WO2023165321A1 - Communication method and system for cloud desktop - Google Patents

Communication method and system for cloud desktop

Info

Publication number
WO2023165321A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
dnat
mapping information
access token
cloud
Prior art date
Application number
PCT/CN2023/075653
Other languages
French (fr)
Chinese (zh)
Inventor
文敢
向亚
严力科
庞雄伟
何旻
彭成
Original Assignee
阿里巴巴(中国)有限公司
Priority date
Filing date
Publication date
Application filed by 阿里巴巴(中国)有限公司
Publication of WO2023165321A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/451 Execution arrangements for user interfaces
    • G06F 9/452 Remote windowing, e.g. X-Window System, desktop virtualisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Definitions

  • The present disclosure relates to the technical field of cloud desktops, in particular to a communication method and system for cloud desktops.
  • Cloud desktop, also known as desktop virtualization, is a new model that replaces traditional computing devices (such as computers and mobile phones).
  • Cloud desktop products (such as cloud computers, cloud phones, etc.) are mainly composed of front-end equipment and back-end servers.
  • The front-end equipment mainly uses a thin client (such as a device similar to a TV set-top box) connected to a monitor, keyboard and/or mouse.
  • The user accesses the virtual machine host on the back-end server through a dedicated communication protocol to perform interactive operations, achieving the same experience as a computer.
  • The CPU, memory, hard disk and other components contained in the host can be virtualized on the back-end server.
  • A single high-performance server can virtualize 1-50 virtual hosts.
  • A technical problem to be solved in the present disclosure is to provide an effective communication solution for cloud desktop products.
  • In a first aspect, a communication method for cloud desktops is provided, wherein the server providing cloud desktop instances to clients is constructed based on cloud resources. The method includes: generating an access token for the client using the authentication service in the cloud resource; determining DNAT mapping information, which represents the mapping relationship between the private network address of the server and the public network address of the NAT gateway associated with the server in the cloud resource; and sending the access token and the DNAT mapping information to the client, so that the client can establish a connection with the server based on the access token and the DNAT mapping information to access the cloud desktop instance.
  • The method may further include providing a resource management device for providing resource management services to the client, in which case the step of sending the access token and DNAT mapping information to the client includes: sending the access token and/or the DNAT mapping information to the resource management device, which in turn sends them to the client.
  • The step of generating the client's access token using the authentication service in the cloud resource includes: in response to receiving an access request for the cloud desktop instance sent by the client, verifying the legality of the client's identity by the authentication service in the cloud resource; and, if the verification result is that the identity of the client is legal, generating the access token.
  • Before sending the access token to the client, the method may also include: generating a key pair by the authentication service, the key pair including a public key and a private key; sending the public key to the signaling service corresponding to the cloud desktop instance; and signing the access token with the private key. The step of sending the access token and DNAT mapping information to the client then includes sending the signed access token to the client.
  • The method may further include: in response to a signaling process initiated by the client towards the signaling service based on the DNAT mapping information and the access token, verifying the legitimacy of the access token by the signaling service based on the public key; and, if the verification result shows that the access token is valid, passing the DNAT mapping information to the server through the signaling service and executing the signaling process to negotiate the parameters involved in the connection between the client and the server.
  • The method may further include: after the signaling process is executed, in response to the client initiating an access request for the server, sending the cloud desktop instance data from the server to the client, and/or obtaining at the server the operation data and/or locally collected data for the cloud desktop instance sent by the client.
  • A communication system for cloud desktops includes: a client; a server built based on cloud resources and used to provide a cloud desktop instance for the client; an authentication device for generating an access token for the client; and a NAT gateway providing network address translation services for the server. The client obtains the access token and the DNAT mapping information and establishes a connection with the server based on them, wherein the DNAT mapping information represents the mapping relationship between the private network address of the server and the public network address of the NAT gateway.
  • The communication system may further include a resource management device, which is configured to acquire the access token and DNAT mapping information and send them to the client.
  • The communication system may further include a network management device, which is used to determine the DNAT mapping information and send it to the resource management device; or the communication system may further include an open interface, which is used to provide a DNAT query service so that the resource management device or the client can obtain the DNAT mapping information through the open interface.
  • A computing device includes: a processor; and a memory on which executable code is stored, and when the executable code is executed by the processor, the processor executes the method described in the first aspect above.
  • A computer program product includes executable code, and when the executable code is executed by a processor of an electronic device, it causes the processor to execute the method described in the first aspect above.
  • A non-transitory machine-readable storage medium has executable code stored on it, and when the executable code is executed by a processor of an electronic device, the processor executes the method described in the first aspect above.
  • This disclosure is deeply integrated with cloud resources: it relies on cloud resources to deploy cloud desktop instances, performs user identity authentication based on the authentication service in the cloud resources and issues access tokens to legitimate users, uses the NAT gateway in the cloud resources to provide network address translation services for the server, and sends the access token and DNAT mapping information to the client. This makes it lightweight and secure, and removes the need to build STUN/TURN services in the desktop streaming scenario.
  • Fig. 1 shows a schematic diagram of the architecture of a communication system implemented based on WebRTC.
  • Fig. 2 shows a schematic diagram of the architecture of a communication system for cloud desktops implemented based on the communication method of the present disclosure.
  • Fig. 3 shows a schematic diagram of the architecture of a WebRTC-based desktop streaming system according to an embodiment of the present disclosure.
  • Fig. 4 shows a schematic diagram of an access process for a client to access a cloud desktop instance according to an embodiment of the present disclosure.
  • Fig. 5 shows a schematic structural diagram of a computing device according to an embodiment of the present disclosure.
  • P2P: Peer-to-Peer, point-to-point communication or end-to-end communication.
  • C/S: Client-Server.
  • In a P2P network, each node not only acts as a server providing services to other nodes, but also uses the services provided by other nodes.
  • The biggest feature of a P2P network is that it does not require scheduling by a central server; nodes self-organize and coordinate, and communicate with each other directly.
  • WebRTC is an audio and video communication technology that integrates a variety of underlying protocols and can realize P2P communication, that is, it can provide peer-to-peer communication for both parties.
  • Fig. 1 shows a schematic diagram of the architecture of a communication system implemented based on WebRTC.
  • A WebRTC-based communication system may include three parts: peer-to-peer communication terminals, a signaling system, and a STUN/TURN service.
  • The two parties participating in the WebRTC communication (that is, WebRTC communication terminal A and WebRTC communication terminal B shown in Fig. 1) establish a peer-to-peer connection (Peer Connection) after signaling negotiation and then carry out audio and video communication directly.
  • Peer-to-peer connections are carried over UDP (User Datagram Protocol), and the two parties participating in the communication are equal, that is, the UDP connection can be initiated by either party.
  • The WebRTC signaling service can be deployed independently of the communication terminals. To ensure that the subsequent peer-to-peer connection is established correctly, both communicating parties must be able to access the signaling service.
  • Through the signaling service, the communicating parties negotiate the connection communication parameters, and at the same time, through the ICE (Interactive Connectivity Establishment) process, each party exchanges the IP address and port number it has behind NAT (Network Address Translation), so as to assist the peer-to-peer connection in traversing the NAT gateway.
  • A NAT gateway refers to a gateway providing network address translation services.
  • The STUN/TURN service is used for NAT gateway traversal.
  • STUN provides a way for a terminal to learn its address after NAT mapping (its public network address), so that it can replace the private network address at the application layer and achieve NAT traversal.
  • A public network address is also called a public address.
  • A private network address refers to an address used internally by an organization, such as an address used by devices in a LAN.
  • TURN achieves traversal by acting as a "middleman" between the two communicating parties.
  • The two communicating parties each establish their own connection with the TURN server located on the public network.
  • The TURN server is responsible for forwarding data between the two parties.
  • A peer-to-peer communication end learns its own NATed IP/port through the STUN service and uses it in the subsequent ICE process to exchange NATed IP/port information for the subsequent establishment of a peer-to-peer connection.
  • Audio and video communication technology can be applied to the desktop streaming scenario of cloud desktop products to establish a communication connection between the client and the server.
  • Desktop streaming refers to the transmission of data related to cloud desktop instances between the client and the server.
  • The server can transmit the generated cloud desktop data (picture data) to the client, and the client can send the user's operation data on the cloud desktop or locally collected data (such as video data collected by a camera) to the server.
  • STUN/TURN services need to be deployed independently.
  • The STUN service is based on UDP, and there is a security risk of DDoS.
  • The present disclosure proposes a communication method for cloud desktops.
  • Fig. 2 shows a schematic diagram of the architecture of a communication system for cloud desktops implemented based on the communication method of the present disclosure.
  • The communication method of the present disclosure is described below with reference to Fig. 2.
  • A server for providing a cloud desktop instance to a client may be constructed based on cloud resources.
  • Cloud resources refer to resources on the cloud (computing resources on the cloud), which may specifically be public cloud computing resources, private cloud computing resources or hybrid cloud computing resources.
  • The server and the client constitute a set of cloud desktop products.
  • The authentication service in the cloud resource can use an existing authentication mechanism, such as the AK/SK mechanism of the public cloud's open interface (openAPI), to authenticate the user identity (that is, the client identity) and issue an access token to the legitimate user (that is, the legitimate client), which can solve the first problem above.
  • The NAT gateway in the cloud resource (such as the public cloud NAT gateway) can provide network address translation services for multiple cloud desktop instances (that is, multiple servers), so that multiple cloud desktop instances can share one public network address. This saves public network addresses and reduces customer costs, which can solve the second problem above.
  • The client can send an access request for the cloud desktop instance to the authentication service.
  • The access request can be sent to the authentication service through an out-of-band network (a network not directly connected to the cloud desktop instance). That is, the access request does not pass through the NAT gateway associated with the server, but may be sent to the authentication service through the client's local NAT gateway.
  • The authentication service can verify the legality of the client's identity. For example, it can check whether the identity of the client matches the requested cloud desktop instance, to determine whether the client has access rights to the requested cloud desktop instance.
  • If the verification result shows that the client's identity is legal, the authentication service can generate the client's access token; otherwise, if the verification result shows that the client's identity is not legal, the authentication process can be ended without generating an access token.
  • Before sending the access token to the client, the authentication service can generate a key pair, which includes a public key and a private key.
  • The public key can be sent to the signaling service corresponding to the cloud desktop instance, and the private key is used to sign the access token. The signed access token can then be sent to the client.
  • The server can provide Internet services through the public network address.
  • The DNAT mapping information characterizes the mapping relationship between the private network address of the server (such as a first IP address and a first port number) and the public network address of the NAT gateway (such as a second IP address and a second port number).
  • The NAT gateway mentioned here refers to the gateway associated with the server and located in the cloud resource.
  • The NAT gateway can be bound to one or more public network addresses (for example, an elastic public network IP).
  • The DNAT mapping information and the access token can be sent to the client together or separately.
  • When the DNAT mapping information is sent to the client, it may be pushed to the client actively, or the client may obtain the DNAT mapping information from the cloud resource through an active query.
  • A resource management device can be created (provided) to provide resource management services to clients.
  • The access token and/or DNAT mapping information may be sent to the resource management device, and the resource management device sends the access token and/or DNAT mapping information to the client.
  • An open interface may also be provided; for example, an open interface may be generated based on cloud resources, and the open interface is used to provide a DNAT mapping information query service.
  • Through the open interface, the DNAT mapping information can be sent to the client.
  • The client can also configure the DNAT mapping of the server through the open interface.
  • Signaling services can be deployed in cloud resources.
  • The signaling service corresponding to the cloud desktop instance can be deployed in the cloud resource, so as to customize the signaling service at the cloud desktop instance level.
  • The signaling service can also be deployed centrally, that is, shared by multiple cloud desktop instances so as to serve multiple cloud desktop instances.
  • In response to the signaling process initiated by the client towards the signaling service based on the DNAT mapping information and the access token, the signaling service verifies the legitimacy of the access token based on the public key.
  • If the verification result is that the access token is valid, the DNAT mapping information can be transmitted to the server through the signaling service, and the signaling process is executed to negotiate the parameters involved in the connection between the client and the server. If the verification result is that the access token is invalid, the signaling process can be ended.
  • After the signaling process is executed, the client can initiate an access request (that is, a connection request) for the server.
  • In response, the server can send the cloud desktop instance data to the client, and/or obtain the operation data and/or locally collected data for the cloud desktop instance sent by the client.
  • Fig. 3 shows a schematic diagram of the architecture of a WebRTC-based desktop streaming system according to an embodiment of the present disclosure.
  • The WebRTC-based desktop streaming system mainly includes a WebRTC server, an authentication service, a public cloud NAT gateway, a resource management service, a signaling service, a network management and control module, and a WebRTC client.
  • The WebRTC server is integrated in the public cloud and provides peer-to-peer connections and desktop streaming.
  • The signaling service and the WebRTC server can be integrated in one cloud desktop instance.
  • The advantage of this per-instance deployment is that the signaling service can be customized at the instance level, but the disadvantage is that some deployment resources are wasted. Therefore, the signaling service can also be deployed centrally and shared by all cloud desktop instances (that is, different WebRTC servers).
  • Before a WebRTC connection is initiated, the authentication service needs to authenticate the identity of the connecting party, and only legal users are allowed to perform signaling and peer-to-peer connections to the WebRTC server.
  • The system architecture can rely on existing public cloud authentication mechanisms (such as the AK/SK mechanism of openAPI) and issue access tokens to legitimate users.
  • In the WebRTC signaling process, the user's access token is verified, and a connection request with an illegal token is rejected.
  • A public cloud NAT gateway is deployed between the WebRTC client and the WebRTC server.
  • The public cloud NAT gateway can save a large number of public network IP addresses, which is of great benefit in saving user costs. At the same time, since the public cloud NAT gateway is a standard cloud product, users can directly perform NAT mapping configuration through openAPI and query it to obtain the existing configuration.
  • The resource management service is a service built by customers to manage their own resources on the public cloud. Through the resource management service, customers can perform authentication before accessing the cloud desktop instance and at the same time obtain the DNAT mapping information required for the connection. The resource management service can be integrated with the WebRTC client or deployed independently of it.
  • The WebRTC client can obtain the DNAT mapping configuration (that is, the DNAT mapping information) from the resource management service. If the resource management service has no DNAT mapping, it can obtain the DNAT mapping configuration from the network management and control module. The network management and control module can verify the identity of the client before sending the DNAT mapping configuration; if the verification passes, the DNAT mapping configuration is sent to the resource management service and then forwarded to the client via the resource management service.
  • The WebRTC client is the initiator of both the signaling process and the peer-to-peer connection. Generally, before accessing the remote desktop, the packets sent and received by the client may pass through a local NAT gateway.
  • Fig. 4 shows a schematic diagram of an access process for a client to access a cloud desktop instance according to an embodiment of the present disclosure.
  • The access process mainly includes an authentication process, a signaling process, and a desktop connection process.
  • The authentication process does not pass through the public cloud NAT gateway, but may pass through the local NAT gateway of the WebRTC client.
  • The WebRTC client can initiate an instance connection request (corresponding to the access request mentioned above) through the out-of-band network (a network not directly connected to the instance network).
  • The instance connection request can be sent to the authentication service via the local NAT gateway or the resource management service.
  • The authentication service first verifies the legality of the client's identity, and after verifying that the identity is legal, it can prepare for the subsequent WebRTC signaling authentication.
  • The resource management service can send the DNAT mapping to the WebRTC client along with the access token.
  • The resource management service can obtain the DNAT mapping configuration from the public cloud NAT gateway; for example, the DNAT mapping configuration can be obtained from the network management and control module connected to the public cloud NAT gateway.
  • Steps 1 to 10 shown in Fig. 4 are the authentication process.
  • In step 1, the WebRTC client sends the instance connection request to the local NAT gateway.
  • In step 2, the local NAT gateway forwards the instance connection request to the resource management service.
  • In step 3, the resource management service sends the instance connection request to the authentication service.
  • In step 4, after verifying that the identity of the client is legal, the authentication service generates a public-private key pair and sends the public key to the signaling service corresponding to the cloud desktop instance.
  • In step 5, the signaling service returns a public key delivery success message to the authentication service.
  • In step 6, the authentication service generates a time-sensitive access token (token), signs it with the private key, and returns it to the resource management service.
  • In step 7, if the resource management service has no DNAT mapping for the cloud desktop instance corresponding to the client, it can perform DNAT mapping configuration on the public cloud NAT gateway; for example, the public cloud NAT gateway can be configured through openAPI.
  • In step 8, the public cloud NAT gateway sends a configuration success message to the resource management service.
  • In step 9, the resource management service sends the access token and DNAT mapping information to the local NAT gateway.
  • In step 10, the local NAT gateway forwards the access token and DNAT mapping information to the WebRTC client.
  • the signaling process can be sent to the signaling service through the local NAT gateway and the public cloud NAT gateway.
  • the WebRTC client After the WebRTC client obtains the access token, it initiates a signaling process to the signaling service.
  • the whole process basically follows the standard WebRTC signaling process. Key to verify the validity of the access token, if the verification fails, the entire WebRTC connection will be terminated directly.
  • both communicating parties may actively initiate a peer-to-peer connection.
  • desktop streaming systems always have WebRTC clients (client users) actively connect to WebRTC servers (cloud desktop instances) to obtain desktops. This is mainly reflected in two aspects of the signaling plane and the data plane.
  • the client On the signaling side, the client actively initiates a TCP (Transmission Control Protocol) connection to the signaling system of the cloud desktop instance.
  • TCP Transmission Control Protocol
  • the client On the data side, the client initiates a UDP connection to the server, obtains the desktop from the remote end (server) or pushes local video (such as a camera) to the remote end, and at the same time through SCTP over UDP (SCTP based on UDP, SCTP is a A stream control transmission protocol oriented to multimedia communication) sends events such as local peripherals (such as mouse/keyboard) to the remote end.
  • SCTP Transmission Control Protocol
  • the WebRTC client only needs to obtain the DNAT mapping of the WebRTC server without learning the NAT mapping of the local network to complete NAT penetration.
  • DNAT mapping information For the maintenance of DNAT mapping information, there may be two methods: 1) All configured DNAT mapping information can be maintained by the resource management service, and the client can directly query and obtain the resource management service (as shown in Figure 3 and Figure 4); 2) Clients can query the public cloud NAT gateway for DNAT mapping directly through openAPI.
  • the client can use it to directly initiate the signaling process, that is, initiate a TCP connection to the signaling service; on the other hand, the client can pass the DNAT mapping to the server through the signaling process, and pass Subsequent standard ICE procedures switch to the client to initiate a peer-to-peer connection.
  • the signaling procedure may include the ICE procedure.
  • the WebRTC server can exchange its public network address (such as IP address and port number) behind NAT according to the existing mechanism.
  • the public network address of the WebRTC server behind NAT can be passed from the WebRTC client to the WebRTC server in the signaling process.
  • the WebRTC client Since in the desktop streaming system, the WebRTC client always actively connects to the WebRTC server, so in the ICE process, the WebRTC client may not exchange its public network address (such as IP address and port number) behind the local NAT to WebRTC Server.
  • the WebRTC client may not exchange its public network address (such as IP address and port number) behind the local NAT to WebRTC Server.
  • NAT penetration can also be achieved without setting up STUN/TURN services.
  • Steps 11 to 18 shown in FIG. 4 are signaling procedures.
  • the WebRTC client sends the signaling connection request to the signaling service via the local NAT gateway or the public cloud NAT gateway.
  • the signaling service sends a connection success message to the WebRTC client via the public cloud NAT gateway and the local NAT gateway.
  • step 17 other signaling may be exchanged between the WebRTC client and the signaling service.
  • an ICE procedure may be performed between the WebRTC client and the signaling service.
  • Step 19 shown in FIG. 4 is a desktop connection process.
  • the WebRTC client and WebRTC server can be UDP client and UDP server respectively. That is, UDP can be used for communication between the WebRTC client and the WebRTC server.
  • the WebRTC client can send the operation data and/or local collection data for the cloud desktop instance to the WebRTC server.
  • the WebRTC server can send the cloud desktop instance data to the client.
  • through deep integration with the public cloud, the WebRTC-based cloud instance desktop streaming system of the present disclosure can have the advantages of being lightweight and secure, and of not needing a STUN/TURN service.
  • this disclosure can rely on the authentication system of the public cloud to perform user identity authentication, issue access tokens to legitimate users, and then perform WebRTC connections; for public network streaming scenarios, a public network NAT gateway is set up between the WebRTC client and the server, saving a large number of public network IP addresses and reducing customer costs; because the public network NAT gateway is also a product of the public cloud, its NAT mapping can be obtained by users, and because in the desktop streaming system the TCP connection on the signaling plane and the UDP connection on the data plane are always initiated by the WebRTC client, NAT traversal can be performed without setting up a STUN/TURN service.
  • the communication method of the present disclosure can also be implemented as a communication system.
  • the communication system may include a client, a server based on cloud resources, an authentication device, and a NAT gateway.
  • the server is used to provide cloud desktop instances to clients.
  • the authentication device is used to provide authentication service for the client to determine whether the client has the access authority of the cloud desktop instance.
  • the authentication device may be constructed based on cloud resources, for example, the authentication device may be provided by cloud resources.
  • the NAT gateway is used to provide network address translation services for cloud desktop instances.
  • the NAT gateway is located in the cloud, such as a public cloud NAT gateway.
  • the client may first obtain the access token and DNAT mapping information, and then establish a connection with the server based on the access token and the DNAT mapping information.
  • Clients can obtain access token and DNAT mapping information in various ways. For example, the authentication device can directly issue the access token to the client, and the client can actively query the DNAT mapping information through an open interface.
  • the communication system may also include resource management means.
  • the resource management apparatus is created for the client, and is used to provide the resource management service for the client, so as to manage the resources of the client on the cloud (such as on the public cloud).
  • the resource management device can be deployed on the client, or can be deployed independently of the client.
  • the resource management device can obtain the access token and DNAT mapping information, and send the access token and DNAT mapping information to the client, so that the client can establish a connection with the server based on the access token and DNAT mapping information to access the cloud desktop instance.
  • the resource management device may obtain the access token from the authentication device.
  • the communication system may also include a network management device, which is used to determine the DNAT mapping information and send it to the resource management device; or the communication system may also include an open interface, which is used to provide a DNAT query service.
  • the resource management device or the client can obtain the DNAT mapping information through an open interface.
  • the client can acquire DNAT mapping information through an open interface, and send the acquired DNAT mapping information to the resource management device for storage.
  • Fig. 5 shows a schematic structural diagram of a computing device that can be used to implement the above communication method according to an embodiment of the present disclosure.
  • a computing device 500 includes a memory 510 and a processor 520.
  • the processor 520 may be a multi-core processor, or may include multiple processors.
  • the processor 520 may include a general-purpose main processor and one or more special co-processors, such as a graphics processing unit (GPU), a digital signal processor (DSP), and the like.
  • the processor 520 may be implemented using a customized circuit, such as an application specific integrated circuit (ASIC, Application Specific Integrated Circuit) or a field programmable logic gate array (FPGA, Field Programmable Gate Arrays).
  • the memory 510 may include various types of storage units, such as system memory, read-only memory (ROM), and persistent storage, where the ROM can store static data or instructions required by the processor 520 or other modules of the computer.
  • the persistent storage device may be a readable and writable storage device. Persistent storage may be a non-volatile storage device that does not lose stored instructions and data even if the computer is powered off.
  • the persistent storage device may use a mass storage device (such as a magnetic or optical disk, or flash memory).
  • the permanent storage device may be a removable storage device (such as a floppy disk, an optical drive).
  • the system memory can be a readable and writable storage device or a volatile readable and writable storage device, such as dynamic random access memory.
  • System memory can store some or all of the instructions and data that the processor needs at runtime.
  • memory 510 may include any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory); magnetic disks and/or optical disks may also be used.
  • memory 510 may include a readable and/or writable removable storage device, such as a compact disc (CD), a read-only digital versatile disc (e.g., DVD-ROM, dual-layer DVD-ROM), a read-only Blu-ray disc, a Super Density disc, a flash memory card (such as an SD card, mini SD card, Micro-SD card, etc.), a magnetic floppy disk, etc.
  • Computer-readable storage media do not contain carrier waves and transient electronic signals transmitted by wireless or wire.
  • Executable code is stored in the memory 510, and when the executable code is processed by the processor 520, the processor 520 can be made to execute the communication method mentioned above.
  • the method according to the present invention can also be realized as a computer program or computer program product, the computer program or computer program product including computer program code instructions for executing the above-mentioned steps defined in the above-mentioned method of the present invention.
  • the present invention can also be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) on which executable code (or a computer program, or computer instruction code) is stored; when the executable code (or computer program, or computer instruction code) is executed by the processor of an electronic device (or computing device, server, etc.), it causes the processor to perform the steps of the above method according to the present invention.
  • each block in a flowchart or block diagram may represent a module, program segment, or part of code that includes one or more executable instructions.
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks in succession may, in fact, be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved.
  • each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or may be implemented by a combination of dedicated hardware and computer instructions.

Abstract

The present disclosure relates to a communication method and system for a cloud desktop. A serving end for providing a cloud desktop instance for a client is constructed on the basis of a cloud resource. The method comprises: generating an access token of a client by using an authentication service in a cloud resource; determining DNAT mapping information, wherein the DNAT mapping information is used for representing a mapping relationship between a private network address of a serving end and a public network address of an NAT gateway which is located in the cloud resource and is associated with the serving end; and sending the access token and the DNAT mapping information to the client, such that the client establishes a connection with the serving end on the basis of the access token and the DNAT mapping information, so as to access a cloud desktop instance. Therefore, by means of deep fusion with a cloud resource, the disclosure has advantages such as being lightweight and secure and having no need to build an STUN/TURN service in a desktop streaming scenario of a cloud desktop instance.

Description

Communication method and system for cloud desktop
This application claims priority to the Chinese patent application with application number 202210209649.9, entitled "Communication Method and System for Cloud Desktop", filed with the China Patent Office on March 3, 2022, the entire contents of which are incorporated herein by reference.
Technical field
The present disclosure relates to the technical field of cloud desktops, and in particular to a communication method and system for a cloud desktop.
Background
A cloud desktop, also known as desktop virtualization, is a new model that replaces traditional computing devices (such as computers and mobile phones).
Cloud desktop products (such as cloud computers and cloud phones) mainly consist of two parts: front-end devices and back-end servers.
Taking a cloud computer as an example, the front-end device is mainly a thin client (such as a device similar to a TV set-top box) connected to a monitor, keyboard and/or mouse. After installing the client, the user accesses a virtual machine host on the back-end server through a dedicated communication protocol to operate it interactively, obtaining the same experience as a physical computer.
With a cloud desktop, users no longer need to purchase a host machine: the CPU, memory, hard disk and other components of the host can be virtualized on the back-end server, and a single high-performance server can host anywhere from 1 to 50 virtual hosts.
When using cloud desktop products, communication must be established between the front-end device and the back-end device to transmit data. How to provide an effective communication scheme for cloud desktop products is a technical problem that urgently needs to be solved.
Summary
A technical problem to be solved by the present disclosure is to provide an effective communication scheme for cloud desktop products.
According to a first aspect of the present disclosure, a communication method for a cloud desktop is provided, wherein the server that provides a cloud desktop instance to a client is built on cloud resources, and the method includes: generating an access token for the client using an authentication service in the cloud resources; determining DNAT mapping information, which represents the mapping relationship between the private network address of the server and the public network address of a NAT gateway in the cloud resources that is associated with the server; and sending the access token and the DNAT mapping information to the client, so that the client establishes a connection with the server based on the access token and the DNAT mapping information in order to access the cloud desktop instance.
Optionally, the method further includes: providing a resource management device for providing resource management services to the client, wherein the step of sending the access token and the DNAT mapping information to the client includes: sending the access token and/or the DNAT mapping information to the resource management device, which then sends the access token and/or the DNAT mapping information to the client.
Optionally, the method further includes: providing an open interface for providing a DNAT mapping information query service, wherein the step of sending the access token and the DNAT mapping information to the client includes: in response to receiving a DNAT mapping query request sent by the client through the open interface, sending the DNAT mapping information to the client.
Optionally, the step of generating the client's access token using the authentication service in the cloud resources includes: in response to receiving an access request for the cloud desktop instance sent by the client, verifying the legitimacy of the client's identity by the authentication service in the cloud resources; and, if the verification result is that the client's identity is legitimate, generating the access token.
Optionally, before sending the access token to the client, the method further includes: generating a key pair by the authentication service, the key pair including a public key and a private key; sending the public key to the signaling service corresponding to the cloud desktop instance; and signing the access token with the private key, wherein the step of sending the access token and the DNAT mapping information to the client includes: sending the signed access token to the client.
Optionally, the method further includes: in response to a signaling process initiated by the client towards the signaling service based on the DNAT mapping information and the access token, verifying the legitimacy of the access token by the signaling service based on the public key; and, if the verification result is that the access token is legitimate, passing the DNAT mapping information to the server through the signaling service and executing the signaling process to negotiate the parameters involved in the connection between the client and the server.
Optionally, the method further includes: after the signaling process has completed, in response to the client initiating an access request to the server, sending cloud desktop instance data from the server to the client, and/or obtaining operation data for the cloud desktop instance and/or locally collected data sent by the client.
According to a second aspect of the present disclosure, a communication system for a cloud desktop is provided, including: a client; a server built on cloud resources for providing a cloud desktop instance to the client; an authentication device for generating an access token for the client; and a NAT gateway for providing network address translation services to the server, wherein the client obtains the access token and DNAT mapping information and establishes a connection with the server based on the access token and the DNAT mapping information, and the DNAT mapping information represents the mapping relationship between the private network address of the server and the public network address of the NAT gateway.
Optionally, the communication system may further include a resource management device for obtaining the access token and the DNAT mapping information and sending them to the client.
Optionally, the communication system further includes a network management device for determining the DNAT mapping information and sending it to the resource management device, or the communication system further includes an open interface for providing a DNAT query service, so that the resource management device or the client can obtain the DNAT mapping information through the open interface.
According to a third aspect of the present disclosure, a computing device is provided, including: a processor; and a memory storing executable code which, when executed by the processor, causes the processor to perform the method described in the first aspect above.
According to a fourth aspect of the present disclosure, a computer program product is provided, including executable code which, when executed by a processor of an electronic device, causes the processor to perform the method described in the first aspect above.
According to a fifth aspect of the present disclosure, a non-transitory machine-readable storage medium is provided, storing executable code which, when executed by a processor of an electronic device, causes the processor to perform the method described in the first aspect above.
Thus, the present disclosure is deeply integrated with cloud resources: it deploys cloud desktop instances on cloud resources, authenticates user identity with the authentication service in the cloud resources and issues access tokens to legitimate users, provides network address translation services to the server through the NAT gateway in the cloud resources, and sends the access token and DNAT mapping information to the client, so that the desktop streaming scenario is lightweight and secure and has no need to build a STUN/TURN service.
Description of drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following more detailed description of exemplary embodiments of the present disclosure with reference to the accompanying drawings, in which the same reference numerals generally denote the same components.
Fig. 1 shows a schematic diagram of the architecture of a communication system implemented based on WebRTC.
Fig. 2 shows a schematic diagram of the architecture of a communication system for a cloud desktop implemented based on the communication method of the present disclosure.
Fig. 3 shows a schematic diagram of the architecture of a WebRTC-based desktop streaming system according to an embodiment of the present disclosure.
Fig. 4 shows a schematic diagram of the process by which a client accesses a cloud desktop instance according to an embodiment of the present disclosure.
Fig. 5 shows a schematic structural diagram of a computing device according to an embodiment of the present disclosure.
Detailed description
Preferred embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although preferred embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
P2P (Peer-To-Peer, point-to-point or end-to-end communication) breaks the traditional C/S (Client-Server) model: every node in the network has equal status. Each node acts as a server providing services to other nodes while also consuming the services provided by other nodes. The defining feature of a P2P network is that it needs no scheduling by a central server; it is self-organizing and self-coordinating, and nodes can communicate with each other directly. WebRTC is an audio and video communication technology that combines several underlying protocols and can implement P2P communication, that is, it provides peer-to-peer communication to both parties.
Fig. 1 shows a schematic diagram of the architecture of a communication system implemented based on WebRTC.
As shown in Figure 1, a WebRTC-based communication system may include three parts: the peer communication endpoints, a signaling system, and a STUN/TURN service.
1. Peer communication endpoints
The two parties participating in the WebRTC communication (WebRTC endpoint A and WebRTC endpoint B shown in Figure 1) establish a peer connection (Peer Connection) after signaling negotiation and then communicate audio and video directly. At the bottom layer, peer connections are carried by UDP (User Datagram Protocol), and the two communicating parties have equal status, that is, the UDP connection can be initiated by either party.
2. Signaling system
The WebRTC signaling service can be deployed centrally, independently of the endpoints. To ensure that the subsequent peer connection is established correctly, both communicating parties must be able to reach the signaling service. Through the signaling service, the two parties negotiate connection parameters and, through the ICE (Interactive Connectivity Establishment) process, exchange their IP addresses and port numbers behind NAT (Network Address Translation) so that the peer connection can complete NAT gateway traversal. A NAT gateway is a gateway that provides network address translation services.
3. STUN/TURN service
When a NAT gateway lies between the peer endpoints, the STUN/TURN service is used for NAT gateway traversal.
STUN gives an endpoint a way to learn its own NAT-mapped address (public network address), which then replaces the private network address at the application layer to achieve NAT traversal. A public network address (also called a public address) is an address directly reachable on the Internet. A private network address (also called a private address) is an address used internally by an organization, such as the addresses used by devices on a LAN.
TURN approaches NAT traversal in a way similar to STUN, in that both achieve it by modifying the private network address at the application layer. Unlike STUN, TURN achieves traversal by acting as a "middleman" between the two parties: each of the two communicating parties establishes its own connection to a TURN server located on the public network, and the server forwards data between them.
Taking the STUN service as an example, a peer endpoint learns its own post-NAT IP/port through the STUN service and uses it in the subsequent ICE process to exchange post-NAT IP/port information so that the peer connection can then be established.
Audio and video communication technology (such as WebRTC) can be applied to the desktop streaming scenario of cloud desktop products to establish a communication connection between the client and the server.
Desktop streaming refers to transmitting data related to a cloud desktop instance between the client and the server. Specifically, the server can transmit the generated cloud desktop data (picture data) to the client, and the client can send the user's operations on the cloud desktop or locally collected data (such as video captured by a camera) to the server.
Applying P2P communication technology (such as WebRTC) directly to streaming a cloud desktop instance raises the following problems:
1) How to authenticate user identity, so that illegitimate users cannot obtain an instance desktop that does not belong to them;
2) If a public network connection must be established between the client connected to the desktop and the server, each cloud desktop instance occupies one public IP address; in large-scale deployments this consumes a large number of public addresses and increases customer cost;
3) To perform NAT traversal, a STUN/TURN service has to be deployed separately. The STUN service is UDP-based and carries a DDoS security risk.
To solve the above problems, the present disclosure proposes a communication method for a cloud desktop.
Fig. 2 shows a schematic diagram of the architecture of a communication system for a cloud desktop implemented based on the communication method of the present disclosure.
The communication method of the present disclosure is described below with reference to Fig. 2.
As shown in Figure 2, the server that provides a cloud desktop instance to a client may be built on cloud resources.
Cloud resources are resources on the cloud (cloud computing resources); specifically they may be public cloud, private cloud or hybrid cloud computing resources. There may be a one-to-one correspondence between server and client, that is, a single server provides a cloud desktop instance to one specific client. Server and client together form one cloud desktop product.
By deploying (integrating) the server in the cloud resources, other related resources in the cloud can be used to support the communication between client and server and so solve the problems above.
Specifically, for the first problem, the authentication service in the cloud resources (an authentication mechanism such as the AK/SK mechanism of the openAPI open interface in a public cloud) can be used to authenticate the user identity (that is, the client identity) and issue an access token to a legitimate user (that is, a legitimate client); this solves the first problem.
For the second problem, a NAT gateway in the cloud resources (such as a public cloud NAT gateway) can provide network address translation services for multiple cloud desktop instances (that is, multiple servers), so that multiple cloud desktop instances share one public network address, saving public addresses and reducing customer cost; this solves the second problem.
For the third problem: because in the desktop streaming scenario the client always actively connects to the server, there is no need to learn the NAT mapping of the client's local network; and because the NAT gateway that provides network address translation for the cloud desktop instance belongs to the cloud resources, the DNAT (Destination Network Address Translation) mapping information the client needs to connect to the server can be learned by the client through several channels (for example the openAPI), and the client can in turn pass that DNAT mapping information to the server, so the server does not need to learn its own NAT mapping either. NAT traversal is therefore completed without deploying a STUN/TURN service, which solves the third problem.
Details of the present disclosure are described further below.
Access token
The client sends an access request for a cloud desktop instance to the authentication service. The request can travel over an out-of-band network (one that does not connect directly to the cloud desktop instance): it does not pass through the NAT gateway associated with the server, though it may pass through the client's local NAT gateway.
On receiving the access request, the authentication service verifies the legitimacy of the client's identity, for example by checking whether the client identity matches the cloud desktop instance it asks for, i.e. whether the client holds access rights to that instance.
If the client's identity is legitimate, the authentication service generates an access token for the client; if it is not, the authentication flow ends and no token is generated.
Before the access token is sent to the client, the authentication service generates a key pair consisting of a public key and a private key. The public key is sent to the signaling service corresponding to the cloud desktop instance, and the private key is used to sign the access token. The signed access token is then sent to the client.
DNAT mapping information
A public address on the NAT gateway (IP address plus port number) is mapped to the server, i.e. to the cloud desktop instance, so that the server can offer its service on the Internet at that public address. The DNAT mapping information describes the mapping between the server's private address (a first IP address and first port number) and the NAT gateway's public address (a second IP address and second port number). The NAT gateway referred to here is the gateway in the cloud resources that is associated with the server; it can be bound to one or more public addresses (for example elastic public IPs).
The DNAT mapping information and the access token can be sent to the client together or separately.
The DNAT mapping information can be pushed to the client, or the client can obtain it from the cloud resources by querying actively.
In one embodiment, a resource management device is created (provided) to offer resource management services to the client. The access token and/or the DNAT mapping information can be sent to the resource management device, which forwards them to the client.
In another embodiment, an open interface (openAPI) can be provided, for example generated from the cloud resources, to offer a DNAT mapping information query service. In response to a DNAT mapping query request sent by the client through the open interface, the DNAT mapping information is returned to the client. The client can also configure the server's DNAT mapping through the open interface.
Signaling flow
The signaling service can be deployed in the cloud resources. For example, a signaling service corresponding to each cloud desktop instance can be deployed, so that the signaling service is customizable per instance. Alternatively, the signaling service can be deployed centrally and shared by multiple cloud desktop instances.
When the client initiates a signaling flow towards the signaling service using the DNAT mapping information and the access token, the signaling service verifies the legitimacy of the access token with the public key.
If the access token is valid, the DNAT mapping information is passed to the server through the signaling service and the signaling flow is executed to negotiate the parameters of the connection between client and server. If the access token is invalid, the signaling flow ends.
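The token issuance and verification split described in the access-token and signaling-flow sections above (the authentication service signs with a private key it never releases; the signaling service holds only the public key and checks the token before any WebRTC signaling starts) can be demonstrated as follows. This is an added example, not code from the patent or from the applicant. It uses Ed25519 from the Go standard library; the token format (base64url JSON claims, a dot, base64url signature), the claim names, the client and instance identifiers and the access-control list are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the token payload. The field set is an assumption: the patent only
// requires the token to be time-limited and issued to a client that is allowed
// to reach a particular cloud desktop instance.
type Claims struct {
	ClientID   string `json:"cid"`
	InstanceID string `json:"iid"`
	IssuedAt   int64  `json:"iat"`
	ExpiresAt  int64  `json:"exp"`
}

// AuthService models the cloud-side authentication service. It keeps the
// private key; only the public key leaves it (towards the signaling service).
type AuthService struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	acl  map[string]map[string]bool // client -> instances it may open (constructed)
}

func NewAuthService(acl map[string]map[string]bool) (*AuthService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthService{pub: pub, priv: priv, acl: acl}, nil
}

// PublicKey is what gets delivered to the signaling service (step 4 in Fig. 4).
func (a *AuthService) PublicKey() ed25519.PublicKey { return a.pub }

// Issue is steps 3 and 6: check the client against the instance it asks for,
// then return base64url(claims) "." base64url(signature), or no token at all.
func (a *AuthService) Issue(clientID, instanceID string, now time.Time, ttl time.Duration) (string, error) {
	if !a.acl[clientID][instanceID] {
		return "", errors.New("client is not authorised for this instance")
	}
	body, err := json.Marshal(Claims{ClientID: clientID, InstanceID: instanceID,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(a.priv, body)), nil
}

// SignalingService fronts one cloud desktop instance and holds only the public
// key, so it can verify tokens but never mint them.
type SignalingService struct {
	pub        ed25519.PublicKey
	instanceID string
}

// Verify is the check run before the standard WebRTC signaling starts:
// signature first, then expiry, then that the token names this very instance.
func (s *SignalingService) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed token body")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed token signature")
	}
	// Authenticate the bytes before parsing anything the client controls.
	if !ed25519.Verify(s.pub, body, sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.ExpiresAt {
		return nil, errors.New("token expired")
	}
	if c.InstanceID != s.instanceID {
		return nil, errors.New("token was issued for a different instance")
	}
	return &c, nil
}

func main() {
	auth, err := NewAuthService(map[string]map[string]bool{"client-1": {"desktop-a": true}})
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, err := auth.Issue("client-1", "desktop-a", now, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	sigA := &SignalingService{pub: auth.PublicKey(), instanceID: "desktop-a"}
	sigB := &SignalingService{pub: auth.PublicKey(), instanceID: "desktop-b"}
	_, errA := sigA.Verify(tok, now)
	_, errB := sigB.Verify(tok, now)
	fmt.Println("same instance:", errA, "| other instance:", errB)
}
```

The verifier keeps the order a practitioner wants: signature before anything is parsed, then expiry, then the instance binding, so a token minted for one desktop cannot be replayed against another desktop's signaling service. The patent has the authentication service generate a fresh key pair on each successful authentication (step 4); the example generates one pair per AuthService, which exercises the same verification path with a longer-lived key.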
After the signaling flow completes, the client initiates an access request (a connection request) to the server. In response, the server sends cloud desktop instance data to the client and/or receives the operation data and/or locally captured data that the client sends for the cloud desktop instance.
This concludes the description of the principle and implementation of the communication method with reference to Fig. 2. Below, the present disclosure is further illustrated with a public cloud as the cloud resource.
Fig. 3 is a schematic diagram of the architecture of a WebRTC-based desktop streaming system according to one embodiment of the present disclosure.
As shown in Fig. 3, the WebRTC-based desktop streaming system mainly comprises a WebRTC server, an authentication service, a public cloud NAT gateway, a resource management service, a signaling service, a network management and control module, and a WebRTC client.
The WebRTC server is integrated in the public cloud and provides the peer connection and the desktop stream. The signaling service and the WebRTC server can be integrated in a single cloud desktop instance. The advantage of this per-instance deployment is that the signaling service can be customized per instance; the disadvantage is that it wastes some deployment resources. Alternatively, the signaling service can be deployed centrally and shared by all cloud desktop instances (the different WebRTC servers).
Before a WebRTC connection is initiated, the authentication service authenticates the identity of the connecting party; only legitimate users are allowed to signal to, and establish a peer connection with, the WebRTC server. The architecture can rely on the existing authentication mechanism of the public cloud (such as the AK/SK scheme of the openAPI) and issues access tokens to legitimate users. During the WebRTC signaling flow the user's access token is verified, and connection requests carrying an invalid token are rejected.
There may be NAT gateways between the WebRTC client and the WebRTC server. On the public cloud side, the public cloud NAT gateway saves a large number of public IP addresses and so reduces the user's costs; and since the public cloud NAT gateway is a standard cloud product, users can configure its NAT mappings and query the existing configuration directly through openAPI.
The resource management service is a service that the customer builds to manage their own resources on the public cloud. Through it the customer authenticates before accessing a cloud desktop instance and obtains the DNAT mapping information required for the connection. The resource management service can be integrated with the WebRTC client or deployed independently of it.
The WebRTC client can obtain the DNAT mapping configuration (the DNAT mapping information) from the resource management service. If the resource management service holds no DNAT mapping, it can obtain the DNAT mapping configuration from the network management and control module, which can verify the client's identity before sending it; on success the configuration is sent to the resource management service and from there to the client.
The WebRTC client is the initiator of both the signaling flow and the peer connection. In general, the packets the client sends and receives before it reaches the remote desktop may also pass through a local NAT gateway.
Fig. 4 is a schematic diagram of the flow by which a client accesses a cloud desktop instance according to one embodiment of the present disclosure.
As shown in Fig. 4, the access flow mainly comprises an authentication flow, a signaling flow and a desktop connection flow.
Authentication flow
The authentication flow does not pass through the public cloud NAT gateway, but it may pass through the WebRTC client's local NAT gateway.
The WebRTC client initiates an instance connection request (the access request described above) over an out-of-band network, i.e. not the network directly connected to the instance. The instance connection request can be sent to the authentication service via the local NAT gateway and the resource management service. The authentication service first verifies the legitimacy of the client's identity; once the identity is verified, it prepares the subsequent WebRTC signaling authentication.
The resource management service can send the DNAT mapping to the WebRTC client together with the access token. If the resource management service holds no DNAT mapping for the instance the WebRTC client wants to connect to, it can obtain the DNAT mapping configuration from the public cloud NAT gateway, for example from the network management and control module attached to that gateway.
Steps 1 to 10 in Fig. 4 are the authentication flow.
In step 1, the WebRTC client sends the instance connection request to the local NAT gateway.
In step 2, the local NAT gateway forwards the instance connection request to the resource management service.
In step 3, the resource management service forwards the instance connection request to the authentication service.
In step 4, after verifying that the client's identity is legitimate, the authentication service generates a public/private key pair and delivers the public key to the signaling service of the corresponding cloud desktop instance.
In step 5, the signaling service returns a public-key-delivered confirmation to the authentication service.
In step 6, the authentication service generates a time-limited access token, signs it with the private key and returns it to the resource management service.
In step 7, if the resource management service holds no DNAT mapping for the client's cloud desktop instance, it configures a DNAT mapping on the public cloud NAT gateway, for example through openAPI.
In step 8, the public cloud NAT gateway returns a configuration-succeeded message to the resource management service.
In step 9, the resource management service sends the access token and the DNAT mapping information to the local NAT gateway.
In step 10, the local NAT gateway forwards the access token and the DNAT mapping information to the WebRTC client.
Signaling flow
When the signaling service and the WebRTC server are integrated in one cloud desktop instance, the signaling traffic reaches the signaling service through the local NAT gateway and the public cloud NAT gateway.
Once the WebRTC client holds the access token, it initiates the signaling flow towards the signaling service. The process essentially follows the standard WebRTC signaling flow, with one difference: before the standard signaling begins, the signaling service verifies the access token with the public key it was given, and if verification fails the whole WebRTC connection is terminated immediately.
In a general-purpose WebRTC system either party may initiate the peer connection. A desktop streaming system differs: the WebRTC client (the user) always initiates the connection to the WebRTC server (the cloud desktop instance) to obtain the desktop. This shows in both the signaling plane and the data plane.
In the signaling plane, the client initiates a TCP (Transmission Control Protocol) connection to the signaling system of the cloud desktop instance. In the data plane, the client initiates a UDP connection to the server, receives the desktop from the remote end (the server) or pushes local video (for example a camera) to it, and at the same time sends local peripheral events (mouse, keyboard) to the remote end over SCTP (Stream Control Transmission Protocol) carried over UDP, the transport WebRTC uses for its data channel.
Therefore the WebRTC client only needs the DNAT mapping of the WebRTC server, not the NAT mapping of its own local network, to complete NAT traversal.
DNAT mapping information can be maintained in two ways: 1) the resource management service maintains all configured DNAT mappings and the client queries it directly (as in Fig. 3 and Fig. 4); 2) the client queries the public cloud NAT gateway for the DNAT mapping directly through openAPI.
Once the client has the DNAT mapping it uses it in two ways: to initiate the signaling flow, i.e. to open the TCP connection to the signaling service, and to pass the DNAT mapping to the server through that signaling flow, so that in the subsequent standard ICE flow the server's public address is exchanged back to the client and the client initiates the peer connection.
The signaling flow therefore includes the ICE flow. In the ICE flow, the WebRTC server exchanges its public address behind the NAT (IP address and port number) by the existing mechanism; this public address is the one the WebRTC client passed to the WebRTC server during signaling.
Because in a desktop streaming system the WebRTC client always initiates the connection to the WebRTC server, the WebRTC client need not exchange its own public address behind the local NAT (IP address and port number) with the WebRTC server during ICE.
NAT traversal is thus achieved without setting up a STUN/TURN service.
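The two uses of the DNAT mapping information described in the DNAT section and in the ICE discussion above, as an added example that is not part of the patent or of the applicant's code: the client resolves, from the gateway's DNAT entries, the public endpoints fronting the instance's signaling (TCP) and media (UDP) ports, and the server, once signaling has delivered the mapping, turns it into the single ICE candidate it needs to advertise. The mapping field names and textual format, the sample addresses (documentation and private ranges), the port numbers, and the rule that the server accepts only a mapping whose private side is its own media socket are assumptions for this example, not from the page.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// DNATMapping is one DNAT entry on the cloud NAT gateway: packets arriving at
// Public are forwarded to Private on the cloud desktop instance. Field names
// are an assumption; the patent speaks of a first IP/port and a second IP/port.
type DNATMapping struct {
	Proto   string         // "tcp" for the signaling port, "udp" for the media port
	Public  netip.AddrPort // address bound to the NAT gateway, e.g. an elastic IP
	Private netip.AddrPort // the instance's own address inside the cloud network
}

// InstanceEndpoints is what the client needs before connecting: the gateway-side
// addresses of the instance's signaling (TCP) and media (UDP) ports.
type InstanceEndpoints struct {
	Signaling netip.AddrPort
	Media     netip.AddrPort
}

// ParseMapping builds a mapping from the textual form an openAPI query or the
// resource management service might return (format assumed for the example).
func ParseMapping(proto, public, private string) (DNATMapping, error) {
	if proto != "tcp" && proto != "udp" {
		return DNATMapping{}, errors.New("protocol must be tcp or udp")
	}
	pub, err := netip.ParseAddrPort(public)
	if err != nil {
		return DNATMapping{}, fmt.Errorf("public address: %w", err)
	}
	priv, err := netip.ParseAddrPort(private)
	if err != nil {
		return DNATMapping{}, fmt.Errorf("private address: %w", err)
	}
	return DNATMapping{Proto: proto, Public: pub, Private: priv}, nil
}

// SampleMappings is a constructed DNAT table: two instances share one elastic
// IP (203.0.113.10); instance 10.0.1.21 has no signaling mapping configured yet.
func SampleMappings() []DNATMapping {
	rows := [][3]string{
		{"tcp", "203.0.113.10:40001", "10.0.1.20:8443"},
		{"udp", "203.0.113.10:40002", "10.0.1.20:50000"},
		{"udp", "203.0.113.10:40003", "10.0.1.21:50000"},
	}
	var out []DNATMapping
	for _, r := range rows {
		m, err := ParseMapping(r[0], r[1], r[2])
		if err != nil {
			panic(err) // constructed data is well-formed
		}
		out = append(out, m)
	}
	return out
}

// ResolveEndpoints picks, for the instance at privateIP, the public endpoints
// fronting its signaling and media ports. It fails closed when either is
// missing, which is the "no mapping yet, configure it first" case of step 7.
func ResolveEndpoints(mappings []DNATMapping, privateIP string, sigPort, mediaPort uint16) (InstanceEndpoints, error) {
	ip, err := netip.ParseAddr(privateIP)
	if err != nil {
		return InstanceEndpoints{}, err
	}
	var ep InstanceEndpoints
	var haveSig, haveMedia bool
	for _, m := range mappings {
		if m.Private.Addr() != ip {
			continue
		}
		switch {
		case m.Proto == "tcp" && m.Private.Port() == sigPort:
			ep.Signaling, haveSig = m.Public, true
		case m.Proto == "udp" && m.Private.Port() == mediaPort:
			ep.Media, haveMedia = m.Public, true
		}
	}
	if !haveSig || !haveMedia {
		return InstanceEndpoints{}, errors.New("no DNAT mapping for the instance's signaling or media port")
	}
	return ep, nil
}

// ServerCandidate runs on the desktop server after signaling has delivered the
// mapping. The mapping is client-supplied input, so the server accepts it only
// if the private side is its own media socket, then advertises the public side
// as a server-reflexive ICE candidate (RFC 8445 priority formula, component 1).
func ServerCandidate(m DNATMapping, ownMedia string) (string, error) {
	own, err := netip.ParseAddrPort(ownMedia)
	if err != nil {
		return "", err
	}
	if m.Proto != "udp" || m.Private != own {
		return "", errors.New("DNAT mapping does not describe this server's media port")
	}
	const typePrefSrflx, localPref, component = 100, 65535, 1
	priority := uint32(typePrefSrflx)<<24 | uint32(localPref)<<8 | uint32(256-component)
	return fmt.Sprintf("candidate:1 1 udp %d %s %d typ srflx raddr %s rport %d",
		priority, m.Public.Addr(), m.Public.Port(), m.Private.Addr(), m.Private.Port()), nil
}

func main() {
	maps := SampleMappings()
	ep, err := ResolveEndpoints(maps, "10.0.1.20", 8443, 50000)
	fmt.Println("client dials", ep.Signaling, "(TCP signaling) and", ep.Media, "(UDP media):", err)
	cand, err := ServerCandidate(maps[1], "10.0.1.20:50000")
	fmt.Println(cand, err)
}
```

The server-side check is the one a reviewer would insist on: the mapping reaches the server over signaling from the client, and a server that advertised whatever it was handed could be made to announce an arbitrary address. Since the client omits its own reflexive candidate, the server learns the client's NAT-translated address from the client's first connectivity check, as a peer-reflexive candidate in standard ICE, which is why no STUN server is needed on the client side either.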
Steps 11 to 18 in Fig. 4 are the signaling flow.
In steps 11 to 13, the WebRTC client sends the signaling connection request to the signaling service via the local NAT gateway and the public cloud NAT gateway.
In steps 14 to 16, the signaling service returns a connection-succeeded message to the WebRTC client via the public cloud NAT gateway and the local NAT gateway.
In step 17, other signaling is exchanged between the WebRTC client and the signaling service.
In step 18, the ICE flow is carried out between the WebRTC client and the signaling service.
Step 19 in Fig. 4 is the desktop connection flow.
In the desktop connection flow, the WebRTC client and the WebRTC server act as UDP client and UDP server respectively, i.e. they communicate over UDP.
During the desktop connection flow, the WebRTC client sends operation data for the cloud desktop instance and/or locally captured data to the WebRTC server, and in response to the client's cloud desktop instance access request the WebRTC server sends cloud desktop instance data to the client.
In summary, by integrating deeply with the public cloud, the WebRTC-based cloud instance desktop streaming system of the present disclosure is lightweight and secure and needs no STUN/TURN service.
Specifically, the present disclosure relies on the public cloud's authentication system to authenticate users and to issue access tokens to legitimate users for the WebRTC connection. For public-network streaming, a public NAT gateway is placed between the WebRTC client and the server, saving many public IP addresses and lowering the customer's costs. Because the public NAT gateway is itself a public cloud product, users can retrieve its NAT mappings; and because in a desktop streaming system the TCP connection in the signaling plane and the UDP connection in the data plane are always initiated by the WebRTC client, NAT traversal works without setting up a STUN/TURN service.
The communication method of the present disclosure can also be implemented as a communication system.
The communication system can comprise a client, a server built on cloud resources, an authentication device and a NAT gateway. The server provides the client with a cloud desktop instance. The authentication device provides the client with an authentication service that decides whether the client has access rights to the cloud desktop instance; it can be built on cloud resources, for example provided by the cloud.
The NAT gateway provides network address translation for the cloud desktop instance. It is located in the cloud, for example a public cloud NAT gateway.
The client first obtains the access token and the DNAT mapping information, then establishes a connection to the server based on them. It can obtain them in several ways: for example, the authentication device can deliver the access token to the client directly, while the client actively queries the DNAT mapping information through an open interface.
As an example, the communication system can further comprise a resource management device, created for the client to provide resource management services, i.e. to manage the customer's resources in the cloud (for example a public cloud). The resource management device can be deployed on the client or independently of it.
The resource management device can obtain the access token and the DNAT mapping information and send them to the client, so that the client can connect to the server and access the cloud desktop instance. The resource management device can obtain the access token from the authentication device.
As an example, the communication system can further comprise a network management device that determines the DNAT mapping information and sends it to the resource management device, or an open interface that provides a DNAT query service. The resource management device or the client can obtain the DNAT mapping information through the open interface; for example, the client can obtain it through the open interface and send it to the resource management device for safekeeping.
Fig. 5 is a schematic structural diagram of a computing device that can implement the above communication method according to one embodiment of the present disclosure.
Referring to Fig. 5, the computing device 500 comprises a memory 510 and a processor 520.
The processor 520 can be a multi-core processor or comprise several processors. In some embodiments, the processor 520 comprises a general-purpose main processor and one or more special-purpose co-processors such as a graphics processing unit (GPU) or a digital signal processor (DSP). In some embodiments, the processor 520 is implemented with custom circuitry such as an application-specific integrated circuit (ASIC) or a field-programmable gate array (FPGA).
The memory 510 can comprise various types of storage units such as system memory, read-only memory (ROM) and persistent storage. The ROM can store static data or instructions needed by the processor 520 or other modules of the computer. The persistent storage can be a read-write storage device, and a non-volatile one that keeps stored instructions and data when the computer loses power. In some embodiments the persistent storage is a mass storage device (for example a magnetic or optical disk or flash memory); in others it is a removable storage device (for example a floppy disk or optical drive). The system memory can be a read-write storage device or a volatile read-write storage device such as dynamic random access memory, and can hold some or all of the instructions and data the processor needs at run time. The memory 510 can further comprise any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory); magnetic disks and/or optical disks can also be used. In some embodiments, the memory 510 comprises readable and/or writable removable storage such as compact discs (CD), read-only digital versatile discs (for example DVD-ROM, dual-layer DVD-ROM), read-only Blu-ray discs, ultra-density optical discs, flash memory cards (for example SD, mini SD and Micro-SD cards) and magnetic floppy disks. Computer-readable storage media do not include carrier waves or transient electronic signals transmitted over wireless or wired links.
Executable code is stored in the memory 510; when processed by the processor 520 it causes the processor 520 to perform the communication method described above.
The communication method, system and computing device according to the present disclosure have been described in detail above with reference to the drawings.
In addition, the method according to the present invention can also be implemented as a computer program or computer program product comprising computer program code instructions for performing the steps defined in the above method of the present invention.
Alternatively, the present invention can be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) storing executable code (or a computer program, or computer instruction code) which, when executed by a processor of an electronic device (or computing device, server, etc.), causes the processor to perform the steps of the above method according to the present invention.
Those skilled in the art will also appreciate that the various exemplary logical blocks, modules, circuits and algorithm steps described in connection with the disclosure herein can be implemented as electronic hardware, computer software, or a combination of both.
The flowcharts and block diagrams in the drawings illustrate the architecture, functionality and operation of possible implementations of systems and methods according to various embodiments of the present invention. Each block in a flowchart or block diagram may represent a module, program segment or portion of code that contains one or more executable instructions for implementing the specified logical function. In some alternative implementations, the functions noted in a block may occur out of the order noted in the drawings; for example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved. Each block of the block diagrams and/or flowcharts, and combinations of blocks in them, can be implemented by a special-purpose hardware-based system that performs the specified functions or operations, or by a combination of special-purpose hardware and computer instructions.
The embodiments of the present invention have been described above. The description is exemplary, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, their practical application or their improvement over technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (13)

  1. A communication method for a cloud desktop, wherein a server that provides cloud desktop instances to a client is built on cloud resources, the method comprising:
    generating an access token for the client using an authentication service in the cloud resources;
    determining DNAT mapping information, the DNAT mapping information characterizing the mapping relationship between the private network address of the server and the public network address of a NAT gateway in the cloud resources that is associated with the server;
    sending the access token and the DNAT mapping information to the client, so that the client establishes a connection with the server based on the access token and the DNAT mapping information in order to access the cloud desktop instance.
  2. The method according to claim 1, further comprising:
    providing a resource management device for providing resource management services to the client,
    wherein the step of sending the access token and the DNAT mapping information to the client comprises: sending the access token and/or the DNAT mapping information to the resource management device, and sending, by the resource management device, the access token and/or the DNAT mapping information to the client.
  3. The method according to claim 1, further comprising:
    providing an open interface for providing a DNAT mapping information query service,
    wherein the step of sending the access token and the DNAT mapping information to the client comprises: in response to receiving a DNAT mapping query request sent by the client through the open interface, sending the DNAT mapping information to the client.
  4. The method according to claim 1, wherein the step of generating the access token for the client using the authentication service in the cloud resources comprises:
    in response to receiving an access request for a cloud desktop instance sent by the client, verifying the legitimacy of the client's identity by the authentication service in the cloud resources;
    if the verification result is that the client's identity is legitimate, generating the access token.
  5. The method according to claim 1, wherein, before the access token is sent to the client, the method further comprises:
    generating, by the authentication service, a key pair comprising a public key and a private key;
    sending the public key to a signaling service corresponding to the cloud desktop instance;
    signing the access token with the private key,
    wherein the step of sending the access token and the DNAT mapping information to the client comprises: sending the signed access token to the client.
  6. The method according to claim 5, further comprising:
    in response to a signaling procedure initiated by the client towards the signaling service based on the DNAT mapping information and the access token, verifying the validity of the access token by the signaling service based on the public key;
    if the verification result is that the access token is valid, passing the DNAT mapping information to the server through the signaling service, and executing the signaling procedure to negotiate the parameters involved in establishing the connection between the client and the server.
  7. The method according to claim 6, further comprising:
    after the signaling procedure has completed, in response to the client initiating an access request to the server, sending, by the server, cloud desktop instance data to the client, and/or obtaining operation data for the cloud desktop instance and/or locally collected data sent by the client.
  8. A communication system for a cloud desktop, comprising:
    a client;
    a server built on cloud resources, for providing cloud desktop instances to the client;
    an authentication device, for generating an access token for the client; and
    a NAT gateway, for providing a network address translation service for the server,
    wherein the client obtains the access token and DNAT mapping information and establishes a connection with the server based on the access token and the DNAT mapping information, the DNAT mapping information characterizing the mapping relationship between the private network address of the server and the public network address of the NAT gateway.
  9. The system according to claim 8, further comprising:
    a resource management device for obtaining the access token and the DNAT mapping information and sending the access token and the DNAT mapping information to the client.
  10. The communication system according to claim 9, wherein
    the communication system further comprises a network management device for determining the DNAT mapping information and sending the DNAT mapping information to the resource management device, or
    the communication system further comprises an open interface for providing a DNAT query service, so that the resource management device or the client obtains the DNAT mapping information through the open interface.
  11. A computing device, comprising:
    a processor; and
    a memory on which executable code is stored, which, when executed by the processor, causes the processor to perform the method according to any one of claims 1 to 7.
  12. A computer program product comprising executable code which, when executed by a processor of an electronic device, causes the processor to perform the method according to any one of claims 1 to 7.
  13. A non-transitory machine-readable storage medium on which executable code is stored, which, when executed by a processor of an electronic device, causes the processor to perform the method according to any one of claims 1 to 7.
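The token issuance and signaling-side check of claims 5 and 6, as an added example in Go that is not part of the patent: the authentication service signs the access token with the private half of a key pair, the signaling service holds only the public half, and the DNAT mapping information is released to the server only after the signature verifies. The use of Ed25519, the token fields, the expiry and instance-binding checks, and the sample addresses are assumptions of this example, not details stated in the claims.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// DNATMapping is the claims' "DNAT mapping information" (server private address, NAT gateway public address); SignedToken is what the client presents to the signaling service.
type DNATMapping struct{ PrivateAddr, PublicAddr string }
type SignedToken struct{ Payload, Signature []byte }

// AccessToken is the payload the authentication service signs. The claims fix no
// token format, so these fields are assumed; ExpiresAt is an added safeguard.
type AccessToken struct {
	ClientID   string `json:"client_id"`
	InstanceID string `json:"instance_id"`
	ExpiresAt  int64  `json:"exp"` // Unix seconds
}

// IssueToken models the authentication service of claim 5: serialize the token and
// sign it with the private key; only the public key is handed to the signaling service.
func IssueToken(priv ed25519.PrivateKey, tok AccessToken) (SignedToken, error) {
	payload, err := json.Marshal(tok)
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// HandleSignaling models the signaling service of claim 6: holding only the public
// key, it verifies the token and only then passes the DNAT mapping on to the server.
// The expiry and instance-binding checks go beyond what the claims state.
func HandleSignaling(pub ed25519.PublicKey, st SignedToken, m DNATMapping,
	instance string, now time.Time) (DNATMapping, error) {
	if !ed25519.Verify(pub, st.Payload, st.Signature) {
		return DNATMapping{}, errors.New("access token signature invalid")
	}
	var tok AccessToken
	if err := json.Unmarshal(st.Payload, &tok); err != nil {
		return DNATMapping{}, err
	}
	if now.Unix() >= tok.ExpiresAt || tok.InstanceID != instance {
		return DNATMapping{}, errors.New("access token expired or not issued for this instance")
	}
	return m, nil // signaling may now negotiate the connection parameters (claim 6)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	st, _ := IssueToken(priv, AccessToken{"client-1", "desk-1", time.Now().Add(time.Minute).Unix()})
	m := DNATMapping{"10.0.0.5:3389", "203.0.113.10:40000"} // constructed sample mapping
	fmt.Println(HandleSignaling(pub, st, m, "desk-1", time.Now()))
}
```

Because the signaling service never holds the private key, a compromised signaling host cannot mint tokens of its own; it can only accept or reject those the authentication service issued.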
Applications Claiming Priority (2)

Application Number    Priority Date   Filing Date   Title
CN202210209649.9A     2022-03-03      2022-03-03    Communication method and system for cloud desktop (published as CN114915420B)
CN202210209649.9      2022-03-03

Publications (1)

Publication Number   Publication Date
WO2023165321A1       2023-09-07

Family

ID=82762969

Family Applications (1)

Application Number   Priority Date   Filing Date   Title
PCT/CN2023/075653    2022-03-03      2023-02-13    Communication method and system for cloud desktop (published as WO2023165321A1)

Country Status (2)

Country   Link
CN (1)    CN114915420B
WO (1)    WO2023165321A1

Also Published As

Publication Number   Publication Date
CN114915420A         2022-08-16
CN114915420B         2024-04-26

Legal Events

Code   Title
121    Ep: the epo has been informed by wipo that ep was designated in this application
       Ref document number: 23762722; Country of ref document: EP; Kind code of ref document: A1