CN117176673A - Method, system, device and computer equipment for realizing peer-to-peer connection between subnetworks - Google Patents
- Publication number: CN117176673A (application CN202311257540.3A)
- Authority: CN (China)
- Prior art keywords: virtual router, virtual, data packet, router, subnet
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The disclosure relates to a method, a system, a device and computer equipment for realizing peer-to-peer connection between subnetworks, comprising: acquiring request information and network configuration information issued by a user; obtaining a first subnet to be connected with the local virtual private cloud, a first network to which the first subnet belongs, a second subnet to which the opposite virtual private cloud is to be connected, a second network to which the second subnet belongs, a local virtual private cloud virtual router and an opposite virtual private cloud virtual router according to the request information and the network configuration information; determining a first virtual router corresponding to the local virtual private cloud virtual router in the first switch according to the router mapping relation, and determining a second virtual router corresponding to the opposite virtual private cloud virtual router in the first switch according to the router mapping relation; transmitting the data packet sent by the first subnet to a first virtual router through a first network; receiving a data packet returned from the second virtual router; the data packet is sent to a second subnetwork of the second network.
Description
Technical Field
The present disclosure relates to the field of computer networks, and in particular, to a method, a system, an apparatus, and a computer device for implementing peer-to-peer connection between subnets.
Background
With the development of cloud computing technology, more and more enterprises migrate their services to the cloud, and cloud network resources are shared through switches and related devices. Cloud computing lets enterprises manage and use resources more efficiently while reducing management and maintenance costs. Because enterprises demand network security and network isolation, VPC (Virtual Private Cloud) technology emerged: the networks within one VPC can communicate with each other, while different VPCs are isolated from one another. To preserve this isolation while still letting designated subnets of some VPCs exchange traffic, peer-to-peer connection technology was developed.
A peer-to-peer connection is a cloud network solution based on physical network equipment. It offers higher security and stability, builds a network tunnel between two mutually isolated VPCs, and allows some subnets of the two VPCs to communicate with each other, satisfying both the isolation and the interconnection requirements. In the conventional peer-to-peer connection solution, however, the user generally has to perform complicated configuration and management on the hardware network devices; the operation is complex, more manpower has to be invested, and the enterprise's labour cost is high.
Disclosure of Invention
In view of this, the present disclosure provides a method, a system, an apparatus, and a computer device for implementing peer-to-peer connection between subnets, so as to solve the problem that in the conventional peer-to-peer connection solution, a user generally needs to perform complicated configuration and management on a hardware network device, and the operation is complex, so that more human resources need to be input.
In a first aspect, the present disclosure provides a method for implementing peer-to-peer connection between subnets, where the method is applied to a cloud platform, and the method includes:
acquiring request information and network configuration information issued by a user;
obtaining a first subnet to be connected with a local virtual private cloud, a first network to which the first subnet belongs, a second subnet to which an opposite-end virtual private cloud is to be connected, a second network to which the second subnet belongs, a local virtual private cloud virtual router and an opposite-end virtual private cloud virtual router according to request information and network configuration information, wherein the first subnet and the second subnet are network objects for realizing peer-to-peer connection, and network addresses of the first subnet and the second subnet are not overlapped;
determining a first virtual router corresponding to a home-end virtual private cloud virtual router in a first switch according to a router mapping relation, and determining a second virtual router corresponding to an opposite-end virtual private cloud virtual router in the first switch according to the router mapping relation, wherein the corresponding relation between each virtual router in each switch and the home-end virtual private cloud virtual router or the opposite-end virtual private cloud virtual router is stored in the router mapping relation;
Transmitting the data packet sent by the first subnet to a first virtual router through a first network;
receiving a data packet returned from the second virtual router;
the data packet is sent to a second subnetwork of the second network.
In the embodiment of the disclosure, a leaf-spine architecture is used to obtain the first switch on which the subnet peer-to-peer connection between the local virtual private cloud of the cloud platform and the opposite virtual private cloud depends. The first virtual router corresponding to the local virtual private cloud virtual router in the first switch, and the second virtual router corresponding to the opposite virtual private cloud virtual router in the first switch, are determined from the router mapping relation. The data packet sent by the first subnet to be connected of the local virtual private cloud is transmitted to the first virtual router of the first switch; the data packet returned by the second virtual router of the first switch is then received and sent to the second subnet of the second network. In this way intercommunication between different VPCs is achieved while the specific intercommunicating subnets are controlled at fine granularity, so that both the security requirement of network isolation between VPCs and the requirement of communication between subnets are met, and the problem that the user generally needs to carry out complicated configuration and management of hardware network equipment in the conventional peer-to-peer connection scheme is solved.
In an optional implementation manner, obtaining, according to the request information and the network configuration information, the first subnet to which the home-end virtual private cloud is to be connected, the first network to which the first subnet belongs, the second subnet to which the peer-end virtual private cloud is to be connected, the second network to which the second subnet belongs, the home-end virtual private cloud virtual router and the peer-end virtual private cloud virtual router includes:
determining a first subnet to be connected with the local virtual private cloud and a second subnet to be connected with the opposite virtual private cloud according to the request information;
and determining a home terminal virtual private cloud virtual router, an opposite terminal virtual private cloud virtual router, a first network and a second network according to the network configuration information.
In an alternative embodiment, there is at least one first subnet and at least one second subnet.
In a second aspect, an embodiment of the present disclosure provides a method for implementing peer-to-peer connection between subnets, where the method is applied to a first switch, and the method includes:
the method comprises the steps that a first virtual router receives a data packet sent by a first network from a home terminal virtual private cloud, wherein a mapping relation exists between the first virtual router of a first switch and the home terminal virtual private cloud virtual router, and the data packet is data sent by a first subnet to be connected in the first network of the home terminal virtual private cloud;
Transmitting the data packet to a third virtual router in the second switch, wherein the first virtual router and the third virtual router have a mapping relation;
the second virtual router receives the data packet returned by the fourth virtual router in the second switch, wherein the second virtual router and the fourth virtual router have a mapping relation;
and the second virtual router sends the data packet to the opposite-end virtual private cloud.
In the embodiment of the disclosure, through direct communication between the cloud platform and the physical switch, dependence of the cloud platform on a third party SDN is reduced, and network capacity and product competitiveness of the cloud platform are improved.
In a third aspect, an embodiment of the present disclosure provides a method for implementing peer-to-peer connection between subnets, where the method is applied to a second switch, and the method includes:
the third virtual router receives a data packet forwarded by a first virtual router in the first switch, wherein the third virtual router and the first virtual router have a mapping relation, and the data packet is data sent by a first subnet to be connected in a first network of the local virtual private cloud;
transmitting the data packet to the firewall through a third virtual router;
Receiving a verification passing instruction of the firewall and a returned data packet;
and sending the data packet to a second virtual router of the first switch through a fourth virtual router, wherein the second virtual router and the fourth virtual router have a mapping relation.
In the embodiment of the disclosure, based on hardware switch and firewall implementation, more reliable and more efficient network transmission capability can be provided compared with pure soft implementation.
In a fourth aspect, an embodiment of the present disclosure provides a method for implementing peer-to-peer connection between subnets, where the method is applied to a firewall, and the method includes:
receiving a data packet sent by a third virtual router in a second switch, wherein the data packet is data sent by a first subnet to be connected in a first network of a local virtual private cloud;
acquiring a source address and a target address of a data packet;
matching a preset rule according to the source address and the target address to obtain a matching result, wherein the preset rule is used for representing an original source address and an original target address;
and issuing a verification passing instruction and the data packet according to the matching result, and sending the data packet to a fourth virtual router of the second switch.
In the embodiment of the disclosure, the firewall is used to verify whether the data packet meets the preset rule, and then the matching result is used as the condition for forwarding the data packet, so that the safety of the inter-communication of the appointed network between the VPCs is improved.
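As an added illustration (not code from the patent), the firewall's verification step in Python: the preset rules are derived from the associated-subnet pairs, and a packet is forwarded only when its source and target address fall inside one rule's original source and target subnets. The 192.168.1.0/24 and 192.168.2.0/24 segments are the ones the description uses; the rule format, the packet representation and allowing the reverse direction of each rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class PresetRule:
    """One preset rule: the original source subnet and the original target
    subnet of an associated-subnet pair (first subnet -> second subnet)."""
    source: Net
    target: Net


def build_rules(associations: List[Tuple[str, str]],
                bidirectional: bool = True) -> List[PresetRule]:
    """Derive the firewall's preset rules from the associated-subnet pairs the
    cloud platform recorded. Assumption: the reverse direction is also allowed
    so that replies from the second subnet reach the first subnet."""
    rules: List[PresetRule] = []
    for own_cidr, peer_cidr in associations:
        own, peer = Net(own_cidr), Net(peer_cidr)
        rules.append(PresetRule(own, peer))
        if bidirectional:
            rules.append(PresetRule(peer, own))
    return rules


def match_rule(rules: List[PresetRule], src: str, dst: str) -> Optional[PresetRule]:
    """Match the packet's source and target address against the preset rules;
    return the first rule that covers both addresses, or None."""
    s, d = Addr(src), Addr(dst)
    for rule in rules:
        if s in rule.source and d in rule.target:
            return rule
    return None


def verify(rules: List[PresetRule],
           packet: Dict[str, str]) -> Tuple[str, Optional[Dict[str, str]]]:
    """Firewall decision for one packet (a dict with 'src' and 'dst').
    A match yields ('pass', packet): the verification-passing instruction plus
    the packet to hand to the fourth virtual router. Anything else is dropped,
    so a subnet of VPC1 that was never associated cannot reach VPC2 even though
    the two VPCs are peered."""
    if match_rule(rules, packet["src"], packet["dst"]) is not None:
        return ("pass", packet)
    return ("drop", None)


if __name__ == "__main__":
    rules = build_rules([("192.168.1.0/24", "192.168.2.0/24")])
    # constructed sample packets: VM1 -> VM2, an unassociated subnet -> VM2, VM2 -> VM1
    for pkt in ({"src": "192.168.1.10", "dst": "192.168.2.20"},
                {"src": "192.168.3.5", "dst": "192.168.2.20"},
                {"src": "192.168.2.20", "dst": "192.168.1.10"}):
        print(pkt, "->", verify(rules, pkt)[0])  # pass, drop, pass
```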
In a fifth aspect, an embodiment of the present disclosure provides a peer-to-peer connection system implemented between subnets, the system including a cloud platform, a first switch, a second switch, and a firewall;
the cloud platform acquires request information and network configuration information issued by a user;
the cloud platform obtains a first subnet to be connected with the local virtual private cloud, a first network to which the first subnet belongs, a second subnet to which the opposite virtual private cloud is to be connected, a second network to which the second subnet belongs, a local virtual private cloud virtual router and an opposite virtual private cloud virtual router according to the request information and the network configuration information, wherein the first subnet and the second subnet are network objects for realizing peer-to-peer connection, and network addresses of the first subnet and the second subnet are not overlapped;
the cloud platform determines a first virtual router corresponding to a local virtual private cloud virtual router in a first switch according to a router mapping relation, and determines a second virtual router corresponding to an opposite virtual private cloud virtual router in the first switch according to the router mapping relation, wherein the router mapping relation stores the corresponding relation between each virtual router in each switch and the local virtual private cloud virtual router or the opposite virtual private cloud virtual router;
The cloud platform sends a data packet sent by a first subnet to be connected with a local virtual private cloud to a first virtual router through a first network;
after the first virtual router of the first switch receives the data packet, the data packet is sent to a third virtual router of the second switch, wherein the third virtual router and the first virtual router have a mapping relation;
after the third virtual router receives the data packet, the data packet is sent to the firewall through the third virtual router;
after receiving the data packet, the firewall acquires a source address and a target address of the data packet;
the firewall matches a preset rule according to the source address and the target address to obtain a matching result, wherein the preset rule is used for representing an original source address and an original target address;
the firewall issues verification passing instructions and data packets according to the matching result, and sends the data packets to a fourth virtual router of the second switch;
after the fourth virtual router receives the data packet, the data packet is sent to a second virtual router of the first switch through the fourth virtual router, wherein the second virtual router and the fourth virtual router have a mapping relation;
after receiving the data packet, the second virtual router sends the data packet to the opposite-end virtual private cloud;
And after receiving the data packet, the opposite-end virtual private cloud virtual router of the cloud platform sends the data packet to a second subnet of the second network.
In a sixth aspect, an embodiment of the present disclosure provides a device for implementing peer-to-peer connection between subnets, where the device is a cloud platform, and the device includes:
the first acquisition module is used for acquiring request information and network configuration information issued by a user;
the first obtaining module is used for obtaining a first subnet to be connected with the local terminal virtual private cloud, a first network to which the first subnet belongs, a second subnet to which the opposite terminal virtual private cloud is to be connected, a second network to which the second subnet belongs, a local terminal virtual private cloud virtual router and an opposite terminal virtual private cloud virtual router according to the request information and the network configuration information, wherein the first subnet and the second subnet are network objects for realizing peer-to-peer connection, and network addresses of the first subnet and the second subnet are not overlapped;
the determining module is used for determining a first virtual router corresponding to the local virtual private cloud virtual router in the first switch according to the router mapping relation, and determining a second virtual router corresponding to the opposite virtual private cloud virtual router in the first switch according to the router mapping relation, wherein the corresponding relation between each virtual router in each switch and the local virtual private cloud virtual router or the opposite virtual private cloud virtual router is stored in the router mapping relation;
The first sending module is used for sending the data packet sent by the first subnet to the first virtual router through the first network;
the first receiving module is used for receiving the data packet returned by the second virtual router;
and the second sending module is used for sending the data packet to a second subnet of the second network.
In a seventh aspect, an embodiment of the present disclosure provides an apparatus for implementing peer-to-peer connection between subnets, where the apparatus is a first switch, and the apparatus includes:
the second receiving module is used for receiving a data packet sent by a first network from the local virtual private cloud by the first virtual router, wherein the first virtual router of the first switch and the local virtual private cloud virtual router have a mapping relation, and the data packet is data sent by a first subnet to be connected in the first network of the local virtual private cloud;
the third sending module is used for sending the data packet to a third virtual router in the second switch, wherein the first virtual router and the third virtual router have a mapping relation;
the third receiving module is used for receiving the data packet returned by the fourth virtual router from the second switch by the second virtual router, wherein the second virtual router and the fourth virtual router have a mapping relation;
And the fourth sending module is used for sending the data packet to the opposite-end virtual private cloud by the second virtual router.
In an eighth aspect, an embodiment of the present disclosure provides an apparatus for implementing peer-to-peer connection between subnets, the apparatus being a second switch, the apparatus including:
the fourth receiving module is used for receiving the data packet forwarded by the first virtual router in the first switch by the third virtual router, wherein the third virtual router and the first virtual router have a mapping relation, and the data packet is data sent by a first subnet to be connected in a first network of the local terminal virtual private cloud;
the fifth sending module is used for sending the data packet to the firewall through the third virtual router;
the fifth receiving module is used for receiving the verification passing instruction of the firewall and the returned data packet;
and the sixth sending module is used for sending the data packet to a second virtual router of the first switch through a fourth virtual router, wherein the second virtual router and the fourth virtual router have a mapping relation.
In a ninth aspect, an embodiment of the present disclosure provides an apparatus for implementing peer-to-peer connection between subnets, where the apparatus is a firewall, and the apparatus includes:
a sixth receiving module, configured to receive a data packet sent by a third virtual router in the second switch, where the data packet is data sent by a first subnet to be connected in a first network of the home terminal virtual private cloud;
The second acquisition module is used for acquiring the source address and the target address of the data packet;
the second obtaining module is used for obtaining a matching result according to a preset rule matched with the source address and the target address, wherein the preset rule is used for representing the original source address and the original target address;
and the seventh sending module is used for issuing a verification passing instruction and a data packet according to the matching result and sending the data packet to a fourth virtual router of the second switch.
In a tenth aspect, the present disclosure provides a computer device comprising a memory and a processor communicatively connected to each other, where the memory stores computer instructions and the processor executes the computer instructions so as to implement the method for peer-to-peer connection between subnets according to the first aspect or any implementation corresponding to the first aspect.
In an eleventh aspect, the present disclosure provides a computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method for implementing peer-to-peer connection between subnets according to the first aspect or any of its corresponding embodiments.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the prior art, the drawings that are required in the detailed description or the prior art will be briefly described, it will be apparent that the drawings in the following description are some embodiments of the present disclosure, and other drawings may be obtained according to the drawings without inventive effort for a person of ordinary skill in the art.
FIG. 1 is a schematic diagram of the interworking of various networks within a VPC;
FIG. 2 is a flow diagram of a method for implementing peer-to-peer connections between subnets according to an embodiment of the present disclosure;
FIG. 3 is a process interface schematic for creating a VPC according to an embodiment of the present disclosure;
FIG. 4 is an interface schematic for creating a peer-to-peer connection according to an embodiment of the present disclosure;
FIG. 5 is an interface schematic for creating an associated subnet according to an embodiment of the disclosure;
fig. 6 is a system-wide schematic diagram of a method of implementing peer-to-peer connections between subnets in accordance with an embodiment of the present disclosure;
fig. 7 is a flow diagram of a method for implementing peer-to-peer connections between subnets according to another embodiment of the present disclosure;
fig. 8 is a flow diagram of a method for implementing peer-to-peer connections between subnets in accordance with yet another embodiment of the present disclosure;
fig. 9 is a flow diagram of a method of implementing peer-to-peer connections between subnets according to yet another embodiment of the present disclosure;
fig. 10 is a block diagram of a structure of an inter-subnet peer-to-peer connection device according to an embodiment of the disclosure;
fig. 11 is a block diagram of a structure for implementing a peer-to-peer connection device between subnets according to another embodiment of the present disclosure;
fig. 12 is a block diagram of a structure of an inter-subnet implementing peer-to-peer connection device according to yet another embodiment of the disclosure;
fig. 13 is a block diagram of a structure of an inter-subnet implementing peer-to-peer connection device according to yet another embodiment of the disclosure;
Fig. 14 is a schematic diagram of a hardware structure of a computer device according to an embodiment of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. Based on the embodiments in this disclosure, all other embodiments that a person skilled in the art would obtain without making any inventive effort are within the scope of protection of this disclosure.
In current cloud computing technology, VPC (Virtual Private Cloud) technology emerged from enterprises' demands for network security and network isolation; a VPC is used to construct an isolated network environment, and networks in different VPCs do not communicate. After a user creates a VPC, a default router is automatically created within it. The user may then create networks within the VPC; once a network is created it is automatically connected to the default router, and the different networks connected to the default router can communicate with one another. That is, networks within a VPC are interconnected while networks across VPCs are isolated; see the schematic of intra-VPC network interworking in fig. 1.
To preserve network isolation between VPCs while letting designated subnets of some VPCs exchange traffic, peer-to-peer connection technology was developed. In the traditional peer-to-peer connection scheme the user generally has to perform complicated configuration and management on hardware network equipment; the operation is complex and requires more manpower, so the enterprise's labour cost is higher.
In order to solve the above-mentioned problem, an embodiment of the present disclosure proposes a method for implementing peer-to-peer connection between subnets, as shown in fig. 2, an execution subject of the method may be a cloud platform, and a flow of the method includes the following steps:
step S201, request information and network configuration information issued by a user are obtained.
Optionally, in the embodiment of the present disclosure, the cloud platform acts as the platform side that is closely associated with the user and receives the user's request information and network configuration information. From the request information the platform side learns that the user wants to implement a peer-to-peer connection between a subnet in one VPC and a subnet in another VPC in order to communicate data, and it also obtains the user's network configuration information for those subnets.
It can be appreciated that VPCs are private clouds, so in the embodiments of the disclosure the two VPCs are referred to as VPC1 (i.e., the home virtual private cloud) and VPC2 (i.e., the peer virtual private cloud); a subnet within VPC1 may be referred to as VM1 (i.e., a first subnet), and a subnet within VPC2 may be referred to as VM2 (i.e., a second subnet). The network configuration information mainly includes the network type, network segment and network segment ID, router, etc.
Step S202, a first subnet to be connected with a local virtual private cloud, a first network to which the first subnet belongs, a second subnet to which an opposite virtual private cloud is to be connected, a second network to which the second subnet belongs, a local virtual private cloud virtual router and an opposite virtual private cloud virtual router are obtained according to request information and network configuration information, wherein the first subnet and the second subnet are network objects for realizing peer-to-peer connection, and network addresses of the first subnet and the second subnet are not overlapped.
Optionally, the specific process of creating a VPC is shown in fig. 3, which includes the name, network type, physical network, IP type, IPv4 address, etc. that need to be configured when a subnet is added to the VPC. Subnets are added according to the user's request information, and the network information of each subnet is then determined from the network configuration information entered by the user and filled in at the corresponding position of fig. 3.
After the subnets to be connected have been acquired, the peer-to-peer connection itself must be established. As shown in fig. 4, a name is filled in and the home-end virtual data center, home-end virtual private cloud, opposite-end virtual data center and opposite-end virtual private cloud are selected; only one peer-to-peer connection can be established between two given VPCs.
After the peer-to-peer connection is established successfully, the cloud platform uses a Java NETCONF library to connect to physical network equipment such as a switch and sends an XML request to the switch; after the switch has been configured, the cloud platform receives the switch's response and processes it accordingly. For example, the cloud platform uses the Java NETCONF library to connect to a switch with the IP address 192.168.1.1, using admin/admin as the username and password. The cloud platform then sends an XML request to the switch at 192.168.1.1 that retrieves the information of the interface named eth-trunk1 and prints the response. Finally, the cloud platform disconnects from the switch.
At the same time, after the peer-to-peer connection is successfully created, a new piece of data is generated in the peer-to-peer connection list to prompt that the peer-to-peer connection is successfully created.
At this point the two VPCs have the basis for traffic interworking, but for two specific subnets in the VPCs at the two ends to communicate, associated subnets must also be created. As shown in fig. 5, the own subnets (i.e., the first subnets) and the opposite subnets (i.e., the second subnets) are filled in.
It should be noted that there may be several first subnets and several second subnets, and the subnets at the two ends may be in a many-to-many relationship. The network addresses of the first and second subnets must not overlap, that is:
1. The CIDRs (Classless Inter-Domain Routing) of the own subnet and the opposite subnet may not overlap.
2. Among the subnets with which the own subnet is associated, there may not be a subnet whose CIDR overlaps the opposite subnet.
3. Among the other subnets in the home-end virtual private cloud, there may not be a subnet whose CIDR overlaps the opposite-end network.
4. Among the subnets with which the opposite subnet is associated, there may not be a subnet whose CIDR overlaps the own subnet.
5. Among the other subnets in the opposite-end virtual private cloud, there may not be a subnet whose CIDR overlaps the local subnet.
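An added Python check (not the patent's code) for the five non-overlap rules, run by the cloud platform when an associated-subnet pair is requested: it returns the numbers of the rules the request violates, and a many-to-many request is validated pair by pair. The Vpc model, its record of existing associations and the sample subnets are assumptions; 192.168.1.0/24 and 192.168.2.0/24 are the segments used in fig. 3.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Vpc:
    """Assumed model of a VPC: its subnets, plus the peer subnets each subnet
    is already associated with through earlier peer-to-peer connections."""
    name: str
    subnets: List[Net]
    associated: Dict[Net, List[Net]] = field(default_factory=dict)


def check_association(local: Vpc, own: Net, peer_vpc: Vpc, peer: Net) -> List[int]:
    """Return the numbers (1-5) of the non-overlap rules an own/opposite subnet
    pair violates; an empty list means the association may be created."""
    violations: List[int] = []
    # 1. the own subnet CIDR and the opposite subnet CIDR must not overlap
    if own.overlaps(peer):
        violations.append(1)
    # 2. no subnet already associated with the own subnet may overlap the opposite subnet
    if any(n.overlaps(peer) for n in local.associated.get(own, [])):
        violations.append(2)
    # 3. no other subnet of the home-end VPC may overlap the opposite subnet
    if any(n.overlaps(peer) for n in local.subnets if n != own):
        violations.append(3)
    # 4. no subnet already associated with the opposite subnet may overlap the own subnet
    if any(n.overlaps(own) for n in peer_vpc.associated.get(peer, [])):
        violations.append(4)
    # 5. no other subnet of the opposite-end VPC may overlap the own subnet
    if any(n.overlaps(own) for n in peer_vpc.subnets if n != peer):
        violations.append(5)
    return violations


def check_request(local: Vpc, own_cidrs: List[str],
                  peer_vpc: Vpc, peer_cidrs: List[str]) -> Dict[Tuple[str, str], List[int]]:
    """Validate a many-to-many request (several first subnets, several second
    subnets). Every own/opposite pair is checked; only pairs that violate a
    rule are reported, so an empty dict means the whole request is acceptable."""
    report: Dict[Tuple[str, str], List[int]] = {}
    for own_cidr in own_cidrs:
        for peer_cidr in peer_cidrs:
            bad = check_association(local, Net(own_cidr), peer_vpc, Net(peer_cidr))
            if bad:
                report[(own_cidr, peer_cidr)] = bad
    return report


if __name__ == "__main__":
    # constructed sample: VPC1 and VPC2 both carry a 192.168.3.0/24 subnet,
    # so any pair that touches it collides with rule 1, 3 or 5
    vpc1 = Vpc("VPC1", [Net("192.168.1.0/24"), Net("192.168.3.0/24")])
    vpc2 = Vpc("VPC2", [Net("192.168.2.0/24"), Net("192.168.3.0/24")])
    print(check_request(vpc1, ["192.168.1.0/24"], vpc2, ["192.168.2.0/24"]))  # {}
    print(check_request(vpc1, ["192.168.1.0/24", "192.168.3.0/24"],
                        vpc2, ["192.168.2.0/24", "192.168.3.0/24"]))
```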
According to the above, the first subnet (i.e., VM 1) to be connected to the home-end virtual private cloud (i.e., VPC 1) can be obtained according to the user request information, and the second subnet (i.e., VM 2) to be connected to the peer-end virtual private cloud (i.e., VPC 2) can be obtained according to the user request information.
In addition, the network segment 192.168.1.0/24 in fig. 3, which is the first network (also referred to as the first network address) of the first subnet, is obtained from the network configuration information input by the user, and the network segment 192.168.2.0/24, which is the second network (also referred to as the second network address) of the second subnet, is likewise obtained from the network configuration information input by the user.
In addition, each VPC automatically creates a default router, such as a home-end virtual private cloud router and an opposite-end virtual private cloud router, where the home-end virtual private cloud router and the opposite-end virtual private cloud router may also be generated according to network configuration information input by a user.
Step S203, a first virtual router corresponding to a home-end virtual private cloud virtual router in a first switch is determined according to a router mapping relation, and a second virtual router corresponding to an opposite-end virtual private cloud virtual router in the first switch is determined according to the router mapping relation, wherein the corresponding relation between each virtual router in each switch and the home-end virtual private cloud virtual router or the opposite-end virtual private cloud virtual router is stored in the router mapping relation.
Alternatively, in the embodiments of the present disclosure, since the cloud platform may be understood as the entry point that receives the user's information while the actual data transmission is implemented by switches, the embodiments use a leaf-spine architecture, which includes a leaf switch (i.e., the first switch) and a spine switch (i.e., an intermediary that simply forwards the data packets transmitted by the first switch to a border switch, i.e., the second switch; the spine switch has no great influence on implementing the peer-to-peer connection between subnets in the present disclosure and is therefore not described further). It should be noted that adopting the leaf-spine architecture in the embodiments improves the flexibility and expandability of the network topology, supports many-to-many subnet connections, and satisfies the requirements of different service scenarios.
As can be seen from the foregoing description, in order to implement peer-to-peer connection between the first subnet and the second subnet, data transmission in the embodiments of the present disclosure needs to pass through the first switch and the second switch, and the cloud platform is currently connected only to the first switch, as shown in fig. 6. Therefore, the embodiments create in the first switch, according to the router mapping relationship, a first virtual router corresponding to the local virtual private cloud router (i.e., VRF1 in fig. 6, where VRF stands for Virtual Routing and Forwarding) and a second virtual router corresponding to the peer virtual private cloud router (i.e., VRF2 in fig. 6).
In step S204, the data packet sent by the first subnet is sent to the first virtual router through the first network.
Optionally, after determining the first virtual router corresponding to the local virtual private cloud virtual router in the first switch: since the first network (192.168.1.0/24) is created in VPC1 and corresponds to a VLAN on the first switch (i.e., vlan 1001.168.1.0/24 in fig. 6), and the newly created first network is automatically connected to the default router (i.e., the local virtual private cloud virtual router), the data packet sent by the first subnet can be sent to the first virtual router through the first network.
In step S205, a data packet returned from the second virtual router is received.
Alternatively, as can be seen from fig. 6, the cloud platform is directly connected to the first switch, so the peer virtual private cloud of the cloud platform receives, from the first switch, the data packet returned by the second virtual router.
Step S206, the data packet is sent to the second subnet of the second network.
Optionally, in the opposite-end virtual private cloud, the opposite-end virtual private cloud virtual router sends the data packet to a second subnet of a second network requesting to establish connection with the first subnet, so as to achieve the goal of interconnecting the first subnet in the VPC1 and the second subnet in the VPC 2.
In the embodiment of the disclosure, a leaf-spine architecture is used to obtain the first switch on which the peer-to-peer connection between subnets of the local virtual private cloud and the peer virtual private cloud depends. The first virtual router corresponding to the local virtual private cloud virtual router and the second virtual router corresponding to the peer virtual private cloud virtual router are determined in the first switch according to the router mapping relation. The data packet sent by the first subnet to be connected in the local virtual private cloud is transmitted to the first virtual router of the first switch, the data packet returned by the second virtual router of the first switch is received, and it is sent to the second subnet of the second network. In this way, intercommunication between different VPCs is realized, the specific subnets that may intercommunicate are controlled at fine granularity, the security requirement of network isolation between VPCs is met together with the requirement of mutual communication between subnets, and the problem that a user generally has to perform complicated configuration and management of hardware network equipment in conventional peer-to-peer connection schemes is solved.
In some optional implementations, an embodiment of the present disclosure proposes a method for implementing peer-to-peer connection between subnets, where an execution body of the method may be a first switch, as shown in fig. 7, and a flow of the method includes the following steps:
Step S701, a first virtual router receives a data packet sent from a first network of a home terminal virtual private cloud, where the first virtual router of a first switch and the home terminal virtual private cloud virtual router have a mapping relationship, and the data packet is data sent by a first subnet to be connected in the first network of the home terminal virtual private cloud;
step S702, the data packet is sent to a third virtual router in a second switch, wherein a mapping relationship exists between the first virtual router and the third virtual router;
step S703, the second virtual router receives the data packet returned from the fourth virtual router in the second switch, where the second virtual router and the fourth virtual router have a mapping relationship;
in step S704, the second virtual router sends the data packet to the peer virtual private cloud.
Optionally, in an embodiment of the present disclosure, the first switch is an execution body. As shown in fig. 6, the first virtual router VRF1 of the first switch receives the data packet sent from the first subnet to be connected in the first network of the home terminal virtual private cloud, it can be understood that, because there is a mapping relationship between the first virtual router of the first switch and the home terminal virtual private cloud virtual router, the corresponding first virtual router can be found directly according to the home terminal virtual private cloud virtual router, so as to further implement the operation that the first virtual router receives the data packet.
As shown in fig. 6, the first switch and the second switch are also in communication with each other, so the first switch sends a packet to a third virtual router VRF3 in the second switch having a mapping relationship with the first virtual router. And then the second virtual router VRF2 of the first switch receives the data packet returned by the fourth virtual router VRF4 in the second switch, and then the data packet is sent to the opposite-end virtual private cloud through the second virtual router.
In the embodiment of the disclosure, through direct communication between the cloud platform and the physical switch, dependence of the cloud platform on a third party SDN is reduced, and network capacity and product competitiveness of the cloud platform are improved.
In some optional implementations, an embodiment of the present disclosure proposes a method for implementing peer-to-peer connection between subnets, where an execution body of the method may be a second switch, as shown in fig. 8, and a flow of the method includes the following steps:
step S801, a third virtual router receives a data packet forwarded by a first virtual router in a first switch, where the third virtual router and the first virtual router have a mapping relationship, and the data packet is data sent by a first subnet to be connected in a first network of a home terminal virtual private cloud;
Step S802, the data packet is sent to a firewall through a third virtual router;
step S803, receiving a verification passing instruction of the firewall and a returned data packet;
step S804, the data packet is sent to the second virtual router of the first switch through the fourth virtual router of the second switch, where the second virtual router and the fourth virtual router have a mapping relationship.
Alternatively, as can be derived from fig. 6, the second switch communicates with the first switch and with the firewall. Specifically, a third virtual router corresponding to the first virtual router of the first switch is created on the second switch (the sending-side switch), a mapping relationship exists between the first virtual router and the third virtual router, and data packets passing through these VRFs are configured to be forwarded northbound to the firewall. Since the second switch must also receive the packets returned by the firewall, a virtual router for receiving them is required on the second switch as well; if none exists, a VRF, namely the fourth virtual router of the second switch, is created for this purpose.
As can be seen from fig. 6, the third virtual router of the second switch receives the data packet forwarded by the first virtual router in the first switch and sends it to the firewall; the second switch then receives the firewall's verification-passing instruction together with the returned data packet, and forwards the returned packet to the second virtual router of the first switch using the fourth virtual router. It can be understood that, because a mapping relationship exists between the fourth virtual router of the second switch and the second virtual router of the first switch, the returned data packet can be sent directly to the second virtual router once the fourth virtual router has received it.
In addition, the data packet is transmitted back to the second switch only after the firewall passes the verification of the data packet, otherwise, the data packet is directly discarded.
In the embodiment of the disclosure, being implemented on a hardware switch and firewall, more reliable and more efficient network transmission capability can be provided than with a purely software-based implementation.
In some optional implementations, an embodiment of the present disclosure proposes a method for implementing peer-to-peer connection between subnets, where an execution body of the method may be a firewall, as shown in fig. 9, and a flow of the method includes the following steps:
Step S901, receiving a data packet sent by a third virtual router in a second switch, where the data packet is data sent by a first subnet to be connected in a first network of a home terminal virtual private cloud;
step S902, acquiring a source address and a target address of a data packet;
step S903, a preset rule is matched according to the source address and the target address to obtain a matching result, wherein the preset rule is used for representing an original source address and an original target address;
step S904, issuing a verification passing instruction and a data packet according to the matching result, and sending the data packet to a fourth virtual router of the second switch.
Optionally, according to the above embodiment, after the associated subnets (the first subnet and the second subnet) are successfully set, the correct preset rules are issued to the firewall according to the network segments of the subnets, where the preset rules consist of the original source addresses and original target addresses of the subnets. After receiving the data packet sent by the third virtual router in the second switch, the firewall checks whether the source address and the target address of the data packet fall within the original source address and the original target address of the subnets; if so, the verification passes and the firewall returns the data packet to the fourth virtual router of the second switch; otherwise, the matching result fails verification and the data packet is discarded.
The process by which the cloud platform issues the configuration to the firewall in the embodiment of the disclosure is realized based on NETCONF (Network Configuration Protocol). By using the NETCONF protocol, and through direct communication between the cloud platform and the first switch, the second switch and the firewall, the dependence of the cloud platform on a third-party SDN is reduced, so that the network capability and the product competitiveness of the cloud platform are improved.
In the embodiment of the disclosure, the firewall is used to verify whether the data packet meets the preset rule, and the matching result is then used as the condition for forwarding the data packet, so that the security of the intercommunication of designated networks between the VPCs is improved.
In some optional implementations, an embodiment of the disclosure proposes a peer-to-peer connection system between subnets, where the system includes a cloud platform, a first switch, a second switch, and a firewall;
the cloud platform acquires request information and network configuration information issued by a user;
the cloud platform obtains a first subnet to be connected with the local virtual private cloud, a first network to which the first subnet belongs, a second subnet to which the opposite virtual private cloud is to be connected, a second network to which the second subnet belongs, a local virtual private cloud virtual router and an opposite virtual private cloud virtual router according to the request information and the network configuration information, wherein the first subnet and the second subnet are network objects for realizing peer-to-peer connection, and network addresses of the first subnet and the second subnet are not overlapped;
The cloud platform determines a first virtual router corresponding to a local virtual private cloud virtual router in a first switch according to a router mapping relation, and determines a second virtual router corresponding to an opposite virtual private cloud virtual router in the first switch according to the router mapping relation, wherein the router mapping relation stores the corresponding relation between each virtual router in each switch and the local virtual private cloud virtual router or the opposite virtual private cloud virtual router;
the cloud platform sends a data packet sent by a first subnet to be connected with a local virtual private cloud to a first virtual router through a first network;
after the first virtual router of the first switch receives the data packet, the data packet is sent to a third virtual router of the second switch, wherein the third virtual router and the first virtual router have a mapping relation;
after the third virtual router receives the data packet, the data packet is sent to the firewall through the third virtual router;
after receiving the data packet, the firewall acquires a source address and a target address of the data packet;
the firewall matches a preset rule according to the source address and the target address to obtain a matching result, wherein the preset rule is used for representing an original source address and an original target address;
The firewall issues verification passing instructions and data packets according to the matching result, and sends the data packets to a fourth virtual router of the second switch;
after the fourth virtual router receives the data packet, the data packet is sent to a second virtual router of the first switch through the fourth virtual router, wherein the second virtual router and the fourth virtual router have a mapping relation;
after receiving the data packet, the second virtual router sends the data packet to the opposite-end virtual private cloud;
and after receiving the data packet, the opposite-end virtual private cloud virtual router of the cloud platform sends the data packet to a second subnet of the second network.
Optionally, in the embodiment of the present disclosure, taking an example of implementing the mutual communication and data transmission of the designated subnetwork between two VPCs, the following description will be developed:
as shown in fig. 6, the peer-to-peer connection system implemented between subnets includes a cloud platform, a first switch, a second switch, and a firewall, and specifically includes the following steps:
the cloud platform receives request information issued by a user, such as a request for the subnet VM1 in VPC1 to communicate with the subnet VM2 in VPC2, and obtains network configuration information issued by the user, such as network segments and network types. After the peer-to-peer connection is established, when VM1 in VPC1 wants to communicate with VM2 in VPC2, a data packet sent by VM1 is sent through the first network 192.168.1.0/24 to which it belongs to the first virtual router on the first switch. The first virtual router then sends the data packet to the third virtual router on the second switch, and the third virtual router sends the data packet to the hardware firewall. If the data packet does not match a preset rule on the firewall, it is discarded; if it matches a preset rule, it is transmitted back to the second switch.
The data packet returned to the fourth virtual router of the second switch is sent, after route matching, to the second virtual router on the first switch, which sends it to the second network 192.168.2.0/24 and then to the second subnet VM2 in that network. Thus one network communication from VM1 to VM2 is realized; the transmission path and principle for data packets in the reverse direction, VM2 accessing VM1, are the same.
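The end-to-end path just described (steps S204, S702, S802, S903/S904, S804 and S206), together with the firewall matching of source and target address against preset rules from the firewall embodiment above, modelled as a small forwarding simulation. This is an added example, not the patent's or any vendor's code; the `Fabric` and `Firewall` classes, the router names (`vpc1-router`, `vpc2-router`) and the extra subnet VM3 are constructed assumptions, while VRF1 to VRF4 and the 192.168.1.0/24 and 192.168.2.0/24 segments follow fig. 6.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str  # source address
    dst: str  # target (destination) address


@dataclass
class Firewall:
    """Constructed model of the hardware firewall; rules are (original source segment, original target segment)."""
    rules: List[Tuple[str, str]]

    def verify(self, pkt: Packet) -> bool:
        # Step S903: the packet passes only if some preset rule contains both its addresses.
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        return any(
            src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net)
            for s_net, d_net in self.rules
        )

    def revoke(self, src_net: str, dst_net: str) -> None:
        # Withdrawing a preset rule is all that is needed to stop two subnets communicating.
        self.rules = [r for r in self.rules if r != (src_net, dst_net)]


@dataclass
class Fabric:
    """Constructed model of the first switch, second switch and firewall of fig. 6."""
    router_mapping: Dict[str, str]  # router mapping relation: VPC default router -> VRF on the first switch
    vrf_mapping: Dict[str, str]  # VRF mapping between first and second switch (VRF1<->VRF3, VRF2<->VRF4)
    networks: Dict[str, Tuple[str, str]]  # network CIDR -> (VPC default router it is attached to, subnet name)
    firewall: Firewall

    def locate(self, ip: str) -> Tuple[str, str]:
        addr = ipaddress.ip_address(ip)
        for cidr, owner in self.networks.items():
            if addr in ipaddress.ip_network(cidr):
                return owner
        raise ValueError(f"{ip} belongs to no known network")

    def forward(self, pkt: Packet) -> Tuple[bool, List[str]]:
        """Return (delivered, hops) for one packet, following the steps of the embodiment."""
        src_router, src_subnet = self.locate(pkt.src)
        dst_router, dst_subnet = self.locate(pkt.dst)
        hops: List[str] = []
        # S204: the first subnet hands the packet to the first virtual router via its network.
        vrf_first = self.router_mapping[src_router]
        hops.append(f"{src_subnet} -> {vrf_first}")
        # S702: the first switch forwards to the mapped third virtual router on the second switch.
        vrf_third = self.vrf_mapping[vrf_first]
        hops.append(f"{vrf_first} -> {vrf_third}")
        # S802: the third virtual router sends the packet north to the firewall.
        hops.append(f"{vrf_third} -> firewall")
        if not self.firewall.verify(pkt):
            hops.append("firewall -> drop")  # no matching preset rule: discarded
            return False, hops
        # S904/S804: the firewall returns the packet via the fourth virtual router to the second one.
        vrf_second = self.router_mapping[dst_router]
        vrf_fourth = self.vrf_mapping[vrf_second]
        hops.append(f"firewall -> {vrf_fourth}")
        hops.append(f"{vrf_fourth} -> {vrf_second}")
        # S206: the second virtual router delivers to the second subnet of the second network.
        hops.append(f"{vrf_second} -> {dst_subnet}")
        return True, hops


def build_sample_fabric() -> Fabric:
    """Constructed sample topology mirroring fig. 3 and fig. 6; names are illustrative."""
    return Fabric(
        router_mapping={"vpc1-router": "VRF1", "vpc2-router": "VRF2"},
        vrf_mapping={"VRF1": "VRF3", "VRF2": "VRF4"},
        networks={
            "192.168.1.0/24": ("vpc1-router", "VM1"),  # first network / first subnet
            "192.168.2.0/24": ("vpc2-router", "VM2"),  # second network / second subnet
            "192.168.3.0/24": ("vpc1-router", "VM3"),  # another VPC1 subnet, not associated
        },
        firewall=Firewall(rules=[
            ("192.168.1.0/24", "192.168.2.0/24"),  # VM1 -> VM2
            ("192.168.2.0/24", "192.168.1.0/24"),  # VM2 -> VM1 (reverse path, same principle)
        ]),
    )


if __name__ == "__main__":
    fabric = build_sample_fabric()
    for pkt in (Packet("192.168.1.10", "192.168.2.20"), Packet("192.168.3.5", "192.168.2.20")):
        ok, hops = fabric.forward(pkt)
        print("DELIVERED" if ok else "DROPPED  ", pkt.src, "->", pkt.dst, ":", " | ".join(hops))
```

Only VM1 and VM2 are associated, so the packet from the unassociated VM3 reaches the firewall and is discarded there, which is the fine-grained control the embodiment describes.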
The embodiment of the disclosure realizes traffic intercommunication between the VPCs based on the capability of the switches. Based on the capability of the hardware firewall, fine-grained control is further realized: intercommunication between any chosen networks in the two VPCs can be controlled, instead of all subnets connected to the default routers of the two VPCs being interconnected. The method ensures isolation while realizing traffic intercommunication between designated subnets, and, by means of the capability of hardware network equipment, provides more reliable and more efficient network transmission capability than a purely software-based implementation.
Based on the foregoing embodiments, as an alternative embodiment, if the specified subnets between the VPCs are no longer to communicate with each other, only the preset rule of the firewall needs to be changed, so that the source address and the destination address of the data packets received by the firewall are never included in the original source address and original destination address; alternatively, after the specified subnets between the VPCs have been interconnected, the remaining subnets in each VPC are listed as unable to communicate with each other.
In this embodiment, a device for implementing peer-to-peer connection between subnets is further provided, and the device is used for implementing the foregoing embodiments and preferred embodiments, which are not described herein. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The embodiment provides a device for implementing peer-to-peer connection between subnetworks, the device is a cloud platform, as shown in fig. 10, the device includes:
a first obtaining module 1001, configured to obtain request information and network configuration information issued by a user;
a first obtaining module 1002, configured to obtain, according to the request information and the network configuration information, a first subnet to which the home terminal virtual private cloud is to be connected, a first network to which the first subnet belongs, a second subnet to which the peer terminal virtual private cloud is to be connected, a second network to which the second subnet belongs, a home terminal virtual private cloud virtual router, and a peer terminal virtual private cloud virtual router, where the first subnet and the second subnet are network objects for implementing peer-to-peer connection, and network addresses of the first subnet and the second subnet are not overlapped;
A determining module 1003, configured to determine a first virtual router corresponding to a home-end virtual private cloud virtual router in the first switch according to a router mapping relationship, and determine a second virtual router corresponding to an opposite-end virtual private cloud virtual router in the first switch according to the router mapping relationship, where the router mapping relationship stores a correspondence between each virtual router in each switch and the home-end virtual private cloud virtual router or the opposite-end virtual private cloud virtual router;
a first sending module 1004, configured to send a data packet sent by a first subnet to a first virtual router through a first network;
a first receiving module 1005, configured to receive a data packet returned from the second virtual router;
a second sending module 1006, configured to send the data packet to a second subnet of the second network.
In the embodiment of the disclosure, a leaf-spine architecture is used to obtain the first switch on which the peer-to-peer connection between subnets of the local virtual private cloud and the peer virtual private cloud depends. The first virtual router corresponding to the local virtual private cloud virtual router and the second virtual router corresponding to the peer virtual private cloud virtual router are determined in the first switch according to the router mapping relation. The data packet sent by the first subnet to be connected in the local virtual private cloud is transmitted to the first virtual router of the first switch, the data packet returned by the second virtual router of the first switch is received, and it is sent to the second subnet of the second network. In this way, intercommunication between different VPCs is realized, the specific subnets that may intercommunicate are controlled at fine granularity, the security requirement of network isolation between VPCs is met together with the requirement of mutual communication between subnets, and the problem that a user generally has to perform complicated configuration and management of hardware network equipment in conventional peer-to-peer connection schemes is solved.
In some alternative embodiments, the first obtaining module 1002 includes:
the first determining unit is used for determining a first subnet to be connected with the local virtual private cloud and a second subnet to be connected with the opposite virtual private cloud according to the request information;
and the second determining unit is used for determining the local virtual private cloud virtual router, the opposite virtual private cloud virtual router, the first network and the second network according to the network configuration information.
In some alternative embodiments, the first subnetwork is at least one, and the second subnetwork is at least one.
The embodiment provides a device for implementing peer-to-peer connection between subnetworks, the device is a first switch, as shown in fig. 11, and the device includes:
the second receiving module 1101 is configured to receive, by using the first virtual router, a data packet sent from the first network of the local virtual private cloud, where the first virtual router of the first switch has a mapping relationship with the local virtual private cloud virtual router, and the data packet is data sent by the first subnet to be connected in the first network of the local virtual private cloud;
a third sending module 1102, configured to send the data packet to a third virtual router in the second switch, where a mapping relationship exists between the first virtual router and the third virtual router;
A third receiving module 1103, configured to receive, by a second virtual router, a data packet returned by a fourth virtual router in the second switch, where the second virtual router and the fourth virtual router have a mapping relationship;
a fourth sending module 1104, configured to send the data packet to the peer virtual private cloud by the second virtual router.
The embodiment provides a device for implementing peer-to-peer connection between subnetworks, the device is a second switch, as shown in fig. 12, and the device includes:
a fourth receiving module 1201, configured to receive, by using a third virtual router, a data packet forwarded by a first virtual router in a first switch, where the third virtual router has a mapping relationship with the first virtual router, and the data packet is data sent by a first subnet to be connected in a first network of a home terminal virtual private cloud;
a fifth sending module 1202, configured to send the data packet to the firewall through the third virtual router;
a fifth receiving module 1203, configured to receive a verification passing instruction of the firewall and a returned data packet;
and a sixth sending module 1204, configured to send the data packet to a second virtual router of the first switch through a fourth virtual router, where the second virtual router has a mapping relationship with the fourth virtual router.
The embodiment provides a device for implementing peer-to-peer connection between subnets, which is a firewall, as shown in fig. 13, and includes:
a sixth receiving module 1301, configured to receive a data packet sent by a third virtual router in the second switch, where the data packet is data sent by a first subnet to be connected in a first network of the home terminal virtual private cloud;
a second obtaining module 1302, configured to obtain a source address and a destination address of the data packet;
a second obtaining module 1303, configured to obtain a matching result according to a preset rule matching the source address and the target address, where the preset rule is used to characterize an original source address and an original target address;
and a seventh sending module 1304, configured to send the verification passing instruction and the data packet according to the matching result, and send the data packet to the fourth virtual router of the second switch.
The means for implementing peer-to-peer connections between the subnetworks in this embodiment are presented in the form of functional units, where a unit may be an ASIC circuit, a processor and memory executing one or more software or firmware programs, and/or another device that can provide the functionality described above.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The embodiment of the disclosure also provides a computer device, which is provided with the device for realizing peer-to-peer connection between the subnetworks shown in the above fig. 10 or 11 or 12 or 13.
Referring to fig. 14, fig. 14 is a schematic structural diagram of a computer device according to an alternative embodiment of the disclosure. As shown in fig. 14, the computer device includes: one or more processors 10, memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on memory to display graphical information of the GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 14.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
Wherein the memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform a method for implementing the embodiments described above.
The memory 20 may include a storage program area that may store an operating system and at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, and the like. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The presently disclosed embodiments also provide a computer readable storage medium, and the methods described above according to the presently disclosed embodiments may be implemented in hardware, firmware, or as recordable storage medium, or as computer code downloaded over a network that is originally stored in a remote storage medium or a non-transitory machine-readable storage medium and is to be stored in a local storage medium, such that the methods described herein may be stored on such software processes on a storage medium using a general purpose computer, special purpose processor, or programmable or dedicated hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of memories of the kind described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although embodiments of the present disclosure have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the disclosure, and such modifications and variations are within the scope defined by the appended claims.
Claims (12)
1. A method for implementing peer-to-peer connection between subnetworks, the method being applied to a cloud platform, the method comprising:
acquiring request information and network configuration information issued by a user;
obtaining a first subnet to be connected with a local virtual private cloud, a first network to which the first subnet belongs, a second subnet to which an opposite-end virtual private cloud is to be connected, a second network to which the second subnet belongs, a local virtual private cloud virtual router and an opposite-end virtual private cloud virtual router according to the request information and the network configuration information, wherein the first subnet and the second subnet are network objects for realizing peer-to-peer connection, and network addresses of the first subnet and the second subnet are not overlapped;
determining a first virtual router corresponding to the home-end virtual private cloud virtual router in a first switch according to a router mapping relation, and determining a second virtual router corresponding to the opposite-end virtual private cloud virtual router in the first switch according to the router mapping relation, wherein the router mapping relation stores the corresponding relation between each virtual router in each switch and the home-end virtual private cloud virtual router or the opposite-end virtual private cloud virtual router;
transmitting a data packet sent by the first subnet to the first virtual router through the first network;
receiving the data packet returned from the second virtual router;
the data packet is sent to the second subnetwork of the second network.
2. The method of claim 1, wherein the obtaining, according to the request information and the network configuration information, a first subnet to which a home-end virtual private cloud is to be connected, a first network to which the first subnet belongs and a second subnet to which a peer-end virtual private cloud is to be connected, a second network to which the second subnet belongs, a home-end virtual private cloud virtual router, and a peer-end virtual private cloud virtual router includes:
determining the first subnet to be connected with the home terminal virtual private cloud and the second subnet to be connected with the opposite terminal virtual private cloud according to the request information;
and determining the home terminal virtual private cloud virtual router, the opposite terminal virtual private cloud virtual router, the first network and the second network according to the network configuration information.
3. The method according to claim 1 or 2, wherein the first subnetwork is at least one and the second subnetwork is at least one.
4. A method for implementing peer-to-peer connection between subnetworks, said method being applied to a first switch, said method comprising:
receiving, by a first virtual router, a data packet sent by a first network from a home terminal virtual private cloud, wherein a mapping relation exists between the first virtual router of the first switch and the home terminal virtual private cloud virtual router, and the data packet is data sent by a first subnet to be connected in the first network of the home terminal virtual private cloud;
the data packet is sent to a third virtual router in a second switch, wherein a mapping relation exists between the first virtual router and the third virtual router;
the second virtual router receives the data packet returned by the fourth virtual router in the second switch, wherein the second virtual router and the fourth virtual router have a mapping relation;
and the second virtual router sends the data packet to the opposite-end virtual private cloud.
5. A method for implementing peer-to-peer connection between subnetworks, said method being applied to a second switch, said method comprising:
a third virtual router receives a data packet forwarded by a first virtual router in a first switch, wherein the third virtual router and the first virtual router have a mapping relation, and the data packet is data sent by a first subnet to be connected in a first network of a local virtual private cloud;
transmitting the data packet to a firewall through the third virtual router;
receiving a verification passing instruction of the firewall and the returned data packet;
and sending the data packet to a second virtual router of the first switch through a fourth virtual router, wherein the second virtual router and the fourth virtual router have a mapping relation.
6. A method for implementing peer-to-peer connection between subnetworks, said method being applied to a firewall, said method comprising:
receiving a data packet sent by a third virtual router in a second switch, wherein the data packet is data sent by a first subnet to be connected in a first network of a local virtual private cloud;
acquiring a source address and a target address of the data packet;
according to the source address and the target address, a preset rule is matched to obtain a matching result, wherein the preset rule is used for representing an original source address and an original target address;
and issuing a verification passing instruction and the data packet according to the matching result, and sending the data packet to a fourth virtual router of the second switch.
7. A system for implementing peer-to-peer connection between subnetworks, the system comprising a cloud platform, a first switch, a second switch and a firewall;
the cloud platform acquires request information and network configuration information issued by a user;
the cloud platform obtains a first subnet to be connected with a local virtual private cloud, a first network to which the first subnet belongs, a second subnet to which an opposite-end virtual private cloud is to be connected, a second network to which the second subnet belongs, a local virtual private cloud virtual router and an opposite-end virtual private cloud virtual router according to the request information and the network configuration information, wherein the first subnet and the second subnet are network objects for realizing peer-to-peer connection, and network addresses of the first subnet and the second subnet are not overlapped;
the cloud platform determines a first virtual router corresponding to the home-end virtual private cloud virtual router in the first switch according to a router mapping relation, and determines a second virtual router corresponding to the opposite-end virtual private cloud virtual router in the first switch according to the router mapping relation, wherein the router mapping relation stores a corresponding relation between each virtual router in each switch and the home-end virtual private cloud virtual router or the opposite-end virtual private cloud virtual router;
the cloud platform sends a data packet sent by a first subnet to be connected with a local virtual private cloud to the first virtual router through the first network;
after the first virtual router of the first switch receives the data packet, the data packet is sent to a third virtual router of a second switch, wherein the third virtual router and the first virtual router have a mapping relation;
after the third virtual router receives the data packet, the data packet is sent to a firewall through the third virtual router;
after the firewall receives the data packet, acquiring a source address and a target address of the data packet;
the firewall matches a preset rule according to the source address and the target address to obtain a matching result, wherein the preset rule is used for representing an original source address and an original target address;
the firewall issues a verification passing instruction and the data packet according to the matching result, and sends the data packet to a fourth virtual router of the second switch;
after the fourth virtual router receives the data packet, the data packet is sent to a second virtual router of the first switch through the fourth virtual router, wherein the second virtual router and the fourth virtual router have a mapping relation;
after the second virtual router receives the data packet, the data packet is sent to the opposite-end virtual private cloud;
and after receiving the data packet, the opposite-end virtual private cloud virtual router of the cloud platform sends the data packet to the second subnet of the second network.
8. A device for implementing peer-to-peer connection between subnetworks, the device being a cloud platform, the device comprising:
the first acquisition module is used for acquiring request information and network configuration information issued by a user;
the first obtaining module is configured to obtain a first subnet to be connected to the home terminal virtual private cloud, a first network to which the first subnet belongs, a second subnet to which the opposite terminal virtual private cloud is to be connected, a second network to which the second subnet belongs, a home terminal virtual private cloud virtual router, and an opposite terminal virtual private cloud virtual router according to the request information and the network configuration information, where the first subnet and the second subnet are network objects for implementing peer-to-peer connection, and network addresses of the first subnet and the second subnet are not overlapped;
the determining module is used for determining a first virtual router corresponding to the home-end virtual private cloud virtual router in the first switch according to a router mapping relation, and determining a second virtual router corresponding to the opposite-end virtual private cloud virtual router in the first switch according to the router mapping relation, wherein the router mapping relation stores the corresponding relation between each virtual router in each switch and the home-end virtual private cloud virtual router or the opposite-end virtual private cloud virtual router;
the first sending module is used for sending the data packet sent by the first subnet to the first virtual router through the first network;
the first receiving module is used for receiving the data packet returned by the second virtual router;
and the second sending module is used for sending the data packet to the second subnet of the second network.
9. A device for implementing peer-to-peer connection between subnetworks, said device being a first switch, said device comprising:
the second receiving module is used for receiving a data packet sent by a first network from a local virtual private cloud by a first virtual router, wherein the first virtual router of the first switch and the local virtual private cloud virtual router have a mapping relation, and the data packet is data sent by a first subnet to be connected in the first network of the local virtual private cloud;
the third sending module is used for sending the data packet to a third virtual router in the second switch, wherein the first virtual router and the third virtual router have a mapping relation;
the third receiving module is used for receiving the data packet returned by the fourth virtual router in the second switch by the second virtual router, wherein the second virtual router and the fourth virtual router have a mapping relation;
and the fourth sending module is used for sending the data packet to the opposite-end virtual private cloud by the second virtual router.
10. A device for implementing peer-to-peer connection between subnetworks, said device being a second switch, said device comprising:
a fourth receiving module, configured to receive, by using a third virtual router, a data packet forwarded by a first virtual router in a first switch, where the third virtual router has a mapping relationship with the first virtual router, and the data packet is data sent by a first subnet to be connected in a first network of a home terminal virtual private cloud;
a fifth sending module, configured to send the data packet to a firewall through the third virtual router;
a fifth receiving module, configured to receive the verification passing instruction of the firewall and the returned data packet;
and the sixth sending module is used for sending the data packet to a second virtual router of the first switch through a fourth virtual router, wherein the second virtual router and the fourth virtual router have a mapping relation.
11. A device for implementing peer-to-peer connection between subnetworks, said device being a firewall, said device comprising:
a sixth receiving module, configured to receive a data packet sent by a third virtual router in the second switch, where the data packet is data sent by a first subnet to be connected in a first network of the home terminal virtual private cloud;
the second acquisition module is used for acquiring the source address and the target address of the data packet;
the second obtaining module is used for obtaining a matching result according to a preset rule matched with the source address and the target address, wherein the preset rule is used for representing an original source address and an original target address;
and the seventh sending module is used for sending the verification passing instruction and the data packet according to the matching result and sending the data packet to a fourth virtual router of the second switch.
12. A computer device, comprising:
a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the method of implementing peer-to-peer connection between sub-networks as claimed in any one of claims 1 to 3 or claim 4 or claim 5 or claim 6.
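As an added illustration (not code from the patent or its applicant), the following Python model walks a packet through the claim-7 pipeline: the router mapping relation from claim 1, the non-overlap precondition on the two subnets, the cross-switch pairing of virtual routers from claims 4 and 5, and the firewall's source/target rule match from claim 6. All switch names, router names, subnets and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed router mapping relation (claim 1):
# (switch, VPC virtual router) -> virtual router inside that switch.
ROUTER_MAPPING = {
    ("switch1", "vpcA-router"): "vr1",  # home-end VPC -> first virtual router
    ("switch1", "vpcB-router"): "vr2",  # opposite-end VPC -> second virtual router
}
# Constructed cross-switch pairing (claims 4 and 5):
# vr1 -> vr3 carries the forward path, vr4 -> vr2 carries the return path.
CROSS_SWITCH = {"vr1": "vr3", "vr4": "vr2"}


@dataclass
class Packet:
    src: str
    dst: str
    path: list = field(default_factory=list)  # hops recorded while traversing


def subnets_disjoint(first_subnet: str, second_subnet: str) -> bool:
    """Claim 1 precondition: the peered subnets' address ranges must not overlap."""
    return not ip_network(first_subnet).overlaps(ip_network(second_subnet))


class Firewall:
    """Claim 6: match source/target address against preset (original src, original dst) rules."""

    def __init__(self, rules):
        self.rules = [(ip_network(s), ip_network(d)) for s, d in rules]

    def verify(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        return any(src in s and dst in d for s, d in self.rules)


def peer_forward(pkt: Packet, first_subnet: str, second_subnet: str, fw: Firewall) -> bool:
    """Run the claim-7 pipeline; return True only if the packet reaches the second subnet."""
    if not subnets_disjoint(first_subnet, second_subnet):
        raise ValueError("peered subnets overlap")
    if ip_address(pkt.src) not in ip_network(first_subnet):
        return False  # packet did not originate in the first subnet
    vr1 = ROUTER_MAPPING[("switch1", "vpcA-router")]
    vr2 = ROUTER_MAPPING[("switch1", "vpcB-router")]
    vr3 = CROSS_SWITCH[vr1]                       # first switch -> second switch
    pkt.path += [vr1, vr3, "firewall"]
    if not fw.verify(pkt):
        return False  # no verification-passing instruction: packet is dropped here
    vr4 = next(k for k, v in CROSS_SWITCH.items() if v == vr2)  # return path pairing
    pkt.path += [vr4, vr2, "vpcB-router"]
    delivered = ip_address(pkt.dst) in ip_network(second_subnet)
    if delivered:
        pkt.path.append(second_subnet)
    return delivered
```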
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311257540.3A CN117176673A (en) | 2023-09-26 | 2023-09-26 | Method, system, device and computer equipment for realizing peer-to-peer connection between subnetworks |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311257540.3A CN117176673A (en) | 2023-09-26 | 2023-09-26 | Method, system, device and computer equipment for realizing peer-to-peer connection between subnetworks |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117176673A true CN117176673A (en) | 2023-12-05 |
Family
ID=88941253
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311257540.3A Pending CN117176673A (en) | 2023-09-26 | 2023-09-26 | Method, system, device and computer equipment for realizing peer-to-peer connection between subnetworks |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117176673A (en) |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA3106407C (en) | Multi-cloud connectivity using srv6 and bgp | |
CN113132201B (en) | Communication method and device between VPCs | |
US10547463B2 (en) | Multicast helper to link virtual extensible LANs | |
US11470001B2 (en) | Multi-account gateway | |
US10437775B2 (en) | Remote direct memory access in computing systems | |
US10708125B1 (en) | Gateway configuration using a network manager | |
TWI821463B (en) | Logical router comprising disaggregated network elements | |
CN107646185B (en) | Method, system and storage medium for operation maintenance management in an overlay environment | |
US9825822B1 (en) | Group networking in an overlay network | |
US9755959B2 (en) | Dynamic service path creation | |
CN111698338B (en) | Data transmission method and computer system | |
EP3694157B1 (en) | Vxlan configuration method, device and system | |
US11405320B2 (en) | Systems and methods for scalable validation of multiple paths in a network using segment routing | |
US20170302526A1 (en) | Communication via a connection management message that uses an attribute having information on queue pair objects of a proxy node in a switchless network | |
CN117176673A (en) | Method, system, device and computer equipment for realizing peer-to-peer connection between subnetworks | |
CN108259292B (en) | Method and device for establishing tunnel | |
Wohlbold | Load Balancing and Failover for Isolated, Multi-Tenant Layer 2 Virtual Private Networks | |
CN116781509A (en) | Cloud private line configuration device, method, computer equipment and storage medium | |
CN118784565A (en) | Communication method and device between cloud platform virtual private networks | |
Hou et al. | Using tunneling techniques to realize virtual routers | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||