CN115514692A - Network interaction method, system, storage medium and terminal in resource pool - Google Patents

Network interaction method, system, storage medium and terminal in resource pool Download PDF

Info

Publication number
CN115514692A
Authority
CN
China
Prior art keywords
elastic
security component
pool
access request
intranet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211145379.6A
Other languages
Chinese (zh)
Inventor
刘凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/14 Routing performance; Theoretical aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a network interaction method in a resource pool, applied to a tenant border router connected to an intranet security component. The tenant border router is preconfigured with a destination address conversion rule and a source address conversion rule, and the intranet security component is preconfigured with an elastic IP. The method comprises: receiving an access request whose destination address is the elastic IP; changing the destination address of the access request to the data IP of the intranet security component through the destination address conversion rule; and, after the intranet security component responds to the access request and generates a return packet, switching the source address of the return packet to the elastic IP through the source address conversion rule and returning the packet. In this way the intranet data network segment and the external network are better isolated and decoupled, the security of the intranet security component is guaranteed, and network deployment planning is more flexible. The application also provides a network interaction system, a storage medium and a terminal in the resource pool, which have the same beneficial effects.

Description

Network interaction method, system, storage medium and terminal in resource pool
Technical Field
The present application relates to the field of communications, and in particular, to a method, a system, a storage medium, and a terminal for network interaction in a resource pool.
Background
Currently, in public cloud scenarios, access to intranet security components is mainly achieved by configuring a PBR (Policy Based Routing) rule on the core router or switch that indiscriminately steers the traffic of the entire intranet data network segment. However, the network segment steered by such a PBR rule is too large (the current data network segment uses a /19 mask), which easily affects the planning and deployment of the customer network, and all intranet security components become exposed and reachable.
Disclosure of Invention
The application aims to provide a network interaction method, a system, a storage medium and a terminal in a resource pool, so that an intranet security component in an intranet can be accessed from the outside through an elastic IP, and other intranet components cannot be accessed, so that intranet data and extranet data are decoupled, and the intranet data security is improved.
In order to solve the above technical problem, the present application provides a method for network interaction in a resource pool, which is applied to a tenant border router connected to an internal network security component, wherein the tenant border router is preconfigured with a destination address conversion rule and a source address conversion rule, and the internal network security component is preconfigured with an elastic IP, and the specific technical solution is as follows:
receiving an access request with the elastic IP as a destination address;
changing the destination address of the access request into the data IP of the intranet security component through a destination address conversion rule;
and after the intranet security component responds to the access request and generates a return packet, switching the source address of the return packet to the elastic IP through the source address conversion rule and returning the packet.
Optionally, after the elastic IP is configured for the intranet security component, the method further includes:
establishing a mapping relation between the elastic IP and the data IP corresponding to the intranet security component;
the changing the destination address of the access request to the data IP of the intranet security component by the destination address conversion rule includes:
and changing the destination address of the access request into the data IP of the intranet security component by using a destination address conversion rule according to the mapping relation.
Optionally, the method further includes:
and distributing idle elastic IP for the intranet security component from the elastic IP pool, and binding the idle elastic IP with the intranet security component.
Optionally, allocating an idle elastic IP for the intranet security component from the elastic IP pool, and binding the idle elastic IP with the intranet security component includes:
acquiring an IP binding instruction of a target intranet security component;
if the IP binding instruction does not contain the specified elastic IP, acquiring an idle elastic IP from the elastic IP pool, and binding the idle elastic IP with the target intranet security component;
and if the IP binding instruction contains a specified elastic IP, binding the specified elastic IP with the target intranet security component.
Optionally, the method further includes:
receiving an IP pool modification request containing a new IP pool;
if an elastic IP currently in use is not contained in the new IP pool, reallocating an idle elastic IP from the new IP pool for the component that used it;
if every elastic IP currently in use is contained in the new IP pool, keeping the existing elastic IP assignments unchanged;
and if the number of IPs in the new IP pool is smaller than the number of elastic IPs currently in use, rejecting the IP pool modification request.
Optionally, binding the idle elastic IP with the target intranet security component includes:
and establishing a mapping relation between the idle elastic IP and the target intranet security component in a database, and marking the idle elastic IP as an occupied state.
Optionally, if the access request originates from a physical core router or an intranet core virtual switch, before the tenant border router receives the access request with the elastic IP as a destination address, the method further includes:
configuring PBR (Policy Based Routing) traffic steering on the physical core router or the intranet core virtual switch; the PBR steering is used to direct the access request to the tenant border router after the access request is received.
The present application further provides a network interaction system in a resource pool, which is applied to a tenant border router connected to an internal network security component, wherein the tenant border router is configured with a destination address conversion rule and a source address conversion rule in advance, and the internal network security component is configured with an elastic IP in advance, including:
a request receiving module, configured to receive an access request with the elastic IP as a destination address;
a first address conversion module, configured to change a destination address of the access request to a data IP of the intranet security component according to a destination address conversion rule;
and a second address conversion module, configured to, after the intranet security component responds to the access request and generates a return packet, switch the source address of the return packet to the elastic IP through the source address conversion rule and return the packet.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method as set forth above.
The present application further provides a terminal, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the method when calling the computer program in the memory.
In summary, the application provides a network interaction method in a resource pool, applied to a tenant border router connected to an intranet security component, where the tenant border router is preconfigured with a destination address conversion rule and a source address conversion rule, and the intranet security component is preconfigured with an elastic IP. The method comprises: receiving an access request with the elastic IP as a destination address; changing the destination address of the access request to the data IP of the intranet security component through the destination address conversion rule; and, after the intranet security component responds to the access request and generates a return packet, switching the source address of the return packet to the elastic IP through the source address conversion rule and returning the packet.
By configuring an elastic IP for the intranet security component and, when an access request from the external network is received, using the address conversion rules to translate the addresses of the access request and the return packet, the intranet data network segment and the external network are isolated and decoupled, the security of the intranet security component is guaranteed, and network deployment planning becomes flexible. For an intranet security component, adding an elastic IP allows access control to be implemented by binding or unbinding the elastic IP, and an intranet security component that has no elastic IP is completely isolated from the outside.
The application further provides a network interaction system, a storage medium and a terminal in the resource pool, which have the same beneficial effects and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a network interaction method in a resource pool according to an embodiment of the present disclosure;
fig. 2 is a flowchart of a network interaction process in a resource pool according to an embodiment of the present disclosure;
fig. 3 is a flowchart of another resource pool network interaction process provided in an embodiment of the present application;
fig. 4 is a flowchart of a method for binding an elastic IP and an intranet security component according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of a network interaction system in a resource pool according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a network interaction method in a resource pool provided in an embodiment of the present application. The method is applied to a tenant border router connected to an intranet security component; the tenant border router is preconfigured with a destination address conversion rule and a source address conversion rule, and the intranet security component is preconfigured with an elastic IP.
How the elastic IP is configured is not limited. For example, an elastic IP pool may be set up and an elastic IP allocated to each intranet security component from it: an idle elastic IP is allocated from the elastic IP pool for the intranet security component and bound to it. The elastic IP pool may be user-defined and configured according to the network plan, including the number of elastic IPs, the IP address range, and so on; the network plan may take into account the number of loads connected to the tenant border router, etc. Of course, other IP sets such as an elastic IP data table or an elastic IP database may be used instead, and any elastic IP set performing the same function as the elastic IP pool in the present application falls within its scope.
After the configuration of the elastic IP pool is completed, the elastic IPs bound by each intranet security component can be uniformly distributed and managed by the elastic IP pool, and it should be noted that the elastic IPs of any intranet security component need to exist in the elastic IP pool.
In the above background, the specific technical solution of the resource pool network interaction method provided by the present application is as follows:
s101: receiving an access request with the elastic IP as a destination address;
the embodiment of the application is applied to a tenant boundary router, namely a router facing a user and located at the edge or the tail end of a network, can provide basic security protection for an external network, and can also be used for entering a special network area from an area lacking network control. In the embodiment of the present application, the tenant boundary router is required to be configured with an address translation rule in advance, which specifically includes a destination address translation rule and a source address translation rule. The internal security component connected by the tenant boundary router is not limited herein, and may include various application loads, virtual loads, bastion machines, VPNs, etc., all of which may control the forwarding of the access request by the tenant boundary router.
In this step, an access request addressed to the elastic IP is received. The initiator of the access request is not limited, but the access request must carry, as its destination address, the elastic IP of the intranet security component it needs to reach.
S102: changing the destination address of the access request into the data IP of the intranet security component through a destination address conversion rule;
this step requires that the destination address in the access request is changed to the data IP of the intranet security component by the destination address conversion rule, and any mapping table, data table, etc. containing the mapping relationship between the elastic IP and the data IP may be used in the conversion process.
In this embodiment, a mapping relationship between the elastic IP and the data IP corresponding to the intranet security component may be established before this step is performed, so that when the step is performed the destination address of the access request can be changed to the data IP of the intranet security component directly according to that mapping, using the destination address conversion rule.
It should be noted that each intranet security component has its own unique data IP, which is the address the extranet access request actually reaches after the conversion.
S103: and after the intranet security component responds to the access request and generates a return packet, switching the source address of the return packet to the elastic IP through the source address conversion rule and returning the packet.
After the intranet security component responds to the access request and generates a data return packet, address conversion is carried out on the data return packet, namely the source address of the data return packet is switched into the elastic IP through a source address conversion rule and returned to the initiator of the access request.
According to the embodiment of the application, the elastic IP is configured for the internal network security component, and when the access request of the external network is received, the address conversion rule is utilized to perform address conversion on the access request and the data packet, so that the internal network data network segment and the external network are isolated and decoupled, the security of the internal network security component is guaranteed, and meanwhile, the network deployment planning is more flexible. For the intranet security component, by adding the elastic IP for the intranet security component, access control of the intranet security component can be realized in a mode of binding or unbinding the elastic IP, and complete isolation from the outside is realized for the intranet security component which does not contain the elastic IP.
Referring to fig. 2, fig. 2 is a flowchart of a network interaction process in a resource pool provided in an embodiment of the present application. Fig. 2 includes virtual application loads such as vmaf and vmad and user-side applications such as SSL VPN and a bastion host, and adopts a VLAN direct connection mode. When the present application is applied, an access request from the external Internet is received first; PBR (Policy-Based Routing) is configured on the external physical core switch to steer traffic destined to the elastic IP, and after receiving the access request the tenant 2 border router converts the elastic IP into the corresponding data IP using the destination address conversion rule, so that the various application terminals connected to the tenant 2 border router can be accessed from outside.
Based on the above embodiment, if the access request originates from a physical core router or an intranet core virtual switch, PBR traffic steering may be configured on the physical core router or the intranet core virtual switch before the tenant border router receives the access request with the elastic IP as a destination address; the PBR steering directs the access request to the tenant border router after it is received.
Referring to fig. 3, fig. 3 is a flowchart of another network interaction process in a resource pool provided in this embodiment, which adopts a route forwarding mode: after the external core router sends the access request to the core router through a transit port, PBR applied on the core router steers it to the tenant 2 border router, and the process described in the above embodiment is then applied, so that network interaction in the resource pool is achieved. Therefore, whether the route forwarding mode or the VLAN direct connection mode is adopted, the tenant border router needs to be preconfigured with address conversion rules to perform address conversion on the access request and the return packet.
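As an added example, not code from the patent or from Sangfor, the following Python model walks one request through the flow just described: the core switch steers only destinations inside the elastic IP pool to the tenant border router (the PBR of figs. 2 and 3), the router applies the destination address conversion rule to the request (S101/S102) and the source address conversion rule to the reply (S103), and a request for an elastic IP that has no binding is dropped, which is what makes a component without an elastic IP unreachable. It also renders equivalent nftables DNAT/SNAT rules for a Linux-based border router, an assumed deployment. All addresses, the /28 pool, the next-hop name and the component data IPs are constructed.

```python
"""Model of elastic-IP steering and address conversion on a tenant border router.
Added example, not the patent's code. Every address below is constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not taken from the patent).
ELASTIC_POOL = ip_network("203.0.113.0/28")    # the elastic IP pool the PBR rule matches on
BORDER_ROUTER = "tenant2-border"               # PBR next hop for elastic-pool traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class CoreSwitch:
    """PBR: steer only traffic for the elastic IP pool to the tenant border router,
    instead of steering the whole intranet data segment as the background describes."""

    def __init__(self, pool, next_hop):
        self.pool, self.next_hop = pool, next_hop

    def route(self, pkt):
        if ip_address(pkt.dst) in self.pool:
            return self.next_hop
        return "default"            # everything else follows the normal routing table


class TenantBorderRouter:
    def __init__(self, bindings):
        self.dnat = dict(bindings)                          # elastic IP -> data IP (destination rule)
        self.snat = {d: e for e, d in bindings.items()}     # data IP -> elastic IP (source rule)
        self.dropped = []

    def inbound(self, pkt):
        """S101/S102: rewrite the destination to the data IP; drop if the elastic IP is unbound."""
        data_ip = self.dnat.get(pkt.dst)
        if data_ip is None:
            self.dropped.append(pkt)        # unbound elastic IP: component stays isolated
            return None
        return replace(pkt, dst=data_ip)

    def outbound(self, pkt):
        """S103: rewrite the reply's source back to the elastic IP; never leak a data IP."""
        elastic = self.snat.get(pkt.src)
        if elastic is None:
            self.dropped.append(pkt)
            return None
        return replace(pkt, src=elastic)


def nft_rules(bindings, table="tenant_nat"):
    """Render equivalent nftables DNAT/SNAT rules for a binding table (assumed Linux deployment)."""
    lines = [f"table ip {table} {{",
             "  chain prerouting { type nat hook prerouting priority -100;"]
    for elastic, data in bindings.items():
        lines.append(f"    ip daddr {elastic} dnat to {data}")
    lines.append("  }")
    lines.append("  chain postrouting { type nat hook postrouting priority 100;")
    for elastic, data in bindings.items():
        lines.append(f"    ip saddr {data} snat to {elastic}")
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


def simulate(bindings, request):
    """One request/reply exchange end to end.
    Returns (next hop chosen by PBR, packet as seen by the component, reply as seen by the client)."""
    core = CoreSwitch(ELASTIC_POOL, BORDER_ROUTER)
    router = TenantBorderRouter(bindings)
    hop = core.route(request)
    if hop != BORDER_ROUTER:
        return hop, None, None
    inside = router.inbound(request)
    if inside is None:
        return hop, None, None
    # The security component answers from its data IP with the 4-tuple swapped.
    reply = Packet(src=inside.dst, dst=inside.src, sport=inside.dport, dport=inside.sport)
    return hop, inside, router.outbound(reply)


if __name__ == "__main__":
    table = {"203.0.113.10": "10.20.0.5"}       # one bound component (constructed)
    print(simulate(table, Packet("198.51.100.7", "203.0.113.10", 40000, 443)))
    print(simulate(table, Packet("198.51.100.7", "203.0.113.11", 40001, 443)))  # unbound: dropped
    print(nft_rules(table))
```

The rendered nftables fragment is the static part only; a real border router would additionally rely on conntrack for the reply rewrite and carry a default drop in the forward chain so that only bound elastic IPs are ever forwarded to the data segment.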
Referring to fig. 4, on the basis of the foregoing embodiment, in a possible implementation the binding of the elastic IP and the intranet security component may specifically include the following steps:
s201: acquiring an IP binding instruction of a target intranet security component;
s202: if the IP binding instruction does not contain the specified elastic IP, acquiring an idle elastic IP from an elastic IP pool, and binding the idle elastic IP with the target intranet security component;
s203: and if the IP binding instruction contains the specified elastic IP, binding the specified elastic IP with the target intranet security component.
This embodiment aims to bind elastic IPs to intranet security components on the basis of an elastic IP pool built in advance. After an IP binding instruction is received, it is judged whether the instruction contains a specified elastic IP, which may for example be an elastic IP entered directly by the user. If the IP binding instruction does not contain a specified elastic IP, an idle elastic IP is obtained from the elastic IP pool and bound to the target intranet security component.
This embodiment realizes the binding relationship between the intranet security component and the elastic IP. The binding process is in fact the recording of the binding relationship between the elastic IP and the intranet security component; the elastic IP need not be pushed to the target intranet security component itself. Specifically, a mapping between the idle elastic IP and the target intranet security component may be established in the database, and the idle elastic IP marked as occupied.
Since each intranet security component contains its own corresponding data IP, after the above process is completed, a mapping relationship between the data IP and the elastic IP is actually established. After that, when receiving an access request of the external network, the tenant boundary router may determine the actual data IP of the internal network security component that it needs to access according to the binding relationship between the elastic IP and the internal network security component.
On the basis of this embodiment, unbinding of the intranet security component from the elastic IP can also be implemented. Specifically, the address conversion rules on the tenant border router are cleared idempotently, and the automatically configured PBR steering rules are cleared idempotently at the same time; if the PBR was configured manually, it needs to be cleaned up manually. Finally, the elastic IP record of the component in the database is cleared idempotently, and the corresponding elastic IP is returned to the elastic IP pool.
By implementing binding and unbinding between the elastic IP and the intranet security component, if an intranet security component fails and the corresponding data IP therefore changes, the external access request does not need to be re-initiated; it is enough to change which intranet security component the elastic IP is bound to.
For example, suppose the outside world accesses intranet security component A, whose data IP is A1 and whose bound elastic IP is A2. If A fails, intranet security component B, whose data IP is B2, may replace A: only A needs to be unbound from A2 and B bound to A2. Because the access request carries the elastic IP, the impact on service when A fails is kept to a minimum. It can thus be seen that by implementing binding and unbinding of the elastic IP and the intranet security component, and combining this with the previous embodiment, a failed intranet service can be recovered quickly and the service interruption kept short, which further ensures redundancy of the intranet service and strengthens the disaster tolerance of the intranet security component.
On the basis of the foregoing embodiment, as a preferred embodiment, the following supplements corresponding description for an elastic IP pool, and for the elastic IP pool, after the initial configuration is completed, the capacity expansion or modification of the elastic IP pool may be performed, which specifically includes the following steps:
firstly, receiving an IP pool modification request containing a new IP pool, and then selecting and executing the following operations according to the specific content of the new IP pool:
if an elastic IP currently in use is not contained in the new IP pool, an idle elastic IP is reallocated from the new IP pool for the component that used it;
if every elastic IP currently in use is contained in the new IP pool, the existing elastic IP assignments are kept unchanged;
and if the number of IPs in the new IP pool is smaller than the number of elastic IPs currently in use, the IP pool modification request is rejected.
The embodiment of the application supports idempotent modification of the elastic IP pool, but all elastic IPs allocated to intranet security components must remain within the elastic IP pool. If an elastic IP in use is not within the range of the new IP pool, an idle elastic IP is automatically calculated and allocated, and the newly allocated elastic IP can be seen in the details of the security component; if every elastic IP in use is within the range of the new IP pool, the existing assignments are kept unchanged; and if the new IP pool has fewer IPs than the number of elastic IPs in use, the modification is forbidden, that is, the IP pool modification request is rejected.
The modification method of the elastic IP pool provided by the embodiment of the application is convenient for timely adjusting the corresponding elastic IP pool when the number or the type of the intranet security components is changed so as to adapt to the application requirements of the intranet security components.
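The binding procedure S201-S203, the idempotent unbinding and failover rebinding, and the three pool modification rules above all operate on the same state, the binding table. The Python manager below is an added example (not the patent's or Sangfor's code) that implements all of them over in-memory dicts standing in for the database the text mentions; the addresses, component names and the /28 pool are constructed. It also enforces the stated invariant that a bound elastic IP must exist in the pool, and it checks the size rule before touching any binding, so a rejected modification request leaves the state untouched.

```python
"""Elastic IP pool manager: bind (S201-S203), idempotent unbind, failover rebinding
and idempotent pool modification. Added example, not the patent's code; the dicts
stand in for its database, and all addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_network


class PoolError(ValueError):
    """Raised when a binding or pool change would violate the stated rules."""


@dataclass
class ElasticIPPool:
    network: str                                   # constructed CIDR standing in for the configured pool
    bindings: dict = field(default_factory=dict)   # elastic IP -> component (rows marked "occupied")
    data_ips: dict = field(default_factory=dict)   # component -> its data IP on the intranet segment

    def __post_init__(self):
        self.members = [str(a) for a in ip_network(self.network).hosts()]

    def free(self):
        """Idle elastic IPs: pool members with no occupied row."""
        return [a for a in self.members if a not in self.bindings]

    def bind(self, component, data_ip, elastic=None):
        """S201-S203: use the specified elastic IP if given and valid, else allocate an idle one."""
        if elastic is None:
            if not self.free():
                raise PoolError("elastic IP pool exhausted")
            elastic = self.free()[0]
        elif elastic not in self.members:
            raise PoolError(f"{elastic} is not in the elastic IP pool")
        elif self.bindings.get(elastic) not in (None, component):
            raise PoolError(f"{elastic} is already bound to {self.bindings[elastic]}")
        self.bindings[elastic] = component          # mark occupied
        self.data_ips[component] = data_ip
        return elastic

    def unbind(self, component):
        """Idempotent: drop the mapping (which removes its conversion rules) and free the IP."""
        for elastic, owner in list(self.bindings.items()):
            if owner == component:
                del self.bindings[elastic]
        self.data_ips.pop(component, None)

    def failover(self, failed, replacement, replacement_data_ip):
        """Move the failed component's elastic IP to its replacement; clients keep the same address."""
        elastic = next((e for e, c in self.bindings.items() if c == failed), None)
        if elastic is None:
            raise PoolError(f"{failed} has no elastic IP bound")
        self.unbind(failed)
        return self.bind(replacement, replacement_data_ip, elastic)

    def translation_rules(self):
        """elastic IP -> data IP: the table the border router's destination conversion rule uses."""
        return {e: self.data_ips[c] for e, c in self.bindings.items()}

    def modify(self, new_network):
        """Replace the pool. Rejects a pool smaller than the IPs in use (state untouched),
        keeps bindings that remain in range, and reallocates idle IPs from the new pool
        for bindings that fell out of range. Returns {component: (old, new)} for those."""
        new_members = [str(a) for a in ip_network(new_network).hosts()]
        if len(new_members) < len(self.bindings):
            raise PoolError("new pool has fewer IPs than are currently in use")
        stale = [e for e in self.bindings if e not in new_members]
        self.members = new_members
        reassigned = {}
        for old in stale:                            # empty when every used IP is still in range
            component = self.bindings.pop(old)
            new = self.free()[0]                     # always exists, by the size check above
            self.bindings[new] = component
            reassigned[component] = (old, new)
        return reassigned


if __name__ == "__main__":
    pool = ElasticIPPool("203.0.113.0/28")
    print(pool.bind("vAF-A", "10.20.0.5"))                    # idle IP allocated
    print(pool.bind("bastion", "10.20.0.9", "203.0.113.5"))   # specified IP bound
    print(pool.failover("vAF-A", "vAF-B", "10.20.0.6"))       # same elastic IP, new data IP
    print(pool.modify("203.0.113.16/29"))                     # all bindings moved into the new range
```

Because `unbind` and `modify` are idempotent, a controller can safely retry them after a partial failure; the `translation_rules()` output is what would be pushed to the border router's address conversion rules after each change.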
Referring to fig. 5, fig. 5 is a schematic structural diagram of a network interaction system in a resource pool provided in an embodiment of the present application, and the present application further provides a network interaction system in a resource pool, including:
a request receiving module, configured to receive an access request with the elastic IP as a destination address;
a first address conversion module, configured to change a destination address of the access request to a data IP of the intranet security component according to a destination address conversion rule;
and a second address conversion module, configured to, after the intranet security component responds to the access request and generates a return packet, switch the source address of the return packet to the elastic IP through the source address conversion rule and return the packet.
Based on the above embodiment, as a preferred embodiment, the method further includes:
the mapping establishing module is used for establishing a mapping relation between the elastic IP and the data IP corresponding to the intranet security component;
the first address conversion module is a module for changing a destination address of the access request into a data IP of the intranet security component by using a destination address conversion rule according to the mapping relationship.
Based on the above embodiment, as a preferred embodiment, the method further includes:
and the IP binding module is used for distributing idle elastic IP for the intranet security component from the elastic IP pool and binding the idle elastic IP with the intranet security component.
Based on the foregoing embodiment, as a preferred embodiment, the IP binding module includes:
the appointed acquisition unit is used for acquiring an IP binding instruction of the target intranet security component;
a first binding unit, configured to, if the IP binding instruction does not include a specified elastic IP, obtain an idle elastic IP from the elastic IP pool, and bind the idle elastic IP with the target intranet security component;
and the second binding unit is used for binding the specified elastic IP with the target intranet security component if the IP binding instruction contains the specified elastic IP.
Based on the above embodiment, as a preferred embodiment, the method further includes:
an IP modification module, configured to receive an IP pool modification request containing a new IP pool; if an elastic IP currently in use is not contained in the new IP pool, reallocate an idle elastic IP from the new IP pool for the component that used it; if every elastic IP currently in use is contained in the new IP pool, keep the existing elastic IP assignments unchanged; and if the number of IPs in the new IP pool is smaller than the number of elastic IPs currently in use, reject the IP pool modification request.
Based on the foregoing embodiment, as a preferred embodiment, the IP binding module is a module configured to establish a mapping relationship between the idle elastic IP and the target intranet security component in a database, and mark the idle elastic IP as an occupied state.
Based on the above embodiment, as a preferred embodiment, the method further includes:
a steering configuration module, configured to configure PBR traffic steering on the physical core router or the intranet core virtual switch; the PBR steering directs the access request to the tenant border router after it is received.
The present application further provides a computer-readable storage medium, on which a computer program is stored, which, when executed, may implement the steps of the method provided by the above-mentioned embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The present application further provides a terminal, which may include a memory and a processor, where the memory stores a computer program, and when the processor calls the computer program in the memory, the steps of the method provided in the foregoing embodiment may be implemented. Of course, the terminal may also include various network interfaces, power supplies, and the like. Referring to fig. 6, fig. 6 is a schematic structural diagram of a terminal according to an embodiment of the present application, where the terminal according to the embodiment may include: a processor 601 and a memory 602.
Optionally, the terminal may further comprise a communication interface 603, an input unit 604, a display 605 and a communication bus 606.
The processor 601, the memory 602, the communication interface 603, the input unit 604, and the display 605 all communicate with each other via the communication bus 606.
In the embodiment of the present application, the processor 601 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or another programmable logic device.
The processor may call a program stored in the memory 602. In particular, the processor may perform the operations performed by the terminal in the above embodiments.
The memory 602 is used for storing one or more programs, which may include program codes including computer operation instructions, and in this embodiment, the memory stores at least the programs for implementing the following functions:
In one possible implementation, the memory 602 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store data created during use of the computer.
Further, the memory 602 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device or another non-volatile solid-state storage device.
The communication interface 603 may be an interface of a communication module, such as an interface of a GSM module.
The terminal may also include a display 605, an input unit 604, and the like.
The structure of the terminal shown in fig. 6 does not constitute a limitation of the terminal in the embodiments of the present application, and in practical applications, the terminal may include more or less components than those shown in fig. 6, or some components may be combined.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system provided by the embodiment, the description is relatively simple because the system corresponds to the method provided by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present application are described herein using specific examples, which are only used to help understand the method and its core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A network interaction method in a resource pool, applied to a tenant boundary router connected with an intranet security component, wherein the tenant boundary router is preconfigured with a destination address conversion rule and a source address conversion rule, the intranet security component is preconfigured with an elastic IP, and the method comprises the following steps:
receiving an access request with the elastic IP as a destination address;
changing the destination address of the access request into the data IP of the intranet security component through a destination address conversion rule;
and after the intranet security component responds to the access request and generates a data packet, switching the source address of the data packet to the elastic IP through the source address conversion rule and returning the data packet.
2. The network interaction method in a resource pool according to claim 1, further comprising, after the elastic IP is configured on the intranet security component, the step of:
establishing a mapping relation between the elastic IP and the data IP corresponding to the intranet security component;
the changing the destination address of the access request to the data IP of the intranet security component by the destination address conversion rule includes:
and changing the destination address of the access request into the data IP of the intranet security component by using a destination address conversion rule according to the mapping relation.
3. The method for network interaction in the resource pool according to claim 2, further comprising:
and distributing idle elastic IP for the intranet security component from the elastic IP pool, and binding the idle elastic IP with the intranet security component.
4. The method according to claim 3, wherein distributing an idle elastic IP from the elastic IP pool to the intranet security component and binding it with the intranet security component comprises:
acquiring an IP binding instruction of a target intranet security component;
if the IP binding instruction does not contain the specified elastic IP, acquiring an idle elastic IP from the elastic IP pool, and binding the idle elastic IP with the target intranet security component;
and if the IP binding instruction contains a specified elastic IP, binding the specified elastic IP with the target intranet security component.
5. The network interaction method in a resource pool according to claim 3, further comprising:
receiving an IP pool modification request containing a new IP pool;
if a new elastic IP in the new IP pool is not in the elastic IP pool, reallocating an idle elastic IP from the elastic IP pool;
if the designated elastic IP is located in the elastic IP pool, keeping the elastic IP pool unchanged;
and if the number of IPs in the new IP pool is smaller than the number of elastic IPs currently in use, rejecting the IP pool modification request.
6. The method according to claim 4, wherein binding the idle elastic IP with the target intranet security component comprises:
and establishing a mapping relation between the idle elastic IP and the target intranet security component in a database, and marking the idle elastic IP as an occupied state.
7. The method according to claim 1, wherein, if the access request originates from a physical core router or an intranet core virtual switch, the method further comprises, before the tenant boundary router receives the access request with the elastic IP as a destination address:
configuring PBR-based traffic steering at the physical core router or the intranet core virtual switch, wherein the PBR traffic steering directs the access request to the tenant boundary router after the access request is received.
8. A network interaction system in a resource pool, applied to a tenant boundary router connected with an intranet security component, wherein the tenant boundary router is preconfigured with a destination address conversion rule and a source address conversion rule, the intranet security component is preconfigured with an elastic IP, and the network interaction system in a resource pool comprises:
a request receiving module, configured to receive an access request with the elastic IP as a destination address;
a first address conversion module, configured to change a destination address of the access request to a data IP of the intranet security component according to a destination address conversion rule;
and a second address conversion module, configured to, after the intranet security component responds to the access request and generates a return data packet, switch the source address of the return data packet to the elastic IP through the source address conversion rule and return the packet.
9. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, carries out the steps of the network interaction method in a resource pool according to any one of claims 1-7.
10. A terminal, comprising a memory in which a computer program is stored and a processor which, when calling the computer program in the memory, implements the steps of the network interaction method in a resource pool according to any one of claims 1-7.
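The elastic IP binding, pool modification and destination/source address conversion steps of the description and claims above, modelled as an added Python example that is not the applicant's code: the class and function names, the sample addresses and the reading of claim 5 (reject a new pool smaller than the number of IPs in use, keep bindings whose IP survives in the new pool, reallocate the rest from idle IPs) are assumptions.

```python
class ElasticIpPool:
    def __init__(self, pool):
        self.pool = set(pool)      # elastic IPs the pool may hand out
        self.data_ip = {}          # intranet security component -> its data IP
        self.binding = {}          # "database" mapping: elastic IP -> component (occupied)

    def register(self, component, data_ip):
        self.data_ip[component] = data_ip

    def idle(self):
        return sorted(self.pool - set(self.binding))

    def bind(self, component, specified=None):
        """IP binding instruction: use the specified elastic IP, else take an idle one."""
        if specified is None:
            if not self.idle():
                raise RuntimeError("elastic IP pool exhausted")
            eip = self.idle()[0]
        elif specified not in self.pool or specified in self.binding:
            raise ValueError(f"{specified} is not an idle elastic IP of the pool")
        else:
            eip = specified
        self.binding[eip] = component   # store the mapping and mark the IP occupied
        return eip

    def modify_pool(self, new_pool):
        """IP pool modification request (assumed reading of claim 5): reject if the new pool
        is smaller than the IPs in use; keep bindings whose IP survives, reallocate the rest."""
        new_pool = set(new_pool)
        if len(new_pool) < len(self.binding):
            return False
        old, self.pool = self.binding, new_pool
        self.binding = {e: c for e, c in old.items() if e in new_pool}
        for eip, component in old.items():
            if eip not in new_pool:
                self.binding[self.idle()[0]] = component
        return True

    def dnat(self, packet):
        """Destination address conversion rule for an inbound access request."""
        component = self.binding.get(packet["dst"])
        if component is None:
            return None            # destination is not a bound elastic IP: no rule matches
        return {**packet, "dst": self.data_ip[component]}

    def snat(self, packet):
        """Source address conversion rule for the component's reply."""
        for eip, component in self.binding.items():
            if self.data_ip[component] == packet["src"]:
                return {**packet, "src": eip}
        return packet


def access(pool, client_ip, eip):
    """One exchange through the router: DNAT the request, the component replies, SNAT the reply."""
    inbound = pool.dnat({"src": client_ip, "dst": eip})
    if inbound is None:
        return None
    reply = {"src": inbound["dst"], "dst": inbound["src"]}   # the component's response
    return pool.snat(reply)
```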
CN202211145379.6A 2022-09-20 2022-09-20 Network interaction method, system, storage medium and terminal in resource pool Pending CN115514692A (en)


Publications (1)

Publication Number Publication Date
CN115514692A true CN115514692A (en) 2022-12-23




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination