CN117040933B - Cross-regional network drainage processing method, security processing method, device and equipment - Google Patents
- Publication number: CN117040933B (application number CN202311295879.2A)
- Authority: CN (China)
- Prior art keywords: security, network, access, local, virtual machine
- Legal status: Active
Classifications
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L9/40—Network security protocols
- H04L41/40—Arrangements for maintenance, administration or management of data switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
Abstract
The invention discloses a trans-regional network drainage processing method, a security processing method, a device and equipment, which relate to the technical field of cloud computing and are used for solving the problems that the existing trans-cloud environment cloud connection and a cloud private line do not support security service drainage, wherein the network drainage processing comprises the following steps: acquiring a first access flow of a virtual machine in a local drainage subnet of a local cloud environment; forwarding the first access traffic to a security network element virtual machine in an opposite-end security sub-network of an opposite-end cloud environment through an interconnection router by utilizing a default router of the local-end drainage sub-network so as to perform traffic security processing on the first access traffic by utilizing the security network element virtual machine and forwarding the first access traffic after the traffic security processing to a destination network protocol address of the first access traffic; according to the invention, by means of the arrangement of the interconnection router, the transit network and the default router, security service drainage among different areas of the cross-cloud platform is realized, and network security performance is improved.
Description
Technical Field
The present invention relates to the field of cloud computing technologies, and in particular, to a cross-regional network drainage processing method, a cross-regional network security processing method, a device, equipment, and a computer readable storage medium.
Background
A manner of using two or more cloud environments (such as OpenStack, a cloud computing software) to communicate with each other is called cloud connection; the mode of enabling a cloud environment to communicate with an external network is called a cloud private line. Both communication modes have the problem that the security of external traffic cannot be guaranteed. In order to solve the traffic security problem in the north-south direction (communication between a subnet in the cloud environment and the external network) and the east-west direction (communication between subnets in different cloud environments), a hardware security network element can be deployed in the physical network, or a software security network element can be added at the software layer. Compared with hardware equipment, the software security network element is more flexible to use and has relatively low cost.
In the prior art, the functions of injecting a single OpenStack into a security network element and editing a security service are realized, but for multiple sets of OpenStack cloud environment communication (i.e. cloud connection) and multiple sets of OpenStack cloud environment communication with an external network (i.e. cloud private line), security service drainage is not supported. Therefore, how to realize security service drainage among different areas of the cross-cloud platform and improve network security performance is an urgent problem to be solved nowadays.
Disclosure of Invention
The invention aims to provide a cross-regional network drainage processing method, a cross-regional network security processing method, a device, equipment and a computer readable storage medium, so as to realize secure traffic forwarding among different regions of a cross-cloud platform and improve network security performance.
In order to solve the technical problems, the invention provides a cross-regional network drainage processing method, which comprises the following steps:
acquiring a first access flow of a virtual machine in a local drainage subnet of a local cloud environment; the first access flow comprises flow for accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
forwarding the first access traffic to a security network element virtual machine in an opposite-end security subnet of the opposite-end cloud environment through the interconnection router by utilizing a default router of the local-end drainage subnet, so as to perform traffic security processing on the first access traffic by utilizing the security network element virtual machine and forward the first access traffic after the traffic security processing to a destination network protocol address of the first access traffic; the default router is a virtual router of the virtual private cloud.
In some embodiments, the forwarding, by the default router using the local-end drainage subnet, the first access traffic to a secure network element virtual machine within a peer-end secure subnet of the peer-end cloud environment via the interconnection router includes:
modifying the destination physical address of the first access traffic by using the default router of the local-end drainage subnet, and forwarding the first access traffic through the interconnection router to a security network element virtual machine in the opposite-end security subnet of the opposite-end cloud environment.
In some embodiments, the modifying, by using the default router of the local-end drainage subnet, the destination physical address of the first access traffic, and forwarding, by the interconnection router, the first access traffic to a security network element virtual machine in the opposite-end security subnet of the opposite-end cloud environment, includes:
modifying the destination physical address of the first access traffic into the physical address of the interconnection router of the local-end cloud environment by using the default router of the local-end drainage subnet, and forwarding the first access traffic to the interconnection router of the local-end cloud environment;
and forwarding the first access traffic to the interconnection router of the opposite-end cloud environment by using the interconnection router of the local-end cloud environment, so that the interconnection router of the opposite-end cloud environment forwards the first access traffic to the security network element virtual machine through the default router of the opposite-end security subnet.
In some embodiments, before the default router using the local end drainage subnet forwards the first access traffic to the secure network element virtual machine in the opposite end secure subnet of the opposite end cloud environment through the interconnection router, the method further includes:
performing firewall processing on the first access flow by using the virtual machine in the local drainage sub-network to obtain the first access flow after firewall processing;
correspondingly, the forwarding, by the default router of the local end drainage subnet, the first access traffic to a secure network element virtual machine in the opposite end secure subnet of the opposite end cloud environment through the interconnection router includes:
and forwarding the first access flow processed by the firewall to a security network element virtual machine in the opposite-end security sub-network through the interconnection router by utilizing the default router of the local-end drainage sub-network.
In some embodiments, the forwarding, by the default router using the local-end drainage subnet, the first access traffic to a secure network element virtual machine within a peer-end secure subnet of the peer-end cloud environment via the interconnection router includes:
determining the first access traffic from the access traffic forwarded by the default router of the local-end drainage subnet according to east-west access mask configuration information by utilizing the interconnection router of the local-end cloud environment; the east-west access mask configuration information is either east-west access masked or east-west access not masked.
In some embodiments, the determining, by the interconnection router of the local cloud environment, the first access traffic from access traffic forwarded by a default router of the local drainage subnet according to east-west access mask configuration information includes:
if the east-west access mask configuration information is that the east-west access is not masked, determining the access traffic of which the source network protocol address is the virtual machine network protocol address of the local end drainage subnet in the access traffic as the first access traffic;
and if the east-west access mask configuration information is the east-west access mask, determining that a source network protocol address in the access traffic is a virtual machine network protocol address of the local drainage subnet and a destination network protocol address is an external network protocol address as the first access traffic.
In some embodiments, the forwarding, by the default router using the local-end drainage subnet, the first access traffic to a secure network element virtual machine within a peer-end secure subnet of the peer-end cloud environment via the interconnection router includes:
determining a target security network element virtual machine corresponding to the current first access flow by using an interconnection router of the local cloud environment and adopting a load balancing strategy; the current first access flow is any first access flow, and the target safety network element virtual machine is any safety network element virtual machine in the opposite-terminal safety sub-network;
and modifying the destination physical address of the current first access traffic into the physical address of the target security network element virtual machine by using the interconnection router of the local-end cloud environment, and forwarding the current first access traffic to the interconnection router of the opposite-end cloud environment corresponding to the target security network element virtual machine.
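The local-end drainage path described in the embodiments above (the east-west access mask selection rule, the destination physical address rewrite on the default router, and the load-balanced choice of security network element virtual machine on the interconnection router), as an added Python simulation. This is example code written for this page, not code from the patent, OpenStack or OVN; the subnets, MAC addresses, the round-robin policy and the `Frame` type are constructed for illustration, and "external network" is taken to mean any address outside the interconnected drainage subnets.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import List, Optional

# Constructed sample topology (not from the patent): cloud A is the local end,
# its drainage subnet is subnet-1; the security NE VMs live in the peer cloud.
LOCAL_DRAINAGE_SUBNET = ip_network("10.1.0.0/24")
PEER_DRAINAGE_SUBNET = ip_network("10.3.0.0/24")
LOCAL_INTERCONNECT_MAC = "02:00:00:00:0a:01"      # interconnection router of cloud A
SECURITY_NE_VM_MACS = ("02:00:00:00:5e:01", "02:00:00:00:5e:02")  # peer security subnet


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    dst_mac: str


def is_external(ip: str) -> bool:
    """Destination counts as 'external network' when it lies in no drainage subnet."""
    addr = ip_address(ip)
    return addr not in LOCAL_DRAINAGE_SUBNET and addr not in PEER_DRAINAGE_SUBNET


def is_first_access_traffic(frame: Frame, east_west_masked: bool) -> bool:
    """Selection rule of the local interconnection router (east-west access mask).

    east_west_masked=False: every frame sourced by a local drainage-subnet VM qualifies.
    east_west_masked=True:  only frames from a local drainage VM bound for an external IP.
    """
    if ip_address(frame.src_ip) not in LOCAL_DRAINAGE_SUBNET:
        return False
    return True if not east_west_masked else is_external(frame.dst_ip)


class LocalDefaultRouter:
    """Default (VPC) router of the local drainage subnet: it only rewrites the
    destination MAC to the local interconnection router and passes the frame on."""

    def forward(self, frame: Frame) -> Frame:
        return replace(frame, dst_mac=LOCAL_INTERCONNECT_MAC)


class LocalInterconnectRouter:
    """Interconnection router of the local cloud: keeps only first access traffic,
    picks a security NE VM by load balancing and rewrites the destination MAC so
    the peer interconnection router can deliver the frame to that VM."""

    def __init__(self, east_west_masked: bool):
        self.east_west_masked = east_west_masked
        self._next_vm = cycle(SECURITY_NE_VM_MACS)  # round robin: a constructed policy

    def forward(self, frame: Frame) -> Optional[Frame]:
        if frame.dst_mac != LOCAL_INTERCONNECT_MAC:
            return None  # not addressed to this router
        if not is_first_access_traffic(frame, self.east_west_masked):
            return None  # not selected for security-service drainage
        return replace(frame, dst_mac=next(self._next_vm))


def drain(frames: List[Frame], east_west_masked: bool) -> List[Optional[str]]:
    """Run frames through default router -> interconnection router and return,
    per frame, the MAC of the chosen security NE VM (None when not steered)."""
    default_router = LocalDefaultRouter()
    interconnect = LocalInterconnectRouter(east_west_masked)
    out = []
    for f in frames:
        steered = interconnect.forward(default_router.forward(f))
        out.append(steered.dst_mac if steered else None)
    return out


# Constructed sample frames: a local VM reaching the Internet, the same VM reaching
# a VM in the peer drainage subnet, and a frame that did not originate in subnet-1.
SAMPLE_FRAMES = [
    Frame("10.1.0.5", "203.0.113.10", "02:00:00:00:01:01"),
    Frame("10.1.0.5", "10.3.0.7", "02:00:00:00:01:01"),
    Frame("192.0.2.9", "10.1.0.5", "02:00:00:00:01:01"),
]

if __name__ == "__main__":
    print(drain(SAMPLE_FRAMES, east_west_masked=False))
    print(drain(SAMPLE_FRAMES, east_west_masked=True))
```

With the mask off, both frames from the drainage VM are steered to the peer security subnet (alternating between the two security NE VMs); with the mask on, only the frame bound for an external address is steered, and east-west traffic to the peer drainage subnet is left to ordinary routing.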
In some embodiments, the interconnection router is a virtual router of an open virtual network.
In some embodiments, before the obtaining the first access traffic of the virtual machine in the local drainage subnet of the local cloud environment, the method further includes:
creating a cloud connection between the local-end cloud environment and the opposite-end cloud environment by using a network service component of the local-end cloud environment, and creating the transit network between the interconnection router of the local-end cloud environment and the interconnection router of the opposite-end cloud environment; each cloud connection corresponds to one transit network.
In some embodiments, the drainage subnetwork and the security subnetwork are not simultaneously provided within each cloud environment that is connected through the same transit network.
In some embodiments, the network drainage processing method further comprises:
acquiring a second access flow forwarded by a security network element virtual machine in the opposite-end security sub-network by using an interconnection router of the local-end cloud environment; the destination network protocol address of the second access flow is a virtual machine network protocol address of the local end drainage subnet, and the source physical address is a physical address of the security network element virtual machine;
and forwarding the second access flow to a virtual machine in the local drainage sub-network through a default router of the local drainage sub-network by using the interconnection router of the local cloud environment.
In some embodiments, the network drainage processing method further comprises:
acquiring a third access flow forwarded by the network card equipment by using the interconnection router of the local cloud environment; the destination network protocol address of the third access flow is a virtual machine network protocol address of the local end drainage subnet or the opposite end drainage subnet, and the destination physical address is a gateway physical address;
and forwarding the third access flow to a security network element virtual machine in an opposite-end security subnet of the opposite-end cloud environment by using the interconnection router of the local-end cloud environment, so as to perform flow security processing on the third access flow by using the security network element virtual machine, and forwarding the third access flow after the flow security processing to a destination network protocol address of the third access flow.
In some embodiments, the forwarding, by the interconnection router of the home cloud environment, the third access traffic to a secure network element virtual machine within a peer secure subnet of the peer cloud environment includes:
determining a target security network element virtual machine corresponding to the current third access flow by using an interconnection router of the local cloud environment and adopting a load balancing strategy; the current third access flow is any third access flow, and the target security network element virtual machine is any security network element virtual machine in the opposite-end security subnet or the local-end security subnet;
and modifying the destination physical address of the current third access flow into the physical address of the target security network element virtual machine corresponding to the current third access flow by using the interconnection router of the local cloud environment, and forwarding the current third access flow to the interconnection router of the opposite cloud environment where that target security network element virtual machine is located.
The invention also provides a cross-regional network drainage processing device, which comprises:
the acquisition module is used for acquiring a first access flow of the virtual machine in the local drainage sub-network of the local cloud environment; the first access flow comprises flow for accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
the forwarding module is used for forwarding the first access traffic to a security network element virtual machine in an opposite-end security subnet of the opposite-end cloud environment through the interconnection router by utilizing a default router of the local-end drainage subnet so as to perform traffic security processing on the first access traffic by utilizing the security network element virtual machine and forwarding the first access traffic after the traffic security processing to a destination network protocol address of the first access traffic; the default router is a virtual router of the virtual private cloud.
The invention also provides a cross-regional network security processing method, which comprises the following steps:
acquiring access flow sent by a virtual machine in an opposite-end drainage subnet forwarded by an interconnection router of an opposite-end cloud environment by utilizing the interconnection router of the local-end cloud environment; the access flow comprises flow of accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
forwarding the access flow to a security network element virtual machine in the local security sub-network by using an interconnection router of the local cloud environment and through a default router of the local security sub-network in the local cloud environment;
and carrying out flow security processing on the access flow by utilizing the security network element virtual machine, and forwarding the access flow after the flow security processing to a destination network protocol address of the access flow.
In some embodiments, the destination physical address of the access traffic is a physical address of the secure network element virtual machine.
In some embodiments, before forwarding the access traffic after traffic security processing to the destination network protocol address of the access traffic, the method further includes:
performing firewall processing on the access traffic subjected to flow security processing by using the security network element virtual machine to obtain the access traffic subjected to firewall processing;
correspondingly, the forwarding the access traffic after traffic security processing to the destination network protocol address of the access traffic includes:
and forwarding the access traffic processed by the firewall to a destination network protocol address of the access traffic.
In some embodiments, the forwarding the access traffic after traffic security processing to a destination network protocol address of the access traffic includes:
and forwarding the access flow after the flow security processing to network card equipment through an interconnection router of the local cloud environment by utilizing a default router of the local security subnet so as to forward the access flow after the flow security processing to a destination network protocol address of the access flow through the network card equipment.
In some embodiments, the network security processing method further comprises:
acquiring inward access flow forwarded by network card equipment by utilizing an interconnection router of the local cloud environment; the destination network protocol address of the inward access traffic is a virtual machine network protocol address of the opposite end drainage subnet, and the destination physical address is a gateway physical address;
forwarding the inward access flow to a security network element virtual machine in the local security sub-network through a default router of the local security sub-network by using the interconnection router of the local cloud environment, so as to perform flow security processing on the inward access flow by using the security network element virtual machine, and forwarding the inward access flow after the flow security processing to a destination network protocol address of the inward access flow.
In some embodiments, the forwarding, by the interconnection router of the local cloud environment, the inward access traffic to a secure network element virtual machine within the local secure subnet through a default router of the local secure subnet includes:
determining a target security network element virtual machine corresponding to the current inward access flow by using an interconnection router of the local cloud environment and adopting a load balancing strategy; the current inward access flow is any inward access flow, and the target security network element virtual machine is any security network element virtual machine in the opposite-end security subnet or the local-end security subnet;
and modifying the destination physical address of the current inward access flow into the physical address of the target security network element virtual machine by using the interconnection router of the local cloud environment, and forwarding the current inward access flow to the target security network element virtual machine.
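The opposite-end side of the same design, the cross-regional network security processing method above, as an added Python simulation: the interconnection router of the cloud that holds the security subnet receives outbound traffic whose destination physical address is already a security network element virtual machine, hands it to that VM and then to the network card device, and receives inward traffic from the network card device (destination physical address equal to the gateway physical address) which it load-balances across the security VMs before forwarding toward the drainage virtual machine. This is example code written for this page, not code from the patent, OpenStack or OVN. The patent does not define what "traffic security processing" consists of, so a constructed destination-port deny list stands in for it; the MAC addresses, subnet, port list and `Frame` type are likewise constructed, and the default-router hop inside the security subnet is collapsed into a method call.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Iterable, List, Optional

# Constructed sample values (not from the patent). This cloud holds the security
# subnet; the drainage VMs it protects sit in the opposite-end drainage subnet.
OPPOSITE_DRAINAGE_SUBNET = ip_network("10.1.0.0/24")
GATEWAY_MAC = "02:00:00:00:ff:01"            # network card device / gateway MAC
OPPOSITE_INTERCONNECT_MAC = "02:00:00:00:0a:01"
SECURITY_NE_VM_MACS = ("02:00:00:00:5e:01", "02:00:00:00:5e:02")
BLOCKED_PORTS = {23, 445}                    # constructed policy of the security NE VM


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_mac: str


class SecurityNeVm:
    """Stand-in for the security network element VM: drops frames to a
    deny-listed destination port, passes everything else unchanged."""

    def __init__(self, mac: str):
        self.mac = mac
        self.seen: List[Frame] = []  # frames this VM has processed

    def process(self, frame: Frame) -> Optional[Frame]:
        self.seen.append(frame)
        return None if frame.dst_port in BLOCKED_PORTS else frame


class LocalInterconnectRouter:
    """Interconnection router of the cloud environment that holds the security subnet."""

    def __init__(self, vms: Iterable[SecurityNeVm]):
        self.vms = {vm.mac: vm for vm in vms}
        self._next_vm = cycle(list(self.vms))  # round robin for inward traffic

    def handle(self, frame: Frame) -> Optional[Frame]:
        if frame.dst_mac in self.vms:
            # Outbound: the opposite interconnection router already chose the VM
            # (dst MAC == a security NE VM). After processing, hand the frame to the
            # network card device by rewriting dst MAC to the gateway address.
            done = self.vms[frame.dst_mac].process(frame)
            return replace(done, dst_mac=GATEWAY_MAC) if done else None
        if frame.dst_mac == GATEWAY_MAC and ip_address(frame.dst_ip) in OPPOSITE_DRAINAGE_SUBNET:
            # Inward: pick a VM by load balancing, rewrite dst MAC to it, process,
            # then send toward the opposite interconnection router owning the dst IP.
            vm = self.vms[next(self._next_vm)]
            done = vm.process(replace(frame, dst_mac=vm.mac))
            return replace(done, dst_mac=OPPOSITE_INTERCONNECT_MAC) if done else None
        return None  # not part of either drainage path modelled here


def build_router() -> LocalInterconnectRouter:
    return LocalInterconnectRouter(SecurityNeVm(m) for m in SECURITY_NE_VM_MACS)


# Constructed sample frames: two outbound (one to a blocked port), two inward
# (one to a blocked port), and one inward frame for an address nobody drains.
SAMPLE_FRAMES = [
    Frame("10.1.0.5", "203.0.113.10", 443, SECURITY_NE_VM_MACS[0]),
    Frame("10.1.0.5", "203.0.113.10", 23, SECURITY_NE_VM_MACS[1]),
    Frame("198.51.100.3", "10.1.0.5", 443, GATEWAY_MAC),
    Frame("198.51.100.3", "10.1.0.5", 445, GATEWAY_MAC),
    Frame("198.51.100.3", "10.9.0.1", 443, GATEWAY_MAC),
]


def run(frames: List[Frame]) -> List[Optional[Frame]]:
    router = build_router()
    return [router.handle(f) for f in frames]


if __name__ == "__main__":
    for f, out in zip(SAMPLE_FRAMES, run(SAMPLE_FRAMES)):
        print(f.dst_ip, f.dst_port, "->", out.dst_mac if out else "dropped")
```

Because the outbound frame already carries the chosen VM's MAC, the receiving interconnection router needs no policy of its own to dispatch it; only inward traffic from the network card device has to be load-balanced here.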
The invention also provides a cross-regional network security processing device, which comprises:
the forwarding acquisition module is used for acquiring access flow sent by the virtual machine in the opposite-end drainage sub-network forwarded by the interconnection router of the opposite-end cloud environment by utilizing the interconnection router of the local-end cloud environment; the access flow comprises flow of accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
the default forwarding module is used for forwarding the access flow to a security network element virtual machine in the local security sub-network through a default router of the local security sub-network in the local cloud environment by using an interconnection router of the local cloud environment;
and the security processing module is used for carrying out traffic security processing on the access traffic by utilizing the security network element virtual machine and forwarding the access traffic after the traffic security processing to a destination network protocol address of the access traffic.
The invention also provides an electronic device, comprising:
a memory for storing a computer program;
and the processor is used for realizing the cross-regional network drainage processing method and/or the cross-regional network security processing method steps when executing the computer program.
In addition, the invention further provides a computer readable storage medium, and a computer program is stored on the computer readable storage medium, and the computer program realizes the cross-regional network drainage processing method and/or the cross-regional network security processing method steps when being executed by a processor.
The invention provides a cross-regional network drainage processing method, which comprises the following steps: acquiring a first access flow of a virtual machine in a local drainage subnet of a local cloud environment; the first access flow comprises flow for accessing an external network, wherein the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1; forwarding the first access traffic to a security network element virtual machine in an opposite-end security sub-network of an opposite-end cloud environment through an interconnection router by utilizing a default router of the local-end drainage sub-network so as to perform traffic security processing on the first access traffic by utilizing the security network element virtual machine and forwarding the first access traffic after the traffic security processing to a destination network protocol address of the first access traffic; the default router is a virtual router of the virtual private cloud;
The invention realizes the intercommunication of two or more sets of cloud environments by utilizing the arrangement of the interconnection router and the transit network; the setting of a default router of the sub-network is utilized to realize the intercommunication among the sub-networks of the cross-cloud environment; through utilizing the default router of the local end drainage sub-network, forwarding the first access flow to the security network element virtual machine in the opposite end security sub-network of the opposite end cloud environment through the interconnection router, the security service drainage between different areas of the cross-cloud platform can be realized by utilizing the security network element in the opposite end cloud environment to safely process the flow of the access flow, and the network security performance is improved. In addition, the invention also provides a cross-regional network drainage processing device, a cross-regional network security processing method, equipment and a computer readable storage medium, which also have the beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a cross-regional network drainage processing method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a cloud environment interworking structure of another cross-regional network drainage processing method according to an embodiment of the present invention;
fig. 3 is a schematic diagram of network element serial logic of another cross-regional network drainage processing method according to an embodiment of the present invention;
fig. 4 is a flowchart of a cross-regional network security processing method according to an embodiment of the present invention;
fig. 5 is a block diagram of a cross-regional network drainage processing device according to an embodiment of the present invention;
fig. 6 is a block diagram of a cross-regional network security processing apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
fig. 8 is a schematic diagram of a specific structure of an electronic device according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a computer readable storage medium according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, fig. 1 is a flowchart of a cross-regional network drainage processing method according to an embodiment of the present invention. The method may include:
step 101: acquiring a first access flow of a virtual machine in a local drainage subnet of a local cloud environment; the first access flow comprises flow for accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1.
It should be noted that, the local cloud environment in this embodiment may be a cloud environment of the local end (such as OpenStack cloud environment a in fig. 2), that is, a cloud environment operated by a processor in a local electronic device (such as a server). Correspondingly, the opposite-end cloud environment in this embodiment may be a cloud environment (such as OpenStack cloud environments A, B and C in fig. 2) in which the interconnection router and the interconnection router of the local-end cloud environment are connected through a transit network, that is, cloud environments other than the local-end cloud environment in two or more cloud environments interconnected through the transit network. The number of the opposite-end cloud environments is not limited to a specific number, for example, the number of the opposite-end cloud environments may be 1, or may be a positive integer greater than 1, as shown in fig. 2, and the number of the opposite-end cloud environments may be 2.
Correspondingly, the local-end drainage subnet in this embodiment may be a subnet created in the local-end cloud environment (such as subnet-1 in fig. 2), and the first access traffic may be traffic of a virtual machine in the local-end drainage subnet accessing a destination outside the local-end cloud environment. For example, the first access traffic may include traffic accessing the external network, that is, the destination IP (Internet Protocol) address of each first access traffic may be an external network IP address; the first access traffic may also include both traffic accessing the external network and traffic accessing the drainage subnet of an opposite-end cloud environment (i.e., the opposite-end drainage subnet), that is, the destination IP address of each first access traffic may be an external network IP address or the IP address of a virtual machine within the opposite-end drainage subnet.
It can be understood that, the interconnection router in this embodiment may be a router for implementing communication between the local end cloud environment and the opposite end cloud environment, that is, the data interaction between the interconnection routers of the local end cloud environment and the opposite end cloud environment may be performed through a transit network. In the embodiment, the interconnection router of the local cloud environment and the interconnection router of the opposite cloud environment are connected through the transit network, so that the intercommunication of two or more sets of cloud environments is realized. The embodiment is not limited to a specific router type of the interconnection router, for example, the interconnection router may be a virtual router of an open virtual network (Open Virtual Network, OVN), and may also be other forms of virtual routers.
Accordingly, in this embodiment, default routers of the subnets (such as the local-end drainage subnet and the opposite-end security subnet), that is, virtual routers of the virtual private cloud (Virtual Private Cloud, VPC), are set. A virtual machine in a subnet of a cloud environment (the local-end or an opposite-end cloud environment) may communicate with the interconnection router of that cloud environment through the default router, so as to implement inter-subnet interworking across cloud environments. As shown in fig. 2, the OVN layer of the cloud environment of each region may create an interconnection router; the OVN layer adds an internal network and a transit network to the interconnection router in the form of interfaces, the internal network is added to a default router of the VPC layer (such as router-1 to router-3 in fig. 2), connection is implemented through an interconnection router link, the subnet CIDR (Classless Inter-Domain Routing) of the local end is issued to the OVN layer through an interface, and the OVN layer configures static routes on the default router and the interconnection router; meanwhile, a cross-regional call completes the issuing of the subnet CIDR and the related routes at the opposite end.
Correspondingly, the method provided by this embodiment may further include a process of creating the transit network so as to connect the local-end cloud environment and the opposite-end cloud environment. The concrete manner of creating the transit network may be set by the designer; for example, the transit network may be created together with the cloud connection. That is, before step 101, the processor may create a cloud connection between the local-end cloud environment and the opposite-end cloud environment using a network service component of the local-end cloud environment, and create a transit network between the interconnection router within the local-end cloud environment and the interconnection router of the opposite-end cloud environment, where each cloud connection corresponds to one transit network. For example, the processor may use neutron-server (the component responsible for providing network services in OpenStack): each time a cloud connection is created, a transit network is created correspondingly, and the name of the transit network uses the id of the cloud connection, so as to ensure that one cloud connection maps to one transit network; the cloud connection may be issued to multiple OpenStack clusters that need to interwork. In this embodiment, the transit network places the multiple cloud environments at the network planning level: multi-site interworking is planned in advance as interworking between network segments, and any other traffic that is to be shared is realized through security service drainage, so that the interworking logic between resource pools does not need to be pushed down to the user level, and network conflicts and interference with other services are avoided.
It should be noted that this embodiment is described by taking the traffic path between cloud environments connected by one transit network as an example. In order to facilitate traffic forwarding and avoid network conflicts (for example, the interfaces and static routes of the local-end router colliding with an internal or interconnection CIDR (Classless Inter-Domain Routing), with peer-to-peer connections, or with other network interconnection services such as multiple cloud connections or cloud private lines, where CIDR conflicts may arise), a drainage subnet and a security subnet are not set simultaneously in any one cloud environment connected by the same transit network. That is, where a local-end drainage subnet of the local-end cloud environment communicates with a subnet of an opposite-end cloud environment through a transit network, no security subnet that communicates with the subnet of the opposite-end cloud environment through that transit network is set in the local-end cloud environment; accordingly, in each opposite-end cloud environment communicating with the local-end drainage subnet through the transit network, the subnet communicating across cloud environments through the transit network may be either a drainage subnet or a security subnet. If a security subnet is set in the local-end cloud environment, that security subnet may communicate with the corresponding subnet of the opposite-end cloud environment through another, separately created transit network. The traffic paths corresponding to other transit networks between cloud environments may be implemented in the same or a similar manner as the method provided in this embodiment, which is not limited here.
Correspondingly, in this embodiment, a subnet of the cloud environment of the local end (i.e., the local-end cloud environment) is used as a drainage subnet (i.e., the local-end drainage subnet), all or part of the subnets of an opposite-end cloud environment are used as security subnets (i.e., opposite-end security subnets), and the virtual machines created in a security subnet can serve as security network elements (i.e., security network element virtual machines); the drainage subnet is the subnet protected by the security network elements, and the security subnet is the subnet into which security services are injected. This embodiment does not limit the number of subnets in the local-end and opposite-end cloud environments, or the number of virtual machines in each subnet. For example, when the number of opposite-end cloud environments is greater than or equal to 2, a part of the opposite-end cloud environments may set a security subnet, so that the security network element virtual machines in that security subnet perform the traffic security processing of security services on the access traffic of virtual machines in the drainage subnets of the local-end cloud environment and of the other opposite-end cloud environments (such as traffic accessing the external network, or traffic of the external network accessing the drainage subnet).
Accordingly, for the specific manner in which the processor obtains the first access flow of the virtual machine in the local drainage subnetwork of the local cloud environment in this embodiment, that is, the first access flow of the virtual machine in the local drainage subnetwork, the method may be set by the designer according to the practical scenario and the user requirement, for example, the method may be implemented in the same or similar manner as the method in the prior art in which the virtual machine accesses the external network or the flow of the drainage subnetwork of the opposite cloud environment, which is not limited in this embodiment.
Step 102: forwarding the first access traffic to a security network element virtual machine in an opposite-end security sub-network of an opposite-end cloud environment through an interconnection router by utilizing a default router of the local-end drainage sub-network so as to perform traffic security processing on the first access traffic by utilizing the security network element virtual machine and forwarding the first access traffic after the traffic security processing to a destination IP address of the first access traffic; the default router is a virtual router of the virtual private cloud.
It can be understood that in this embodiment, the default router of the local end drainage subnet and the interconnection router of the local end cloud environment may be utilized to forward the first access traffic to the interconnection router of the opposite end cloud environment, and the first access traffic is forwarded to the security network element virtual machine in the opposite end security subnet through the default router of the opposite end security subnet, so that the security network element virtual machine may be utilized to perform traffic security processing on the access external network, and achieve the drainage of the security service.
Correspondingly, the specific manner in which the processor uses the default router of the local-end drainage subnet to forward the first access traffic through the interconnection router to the security network element virtual machine in the opposite-end security subnet of the opposite-end cloud environment may be set by the designer according to the practical scenario and user requirements. For example, the processor may use the default router of the local-end drainage subnet to modify the destination mac (Media Access Control) address (i.e., the destination physical address) of the first access traffic and forward the first access traffic through the interconnection router to the security network element virtual machine in the opposite-end security subnet. That is, by modifying the destination mac address of the first access traffic, the default router of the local-end drainage subnet enables the interconnection router of the local-end cloud environment to identify the first access traffic that is to be drained to the security network element virtual machine. For example, in this step the processor uses the default router of the local-end drainage subnet to modify the destination mac address of the first access traffic into the mac address of the interconnection router of the local-end cloud environment or a preset mac address, and forwards the first access traffic to the interconnection router of the local-end cloud environment; the interconnection router of the local-end cloud environment then forwards the first access traffic to the interconnection router of the opposite-end cloud environment, which forwards it through the default router of the opposite-end security subnet to the security network element virtual machine.
For example, according to the destination mac address and the source IP address of the access traffic, the interconnection router of the local-end cloud environment may identify as first access traffic the access traffic whose destination mac address is the mac address of the interconnection router of the local-end cloud environment and whose source IP address is the IP address of a virtual machine in the local-end drainage subnet, so that the interconnection router of the local-end cloud environment determines the security network element virtual machine that processes the first access traffic and forwards the first access traffic to that security network element virtual machine in the opposite-end security subnet, thereby implementing security service drainage of the first access traffic. Correspondingly, as shown in fig. 3, when the cloud environment of place A is the local-end cloud environment and the security network element virtual machines are in subnet-2 of place B or subnet-3 of place C, the traffic (i.e., the first access traffic) of virtual machine-1 in drainage subnet-1 (i.e., the local-end drainage subnet) accessing the external network can be forwarded to the interconnection router (vif 1) of the cloud environment of place A; the interconnection router can identify the traffic accessing the external network by matching the source IP address (an IP address of drainage subnet-1) and the destination mac address (the mac address of vif 1) and execute policy routing to import it into a security network element virtual machine, that is, the traffic passing through virtual machine-1 can be imported into a security network element virtual machine (security network element B1, B2 or C) of place B or C for traffic security processing; the traffic processed by the security network element virtual machine is forwarded to the external network according to its destination IP address, for example through the interconnection router (vif 4) corresponding to the external network, and then to the external network through a network card device (for example, the service network card of a computing node).
Correspondingly, the processor can also modify the destination mac address of the first access flow into the mac address or the preset mac address of the security network element virtual machine by using the default router of the local drainage subnet, and forward the first access flow to the interconnection router of the local cloud environment, so that the security network element virtual machine for processing the first access flow is directly determined by the default router of the local drainage subnet, or the destination mac address of the first access flow is directly modified into the preset mac address, and the recognition and matching of the interconnection router of the local cloud environment on the first access flow are facilitated.
Further, the first access traffic may include only traffic accessing the external network (i.e., north-south traffic), or both traffic accessing the external network and traffic (i.e., east-west traffic) of virtual machines in the local-end drainage subnet accessing virtual machines in the drainage subnet of an opposite-end cloud environment (i.e., the opposite-end drainage subnet). In this embodiment, a switch capable of masking east-west traffic may be provided, so as to avoid east-west traffic being drained to the security network elements and reduce their load. For example, the interconnection router of the local-end cloud environment may be used to mask east-west traffic: in the process of forwarding the first access traffic through the interconnection router to the security network element virtual machine in the opposite-end security subnet in step 102, the processor may use the interconnection router of the local-end cloud environment to determine the first access traffic from the access traffic forwarded by the default router of the local-end drainage subnet according to east-west access mask configuration information, where the east-west access mask configuration information is either east-west access masked or east-west access not masked. For example, if the configuration is east-west access not masked, the access traffic whose source IP address is the IP address of a virtual machine in the local-end drainage subnet is determined as first access traffic; if the configuration is east-west access masked, the access traffic whose source IP address is the IP address of a virtual machine in the local-end drainage subnet and whose destination IP address is an external network IP address is determined as first access traffic.
For example, in this embodiment, if the east-west access mask configuration information is east-west access not masked, the interconnection router of the local-end cloud environment may directly determine as first access traffic the access traffic whose source IP address is the IP address of a virtual machine in the local-end drainage subnet and whose destination mac address is the mac address of the interconnection router of the local-end cloud environment; if the configuration is east-west access masked, the interconnection router of the local-end cloud environment may determine as first access traffic the access traffic whose source IP address is the IP address of a virtual machine in the local-end drainage subnet, whose destination mac address is the mac address of the interconnection router of the local-end cloud environment, and whose destination IP address is not the IP address of a virtual machine in the opposite-end drainage subnet. That is, among the access traffic whose source IP address is the IP address of a virtual machine in the local-end drainage subnet and whose destination mac address is the mac address of the interconnection router of the local-end cloud environment, the traffic whose destination IP address is not the IP address of a virtual machine in the opposite-end drainage subnet may be determined as north-south traffic whose destination IP address is an external network IP address, and the traffic whose destination IP address is the IP address of a virtual machine in the opposite-end drainage subnet may be determined as east-west traffic.
Further, there may be multiple security network element virtual machines, for example multiple security network element virtual machines in one opposite-end security subnet and/or multiple opposite-end security subnets; in this embodiment, traffic paths may be arranged for the traffic (such as the first access traffic) that needs to be processed by the security network element virtual machines, so as to implement traffic load balancing across them. For example, load balancing may be implemented by the interconnection router of the local-end cloud environment: in the process of forwarding the first access traffic through the interconnection router to the security network element virtual machine in the opposite-end security subnet in step 102, the processor may use the interconnection router of the local-end cloud environment to determine, by a load balancing policy, the target security network element virtual machine corresponding to the current first access traffic, where the target security network element virtual machine is any security network element virtual machine in an opposite-end security subnet; the interconnection router of the local-end cloud environment then modifies the destination mac address of the current first access traffic into the mac address of that target security network element virtual machine and forwards the current access traffic to the interconnection router of the opposite-end cloud environment corresponding to the target security network element virtual machine, namely the interconnection router of the opposite-end cloud environment where the target security network element virtual machine is located, so that the current access traffic is forwarded to the target security network element virtual machine for traffic security processing.
The specific content of the above load balancing policy may be set by the designer; for example, it may be implemented in the same or a similar manner as existing traffic load balancing methods. For example, in this embodiment, the ECMP (Equal-Cost Multi-Path) routing function of OVN policy routing may be utilized: a plurality of next-hop destination IP addresses (i.e., the IP addresses of the security network elements) are specified, and when the reroute action is performed, a hash algorithm selects one of the next-hop destination IP addresses, so as to achieve traffic load balancing; that is, the interconnection router of the local-end cloud environment can perform load balancing on the first access traffic by a hash algorithm and determine the target security network element virtual machine corresponding to each first access traffic. The interconnection router of the local-end cloud environment may also determine the target security network element virtual machine corresponding to the current first access traffic by a priority-based load balancing policy. This embodiment does not impose any limitation on this.
Further, in this embodiment, the interconnection router of the local-end cloud environment may further obtain access traffic (i.e., second access traffic) that has been processed by a security network element virtual machine and is destined for the local-end drainage subnet, for example traffic (i.e., north-south traffic) of the external network accessing a virtual machine in the local-end drainage subnet or traffic (i.e., east-west traffic) of a drainage subnet accessing a virtual machine in the local-end drainage subnet, so as to forward the second access traffic through the default router of the local-end drainage subnet to the virtual machine in the local-end drainage subnet corresponding to its destination IP address. For example, the method provided by this embodiment may further include: obtaining, by the interconnection router of the local-end cloud environment, second access traffic forwarded by a security network element virtual machine in the opposite-end security subnet, where the destination IP address of the second access traffic is the IP address of a virtual machine in the local-end drainage subnet and the source mac address (i.e., source physical address) is the mac address (i.e., physical address) of the security network element virtual machine; and forwarding, by the interconnection router of the local-end cloud environment, the second access traffic through the default router of the local-end drainage subnet to the virtual machine in the local-end drainage subnet.
Correspondingly, after the security network element virtual machine processes the access traffic, the source mac address and the destination IP address can be modified to be the mac address (i.e., the network element interface mac address) of the security network element virtual machine, so that the interconnection router can identify the processed access traffic.
Furthermore, in this embodiment, the interconnection router of the local-end cloud environment may further obtain traffic (i.e., third access traffic) of the external network accessing a drainage subnet before it is processed by a security network element virtual machine, for example traffic of the external network accessing the local-end drainage subnet or accessing a virtual machine in the opposite-end drainage subnet, so as to forward the third access traffic to a security network element virtual machine in the opposite-end security subnet and perform security service drainage on the traffic of the external network accessing virtual machines in the drainage subnets. For example, the method provided by this embodiment may further include: obtaining, by the interconnection router of the local-end cloud environment, third access traffic forwarded by the network card device, where the destination IP address of the third access traffic is the IP address of a virtual machine in the local-end drainage subnet or the opposite-end drainage subnet and the destination mac address is the gateway mac address; and forwarding, by the interconnection router of the local-end cloud environment, the third access traffic to a security network element virtual machine in an opposite-end security subnet of the opposite-end cloud environment, so that the security network element virtual machine performs traffic security processing on the third access traffic and forwards the processed third access traffic to its destination IP address.
That is, the interconnection router of the local-end cloud environment can match traffic whose destination IP address belongs to a drainage subnet and whose destination mac address is the gateway interface mac address, and import it into a security network element; the traffic processed by the security network element is then forwarded to the virtual machine in the drainage subnet according to its destination IP address.
Accordingly, in some embodiments, the traffic load balancing of the security network element virtual machine may be implemented by adopting an interconnection router of the local cloud environment; in the process of forwarding the third access flow to the security network element virtual machine in the opposite-end security sub-network of the opposite-end cloud environment by using the interconnection router of the local-end cloud environment, the processor may determine the target security network element virtual machine corresponding to the current third access flow by using the interconnection router of the local-end cloud environment and adopting a load balancing policy; the current third access flow is any third access flow, and the target security network element virtual machine is any security network element virtual machine in the opposite-end security subnet or the local-end security subnet; and modifying the destination mac address of the current access flow into the mac address of the target security network element virtual machine corresponding to the current third access flow by using the interconnection router of the local cloud environment, and forwarding the current access flow to the interconnection router of the opposite cloud environment where the target security network element virtual machine corresponding to the current third access flow is located.
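The interconnection router's classification and steering rules described above (first access traffic with the east-west mask, hash-based ECMP choice of a security network element, second access traffic recognised by its source mac, third access traffic recognised by the gateway mac), as an added illustrative model in Python; this is not code from the patent or from OVN, every subnet, mac address and network element name in it is constructed, and the SHA-256 flow hash is an assumed stand-in for the hash OVN's policy-routing ECMP uses.

```python
"""Added example (not from the patent): a model of the interconnection router's
traffic classification and steering rules in the local-end cloud environment.
All subnets, mac addresses and security network element names are constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology: place A is the local end; B and C hold security subnets.
LOCAL_DRAIN_SUBNET = ipaddress.ip_network("10.1.0.0/24")    # local-end drainage subnet-1
PEER_DRAIN_SUBNETS = [ipaddress.ip_network("10.2.0.0/24")]  # opposite-end drainage subnets
INTERCONNECT_MAC = "02:00:00:00:0a:01"   # mac of the local interconnection router (vif)
GATEWAY_MAC = "02:00:00:00:0a:fe"        # gateway interface mac carried by external traffic
# Security network element VMs in opposite-end security subnets: name -> (ip, mac)
SEC_NE_VMS = {
    "B1": ("10.3.0.11", "02:00:00:00:0b:11"),
    "B2": ("10.3.0.12", "02:00:00:00:0b:12"),
    "C": ("10.4.0.11", "02:00:00:00:0c:11"),
}
SEC_NE_MACS = {mac for _ip, mac in SEC_NE_VMS.values()}


@dataclass(frozen=True)
class Packet:
    """The header fields the interconnection router matches on."""
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


def _in_peer_drain(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in PEER_DRAIN_SUBNETS)


def classify(pkt: Packet, east_west_masked: bool) -> str:
    """Classify a packet as 'first', 'second', 'third', 'east_west' or 'other'.

    first:  local drainage VM -> interconnection router mac, to be drained to a
            security NE; with the east-west mask on, destinations inside an
            opposite-end drainage subnet are tagged 'east_west' instead.
    second: already processed by a security NE (source mac is an NE mac) and
            destined to a local drainage VM; handed to the local default router.
    third:  external network -> drainage VM, arriving with the gateway mac and
            not yet processed by a security NE.
    """
    src = ipaddress.ip_address(pkt.src_ip)
    dst = ipaddress.ip_address(pkt.dst_ip)
    if src in LOCAL_DRAIN_SUBNET and pkt.dst_mac == INTERCONNECT_MAC:
        if _in_peer_drain(dst):
            return "east_west" if east_west_masked else "first"
        return "first"
    if pkt.src_mac in SEC_NE_MACS and dst in LOCAL_DRAIN_SUBNET:
        return "second"
    if pkt.dst_mac == GATEWAY_MAC and (dst in LOCAL_DRAIN_SUBNET or _in_peer_drain(dst)):
        return "third"
    return "other"


def pick_security_ne(pkt: Packet) -> str:
    """ECMP-style next-hop choice: a flow hash over (src_ip, dst_ip) picks one
    security NE, so every packet of a flow reaches the same NE. SHA-256 is an
    assumed stand-in for the hash used by OVN policy-routing ECMP."""
    names = sorted(SEC_NE_VMS)
    digest = hashlib.sha256(f"{pkt.src_ip}->{pkt.dst_ip}".encode()).digest()
    return names[int.from_bytes(digest[:4], "big") % len(names)]


def steer(pkt: Packet, east_west_masked: bool = False):
    """Apply the interconnection router's policy routing to one packet.

    Returns (kind, next_hop, packet_out): for 'first' and 'third' traffic the
    destination mac is rewritten to the chosen security NE's mac; 'second'
    traffic goes to the local default router unchanged; 'east_west' (when
    masked) and 'other' traffic are not drained.
    """
    kind = classify(pkt, east_west_masked)
    if kind in ("first", "third"):
        target = pick_security_ne(pkt)
        return kind, target, replace(pkt, dst_mac=SEC_NE_VMS[target][1])
    if kind == "second":
        return kind, "local-default-router", pkt
    return kind, None, pkt


def distribution(flows) -> dict:
    """Count how many drained flows land on each security NE (load-balancing check)."""
    counts = {name: 0 for name in SEC_NE_VMS}
    for pkt in flows:
        kind, target, _ = steer(pkt)
        if kind in ("first", "third"):
            counts[target] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: VM-1 in drainage subnet-1 reaching an external address.
    outbound = Packet("10.1.0.5", "198.51.100.7", "02:00:00:00:01:05", INTERCONNECT_MAC)
    print(steer(outbound))
    flows = [Packet(f"10.1.0.{i}", "198.51.100.7", "02:00:00:00:01:00", INTERCONNECT_MAC)
             for i in range(1, 201)]
    print(distribution(flows))
```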
Further, before step 102, the processor may perform firewall processing on the first access traffic using a virtual machine in the local-end drainage subnet to obtain firewall-processed first access traffic; correspondingly, in step 102 the processor forwards the firewall-processed first access traffic through the interconnection router to the security network element virtual machine in the opposite-end security subnet using the default router of the local-end drainage subnet. That is, for the traffic path of a virtual machine in the drainage subnet accessing the external network: routing policy matching is performed locally on the virtual machine's traffic; after a hit, the traffic is routed to the firewall network element of the drainage subnet and imported into it from the tunnel network card; routing policy matching is performed on the firewall-processed traffic at the computing node, and after a match the traffic is imported into the security network element through the tunnel network; after processing by the security network element, the traffic is routed to match the destination network and flows out to the external network from the service network card after being forwarded by the external network route.
Correspondingly, for the traffic path of the external network accessing a virtual machine in the drainage subnet: after the southbound traffic passes through the service network card of the computing node, it matches policy routing in the interconnection router and is imported into a security network element through the tunnel network; the traffic processed by the security network element hits the policy routing in the default router and is rerouted through the tunnel network to the firewall network element of the security subnet; after firewall processing, the interconnection router routes the traffic to the destination virtual machine according to the destination IP address.
It should be noted that, in this embodiment, the processor may implement traffic forwarding of the OVN-layer interconnection router through data interception and synchronization processing of the two OVN databases (DBs), the NB (Northbound DB) and the SB (Southbound DB). For example, when the event listener process detects a change in the OVN NB, the data of the master node in the NB cluster is updated to the master node of the OVN SB cluster, from which it is synchronized to the other nodes of the OVN SB cluster and to the OVN controller node; when the OVN control service detects a change in the OVN SB database, it translates the logical flow table data in the OVN SB into OpenFlow (an open southbound interface protocol) messages and synchronizes them into the OVS flow table in the OVS DB, so as to implement traffic forwarding.
Further, when data in the OVS DB of OVN is lost or corrupted, or a node is restarted, the data is restored from MariaDB (a database management system) to the OVS DB by components implementing backup and restoration; for example, the MariaDB data is first restored to the master node of the OVN NB cluster, and after the master node NB is successfully restored it is synchronized to the other nodes in the OVN NB cluster, completing the synchronization of the OVN NB.
In the embodiment of the invention, two or more sets of cloud environments are interconnected by the arrangement of the interconnection router and the transit network; the default routers of the subnets are used to implement interworking among subnets across cloud environments; and by using the default router of the local-end drainage subnet to forward the first access traffic through the interconnection router to the security network element virtual machine in the opposite-end security subnet of the opposite-end cloud environment, the security network element in the opposite-end cloud environment can perform traffic security processing on the access traffic, so that security service drainage between different regions of a cross-cloud platform is realized and network security performance is improved.
Based on the above embodiment, the embodiment of the present invention further provides a cross-regional network security processing method, so as to perform traffic security processing on the drained access traffic, and improve network security performance. Accordingly, referring to fig. 4, fig. 4 is a flowchart of a cross-regional network security processing method according to an embodiment of the present invention. The method may include:
Step 201: acquiring access flow sent by a virtual machine in an opposite-end drainage subnet forwarded by an interconnection router of an opposite-end cloud environment by utilizing the interconnection router of the local-end cloud environment; the access flow comprises flow of accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1.
It can be understood that this embodiment is illustrated from the perspective of the subnet of the local-end cloud environment (i.e., the home-terminal cloud environment): the security network element virtual machine in the local-end security subnet of the local-end cloud environment performs the traffic security processing on the access traffic, so as to provide the security service. The interconnection router in this embodiment may be a virtual router of an open virtual network.
Correspondingly, in this step, the processor may obtain, by using the interconnection router of the local-end cloud environment, the access traffic (e.g., the first access traffic in the embodiment described above) sent by the virtual machine in the opposite-end drainage subnet and forwarded by the interconnection router of the opposite-end cloud environment, so as to forward the access traffic, by using the default router of the local-end security subnet, to the corresponding security network element virtual machine in the local-end security subnet and perform the traffic security processing on it. That is, the interconnection router of the local-end cloud environment can identify, according to the destination mac address of the access traffic, the traffic sent by the virtual machine in the opposite-end drainage subnet that needs to be forwarded to the security network element virtual machine in the local-end security subnet. For example, the destination mac address of the access traffic sent by the virtual machine in the opposite-end drainage subnet and forwarded by the interconnection router of the opposite-end cloud environment is the mac address of the security network element virtual machine in the local-end security subnet. When the destination mac address of the obtained access traffic is the mac address of the security network element virtual machine in the local-end security subnet, the interconnection router of the local-end cloud environment determines that the access traffic was sent by the virtual machine in the opposite-end drainage subnet and needs to be forwarded to the security network element virtual machine in the local-end security subnet, and forwards it to the corresponding security network element virtual machine in the local-end security subnet for processing.
Correspondingly, the processor in this step may directly use the interconnection router of the local-end cloud environment to obtain the access traffic forwarded by the interconnection router of the opposite-end cloud environment, for example, the access traffic sent by the virtual machine in the opposite-end drainage subnet and the access traffic from the external network to the drainage subnet. That is, the access traffic from the external network to the drainage subnet that is forwarded by the interconnection router of the opposite-end cloud environment may also be handled by the method provided in this embodiment, and forwarded to the corresponding security network element virtual machine in the local-end security subnet so as to perform traffic security processing on it.
Step 202: and forwarding the access flow to the security network element virtual machine in the local security sub-network through a default router of the local security sub-network in the local cloud environment by using an interconnection router of the local cloud environment.
The interconnection router of the local cloud environment in the step can forward the access flow to a default router of the local security subnet, and then the default router of the local security subnet forwards the access flow to a security network element virtual machine in the local security subnet.
Step 203: and carrying out flow security processing on the access flow by using the security network element virtual machine, and forwarding the access flow after the flow security processing to a destination IP address of the access flow.
It can be understood that, in this step, the processor may perform traffic security processing on the access traffic by using the secure network element virtual machine in the local secure subnet, so as to forward the access traffic after the traffic security processing to the destination IP address of the access traffic.
Correspondingly, the specific manner in which the security network element virtual machine forwards the access traffic after the traffic security processing to the destination IP address of the access traffic can be set by the designer. For example, the processor may forward the access traffic after the traffic security processing to the network card device by using the default router of the local-end security subnet and the interconnection router of the local-end cloud environment, so that the network card device forwards the access traffic after the traffic security processing to the destination IP address of the access traffic.
Furthermore, before forwarding the access traffic after the traffic security processing to the destination IP address of the access traffic, the processor may further perform firewall processing on the access traffic after the traffic security processing by using the security network element virtual machine, so as to obtain the access traffic after the firewall processing, so that the security network element virtual machine is used to forward the access traffic after the firewall processing to the destination IP address of the access traffic.
Furthermore, in this embodiment, the interconnection router of the local-end cloud environment may further obtain the traffic from the external network to the drainage subnet, for example, the traffic accessing the drainage subnet (i.e., the inward access traffic) that is not forwarded by the interconnection router of the opposite-end cloud environment. For example, the method provided by the embodiment may further include: acquiring inward access traffic forwarded by the network card device by using the interconnection router of the local-end cloud environment, where the destination IP address of the inward access traffic is the IP address of a virtual machine in the opposite-end drainage subnet and the destination mac address is the gateway mac address; and forwarding the inward access traffic to a security network element virtual machine in the local-end security subnet through the default router of the local-end security subnet by using the interconnection router of the local-end cloud environment, so as to perform traffic security processing on the inward access traffic by using the security network element virtual machine and forward the inward access traffic after the traffic security processing to the destination IP address of the inward access traffic.
Accordingly, in some embodiments, traffic load balancing across the security network element virtual machines may be implemented by the interconnection router of the local-end cloud environment; the process of forwarding the inward access traffic to the security network element virtual machine in the local-end security subnet through the default router of the local-end security subnet by using the interconnection router of the local-end cloud environment may include: determining, by using the interconnection router of the local-end cloud environment and a load balancing strategy, the target security network element virtual machine corresponding to the current inward access traffic, where the current inward access traffic is any inward access traffic and the target security network element virtual machine is any security network element virtual machine in the opposite-end security subnet or the local-end security subnet; and modifying, by using the interconnection router of the local-end cloud environment, the destination mac address of the current inward access traffic into the mac address of the target security network element virtual machine, and forwarding the current inward access traffic to the target security network element virtual machine. If the target security network element virtual machine is in the local-end security subnet, the current inward access traffic is forwarded to it through the default router of the local-end security subnet; if the target security network element virtual machine is in the opposite-end security subnet, the current inward access traffic is forwarded to it through the interconnection router of the opposite-end cloud environment.
In the embodiment of the invention, two or more sets of cloud environments are interconnected by arranging the interconnection router and the transit network; the default router of each subnet is used to realize intercommunication among the subnets of the cross-cloud environment; and by using the interconnection router of the local-end cloud environment to forward the access traffic, through the default router of the local-end security subnet in the local-end cloud environment, to the security network element virtual machine in the local-end security subnet, the security network element virtual machine in the local-end security subnet can perform traffic security processing on the access traffic drained from the opposite-end drainage subnet. This realizes security service drainage between different regions of the cross-cloud platform and improves network security performance.
Corresponding to the above method embodiment, the embodiment of the present invention further provides a cross-regional network drainage processing device, where a cross-regional network drainage processing device described below and a cross-regional network drainage processing method described above may be referred to correspondingly.
Referring to fig. 5, fig. 5 is a block diagram of a cross-regional network drainage processing device according to an embodiment of the present invention. The apparatus may include:
the acquiring module 10 is configured to acquire a first access flow of a virtual machine in a local drainage subnet of a local cloud environment; the first access flow comprises flow for accessing an external network, wherein the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
The forwarding module 20 is configured to forward, by using a default router of the local end drainage subnet, the first access traffic to a security network element virtual machine in an opposite end security subnet of the opposite end cloud environment through an interconnection router, so as to perform traffic security processing on the first access traffic by using the security network element virtual machine, and forward the first access traffic after the traffic security processing to a destination IP address of the first access traffic; the default router is a virtual router of the virtual private cloud.
In some embodiments, the forwarding module 20 may be specifically configured to modify a destination mac address of the first access traffic by using a default router of the local end drainage subnet, and forward the first access traffic to a secure network element virtual machine in an opposite end secure subnet of the opposite end cloud environment through the interconnection router.
In some embodiments, forwarding module 20 may include:
the first routing sub-module is used for modifying the destination mac address of the first access flow into the mac address of the interconnection router of the local cloud environment by using the default router of the local drainage sub-network, and forwarding the first access flow to the interconnection router of the local cloud environment;
and the second routing sub-module is used for forwarding the first access flow to the interconnection router of the opposite-end cloud environment by using the interconnection router of the local-end cloud environment so as to forward the first access flow to the security network element virtual machine by using the interconnection router of the opposite-end cloud environment through the default router of the opposite-end security sub-network.
In some embodiments, the apparatus may further comprise:
the firewall processing module is used for performing firewall processing on the first access flow by utilizing the virtual machine in the local end drainage subnet to obtain the first access flow after firewall processing;
correspondingly, the forwarding module 20 may be specifically configured to forward, by using a default router of the local end drainage subnet, the first access traffic processed by the firewall to a secure network element virtual machine in the opposite end secure subnet through the interconnection router.
In some embodiments, forwarding module 20 may include:
the shielding configuration sub-module is used for determining a first access flow from access flows forwarded by a default router of the local drainage sub-network according to east-west access shielding configuration information by utilizing an interconnection router of the local cloud environment; the east-west access mask configuration information is east-west access mask or east-west access non-mask.
In some embodiments, the shielding configuration sub-module may include:
the first determining unit is used for determining the access flow of which the source IP address is the virtual machine IP address of the local drainage subnet in the access flow as the first access flow if the east-west access shielding configuration information is that the east-west access is not shielded;
And the second determining unit is used for determining that the source IP address in the access traffic is the virtual machine IP address of the local drainage subnet and the destination IP address is the external network IP address as the first access traffic if the east-west access mask configuration information is the east-west access mask.
In some embodiments, forwarding module 20 may include:
the load balancing sub-module is used for determining a target security network element virtual machine corresponding to the current first access flow by using an interconnection router of the local cloud environment and adopting a load balancing strategy; the target security network element virtual machine is any security network element virtual machine in the opposite-end security sub-network;
and the balanced forwarding sub-module is used for modifying the destination mac address of the current first access flow into the mac address of the target security network element virtual machine by using the interconnection router of the local end cloud environment, and forwarding the current access flow to the interconnection router of the opposite end cloud environment corresponding to the target security network element virtual machine.
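The following is an added illustration, not code from the patent, of how the shielding configuration sub-module's classification and the load balancing sub-module's destination mac rewrite could be implemented together in one interconnection router. It assumes a round-robin load balancing strategy, constructed subnets and mac addresses, and that an "external network IP address" is any address outside the prefixes known to the platform; it also covers the inward-traffic case in which the target security network element virtual machine may sit in the local-end security subnet.

```python
"""Constructed model of the interconnection router's steering decision.
Not the patent's code; subnets, MACs and the round-robin policy are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import cycle


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_mac: str


@dataclass(frozen=True)
class SecurityVM:
    name: str
    mac: str
    cloud: str  # "local" or the name of an opposite-end cloud environment


class InterconnectionRouter:
    """Interconnection router of the local-end cloud environment (hypothetical model)."""

    def __init__(self, drainage_subnet, internal_prefixes, east_west_masked, security_vms):
        self.drainage_subnet = ip_network(drainage_subnet)
        # every prefix known to the cross-cloud platform; anything else counts as external
        self.internal_prefixes = [ip_network(p) for p in internal_prefixes]
        # east-west access shielding configuration information: masked or not masked
        self.east_west_masked = east_west_masked
        # assumed load balancing strategy: round robin over the security network element VMs
        self._next_vm = cycle(security_vms)

    def is_external(self, ip):
        addr = ip_address(ip)
        return not any(addr in prefix for prefix in self.internal_prefixes)

    def is_first_access(self, flow):
        """Shielding configuration sub-module: is this flow 'first access traffic'?"""
        from_drainage = ip_address(flow.src_ip) in self.drainage_subnet
        if not self.east_west_masked:
            # not masked: every flow sourced from the local drainage subnet is steered
            return from_drainage
        # masked: only flows from the drainage subnet towards the external network
        return from_drainage and self.is_external(flow.dst_ip)

    def steer(self, flow):
        """Load balancing sub-module: pick a target security VM and rewrite dst mac.

        Returns (next_hop, rewritten_flow), or (None, flow) when the flow is not steered.
        """
        if not self.is_first_access(flow):
            return None, flow
        target = next(self._next_vm)
        steered = replace(flow, dst_mac=target.mac)
        if target.cloud == "local":
            # target is in the local-end security subnet: hand to its default router
            return "default-router:local-security-subnet", steered
        # target is in an opposite-end security subnet: hand to that cloud's interconnection router
        return f"interconnection-router:{target.cloud}", steered


# Constructed sample topology (not from the page)
SECURITY_VMS = [
    SecurityVM("sec-vm-local", "02:00:00:00:01:01", "local"),
    SecurityVM("sec-vm-peer", "02:00:00:00:02:01", "peer-cloud-B"),
]
INTERNAL_PREFIXES = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]


def demo(east_west_masked):
    router = InterconnectionRouter("10.1.0.0/24", INTERNAL_PREFIXES, east_west_masked, SECURITY_VMS)
    flows = [
        Flow("10.1.0.5", "203.0.113.7", "02:00:00:00:00:aa"),  # drainage VM -> external
        Flow("10.1.0.5", "10.2.0.9", "02:00:00:00:00:aa"),     # drainage VM -> east-west
        Flow("10.3.0.1", "203.0.113.7", "02:00:00:00:00:aa"),  # not from the drainage subnet
    ]
    return [router.steer(f) for f in flows]


if __name__ == "__main__":
    for masked in (True, False):
        print(f"east-west masked={masked}")
        for hop, flow in demo(masked):
            print(f"  {flow.src_ip} -> {flow.dst_ip}: next hop={hop}, dst mac={flow.dst_mac}")
```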
In some embodiments, the interconnection router is a virtual router of an open virtual network.
In some embodiments, the apparatus may further comprise:
the creation module is used for creating a cloud connection between the local-end cloud environment and the opposite-end cloud environment by utilizing the network service component of the local-end cloud environment, and creating a transit network between the interconnection router in the local-end cloud environment and the interconnection router in the opposite-end cloud environment; wherein each cloud connection corresponds to one transit network.
In some embodiments, the drainage subnetwork and the security subnetwork are not simultaneously provided within each cloud environment that is connected through the same transit network.
In some embodiments, the apparatus may further comprise:
the post-processing acquisition module is used for acquiring a second access flow forwarded by the security network element virtual machine in the opposite-end security sub-network by utilizing the interconnection router of the local-end cloud environment; the destination IP address of the second access flow is the IP address of the virtual machine of the local drainage subnet, and the source mac address is the mac address of the virtual machine of the security network element;
and the processed forwarding module is used for forwarding the second access flow to the virtual machine in the local drainage subnetwork through the default router of the local drainage subnetwork by using the interconnection router of the local cloud environment.
In some embodiments, the apparatus may further comprise:
the external acquisition module is used for acquiring a third access flow forwarded by the network card equipment by utilizing the interconnection router of the local cloud environment; the destination IP address of the third access flow is the virtual machine IP address of the local end drainage subnet or the opposite end drainage subnet, and the destination mac address is the gateway mac address;
and the external forwarding module is used for forwarding the third access flow to a security network element virtual machine in an opposite-end security subnet of the opposite-end cloud environment by using an interconnection router of the local-end cloud environment so as to perform flow security processing on the third access flow by using the security network element virtual machine and forwarding the third access flow after the flow security processing to a destination IP address of the third access flow.
In some embodiments, the external forwarding module may include:
the external load balancing sub-module is used for determining a target security network element virtual machine corresponding to the current third access flow by using an interconnection router of the local cloud environment and adopting a load balancing strategy; the current third access flow is any third access flow, and the target security network element virtual machine is any security network element virtual machine in the opposite-end security subnet or the local-end security subnet;
and the external balanced forwarding sub-module is used for modifying the destination mac address of the current access flow into the mac address of the target security network element virtual machine corresponding to the current third access flow by using the interconnection router of the local cloud environment, and forwarding the current access flow to the interconnection router of the opposite cloud environment where the target security network element virtual machine corresponding to the current third access flow is located.
In the embodiment of the invention, the two or more sets of cloud environments are communicated by utilizing the arrangement of the interconnection router and the transit network; the setting of a default router of the sub-network is utilized to realize the intercommunication among the sub-networks of the cross-cloud environment; the forwarding module 20 forwards the first access traffic to the security network element virtual machine in the opposite-end security sub-network of the opposite-end cloud environment through the interconnection router by utilizing the default router of the local-end drainage sub-network, so that the traffic security processing of the access traffic by utilizing the security network element in the opposite-end cloud environment can be realized, the security service drainage among different areas of the cross-cloud platform is realized, and the network security performance is improved.
Corresponding to the above method embodiment, the embodiment of the present invention further provides a cross-regional network security processing apparatus, where a cross-regional network security processing apparatus described below and a cross-regional network security processing method described above may be referred to correspondingly.
Referring to fig. 6, fig. 6 is a block diagram of a cross-regional network security processing apparatus according to an embodiment of the present invention. The apparatus may include:
the forwarding obtaining module 30 is configured to obtain, by using an interconnection router of the local end cloud environment, an access flow sent by a virtual machine in an opposite end drainage subnet forwarded by the interconnection router of the opposite end cloud environment; the access flow comprises the flow of accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
the default forwarding module 40 is configured to forward, by using an interconnection router of the local cloud environment, the access traffic to a security network element virtual machine in the local security subnet through a default router of the local security subnet in the local cloud environment;
the security processing module 50 is configured to perform traffic security processing on the access traffic by using the security network element virtual machine, and forward the access traffic after the traffic security processing to a destination IP address of the access traffic.
In some embodiments, the destination mac address of the access traffic is a mac address of the secure network element virtual machine.
In some embodiments, the security processing module 50 may include:
the security firewall sub-module is used for performing firewall processing on the access flow after the flow security processing by utilizing the security network element virtual machine to obtain the access flow after the firewall processing;
and the processing and forwarding sub-module is used for forwarding the access traffic processed by the firewall to the destination IP address of the access traffic by utilizing the security network element virtual machine.
In some embodiments, the security processing module 50 may include:
and the forwarding sub-module is used for forwarding the access flow after the flow security processing to the network card equipment through the interconnection router of the local cloud environment by utilizing the default router of the local security sub-network so as to forward the access flow after the flow security processing to the destination IP address of the access flow through the network card equipment.
In some embodiments, the apparatus may further comprise:
the inward acquisition module is used for acquiring inward access flow forwarded by the network card equipment by utilizing the interconnection router of the local cloud environment; the destination IP address of the inward access flow is the virtual machine IP address of the opposite end drainage subnet, and the destination mac address is the gateway mac address;
And the inward forwarding module is used for forwarding the inward access traffic to a security network element virtual machine in the local-end security subnet through the default router of the local-end security subnet by utilizing the interconnection router of the local-end cloud environment, so as to perform traffic security processing on the inward access traffic by utilizing the security network element virtual machine and forward the inward access traffic after the traffic security processing to the destination IP address of the inward access traffic.
In some embodiments, the inward forwarding module may include:
the inward balancing sub-module is used for determining a target security network element virtual machine corresponding to the current inward access flow by using an interconnection router of the local cloud environment and adopting a load balancing strategy; the current inward access flow is any inward access flow, and the target security network element virtual machine is any security network element virtual machine in the opposite-end security subnet or the local-end security subnet;
and the inward forwarding sub-module is used for modifying the destination mac address of the current access flow into the mac address of the target security network element virtual machine by utilizing the interconnection router of the local end cloud environment, and forwarding the current access flow to the target security network element virtual machine.
In the embodiment of the invention, two or more sets of cloud environments are interconnected by arranging the interconnection router and the transit network; the default router of each subnet is used to realize intercommunication among the subnets of the cross-cloud environment; and the default forwarding module 40 forwards the access traffic to the security network element virtual machine in the local-end security subnet by using the interconnection router of the local-end cloud environment and the default router of the local-end security subnet in the local-end cloud environment, so that the security network element virtual machine in the local-end security subnet can perform traffic security processing on the access traffic drained from the opposite-end drainage subnet, thereby realizing security service drainage between different regions of the cross-cloud platform and improving network security performance.
Corresponding to the above method embodiment, the embodiment of the present invention further provides an electronic device, where an electronic device described below may be referred to correspondingly with a cross-regional network drainage processing method and a cross-regional network security processing method described above.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the invention. The electronic device may include:
a memory D1 for storing a computer program;
and the processor D2 is configured to implement the cross-regional network drainage processing method and/or the cross-regional network security processing method provided by the foregoing method embodiment when executing the computer program.
Specifically, referring to fig. 8, fig. 8 is a schematic diagram of a specific structure of an electronic device according to an embodiment of the present invention, where the electronic device 310 may have a relatively large difference due to different configurations or performances, and may include one or more processors (central processing units, CPU) 322 (e.g., one or more processors) and a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing application programs 342 or data 344. Wherein the memory 332 and the storage medium 330 may be transitory or persistent. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instruction operations on the host. Still further, the central processor 322 may be configured to communicate with the storage medium 330 to execute a series of instruction operations in the storage medium 330 on the electronic device 310.
The electronic device 310 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341.
The electronic device 310 may be embodied as a server, such as a server of a cloud platform.
The steps in the above-described cross-regional network drainage processing method and/or cross-regional network security processing method may be implemented by the structure of the electronic device.
Corresponding to the above method embodiment, the present invention further provides a computer readable storage medium, where a computer readable storage medium described below and a cross-regional network drainage processing method and a cross-regional network security processing method described above may be referred to correspondingly.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a computer readable storage medium according to an embodiment of the invention. The computer-readable storage medium 60 stores a computer program 61, and the computer program 61 when executed by a processor implements the steps of the cross-regional network drainage processing method and/or the cross-regional network security processing method provided in the above method embodiments.
The computer-readable storage medium 60 may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
In this description, the embodiments are described in a progressive manner, each embodiment focusing on its differences from the others, so that the same or similar parts of the embodiments can be referred to among them. For the device disclosed in an embodiment, since it corresponds to the method disclosed in that embodiment, its description is relatively brief, and the relevant points can be found in the description of the method.
The above describes a cross-regional network drainage processing method, a cross-regional network security processing method, a device, equipment and a computer readable storage medium provided by the invention in detail. The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to facilitate an understanding of the method of the present invention and its core ideas. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the invention can be made without departing from the principles of the invention and these modifications and adaptations are intended to be within the scope of the invention as defined in the following claims.
Claims (23)
1. A cross-regional network drainage processing method, comprising:
acquiring a first access flow of a virtual machine in a local drainage subnet of a local cloud environment; the first access flow comprises flow for accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
forwarding the first access traffic to a security network element virtual machine in an opposite-end security subnet of the opposite-end cloud environment through the interconnection router by utilizing a default router of the home-end drainage subnet so as to perform traffic security processing on the first access traffic by utilizing the security network element virtual machine and forwarding the first access traffic after the traffic security processing to a destination network protocol address of the first access traffic; the default router is a virtual router of the virtual private cloud.
2. The method for cross-regional network drainage processing according to claim 1, wherein the forwarding, by using the default router of the local end drainage subnet, the first access traffic to a secure network element virtual machine in an opposite end secure subnet of the opposite end cloud environment through the interconnection router includes:
And modifying the destination physical address of the first access flow by using the default router of the local end drainage subnet, and forwarding the first access flow to a security network element virtual machine in an opposite end security subnet of the opposite end cloud environment through the interconnection router.
3. The method for cross-regional network drainage processing according to claim 2, wherein the modifying, by using a default router of the local end drainage subnet, a destination physical address of the first access traffic and forwarding, by the interconnection router, the first access traffic to a secure network element virtual machine in an opposite end secure subnet of the opposite end cloud environment includes:
modifying the target physical address of the first access flow into the physical address of the interconnection router of the local cloud environment by using the default router of the local drainage subnet, and forwarding the first access flow to the interconnection router of the local cloud environment;
and forwarding the first access flow to the interconnection router of the opposite end cloud environment by using the interconnection router of the local end cloud environment, so that the first access flow is forwarded to the security network element virtual machine by using the interconnection router of the opposite end cloud environment through the default router of the opposite end security sub-network.
4. The method for cross-regional network drainage processing according to claim 1, wherein before forwarding, by the default router of the local end drainage subnet, the first access traffic to a secure network element virtual machine in a peer secure subnet of the peer cloud environment through the interconnection router, the method further comprises:
performing firewall processing on the first access flow by using the virtual machine in the local drainage sub-network to obtain the first access flow after firewall processing;
correspondingly, the forwarding, by the default router of the local end drainage subnet, the first access traffic to a secure network element virtual machine in the opposite end secure subnet of the opposite end cloud environment through the interconnection router includes:
and forwarding the first access flow processed by the firewall to a security network element virtual machine in the opposite-end security sub-network through the interconnection router by utilizing the default router of the local-end drainage sub-network.
5. The method for cross-regional network drainage processing according to claim 1, wherein the forwarding, by using the default router of the local end drainage subnet, the first access traffic to a secure network element virtual machine in an opposite end secure subnet of the opposite end cloud environment through the interconnection router includes:
determining the first access flow from the access flow forwarded by the default router of the local drainage subnet according to east-west access mask configuration information by utilizing the interconnection router of the local cloud environment; the east-west access mask configuration information is either east-west access masked or east-west access not masked.
6. The method for cross-regional network drainage processing according to claim 5, wherein the determining, by the interconnection router using the local cloud environment, the first access traffic from access traffic forwarded by a default router of the local drainage subnet according to east-west access mask configuration information includes:
if the east-west access mask configuration information is that the east-west access is not masked, determining the access traffic of which the source network protocol address is the virtual machine network protocol address of the local end drainage subnet in the access traffic as the first access traffic;
and if the east-west access mask configuration information is the east-west access mask, determining that a source network protocol address in the access traffic is a virtual machine network protocol address of the local drainage subnet and a destination network protocol address is an external network protocol address as the first access traffic.
7. The method for cross-regional network drainage processing according to claim 1, wherein the forwarding, by using the default router of the local end drainage subnet, the first access traffic to a secure network element virtual machine in an opposite end secure subnet of the opposite end cloud environment through the interconnection router includes:
determining a target security network element virtual machine corresponding to the current first access flow by using an interconnection router of the local cloud environment and adopting a load balancing strategy; the current first access flow is any first access flow, and the target safety network element virtual machine is any safety network element virtual machine in the opposite-terminal safety sub-network;
and modifying the destination physical address of the current first access flow into the physical address of the target security network element virtual machine by using the interconnection router of the local cloud environment, and forwarding the current first access flow to the interconnection router of the opposite cloud environment corresponding to the target security network element virtual machine.
8. The cross-regional network drainage processing method of claim 1, wherein the interconnection router is a virtual router of an open virtual network.
9. The method for cross-regional network drainage processing according to claim 1, wherein before the obtaining the first access traffic of the virtual machine in the local drainage subnet of the local cloud environment, the method further comprises:
creating a cloud connection between the local cloud environment and the opposite end cloud environment by using a network service component of the local cloud environment, and creating the transit network between the interconnection router of the local cloud environment and the interconnection router of the opposite cloud environment; each cloud connection corresponds to one transit network.
10. The cross-regional network drainage processing method according to claim 1, wherein a drainage subnet and a security subnet are not both set up in any one of the cloud environments connected through the same transit network.
11. The cross-regional network drainage processing method of any of claims 1 to 10, further comprising:
acquiring a second access flow forwarded by a security network element virtual machine in the opposite-end security sub-network by using an interconnection router of the local-end cloud environment; the destination network protocol address of the second access flow is a virtual machine network protocol address of the local end drainage subnet, and the source physical address is a physical address of the security network element virtual machine;
and forwarding the second access flow to a virtual machine in the local drainage sub-network through a default router of the local drainage sub-network by using the interconnection router of the local cloud environment.
12. The cross-regional network drainage processing method of claim 11, further comprising:
acquiring a third access flow forwarded by the network card equipment by using the interconnection router of the local cloud environment; the destination network protocol address of the third access flow is a virtual machine network protocol address of the local end drainage subnet or the opposite end drainage subnet, and the destination physical address is a gateway physical address;
and forwarding the third access flow to a security network element virtual machine in an opposite-end security subnet of the opposite-end cloud environment by using the interconnection router of the local-end cloud environment, so as to perform flow security processing on the third access flow by using the security network element virtual machine, and forwarding the third access flow after the flow security processing to a destination network protocol address of the third access flow.
13. The method for cross-regional network drainage processing according to claim 12, wherein forwarding the third access traffic to a secure network element virtual machine in a peer secure subnet of the peer cloud environment by using the interconnection router of the local end cloud environment includes:
determining a target security network element virtual machine corresponding to the current third access flow by using an interconnection router of the local cloud environment and adopting a load balancing strategy; the current third access flow is any third access flow, and the target security network element virtual machine is any security network element virtual machine in the opposite-terminal security subnet or the local-terminal security subnet;
and modifying the destination physical address of the current third access flow into the physical address of the target security network element virtual machine corresponding to the current third access flow by using the interconnection router of the local cloud environment, and forwarding the current third access flow to the interconnection router of the opposite cloud environment where the target security network element virtual machine corresponding to the current third access flow is located.
14. A cross-regional network drainage processing apparatus, comprising:
the acquisition module is used for acquiring a first access flow of the virtual machine in the local drainage sub-network of the local cloud environment; the first access flow comprises flow for accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
the forwarding module is used for forwarding the first access traffic to a security network element virtual machine in an opposite-end security subnet of the opposite-end cloud environment through the interconnection router by utilizing a default router of the local-end drainage subnet so as to perform traffic security processing on the first access traffic by utilizing the security network element virtual machine and forwarding the first access traffic after the traffic security processing to a destination network protocol address of the first access traffic; the default router is a virtual router of the virtual private cloud.
15. A cross-regional network security processing method, comprising:
acquiring access flow sent by a virtual machine in an opposite-end drainage subnet forwarded by an interconnection router of an opposite-end cloud environment by utilizing the interconnection router of the local-end cloud environment; the access flow comprises flow of accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
forwarding the access flow to a security network element virtual machine in the local security sub-network by using an interconnection router of the local cloud environment and through a default router of the local security sub-network in the local cloud environment;
and carrying out flow security processing on the access flow by utilizing the security network element virtual machine, and forwarding the access flow after the flow security processing to a destination network protocol address of the access flow.
16. The method for cross-regional network security processing according to claim 15, wherein the destination physical address of the access traffic is a physical address of the secure network element virtual machine.
17. The cross-regional network security processing method of claim 15, wherein before forwarding the access traffic after traffic security processing to the destination network protocol address of the access traffic, further comprising:
performing firewall processing on the access traffic subjected to flow security processing by using the security network element virtual machine to obtain the access traffic subjected to firewall processing;
correspondingly, the forwarding the access traffic after traffic security processing to the destination network protocol address of the access traffic includes:
and forwarding the access traffic processed by the firewall to a destination network protocol address of the access traffic.
18. The cross-regional network security processing method of claim 15, wherein forwarding the access traffic after traffic security processing to a destination network protocol address of the access traffic comprises:
and forwarding the access flow after the flow security processing to network card equipment through an interconnection router of the local cloud environment by utilizing a default router of the local security subnet so as to forward the access flow after the flow security processing to a destination network protocol address of the access flow through the network card equipment.
19. The cross-regional network security processing method of claim 15, further comprising:
acquiring inward access flow forwarded by network card equipment by utilizing an interconnection router of the local cloud environment; the destination network protocol address of the inward access traffic is a virtual machine network protocol address of the opposite end drainage subnet, and the destination physical address is a gateway physical address;
forwarding the inward access flow to a security network element virtual machine in the local security sub-network through a default router of the local security sub-network by using the interconnection router of the local cloud environment, so as to perform flow security processing on the inward access flow by using the security network element virtual machine, and forwarding the inward access flow after the flow security processing to a destination network protocol address of the inward access flow.
20. The method for cross-regional network security processing according to claim 19, wherein forwarding the inward access traffic to a secure network element virtual machine within the home security subnet by the default router of the home security subnet using the interconnection router of the home cloud environment comprises:
determining a target security network element virtual machine corresponding to the current inward access flow by using an interconnection router of the local cloud environment and adopting a load balancing strategy; the current inward access flow is any inward access flow, and the target security network element virtual machine is any security network element virtual machine in a peer security subnet or a home security subnet;
and modifying the destination physical address of the current inward access flow into the physical address of the target security network element virtual machine by using the interconnection router of the local cloud environment, and forwarding the current inward access flow to the target security network element virtual machine.
21. A cross-regional network security processing apparatus, comprising:
the forwarding acquisition module is used for acquiring access flow sent by the virtual machine in the opposite-end drainage sub-network forwarded by the interconnection router of the opposite-end cloud environment by utilizing the interconnection router of the local-end cloud environment; the access flow comprises flow of accessing an external network, the interconnection router of the local end cloud environment is connected with the interconnection router of the opposite end cloud environment through a transit network, and the number of the opposite end cloud environments is greater than or equal to 1;
the default forwarding module is used for forwarding the access flow to a security network element virtual machine in the local security sub-network through a default router of the local security sub-network in the local cloud environment by using an interconnection router of the local cloud environment;
and the security processing module is used for carrying out traffic security processing on the access traffic by utilizing the security network element virtual machine and forwarding the access traffic after the traffic security processing to a destination network protocol address of the access traffic.
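As an added illustration that is not part of the patent or any product code, the following Python model walks through the forwarding decisions of claims 3, 6, 7, 11 and 15-16: the drainage-subnet default router rewrites the destination MAC to the local interconnection router, that router classifies first access traffic under the east-west mask setting, picks a security network element VM and rewrites the destination MAC again, and the opposite-end router delivers the frame to that VM; the return path of claim 11 is modelled too. The addresses, the single peer environment and the round-robin load-balancing policy are constructed assumptions (the claims do not fix a policy).

```python
"""Model of the cross-regional traffic steering ("drainage") path (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


# Constructed sample topology (assumption, not from the patent): one drainage
# subnet at the local end, one security subnet at opposite end "peer-A".
DRAINAGE_VM_IPS = {"10.1.0.10", "10.1.0.11"}
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8")]       # east-west destinations
LOCAL_ICR_MAC = "02:00:00:00:aa:01"                  # local interconnection router
SECURITY_VMS = [("02:00:00:00:bb:01", "peer-A"),     # (VM MAC, hosting peer)
                ("02:00:00:00:bb:02", "peer-A")]


def is_external(ip: str) -> bool:
    """True when the destination lies outside every internal prefix (north-south)."""
    return not any(ip_address(ip) in net for net in INTERNAL_PREFIXES)


def drainage_default_router(pkt: Packet) -> Packet:
    """Claim 3: the VPC default router rewrites the destination MAC to the local
    interconnection router; IP addresses are left untouched."""
    return replace(pkt, dst_mac=LOCAL_ICR_MAC)


class LocalInterconnectionRouter:
    """Claims 5-7 and 11 as seen by the local end's interconnection router."""

    def __init__(self, east_west_masked: bool):
        self.east_west_masked = east_west_masked
        self._next_vm = cycle(SECURITY_VMS)   # round-robin load balancing (assumption)

    def is_first_access(self, pkt: Packet) -> bool:
        """Claim 6: which of the frames handed over by the default router are steered."""
        from_drainage_vm = pkt.src_ip in DRAINAGE_VM_IPS
        if not self.east_west_masked:
            return from_drainage_vm                        # every flow from the VMs
        return from_drainage_vm and is_external(pkt.dst_ip)  # north-south flows only

    def steer(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        """Claim 7: choose a security VM, rewrite the destination MAC to it and
        return (peer router to forward to, rewritten frame); None if not steered."""
        if not self.is_first_access(pkt):
            return None
        vm_mac, peer = next(self._next_vm)
        return peer, replace(pkt, dst_mac=vm_mac)

    def return_path(self, pkt: Packet) -> Optional[str]:
        """Claim 11: a reply from a security VM addressed to a drainage VM goes
        back through the drainage subnet's default router."""
        security_macs = {mac for mac, _ in SECURITY_VMS}
        if pkt.dst_ip in DRAINAGE_VM_IPS and pkt.src_mac in security_macs:
            return "drainage-default-router"
        return None


def peer_interconnection_router(pkt: Packet) -> Optional[str]:
    """Claims 15-16: the opposite end hands the frame to the security VM whose
    MAC it already carries (via that subnet's default router); None if unknown."""
    for vm_mac, _ in SECURITY_VMS:
        if pkt.dst_mac == vm_mac:
            return vm_mac
    return None
```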
22. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the cross-regional network drainage processing method according to any of claims 1 to 13 and/or the steps of the cross-regional network security processing method according to any of claims 15 to 20 when executing the computer program.
23. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the cross-regional network drainage processing method of any of claims 1 to 13 and/or the cross-regional network security processing method steps of claims 15 to 20.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311295879.2A CN117040933B (en) | 2023-10-09 | 2023-10-09 | Cross-regional network drainage processing method, security processing method, device and equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311295879.2A CN117040933B (en) | 2023-10-09 | 2023-10-09 | Cross-regional network drainage processing method, security processing method, device and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117040933A CN117040933A (en) | 2023-11-10 |
CN117040933B true CN117040933B (en) | 2024-02-13 |
Family
ID=88634071
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311295879.2A Active CN117040933B (en) | 2023-10-09 | 2023-10-09 | Cross-regional network drainage processing method, security processing method, device and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117040933B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103746997A (en) * | 2014-01-10 | 2014-04-23 | 浪潮电子信息产业股份有限公司 | Network security solution for cloud computing center |
CN106487695A (en) * | 2015-08-25 | 2017-03-08 | 华为技术有限公司 | A kind of data transmission method, virtual network managing device and data transmission system |
CN111225071A (en) * | 2018-11-23 | 2020-06-02 | 深信服科技股份有限公司 | Cloud platform and cross-cloud platform network intercommunication system and method |
CN112291252A (en) * | 2020-11-02 | 2021-01-29 | 浪潮云信息技术股份公司 | Architecture and method for realizing symmetric flow guiding of north-south flow |
CN113010314A (en) * | 2021-03-17 | 2021-06-22 | 北京金山云网络技术有限公司 | Load balancing method and device and electronic equipment |
CN113542092A (en) * | 2021-05-27 | 2021-10-22 | 贵州电网有限责任公司 | Openstack-based automatic drainage method |
CN114448674A (en) * | 2021-12-27 | 2022-05-06 | 天翼云科技有限公司 | Distributed flow cleaning method and system |
WO2023050070A1 (en) * | 2021-09-28 | 2023-04-06 | 中远海运科技股份有限公司 | Method and device for cloud host total traffic network access protection |
CN116545665A (en) * | 2023-04-14 | 2023-08-04 | 济南浪潮数据技术有限公司 | Safe drainage method, system, equipment and medium |
Also Published As
Publication number | Publication date |
---|---|
CN117040933A (en) | 2023-11-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |