
the br-south sends the peer-to-peer connection traffic with the modified address information to the second VPC, including:
the br-south selects a target DVR instance of the second DVR using the DVR instance selection group flow table;
and the br-south sends the peer-to-peer connection traffic with the modified address information to a target DVR instance of the second DVR.
5. The method of claim 1,
the MAC address of the first peer port and the MAC address of the second peer port correspond to a preset MAC address prefix, and the preset MAC address prefix is used for identifying that the flow belongs to the flow forwarded across VPCs in the flow table matching process of the flow.
6. A method of traffic forwarding across Virtual Private Cloud (VPC), the method being performed by a first VPC in a VPC peer-to-peer connection network, the VPC peer-to-peer connection network further comprising a VPC peer gateway cluster, a second VPC, the method comprising:
generating peer-to-peer connection traffic, wherein Media Access Control (MAC) address information of the peer-to-peer connection traffic is third MAC address information, and the third MAC address information is related to an MAC address of a first Distributed Virtual Router (DVR) in the first VPC and an MAC address of a first Virtual Machine (VM) in the first VPC;
modifying the MAC address information of the peer-to-peer connection flow from the third MAC address information to first MAC address information, wherein the first MAC address information is related to the MAC address of a first DVR in the first VPC and the MAC address of a first peer-to-peer port reserved by a first subnet in the first VPC;
and sending the peer-to-peer connection traffic after the address information is modified to the VPC peer-to-peer gateway cluster so that the VPC peer-to-peer gateway cluster forwards the peer-to-peer connection traffic to the second VPC.
7. The method of claim 6, wherein a peer-to-peer connection routing rule is included in a first DVR in the first VPC, wherein the peer-to-peer connection routing rule comprises: when the destination IP address of the flow belongs to the destination network segments of other VPCs, the next hop is the IP address of the peer port reserved for the subnet from which the flow comes;
the modifying the MAC address information of the peer-to-peer connection traffic from the third MAC address information to the first MAC address information includes:
after receiving the peer-to-peer connection traffic sent by the first VM, the first DVR modifies a source MAC address of the peer-to-peer connection traffic from a MAC address of the first VM in the first VPC to a MAC address of the first DVR in the first VPC and modifies a destination MAC address of the peer-to-peer connection traffic from the MAC address of the first DVR in the first VPC to a MAC address of a first peer-to-peer port reserved by a first subnet in the first VPC based on the peer-to-peer connection routing rule.
8. The method of claim 7, wherein the VPC peer-to-peer gateway cluster comprises at least one gateway node group, wherein each gateway node group comprises at least one gateway node, and wherein a peer-to-peer connection between the first VPC and the second VPC is carried by a target gateway node group of the at least one gateway node group;
the sending the peer-to-peer connection traffic after the address information modification to the VPC peer-to-peer gateway cluster includes:
the first DVR sends the peer-to-peer connection flow after the address information is modified to br-tun in the first VPC, wherein the br-tun comprises a gateway node selection group flow table corresponding to the target gateway node group, and the gateway node selection group flow table is used for carrying out load balancing selection on gateway nodes in the target gateway node group;
the br-tun selects a target gateway node in the target gateway node group by using the gateway node selection group flow table;
and the br-tun sends the peer-to-peer connection flow with the modified address information to the target gateway node.
9. A method of traffic forwarding across a Virtual Private Cloud (VPC), the method performed by a second VPC in a VPC peer-to-peer connection network further comprising a VPC peer gateway cluster, a first VPC, the method comprising:
receiving peer-to-peer connection traffic sent by the VPC peer-to-peer gateway cluster, where the peer-to-peer connection traffic is received by the VPC peer-to-peer gateway cluster from the first VPC, and Media Access Control (MAC) address information of the peer-to-peer connection traffic is second MAC address information, and the second MAC address information is related to a MAC address of a second Distributed Virtual Router (DVR) in the second VPC and a MAC address of a second peer port reserved by a second subnet in the second VPC;
modifying the MAC address information of the peer-to-peer connection flow from the second MAC address information to fourth MAC address information, wherein the fourth MAC address information is related to the MAC address of a second DVR in the second VPC and the MAC address of a second virtual machine VM in the second VPC;
and sending the peer-to-peer connection traffic with the modified address information to the second VM.
10. The method of claim 9, wherein a second DVR in the second VPC comprises a direct routing rule therein, wherein the direct routing rule comprises: when the destination IP address of the flow belongs to the destination network segment of the second VPC, the next hop is a direct connection network card corresponding to the subnet to which the second VM belongs;
the modifying the MAC address information of the peer-to-peer connection traffic from the second MAC address information to fourth MAC address information includes:
after receiving the peer-to-peer connection traffic sent by the VPC peer gateway cluster, the second DVR modifies the source MAC address of the peer-to-peer connection traffic from the MAC address of the second peer port reserved by the second subnet in the second VPC to the MAC address of the second DVR in the second VPC and modifies the destination MAC address of the peer-to-peer connection traffic from the MAC address of the second DVR in the second VPC to the MAC address of the second VM in the second VPC based on the direct routing rule.
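The three L2-rewrite hops claimed above (first DVR, br-tun gateway selection, second DVR), modelled as an added Python illustration that is not code from the patent. All MAC addresses, the 10.2.0.0/16 segment, the hash-based selection policy and the gateway cluster's own rewrite are assumptions; the claims only state that selection is load-balanced and that traffic leaves the cluster carrying the second MAC address information.

```python
"""Model of the MAC-rewrite path in the claimed cross-VPC forwarding method.

Added illustration, not code from the patent. Each hop checks that the frame
carries the L2 header the previous hop should have produced and refuses to
rewrite anything else, so a stray frame cannot be routed into the peer VPC.
"""
import hashlib
import ipaddress

# Constructed sample addresses (assumed, not taken from the patent text).
VM1_MAC, DVR1_MAC, PEER1_MAC = "fa:16:3e:00:00:01", "fa:16:3e:00:00:10", "fa:16:3e:00:00:20"
VM2_MAC, DVR2_MAC, PEER2_MAC = "fa:16:3e:00:00:02", "fa:16:3e:00:00:30", "fa:16:3e:00:00:40"
VPC2_CIDR = ipaddress.ip_network("10.2.0.0/16")  # assumed second-VPC segment


def first_dvr_rewrite(pkt):
    """Claim 7: peer-connection route -> src becomes DVR1, dst the reserved peer port."""
    if ipaddress.ip_address(pkt["dst_ip"]) not in VPC2_CIDR:
        raise ValueError("no peer-to-peer connection route for destination")
    if pkt["dst_mac"] != DVR1_MAC:
        raise ValueError("frame not addressed to the first DVR; not routed")
    return dict(pkt, src_mac=DVR1_MAC, dst_mac=PEER1_MAC)


def select_gateway_node(pkt, node_group):
    """Claim 8: br-tun picks one node of the target group. Hashing the flow key
    is an assumed policy; it keeps one flow pinned to one gateway node."""
    key = f"{pkt['src_ip']}|{pkt['dst_ip']}|{pkt.get('proto', 0)}".encode()
    digest = hashlib.sha256(key).digest()
    return node_group[int.from_bytes(digest[:4], "big") % len(node_group)]


def gateway_rewrite(pkt):
    """Assumed cluster behaviour: emit the second MAC address information of claim 9."""
    if (pkt["src_mac"], pkt["dst_mac"]) != (DVR1_MAC, PEER1_MAC):
        raise ValueError("frame did not come from the first VPC's peer path")
    return dict(pkt, src_mac=PEER2_MAC, dst_mac=DVR2_MAC)


def second_dvr_rewrite(pkt, vm_table):
    """Claim 10: direct route -> src becomes DVR2, dst the VM on the local subnet."""
    if (pkt["src_mac"], pkt["dst_mac"]) != (PEER2_MAC, DVR2_MAC):
        raise ValueError("unexpected L2 header at the second DVR")
    if ipaddress.ip_address(pkt["dst_ip"]) not in VPC2_CIDR:
        raise ValueError("destination not in the second VPC's segment")
    return dict(pkt, src_mac=DVR2_MAC, dst_mac=vm_table[pkt["dst_ip"]])


def forward_end_to_end(pkt, node_group, vm_table):
    """Run all hops; return the frame delivered to the VM and the node used."""
    staged = first_dvr_rewrite(pkt)
    node = select_gateway_node(staged, node_group)
    return second_dvr_rewrite(gateway_rewrite(staged), vm_table), node
```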
CN202210911121.6A 2022-07-29 2022-07-29 Cross-VPC flow forwarding method Pending CN115499434A (en)

Publications (1)

Publication Number Publication Date
CN115499434A true CN115499434A (en) 2022-12-20

Family

ID=84466443

Citations (9)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108429680A * | 2018-03-07 | 2018-08-21 | 北京优帆科技有限公司 | Route configuration method, system, medium and device based on a virtual private cloud
CN109361764A * | 2018-11-29 | 2019-02-19 | 杭州数梦工场科技有限公司 | Intranet service access method across VPCs, device, equipment and readable storage medium
CN109450905A * | 2018-11-20 | 2019-03-08 | 郑州云海信息技术有限公司 | Method, apparatus and system for transmitting data
CN111030912A * | 2018-10-09 | 2020-04-17 | 华为技术有限公司 | Method for intercommunication between virtual private clouds (VPCs)
CN111510367A * | 2020-04-17 | 2020-08-07 | 上海思询信息科技有限公司 | VPC network cross-cluster interworking method and system based on VXLAN tunnels
CN111917649A * | 2019-05-10 | 2020-11-10 | 华为技术有限公司 | Virtual private cloud communication and configuration method and related device
CN112640369A * | 2018-08-24 | 2021-04-09 | Vm维尔股份有限公司 | Intelligent use of peering in a public cloud
CN113132201A * | 2019-12-30 | 2021-07-16 | 华为技术有限公司 | Communication method and device between VPCs
CN113783781A * | 2021-08-13 | 2021-12-10 | 济南浪潮数据技术有限公司 | Method and device for interworking between virtual private clouds



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination