WO2018027586A1 - Method, apparatus and system for a virtual machine to access a physical server in a cloud computing system (云计算系统中虚拟机访问物理服务器的方法、装置和系统) - Google Patents
- Publication number: WO2018027586A1 (PCT application PCT/CN2016/094225)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- service
- address
- virtual machine
- publishing
- physical server
Classifications
- H04L67/10 — Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network
- H04L63/102 — Network architectures or protocols for network security; controlling access to devices or network resources; entity profiles
- G06F9/45558 — Hypervisors / virtual machine monitors; hypervisor-specific management and integration aspects
- G06F2009/45562 — Creating, deleting, cloning virtual machine instances
- G06F2009/45587 — Isolation or security of virtual machine instances
- G06F2009/45595 — Network integration; enabling network access in virtual machine instances
- H04L61/00 — Network arrangements, protocols or services for addressing or naming
- H04L61/2539 — Translation of Internet protocol [IP] addresses; hiding addresses, keeping addresses anonymous
- H04L61/2557 — Translation of Internet protocol [IP] addresses; translation policies or rules
- H04L61/2575 — NAT traversal using address mapping retrieval, e.g. STUN
- H04L61/4511 — Network directories; name-to-address mapping using the domain name system [DNS]
Definitions
- The present invention relates to the field of IT technologies, and in particular to a method, an apparatus and a system for a virtual machine to access a physical server in a cloud computing system.
- PM: physical machine
- DB: database, for example Oracle Database
- The user logs in to the virtual machine (VM) and accesses, over the network, the physical server on which services of the above kinds are deployed.
- VM: virtual machine
- To reach those services, the VM needs the IP address of the PM.
- If the VM can learn the real IP address of the PM or PM cluster running the service, the network plan of the physical servers on the cloud platform is exposed, and a malicious user can attack the network in which the PM sits and the devices on it, endangering the security of the cloud platform.
- An embodiment of the invention describes a method, apparatus and system for a virtual machine to access a physical server, which prevents the virtual machine from learning the real address of the physical server and so protects network security.
- An embodiment provides a system in which a virtual machine accesses a physical server. The system includes a cloud platform, at least one physical server, at least one host and at least one access network element; the host, the physical server and the cloud platform communicate with one another. The host runs at least one virtual machine, and the virtual machine accesses the physical server through the access network element. A service is deployed on the physical server.
- The cloud platform allocates to the service a publishing IP address and a publishing port corresponding to that service, and records the correspondence between the publishing IP address and port and the IP address and port of the physical server running the service.
- The cloud platform publishes the service so that it is visible to the virtual machine.
- The cloud platform sends a NAT rule associated with the virtual machine to the access network element; the NAT rule contains the correspondence between the publishing IP address and port and the IP address and port of the physical server running the service.
- The access network element receives the virtual machine's service access request, whose destination is the publishing IP address and port, rewrites that destination to the real IP address and port of the physical server according to the NAT rule, and forwards the request.
- The virtual machine can therefore access the service without knowing the real IP address and port of the physical server on which the service is deployed.
- Because the service is uniquely identified by its publishing IP address and port, even when it is deployed on several physical servers or on a cluster with different IP addresses, different virtual machines can use the same publishing IP address and port to access the same service, without concerning themselves with the real IP address and port of the physical server or cluster that actually hosts it. Access to the service is thereby unified.
- When the source address of the service response packet is the IP address and port of the physical server, the access network element may also rewrite that source address to the publishing IP address and port according to the NAT rule, so that the response delivered to the virtual machine still does not contain the real address of the physical server.
- Alternatively, the physical server may set the source address of the service response directly to the publishing IP address and port, in which case the access network element does not modify the source address.
- When the physical server sends the service response from its real address, the physical server needs no modification to fit this embodiment, which improves the efficiency of service deployment and publication.
- When the physical server sends the service response from the publishing IP address and port corresponding to the service, the physical server has to be adapted: it records the service together with its publishing IP address and port, and sets the source address of each service response to that publishing IP address and port. The access network element then need not perform source NAT on the response, which improves the efficiency with which the virtual machine accesses the service, but the physical server must be modified to implement the solution, which reduces the efficiency of service deployment and publication.
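The request and response handling described above, as an added example that is not part of the patent: a Python model of the access network element's per-VM NAT rule table. It rewrites the destination of requests, rewrites the source of responses in the first mode (the PM answers from its real address), passes responses through unchanged in the second mode (the PM answers from the publishing address), and drops traffic from a VM that holds no rule for the destination. The class and function names, addresses and ports are assumptions made for this example.

```python
# Added illustration (not the patent's own code): a model of the access network
# element's per-VM NAT rule table and the two response-address modes described
# in the text. Names, addresses and ports are assumed for the example.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    """Correspondence between a service's publishing address and the real PM address."""
    published: Endpoint
    real: Endpoint
    # True when the PM already answers from the publishing address (no SNAT needed).
    pm_replies_with_published: bool = False


class AccessNetworkElement:
    """Per-VM NAT rules as the cloud platform would push them to an OVS or TOR switch."""

    def __init__(self) -> None:
        # vm_id -> {published endpoint -> rule}
        self.rules: Dict[str, Dict[Endpoint, NatRule]] = {}

    def install(self, vm_id: str, rule: NatRule) -> None:
        self.rules.setdefault(vm_id, {})[rule.published] = rule

    def remove_vm(self, vm_id: str) -> None:
        self.rules.pop(vm_id, None)

    def forward_request(self, vm_id: str, pkt: Packet) -> Optional[Packet]:
        """VM -> PM direction: DNAT the publishing address to the real PM address.

        Returns None when the VM holds no rule for that destination: the packet is
        dropped rather than forwarded, so an unauthorised VM never reaches the PM.
        """
        rule = self.rules.get(vm_id, {}).get(pkt.dst)
        if rule is None:
            return None
        return replace(pkt, dst=rule.real)

    def forward_response(self, vm_id: str, pkt: Packet) -> Optional[Packet]:
        """PM -> VM direction: keep the real PM address out of what the VM sees.

        Mode 1: the PM answers from its real address, so the element SNATs it back
        to the publishing address. Mode 2: the PM already answers from the publishing
        address and the packet passes unchanged. Anything else is dropped.
        """
        for rule in self.rules.get(vm_id, {}).values():
            if pkt.src == rule.real:
                return replace(pkt, src=rule.published)
            if rule.pm_replies_with_published and pkt.src == rule.published:
                return pkt
        return None


def demo_nat() -> dict:
    """Constructed sample exchange: one authorised VM, one VM without a rule."""
    ane = AccessNetworkElement()
    db_rule = NatRule(published=("10.255.0.10", 15432), real=("192.168.30.7", 5432))
    ane.install("vm-a", db_rule)
    req = Packet(src=("10.0.1.5", 40001), dst=db_rule.published)
    out = ane.forward_request("vm-a", req)                # DNAT to the real PM
    resp = Packet(src=db_rule.real, dst=req.src)           # PM answers from real address
    back = ane.forward_response("vm-a", resp)              # SNAT back to published
    blocked = ane.forward_request("vm-b", req)             # vm-b has no rule: dropped
    return {"request_dst": out.dst, "response_src": back.src, "unauthorised": blocked}
```

The address hiding only holds if the element also refuses to forward packets that a VM addresses directly to the physical-server network; the model does this by returning None for anything that matches no rule, and an OVS or iptables deployment needs an explicit deny for the PM subnet to get the same effect rather than relying on the VM not guessing the real address.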
- The cloud platform can publish the service in several ways.
- The cloud platform has a user-facing service presentation interface and a management presentation interface for operations and maintenance staff. A user can log in to the service presentation interface, browse the services offered by the cloud platform and apply for a service.
- The cloud platform displays service information on the service presentation interface to introduce the service to the user; the service information includes the external display address of the service.
- The external display address of the service may be the publishing IP address and port, or the domain name corresponding to the service.
- When the external display address is the publishing IP address and port, the virtual machine requests the service from the physical server using that publishing IP address and port as the destination address. When the external display address is a domain name, the virtual machine must first obtain the address corresponding to the domain name: it sends a resolution request to the DNS server and receives the address corresponding to the domain name, which is the publishing IP address and port.
- The cloud platform may register the mapping between the domain name and the service's publishing IP address and port with the DNS server in advance. Specifically, the cloud platform sends the correspondence between the domain name and the publishing IP address and port to the DNS server of the domain name system; the virtual machine then initiates domain name resolution and obtains the service's publishing IP address and port from the DNS server according to the domain name. (A plain DNS A record carries only an IP address; returning the port through DNS as well requires a record type that carries one, such as an SRV record, or a port that is fixed for the service.)
- The user logs in to the service presentation page and applies to the cloud platform for a service; the cloud platform returns a service request response to the virtual machine, carrying the external display address.
- After the cloud platform determines that the service authorization has passed, it records authorization information for the user to whom the virtual machine belongs. The authorization information includes the user identifier, the virtual machine identifier and the account and password assigned to the user, and the cloud platform uses it to authenticate the user's service access requests.
- The cloud platform may authorize at user granularity: if the user has several virtual machines, the user may access the authorized service from any of them, and when the user creates a new virtual machine the cloud platform sends the NAT rule to the access network element connected to the new virtual machine, so that the user can reach the physical server from it.
- Authorization at user granularity is more convenient for the user, who need not apply separately for every virtual machine. Further, when the user deletes one of their virtual machines, the cloud platform notifies the access network element to delete the NAT rule associated with that virtual machine.
- The user may actively request termination of the service authorization, or the cloud platform may terminate it on its own, for example when the user's account is in arrears.
- When the cloud platform determines that the user's service authorization must be terminated, it identifies the virtual machines involved and sends a delete message to the access network element connected to each of them, instructing it to delete that virtual machine's NAT rule.
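The user-granularity authorization lifecycle described above (authorize, create VM, delete VM, terminate), together with the later description of the SDN controller delivering the NAT rule to each access network element as a flow table, as an added example that is not part of the patent. The rule is rendered in ovs-ofctl flow syntax for both directions; the entity names, OVS port numbers, service names and addresses are assumptions made for this example.

```python
# Added illustration (not the patent's own code): the cloud platform side of the
# scheme, authorising a service per user and pushing or withdrawing the per-VM
# NAT rule on each VM's access network element. Names and addresses are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Service:
    name: str
    published: Endpoint  # publishing IP address and port shown to users
    real: Endpoint       # real address of the PM, or the address a PM cluster presents


@dataclass
class AccessElementState:
    """Flows held by one access network element (OVS on a host or a TOR switch)."""
    flows: Dict[str, List[str]] = field(default_factory=dict)  # vm_id -> flow strings


def flows_for(vm_port: int, svc: Service) -> List[str]:
    """Render one NAT rule as two OpenFlow rules in ovs-ofctl syntax.

    The first rewrites the destination of VM traffic sent to the publishing
    address; the second rewrites the source of the PM's reply back to the
    publishing address so the VM never sees the real address.
    """
    pub_ip, pub_port = svc.published
    real_ip, real_port = svc.real
    to_pm = (f"priority=100,ip,tcp,in_port={vm_port},nw_dst={pub_ip},tp_dst={pub_port},"
             f"actions=mod_nw_dst:{real_ip},mod_tp_dst:{real_port},normal")
    to_vm = (f"priority=100,ip,tcp,nw_src={real_ip},tp_src={real_port},"
             f"actions=mod_nw_src:{pub_ip},mod_tp_src:{pub_port},output:{vm_port}")
    return [to_pm, to_vm]


class CloudPlatform:
    """Authorises services per user and keeps every VM's access element in sync."""

    def __init__(self) -> None:
        self.services: Dict[str, Service] = {}
        self.authorised: Dict[str, Set[str]] = {}        # user -> service names
        self.vms: Dict[str, Tuple[str, str, int]] = {}    # vm_id -> (user, ane_id, port)
        self.elements: Dict[str, AccessElementState] = {}

    def publish(self, svc: Service) -> None:
        self.services[svc.name] = svc

    def _element(self, ane_id: str) -> AccessElementState:
        return self.elements.setdefault(ane_id, AccessElementState())

    def _push(self, vm_id: str) -> None:
        user, ane_id, port = self.vms[vm_id]
        self._element(ane_id).flows[vm_id] = [
            flow for name in sorted(self.authorised.get(user, ()))
            for flow in flows_for(port, self.services[name])]

    def _withdraw(self, vm_id: str) -> None:
        _, ane_id, _ = self.vms[vm_id]
        self._element(ane_id).flows.pop(vm_id, None)

    def create_vm(self, vm_id: str, user: str, ane_id: str, port: int) -> None:
        self.vms[vm_id] = (user, ane_id, port)
        self._push(vm_id)  # a new VM of an authorised user gets the rule immediately

    def delete_vm(self, vm_id: str) -> None:
        self._withdraw(vm_id)
        del self.vms[vm_id]

    def authorise(self, user: str, service: str) -> None:
        self.authorised.setdefault(user, set()).add(service)
        for vm_id, (owner, _, _) in self.vms.items():
            if owner == user:
                self._push(vm_id)  # user granularity: every VM of the user

    def terminate(self, user: str) -> None:
        self.authorised.pop(user, None)
        for vm_id, (owner, _, _) in self.vms.items():
            if owner == user:
                self._withdraw(vm_id)

    def flows_on(self, ane_id: str, vm_id: str) -> List[str]:
        return list(self._element(ane_id).flows.get(vm_id, []))


def demo_platform() -> dict:
    """Constructed scenario: one published service, two users, three VMs."""
    cp = CloudPlatform()
    cp.publish(Service("oracle-db", ("10.255.0.10", 15432), ("192.168.30.7", 1521)))
    cp.create_vm("vm-1", "alice", "ovs-host1", 3)
    before = cp.flows_on("ovs-host1", "vm-1")        # nothing: not yet authorised
    cp.authorise("alice", "oracle-db")
    cp.create_vm("vm-2", "alice", "tor-rack2", 17)   # inherits alice's authorisation
    cp.create_vm("vm-3", "bob", "ovs-host1", 4)      # bob is not authorised
    after = {vm: cp.flows_on(ane, vm) for vm, (_, ane, _) in cp.vms.items()}
    cp.delete_vm("vm-1")
    cp.terminate("alice")
    return {"before": before, "after": after,
            "after_terminate": cp.flows_on("tor-rack2", "vm-2")}
```

The `in_port` match on the VM-to-PM flow is what ties the rule to one virtual machine: a neighbouring VM on the same switch that sends to the publishing address hits no flow, which is the property the authorization list depends on.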
- The cloud platform may also have a service detection/collection capability, so that service information and information about the physical server deploying the service can be obtained promptly.
- The physical server is a single physical server or a cluster of physical servers.
- An embodiment provides a method for a virtual machine to access a physical server in a cloud computing system, in which the cloud platform performs the steps assigned to it in the system above.
- An embodiment provides a method for a virtual machine to access a physical server in a cloud computing system, in which the access network element performs the steps assigned to it in the system above.
- An embodiment provides a cloud platform having the functions of the cloud platform defined in the system above. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions described above.
- An embodiment further provides a host on which the virtual machine and the access network element defined in the system run. The access network element may be a virtual network element such as an Open vSwitch, or it may be implemented in hardware, specifically as a top-of-rack switch connected to the host.
- The host has the functions of the access network element defined in the system above, and may also have the functions of the virtual machine defined there. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions described above.
- The cloud platform and the host are implemented on general-purpose or dedicated servers whose structure includes a processor, a memory, a system bus and an input/output interface. The processor supports the system's functions by executing instructions stored in the memory, and the input/output interface communicates with the other components of the cloud computing system.
- An embodiment provides a computer storage medium storing computer software instructions for the cloud platform, including a program designed to perform the above aspects.
- An embodiment provides a computer storage medium storing computer software instructions for the host, including a program designed to perform the above aspects.
- The solution of the embodiments shields the virtual machine from the real address of the physical server that provides the service and gives the virtual machine a unified access mode, which both ensures the network security of the cloud platform and makes it more convenient for the user to access the service.
- FIG. 1A is a schematic diagram of a network architecture of a cloud computing system according to an embodiment of the present invention.
- FIG. 1B is a schematic diagram of a network architecture of another cloud computing system according to an embodiment of the present invention.
- FIG. 2 is a schematic structural diagram of the hardware of a computer device according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of the virtualization structure on a host according to an embodiment of the present invention.
- FIG. 4 is a flowchart of the packet forwarding processing when a virtual machine accesses a physical server according to an embodiment of the present invention.
- FIG. 5 is a schematic flowchart of a virtual machine accessing a service running on a physical server according to an embodiment of the present invention.
- FIG. 6 is a schematic structural diagram of a cloud platform according to an embodiment of the present disclosure.
- FIG. 7A is a schematic structural diagram of an access device according to an embodiment of the present invention.
- FIG. 7B is a schematic structural diagram of another access device according to an embodiment of the present invention.
- The network architecture and service scenario described in the embodiments serve to illustrate the technical solutions more clearly and do not limit them.
- The technical solutions provided by the embodiments apply equally to similar technical problems.
- FIG. 1A and FIG. 1B are network architecture diagrams of a cloud computing system according to an embodiment of the present invention.
- The cloud computing system includes a host 101, a cloud platform 102, a physical server 103, a network 104 and an access network element 105.
- Several virtual machines run on the host 101; through the access network element 105 they connect to the network 104 and thereby reach the cloud platform 102 and the physical server 103.
- The virtual machines running on the host 101 carry the user's workloads. The user logs in to a virtual machine with a client and then, through the network 104, accesses the services that the cloud platform 102 publishes externally; these are services running on the physical server 103, for example database services.
- A cloud computing system can be divided into an Infrastructure as a Service (IaaS) layer, a Platform as a Service (PaaS) layer and a Software as a Service (SaaS) layer.
- The services deployed on the physical server 103 are generally PaaS-layer services.
- The cloud platform 102 is the management end of the cloud computing system, used to manage the underlying devices and the services offered by the cloud provider, including managing computing, network and storage resources and carrying out monitoring, operation and maintenance.
- The cloud platform 102 also includes a service presentation page for users and a management presentation page for administrators.
- The administrator configures and manages the services deployed on the physical server through the management presentation page.
- The user logs in to the service presentation page of the cloud platform 102 to view the available services, whose information is displayed on that page.
- The service information includes the external display address of the service.
- When the VM needs to access such a service, it initiates the access request using the external display address. The external display address uniquely identifies the service deployed on the physical server and may be the publishing IP address and port corresponding to the service, or the domain name corresponding to the service.
- The cloud platform 102 records the correspondence between the publishing IP address and port and the real address of the physical server 103 where the service is deployed, and sends that correspondence to the access network element 105 of each virtual machine.
- When the external display address is the publishing IP address and port, the virtual machine starts the service access procedure with the publishing IP address and port as the destination address of the service access request.
- When the external display address is a domain name, the virtual machine first initiates domain name resolution, obtains the publishing IP address and port corresponding to the domain name from the DNS server, and then starts the service access procedure with that publishing IP address and port as the destination address of the request.
- For this, the cloud platform 102 also sends the correspondence between the domain name and the publishing IP address and port to the DNS server of the domain name system.
- The DNS server is used internally by the cloud computing system and is connected to the host 101 and the cloud platform 102 through the network 104.
- The cloud platform 102 includes an SDN (Software Defined Network) controller.
- The SDN controller in the cloud platform 102 obtains the network topology of the virtual machines and sends the network address translation (NAT) rule, in the form of a flow table, to the access network element 105 of each virtual machine. The NAT rule contains the correspondence between the publishing IP address and port and the IP address and port of the physical server 103 running the service.
- The publishing IP address and publishing port are an IP address and port specific to the service, that is, a service can be uniquely determined from its publishing IP address and port.
- The publishing IP address may be a reserved address.
- TCP Transmission Control Protocol
- UDP User Datagram Protocol
- The external display address of a given service is the same for all users.
- The cloud platform 102 can have the following functions:
- an operation and maintenance function, that is, the system administrator can configure and manage services through the management presentation interface provided by the cloud platform 102;
- a monitoring function, that is, monitoring the physical servers in real time and learning when services go online or offline;
- a network information acquisition function, that is, acquiring the network topology of the virtual machines running on the host 101 and obtaining the IP address and port of the physical server 103 running each service;
- a service publishing function, that is, presenting service information to the user through the service presentation interface.
- The cloud platform 102 can also have functions such as service billing and alarms.
- Physical server 103: the physical server on which the above services are deployed, which may be a single physical server or a server cluster.
- The virtual machine reaches the physical server 103 through the network 104 to access the services running on it.
- When the service is deployed on a cluster, the real address of the physical server is the address that the physical server cluster presents externally.
- When the cluster is in active/standby mode, the active and standby physical servers share the same address, and that shared address is the one the cluster presents externally; when several physical servers form a cluster, the virtual IP address of the primary node is presented externally as the address of the cluster.
- When a virtual machine's service access request is routed to the externally presented address of the physical server cluster, it can be served by a server in the cluster in a load-balanced manner.
- The implementation of the server cluster is not limited, as long as the service access request can be routed to the cluster through the address it presents; load balancing inside the cluster can use any of a variety of prior-art approaches.
- On receiving the service access request from the virtual machine, the physical server 103 processes it and returns a service access response.
- For example, the service access request may be a database query request initiated by the virtual machine against a database service deployed on the physical server 103, carrying a query condition.
- When the database query request is routed to the physical server 103, the physical server 103 produces the query result according to the query condition, places the result in the service access response and returns the response to the virtual machine.
- The embodiments do not limit the type or purpose of the service access request, nor the specific way in which the physical server 103 processes it.
- The various service access requests common in the prior art can be used in the present invention, and the prior-art methods by which a physical server processes a service access request may be used directly in the embodiments.
- The access network element 105 may be a virtual network element running on the host 101 (for example an Open vSwitch) or a top-of-rack (TOR) switch of the host; it connects to the virtual machines and provides them with network access.
- The access network element 105 can sit in the virtualization layer of the host 101, as in FIG. 1A, or, as in FIG. 1B, be a top-of-rack switch physically connected to the host 101.
- A top-of-rack switch is an independent hardware device. In a given deployment a host may have a top-of-rack switch to itself, several hosts may share one top-of-rack switch, or several hosts may share several top-of-rack switches; the embodiments do not limit this.
- A NAT rule is configured on the access network element. The NAT rule contains the correspondence between the publishing IP address and port corresponding to the service and the IP address and port of the physical server, and it can cover both directions, from the VM and towards the VM. Throughout the embodiments, the IP address and port of the physical server are its real IP address and port, which differ from the publishing IP address and port corresponding to the service.
- The NAT rule may be implemented with iptables on a Linux system or with a flow table delivered by the SDN controller.
- The specific implementation is not limited by the embodiments.
- A VM in the IaaS layer of a cloud platform vendor accesses a PaaS service running on a PM over the network.
- When the IaaS and the PaaS are provided by different vendors, the IaaS can be decoupled from the PaaS service running on the PM, which facilitates rapid integration of IaaS and PaaS.
- The method by which the virtual machine accesses the physical server in the embodiments makes the real address of the physical server invisible to the virtual machine, thereby shielding the physical server from the virtual machine and improving the security of the cloud computing system.
- The physical server presents the same external display address to everyone.
- Different users thus get the same way of accessing a service running on the physical server, the access address is normalized, and the cloud platform can deploy new services on physical servers more efficiently.
- The cloud platform controls the deployment on the physical server. After a service is running on the physical server, the cloud platform publishes information about it. The user can view the published service through the service presentation interface provided by the cloud platform and submit a service application, which the cloud platform approves or rejects. If the application is approved, authorization information is returned to the user; it may include the user identifier, virtual machine identifier, permissions and the account and password assigned to the user. The cloud platform records the user's information, including the information of each virtual machine the user uses.
- The cloud platform can authorize access to the service on the physical server at user granularity, so that every virtual machine of the user can reach the server; it can also authorize at virtual machine granularity, that is, authorize the user to access the service through specific virtual machines only.
- After authorization, the cloud platform determines the list of authorized virtual machines and delivers the NAT rule to the access network element connected to each of them; the NAT rule converts the external display address of the service into the address of the physical server.
- The access network element may be the network element to which the virtual machine is attached, or the network element that performs tunnel encapsulation for the virtual machine.
- the cloud platform, the host, the physical server deploying the service, and the access network element in the cloud computing system shown in FIG. 1A and FIG. 1B can be implemented by hardware/software. Illustratively, FIG. 2 shows a computer device 200 provided by an embodiment of the present invention.
- the computer device 200 includes at least one processor 201, a communication bus 202, a memory 203, and at least one communication interface 204.
- the processor 201 can be a general purpose central processing unit (CPU) or microprocessor that executes the instructions in the memory 203 to implement the functions of the various devices described above.
- Communication bus 202 can include a path for communicating information between the components described above.
- the communication interface 204 uses any transceiver-like device for communicating with other devices or communication networks, such as Ethernet, Radio Access Network (RAN), Wireless Local Area Networks (WLAN), and the like.
- the memory 203 can be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disc storage, disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
- the memory can exist independently and be connected to the processor via a bus.
- the memory 203 is used to store application code for executing the solution of the present invention, and is controlled by the processor 201 for execution.
- the processor 201 is configured to execute application code stored in the memory 203.
- processor 201 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 2.
- computer device 200 can include multiple processors, such as processor 201 and processor 208 in FIG. 2. Each of these processors can be a single-CPU processor or a multi-core processor.
- a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data, such as computer program instructions.
- computer device 200 may also include an output device 205 and an input device 206.
- Output device 205 is in communication with processor 201 and can display information in a variety of ways.
- the output device 205 can be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector.
- Input device 206 is in communication with processor 201 and can accept user input in a variety of ways.
- input device 206 can be a mouse, keyboard, touch screen device or sensing device, and the like.
- the computer device 200 described above can be a general purpose computer device or a special purpose computer device.
- the computer device 200 can be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet, a wireless terminal device, a communication device, an embedded device, or a device having a structure similar to that of FIG. 2.
- Embodiments of the invention do not limit the type of computer device 200.
- the cloud platform, the host, the physical server for deploying the service, and the access network element in FIG. 1A and FIG. 1B may be the device shown in FIG. 2, and the memory stores one or more software modules for implementing the functions of the cloud platform, the host, the physical server that deploys the service, and the access network element (for example, the NAT translation function).
- the cloud platform, the host, the physical server deploying the service, and the access network element can implement a method for the virtual machine to access the service deployed on the physical server through the processor and the program code in the memory.
- FIG. 2 merely gives possible hardware implementations of the various parts of the cloud computing system; hardware components of the computer device may be added or removed according to the different functions or changes of the various parts of the system, in order to match the functions of those parts.
- FIG. 3 is a schematic diagram of a virtualization structure on a host provided by an embodiment of the present invention.
- the host is a physical server.
- the bottom layer of the host is the hardware layer.
- the hardware layer mainly includes hardware resources such as a central processing unit (CPU), memory, hard disk, and physical network card.
- Server virtualization uses virtualization software on the physical server (e.g. VMware ESX, Citrix XEN) to implement a virtualized running environment for multiple virtual machines (VMs).
- the software layer installed on the server to implement the virtualized environment is called Virtual Machine Monitor (VMM).
- the VMM running on top of the hardware layer assumes the scheduling, allocation, and management of hardware resources in the hardware layer. Multiple virtual machine VMs are run on the VMM.
- the VMM provides virtualized CPU, memory, storage, IO devices (such as physical network cards) and Ethernet switches for each virtual machine to ensure that multiple virtual machines run in isolation.
- the VMM creates a virtual network interface card (vNIC) for each virtual machine.
- the virtual switch vSwitch provides communication between virtual machines and between virtual machines and external networks.
- the virtual NIC of each virtual machine corresponds to a virtual port of the vSwitch.
- the physical NIC of the host corresponds to the port that the vSwitch connects to the external top-of-rack switch.
- the dashed lines in Figure 3 represent logical connections in the virtual network and the solid lines represent physical connections.
- in one implementation, the function of the access network element is implemented by a virtual switch (vSwitch): the cloud platform sends the NAT rule of the virtual machine to the virtual switch, which configures the NAT rule on the virtual port connected to the virtual machine. When the virtual switch receives a service access request from the virtual machine, it uses the NAT rule to translate the destination address of the request, which is the publishing IP address and publishing port corresponding to the service, so that the service access request is routed to the physical server where the service is deployed.
- in another implementation, the function of the access network element is implemented by a top-of-rack switch connected to the host: the cloud platform delivers the NAT rule of the virtual machine to the top-of-rack switch, which configures the NAT rule for the virtual machine. When the top-of-rack switch receives a service access request from the virtual machine, it uses the NAT rule to translate the destination address of the request, which is the publishing IP address and publishing port corresponding to the service, so that the service access request is routed to the physical server where the service is deployed.
- NAT translation is performed on the address of the physical server: in the direction from the VM to the physical server, the destination address of the packet (the publishing IP address and publishing port corresponding to the service) is translated, and in the direction from the physical server to the VM, the source address of the packet is modified to the publishing IP address and publishing port corresponding to the service.
- the routing of the packet between the host and the physical server is performed in the existing standard manner, which is not limited by the embodiment of the present invention, as long as the packet can be routed to the physical server according to the publishing IP address and the publishing port.
- the packet forwarding processing process of the virtual machine accessing the physical server includes:
- Step 401 The external display address of the service running on the physical server is visible to the virtual machine, and the virtual machine sends a service access request to the physical server.
- the destination address of the service access request is a publishing IP address and an issuance port corresponding to the service.
- the external display address includes a publishing IP address and an issuing port, and the publishing IP address and the publishing port may uniquely identify a service running by the physical server;
- alternatively, the external display address is a domain name.
- the domain name can uniquely identify a service run by the physical server.
- the virtual machine initiates a domain name resolution operation on the domain name, and obtains a publishing IP address and a publishing port corresponding to the service run by the physical server.
- after the virtual machine obtains the publishing IP address and the publishing port corresponding to the service run by the physical server, it initiates the service access request with the publishing IP address and the publishing port as the destination address.
- Step 402 The access network element receives the service access request, and replaces the destination address carried by the request packet with the IP address and port of the physical server running the service according to the NAT rule, where the NAT rule includes the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service.
- the NAT rule may be a flow table delivered by an SDN controller in the cloud platform.
- Step 403 The NAT-transformed service access request is routed through the network to the physical server running the service.
- Step 404 The physical server receives a service access request of the virtual machine, and returns a service response message to the virtual machine.
- in one implementation, the source address of the service response packet sent by the physical server is the publishing IP address and publishing port corresponding to the service. This requires modifying the physical server so that it records the publishing IP address and publishing port corresponding to the service and sets them as the source address of the returned response message.
- with this modification, the access network element does not need to replace the source address of the service response packet after receiving it, while the virtual machine still cannot obtain the real address of the physical server; the efficiency of the virtual machine accessing the service on the physical server is thereby improved.
- in another implementation, the source address of the service response packet sent by the physical server is the real IP address and port of the physical server. The service response packet is routed to the access network element through the network, and the access network element replaces the source address of the service response packet with the publishing IP address and publishing port corresponding to the service according to the NAT rule and returns the service response packet to the virtual machine.
- the virtual machine can access the physical server running the service.
- the same service has the same external display address, which unifies the access mode of the virtual machine.
- the real address of the physical server is invisible to the virtual machine, which ensures the network security of the physical server.
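The request/response translation of steps 401-404 at the access network element, as an added illustration (not code from the patent): a vSwitch or top-of-rack switch holds per-virtual-port NAT rules, rewrites the destination of requests and the source of responses, passes through a response whose source is already the publishing address, and drops traffic from a virtual port that has no rule. All addresses, port names and the `AccessNetworkElement` class are constructed for this example.

```python
"""Added example (not the patent's own code): NAT handling at the access
network element for steps 401-404 / 510-515. All values are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class NatRule:
    """Correspondence between a service's publishing IP:port and the real
    IP:port of the physical server running it, delivered by the cloud platform."""
    publishing: Endpoint
    server: Endpoint


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


class AccessNetworkElement:
    """vSwitch or top-of-rack switch. Rules are keyed by the virtual port the VM
    is attached to, so a VM that was never authorised has no rule and is dropped."""

    def __init__(self) -> None:
        self._rules: Dict[str, Dict[Endpoint, NatRule]] = {}

    def install_rule(self, vm_port: str, rule: NatRule) -> None:
        """Step 509: record the NAT rule delivered by the cloud platform."""
        self._rules.setdefault(vm_port, {})[rule.publishing] = rule

    def delete_rules(self, vm_port: str) -> None:
        """Called when the cloud platform terminates the VM's authorisation."""
        self._rules.pop(vm_port, None)

    def forward_request(self, vm_port: str, pkt: Packet) -> Optional[Packet]:
        """Step 402/511: rewrite destination publishing IP:port to the real server IP:port."""
        rule = self._rules.get(vm_port, {}).get(pkt.dst)
        if rule is None:
            return None  # no (VM, service) rule: the request is dropped
        return Packet(src=pkt.src, dst=rule.server, payload=pkt.payload)

    def forward_response(self, vm_port: str, pkt: Packet) -> Optional[Packet]:
        """Step 515: rewrite the real server IP:port back to the publishing IP:port.
        A server that already stamped the publishing address as source (the first
        variant above) needs no translation and is passed through unchanged."""
        rules = self._rules.get(vm_port, {})
        if pkt.src in rules:
            return pkt
        for rule in rules.values():
            if rule.server == pkt.src:
                return Packet(src=rule.publishing, dst=pkt.dst, payload=pkt.payload)
        return None  # response from an address no rule covers: dropped


def demo() -> dict:
    """One request/response exchange; reports what the VM and the server observed."""
    # Constructed sample addresses, not values from the patent.
    publishing = ("10.200.0.10", 3306)    # external display address of a database service
    real_server = ("192.168.50.7", 3306)  # real address of the physical server
    vm_addr = ("10.10.1.23", 51000)

    ne = AccessNetworkElement()
    ne.install_rule("vport-1", NatRule(publishing, real_server))

    req = Packet(src=vm_addr, dst=publishing, payload=b"SELECT 1")
    to_server = ne.forward_request("vport-1", req)
    resp = Packet(src=real_server, dst=vm_addr, payload=b"ok")  # server answers from real address
    to_vm = ne.forward_response("vport-1", resp)
    dropped = ne.forward_request("vport-2", req)  # a port with no rule: unauthorised VM

    return {
        "server_saw_dst": to_server.dst if to_server else None,
        "vm_saw_src": to_vm.src if to_vm else None,
        "vm_learned_real_address": to_vm is not None and to_vm.src == real_server,
        "unauthorised_dropped": dropped is None,
    }


if __name__ == "__main__":
    print(demo())
```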
- when the authorization is terminated, the cloud platform deletes the recorded authorization information of the user, terminates the service authorization, and notifies the access network element connected to the virtual machine to delete the NAT rule associated with the user.
- when the virtual machine is live-migrated, the NAT rule corresponding to the virtual machine is migrated with it. The migration can be implemented through a migration tool, or by having the SDN controller dynamically send an OpenFlow flow table, among other methods, to ensure continuous access to the services on the physical server while the virtual machine is migrated.
- in one implementation, the access network element used before the virtual machine is migrated establishes a connection with the access network element used after the migration and sends it the NAT rule corresponding to the virtual machine;
- in another implementation, the SDN controller obtains the address of the access network element used after the virtual machine is migrated and sends the NAT rule to that access network element in the form of a flow table, to ensure that the virtual machine can access the service normally after the migration. To ensure that the virtual machine's access to the service is not interrupted during the migration, tools such as conntrackd can be used to transfer the connection state information of the virtual machine to host 2.
- the physical server running the service may be a single physical server or a cluster of physical servers with high availability.
- the server cluster may be implemented according to the performance requirements of the service based on existing tools or protocols, which is not limited by the embodiment of the present invention.
- when the physical server is a server cluster, it may specifically be a shared service cluster or a single-instance service cluster; the shared service cluster is a cluster of physical servers on which users are isolated from each other based on user access rights, and the single-instance service cluster likewise provides access based on user access rights.
- the service access methods provided by the embodiments of the present invention are applicable.
- FIG. 5 provides a schematic diagram of a process for a virtual machine to access a service running on a physical server, including a service deployment phase, a service application phase, and a service access phase.
- Step 501 After the physical server is online, deploy one or more services provided to the virtual machine on the physical server.
- These services can be deployed on a single physical server or on a cluster of highly available physical servers.
- the cloud platform administrator configures the physical server through the management presentation interface and deploys the service on the physical server.
- the specific process may adopt an existing solution, which is not limited by the embodiment of the present invention.
- Step 502 The cloud platform records an IP address and a port of a physical server running the service.
- when the service is deployed on a single physical server, the virtual machine accesses that physical server to access the service, and the cloud platform records its IP address and port; when the service is deployed on a physical server cluster, the IP address and port recorded by the cloud platform are those that the physical server cluster presents externally.
- for example, when the cluster is in active/standby mode, the primary and standby physical servers have the same IP address and port, and this shared IP address and port is the externally presented address of the physical server cluster. Alternatively, when multiple physical servers form a cluster, the virtual IP address and virtual port of the primary node in the cluster are externally presented as the address of the physical server cluster.
- Step 503 The cloud platform allocates an external display address to the service, and the external display address can uniquely identify the service.
- the external display address includes a publishing IP address and a publishing port.
- alternatively, the external display address is a domain name corresponding to the service; the cloud platform also assigns a publishing IP address and a publishing port to the service and establishes a mapping between the domain name and the publishing IP address and publishing port.
- the cloud platform records the IP address and port of the physical server, the identifier of the service running by the physical server, and the association between the publishing IP address and the publishing port corresponding to the service. Further, when the external display address is a domain name corresponding to the service, the association relationship may further include a domain name corresponding to the service.
- Step 504 After the service deployment is completed, the cloud platform externally issues service information, where the service information includes an external display address of the service.
- Step 505 The user queries the services provided by the cloud platform, and initiates a service application request to the cloud platform.
- the service presentation interface of the cloud platform is visible to the user; the user logs in to the service presentation interface by using the virtual machine to query the service information, and initiates a service application request to the cloud platform, where the service application request can carry the identifier of the service applied for, the user identifier, the virtual machine identifier, etc. It should be noted that the embodiment of the present invention does not limit the content carried in the service application request, as long as the cloud platform can obtain from it the information required to perform the service approval.
- Step 506 The cloud platform approves the service application request, and after the approval is passed, records the user's authorization information, where the authorization information includes a user identifier, a virtual machine identifier, permissions, an account and a password assigned to the user, and the like.
- after receiving the service application request from the user, the cloud platform can approve it automatically or have it approved manually by the administrator.
- if the approval fails, the cloud platform returns the reason for the failure to the virtual machine.
- after the service application request is approved, the cloud platform returns the authorization information to the virtual machine.
- the service authorization may be user-granular, that is, after the user's service application request is approved, all the virtual machines belonging to the user may access the service, and the authorization information may not include the virtual machine identifier;
- the authorization may be virtual machine granularity, that is, the qualified user can only access the service through the virtual machine that obtains the approval.
- the authorization information may not include the user identifier.
- the authority in the authorization information refers to the operation authority of the user to access the service.
- the authority in the authorization information may be used to restrict the user to only have the query permission of the database service, or to grant the user the update authority for the database service.
- Step 507 The cloud platform returns a service application response to the virtual machine.
- the service application response includes the external display address of the service, the authorization information, and the like.
- Step 508 The cloud platform sends a NAT rule to the access network element of the virtual machine, where the NAT rule includes the correspondence between the IP address and port of the physical server running the service and the publishing IP address and publishing port corresponding to the service.
- Step 509 The access network element of the virtual machine receives and records the NAT rule, and is used for processing subsequent data packets.
- Step 510 The virtual machine sends a service access request, where the destination address of the service access request is a publishing IP address and an issuance port corresponding to the service.
- the external display address of the service can be a domain name.
- the cloud platform may send the correspondence between the domain name and the publishing IP address corresponding to the service to the domain name system (DNS) server through a registration process; the virtual machine initiates a domain name resolution operation and acquires the publishing IP address and publishing port corresponding to the service from the DNS server according to the domain name.
- the DNS server is an internal DNS server of the cloud computing system.
- Step 511 The access network element receives the service access request, and replaces the destination address of the service access request with the IP address and port of the physical server running the service according to the NAT rule, where the NAT rule includes the correspondence between the IP address and port of the physical server running the service and the publishing IP address and publishing port.
- Step 512 The NAT-translated service access request is routed through the network to the physical server running the service.
- Step 513 The physical server receives the service access request of the virtual machine, and returns a service response message, where the source address of the service response message is an IP address and a port of the physical server.
- Step 514 The service response packet is routed to the access network element through a network.
- Step 515 The access network element replaces the source address of the service response packet with the publishing IP address and the publishing port corresponding to the service according to the NAT rule, and returns the service response packet to the virtual machine.
- the method for accessing a physical server by a virtual machine can shield the virtual machine from the real IP address of the physical server that provides the service, and provide a unified access mode to the virtual machine, thereby ensuring the network security of the cloud platform and improving the convenience with which the user accesses the service.
- the same access mode is configured for the same service, which reduces the complexity of deploying, operating and maintaining services on the physical server, and the user does not need to pay attention to the on-line, operation and maintenance, upgrade, and high-availability functions of the physical server;
- the tunneling technology such as Vxlan is not required in the process, and the transmission efficiency is higher.
- the access NEs connected to each virtual machine implement NAT rules, which improves the concurrent processing efficiency of massive users' secure access to PAAS services.
- the user can log in to the service presentation interface provided by the cloud platform, view the service information, and initiate a service application.
- the cloud platform can authenticate the service request from the virtual machine, and the specific authentication mode can be the account password mode or other manners, which is not limited by the embodiment of the present invention.
- the cloud platform can control the access of the virtual machine to the service by the granularity of the user, the virtual machine, or the host.
- the cloud platform can perform service authorization for the user, so that the virtual machines belonging to the user can access the service; or the cloud platform performs service access authorization for the virtual machine, and each virtual machine accesses the service on the physical server with a different IP address; or multiple virtual machines on one host share an IP address and access the service on the physical server with the same IP address presented by the cloud platform, with different virtual machines on the same host distinguished by different message ports.
- the cloud platform may also terminate the service access authorization of the virtual machine; the termination may be caused by the user actively initiating a termination application or by the cloud platform determining that the user is in arrears.
- the cloud platform sends a delete message to the access network element where the virtual machine is located, deletes the NAT rule of the virtual machine recorded on the access network element, deletes the user information recorded in the cloud platform, and stops the user's access authorization.
- the cloud platform can retain a copy of the user's data for a certain period of time; within that reasonable period of validity, the user can choose to renew and continue to use the service provided by the physical machine (PM).
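The control-plane side of steps 501-509 together with the user- versus virtual-machine-granularity authorization, new-VM creation, authorization termination and NAT-rule migration described above, as an added model (not code from the patent): the cloud platform allocates a publishing address per service, records the correspondence to the real server address, and delivers or withdraws per-VM rules on each VM's access network element. The class and method names, the publishing IP 10.200.0.10 and the account/password values are constructed for this example.

```python
"""Added example (not the patent's own code): cloud platform control plane for
steps 501-509, authorization granularity, termination and migration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]              # (IP address, port)
Rule = Tuple[str, Endpoint, Endpoint]   # (vm_id, publishing address, server address)


@dataclass
class Service:
    service_id: str
    server: Endpoint            # real address of the physical server or cluster
    publishing: Endpoint        # allocated publishing IP address and port
    domain: Optional[str] = None


@dataclass
class Authorization:
    user_id: str
    service_id: str
    permissions: Set[str]       # e.g. {"query"} or {"query", "update"}
    vm_id: Optional[str]        # None = user granularity, else VM granularity
    account: str
    password: str               # placeholder value in this model


class CloudPlatform:
    def __init__(self, publishing_ip: str = "10.200.0.10") -> None:
        self.publishing_ip = publishing_ip  # constructed publishing IP
        self._next_port = 30000
        self.services: Dict[str, Service] = {}
        self.user_vms: Dict[str, Set[str]] = {}
        self.vm_ne: Dict[str, str] = {}     # VM -> access network element it hangs off
        self.authorizations: List[Authorization] = []
        self.delivered: Dict[str, Set[Rule]] = {}  # rules each access NE holds

    def register_service(self, service_id: str, server: Endpoint,
                         domain: Optional[str] = None) -> Service:
        """Steps 502-503: record the server address and allocate a unique publishing IP:port."""
        svc = Service(service_id, server, (self.publishing_ip, self._next_port), domain)
        self._next_port += 1
        self.services[service_id] = svc
        return svc

    def add_vm(self, user_id: str, vm_id: str, ne_id: str) -> None:
        """Record a VM of the user; a VM created after a user-granularity approval
        inherits the user's NAT rules on its own access NE."""
        self.user_vms.setdefault(user_id, set()).add(vm_id)
        self.vm_ne[vm_id] = ne_id
        for auth in self.authorizations:
            if auth.user_id == user_id and auth.vm_id is None:
                self._deliver(vm_id, self.services[auth.service_id])

    def approve(self, user_id: str, service_id: str, permissions: Iterable[str],
                vm_id: Optional[str] = None) -> Authorization:
        """Steps 506-509: record the authorization and push the NAT rule to the
        access NE of every VM it covers."""
        if vm_id is not None and vm_id not in self.user_vms.get(user_id, set()):
            raise ValueError("virtual machine does not belong to the applying user")
        auth = Authorization(user_id, service_id, set(permissions), vm_id,
                             account=f"{user_id}@{service_id}", password="<assigned>")
        self.authorizations.append(auth)
        for vm in self._covered_vms(auth):
            self._deliver(vm, self.services[service_id])
        return auth

    def terminate(self, user_id: str, service_id: str) -> None:
        """Delete the recorded authorization and have each access NE drop the rule."""
        svc = self.services[service_id]
        remaining = []
        for auth in self.authorizations:
            if auth.user_id == user_id and auth.service_id == service_id:
                for vm in self._covered_vms(auth):
                    self.delivered.get(self.vm_ne[vm], set()).discard((vm, svc.publishing, svc.server))
            else:
                remaining.append(auth)
        self.authorizations = remaining

    def migrate_vm(self, vm_id: str, new_ne: str) -> None:
        """Move the VM's NAT rules from the old access NE to the new one."""
        old_ne = self.vm_ne[vm_id]
        moved = {r for r in self.delivered.get(old_ne, set()) if r[0] == vm_id}
        self.delivered[old_ne] = self.delivered.get(old_ne, set()) - moved
        self.vm_ne[vm_id] = new_ne
        self.delivered.setdefault(new_ne, set()).update(moved)

    def rules_on(self, ne_id: str) -> Set[Rule]:
        return set(self.delivered.get(ne_id, set()))

    def _covered_vms(self, auth: Authorization) -> Set[str]:
        if auth.vm_id is not None:
            return {auth.vm_id}
        return set(self.user_vms.get(auth.user_id, set()))

    def _deliver(self, vm_id: str, svc: Service) -> None:
        self.delivered.setdefault(self.vm_ne[vm_id], set()).add((vm_id, svc.publishing, svc.server))
```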
- FIG. 6 is a schematic structural diagram of a cloud platform according to an embodiment of the present invention, including a processing unit 601, a publishing unit 602, a receiving unit 603, and a sending unit 604:
- the processing unit 601 is configured to allocate to the service a publishing IP address and a publishing port corresponding to the service, and to record the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service;
- the publishing unit 602 is configured to publish the service;
- the receiving unit 603 is configured to receive a service application request sent by the virtual machine;
- the sending unit 604 is configured to send a NAT rule to an access network element of the virtual machine, where the NAT rule includes the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service, and where the virtual machine accesses the network of the cloud computing system through the access network element.
- the cloud platform externally releases the service information through the foregoing publishing unit, specifically:
- the publishing unit 602 is specifically configured to provide a service presentation interface to the virtual machine and display service information, where the service information includes the external display address of the service.
- the external display address includes a domain name corresponding to the service, or a publishing IP address and an issuance port corresponding to the service.
- the external display address can uniquely identify the service.
- the cloud computing system further includes a DNS server, which is a DNS server used internally by the cloud computing system; the host running the virtual machine, the cloud platform, and the DNS server are connected through a network, and the cloud platform completes the registration of the domain name with the DNS server:
- the sending unit 604 is further configured to deliver the domain name, the publishing IP address, and the publishing port to the domain name system DNS server.
- the sending unit 604 is further configured to return a service application response to the virtual machine, where the service application response carries the external display address.
- the processing unit 601 is further configured to record authorization information of a user to which the virtual machine belongs, where the authorization information of the user includes a user identifier, a virtual machine identifier, and an account and password assigned to the user.
- the receiving unit 603 is further configured to receive a virtual machine creation request.
- the processing unit 601 is further configured to create another virtual machine for the user according to the virtual machine creation request;
- the sending unit 604 is further configured to deliver the NAT rule to an access network element that is connected to the another virtual machine after the another virtual machine is created.
- the processing unit 601 is further configured to terminate service authorization for the virtual machine;
- the sending unit 604 is further configured to send a delete message to the access network element, to notify the access network element to delete the NAT rule of the virtual machine.
- an access device implements the function of an access network element in the foregoing system, where the access device includes:
- a client sending unit 701 configured to forward a service application request of the virtual machine to the cloud platform;
- a client receiving unit 702 configured to receive a NAT rule of the virtual machine returned by the cloud platform after the service application request is approved, the NAT rule including the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service, wherein the virtual machine accesses the network of the cloud computing system through the access network element;
- the client sending unit 701 is further configured to receive a service access request sent by the virtual machine, where the destination address of the service access request is the publishing IP address and the publishing port corresponding to the service;
- the client processing unit 703 is configured to replace, according to the NAT rule, a destination address of the service access request with an IP address and a port of the physical server;
- the client sending unit 701 is further configured to route the modified service access request to the physical server;
- the client receiving unit 702 is further configured to receive a service response message returned by the physical server;
- client processing unit 703 is further configured to replace the source address of the service response message with the publishing IP address and the publishing port corresponding to the service according to the NAT rule;
- the client sending unit 701 is further configured to send the modified service response message to the virtual machine.
- in one possible design, the access device is a functional component on the host in the foregoing system, and a central processor on the host running instructions implements the foregoing functions of the access device; alternatively, as shown in FIG. 7B, the access device may be a top-of-rack switch as described in the foregoing system, and the top-of-rack switch may be a physical device independent of the host. In another possible design, the top-of-rack switch may be a component of one of the hosts.
- the aforementioned cloud platform and access device can be implemented by using a computer device as shown in FIG. 2.
- An embodiment of the present invention further provides a computer storage medium for storing computer software instructions for use in the apparatus shown in Figures 6 and 7 above, including a program designed to execute the above method embodiments.
- by executing the stored program, a method for a virtual machine to access a service deployed on a physical server can be implemented.
- the method, apparatus, and system for accessing a physical server by a virtual machine can shield the virtual machine from the real IP address of the physical server that provides the service, and provide a unified access mode to the virtual machine, thereby ensuring the network security of the cloud platform and improving the convenience of users accessing services.
- further, configuring the same access mode for the same service reduces the complexity of deploying, operating and maintaining services on the physical server, and the user does not need to pay attention to the on-line, operation and maintenance, upgrade, and high-availability functions of the physical server.
- the virtual machine accesses the physical server without tunneling technology such as Vxlan, and the transmission efficiency is higher.
- the access network element connected to each virtual machine executes the NAT rule, which improves the concurrent processing efficiency of massive numbers of users securely accessing PaaS services.
- embodiments of the present invention can be provided as a method, apparatus (device), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
- the computer program is stored/distributed in a suitable medium, provided with other hardware or as part of the hardware, or in other distributed forms, such as over the Internet or other wired or wireless telecommunication systems.
- the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
- the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
- These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
- the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Claims (22)
- A cloud computing system, characterized in that the system comprises a cloud platform, at least one physical server, at least one host, and at least one access network element, wherein the host, the physical server and the cloud platform communicate with one another, at least one virtual machine runs on the host, the virtual machine accesses the physical server through the access network element, and a service is deployed on the physical server; the cloud platform is configured to allocate to the service a publishing IP address and publishing port corresponding to the service, record the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service, and publish the service; the cloud platform is further configured to receive a service application request sent by the virtual machine and send a NAT rule to the access network element, the NAT rule comprising the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service; the access network element is configured to receive a service access request sent by the virtual machine, the destination address of the service access request being the publishing IP address and publishing port corresponding to the service; and the access network element is further configured to replace, according to the NAT rule, the destination address of the service access request with the IP address and port of the physical server, route the modified service access request to the physical server, and receive a service response message returned by the physical server.
- The system according to claim 1, characterized in that the source address of the service response message is the IP address and port of the physical server, and the access network element is further configured to replace, according to the NAT rule, the source address of the service response message with the publishing IP address and publishing port corresponding to the service, and send the modified service response message to the virtual machine.
- The system according to claim 1 or 2, characterized in that the cloud platform is further configured to provide a service presentation interface to the virtual machine and display service information, the service information comprising an external display address of the service.
- The system according to claim 3, characterized in that the external display address comprises a domain name corresponding to the service, or the publishing IP address and publishing port corresponding to the service.
- The system according to claim 4, characterized in that, when the external display address of the service is the domain name corresponding to the service, the cloud platform is further configured to deliver to a domain name system (DNS) server the correspondence between the domain name and the publishing IP address and publishing port; and the virtual machine is configured to initiate a domain name resolution operation and obtain, according to the domain name, the publishing IP address and publishing port corresponding to the service from the DNS server.
- The system according to any one of claims 3 to 5, characterized in that the cloud platform is further configured to return a service application response to the virtual machine, the service application response carrying the external display address.
- The system according to claim 6, characterized in that the cloud platform is further configured to record authorization information of the user to whom the virtual machine belongs, the authorization information of the user comprising a user identifier, a virtual machine identifier, and an account and password allocated to the user.
- The system according to claim 7, characterized in that the cloud platform is further configured to receive a virtual machine creation request, create another virtual machine for the user, and deliver the NAT rule to the access network element to which the other virtual machine is connected.
- The system according to any one of claims 1 to 8, characterized in that the cloud platform is further configured to terminate the service authorization for the virtual machine and send a deletion message to the access network element, notifying the access network element to delete the NAT rule of the virtual machine.
- A method for a virtual machine to access a physical server in a cloud computing system, characterized by comprising: a cloud platform allocating to a service a publishing IP address and publishing port corresponding to the service, recording the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service, and publishing the service; the cloud platform receiving a service application request sent by a virtual machine and sending a NAT rule to the access network element of the virtual machine, the NAT rule comprising the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service, wherein the virtual machine accesses the network of the cloud computing system through the access network element; the access network element receiving a service access request sent by the virtual machine, the destination address of the service access request being the publishing IP address and publishing port corresponding to the service; the access network element replacing, according to the NAT rule, the destination address of the service access request with the IP address and port of the physical server, and routing the modified service access request to the physical server; and the access network element receiving a service response message returned by the physical server and sending the service response message to the virtual machine.
- The method according to claim 10, characterized in that the cloud platform publishing the service comprises: the cloud platform providing a service presentation interface to the virtual machine and displaying service information, the service information comprising an external display address of the service.
- The method according to claim 11, characterized in that the external display address comprises a domain name corresponding to the service, or the publishing IP address and publishing port corresponding to the service.
- The method according to claim 12, characterized in that, when the external display address of the service is the domain name corresponding to the service, before the cloud platform receives the service application request sent by the virtual machine, the method further comprises: the cloud platform delivering to a domain name system (DNS) server the correspondence between the domain name and the publishing IP address and publishing port, so that when the virtual machine initiates a domain name resolution operation, it obtains, according to the domain name, the publishing IP address and publishing port corresponding to the service from the DNS server.
- The method according to any one of claims 11 to 13, characterized in that, after the cloud platform receives the service application request sent by the virtual machine, the method further comprises: the cloud platform returning a service application response to the virtual machine, the service application response carrying the external display address.
- The method according to claim 14, characterized in that, after the service application request is approved, the method further comprises: the cloud platform recording authorization information of the user to whom the virtual machine belongs, the authorization information of the user comprising a user identifier, a virtual machine identifier, and an account and password allocated to the user.
- The method according to claim 15, characterized in that the method further comprises: the cloud platform receiving a virtual machine creation request, creating another virtual machine for the user, and delivering the NAT rule to the access network element to which the other virtual machine is connected.
- The method according to any one of claims 10 to 16, characterized in that the method further comprises: the cloud platform terminating the service authorization for the virtual machine and sending a deletion message to the access network element, notifying the access network element to delete the NAT rule of the virtual machine.
- A method for a virtual machine to access a physical server in a cloud computing system, characterized by comprising: an access network element forwarding a service application request of a virtual machine to a cloud platform; the access network element receiving the NAT rule of the virtual machine returned by the cloud platform after the service application request is approved, the NAT rule comprising the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service, wherein the virtual machine accesses the network of the cloud computing system through the access network element; the access network element receiving a service access request sent by the virtual machine, the destination address of the service access request being the publishing IP address and publishing port corresponding to the service; and the access network element replacing, according to the NAT rule, the destination address of the service access request with the IP address and port of the physical server, routing the modified service access request to the physical server, and receiving a service response message returned by the physical server.
- The method according to claim 18, characterized in that the source address of the service response message is the IP address and port of the physical server, and the method further comprises: the access network element replacing, according to the NAT rule, the source address of the service response message with the publishing IP address and publishing port corresponding to the service, and sending the modified service response message to the virtual machine.
- An access apparatus, characterized by comprising: a client sending unit, configured to forward a service application request of a virtual machine to a cloud platform; a client receiving unit, configured to receive the NAT rule of the virtual machine returned by the cloud platform after the service application request is approved, the NAT rule comprising the correspondence between the publishing IP address and publishing port and the IP address and port of the physical server running the service, wherein the virtual machine accesses the network of the cloud computing system through the access network element; the client sending unit being further configured to receive a service access request sent by the virtual machine, the destination address of the service access request being the publishing IP address and publishing port corresponding to the service; a client processing unit, configured to replace, according to the NAT rule, the destination address of the service access request with the IP address and port of the physical server; the client sending unit being further configured to route the modified service access request to the physical server; and the client receiving unit being configured to receive a service response message returned by the physical server.
- The access apparatus according to claim 20, characterized in that the client processing unit is further configured to replace, according to the NAT rule, the source address of the service response message with the publishing IP address and publishing port corresponding to the service; and the client sending unit is further configured to send the modified service response message to the virtual machine.
- A computer, characterized by comprising a processor, a memory, and a system bus, wherein the memory stores instructions, and the processor executes the instructions in the memory to perform the method according to any one of claims 10 to 19.
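The access path the claims describe (the platform publishes a service under a publishing IP address and port, pushes a per-VM NAT rule to the access NE, the NE rewrites the destination of requests and the source of responses, and a deletion message removes the rule on revocation), as an added Python model that is not part of the patent. The class names, VM identifiers and every address used are constructed for illustration; the model shows that a VM without a rule never reaches or learns the physical server's real address.

```python
# Added example, not the patent's code: a minimal model of the claimed access path.
# Class names, VM ids and all addresses below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes

class AccessNE:
    """Access network element: applies the per-VM NAT rules pushed by the platform."""

    def __init__(self) -> None:
        # vm_id -> {published (IP, port): physical server (IP, port)}
        self.rules: Dict[str, Dict[Endpoint, Endpoint]] = {}

    def install_rule(self, vm_id: str, published: Endpoint, physical: Endpoint) -> None:
        self.rules.setdefault(vm_id, {})[published] = physical

    def delete_rules(self, vm_id: str) -> None:
        """Deletion message from the platform: the VM loses its NAT rules."""
        self.rules.pop(vm_id, None)

    def forward_request(self, vm_id: str, pkt: Packet) -> Optional[Packet]:
        """Destination NAT: published address -> real server; drop if no rule."""
        physical = self.rules.get(vm_id, {}).get(pkt.dst)
        if physical is None:
            return None  # unauthorized VM never reaches (or learns) the real address
        return Packet(pkt.src, physical, pkt.payload)

    def forward_response(self, vm_id: str, pkt: Packet) -> Optional[Packet]:
        """Source NAT on the reply: real server address -> published address."""
        for published, physical in self.rules.get(vm_id, {}).items():
            if physical == pkt.src:
                return Packet(published, pkt.dst, pkt.payload)
        return None

class CloudPlatform:
    """Allocates published addresses and pushes/deletes NAT rules on access NEs."""
    def __init__(self) -> None:
        self.services: Dict[str, Tuple[Endpoint, Endpoint]] = {}
        self._next_port = 8080  # constructed allocation scheme

    def publish(self, name: str, physical: Endpoint) -> Endpoint:
        published = ("10.200.0.1", self._next_port)  # constructed published IP
        self._next_port += 1
        self.services[name] = (published, physical)
        return published

    def authorize(self, ne: AccessNE, vm_id: str, name: str) -> None:
        published, physical = self.services[name]
        ne.install_rule(vm_id, published, physical)  # NAT rule sent to the NE

    def revoke(self, ne: AccessNE, vm_id: str) -> None:
        ne.delete_rules(vm_id)  # deletion message
```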
Priority Applications (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110098217.0A CN112995272A (zh) | 2016-08-09 | 2016-08-09 | Method, apparatus and system for a virtual machine to access a physical server in a cloud computing system |
EP16912041.7A EP3493510B1 (en) | 2016-08-09 | 2016-08-09 | Method, device and system for virtual machine to access physical server in cloud computing system |
CN201680086943.8A CN109314724B (zh) | 2016-08-09 | 2016-08-09 | Method, apparatus and system for a virtual machine to access a physical server in a cloud computing system |
PCT/CN2016/094225 WO2018027586A1 (zh) | 2016-08-09 | 2016-08-09 | Method, apparatus and system for a virtual machine to access a physical server in a cloud computing system |
CA3033217A CA3033217C (en) | 2016-08-09 | 2016-08-09 | Method for virtual machine to access physical server in cloud computing system, apparatus, and system |
JP2019507139A JP6771650B2 (ja) | 2016-08-09 | 2016-08-09 | Method, apparatus and system for a virtual machine to access a physical server in a cloud computing system |
US16/262,872 US10659471B2 (en) | 2016-08-09 | 2019-01-30 | Method for virtual machine to access physical server in cloud computing system, apparatus, and system |
US15/931,217 US11418512B2 (en) | 2016-08-09 | 2020-05-13 | Method for virtual machine to access physical server in cloud computing system, apparatus, and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/094225 WO2018027586A1 (zh) | 2016-08-09 | 2016-08-09 | Method, apparatus and system for a virtual machine to access a physical server in a cloud computing system |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/262,872 Continuation US10659471B2 (en) | 2016-08-09 | 2019-01-30 | Method for virtual machine to access physical server in cloud computing system, apparatus, and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018027586A1 true WO2018027586A1 (zh) | 2018-02-15 |
Family
ID=61161254
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/094225 WO2018027586A1 (zh) | 2016-08-09 | 2016-08-09 | Method, apparatus and system for a virtual machine to access a physical server in a cloud computing system |
Country Status (6)
Country | Link |
---|---|
US (2) | US10659471B2 (zh) |
EP (1) | EP3493510B1 (zh) |
JP (1) | JP6771650B2 (zh) |
CN (2) | CN109314724B (zh) |
CA (1) | CA3033217C (zh) |
WO (1) | WO2018027586A1 (zh) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110535964A (zh) * | 2019-09-03 | 2019-12-03 | 北京首都在线科技股份有限公司 | Data processing method and apparatus implemented based on a PaaS connector |
CN111416792A (zh) * | 2019-01-08 | 2020-07-14 | 杭州海康威视数字技术股份有限公司 | Internal authentication-free method for an embedded device, and embedded device |
CN115102720A (zh) * | 2022-05-31 | 2022-09-23 | 苏州浪潮智能科技有限公司 | Virtual machine security management method, system and computer device |
CN115914389A (zh) * | 2021-08-09 | 2023-04-04 | 北京字节跳动网络技术有限公司 | Cloud service control system, method, apparatus, electronic device and storage medium |
Families Citing this family (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11824863B2 (en) * | 2016-11-03 | 2023-11-21 | Nicira, Inc. | Performing services on a host |
US10412047B2 (en) | 2017-08-17 | 2019-09-10 | Arista Networks, Inc. | Method and system for network traffic steering towards a service device |
US10721651B2 (en) | 2017-09-29 | 2020-07-21 | Arista Networks, Inc. | Method and system for steering bidirectional network traffic to a same service device |
US11265310B2 (en) * | 2017-10-19 | 2022-03-01 | Microsoft Technology Licensing, Llc | Isolating networks and credentials using on-demand port forwarding |
US10764234B2 (en) * | 2017-10-31 | 2020-09-01 | Arista Networks, Inc. | Method and system for host discovery and tracking in a network using associations between hosts and tunnel end points |
US10917342B2 (en) | 2018-09-26 | 2021-02-09 | Arista Networks, Inc. | Method and system for propagating network traffic flows between end points based on service and priority policies |
US10855733B2 (en) | 2018-12-04 | 2020-12-01 | Arista Networks, Inc. | Method and system for inspecting unicast network traffic between end points residing within a same zone |
US10848457B2 (en) | 2018-12-04 | 2020-11-24 | Arista Networks, Inc. | Method and system for cross-zone network traffic between different zones using virtual network identifiers and virtual layer-2 broadcast domains |
US10749789B2 (en) | 2018-12-04 | 2020-08-18 | Arista Networks, Inc. | Method and system for inspecting broadcast network traffic between end points residing within a same zone |
CN110008005B (zh) * | 2019-04-11 | 2023-07-18 | 中国南方电网有限责任公司 | Cloud-platform-based power grid communication resource virtual machine migration system and method |
CN112306701B (zh) * | 2019-07-25 | 2024-05-03 | 中移动信息技术有限公司 | Service circuit-breaking method, apparatus, device and storage medium |
CN112311837A (zh) * | 2019-08-02 | 2021-02-02 | 上海擎感智能科技有限公司 | In-vehicle terminal data transmission method, system and apparatus based on a cloud platform routing server |
CN110471683B (zh) * | 2019-08-06 | 2023-11-24 | 上海浦东发展银行股份有限公司信用卡中心 | Blue-green release method for container cloud applications based on intelligent DNS |
CN110474981A (zh) * | 2019-08-13 | 2019-11-19 | 中科天御(苏州)科技有限公司 | Software-defined dynamic secure storage method and apparatus |
CN110730252A (zh) * | 2019-09-25 | 2020-01-24 | 南京优速网络科技有限公司 | Address translation method by modifying the Linux kernel packet processing function |
US11550608B2 (en) * | 2019-10-31 | 2023-01-10 | International Business Machines Corporation | Guest-to-host virtual networking |
CN111147550B (zh) * | 2019-12-10 | 2022-06-21 | 华能集团技术创新中心有限公司 | Data access method and apparatus based on a big data e-commerce platform |
CN113472831B (zh) * | 2020-03-31 | 2022-12-06 | 北京金山云网络技术有限公司 | Service access method, apparatus, gateway device and storage medium |
CN113301080B (zh) * | 2020-06-09 | 2022-08-02 | 阿里巴巴集团控股有限公司 | Resource invocation method, device, system and storage medium |
CN112003964B (zh) * | 2020-08-27 | 2023-01-10 | 北京浪潮数据技术有限公司 | Multi-architecture-based IP address allocation method, apparatus and medium |
EP3975502B1 (de) * | 2020-09-28 | 2023-07-26 | Siemens Aktiengesellschaft | Method and system for providing time-critical services by means of a flow control environment |
CN114650290A (zh) * | 2020-12-17 | 2022-06-21 | 中移(苏州)软件技术有限公司 | Network connectivity method, processing apparatus, terminal and storage medium |
CN113010897B (zh) * | 2021-03-19 | 2023-06-13 | 中国联合网络通信集团有限公司 | Cloud computing security management method and system |
CN113489731B (zh) * | 2021-07-12 | 2022-11-04 | 于洪 | Data transmission method and system based on a virtualized network, and network security device |
CN113766044A (zh) * | 2021-07-30 | 2021-12-07 | 广东浪潮智慧计算技术有限公司 | Domain name resolution method and system |
CN113760452B (zh) * | 2021-08-02 | 2023-09-26 | 阿里巴巴新加坡控股有限公司 | Container scheduling method, system, device and storage medium |
CN114124948A (zh) * | 2021-09-19 | 2022-03-01 | 济南浪潮数据技术有限公司 | Method, apparatus, device and readable medium for high availability of cloud components |
US20220014520A1 (en) * | 2021-09-23 | 2022-01-13 | Intel Corporation | Controlled Network Sharing for Virtual Machines |
CN114338382B (zh) * | 2021-12-30 | 2023-11-14 | 北京天融信网络安全技术有限公司 | Domain-name-based device onboarding method and apparatus, computer device and storage medium |
US11799822B2 (en) | 2022-01-21 | 2023-10-24 | Google Llc | Proxyless network address translation with dynamic port allocation |
CN114915420B (zh) * | 2022-03-03 | 2024-04-26 | 阿里巴巴(中国)有限公司 | Communication method and system for cloud desktops |
CN115426324A (zh) * | 2022-08-26 | 2022-12-02 | 绿盟科技集团股份有限公司 | Method and apparatus for connecting a physical device to a cyber range |
CN115529292A (zh) * | 2022-10-11 | 2022-12-27 | 中国农业银行股份有限公司 | Access request processing method, apparatus, device, system and storage medium |
WO2023151354A2 (zh) * | 2022-12-01 | 2023-08-17 | 黄建邦 | Data transmission method and system, first end, intermediate network device and control device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103326997A (zh) * | 2012-03-23 | 2013-09-25 | 百度在线网络技术(北京)有限公司 | Method for accessing a virtual server, and virtual server system |
CN103733574A (zh) * | 2011-08-16 | 2014-04-16 | 微软公司 | Virtualization gateway between virtualized and non-virtualized networks |
CN105227686A (zh) * | 2014-06-20 | 2016-01-06 | 中国电信股份有限公司 | Dynamic configuration method and system for cloud host domain names |
CN105577723A (zh) * | 2014-10-16 | 2016-05-11 | 杭州华三通信技术有限公司 | Method and apparatus for implementing load sharing in a virtualized network |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1232080C (zh) * | 2002-05-15 | 2005-12-14 | 华为技术有限公司 | Method for providing internal servers in a network while saving IP addresses |
JP2004112018A (ja) * | 2002-09-13 | 2004-04-08 | Johnson Controls Inc | Internet access Web monitoring and control system |
US8489701B2 (en) * | 2007-01-30 | 2013-07-16 | Microsoft Corporation | Private virtual LAN spanning a public network for connection of arbitrary hosts |
US7840701B2 (en) * | 2007-02-21 | 2010-11-23 | Array Networks, Inc. | Dynamic system and method for virtual private network (VPN) packet level routing using dual-NAT method |
US8953592B2 (en) * | 2012-09-28 | 2015-02-10 | Juniper Networks, Inc. | Network address translation for application of subscriber-aware services |
WO2014079009A1 (zh) | 2012-11-22 | 2014-05-30 | 华为技术有限公司 | Virtual machine management control method, apparatus and system |
JP5977706B2 (ja) * | 2013-03-29 | 2016-08-24 | 株式会社日立ソリューションズ | Data exchange system and method for setting up an environment enabling data exchange between virtual private clouds |
CN103916314A (zh) * | 2013-12-26 | 2014-07-09 | 杭州华为数字技术有限公司 | Packet forwarding control method, related apparatus and physical host |
US9419937B2 (en) * | 2014-01-29 | 2016-08-16 | Vmware, Inc. | System and method for dynamically configuring a DNS server in a virtual network environment |
US9825854B2 (en) * | 2014-03-27 | 2017-11-21 | Nicira, Inc. | Host architecture for efficient cloud service access |
CN104753930B (zh) * | 2015-03-17 | 2016-10-05 | 成都盛思睿信息技术有限公司 | Cloud desktop management system based on a security gateway and secure access control method thereof |
CN105306433B (zh) * | 2015-09-10 | 2019-04-19 | 深信服科技股份有限公司 | Method and apparatus for accessing a virtual machine server |
- 2016
  - 2016-08-09 CN CN201680086943.8A patent/CN109314724B/zh active Active
  - 2016-08-09 CA CA3033217A patent/CA3033217C/en active Active
  - 2016-08-09 EP EP16912041.7A patent/EP3493510B1/en active Active
  - 2016-08-09 CN CN202110098217.0A patent/CN112995272A/zh active Pending
  - 2016-08-09 WO PCT/CN2016/094225 patent/WO2018027586A1/zh unknown
  - 2016-08-09 JP JP2019507139A patent/JP6771650B2/ja active Active
- 2019
  - 2019-01-30 US US16/262,872 patent/US10659471B2/en active Active
- 2020
  - 2020-05-13 US US15/931,217 patent/US11418512B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103733574A (zh) * | 2011-08-16 | 2014-04-16 | 微软公司 | Virtualization gateway between virtualized and non-virtualized networks |
CN103326997A (zh) * | 2012-03-23 | 2013-09-25 | 百度在线网络技术(北京)有限公司 | Method for accessing a virtual server, and virtual server system |
CN105227686A (zh) * | 2014-06-20 | 2016-01-06 | 中国电信股份有限公司 | Dynamic configuration method and system for cloud host domain names |
CN105577723A (zh) * | 2014-10-16 | 2016-05-11 | 杭州华三通信技术有限公司 | Method and apparatus for implementing load sharing in a virtualized network |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111416792A (zh) * | 2019-01-08 | 2020-07-14 | 杭州海康威视数字技术股份有限公司 | Internal authentication-free method for an embedded device, and embedded device |
CN110535964A (zh) * | 2019-09-03 | 2019-12-03 | 北京首都在线科技股份有限公司 | Data processing method and apparatus implemented based on a PaaS connector |
CN110535964B (zh) * | 2019-09-03 | 2021-12-14 | 北京首都在线科技股份有限公司 | Data processing method and apparatus implemented based on a PaaS connector |
CN115914389A (zh) * | 2021-08-09 | 2023-04-04 | 北京字节跳动网络技术有限公司 | Cloud service control system, method, apparatus, electronic device and storage medium |
CN115102720A (zh) * | 2022-05-31 | 2022-09-23 | 苏州浪潮智能科技有限公司 | Virtual machine security management method, system and computer device |
CN115102720B (zh) * | 2022-05-31 | 2023-08-11 | 苏州浪潮智能科技有限公司 | Virtual machine security management method, system and computer device |
Also Published As
Publication number | Publication date |
---|---|
US20190173888A1 (en) | 2019-06-06 |
CA3033217A1 (en) | 2018-02-15 |
US20200274875A1 (en) | 2020-08-27 |
EP3493510A1 (en) | 2019-06-05 |
CN109314724B (zh) | 2021-02-09 |
EP3493510A4 (en) | 2019-07-31 |
US11418512B2 (en) | 2022-08-16 |
JP2019528005A (ja) | 2019-10-03 |
CN112995272A (zh) | 2021-06-18 |
CA3033217C (en) | 2021-09-28 |
CN109314724A (zh) | 2019-02-05 |
EP3493510B1 (en) | 2020-10-07 |
US10659471B2 (en) | 2020-05-19 |
JP6771650B2 (ja) | 2020-10-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2018027586A1 (zh) | Method, apparatus and system for a virtual machine to access a physical server in a cloud computing system | |
US10701139B2 (en) | Life cycle management method and apparatus | |
US10785029B2 (en) | Systems and methods for pairing on-premise clusters to clouds using identity service providers | |
US11469964B2 (en) | Extension resource groups of provider network services | |
US8959310B2 (en) | Dynamic network adapter memory resizing and bounding for virtual function translation entry storage | |
US8937940B2 (en) | Optimized virtual function translation entry memory caching | |
US10397132B2 (en) | System and method for granting virtualized network function life cycle management | |
US20130034094A1 (en) | Virtual Switch Data Control In A Distributed Overlay Network | |
US20200159555A1 (en) | Provider network service extensions | |
US11048543B2 (en) | Computer system and resource access control method for securely controlling access using roles with a plurality of users | |
US10958654B1 (en) | Resource deletion protection service | |
JP7212158B2 (ja) | Provider network service extensions | |
US11573719B2 (en) | PMEM cache RDMA security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16912041; Country of ref document: EP; Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 3033217; Country of ref document: CA |
| | ENP | Entry into the national phase | Ref document number: 2019507139; Country of ref document: JP; Kind code of ref document: A |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | ENP | Entry into the national phase | Ref document number: 2016912041; Country of ref document: EP; Effective date: 20190226 |