CN116319927A - Service calling method, electronic equipment and system in hybrid cloud environment - Google Patents


Info

Publication number
CN116319927A
Authority
CN
China
Prior art keywords
service
platform
call request
cloud platform
private cloud
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310105785.8A
Other languages
Chinese (zh)
Inventor
陈登月
王景龙
陈樟洪
莫元武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
eBaoTech Corp
Original Assignee
eBaoTech Corp

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities

Abstract

The application relates to the technical field of computers, in particular to a service calling method, electronic equipment and a system in a hybrid cloud environment. The method comprises the following steps: a first private cloud platform in the at least one private cloud platform receives a first call request, wherein the first call request is a call request for a platform service running in the hybrid cloud environment; when it is determined that the first call request meets a preset forwarding condition for forwarding to a platform service deployed on at least one public cloud platform for processing, the first private cloud platform encrypts the first call request and forwards the encrypted first call request to the first public cloud platform; and when it is determined that the first call request does not meet the preset forwarding condition, the first private cloud platform sends the first call request to a second platform service on the first private cloud platform. Thus, the security of external service calls on the public cloud platform is improved, and service call requests in the hybrid cloud environment are processed more efficiently.

Description

Service calling method, electronic equipment and system in hybrid cloud environment
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a service calling method, an electronic device, and a system in a hybrid cloud environment.
Background
Cloud computing, as an emerging industry in recent years, has gained widespread attention in both the scientific and industrial worlds. In current commercial scenarios, the platform services provided by a cloud platform and the user services that support terminal software or applications in providing their required functions often depend on each other to achieve the greatest effect. For example, a platform service may provide non-business functionality that supports user services, which can then extend their business capabilities by means of the functionality the platform service provides.
Cloud platforms that provide platform services differ mainly by running environment, of which there are two types: public clouds and private clouds. In the public cloud scheme, platform services are deployed on a public cloud by means of a cloud service provider such as Alibaba Cloud™ or Tencent Cloud™, and the user terminal must access the public cloud over the public network to call the corresponding platform service. In the private cloud scheme, the user enterprise must own intranet servers and middleware on which all or part of the required platform services are deployed. A scheme that is widely used at present is the hybrid cloud, which deploys platform services on both a public cloud and a private cloud; this integrates the technical advantages of the two, so that platform services can be provided to users more comprehensively and securely.
At present, an edge router can be deployed in each of the public cloud and the private cloud, and the two edge routers connected through a physical private line to construct a hybrid cloud environment, so that private-network mutual access is possible and the data and platform services provided by each side can be shared between the public cloud and the private cloud. However, in such a hybrid cloud environment the edge router cannot accurately identify whether a service call request sent by the user terminal targets a platform service provided by the public cloud or one provided by the private cloud. The forwarding time of the service call request in the hybrid cloud environment is therefore too long, which causes relatively high service call latency and a relatively long response time at the user terminal, and this does not help improve the user's experience.
Disclosure of Invention
The application provides a service calling method, electronic equipment and a system in a hybrid cloud environment, wherein service call requests for platform services running in the hybrid cloud environment are received through a private cloud platform with higher security, and a service call request for an external service on the public cloud is encrypted before being forwarded to the public cloud platform, which improves the security of the business system's server when it calls services of the public cloud platform. In addition, when a service call request is received, the running environment of the service it targets is distinguished, so that the cloud platform providing the hybrid cloud environment processes service call requests more efficiently; the server's service call requests are therefore answered more quickly, the server's data processing efficiency improves, and so does the user's experience.
In a first aspect, the present application provides a service invocation method applied to a cloud platform providing a hybrid cloud environment, where the cloud platform includes at least one private cloud platform and at least one public cloud platform, and the method includes: a first private cloud platform in the at least one private cloud platform receives a first call request, wherein the first call request is a call request for a platform service running in a hybrid cloud environment; determining that the first call request accords with a preset forwarding condition for forwarding to platform services deployed on at least one public cloud platform for processing, encrypting the first call request by the first private cloud platform, and forwarding the encrypted first call request to the first public cloud platform, wherein the preset forwarding condition comprises determining that a target service of the first call request corresponding to the request is a first platform service provided by the first public cloud platform; and determining that the first calling request does not meet a preset forwarding condition, and sending the first calling request to a second platform service by the first private cloud platform, wherein the second platform service is a service provided by the first private cloud platform.
For example, the cloud platform for providing the hybrid cloud environment includes a private cloud platform and a public cloud platform, wherein the private cloud platform is responsible for accessing service call requests for each platform service on the cloud platform, namely, the first call request. It can be understood that in the service invocation method provided in the present application, the private cloud platform is responsible for accessing the service invocation request, so that the platform service on the cloud platform or the platform service running in the hybrid cloud environment may be, for example, an internal service running in the private cloud environment provided by the private cloud platform, including the second platform service. The platform service on the cloud platform may be, for example, an external service running in a public cloud environment provided by a public cloud platform, including the first platform service. In other embodiments, the platform services running in the private cloud environment and the platform services running in the public cloud environment may also be described by other types of names, without limitation.
Therefore, in the service call scheme provided in the first aspect, that is, in the process of processing call requests for platform services in the hybrid cloud environment, the private cloud platform with higher security uniformly receives the service call requests. When the private cloud platform determines that a received service call request is a request to call an external service provided by the public cloud platform, that is, that the request meets the preset forwarding condition, it encrypts the request and then forwards the encrypted request to the public cloud platform for processing. Thus, the security of external service calls on the public cloud platform is improved, and service call requests in the hybrid cloud environment are processed more efficiently.
In one possible implementation of the first aspect, a target service list is preset on the cloud platform, the target service list being used to record related information about one or more platform services provided by the first public cloud platform, and determining that the first call request meets the preset forwarding condition for forwarding to a platform service deployed on at least one public cloud platform for processing includes: the first private cloud platform compares the related information of the target service with the related information of each platform service in the target service list; the first private cloud platform determines that the related information of the target service matches the related information of the first platform service in the target service list, and determines that the first call request meets the preset forwarding condition.
In one possible implementation of the first aspect, a second service list is preset on the cloud platform, the second service list being used to record related information about one or more platform services provided by the first private cloud platform, and determining that the first call request meets the preset forwarding condition for forwarding to a platform service deployed on at least one public cloud platform for processing includes: the first private cloud platform compares the related information of the target service with the related information of each platform service in the second service list; the first private cloud platform determines that the related information of the target service has no matching record in the second service list, and determines that the first call request meets the preset forwarding condition.
In one possible implementation of the first aspect, determining that the first call request does not meet the preset forwarding condition includes: the first private cloud platform determines that the related information of the target service matches the related information of the second platform service in the second service list, and determines that the first call request does not meet the preset forwarding condition.
In a possible implementation manner of the first aspect, the target service list or the second service list is preset on the first private cloud platform; or the target service list or the second service list is preset in a data storage space provided by the first public cloud platform to the first private cloud platform.
In a possible implementation of the first aspect, the information about the platform service includes at least one of the following information: identification information of the first platform service or the second platform service; public cloud environment information to which the first platform service belongs or private cloud environment information to which the second platform service belongs; path information of the first platform service or the second platform service.
In one possible implementation of the first aspect, the first private cloud platform holds a first key preset for first call requests that meet the preset forwarding condition, and encrypting the first call request includes: the first private cloud platform encrypts the first call request with the first key.
In one possible implementation of the first aspect, sending the first call request to the second platform service includes: the first private cloud platform confirms that a requester of the first call request has call authority to the second platform service, and sends the first call request to the second platform service.
It may be appreciated that the private cloud platform, upon receiving a service call request for a platform service in the hybrid cloud environment, may first authenticate it, e.g., confirm whether the requester of the first call request has call authority for the first platform service or the second platform service. A first call request that passes authentication is then sent to the second platform service on the private cloud platform or forwarded to the public cloud platform where the first platform service is located. Thus, the service call requests entering the hybrid cloud environment are filtered, and service call requests without permission are prevented from occupying resources in the hybrid cloud environment.
In one possible implementation of the first aspect, the first private cloud platform includes a first gateway module and a pre-deployed routing service, and the method includes: the first gateway module receives a first call request for a target service; determining that the first call request accords with a preset forwarding condition for forwarding to a platform service deployed on at least one public cloud platform for processing, and sending the forwarding request to a routing service by a first gateway module; in response to the forwarding request, the routing service encrypts the first call request and forwards the encrypted first call request to the first public cloud platform; and determining that the first call request does not meet the preset forwarding condition, and sending the first call request to the second platform service by the first gateway module.
The private cloud platform can access the service call request through the gateway module, and the gateway module can judge whether the service call request received by the private cloud platform meets the preset forwarding condition or not. And when the forwarding condition is met, the gateway module on the private cloud platform can forward the received service call request to the public cloud platform through a preset routing module, for example, to the first public cloud platform.
In one possible implementation manner of the first aspect, the first public cloud platform includes a second gateway module, and forwards the encrypted first call request to the first public cloud platform, including: the routing service sends the encrypted first call request to the second gateway module, and the second gateway module sends the first call request to the first platform service under the condition that the requester of the first call request is determined to have the call authority.
In a second aspect, the present application provides an electronic device, comprising: one or more processors; one or more memories; the one or more memories store one or more programs that, when executed by the one or more processors, cause the electronic device to run a cloud platform that provides a hybrid cloud environment and to perform the service invocation methods provided in the first aspect and various possible implementations of the first aspect described above.
In a third aspect, the present application provides a service system, including a server and a client, where the server operates on a cloud platform that provides a hybrid cloud environment, the cloud platform includes at least one private cloud platform and at least one public cloud platform, and the server responds to a service invocation request sent by the client by executing the service invocation method provided in the foregoing first aspect and various possible implementations of the first aspect.
Drawings
Fig. 1 is a schematic diagram of a service call scenario of a hybrid environment according to an embodiment of the present application.
Fig. 2 is a schematic software structure diagram of private cloud and public cloud in a hybrid cloud environment according to an embodiment of the present application.
Fig. 3 is a schematic process diagram of a cloud platform providing a hybrid cloud environment according to an embodiment of the present application in response to a service call request sent by a user terminal.
Fig. 4 is a schematic implementation flow diagram of a service calling method in a hybrid cloud environment according to an embodiment of the present application.
Fig. 5 is a schematic structural diagram of an electronic device for running a cloud platform that provides a hybrid cloud environment according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be described in detail below with reference to the accompanying drawings and specific embodiments of the present application.
In order to facilitate understanding of the solutions in the embodiments of the present application by those skilled in the art, some concepts and terms related to the embodiments of the present application are explained below.
(1) A public cloud is a cloud platform mode that provides public computing resources and platform services to the general public. For example, the public cloud may consist of resources, such as application computing and storage resources, provided by an internet data center (IDC) service provider or a third party. The resources may be deployed on the service provider's premises, and users acquire and use them through a public network such as the internet. The advantages of the public cloud are low cost and very good scalability. Its drawbacks are a lack of control over cloud resources, concerns about the security of confidential data, and network performance and compatibility problems.
(2) A private cloud is a cloud platform mode that extends and optimizes an enterprise's traditional data center and can provide storage and processing capacity for various functions. "Private" refers more to such a platform being a non-shared resource than to its security advantages. A private cloud is built for a single customer's exclusive use. The data, security and quality of service provided by a private cloud are better guaranteed than those of a public cloud.
(3) The hybrid cloud is currently the mainstream cloud platform model. In the hybrid cloud mode, the cloud platform is composed of two different modes, a private cloud and a public cloud. The private cloud and the public cloud platform remain independent entities, but are bound together using standardized or proprietary technology, so that data and applications can be migrated between them and data sharing and interaction between the platform services they provide are realized. In the hybrid cloud mode, an enterprise user can deploy secondary applications and data on the public cloud, making full use of the public cloud's advantages in scalability and cost, while deploying key applications and data on the private cloud, where security is higher.
Fig. 1 illustrates a service invocation scenario diagram of a hybrid environment, according to an embodiment of the present application.
As shown in fig. 1, the scenario includes a user terminal 100 and a cloud platform providing a hybrid cloud environment, which may include at least one private cloud 200 and at least one public cloud 300. The user terminal 100 may run a client that provides various user services, for example insurance business system software or an application product that provides services such as insurance application and policy management, which is not limited herein.
It will be appreciated that in the above-described hybrid cloud environment, platform services for supporting user services to implement various functions may be deployed on private cloud 200 and public cloud 300, respectively, for example, some platform services may provide computing resources for processing computing of large-scale policy data, and storage resources for storing applicant information of each insurance company, etc., without limitation.
In order to distinguish the platform services provided by the private cloud 200 from those provided by the public cloud 300, in the embodiments of the present application the platform services provided by the private cloud 200 are referred to as internal services, and the platform services provided by the public cloud 300 are referred to as external services. In the embodiments of the present application, for security and to optimize the resource structure, the user may choose to deploy on the private cloud 200 a smaller number of internal services that provide the necessary business functions, and to deploy on the public cloud 300 the more general functional services that can be provided in common to every tenant, that is, the external services described above. There is no limitation in this regard.
It will be appreciated that in the scenario shown in fig. 1, the user service provided by the client running on the user terminal 100 may need an internal service provided by the hybrid cloud environment to implement a given function, and may likewise need an external service. As described above, edge routers can be deployed on the private cloud 200 and the public cloud 300 that currently support the hybrid cloud environment, and a physical private line connection established between them to implement data sharing and service interaction, after which the user terminal 100 can obtain the external services provided on the public cloud 300 through the private cloud 200. However, in such a hybrid cloud environment, the private cloud 200 cannot promptly distinguish whether an incoming service call request targets an internal service provided by the private cloud 200 or an external service provided by the public cloud 300. The forwarding time of service call requests in the hybrid cloud environment is therefore too long, which causes higher service call latency and a longer response time at the user terminal, and this does not help improve the user's experience.
In order to solve the above problems, the embodiment of the present application provides a service calling method in a hybrid cloud environment, which is applied to a cloud platform. The cloud platform can operate on electronic equipment with rich hardware resources such as a server or a server cluster, and comprises public clouds and private clouds, wherein the private clouds provide private cloud environments in a hybrid cloud environment, and the public clouds provide public cloud environments in the hybrid cloud environment.
Specifically, the method preconfigures a service list on the private cloud of the hybrid cloud environment; the service list may contain related information about the various external services provided by the public cloud, and may be preset in the form of a configuration file on the private cloud or in a commonly accessible space of the hybrid cloud environment. Furthermore, the method deploys on the private cloud a routing service for forwarding service call requests to the public cloud, and the API gateway on the private cloud uses the preconfigured service list to determine whether a received service call request should be forwarded to the public cloud through that routing service. Here the API gateway is an application programming interface (API) gateway that receives service call requests. The API gateway directs service call requests that meet the preset forwarding condition to the preset routing service, and the routing service forwards them to the public cloud in a uniform manner.
A service call request that meets the preset forwarding condition may be, for example, a request identical to the API request corresponding to a platform service preconfigured in the service list. For a service call request that does not meet the preset forwarding condition, for example an API request for a service other than the platform services preconfigured in the service list, the API gateway may authenticate the service call request according to its existing processing logic and forward it to the corresponding internal service on the private cloud. The authentication may, for example, check whether the requester of the service call request has the authority to call the requested service; the specific check may, for example, be performed according to the requester's tenant permissions on the corresponding cloud, which is not limited herein.
In this way, in the hybrid cloud environment, the service call requests sent by user terminals can be forwarded according to their target, so that the corresponding platform services on the public cloud and the private cloud are called accurately, the response efficiency to service call requests is improved, the response efficiency of the user terminal to user operations is ultimately improved, and the user experience is improved. To ensure that service call requests forwarded by multiple private clouds to the same public cloud are processed securely, a multi-tenant isolation mechanism can be applied on the public cloud, providing different tenant spaces for different private clouds for data isolation, which further improves the security of calling external services on the public cloud.
It will be appreciated that in some embodiments, a single service list may be preset, for example an external service list that records only related information about the external services provided by the public cloud, or an internal service list that records only related information about the internal services provided by the private cloud. In that case, if the platform service corresponding to the service call request is on the external service list, or is not on the internal service list, the request is determined to meet the preset forwarding condition and needs to be forwarded through the routing service. Otherwise, if the platform service corresponding to the service call request is not on the external service list, or is on the internal service list, the request is determined not to meet the preset forwarding condition. In other embodiments, two lists may be preset, for example the internal service list and the external service list may both be configured, which is not limited herein.
It can be understood that when the above routing service forwards a service call request meeting a preset forwarding condition to the public cloud, the routing service may encrypt a related data packet of the service call request by using a preset key, and then forward the encrypted service call request data packet to the public cloud for processing. Thus, the security of accessing the public cloud to call the external service can be improved.
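The following Go program is an added example, not code from the patent or from eBaoTech, that models the gateway decision described in the first-aspect implementations above and in the preceding paragraphs: the service-list check for the preset forwarding condition (external list, or internal-list-only mode), the call-authority check for internal services, and encryption with a preset key before forwarding. Service identifiers, tenant names, the 32-byte key and the choice of AES-256-GCM with the target service ID bound as associated data are assumptions; the description only says that a preset key is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CallRequest is a simplified service call request at the private-cloud gateway.
type CallRequest struct {
	Requester string // identity used for the call-authority check
	TargetID  string // identification information of the requested platform service
	Payload   []byte // request body for the target service
}

type Decision int
const (
	ForwardToPublicCloud  Decision = iota // preset forwarding condition met
	SendToInternalService                 // not met; handled on the private cloud
	Rejected                              // unknown target or no call authority
)

// Gateway stands in for gateway module 201 plus the lists, key and permissions
// that configuration module 202 and authentication module 203 would supply.
type Gateway struct {
	externalServices map[string]bool            // target service list: public-cloud service IDs
	internalServices map[string]bool            // second service list: private-cloud service IDs
	permissions      map[string]map[string]bool // requester -> service ID -> may call
	aead             cipher.AEAD                // AES-GCM keyed with the preset first key
}

// meetsForwardingCondition is the list check from the description: a match in the
// target (external) list when one is configured, otherwise no match in the internal
// list (in that mode every unknown target is forwarded, so the public-cloud gateway
// must still authenticate whatever arrives).
func (g *Gateway) meetsForwardingCondition(targetID string) bool {
	if len(g.externalServices) > 0 {
		return g.externalServices[targetID]
	}
	return !g.internalServices[targetID]
}

// Route either seals the request for the routing service, binding the target ID
// as associated data, or checks call authority and returns the plaintext.
func (g *Gateway) Route(req CallRequest) (Decision, []byte, error) {
	if g.meetsForwardingCondition(req.TargetID) {
		sealed, err := seal(g.aead, []byte(req.TargetID), req.Payload)
		if err != nil {
			return Rejected, nil, err
		}
		return ForwardToPublicCloud, sealed, nil
	}
	if !g.internalServices[req.TargetID] || !g.permissions[req.Requester][req.TargetID] {
		return Rejected, nil, fmt.Errorf("%s may not call %s on the private cloud", req.Requester, req.TargetID)
	}
	return SendToInternalService, req.Payload, nil
}

// seal encrypts and authenticates payload; a fresh random nonce is prepended.
func seal(aead cipher.AEAD, aad, payload []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, payload, aad), nil
}

// open is what the second gateway module on the public cloud runs: a wrong key,
// a tampered body or a mismatched target ID fails authentication and is dropped.
func open(aead cipher.AEAD, aad, sealed []byte) ([]byte, error) {
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed request too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// NewDemoGateway builds a gateway from constructed sample lists and a constructed
// 32-byte key; a deployment would load all of these from the configuration module.
func NewDemoGateway() *Gateway {
	block, err := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef"))
	if err != nil {
		panic("first key must be 16, 24 or 32 bytes: " + err.Error())
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return &Gateway{
		externalServices: map[string]bool{"policy-calc": true},
		internalServices: map[string]bool{"policy-store": true},
		permissions:      map[string]map[string]bool{"tenant-a": {"policy-store": true}},
		aead:             aead,
	}
}

func main() {
	fmt.Println(NewDemoGateway().Route(CallRequest{"tenant-a", "policy-calc", []byte("premium for policy 42")}))
}
```

Because the target ID is authenticated together with the body, a sealed request replayed against a different external service fails to open at the public-cloud gateway even though the key matches.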
It may be understood that the electronic device to which the service invocation method in the hybrid cloud environment provided by the present application is applicable may be, for example, a server for providing various hardware resources, a server cluster, a supercomputer, or other electronic devices with multiple processors embedded or coupled and capable of accessing a network, or the like, which is not limited herein.
Fig. 2 illustrates a software architecture diagram of private cloud and public cloud in a hybrid cloud environment according to an embodiment of the present application.
As shown in fig. 2, the private cloud 200 included in the hybrid cloud environment may include a gateway module 201, a configuration module 202, an authentication module 203, and an interface module 204. It will be appreciated that in other embodiments, private cloud 200 may also include more or fewer functional modules than shown in fig. 2, without limitation.
The gateway module 201 is configured to receive a service invocation request sent by a user terminal, and may be configured to authenticate, forward the service invocation request, and control the number of access requests when there are more requests, i.e. perform throttling, etc. It will be appreciated that the gateway module 201 plays a role in security management of service call requests or other API requests that mainly access the private cloud 200, both to prevent unauthorized access and to protect internal services provided by the backend services, such as the private cloud 200, from service anomalies caused by requests that exceed restrictions.
The configuration module 202 is a configuration center on the private cloud 200, and is configured to manage the configuration data corresponding to the internal services provided by the private cloud 200. For example, it manages the environment information in which the corresponding internal service runs, the path information of the database resources that need to be called when the service runs, and the like. In this embodiment of the present application, the configuration module 202 may further add or update the external service related information obtained by the private cloud 200, for example, the identification information corresponding to the external service provided by the public cloud 300, the public cloud environment information to which the external service belongs, the service call path information, and the like, to a preset service list, for use by the gateway module 201. In addition, the configuration module 202 may be further configured to configure and manage the key information set for the service call requests to be forwarded, where the key information may be used by the routing service deployed on the private cloud 200 to encrypt the service call request to be forwarded. The routing service then sends the encrypted service call request packet to the public cloud, so as to improve the security of accessing the public cloud 300 to call the external service.
The authentication module 203 is configured to perform authority authentication on the received service call request or other API requests, for example, check whether the requester of the service call request has authority to call the corresponding service, or check whether the corresponding requester has authority to use the API corresponding to the requested service. It will be appreciated that the authentication module 203 may be invoked by the gateway module 201 described above to authenticate various types of API requests.
The interface module 204 is configured to call an API provided by the public cloud 300, so as to forward a service call request for an external service to the public cloud 300.
With continued reference to fig. 2, the public cloud 300 included in the hybrid cloud environment may include a gateway module 301, a configuration module 302, an authentication module 303, and a user module 304. It will be appreciated that public cloud 300 may include more or fewer functional modules than those shown in fig. 2, for example, in other embodiments public cloud 300 may include, without limitation, a multi-lingual module that supports multi-lingual recognition and processing functions, an audit module that supports audit functions, a product definition module that supports definition of items or service products, and mail modules, text message modules, and the like.
Specifically, the gateway module 301 is configured to receive the service call request forwarded through the interface module 204 by the routing service deployed on the private cloud 200, and to authenticate and throttle service call requests. It can be appreciated that the gateway module 301 mainly performs security management of the forwarded service call requests and the like on the public cloud 300, so as to prevent unauthorized access and to protect the external services provided by the backend, i.e. the public cloud 300, from service anomalies caused by requests exceeding the restrictions.
The configuration module 302 is a configuration center on the public cloud 300, and is configured to manage the configuration data corresponding to the external services provided by the public cloud 300. For example, it manages the environment information in which the corresponding service runs, the path information of the database resources that need to be called when the service runs, and the like. In this embodiment of the present application, the configuration module 302 may further add or update the identification information, running environment information, service call path information, and the like of the services provided by the public cloud 300 to a preset service list, and place the service list in a storage space that the gateway module 201 on the private cloud 200 can access, so that it can be called by the gateway module 201.
An authentication module 303, configured to perform authority authentication on the received service call request or other API requests, may be called by the gateway module 301 to authenticate various API requests.
The user module 304 is configured to manage account information logged in by the user, relevant tenant information, and other associated account information, including adding, modifying, deleting corresponding information records, and the like.
It will be appreciated that the above modules that make up the private cloud 200 or the public cloud 300 may be micro services deployed in a corresponding private cloud environment or public cloud environment to provide corresponding functions, which is not limited herein.
Based on the structures of the private cloud 200 and the public cloud 300 in the hybrid cloud environment shown in fig. 2, the following describes, with reference to the corresponding drawings, how a routing service is deployed in the hybrid cloud environment shown in fig. 2 to forward service call requests between the private cloud and the public cloud, thereby implementing the service call method provided in the present application.
Fig. 3 is a schematic process diagram of a cloud platform providing a hybrid cloud environment in response to a service call request sent by a user terminal according to an embodiment of the present application.
As shown in fig. 3, platform services provided by a cloud platform providing a hybrid cloud environment may include internal services 210 provided by private cloud 200 and external services 310 provided by public cloud 300. Wherein an internal service 210 deployed on private cloud 200 may include a routing service 211 for forwarding service invocation requests to public cloud 300. The routing service 211 may cooperate with the gateway module 201 to perform splitting processing on the received service call request in the private cloud 200. It will be appreciated that the internal service 210 and the external service 310 may form a service end of a service system deployed on a cloud platform, for example, a service end of an insurance service system, and provide various service supports related to insurance services for clients of the insurance service system.
With continued reference to fig. 3, for example, a client of a corresponding service system may be installed on the user terminal 100. The user terminal 100 may transmit a corresponding service invocation request to the server 410 in response to a user operation on the client interface. The service call request may access the cloud platform through the gateway module 201 of the private cloud 200, i.e. may first access the private cloud environment in the hybrid cloud environment.
The gateway module 201 on the private cloud 200 may determine, according to a preset service list, whether the currently received service call request meets a condition of forwarding to the public cloud 300, and divert the service call request meeting the preset forwarding condition to the routing service 211. Further, the routing service 211 may forward the service invocation request to the public cloud 300. And the gateway module 201 may authenticate the service call request that does not meet the preset forwarding condition, and send the service call request to the corresponding internal service 210 for response if the authentication is passed.
Public cloud 300 may then access the service invocation request forwarded by routing service 211 through gateway module 301. Further, if the forwarded service call request is authenticated, the gateway module 301 on the public cloud 300 may send the request to the corresponding external service 310 to respond.
That is, the processing path of the service call request corresponding to the external service provided by the public cloud 300 may be: gateway module 201→routing service 210→public cloud 300→gateway module 301→external service 310.
In contrast, the processing path of the service call request corresponding to the internal service provided by the private cloud 200 may be: gateway module 201→internal service 210.
The specific implementation process of the service calling method provided by the present application is described in more detail below in conjunction with an interaction flowchart.
Fig. 4 is a schematic flow chart of an implementation of a service invocation method in a hybrid cloud environment according to an embodiment of the application.
As shown in fig. 4, the interaction flow may involve interactions between gateway module 201, internal services 210, routing services 211 on private cloud 200, and gateway module 301, external services 310 on public cloud 300.
Specifically, the interactive flow may include the following steps.
401: the gateway module 201 receives the service invocation request.
Illustratively, in response to a user operation, the user terminal 100 may transmit a corresponding service invocation request to the server 410 to request that the corresponding business service provide the corresponding service function and perform the corresponding data processing. At this time, the gateway module 201 on the private cloud 200 may receive the service call request sent by the user terminal 100. The service invocation request may be, for example, an HTTP request, which is not limited herein.
It is appreciated that in embodiments of the present application, a service invocation request to be processed in the hybrid cloud environment may by default be received by the gateway module 201 on the private cloud 200. The service call request may be, for example, a service call request for a premium calculation service in an insurance business system, or a service call request for a statistical service that counts historical business data. The premium calculation service, which has high insurance business relevance, is a business service and may for example be deployed on the private cloud 200, while the statistical service, which has low insurance business relevance, is a non-business service and may for example be deployed on the public cloud 300. In other embodiments, the service call requests received by the gateway module 201 further include service call requests for other business services and non-business services, which are not enumerated here.
402: gateway module 201 authenticates the received service invocation request.
Illustratively, the gateway module 201 on the private cloud 200 may first authenticate the received service invocation request, so as to filter out requests from unauthorized users to invoke the corresponding service. In this manner, the service resources provided by the hybrid cloud environment can concentrate on responding to authorized service invocation requests. The authentication process may be, for example, checking whether the requester of the corresponding service call request has authority to call the requested service, and the specific checking manner may be, for example, checking according to the tenant authority of the requester on the private cloud 200, which is not limited herein.
In other embodiments, the gateway module 201 on the private cloud 200 may execute the following determination process in step 403, and then authenticate the corresponding service call request according to the preset authentication logic when it is determined that the service call request for requesting to invoke the internal service provided by the private cloud 200 does not need to be forwarded.
403: the gateway module 201 determines whether the platform service corresponding to the service invocation request is on a preset service list.
If the result is yes, it indicates that the platform service corresponding to the service call request is an external service on the public cloud 300, at this time, the following steps 404 to 409 may be continuously executed, and the service call request is forwarded to the public cloud 300 for processing;
if the result of the determination is no, it indicates that the platform service corresponding to the service call request is an internal service provided on the private cloud 200, and at this time, the following steps 409 to 410 may be executed, and the response processing may be performed on the private cloud 200 to the service call request.
For example, a service list may be preconfigured in the hybrid cloud environment, and the service list is used to record an internal service provided by the private cloud or an external service provided by the public cloud, so that the gateway module 201 on the private cloud 200 is used to determine whether the received service call request meets the forwarding condition. The service list may be preconfigured by the configuration module 202 on the private cloud 200, or may be preconfigured by the configuration module 302 on the public cloud 300, but a call path corresponding to the service list after being preset or updated may be provided to the gateway module 201 on the private cloud 200. Further, the gateway module 201 may determine whether the received service call request needs to be forwarded to the public cloud 300 for processing by determining whether the platform service corresponding to the service call request is on a preset service list.
It will be appreciated that, as described above, in some embodiments, the service list may be preset as a group, for example, an external service list for recording only external service related information provided by a public cloud, or an internal service list for recording only internal service related information provided by a private cloud. In other embodiments, the service list may be preset in two groups, for example, the internal service list and the external service list may be preset simultaneously, which is not limited herein.
404: gateway module 201 requests forwarding of service invocation requests to routing service 210.
Illustratively, for a service call request that needs to be forwarded to public cloud 300 for processing, for example, a service call request for external service 310 deployed on public cloud 300, gateway module 201 may request routing service 210 deployed on private cloud 200 for unified forwarding. It can be understood that, when the gateway module 201 performs the above step 403, if the corresponding determination result is yes, it indicates that the received service call request needs to be forwarded to the public cloud 300 for processing.
405: the routing service 210 encrypts the service call request to be forwarded.
Illustratively, the routing service 210 may encrypt a service call request that needs to be forwarded to the public cloud 300 based on a key pre-configured by the configuration module 202 of the private cloud 200. Accordingly, the configuration module 302 of the public cloud 300 may preset a corresponding decryption mechanism to decrypt the received encrypted service call request and then continue processing.
406: the routing service 210 forwards the encrypted service invocation request to the gateway module 301. Wherein the service invocation request is a service invocation request for an external service on the public cloud 300.
Illustratively, the routing service 210, in response to the request of the gateway module 201, may forward the service invocation request to the gateway module 301 on the public cloud 300. At this time, the platform service requested to be invoked by the service invocation request may be an invocation request for the external service 310 provided by the public cloud 300, so the service invocation request is a service invocation request for the external service.
407: the gateway module 301 authenticates the forwarded service invocation request.
Illustratively, the gateway module 301 may authenticate the service call request forwarded by the routing service 210 on the private cloud 200 according to a preset authentication logic. The authentication process may be, for example, checking whether the requester of the corresponding service call request has authority to call the requested service, and the specific checking manner may be, for example, checking according to the tenant authority of the requester on the public cloud 300, which is not limited herein.
It will be appreciated that the authentication logic employed by the gateway module 201 on the private cloud 200 in step 402 described above may be different from the authentication logic employed by the gateway module 301 of the public cloud 300 in step 407. Thus, the public cloud 300 performs authentication again on the authenticated service call request, so that the security and the execution efficiency of the external service provided by the public cloud 300 can be better ensured.
408: the gateway module 301 transmits the authenticated service invocation request to the corresponding external service.
Illustratively, the gateway module 301 may forward the authenticated service invocation request to the corresponding requested external service 310 on the public cloud 300.
409: the external service 310 triggers execution and provides corresponding service functions to perform corresponding data processing in response to the service call request.
It can be appreciated that the data processing result produced by the external service 310 in executing the corresponding service function may also be returned to the user terminal 100 through the private cloud 200 and fed back to the user.
410: the gateway module 201 transmits the service call request to the corresponding internal service.
Illustratively, the gateway module 201 may forward the authenticated service call request to the corresponding requested internal service 210 on the private cloud 200.
411: the internal service 210 triggers execution and provides corresponding service functions to perform corresponding data processing in response to the service invocation request.
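The flow of steps 401 to 411, as an added example that is not part of the patent or of eBaoTech's code: a Go sketch in which the private gateway authenticates the requester, applies the preset forwarding condition against the external service list, has the routing service seal the request with the preset key, and the public gateway decrypts, authenticates the requester again under its own tenant rights, and dispatches to the external service. AES-256-GCM, the request fields, the tenants, the service identifiers and the call paths are all assumptions or constructed samples; the page names no cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"io"
)

// CallRequest is a constructed request shape (the page only says the request
// may be an HTTP request); the field names are assumptions.
type CallRequest struct {
	Tenant  string `json:"tenant"`  // requester, checked against tenant rights
	Service string `json:"service"` // identification of the requested service
}

// Preset external service list of step 403 (constructed): service identifier to
// call path on the public cloud. The premium calculation service is absent
// because the page deploys it on the private cloud.
var externalServices = map[string]string{"statistics": "/api/v1/statistics"}

// Tenant rights per cloud (steps 402 and 407), constructed so that tenant "beta"
// passes the private-cloud check but fails the public cloud's own check.
var privateTenantRights = map[string]map[string]bool{
	"acme": {"premium-calc": true, "statistics": true},
	"beta": {"statistics": true},
}
var publicTenantRights = map[string]map[string]bool{"acme": {"statistics": true}}

// newGCM builds the AEAD from the preset key. AES-256-GCM is an assumption (the
// page names no cipher); GCM also authenticates the ciphertext.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRequest is step 405: the routing service seals the request with the
// key preset by the configuration module. Envelope: nonce || ciphertext+tag.
func encryptRequest(key []byte, req CallRequest) ([]byte, error) {
	plain, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// publicGatewayHandle is steps 407-408: open the envelope with the matching key
// (a modified envelope fails the tag check), authenticate the requester again
// with the public cloud's own tenant rights, then dispatch to the service path.
func publicGatewayHandle(key, envelope []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(envelope) < gcm.NonceSize() {
		return "", errors.New("envelope too short")
	}
	plain, err := gcm.Open(nil, envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("reject forwarded request: decryption or tag check failed")
	}
	var req CallRequest
	if err := json.Unmarshal(plain, &req); err != nil {
		return "", err
	}
	if !publicTenantRights[req.Tenant][req.Service] {
		return "", errors.New("no call authority on the public cloud")
	}
	path, ok := externalServices[req.Service]
	if !ok {
		return "", errors.New("no such external service")
	}
	return "external:" + path, nil
}

// privateGatewayHandle is the private-cloud side (steps 401-406 and 410):
// authenticate, apply the forwarding condition, then either have the routing
// service encrypt and forward, or send the request to the internal service.
func privateGatewayHandle(key []byte, req CallRequest) (string, error) {
	if !privateTenantRights[req.Tenant][req.Service] {
		return "", errors.New("no call authority on the private cloud")
	}
	// Step 403: the preset forwarding condition is membership of the external list.
	if _, forward := externalServices[req.Service]; !forward {
		return "internal:" + req.Service, nil
	}
	envelope, err := encryptRequest(key, req)
	if err != nil {
		return "", err
	}
	// Step 406: forward to gateway 301; called in-process here, not over the network.
	return publicGatewayHandle(key, envelope)
}
```

Because the public gateway re-checks authority under its own rights table, a tenant authorised only on the private cloud is stopped there even though the private gateway let the request through, which is the point of the second authentication in step 407.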
Based on the execution flow of steps 401 to 411 shown in fig. 4, the service call method in the hybrid cloud environment provided in the embodiment of the present application uses the gateway on the private cloud to access the service call request, and encrypts and forwards the service call request for calling the external service provided by the public cloud through the routing service deployed on the private cloud. Therefore, the platform service deployed on the private cloud and the public cloud can be quickly and accurately called, and the security guarantee can be provided for the external service calling process of the public cloud environment by utilizing the high security of the private cloud.
Fig. 5 shows a schematic structural diagram of an electronic device 500 according to an embodiment of the present application. In the embodiment of the present application, the electronic device 500 may be a server cluster or a supercomputer running the cloud platform providing the hybrid cloud environment as described above. In other embodiments, the electronic device 500 may also operate a service end of some service systems, such as a service end of an insurance service system, which is not limited herein.
As shown in FIG. 5, in some embodiments, an electronic device 500 may include one or more processors 504, system control logic 508 coupled to at least one of the processors 504, system memory 512 coupled to the system control logic 508, non-volatile memory (NVM) 516 coupled to the system control logic 508, and a network interface 520 coupled to the system control logic 508.
In some embodiments, processor 504 may include one or more single-core or multi-core processors. In some embodiments, processor 504 may include any combination of general-purpose and special-purpose processors (e.g., graphics processor, application processor, baseband processor, etc.). In embodiments in which the electronic device 500 employs an eNB (enhanced base station) or RAN (radio access network) controller, the processor 504 may be configured to perform the various embodiments described above, such as the embodiments shown in fig. 1-4.
In some embodiments, system control logic 508 may include any suitable interface controller to provide any suitable interface to at least one of processors 504 and/or any suitable device or component in communication with system control logic 508.
In some embodiments, system control logic 508 may include one or more memory controllers to provide an interface to system memory 512. The system memory 512 may be used for loading and storing data and/or instructions. The memory 512 of the electronic device 500 may include any suitable volatile memory in some embodiments, such as suitable dynamic random access memory (dynamic random access memory, DRAM).
NVM/memory 516 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. In some embodiments, NVM/memory 516 may include any suitable nonvolatile memory, such as flash memory, and/or any suitable nonvolatile storage device, such as at least one of a hard disk drive (HDD), a compact disc (CD) drive, and a digital versatile disc (DVD) drive.
NVM/memory 516 may include a portion of a memory resource on the device in which electronic apparatus 500 is installed, or it may be accessed by, but not necessarily a part of, the apparatus. For example, NVM/storage 516 may be accessed over a network via network interface 520.
In particular, system memory 512 and NVM/storage 516 may each include: a temporary copy and a permanent copy of instruction 524. The instructions 524 may include: instructions that, when executed by at least one of the processors 504, cause the electronic device 500 to implement the method as shown in fig. 4. In some embodiments, instructions 524, hardware, firmware, and/or software components thereof may additionally/alternatively be disposed in system control logic 508, network interface 520, and/or processor 504.
Network interface 520 may include a transceiver to provide a radio interface for electronic device 500 to communicate with any other suitable device (e.g., a front-end module, antenna, etc.) over one or more networks. In some embodiments, the network interface 520 may be integrated with other components of the electronic device 500. For example, network interface 520 may be integrated with at least one of processor 504, system memory 512, NVM/storage 516, and a firmware device (not shown) having instructions which, when executed by at least one of processor 504, implement the method described above with respect to fig. 4.
Network interface 520 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface. For example, network interface 520 may be a network adapter, a wireless network adapter, a telephone modem, and/or a wireless modem.
In some embodiments, at least one of the processors 504 may be packaged together with logic for one or more controllers of the system control logic 508 to form a system-in-package (SiP). In some embodiments, at least one of the processors 504 may be integrated on the same die with logic for one or more controllers of the system control logic 508 to form a system on chip (SoC).
The electronic device 500 may further include an input/output (I/O) device 532. The I/O device 532 may include a user interface to enable a user to interact with the electronic device 500, and a peripheral component interface that enables peripheral components to interact with the electronic device 500 as well.
In some embodiments, the peripheral component interface may include, but is not limited to, a non-volatile memory port, an audio jack, and a power interface.
The disclosure of the embodiments of the present application also relates to an apparatus for performing the operations described herein. The apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magneto-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of media suitable for storing electronic instructions, each of which may be coupled to a computer system bus. Furthermore, the computers referred to in the specification may include a single processor or may be architectures employing multiple processors for increased computing power.
Additionally, the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the disclosed subject matter. Accordingly, the disclosure of the embodiments of the present application is intended to be illustrative, but not limiting, of the scope of the concepts discussed herein.

Claims (12)

1. A service invocation method, characterized by being applied to a cloud platform providing a hybrid cloud environment, the cloud platform comprising at least one private cloud platform and at least one public cloud platform, and the method comprising:
a first private cloud platform of the at least one private cloud platform receives a first call request, wherein the first call request is a call request for a platform service running in the hybrid cloud environment;
determining that the first call request accords with a preset forwarding condition for forwarding to a platform service deployed on the at least one public cloud platform for processing, encrypting the first call request by the first private cloud platform, and forwarding the encrypted first call request to the first public cloud platform, wherein the preset forwarding condition comprises determining that a target service of the request corresponding to the first call request is a first platform service provided by the first public cloud platform;
And determining that the first call request does not accord with the preset forwarding condition, and sending the first call request to a second platform service by the first private cloud platform, wherein the second platform service is a service provided by the first private cloud platform.
2. The method of claim 1, wherein a target service list is preset on the cloud platform, the target service list is used for recording relevant information of one or more platform services provided by the first public cloud platform,
the determining that the first call request meets a preset forwarding condition for forwarding to a platform service deployed on the at least one public cloud platform for processing includes:
the first private cloud platform compares the related information of the target service with the related information of each platform service in the target service list;
the first private cloud platform determines that the related information of the target service is matched with the related information of the first platform service in the target service list, and determines that the first call request meets a preset forwarding condition.
3. The method of claim 2, wherein a second service list is preset on the cloud platform, the target service list is used for recording relevant information of one or more platform services provided by the first private cloud platform, and,
The determining that the first call request meets a preset forwarding condition for forwarding to a platform service deployed on the at least one public cloud platform for processing includes:
the first private cloud platform compares the related information of the target service with the related information of each platform service in the second service list;
and the first private cloud platform determines that the related information of the target service has no matched information record in the second service list, and determines that the first call request meets a preset forwarding condition.
4. The method of claim 3, wherein the determining that the first invocation request does not meet the preset forwarding condition comprises:
and the first private cloud platform determines that the related information of the target service is matched with the related information of the second platform service in the second service list, and determines that the first call request does not accord with the preset forwarding condition.
5. The method according to claim 3, wherein the target service list or the second service list is preset on the first private cloud platform; or,
the target service list or the second service list is preset in a data storage space provided by the first public cloud platform to the first private cloud platform.
6. The method according to any of claims 2 to 5, wherein the information about the platform service comprises at least one of the following information:
identification information of the first platform service or the second platform service;
public cloud environment information to which the first platform service belongs or private cloud environment information to which the second platform service belongs;
path information of the first platform service or the second platform service.
7. The method of claim 1, wherein the first private cloud platform includes a first key preset for a first call request that meets the preset forwarding condition, and,
the encrypting the first call request includes:
the first private cloud platform encrypts the first call request by adopting the first key.
8. The method of claim 1, wherein the sending the first call request to a second platform service comprises:
and the first private cloud platform confirms that the requester of the first calling request has the calling authority to the second platform service, and sends the first calling request to the second platform service.
9. The method of any of claims 1 to 8, wherein the first private cloud platform comprises a first gateway module and a pre-deployed routing service, and the method comprises:
the first gateway module receives a first call request for a target service;
determining that the first call request accords with a preset forwarding condition for forwarding to a platform service deployed on the at least one public cloud platform for processing, and sending a forwarding request to the routing service by the first gateway module;
the routing service encrypts the first call request in response to the forwarding request, and forwards the encrypted first call request to a first public cloud platform;
and determining that the first call request does not accord with the preset forwarding condition, and sending the first call request to the second platform service by the first gateway module.
10. The method of claim 9, wherein the first public cloud platform includes a second gateway module, and wherein the forwarding the encrypted first call request to the first public cloud platform comprises:
the routing service sends the encrypted first call request to the second gateway module, and the second gateway module sends the first call request to the first platform service under the condition that the requester of the first call request is determined to have the call authority.
11. An electronic device, comprising: one or more processors; and one or more memories storing one or more programs that, when executed by the one or more processors, cause the electronic device to run a cloud platform providing a hybrid cloud environment and to perform the service invocation method of any one of claims 1 to 10.
12. A service system comprising a server and a client, wherein the server runs on a cloud platform providing a hybrid cloud environment, the cloud platform comprises at least one private cloud platform and at least one public cloud platform, and the server responds to a service invocation request sent by the client by executing the service invocation method of any one of claims 1 to 10.
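The routing flow of claims 8 to 10, as an added example in Python; this is not code from the patent or from eBaoTech. The claims do not say what the preset forwarding condition, the call-authority check or the encryption are, so the model assumes all three: the condition is that the target service is registered as deployed on the public cloud; call authority is an ACL mapping each requester to the services it may call; and the routing service protects the forwarded request with encrypt-then-MAC built from HMAC-SHA256 in counter mode, a standard-library stand-in for the AES-GCM or mutual TLS a real deployment would use. The class names (`PrivateGateway`, `RoutingService`, `PublicGateway`, `CallRequest`), `build_demo`, and the sample `quote` and `ocr` services are all constructed for this example.

```python
# Added example, not code from the patent or from eBaoTech. Assumed, not stated in
# the claims: forwarding condition = target service registered on the public cloud;
# call authority = ACL of requester -> services; encryption = HMAC-SHA256
# encrypt-then-MAC as a stdlib stand-in for AES-GCM or mTLS.
import hashlib
import hmac
import json
import os
from dataclasses import asdict, dataclass
from typing import Callable

NONCE_LEN, TAG_LEN = 16, 32


class Unauthorized(Exception):
    """The requester lacks call authority for the target service."""


@dataclass(frozen=True)
class CallRequest:
    requester: str
    target_service: str
    payload: dict


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher, not a recommendation."""
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class PublicGateway:
    """Claim 10: second gateway module; authenticates, decrypts, then checks call authority."""

    def __init__(self, enc_key: bytes, mac_key: bytes,
                 acl: dict[str, set[str]], services: dict[str, Callable[[dict], dict]]):
        self.enc_key, self.mac_key, self.acl, self.services = enc_key, mac_key, acl, services

    def receive(self, sealed: bytes) -> dict:
        nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # verify before decrypting
            raise ValueError("forwarded request failed integrity check")
        fields = json.loads(_xor(ct, _keystream(self.enc_key, nonce, len(ct))))
        req = CallRequest(fields["requester"], fields["target_service"], fields["payload"])
        if req.target_service not in self.acl.get(req.requester, set()):
            raise Unauthorized(f"{req.requester} may not call {req.target_service}")
        return self.services[req.target_service](req.payload)


class RoutingService:
    """Claim 9: pre-deployed routing service; encrypts the request and forwards it."""

    def __init__(self, enc_key: bytes, mac_key: bytes, public_gateway: PublicGateway):
        self.enc_key, self.mac_key, self.public_gateway = enc_key, mac_key, public_gateway

    def seal(self, req: CallRequest) -> bytes:
        plaintext = json.dumps(asdict(req), sort_keys=True).encode()
        nonce = os.urandom(NONCE_LEN)  # fresh per request; reuse would leak plaintext XORs
        ct = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def forward(self, req: CallRequest) -> dict:
        return self.public_gateway.receive(self.seal(req))


class PrivateGateway:
    """Claim 9: first gateway module; forwards on the preset condition, else claim 8 locally."""

    def __init__(self, public_services: set[str], acl: dict[str, set[str]],
                 local_services: dict[str, Callable[[dict], dict]], routing: RoutingService):
        self.public_services, self.acl = public_services, acl
        self.local_services, self.routing = local_services, routing

    def should_forward(self, req: CallRequest) -> bool:
        # Assumed preset forwarding condition: the target service is deployed on the public cloud.
        return req.target_service in self.public_services

    def handle(self, req: CallRequest) -> dict:
        if self.should_forward(req):
            return self.routing.forward(req)
        if req.target_service not in self.acl.get(req.requester, set()):  # claim 8 check
            raise Unauthorized(f"{req.requester} may not call {req.target_service}")
        return self.local_services[req.target_service](req.payload)


def build_demo() -> PrivateGateway:
    """Constructed topology: 'quote' on the private cloud, 'ocr' on the public cloud.
    One shared ACL for brevity; each platform would hold its own in practice."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    acl = {"policy-app": {"quote", "ocr"}, "guest": set()}
    public = PublicGateway(enc_key, mac_key, acl, {"ocr": lambda p: {"text": p["image"].upper()}})
    routing = RoutingService(enc_key, mac_key, public)
    local = {"quote": lambda p: {"premium": p["amount"] * 2 // 100}}
    return PrivateGateway({"ocr"}, acl, local, routing)


if __name__ == "__main__":
    gw = build_demo()
    print(gw.handle(CallRequest("policy-app", "ocr", {"image": "abc"})))  # encrypted and forwarded
```

Two points worth noticing in the model. First, the authority check runs on the platform that actually dispatches the call (the private gateway for local services under claim 8, the public gateway for forwarded ones under claim 10), so the routing service is never the component deciding who may call what. Second, the public gateway reads the requester identity out of the sealed request, so its check is only as trustworthy as the private side's assertion and the secrecy of the MAC key; the MAC is verified before decryption, so a tampered or forged blob is rejected before it reaches the ACL or the service.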
CN202310105785.8A 2023-02-13 2023-02-13 Service calling method, electronic equipment and system in hybrid cloud environment Pending CN116319927A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310105785.8A CN116319927A (en) 2023-02-13 2023-02-13 Service calling method, electronic equipment and system in hybrid cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310105785.8A CN116319927A (en) 2023-02-13 2023-02-13 Service calling method, electronic equipment and system in hybrid cloud environment

Publications (1)

Publication Number Publication Date
CN116319927A true CN116319927A (en) 2023-06-23

Family

ID=86795121

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310105785.8A Pending CN116319927A (en) 2023-02-13 2023-02-13 Service calling method, electronic equipment and system in hybrid cloud environment

Country Status (1)

Country Link
CN (1) CN116319927A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117097568A (en) * 2023-10-19 2023-11-21 睿至科技集团有限公司 Cloud platform and data management method thereof
CN117097568B (en) * 2023-10-19 2024-01-26 睿至科技集团有限公司 Cloud platform and data management method thereof

Similar Documents

Publication Publication Date Title
US20200304485A1 (en) Controlling Access to Resources on a Network
US11121873B2 (en) System and method for hardening security between web services using protected forwarded access tokens
US9537835B2 (en) Secure mobile app connection bus
US9769266B2 (en) Controlling access to resources on a network
US10284366B2 (en) Mobile communication system implementing integration of multiple logins of mobile device applications
US10255446B2 (en) Clipboard management
CN110839087B (en) Interface calling method and device, electronic equipment and computer readable storage medium
CN103384237A (en) Method for sharing IaaS cloud account, shared platform and network device
US20180063088A1 (en) Hypervisor network profiles to facilitate vpn tunnel
US20200145213A1 (en) Iot security mechanisms for industrial applications
US11812273B2 (en) Managing network resource permissions for applications using an application catalog
CN116319927A (en) Service calling method, electronic equipment and system in hybrid cloud environment
US20230224161A1 (en) Self-authorizing identification and applications therefor
CN107645474A (en) Log in the method for open platform and log in the device of open platform
CN106911721B (en) Entrepreneurship registration data processing platform based on cloud computing
EP2761852A1 (en) A mobile communication system implementing integration of multiple logins of mobile device applications
CN111190700B (en) Cross-domain security access and resource control method for virtualized equipment
WO2023125152A1 (en) Unified configuration management method, system and device for application, and storage medium
CN111181929A (en) Heterogeneous hybrid cloud architecture based on shared virtual machine files and management method
CN104753774B (en) A kind of distributed enterprise comprehensive access gate
CN114070616A (en) Distributed session sharing method and system based on redis cache
US20230246818A1 (en) Secure data migration
CN112583777B (en) Method and device for realizing user login
US11831773B1 (en) Secured database restoration across service regions
US11546411B1 (en) Backing up confidential data to user devices on the same local network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination