CN117792995A - Tenant communication method, tenant communication device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117792995A
Application number: CN202311725470.XA
Authority: CN (China)
Prior art keywords: target, address, network, communication, tenant
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 张泽云
Current Assignee: China Resources Digital Technology Co Ltd
Original Assignee: China Resources Digital Technology Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application provides a tenant communication method, device, electronic equipment and storage medium, and belongs to the technical field of network communication. The method comprises the following steps: connecting a virtual router of a target tenant with an internal shared network, wherein the target tenant is provided with a target virtual machine, and the target virtual machine is provided with a virtual network card address; acquiring a target network segment address of an internal shared network; storing the mapping relation between the virtual network card address and the target network segment address in an initial address conversion table of the virtual router to obtain a target address conversion table; receiving a communication interaction request initiated by an access virtual machine of an access tenant through a virtual router; performing request analysis processing on the communication interaction request based on the target address conversion table to obtain a target source address representing the virtual network card address; and establishing a communication connection between the target virtual machine and the access virtual machine based on the target source address and the communication interaction request. The tenant can realize the cross-tenant communication without connecting an external public network, and the security of the cross-tenant communication is improved.

Description

Tenant communication method, tenant communication device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of network communications technologies, and in particular, to a tenant communication method, device, electronic device, and storage medium.
Background
In a cloud network based on the OpenStack technology, different tenants cannot communicate with each other because of the limitations of tenant routers. At present, communication between tenants is mainly achieved by renting a public network IP address from an operator; in practice, however, this approach requires a connection to an external shared network, so the security of the tenants cannot be ensured. How to improve the security of inter-tenant communication has therefore become a technical problem to be solved.
Disclosure of Invention
The embodiment of the application mainly aims to provide a tenant communication method, device, electronic equipment and storage medium, and aims to improve security of cross-tenant communication.
To achieve the above object, a first aspect of an embodiment of the present application proposes a tenant communication method, where the method includes:
connecting a virtual router of a target tenant with a pre-established internal shared network; the target tenant is provided with a target virtual machine, and the target virtual machine is provided with a virtual network card address;
acquiring a target network segment address of the internal shared network;
creating an initial address translation table on the virtual router;
establishing a mapping relation between the virtual network card address and the target network segment address, and storing the mapping relation in the initial address translation table to obtain a target address translation table;
receiving a communication interaction request from an access tenant through the virtual router;
performing request analysis processing on the communication interaction request based on the target address translation table to obtain a target source address; the communication interaction request is initiated by an access virtual machine of the access tenant, and the target source address is the virtual network card address;
and establishing a communication connection between the target virtual machine and the access virtual machine based on the target source address and the communication interaction request.
In some embodiments, connecting the virtual router of the target tenant with the pre-created internal shared network includes:
performing network identification on a network interface attached to the virtual router to obtain a network interface identification result;
if the network interface identification result indicates that the network interface belongs to the internal shared network, acquiring interface information of the network interface;
performing static route configuration on the virtual router based on the interface information to obtain a static routing table;
and establishing a network connection between the virtual router and the internal shared network based on the static routing table.
In some embodiments, the establishing a network connection between the virtual router and the internal shared network based on the static routing table includes:
determining a routing communication path based on the static routing table; wherein the routing communication path is a communication path between the virtual router and the internal shared network;
performing network communication test based on the routing communication path to obtain a network test result;
and if the network test result indicates that the routing communication path is correct, establishing the network connection between the virtual router and the internal shared network based on the routing communication path.
In some embodiments, performing request analysis processing on the communication interaction request based on the target address translation table to obtain the target source address includes:
performing network identification on the communication interaction request to obtain a target network identifier;
and if the target network identifier indicates that the communication interaction request was transmitted to the virtual router through the internal shared network, performing source address resolution on the communication interaction request based on the target address translation table to obtain the target source address.
In some embodiments, performing source address resolution on the communication interaction request based on the target address translation table to obtain the target source address includes:
performing access address resolution on the communication interaction request to obtain a target access address;
and converting the target access address into a source address through the target address translation table to obtain the target source address.
In some embodiments, after the establishing of the communication connection between the target virtual machine and the access virtual machine based on the target source address and the communication interaction request, the method further comprises:
receiving communication resources returned by the target virtual machine according to the communication interaction request;
carrying out communication address analysis on the communication interaction request to obtain a target communication address;
and sending the communication resource to the access virtual machine based on the target communication address through the virtual router.
In some embodiments, the initial address translation table includes address translation rules, and the target network segment address includes at least one target subnet segment address; establishing the mapping relation between the virtual network card address and the target network segment address and storing the mapping relation in the initial address translation table to obtain the target address translation table includes:
allocating a target subnet segment address to the virtual network card address based on the address translation rules to obtain the mapping relation;
and storing the mapping relation in the initial address translation table to obtain the target address translation table.
To achieve the above object, a second aspect of the embodiments of the present application proposes a tenant communication device, the device including:
the network connection module is used for connecting the virtual router of the target tenant with the pre-established internal shared network; the target tenant is provided with a target virtual machine, and the target virtual machine is provided with a virtual network card address;
the network segment address acquisition module is used for acquiring a target network segment address of the internal shared network;
a conversion table creation module for creating an initial address conversion table on the virtual router;
the address mapping module is used for establishing a mapping relation between the virtual network card address and the target network segment address, and storing the mapping relation in the initial address conversion table to obtain a target address conversion table;
the request acquisition module is used for receiving a communication interaction request from an access tenant through the virtual router;
the request analysis module is used for carrying out request analysis processing on the communication interaction request based on the target address conversion table to obtain a target source address; the communication interaction request is initiated by the access virtual machine of the access tenant, and the target source address is the virtual network card address;
and the communication connection module is used for establishing communication connection between the target virtual machine and the access virtual machine based on the target source address and the communication interaction request.
To achieve the above object, a third aspect of the embodiments of the present application proposes an electronic device, which includes a memory and a processor, the memory storing a computer program, the processor implementing the method according to the first aspect when executing the computer program.
To achieve the above object, a fourth aspect of the embodiments of the present application proposes a computer-readable storage medium storing a computer program that, when executed by a processor, implements the method of the first aspect.
The tenant communication method, the tenant communication device, the electronic equipment and the storage medium are characterized in that a virtual router of a target tenant is connected with a pre-established internal shared network; the target tenant is provided with a target virtual machine, and the target virtual machine is provided with a virtual network card address; acquiring a target network segment address of an internal shared network; creating an initial address translation table on the virtual router; establishing a mapping relation between a virtual network card address and a target network segment address, and storing the mapping relation in an initial address conversion table to obtain a target address conversion table; receiving a communication interaction request from an access tenant through a virtual router; performing request analysis processing on the communication interaction request based on the target address conversion table to obtain a target source address; the communication interaction request is initiated by an access virtual machine of an access tenant, and the target source address is a virtual network card address; a communication connection between the target virtual machine and the access virtual machine is established based on the target source address and the communication interaction request. The tenant can realize cross-tenant communication without connecting an external public network, so that the security in the cross-tenant communication is improved.
Drawings
Fig. 1 is a flowchart of a tenant communication method provided in an embodiment of the present application;
Fig. 2 is a flowchart of step S101 in Fig. 1;
Fig. 3 is a flowchart of step S204 in Fig. 2;
Fig. 4 is a flowchart of step S104 in Fig. 1;
Fig. 5 is a flowchart of step S106 in Fig. 1;
Fig. 6 is a flowchart of step S502 in Fig. 5;
Fig. 7 is a flowchart of a tenant communication method provided in another embodiment of the present application;
Fig. 8 is a schematic structural diagram of a tenant communication device provided in an embodiment of the present application;
Fig. 9 is a schematic hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
First, several terms used in this application are explained:
In OpenStack, a tenant is a collection of resources and may be understood as a container or owner of resources, including compute resources, storage resources, network resources, image resources and so on. A tenant may be a person, a project or an organization; a tenant may contain multiple users, each of whom uses the tenant's resources according to the permissions assigned to them.
A virtual machine is a complete computer system, emulated in software and running in a fully isolated environment, with the functionality of a complete hardware system. A virtual machine can be created on a physical computer and implement the same or similar functions as a physical machine. Each virtual machine has its own CMOS, hard disk and operating system and can be operated as if it were a physical machine.
Static routing is a form of routing in which the routing entries are configured manually rather than determined dynamically. Unlike dynamic routes, static routes are fixed and do not change during use even when network conditions change or are reconfigured.
Classless Inter-Domain Routing (CIDR) is an IP address allocation and routing technique that allocates IP addresses more flexibly by introducing variable-length prefixes. In CIDR, an IP address is divided into two parts: a network prefix identifying the network and a host identifier identifying the host within it. CIDR better supports functions such as Variable Length Subnet Masks (VLSM) and route aggregation, improving the utilization of address space and the efficiency of route selection. Compared with the traditional classful addressing scheme (classes A, B, C, D and E), CIDR is more flexible, can allocate IP addresses according to actual demand, and avoids address waste and exhaustion. CIDR also supports route aggregation better, so that network routing tables are simpler and more efficient.
In a cloud network based on the OpenStack technology, due to the limitation of a tenant router managed by the OpenStack cloud network, the tenant router can only be associated with one external network, and a tenant virtual machine only supports association with one floating IP, so that communication cannot be directly carried out among different tenants.
At present, communication of different tenants can be realized by creating a shared network and then adding a network card connected to the shared network to each tenant virtual machine, but the method needs to increase network card resources, has high cost and is difficult to manage, so that the method cannot be popularized.
The main method of implementing communication between different tenants is to purchase a block of public network IP addresses from a communication carrier; these addresses are reachable from the Internet. In practice, however, this method requires the tenant network to be connected to an external shared network, so any other user on the Internet can reach the tenant virtual machine through its floating public IP, and the security of the tenant cannot be ensured. In addition, purchasing public IP addresses is expensive, which tenants find unacceptable.
Therefore, how to improve the security of the inter-tenant communication becomes a technical problem to be solved.
Based on this, the embodiment of the application provides a tenant communication method, device, electronic equipment and storage medium, aiming at improving the security of cross-tenant communication.
The tenant communication method, device, electronic equipment and storage medium provided in the embodiments of the present application are specifically described through the following embodiments, and the tenant communication method in the embodiments of the present application is first described.
The embodiment of the application provides a tenant communication method, and relates to the technical field of network communication. The tenant communication method provided by the embodiment of the application can be applied to a terminal, a server side and software running in the terminal or the server side. In some embodiments, the terminal may be a smart phone, tablet, notebook, desktop, etc.; the server side can be configured as an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, and a cloud server for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligent platforms and the like; the software may be an application or the like that implements the tenant communication method, but is not limited to the above form.
The subject application is operational with numerous general purpose or special purpose computer system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
Fig. 1 is an optional flowchart of a tenant communication method provided in an embodiment of the present application, where the method in fig. 1 may include, but is not limited to, steps S101 to S107.
Step S101, a virtual router of a target tenant is connected with a pre-established internal shared network; the target tenant is provided with a target virtual machine, and the target virtual machine is provided with a virtual network card address;
step S102, a target network segment address of an internal shared network is obtained;
step S103, an initial address conversion table is created on the virtual router;
step S104, establishing a mapping relation between the virtual network card address and the target network segment address, and storing the mapping relation in an initial address conversion table to obtain a target address conversion table;
step S105, receiving a communication interaction request from an access tenant through a virtual router;
step S106, carrying out request analysis processing on the communication interaction request based on the target address conversion table to obtain a target source address; the communication interaction request is initiated by an access virtual machine of an access tenant, and the target source address is a virtual network card address;
step S107, a communication connection between the target virtual machine and the access virtual machine is established based on the target source address and the communication interaction request.
In steps S101 to S107 illustrated in the embodiment of the present application, the virtual router of the target tenant is connected with a pre-created internal shared network and an initial address translation table is created on the virtual router. A target network segment address is then allocated to the virtual network card address of the target virtual machine of the target tenant, giving a mapping relation between the virtual network card address and the target network segment address, and this mapping relation is stored in the initial address translation table to obtain the target address translation table. When the virtual router receives a request from another accessing tenant, it can translate the request through the target address translation table and establish the communication connection. Tenants can therefore communicate across tenant boundaries without connecting to an external public network, which improves the security of cross-tenant communication.
In addition, according to the embodiment of the application, based on the virtual router, the target virtual machine and the network card of the virtual machine of the target tenant, all tenants can be brought into the network by configuring one internal shared network, so that cross-tenant communication is realized, no additional hardware/software equipment is required to be added, and the realization cost and the operation and maintenance difficulty are saved.
In one embodiment, multiple internal shared networks can be formed between different tenants, so that the group effect is achieved, for example, tenant a, tenant B and tenant C form a shared network 1, tenant B, tenant C and tenant D form a shared network 2, tenant a, tenant C and tenant D form a shared network 3, specifically, the shared network 1, shared network 2 and shared network 3 can coexist, and the shared network is deployed to achieve the group intra-tenant communication, without adding hardware/software equipment, without additional expense, and can be expanded more strongly.
It should be noted that tenant communication refers to communication between virtual machines of different tenants; for example, tenant A owns virtual machine a and tenant B owns virtual machine b. When a communication connection is established between virtual machine a and virtual machine b, this is referred to as cross-tenant communication.
Referring to fig. 2, in some embodiments, step S101 may include, but is not limited to, steps S201 to S204:
step S201, performing network identification on a network interface attached to the virtual router to obtain a network interface identification result;
step S202, if the network interface identification result represents that the network interface belongs to the internal shared network, acquiring interface information of the network interface;
step S203, carrying out static route configuration on the virtual router based on the interface information to obtain a static route table;
step S204, network connection between the virtual router and the internal shared network is established based on the static routing table.
In steps S201 to S204 illustrated in the embodiments of the present application, a network interface attached to the virtual router is first identified to obtain a network interface identification result. If the result indicates that the network interface belongs to the internal shared network, the network may be attached to the virtual router: the interface information of the network interface is obtained, static route configuration is performed on the virtual router based on that interface information to obtain a static routing table, and the network connection between the virtual router and the internal shared network is established based on the static routing table. In this way only the intended network is added to the tenant's virtual router, and other networks are prevented from attaching to it and affecting the security of the tenant.
In step S201 of some embodiments, the virtual router of the target tenant is configured with an interface identification rule, and network identification is performed on every network interface attached to the virtual router, so as to ensure the security of the tenant network.
In step S202 of some embodiments, if the network interface identification result shows that the network interface does not belong to the internal shared network but to some other network, the interface is not allowed to attach to the virtual router, so as to ensure the security of the tenant network.
In some embodiments, the internal shared network is provided with an internal shared gateway, the interface information of the network interface includes a gateway address of the internal shared gateway, and the network connection between the virtual router and the internal shared network is realized by performing static routing configuration on the gateway address of the internal shared gateway on the routing table of the virtual router, thereby obtaining the static routing table.
When the internal shared network is required to be used for network transmission, the transmission resources are sent to the corresponding internal shared gateway according to the gateway address configured on the static routing table, so that the internal shared gateway sends the transmission resources to the virtual machine of the target tenant, and network communication connection is realized.
In one embodiment, the internal shared gateway is deployed on a preset switch.
Referring to fig. 3, in some embodiments, step S204 may include, but is not limited to, steps S301 to S303:
step S301, determining a routing communication path based on a static routing table; the routing communication path is a communication path between the virtual router and the internal shared network;
step S302, performing network communication test based on the routing communication path to obtain a network test result;
step S303, if the network test result indicates that the routing communication path is correct, the virtual router and the internal shared network are connected in a network mode based on the routing communication path.
In steps S301 to S303 illustrated in the embodiments of the present application, after the static route is configured, a network connectivity test is performed on the network connection between the virtual router and the internal shared network. This verifies the connectivity, performance, security and reliability of the network, so that network problems can be found and resolved in time, network configuration and route selection can be optimized, and the performance and reliability of the network in cross-tenant communication are ensured.
In step S302 of some embodiments, the network connectivity test may use a ping command to test whether the network connection is normal, and in the ping command, a gateway address of the internal shared gateway may be specified to test network connectivity with the internal shared gateway; tracking the transmission path of the data packet in the network by using a traceroute command, and checking whether the data packet can reach the internal shared gateway; network communication tests may also be performed using netstat commands, route print commands, and the like, which are not limited in this embodiment.
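As an added illustration of the interface admission and static-route procedure of steps S201 to S204 and the path check of steps S301 to S303 (example code written for this page, not the patent's own implementation), the following Python model admits only interfaces that belong to the internal shared network, builds the static route from the gateway address carried in the interface information, and records the connection only when the path check and a connectivity probe both succeed. The network id, interface names, CIDRs and the `probe` callable that stands in for the ping test of step S302 are all constructed assumptions.

```python
"""Added example, not code from the patent: a model of steps S201-S204 (interface
identification, static route configuration) and S301-S303 (route path check,
connectivity test) for a tenant's virtual router. Network ids, interface names
and addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    """Interface information the router sees for a port (assumed fields)."""
    name: str
    network_id: str   # id of the network the port belongs to
    cidr: str         # subnet CIDR of the port
    gateway: str      # gateway address of that subnet (the internal shared gateway)


@dataclass
class VirtualRouter:
    shared_network_id: str
    attached: list = field(default_factory=list)
    static_routes: list = field(default_factory=list)


def identify_interface(router, iface):
    """S201: classify an interface offered to the router by the network it belongs to."""
    return "internal_shared" if iface.network_id == router.shared_network_id else "other"


def configure_static_route(iface):
    """S202-S203: build a static route entry towards the internal shared network
    from the interface information (gateway address of the internal shared gateway)."""
    net = ipaddress.ip_network(iface.cidr, strict=False)
    return {"destination": str(net), "next_hop": iface.gateway, "dev": iface.name}


def route_path_is_correct(route, iface):
    """S301: the routing communication path is correct only if the next hop is
    on-link for the interface that carries the route."""
    net = ipaddress.ip_network(route["destination"])
    return route["dev"] == iface.name and ipaddress.ip_address(route["next_hop"]) in net


def attach_interface(router, iface, probe):
    """S101 realised by S201-S204: admit only interfaces of the internal shared
    network, configure the static route, verify the path (S301-S303) and only
    then record the connection. `probe` stands in for the ping/traceroute test
    of S302 and returns True if the address answers."""
    if identify_interface(router, iface) != "internal_shared":
        return "rejected: interface does not belong to the internal shared network"
    route = configure_static_route(iface)
    if not route_path_is_correct(route, iface):
        return "rejected: routing communication path incorrect"
    if not probe(route["next_hop"]):
        return "rejected: internal shared gateway unreachable"
    router.static_routes.append(route)
    router.attached.append(iface.name)
    return "connected"


def run_demo():
    """Constructed scenario: one valid shared-network port, one external port,
    one shared-network port whose gateway lies outside its subnet, and one
    whose gateway does not answer the probe."""
    router = VirtualRouter(shared_network_id="net-internal-shared")
    reachable = {"10.200.0.1"}          # addresses that would answer a ping

    def probe(addr):
        return addr in reachable

    results = {
        "shared": attach_interface(router, Interface(
            "shared0", "net-internal-shared", "10.200.0.0/24", "10.200.0.1"), probe),
        "external": attach_interface(router, Interface(
            "ext0", "net-provider-ext", "203.0.113.0/24", "203.0.113.1"), probe),
        "bad_gw": attach_interface(router, Interface(
            "shared1", "net-internal-shared", "10.200.1.0/24", "10.200.0.1"), probe),
        "silent_gw": attach_interface(router, Interface(
            "shared2", "net-internal-shared", "10.200.2.0/24", "10.200.2.1"), probe),
    }
    results["routes"] = list(router.static_routes)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Only the first interface ends up in the router's static routing table; the external port is refused before any route is built, which is the allowlisting behaviour steps S201 and S202 describe.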
In step S102 of some embodiments, the target network segment address is the IP address range of the internal shared network, for example the range A.A.A.a to A.A.A.z, which contains the 26 IP addresses A.A.A.a through A.A.A.z. It should be noted that the range of the target network segment address can be freely expanded according to the requirements of the scenario and is not limited to this range.
In step S103 of some embodiments, rules are set for the iptables of the virtual router; specifically, address translation rules are set on the snat chain and the dnat chain, adding address translation rules between the virtual network card address of the target virtual machine and the target network segment address.
In one embodiment, the priority of the address translation rule is increased, so that when the virtual router receives any communication request, the virtual router can preferentially judge whether the communication request is transmitted through the internal shared network, thereby increasing the connection speed of the communication.
Referring to FIG. 4, in some embodiments, the initial address translation table includes address translation rules, and the target segment address includes at least one target subnet segment address; step S104 may include, but is not limited to, steps S401 to S402:
step S401, distributing a target subnet segment address to the virtual network card address based on an address conversion rule to obtain a mapping relation;
Step S402, storing the mapping relation in the initial address conversion table to obtain a target address conversion table.
In steps S401 to S402 illustrated in the embodiment of the present application, a mapping relation is obtained by allocating a target subnet segment address to the virtual network card address based on the address translation rule, and the mapping relation is stored in the initial address translation table to obtain the target address translation table. This achieves an effect similar to a floating IP, so that cross-tenant communication can be realized while the security of tenant data is guaranteed.
In one embodiment, the virtual network card address and the target network segment address are associated through the address translation rule. For example, the virtual network card address of virtual machine a of tenant A is a.b.c.a and is translated into the target subnet segment address A.A.A.a, and the virtual network card address of virtual machine b of tenant B is b.c.a.b and is translated into the target subnet segment address A.A.A.b; a.b.c.a-A.A.A.a and b.c.a.b-A.A.A.b are the mapping relations. The mapping relations are stored in the initial address translation table to obtain the target address translation table, so that when a request arriving from the internal shared network is received, the address translation can be carried out quickly according to the target address translation table, which improves processing efficiency.
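Steps S103 and S401 to S402 as working code, an added example that is not part of the patent or of OpenStack: the virtual network card addresses of a tenant's virtual machines are each assigned one address from the internal shared network's segment, and the resulting target address translation table is rendered as the iptables DNAT and SNAT rules a virtual router would load. The segment 10.200.0.0/27, the gateway 10.200.0.1, the port name qg-shared, the use of the builtin PREROUTING and POSTROUTING chains of the nat table and the VM addresses are assumptions. The patent does not say how allocations are coordinated between tenants; because all tenants draw from the same segment, each segment address must be unique across the internal shared network, which the example leaves to whoever drives the table.

```python
"""Target address translation table for a tenant virtual router.

Added example, not code from the patent or from OpenStack. It performs
steps S103 and S401-S402: each virtual network card address of a tenant
virtual machine is assigned one address of the internal shared network's
segment (the mapping relation), and the resulting target address
translation table is rendered as iptables DNAT/SNAT rules. The segment,
gateway, interface name and rule layout are assumptions.
"""
import ipaddress
from typing import Dict, List

# Assumed internal shared network segment (the patent's a.a.a.a - a.a.a.z range).
SHARED_SEGMENT = ipaddress.ip_network("10.200.0.0/27")
SHARED_GATEWAY = ipaddress.ip_address("10.200.0.1")   # assumed internal shared gateway
SHARED_IFACE = "qg-shared"                             # assumed router port on the shared network
RESERVED = {SHARED_GATEWAY}                            # never hand the gateway to a VM


class AddressTranslationTable:
    """Initial table is empty; allocate() adds one mapping relation per VM NIC address."""

    def __init__(self, segment: ipaddress.IPv4Network, reserved) -> None:
        # hosts() already excludes the network and broadcast addresses
        self._pool: List[ipaddress.IPv4Address] = [a for a in segment.hosts() if a not in reserved]
        self.vm_to_segment: Dict[str, str] = {}   # virtual NIC address -> target subnet segment address
        self.segment_to_vm: Dict[str, str] = {}   # reverse lookup used when a request arrives

    def allocate(self, vm_nic_addr: str) -> str:
        """Assign the next free segment address to a VM NIC address (idempotent)."""
        if vm_nic_addr in self.vm_to_segment:
            return self.vm_to_segment[vm_nic_addr]
        if not self._pool:
            raise RuntimeError("internal shared segment exhausted; expand the target network segment")
        segment_addr = str(self._pool.pop(0))
        self.vm_to_segment[vm_nic_addr] = segment_addr
        self.segment_to_vm[segment_addr] = vm_nic_addr
        return segment_addr

    def release(self, vm_nic_addr: str) -> None:
        """Return a VM's segment address to the pool (e.g. when the VM is deleted)."""
        segment_addr = self.vm_to_segment.pop(vm_nic_addr, None)
        if segment_addr is not None:
            del self.segment_to_vm[segment_addr]
            self._pool.append(ipaddress.ip_address(segment_addr))

    def iptables_rules(self) -> List[str]:
        """Render the table as 1:1 NAT rules for the router's nat table.

        -I (insert at the head) rather than -A gives the rules the raised priority the
        patent describes: iptables evaluates a chain in order, so traffic on the shared
        port is matched before the router's other NAT rules."""
        rules = []
        for nic, seg in self.vm_to_segment.items():
            # DNAT: a request from the shared network for the segment address (target access
            # address) is rewritten to the VM NIC address (target source address).
            rules.append(f"iptables -t nat -I PREROUTING -i {SHARED_IFACE} -d {seg} -j DNAT --to-destination {nic}")
            # SNAT: packets the VM sends out through the shared port carry the segment address.
            rules.append(f"iptables -t nat -I POSTROUTING -s {nic} -o {SHARED_IFACE} -j SNAT --to-source {seg}")
        return rules


if __name__ == "__main__":
    table = AddressTranslationTable(SHARED_SEGMENT, RESERVED)
    for nic in ("192.168.1.10", "192.168.1.11"):          # constructed tenant VM NIC addresses
        print(f"{nic} -> {table.allocate(nic)}")
    print("\n".join(table.iptables_rules()))
```

The commands are only rendered; applying them requires root inside the virtual router's network namespace and is outside the example. Inserting with -I rather than appending with -A is what gives the rules the raised priority described above, and the gateway address is excluded from the pool so that a mapping can never shadow the internal shared gateway.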
In step S105 of some embodiments, since the scheme of the present application is built on top of the existing tenant networks and the shared network, the access tenant that initiates the request may or may not be connected to the internal shared network; the received communication interaction request therefore needs to be verified and identified.
Referring to fig. 5, in some embodiments, step S106 may further include, but is not limited to, steps S501 to S502:
step S501, network identification is carried out on the communication interaction request, and a target network identification is obtained;
step S502, if the target network identifier characterizes the communication interaction request to be transmitted to the virtual router through the internal shared network, the source address analysis is performed on the communication interaction request based on the target address conversion table, and the target source address is obtained.
In steps S501 to S502 illustrated in the embodiment of the present application, network identification is performed on the communication interaction request to obtain the target network identifier; if the target network identifier characterizes the communication interaction request as having been transmitted to the virtual router through the internal shared network, source address resolution is performed on the communication interaction request based on the target address translation table to obtain the target source address. Requests arriving over the internal shared network can thus be processed in a targeted manner, and cross-tenant communication is realized.
In step S501 of some embodiments, information that identifies the transmission network, such as the gateway address or the network interface, may be obtained by parsing the transmission path of the communication interaction request.
In one embodiment, the target network identifier is the gateway address of the transmission network. If the gateway address is the gateway address of the internal shared gateway, the communication interaction request is characterized as having been transmitted to the virtual router through the internal shared network, which indicates that the access tenant is also connected to the internal shared network, so communication between the target tenant and the access tenant can be carried out through the internal shared network.
If the target network identifier characterizes the communication interaction request as having been transmitted to the virtual router through another network rather than the internal shared network, the access tenant is not on the internal shared network and cannot communicate with the target tenant.
In one embodiment, a virtual routing interface object is created on the virtual router; the interface that manages the internal shared network may be referred to as the internal shared network object. When the network identifier of a communication interaction request is parsed and the obtained target network identifier characterizes the request as having been transmitted to the virtual router through the internal shared network, the internal shared network object processes the communication interaction request.
Referring to fig. 6, in some embodiments, step S502 includes, but is not limited to, steps S601 to S602:
Step S601, carrying out access address analysis on the communication interaction request to obtain a target access address;
step S602, performing source address conversion on the target access address through the target address conversion table to obtain a target source address.
In steps S601 to S602 illustrated in the embodiment of the present application, the access address of the communication interaction request is resolved to obtain the target access address, and the target access address is then translated into the target source address through the target address translation table, so that the communication interaction request can be delivered to the corresponding target virtual machine according to the target source address; communication between the target virtual machine and the access virtual machine, and thus cross-tenant communication, is thereby realized.
In one embodiment, the communication interaction request is a data packet; information such as the communication addresses and identifiers is carried in the packet header, and as the request is transmitted, each router and gateway along the path parses the header to read the addresses and forward the packet to the correct target host.
It should be noted that virtual machines communicating across tenants do not know each other's virtual network card addresses and communicate only through target network segment addresses. After the virtual router receives a communication interaction request and parses out the target access address, it therefore needs to translate the target access address into the virtual network card address of the target virtual machine by means of the target address translation table, in order to determine to which virtual machine the communication interaction request is to be delivered.
In some embodiments, the communication-interaction request further includes a target communication address that characterizes a target segment address to which the requesting virtual machine is assigned. It should be noted that, the target access address and the target communication address are both target network segment addresses belonging to the internal shared network.
Referring to fig. 7, after step S107 in some embodiments, the method may include, but is not limited to, steps S701 to S703:
step S701, receiving a communication resource returned by the target virtual machine according to the communication interaction request;
step S702, carrying out communication address analysis on the communication interaction request to obtain a target communication address;
in step S703, the communication resource is transmitted to the access virtual machine based on the target communication address by the virtual router.
In steps S701 to S703 illustrated in the embodiment of the present application, when the virtual router receives the communication resource returned by the target virtual machine in response to the communication interaction request, it resolves the communication address of the communication interaction request to obtain the target communication address of the access virtual machine, that is, the target network segment address assigned to the access virtual machine, and sends the communication resource back to the access virtual machine according to that address, thereby implementing free cross-tenant communication.
In step S701 of some embodiments, the communication resource may be packaged into a data packet whose header carries information such as the communication addresses and identifiers; as the communication resource is transmitted, each router and gateway along the path parses the header to read the communication addresses and forward the communication resource to the correct target host.
In step S702 of some embodiments, in addition to the communication address resolution of the communication interaction request, the target communication address may also be obtained by resolving the communication resource.
In some embodiments, after the internal shared network is established, every tenant in the OpenStack environment that is to take part needs to be connected to the internal shared network and to perform network configuration; a specific network configuration process includes, but is not limited to, the following steps:
network identification is carried out on a network interface accessed to the virtual router, and a network interface identification result is obtained; if the network interface identification result represents that the network interface belongs to the internal shared network, acquiring interface information of the network interface;
performing static route configuration on the virtual router based on the interface information to obtain a static route table;
Determining a routing communication path based on the static routing table; the routing communication path is a communication path between the virtual router and the internal shared network;
performing network communication test based on the routing communication path to obtain a network test result; if the network test result indicates that the routing communication path is correct, the virtual router is connected with the internal shared network in a network mode based on the routing communication path;
acquiring a target network segment address of an internal shared network;
creating an initial address translation table on the virtual router;
distributing a target subnet segment address to the virtual network card address based on the address conversion rule to obtain a mapping relation;
storing the mapping relation in an initial address conversion table to obtain a target address conversion table;
and creating an internal shared network object on the virtual router, wherein the internal shared network object is used for carrying out network identification on the communication interaction request when the virtual router receives the communication interaction request from the access tenant to obtain a target network identification, and if the target network identification characterizes the communication interaction request to be transmitted to the virtual router through an internal shared network, the internal shared network object is used for processing the communication interaction request.
When all tenants complete network configuration and are connected to the internal shared network, free communication can be realized among different tenants through the internal shared network.
It should be noted that, in the embodiment of the present application, based on the existing virtual router of the target tenant, the target virtual machine and the virtual machine's network card, all tenants can be incorporated into the network by configuring the shared network themselves, so as to implement cross-tenant communication. The tenants can communicate across tenants without being connected to an external public network, users of the external network cannot directly access the tenants through a public network IP, and the internal shared network exists as a layer-2 internal network in the OpenStack environment, so the security during cross-tenant communication is improved. The internal shared network is, however, a common reachability domain for every tenant connected to it, so any filtering between tenants must still be applied by each tenant at its own virtual router or virtual machines.
In addition, the tenant does not need to additionally increase hardware/software equipment or rent the public network IP of the operator, and the implementation cost and the operation and maintenance difficulty are saved.
In one embodiment, communication between virtual machines of tenants connected to the internal shared network may include, but is not limited to, the following steps:
the tenant 1 receives a communication interaction request from the tenant 2 through a virtual router; the communication interaction request is initiated by the access virtual machine of the tenant 2;
network identification is carried out on the communication interaction request, and a target network identification is obtained;
if the target network identification characterizes the communication interaction request as being transmitted to the virtual router over the internal shared network,
Performing access address resolution on the communication interaction request to obtain a target access address;
performing source address conversion on the target access address through a target address conversion table to obtain a target source address, wherein the target source address is a virtual network card address of the tenant 1 virtual machine;
establishing a communication connection between the target virtual machine and the access virtual machine based on the target source address and the communication interaction request;
the virtual router of the tenant 1 receives communication resources returned by the target virtual machine according to the communication interaction request;
resolving a communication address of the communication interaction request to obtain a target communication address;
the communication resource is sent to the accessing virtual machine by the virtual router based on the target communication address.
After receiving the communication resource, the virtual router of tenant 2 likewise performs network identification, access address resolution, source address translation and so on on the communication resource, so as to deliver the communication resource to the correct access virtual machine.
Specifically, the path of communication between the target virtual machine of tenant 1 and the access virtual machine of tenant 2 can be understood as: the virtual network card address of the target virtual machine, the target source address, the gateway address of the internal shared gateway, the target access address and the virtual network card address of the access virtual machine.
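The request path of steps S501 to S602, the return path of steps S701 to S703 and the tenant 1 / tenant 2 walk-through above, modelled as an added example that is not part of the patent or of OpenStack: two tenant virtual routers each identify whether a packet arrived through the internal shared network (by ingress interface and forwarding gateway), translate the target access address into the target virtual machine's NIC address, and translate the source of outgoing packets into the VM's segment address; anything that did not arrive via the shared network, or that addresses a segment address without a table entry, is dropped. Interface names, the gateway address 10.200.0.1 and the addresses in the tables are assumptions.

```python
"""Cross-tenant request and reply handling on two tenant virtual routers.

Added example, not code from the patent or from OpenStack. It models the
request path of steps S501-S602, the return path of steps S701-S703 and the
tenant 1 / tenant 2 walk-through: each router checks whether a packet reached
it through the internal shared network, rewrites the target access address to
the target virtual machine's NIC address with its target address translation
table, and rewrites the source of packets leaving for the shared network to the
VM's segment address. Interface names, the gateway and all addresses are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

SHARED_IFACE = "qg-shared"        # assumed router port on the internal shared network
SHARED_GATEWAY = "10.200.0.1"     # assumed gateway address of the internal shared gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    via_iface: str               # interface on which the current hop received the packet
    via_gateway: Optional[str]   # gateway that forwarded it, None when it came from a local VM
    payload: str


class TenantRouter:
    """One tenant's virtual router with its target address translation table."""

    def __init__(self, name: str, vm_to_segment: Dict[str, str]) -> None:
        self.name = name
        self.vm_to_segment = dict(vm_to_segment)                       # NIC address -> segment address
        self.segment_to_vm = {s: n for n, s in vm_to_segment.items()}  # segment address -> NIC address
        self.log: List[str] = []

    def identify_network(self, pkt: Packet) -> str:
        """S501: derive the target network identifier from the transmission path."""
        if pkt.via_iface == SHARED_IFACE and pkt.via_gateway == SHARED_GATEWAY:
            return "internal_shared"
        return "other"

    def handle_inbound(self, pkt: Packet) -> Optional[Packet]:
        """S502, S601-S602: translate requests from the internal shared network, drop all others."""
        if self.identify_network(pkt) != "internal_shared":
            self.log.append(f"{self.name}: drop {pkt.src}->{pkt.dst}: not via internal shared network")
            return None
        target_vm = self.segment_to_vm.get(pkt.dst)   # target access address -> target source address
        if target_vm is None:
            self.log.append(f"{self.name}: drop {pkt.src}->{pkt.dst}: no entry in translation table")
            return None
        # Delivered on the tenant-internal port; the source stays the access VM's segment address,
        # which the target VM will use as the target communication address of its reply.
        return replace(pkt, dst=target_vm, via_iface=f"qr-{self.name}", via_gateway=None)

    def handle_outbound(self, pkt: Packet) -> Optional[Packet]:
        """S701-S703 (and the access tenant's own request): SNAT the VM NIC address to its
        segment address and hand the packet to the internal shared gateway."""
        segment_addr = self.vm_to_segment.get(pkt.src)
        if segment_addr is None:
            self.log.append(f"{self.name}: drop {pkt.src}->{pkt.dst}: VM has no segment address")
            return None
        return replace(pkt, src=segment_addr, via_iface=SHARED_IFACE, via_gateway=SHARED_GATEWAY)


def cross_tenant_exchange(access_router: TenantRouter, target_router: TenantRouter,
                          access_nic: str, target_segment_addr: str,
                          request: str, reply: str) -> List[Tuple[str, str]]:
    """Run one request/reply between an access VM and a target VM and return the
    (src, dst) pair observed at every hop, i.e. the communication path of the patent."""
    hops: List[Tuple[str, str]] = []
    pkt: Optional[Packet] = Packet(access_nic, target_segment_addr, f"qr-{access_router.name}", None, request)
    for step in (access_router.handle_outbound, target_router.handle_inbound):
        hops.append((pkt.src, pkt.dst))
        pkt = step(pkt)
        if pkt is None:
            return hops
    hops.append((pkt.src, pkt.dst))                  # request as delivered to the target VM
    # The target VM answers to the target communication address carried in the request source.
    pkt = Packet(pkt.dst, pkt.src, f"qr-{target_router.name}", None, reply)
    for step in (target_router.handle_outbound, access_router.handle_inbound):
        hops.append((pkt.src, pkt.dst))
        pkt = step(pkt)
        if pkt is None:
            return hops
    hops.append((pkt.src, pkt.dst))                  # reply as delivered to the access VM
    return hops


if __name__ == "__main__":
    tenant1 = TenantRouter("tenant1", {"192.168.1.10": "10.200.0.2"})   # constructed tables
    tenant2 = TenantRouter("tenant2", {"172.16.5.20": "10.200.0.3"})
    for src, dst in cross_tenant_exchange(tenant2, tenant1, "172.16.5.20", "10.200.0.2", "GET /", "200 OK"):
        print(f"{src} -> {dst}")
```

Running the module prints the six (source, destination) pairs of the path listed above: the NIC address of the access virtual machine, its segment address on the shared network, the NIC address of the target virtual machine, and the same three addresses in reverse for the reply. The identification in identify_network is only as strong as the router's knowledge of which port a packet arrived on; a packet that reaches the router on the shared port from the shared gateway is accepted regardless of which tenant sent it, so the check decides reachability, not which tenants are allowed to talk to each other.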
Referring to fig. 8, an embodiment of the present application further provides a tenant communication device, which may implement the tenant communication method, where the device includes:
a network connection module 801, configured to connect a virtual router of a target tenant with a pre-created internal shared network; the target tenant is provided with a target virtual machine, and the target virtual machine is provided with a virtual network card address;
a network segment address obtaining module 802, configured to obtain a target network segment address of an internal shared network;
a translation table creation module 803 for creating an initial address translation table on the virtual router;
the address mapping module 804 is configured to establish a mapping relationship between the virtual network card address and the target network segment address, and store the mapping relationship in the initial address translation table to obtain a target address translation table;
a request obtaining module 805, configured to receive, through a virtual router, a communication interaction request from an access tenant;
the request parsing module 806 is configured to perform a request parsing process on the communication interaction request based on the target address translation table, to obtain a target source address; the communication interaction request is initiated by an access virtual machine of an access tenant, and the target source address is a virtual network card address;
a communication connection module 807 for establishing a communication connection between the target virtual machine and the access virtual machine based on the target source address and the communication interaction request.
In some embodiments of the network connection module 801, the network connection module 801 further comprises:
the network identification unit is used for carrying out network identification on the network interface accessed to the virtual router to obtain a network interface identification result;
the interface information acquisition unit is used for acquiring the interface information of the network interface if the network interface identification result characterizes that the network interface belongs to the internal shared network;
the static route configuration unit is used for carrying out static route configuration on the virtual router based on the interface information to obtain a static route table;
and the network connection establishment unit is used for establishing network connection between the virtual router and the internal shared network based on the static routing table.
In the network connection establishment unit of some embodiments, the network connection establishment unit further includes:
a communication path determination subunit configured to determine a routing communication path based on the static routing table; the routing communication path is a communication path between the virtual router and the internal shared network;
the network communication testing subunit is used for carrying out network communication testing based on the routing communication path to obtain a network testing result;
and the network connection subunit is used for connecting the virtual router with the internal shared network based on the routing communication path if the network test result indicates that the routing communication path is correct.
In the address mapping module 804 of some embodiments, the address mapping module 804 further includes:
the address allocation unit is used for allocating a target subnet segment address to the virtual network card address based on the address conversion rule to obtain a mapping relation;
and the storage unit is used for storing the mapping relation in the initial address conversion table to obtain a target address conversion table.
In the request parsing module 806 of some embodiments, the request parsing module 806 further includes:
the network identification unit is used for carrying out network identification on the communication interaction request to obtain a target network identification;
and the source address analysis unit is used for carrying out source address analysis on the communication interaction request based on the target address conversion table to obtain a target source address if the target network identification characterizes the communication interaction request to be transmitted to the virtual router through the internal shared network.
In the source address resolution unit of some embodiments, the source address resolution unit further includes:
the access address analysis subunit is used for carrying out access address analysis on the communication interaction request to obtain a target access address;
and the source address conversion subunit is used for carrying out source address conversion on the target access address through the target address conversion table to obtain a target source address.
In some embodiments, the tenant communication device further comprises:
the resource receiving module is used for receiving communication resources returned by the target virtual machine according to the communication interaction request;
the communication address analysis module is used for carrying out communication address analysis on the communication interaction request to obtain a target communication address;
and the resource sending module is used for sending the communication resource to the access virtual machine based on the target communication address through the virtual router.
The specific implementation of the tenant communication device is basically the same as the specific embodiment of the tenant communication method described above, and will not be described herein.
The embodiment of the application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the tenant communication method when executing the computer program. The electronic equipment can be any intelligent terminal including a tablet personal computer, a vehicle-mounted computer and the like.
Referring to fig. 9, fig. 9 illustrates a hardware structure of an electronic device according to another embodiment, the electronic device includes:
the processor 901 may be implemented by a general purpose CPU (Central Processing Unit), a microprocessor, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc., for executing related programs to implement the technical solutions provided by the embodiments of the present application;
the memory 902 may be implemented in the form of read-only memory (Read Only Memory, ROM), static storage, dynamic storage, or random access memory (Random Access Memory, RAM). The memory 902 may store an operating system and other application programs; when the technical solution provided in the embodiments of the present disclosure is implemented by software or firmware, the relevant program code is stored in the memory 902 and invoked by the processor 901 to execute the tenant communication method of the embodiments of the present disclosure;
an input/output interface 903 for inputting and outputting information;
the communication interface 904 is configured to implement communication interaction between the device and other devices, and may implement communication in a wired manner (e.g. USB, network cable, etc.) or in a wireless manner (e.g. mobile network, Wi-Fi, Bluetooth, etc.);
a bus 905 that transfers information between the various components of the device (e.g., the processor 901, the memory 902, the input/output interface 903, and the communication interface 904);
wherein the processor 901, the memory 902, the input/output interface 903 and the communication interface 904 are communicatively coupled to each other within the device via a bus 905.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the tenant communication method when being executed by a processor.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The tenant communication method, device, electronic equipment and storage medium provided by the embodiment of the application connect a virtual router of a target tenant with a pre-established internal shared network; the target tenant is provided with a target virtual machine, and the target virtual machine is provided with a virtual network card address; acquiring a target network segment address of an internal shared network; creating an initial address translation table on the virtual router; establishing a mapping relation between a virtual network card address and a target network segment address, and storing the mapping relation in an initial address conversion table to obtain a target address conversion table; receiving a communication interaction request from an access tenant through a virtual router; performing request analysis processing on the communication interaction request based on the target address conversion table to obtain a target source address; the communication interaction request is initiated by an access virtual machine of an access tenant, and the target source address is a virtual network card address; a communication connection between the target virtual machine and the access virtual machine is established based on the target source address and the communication interaction request. The tenant can realize cross-tenant communication without connecting an external public network, so that the security in the cross-tenant communication is improved.
The embodiments described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application, and as those skilled in the art can know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
It will be appreciated by those skilled in the art that the technical solutions shown in the figures do not constitute limitations of the embodiments of the present application, and may include more or fewer steps than shown, or may combine certain steps, or different steps.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the present application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in this application, "at least one" means one or more, and "a plurality" means two or more. "and/or" for describing the association relationship of the association object, the representation may have three relationships, for example, "a and/or B" may represent: only a, only B and both a and B are present, wherein a, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including multiple instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing a program.
Preferred embodiments of the present application are described above with reference to the accompanying drawings, and thus do not limit the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims (10)

1. A tenant communication method, the method comprising:
connecting a virtual router of a target tenant with a pre-established internal shared network; the target tenant is provided with a target virtual machine, and the target virtual machine is provided with a virtual network card address;
acquiring a target network segment address of the internal shared network;
creating an initial address translation table on the virtual router;
establishing a mapping relation between the virtual network card address and the target network segment address, and storing the mapping relation in the initial address conversion table to obtain a target address conversion table;
receiving a communication interaction request from an access tenant through the virtual router;
performing request analysis processing on the communication interaction request based on the target address conversion table to obtain a target source address; the communication interaction request is initiated by the access virtual machine of the access tenant, and the target source address is the virtual network card address;
and establishing communication connection between the target virtual machine and the access virtual machine based on the target source address and the communication interaction request.
2. The method of claim 1, wherein the connecting the virtual router of the target tenant with the pre-established internal shared network comprises:
performing network identification on the network interface connected to the virtual router to obtain a network interface identification result;
if the network interface identification result indicates that the network interface belongs to the internal shared network, acquiring interface information of the network interface;
performing static route configuration on the virtual router based on the interface information to obtain a static routing table;
and establishing a network connection between the virtual router and the internal shared network based on the static routing table.
3. The method of claim 2, wherein the establishing a network connection between the virtual router and the internal shared network based on the static routing table comprises:
determining a routing communication path based on the static routing table; wherein the routing communication path is a communication path between the virtual router and the internal shared network;
performing a network communication test based on the routing communication path to obtain a network test result;
and if the network test result indicates that the routing communication path is correct, establishing the network connection between the virtual router and the internal shared network based on the routing communication path.
4. The method of claim 1, wherein the performing request parsing on the communication interaction request based on the target address translation table to obtain a target source address comprises:
performing network identification on the communication interaction request to obtain a target network identifier;
and if the target network identifier indicates that the communication interaction request was transmitted to the virtual router through the internal shared network, performing source address resolution on the communication interaction request based on the target address translation table to obtain the target source address.
5. The method of claim 4, wherein the performing source address resolution on the communication interaction request based on the target address translation table to obtain the target source address comprises:
performing access address resolution on the communication interaction request to obtain a target access address;
and performing source address translation on the target access address through the target address translation table to obtain the target source address.
6. The method of claim 1, wherein after the establishing a communication connection between the target virtual machine and the access virtual machine based on the target source address and the communication interaction request, the method further comprises:
receiving a communication resource returned by the target virtual machine according to the communication interaction request;
performing communication address resolution on the communication interaction request to obtain a target communication address;
and sending the communication resource to the access virtual machine through the virtual router based on the target communication address.
7. The method of any one of claims 1 to 6, wherein the initial address translation table includes an address translation rule and the target network segment address includes at least one target subnet segment address; and the establishing a mapping relation between the virtual network card address and the target network segment address, and storing the mapping relation in the initial address translation table to obtain a target address translation table, comprises:
allocating the target subnet segment address to the virtual network card address based on the address translation rule to obtain the mapping relation;
and storing the mapping relation in the initial address translation table to obtain the target address translation table.
8. A tenant communication device, the device comprising:
a network connection module, configured to connect a virtual router of a target tenant with a pre-established internal shared network; wherein the target tenant is provided with a target virtual machine, and the target virtual machine is provided with a virtual network card address;
a network segment address acquisition module, configured to acquire a target network segment address of the internal shared network;
a translation table creation module, configured to create an initial address translation table on the virtual router;
an address mapping module, configured to establish a mapping relation between the virtual network card address and the target network segment address, and store the mapping relation in the initial address translation table to obtain a target address translation table;
a request acquisition module, configured to receive a communication interaction request from an access tenant through the virtual router;
a request parsing module, configured to perform request parsing on the communication interaction request based on the target address translation table to obtain a target source address; wherein the communication interaction request is initiated by an access virtual machine of the access tenant, and the target source address is the virtual network card address;
and a communication connection module, configured to establish a communication connection between the target virtual machine and the access virtual machine based on the target source address and the communication interaction request.
9. An electronic device comprising a memory storing a computer program and a processor that when executing the computer program implements the tenant communication method of any one of claims 1 to 7.
10. A computer readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the tenant communication method of any one of claims 1 to 7.
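A minimal model of the translation table and request parsing of claims 1, 4, 5, 6 and 7, added here as an illustrative example; it is not code from the patent. The allocation rule (next free host of the shared segment), the "shared"/"external" ingress labels, and all addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Request:
    ingress: str   # assumed label: "shared" = arrived via the internal shared network
    src: str       # address of the access tenant's VM (reply address, claim 6)
    dst: str       # shared-segment address the access VM addressed (target access address)


class VirtualRouter:
    """Target tenant's virtual router holding the target address translation table."""

    def __init__(self, shared_segment: str):
        self.segment = ipaddress.ip_network(shared_segment)
        self._free = self.segment.hosts()          # assumed rule: hand out next free host
        self.table: Dict[str, str] = {}            # shared-segment addr -> virtual NIC addr

    def map_nic(self, nic_addr: str) -> str:
        """Claim 7: allocate a subnet segment address to a virtual NIC and store the mapping."""
        for shared, nic in self.table.items():
            if nic == nic_addr:
                return shared                      # one entry per NIC, repeat calls are idempotent
        shared = str(next(self._free))
        self.table[shared] = nic_addr
        return shared

    def resolve_source(self, req: Request) -> Optional[str]:
        """Claims 4-5: only requests that came via the shared network are translated."""
        if req.ingress != "shared":
            return None                            # any other ingress (e.g. public) is not parsed
        if ipaddress.ip_address(req.dst) not in self.segment:
            return None                            # accessed address is not on the shared segment
        return self.table.get(req.dst)             # None when no mapping exists for that address

    def forward(self, req: Request, vms: Dict[str, str]) -> Optional[Tuple[str, str]]:
        """Claim 6: fetch the resource from the target VM, return (reply address, resource)."""
        target = self.resolve_source(req)
        if target is None or target not in vms:
            return None
        return req.src, vms[target]


# Constructed sample: the target tenant's VM 10.0.1.5 is published on shared segment 172.16.0.0/24
router = VirtualRouter("172.16.0.0/24")
shared_addr = router.map_nic("10.0.1.5")          # first free host: 172.16.0.1
TARGET_VMS = {"10.0.1.5": "resource from target tenant"}   # NIC addr -> resource it serves
```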

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311725470.XA CN117792995A (en) 2023-12-14 2023-12-14 Tenant communication method, tenant communication device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117792995A true CN117792995A (en) 2024-03-29

Family

ID=90388243

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311725470.XA Pending CN117792995A (en) 2023-12-14 2023-12-14 Tenant communication method, tenant communication device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117792995A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination