CN109510870A - A kind of method of group enterprise's tradition IT architecture cloud - Google Patents

Abstract

The invention discloses a kind of methods of group enterprise's tradition IT architecture cloud, by way of being designed in this method and step, group enterprise is in combination with itself traditional IT architecture feature, realize enterprise IT architecture cloud, and realize the exchanging visit of system and cloud external system on cloud, the security isolation of system on cloud is realized simultaneously, the shortcomings that abandon traditional IT architecture, so that the resource utilization of enterprise IT architecture is greatly improved, system deployment is more flexible and convenient, purchase cost sharp fall is the group enterprise of conventional architectures suitable for IT architecture.

Description

A kind of method of group enterprise's tradition IT architecture cloud

Technical field

The present invention relates to cloud computing, virtualization and security isolations, and in particular to a kind of group enterprise's tradition IT architecture cloud The method of change.

Background technique

Enterprise's tradition IT architecture is by server storage solitary toweraphy into framework funnel-shaped one by one, each server (cluster) corresponding independent storage or network, each business have independent region, and the physical boundary of each service area is the industry The dedicated access switch of business, the equipment such as calculating, storage, safety are also specific to the business, expensive, configuration section that there are purchase costs Administration it is complicated it is not flexible, be difficult to manage, the level of resources utilization is low, is not easy the disadvantages of extending.

Cloud computing be it is a kind of can network obtained in a manner of convenient, pay-for-use computing resource (including network, Server, storage, application and service etc.) and improve its availability, flexibility, expansibility and the efficient mode of the utilization of resources, These resources can be obtained and be released in a manner of most laborsaving and unmanned intervention from a shared configurable resource pool It puts.But group enterprise IT architecture cloud is a complicated engineering, there are many technical problems, the bad realization of single method, Need to study a kind of comprehensive method.

Summary of the invention

The object of the present invention is to provide one kind to realize on cloud outside system and cloud for group enterprise's tradition IT architecture System intercommunication guarantees the suitable corporate identity of operation system safety in enterprise's private clound by the Border Protection of privately owned cloud platform The method of privately owned comprehensive cloud.

The technical solution adopted by the invention is as follows: a kind of method of group enterprise's tradition IT architecture cloud, specifically includes Following steps:

Step (1) builds privately owned cloud platform by cloud management software using physical server, physical store and physical network；

Step (2) implements physical server virtualization in the privately owned cloud platform put up, and creates logic calculation resource pool, real Physical store virtualization is applied, logical storage resources pond is created, implements physical network virtualization, creates logical network resources pond；

Step (3) distributes virtual machine in privately owned cloud platform, and from logic calculation resource pool, memory resource pool and Internet resources Chi Zhongwei virtual machine distributes CPU, memory, disk and IP address resource, using PtoV by the business on the physical server of enterprise Application system is migrated into the virtual machine in privately owned cloud platform；

Step (4) is aiming at the problem that virtual machine can not access in physical server and private clound after enterprise's cloud, using network bridge Logical VXLAN and VLAN is taken, physical server and the host of privately owned cloud platform are communicated, by formulating access control Policy Table realizes exchanging visit between the two；

Step (5) uses differential section and micro- isolation method in security isolation to the virtual machine in privately owned cloud platform, passes through formulation Security isolation Policy Table, realizes the defense controls of East and West direction flow between privately owned cloud platform host, virtual in privately owned cloud platform Security isolation between machine, reaches security protection.

The beneficial effects of the present invention are:

So that group enterprise is combined itself traditional IT architecture feature by means of the present invention, realizes enterprise IT architecture cloud, and Realize the exchanging visit of system and cloud external system on cloud, while the present invention ensure that enterprise is privately owned by the Border Protection of privately owned cloud platform The safety of operation system on cloud, by the security isolation of system on cloud, thus the shortcomings that having abandoned traditional IT architecture, so that enterprise The resource utilization of industry IT architecture is greatly improved, and system deployment is more flexible and convenient, purchase cost sharp fall, thoroughly Change IT application in enterprises architecture and method of service, realizes enterprise data center from conventional data centers to green energy conservation cloud number According to the transformation at center, so that enterprise data center enters " cloud era ", its core business is supported to move towards quick for enterprise IT, more preferably The propulsion that fast changing business event competition and development environment and double wound platforms are coped in ground plays key effect.This kind of method Suitable for following enterprise:

1. group enterprise IT architecture is conventional architectures, it is desirable to by cloud, carry out the Transformation Development of traditional IT architecture.

2. the cloud of group enterprise IT architecture needs to be based on to implement on the basis of existing IT system and equipment.

3. the IT architecture of group enterprise is complicated, it is wide to be related to business, more than system application type and many and diverse.

4. most of core business of group enterprise needs to move on cloud, but has the physical environment that can not be migrated, Need to guarantee the exchanging visit of private clound and physical environment.

5. group enterprise needs to consider security protection after realizing cloud.

Present invention combination enterprise data center network, server, storage status, build the private clound of suitable corporate identity Mode merges existing resource using existing enterprise's data center infrastructure condition, realizes server virtualization and creates logic Computing resource pool realizes Storage Virtualization and creates logical storage resources pond, realizes network virtualization and creates logical network money Source pond；By being based on enterprise's existing network environment, in the case where not changing original operation system IP address, by existing business System in graceful migration to the privately owned cloud platform put up, realizes enterprise IT architecture U2VL transition from physical server.

The present invention gives full play to the hardware performance of server, storage and network by virtualization, can throw ensuring enterprise While entering cost, efficiency of operation, energy saving reduction economic cost and space waste are improved, for quickly growing, at calipers For the big user of mould, more economic benefits can be brought by virtualization.Server virtualization is to calculate server to provide Source virtualization, provides computing resource pool.Storage Virtualization will specifically store equipment or the same server operating system of storage system Separate, provides unified storage pool for storage user.It is simulated on a physical network by network virtualization Multiple logical network.

The present invention passes through PtoV(physical machine to virtual machine (vm) migration), i.e., physical machine is cloned into virtual machine technique, provides one The system migration tool of kind server virtualization.

The present invention is forwarded network packet by network bridging, the address of the link layer according to OSI network model Process, mainly use the handover of VXLAN and VLAN, that is, realize the connection of VXLAN and VLAN.Some small machines of physics in enterprise System can not move in privately owned cloud platform, but the system in the system and privately owned cloud platform on the small machine of the physics needs mutually It visits, after the present invention is by implementing network virtualization and deployment VXLAN, realizes the server in physical server and privately owned cloud platform Mutual access.

The present invention is by Network Isolation, with access control thought to be tactful, based on physical isolation, and defines related constraint The security intensity for carrying out Logistics networks with rule, can not only make the isolation of two network implementationss physically, but also can be in the network of safety Data exchange is carried out under environment, main target is to keep apart harmful network security threats, to ensure data information credible Secure interactive is carried out in network.

Transition of the group enterprise from conventional architectures to cloud framework is realized using method of the invention, enterprise's private clound is built, makes The case where originally enterprise supports a business up to a hundred using up to a hundred servers be changed into can be supported using tens servers it is several Hundred applications, effectively promotion resource utilization, greatly save business equipment purchase cost, greatly reduce system and equipment event Barrier rate and O&M cost.IT application in enterprises architecture and method of service are revolutionized using method of the invention, by enterprise Data center is the cloud data center of green energy conservation by conventional data centers development；And combine enterprise practical situation, it can be achieved that cloud System intercommunication under upper and cloud；The security isolation of system in cloud platform is realized simultaneously, ensure that the safe and reliable of system and data.

Detailed description of the invention

The foundation of privately owned cloud platform Fig. 1 of the invention and the migration schematic diagram of operation system；

Schematic diagram is realized in the exchanging visit of system and other physical server systems in privately owned cloud platform Fig. 2 of the invention；

Schematic diagram is realized in the micro- isolation of privately owned cloud platform Fig. 3 of the invention；

Fig. 4 is the physical host and computing resource of integration；

Fig. 5 is the storage resource of integration；

Fig. 6 is the logical network resources of integration；

Fig. 7 is to migrate to the operation system of privately owned cloud platform；

Fig. 8 is the intercommunication figure that vlan network and VXLAN network are realized by bridging functionality；

Fig. 9 is security protection figure；

Figure 10 is user group administration interface；

Figure 11 is tenant's resource pool application interface；

Figure 12 is that resource checks process.

In figure: 1-privately owned cloud platform；2-logic calculation resource pools；3-logical storage resources ponds；4-logical network money Source pond；5-physical servers；6-physical stores；7-physical networks；8-can adjourn to the operation system of private clound；9-is virtual Machine；10-No. 1 physical switches；11-No. 2 physical switches；12-No. 3 physical switches；13-No. 4 physical switches； 14-physical hosts；15-private clound virtual machines；16-No. 1 host；17-No. 2 hosts；18-No. 3 hosts；19— Cloud Guan Pingtai.

Specific embodiment

Below with reference to specific drawings and examples, invention is further described in detail；

A kind of method of group enterprise's tradition IT architecture cloud, specifically includes the following steps:

Step (1): enterprise's private clound is built by cloud management software using physical server 5, physical store 6 and physical network 7 Platform 1;

Step (2): in the privately owned cloud platform 1 put up, logic calculation resource pool 2 is established in the virtualization of service implementation device；It is taking In the privately owned cloud platform 1 built up, implements Storage Virtualization, establish logical storage resources pond 3；Using existing physical network 7, taking In the privately owned cloud platform 1 built up, implements network virtualization, establish logical network resources pond 4；

Step (3): virtual machine 9 is distributed in logic-based computing resource pool 2, memory resource pool 3 and logical network resources pond 4, uses PtoV will be in the virtual machine 9 in 8 graceful migration of operation system to privately owned cloud platform 1 that can adjourn to private clound；

Step (4): aiming at the problem that virtual machine 15 can not access in physical host 14 and private clound after enterprise's cloud, using network Bridge joint gets through VXLAN and VLAN, so that 16, No. 2 hosts 17,3 of physical server 5 and No. 1 host of privately owned cloud platform Number host 18 can communicate, and by formulating access control policy table in cloud pipe platform 19, realize the physical host that can not go up cloud Connection between 14 and private clound virtual machine 15 realizes that the system in physical network can pass through 10, No. 2 objects of No. 1 physical switches Manage the mutual access of system in the physical switches 13 of physical switches 12,4 of interchanger 11,3 and privately owned cloud platform；It is described Access control policy table, the IP address information of mac address information, virtual machine comprising virtual machine, routing iinformation, VXLAN encapsulation To the transitional information, the mac address information of physical server and the IP address information of physical server of VLAN；

Step (5): the system in privately owned cloud platform 1 how protection with high safety aiming at the problem that, cloud pipe platform 19 formulate pacify Full isolation Policy Table realizes the defense controls of the East and West direction flow of privately owned cloud platform 1 by differential section and micro- isolation method, real Security isolation in existing privately owned cloud platform 1 between private clound virtual machine 15, to achieve the effect that security protection；The security isolation Policy Table, the IP address information of mac address information, virtual machine comprising virtual machine, the name information of virtual machine, virtual machine net The logical switch information where safe group information, virtual machine where card information, virtual machine, the port information for needing to be isolated, Direction (outbound or inbound) information is isolated, isolation strategy (allows or refuse) information.

Embodiment

Certain enterprise's private clound platform construction is a kind of typical case of group enterprise's tradition IT architecture cloud, is exactly foundation Cloud computing technology framework and development trend, in conjunction with the actual conditions of enterprise, establishment and rolling construction plan build and complete enterprise's private There are the computing resource pool and memory resource pool of cloud basic platform, by realizing network virtualization, establishes the peace of private clound Full protection, while the privately owned cloud platform Self-Service mode of enterprise is realized, the specific implementation is as follows:

1, resource consolidation

The privately owned cloud platform of enterprise is built by cloud management software using physical server, physical store and physical network；It is building In good privately owned cloud platform, the virtualization of service implementation device completes the resource consolidation of 36 physical servers altogether, establishes logic calculation Resource pool is illustrated in figure 4 the physical host and computing resource of integration；Implement Storage Virtualization, completes the resource of 3 storages altogether Integration, establishes logical storage resources pond, the storage resource that such as 5 figures show integration: utilizes existing physical network, integrates 10 objects Interchanger is managed, network virtualization is realized, establishes logical network resources pond, as shown in fig. 6, for the logical network resources of integration.

2, operation system migrates

Virtual machine is distributed in logic-based computing resource pool, memory resource pool and logical network resources pond, can be adjourned to using PtoV In virtual machine in the operation system graceful migration to privately owned cloud platform of private clound, as shown in fig. 7, to migrate to privately owned cloud platform Operation system: as shown in Figure 7: buying web physical server, will be on system migration to privately owned cloud platform using PtoV technology In virtual machine cgweb.

3, access control and security isolation strategy are formulated

Aiming at the problem that virtual machine can not access in physical host and private clound after enterprise's cloud, got through using network bridging VXLAN and VLAN realizes that the physical host that can not go up cloud and private clound are empty by formulating access control policy table in cloud pipe platform Connection between quasi- machine realizes that the system in physical network can pass through the mutual of the system in physical switches and privately owned cloud platform Access, bridge joint are as shown in Figure 8: the intercommunication of vlan network and VXLAN network is realized by bridging functionality, as shown in Figure 8: 10.1.201 network segment host realizes the ERP system in physical network by bridging functionality respectively in vlan network and VXLAN network The data of metering system in system and virtual network access mutually.

The system in privately owned cloud platform how protection with high safety aiming at the problem that, cloud pipe platform formulate security isolation plan Sketch form realizes the defense controls of the East and West direction flow of privately owned cloud platform by differential section and micro- isolation method, realizes that private clound is flat Security isolation on platform between virtual machine, to achieve the effect that security protection.It is specific as shown in Figure 9: to pass through distributed fire wall Function is realized between virtual machine and virtual machine, East and West direction flow is anti-based on the other safety of port level between virtual machine and physical machine Shield, as shown in figure 9, any host is allowed to access the FTP of certain virtual server, HTTP service and 4455/ in privately owned cloud platform 4477/8080/8891/ 8892 ports.

4, privately owned cloud platform main functional modules

Finally, private clound Platform deployment is completed, mainly includes following functions module:

1) user and rights management

Role Management

For managing role, increases, deletes, the permission of modification role and setting role.

Division management

For administrative department, increases, deletes, modification department.

User management

For managing user, increases, deletes, the password of modification user and resetting user.AD User Catalog is integrated to support inside AD User Catalog agreement, is verified by internal user directory service.

Tenant's management

For managing tenant, increases, deletes, modification tenant, resetting the operations such as tenant administrator login password, termination tenant.Such as It is user group administration interface shown in Figure 10:

2) management of resource pool

Hardware resource pool is managed, such as: host, CPU, memory, storage, network pooling technology.By resource fragmentation, As computing unit, storage unit, the Charging Detail Record unit that can independently distribute one by one.

Organization and administration

For showing organized list data, modification refreshes cloud platform user group data.

Resource provides platform management

Platform is provided for managing resource, is increased, filing, modification backstage cloud resource pond.

Computing resource is reserved

For dividing computing resource pool to different tenants, include: CPU, memory, virtual machine quantity, network accessibility.

Network resource reservation based on moving speed

For the network port allocating default network information different to virtual platform, such as: IP range, gateway, DNS.Simultaneously It supports network pool function, carries out the distribution and recycling of IP in deployment phase.

Storage resource is reserved

It is configured for storage resource SLA differentiated control, and to storage quota.

The distribution of tenant's resource pool

Distribute reserved resource pool to each tenant, resource pool includes: computing resource is reserved, network resource reservation based on moving speed, storage resource are pre- It stays.It as shown in figure 11, is tenant's resource pool application interface.

3) application process and deployment management

User uses the products & services issued in cloud platform, it is necessary to by carrying out resource one by application process from service door Cause property and compliance inspection, by or not by personnel examine (depending on business need), finally have system automation dispose process draw Hold up carry out automatically dispose.

Approval process setting

For managing approval process setting, increases, deletes, modification approval process.In setting process node automatic flow rule, Strategy, the selection routing of flow nodes personnel.

Examine scene settings

Scene settings are examined for managing, increases, delete, modification examination & approval scene.Scene is examined by a plurality of approval process setting group It closes, it can be according to the flow priority in the information settings scene such as different project.

Check process settings

Process settings are checked for managing, and are increased, are deleted, process is checked in modification.

Check scene settings

Scene settings are checked for managing, and are increased, are deleted, scene is checked in modification.

Deployment management

According to applying for and examining situation, according to service catalogue, exploitation customization automatic Deployment Solution for Services is realized and automates resource deployment. As shown in figure 12, process is checked for resource.

Claims (1)

1. a kind of method of group enterprise's tradition IT architecture cloud, it is characterised in that: specifically includes the following steps:

Step (1) builds privately owned cloud platform by cloud management software using physical server, physical store and physical network；

Step (2) implements physical server virtualization in the privately owned cloud platform put up, and creates logic calculation resource pool, real Physical store virtualization is applied, logical storage resources pond is created, implements physical network virtualization, creates logical network resources pond；

Step (3) distributes virtual machine in privately owned cloud platform, and from logic calculation resource pool, memory resource pool and Internet resources Chi Zhongwei virtual machine distributes CPU, memory, disk and IP address resource, using PtoV by the business on the physical server of enterprise Application system is migrated into the virtual machine in privately owned cloud platform；

Step (4) is aiming at the problem that virtual machine can not access in physical server and private clound after enterprise's cloud, using network bridge Logical VXLAN and VLAN is taken, physical server and the host of privately owned cloud platform are communicated, by formulating access control Policy Table realizes exchanging visit between the two；

Step (5) uses differential section and micro- isolation method in security isolation to the virtual machine in privately owned cloud platform, passes through formulation Security isolation Policy Table, realizes the defense controls of East and West direction flow between privately owned cloud platform host, virtual in privately owned cloud platform Security isolation between machine, reaches security protection.