WO2024067338A1 - Cloud networking system, secure access method, and device and storage medium - Google Patents


Info

Publication number
WO2024067338A1
Authority
WO
WIPO (PCT)
Prior art keywords
gwlb
vpc
security
message
tunnel
Application number
PCT/CN2023/120291
Other languages
French (fr)
Chinese (zh)
Inventor
穆立超
彭觅
Original Assignee
杭州阿里云飞天信息技术有限公司
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided in the embodiments of the present application are a cloud networking system, a secure access method, and a device and a storage medium. In the embodiments of the present application, a security control VPC is introduced to a TR-based networking system, a GWLB is used in the security control VPC, and the GWLB is used as an exposed object for providing a security service to the outside; since the GWLB and a TR are not located in the same plane, a new product object, i.e., a GWLB attachment, is further added to the networking system to serve as a routing medium between the TR and the GWLB, thereby realizing the interconnection between the TR and the GWLB; and the TR is configured with security routing information which is directed towards the GWLB attachment by default, such that a security service can be provided while two client VPCs corresponding to the security routing information perform service access, thereby realizing secure mutual access, and solving the security problem when the client VPCs perform mutual access in a TR networking scenario. Furthermore, the present application also facilitates the simplification of access implementation of the security service in the TR networking scenario, and a traffic forwarding path is relatively short, thereby facilitating the reduction of a transmission delay on the path.

Description

Cloud networking system, secure access method, device and storage medium
This application claims priority to the Chinese patent application filed with the China Patent Office on September 26, 2022, with application number 202211177346.X and titled "Cloud Networking System, Secure Access Method, Device and Storage Medium", the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of cloud computing technology, and in particular to a cloud networking system, a secure access method, a device, and a storage medium.
Background
With the development of cloud computing technology, users can build their own virtual private cloud (VPC) on the cloud network. A VPC is an isolated virtual network environment that allows users to manage their own configuration and policies; different VPCs are isolated from each other to keep data and services secure.
In practice, different VPCs may need to communicate with each other, which is why the transit router (TR) appeared. Through a TR, different VPCs can be interconnected and the services in them can access each other; this is referred to as the TR networking scenario.
However, the original purpose of a VPC is security isolation. Once different VPCs are interconnected and their services can access each other, the security of the VPC is effectively downgraded. The TR networking scenario therefore faces the problem of how to secure cross-VPC mutual access.
Summary of the invention
Multiple aspects of the present application provide a cloud networking system, a secure access method, a device, and a storage medium, to solve the security problem faced by the TR networking scenario when VPCs access each other.
An embodiment of the present application provides a cloud networking system, including: a transit router (TR), and multiple customer virtual private clouds (VPCs) interconnected with the TR; the multiple customer VPCs perform service mutual access through the TR. The cloud networking system further includes a security control VPC, which contains a gateway-type load balancing device (GWLB) and multiple security service nodes interconnected with the GWLB, used to provide security services to the outside. A GWLB connection component is also deployed in the cloud networking system; it serves as the routing medium between the TR and the GWLB and is interconnected with both. The TR is configured with at least one piece of security routing information that points to the GWLB connection component by default, so that during service access between the two customer VPCs corresponding to each piece of security routing information, the security service nodes in the security control VPC provide security services for that service access through the GWLB connection component and the GWLB.
An embodiment of the present application also provides a secure access method applied to the transit router (TR) in a cloud networking system. The method includes: receiving a first tunnel message from any customer VPC in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which that customer VPC requests a target service from another customer VPC; and, if the routing information corresponding to the first tunnel message belongs to the security routing information, sending the first tunnel message to the GWLB connection component in the cloud networking system, so that the GWLB in the security control VPC has a security service node in the security control VPC perform security authentication on the original message. The security routing information points to the GWLB connection component; the GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with both, and the GWLB is interconnected with the security service nodes.
An embodiment of the present application also provides a secure access method applied to the gateway-type load balancing device (GWLB) connection component in a cloud networking system. The method includes: receiving a first tunnel message sent by the transit router (TR) in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which any customer VPC in the cloud networking system requests a target service from another customer VPC; parsing the original message out of the first tunnel message; and sending the original message to the GWLB in the security control VPC, so that the GWLB load-balances the original message onto a security service node in the security control VPC for security authentication. The GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with both, and the GWLB is interconnected with the security service nodes.
An embodiment of the present application also provides a secure access method applied to the virtual private cloud (VPC) connection component in a cloud networking system. The method includes: receiving an original message from a client in the customer VPC where the component resides, requesting access to a target service; encapsulating the original message into a first tunnel message according to pre-configured routing information pointing to the transit router (TR); and sending the first tunnel message to the TR, to perform service mutual access through the TR with the other customer VPC that provides the target service.
An embodiment of the present application provides a secure access device, which may be implemented in the transit router (TR) of a cloud networking system. The device includes: a storage module, used to store at least one piece of security routing information that points by default to the gateway-type load balancing device (GWLB) connection component in the cloud networking system; a receiving module, used to receive a first tunnel message from any customer VPC in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which that customer VPC requests a target service from another customer VPC; and a sending module, used to send the first tunnel message to the GWLB connection component when the routing information corresponding to the first tunnel message belongs to the security routing information, so that the GWLB in the security control VPC has a security service node in the security control VPC perform security authentication on the original message. The GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with both, and the GWLB is interconnected with the security service nodes.
An embodiment of the present application provides a transit router applicable to a cloud networking system, including a memory and a processor. The memory is used to store a computer program and at least one piece of security routing information that points by default to the gateway-type load balancing device (GWLB) connection component in the cloud networking system; the processor, coupled to the memory, is used to execute the computer program in order to perform the steps of the methods provided in the embodiments of the present application that can be executed by the transit router.
An embodiment of the present application provides a secure access device, which may be implemented in the gateway-type load balancing device (GWLB) connection component of a cloud networking system. The device includes: a receiving module, used to receive a first tunnel message sent by the transit router (TR) in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which any customer VPC in the cloud networking system requests a target service from another customer VPC; a decapsulation module, used to parse the original message out of the first tunnel message; and a sending module, used to send the original message to the GWLB in the security control VPC, so that the GWLB load-balances the original message onto a security service node in the security control VPC for security authentication. The GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with both, and the GWLB is interconnected with the security service nodes.
An embodiment of the present application provides a cloud computing device, which may be implemented as the gateway-type load balancing device (GWLB) connection component in a cloud networking system, including a memory and a processor. The memory is used to store a computer program; the processor, coupled to the memory, is used to execute the computer program in order to perform the steps of the methods provided in the embodiments of the present application that can be executed by the GWLB connection component.
An embodiment of the present application provides a cloud computing device, which may be implemented as the virtual private cloud (VPC) connection component in a cloud networking system, including a memory and a processor. The memory is used to store a computer program; the processor, coupled to the memory, is used to execute the computer program in order to perform the steps of the methods provided in the embodiments of the present application that can be executed by the VPC connection component.
An embodiment of the present application provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, the processor is enabled to implement the steps of each method provided in the embodiments of the present application.
In the embodiments of the present application, a security control VPC is introduced into a TR-based networking system, a GWLB is used in the security control VPC, and the GWLB serves as the exposed object that provides security services to the outside. Since the GWLB and the TR are not on the same plane, a new product object, the GWLB connection component, is further added to the networking system as the routing medium between the TR and the GWLB, realizing their interconnection. By configuring security routing information on the TR that points to the GWLB connection component by default, a security service can be provided while the two customer VPCs corresponding to that security routing information perform service access, achieving secure mutual access and solving the security problem faced when customer VPCs access each other in the TR networking scenario.
In addition, in the embodiments of the present application, adding the GWLB connection component directly between the TR and the GWLB simplifies the access implementation of security services in the TR networking scenario. Mutual access traffic between customer VPCs only needs to flow through the TR and the GWLB connection component into the GWLB to use the security service, so the traffic forwarding path is short, which helps reduce the transmission delay on the path.
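The forwarding decision described above (ordinary routes to customer VPC attachments, security routing information on the TR that steers a VPC pair's traffic to the GWLB attachment, and the GWLB spreading that traffic over security service nodes) can be modelled in a few classes. The following is an added illustration, not code from the patent or from any cloud provider's product. Everything in it is constructed for the example: the attachment identifiers, the addresses and CIDRs, the deny-list that stands in for "security authentication", the five-tuple hash used for node selection, and the assumption that the security route is keyed by (source attachment, destination prefix) and that an allowed packet then continues to the destination VPC attachment.

```python
"""Model of TR -> GWLB attachment -> GWLB -> security node forwarding (added example, constructed data)."""
import hashlib
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Original message five-tuple as emitted by the client."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "TCP" or "UDP"


@dataclass
class SecurityNode:
    """One security service node behind the GWLB; performs the security authentication."""
    name: str
    deny: set                                   # constructed policy: set of (dst_ip, dst_port)
    seen: list = field(default_factory=list)    # packets this node inspected

    def authenticate(self, pkt: Packet) -> bool:
        self.seen.append(pkt)
        return (pkt.dst_ip, pkt.dst_port) not in self.deny


class GWLB:
    """Gateway load balancer: hashes the original five-tuple so one flow always lands on one node."""
    def __init__(self, nodes):
        if not nodes:
            raise ValueError("GWLB needs at least one security node")
        self.nodes = list(nodes)

    def pick(self, pkt: Packet) -> SecurityNode:
        key = f"{pkt.src_ip}:{pkt.src_port}>{pkt.dst_ip}:{pkt.dst_port}/{pkt.proto}".encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(self.nodes)
        return self.nodes[idx]

    def handle(self, pkt: Packet):
        node = self.pick(pkt)
        return node.authenticate(pkt), node.name


@dataclass(frozen=True)
class VpcRoute:
    dst_cidr: str
    attachment: str          # VPC attachment id of the destination customer VPC


@dataclass(frozen=True)
class SecurityRoute:
    """Security routing information: traffic from src_attachment to dst_cidr goes via the GWLB attachment."""
    src_attachment: str
    dst_cidr: str
    next_hop: str            # GWLB attachment id (the default next hop for this information)


class TransitRouter:
    def __init__(self, vpc_routes, security_routes, gwlb_attachments):
        # longest prefix first for the destination lookup
        self.vpc_routes = sorted(vpc_routes, key=lambda r: ip_network(r.dst_cidr).prefixlen, reverse=True)
        self.security_routes = list(security_routes)
        self.gwlb_attachments = dict(gwlb_attachments)   # GWLB attachment id -> GWLB it fronts

    def lookup(self, dst_ip: str):
        dst = ip_address(dst_ip)
        return next((r for r in self.vpc_routes if dst in ip_network(r.dst_cidr)), None)

    def security_route_for(self, src_attachment: str, dst_ip: str):
        dst = ip_address(dst_ip)
        return next((r for r in self.security_routes
                     if r.src_attachment == src_attachment and dst in ip_network(r.dst_cidr)), None)

    def forward(self, pkt: Packet, src_attachment: str) -> str:
        target = self.lookup(pkt.dst_ip)
        if target is None:
            return "drop:no-route"
        sec = self.security_route_for(src_attachment, pkt.dst_ip)
        if sec is None:
            return f"direct->{target.attachment}"            # no security routing information: plain TR forwarding
        allowed, node = self.gwlb_attachments[sec.next_hop].handle(pkt)
        if not allowed:
            return f"denied@{node}"
        return f"inspected@{node}->{target.attachment}"       # assumption: allowed traffic continues to the destination


def build_demo() -> TransitRouter:
    """Constructed topology: VPC 11 -> VPC 12 is protected, VPC 11 -> VPC 13 is not."""
    policy = {("10.2.0.10", 22)}   # constructed: block SSH to one server in VPC 12
    gwlb = GWLB([SecurityNode("node-a", policy), SecurityNode("node-b", policy)])
    return TransitRouter(
        vpc_routes=[VpcRoute("10.1.0.0/16", "vpc-att-11"),
                    VpcRoute("10.2.0.0/16", "vpc-att-12"),
                    VpcRoute("10.3.0.0/16", "vpc-att-13")],
        security_routes=[SecurityRoute("vpc-att-11", "10.2.0.0/16", "gwlb-att-1")],
        gwlb_attachments={"gwlb-att-1": gwlb},
    )


if __name__ == "__main__":
    tr = build_demo()
    for p in (Packet("10.1.0.5", 40000, "10.2.0.10", 443, "TCP"),
              Packet("10.1.0.5", 40001, "10.2.0.10", 22, "TCP"),
              Packet("10.1.0.5", 40002, "10.3.0.7", 80, "TCP")):
        print(p.dst_ip, p.dst_port, "->", tr.forward(p, "vpc-att-11"))
```

The point to check in such a design is the one the summary makes implicitly: only the VPC pairs named in the security routing information pass through the security nodes, so a pair that is missing from it (VPC 11 to VPC 13 here) is forwarded by the TR without inspection.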
BRIEF DESCRIPTION OF THE DRAWINGS
The drawings described herein are provided to give a further understanding of the present application and form a part of it. The illustrative embodiments of the present application and their descriptions serve to explain the present application and do not constitute an improper limitation on it. In the drawings:
FIG. 1a is a schematic structural diagram of a cloud networking system provided by an exemplary embodiment of the present application;
FIG. 1b is a schematic structural diagram of another cloud network system provided by an exemplary embodiment of the present application;
FIG. 2a is a schematic flow chart of a secure access method provided by an exemplary embodiment of the present application;
FIG. 2b is a schematic flow chart of another secure access method provided by an exemplary embodiment of the present application;
FIG. 2c is a schematic flow chart of yet another secure access method provided by an exemplary embodiment of the present application;
FIG. 3a is a schematic structural diagram of a secure access device provided by an exemplary embodiment of the present application;
FIG. 3b is a schematic structural diagram of another secure access device provided by an exemplary embodiment of the present application;
FIG. 3c is a schematic structural diagram of yet another secure access device provided by an exemplary embodiment of the present application;
FIG. 4 is a schematic structural diagram of a transit router provided by an exemplary embodiment of the present application.
Detailed description of the embodiments
In order to make the purpose, technical solution and advantages of the present application clearer, the technical solution of the present application is described clearly and completely below in combination with specific embodiments of the present application and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.
The existing TR networking scenario faces the problem of how to secure cross-VPC mutual access. To address this technical problem, in the embodiments of the present application a security control VPC is introduced into the TR-based networking system, a GWLB is used in the security control VPC, and the GWLB serves as the exposed object that provides security services to the outside. Since the GWLB and the TR are not on the same plane, a new product object, the GWLB connection component, is further added to the networking system as the routing medium between the TR and the GWLB, realizing their interconnection. By configuring security routing information on the TR that points to the GWLB connection component by default, a security service can be provided while the two customer VPCs corresponding to that security routing information perform service access, achieving secure mutual access and solving the security problem faced when customer VPCs access each other in the TR networking scenario.
In addition, in the embodiments of the present application, adding the GWLB connection component directly between the TR and the GWLB simplifies the access implementation of security services in the TR networking scenario. Mutual access traffic between customer VPCs only needs to flow through the TR and the GWLB connection component into the GWLB to use the security service, so the traffic forwarding path is short, which helps reduce the transmission delay on the path.
The technical solutions provided by the various embodiments of the present application are described in detail below with reference to the accompanying drawings.
图1a为本申请示例性实施例提供的一种云组网系统的结构示意图。如图1a所示,该系统100包括:转发路由器(Transit Router,TR)10,以及与TR 10互联的多个客户VPC(CustomerVPC)。在图1a中,以两个客户VPC为例进行图示,分别是客户VPC 11和客户VPC 12。FIG1a is a schematic diagram of the structure of a cloud networking system provided by an exemplary embodiment of the present application. As shown in FIG1a , the system 100 includes: a transit router (TR) 10, and a plurality of customer VPCs (Customer VPCs) interconnected with TR 10. In FIG1a , two customer VPCs are illustrated as an example, namely, customer VPC 11 and customer VPC 12.
在本实施例中,TR 10是指具有流量转发功能的网元实例,可以在不同网络实例之间进行流量转发。在本申请实施例中,网络实例主要指客户VPC,但并不限于此,例如还可以是边界路由器(Virtual Border Router,VBR)实例,或者云连接网(Cloud Connect Network,CCN)实例。需要说明的是,本实施例中通过TR互联的客户VPC可以位于同一区域(Region)内,也可以位于不同区域内,也就是说,TR可以转发同区域内或不同区域间的流量。需要说明的是,TR可以有多种实现形态,除了可以实现为路由器形态之外,还可以实现为网关形态,例如可以具体实现为转发网关(Transit Gateway,TGW),在图1a中以TGW 为例进行图示。在本实施例中,TR 10为了实现不同客户VPC的互联和流量转发,至少具有与客户VPC互联、支持路由表、以及允许添加路由条目或路由策略等丰富的网络互通和路由管理功能。In this embodiment, TR 10 refers to a network element instance with a traffic forwarding function, which can forward traffic between different network instances. In the embodiment of the present application, the network instance mainly refers to the customer VPC, but is not limited to this. For example, it can also be a border router (Virtual Border Router, VBR) instance, or a Cloud Connect Network (Cloud Connect Network, CCN) instance. It should be noted that in this embodiment, the customer VPCs interconnected by TR can be located in the same region (Region) or in different regions. In other words, TR can forward traffic within the same region or between different regions. It should be noted that TR can have multiple implementation forms. In addition to being implemented as a router, it can also be implemented as a gateway form. For example, it can be specifically implemented as a forwarding gateway (Transit Gateway, TGW). In Figure 1a, TGW is used In this embodiment, in order to realize the interconnection and traffic forwarding of different customer VPCs, TR 10 has at least rich network interconnection and routing management functions such as interconnection with customer VPCs, support for routing tables, and allowing the addition of routing entries or routing policies.
在本实施例中,客户VPC是一种VPC,VPC是采用虚拟化技术在物理网络上构建出的逻辑隔离的网络环境。其中,物理网络包括各种物理资源,例如,物理机、交换机或网关等。一个区域中的物理资源上可以部署一个或多个客户VPC,同一客户VPC通常部署在一个区域中。每个客户VPC中包括至少一个计算节点,该计算节点可以是弹性计算服务(Elastic Compute Service,ECS)实例、裸金属服务器、虚拟机等,在一个区域中部署客户VPC,具体是指,在该区域中的物理机上部署客户VPC中的计算节点。这些计算节点上可以部署各种服务,可选地,同一VPC中可以部署一种服务,也可以部署多种服务,对此不做限定。另外,同一VPC中的同一种服务,可以由多个服务实例提供,也可以由一个服务实例提供。可选地,可提供服务的服务实例可以是部署于计算节点上的容器、虚拟机或应用等。In this embodiment, the customer VPC is a VPC, which is a logically isolated network environment built on a physical network using virtualization technology. The physical network includes various physical resources, such as physical machines, switches, or gateways. One or more customer VPCs can be deployed on the physical resources in a region, and the same customer VPC is usually deployed in one region. Each customer VPC includes at least one computing node, which can be an Elastic Compute Service (ECS) instance, a bare metal server, a virtual machine, etc. Deploying a customer VPC in a region specifically refers to deploying computing nodes in the customer VPC on physical machines in the region. Various services can be deployed on these computing nodes. Optionally, one service or multiple services can be deployed in the same VPC, and there is no limitation on this. In addition, the same service in the same VPC can be provided by multiple service instances or by one service instance. Optionally, the service instance that can provide the service can be a container, a virtual machine, or an application deployed on a computing node.
这些客户VPC可以位于同一区域,也可以位于不同区域;每个区域包括一个或多个可用区(Azone),对于位于同一区域内的客户VPC,可以位于同一可用区内,也可以分布在不同的可用区内。另外,对同一客户VPC,其可以位于同一区域中的同一可用区内,也可以分布在同一区域的不同可用区内,即跨可用区实现;或者,也可以跨区域实现,即同一客户VPC分布在不同的区域中,具体可以分布在不同区域的不同可用区内。在本实施例中,对于同一客户VPC分布在一个或多个可用区的情况,也可以称为该客户VPC包括至少一个可用区。在图1a中,客户VPC 11包括两个可用区AZ1和AZ2,也就是说,客户VPC 11分布在可用区AZ1和AZ2中;相应地,客户VPC 12包括两个可用区AZ3和AZ4,也就是说,客户VPC 12分布在两个可用区AZ3和AZ4中。These customer VPCs can be located in the same region or in different regions; each region includes one or more availability zones (Azone). For customer VPCs located in the same region, they can be located in the same availability zone or distributed in different availability zones. In addition, for the same customer VPC, it can be located in the same availability zone in the same region, or distributed in different availability zones in the same region, that is, implemented across availability zones; or, it can also be implemented across regions, that is, the same customer VPC is distributed in different regions, specifically, it can be distributed in different availability zones in different regions. In this embodiment, for the case where the same customer VPC is distributed in one or more availability zones, it can also be said that the customer VPC includes at least one availability zone. In Figure 1a, customer VPC 11 includes two availability zones AZ1 and AZ2, that is, customer VPC 11 is distributed in availability zones AZ1 and AZ2; correspondingly, customer VPC 12 includes two availability zones AZ3 and AZ4, that is, customer VPC 12 is distributed in two availability zones AZ3 and AZ4.
在本实施例中,为了满足更大范围的组网需求,例如企业级的组网需求,需要多个客户VPC之间进行互联。具体地,多个客户VPC之间通过TR 10进行互联,并且可以通过TR 10进行服务互访。如图1a所示,客户VPC 11和客户VPC 12通过TR 10互联。在本实施例中,TR 10不属于客户VPC,它属于系统层面的网元实例,可选地,可以部署在云组网系统100的系统VPC中。考虑到TR 10与客户VPC不在同一平面,一个属于系统VPC,一个是客户VPC,为了实现客户VPC与TR 10之间的互联,本申请实施例提出一种产品对象,即VPC连接组件(VPCAttachment),VPC连接组件被部署在客户VPC中,并被挂载到TR 10下面,用于与TR 10互联,进而实现其所在客户VPC与TR 10之间的互联。如图1a所示,客户VPC 11中部署有VPC连接组件11a,客户VPC 12中部署有VPC连接组件12a,且VPC连接组件11a和VPC连接组件12a分别与TR 10互联。其中,将VPC连接组件挂载到TR 10下面是指在TR 10上添加VPC连接组件的标识,建立TR 10与VPC连接组件之间的绑定关系。另外,为了达到多个客户VPC之间通过TR 10进行互联的目的,在VPC连接组件上配置有默认指向TR 10的路由信息,基于该路由信息,客户VPC中到 达VPC连接组件的所有报文会被发送给TR 10。当然,在将报文发送给TR 10之前,还可以采用客户VPC使用的隧道协议对报文进行隧道封装。为了便于区分和描述,在本申请实施例中,将隧道封装之前的报文称为原始报文,将经过隧道封装后的报文称为隧道报文。也就是说,VPC连接组件不仅具有路由功能还具有隧道封装和解封装功能。In this embodiment, in order to meet a wider range of networking requirements, such as enterprise-level networking requirements, multiple customer VPCs need to be interconnected. Specifically, multiple customer VPCs are interconnected through TR 10, and services can be accessed through TR 10. As shown in Figure 1a, customer VPC 11 and customer VPC 12 are interconnected through TR 10. In this embodiment, TR 10 does not belong to the customer VPC, it belongs to the network element instance at the system level, and can be optionally deployed in the system VPC of the cloud networking system 100. Considering that TR 10 and customer VPC are not on the same plane, one belongs to the system VPC and the other is the customer VPC. In order to realize the interconnection between customer VPC and TR 10, the embodiment of the present application proposes a product object, namely VPC connection component (VPCAttachment). The VPC connection component is deployed in the customer VPC and mounted under TR 10 for interconnection with TR 10, thereby realizing the interconnection between the customer VPC and TR 10. As shown in FIG. 
1a, a VPC connection component 11a is deployed in customer VPC 11, and a VPC connection component 12a is deployed in customer VPC 12, and VPC connection component 11a and VPC connection component 12a are interconnected with TR 10 respectively. Mounting the VPC connection component under TR 10 means adding the identifier of the VPC connection component to TR 10 and establishing a binding relationship between TR 10 and the VPC connection component. In addition, in order to achieve the purpose of interconnecting multiple customer VPCs through TR 10, the VPC connection component is configured with default routing information pointing to TR 10. Based on the routing information, the customer VPC to TR 10 can be connected to the VPC connection component. All messages reaching the VPC connection component will be sent to TR 10. Of course, before sending the message to TR 10, the message can also be tunnel-encapsulated using the tunnel protocol used by the customer VPC. For the convenience of distinction and description, in the embodiment of the present application, the message before tunnel encapsulation is called the original message, and the message after tunnel encapsulation is called the tunnel message. In other words, the VPC connection component not only has a routing function but also has a tunnel encapsulation and decapsulation function.
在本实施例中,每个客户VPC具有自己可用的IP地址网段,该客户VPC内的服务实例可以从该客户VPC的IP地址网段中分配IP地址。从访问角色的角度,对客户VPC中的服务实例进行划分,将发起访问请求的服务实例称为客户端(client),将提供服务的服务实例称为服务端(Server)。在图1a中,客户VPC 11中的可用区AZ1中包括客户端(client),客户VPC 12中的可用区AZ4中包括服务端(Server),且客户VPC 11中的客户端可以通过TR 10访问客户VPC 12中的服务端提供的服务,为便于描述,将客户VPC 12中的服务端提供的服务称为目标服务。在基于TR实现互联的情况下,客户VPC 11中的客户端可以通过TR 10访问客户VPC 12中的服务端提供的目标服务,该服务访问过程如图1a所示,包括:In this embodiment, each customer VPC has its own available IP address network segment, and the service instances in the customer VPC can be allocated IP addresses from the IP address network segment of the customer VPC. From the perspective of access roles, the service instances in the customer VPC are divided, and the service instance that initiates the access request is called the client (client), and the service instance that provides the service is called the server (Server). In Figure 1a, the availability zone AZ1 in the customer VPC 11 includes the client (client), and the availability zone AZ4 in the customer VPC 12 includes the server (Server), and the client in the customer VPC 11 can access the service provided by the server in the customer VPC 12 through TR 10. For the convenience of description, the service provided by the server in the customer VPC 12 is called the target service. In the case of interconnection based on TR, the client in the customer VPC 11 can access the target service provided by the server in the customer VPC 12 through TR 10. The service access process is shown in Figure 1a, including:
Step 1: The client in customer VPC 11 sends an original message for accessing the target service to VPC connection component 11a in customer VPC 11. The original message may be a service request, but is not limited to this.
In this embodiment, the original message sent by the client carries five-tuple information: the source IP address is the client's IP address, the source port number is the client's port number, the destination IP address is the IP address of the target service (or server), the destination port number is the port number of the target service (or server), and the transport protocol may be TCP or UDP; the embodiment of the present application does not limit this.
Step 2: VPC connection component 11a receives the original message sent by the client, encapsulates the original message into a first tunnel message based on its locally pre-configured default routing information pointing to TR 10, and sends the first tunnel message to TR 10.
Specifically, VPC connection component 11a adds first tunnel encapsulation information to the original message to generate the first tunnel message. The first tunnel encapsulation information includes the tunnel identifier (ID) corresponding to customer VPC 11 and tunnel five-tuple information. In this tunnel five-tuple, the source IP address is the IP address corresponding to VPC connection component 11a, which may be the IP address of VPC connection component 11a itself or the IP address of the virtual network interface device that hosts VPC connection component 11a; the source port number is a randomly assigned port number or a default port number; the destination IP address is the IP address of TR 10; and the destination port number is the port number of TR 10.
Step 3: TR 10 encapsulates the first tunnel message into a second tunnel message according to the pre-configured routing information between customer VPC 11 and customer VPC 12, and sends the second tunnel message to VPC connection component 12a in customer VPC 12.
Specifically, TR 10 replaces the first tunnel encapsulation information in the first tunnel message with second tunnel encapsulation information to obtain the second tunnel message. The second tunnel encapsulation information includes the tunnel ID corresponding to customer VPC 12 and tunnel five-tuple information. In this tunnel five-tuple, the source IP address is the IP address of TR 10, the source port number is the port number of TR 10, the destination IP address is the IP address corresponding to VPC connection component 12a, which may be the IP address of VPC connection component 12a itself or the IP address of the virtual network interface device that hosts VPC connection component 12a, and the destination port number is a randomly assigned port number or a default port number. To achieve cross-VPC mutual access, TR 10 therefore has tunnel decapsulation and re-encapsulation functions in addition to its cross-VPC routing function.
Step 4: VPC connection component 12a parses the second tunnel message to obtain the original message and sends the original message to the server in AZ4 of customer VPC 12, so that the server provides the target service to the client.
After the server has provided the target service to the client, it returns the service result to the client through the process shown in steps 5-8. Steps 5-8 are the reverse of steps 1-4 above; their processing operations are the same or similar and are not described in detail here.
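As an added example, not code from the patent or from the applicant, the following Python model walks an original message through steps 1-4 and back through steps 5-8: the VPC connection component adds the first tunnel encapsulation, TR 10 swaps it for the second, and the receiving VPC connection component strips it. TR_IP, the VPC segments, tunnel IDs, connection component addresses and the default port are constructed assumptions; the two drop checks in the decapsulation step are practitioner hardening that the patent text does not state.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example, not code from the patent: a model of the tunnel encapsulation
# chain in steps 1-4 and its reverse in steps 5-8. Addresses, ports and tunnel
# IDs below are constructed for illustration.


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"

    def reverse(self) -> FiveTuple:
        return FiveTuple(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class OriginalMessage:
    flow: FiveTuple
    payload: bytes


@dataclass(frozen=True)
class TunnelMessage:
    tunnel_id: int          # tunnel ID of the customer VPC the encapsulation belongs to
    outer: FiveTuple        # tunnel five-tuple
    inner: OriginalMessage  # the original message, carried unchanged


# Constructed topology (assumed values)
TR_IP, TR_PORT = "100.64.0.1", 4789
VPC_SEGMENT = {"vpc11": ipaddress.ip_network("10.1.0.0/16"),
               "vpc12": ipaddress.ip_network("10.2.0.0/16")}
VPC_TUNNEL_ID = {"vpc11": 1101, "vpc12": 1202}
VPC_ATTACHMENT_IP = {"vpc11": "10.1.255.250", "vpc12": "10.2.255.250"}
DEFAULT_PORT = 49152  # the "default port number" of a VPC connection component


def vpc_of(ip: str) -> str:
    """TR 10's cross-VPC routing: which customer VPC owns this address."""
    addr = ipaddress.ip_address(ip)
    for name, segment in VPC_SEGMENT.items():
        if addr in segment:
            return name
    raise LookupError(f"no customer VPC route for {ip}")


def vpc_attachment_encapsulate(vpc: str, msg: OriginalMessage) -> TunnelMessage:
    """Step 2: the VPC connection component adds the first tunnel encapsulation
    (its own VPC's tunnel ID, outer tuple pointing at TR 10)."""
    outer = FiveTuple(VPC_ATTACHMENT_IP[vpc], DEFAULT_PORT, TR_IP, TR_PORT, "udp")
    return TunnelMessage(VPC_TUNNEL_ID[vpc], outer, msg)


def tr_reencapsulate(first: TunnelMessage) -> TunnelMessage:
    """Step 3: TR 10 swaps the first tunnel encapsulation for the second one,
    addressed to the destination VPC's connection component; inner message untouched."""
    dst_vpc = vpc_of(first.inner.flow.dst_ip)
    outer = FiveTuple(TR_IP, TR_PORT, VPC_ATTACHMENT_IP[dst_vpc], DEFAULT_PORT, "udp")
    return TunnelMessage(VPC_TUNNEL_ID[dst_vpc], outer, first.inner)


def vpc_attachment_decapsulate(vpc: str, second: TunnelMessage) -> OriginalMessage:
    """Step 4: the receiving VPC connection component strips the tunnel header.
    Both checks are added hardening, not stated in the patent: a tunnel ID or an
    inner destination that does not belong to this VPC is dropped, not delivered."""
    if second.tunnel_id != VPC_TUNNEL_ID[vpc]:
        raise ValueError(f"tunnel ID {second.tunnel_id} does not belong to {vpc}; drop")
    if vpc_of(second.inner.flow.dst_ip) != vpc:
        raise ValueError("inner destination lies outside this VPC; drop")
    return second.inner


def forward_through_tr(msg: OriginalMessage) -> OriginalMessage:
    """Steps 1-4 end to end: what the receiving VPC connection component delivers."""
    first = vpc_attachment_encapsulate(vpc_of(msg.flow.src_ip), msg)
    second = tr_reencapsulate(first)
    return vpc_attachment_decapsulate(vpc_of(msg.flow.dst_ip), second)


def round_trip(client_flow: FiveTuple, request: bytes, reply: bytes) -> tuple[OriginalMessage, OriginalMessage]:
    """Steps 1-8: the request reaches the server, the reply follows the reverse path."""
    at_server = forward_through_tr(OriginalMessage(client_flow, request))
    at_client = forward_through_tr(OriginalMessage(at_server.flow.reverse(), reply))
    return at_server, at_client
```

The inner message is never modified on the regular path: only the outer tunnel ID and tunnel five-tuple change hop by hop, which is what lets the security detour described later re-add the first tunnel encapsulation unchanged.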
The service access process described above may expose customer VPC 11 and customer VPC 12 to security risks. To secure mutual access between customer VPCs, a security control VPC 13 is introduced into the cloud networking system 100 of the embodiment of the present application. The security control VPC 13 is also a VPC and has the general properties and characteristics of a VPC, which are not repeated here. The security control VPC 13 may be provided by a third-party service provider, by the cloud vendor of the cloud networking system 100, or by the customer that owns the customer VPCs; this is not limited. The security control VPC 13 includes multiple security service nodes that provide security services externally, specifically during mutual service access between customer VPCs, to ensure the security of the customer VPCs. Through these security services it can be configured which traffic may be released and which traffic may not be released, i.e. must be filtered or dropped, thereby securing mutual access between customer VPCs.
In this embodiment, neither the form of the security service provided externally by the security control VPC 13 nor the implementation form of the security service node is limited. For example, a security service node may be, but is not limited to, a firewall, an intrusion detection and prevention system, or a deep packet inspection system. The security control VPC 13 may contain only one kind of security service node, for example all security service nodes are firewalls, thereby providing one security service externally; of course, the security control VPC 13 may also contain several different kinds of security service nodes at the same time, for example both firewalls and deep packet inspection systems, thereby providing different security services externally; this is not limited. In Figure 1a, the security control VPC 13 includes two availability zones, AZ5 and AZ6, and is illustrated with firewalls as the security service nodes, but it is not limited to this. Note that in Figure 1a the availability zones contained in the various VPCs may be the same availability zones or different ones. For example, AZ1 and AZ3 may be the same availability zone and AZ2 and AZ4 may be the same availability zone; of course, AZ1 and AZ3 may also be different availability zones and AZ2 and AZ4 different availability zones.
In this embodiment, the security control VPC 13 provides security services to each customer VPC in the cloud networking system 100. To ensure the high availability and scalability of the security control VPC 13, a Gateway Load Balancer (GWLB) is used in the security control VPC 13: the security service nodes responsible for providing the security services are mounted behind the GWLB, and the service object that the security control VPC 13 exposes externally is the GWLB, so that the security services are provided externally on a load-balanced basis. Using a GWLB makes deploying, scaling and managing the availability of security service nodes in the security control VPC 13 simple and cost-effective. However, because the GWLB and the TR are not on the same plane, they cannot be directly interconnected; for example, to enable communication between client and server the TR uses tunnel technology, whereas the GWLB does not, so the two cannot be connected directly. Therefore, a new product object, the GWLB connection component (GWLB Attachment) 14, is added to the cloud networking system 100 of this embodiment as the routing medium between the TR and the GWLB, realising the interconnection between the TR and the GWLB.
The GWLB connection component of this embodiment is a network element instance with a traffic forwarding function. It is a logical product object and can be regarded as a special type of private link endpoint that is richer in function than a conventional private link endpoint. The GWLB connection component has at least the following functions. On the one hand, GWLB connection component 14 can be associated with a specified GWLB and connected directly to its associated GWLB; in this sense the GWLB connection component has load balancing capability, and the traffic aggregated at the GWLB connection component can be distributed by the GWLB across the security service nodes for security processing. On the other hand, GWLB connection component 14 is similar to a VPC connection component: it can be interconnected with TR 10 and can serve as a next hop in the routing information of TR 10, so when routes are configured on TR 10 the GWLB connection component can be configured as the next hop; in this sense the GWLB connection component has gateway capability and aggregates the boundary traffic coming from gateway TR 10 in the TR network. In short, GWLB connection component 14 of this embodiment combines gateway and load balancing capabilities: it aggregates the traffic coming from the gateway boundary of the TR network and, by means of the load balancing capability of the GWLB, distributes the aggregated traffic across the security service nodes. Furthermore, the GWLB connection component also integrates tunnel encapsulation and decapsulation functions to match the tunnel function of TR 10.
Based on the above, security routing information whose default next hop is the GWLB connection component can further be configured on TR 10. Security routing information is routing information for traffic that must be given security services by the security control VPC. Each security routing entry involves two customer VPCs and indicates that traffic between those two customer VPCs needs security processing; optionally, traffic between the two customer VPCs can be configured for unidirectional security processing or for bidirectional security processing. The next hop of a security routing entry is GWLB connection component 14, which is used to steer the traffic between the two customer VPCs that requires security processing into the security control VPC for security processing.
In this embodiment, a security routing entry concerns traffic between two customer VPCs and includes the network segment information of the two customer VPCs involved. For unidirectional security processing, the entry indicates that all traffic sent from one customer VPC to the other must pass through a security service node in the security control VPC 13 for security processing; for bidirectional security processing, the entry indicates that all traffic between the two customer VPCs must pass through a security service node in the security control VPC 13 for security processing. Taking customer VPC 11 and customer VPC 12 as an example, a security routing entry supporting unidirectional security processing can be configured as: customer VPC 11 -> customer VPC 12 requires security processing, next hop the GWLB connection component; the entry includes the network segment information of customer VPC 11 and of customer VPC 12. Still taking customer VPC 11 and customer VPC 12 as an example, a security routing entry supporting bidirectional security processing can be configured as: customer VPC 11 -> customer VPC 12 requires security processing and customer VPC 12 -> customer VPC 11 requires security processing, next hop the GWLB connection component; the entry likewise includes the network segment information of customer VPC 11 and of customer VPC 12. Note that with a unidirectional entry only the stated direction is steered to the GWLB connection component, so a security service node that has to see both halves of a connection, such as a stateful firewall, needs the bidirectional form.
Based on the above security routing information, TR 10 can steer the traffic between the two customer VPCs of a security routing entry that requires security processing into the security control VPC 13, through the GWLB connection component and the GWLB, for security processing. That is, during service access between the two customer VPCs of a security routing entry, the security service nodes in the security control VPC are used, via the GWLB connection component and the GWLB, to provide security services for that service access, achieving secure mutual access and solving the security problem faced when customer VPCs access each other in the TR networking scenario.
Note that in addition to security routing information, conventional routing information can also be configured on TR 10. Conventional routing information likewise involves two customer VPCs, but the traffic between them does not need security processing; for such routing information, service access between the two customer VPCs is handled according to the process described in steps 1-8 above and is not the focus of the embodiments of this application.
Further, with the security control VPC and the GWLB connection component added, and using the security routing information and conventional routing information pre-configured on TR 10, any client in any customer VPC of the cloud networking system 100 can initiate service access to another customer VPC. The VPC connection component in any customer VPC receives the original message sent by a client in its customer VPC, encapsulates the original message into a first tunnel message, and sends the first tunnel message to TR 10 based on the routing information pointing to TR 10. TR 10 receives the first tunnel message from any customer VPC and identifies whether the routing information corresponding to the first tunnel message is security routing information; if it is, TR 10 sends the first tunnel message to GWLB connection component 14, so that the original message is subjected to security inspection (referred to in the source as security authentication) by a security service node in the security control VPC 13 via the GWLB.
Specifically, to identify whether the routing information corresponding to the first tunnel message is security routing information, TR 10 can parse the original message out of the first tunnel message and determine the network segment information of the source customer VPC and the destination customer VPC from the source IP address and destination IP address in the original message. The source IP address in the original message is the client's IP address, so the network segment information of the customer VPC to which the client belongs, i.e. the source customer VPC, can be determined from it; correspondingly, the destination IP address in the original message is the IP address of the target service or server, so the network segment information of the customer VPC to which the target service or server belongs, i.e. the destination customer VPC, can be determined from it. The network segment information of the source and destination customer VPCs is then matched against at least one security routing entry; if a security routing entry is matched, the routing information corresponding to the first tunnel message is determined to be security routing information, and the matched entry is the routing information corresponding to the first tunnel message.
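An added example, not the patent's own code, of the TR-side lookup described above: each security routing entry stores the two customer VPC segments and whether it is unidirectional or bidirectional, and TR 10 either steers a matching message to the GWLB connection component or falls back to conventional routing toward the destination VPC's connection component. The segments, tunnel IDs and next-hop names are constructed; the tunnel-ID consistency check is an added hardening step the patent text does not state.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example, not the patent's code: how TR 10 can decide whether a first
# tunnel message falls under a security routing entry. Segments, tunnel IDs
# and next-hop names are constructed for illustration.

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class SecurityRoute:
    """One security routing entry: the two customer VPC segments it covers,
    whether the reverse direction is covered as well, and its next hop."""
    segment_a: Net
    segment_b: Net
    bidirectional: bool
    next_hop: str = "gwlb-attachment-14"

    def covers(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        if src in self.segment_a and dst in self.segment_b:
            return True
        return self.bidirectional and src in self.segment_b and dst in self.segment_a


# Constructed topology: customer VPC segments and the tunnel ID each one uses.
VPC_SEGMENT = {"vpc11": Net("10.1.0.0/16"), "vpc12": Net("10.2.0.0/16"), "vpc15": Net("10.5.0.0/16")}
VPC_BY_TUNNEL_ID = {1101: "vpc11", 1202: "vpc12", 1505: "vpc15"}

# Constructed table: VPC 11 -> VPC 12 one way only, VPC 11 <-> VPC 15 both ways.
SECURITY_ROUTES = [
    SecurityRoute(VPC_SEGMENT["vpc11"], VPC_SEGMENT["vpc12"], bidirectional=False),
    SecurityRoute(VPC_SEGMENT["vpc11"], VPC_SEGMENT["vpc15"], bidirectional=True),
]


def vpc_of(ip: ipaddress.IPv4Address) -> str | None:
    return next((name for name, seg in VPC_SEGMENT.items() if ip in seg), None)


def match_security_route(routes: list[SecurityRoute], src_ip: str, dst_ip: str) -> SecurityRoute | None:
    """First entry whose segments cover src -> dst, or None when no entry matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((r for r in routes if r.covers(src, dst)), None)


def tr_next_hop(routes: list[SecurityRoute], tunnel_id: int, src_ip: str, dst_ip: str) -> str:
    """Next hop TR 10 picks for a first tunnel message that carries tunnel_id and
    an original message with source src_ip and destination dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_vpc, dst_vpc = vpc_of(src), vpc_of(dst)
    # Added hardening check not stated in the patent: the inner source must lie in the
    # VPC that owns the tunnel ID on the outer header, otherwise a message with a spoofed
    # inner source could be matched against an entry scoped to another tenant's segment.
    if src_vpc is None or src_vpc != VPC_BY_TUNNEL_ID.get(tunnel_id):
        raise ValueError(f"inner source {src_ip} does not belong to tunnel {tunnel_id}; drop")
    if dst_vpc is None:
        raise LookupError(f"no customer VPC route for {dst_ip}")
    route = match_security_route(routes, src_ip, dst_ip)
    if route is not None:
        return route.next_hop            # steer into the security control VPC
    return f"vpc-attachment-{dst_vpc}"   # conventional routing, steps 1-8 above
```

With the constructed table, a request from VPC 11 to VPC 12 is steered to the GWLB connection component while the reply direction from VPC 12 to VPC 11 is routed conventionally, which is exactly the difference between the unidirectional and bidirectional forms of an entry.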
GWLB connection component 14 receives the first tunnel message sent by TR 10, parses the original message out of the first tunnel message, and sends the original message to the GWLB, so that the GWLB load-balances the original message to a security service node in the security control VPC for security inspection. Further optionally, GWLB connection component 14 may also perform session management for the first tunnel message and record the session information corresponding to it; this session information includes the first tunnel encapsulation information of the first tunnel message and the five-tuple information of the original message, so that, if the original message passes security inspection, the first tunnel message can be rebuilt from the session information and returned to TR 10.
Continuing from the above, the GWLB receives the original message sent by GWLB connection component 14. On the one hand it performs session management for the original message, maintaining the session connection to which the original message belongs and recording the session information of the original message, which may include the five-tuple information of the original message; on the other hand it load-balances the original message to a target security service node in the security control VPC, so that the target security service node inspects the original message according to its local security policy. If the original message passes security inspection, the target security service node generates a security message from the original message and returns the security message to the GWLB. Optionally, if the original message fails security inspection, the target security service node may drop it. Optionally, the security message carries the same payload as the original message and contains the five-tuple information of the original message; the difference lies in the message format. Optionally, the GWLB may use various load balancing algorithms, for example hashing the five-tuple of the original message, to load-balance the original message to a target security service node in the security control VPC, and may try to load-balance original messages belonging to the same session to the same security service node, but it is not limited to this.
After receiving the security message, the GWLB returns it to GWLB connection component 14. GWLB connection component 14 is further configured to receive the security message returned by the GWLB, regenerate the first tunnel message from the session information corresponding to the first tunnel message and the security message, and return it to TR 10. Specifically, GWLB connection component 14 can use the original message's five-tuple information carried in the security message to search the session information of the tunnel messages it holds and thereby determine that the security message corresponds to the session information of the first tunnel message; then, using the first tunnel encapsulation information in that session information, it tunnel-encapsulates the security message to obtain the first tunnel message again, for example by adding the first tunnel encapsulation information to the security message. Optionally, GWLB connection component 14 can determine from the above session information that the first tunnel message must be returned to TR 10, or it can also maintain routing information pointing to TR 10 and send the re-encapsulated first tunnel message to TR 10 based on that routing information.
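An added example, not the patent's code, covering both the GWLB connection component's session management described above and the GWLB's session affinity and node verdict: the connection component records the first tunnel encapsulation keyed by the original message's five-tuple, the GWLB hashes the five-tuple to pick a security service node and keeps the session on that node, the node returns a security message or drops the original, and the connection component re-adds the stored encapsulation before handing the message back to TR 10. The addresses, the allow policy and the direction-independent hash are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass

# Added example, not the patent's code. Models the GWLB connection component's
# session table, the GWLB's five-tuple hashing and session affinity, a firewall
# node's verdict, and re-encapsulation of the security message with the stored
# first tunnel encapsulation. Addresses and the allow policy are constructed.

Net = ipaddress.IPv4Network
Flow = tuple  # (src_ip, src_port, dst_ip, dst_port, proto) of the original message


@dataclass(frozen=True)
class TunnelMessage:
    tunnel_id: int
    outer: tuple        # tunnel five-tuple
    inner_flow: Flow
    payload: bytes


@dataclass(frozen=True)
class SecurityMessage:
    """Returned by a security service node for a released message: same payload
    and same five-tuple as the original message, only the framing differs."""
    flow: Flow
    payload: bytes
    inspected_by: str


@dataclass
class FirewallNode:
    name: str
    rules: list  # allow rules (src segment, dst segment, dst port, proto); default deny

    def inspect(self, flow: Flow, payload: bytes) -> SecurityMessage | None:
        src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[2])
        for src_seg, dst_seg, port, proto in self.rules:
            if src in src_seg and dst in dst_seg and flow[3] == port and flow[4] == proto:
                return SecurityMessage(flow, payload, self.name)
        return None  # not released: the node drops the original message


class Gwlb:
    def __init__(self, nodes: list[FirewallNode]):
        self.nodes = nodes
        self.sessions: dict[Flow, FirewallNode] = {}

    def pick_node(self, flow: Flow) -> FirewallNode:
        # Assumption not stated in the patent: hash a direction-independent form of
        # the five-tuple so both halves of a connection land on the same node.
        a, b = (flow[0], flow[1]), (flow[2], flow[3])
        key = "|".join(map(str, min(a, b) + max(a, b) + (flow[4],)))
        digest = hashlib.sha256(key.encode()).digest()
        return self.nodes[int.from_bytes(digest[:8], "big") % len(self.nodes)]

    def handle(self, flow: Flow, payload: bytes) -> SecurityMessage | None:
        node = self.sessions.setdefault(flow, self.pick_node(flow))
        verdict = node.inspect(flow, payload)
        if verdict is None:
            self.sessions.pop(flow, None)  # keep no state for dropped traffic
        return verdict


class GwlbAttachment:
    def __init__(self, gwlb: Gwlb):
        self.gwlb = gwlb
        # inner five-tuple -> (tunnel ID, tunnel five-tuple) of the first tunnel message
        self.sessions: dict[Flow, tuple[int, tuple]] = {}

    def receive_from_tr(self, first: TunnelMessage) -> TunnelMessage | None:
        """Decapsulate, record the session, hand the original message to the GWLB and,
        if it comes back as a security message, rebuild the first tunnel message."""
        self.sessions[first.inner_flow] = (first.tunnel_id, first.outer)
        secure = self.gwlb.handle(first.inner_flow, first.payload)
        if secure is None:
            self.sessions.pop(first.inner_flow, None)  # nothing returns to TR 10
            return None
        return self.return_to_tr(secure)

    def return_to_tr(self, secure: SecurityMessage) -> TunnelMessage:
        """Match on the five-tuple carried in the security message, then re-add the
        first tunnel encapsulation recorded for that session."""
        tunnel_id, outer = self.sessions[secure.flow]
        return TunnelMessage(tunnel_id, outer, secure.flow, secure.payload)


# Constructed policy: only HTTPS from customer VPC 11 to customer VPC 12 is released.
ALLOW_RULES = [(Net("10.1.0.0/16"), Net("10.2.0.0/16"), 443, "tcp")]


def build_security_vpc() -> GwlbAttachment:
    """One firewall per availability zone (AZ5, AZ6), both with the same policy."""
    nodes = [FirewallNode("fw-az5", ALLOW_RULES), FirewallNode("fw-az6", ALLOW_RULES)]
    return GwlbAttachment(Gwlb(nodes))
```

In a deployment both session tables need an idle timeout and a bound on size, since every new five-tuple that reaches the connection component creates an entry before the node has ruled on it; the model above only removes entries when a message is dropped.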
Further, TR 10 also receives the first tunnel message returned by GWLB connection component 14 and, according to the security routing information corresponding to the first tunnel message, encapsulates it into a second tunnel message and provides it to the other customer VPC that provides the target service, so that the other customer VPC provides the target service to the customer VPC that requested it. Specifically, the second tunnel encapsulation information is determined from the security routing information corresponding to the first tunnel message, and the first tunnel encapsulation information of the first tunnel message is replaced with the second tunnel encapsulation information to obtain the second tunnel message. The first tunnel encapsulation information includes the tunnel ID corresponding to the customer VPC requesting the target service and the corresponding tunnel five-tuple information, in which the source IP address is the IP address corresponding to the VPC connection component in that customer VPC, the source port number is a randomly assigned port number or a default port number, the destination IP address is the IP address of TR 10, and the destination port number is the port number of TR 10. From the network segment information of the other customer VPC in the security routing information corresponding to the first tunnel message, the identity of the other customer VPC can be determined, and then, based on the correspondence between customer VPCs and tunnel IDs, the tunnel ID corresponding to the other customer VPC; in addition, the IP address corresponding to the VPC connection component in the other customer VPC is determined as the destination IP address in the second tunnel encapsulation information, and this IP address points to the target service. Where the VPC connection component in the other customer VPC corresponds to multiple IP addresses and all of them can point to the target service, a hash algorithm or a random selection algorithm can be used to select one of them; for example, the tunnel five-tuple information in the first tunnel message can be hashed and the IP address corresponding to the hash result selected. The second tunnel encapsulation information is determined accordingly: it includes the tunnel ID corresponding to the other customer VPC providing the target service and the corresponding tunnel five-tuple information, in which the source IP address is the IP address of TR 10, the source port number is the port number of TR 10, the destination IP address is the IP address corresponding to the VPC connection component in the other customer VPC, and the destination port number is a randomly assigned port number or a default port number.
Note that in the above embodiment, when the IP address corresponding to the VPC connection component in the other customer VPC is determined as the destination IP address in the second tunnel encapsulation information, there is no restriction on whether the client and the server must be located in the same availability zone. In an optional embodiment, if the application requires the client and the server to be in the same availability zone, the IP address corresponding to the VPC connection component in the other customer VPC can be determined with reference to the availability zone in which the client is located. Specifically, from the multiple IP addresses corresponding to the VPC connection component in the other customer VPC, the one located in the client's availability zone can be selected as the destination IP address in the second tunnel encapsulation information. TR 10 can obtain the client's availability zone information from the user's configuration information, or the client's availability zone information can be carried in the header of the original message, in which case TR 10 parses the first tunnel message and obtains the client's availability zone information from the header of the original message.
After the second tunnel message is sent to the VPC connection component in the other customer VPC, that VPC connection component parses the security message out of the second tunnel message and delivers it to the server, which provides the target service. The service result is then passed in turn through the VPC connection component in the other customer VPC, TR 10 and the VPC connection component in the customer VPC that initiated the service access until it reaches the client. This process also involves message encapsulation and decapsulation, which are not described in detail.
The above describes the secure access process for the case where the routing information corresponding to the first tunnel message is security routing information. Optionally, the routing information corresponding to the first tunnel message may also be conventional routing information. In that case, TR 10 can directly determine the second tunnel encapsulation information from the conventional routing information corresponding to the first tunnel message, replace the first tunnel encapsulation information of the first tunnel message with the second tunnel encapsulation information to obtain the second tunnel message, and send the second tunnel message to the VPC connection component in the other customer VPC providing the target service. That VPC connection component parses the original message out of the second tunnel message and delivers it to the server, which provides the target service; the service result is then passed in turn through the VPC connection component in the other customer VPC, TR 10 and the VPC connection component in the customer VPC that initiated the service access until it reaches the client. This process also involves message encapsulation and decapsulation, which are not described in detail.
To make the process of secure mutual access between customer VPCs in the cloud networking system 100 provided by the embodiment of the present application easier to understand, the whole service access process is described below by way of example with reference to FIG. 1a, taking as an example a client in customer VPC 11 accessing, through TR 10, a target service provided by a server in customer VPC 12:
Step 1: The client in customer VPC 11 sends an original message requesting access to the target service to VPC connection component 11a in customer VPC 11. The original message may be, but is not limited to, a service request.
Step 2: VPC connection component 11a receives the original message from the client, encapsulates it into a first tunnel message according to the locally pre-configured routing information that points to TR 10 by default, and sends the first tunnel message to TR 10.
Step 2.1: TR 10 receives the first tunnel message from VPC connection component 11a and, if the routing information corresponding to the first tunnel message is security routing information, sends the first tunnel message to GWLB connection component 14.
Step 2.2: GWLB connection component 14 receives the first tunnel message sent by security control VPC 13, parses the original message out of the first tunnel message, and sends the original message to the GWLB.
Step 2.3: The GWLB receives the original message from GWLB connection component 14 and load-balances it to a target security service node in the security control VPC, so that the target security service node performs security authentication on the original message according to its local security policy.
Step 2.4: If the original message passes security authentication, the target security service node generates a security message from the original message and returns the security message to the GWLB.
Step 2.5: After receiving the security message, the GWLB returns it to GWLB connection component 14.
Step 2.6: After receiving the security message, GWLB connection component 14 regenerates the first tunnel message and returns it to TR 10.
Step 3: TR 10 encapsulates the first tunnel message into a second tunnel message according to the pre-configured security routing information between customer VPC 11 and customer VPC 12, and sends the second tunnel message to VPC connection component 12a in customer VPC 12.
Step 4: VPC connection component 12a parses the second tunnel message to obtain the security message and sends the security message to the server in AZ4 of customer VPC 12, so that the server provides the target service to the client.
Step 5: The server returns the service result to VPC connection component 12a.
Step 6: VPC connection component 12a encapsulates the service result into a third tunnel message and sends it to TR 10.
The third tunnel message carries third tunnel encapsulation information, which includes the tunnel ID corresponding to customer VPC 12 and tunnel 5-tuple information. In that 5-tuple, the source IP address is the IP address of VPC connection component 12a, the source port number is a randomly assigned port number, the destination IP address is the IP address of TR 10, and the destination port number is the port number of TR 10.
Step 7: TR 10 encapsulates the third tunnel message into a fourth tunnel message and sends it to VPC connection component 11a.
Further optionally, in step 7, if the pre-configured security routing information between customer VPC 11 and customer VPC 12 requires one-way security processing, TR 10 encapsulates the third tunnel message into the fourth tunnel message directly after receiving it from VPC connection component 12a, and sends the fourth tunnel message to VPC connection component 11a.
Further optionally, in step 7, if the pre-configured security routing information between customer VPC 11 and customer VPC 12 requires bidirectional security processing, then before performing step 7, TR 10 may process the third tunnel message in the manner of steps 2.1 to 2.6, and only when it receives the third tunnel message returned again by GWLB connection component 14 does it perform the step 7 operation of encapsulating the third tunnel message into the fourth tunnel message and sending it to VPC connection component 11a. Processing the third tunnel message in the manner of steps 2.1 to 2.6 is the same as or similar to processing the first tunnel message and is not repeated here.
Specifically, the third tunnel encapsulation information of the third tunnel message is replaced with fourth tunnel encapsulation information to obtain the fourth tunnel message. The fourth tunnel encapsulation information includes the tunnel ID corresponding to customer VPC 11 and tunnel 5-tuple information, in which the source IP address is the IP address of TR 10, the source port number is the port number of TR 10, the destination IP address is the IP address of VPC connection component 11a, and the destination port number is a randomly assigned port number.
Step 8: VPC connection component 11a parses the fourth tunnel message to obtain the service result and sends the service result to the client.
Further optionally, if the routing information corresponding to the first tunnel message is conventional routing information, steps 2.1 to 2.6 may be skipped and steps 3 to 8 performed directly.
In the above embodiment of the present application, a security control VPC is introduced into the TR-based cloud networking system, a GWLB is used in the security control VPC, and the GWLB serves as the exposed object through which security services are provided externally. Because the GWLB and the TR are not in the same plane, a new product object, the GWLB connection component, is added to the networking system as the routing medium between the TR and the GWLB, so that the TR and the GWLB are interconnected. By configuring on the TR security routing information that points to the GWLB connection component by default, security services can be provided while the two customer VPCs corresponding to that security routing information access each other's services, so that secure mutual access is achieved and the security problem faced by mutual access between customer VPCs in the TR networking scenario is solved.
It should also be noted that, besides directly adding a GWLB connection component between the TR and the GWLB to interconnect them as in this embodiment, the arrangement shown in FIG. 1b may also be used: an intermediate VPC is added between the TR and the GWLB, and a VPC connection component and a Gateway Load Balancer endpoint (GWLBe) corresponding to the GWLB are deployed in the intermediate VPC; the GWLBe is interconnected with the GWLB, the GWLBe is interconnected with the VPC connection component, and the VPC connection component is in turn interconnected with TR 10. FIG. 1b illustrates the intermediate VPC with two availability zones, AZ7 and AZ8, as an example, but it is not limited to this. In the system of FIG. 1b, the secure access process between the TR and the firewall comprises steps 3.1 to 3.8, and traffic must pass in turn through the VPC connection component, the GWLBe and the GWLB in the intermediate VPC before reaching the firewall. The forwarding path is relatively long and the transmission delay relatively large, but this arrangement likewise allows security services to be accessed in the TR networking scenario and solves the security problem of cross-VPC service access in that scenario.
Compared with interconnecting the TR and the GWLB through an intermediate VPC, a VPC connection component and a GWLBe, the embodiment of the present application adds a GWLB connection component directly between the TR and the GWLB and lets the GWLB connection component interconnect them, which helps simplify the access implementation of security services in the TR networking scenario; moreover, mutual access traffic between customer VPCs only needs to flow through the TR and the GWLB connection component into the GWLB to use the security service, so the forwarding path is shorter, which helps reduce the transmission delay on the path.
Steps 3.1 to 3.8 are briefly described as follows.
Step 3.1: The TR sends the first tunnel message to the VPC connection component in the intermediate VPC.
Step 3.2: The VPC connection component in the intermediate VPC parses the original message out of the first tunnel message and sends the original message to the GWLBe.
Step 3.3: The GWLBe sends the original message to the GWLB.
Step 3.4: The GWLB load-balances the original message to a security service node (for example a firewall) for security authentication.
Step 3.5: If the original message passes security authentication, the security service node generates a security message from the original message and sends the security message to the GWLB.
Step 3.6: The GWLB sends the security message to the GWLBe.
Step 3.7: The GWLBe sends the security message to the VPC connection component in the intermediate VPC.
Step 3.8: The VPC connection component in the intermediate VPC re-encapsulates the security message into the first tunnel message and returns it to the TR.
Steps 1 to 8 in FIG. 1b are the same as or similar to steps 1 to 8 in FIG. 1a and are not repeated here.
In the embodiment of the present application, the GWLB connection component is a network element instance with a traffic forwarding function and is a logical product object. Its traffic forwarding function can be carried by a virtual network interface device; accordingly, the security routing information and the conventional routing information are configured on that virtual network interface device, and the virtual network interface device is interconnected with the TR. It should be noted, however, that the GWLB connection component belongs neither to a customer VPC nor to the security control VPC but to the system VPC. The GWLB connection component is invisible to customers, so it does not consume virtual network interface resources in the customer VPCs or the security control VPC, which helps conserve the network interface resources of the customer VPCs.
Similarly, the VPC connection component in a customer VPC also has a traffic forwarding function, which can be carried by a virtual network interface device; accordingly, the routing information pointing to the TR is also configured on that virtual network interface device, and the virtual network interface device is interconnected with the TR. Further, where a customer VPC includes at least one availability zone, the VPC connection component in that customer VPC may include a virtual network interface device corresponding to each availability zone; that is, at least one virtual network interface device may be configured for each availability zone, and preferably one availability zone corresponds to one virtual network interface device. Each virtual network interface device is responsible for receiving the original messages requesting access to a target service from clients in its availability zone, encapsulating each original message into a first tunnel message, and sending the first tunnel message to the TR according to the routing information pointing to the TR. Specifically, the virtual network interface device also has tunnel encapsulation and decapsulation functions and can add first tunnel encapsulation information to the original message to generate the first tunnel message. The first tunnel encapsulation information includes the tunnel identifier (tunnel ID) corresponding to the customer VPC to which the virtual network interface device belongs, a source IP address that is the IP address of the virtual network interface device, and a destination IP address that is the IP address of the TR.
In an optional embodiment, the virtual network interface device may be an Elastic Network Interface (ENI). An ENI is a virtual network interface bound to a VPC of some kind (for example a customer VPC or the system VPC). For example, the ENI provides a private IP address for the VPC connection component or GWLB connection component bound to it; that private IP address may be an IP address within the VPC in which the ENI resides, i.e. the IP address of the VPC connection component or GWLB connection component it carries. In this embodiment, the main role of the ENI is to interconnect with the TR and to forward traffic to and from the TR.
In an optional embodiment, the cloud networking system of this embodiment further includes a management and control node. This node belongs to the control plane; it provides a human-computer interaction interface to customers, receives the customers' various requests and responds to them. Specifically, the management and control node can respond to a forwarding router creation request by creating a TR in the system VPC, and respond to a routing configuration operation by configuring at least one item of security routing information on the created TR; in addition, it deploys a VPC connection component in each of the two customer VPCs corresponding to each item of security routing information and adds the identifiers of the deployed VPC connection components to the TR, establishing the association between the VPC connection components and the TR. Moreover, in the TR-based cloud networking scenario, when a customer needs to introduce a GWLB-based service, a GWLB connection component for that GWLB service can also be created through the management and control node. Specifically, the management and control node can respond to a GWLB connection component creation request by deploying a GWLB connection component in the system VPC and specifying the GWLB associated with it; in this embodiment that GWLB points to the security control service. Further, the identifier of the GWLB connection component must be added to the TR to establish the correspondence between the TR and the GWLB connection component, so that the GWLB connection component can serve as the next hop in the security routing information. It should be noted that the creation of the GWLB connection component and the creation of the TR are relatively independent, and customers can create them flexibly according to application requirements.
It should be noted that a cloud networking system may contain one or more TRs; FIG. 1a illustrates a single TR as an example. Where there are multiple TRs, each TR has its own corresponding GWLB connection component, and the GWLB connection components of the multiple TRs can be associated with the same GWLB, i.e. multiple TRs can use the service provided by the VPC in which that GWLB resides.
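The control-plane objects described in the two preceding paragraphs (a TR created in the system VPC, VPC connection components registered on the TR, a GWLB connection component deployed in the system VPC, bound to one GWLB and registered on the TR as the next hop of security routes, and several TRs sharing one GWLB) can be modelled as follows. This is an added example written for this page, not the patent's or any product's code; the class names, identifiers such as vpc-11 and gwlb-sec, and the check that refuses a security route whose next hop is not a registered GWLB connection component are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Gwlb:
    gwlb_id: str
    vpc_id: str  # the security control (or other intermediate service) VPC


@dataclass
class GwlbAttachment:
    att_id: str
    vpc_id: str  # always the system VPC, never a customer VPC
    gwlb_id: str  # the one GWLB this connection component forwards to


@dataclass
class VpcAttachment:
    att_id: str
    vpc_id: str  # the customer VPC the connection component is deployed in


@dataclass
class SecurityRoute:
    src_vpc: str
    dst_vpc: str
    next_hop: str  # att_id of a GWLB connection component registered on the TR
    bidirectional: bool = False


@dataclass
class TransitRouter:
    tr_id: str
    vpc_attachments: dict = field(default_factory=dict)   # att_id -> VpcAttachment
    gwlb_attachments: dict = field(default_factory=dict)  # att_id -> GwlbAttachment
    security_routes: list = field(default_factory=list)


class ControlPlane:
    """Models the management and control node's create/attach operations (assumed API)."""

    SYSTEM_VPC = "vpc-system"  # constructed identifier

    def __init__(self):
        self.gwlbs = {}  # gwlb_id -> Gwlb
        self.trs = {}    # tr_id -> TransitRouter

    def create_gwlb(self, gwlb_id, vpc_id):
        self.gwlbs[gwlb_id] = Gwlb(gwlb_id, vpc_id)

    def create_tr(self, tr_id):
        self.trs[tr_id] = TransitRouter(tr_id)  # the TR lives in the system VPC

    def attach_vpc(self, tr_id, att_id, vpc_id):
        """Deploy a VPC connection component and register its id on the TR."""
        self.trs[tr_id].vpc_attachments[att_id] = VpcAttachment(att_id, vpc_id)

    def create_gwlb_attachment(self, tr_id, att_id, gwlb_id):
        """Deploy a GWLB connection component in the system VPC, bind it to one
        GWLB and register its id on the TR. Several TRs may each bind their own
        connection component to the same GWLB."""
        if gwlb_id not in self.gwlbs:
            raise ValueError(f"unknown GWLB {gwlb_id}")
        att = GwlbAttachment(att_id, self.SYSTEM_VPC, gwlb_id)
        self.trs[tr_id].gwlb_attachments[att_id] = att
        return att

    def install_security_route(self, tr_id, route):
        """Refuse a route whose two VPCs or next hop are not registered on this
        TR, so that traffic can never be routed around the inspection path."""
        tr = self.trs[tr_id]
        attached = {a.vpc_id for a in tr.vpc_attachments.values()}
        for vpc in (route.src_vpc, route.dst_vpc):
            if vpc not in attached:
                raise ValueError(f"{vpc} has no VPC connection component on {tr_id}")
        hop = tr.gwlb_attachments.get(route.next_hop)
        if hop is None or hop.vpc_id != self.SYSTEM_VPC:
            raise ValueError(f"{route.next_hop} is not a GWLB connection component of {tr_id}")
        tr.security_routes.append(route)
        return route

    def gwlbs_shared_by(self, *tr_ids):
        """GWLBs reachable from every listed TR through its own connection component."""
        sets = [{a.gwlb_id for a in self.trs[t].gwlb_attachments.values()} for t in tr_ids]
        return set.intersection(*sets) if sets else set()


def build_figure_1a_like_topology():
    """TR 10 with customer VPCs 11 and 12 and security control VPC 13
    (numbers borrowed from FIG. 1a; the ids themselves are constructed)."""
    cp = ControlPlane()
    cp.create_gwlb("gwlb-sec", "vpc-13")
    cp.create_tr("tr-10")
    cp.attach_vpc("tr-10", "att-11a", "vpc-11")
    cp.attach_vpc("tr-10", "att-12a", "vpc-12")
    cp.create_gwlb_attachment("tr-10", "att-14", "gwlb-sec")
    cp.install_security_route("tr-10", SecurityRoute("vpc-11", "vpc-12", "att-14", True))
    return cp
```

The check in install_security_route is the practical point: a security route whose next hop does not resolve to a GWLB connection component of that TR would leave the traffic between the two customer VPCs without inspection, and rejecting it at configuration time is far cheaper than discovering the gap from traffic later.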
It should be noted that the cloud networking system provided by the embodiment of the present application is not only applicable to the scenario of introducing a security control VPC; it can be extended to any scenario that introduces a GWLB-based intermediate service VPC. An intermediate service VPC is a VPC that can provide some intermediate service during service access between customer VPCs through the TR, for example a data cleansing service, a data computation service or a security service. On this basis, the embodiment of the present application further provides another cloud networking system, which includes a TR and multiple customer VPCs interconnected with the TR, the multiple customer VPCs accessing each other's services through the TR; the cloud networking system further includes an intermediate service VPC, which includes a GWLB and multiple intermediate service nodes interconnected with the GWLB and which provides the intermediate service externally. Furthermore, a GWLB connection component is deployed in the cloud networking system as the routing medium between the TR and the GWLB and is interconnected with the TR and the GWLB respectively. On this basis, at least one item of security routing information pointing to the GWLB connection component by default is configured on the TR, and during service access between the two customer VPCs corresponding to each item of security routing information the TR can, through the GWLB connection component and the GWLB, use the intermediate service nodes in the intermediate service VPC to provide the intermediate service for that service access.
For the definitions and descriptions of the relevant components or objects in this cloud networking system and the detailed description of the related actions, reference may be made to the foregoing embodiments, which are not repeated here.
In addition to the cloud networking system described above, the embodiments of the present application also provide the following secure access methods, described from the perspectives of the TR, the GWLB connection component and the VPC connection component respectively; see the method embodiments shown in FIG. 2a to FIG. 2c.
FIG. 2a is a flow chart of a secure access method provided by an exemplary embodiment of the present application. The method is described from the perspective of the forwarding router TR. As shown in FIG. 2a, the method includes:
21a. Receive a first tunnel message from a given customer VPC in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which the given customer VPC requests a target service from another customer VPC;
22a. If the routing information corresponding to the first tunnel message is security routing information, send the first tunnel message to the GWLB connection component in the cloud networking system, so that security authentication is performed on the original message via the GWLB in the security control VPC using a security service node in the security control VPC.
In this embodiment, a new product object, the GWLB connection component, is added to the cloud networking system; the GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with the TR and the GWLB respectively, and within the security control VPC the GWLB is interconnected with the security service nodes.
In this embodiment, at least one item of security routing information pointing to the GWLB connection component by default is pre-configured on the TR. Each item of security routing information involves two customer VPCs and indicates that the traffic between those two customer VPCs requires security processing; optionally, the traffic between the two customer VPCs can be configured for either one-way or bidirectional security processing.
Further optionally, an item of security routing information concerns the traffic between two customer VPCs and includes the network segment information of those two customer VPCs. For one-way security processing, the security routing information indicates that all traffic sent from one customer VPC to the other must be security-processed by a security service node in the security control VPC; for bidirectional security processing, it indicates that all traffic between the two customer VPCs must be security-processed by a security service node in security control VPC 13. On this basis, during service access between the two customer VPCs corresponding to each item of security routing information, the TR can use the security service nodes in the security control VPC, via the GWLB connection component and the GWLB, to provide security services for that service access.
Specifically, the TR can receive a first tunnel message from a given customer VPC in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which the given customer VPC requests a target service from another customer VPC; if the routing information corresponding to the first tunnel message is security routing information, the TR sends the first tunnel message to the GWLB connection component in the cloud networking system, so that security authentication is performed on the original message via the GWLB in the security control VPC using a security service node in the security control VPC.
Further optionally, the method further includes a step of identifying whether the routing information corresponding to the first tunnel message is security routing information. This step specifically includes: parsing the original message out of the first tunnel message; determining the network segment information of the source customer VPC and the destination customer VPC from the source IP address and destination IP address in the original message; matching the network segment information of the source and destination customer VPCs against the at least one item of security routing information; and, if a match is found, determining that the routing information corresponding to the first tunnel message is security routing information.
Further optionally, the method further includes: receiving the first tunnel message returned by the GWLB connection component, where that first tunnel message is regenerated by the GWLB connection component from the security message returned by the GWLB when the original message passes security authentication, and the security message is generated from the original message by the security service node in the security control VPC when the original message passes security authentication; and encapsulating the first tunnel message into a second tunnel message and providing it to the other customer VPC, so that the other customer VPC provides the target service to the given customer VPC.
Further optionally, encapsulating the first tunnel message into the second tunnel message includes: according to the security routing information corresponding to the first tunnel message, replacing the first tunnel encapsulation information of the first tunnel message with second tunnel encapsulation information to obtain the second tunnel message. The second tunnel encapsulation information includes the tunnel ID corresponding to the other customer VPC, its source IP address is the IP address of the TR and its destination IP address is the IP address of the VPC connection component in the other customer VPC; the first tunnel encapsulation information includes the tunnel ID corresponding to the given customer VPC, its source IP address is the IP address of the VPC connection component in the given customer VPC and its destination IP address is the IP address of the TR.
In this embodiment, a new product object, the GWLB connection component, is added to the cloud networking system as the routing medium between the TR and the GWLB, interconnecting the two. By configuring on the TR security routing information that points to the GWLB connection component by default, security services can be provided while the two customer VPCs corresponding to that security routing information access each other's services, achieving secure mutual access and solving the security problem faced by mutual access between customer VPCs in the TR networking scenario.
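As an added example covering both steps 1 to 8 of FIG. 1a and the TR-side method of FIG. 2a (it is not code from the patent or from any product), the following Python simulates the TR's part of the data path: matching the inner source and destination addresses against the security routing information, the one-way versus bidirectional distinction of step 7, and the replacement of the tunnel encapsulation information in steps 3 and 7. The inner message layout, the addresses, tunnel IDs and port values are constructed, and the GWLB connection component together with the security service node (steps 2.1 to 2.6) is represented by a caller-supplied callable rather than modelled here.

```python
import ipaddress
from dataclasses import dataclass, replace

TR_IP, TR_PORT = "192.0.2.10", 4789  # constructed TR address and port


@dataclass(frozen=True)
class TunnelMessage:
    """Tunnel ID plus 5-tuple (protocol omitted) and the carried inner message."""
    tunnel_id: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inner: bytes


@dataclass(frozen=True)
class SecurityRoute:
    src_cidr: str
    dst_cidr: str
    bidirectional: bool = False


@dataclass(frozen=True)
class VpcAttachment:
    vpc_cidr: str
    tunnel_id: int
    ip: str  # IP address of the VPC connection component (its virtual NIC)


def inner_addresses(inner: bytes):
    """Constructed inner-message layout: b"<src_ip>|<dst_ip>|<payload>"."""
    src, dst, _ = inner.split(b"|", 2)
    return ipaddress.ip_address(src.decode()), ipaddress.ip_address(dst.decode())


class TransitRouter:
    def __init__(self, attachments, security_routes, gwlb_attachment):
        self.attachments = attachments
        self.security_routes = security_routes
        # Stand-in for steps 2.1-2.6: callable(TunnelMessage) -> TunnelMessage or None.
        self.gwlb_attachment = gwlb_attachment
        self.next_port = 40000  # deterministic stand-in for randomly assigned ports

    def match_security_route(self, msg):
        """Identification step of FIG. 2a: a one-way route matches only in its
        stated direction, a bidirectional one in both. None means conventional."""
        src, dst = inner_addresses(msg.inner)
        for r in self.security_routes:
            s, d = ipaddress.ip_network(r.src_cidr), ipaddress.ip_network(r.dst_cidr)
            if (src in s and dst in d) or (r.bidirectional and src in d and dst in s):
                return r
        return None

    def attachment_for(self, ip):
        for a in self.attachments:
            if ip in ipaddress.ip_network(a.vpc_cidr):
                return a
        raise LookupError(f"no VPC connection component for {ip}")

    def swap_encapsulation(self, msg):
        """Steps 3 and 7: replace the inbound header by one from the TR to the
        destination VPC's connection component, carrying that VPC's tunnel ID."""
        _, dst = inner_addresses(msg.inner)
        target = self.attachment_for(dst)
        self.next_port += 1
        return replace(msg, tunnel_id=target.tunnel_id, src_ip=TR_IP, src_port=TR_PORT,
                       dst_ip=target.ip, dst_port=self.next_port)

    def forward(self, msg):
        """Handle one tunnel message; None means the security service dropped it."""
        if self.match_security_route(msg) is not None:
            msg = self.gwlb_attachment(msg)
            if msg is None:
                return None
        return self.swap_encapsulation(msg)


class CountingInspector:
    """Stand-in for GWLB connection component plus security node: passes every
    message through unchanged and counts how often it was consulted."""
    def __init__(self):
        self.calls = 0

    def __call__(self, msg):
        self.calls += 1
        return msg


def demo(bidirectional, gwlb_attachment):
    """Request from 10.1.0.5 (VPC 11) to 10.2.0.9 (VPC 12) and the reply."""
    att11 = VpcAttachment("10.1.0.0/16", 11, "198.51.100.11")
    att12 = VpcAttachment("10.2.0.0/16", 12, "198.51.100.12")
    tr = TransitRouter([att11, att12],
                       [SecurityRoute("10.1.0.0/16", "10.2.0.0/16", bidirectional)],
                       gwlb_attachment)
    first = TunnelMessage(11, att11.ip, 40123, TR_IP, TR_PORT, b"10.1.0.5|10.2.0.9|GET /svc")
    second = tr.forward(first)                       # steps 2.1-2.6 then step 3
    third = TunnelMessage(12, att12.ip, 40456, TR_IP, TR_PORT, b"10.2.0.9|10.1.0.5|200 OK")
    fourth = tr.forward(third)                       # step 7, inspected only if bidirectional
    return second, fourth
```

With a one-way route the inspector is consulted once (the request), with a bidirectional route twice; in both cases the outbound headers carry the TR as source and the destination VPC's tunnel ID and connection component address, as steps 3 and 7 require.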
FIG. 2b is a flow chart of another secure access method provided by an exemplary embodiment of the present application. The method is described from the perspective of the GWLB connection component. As shown in FIG. 2b, the method includes:
21b. Receive a first tunnel message sent by the forwarding router TR in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which a given customer VPC in the cloud networking system requests a target service from another customer VPC;
22b. Parse the original message out of the first tunnel message and send the original message to the GWLB in the security control VPC, so that the GWLB load-balances the original message to a security service node in the security control VPC for security authentication.
In this embodiment, a new product object, the GWLB connection component, is added to the cloud networking system; the GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with the TR and the GWLB respectively, and within the security control VPC the GWLB is interconnected with the security service nodes.
In this embodiment, the TR can receive a first tunnel message from a given customer VPC in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which the given customer VPC requests a target service from another customer VPC; if the routing information corresponding to the first tunnel message is security routing information, the TR sends the first tunnel message to the GWLB connection component in the cloud networking system.
In this embodiment, besides being interconnected with the TR and the GWLB respectively, the GWLB connection component can also receive the first tunnel message sent by the TR in the cloud networking system, parse the original message out of it, and send the original message to the GWLB in the security control VPC, so that the GWLB load-balances the original message to a security service node in the security control VPC for security authentication. The GWLB connection component thus also has message sending and receiving and decapsulation (or parsing) functions.
Further optionally, the method further includes: before sending the original message to the GWLB, recording the session information corresponding to the first tunnel message; after sending the original message to the GWLB, receiving the security message returned by the GWLB, where the security message is generated from the original message by the security service node in the security control VPC and provided to the GWLB when the original message passes security authentication; and then regenerating the first tunnel message from the session information corresponding to the first tunnel message and the security message and returning it to the TR, so that the TR encapsulates the first tunnel message into the second tunnel message and provides it to the other customer VPC, which in turn provides the target service to the given customer VPC. It can be seen that, in the embodiment of the present application, the GWLB connection component also has message encapsulation and session recording and maintenance functions.
在本实施例中,在云组网系统中增加一种新的产品对象即GWLB连接组件,作为TR和GWLB之间的路由媒介,实现TR和GWLB的互联,并通过在TR上配置默认指向GWLB连接组件的安全路由信息,使得能够在安全路由信息对应的两个客户VPC进行服务访问过程中提供安全服务,实现安全互访,解决TR组网场景中客户VPC之间互访时所面临的安全问题。In this embodiment, a new product object, namely, the GWLB connection component, is added to the cloud networking system as a routing medium between TR and GWLB to realize the interconnection between TR and GWLB, and by configuring the security routing information pointing to the GWLB connection component by default on TR, it is possible to provide security services during the service access process of the two customer VPCs corresponding to the security routing information, realize secure mutual access, and solve the security problems faced when customer VPCs visit each other in the TR networking scenario.
FIG. 2c is a schematic flow chart of yet another secure access method provided by an exemplary embodiment of the present application; the method is described from the perspective of the VPC connection component. As shown in FIG. 2c, the method includes:
21c. Receive an original packet in which a client in the customer VPC where the VPC connection component is located requests access to a target service;
22c. Encapsulate the original packet into a first tunnel packet according to pre-configured routing information pointing to the forwarding router TR;
23c. Send the first tunnel packet to the TR, so as to perform service mutual access, through the TR, with another customer VPC in the cloud networking system that provides the target service.
In this embodiment, a new product object, the GWLB connection component, is added to the cloud networking system; it serves as the routing medium between the TR and the GWLB and is interconnected with each of them. Within the security control VPC, the GWLB is interconnected with the security service nodes.
When a client in a customer VPC requests access to a target service, it sends an original packet to the VPC connection component. The VPC connection component receives the original packet, encapsulates it into a first tunnel packet according to the pre-configured routing information pointing to the TR, and sends the first tunnel packet to the TR. The TR receives the first tunnel packet and, if the routing information corresponding to it belongs to the security routing information, sends it to the GWLB connection component in the cloud networking system. The GWLB connection component receives the first tunnel packet sent by the TR, parses the original packet out of it, and sends the original packet to the GWLB in the security control VPC, so that the GWLB load-balances the original packet to a security service node in the security control VPC for security authentication.
In this embodiment, a new product object, the GWLB connection component, is added to the cloud networking system as the routing medium between the TR and the GWLB, realizing their interconnection; and by configuring on the TR security routing information that points to the GWLB connection component by default, a security service can be provided while the two customer VPCs corresponding to that security routing information access each other's services, realizing secure mutual access and solving the security problem faced when customer VPCs access each other in a TR networking scenario.
It should be noted that some of the processes described in the above embodiments and drawings contain multiple operations that appear in a particular order, but it should be clearly understood that these operations may be executed out of the order in which they appear herein, or in parallel; the operation numbers such as 21a, 22a, etc. serve only to distinguish the operations and do not by themselves indicate any execution order. In addition, these processes may include more or fewer operations, and those operations may be executed sequentially or in parallel. It should also be noted that the terms "first", "second", etc. herein are used to distinguish different messages, devices, modules, etc.; they do not indicate an order of precedence, nor do they require that the "first" and "second" items be of different types.
FIG. 3a is a schematic structural diagram of a secure access apparatus provided by an exemplary embodiment of the present application. The apparatus may be implemented in the forwarding router TR of a cloud networking system. As shown in FIG. 3a, the apparatus includes: a storage module 31a, a receiving module 32a and a sending module 33a.
The storage module 31a is configured to store at least one piece of security routing information that points by default to the GWLB connection component in the cloud networking system. The receiving module 32a is configured to receive a first tunnel packet from any customer VPC in the cloud networking system, the first tunnel packet being obtained by tunnel-encapsulating an original packet in which that customer VPC requests a target service from another customer VPC. The sending module 33a is configured to send the first tunnel packet to the GWLB connection component when the routing information corresponding to the first tunnel packet belongs to the security routing information, so that the original packet is security-authenticated by the security service node in the security control VPC via the GWLB in the security control VPC; wherein the GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with each of them, and the GWLB is interconnected with the security service node.
In an optional embodiment, the apparatus further includes: a parsing module, configured to parse the original packet out of the first tunnel packet and determine the network segment information of the source customer VPC and the destination customer VPC from the source IP address and destination IP address in the original packet; and a matching module, configured to match the network segment information of the source customer VPC and the destination customer VPC against the at least one piece of security routing information and, if a match is found, to determine that the routing information corresponding to the first tunnel packet is security routing information.
In an optional embodiment, the receiving module 32a is further configured to receive the first tunnel packet returned by the GWLB connection component, the first tunnel packet having been regenerated by the GWLB connection component from the security packet returned by the GWLB when the original packet passes security authentication, the security packet being generated from the original packet. Correspondingly, the sending module 33a is further configured to encapsulate the first tunnel packet into a second tunnel packet and provide it to the other customer VPC, so that the other customer VPC provides the target service to the requesting customer VPC.
Further optionally, when encapsulating the first tunnel packet into the second tunnel packet, the sending module 33a is specifically configured to replace the first tunnel encapsulation information of the first tunnel packet with second tunnel encapsulation information according to the security routing information corresponding to the first tunnel packet, thereby obtaining the second tunnel packet. The second tunnel encapsulation information includes the tunnel identifier (ID) corresponding to the other customer VPC; its source IP address is the IP address of the TR and its destination IP address is the IP address of the VPC connection component in the other customer VPC. The first tunnel encapsulation information includes the tunnel ID corresponding to the requesting customer VPC; its source IP address is the IP address of the VPC connection component in the requesting customer VPC and its destination IP address is the IP address of the TR.
FIG. 3b is a schematic structural diagram of another secure access apparatus provided by an exemplary embodiment of the present application. The apparatus may be implemented in the GWLB connection component of a cloud networking system. As shown in FIG. 3b, the apparatus includes: a decapsulation module 31b, a receiving module 32b and a sending module 33b.
The receiving module 32b is configured to receive the first tunnel packet sent by the forwarding router TR in the cloud networking system, the first tunnel packet being obtained by tunnel-encapsulating an original packet in which any customer VPC in the cloud networking system requests a target service from another customer VPC. The decapsulation module 31b is configured to parse the original packet out of the first tunnel packet. The sending module 33b is configured to send the original packet to the GWLB in the security control VPC, so that the GWLB load-balances it to a security service node in the security control VPC for security authentication. The GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with each of them, and the GWLB is interconnected with the security service node.
In an optional embodiment, the apparatus further includes an encapsulation module and a session management module. The session management module is configured to record the session information corresponding to the first tunnel packet before the original packet is sent to the GWLB. The receiving module 32b is further configured to receive, after the original packet is sent to the GWLB, the security packet returned by the GWLB, the security packet being generated from the original packet when the original packet passes security authentication. The encapsulation module is configured to regenerate the first tunnel packet from the session information corresponding to the first tunnel packet and the security packet. The sending module 33b is further configured to return the first tunnel packet to the TR, so that the TR encapsulates it into a second tunnel packet and provides it to the other customer VPC.
FIG. 3c is a schematic structural diagram of yet another secure access apparatus provided by an exemplary embodiment of the present application. The apparatus may be implemented in the VPC connection component of a cloud networking system. As shown in FIG. 3c, the apparatus includes: an encapsulation module 31c, a receiving module 32c and a sending module 33c.
The receiving module 32c is configured to receive an original packet in which a client in the customer VPC where the VPC connection component is located requests access to a target service. The encapsulation module 31c is configured to encapsulate the original packet into a first tunnel packet according to pre-configured routing information pointing to the forwarding router TR. The sending module 33c is configured to send the first tunnel packet to the TR, so as to perform service mutual access, through the TR, with another customer VPC in the cloud networking system that provides the target service.
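The end-to-end flow of FIG. 2b, FIG. 2c and FIG. 3a to 3c, traced in Python as an added example that is not part of the patent: the VPC connection component builds the first tunnel packet, the TR matches the inner source and destination network segments against its security routing information and hands matching packets to the GWLB connection component, which records the session, passes the original packet through the GWLB to a security service node and regenerates the first tunnel packet on success, after which the TR swaps in the second tunnel encapsulation. All addresses, tunnel IDs and the GET-only inspection policy are constructed assumptions.

```python
# Simulation of the secure-access flow for the VPC connection component (FIG. 2c),
# the GWLB connection component (FIG. 2b) and the TR (FIG. 3a). Added example, not
# code from the patent: all IPs, CIDRs, tunnel IDs and the policy are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Callable, Dict, List, Optional, Set, Tuple

TR_IP = "192.168.0.1"  # assumed IP address of the forwarding router (TR)


@dataclass(frozen=True)
class OriginalPacket:
    src_ip: str
    dst_ip: str
    payload: bytes


@dataclass(frozen=True)
class TunnelPacket:
    tunnel_id: int  # requesting VPC's ID (first tunnel) or peer VPC's ID (second tunnel)
    outer_src: str
    outer_dst: str
    inner: OriginalPacket


@dataclass
class VpcAttachment:
    """VPC connection component: step 22c, encapsulate toward the TR."""
    cidr: str
    tunnel_id: int
    ip: str  # address of the connection component itself

    def encapsulate(self, pkt: OriginalPacket) -> TunnelPacket:
        return TunnelPacket(self.tunnel_id, self.ip, TR_IP, pkt)


class Gwlb:
    """Gateway load balancer: round-robins packets over the security service nodes."""
    def __init__(self, nodes: List[Callable[[OriginalPacket], Optional[OriginalPacket]]]):
        self._next = cycle(nodes)
        self.calls = 0

    def balance(self, pkt: OriginalPacket) -> Optional[OriginalPacket]:
        self.calls += 1
        return next(self._next)(pkt)  # None means the packet failed authentication


@dataclass
class GwlbAttachment:
    """GWLB connection component: decapsulate, record the session, regenerate."""
    gwlb: Gwlb
    sessions: Dict[Tuple[str, str], TunnelPacket] = field(default_factory=dict)

    def handle(self, first: TunnelPacket) -> Optional[TunnelPacket]:
        key = (first.inner.src_ip, first.inner.dst_ip)
        self.sessions[key] = first  # session info recorded before handing off to the GWLB
        secured = self.gwlb.balance(first.inner)  # step 22b: inner packet only
        saved = self.sessions.pop(key)  # session is complete whether or not it passed
        if secured is None:
            return None
        # Regenerate the first tunnel packet from the session info plus the security packet
        return TunnelPacket(saved.tunnel_id, saved.outer_src, saved.outer_dst, secured)


class TransitRouter:
    """Forwarding router: security routes default to the GWLB attachment."""
    def __init__(self, attachments: List[VpcAttachment], gwlb_attach: GwlbAttachment,
                 security_routes: Set[Tuple[str, str]]):
        self.attachments = attachments
        self.gwlb_attach = gwlb_attach
        self.security_routes = security_routes  # (source CIDR, destination CIDR) pairs

    def _vpc_of(self, ip: str) -> Optional[VpcAttachment]:
        return next((a for a in self.attachments if ip_address(ip) in ip_network(a.cidr)), None)

    def is_security_route(self, first: TunnelPacket) -> bool:
        src, dst = self._vpc_of(first.inner.src_ip), self._vpc_of(first.inner.dst_ip)
        return bool(src and dst) and (src.cidr, dst.cidr) in self.security_routes

    def reencapsulate(self, first: TunnelPacket) -> TunnelPacket:
        # Swap the first encapsulation (attachment -> TR, requester's tunnel ID) for the
        # second (TR -> peer attachment, peer's tunnel ID); the inner packet is untouched
        dst = self._vpc_of(first.inner.dst_ip)
        return TunnelPacket(dst.tunnel_id, TR_IP, dst.ip, first.inner)

    def forward(self, first: TunnelPacket) -> Optional[TunnelPacket]:
        if self.is_security_route(first):
            first = self.gwlb_attach.handle(first)
            if first is None:
                return None  # failed authentication: nothing reaches the peer VPC
        # Non-security routes go straight to the peer (assumed; not detailed on the page)
        return self.reencapsulate(first)


def allow_get_only(pkt: OriginalPacket) -> Optional[OriginalPacket]:
    """Constructed security service node: admit only payloads beginning with b'GET '."""
    return pkt if pkt.payload.startswith(b"GET ") else None


def build_demo() -> Tuple[VpcAttachment, TransitRouter, Gwlb]:
    vpc_a = VpcAttachment("10.1.0.0/16", 1001, "192.168.1.10")
    vpc_b = VpcAttachment("10.2.0.0/16", 1002, "192.168.2.10")
    vpc_c = VpcAttachment("10.3.0.0/16", 1003, "192.168.3.10")
    gwlb = Gwlb([allow_get_only, allow_get_only])
    tr = TransitRouter([vpc_a, vpc_b, vpc_c], GwlbAttachment(gwlb),
                       {("10.1.0.0/16", "10.2.0.0/16")})  # only A -> B is a security route
    return vpc_a, tr, gwlb
```

Calling `tr.forward(vpc_a.encapsulate(pkt))` on a packet from the A to B segment pair returns a second tunnel packet carrying B's tunnel ID with the TR as outer source, returns `None` when the security node rejects it, and bypasses the GWLB entirely for the A to C pair, which is not a security route.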
It is noted here that the detailed functions implemented by the modules of the above apparatuses can be found in the relevant descriptions of the foregoing method or system embodiments and are not repeated here.
FIG. 4 is a schematic structural diagram of a forwarding router provided by an exemplary embodiment of the present application. The forwarding router may be implemented as a cloud computing device including: a memory 41, a processor 42 and a communication component 43.
The memory 41 is configured to store a computer program and may be configured to store various other data to support operation of the forwarding router. Examples of such data include instructions for any application or method operating on the forwarding router, messages, pictures, videos, etc. Further, the memory 41 is also configured to store at least one piece of security routing information that points by default to the GWLB connection component in the cloud networking system.
The processor 42 is coupled to the memory 41 and is configured to execute the computer program in the memory 41 so as to provide, during service access between the two customer VPCs corresponding to each piece of security routing information, a security service for that service access through the GWLB connection component and the GWLB in the security control VPC using the security service node in the security control VPC. The GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with each of them, and the GWLB is interconnected with the security service node.
Optionally, the processor 42 is specifically configured to: receive, through the communication component 43, a first tunnel packet from any customer VPC in the cloud networking system, the first tunnel packet being obtained by tunnel-encapsulating an original packet in which that customer VPC requests a target service from another customer VPC; and, if the routing information corresponding to the first tunnel packet belongs to the security routing information, send the first tunnel packet to the GWLB connection component in the cloud networking system, so that the original packet is security-authenticated by the security service node in the security control VPC via the GWLB in the security control VPC.
Optionally, the processor 42 is further configured to: parse the original packet out of the first tunnel packet and determine the network segment information of the source customer VPC and the destination customer VPC from the source IP address and destination IP address in the original packet; match that network segment information against the at least one piece of security routing information; and, if a match is found, determine that the routing information corresponding to the first tunnel packet is security routing information.
Optionally, the processor 42 is further configured to: receive, through the communication component 43, the first tunnel packet returned by the GWLB connection component, the first tunnel packet having been regenerated by the GWLB connection component from the security packet returned by the GWLB when the original packet passes security authentication, the security packet being generated from the original packet; and encapsulate the first tunnel packet into a second tunnel packet and provide it to the other customer VPC, so that the other customer VPC provides the target service to the requesting customer VPC.
Optionally, the processor 42 is specifically configured to replace the first tunnel encapsulation information of the first tunnel packet with second tunnel encapsulation information according to the security routing information corresponding to the first tunnel packet, thereby obtaining the second tunnel packet. The second tunnel encapsulation information includes the tunnel identifier (ID) corresponding to the other customer VPC; its source IP address is the IP address of the TR and its destination IP address is the IP address of the VPC connection component in the other customer VPC. The first tunnel encapsulation information includes the tunnel ID corresponding to the requesting customer VPC; its source IP address is the IP address of the VPC connection component in the requesting customer VPC and its destination IP address is the IP address of the TR.
Further, as shown in FIG. 4, the forwarding router also includes other components such as a power supply component 44. FIG. 4 shows only some components schematically; this does not mean that the forwarding router includes only the components shown in FIG. 4.
Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, enables the processor to implement each step that can be executed by the TR in the above method embodiments.
An embodiment of the present application provides a cloud computing device that has the same or a similar structure to the forwarding router shown in FIG. 4; it is therefore not illustrated separately, and FIG. 4 may be referred to for details. The cloud computing device provided in this embodiment may be implemented as the GWLB connection component in a cloud networking system and includes a memory and a processor. The memory is configured to store a computer program; the processor is coupled to the memory and configured to execute the computer program stored in the memory so as to: receive a first tunnel packet sent by the forwarding router TR in the cloud networking system, the first tunnel packet being obtained by tunnel-encapsulating an original packet in which any customer VPC in the cloud networking system requests a target service from another customer VPC; and parse the original packet out of the first tunnel packet and send it to the GWLB in the security control VPC, so that the GWLB load-balances the original packet to a security service node in the security control VPC for security authentication. The GWLB connection component serves as the routing medium between the TR and the GWLB and is interconnected with each of them, and the GWLB is interconnected with the security service node.
Further optionally, the processor is also configured to: record the session information corresponding to the first tunnel packet before sending the original packet to the GWLB; receive, after sending the original packet to the GWLB, the security packet returned by the GWLB, the security packet being generated from the original packet when the original packet passes security authentication; and regenerate the first tunnel packet from the session information corresponding to the first tunnel packet and the security packet and return it to the TR, so that the TR encapsulates the first tunnel packet into a second tunnel packet and provides it to the other customer VPC.
Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, enables the processor to implement each step that can be executed by the GWLB connection component in the above method embodiments.
An embodiment of the present application provides a cloud computing device that has the same or a similar structure to the forwarding router shown in FIG. 4; it is therefore not illustrated separately, and FIG. 4 may be referred to for details. The cloud computing device provided in this embodiment may be implemented as the VPC connection component in a cloud networking system and includes a memory and a processor. The memory is configured to store a computer program; the processor is coupled to the memory and configured to execute the computer program stored in the memory so as to: receive an original packet in which a client in the customer VPC where the VPC connection component is located requests access to a target service; encapsulate the original packet into a first tunnel packet according to pre-configured routing information pointing to the forwarding router TR; and send the first tunnel packet to the TR, so as to perform service mutual access, through the TR, with another customer VPC in the cloud networking system that provides the target service.
Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, enables the processor to implement each step that can be executed by the VPC connection component in the above method embodiments.
The memory in the above embodiments may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
The communication component in the above embodiments is configured to facilitate wired or wireless communication between the device in which it is located and other devices. That device may access a wireless network based on a communication standard, such as WiFi, a 2G, 3G, 4G/LTE or 5G mobile communication network, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component further includes a near field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
The power supply component in the above embodiments provides power to the various components of the device in which it is located. The power supply component may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for that device.
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-persistent storage in computer-readable media, in the form of random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
以上仅为本申请的实施例而已,并不用于限制本申请。对于本领域技术人员来说,本申请可以有各种更改和变化。凡在本申请的精神和原理之内所作的任何修改、等同替换、改进等,均应包含在本申请的权利要求范围之内。 The above are only embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included within the scope of the claims of the present application.

Claims (15)

  1. A cloud networking system, characterized in that it comprises: a forwarding router (TR) and a plurality of customer virtual private clouds (VPCs) interconnected with the TR, the plurality of customer VPCs performing mutual service access through the TR;
    the cloud networking system further comprises a security control VPC, the security control VPC comprising a gateway-type load balancing device (GWLB) and a plurality of security service nodes interconnected with the GWLB, for providing security services externally;
    a GWLB connection component is further deployed in the cloud networking system, the GWLB connection component serving as a routing medium between the TR and the GWLB and being interconnected with the TR and with the GWLB respectively;
    the TR is configured with at least one piece of security routing information pointing by default to the GWLB connection component, for providing, while the two customer VPCs corresponding to each piece of security routing information perform a service access process, security services for that service access process through the GWLB connection component and the GWLB using the security service nodes in the security control VPC.
  2. The system according to claim 1, characterized in that the TR is specifically configured to: receive a first tunnel message from any customer VPC, the first tunnel message being obtained by tunnel-encapsulating an original message in which that customer VPC requests a target service from another customer VPC; and, if the routing information corresponding to the first tunnel message belongs to the security routing information, send the first tunnel message to the GWLB connection component, so as to perform security authentication on the original message through the GWLB using a security service node in the security control VPC;
    the GWLB connection component is configured to parse the original message out of the first tunnel message and send the original message to the GWLB, so that the GWLB load-balances the original message to a security service node in the security control VPC for security authentication.
  3. The system according to claim 2, characterized in that the GWLB connection component is further configured to: record session information corresponding to the first tunnel message; and receive a security message returned by the GWLB, regenerate the first tunnel message according to the session information corresponding to the first tunnel message and the security message, and return it to the TR, wherein the security message is generated by the security service node in the security control VPC according to the original message and sent to the GWLB when the original message passes security authentication;
    the TR is further configured to: receive the first tunnel message returned by the GWLB connection component, encapsulate the first tunnel message into a second tunnel message, and provide it to the other customer VPC, so that the other customer VPC provides the target service to that customer VPC.
  4. The system according to any one of claims 1 to 3, characterized in that a VPC connection component is deployed in each of the plurality of customer VPCs; the VPC connection component is configured with routing information pointing to the TR by default, for encapsulating an original message requesting access to a target service in the customer VPC where it is located into a first tunnel message, and sending the first tunnel message to the TR, so as to perform mutual service access through the TR with another customer VPC that provides the target service.
  5. The system according to any one of claims 1 to 3, characterized in that it further comprises a control node configured to perform:
    in response to a creation request for a forwarding router, creating a forwarding router (TR) in a system VPC, and, in response to a routing configuration operation, configuring at least one piece of security routing information on the TR, deploying a VPC connection component in each of the two customer VPCs corresponding to each piece of security routing information, and adding the identifier of the VPC connection component on the TR;
    and/or
    in response to a creation request for a GWLB connection component, deploying the GWLB connection component in the system VPC and specifying the GWLB associated with the GWLB connection component; and adding the identifier of the GWLB connection component on the TR, so as to establish the correspondence between the TR and the GWLB connection component.
  6. A secure access method, characterized in that it is applied to a forwarding router (TR) in a cloud networking system, the method comprising:
    receiving a first tunnel message from any customer VPC in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which that customer VPC requests a target service from another customer VPC;
    if the routing information corresponding to the first tunnel message belongs to the security routing information, sending the first tunnel message to a GWLB connection component in the cloud networking system, so as to perform security authentication on the original message through the GWLB in a security control VPC using a security service node in the security control VPC;
    wherein the security routing information points to the GWLB connection component, the GWLB connection component serves as a routing medium between the TR and the GWLB and is interconnected with the TR and with the GWLB respectively, and the GWLB is interconnected with the security service nodes.
  7. The method according to claim 6, characterized in that it further comprises:
    parsing the original message out of the first tunnel message, and determining network segment information of the source customer VPC and the destination customer VPC according to the source IP address and the destination IP address in the original message;
    matching the network segment information of the source customer VPC and the destination customer VPC against the at least one piece of security routing information; and if a match is found, determining that the routing information corresponding to the first tunnel message is security routing information.
  8. The method according to claim 6 or 7, characterized in that it further comprises:
    receiving the first tunnel message returned by the GWLB connection component, the first tunnel message being regenerated by the GWLB connection component according to a security message returned by the GWLB when the original message passes security authentication, the security message being generated according to the original message;
    encapsulating the first tunnel message into a second tunnel message and providing it to the other customer VPC, so that the other customer VPC provides the target service to that customer VPC.
  9. The method according to claim 8, characterized in that encapsulating the first tunnel message into a second tunnel message comprises:
    according to the security routing information corresponding to the first tunnel message, replacing the first tunnel encapsulation information corresponding to the first tunnel message with second tunnel encapsulation information to obtain the second tunnel message;
    wherein the second tunnel encapsulation information includes the tunnel identifier (ID) corresponding to the other customer VPC, the source IP address in the second tunnel encapsulation information is the IP address of the TR, and the destination IP address is the IP address corresponding to the VPC connection component in the other customer VPC;
    and the first tunnel encapsulation information includes the tunnel ID corresponding to that customer VPC, the source IP address of the first tunnel encapsulation information is the IP address corresponding to the VPC connection component in that customer VPC, and the destination IP address is the IP address of the TR.
  10. A secure access method, characterized in that it is applied to a gateway-type load balancing device (GWLB) connection component in a cloud networking system, the method comprising:
    receiving a first tunnel message sent by a forwarding router (TR) in the cloud networking system, the first tunnel message being obtained by tunnel-encapsulating an original message in which any customer VPC in the cloud networking system requests a target service from another customer VPC;
    parsing the original message out of the first tunnel message, and sending the original message to the GWLB in a security control VPC, so that the GWLB load-balances the original message to a security service node in the security control VPC for security authentication;
    wherein the GWLB connection component serves as a routing medium between the TR and the GWLB and is interconnected with the TR and with the GWLB respectively, and the GWLB is interconnected with the security service nodes.
  11. The method according to claim 10, characterized in that it further comprises:
    before sending the original message to the GWLB, recording session information corresponding to the first tunnel message; and
    after sending the original message to the GWLB, receiving a security message returned by the GWLB, the security message being generated according to the original message when the original message passes security authentication;
    regenerating the first tunnel message according to the session information corresponding to the first tunnel message and the security message, and returning it to the TR, so that the TR encapsulates the first tunnel message into a second tunnel message and provides it to the other customer VPC.
  12. A forwarding router, applicable to a cloud networking system, characterized in that it comprises: a memory and a processor;
    the memory is configured to store a computer program and at least one piece of security routing information pointing by default to a gateway-type load balancing device (GWLB) connection component in the cloud networking system; and the processor, coupled to the memory, is configured to execute the computer program so as to perform the steps of the method according to any one of claims 6 to 9.
  13. A cloud computing device, implementable as a gateway-type load balancing device (GWLB) connection component in a cloud networking system, characterized in that it comprises: a memory and a processor; the memory is configured to store a computer program, and the processor, coupled to the memory, is configured to execute the computer program so as to perform the steps of the method according to any one of claims 10 to 11.
  14. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, it causes the processor to implement the steps of the method according to any one of claims 6 to 9 and claims 10 to 11.
  15. A cloud networking system, characterized in that it comprises: a forwarding router (TR) and a plurality of customer virtual private clouds (VPCs) interconnected with the TR, the plurality of customer VPCs performing mutual service access through the TR;
    the cloud networking system further comprises an intermediate service VPC, the intermediate service VPC comprising a gateway-type load balancing device (GWLB) and a plurality of intermediate service nodes interconnected with the GWLB, for providing intermediate services externally;
    a GWLB connection component is further deployed in the cloud networking system, the GWLB connection component serving as a routing medium between the TR and the GWLB and being interconnected with the TR and with the GWLB respectively;
    the TR is configured with at least one piece of security routing information pointing by default to the GWLB connection component, for providing, while the two customer VPCs corresponding to each piece of security routing information perform a service access process, intermediate services for that service access process through the GWLB connection component and the GWLB using the intermediate service nodes in the intermediate service VPC.
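As an added illustration, not code from the patent or its applicant, the following Python model walks one original message through the path that claims 6 to 11 describe: the TR matches the inner source and destination addresses against its security routing information, hands the first tunnel message to the GWLB connection component, which records the session, has the GWLB load-balance the original message to a security service node and rebuilds the first tunnel message from the returned security message; the TR then swaps in the second tunnel encapsulation (tunnel ID of the destination VPC, source IP of the TR, destination IP of that VPC's connection component). The class names, sample addresses and tunnel IDs, the port-based inspection policy, and the assumption that a security route applies in both directions between its two VPCs are all my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:          # the "original message" exchanged between customer VPCs
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes

@dataclass(frozen=True)
class TunnelPacket:    # tunnel encapsulation information plus the original message
    tunnel_id: int
    outer_src: str
    outer_dst: str
    inner: Packet

@dataclass(frozen=True)
class CustomerVpc:     # a customer VPC and the IP of its VPC connection component
    cidr: str
    tunnel_id: int
    attach_ip: str

class Gwlb:
    """GWLB: load-balances each original message to one security service node."""
    def __init__(self, nodes: List[Callable[[Packet], Optional[Packet]]]):
        self.nodes = nodes
    def inspect(self, pkt: Packet) -> Optional[Packet]:
        node = self.nodes[hash((pkt.src_ip, pkt.dst_ip, pkt.dst_port)) % len(self.nodes)]
        return node(pkt)   # the security message, or None when authentication fails

class GwlbAttachment:
    """GWLB connection component: strips the tunnel, keeps session state, rebuilds it."""
    def __init__(self, gwlb: Gwlb):
        self.gwlb = gwlb
        self.sessions: Dict[Tuple[str, str, int], Tuple[int, str, str]] = {}
    def handle(self, first: TunnelPacket) -> Optional[TunnelPacket]:
        key = (first.inner.src_ip, first.inner.dst_ip, first.inner.dst_port)
        self.sessions[key] = (first.tunnel_id, first.outer_src, first.outer_dst)  # claim 11
        secure = self.gwlb.inspect(first.inner)                                     # claim 10
        tid, osrc, odst = self.sessions.pop(key)
        if secure is None:
            return None                    # no security message came back: the flow is dropped
        return TunnelPacket(tid, osrc, odst, secure)   # regenerated first tunnel message

class TransitRouter:
    def __init__(self, ip: str, vpcs: List[CustomerVpc], attachment: GwlbAttachment):
        self.ip, self.vpcs, self.attachment = ip, vpcs, attachment
        self.security_routes: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]] = []
    def add_security_route(self, cidr_a: str, cidr_b: str) -> None:
        self.security_routes.append((ipaddress.ip_network(cidr_a), ipaddress.ip_network(cidr_b)))
    def _is_security_route(self, pkt: Packet) -> bool:
        # claim 7: match the source/destination VPC segments of the original message;
        # assumed here to apply in both directions between the two VPCs of a route
        s, d = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
        return any((s in a and d in b) or (s in b and d in a) for a, b in self.security_routes)
    def _vpc_for(self, ip: str) -> CustomerVpc:
        return next(v for v in self.vpcs if ipaddress.ip_address(ip) in ipaddress.ip_network(v.cidr))
    def handle_first_tunnel(self, first: TunnelPacket) -> Optional[TunnelPacket]:
        if self._is_security_route(first.inner):   # claim 6: detour via the GWLB attachment
            first = self.attachment.handle(first)
            if first is None:
                return None
        dst = self._vpc_for(first.inner.dst_ip)
        # claim 9: replace the first tunnel encapsulation with the second one
        return TunnelPacket(dst.tunnel_id, self.ip, dst.attach_ip, first.inner)

def build_demo() -> TransitRouter:
    """Constructed topology: VPC-A and VPC-B share one security route, VPC-C has none."""
    def firewall(pkt: Packet) -> Optional[Packet]:   # assumed policy: only HTTPS passes
        return pkt if pkt.dst_port == 443 else None
    vpc_a = CustomerVpc("10.1.0.0/16", 101, "192.168.1.1")
    vpc_b = CustomerVpc("10.2.0.0/16", 102, "192.168.2.1")
    vpc_c = CustomerVpc("10.3.0.0/16", 103, "192.168.3.1")
    tr = TransitRouter("192.168.0.1", [vpc_a, vpc_b, vpc_c],
                       GwlbAttachment(Gwlb([firewall, firewall])))
    tr.add_security_route(vpc_a.cidr, vpc_b.cidr)
    return tr
```

A message from VPC-A to VPC-B on port 443 comes back with tunnel ID 102 and the second tunnel addressed from the TR to VPC-B's connection component, a port-23 attempt on the same pair is dropped because no security message is returned, and traffic from VPC-A to VPC-C bypasses inspection because no security route covers that pair.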
PCT/CN2023/120291 2022-09-26 2023-09-21 Cloud networking system, secure access method, and device and storage medium WO2024067338A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211177346.X 2022-09-26
CN202211177346.XA CN115913617A (en) 2022-09-26 2022-09-26 Cloud networking system, secure access method, device and storage medium

Publications (1)

Publication Number Publication Date
WO2024067338A1 true WO2024067338A1 (en) 2024-04-04
