CN115664920A - Network communication management method, device, equipment and storage medium of cloud platform - Google Patents


Info

Publication number: CN115664920A
Application number: CN202211345316.5A
Authority: CN (China)
Prior art keywords: communication, host, network, managed, management
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 林东森
Current assignee: Beijing Qingyun Science And Technology Co ltd
Original assignee: Beijing Qingyun Science And Technology Co ltd
Application filed by Beijing Qingyun Science And Technology Co ltd
Priority to CN202211345316.5A
Publication of CN115664920A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network communication management method, system, electronic device and storage medium for a cloud platform. The method comprises: for any cloud host on the cloud platform, taking that cloud host as the host to be managed and determining its target communication scenario information; determining, from a pre-configured communication management configuration file, the current management configuration information that matches the target communication scenario information; and, according to the current management configuration information combined with the communication attribute information of the host to be managed, performing routing configuration on the host's communication network to obtain routing configuration information, so that the host to be managed communicates in the target communication scenario on the basis of that routing configuration information. With this technical solution, accurate and effective network service can be provided for the different target communication scenarios of different cloud hosts, the effectiveness of determining the communication channel is improved, and accurate management of network communication is achieved.

Description

Network communication management method, device, equipment and storage medium of cloud platform
Technical Field
The invention relates to the field of computer technology, in particular to a network communication management method and system for a cloud platform, an electronic device and a storage medium.
Background
A cloud platform provides computing, networking and storage capabilities as services built on hardware and software resources. When the user of a cloud host on the platform needs a security product, a security instance can be added to the user's own VPC network. During operation a security instance may be added to several networks, so several network cards may exist dynamically in the instance, and those network cards then need to be managed.
At present, the operating system's default network management software can assign addresses automatically by DHCP, but the higher-level network configuration for each network card has to be customized. When several network cards are present, simply letting the DHCP-based default network management software assign an IP address to each card easily produces routing conflicts and hence network problems.
Disclosure of Invention
The invention provides a network communication management method and system for a cloud platform, an electronic device and a storage medium, which can provide accurate and effective network service for the differing communication scenario requirements of different cloud hosts.
In a first aspect, an embodiment of the present disclosure provides a network communication management method for a cloud platform, applied to a network management device on the cloud platform, the method comprising:
for any cloud host on the cloud platform, taking the cloud host as the host to be managed and determining the target communication scenario information it currently has;
determining, from a pre-configured communication management configuration file, the current management configuration information that matches the target communication scenario information; and
according to the current management configuration information, combined with the communication attribute information of the host to be managed, performing routing configuration on the communication network of the host to be managed to obtain routing configuration information, so that the host to be managed performs network communication in the target communication scenario on the basis of that routing configuration information.
In a second aspect, an embodiment of the present disclosure provides a network communication management apparatus for a cloud platform, comprising:
a first determining module, configured to take any cloud host on the cloud platform as the host to be managed and determine the target communication scenario information it currently has;
a second determining module, configured to determine, from a pre-configured communication management configuration file, the current management configuration information that matches the target communication scenario information; and
a first obtaining module, configured to perform routing configuration on the communication network of the host to be managed according to the current management configuration information combined with the communication attribute information of the host, and to obtain routing configuration information, so that the host to be managed performs network communication in the target communication scenario on the basis of that routing configuration information.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor, the program enabling the at least one processor to perform the network communication management method for a cloud platform provided by any of the embodiments.
In a fourth aspect, the present disclosure provides a computer-readable storage medium storing computer instructions, where the computer instructions are configured to, when executed, enable a processor to implement the network communication management method for a cloud platform provided in any embodiment.
According to the network communication management method, apparatus, device and storage medium of the cloud platform described above, any cloud host on the cloud platform is taken as the host to be managed and the target communication scenario information it currently has is determined; the current management configuration information matching that scenario information is determined from a pre-configured communication management configuration file; and, according to the current management configuration information combined with the communication attribute information of the host to be managed, routing configuration is performed on the host's communication network to obtain routing configuration information, so that the host communicates in the target communication scenario on the basis of that information. Because the communication management configuration file is configured in advance, the efficiency of the network communication service is improved. Routing is configured from the management configuration information corresponding to each communication scenario combined with the host attributes, so accurate and effective network service can be provided for the differing target communication scenarios of different cloud hosts. The effectiveness of determining the communication channel is improved and accurate management of network communication is achieved.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a network communication management method of a cloud platform according to an embodiment of the present invention;
fig. 2 is a flowchart of a network communication management method of a cloud platform according to a second embodiment of the present invention;
fig. 3 is a diagram illustrating an example of topological communication between a cloud host and a service virtual host in the network communication management method for a cloud platform according to the second embodiment of the present invention;
fig. 4 is a schematic structural diagram of a network communication management apparatus of a cloud platform according to a third embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and "target" and the like in the description and claims of the invention and the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in other sequences than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a network communication management method for a cloud platform according to an embodiment of the present invention. This embodiment applies to configuration management of the network communication services of different hosts on a cloud platform; the method may be executed by a network communication management apparatus for a cloud platform, which may be implemented in hardware and/or software.
As shown in fig. 1, the method includes:
S101, for any cloud host on the cloud platform, take the cloud host as the host to be managed and determine its target communication scenario information.
In this embodiment the cloud platform may be a cloud computing platform, that is, a virtual platform that provides computing, networking and storage capabilities as services built on hardware and software resources and offers users public internet infrastructure services. Cloud platforms include storage-oriented platforms centred on data storage, computing-oriented platforms centred on data processing, and comprehensive cloud computing platforms that cover both computing and data storage.
A cloud host is a server built with virtualization technology and an important infrastructure component of cloud computing. It bundles rental of IT infrastructure capabilities (computing, storage and network resources), offers on-demand, pay-as-you-go server rental under the cloud computing model, and lets users freely customize their resource usage.
The host to be managed is a cloud host on the cloud platform that has not yet been placed under network management.
The target communication scenario information is the scenario information of the communication the host to be managed performs with the target communication device.
Specifically, any cloud host in the security resource pool on the cloud platform is determined to be a host to be managed, and the target communication scenario information between the target communication device and that host is determined.
For example, the target communication scenario information may include communication scenario information for a security product, where the security product may be at least a WAF (Web Application Firewall), a security log service, and the like.
S102, determine, from a pre-configured communication management configuration file, the current management configuration information that matches the target communication scenario information.
In this embodiment the communication management configuration file is a file storing the management configuration information required for communication. The current management configuration information is the instruction information entered and stored for the current host to be managed once its target communication scenario has been determined.
Specifically, a communication management configuration file covering a variety of communication scenarios is pre-configured on the host to be managed. Once the target communication scenario of the device to be managed has been determined, the pre-configured file is looked up directly, and the current management configuration information corresponding to that scenario is determined from the target communication scenario information.
S103, according to the current management configuration information, combined with the communication attribute information of the host to be managed, perform routing configuration on the host's communication network to obtain routing configuration information, so that the host to be managed performs network communication in the target communication scenario on the basis of that routing configuration information.
In this embodiment the communication attribute information is attribute information of the hardware that interconnects the devices. The communication network is the data link that physically connects otherwise isolated terminals, enables information exchange between them, and thereby achieves resource sharing and communication. Routing configuration means configuring network routes, which may include configuring the addresses to which packets are directed. The routing configuration information is the content configured for the routes of the communication network of the host to be managed. It differs according to the communication scenario, and a user can display it by querying the routing table of the host's communication network.
Specifically, the management configuration information corresponding to the target communication scenario information of the host to be managed is determined from the pre-configured communication management configuration file; combined with the host's communication attribute information, routing is configured for each of the host's communication networks and the routing configuration information for each is determined. On the basis of that routing configuration information the host to be managed can communicate in the target communication scenario.
In this embodiment, any cloud host on the cloud platform is taken as the host to be managed and its target communication scenario information is determined; the current management configuration information matching that scenario information is determined from a pre-configured communication management configuration file; and, according to the current management configuration information combined with the host's communication attribute information, routing configuration is performed on the host's communication network to obtain routing configuration information, so that the host communicates in the target communication scenario on the basis of that information. Because the communication management configuration file is configured in advance, the efficiency of network communication management is improved. Routing is configured from the management configuration information corresponding to each communication scenario combined with the host attributes, so accurate and effective network service can be provided for the differing communication scenarios of different cloud hosts. The effectiveness of determining the communication channel is improved and accurate management of network communication is achieved.
As a first optional embodiment, building on the above embodiment, the following is added: detect the network cards fitted to the host to be managed and use the network card information obtained as the communication attribute information.
In this embodiment a network card is a piece of computer hardware that lets the cloud host communicate over the cloud computing network; cards may be connected to each other by cable or wirelessly. Each network card has a unique 48-bit serial number, the MAC (Media Access Control) address, written into a ROM (Read-Only Memory) on the card, so every card on the communication network has a unique MAC address. The network card information is the card's configuration information and may include hardware information such as the card model as well as network configuration information.
Specifically, a cloud host's network cards are hot-pluggable by nature and may join or leave the private network at any time. The cards fitted to a host to be managed on the cloud platform can therefore be detected by an automatic network card discovery method: for example, the network card information may be detected by periodic-check logic, or the cards may be detected and their information obtained through the operating system's hardware device discovery mechanism. The network card information obtained is used as the communication attribute information.
For example, with periodic-check logic the addition or removal of network cards is detected at a fixed time interval by querying the kernel's sysfs directory "/sys/class/net/". With the operating system's hardware device discovery mechanism, a network card management script is triggered by a udev rule under Linux: the rule in the configuration identifies add or remove events for network cards, and for an add event a RUN+= assignment in the rule attaches a specific script to the newly added card, which is then executed so that the card can be used.
In this optional embodiment the network card information obtained by detecting the cards fitted to the host to be managed is used as the communication attribute information. With this scheme, change information such as cards being added or removed can be monitored effectively, the information of the changed cards is recorded as the host's communication attribute information, and a sound information basis is laid for network communication. The lag caused by changes in communication attribute information during network communication is thereby reduced and the correctness of the network communication connection is ensured.
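The periodic-check discovery described above, as an added example that is not part of the patent: it snapshots the interface directories under a sysfs-style tree (the real path would be /sys/class/net; here a constructed temporary tree stands in for it), reads each card's `address` file for the MAC, and diffs two polls into added, removed and MAC-changed cards, the last of which a name-only comparison would miss. The helper names and sample MAC values are this example's own.

```python
import os
import shutil
import tempfile
from typing import Dict, Set, Tuple

# Added illustration of periodic network card discovery; not the patent's code.
# The sysfs directory is a parameter so the same logic runs against a
# constructed fake tree offline and against "/sys/class/net" on a real host.

InterfaceTable = Dict[str, str]  # interface name -> MAC address ('' if unreadable)


def snapshot_interfaces(sysfs_net_dir: str) -> InterfaceTable:
    """Return {ifname: mac} for every interface directory under sysfs_net_dir.

    Each interface is a directory whose 'address' file holds the MAC.
    An unreadable address is recorded as '' rather than aborting the scan,
    so one odd device cannot hide the others from the poll.
    """
    table: InterfaceTable = {}
    for name in sorted(os.listdir(sysfs_net_dir)):
        path = os.path.join(sysfs_net_dir, name)
        if not os.path.isdir(path):
            continue
        try:
            with open(os.path.join(path, "address"), encoding="ascii") as fh:
                table[name] = fh.read().strip().lower()
        except OSError:
            table[name] = ""
    return table


def diff_interfaces(prev: InterfaceTable, cur: InterfaceTable
                    ) -> Tuple[Set[str], Set[str], Set[str]]:
    """Classify the change between two polls.

    added   : names present now but not before (hot-added card)
    removed : names present before but gone now (unplugged card)
    changed : same name, different MAC (card replaced between polls)
    """
    added = set(cur) - set(prev)
    removed = set(prev) - set(cur)
    changed = {n for n in set(prev) & set(cur) if prev[n] != cur[n]}
    return added, removed, changed


def write_fake_sysfs(root: str, cards: InterfaceTable) -> None:
    """Build or update a constructed sysfs-like tree for offline testing."""
    for name, mac in cards.items():
        os.makedirs(os.path.join(root, name), exist_ok=True)
        with open(os.path.join(root, name, "address"), "w", encoding="ascii") as fh:
            fh.write(mac + "\n")


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Two polls of a constructed tree: eth1 hot-added, eth2 removed, eth0 swapped."""
    with tempfile.TemporaryDirectory() as root:
        write_fake_sysfs(root, {"lo": "00:00:00:00:00:00",
                                "eth0": "52:54:00:aa:bb:01",
                                "eth2": "52:54:00:aa:bb:03"})
        before = snapshot_interfaces(root)
        # changes that happen between two periodic checks (constructed)
        write_fake_sysfs(root, {"eth1": "52:54:00:aa:bb:02",
                                "eth0": "52:54:00:aa:bb:99"})
        shutil.rmtree(os.path.join(root, "eth2"))
        after = snapshot_interfaces(root)
        return diff_interfaces(before, after)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```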
As a second optional embodiment, building on the above embodiment, the following is added: according to the security instances contained in the security resource pool, determine a communication management configuration file containing at least one binary relation group, where a binary relation group is a pair of communication scenario information and management configuration information.
In this embodiment the security resource pool on the cloud platform holds many security instances. A security resource pool is a way of managing a set of security instances running various security engines. A security instance is a virtual machine (VM) or cloud host with a security software engine installed, for example a WAF or an NGFW (Next Generation Firewall). A binary relation group is a pairing of two pieces of data that belong together; given one member, its partner can be found in the group by table lookup.
Specifically, the communication management configuration file contains at least one binary relation group, each pairing communication scenario information with management configuration information. During network communication, the management configuration information corresponding to the communication scenario information can be determined from the binary relation groups in the file.
Further, determining a communication management configuration file containing at least one binary relation group according to the security instances in the security resource pool may include:
a1) Obtain the security instances stored in the security resource pool.
In this embodiment the security resource pool stores many security instances; each is obtained first and its type is determined.
b1) Determine the associated communication scenario information by analysing each security instance.
In this embodiment the security software engine installed in each security instance is determined from the instance type, and from that the type of communication scenario information involved in the instance's operation is determined.
c1) Receive the management configuration information configured for each piece of communication scenario information.
In this embodiment each piece of communication scenario information has management configuration information configured for it, and that configuration is received for each scenario.
d1) Form a binary relation group from each piece of communication scenario information and its corresponding management configuration information, and form a communication management configuration file containing all the binary relation groups.
In this embodiment, from the communication scenario information and the management configuration information received for each, a binary relation group is built from each scenario/configuration pair that has a corresponding configuration relationship, and the communication management configuration file is formed from those groups.
In this optional embodiment, the security instances stored in the security resource pool are obtained, the associated communication scenario information is determined by analysing each instance, the management configuration information configured for each scenario is received, and each scenario is paired with its configuration in a binary relation group, so that a communication management configuration file containing all the groups is formed. This fixes the content of the pre-configured file: it holds a binary relation group between each target communication scenario and its management configuration information, so the management configuration information for the target communication scenario of a host to be managed can be determined directly from the correspondence in the groups, without complicated steps to work out the host's current management configuration information. The management efficiency of cloud computing network communication is thereby improved.
Example two
Fig. 2 is a flowchart of a network communication management method of a cloud platform according to an embodiment of the present invention, and this embodiment further optimizes any of the above embodiments. The embodiment is applicable to the situation of performing configuration management on network communication services of different hosts of the cloud platform, and the method can be executed by a network communication management device of the cloud platform, and the device can be implemented in the form of hardware and/or software.
As shown in fig. 2, the method includes:
s201, aiming at any cloud host on the cloud platform, taking the cloud host as a host to be managed.
S202, determining a target security instance of the host to be managed which is currently operated, and determining communication requirements corresponding to the communication network under each communication network type involved in the operation of the target security instance.
The target security instance may be understood as a security instance running within the cloud host that is currently the host to be managed. The communication network type may be understood as a type of communication network. The communication requirement may be understood as a requirement required for the communication network to communicate in the target security instance.
Illustratively, the communication network may include network types such as a management communication network and a service communication network. Based on the communication network type as the communication network for managing the communication network, the corresponding communication requirements may include at least single sign-on, SSH (Secure Shell protocol) access, activation, and issuing of a certificate to the security engine, and the like. Based on the communication network being a service communication network in the communication network type, the corresponding communication requirement may at least comprise receiving externally pushed data information.
Specifically, a security instance currently operated by a host to be managed is determined as a target security instance, and based on a communication network type involved in the operation of the target security instance, a communication requirement corresponding to the communication network of the type is determined. For example, the management communication network operated based on the target security instance may determine that the communication requirement of the management communication network is single sign-on, and the business communication network operated based on the target security instance may determine that the communication requirement of the business communication network is receiving externally pushed log data, and the like, which is not limited in this embodiment.
And S203, determining the target communication scene information currently possessed by the host to be managed based on each communication requirement.
In this embodiment, target communication scenario information is determined by combining communication requirements in the host to be managed. Different types of communication networks existing in the host to be managed may include, for example, a management communication network and a service communication network, and the target communication scenario information currently possessed by the host to be managed may be determined based on a combination of a communication requirement corresponding to the management communication network and a communication requirement corresponding to the service communication network.
Exemplarily, for a management communication network, there are cloud management needs of single sign-on and activation, certificate issuing, etc., and only an external request is received, and the connection is not actively initiated outwards. For a service communication network, there may be a need to receive external service data only, forward the service data in a network proxy mode, and the like, and the network does not actively initiate connection to the outside, and even does not need to make any reply under the condition of adopting the udp protocol. The communication scenario information content may be determined according to the requirements of the management communication network and the business communication network, for example, the content may be a WAF firewall or a security log service.
And S204, determining the current management configuration information matched with the target communication scene information according to the pre-configured communication management configuration file.
S205, analyzing the current management configuration information, and determining the network communication management rule contained in the current management configuration information.
In this embodiment, the network communication management rule is the rule information used to manage network communication on the cloud platform; for example, it may configure a default route and/or a routing policy.
Specifically, configuring the default route obtains the network configuration through NIC auto-discovery and DHCP, and then fixes the egress NIC of the default route by setting a route priority. NIC auto-discovery can be implemented by the NIC detection of the above embodiment; obtaining the network configuration through DHCP means that the host to be managed obtains its IP address, mask, gateway and DNS server address through the Dynamic Host Configuration Protocol. The route priority can be fixed either by setting only one default route or by setting a route metric (which this embodiment calls the route management distance).
For example, to fix the priority by setting only one default route: the first NIC eth0 is the NIC of the communication network, only the gateway of eth0 is set as the default route, and no default route is set for any other NIC. This avoids the route conflict that arises when several NICs each carry a default route.
For example, to fix the priority by setting a metric: under the metric policy the smaller the value, the higher the priority. The first NIC eth0 is set as the NIC of the communication network, its default route is given metric 1 (or no metric, which on Linux counts as 0), and the default routes of the other NICs are given metrics greater than 1. eth0 then has the highest priority, and outbound traffic leaves only through its gateway. This likewise avoids route conflicts.
By setting the route priority the default route of the communication network is configured correctly: traffic of one type of communication network no longer leaks into another, and the conflict in which several NICs all carry a default route and the kernel cannot determine which gateway outbound traffic should use is avoided.
Specifically, configuring a routing policy is a technique that alters the path network traffic takes by modifying routing information, mainly by changing routing attributes (including reachability). For example, an iptables-based routing policy can keep the NIC through which a reply leaves consistent with the NIC through which the request arrived, so that traffic is sent and received accurately.
By configuring a routing policy, the traffic of a given communication network enters and leaves through the same NIC, so even NICs whose address ranges are identical can coexist, and the communication failure caused by the network conflict is resolved.
S206, determine the communication NICs currently possessed by the host to be managed according to the NIC information included in the communication attribute information.
In this embodiment, the NIC information included in the communication attribute information directly gives the type and number of communication NICs currently present. In the specific communication scenario of the host to be managed it is then determined whether the current NIC is the first NIC (the management NIC); if it is, a default route is configured for it according to the network communication management rule.
S207, perform routing configuration on each communication NIC according to the network communication management rule to obtain the current routing configuration information of the host to be managed, so that the host communicates in the target communication scenario based on that routing configuration information.
In this embodiment, the current routing configuration information of the host to be managed is obtained from the network communication management rules and the routes configured on each communication NIC; it can be inspected by querying the routing table, and it is what allows the host to communicate in the target communication scenario.
In this embodiment, any cloud host on the cloud platform is taken as the host to be managed; the security instance it currently runs is determined as the target security instance and the communication requirement of each type of communication network involved in running that instance is determined; the target communication scenario information currently possessed by the host is determined from those requirements; the current management configuration information matching that scenario information is determined from the pre-configured communication management configuration file; that configuration information is analysed to obtain the network communication management rule it contains; the communication NICs currently present are determined from the NIC information in the communication attribute information; and routing is configured on each communication NIC according to the rule to obtain the current routing configuration information, on which the host communicates in the target communication scenario. Configuring the routes of the communication NICs according to the network communication management rule in this way avoids route conflicts between NICs and conflicts between networks. The technical solution resolves the communication failure caused by conflicting communication networks and meets the varied network requirements of different cloud platforms to provide basic network service.
As a first optional embodiment, on the basis of the above embodiment, the step of obtaining the routing configuration information of the management communication network on the host to be managed is further refined and may specifically include:
a2) Determine, from the communication NICs, the target management NIC corresponding to the management communication network on the host to be managed.
In this embodiment, the target management NIC is the NIC through which the management communication network communicates on the cloud host. Several NICs may exist on the host to be managed; based on the target communication scenario information and the NIC information, the NIC corresponding to the management communication network is determined among them and taken as the target management NIC.
b2) Configure the gateway of the target management NIC as the default route on the host to be managed, and record it as the current routing configuration information of the host to be managed.
In this embodiment, a network gateway is the IP address through which one network connects to another network. Gateways can be classified by different standards; in this embodiment they may include a gateway under the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol, a gateway under the UDP (User Datagram Protocol) protocol and the like, which this embodiment does not limit.
Specifically, the gateway of the target management NIC of the management communication network is configured as the default route of the host to be managed and no default route is set for any other NIC, so that the host has exactly one default route, the one of the management communication network; the routing configuration information is recorded and stored, and its content can be inspected by querying the routing table.
For example, with eth0 as the target management NIC of the management communication network and the gateway of that NIC being 10.73.14.1, the default route is configured via 10.73.14.1.
c2) Determine, according to a set distance-determination rule, the route metrics of the target management NIC and of the remaining communication NICs, and form the current routing configuration information of the host to be managed from the metrics thus set.
In this embodiment, based on the network communication management rule, the set distance-determination rule is the metric policy: the smaller the metric (the route management distance), the higher the priority.
For example, with eth0 as the target management NIC of the management communication network, the default route of eth0 is given metric 1 and the default routes of the other communication NICs are given metrics greater than 1, for example metric 2 for eth1 and metric 3 for eth2. The target management NIC eth0 then has the highest priority, and outbound traffic leaves only through the gateway of eth0, which avoids route conflicts.
In this embodiment, setting the route priority configures the default route of the communication network correctly and fixes the single NIC through which outbound traffic leaves, so that traffic of one type of communication network no longer flows into another, and the conflict in which several NICs all carry a default route and no gateway can be chosen for outbound traffic is avoided.
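The two ways of fixing the default-route priority described in S205 above and in this first optional embodiment (a single default route on the management NIC, or metric 1 on eth0 and larger metrics on the service NICs) can be scripted and checked as follows. This is an added example written for this page, not code from the patent or its assignee. The function names default_route_plan, egress_nic and run, the DRY_RUN switch, the gateway 172.17.0.1 for the service NICs and the `ip route show` dump used as input are assumptions and constructed data; only eth0 with gateway 10.73.14.1 and the metrics 1, 2, 3 come from the text.

```shell
#!/bin/sh
# Added example (not from the patent): make the management NIC the only preferred
# default route, and check an `ip route show` dump for conflicting default routes.
# Assumed names: run, DRY_RUN, default_route_plan, egress_nic, SAMPLE_ROUTES.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (requires root)
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# default_route_plan MGMT_DEV MGMT_GW [DEV:GW ...]
# The management NIC gets metric 1; every service NIC gets a strictly larger metric,
# so the kernel always picks the management gateway for outbound traffic (step c2).
default_route_plan() {
  mgmt=$1; gw=$2; shift 2
  metric=1
  run ip route replace default via "$gw" dev "$mgmt" metric "$metric"
  for pair in "$@"; do
    metric=$((metric + 1))
    run ip route replace default via "${pair#*:}" dev "${pair%%:*}" metric "$metric"
  done
}

# egress_nic < dump-of-`ip route show`
# Prints the device of the lowest-metric default route. A route without "metric"
# counts as metric 0. Exits 1 when two default routes tie for the lowest metric:
# that tie is exactly the multi-NIC conflict the embodiment is designed to avoid.
egress_nic() {
  awk '
    $1 == "default" {
      dev = ""; m = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "dev")    dev = $(i + 1)
        if ($i == "metric") m   = $(i + 1) + 0
      }
      if (best == "" || m < bestm) { best = dev; bestm = m; ties = 1 }
      else if (m == bestm) ties++
    }
    END {
      if (best == "") { print "no default route" > "/dev/stderr"; exit 2 }
      if (ties > 1) { print "conflict: " ties " default routes share metric " bestm > "/dev/stderr"; exit 1 }
      print best
    }'
}

# Constructed sample dump for the topology in the text: eth0 management, eth1/eth2 service.
SAMPLE_ROUTES='default via 10.73.14.1 dev eth0 metric 1
default via 172.17.0.1 dev eth1 metric 2
default via 172.17.0.1 dev eth2 metric 3
10.73.14.0/24 dev eth0 proto kernel scope link src 10.73.14.5
172.17.0.0/24 dev eth1 proto kernel scope link src 172.17.0.5
172.17.0.0/24 dev eth2 proto kernel scope link src 172.17.0.5'

# Stand-alone demo: print the plan, then report which NIC the sample dump would use.
default_route_plan eth0 10.73.14.1 eth1:172.17.0.1 eth2:172.17.0.1
printf 'egress NIC for sample dump: %s\n' "$(printf '%s\n' "$SAMPLE_ROUTES" | egress_nic)"
```

Run with `DRY_RUN=0` as root to apply the plan; by default it only prints the commands. `egress_nic` is the check to run after any DHCP renewal on a multi-NIC host: a DHCP client that installs its own default route without a metric silently wins over the metric-1 management route, and the function reports the resulting NIC (or the tie) instead of leaving the conflict to be discovered as lost management traffic.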
As a second optional embodiment, on the basis of the above embodiment, the step of obtaining the routing configuration information of the service communication network on the host to be managed is further refined and may specifically include:
a3) Determine, from the communication NICs, each target service NIC corresponding to the service communication network on the host to be managed.
In this embodiment, a target service NIC is a NIC through which a service communication network communicates on the cloud host; several service NICs may exist on the host to be managed. Based on the target communication scenario information and the NIC information, the NICs corresponding to the service communication network are determined among all NICs and taken as target service NICs.
b3) Determine the service virtual host corresponding to each target service NIC according to the receiving path of the data packets received by the host to be managed.
In this embodiment, a data packet is one of the blocks into which a single message is divided on a switched network; each block carries the addresses of sender and receiver, may travel along a different path across one or more networks, and is reassembled at the destination. The receiving path is the path over which the host to be managed receives a packet sent by a service virtual host. A service virtual host is a virtual host on the cloud platform that exchanges service traffic with the host to be managed.
On the cloud platform the security resource pool contains many security instances, and when a user needs a security product the security instance is added to the user's own VPC (Virtual Private Cloud) network. During operation a security instance may be added to several service communication networks, so that several NICs appear dynamically in the host to be managed: the host must talk both to the cloud security management and control platform (management communication network) and to the user's VPC networks (service communication networks).
Specifically, from the receiving path of a packet received by the host to be managed, the sender at the far end of the path is determined and taken as the service virtual host corresponding to that target service NIC.
c3) Determine the packet mark of each target service NIC based on the host identity of each service virtual host.
The host identity is the unique identification number of the service virtual host, from which the service virtual host can be determined. Packet marking means marking the packets transmitted between the host to be managed and a service virtual host.
For example, the packet mark may be a Mark, a numeric mark that the kernel attaches to the packet, which can be represented as a 16-bit or 32-bit integer, for instance.
Under the iptables routing configuration, packets entering eth1 are marked 0x1 and packets entering eth2 are marked 0x2, and the mark is stored in the connection record; when the security engine has processed the data and needs to reply, the packet mark is restored from the connection record, so that the reply packet is routed correctly.
Fig. 3 shows an example of the communication topology between a cloud host and service virtual hosts in the network communication management method for a cloud platform according to the second embodiment of the present invention. As shown in Fig. 3, for a TCP connection the cloud host currently serving as the host to be managed has four NICs: eth0 is the NIC of the management communication network, and eth1, eth2 and eth3 are NICs of service communication networks. eth1 exchanges service traffic with service virtual host 1, eth2 with service virtual host 2, and eth3 with service virtual host 3. eth1 and eth3 are NICs of vpc1 and eth2 is a NIC of vpc2; eth1 and eth2 carry the same IP address, network1, for example 172.17.0.5, while eth3 carries a different address, network2; the security instance listens on TCP port 5.
Specifically, the service network 172.17.0.0/24 of vpc1 contains service virtual host 1 with IP address, for example, 172.17.0.2, which accesses 172.17.0.5 on the same network; traffic on eth1 is marked with mark = 1, that is 0x1 in hexadecimal as in the above embodiment. After a packet sent by service virtual host 1 reaches eth1 on TCP port 5 it is marked 1 under the iptables routing policy, and the packet returned to that service virtual host follows the original path back instead of leaving through another NIC along the default route.
The service network 172.17.0.0/24 of vpc2 contains service virtual host 2 with IP address 172.17.0.2, which accesses 172.17.0.5 on the same network; traffic on eth2 is marked with mark = 2, that is 0x2 in the above embodiment. After a packet sent by service virtual host 2 reaches eth2 on TCP port 5 it is marked 2 under the iptables routing policy, and the packet returned to that service virtual host follows the original path back instead of leaving through another NIC along the default route.
In this embodiment the network address ranges and IP addresses of eth1 and eth2 are identical, but the endpoints differ: the sources are two service virtual hosts in different VPC networks, and the destinations are two different service NICs of one cloud host that has joined both VPC networks. By controlling the routing policy the packets are marked, the reply takes the same path as the request, the gateway address of the target NIC is fixed, and the network conflict caused by a reply leaving through a NIC other than the one that received the request is avoided, so packets are sent and received correctly.
d3) Determine the routing information table of each target service NIC based on each packet mark.
In this embodiment, a routing table is a table (file) or database-like structure stored on the router or cloud host that holds the paths to specific network addresses. The routing configuration rule binds a specific packet mark to a specific routing table.
For example, in the routing rule configuration, packet mark 0x1 is bound to routing table 1 and packet mark 0x2 to routing table 2, while all other packets follow the system's default routing rule.
e3) Take each routing information table as the current routing configuration information of the host to be managed.
In this embodiment, the current routing configuration information of the host to be managed is determined from the routing information tables derived from the packet marks.
In this embodiment the service communication network is routed under the iptables routing policy, so packets are sent and received correctly even when the network address ranges and IP addresses of the service virtual hosts are identical. With this technical solution the traffic of the current communication network enters and leaves through the same port, identical addresses on different networks can coexist, and the communication failure caused by a network conflict is resolved.
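Steps b3 to e3 above describe mark-based policy routing in words; the following script shows the rule set that implements it for the Fig. 3 topology. It is an added example written for this page, not code from the patent or its assignee. The function names run, nic_mark, policy_route_global and policy_route_nic, the DRY_RUN switch, the convention that service NIC ethN uses mark N and routing table N, the gateways 172.17.0.1 and 172.18.0.1, and the subnet 172.18.0.0/24 for eth3 (the text only says eth3 is on a different network) are assumptions. The rp_filter settings are not in the patent; they are the caveat a practitioner needs when two NICs carry the same prefix.

```shell
#!/bin/sh
# Added example (not from the patent): mark-based policy routing so that a reply leaves
# through the NIC that received the request, even when eth1 and eth2 both carry
# 172.17.0.5/24. Assumed names: run, DRY_RUN, nic_mark, policy_route_global, policy_route_nic.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (requires root)
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Assumption: service NICs are named ethN and N is used as both fwmark and table id,
# i.e. eth1 -> mark 0x1 / table 1, eth2 -> mark 0x2 / table 2 (as in the text).
nic_mark() { printf '%s\n' "${1#eth}"; }

# Rules installed once. They must be appended before the per-NIC PREROUTING rules.
policy_route_global() {
  # Restore the saved connection mark onto every incoming packet first; for a new
  # connection it is still 0, so the per-NIC rule below is allowed to set it.
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  # Locally generated packets (the security engine answering a request) inherit the
  # mark of their connection; that mark selects the per-NIC table via ip rule.
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  # Two NICs on the same subnet defeat strict reverse-path filtering: the source
  # lookup picks one NIC and packets arriving on the other are dropped. The kernel
  # uses max(conf.all, conf.DEV), so "all" has to be loose (2) as well as each NIC.
  run sysctl -w net.ipv4.conf.all.rp_filter=2
}

# policy_route_nic DEV CIDR LOCAL_IP GATEWAY : rules for one service NIC (steps b3..d3).
policy_route_nic() {
  dev=$1; cidr=$2; local_ip=$3; gw=$4
  mark=$(nic_mark "$dev")
  # Unmarked (new) connections entering this NIC get its number, and the mark is
  # stored in the conntrack entry (the "connection record" in the text).
  run iptables -t mangle -A PREROUTING -i "$dev" -m mark --mark 0 -j MARK --set-mark "$mark"
  run iptables -t mangle -A PREROUTING -i "$dev" -j CONNMARK --save-mark
  # Per-mark routing table: the connected subnet (so 172.17.0.2 is reached on *this*
  # NIC, not on the other NIC with the same prefix) plus a default via this NIC's gateway.
  run ip route replace "$cidr" dev "$dev" src "$local_ip" table "$mark"
  run ip route replace default via "$gw" dev "$dev" table "$mark"
  # Packets carrying this mark consult this table before the main table (priority 32766).
  run ip rule add fwmark "$mark" table "$mark" priority "$((100 + mark))"
  run sysctl -w "net.ipv4.conf.$dev.rp_filter=2"
}

# Stand-alone demo for the topology of Fig. 3: eth0 is management (left on the main
# table), eth1 and eth2 are both 172.17.0.5/24 in different VPCs, eth3 is on another
# subnet (constructed here as 172.18.0.0/24).
policy_route_global
policy_route_nic eth1 172.17.0.0/24 172.17.0.5 172.17.0.1
policy_route_nic eth2 172.17.0.0/24 172.17.0.5 172.17.0.1
policy_route_nic eth3 172.18.0.0/24 172.18.0.5 172.18.0.1
```

The same rules cover the UDP case mentioned in the text, because conntrack tracks UDP flows as well and the reply inherits the mark through the OUTPUT rule. `iptables -A` and `ip rule add` are not idempotent, so on a re-run check with `iptables -t mangle -C` and `ip rule show` first, or flush the mangle table and the fwmark rules before reapplying; the marks only distinguish flows on this host and are never seen by the service virtual hosts.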
EXAMPLE III
Fig. 4 is a schematic structural diagram of a network communication management apparatus of a cloud platform according to a third embodiment of the present invention. As shown in fig. 4, the apparatus includes a first determining module 31, a second determining module 32, and a first obtaining module 33.
The first determining module 31 is configured to take any cloud host on the cloud platform as the host to be managed and to determine the target communication scenario information currently possessed by that host;
a second determining module 32, configured to determine, according to a pre-configured communication management configuration file, current management configuration information matched with the target communication scenario information;
the first obtaining module 33 is configured to perform, according to the current management configuration information and in combination with the communication attribute information of the host to be managed, routing configuration on the communication network of the host to be managed to obtain routing configuration information, so that the host to be managed communicates in the target communication scenario based on that routing configuration information.
By adopting the technical scheme of the embodiment, the communication management configuration file is configured in advance, and the efficiency of network communication management is improved. According to the management configuration information corresponding to each communication scene information, the routing is configured by combining the host attributes, and accurate and effective network service can be provided for different communication scene information of different cloud hosts. The effectiveness of determining the communication channel is improved, and the accurate management of network communication is realized.
The device further comprises a third determining module, configured to determine, according to each security instance included in the security resource pool, a communication management configuration file containing at least one binary relation group, where a binary relation group is a pairing of communication scenario information with management configuration information.
Optionally, the third determining module is specifically configured to:
acquiring each security instance stored in a security resource pool;
determining associated communication scenario information through analysis of each of the security instances;
receiving management configuration information configured with respect to each of the communication scene information;
and forming a binary relation group by using the communication scene information and the corresponding management configuration information to form a communication management configuration file containing each binary relation group.
Optionally, the first determining module 31 is specifically configured to:
determining a target security instance of the host to be managed which operates currently, and determining communication requirements corresponding to communication networks under various communication network types involved in the operation of the target security instance;
and determining the target communication scene information currently possessed by the host to be managed based on each communication requirement.
Optionally, the first obtaining module 33 includes:
a first determining unit, configured to analyze the current management configuration information, and determine a network communication management rule included in the current management configuration information;
a second determining unit, configured to determine, according to network card information included in the communication attribute information, a communication network card currently provided by the host to be managed;
and the first acquisition unit is used for carrying out route configuration by combining each communication network card according to the network communication management rule to acquire the current route configuration information of the host to be managed.
Optionally, the first obtaining unit is specifically configured to:
determining a target management network card corresponding to a management communication network on the host to be managed from each communication network card;
configuring the network gateway of the target management network card as default routing information on the host to be managed, and recording the default routing information as the current routing configuration information of the host to be managed; or,
and determining the route management distances of the target management network card and the rest communication network cards according to a set distance determination rule, and forming the current route configuration information of the host to be managed based on the set route management distances.
Optionally, the first obtaining unit is further specifically configured to:
determining each target business network card corresponding to the business communication network on the host to be managed from each communication network card;
determining a service virtual host corresponding to each target service network card according to a receiving path of a data packet received by the host to be managed;
determining a data packet label of each target service network card based on the host identity of each service virtual host;
determining a routing information table of each target service network card based on each data packet label;
and taking each routing information table as the current routing configuration information of the host to be managed.
The network communication management device of the cloud platform provided by the embodiment of the invention can execute the network communication management method of the cloud platform provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example four
Fig. 5 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention. The electronic device 40 may be understood as applying to a network management device on a cloud platform, intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in Fig. 5, the electronic device 40 includes at least one processor 41 and a memory communicatively connected to the at least one processor 41, such as a Read Only Memory (ROM) 42 and a Random Access Memory (RAM) 43; the memory stores a computer program executable by the at least one processor, and the processor 41 performs various suitable actions and processes according to the computer program stored in the ROM 42 or loaded from the storage unit 48 into the RAM 43. The RAM 43 may also store the programs and data required for the operation of the electronic device 40. The processor 41, the ROM 42 and the RAM 43 are connected to each other via a bus 44, and an input/output (I/O) interface 45 is also connected to the bus 44.
A number of components in the electronic device 40 are connected to the I/O interface 45, including: an input unit 46 such as a keyboard, a mouse, etc.; an output unit 47 such as various types of displays, speakers, and the like; a storage unit 48 such as a magnetic disk, an optical disk, or the like; and a communication unit 49 such as a network card, modem, wireless communication transceiver, etc. The communication unit 49 allows the electronic device 40 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Processor 41 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of processor 41 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 41 performs the various methods and processes described above, such as a network communication management method of a cloud platform.
In some embodiments, the network communication management method of the cloud platform may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 40 via the ROM 42 and/or the communication unit 49. When the computer program is loaded into the RAM 43 and executed by the processor 41, one or more steps of the network communication management method of the cloud platform described above may be performed. Alternatively, in other embodiments, processor 41 may be configured in any other suitable manner (e.g., by way of firmware) to perform a network communication management method for a cloud platform.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or cloud host, which is a host product in a cloud computing service system and addresses the drawbacks of traditional physical hosts and VPS services, namely difficult management and poor service scalability.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (11)

1. A network communication management method for a cloud platform, applied to a network management device on the cloud platform, the method comprising:
for any cloud host on the cloud platform, taking the cloud host as a host to be managed, and determining the target communication scenario information that the host to be managed currently has;
determining current management configuration information matching the target communication scenario information according to a pre-configured communication management configuration file; and
according to the current management configuration information, in combination with the communication attribute information of the host to be managed, performing routing configuration on the communication network of the host to be managed to obtain routing configuration information, so that the host to be managed performs network communication based on the routing configuration information in the target communication scenario.
2. The method of claim 1, further comprising:
detecting the network cards with which the host to be managed is equipped, and taking the obtained network card information as the communication attribute information.
3. The method of claim 1, further comprising:
determining, according to each security instance included in a security resource pool, a communication management configuration file including at least one binary relation group, wherein a binary relation group is a pair of communication scenario information and management configuration information.
4. The method of claim 3, wherein determining the communication management configuration file including at least one binary relation group according to the security instances included in the security resource pool comprises:
acquiring each security instance stored in the security resource pool;
determining the associated communication scenario information by analysing each security instance;
receiving management configuration information configured for each item of communication scenario information; and
forming a binary relation group from each item of communication scenario information and its corresponding management configuration information, so as to form a communication management configuration file containing each binary relation group.
5. The method of claim 1, wherein determining the target communication scenario information that the host to be managed currently has comprises:
determining the target security instance currently running on the host to be managed, and determining the communication requirement on the communication network of each communication network type involved in the operation of the target security instance; and
determining the target communication scenario information that the host to be managed currently has based on each communication requirement.
6. The method of claim 1, wherein performing routing configuration on the communication network of the host to be managed according to the current management configuration information in combination with the communication attribute information of the host to be managed, to obtain the routing configuration information, comprises:
parsing the current management configuration information, and determining the network communication management rule it contains;
determining the communication network cards that the host to be managed currently has according to the network card information included in the communication attribute information; and
performing routing configuration according to the network communication management rule in combination with each communication network card, to obtain the current routing configuration information of the host to be managed.
7. The method of claim 6, wherein performing routing configuration according to the network communication management rule in combination with each communication network card to obtain the current routing configuration information of the host to be managed comprises:
determining, from the communication network cards, the target management network card corresponding to the management communication network on the host to be managed; and
configuring the network gateway of the target management network card as the default route on the host to be managed, and recording the default route as the current routing configuration information of the host to be managed; or
determining the route administrative distances of the target management network card and the remaining communication network cards according to a set distance determination rule, and forming the current routing configuration information of the host to be managed based on the set route administrative distances.
8. The method of claim 6, wherein performing routing configuration according to the network communication management rule in combination with each communication network card to obtain the current routing configuration information of the host to be managed comprises:
determining, from the communication network cards, each target service network card corresponding to a service communication network on the host to be managed;
determining the service virtual host corresponding to each target service network card according to the receiving path of the data packets received by the host to be managed;
determining a data packet label for each target service network card based on the host identifier of the corresponding service virtual host;
determining a routing information table for each target service network card based on each data packet label; and
taking each routing information table as the current routing configuration information of the host to be managed.
9. A network communication management apparatus for a cloud platform, comprising:
a first determining module, configured to take any cloud host on the cloud platform as a host to be managed and determine the target communication scenario information that the host to be managed currently has;
a second determining module, configured to determine current management configuration information matching the target communication scenario information according to a pre-configured communication management configuration file; and
a first obtaining module, configured to perform routing configuration on the communication network of the host to be managed according to the current management configuration information in combination with the communication attribute information of the host to be managed, to obtain routing configuration information, so that the host to be managed performs network communication based on the routing configuration information in the target communication scenario.
10. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, wherein
the memory stores a computer program executable by the at least one processor, the computer program, when executed by the at least one processor, enabling the at least one processor to perform the network communication management method for a cloud platform according to any one of claims 1 to 8.
11. A computer-readable storage medium storing computer instructions which, when executed, cause a processor to implement the network communication management method for a cloud platform according to any one of claims 1 to 8.
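The procedure of claims 1 to 8, as an added illustration that is not code from the patent or from its applicant: a Python planner that picks the communication scenario from the network types a security instance needs, looks up the management configuration in the profile, checks the network card attributes, and emits the Linux `ip` and `iptables` commands for the default route (claim 7, both branches) and for one policy-routing table per service network card keyed by a connection mark derived from the service virtual host identifier (claim 8). The profile layout, NIC records, scenario names, table numbers and mark derivation are assumptions made for this example; the commands are returned as strings and never executed, so it runs offline.

```python
"""Policy-routing plan for one cloud host, modelled on claims 1 to 8.

Added illustration only; not code from the patent or from its applicant.
The profile layout, NIC records, scenario names, table numbers and the mark
derivation are assumptions chosen for this example.  Commands are returned
as strings and never executed.
"""
from dataclasses import dataclass
from typing import Dict, List
import ipaddress
import zlib


@dataclass(frozen=True)
class Nic:
    """Communication attribute information for one network card (claim 2)."""
    name: str      # interface name, e.g. "eth0" (assumed)
    role: str      # "management" or "service"
    cidr: str      # address with prefix length, e.g. "10.0.0.5/24"
    gateway: str   # next hop, which must be on-link for this interface


@dataclass(frozen=True)
class ManagementConfig:
    """One 'management configuration information' entry of the profile (claim 3)."""
    default_via_management: bool   # claim 7, first branch: management gateway is the default route
    metrics: Dict[str, int]        # claim 7, second branch: role -> route metric (Linux's administrative distance)
    per_nic_tables: bool           # claim 8: one routing table per service network card


# Communication management profile: scenario -> configuration (claims 3 and 4).
PROFILE: Dict[str, ManagementConfig] = {
    "management-only": ManagementConfig(True, {}, False),
    "management+service": ManagementConfig(False, {"management": 100, "service": 200}, True),
}


def determine_scenario(network_types: List[str]) -> str:
    """Claim 5: map the network types the running security instance needs to a scenario."""
    needed = frozenset(network_types)
    scenarios = {
        frozenset({"management"}): "management-only",
        frozenset({"management", "service"}): "management+service",
    }
    if needed not in scenarios:
        raise ValueError(f"no scenario covers network types {sorted(needed)}")
    return scenarios[needed]


def packet_mark(vhost_id: str) -> int:
    """Claim 8: data packet label derived from the service virtual host identifier.
    Encoded here (assumption) as a non-zero 32-bit fwmark."""
    return zlib.crc32(vhost_id.encode()) or 1


def plan_routes(cfg: ManagementConfig, nics: List[Nic],
                vhost_by_nic: Dict[str, str]) -> List[str]:
    """Claims 6 to 8: combine the configuration with the NIC attributes into commands."""
    mgmt = [n for n in nics if n.role == "management"]
    if len(mgmt) != 1:
        raise ValueError("expected exactly one management network card")
    for n in nics:
        net = ipaddress.ip_interface(n.cidr).network
        if ipaddress.ip_address(n.gateway) not in net:   # reject a gateway that is not on-link
            raise ValueError(f"{n.name}: gateway {n.gateway} is not in {net}")

    cmds: List[str] = []
    if cfg.default_via_management:
        m = mgmt[0]
        cmds.append(f"ip route replace default via {m.gateway} dev {m.name}")
    else:
        for n in nics:
            if n.role not in cfg.metrics:
                raise ValueError(f"no route metric configured for role {n.role!r}")
            cmds.append(f"ip route replace default via {n.gateway} dev {n.name} metric {cfg.metrics[n.role]}")

    if cfg.per_nic_tables:
        owner: Dict[int, str] = {}
        table = 100   # assumed base id for the per-NIC routing tables
        service_nics = [n for n in nics if n.role == "service"]
        for n in service_nics:
            mark = packet_mark(vhost_by_nic[n.name])
            if owner.setdefault(mark, n.name) != n.name:
                raise ValueError(f"fwmark collision between {owner[mark]} and {n.name}")
            net = ipaddress.ip_interface(n.cidr).network
            cmds += [
                f"ip route replace {net} dev {n.name} table {table}",
                f"ip route replace default via {n.gateway} dev {n.name} table {table}",
                f"ip rule add fwmark {mark:#x} lookup {table}",
                # packets arriving on this card tag their connection with the label
                f"iptables -t mangle -A PREROUTING -i {n.name} -j CONNMARK --set-mark {mark:#x}",
            ]
            table += 1
        if service_nics:
            # locally generated replies inherit the label, so the rule above sends them back out the same card
            cmds.append("iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark")
    return cmds


# Constructed sample host: one management card and two service cards, each
# reaching a single service virtual host whose identifiers are made up.
SAMPLE_NICS = [
    Nic("eth0", "management", "10.0.0.5/24", "10.0.0.1"),
    Nic("eth1", "service", "192.168.10.5/24", "192.168.10.1"),
    Nic("eth2", "service", "192.168.20.5/24", "192.168.20.1"),
]
SAMPLE_VHOSTS = {"eth1": "vhost-a1", "eth2": "vhost-b2"}


def example_plan() -> List[str]:
    """Run the whole procedure for the sample host."""
    scenario = determine_scenario(["management", "service"])
    return plan_routes(PROFILE[scenario], SAMPLE_NICS, SAMPLE_VHOSTS)


if __name__ == "__main__":
    print("\n".join(example_plan()))
```

The on-link check on every gateway and the mark-collision check are the two sanity checks worth having before a plan like this is applied with root privileges. The per-card tables together with the CONNMARK restore keep replies to traffic that arrived on a service card leaving through that same card, so tenant traffic does not return over the management network even though the management gateway carries the preferred default route.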

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211345316.5A CN115664920A (en) 2022-10-31 2022-10-31 Network communication management method, device, equipment and storage medium of cloud platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211345316.5A CN115664920A (en) 2022-10-31 2022-10-31 Network communication management method, device, equipment and storage medium of cloud platform

Publications (1)

Publication Number Publication Date
CN115664920A true CN115664920A (en) 2023-01-31

Family

ID=84993086

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211345316.5A Pending CN115664920A (en) 2022-10-31 2022-10-31 Network communication management method, device, equipment and storage medium of cloud platform

Country Status (1)

Country Link
CN (1) CN115664920A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination