JP2019169862A - Virtual router and relay program - Google Patents

Abstract

To provide a technique that can respond quickly to updates of an IP address and a domain for public cloud services.SOLUTION: A virtual router 100 includes a response analysis unit 110 and a proxy function unit 120. The proxy function unit 120 receives transmission data transmitted from a base router 200 via the Internet, and relays the transmission data to a service server 160A. The response analysis unit 110, when receiving redirect information from the service server 160A as a response to the transmission data, extracts a domain from the redirect information. The response analysis unit 110 obtains public information 171 published in which the domain and an IP address are in association with each other, from a web server 170. The response analysis unit 110 transmits the transmission information including the extracted domain and the acquired public information 171 to a base router control device 300.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a virtual router and a relay program.

  Due to the spread of public cloud services, communication traffic from the center to the Internet is increasing. In a conventional corporate network, data is temporarily transmitted from each company base to the center base, and the base data is transmitted from the center base to the public cloud service via the Internet. The data transmitted from each base to the center base is increasing, and there is a problem that the load is concentrated on the equipment at the center base and the communication quality is deteriorated.

  In response to this problem, the SD-WAN technology solves the problem by a method of directing communication for public clouds from each base to the Internet. In this method, the network administrator registers the destination IP address of the public cloud in the SD-WAN controller, and the SD-WAN dedicated device performs path control based on the information, thereby solving the above problem ( For example, Non-Patent Document 1).

  However, in the public cloud service, the IP address and domain are changed irregularly, so the network administrator periodically checks whether the IP address and domain are updated, and if there is an update, manually changes the settings. ing. Therefore, there is a problem that the SD-WAN technology cannot quickly cope with the update of the IP address and domain of the public cloud service.

NTT PC Communications, "What is SD-WAN", [online], [March 19, 2018 search], Internet <URL: https: // cloudwan. nttpc. co. jp / outline />

  An object of this invention is to provide the technique which can respond rapidly with respect to the update of the IP address and domain of a public cloud service.

The virtual router of the present invention is
A proxy function unit that receives transmission data transmitted from the base router via the Internet and relays the transmission data to a service server;
When the proxy function unit receives redirect information from the service server as a response to the transmission data, a domain indicating a redirect destination included in the redirect information is extracted from the redirect information as response data extraction information, The public information is acquired from a public information server having public information that is publicly associated with the IP address, and the transmission information including the extracted response data extraction information and the acquired public information, A response analysis unit that transmits to a control device that controls the base router.

  ADVANTAGE OF THE INVENTION According to this invention, the technique which can respond rapidly with respect to the update of the IP address and domain of a public cloud service can be provided.

FIG. 3 is a diagram of the system configuration of the update detection system 1000 in the first embodiment. FIG. 3 is a diagram of the first embodiment, showing an overview of the configuration of each device in the update detection system 1000. The figure of Embodiment 1 is a figure which shows the hardware constitutions of service server 160A-1. FIG. 6 is a flowchart of the operation of the response analysis unit 110 in the first embodiment. FIG. 6 is a flowchart of the operation of the response analysis unit 110 in the first embodiment. The figure of Embodiment 1 is a figure which shows flag information 110A. The figure of Embodiment 1 is a figure which shows the condition where various flags are set. FIG. 3 is a diagram illustrating the public IP address / public domain information 171 in the first embodiment. FIG. 10 is a flowchart of the operation of the cloud destination calculation unit 310 in the diagram of the first embodiment. The figure of Embodiment 1 is a figure which shows the domain table of cloud destination management DB330. The figure of Embodiment 1 is a figure which shows the IP address table of cloud destination management DB330. The figure of Embodiment 1 is a figure which shows the update date table of cloud destination management DB330. FIG. 4 is a flowchart of the operation of the configuration creation unit 320 in the first embodiment. 5 is a diagram of the operation of the cloud communication control unit 211 in the first embodiment. FIG.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In addition, the same code | symbol is attached | subjected to the part which is the same or it corresponds in each figure. In the description of the embodiments, the description of the same or corresponding parts will be omitted or simplified as appropriate.

Embodiment 1 FIG.
Hereinafter, the update detection system 1000 according to the first embodiment will be described with reference to FIGS. The update detection system 1000 detects the change when the domain or IP address of the public cloud 160 is changed. In the update detection system 1000, the virtual router 100 constructed in the IaaS environment 150 of the public cloud 160, the base router controller 300 installed in the center base 30, and the control module 210 installed in the expansion slot of each base router 200. Work together.

  FIG. 1 is a system configuration diagram of the update detection system 1000. The update detection system 1000 includes a cloud provider data center 10, each base 20, and a center base 30.

The cloud operator data center 10 includes a public cloud 160, a web server 170, and a data center gateway 180. The public cloud 160 includes an IaaS environment service server 160A-1 and a SaaS environment service server 160A-2.
The service server 160A-1 in the IaaS environment is a server on which the virtual router 100 operates.
The service server 160A-2 in the SaaS environment is a server that provides a service in response to the transmission data 230 relayed from the virtual router 100.
The service server 160A-1 has a virtual router 100 described later. The virtual router 100 is a virtual router realized by a program. Although details will be described later, the virtual router 100 receives the transmission data 230 transmitted from the base router 200 via the Internet 410 and relays the transmission data 230 to the service server 160A-2 in the SaaS environment.
FIG. 1 shows a state in which the virtual router 100 relays the transmission data 230 to the leftmost service server 160A-2 among the three service servers 160A-2.
The service server 160A-2 that has received the transmission data 230 returns a response to the transmission data 230 as a response packet 161 to the virtual router 100 operating on the service server 160A-1. There may be no response from the service server 160A-2 to the virtual router 100. The response mode of the service server 160A-2 to the virtual router 100 is as follows, as shown in FIGS.
(1) In the case of domain communication, the response mode of the service server 160A-2 is any one of redirect, response other than redirect, or no response.
(2) In the case of IP address communication, the response mode of the service server 160A-2 is either a response or no response.
The web server 170 stores public IP address / public domain information 171 to be described later. Public IP address / public domain information 171 may be referred to as public information 171. The web server 170 is a public information server. The service servers 160A-1 and 160A-2 and the web server 170 are connected to the Internet 410 and the closed network 420 via the data center gateway 180.

  Each base 20 has a base A and a base B. In FIG. 1, the two locations A and B are illustrated. There are multiple bases and any number is possible. The site A has a site router 200 and a personal computer terminal 220. The base router 200 has a control module 210 incorporated therein. The base router 200 is connected to the Internet 410 and the closed network 420. The configuration of the base B is the same as the base A. Note that a DNS server 430 is connected to the Internet 410. The DNS server 430 is also a public information server described later.

  The center base 30 has a base router control device 300. The base router control device 300 controls the base router 200 of each base 20. The base router control device 300 is connected to the Internet 410 and the closed network 420 via the center base gateway 31.

  FIG. 2 shows an outline of the device configuration in the update detection system 1000. The service server 160A-1 has a virtual router 100. The virtual router 100 includes a response analysis unit 110 and a proxy function unit 120. The web server 170 stores public IP address / public domain information 171. The public IP address / public domain information 171 is referred to by the response analysis unit 110.

  The base router 200 includes a control module 210. The control module 210 has a cloud communication control unit 211. The cloud communication control unit 211 is connected to the personal computer terminal 220. In FIG. 2, the personal computer terminal 220 is represented as a PC terminal 220.

  The base router control apparatus 300 includes a cloud destination calculation unit 310, a configuration creation unit 320, a cloud destination management DB 330, a router configuration management DB 340, and a router control function unit 350. In the cloud destination management DB 330 and the router configuration management DB 340, the database is expressed as DB.

*** Explanation of configuration ***
FIG. 3 shows a hardware configuration of the service server 160A-1. Service server 160A-1 is a computer. The virtual router 100 is a virtual router realized by the service server 160A-1 executing a program.

  The service server 160A-1 includes a processor 510 and other hardware such as a main storage device 520, an auxiliary storage device 530, and a communication interface device 540. The processor 510 is connected to other hardware via the signal line 501 and controls these other hardware.

  The service server 160A-1 includes a response analysis unit 110 and a proxy function unit 120 as functional elements of the virtual router 100. The functions of the response analysis unit 110 and the proxy function unit 120 are realized by a relay program.

  The processor 510 is a device that executes a relay program. The relay program is a program that realizes the functions of the response analysis unit 110 and the proxy function unit 120. The processor 510 is an IC (Integrated Circuit) that performs arithmetic processing. Specific examples of the processor 510 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit). The processor 510 is sometimes referred to as a processing circuit.

  The main storage device 520 is a storage device that temporarily stores data. Specific examples of the main storage device 520 are SRAM (Static Random Access Memory) and DRAM (Dynamic Random Access Memory). The main storage device 520 holds the calculation result of the processor 510.

  The auxiliary storage device 530 is a storage device that stores data in a nonvolatile manner. The auxiliary storage device 530 stores a relay program. A specific example of the auxiliary storage device 530 is an HDD (Hard Disk Drive). The auxiliary storage device 530 is a portable recording medium such as an SD (registered trademark) (Secure Digital) memory card, a NAND flash, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disk, or a DVD (Digital Versatile Disk). There may be.

  The communication interface device 540 is a device for communicating between the processor 510 and an external device.

  The relay program is read by the processor 510 and executed by the processor 510.

  The service server 160A-1 may include a plurality of processors that replace the processor 510. The plurality of processors share the execution of the relay program.

  The relay program is a program that causes a computer to execute each process, each procedure, or each process in which “part” of the response analysis unit 110 and the proxy function unit 120 is read as “process”, “procedure”, or “process”. The relay method is a method performed by the service server 160A-1 being a computer executing a relay program. The relay program may be provided by being stored in a computer-readable recording medium or may be provided as a program product.

The operation of the response analysis unit 110 of the virtual router 100 will be described with reference to FIGS. 4, 5, 6, 7, and 8.
4 and 5 are flowcharts of the operation of the response analysis unit 110. FIG.
FIG. 6 shows the flag information 110A.
FIG. 7 shows a situation where various flags are set.
FIG. 8 shows the public IP address / public domain information 171.

  In the virtual router 100, the proxy function unit 120 relays communication for the public cloud 160 sent from each site 20, thereby relaying communication to various services in the public cloud. The response analysis unit 110 of the virtual router 100 analyzes the response result 162 from the public cloud 160. The response analysis unit 110 detects whether the public cloud IP address or domain is updated.

  Below, the process of the response analysis part 110 is demonstrated. The processing of the response analysis unit 110 is different depending on whether the communication to the public cloud 160 is domain communication such as HTTP or HTTPS and communication other than domain communication. Communication other than domain communication is called IP address communication. In the case of domain communication, the response result when the public cloud domain is updated is “redirect” or “no response”.

  In step S <b> 11, the response analysis unit 110 acquires the response result 162 indicated by the response packet 161 from the public cloud 160 from the proxy function unit 120 and confirms the response result 162.

  As a premise of step S11, the proxy function unit 120 receives the transmission data 230 transmitted from the base router 200 via the Internet 410, and relays the transmission data 230 to the service server 160A-2 in the SaaS environment. To do. In addition, the proxy function unit 120 transmits the data received from the service server 160A-2 to the base router 200 via the Internet 410. As a result of confirmation by the response analysis unit 110, if the response result 162 is domain communication, the process proceeds to step S20. If the response result 162 is IP address communication, the process proceeds to step S26 in FIG.

  A case where the process proceeds to step S20 will be described. If the response result 162 indicates domain communication, the process proceeds to step S20.

  In step S20, the response analysis unit 110 confirms whether the response result 162 is redirected. In the case of redirection, the process proceeds to step S21. In this case, it is assumed that the response result 162 is a redirect.

In step S <b> 21, the response analysis unit 110 sets the communication flag 111 to 1 and the detection flag 112 to 1. As shown in FIG. 6, the flag information 110A includes a communication flag 111, a detection flag 112, a domain addition flag 113, a domain update flag 114, and an IP address update flag 115. The response analysis unit 110 sets the flag information 110A. The domain addition flag 113 is response data content information. Both the domain update flag 114 and the IP address update flag 115 are transmission data content information.
FIG. 7 corresponds to the flowcharts of FIGS. 4 and 5. The communication flag 111 is set to 1 for domain communication, and set to 0 for IP address communication other than domain communication. The detection flag 112 is set to 1 for redirection and 0 for no response. The domain addition flag 113 to the IP address update flag 115 will be described later in steps S25, S19, and S31, respectively.

In step S22, the response analysis unit 110 extracts the redirect destination URL domain 163 from the response packet 161. The URL domain 163 is response data extraction information. Note that the response data extraction information and transmission data extraction information to be described later are described as extraction information in FIGS. 6 and 7.
As described above, when the proxy function unit 120 receives the redirect information 161A from the service server 160A-2 as a response to the transmission data 230, the response analysis unit 110 indicates the URL domain 163 indicating the redirect destination included in the redirect information 161A. Are extracted from the redirect information 161A as response data extraction information.

In step S <b> 23, the response analysis unit 110 acquires the latest “public IP address / public domain information 171” from the web server 170. The public IP address / public domain information 171 may be referred to as public information 171.
FIG. 8 shows the public IP address / public domain information 171. As shown in FIG. 8, “public IP address / public domain information 171” is information published in association with service names, domains, IP addresses, and netmasks. The response analysis unit 110 acquires the latest public IP address / public domain information 171 from the web server 170.
As described above, the response analysis unit 110 acquires the public information 171 from the web server 170 that is the public information server having the public information 171 that is disclosed in association with the domain and the IP address.

  In step S24, the response analysis unit 110 determines whether the public IP address / public domain information 171 includes the URL domain 163 extracted in step S22. As described above, the response analysis unit 110 determines whether the domain that is the response data extraction information is included in the acquired public information 171.

  If the URL domain 163 is included in the public IP address / public domain information 171, the process proceeds to step S 18.

In step S18, the response analysis unit 110
(1) Flag information 110A;
(2) Latest public IP address / public domain information 171,
(3) URL domain 163
Is sent to the base router control device 300.
The response analysis unit 110 transmits transmission information including the URL domain 163 that is the extracted response data extraction information and the acquired public information 171 to the base router control device 300 that controls the base router 200.

  If the URL domain 163 is not included in the public IP address / public domain information 171 in step S24, the response analysis unit 110 sets the domain addition flag 113 to 1, and the process proceeds to step S18.

  The process will explain step S13. In step S13, the response analysis unit 110 determines whether the response result 162 has no response. If there is no response, the process ends. In this case, it is a normal response that is neither a redirect nor a response. If the response result 162 is no response, the process proceeds to step S14.

  Since there is no response in step S14, the response analysis unit 110 sets the communication flag 111 to 1 (domain) and the detection flag 112 to 0 (no response) in the flag information 110A.

In step S15, the response analysis unit 110 extracts the domain 202 of the connection destination cloud from the “no response packet 201”. “No response packet” is a packet addressed to the public cloud 160 received by the proxy function unit 120 from the base router 200. The “connected cloud domain 202” is a domain included in the no-response packet 201.
As described above, when there is no response from the service server 160A-2 to the transmission data 230, the response analysis unit 110 extracts the transmission data 230 from either the domain that is the destination of the transmission data 230 or the IP address. Extract as information. In this case, the response analysis unit 110 extracts the domain 202 as transmission data extraction information.

  In step S16, the response analysis unit 110 acquires the latest public IP address / public domain information 171. The process of step S16 is the same as step S23.

  Step S17 is the same process as step S24. In step S17, the response analysis unit 110 determines whether the public IP address / public domain information 171 includes the IP address 203 extracted in step S15.

  If the public IP address / public domain information 171 includes the domain 202, the process proceeds to step S18.

  Since the process of step S18 has been described, a description thereof will be omitted.

  If the domain 202 is not included in the public IP address / public domain information 171 in step S17, the response analysis unit 110 sets the domain addition flag 113 to 1, and the process proceeds to step S18.

  With reference to FIG. 5, the case where the response result 162 is IP address communication will be described.

  In step S26, the response analysis unit 110 determines whether or not the response result 162 has no response. If there is no response, the process ends. In this case, it is a normal response by IP address communication. If the response result 162 is no response, the process proceeds to step S27.

  In step S27, the response analysis unit 110 sets the communication flag 111 to 0 (IP address) and the detection flag 112 to 0 (no response).

  In step S28, the response analysis unit 110 extracts the IP address 203 of the connection destination cloud from the no-response packet 201 by IP address communication. As described above, when there is no response from the service server 160A-2 to the transmission data 230, the response analysis unit 110 extracts the transmission data 230 from either the domain that is the destination of the transmission data 230 or the IP address. Extract as information. In this case, the response analysis unit 110 extracts the IP address 203 as transmission data extraction information.

  In step S <b> 29, the response analysis unit 110 acquires the latest public IP address / public domain information 171 from the web server 170.

  In step S30, the response analysis unit 110 determines whether the public IP address / public domain information 171 includes the IP address 203 extracted in step S28. If the IP address 203 is included, the process ends. If the IP address 203 is not included, the process proceeds to step S30.

  In step S31, the response analyzer 110 sets the IP address update flag 115 to 1.

In step S32, the response analysis unit 110
(1) Flag information 110A,
(2) Public IP address / public domain information 171,
(3) IP address 203,
The base router control device 300,
Send to.

  FIG. 9 is a flowchart showing the operation of the cloud destination calculation unit 310. The operation of the cloud destination calculation unit 310 will be described with reference to FIG.

In step S41, the cloud destination calculation unit 310 receives various types of information from the virtual router 100 as follows. In the case of going through step S24, the cloud destination calculation unit 310
(1) Flag information 110A,
(2) Public IP address / public domain information 171,
(3) URL domain 163,
Receive.

In the case of going through step S17, the cloud destination calculation unit 310
(1) Flag information 110A,
(2) Public IP address / public domain information 171,
(3) URL domain 202,
Receive.

In the case of going through step S30, the cloud destination calculation unit 310
(1) Flag information 110A,
(2) Public IP address / public domain information 171,
(3) IP address 203,
Receive.

  In step S42, the cloud destination calculation unit 310 determines whether the communication flag 111 is 1 (domain communication) or 0 (IP address communication). If the communication flag 111 is 1 (domain communication), the process proceeds to step S44. If the communication flag 111 is 0 (IP address communication), the process proceeds to step S54.

  In step S43, the cloud destination calculation unit 310 determines whether the detection flag 112 is 1 (redirect) or 0 (no response). If the detection flag 112 is 1, the process proceeds to step S44. If the detection flag 112 is 0, the process proceeds to step S50.

In step S <b> 44, the cloud destination calculation unit 310 determines whether there is a difference between the contents of the public IP address / public domain information 171 and the cloud destination management DB 330. If there is a difference, the process proceeds to step S45, and if there is no difference, the process proceeds to step S47. 10 to 12 show information stored in the cloud destination management DB 330.
FIG. 10 is a domain table. In the domain table, service names and domains are associated with each other.
FIG. 11 is an IP address table. In the IP address table, an IP address, a service name, and a netmask are associated with each other.
FIG. 12 is an update date table. In the update date table, the registration date and update date of the domain or IP address for the service name are registered.

  In step S45, URL domains to be added and deleted are created as an addition list 311 and a deletion list 312. Assume that the public IP address / public domain information 171 includes A, B, and D as URL domains, and the cloud destination management DB 330 includes A, B, and C as URL domains. In this case, C of the URL domain is described in the deletion list 312, and D of the URL domain is described in the addition list 311.

  In step S <b> 46, the cloud destination calculation unit 310 updates the cloud destination management DB 330 based on the addition list 311 and the deletion list 312. In the above example, the cloud destination calculation unit 310 deletes the URL domain C and adds the URL domain D to the cloud destination management DB 330.

  In step S47, the cloud destination calculation unit 310 determines whether the domain addition flag 113 is 1. If the domain addition flag 113 is 1, the process proceeds to step S48. If the domain addition flag 113 is not 1, the process proceeds to step S49.

  In step S <b> 48, the cloud destination calculation unit 310 adds the URL domain 163 that is an acquisition domain corresponding to the domain addition flag 113 to the addition list 311 and adds it to the cloud destination management DB 330.

  In step S49, the cloud destination calculation unit 310 sends the addition list 311 and the deletion list 312 to the configuration creation unit 320, and the process ends.

  Next, the transition to step S50 will be described.

  In step S50, the cloud destination calculation unit 310 determines whether the domain update flag 114 is 1. If the domain update flag 114 is 1, the process proceeds to step S51. If the domain update flag 114 is not 1, the process proceeds to step S49.

  In step S51, the cloud destination calculation unit 310 determines whether there is a difference between the contents of the public IP address / public domain information 171 and the cloud destination management DB 330. If there is a difference, the process proceeds to step S52. If there is no difference, the process proceeds to step S49.

  In step S52, the cloud destination calculation unit 310 creates a list of URL domains to be added and deleted as an addition list 311 and a deletion list 312 as in step S45.

  In step S <b> 53, the cloud destination calculation unit 310 updates the cloud destination management DB 330 based on the addition list 311 and the deletion list 312.

In step S54, the cloud destination calculation unit 310 determines whether the IP address update flag 115 is 1. If the IP address update flag 115 is 1, the process proceeds to step S51. In step S52, the cloud destination calculation unit 310 adds the IP addresses to be added and deleted to the addition list 311 and the deletion list 312 as in step S54. Create as.
If the IP address update flag 115 is not 1, the process ends.

  FIG. 13 is a flowchart showing the operation of the configuration creation unit 320. In step S <b> 61, the configuration creation unit 320 acquires the addition list 311 and the deletion list 312 from the cloud destination calculation unit 310.

  In step S62, the configuration creation unit 320 acquires the routing information of each router from the router configuration management DB 340.

  In step S <b> 63, the configuration creation unit 320 determines whether there is an IP address that does not exist in the routing information of the router in the addition list 311. If there is an IP address, the process proceeds to step S64. If there is no IP address, the process proceeds to step S66.

  In step S <b> 64, the configuration creation unit 320 extracts a necessary IP address from the addition list 311.

  In step S65, the configuration creation unit 320 creates a routing addition configuration.

  In step S <b> 66, the configuration creation unit 320 determines whether there is an IP address present in the router routing information in the deletion list 312. If there is an IP address, the process proceeds to step S67. If there is no IP address, the process proceeds to step S69.

  In step S <b> 67, the configuration creation unit 320 extracts a necessary IP address from the deletion list 312.

  In step S68, the configuration creation unit 320 creates a routing deletion configuration.

  In step S <b> 69, the configuration creation unit 320 sends the routing addition or routing deletion configuration to the router control function unit 350.

  FIG. 14 is a flowchart showing the operation of the cloud communication control unit 211. The operation of the cloud communication control unit 211 will be described with reference to FIG.

  In step S71, the cloud communication control unit 211 monitors communication from the base.

  In step S <b> 72, the cloud communication control unit 211 determines detection of a packet addressed to the proxy server at the center base 30. If a packet is detected, the process proceeds to step S73. If it cannot be detected, the process ends.

  In step S73, the cloud communication control unit 211 confirms the connection destination URL of the detected packet.

  In step S <b> 74, the cloud communication control unit 211 determines whether the domain of the connection destination URL matches the destination information of the public cloud 160. If they match, the process proceeds to step S75. If they do not match, the process ends.

  In step S75, the cloud communication control unit 211 rewrites the destination IP address of the detected packet and transfers it to the virtual router 100.

  Regarding the processing of the cloud communication control unit 211 included in the control module 210 described above, in a corporate network, it is common to use a proxy for communication for the Internet. In this case, the destination of a communication packet that passes through a base router is This is the IP address of the proxy server. Therefore, in order to change the communication route, it is necessary to replace the destination IP address of the communication packet. Further, when proxying HTTPS communication that is frequently used in public clouds, information on the connection destination URL is sent to the proxy server by the CONNECT method of HTTP communication. Therefore, the destination domain can be confirmed by referring to the connection destination URL included in the packet of the CONNECT method.

*** Effects of Embodiment 1 ***
In the first embodiment described above, the control of the base router at each base is dynamically performed based on the updated contents of the connection destination domain or IP address detected by the virtual router. Therefore, even when there is an irregular update of the IP address and domain of the public cloud service, the system according to the first embodiment can quickly respond.
In addition, it is possible to perform network control that can promptly respond to irregular updates of the IP address or domain of the connection destination of the public cloud, triggered by communication from the base to the public cloud.

  1000 update detection system, 10 cloud operator data center, 100 virtual router, 110 response analysis unit, 110A flag information, 111 communication flag, 112 detection flag, 113 domain addition flag, 114 domain update flag, 115 IP address update flag, 120 Proxy function unit, 130 transmission information, 150 IaaS environment, 160 public cloud, 160A-1, 160A-2 service server, 161 response packet, 161A redirect information, 162 response result, 163 URL domain, 170 web server, 171 public IP address / Public domain information, 180 data center gateway, 20 each base, 200 base router, 201 no response packet, 202 domain, 203 IP address 230 transmission data, 210 control module, 211 cloud communication control unit, 220 personal computer terminal, 30 center base, 31 center base gateway, 300 base router control device, 311 additional list, 312 deletion list, 310 cloud destination calculation unit, 320 config Creation unit, 330 Cloud destination management DB, 340 Router configuration management DB, 350 Router control function unit, 410 Internet, 420 Closed network, 430 DNS server, 510 processor, 501 Signal line, 520 Main storage device, 530 Auxiliary storage device, 540 Communication interface device.

Claims (8)

A proxy function unit that receives transmission data transmitted from the base router via the Internet and relays the transmission data to a service server;
When the proxy function unit receives redirect information from the service server as a response to the transmission data, a domain indicating a redirect destination included in the redirect information is extracted from the redirect information as response data extraction information, The public information is acquired from a public information server having public information that is publicly associated with the IP address, and the transmission information including the extracted response data extraction information and the acquired public information, A virtual router comprising: a response analysis unit that transmits to a control device that controls the base router. The response analysis unit
When there is no response from the service server to the transmission data, the transmission data destination domain or IP address is extracted from the transmission data as transmission data extraction information, the transmission data extraction information, The virtual router according to claim 1, wherein the transmission information including the public information is transmitted to the control device. The response analysis unit
It is determined whether the domain that is the response data extraction information is included in the acquired public information, generates response data content information indicating a determination result, and transmits the response data content information included in the transmission information The virtual router according to claim 1. The response analysis unit
The virtual according to claim 2, wherein it is determined whether the transmission data extraction information is included in the public information, transmission data content information indicating a determination result is generated, and the transmission data content information is included in the transmission information and transmitted. Router. On the computer,
Processing for receiving transmission data transmitted from the base router via the Internet and relaying the transmission data to a service server;
Processing for receiving redirect information transmitted by the service server as a response to the transmission data;
A domain indicating a redirect destination included in the redirect information is extracted as response data extraction information from the redirect information, and the public information is obtained from a public information server having public information in which a domain and an IP address are associated with each other. A process of transmitting the acquired response data extraction information and the transmission information including the acquired public information to a control device that controls the base router;
A relay program that executes In the computer,
When there is no response from the service server to the transmission data, a process of extracting either the domain or IP address that is the destination of the transmission data as transmission data extraction information from the transmission data;
Processing for transmitting the transmission information including the transmission data extraction information and the public information to the control device;
The relay program according to claim 5, wherein: In the computer,
It is determined whether the domain that is the response data extraction information is included in the acquired public information, generates response data content information indicating a determination result, and transmits the response data content information included in the transmission information processing,
7. The relay program according to claim 6, wherein: In the computer,
Determining whether the transmission data extraction information is included in the public information, generating transmission data content information indicating a determination result, and transmitting the transmission data content information in the transmission information;
The relay program according to claim 7, wherein:

Images