CN117714230A - Gateway management method, device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117714230A
Authority: CN (China)
Prior art keywords: vpn gateway, certificate, gateway, vpn, relay device
Legal status: Pending
Application number: CN202211086323.8A
Other languages: Chinese (zh)
Inventor: 刘国旭
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a gateway management method, device, equipment and storage medium, and relates to the field of cloud technology. The gateway management method comprises the following steps: receiving a registration request sent by a VPN gateway, wherein the VPN gateway is arranged on an edge computing node; and responding to the registration request, and sending a first certificate stored in advance in a first certificate pool to the VPN gateway, wherein the first certificate is used for authenticating the VPN gateway when interacting with the control equipment, and the first certificate is generated according to at least one of the regional information and the equipment model of the VPN gateway. The embodiment of the application can carry out high-efficiency access authentication on the VPN gateway on the edge computing node, and realize management on the VPN gateway on each edge computing node.

Description

Gateway management method, device, electronic equipment and storage medium
Technical Field
The present application relates to the field of cloud technologies, and in particular, to a method, an apparatus, an electronic device, and a storage medium for gateway management.
Background
Proprietary cloud networks, such as virtual private clouds (Virtual Private Cloud, VPC), are isolated network environments built on an enterprise cloud, with complete logical isolation between proprietary cloud networks. Currently, if a cloud tenant wants to connect a local Internet Data Center (IDC) or a terminal device to a proprietary cloud network, the cloud tenant can connect to a VPN gateway provided by a cloud vendor by means of a virtual private network (Virtual Private Network, VPN).
The edge computing technology provides a large number of service or functional interfaces for users by utilizing edge computing resources, so that the data volume uploaded to the cloud data center is greatly reduced, and the network bandwidth pressure is relieved. Specifically, the VPN gateway can be deployed on the edge computing node closest to the user, the user side is connected with the VPN gateway on the edge computing node closest to the user side through the customized VPN client side, and the VPN gateway arranged on the edge computing node can be connected with the access gateway in the proprietary cloud network through a private line, so that the user can access the proprietary cloud network more conveniently and rapidly. How to manage VPN gateways on edge computing nodes is a challenge.
Disclosure of Invention
The embodiment of the application provides a gateway management method, device, equipment and storage medium, which can realize the management of VPN gateways on all edge computing nodes.
In a first aspect, an embodiment of the present application provides a method for gateway management, which is applied to a control device, and includes:
receiving a registration request sent by a VPN gateway of a virtual private network, wherein the VPN gateway is arranged on an edge computing node;
and responding to the registration request, and sending a first certificate stored in a first certificate pool to the VPN gateway, wherein the first certificate is used for authenticating when the VPN gateway interacts with the control equipment, and the first certificate is generated according to at least one of the regional information and the equipment model of the VPN gateway.
In a second aspect, an embodiment of the present application provides a method for gateway management, which is applied to a relay device, and includes:
receiving a first control message sent by control equipment;
and sending the first control message to the VPN gateway through a secure shell protocol (SSH) connection between the relay equipment and the VPN gateway, wherein the VPN gateway is arranged on an edge computing node.
In a third aspect, an embodiment of the present application provides a method for gateway management, which is applied to a VPN gateway, including:
receiving a first control message forwarded by a relay device from a control device through secure shell protocol (SSH) connection between the VPN gateway and the relay device, wherein the VPN gateway is arranged on an edge computing node;
and carrying out data processing according to the first control message.
In a fourth aspect, an embodiment of the present application provides an apparatus for gateway management, including:
the receiving unit is used for receiving a registration request sent by a VPN gateway of a virtual private network, and the VPN gateway is arranged on the edge computing node;
and the sending unit is used for responding to the registration request and sending a first certificate stored in advance in a first certificate pool to the VPN gateway, wherein the first certificate is used for authenticating the VPN gateway when interacting with the control equipment, and the first certificate is generated according to at least one of the regional information and the equipment model of the VPN gateway.
In a fifth aspect, an embodiment of the present application provides an apparatus for gateway management, including:
the receiving unit is used for acquiring a first control message sent by the control equipment;
and the sending unit is used for sending the first control message to the VPN gateway through the secure shell protocol SSH connection between the relay equipment and the VPN gateway, wherein the VPN gateway is arranged on the edge computing node.
In a sixth aspect, an embodiment of the present application provides an apparatus for gateway management, including:
the receiving unit is used for receiving a first control message forwarded by the relay equipment from the control equipment through secure shell protocol (SSH) connection between a VPN gateway and the relay equipment, wherein the VPN gateway is arranged on an edge computing node;
and the processing unit is used for carrying out data processing according to the first control message.
In a seventh aspect, embodiments of the present application provide an electronic device, including:
a processor adapted to execute computer instructions; and
a memory storing computer instructions adapted to be loaded by the processor and to perform the method of any of the first to third aspects described above.
In an eighth aspect, embodiments of the present application provide a computer-readable storage medium storing computer instructions that, when read and executed by a processor of a computer device, cause the computer device to perform the method of any one of the first to third aspects described above.
In a ninth aspect, embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. A processor of a computer device reads the computer instructions from a computer-readable storage medium, the processor executing the computer instructions, causing the computer device to perform the method of any one of the above-mentioned first to third aspects.
According to the embodiments of the present application, when a VPN gateway accesses the control device, a certificate stored in advance in a certificate pool is sent to the VPN gateway, so that no certificate needs to be generated in real time when the VPN gateway comes online. This reduces the computing resource consumption of the control device during access, supports the simultaneous access of a large number of VPN gateways on edge computing nodes, and achieves efficient access authentication of the VPN gateway.
Drawings
FIG. 1 is a schematic diagram of a cloud network access system architecture in the related art;
FIG. 2 is a schematic diagram of another cloud network access system architecture in the related art;
FIG. 3 is a schematic diagram of a network architecture suitable for use in embodiments of the present application;
FIG. 4 is a schematic flow chart of a method of gateway management provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of a certificate pool provided in an embodiment of the present application;
FIG. 6 is another schematic diagram of a network architecture suitable for use in embodiments of the present application;
FIG. 7 is a schematic flow chart of another gateway management method provided in an embodiment of the present application;
FIG. 8 is a schematic block diagram of an apparatus for gateway management according to an embodiment of the present application;
FIG. 9 is a schematic block diagram of another apparatus for gateway management according to an embodiment of the present application;
FIG. 10 is a schematic block diagram of another apparatus for gateway management according to an embodiment of the present application;
FIG. 11 is a schematic block diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The scheme provided by the present application may relate to the field of cloud technology. Cloud technology refers to a hosting technology that integrates hardware, software, network and other resources in a wide area network or a local area network to realize computing, storage, processing and sharing of data.
Cloud technology is a general term for the network, information, integration, management-platform and application technologies applied under the cloud computing business model; it can form a resource pool that is used flexibly and on demand. Cloud computing technology will become an important support. Background services of technical networking systems, such as video websites, picture websites and other portals, require a large amount of computing and storage resources. With the rapid development and application of the internet industry, each item may have its own identification mark in the future, which needs to be transmitted to a background system for logical processing; data of different levels will be processed separately, and all kinds of industry data need strong back-end system support, which can be realized through cloud computing.
Cloud computing refers to the delivery and usage mode of IT infrastructure, meaning that required resources are obtained in an on-demand, easily scalable manner over a network; generalized cloud computing refers to the delivery and usage mode of services, meaning that required services are obtained in an on-demand, easily scalable manner over a network. The service may be IT, software, internet-related or other services. Cloud computing is a product of the development and fusion of conventional computer and network technologies such as grid computing (Grid Computing), distributed computing (Distributed Computing), parallel computing (Parallel Computing), utility computing (Utility Computing), network storage (Network Storage Technologies), virtualization (Virtualization) and load balancing (Load Balance).
With the development of the internet, real-time data flow and diversification of connected devices, and the promotion of demands of search services, social networks, mobile commerce, open collaboration and the like, cloud computing is rapidly developed. Unlike the previous parallel distributed computing, the generation of cloud computing will promote the revolutionary transformation of the whole internet mode and enterprise management mode in concept.
A private cloud (Private Cloud) is a cloud infrastructure created with software and hardware resources within a firewall, so that organizations or departments within an enterprise can share resources within a data center. Creating a private cloud typically requires, in addition to hardware resources, cloud device software (IaaS, Infrastructure as a Service).
Private cloud computing comprises three levels: cloud hardware, cloud platform and cloud services. Here the cloud hardware is the user's own personal computer or server, rather than the data center of a cloud computing vendor. Cloud computing vendors build data centers to provide public cloud services to millions of users and therefore require tens of millions of servers, whereas private cloud computing serves only an individual's friends and relatives, or an enterprise's staff, clients and suppliers, so a personal or corporate computer or server is sufficient to provide the cloud service.
Before introducing the technical solutions of the present application, the following first describes relevant knowledge of the present application:
1. Proprietary cloud network: an isolated network environment constructed on the basis of an enterprise cloud; proprietary cloud networks are logically and completely isolated from one another. A proprietary cloud network offers two capabilities. One is that users can customize the network topology, including selecting a free Internet Protocol (IP) address range, partitioning segments, and configuring routing tables and gateways. The other is that, by connecting to the original data center over a private line or VPN, on-cloud resources and off-cloud resources can be planned with the same network addresses, enabling smooth migration of applications to the cloud. A proprietary cloud network may also be referred to as a private cloud network.
Each private cloud network consists of a private network segment, a router and at least one switch. The router is a hub of the private cloud network, and as an important functional component in the private cloud network, can be connected with each switch in the private cloud network, and is also gateway equipment for connecting the private cloud network and other networks. The switch is basic network equipment forming a proprietary cloud network and is used for connecting different cloud product instances.
Alternatively, in the embodiment of the present application, the proprietary cloud network may be a VPC or a content center network (Content Centric Network, CCN) or the like, but is not limited thereto.
2. VPN: network technology for establishing private data communications in a public network by means of internet service providers (Internet Service Provider, ISP) and other network service providers (Network Service Provider, NSP) may provide secure data transmission tunneling services between enterprises or between individuals and enterprises. The link between any two points in the VPN is not an end-to-end physical link required by the traditional private network, but is dynamically formed by using public network resources, which can be understood as a point-to-point private line technology which is simulated on the public data network through a private tunneling technology and has the same function as the private network, and virtual refers to a technology realized by using the public internet network without pulling an actual long-distance physical line.
3. Edge calculation: edges in edge computing refer to computing and storage resources on the edge of the network, where the edge of the network is opposite the data center, closer to the user, both from geographic distance and network distance. As a new calculation mode, edge calculation deploys calculation tasks close to the network edge of a data generation source, a large number of service or function interfaces are provided for users by utilizing edge resources, the data volume uploaded to a cloud data center is greatly reduced, the network bandwidth pressure is relieved, and meanwhile, the problems of data safety and privacy can be better solved. Under the edge computing environment, the data has isomerism and larger data volume, the application programs for data processing have diversity, the computing tasks associated with different application programs are different, the management of the computing tasks has larger complexity, and the simple middleware software structure cannot effectively ensure the feasibility of the computing tasks, the reliability of the application programs and the maximization of resource utilization. Meanwhile, the functions to be realized by the edge computing system facing different applications or scenes are different. Therefore, the edge computing platform has important significance and influence on popularization and development of the edge computing field.
The technical problems and the inventive concepts to be solved by the technical scheme of the present application will be described below:
FIG. 1 is a schematic diagram of a cloud network access system in the related art. As shown in FIG. 1, customer premises equipment (Customer Premises Equipment, CPE) in an IDC room built by a customer or in a branch office of an enterprise, and a purchased VPC of a third-party cloud vendor, may be connected through a user-side VPN gateway to the VPN gateway in the proprietary cloud network, so as to reach the proprietary cloud network. The VPN gateway in the proprietary cloud network may also be referred to as an on-cloud VPN gateway, and an Internet Protocol Security (IPSec) public-network VPN tunnel may be established between the user-side VPN gateway and the on-cloud VPN gateway for encrypted data transmission. A personal computer (PC) can access the on-cloud VPN gateway through a Secure Sockets Layer (SSL) client in public-network SSL VPN mode, so as to reach the proprietary cloud network. A mobile phone terminal can access the on-cloud VPN gateway through an SSL application (APP) client in public-network SSL VPN mode, so as to reach the proprietary cloud network. After the IDC, network equipment, the VPC of the third-party cloud vendor, the PC or the mobile phone terminal has accessed the proprietary cloud network, it can interwork with resources such as cloud hosts, containers or storage on the proprietary cloud network.
In order to further improve the efficiency of cloud network access, an edge computing technology may be used to deploy VPN gateways of cloud vendors on edge servers closest to users. Fig. 2 is another cloud network access system architecture diagram provided in the related art, as shown in fig. 2, a VPN gateway is disposed on an edge computing node in an edge computing room closest to a user, and a user side may customize a VPN client, and the VPN client may establish VPN connection with the VPN gateway on the edge computing node closest to the user. At this time, the edge computing node is connected with the access gateway of the proprietary cloud network (i.e. cloud end) through a private line, so that the user side device can be connected to the resources of the user on the cloud. According to the scheme, the VPN client side of the user side is connected with the VPN gateway arranged on the edge computing node, and the VPN gateway is connected with the access gateway in the proprietary cloud network through the private line, so that the user side equipment can be conveniently and rapidly accessed into the cloud network.
In the system architecture of fig. 2, VPN gateways on edge computing nodes are newly added network elements that need to be managed by a controller deployed in the cloud. How to manage VPN gateways on each edge computing node by the cloud controller is a problem to be solved.
Illustratively, the VPN gateway is deployed at edge computing nodes (such as an edge machine room) in each place and accesses the cloud controller through the public network, so the cloud controller needs to perform access authentication on the VPN gateway on the edge computing nodes in order to manage it. In the related art, when a new gateway accesses a controller, the controller generates a unique certificate for the new gateway according to the related information of the gateway, and the gateway must carry that certificate for authentication whenever it later interacts with the controller. However, for the controller, generating a certificate consumes a great deal of computing resources, and if a large number of gateway devices come online and apply for certificates at the same time, the cloud may be unable to bear the load. For example, when a large number of VPN gateways are deployed at edge computing nodes at the same time, generating certificates for all of them simultaneously consumes a large amount of the cloud controller's computing resources and may create a performance bottleneck, and it is not reasonable to expand computing resources specifically for this purpose.
In view of this, embodiments of the present application provide a method, an apparatus, a device, and a storage medium for gateway management, which can perform efficient access authentication on VPN gateways on edge computing nodes, so as to implement management on VPN gateways on each edge computing node.
Specifically, when receiving a registration request sent by a VPN gateway disposed on an edge computing node, the embodiments of the present application may send a certificate stored in advance in a certificate pool to the VPN gateway, so that the VPN gateway can authenticate itself when interacting with the control device later, where the certificate is generated according to at least one of the region to which the VPN gateway belongs and its device model. Because the certificate is generated in advance and stored in the pool, rather than only once the VPN gateway comes online, the embodiments of the present application reduce the computing resource consumption of the control device when the VPN gateway accesses it, thereby supporting the simultaneous access of a large number of VPN gateways on edge computing nodes and realizing efficient access authentication of the VPN gateway.
FIG. 3 shows a schematic diagram of a network architecture to which embodiments of the present application are applicable. Illustratively, as shown in FIG. 3, the network architecture includes a control device 31 and at least one VPN gateway, such as VPN gateway 32, VPN gateway 33 and VPN gateway 34, disposed on edge computing nodes in different territories. The control device 31 may communicate with the VPN gateways; for example, the VPN gateways may access the control device via a public network. The control device 31 may be a controller deployed in the cloud. The control device 31 may include an access authentication module, and when each VPN gateway accesses the control device through the public network, the access authentication module performs authentication management on that VPN gateway.
The edge computing node may be an edge server, which may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers. The edge server may also be referred to as an edge computing server.
Illustratively, the VPN gateway may be a virtual VPN gateway. For example, a VPN gateway on an edge computing node may be a functional module on the edge computing node that implements the VPN gateway's role.
Optionally, the control device 31 may also communicate with a VPN client on the user side. For example, the VPN client may be a CPE in a customer-built IDC room or in a branch office of an enterprise, or a VPN gateway on the VPC side of a purchased third-party cloud vendor. For another example, the VPN client may be an SSL client installed on a PC or an APP installed on a mobile phone terminal.
Optionally, the VPN gateway may also be connected to an access gateway provided in the private cloud network through a private line, so as to implement communications between the two. The access gateway is also called an intersystem connector and a protocol converter, and can be used for realizing the interconnection of two networks with different higher protocols, namely an edge terminal and a cloud network.
The following describes a scheme provided in the embodiments of the present application with reference to the accompanying drawings.
Fig. 4 is a schematic flowchart of a method 400 for gateway management according to an embodiment of the present application. The method 400 may be performed by a control device and a VPN gateway. The method 400 may be applied to the network architecture shown in fig. 3. As shown in fig. 4, method 400 includes steps 410 and 420.
410, the VPN gateway sends a registration request to the control device.
For example, when a VPN gateway on an edge computing node is online, the VPN gateway may proactively send a registration request to the control device, where the registration request is for requesting registration of the VPN gateway on the control device. Alternatively, the registration request may carry information about a device model number, an Identification (ID), an IP, etc. of the VPN gateway.
420, the control device sends, in response to the registration request, a first certificate stored in advance in a first certificate pool to the VPN gateway, the first certificate being generated according to at least one of geographical information and a device model of the VPN gateway. Wherein the first certificate is used for authentication of the VPN gateway when interacting with the control device.
That is, at least one certificate has been stored in advance in the first certificate pool when the control apparatus receives the registration request. For example, the control device may generate at least one certificate in advance according to at least one of the regional information and the device model of the VPN gateway, and store the at least one certificate in the first certificate pool, so as to implement that a batch of certificates is created in advance for VPN gateway devices of related regions or device models. Alternatively, the control device may store the regional information or the device model of each VPN gateway in advance (such as at the time of initialization).
Optionally, the regional information of the VPN gateway, that is, the information of the region to which the VPN gateway belongs, may be, for example, the name of a region currently supporting the VPN gateway function, or the geographic location or city where the region is located, without limitation.
In some embodiments, when the control device receives the registration request of the VPN gateway, the control device may acquire, from the first certificate pool, a certificate corresponding to at least one of the regional information and the device model of the VPN gateway, and send the acquired certificate to the VPN gateway.
It may be appreciated that VPN gateways on different edge computing nodes may have the same regional information or the same device model, and thus a group of certificates generated according to at least one of the regional information and the device model may serve as a class of certificates for all VPN gateways having that regional information or that device model.
Therefore, when receiving a registration request of a VPN gateway arranged on an edge computing node, the embodiment of the present application sends a certificate stored in advance in a certificate pool to the VPN gateway, and does not need to wait for the VPN gateway to be online and generate a certificate in real time, so that when the VPN gateway accesses to a control device, the computing resource consumption of the control device can be reduced, and further, simultaneous access of a large number of VPN gateways on the edge computing node can be supported, and efficient access authentication to the VPN gateway is realized.
In some embodiments, the control device may construct at least one certificate pool for the at least one VPN gateway of each region, generate at least one certificate according to at least one of the region information of that region and the device model of the VPN gateway, and store the at least one certificate in the at least one certificate pool. The certificates in any one certificate pool are generated according to at least one of the same region information and the same device model.
For example, the control device may construct one certificate pool for the at least one VPN gateway of each region, or one certificate pool for the VPN gateways of the same device model in each region; this is not limited.
When a certificate pool is constructed for the at least one VPN gateway of each region, at least one certificate may be generated according to the region information of that region and stored in the certificate pool. In this case the certificates in the certificate pool are generated according to the same region information, that is, the certificate pool corresponds to, or is associated with, that region information.
When a certificate pool is constructed for the at least one VPN gateway of the same device model in each region, at least one certificate may be generated according to at least one of the region information of that region and the device model, and stored in the certificate pool. In this case the certificates in the certificate pool are generated according to at least one of the same region information and the same device model, that is, the certificate pool corresponds to, or is associated with, at least one of that region information and that device model.
Optionally, the at least two certificates generated according to at least one of the region information of each region and the device model of the VPN gateway may be identical or different; this is not limited. For example, after generating at least two identical certificates according to at least one of the region information and the device model, an index may be added to each of them to obtain at least two different certificates.
Therefore, the embodiment of the present application can establish certificate pools for VPN gateways in different regions, so that a batch of certificates is established uniformly and in advance for the at least one VPN gateway of each region, supporting simultaneous access of a large number of VPN gateways in each region and achieving efficient access authentication of the VPN gateways in each region.
In some embodiments, when the control device has constructed at least one certificate pool, it may, on receiving a registration request sent by the VPN gateway, determine the first certificate pool among the at least one certificate pool according to at least one of the region and the device model to which the VPN gateway belongs. For example, the control device may determine the first certificate pool by matching the region or device model of the VPN gateway against the region information or device model associated with each certificate pool.
In some embodiments, the first certificate pool stores at most N certificates, N being a positive integer. That is, the capacity of the first certificate pool is N, and the number of certificates stored in it is less than or equal to N. Thus, when VPN gateway devices come online in batches, at most N certificates can be taken from the first certificate pool at once; by storing N certificates in the first certificate pool in advance, the control device can support N gateway devices completing registration simultaneously while consuming almost no computing resources.
For example, when the first certificate pool is the resource pool corresponding to VPN gateways of a first device model in a first region, and the capacity of the first certificate pool is N, the control device can support N VPN gateways of the first device model in the first region completing registration simultaneously with little consumption of computing resources.
Optionally, when the control device constructs the certificate pools, it may set their capacity, for example setting the capacity of every certificate pool to N, or setting a capacity for each certificate pool individually. Illustratively, when a certificate pool of capacity N is built and initialized, the control device may create N certificates to fill it.
In some embodiments, the control device may set a timer for the first certificate pool. When the timer corresponding to the first certificate pool expires, the control device determines the number M of certificates stored in the first certificate pool, where M is a positive integer less than or equal to N. Optionally, after the timer expires, the control device may reset the timer.
If M is less than N, (N-M) certificates are generated and stored in the first certificate pool so as to fill it. If M equals N, that is, the first certificate pool is still full, no new certificates are generated for it.
In addition, in some embodiments, when more than N VPN gateways of the first device model in the first region register, then after the N certificates in the first certificate pool have been issued, the later VPN gateways must wait for new certificates to be generated periodically before they can obtain a certificate and complete registration.
Fig. 5 shows a schematic diagram of a certificate pool provided in an embodiment of the present application; the certificate pool may be, for example, the first certificate pool. As shown in fig. 5, when the VPN gateway registers for authentication, the control device may take a certificate out of the certificate pool and issue it to the VPN gateway, and the number of certificates stored in the certificate pool decreases accordingly. Meanwhile, the control device may store newly generated certificates into the certificate pool, so that the certificate pool is continuously refilled. For example, the control device may periodically check the fill level of the certificate pool (e.g., by setting a timer) and create new certificates to fill it when it is not full, which ensures that when a new VPN gateway registers later, a certificate can be obtained from the certificate pool and issued to it. In addition, by periodically filling the certificate pool, the control device can support a large number of VPN gateways that come online later completing registration simultaneously with little consumption of computing resources.
Therefore, through the pre-generated certificate pool, the embodiment of the present application can ensure that a limited number of VPN gateways complete registration as fast as possible. In addition, when the certificates in the certificate pool are insufficient, setting a maximum capacity for the certificate pool and filling it periodically prevents the computing resources of the control device from being overloaded.
For example, the rate at which the computing resources of the control device generate certificates, together with the amount of those resources, may be estimated; from this, the maximum number of certificates the control device updates when a timer period arrives is determined, and hence the maximum capacity of the certificate pool, ensuring that the control device can generate enough certificates to fill the certificate pool each time the timer expires. In addition, if an excessive number of VPN gateway devices register at the same time, they simply wait in a queue for certificate generation, so a performance bottleneck caused by heavy consumption of the computing resources of the control device is avoided, and computing resources need not be over-provisioned, which avoids increased cost.
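The certificate pool mechanism described above (pools keyed by region and device model, capacity N, a timer that tops the pool up by N-M certificates, and gateways queuing when a pool is empty) as an added example; this is not the patent's own code. Real certificate issuance is replaced by a constructed stand-in record carrying the pool's region, device model, a per-pool index (the "index added to otherwise identical certificates") and a random serial, because the page does not specify the certificate format; the pool-selection fallback from a (region, model) pool to a region-wide pool and the `max_pool_capacity` sizing helper are assumptions of this example.

```python
"""Pre-generated certificate pool for VPN gateway registration on the control device.

Added example, not the patent's code. Certificate generation is a constructed
placeholder (a record with region, model, index and random serial).
"""
from __future__ import annotations

import secrets
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

PoolKey = Tuple[str, Optional[str]]  # (region, device_model or None for region-wide)


@dataclass(frozen=True)
class Certificate:
    region: str
    device_model: Optional[str]
    index: int   # distinguishes certificates generated from the same attributes
    serial: str  # constructed placeholder standing in for the signed body


class CertificatePool:
    """Holds at most `capacity` (N) certificates; new pools start full."""

    def __init__(self, region: str, device_model: Optional[str], capacity: int) -> None:
        if capacity < 1:
            raise ValueError("capacity N must be a positive integer")
        self.region, self.device_model, self.capacity = region, device_model, capacity
        self._certs: Deque[Certificate] = deque()
        self._next_index = 0
        self.fill()

    def _generate(self) -> Certificate:
        # In a real deployment this is the expensive step (key generation and
        # signing); it runs off the registration path, on the timer instead.
        cert = Certificate(self.region, self.device_model, self._next_index, secrets.token_hex(8))
        self._next_index += 1
        return cert

    def fill(self) -> int:
        """Timer-expiry action: with M certificates stored, generate N-M. Returns N-M."""
        generated = 0
        while len(self._certs) < self.capacity:
            self._certs.append(self._generate())
            generated += 1
        return generated

    def take(self) -> Optional[Certificate]:
        """Issue one certificate, or None when the pool is exhausted."""
        return self._certs.popleft() if self._certs else None

    def __len__(self) -> int:
        return len(self._certs)


def max_pool_capacity(certs_per_second: float, timer_period_s: float) -> int:
    """Largest N the control device can regenerate within one timer period (assumed sizing rule)."""
    return int(certs_per_second * timer_period_s)


class ControlDevice:
    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.pools: Dict[PoolKey, CertificatePool] = {}
        self.pending: List[Tuple[str, str, Optional[str]]] = []  # gateways waiting for a refill
        self.issued: Dict[str, Certificate] = {}                 # gateway_id -> certificate

    def build_pool(self, region: str, device_model: Optional[str] = None) -> None:
        self.pools[(region, device_model)] = CertificatePool(region, device_model, self.capacity)

    def select_pool(self, region: str, device_model: Optional[str]) -> Optional[CertificatePool]:
        """Prefer the (region, model) pool; fall back to the region-wide pool (assumed)."""
        key: PoolKey = (region, device_model)
        if key in self.pools:          # explicit membership test: an empty pool is falsy
            return self.pools[key]
        return self.pools.get((region, None))

    def register(self, gateway_id: str, region: str, device_model: Optional[str]) -> Optional[Certificate]:
        """Answer a registration request from the pre-generated pool; queue if empty."""
        pool = self.select_pool(region, device_model)
        if pool is None:
            raise LookupError(f"no certificate pool for {region!r}/{device_model!r}")
        cert = pool.take()
        if cert is None:
            self.pending.append((gateway_id, region, device_model))
            return None
        self.issued[gateway_id] = cert
        return cert

    def on_timer(self) -> Dict[PoolKey, int]:
        """Refill every pool (N-M each), then serve gateways that were queued."""
        generated = {key: pool.fill() for key, pool in self.pools.items()}
        waiting, self.pending = self.pending, []
        for gateway_id, region, device_model in waiting:
            self.register(gateway_id, region, device_model)  # re-queues if still empty
        return generated
```

The registration path never generates a certificate: it only pops from a deque, which is why N gateways can register at once at negligible cost, and anything beyond N waits for the next `on_timer` rather than driving the control device into synchronous key generation.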
In some embodiments, a VPN gateway provided on an edge computing node is connected through a dedicated line to an access gateway of a proprietary cloud network (i.e., the cloud). However, the dedicated line carries the traffic between the VPN gateway and the access gateway and is not suitable for carrying control data for the VPN gateway. In addition, because a public network IP address is publicly reachable, if the control device transmitted control data to the VPN gateway over a public network IP, management access to the VPN gateway would be exposed, and the network security of the VPN gateway deployed at the edge computing node could not be ensured.
In view of this, the embodiments of the present application further provide a gateway management method, apparatus, device, and storage medium, in which the cloud control device can securely access the VPN gateways on edge computing nodes, so as to manage the VPN gateways on those nodes.
Specifically, in the embodiment of the present application, the control device sends a control packet that needs to reach the VPN gateway to a relay device, and the relay device sends the control packet to the VPN gateway through a Secure Shell (SSH) connection between the relay device and the VPN gateway. In this way the control device securely accesses the VPN gateway on the edge computing node without transmitting control data to the VPN gateway through a public network IP, and securely manages the VPN gateway on each edge computing node.
Fig. 6 shows a schematic diagram of a network architecture to which embodiments of the present application are applicable. Illustratively, as shown in fig. 6, the network architecture includes a proprietary cloud network 60 and at least one VPN gateway, such as VPN gateway 63 and VPN gateway 64, disposed on edge computing nodes in different regions. The proprietary cloud network 60 includes a control device 61 and a relay device 62. Control device 61 may communicate with the VPN gateways to carry traffic, for example with the VPN gateways accessing the control device through the public network. The control device 61 may also communicate with each VPN gateway through the relay device 62 for secure transmission of control data.
The relay device may be a relay server, which may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers.
The edge computing node may be an edge server, which may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers. The edge server may also be referred to as an edge computing server.
Illustratively, the VPN gateway may be a virtual VPN gateway. For example, a VPN gateway on an edge computing node may be a functional module on the edge computing node that implements the VPN gateway's role.
Optionally, the control device 31 may also communicate with a VPN client on the user side; for example, the VPN client may be a customer-built IDC room, a CPE in a branch office of an enterprise, or a VPN gateway on the VPC side of a purchased third-party cloud vendor. For another example, the VPN terminal may be an SSL client installed on a PC or an APP installed on a mobile terminal.
Optionally, the VPN gateway may also be connected through a dedicated line to an access gateway provided in the proprietary cloud network, so as to implement communication between the two. The access gateway, also called an inter-system connector or protocol converter, can interconnect two networks with different higher-layer protocols, namely the edge terminal and the cloud network.
The following describes a scheme provided in the embodiments of the present application with reference to the accompanying drawings.
Fig. 7 is a schematic flowchart of a method 700 for gateway management according to an embodiment of the present application. The method 700 may be performed by a control device, a relay device, and a VPN gateway. The method 700 may be applied to the network architecture shown in fig. 6. As shown in fig. 7, method 700 includes steps 710 and 720.
It should be noted that, before step 710, the VPN gateway may complete registration on the control device, for example, complete access authentication through the method 400 provided in the embodiment of the present application. After the VPN gateway completes registration, the control device may send a control packet to the VPN gateway through the method 700 provided by the embodiment of the present application, so as to implement security management and control on the VPN gateway.
710, the control device sends a first control message to the relay device. The first control message includes control data for the VPN gateway. Correspondingly, the relay device receives the first control message.
The VPN gateway is disposed on an edge computing node; for example, it may be one of the at least one VPN gateway in fig. 6, such as VPN gateway 63 or VPN gateway 64, which is not limited in this application.
Illustratively, when the control device needs to send the first control message to the VPN gateway, the control device may deliver the first control message to the relay device by means of a remote procedure call (RPC) inside the proprietary cloud network.
720, the relay device sends the first control message to the VPN gateway through the SSH connection between the relay device and the VPN gateway. Correspondingly, the VPN gateway receives the first control message and performs data processing according to it.
Therefore, after the control device hands the control message intended for the VPN gateway to the relay device, the relay device sends it to the VPN gateway through the SSH connection between the relay device and the VPN gateway, so the control device can securely access the VPN gateway on the edge computing node without transmitting the control data of the VPN gateway through a public network IP, and secure management of the VPN gateway on each edge computing node is achieved.
In some embodiments, in the case that an SSH connection has been established between the relay device and the VPN gateway, the first control message may be sent to the VPN gateway through the already established SSH connection.
In some embodiments, when there is no SSH connection between the relay device and the VPN gateway, the SSH connection between the relay device and the VPN gateway may be established to transmit the first control message.
As one implementation, the relay device may send a first instruction to the VPN gateway, the first instruction to instruct to establish an SSH connection between the relay device and the VPN gateway.
Alternatively, referring to fig. 7, sending the first instruction to the VPN gateway may be implemented through steps 711 and 712.
711, the VPN gateway sends a heartbeat message to the relay device.
Illustratively, the relay device may provide a dedicated public network IP address and port through which the VPN gateway periodically sends heartbeat messages to the relay device, for example one heartbeat message every 10s.
712, the relay device sends a heartbeat reply message to the VPN gateway, the heartbeat reply message including the first instruction.
For example, after receiving the heartbeat message sent by the VPN gateway, the relay device may record the heartbeat state of the VPN gateway and send a heartbeat reply message to the VPN gateway through the dedicated public network IP address and port provided by the relay device.
Optionally, when the relay device has received the first control message from the control device and there is no SSH connection between the relay device and the VPN gateway, the relay device may carry the first instruction in the heartbeat reply message that follows the next heartbeat message received from the VPN gateway after the first control message, thereby instructing the VPN gateway to establish the SSH connection.
Optionally, with continued reference to fig. 7, establishing the SSH connection may be accomplished through steps 713 and 714.
713, the VPN gateway sends an SSH connection establishment request to the relay device. Correspondingly, the relay device receives the SSH connection establishment request sent by the VPN gateway.
Specifically, after receiving the first instruction, the VPN gateway actively sends an SSH connection establishment request to the relay device in order to establish an SSH connection with it.
714, the relay device establishes an SSH connection with the VPN gateway.
Specifically, the relay device establishes an SSH connection with the VPN gateway in response to the SSH connection establishment request. After the SSH connection is established, the relay device may send the first control packet to the VPN gateway through the SSH connection.
In some embodiments, a timer is started after the relay device sends the first control message. While the timer has not expired, the SSH connection is kept open. If, during this period, the relay device obtains a second control message sent by the control device to the VPN gateway, the relay device sends the second control message to the VPN gateway through the existing SSH connection without establishing a new one. When the timer expires, the relay device disconnects the SSH connection between the relay device and the VPN gateway. That is, if no message needs to be sent during the timer period, the relay device actively closes the SSH connection once the timer expires.
Therefore, in the embodiment of the application, the SSH connection between the relay device and the VPN gateway can be established when required and is not maintained for a long time, so that the resource consumption of the VPN gateway and the relay device can be reduced.
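The relay-side control path of steps 710 to 720 and 711 to 714, with the idle timer that closes the SSH connection, as an added example rather than the patent's own code. The SSH session is an in-memory stand-in with no network, and the instruction name `establish_ssh`, the 30 s idle timeout, the message payloads and the simulated clock are constructed assumptions; what the example shows is that the instruction is only ever carried in a heartbeat reply when a control message is waiting and no session exists, that the gateway initiates the connection outbound, and that a second message reuses the open session while the timer runs.

```python
"""Relay-device control path: heartbeat-triggered SSH establishment, reuse
while an idle timer runs, disconnect on expiry. Added example, not the
patent's code; the SSH session and clock are constructed stand-ins."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

ESTABLISH_SSH = "establish_ssh"  # assumed name for the "first instruction"


@dataclass
class HeartbeatReply:
    gateway_id: str
    instruction: Optional[str] = None  # ESTABLISH_SSH or None


@dataclass
class SshSession:
    """Stand-in for the SSH connection the gateway opens towards the relay."""
    gateway_id: str
    delivered: List[str] = field(default_factory=list)
    open: bool = True

    def send(self, payload: str) -> None:
        if not self.open:
            raise RuntimeError("SSH session is closed")
        self.delivered.append(payload)


class RelayDevice:
    def __init__(self, idle_timeout_s: float) -> None:
        self.idle_timeout_s = idle_timeout_s
        self.sessions: Dict[str, SshSession] = {}
        self.queued: Dict[str, List[str]] = {}  # control messages waiting for SSH
        self.deadline: Dict[str, float] = {}    # per-gateway idle-timer expiry

    def submit_control_message(self, gateway_id: str, payload: str, now: float) -> bool:
        """Steps 710/720: send over an open session (restarting the timer); else queue."""
        sess = self.sessions.get(gateway_id)
        if sess is not None and sess.open:
            sess.send(payload)
            self.deadline[gateway_id] = now + self.idle_timeout_s
            return True
        self.queued.setdefault(gateway_id, []).append(payload)
        return False

    def on_heartbeat(self, gateway_id: str, now: float) -> HeartbeatReply:
        """Steps 711/712: carry the instruction only if a message waits and no session exists."""
        needs_ssh = bool(self.queued.get(gateway_id)) and gateway_id not in self.sessions
        return HeartbeatReply(gateway_id, ESTABLISH_SSH if needs_ssh else None)

    def on_ssh_establish_request(self, gateway_id: str, now: float) -> SshSession:
        """Steps 713/714: accept the gateway-initiated session, flush the queue, start the timer."""
        sess = SshSession(gateway_id)
        self.sessions[gateway_id] = sess
        for payload in self.queued.pop(gateway_id, []):
            sess.send(payload)
        self.deadline[gateway_id] = now + self.idle_timeout_s
        return sess

    def tick(self, now: float) -> List[str]:
        """Timer check: close sessions whose idle timer has expired; return their ids."""
        closed: List[str] = []
        for gateway_id, deadline in list(self.deadline.items()):
            if now >= deadline:
                sess = self.sessions.pop(gateway_id, None)
                if sess is not None:
                    sess.open = False
                del self.deadline[gateway_id]
                closed.append(gateway_id)
        return closed


class VpnGateway:
    """Edge-side gateway: heartbeats to the relay and opens SSH only on instruction."""

    def __init__(self, gateway_id: str, relay: RelayDevice) -> None:
        self.gateway_id, self.relay = gateway_id, relay
        self.session: Optional[SshSession] = None

    def heartbeat(self, now: float) -> HeartbeatReply:
        reply = self.relay.on_heartbeat(self.gateway_id, now)
        if reply.instruction == ESTABLISH_SSH:
            self.session = self.relay.on_ssh_establish_request(self.gateway_id, now)
        return reply


def run_scenario() -> dict:
    """Walk one gateway through the whole exchange on a simulated clock."""
    relay = RelayDevice(idle_timeout_s=30.0)
    gw = VpnGateway("gw-edge-1", relay)
    sent_directly = relay.submit_control_message("gw-edge-1", "cfg-v1", now=0.0)  # no SSH yet
    reply = gw.heartbeat(now=10.0)       # reply carries ESTABLISH_SSH; cfg-v1 flushed
    reused = relay.submit_control_message("gw-edge-1", "cfg-v2", now=20.0)  # reuses session
    idle_reply = gw.heartbeat(now=30.0)  # session exists: no instruction
    return {
        "sent_directly": sent_directly,
        "instruction": reply.instruction,
        "idle_instruction": idle_reply.instruction,
        "reused": reused,
        "closed_early": relay.tick(now=45.0),  # timer restarted at 20 s, expires at 50 s
        "closed": relay.tick(now=50.0),
        "delivered": gw.session.delivered if gw.session else [],
        "session_open": gw.session.open if gw.session else None,
    }
```

Note that the relay never opens a connection towards the edge: the only inbound path it exposes is the heartbeat endpoint, and the SSH session is always initiated by the gateway after an instruction, so a control message that arrives while no session exists is held until the gateway's next heartbeat.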
The specific embodiments of the present application have been described in detail above with reference to the accompanying drawings, but the present application is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solutions of the present application within the scope of the technical concept of the present application, and all the simple modifications belong to the protection scope of the present application. For example, the specific features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various possible combinations are not described in detail. As another example, any combination of the various embodiments of the present application may be made without departing from the spirit of the present application, which should also be considered as disclosed herein.
It should be further understood that, in the various method embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic of the processes, and should not constitute any limitation on the implementation process of the embodiments of the present application. It is to be understood that the numbers may be interchanged where appropriate such that the described embodiments of the application may be implemented in other sequences than those illustrated or described.
Method embodiments of the present application are described above in detail in connection with fig. 1-7, and apparatus embodiments of the present application are described below in connection with fig. 8-11.
Fig. 8 is a schematic block diagram of an apparatus 800 for gateway management of an embodiment of the present application. As shown in fig. 8, the apparatus 800 may include a receiving unit 810 and a transmitting unit 820.
a receiving unit 810, configured to receive a registration request sent by a VPN gateway, where the VPN gateway is disposed on an edge computing node;
and a sending unit 820, configured to send, in response to the registration request, a first certificate stored in advance in a first certificate pool to the VPN gateway, where the first certificate is used for authentication when the VPN gateway interacts with the control device, and the first certificate is generated according to at least one of regional information and a device model of the VPN gateway.
In some embodiments, the apparatus 800 further comprises a processing unit to:
constructing at least one certificate pool for at least one VPN gateway of each region;
generating at least one certificate according to at least one of the regional information of each region and the equipment model of the VPN gateway, and storing the at least one certificate into at least one certificate pool, wherein the certificates in each certificate pool are generated according to at least one of the same regional information and the same equipment model.
In some embodiments, the first certificate pool stores at most N certificates, N being a positive integer.
In some embodiments, the processing unit is further to:
when a timer corresponding to the first certificate pool expires, determining the number M of certificates stored in the first certificate pool, where M is a positive integer less than or equal to N;
if M is less than N, generating (N-M) certificates, and storing the (N-M) certificates in the first certificate pool.
In some embodiments, the sending unit 820 is further configured to:
send a first control message to a relay device, so that the relay device sends the first control message to the VPN gateway through an SSH connection between the relay device and the VPN gateway.
Specifically, the gateway management apparatus 800 in this embodiment may correspond to the control device that performs the method 400 in the embodiment of the present application; the foregoing and other operations and/or functions of each module in the apparatus 800 implement the corresponding flow of the control device in the method in fig. 4, and are not repeated here for brevity.
Fig. 9 is a schematic block diagram of an apparatus 900 for gateway management of an embodiment of the present application. As shown in fig. 9, the apparatus 900 may include a receiving unit 910 and a transmitting unit 920.
a receiving unit 910, configured to obtain a first control packet sent by a control device;
and a sending unit 920, configured to send the first control packet to a VPN gateway through a Secure Shell (SSH) connection between a relay device and the VPN gateway, where the VPN gateway is disposed on an edge computing node.
In some embodiments, the sending unit 920 is further configured to send a first instruction to the VPN gateway, where the first instruction is configured to instruct to establish the SSH connection.
The receiving unit 910 is further configured to receive an SSH connection establishment request sent by the VPN gateway.
The apparatus 900 further comprises a processing unit for establishing the SSH connection with the VPN gateway in response to the SSH connection establishment request.
In some embodiments, the receiving unit 910 is further configured to: receiving a heartbeat message sent by the VPN gateway;
the transmitting unit 920 specifically is configured to: and responding to the heartbeat message, sending a heartbeat confirmation reply message to the VPN, wherein the heartbeat confirmation reply message comprises the first instruction.
In some embodiments, the processing unit is further to: and starting a timer after the first control message is sent.
In the case that the timer does not timeout, the receiving unit 910 is further configured to obtain a second control packet sent by the control device to the VPN gateway, and the sending unit 920 is further configured to send the second control packet to the VPN gateway through the SSH connection.
The processing unit is further configured to: and disconnecting the SSH connection when the timer is overtime.
Specifically, while the apparatus 900 managed by the gateway in this embodiment may correspond to a relay device performing the method 700 in this embodiment of the present application, the foregoing and other operations and/or functions of each module in the apparatus 900 are respectively for implementing the corresponding flow of the relay device in the method in fig. 7, and are not repeated herein for brevity.
Fig. 10 is a schematic block diagram of an apparatus 1000 for gateway management of an embodiment of the present application. As shown in fig. 10, the apparatus 1000 may include a receiving unit 1010 and a processing unit 1020.
a receiving unit 1010, configured to receive, through a Secure Shell (SSH) connection between a VPN gateway and a relay device, a first control packet forwarded by the relay device from a control device, where the VPN gateway is disposed on an edge computing node;
and a processing unit 1020, configured to perform data processing according to the first control packet.
In some embodiments, the receiving unit 1010 is further configured to: receiving a first instruction sent by the relay device, wherein the first instruction is used for indicating to establish the SSH connection;
the apparatus 1000 further comprises a sending unit configured to send an SSH connection establishment request to the relay device to establish the SSH connection with the VPN gateway.
In some embodiments, the sending unit is further configured to send a heartbeat message to the relay device;
the receiving unit 1010 is specifically configured to receive a heartbeat acknowledgment reply message sent by the relay device, where the heartbeat acknowledgment reply message includes the first instruction.
Specifically, the gateway management apparatus 1000 in this embodiment may correspond to the VPN gateway that performs the method 700 in the embodiment of the present application; the foregoing and other operations and/or functions of each module in the apparatus 1000 implement the corresponding flow of the VPN gateway in the method in fig. 7, and are not repeated here for brevity.
It should be understood that apparatus embodiments and method embodiments may correspond with each other and that similar descriptions may refer to the method embodiments. To avoid repetition, no further description is provided here.
The apparatus and system of embodiments of the present application are described above in terms of functional modules in connection with the accompanying drawings. It should be understood that the functional module may be implemented in hardware, or may be implemented by instructions in software, or may be implemented by a combination of hardware and software modules. Specifically, each step of the method embodiments in the embodiments of the present application may be implemented by an integrated logic circuit of hardware in a processor and/or an instruction in software form, and the steps of the method disclosed in connection with the embodiments of the present application may be directly implemented as a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. Alternatively, the software modules may be located in a well-established storage medium in the art such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, and the like. The storage medium is located in a memory, and the processor reads information in the memory, and in combination with hardware, performs the steps in the above method embodiments.
Fig. 11 is a schematic block diagram of an electronic device 1100 provided by an embodiment of the present application.
As shown in fig. 11, the electronic device 1100 may include:
a memory 1110 and a processor 1120, the memory 1110 being for storing a computer program and transmitting the program code to the processor 1120. In other words, the processor 1120 may call and run a computer program from the memory 1110 to implement the methods in embodiments of the present application.
For example, the processor 1120 may be used to perform the steps of the methods 400 or 700 described above according to instructions in the computer program.
In some embodiments of the present application, the processor 1120 may include, but is not limited to:
a general purpose processor, digital signal processor (Digital Signal Processor, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like.
In some embodiments of the present application, the memory 1110 includes, but is not limited to:
volatile memory and/or nonvolatile memory. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. The volatile memory may be Random Access Memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DR RAM).
In some embodiments of the present application, the computer program may be partitioned into one or more modules that are stored in the memory 1110 and executed by the processor 1120 to perform the methods provided herein. The one or more modules may be a series of computer program instruction segments capable of performing particular functions to describe the execution of the computer program in the electronic device 1100.
Optionally, the electronic device 1100 may further include:
a communication interface 1130, the communication interface 1130 being connectable to the processor 1120 or the memory 1110.
Wherein the processor 1120 may control the communication interface 1130 to communicate with other devices, and in particular, may send information or data to other devices, or receive information or data sent by other devices. By way of example, the communication interface 1130 may include a transmitter and a receiver. Communication interface 1130 may further include an antenna, which may be one or more in number.
It should be appreciated that the various components in the electronic device 1100 are connected by a bus system that includes a power bus, a control bus, and a status signal bus in addition to a data bus.
According to an aspect of the present application, there is provided an electronic device comprising a processor and a memory for storing a computer program, the processor being adapted to invoke and run the computer program stored in the memory, such that the electronic device performs the method of the above-described method embodiments.
According to an aspect of the present application, there is provided a computer storage medium having stored thereon a computer program which, when executed by a computer, enables the computer to perform the method of the above-described method embodiments. Alternatively, embodiments of the present application also provide a computer program product comprising instructions which, when executed by a computer, cause the computer to perform the method of the method embodiments described above.
According to another aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium and executes the computer instructions to cause the computer device to perform the method of the above-described method embodiments.
In other words, when implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they produce, in whole or in part, a flow or function consistent with the embodiments of the present application. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
It should be understood that in the embodiments of the present application, "B corresponding to A" means that B is associated with A. In one implementation, B may be determined from A. It should also be understood that determining B from A does not mean determining B from A alone; B may also be determined from A and/or other information.
In the description of the present application, unless otherwise indicated, "at least one" means one or more, and "a plurality" means two or more. In addition, "and/or" describes an association relationship between the associated objects and indicates that three relationships may exist; for example, A and/or B may indicate: A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "at least one of" and similar expressions mean any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c may each be singular or plural.
It should be further understood that the description of the first, second, etc. in the embodiments of the present application is for purposes of illustration and distinction only, and does not represent a specific limitation on the number of devices in the embodiments of the present application, and should not constitute any limitation on the embodiments of the present application.
It should also be appreciated that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It will be appreciated that in the specific embodiments of the present application, data related to user information and the like may be involved. When the above embodiments of the present application are applied to specific products or technologies, user approval or consent is required, and the collection, use and processing of relevant data is required to comply with relevant laws and regulations and standards of the relevant countries and regions.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus, device, and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division into modules is merely a logical division of functions, and other divisions are possible in actual implementation; for instance, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections via interfaces, devices or modules, and may be electrical, mechanical, or in other forms.
The modules illustrated as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. For example, functional modules in the embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes or substitutions are covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (14)

1. A method of gateway management, the method being applied to a control device, the method comprising:
receiving a registration request sent by a virtual private network (VPN) gateway, wherein the VPN gateway is arranged on an edge computing node;
and in response to the registration request, sending a first certificate stored in a first certificate pool to the VPN gateway, wherein the first certificate is used for authentication when the VPN gateway interacts with the control device, and the first certificate is generated according to at least one of the regional information and the equipment model of the VPN gateway.
2. The method as recited in claim 1, further comprising:
constructing at least one certificate pool for at least one VPN gateway of each region;
generating at least one certificate according to at least one of the regional information of each region and the equipment model of the VPN gateway, and storing the at least one certificate into at least one certificate pool, wherein the certificates in each certificate pool are generated according to at least one of the same regional information and the same equipment model.
3. The method of claim 1, wherein the first certificate pool stores at most N certificates, N being a positive integer.
4. A method according to claim 3, further comprising:
when a timer corresponding to the first certificate pool expires, determining the number M of certificates stored in the first certificate pool, wherein M is a positive integer less than or equal to N;
if M is less than N, generating (N-M) certificates and storing the (N-M) certificates in the first certificate pool.
5. The method as recited in claim 1, further comprising:
and sending a first control message to a relay device, so that the relay device sends the first control message to the VPN gateway through a secure shell (SSH) connection between the relay device and the VPN gateway.
6. A method of gateway management, applied to a relay device, comprising:
receiving a first control message sent by a control device;
and sending the first control message to a VPN gateway through a secure shell (SSH) connection between the relay device and the VPN gateway, wherein the VPN gateway is arranged on an edge computing node.
7. The method as recited in claim 6, further comprising:
sending a first instruction to the VPN gateway, wherein the first instruction is used for indicating to establish the SSH connection;
receiving an SSH connection establishment request sent by the VPN gateway;
and responding to the SSH connection establishment request, and establishing the SSH connection with the VPN gateway.
8. The method of claim 7, wherein the sending a first instruction to the VPN gateway comprises:
receiving a heartbeat message sent by the VPN gateway;
and in response to the heartbeat message, sending a heartbeat confirmation reply message to the VPN gateway, wherein the heartbeat confirmation reply message comprises the first instruction.
9. The method as recited in claim 6, further comprising:
starting a timer after the first control message is sent;
before the timer expires, if a second control message sent by the control device to the VPN gateway is obtained, sending the second control message to the VPN gateway through the SSH connection;
and disconnecting the SSH connection when the timer expires.
10. A method of gateway management, applied to a VPN gateway, comprising:
receiving a first control message forwarded by a relay device from a control device through a secure shell (SSH) connection between the VPN gateway and the relay device, wherein the VPN gateway is arranged on an edge computing node;
and carrying out data processing according to the first control message.
11. The method as recited in claim 10, further comprising:
receiving a first instruction sent by the relay device, wherein the first instruction is used for indicating to establish the SSH connection;
and sending an SSH connection establishment request to the relay device, and establishing the SSH connection with the VPN gateway.
12. The method of claim 11, wherein the receiving the first instruction sent by the relay device comprises:
sending a heartbeat message to the relay device;
and receiving a heartbeat confirmation reply message sent by the relay device, wherein the heartbeat confirmation reply message comprises the first instruction.
13. An electronic device comprising a processor and a memory, the memory having instructions stored therein, which when executed by the processor, cause the processor to perform the method of any of claims 1-12.
14. A computer storage medium comprising instructions which, when run on a computer, cause the computer to perform the method of any of claims 1-12.
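The certificate-pool behaviour of claims 1 to 4 (per-region, per-model pools capped at N certificates, drawn down on registration and topped up by N-M when the pool's timer fires), modelled as an added Python example that is not the patent's own implementation. The region and model strings are constructed placeholders, and the Certificate class is a stand-in for a real issued certificate.

```python
import secrets
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Certificate:
    # Constructed stand-in: bound to the region and device model of its pool.
    region: str
    model: str
    serial: str

@dataclass
class CertificatePool:
    region: str
    model: str
    capacity: int                    # N in claim 3: the pool holds at most N
    certs: list = field(default_factory=list)

    def generate(self, count: int) -> None:
        # Every certificate in a pool carries that pool's region and model.
        for _ in range(count):
            self.certs.append(Certificate(self.region, self.model, secrets.token_hex(8)))

    def replenish(self) -> int:
        """Claim 4: on timer expiry count M and, if M < N, add (N - M) certificates."""
        missing = self.capacity - len(self.certs)
        if missing > 0:
            self.generate(missing)
        return max(missing, 0)

class ControlDevice:
    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.pools: dict = {}        # one pool per (region, model), claim 2

    def build_pool(self, region: str, model: str) -> CertificatePool:
        pool = CertificatePool(region, model, self.capacity)
        pool.generate(self.capacity) # pre-fill so registration needs no signing
        self.pools[(region, model)] = pool
        return pool

    def on_registration(self, region: str, model: str):
        """Claim 1: answer a registration with a certificate from the matching pool."""
        pool = self.pools.get((region, model))
        if pool is None or not pool.certs:
            return None              # unknown region/model, or pool exhausted
        return pool.certs.pop()

    def on_pool_timer(self, region: str, model: str) -> int:
        return self.pools[(region, model)].replenish()
```

A gateway that registers with a region/model pair for which no pool was built gets nothing, which is the point of keying the pools: only pre-authorised combinations are ever issued a certificate.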
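The relay-side exchange of claims 6 to 9 (control message held until the gateway's heartbeat ack carries the establish-SSH instruction, then forwarded over SSH while a timer runs, with the connection torn down on expiry), modelled as an added Python example with a logical clock; it is not the patent's own code. The claims do not say what triggers the instruction, so this example assumes it is sent only when messages are waiting and no SSH connection is up.

```python
from dataclasses import dataclass, field

ESTABLISH_SSH = "establish_ssh"   # the "first instruction" of claims 7-8

@dataclass
class Session:
    ssh_up: bool = False
    deadline: float = 0.0            # claim 9 timer expiry; valid while ssh_up
    delivered: list = field(default_factory=list)   # messages sent over SSH

class RelayDevice:
    def __init__(self, hold_seconds: float) -> None:
        self.hold = hold_seconds     # how long the SSH connection stays open
        self.sessions: dict = {}
        self.pending: dict = {}      # control messages waiting for an SSH connection

    def _session(self, gw: str) -> Session:
        return self.sessions.setdefault(gw, Session())

    def on_control_message(self, gw: str, msg: str, now: float) -> str:
        """Claims 6 and 9: forward while the timer runs, otherwise hold the message."""
        s = self._session(gw)
        if s.ssh_up and now < s.deadline:
            s.delivered.append(msg)
            return "forwarded"
        self.pending.setdefault(gw, []).append(msg)
        return "queued"

    def on_heartbeat(self, gw: str) -> dict:
        """Claim 8: the heartbeat ack carries the instruction (assumption: only
        when messages are waiting and no SSH connection is up)."""
        ack = {"type": "heartbeat_ack"}
        if self.pending.get(gw) and not self._session(gw).ssh_up:
            ack["instruction"] = ESTABLISH_SSH
        return ack

    def on_ssh_request(self, gw: str, now: float) -> list:
        """Claim 7: accept the SSH request, flush held messages, start the claim 9 timer."""
        s = self._session(gw)
        s.ssh_up = True
        s.delivered.extend(self.pending.pop(gw, []))
        s.deadline = now + self.hold
        return list(s.delivered)

    def on_tick(self, gw: str, now: float) -> str:
        """Claim 9: disconnect the SSH connection once the timer expires."""
        s = self._session(gw)
        if s.ssh_up and now >= s.deadline:
            s.ssh_up = False
            return "disconnected"
        return "open" if s.ssh_up else "closed"
```

Because the gateway only opens SSH when told to in a heartbeat ack, and the relay closes it on a fixed timer, a management channel exists only around the delivery of control messages rather than sitting open permanently.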
Application data

Application CN202211086323.8A, priority date 2022-09-06, filing date 2022-09-06; published as CN117714230A on 2024-03-15; legal status: Pending; family ID 90142970; country: CN.


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination