JP5486526B2 - Control device, control system, control method, and control program - Google Patents

Description

  Embodiments described herein relate generally to a control device, a control system, a control method, and a control program.

  In recent years, a service for connecting a plurality of VPNs (Virtual Private Networks) to each other (hereinafter referred to as “VPN connection service”) has been proposed. For example, it is a usage mode in which a VPN of a data center and a VPN of the company are connected to each other, and an in-house server installed in the data center is accessed from the user terminal of the company.

  In such a data center, virtual machine technology may be used. Virtual machine technology divides physical hardware logically and operates an OS (Operating System) for each divided hardware, so that one machine is as if it were multiple machines. It is a technology to make it work. For example, by applying this technology to one server installed in a data center, it can be operated as if it were a plurality of servers, and services can be individually provided to a plurality of companies.

  Here, one of the technologies associated with the virtual machine technology is live migration. Live migration is a technique for migrating an OS or software running on a running virtual machine to another virtual machine without stopping. According to live migration, for example, when the load on the operating virtual machine is high, the virtual machine can be operated on another server without stopping the service.

Takaaki Koyama, Shuichi Karasawa, Kazuhiro Kishi, Shintaro Mizuno, Satoru Iwamura, “Proposal of VPN Connection Management System”, IEICE Technical Report IN 2009-48 (2009-09), p. 53-58 Hei first, Kazuo Moriwaka, Ryuichiro Tsuruno, Kohei Maeda, “Introductory KVM”, Shosuisha Co., Ltd.

  However, when live migration is performed across VPNs, it may be necessary to construct a new path for accessing the migration destination virtual machine. Although there is a technology in which the migration destination virtual machine notifies the management server when live migration execution is complete, even if this is applied, the processing time that occurs on the service provider side when live migration is performed The time is the sum of the time and the route construction time, and becomes longer. For this reason, there is a demand for a technique for reducing the processing time that occurs with live migration.

The control device according to the embodiment constructs a path for a user terminal installed in a VPN to access a virtual machine installed in another VPN by setting the network device, and controls the connection between the VPNs Device. The control device includes a detection unit, a setting unit, and a switching unit. The detection unit migrates a virtual machine installed in the first VPN when a path for the user terminal to access the virtual machine installed in the first VPN is constructed as a working path. as the original, to detect the execution start of the migration of the virtual machine as the migration destination installed in the second VPN. Setting unit, when the execution start of migration by the detection portion is detected, in parallel with the execution of the migration, the access to the virtual machine the user terminal is installed on the second VPN The setting for constructing a route for this is performed for a predetermined network device. Switching unit detects the execution completion of the migration, and the setting to the network device is completed, the path of the current is switched to the path constructed by the setting unit. The network device accommodates a plurality of VPNs to be connected between VPNs, is installed between a packet transfer control device that controls packet transfer between VPNs, and between the packet transfer control device and each VPN. An address translation device that translates an included address, wherein the address translation device translates both a source address and a destination address contained in a packet according to address translation information, and the setting unit includes the detection unit When the execution start of the migration is detected, the address translation information is set for the address translation apparatus installed between the packet transfer control apparatus and the second VPN.

  There is an effect that it is possible to reduce the processing time that occurs with live migration.

FIG. 1 is a diagram for explaining an overview of an inter-VPN connection service according to the first embodiment. FIG. 2 is a sequence diagram illustrating a live migration processing procedure according to the first embodiment. FIG. 3 is a block diagram showing the configuration of the inter-VPN connection management system according to the first embodiment. FIG. 4 is a diagram for explaining the customer network setting storage unit according to the first embodiment. FIG. 5 is a diagram for explaining assignment of IP addresses in the first embodiment. FIG. 6 is a diagram for explaining the network device setting storage unit according to the first embodiment. FIG. 7 is a diagram for explaining a modification of the first embodiment. FIG. 8 is a diagram for explaining Twice-NAT in the second embodiment. FIG. 9 is a diagram for explaining address translation by Single-NAT. FIG. 10 is a diagram for explaining address conversion by Twice-NAT. FIG. 11 is a diagram for explaining management of IP addresses in the second embodiment. FIG. 12 is a diagram for explaining VPN as a plurality of local area network groups connected by the VPN service. FIG. 13 is a diagram for explaining VPN as a plurality of local area network groups connected by the VPN service. FIG. 14 is a diagram for explaining VPN as a plurality of local area network groups connected by the VPN service. FIG. 15 is a diagram illustrating that the information processing by the control program according to the embodiment is specifically realized using a computer.

  Hereinafter, a control device, a control system, a control method, and a control program according to embodiments will be described.

(First embodiment)
[Outline of VPN connection service]
The inter-VPN connection service is a service for mutually connecting a plurality of VPNs. For example, a service is provided in which a VPN of a data center and a VPN of a customer company are connected to each other, and a server installed in the data center is accessed from a customer user terminal. Hereinafter, a system that provides such an inter-VPN connection service is referred to as an “inter-VPN communication system”, and a system that manages the inter-VPN connection service and constructs a route is referred to as an “inter-VPN connection management system”.

  FIG. 1 is a diagram for explaining an overview of an inter-VPN connection service according to the first embodiment. First, an inter-VPN communication system will be described. In the inter-VPN communication system, as shown in FIG. 1, the collective virtual router accommodates a plurality of VPNs in a star shape, and an address translation device is installed between the collective virtual router and each VPN. The aggregation virtual router controls packet transfer between VPNs. The virtual router is realized by logically dividing a collective virtual router as physical hardware and operating each divided hardware as a router. The inter-VPN connection service is usually provided for each virtual router. The address translation device translates an address included in the packet (NAT (Network Address Translation)). That is, the address translation device translates a private address used in each VPN and an address used on the collective virtual router side. The VPN termination device terminates the VPN in order to accommodate each VPN in the collective virtual router.

  Here, in the first embodiment, a path for the user terminal installed in the VPN 3 to access the virtual machine 1 installed in the VPN 1 (data center 1) has already been established as a working path. Assume that. That is, as information for transferring a packet between the user terminal and the virtual machine 1, address translation information is set in the address translation device 1 and the address translation device 3, and routing information is set in the collective virtual router. ing. In other words, before the live migration, the address translation device 1 and the address translation device 3 are in the “active” state as the current address translation device, and the address translation device 2 is in the “standby” state as the spare address translation device. It is in. In the first embodiment, the collective virtual router, the address translation device 2 and the VPN 2 corresponding to the backup route are physically connected in advance.

  In the first embodiment, the virtual machine 1 installed in the VPN 1 (data center 1) is used as the migration source, and live migration is executed using the virtual machine 2 installed in the VPN 2 (data center 2) as the migration destination. Assuming that That is, it is assumed that information for transferring a packet between the user terminal and the virtual machine 2 is newly set in the address translation device 2 and the collective virtual router. In other words, after the live migration is performed, the working path is switched, the address translation device 1 is in a “standby” state, and the address translation device 2 and the address translation device 3 are in an “active” state. In the first embodiment, the data center 1 and the data center 2 are connected in advance by a dedicated line.

  Next, an inter-VPN connection management system will be described. The inter-VPN connection management system 100 according to the first embodiment is operated by, for example, a telecommunications carrier that provides an inter-VPN connection service. The inter-VPN connection management system 100 is connected to various network devices via a control network (not shown in FIG. 1), and performs settings for the various network devices via the control network. For example, the inter-VPN connection management system 100 is connected to the collective virtual router, the address translation devices 1 to 3 and the data center 1 and the data center 2 through a control network, and performs live migration processing, setting processing, and the like.

  In the first embodiment, the inter-VPN connection management system 100 includes a live migration processing unit 10 and an inter-VPN connection processing unit 20. The live migration processing unit 10 performs live migration processing, and the inter-VPN connection processing unit 20 performs setting processing for the network device.

[Live migration procedure]
FIG. 2 is a sequence diagram illustrating a live migration processing procedure according to the first embodiment. The virtual machine 1 installed in the VPN 1 (data center 1) is operating, and the user terminal is accessing the virtual machine 1 installed in the VPN 1 (data center 1) (step S1).

  At this time, for example, when the load of the virtual machine 1 is high, the live migration processing unit 10 instructs the virtual machine 1 to perform live migration with the virtual machine 2 installed in the VPN 2 (data center 2) as the migration destination. (Step S2).

  Then, the virtual machine 1 transmits a live migration execution confirmation notification to the live migration processing unit 10 (step S3), and executes live migration with the virtual machine 2 as the migration destination (step S4).

  On the other hand, the live migration processing unit 10 that has detected the start of live migration upon reception of the execution confirmation notification in step S3 starts with an address translation device so as to construct a path for the user terminal to access the virtual machine 2. 2 is transmitted to the inter-VPN connection processing unit 20 (step S5).

  Then, the inter-VPN connection processing unit 20 sets address translation information for the address translation device 2 (step S6). After that, when the setting for the address translation device 2 is completed, a setting completion notification is sent to the live migration processing unit 10. It transmits to (step S7).

  On the other hand, when the execution of live migration is completed, the virtual machine 1 that has started execution of live migration in step S4 transmits an execution completion notification to the live migration processing unit 10 (step S8).

  In this way, the live migration processing unit 10 receives a live migration execution completion notification from the virtual machine 1 and receives a setting completion notification for the address translation device 2 from the inter-VPN connection processing unit 20.

  Then, the live migration processing unit 10 transmits a routing switching instruction to the inter-VPN connection processing unit 20 (step S9). The inter-VPN connection processing unit 20 sets routing information for the collective virtual router, and changes from a path for accessing the virtual machine 1 from the user terminal to a path for accessing the virtual machine 2 from the user terminal. The current route (routing) is switched (step S10).

  As a result, as shown in FIG. 2, the user terminal has accessed the virtual machine 1 in step S1, but the access is automatically transferred to the virtual machine 2 (step S11). That is, for example, when the communication performed between the user terminal and the virtual machine 1 or the virtual machine 2 is TCP (Transmission Control Protocol), if the user terminal does not receive a response from the accessing virtual machine 1, Resend. While repeating this retransmission, the user terminal can automatically access the virtual machine 2.

  Here, it can be said that the processing time generated on the side of the inter-VPN connection management system 100 with live migration is the time from the start of live migration in step S4 to the switching of routing in step S10. In this regard, the inter-VPN connection management system 100 according to the first embodiment detects the start of execution of live migration, and starts setting for the address translation device 2 as a trigger. That is, the execution of live migration and the construction of a route are performed in parallel. As a result, the processing time that accompanies live migration is not the sum of the live migration execution time and the route construction time, but in principle, either the live migration execution time or the route construction time. The longer time will be almost done.

  The live migration processing procedure is not limited to the processing procedure shown in FIG. For example, the live migration processing unit 10 may detect the start of live migration in the live migration execution instruction (step S2) and start the process of step S5 before receiving the execution confirmation notification (step S3). . Further, the order of the setting completion notification (step S7) of the address translation device 2 and the live migration execution completion notification (step S8) may be reversed. The live migration execution completion notification (step S8) may be received not from the migration source virtual machine 1 but from the migration destination virtual machine 2.

[Configuration of inter-VPN connection management system according to the first embodiment]
FIG. 3 is a block diagram showing a configuration of the inter-VPN connection management system 100 according to the first embodiment. As shown in FIG. 3, the inter-VPN connection management system 100 includes a live migration processing unit 10 and an inter-VPN connection processing unit 20.

  The live migration processing unit 10 includes a customer network setting storage unit 11, a communication unit 12, an input unit 13, a setting instruction transmission unit 14, a live migration execution unit 15, an address conversion setting instruction unit 16, and a routing setting instruction. Unit 17.

  The customer network setting storage unit 11 stores network setting information of a customer who is a provider of the inter-VPN connection service. FIG. 4 is a diagram for explaining the customer network setting storage unit according to the first embodiment. As shown in FIG. 4, the customer network setting storage unit 11 stores network setting information related to the virtual machines, the address translation devices 1 to 3 and the collective virtual router for each customer. Hereinafter, the network setting information will be described with reference to FIG. 5 together with FIG. FIG. 5 is a diagram for explaining assignment of IP addresses in the first embodiment.

  As shown in FIG. 4, the customer network setting storage unit 11 uses the IP (Internet Protocol) address “192.168.1.10” of the migration source virtual machine 1 and its control IP address “172.16” as network setting information regarding the virtual machine. .100.1 ”and the IP address“ 172.16.100.2 ”for control of the migration destination virtual machine 2 are stored. In the first embodiment, these IP addresses have a subnet mask of 24 bits.

  Referring to FIG. 5, the IP address of the virtual machine 1 installed in the VPN 1 (data center 1) is “192.168.1.10”. This IP address is an address for uniquely identifying the virtual machine 1 within the VPN 1. As shown in FIG. 5, the data center 1 has a control interface, and the IP address of the interface is “172.16.100.1”. The data center 2 also has a control interface, and the IP address of the interface is “172.16.100.2”. The inter-VPN connection management system 100 is connected to this interface via a control network (not shown), and uses the control IP addresses “172.16.100.1” and “172.16.100.2” to instruct live migration execution and the like.

  Returning to FIG. 4, the customer network setting storage unit 11 stores a control IP address and address conversion information as network setting information regarding the address conversion apparatuses 1 to 3. Referring to FIG. 5, in the first embodiment, a route for a user terminal installed in VPN 3 to access virtual machine 1 installed in VPN 1 is already established as a working route. Suppose. That is, it is assumed that the address translation information is already set in the address translation device 3 and the address translation device 1. Therefore, the customer network setting storage unit 11 stores address translation information in addition to the control IP address for the address translation device 3 and the address translation device 1.

  The address translation information set in the address translation device 3 translates “192.168.1.10” and “10.0.1.10” to each other, and “172.16.2.10” and “10.0.2.10” to each other. Indicates to convert. On the other hand, the address translation information set in the address translation device 1 converts “192.168.1.10” and “10.0.2.10” to each other, and “172.16.1.10” and “10.0.1.10”. Indicates conversion to each other.

  Further, the customer network setting storage unit 11 stores a control IP address and routing information as network setting information regarding the collective virtual router. For example, the routing information (working) “destination 10.0.2.10: gateway 10.0.20.97” is “10.0.20.97” when the virtual router shown in FIG. 5 receives a packet whose destination is “10.0.2.10”. Indicates routing to the interface.

  An example of address translation and routing will be described. For example, a packet transmitted from the user terminal to the virtual machine 1 is received by the virtual machine 1 while being address-converted.

  First, the user terminal knows that the IP address of the virtual machine 1 is “172.16.2.10”. On the other hand, the virtual machine 1 knows that the IP address of the user terminal is “172.16.1.10”. Further, the virtual router of the collective virtual router grasps that the IP address of the user terminal is “10.0.1.10” and grasps the IP address of the virtual machine 1 is “10.0.2.10”.

  When the user terminal accesses the virtual machine 1, the user terminal transmits a packet whose destination is “172.16.2.10” and whose transmission source is “192.168.1.10”. Then, the address translation device 3 converts “172.16.2.10” to “10.0.2.10” and “192.168.1.10” to “10.0.1.10” according to the address translation information. As a result, the packet transmitted by the user terminal is a packet whose destination is “10.0.2.10” and whose transmission source is “10.0.1.10”.

  The virtual router performs routing according to the routing information. In this case, since the destination is a packet of “10.0.2.10”, the virtual router routes this packet to the interface of “10.0.20.97”. Subsequently, the address translation device 1 translates “10.0.2.10” into “192.168.1.10” and “10.0.1.10” into “172.16.1.10” according to the address translation information. As a result, the packet transmitted by the user terminal is a packet whose destination is “192.168.1.10” and whose transmission source is “172.16.1.10”. Referring to FIG. 5, the IP address of the virtual machine 1 is “192.168.1.10”. For this reason, this packet is received by the virtual machine 1. Thus, the packet transmitted from the user terminal to the virtual machine 1 is received by the virtual machine 1 while being address-converted. Although not shown in FIGS. 4 and 5, the packet transmitted from the virtual machine 1 to the user terminal is also received by the user terminal while being address-converted.

  Returning to FIG. 3, the communication unit 12 is a general interface for IP communication. For example, the communication unit 12 communicates with the data center 1 and the data center 2 via a control network. The input unit 13 is a keyboard or a mouse. The setting instruction transmission unit 14 is an interface inside the inter-VPN connection management system 100 and transmits / receives information to / from the inter-VPN connection processing unit 20.

  In the first embodiment, when the operator of the inter-VPN connection management system 100 remotely monitors the inter-VPN connection service and determines that the load on the virtual machine 1 is high, for example, the input unit 13 is used. A live migration execution instruction is input together with the customer ID “000001”.

  When the live migration execution unit 15 receives a live migration execution instruction together with the customer ID from the input unit 13, the live migration execution unit 15 transmits a live migration execution instruction to the virtual machine 1. Specifically, the live migration execution unit 15 refers to the customer network setting storage unit 11 using the customer ID, and the IP address “192.168.1.10” of the migration source virtual machine 1 and the control IP address “172.16”. .100.1 ”and the control IP address“ 172.16.100.2 ”of the migration destination virtual machine 2 are acquired. Then, the live migration execution unit 15 communicates with the data center 1 to provide a live migration execution instruction with the migration source as the virtual machine 1 and the migration destination as the virtual machine 2 as an IP address necessary for live migration. Etc. to send with.

  When the live migration execution unit 15 receives a live migration execution confirmation notification from the virtual machine 1, the live migration execution unit 15 notifies the address conversion setting instruction unit 16 together with the customer ID that the start of execution of live migration has been detected.

  When the address conversion setting instruction unit 16 receives a notification that the start of live migration execution has been detected from the live migration execution unit 15 together with the customer ID, the address conversion setting instruction unit 16 refers to the customer network setting storage unit 11 using the customer ID, and 1 control IP address “172.16.10.1” and address translation information, and control IP address “172.16.10.2” of the address translation device 2 are acquired. Then, the address translation setting instruction unit 16 transmits a setting instruction for the address translation device 2 to the inter-VPN connection processing unit 20 together with address translation information necessary for setting. The address conversion setting instruction unit 16 adds an argument such as “T-NAT” to the header of the setting instruction information.

  When the address translation setting instruction unit 16 receives a setting completion notification for the address translation device 2 from the inter-VPN connection processing unit 20, the address translation setting instruction unit 16 notifies the routing setting instruction unit 17 that the setting for the address translation device 2 is completed together with the customer ID. Notify them.

  When the routing setting instructing unit 17 receives the live migration execution completion notification from the virtual machine 1 and receives from the address translation setting instructing unit 16 the notification that the setting for the address translation device 2 has been completed, the routing setting instructing unit 17 uses the customer ID. The customer network setting storage unit 11 is referred to, and an IP address and routing information (standby) for controlling the collective virtual router are acquired. Then, the routing setting instruction unit 17 transmits a setting instruction for the collective virtual router to the inter-VPN connection processing unit 20 together with routing information necessary for setting. Note that the routing setting instruction unit 17 adds an argument such as “VR” to the header of the setting instruction information.

  On the other hand, the inter-VPN connection processing unit 20 includes a network device setting storage unit 21, a communication unit 22, a setting instruction receiving unit 23, an address conversion setting unit 24, and a routing setting unit 25.

  The network device setting storage unit 21 stores information for setting the network device. FIG. 6 is a diagram for explaining the network device setting storage unit according to the first embodiment. As illustrated in FIG. 6, the network device setting storage unit 21 stores control IP addresses and passwords for the address translation devices 1 to 3 and the collective virtual router. FIG. 6 illustrates a part of information stored in the network device setting storage unit 21.

  Returning to FIG. 3, the communication unit 22 is a general interface for IP communication. For example, the communication unit 22 communicates with the address translation devices 1 to 3 and the collective virtual router via a control network. The setting instruction receiving unit 23 is an interface inside the inter-VPN connection management system 100 and transmits / receives information to / from the live migration processing unit 10. The setting instruction receiving unit 23 provides the setting instruction information in which the argument “T-NAT” is included in the header to the address translation setting unit 24, and the setting instruction information in which the argument “VR” is included in the header is This is provided to the routing setting unit 25.

  When the address translation setting unit 24 receives a setting instruction for the address translation device 2 from the address translation setting instruction unit 16 together with address translation information necessary for the setting, the address translation setting unit 24 refers to the network device setting storage unit 21 and The control IP address “172.16.10.2” and the password “hogehoge02” are acquired. Then, the address translation setting unit 24 accesses the address translation device 2 using the control IP address “172.16.10.2” and the password “hogehoge02”, and sets the address translation information received from the address translation setting instruction unit 16. . That is, address translation information having the same content as the address translation information set in the address translation device 1 is set in the address translation device 2.

  The address conversion setting unit 24 may use, for example, an attachment when accessing the address conversion device 2. The attachment includes a program for reflecting the address translation information to the address translation device 2 and a program for reflecting the routing information to the collective virtual router.

  Specifically, the attachment defines a communication protocol used between the VPN connection management system 100 and the address translation device 2 and a communication protocol used between the VPN connection management system 100 and the collective virtual router. Is done. In addition, an ID / password for logging in to the address translation device 2 or the collective virtual router, a path where address translation information and routing information should be stored are designated in the attachment, and address translation information and routing information are designated in the designated path. A command for storing, a command for restarting the address translation device 2 and the collective virtual router, and the like are described. Note that address translation information and routing information may be reflected by storing and restarting, or reflected by storing. In general, as the communication protocol, a proprietary communication protocol defined by the vendor of the address translation device 2 or the vendor of the collective virtual router is used. The inter-VPN connection processing unit 20 stores the attachment in advance by being input to the operator of the inter-VPN connection management system 100, for example.

  Further, when the setting for the address translation device 2 is completed, the address translation setting unit 24 notifies the address translation setting instruction unit 16 that the setting for the address translation device 2 has been completed.

  When the routing setting unit 25 receives a setting instruction for the collective virtual router from the routing setting instruction unit 17 together with routing information necessary for the setting, the routing setting unit 25 refers to the network device setting storage unit 21 and controls the IP address for controlling the collective virtual router. Get “172.16.10.4” and password “hogehoge”. Then, the routing setting unit 25 accesses the aggregate virtual router using the control IP address “172.16.10.4” and the password “hogehoge”, and sets the routing information received from the routing setting instruction unit 17.

  That is, the working path (routing) is switched from the path for accessing the virtual machine 1 from the user terminal to the path for accessing the virtual machine 2 from the user terminal. Referring to FIG. 5, a packet routed from the interface “10.0.10.97” of the virtual router to the interface “10.0.20.97” is changed from the interface “10.0.10.97” to the interface “10.0.30.97” after switching the routing. Routed. Note that the routing setting unit 25 may use, for example, the attachment described above when accessing the collective virtual router.

[Effect of the first embodiment]
As described above, the inter-VPN connection management system 100 according to the first embodiment detects the start of live migration, and starts setting for the network device using this as a trigger. That is, the execution of live migration and the construction of a route are performed in parallel. As a result, the processing time that occurs on the side of the inter-VPN connection management system 100 with live migration is not the sum of the live migration execution time and the path construction time, but in principle, the live migration execution The longer of the time or the path construction time, whichever is longer, will be almost completed. Therefore, the processing time generated with live migration is shortened.

  Further, the inter-VPN connection management system 100 according to the first embodiment sets the address translation information having the same contents as the address translation information set in the migration source address translation apparatus for the migration destination address translation apparatus. To do. For example, this is possible when the migration-destination data center 2 is operated as a standby system for the migration-source data center 1. That is, in the migration destination data center 2, if the IP address used in the migration source data center 1 is secured in advance as a free IP address, the address translation information set in the migration source address translation device is used. It is only necessary to duplicate the migration destination address translation device. For example, even if the IP address is accidentally free, if address translation information having the same content as the address translation information set in the migration source address translation device is set in the migration destination address translation device, Good.

[Modification of First Embodiment]
Subsequently, a modification of the first embodiment will be described.

(Modification 1)
In the first embodiment, the example in which the data center 1 and the data center 2 are connected by a dedicated line and the dedicated line is used as a communication path for live migration has been described. However, the present invention is not limited to this. FIG. 7 is a diagram for explaining a modification of the first embodiment. As shown in FIG. 7, an inter-VPN connection service can be used as a live migration communication path. Note that, generally, a setting change associated with execution of live migration does not occur in a route constructed as a live migration communication channel.

(Modification 2)
In the first embodiment, an example has been described in which the operator remotely monitors the connection service between VPNs and inputs a live migration execution instruction when determining a situation where the load on the virtual machine 1 is high, for example. It is not limited to this. For example, the inter-VPN connection management system 100 monitors the load status of the CPU (Central Processing Unit) of the virtual machine 1 and the bandwidth used in the network by executing a program for remote monitoring, and exceeds a predetermined threshold, for example. On this condition, execution of live migration may be determined. That is, it may be automated, not manually by an operator.

  On the contrary, in the first embodiment, an example in which all subsequent processes are automated has been described, but the present invention is not limited to this. For example, even when the information notifying that the start of live migration has been detected is output to the output unit included in the inter-VPN connection management system 100, the operator inputs a setting start instruction for the network device as a trigger. Good. In addition, for example, information notifying that the execution of live migration is completed and the setting for the address translation device is completed is output to the output unit of the inter-VPN connection management system 100, and the operator confirms this. Then, an instruction to switch routing may be input. Other processing can be replaced manually by the operator according to the operation mode.

(Modification 3)
In the first embodiment, FIG. 3 is exemplified as the configuration of the inter-VPN connection management system 100, but the configuration is not limited to this. First, as described above, the inter-VPN connection management system 100 is a system that manages an inter-VPN connection service and constructs a route, and responds to, for example, an on-demand request. For this reason, the inter-VPN connection management system 100 may further include information necessary for providing such an inter-VPN connection service, and may include another control unit whose description is omitted.

  Further, the customer network setting storage unit 11 and the network device setting storage unit 21 are not limited to those described in the first embodiment. Information described as information stored on the live migration processing unit 11 side may be stored on the inter-VPN connection processing unit 20 side, or vice versa. Also, the information storage method (table structure) can be arbitrarily changed. Although explanation is omitted, for example, when it is necessary to identify a virtual router, it may be stored together with identification information of the virtual router, and control may be performed using this identification information.

  Further, it is not always necessary to be divided into the live migration processing unit 11 and the VPN connection processing unit 20.

(Second Embodiment)
Next, the second embodiment will be described. In the first embodiment, it is assumed that address translation information having the same content as the address translation information set in the migration source address translation device is set in the migration destination address translation device. For example, this is effective when the IP address to be set is an IP address reserved in advance at the migration destination or an accidentally free IP address.

  In the second embodiment, it is assumed that a new IP address is issued and new address translation information is generated and set. For example, this is effective when the IP address used at the migration source is an IP address in use at the migration destination or a reserved IP address. It is also effective in the case of an operation in which a new IP address is paid out when live migration is executed. The configuration of the inter-VPN connection management system 100 according to the second embodiment is the same as that of the first embodiment.

  In addition, when the IP address of the migration source virtual machine and the IP address of the migration destination virtual machine are different IP addresses, a technique for realizing live migration may be a known technique, global live migration. (For example, Hidenobu Watanabe et al., “Global Live Migration Using IP Mobility and Multiple Interfaces”, IEICE Transactions VOL.J93-B NO.7 JULY2010, P.893-901). For example, this document describes that an IP mobility technique is applied. IP mobility is a technique for continuing communication performed before movement even when the IP address allocated to the terminal is changed as the terminal moves.

  In the case of using a method on the premise that the “IP address of the migration destination virtual machine” is determined before the execution of the live migration, the inter-VPN connection management system 100, for example, from step S2 of FIG. In advance, the “migration destination virtual machine IP address” may be determined. When such a method is not used, the “IP address of the migration destination virtual machine” may be determined at an arbitrary stage required for live migration.

[Application of Twice-NAT]
Before describing IP address delivery, the address translation technique “Tice-NAT” applied to the inter-VPN communication system will be described first. Twice-NAT is a technology of RFC (Request for Comments) 2663 published by the Internet Engineering Task Force (IETF).

  Twice-NAT is a technique for converting both a source IP address and a destination IP address. Hereinafter, an IP address for uniquely identifying a user terminal or a virtual machine that uses a connection service between VPNs within the own VPN in which the user terminal or virtual machine is installed is referred to as an “address within the own VPN”. Call. In addition, an IP address for uniquely identifying a user terminal or a virtual machine installed in another VPN serving as a communication partner is referred to as a “first address”. An IP address for uniquely identifying a user terminal or a virtual router that uses a certain inter-VPN connection service is referred to as a “second address”.

FIG. 8 is a diagram for explaining Twice-NAT in the second embodiment. In FIG. 8, “a _i ” is an address in the own VPN for uniquely identifying the user terminal in the VPN _i , and “a _j ” is for uniquely identifying the virtual machine 1 in the VPN _j . Address in its own VPN. Although not shown in FIG. 8, VPN _k , which is a VPN other than VPN _i and VPN _j , is also provided with an inter-VPN connection service. “A _k ” is an address in the own VPN for uniquely identifying the terminal in VPN _k . Note that i, j, and k are positive integer values independent of each other, and in this case, i ≠ j, j ≠ k, and k ≠ i. Further, (1) is a translation operator that represents address translation from VPN _i to a virtual router (VRF _m (Virtual Routing and Forwarding)). Further, (2) is a conversion operator that represents address conversion from the virtual router (VRF _m ) to VPN _j . Here, m and n are mutually independent positive integer values that identify the virtual router, and in this case, m ≠ n.

Thus, in FIG. 8, the virtual machine 1 under user terminal and VPN _j under VPN _i utilizing inter-VPN connection service provided by the virtual router (VRF _m), uniquely in virtual router (VRF _m) The second address for identification is an IP address obtained by translating the in-VPN address “a _i ” and the in-VPN address “a _j ” once by the address translation device, and is expressed as (3).

In FIG. 8, the first address for uniquely identifying the virtual machine 1 under VPN _j in VPN _i is (4). Similarly, the first address for uniquely identifying the user terminal under VPN _i in VPN _j is (5).

When providing an inter-VPN connection service on demand, the inter-VPN connection management system 100 issues a first address and a second address, generates address translation information, and makes settings for the address translation apparatus. Specifically, the inter-VPN connection management system 100 determines the first address so as to satisfy Equation (6). (6) the right side of the equation, VPN a subordinate terminal VPN _k which can be a communication counterpart for the terminal in the VPN _i (VPN connections by virtual router (VRF _n) from the terminal in the terminal and VPN _k in VPN _{i) This} is the first address for uniquely identifying _i . That is, the first address for uniquely identifying the virtual machine 1 under VPN _j in VPN _i is different from the first address for uniquely identifying the terminal under VPN _k in VPN _i . There must be. Therefore, the expression (6) indicates that “the first address is used in the VPN _i in the time zone in which the inter-VPN connection service is provided between the user terminal installed in the VPN _i and the virtual machine 1. Must be paid out so as to be uniquely identified in the first address ", and eventually the first address is not used in VPN _i for that time zone (or in that time zone) An IP address that is not scheduled to be used is used. Note that the expressions (7) and (8) must also be satisfied.

Further, the inter-VPN connection management system 100 determines the first address so as to satisfy the expression (9). (9) the right side of the equation, VPN a subordinate terminal VPN _k which can be a communication counterpart for the terminal in the VPN _j (VPN connections by virtual router (VRF _n) from the terminal in the terminal and VPN _k in VPN _{j) This} is the first address for uniquely identifying in _j . That is, the first address for uniquely identifying the user terminal under VPN _i in VPN _j is different from the first address for uniquely identifying the terminal under VPN _k in VPN _j . There must be. Therefore, the expression (9) indicates that “the first address is used in the VPN _j in a time zone in which the inter-VPN connection service is provided between the user terminal installed in the VPN _i and the virtual machine 1. Must be paid out so as to be uniquely identified in the first address. "As a result, the first address is not used in that time zone in VPN _j (or in that time zone) An IP address that is not scheduled to be used is used. Note that the expressions (10) and (11) must also be satisfied.

Further, the inter-VPN connection management system 100 determines the second address so as to satisfy the expression (12), for example. The expression (12) indicates that “the second address is uniquely identified within the same virtual router in the time period during which the inter-VPN connection service is provided between the user terminal installed in VPN _i and the virtual machine 1. Must be paid out ".

  As described above, the inter-VPN connection management system 100 uses the “twice-NAT” and “virtual router” technologies to make the IP address space independent, thereby solving the IP address conflict and assigning the IP address. Is simplified. Specifically, first, the IP address space is separated in the vertical direction between the VPN and the virtual router by “Twice-NAT” (see the white arrow in FIG. 8). Further, the “virtual router” separates the IP address space in the horizontal direction between the virtual routers set as the aggregate virtual router (see the white arrow in FIG. 8). The inter-VPN connection management system 100 combines the two to make the IP address space independent in each VPN and each virtual router, and resolves IP address conflicts while assigning IP addresses. It is simplified.

  As described above, the address translation based on Twice-NAT is more convenient than the address translation based on Single-NAT. This point will be described using a specific IP address as an example.

  FIG. 9 is a diagram for explaining address translation by Single-NAT. First, the IP address that uniquely identifies the user terminal installed in the VPN 3 within the VPN 3 is “192.168.1.10”. This IP address “192.168.1.10” is not notified to the outside. That is, when the address translation device 3 translates the IP address “192.168.1.10” into the IP address “172.16.1.10”, the external IP address of the user terminal becomes “172.16.1.10”. For this reason, in the VPN 1 in which the virtual router or the virtual machine 1 is installed, the IP address for uniquely identifying the user terminal is “172.16.1.10”.

  On the other hand, the IP address that uniquely identifies the virtual machine 1 installed in the VPN 1 within the VPN 1 is “192.168.1.10”. This IP address “192.168.1.10” is not notified to the outside. That is, when the address translation device 1 translates the IP address “192.168.1.10” into the IP address “172.16.2.10”, the external IP address of the virtual machine 1 becomes “172.16.2.10”. Therefore, the IP address that uniquely identifies the virtual machine 1 in the VPN 3 in which the virtual router and the user terminal are installed is “172.16.2.10”.

  Here, before the live migration is performed, the user terminal transmits a packet with the destination “172.16.2.10” and the transmission source “192.168.1.10”. Convert “192.168.1.10” to “172.16.1.10”. As a result, the packet transmitted by the user terminal is a packet whose destination is “172.16.2.10” and whose transmission source is “172.16.1.10”.

  The virtual router performs routing according to the routing information. In this case, since the destination is a packet of “172.16.2.10”, the virtual router routes this packet toward the address translation device 1. Subsequently, the address translation device 1 translates “172.16.2.10” into “192.168.1.10” according to the address translation information. As a result, the packet transmitted by the user terminal is a packet whose destination is “192.168.1.10” and whose transmission source is “172.16.1.10”. Here, since the IP address of the virtual machine 1 is “192.168.1.10”, this packet reaches the virtual machine 1.

  On the other hand, after the completion of the live migration, the virtual router routes the packet whose destination is “172.16.2.10” and whose transmission source is “172.16.1.10” to the address translation device 2 this time. Here, the address translation device 2 performs address translation of the destination IP address, but does not perform address translation of the source IP address. That is, the source IP address “172.16.1.10” reaches VPN 2 as it is. Therefore, in the migration destination VPN 2, it is “required” to use “172.16.1.10” as an IP address for uniquely identifying the user terminal. If “172.16.1.10” is already used or reserved in the VPN 2, the virtual router and the address translation device 3 must also review the IP address.

  FIG. 10 is a diagram for explaining address conversion by Twice-NAT. First, the IP address that uniquely identifies the user terminal installed in the VPN 3 within the VPN 3 is “192.168.1.10”. This IP address “192.168.1.10” is not notified to the outside. That is, the address conversion device 3 converts the IP address “192.168.1.10” into the IP address “10.0.1.10”. For this reason, in the virtual router, the IP address that uniquely identifies the user terminal is “10.0.1.10”. Further, the address translation device 1 translates the IP address “10.0.1.10” into the IP address “172.16.1.10”. For this reason, the IP address that uniquely identifies the user terminal in the VPN 1 in which the virtual machine 1 is installed is “172.16.1.10”.

  On the other hand, the IP address that uniquely identifies the virtual machine 1 installed in the VPN 1 within the VPN 1 is “192.168.1.10”. This IP address “192.168.1.10” is not notified to the outside. That is, the address translation device 1 translates the IP address “192.168.1.10” into the IP address “10.0.2.10”. Therefore, the IP address for uniquely identifying the virtual machine 1 in the virtual router is “10.0.2.10”. Further, the address translation device 3 translates the IP address “10.0.2.10” into the IP address “172.16.2.10”. For this reason, the IP address that uniquely identifies the virtual machine 1 in the VPN 3 in which the user terminal is installed is “172.16.2.10”.

  Here, before the live migration is performed, the user terminal transmits a packet with the destination “172.16.2.10” and the transmission source “192.168.1.10”, so the address translation device 3 follows the address translation information. IP address “172.16.2.10” is converted to “10.0.2.10”, and the source IP address “192.168.1.10” is converted to “10.0.1.10”. As a result, the packet transmitted by the user terminal is a packet whose destination is “10.0.2.10” and whose transmission source is “10.0.1.10”.

  The virtual router performs routing according to the routing information. In this case, since the destination is a packet of “10.0.2.10”, the virtual router routes this packet toward the address translation device 1. Subsequently, the address translation device 1 translates the destination IP address “10.0.2.10” to “192.168.1.10” according to the address translation information, and changes the source IP address “10.0.1.10” to “172.16.1.10”. Convert. As a result, the packet transmitted by the user terminal is a packet whose destination is “192.168.1.10” and whose transmission source is “172.16.1.10”. Since the IP address of the virtual machine 1 is “192.168.1.10”, this packet reaches the virtual machine 1.

  On the other hand, after the completion of the live migration, the virtual router routes the packet whose destination is “10.0.2.10” and whose transmission source is “10.0.1.10” toward the address translation device 2 this time. Here, the address translation device 2 translates both the destination IP address and the source IP address. That is, as in the case of Single-NAT, the source IP address does not reach VPN 2 as it is. For this reason, in the migration destination VPN 2, it is not essential to use “172.16.1.10” as an IP address for uniquely identifying the user terminal, and at least the VPN between the user terminal and the virtual machine 2 is used. In the time zone in which the inter-connection service is provided, it is only necessary to uniquely select the IP address used in the VPN 2. In FIG. 10, the reason why the IP address for “uniquely identifying the user terminal within VPN2” is “selectable” is that the IP address for “uniquely identifying the user terminal within VPN2” is “172.16. This means that it is not essential to use ".1.10". Further, in FIG. 10, the reason that the IP address “uniquely identifying the virtual machine 2 within VPN2” is described as “existing” is that the IP address “uniquely identifying the virtual machine 2 within VPN2” is not necessarily It is not essential to be the same as the IP address that uniquely identifies the virtual machine 1, which means that an existing IP address may be used.

  Thus, the inter-VPN connection management system 100 simplifies IP address assignment while resolving IP address conflicts by making the IP address space independent.

[IP address assignment]
In the second embodiment, the address translation setting instruction unit 16 or the address translation setting unit 24 issues a new IP address and generates new address translation information. Hereinafter, as an example, the case where the address translation setting instruction unit 16 issues a new IP address and generates new address translation information will be described.

  Here, as described with reference to FIG. 10, the IP address to be issued by the address conversion setting instruction unit 16 is “IP address for uniquely identifying the user terminal in the VPN 2” (first address ). An IP address (second address) for uniquely identifying the user terminal and the virtual machine 2 in the virtual router is provided between the user terminal and the virtual machine 1 or the virtual machine 2. The payout may be performed so as to be uniquely identified in the same virtual router in the time zone. For this reason, when migrating from the virtual machine 1 to the virtual machine 2 by live migration, in principle, the second address does not overlap within the virtual router, and there is no need to change the second address. This is because the route between the user terminal and the virtual machine 1 and the route between the user terminal and the virtual machine 2 do not become an active route (active) at the same time.

  FIG. 11 is a diagram for explaining management of IP addresses in the second embodiment. In the second embodiment, the address translation setting instruction unit 16 manages the IP address space using the time axis as shown in FIG. Here, FIG. 11 shows an IP address space managed for VPN2, for example.

  In FIG. 11, “IP address used to uniquely identify a device within the VPN 2 within VPN 2” cannot be used for paying out the first address in all time zones. This is because it has already been assigned to a device in VPN2 or has been secured as an IP address to be assigned to a device in VPN2.

  The thick solid line is an IP address that is already in use as the first address of the inter-VPN connection service, and the thick dotted line is an IP address reserved as the first address of the inter-VPN connection service. The address conversion setting instruction unit 16 stores these pieces of information together with time information in a table or the like. The address conversion setting instruction unit 16 pays out the first address when transmitting a setting instruction to the address conversion device 2. Specifically, the address translation setting instruction unit 16 refers to the table and is not used and used at least in a time zone in which the inter-VPN connection service is provided between the user terminal and the virtual machine 2. An IP address that is not scheduled to be selected is selected as the first address.

  Then, as shown in FIG. 10, the address conversion setting instruction unit 16 newly issued the address conversion information for converting the existing IP address assigned to the virtual machine 2 and “10.0.2.10”. Address conversion information for converting the first address and “10.0.1.10” is newly generated.

  Thereafter, as in the first embodiment, the address conversion setting instruction unit 16 transmits a setting instruction for the address conversion device 2 to the inter-VPN connection processing unit 20 together with the newly generated address conversion information and the like.

[Effects of Second Embodiment]
As described above, the inter-VPN connection management system 100 according to the second embodiment pays out a new IP address (first address) for uniquely identifying the user terminal in the VPN 2 and issues a new IP that has been issued. Address translation information using addresses is set for the address translation device 2. In this case, the inter-VPN connection management system 100 is uniquely identified among terminals that can be communication partners in the VPN 2 at least in a time zone in which a path is established between the user terminal and the virtual machine 2. To pay out a new IP address. As a result, it is possible to flexibly cope with the case where the address translation information set in the migration source address translation device is, for example, an IP address in use or includes a reserved IP address. Become.

  The address translation setting instruction unit 16 determines whether the address translation information set in the migration source address translation device can be set for the address translation device 2, and determines that the address translation information cannot be set. In this case, a new IP address may be issued, and address conversion information using the new IP address that has been issued may be set for the address conversion device 2.

In the second embodiment, the second address is not duplicated in the virtual router in principle, and it is not necessary to change the second address. It is not limited to this. In other words, when establishing a new route between the user terminal and the virtual machine 2, the inter-VPN connection management system 100 may issue a second address and use the newly issued second address. In this case, the inter-VPN connection management system 100 sets the second address in the same virtual router in the time zone in which the inter-VPN connection service is provided between the user terminal installed in the VPN _i and the virtual machine 2. Pay out to be uniquely identified. When the second address is changed, the inter-VPN connection management system 100 not only sets the routing information using the new second address in the collective virtual router but also the address translation device 3. The address conversion information using the new second address is set.

(Third embodiment)
The control device, the control system, the control method, and the control program according to the embodiment are not limited to the first embodiment and the second embodiment. Hereinafter, it demonstrates in order.

  In the first embodiment and the second embodiment, live migration is assumed. However, the present disclosure is not limited to this, and the disclosed technique can be similarly applied to “migration”. In this case, the inter-VPN connection management system 100 is installed in the first VPN when the path for the user terminal to access the virtual machine installed in the first VPN is constructed as the working path. The execution start of migration is detected with the virtual machine set as the migration source and the virtual machine installed in the second VPN as the migration destination. Next, when the execution start of the migration is detected, the inter-VPN connection management system 100 provides a path for the user terminal to access the virtual machine installed in the second VPN in parallel with the execution of the migration. Is set for a predetermined network device. Then, the inter-VPN connection management system 100 detects the completion of the migration and switches the currently used route to the newly constructed route when the setting to the network device is completed.

[Mode of the base]
In the above-described embodiment, it is assumed that the VPN is a local area network (LAN) connected to a VPN service provided by a telecommunications carrier or the like. However, the present invention is not limited to this. The VPN may be a single terminal instead of a so-called network. For example, there is a case where the router installed in the VPN is realized by software in the terminal instead of a physical router. The VPN may be an in-house network with a plurality of local area network groups connected by a VPN service provided by a telecommunications carrier or the like.

  12 to 14 are diagrams for explaining a VPN as a plurality of local area network groups connected by the VPN service. In addition, in FIGS. 12-14, it shows using two types of dotted lines. One is a normal dotted line, and the other is a broken line (a combination of a short line and a long line). The broken lines indicate that a plurality of bases belonging to the same VPN service and a VPN is formed between bases in the same company (for example, C company). On the other hand, the dotted line indicates that the VPNs are connected. For example, connection between a plurality of VPNs belonging to different VPN services, or connection between VPNs of different companies, even between a plurality of VPNs belonging to the same VPN service.

  As illustrated in FIG. 12, for example, Company C has a base group belonging to the VPN service 1 and a base point belonging to the VPN service 3. On the other hand, Company D has a base belonging to the VPN service 2 and a base belonging to the VPN service 4. The inter-VPN connection management system 100 implements such an inter-VPN connection service between the base group (VPN) of company C and the base group (VPN) of company D belonging to different VPN services.

  Further, as illustrated in FIG. 13, for example, Company C has a base group (VPN) grouped by the VPN service 3. On the other hand, the company D has a base group (VPN) grouped by the VPN service 4. The inter-VPN connection management system 100 implements such an inter-VPN connection service between the base group (VPN) of company C and the base group (VPN) of company D belonging to different VPN services.

  Further, as illustrated in FIG. 14, for example, both company C and company D have a base group (VPN) grouped by the VPN service 2. The inter-VPN connection management system 100 realizes such an inter-VPN connection service between the group of companies C (VPN) and the group of companies D (VPN) belonging to the same VPN service.

[Computer]
FIG. 15 is a diagram illustrating that the information processing by the control program according to the embodiment is specifically realized using a computer. As shown in FIG. 15, the computer has, for example, a memory, a CPU, a hard disk drive interface, a disk drive interface, a serial port interface, a video adapter, and a network interface. Connected.

  As shown in FIG. 15, the memory includes a ROM (Read Only Memory) and a RAM (Random Access Memory). The ROM stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface is connected to the hard disk drive as shown in FIG. The disk drive interface is connected to the disk drive as shown in FIG. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive. As shown in FIG. 15, the serial port interface is connected to a mouse and a keyboard, for example. As shown in FIG. 15, the video adapter is connected to a display, for example.

  Here, as shown in FIG. 15, the hard disk drive stores, for example, an OS, an application program, a program module, and program data. That is, the control program according to the embodiment is stored in, for example, a hard disk drive as a program module in which a command to be executed by a computer is described. Specifically, a procedure for executing information processing similar to that of the live migration execution unit 15 described in the first embodiment, a procedure for executing information processing similar to that of the address conversion setting instruction unit 16, and an address conversion setting unit 24, a program module in which a procedure for executing the same information processing as 24, a procedure for executing the same information processing as the routing setting instruction unit 17, and a procedure for executing the same information processing as the routing setting unit 25 are described. Stored on the hard disk drive.

  Further, data used for information processing by the control program, such as data stored in the customer network setting storage unit 11 and the network device setting storage unit 21 described in the first embodiment, is, for example, a hard disk drive as program data. Is remembered. Then, the CPU reads the program module and program data stored in the hard disk drive into the RAM as necessary, and executes the above-described procedure.

  Note that the program module and program data related to the control program are not limited to being stored in the hard disk drive, but may be stored in, for example, a removable storage medium and read out by the CPU via the disk drive or the like. Alternatively, a program module and program data related to the control program may be stored in another computer connected via a LAN, a WAN (Wide Area Network), and read by the CPU via a network interface.

DESCRIPTION OF SYMBOLS 100 Connection management system between VPNs 10 Live migration process part 11 Customer network setting memory | storage part 12 Communication part 13 Input part 14 Setting instruction | indication transmission part 15 Live migration execution part 16 Address conversion setting instruction | indication part 17 Routing setting instruction | indication part 20 Inter VPN connection process part 21 network device setting storage unit 22 communication unit 23 setting instruction receiving unit 24 address conversion setting unit 25 routing setting unit

Claims (8)

A control device that controls a connection between VPNs by establishing a route for a user terminal installed in a VPN (Virtual Private Network) to access a virtual machine installed in another VPN by setting the network device. ,
When the path for the user terminal to access the virtual machine installed in the first VPN is constructed as a working path, the virtual machine installed in the first VPN is used as the migration source, a detection unit for detecting the start of the execution of the migration of the virtual machines to be installed in the second VPN and migration destination,
Execution start of the migration by said detecting portion is detected, in parallel with the execution of the migration, a path for accessing the virtual machine in which the user terminal is installed on the second VPN A setting unit for setting a predetermined network device,
Detecting the execution completion of the migration, and the setting to the network device is completed, the path of the working, and a switching unit for switching a path constructed by the setting unit,
The network device is:
A packet transfer control device that accommodates a plurality of VPNs to be connected between VPNs and controls packet transfer between VPNs, and is installed between the packet transfer control device and each VPN, and converts addresses contained in packets And an address translation device
The address translator is
Both the source address and the destination address included in the packet are converted according to the address conversion information,
When the detection unit detects the start of the migration, the setting unit sets the address conversion information for an address conversion device installed between the packet transfer control device and the second VPN. A control device characterized by that. The setting unit sends address translation information having the same content as the address translation information set in the address translation device installed between the packet transfer control device and the first VPN to the packet transfer control device and the first VPN. The control device according to claim 1 , wherein the control device is set for an address translation device installed between two VPNs. The setting unit may set the second in the VPN dispensing a new address for uniquely identifying the user terminal, the address translation information using a new address paid out, to the address translator The control device according to claim 1 , wherein: The setting unit uniquely identifies the user terminal in the second VPN included in address conversion information set in an address conversion device installed between the packet transfer control device and the first VPN. When it is determined that the address for identifying the address is settable for the address translation device installed between the packet transfer control device and the second VPN, and is not settable In addition, a new address for uniquely identifying the user terminal in the second VPN is issued, and address translation information using the new address issued is set for the address translation device. The control device according to claim 3 . The setting unit routes the new address for uniquely identifying the user terminal in the second VPN between the user terminal and a virtual machine installed in the second VPN. 5. The control device according to claim 3 , wherein payout is performed so as to be uniquely identified among terminals that can be a communication partner in the second VPN in a time zone in which the network is configured. A control system for controlling a route for a user terminal installed in a VPN to access a virtual machine installed in another VPN,
A packet transfer control apparatus that accommodates a plurality of VPNs and controls packet transfer between VPNs;
An address conversion device installed between the packet transfer control device and each VPN, for converting an address included in the packet;
A control device for constructing a path for connecting between VPNs,
The control device includes:
When the path for the user terminal to access the virtual machine installed in the first VPN is constructed as a working path, the virtual machine installed in the first VPN is used as the migration source, a detection unit for detecting the start of the execution of the migration of the virtual machines to be installed in the second VPN and migration destination,
Execution start of the migration by said detecting portion is detected, in parallel with the execution of the migration, a path for accessing the virtual machine in which the user terminal is installed on the second VPN A setting unit configured to set an address translation device installed between the packet transfer control device and the second VPN;
Detecting the execution completion of the migration, and the setting to the address translation device is completed, the path of the working, and a switching unit for switching a path constructed by the setting unit,
The address translator is
Both the source address and the destination address included in the packet are converted according to the address conversion information,
When the detection unit detects the start of the migration, the setting unit sets the address conversion information for an address conversion device installed between the packet transfer control device and the second VPN. A control system characterized by that. This is a control method that is executed by a control device that controls a connection between VPNs by constructing a path for a user terminal installed in a VPN to access a virtual machine installed in another VPN by setting the network device. And
When the path for the user terminal to access the virtual machine installed in the first VPN is constructed as a working path, the virtual machine installed in the first VPN is used as the migration source, a detection step of detecting the start of the execution of the migration of the virtual machines to be installed in the second VPN and migration destination,
When the detection process by the start of the execution of the migration is detected, in parallel with the execution of the migration, a path for accessing the virtual machine in which the user terminal is installed on the second VPN A setting process for setting a predetermined network device,
Detecting the execution completion of the migration, and includes the setting to the network device is completed, the path of the current, and a switching step of switching a path constructed by the setting step,
The network device is:
A packet transfer control device that accommodates a plurality of VPNs to be connected between VPNs and controls packet transfer between VPNs, and is installed between the packet transfer control device and each VPN, and converts addresses contained in packets And an address translation device
The address translator is
Both the source address and the destination address included in the packet are converted according to the address conversion information,
In the setting step, when the start of execution of the migration is detected by the detection step, the address conversion information is set for the address conversion device installed between the packet transfer control device and the second VPN. A control method characterized by that. Control program for functioning as a control apparatus according to a computer to claim 1-5.

Images