CN110213181B - Data stream guiding device and data stream guiding method in virtual network - Google Patents

Data stream guiding device and data stream guiding method in virtual network

Info

Publication number
CN110213181B
Authority
CN
China
Prior art keywords
virtual machine
data
bridge
port
security
Prior art date
Legal status
Active
Application number
CN201910351096.9A
Other languages
Chinese (zh)
Other versions
CN110213181A (en)
Inventor
巩泉吉
王�华
周栋臣
高超
朱娜
李力军
Current Assignee
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201910351096.9A
Publication of CN110213181A
Priority to PCT/CN2020/084347 (WO2020220977A1)
Application granted
Publication of CN110213181B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L 12/462 LAN interconnection over a bridge based backbone
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 49/00 Packet switching elements
    • H04L 49/25 Routing or path finding in a switch fabric
    • H04L 49/252 Store and forward routing
    • H04L 49/253 Routing or path finding in a switch fabric using establishment or release of connections between ports
    • H04L 49/35 Switches specially adapted for specific applications
    • H04L 49/354 Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]
    • H04L 49/70 Virtual switches

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A data stream guiding device and a data stream guiding method in a virtual network, in the technical field of virtual networks. In the device, a first virtual machine, a second virtual machine and a security service node are each connected to a virtual switch, and a flow table specifies the routing rules by which the virtual switch forwards data. When this device steers traffic, the data does not have to be encapsulated by a virtual machine gateway at any point in the process, nor does a virtual machine have to steer the data through a memory transfer mechanism. Consequently the security service node neither needs to know in advance the protocol the virtual gateway uses to encapsulate data nor needs a custom-developed application programming interface (API) matched to the virtual machine's memory, so a security service node supplied by a third party does not require extensive adaptation work up front, which improves the flexibility with which the data stream guiding device can be applied.

Description

Data stream guiding device and data stream guiding method in virtual network
Technical Field
The present application relates to virtual network technologies, and in particular to a data stream guiding device and a data stream guiding method in a virtual network.
Background
In a virtualized network such as a cloud environment, two virtual machines (VMs) communicate by sending data to each other. Typically, data sent by one virtual machine to the other is first steered to a security service node, which processes the data in order to monitor the security of the communication between the two virtual machines and then forwards it to the other virtual machine.
In the related art, data can be steered to the security service node by way of a virtual gateway. Specifically, when virtual machine A needs to send data to virtual machine B, virtual machine A first sends the data to virtual gateway A of the virtual extensible local area network (VXLAN) in which virtual machine A resides; virtual gateway A encapsulates the data, and the destination address carried in the encapsulated data is the address of the security service node. When the security service node receives the encapsulated data, it decapsulates it to obtain the original data, which it can then process. After processing, the security service node encapsulates the data again, this time with the destination address of virtual gateway B in the VXLAN in which virtual machine B resides, and virtual gateway B finally delivers the data to virtual machine B.
In the related art, data can also be steered to the security service node by memory transfer. Specifically, when virtual machine A needs to send data to virtual machine B, virtual machine A writes the data into the memory corresponding to virtual machine A; the security service node reads the data from that memory and writes it into the memory corresponding to virtual machine B, thereby delivering virtual machine A's data to virtual machine B.
With the virtual gateway approach, the security service node must know in advance the protocol the virtual gateway uses to encapsulate data. With the memory transfer approach, the security service node needs a custom-developed application programming interface (API) matched to the virtual machine's memory. Because the security service node is usually supplied by a third party, both approaches require extensive adaptation work on the third-party security service node in advance, which limits the flexibility of the data stream guiding process.
Disclosure of Invention
Embodiments of the present application provide a data stream guiding device and a data stream guiding method in a virtual network that improve the flexibility of data stream guiding.
In a first aspect, a data stream guiding device in a virtual network is provided. The device includes a first virtual machine, a second virtual machine, a security service node and a virtual switch; the first virtual machine, the second virtual machine and the security service node are each connected to the virtual switch. The virtual switch forwards data transmitted between the first virtual machine and the second virtual machine to the security service node according to a flow table, so as to instruct the security service node to process the data, and the flow table specifies the routing rules by which the virtual switch transmits data.
Because the first virtual machine, the second virtual machine and the security service node are each connected to the virtual switch, and the flow table specifies the routing rules by which the virtual switch transmits data, data can be steered to the security service node through the virtual switch and the flow table created among the first virtual machine, the second virtual machine and the security service node. At no point in the steering process does data need to be encapsulated by a virtual machine gateway, nor does a virtual machine need to steer data through memory transfer. The security service node therefore neither needs to know in advance the protocol the virtual gateway uses to encapsulate data nor needs a custom-developed API matched to the virtual machine's memory. With the data stream guiding device provided by the embodiments of the present application, a security service node supplied by a third party does not require extensive adaptation work in advance, which improves the flexibility with which the device can be applied.
Optionally, the virtual switch includes a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module and an integrated bridge. The first virtual machine is connected to the first virtual machine bridge, the second virtual machine to the second virtual machine bridge, and the security service node to the security monitoring bridge module; the first virtual machine bridge, the second virtual machine bridge and the security monitoring bridge module are each connected to the integrated bridge. One or more pairs of paired ports exist between the first virtual machine bridge and the security monitoring bridge module, where paired ports means that data sent by one port is received by the other and data sent by the other is received by the first. The flow table specifies the routing rules for transmitting data inside each of the first virtual machine bridge, the second virtual machine bridge, the security monitoring bridge module and the integrated bridge.
In the embodiments of the present application, one or more pairs of mutually paired ports are created between the security monitoring bridge module and the other bridges so that they can communicate with each other and data can be steered to the security service node. Data is thus steered to the security service node by means of the flow table and the created pairs of mutually paired ports.
Optionally, the security service node includes a first security virtual machine and the security monitoring bridge module includes a first security virtual machine bridge component, to which the first security virtual machine is connected. The first virtual machine bridge includes a first port and a second port, and the first security virtual machine bridge component includes a third port and a fourth port; the first port and the third port on the first security virtual machine bridge component are a pair of mutually paired ports, and the second port and the fourth port on the first security virtual machine bridge component are a pair of mutually paired ports.
With this structure, the security service node may include only one security virtual machine and the security monitoring bridge module only one security virtual machine bridge component, so data need only be steered to a single security virtual machine, which improves the flexibility of the data stream guiding device.
Optionally, the security service node includes N security virtual machines and the security monitoring bridge module includes N security virtual machine bridge components in one-to-one correspondence with them, where N is a positive integer greater than or equal to 2. After the N security virtual machine bridge components are sorted according to a reference sequence, a pair of mutually paired ports exists on every two adjacent components. The first virtual machine bridge includes a first port and a second port, and each security virtual machine bridge component includes a third port and a fourth port; the first port and the third port on the first security virtual machine bridge component in the sorted order are a pair of mutually paired ports, and the second port and the fourth port on the last security virtual machine bridge component in the sorted order are a pair of mutually paired ports.
With this structure, the security service node includes several security virtual machines and the security monitoring bridge module includes several security virtual machine bridge components, so data can be steered to several security virtual machines, each of which performs its own security monitoring, which improves the flexibility of the data stream guiding device.
Optionally, for the i-th security virtual machine bridge component in the sorted order, the third port on the i-th component and the fourth port on the (i-1)-th component are a pair of mutually paired ports, where i is a positive integer greater than or equal to 2 and less than or equal to N.
With this arrangement, data can be transmitted in sequence from the first security virtual machine bridge component to the last, ensuring that, after passing through all of the security virtual machines, the data can be returned to the first virtual machine bridge.
Optionally, each security virtual machine bridge component further includes a fifth port and a sixth port, both of which connect to the security virtual machine. The flow table specifies that data arriving at the third port of a security virtual machine bridge component is sent out of the fifth port of the same component, and data arriving at the fifth port is sent out of the third port of the same component; the flow table further specifies that data arriving at the sixth port of a security virtual machine bridge component is sent out of the fourth port of the same component, and data arriving at the fourth port is sent out of the sixth port of the same component.
Under these routing rules, data received by a security virtual machine bridge component is delivered to the security virtual machine connected to it, and data returned by that security virtual machine is sent on to another security virtual machine bridge component or to the first virtual machine bridge.
Optionally, the first virtual machine bridge further includes a seventh port connected to the first virtual machine, and the flow table specifies that data received on the seventh port is sent out of the first port and data received on the first port is sent out of the seventh port.
Under this routing rule, data received by the first virtual machine bridge on the first port is delivered to the first virtual machine, and data received by the first virtual machine bridge from the first virtual machine is sent out through the first port.
Optionally, the first virtual machine bridge further includes an eighth port and the integrated bridge includes a ninth port, the eighth port being connected to the ninth port. The flow table further specifies that data received on the second port is sent out of the eighth port, and data received on the eighth port is passed on through the ninth port.
Under these routing rules, data received by the first virtual machine bridge can be sent to the integrated bridge, and data received by the integrated bridge can be sent to the first virtual machine bridge.
Optionally, the integrated bridge further includes a tenth port, the second virtual machine bridge includes an eleventh port and a twelfth port, the tenth port is connected to the eleventh port, and the twelfth port is connected to the second virtual machine. The flow table further specifies that data received on the ninth port is sent out of the tenth port and data received on the tenth port is sent out of the ninth port, and that data received on the eleventh port is sent out of the twelfth port and data received on the twelfth port is sent out of the eleventh port.
Under these routing rules, data received by the first virtual machine bridge can be sent through the integrated bridge to the second virtual machine bridge, and data received by the second virtual machine bridge can be sent through the integrated bridge to the first virtual machine bridge.
Optionally, each security virtual machine bridge component comprises a first security virtual machine bridge and a second security virtual machine bridge; the first security virtual machine bridge carries the third port and the fifth port, and the second security virtual machine bridge carries the fourth port and the sixth port.
With this arrangement, the transmission path of data sent to the security virtual machine and the transmission path of data sent by the security virtual machine are implemented on different bridges, which allows the SDN controller to create the flow table.
Optionally, the virtual switch is created by a software-defined networking (SDN) controller, and the flow table is issued to the virtual switch by the SDN controller.
In a second aspect, a data stream guiding method in a virtual network is provided, applied to the data stream guiding device of any one of claims 1 to 11. The method includes: the virtual switch receives first data sent by the first virtual machine; the virtual switch forwards the first data to the security service node according to the flow table, so as to instruct the security service node to process the first data, where the flow table specifies the routing rules by which the virtual switch transmits data; and when the virtual switch receives the first data back from the security service node, it sends the first data to the second virtual machine according to the flow table.
Optionally, the virtual switch includes a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module and an integrated bridge. The virtual switch receiving the first data sent by the first virtual machine includes: the first virtual machine bridge receives the first data sent by the first virtual machine. Correspondingly, the virtual switch forwarding the first data to the security service node according to the flow table, so as to instruct the security service node to process the first data, includes: the first virtual machine bridge sends the first data to the security monitoring bridge module according to the flow table, and the security monitoring bridge module forwards the received first data to the security service node according to the flow table, so as to instruct the security service node to process it. Correspondingly, the virtual switch sending the first data to the second virtual machine according to the flow table when it receives the first data back from the security service node includes: the security monitoring bridge module sends the first data returned by the security service node to the first virtual machine bridge according to the flow table; on receiving the first data from the security monitoring bridge module, the first virtual machine bridge sends it to the integrated bridge according to the flow table; on receiving the first data, the integrated bridge sends it to the second virtual machine bridge according to the flow table; and the second virtual machine bridge sends the first data to the second virtual machine according to the flow table.
Optionally, the security service node includes a first security virtual machine and the security monitoring bridge module includes a first security virtual machine bridge component. The first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the first data sent by the first virtual machine, it sends the first data out through the first port. Correspondingly, the security monitoring bridge module forwarding the received first data to the security service node according to the flow table, so as to instruct the security service node to process it, includes: the first security virtual machine bridge component receives the first data through the third port and sends it to the first security virtual machine, the first port and the third port on the first security virtual machine bridge component being a pair of mutually paired ports.
Optionally, the security monitoring bridge module sending the first data returned by the security service node to the first virtual machine bridge according to the flow table includes: when the first security virtual machine bridge component receives the first data sent back by the first security virtual machine, it sends the first data out through the fourth port, and the first virtual machine bridge receives it through the second port, the second port and the fourth port on the first security virtual machine bridge component being a pair of mutually paired ports.
Optionally, the security service node includes N security virtual machines and the security monitoring bridge module includes N security virtual machine bridge components in one-to-one correspondence with them, where N is a positive integer greater than or equal to 2. The first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the first data sent by the first virtual machine, it sends the first data out through the first port, and the first security virtual machine bridge component in the order obtained by sorting the N components according to a reference sequence receives the first data through its third port, the first port and that third port being a pair of mutually paired ports. Correspondingly, the security monitoring bridge module forwarding the received first data to the security service node according to the flow table, so as to instruct the security service node to process it, includes: the first security virtual machine bridge component sends the first data to its corresponding security virtual machine, so as to instruct that security virtual machine to process it, receives the first data back from that security virtual machine, and sends it on to the second security virtual machine bridge component; and for the i-th security virtual machine bridge component in the sorted order, the i-th component receives the first data sent by the (i-1)-th component, sends it to its corresponding security virtual machine, so as to instruct that security virtual machine to process it, and receives the first data back from that security virtual machine, where i is a positive integer greater than or equal to 2 and less than or equal to N, and a pair of mutually paired ports exists on every two adjacent security virtual machine bridge components in the sorted order.
Optionally, the security monitoring bridge module sending the first data returned by the security service node to the first virtual machine bridge according to the flow table includes: when the last security virtual machine bridge component in the sorted order receives the first data sent back by its corresponding security virtual machine, it sends the first data out through the fourth port, and the first virtual machine bridge receives it through the second port, the second port and the fourth port on the last security virtual machine bridge component in the sorted order being a pair of mutually paired ports.
Optionally, the method further includes: the virtual switch receives second data sent by the second virtual machine in response to the first data; the virtual switch forwards the second data to the security service node according to the flow table, so as to instruct the security service node to process the second data; and when the virtual switch receives the second data back from the security service node, it sends the second data to the first virtual machine according to the flow table.
Optionally, the virtual switch includes a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module and an integrated bridge. The virtual switch receiving the second data sent by the second virtual machine in response to the first data includes: the second virtual machine bridge receives the second data sent by the second virtual machine. Correspondingly, the virtual switch forwarding the second data to the security service node according to the flow table, so as to instruct the security service node to process it, includes: the second virtual machine bridge sends the second data to the integrated bridge in the virtual switch according to the flow table; on receiving the second data, the integrated bridge sends it to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the second data from the integrated bridge, it sends the second data to the security monitoring bridge module according to the flow table; and the security monitoring bridge module forwards the received second data to the security service node according to the flow table, so as to instruct the security service node to process it. Correspondingly, the virtual switch sending the second data to the first virtual machine according to the flow table when it receives the second data back from the security service node includes: the security monitoring bridge module sends the second data returned by the security service node to the first virtual machine bridge according to the flow table, and when the first virtual machine bridge receives the second data from the security monitoring bridge module, it sends the second data to the first virtual machine according to the flow table.
Optionally, the security service node includes a first security virtual machine and the security monitoring bridge module includes a first security virtual machine bridge component. The first virtual machine bridge sending the second data to the security monitoring bridge module according to the flow table when it receives the second data from the integrated bridge includes: when the first virtual machine bridge receives the second data sent by the integrated bridge, it sends the second data out through the second port, and the first security virtual machine bridge component receives it through the fourth port, the second port and the fourth port on the first security virtual machine bridge component being a pair of mutually paired ports.
Optionally, the security monitoring bridge module sending the second data returned by the security service node to the first virtual machine bridge according to the flow table includes: when the first security virtual machine bridge component receives the second data sent back by the first security virtual machine, it sends the second data out through the third port of the first security virtual machine bridge component, and the first virtual machine bridge receives it through the first port.
Optionally, the security service node includes N security virtual machines and the security monitoring bridge module includes N security virtual machine bridge components in one-to-one correspondence with them, where N is a positive integer greater than or equal to 2. The first virtual machine bridge sending the second data to the security monitoring bridge module according to the flow table when it receives the second data from the integrated bridge includes: when the first virtual machine bridge receives the second data sent by the integrated bridge, it sends the second data out through the second port, and the last security virtual machine bridge component in the order obtained by sorting the N components according to a reference sequence receives the second data through its fourth port, the second port and that fourth port being a pair of mutually paired ports.
Correspondingly, the security monitoring bridge module forwarding the received second data to the security service node according to the flow table, so as to instruct the security service node to process it, includes:
the last security virtual machine bridge component sends the second data to its corresponding security virtual machine, so as to instruct that security virtual machine to process it, receives the second data back from that security virtual machine, and sends it to the penultimate security virtual machine bridge component in the sorted order;
for the j-th security virtual machine bridge component in the sorted order, the j-th component receives the second data sent by the (j+1)-th component, sends it to its corresponding security virtual machine, so as to instruct that security virtual machine to process it, and receives the second data back from that security virtual machine, where j is a positive integer greater than or equal to 1 and less than or equal to N-1, and a pair of mutually paired ports exists on every two adjacent security virtual machine bridge components in the sorted order.
Optionally, the security monitoring bridge module sending the second data returned by the security service node to the first virtual machine bridge according to the flow table includes: when the first security virtual machine bridge component in the sorted order receives the second data sent back by its corresponding security virtual machine, it sends the second data out through the third port, and the first virtual machine bridge receives it through the first port, the first port and the third port on the first security virtual machine bridge component in the sorted order being a pair of mutually paired ports.
The beneficial effects of the data drainage method in the virtual network provided by the second aspect may refer to the beneficial effects of the apparatus provided by the first aspect, and are not described herein again.
Drawings
Fig. 1 is a schematic structural diagram of a host in a virtualized network according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a data stream guiding device in a virtual network according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of another data stream guiding device provided in an embodiment of the present application;
Fig. 4 is a schematic diagram of another data stream guiding device provided in an embodiment of the present application;
Fig. 5 is a flowchart of a data stream guiding method in a virtual network according to an embodiment of the present application;
Fig. 6 is a flowchart of another data stream guiding method in a virtual network according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Before the data stream guiding device and the data stream guiding method in the virtual network provided by the embodiments of the present application are explained, the application scenario of the embodiments is described first.
In a non-virtualized network, if data transmitted between two network devices needs to be security-monitored, a security device such as an Intrusion Prevention System (IPS) or an Intrusion Detection System (IDS) can be connected in series between the two network devices, so that the data transmitted between them is directed through the security device for monitoring. In a virtualized network, however, the nature of virtualization dissolves the traditional network boundary. If data transmitted between two virtual machines needs to be security-monitored, the complexity of routing configuration and certain limitations of cloud implementations make it difficult to direct data by connecting a security device in series in the network. The embodiments of the present application therefore provide a data stream guiding device and a data stream guiding method in a virtualized network. Fig. 1 is a schematic structural diagram of a host in a virtualized network according to an embodiment of the present application. As shown in fig. 1, an operating system 101 is installed on a host 100, a plurality of virtual machines run on the operating system 101, and data can be transmitted between the virtual machines. The data stream guiding device and method provided by the embodiments can be applied between two virtual machines located on the same host and also between two virtual machines located on different hosts.
The data stream guiding device provided by the embodiments of the present application is explained in detail below.
Fig. 2 is a schematic structural diagram of a data stream guiding device in a virtual network according to an embodiment of the present application. As shown in fig. 2, the data stream guiding device 200 includes a first virtual machine 201, a second virtual machine 202, a security service node 203, and a virtual switch 204. The first virtual machine 201, the second virtual machine 202, and the security service node 203 are each connected to the virtual switch 204. The virtual switch 204 is configured to forward data transmitted between the first virtual machine 201 and the second virtual machine 202 to the security service node 203 according to a flow table, so as to instruct the security service node 203 to process the data, where the flow table indicates the routing rules by which the virtual switch 204 transmits data.
Since the first virtual machine, the second virtual machine, and the security service node are each connected to the virtual switch, and the flow table indicates the routing rules by which the virtual switch transmits data, data can be directed to the security service node through the virtual switch and the flow table created among the first virtual machine, the second virtual machine, and the security service node. Throughout the data stream guiding process, data neither needs to be encapsulated by a virtual machine gateway nor guided by the virtual machine through memory transfer. Consequently, the security service node need not know in advance the protocol the virtual gateway uses to encapsulate data, and no API adapted to the virtual machine's memory needs to be custom-developed in advance. The data stream guiding device provided by the embodiments therefore avoids a large amount of prior adaptation work on a security service node supplied by a third party, which improves the flexibility with which the device can be applied.
The virtual switch 204 may be created by a Software Defined Network (SDN) controller. Of course, the virtual switch 204 may also be created by other types of network controllers, which are not enumerated here. The flow table may be issued by the SDN controller to the virtual switch 204 and may specifically be an OpenFlow-based flow table.
The following describes the structure of the virtual switch provided in the embodiments of the present application in detail:
In one possible implementation, as shown in fig. 2, the virtual switch 204 includes a first virtual machine bridge 2041, a second virtual machine bridge 2042, a security monitoring bridge module 2043, and an integrated bridge 2044. The first virtual machine 201 is connected to the first virtual machine bridge 2041, the second virtual machine 202 to the second virtual machine bridge 2042, and the security service node 203 to the security monitoring bridge module 2043. The first virtual machine bridge 2041, the second virtual machine bridge 2042, and the security monitoring bridge module 2043 are each connected to the integrated bridge 2044. All four may be created by the SDN controller.
In this embodiment, so that the security monitoring bridge module 2043 can communicate with the other bridges and data can be directed to the security service node, one or more pairs of mutually paired ports may be created between the security monitoring bridge module 2043 and the other bridges. A pair of mutually paired ports means that data sent by one port of the pair is received by the other, and data sent by the other is received by the first. Specifically, in the data stream guiding device shown in fig. 2, the flow table indicates the routing rules for transferring data inside any one of the first virtual machine bridge 2041, the second virtual machine bridge 2042, the security monitoring bridge module 2043, and the integrated bridge 2044. Therefore, data can be directed to the security service node through the flow table and the one or more created pairs of mutually paired ports.
Specifically, virtual switch 204 may have the following two possible configurations:
In the first possible configuration, two pairs of mutually paired ports exist on the first virtual machine bridge 2041 and the security monitoring bridge module 2043. The first virtual machine bridge 2041 can thus direct data to the security monitoring bridge module 2043 through one pair of paired ports, and when the security monitoring bridge module 2043 receives data fed back by the security service node 203, it can return the data to the first virtual machine bridge 2041 through the other pair, so that the data is sent to the second virtual machine 202 through the first virtual machine bridge 2041, the integrated bridge 2044, and the second virtual machine bridge 2042.
When data between the first virtual machine 201 and the second virtual machine 202 does not need to be directed to the security service node, it is transmitted through the first virtual machine bridge 2041, the second virtual machine bridge 2042, and the integrated bridge 2044. For example, when the first virtual machine 201 sends data, the data reaches the second virtual machine 202 through the first virtual machine bridge 2041 → the integrated bridge 2044 → the second virtual machine bridge 2042. Directing data through the first possible configuration therefore remains compatible with the original path for transmitting data between the virtual machines, avoids excessive modification of the flow table, and improves the flexibility with which the data stream guiding device can be applied.
In the second possible configuration, one pair of mutually paired ports may be created on the first virtual machine bridge 2041 and the security monitoring bridge module 2043, and another pair on the security monitoring bridge module 2043 and the second virtual machine bridge 2042. The first virtual machine bridge 2041 can thus direct data to the security monitoring bridge module 2043, and when the security monitoring bridge module 2043 receives data fed back by the security service node 203, it can send the data to the second virtual machine bridge 2042, which sends it on to the second virtual machine 202. In this case, however, the existing flow table needs extensive modification, which is unfavorable to the adoption of the data stream guiding device.
In addition, in a virtualized network a Security Virtual Machine (SVM) can perform security monitoring on data. Therefore, in the embodiments of the present application, the security service node may include a secure virtual machine, so that security monitoring is performed by that secure virtual machine. Of course, the security service node may also include a plurality of secure virtual machines, each of which performs security monitoring on the data respectively. Accordingly, for the first possible configuration, the data stream guiding device shown in fig. 2 can be embodied in the following two structures.
Fig. 3 is a schematic structural diagram of another data stream guiding device according to an embodiment of the present application. As shown in fig. 3, the security service node 203 includes a first secure virtual machine 2031, the security monitoring bridge module 2043 includes a first secure virtual machine bridge component 20431, and the first secure virtual machine 2031 is connected to the first secure virtual machine bridge component 20431. The first virtual machine bridge 2041 includes a first port and a second port, and the first secure virtual machine bridge component 20431 includes a third port and a fourth port. The first port and the third port on the first secure virtual machine bridge component 20431 are a pair of mutually paired ports, and the second port and the fourth port on the first secure virtual machine bridge component 20431 are a pair of mutually paired ports.
That is, in the data stream guiding device shown in fig. 3, the security service node includes only one secure virtual machine and the security monitoring bridge module includes only one secure virtual machine bridge component, so data needs to be directed to only one secure virtual machine.
Fig. 4 is a schematic diagram of another data stream guiding device according to an embodiment of the present application. As shown in fig. 4, the security service node 203 includes N secure virtual machines 2032, and the security monitoring bridge module 2043 includes N secure virtual machine bridge components 20432, in one-to-one correspondence with the N secure virtual machines 2032. After the N secure virtual machine bridge components 20432 are sorted according to a reference order, a pair of mutually paired ports exists on every two adjacent secure virtual machine bridge components 20432. N is a positive integer greater than or equal to 2. The first virtual machine bridge 2041 includes a first port and a second port, and each secure virtual machine bridge component 20432 includes a third port and a fourth port. The first port and the third port on the first sorted secure virtual machine bridge component 20432 are a pair of mutually paired ports, and the second port and the fourth port on the last sorted secure virtual machine bridge component 20432 are a pair of mutually paired ports.
Since the first port and the third port on the first sorted secure virtual machine bridge component 20432 are paired, the first virtual machine bridge 2041 can send data to the first sorted secure virtual machine bridge component 20432. Since a pair of mutually paired ports exists on every two adjacent secure virtual machine bridge components 20432 after the N components are sorted according to the reference order, data can be transmitted in turn from the first secure virtual machine bridge component 20432 to the last. Since the second port and the fourth port on the last sorted secure virtual machine bridge component 20432 are paired, data can be returned to the first virtual machine bridge 2041 after it has passed through all the secure virtual machines 2032.
That is, in the data stream guiding device shown in fig. 4, the security service node 203 includes a plurality of secure virtual machines 2032 and the security monitoring bridge module 2043 includes a plurality of secure virtual machine bridge components 20432, so that data can be directed to each of the plurality of secure virtual machines 2032 for security monitoring, which improves the flexibility of the device.
In fig. 4, N is illustrated as 2 merely by way of example; the number of secure virtual machines 2032 and of secure virtual machine bridge components 20432 shown in fig. 4 does not limit N.
In addition, in the data stream guiding device shown in fig. 4, the pair of mutually paired ports on every two adjacent secure virtual machine bridge components 20432 after the N components are sorted according to the reference order may specifically be as follows: for the ith sorted secure virtual machine bridge component 20432, the third port on the ith component and the fourth port on the (i-1)th component are a pair of mutually paired ports, where i is a positive integer greater than or equal to 2 and less than or equal to N. For example, in fig. 4, the third port of the 2nd secure virtual machine bridge component 20432 and the fourth port of the 1st secure virtual machine bridge component 20432 are paired ports.
In addition, as shown in fig. 3 or fig. 4, any secure virtual machine bridge component further includes a fifth port and a sixth port, which are used to connect one secure virtual machine.
At this time, the flow table indicates that data received through the third port of any secure virtual machine bridge component is sent out through the fifth port of the same component, and data received through the fifth port is sent out through the third port of the same component. The flow table further indicates that data received through the sixth port of any secure virtual machine bridge component is sent out through the fourth port of the same component, and data received through the fourth port is sent out through the sixth port of the same component. With these routing rules, data received by a secure virtual machine bridge component can be sent to the secure virtual machine connected to it, and data received from that secure virtual machine can be sent on to another secure virtual machine bridge component or to the first virtual machine bridge.
In addition, as shown in fig. 3 or fig. 4, the first virtual machine bridge further includes a seventh port, which is connected to the first virtual machine. At this time, the flow table indicates that data received through the seventh port is sent out through the first port, and data received through the first port is sent out through the seventh port. With these routing rules, data received by the first virtual machine bridge can be sent to the first virtual machine, and data the first virtual machine bridge receives from the first virtual machine can be sent out.
In addition, as shown in fig. 3 or fig. 4, the first virtual machine bridge further includes an eighth port, the integrated bridge includes a ninth port, and the eighth port and the ninth port are connected. At this time, the flow table further indicates that data received through the second port is sent out through the eighth port, and data received through the eighth port is sent on to the ninth port. With these routing rules, data received by the first virtual machine bridge can be sent to the integrated bridge, and data received by the integrated bridge can be sent to the first virtual machine bridge.
The integrated bridge further includes a tenth port, the second virtual machine bridge further includes an eleventh port and a twelfth port, the tenth port is connected to the eleventh port, and the twelfth port is connected to the second virtual machine. At this time, the flow table further indicates that data received through the ninth port is sent out through the tenth port, and data received through the tenth port is sent out through the ninth port; it further indicates that data received through the eleventh port is sent out through the twelfth port, and data received through the twelfth port is sent out through the eleventh port. With these routing rules, data received by the first virtual machine bridge can be sent to the second virtual machine bridge through the integrated bridge, and data received by the second virtual machine bridge can be sent to the first virtual machine bridge through the integrated bridge.
In addition, since a flow table issued by the SDN controller is generally issued per bridge, in this embodiment any secure virtual machine bridge component, as shown in fig. 3 or fig. 4, may consist of a first secure virtual machine bridge and a second secure virtual machine bridge: the third port and the fifth port in fig. 3 or fig. 4 are deployed on the first secure virtual machine bridge, and the fourth port and the sixth port are deployed on the second secure virtual machine bridge. With this arrangement, the transmission path of data sent to the secure virtual machine and the transmission path of data returned by the secure virtual machine are implemented by different bridges, which allows the SDN controller to create the flow table.
In the data stream guiding device shown in fig. 3 or fig. 4, the first virtual machine bridge, the first secure virtual machine bridge, the second secure virtual machine bridge, and the second virtual machine bridge may be Linux bridges; such a bridge may, for example, be named a Br-ply bridge, although other names are possible. The integrated bridge may be an Open vSwitch (OVS) bridge, which may, for example, be named a Br-int bridge, although other names are likewise possible.
In addition, as shown in fig. 3 or fig. 4, the first secure virtual machine bridge or the second secure virtual machine bridge is also connected to the integrated bridge through a port, which is not described in detail here.
For the data stream guiding devices shown in fig. 2 to fig. 4, the first virtual machine, the second virtual machine, and the secure virtual machine may be virtual machines on the same host or on different hosts. If data needs to be exchanged in both directions between the first virtual machine and the second virtual machine, the first virtual machine, the second virtual machine, and the secure virtual machine must be deployed on the same host. If the first virtual machine only needs to send data to the second virtual machine in one direction, only the first virtual machine and the secure virtual machine need to be on the same host. Similarly, if the second virtual machine only needs to send data to the first virtual machine in one direction, only the second virtual machine and the secure virtual machine need to be on the same host.
The data stream guiding method in the virtual network provided in the embodiments of the present application is explained in detail below. In these embodiments, when the first virtual machine sends first data to the second virtual machine, the first data may be directed through the data stream guiding device. When the second virtual machine feeds back second data to the first virtual machine in response to the first data, since security monitoring of the second data generally needs to refer to the first data, the second data can be transmitted along the path opposite to the transmission path of the first data, so that the second data is also directed. The two scenarios are explained separately in the following embodiments.
Fig. 5 is a flowchart of a data stream guiding method in a virtual network according to an embodiment of the present application, applied to the data stream guiding device shown in fig. 2 to fig. 4. As shown in fig. 5, the method includes the following steps:
Step 501: the virtual switch receives first data sent by the first virtual machine.
As shown in fig. 2, the virtual switch includes a first virtual machine bridge, and the first virtual machine is connected to the first virtual machine bridge. Therefore, in one possible implementation, step 501 may be: the first virtual machine bridge receives the first data sent by the first virtual machine. Specifically, as shown in fig. 3 or fig. 4, the seventh port of the first virtual machine bridge receives the first data.
Step 502: the virtual switch forwards the first data to the security service node according to the flow table to instruct the security service node to process the first data, the flow table indicating the routing rules by which the virtual switch transmits data.
As shown in fig. 2, step 502 may specifically be: the first virtual machine bridge sends the first data to the security monitoring bridge module according to the flow table, and the security monitoring bridge module forwards the received first data to the security service node according to the flow table to instruct the security service node to process the first data.
As shown in fig. 3, when the security service node includes a first secure virtual machine and the security monitoring bridge module includes a first secure virtual machine bridge component, one implementation of the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table is: when the first virtual machine bridge receives the first data sent by the first virtual machine, it sends the first data through the first port. Correspondingly, one implementation of the security monitoring bridge module forwarding the received first data to the security service node according to the flow table, to instruct the security service node to process the first data, is: the first secure virtual machine bridge component receives the first data through the third port and sends it to the first secure virtual machine.
In addition, as shown in fig. 4, when the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, one implementation of the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table is: when the first virtual machine bridge receives the first data sent by the first virtual machine, it sends the first data through the first port, and the first of the N secure virtual machine bridge components sorted according to the reference order receives the first data through its third port.
Correspondingly, one implementation of the security monitoring bridge module forwarding the received first data to the security service node according to the flow table, to instruct the security service node to process the first data, is: the first sorted secure virtual machine bridge component sends the first data to the corresponding secure virtual machine to instruct it to process the first data, receives the first data returned by that secure virtual machine, and sends the first data to the second sorted secure virtual machine bridge component; for the ith sorted secure virtual machine bridge component, the ith component receives the first data sent by the (i-1)th component, sends it to the corresponding secure virtual machine to instruct it to process the first data, and the corresponding secure virtual machine returns the first data to the ith component, where i is a positive integer greater than or equal to 2 and less than or equal to N, and a pair of mutually paired ports exists on every two adjacent secure virtual machine bridge components after the N components are sorted according to the reference order.
In both implementations above (fig. 3 and fig. 4), for any secure virtual machine bridge component in the security monitoring bridge module, when the component receives the first data through its third port, the first data must be sent to the secure virtual machine connected to that component. Specifically, as shown in fig. 3 or fig. 4, when the secure virtual machine bridge component receives the first data through the third port, it may send the first data through its fifth port to the corresponding secure virtual machine. After receiving the first data, the secure virtual machine may process it and return it to the secure virtual machine bridge component. As shown in fig. 3 or fig. 4, the secure virtual machine bridge component receives the first data returned by the corresponding secure virtual machine through the sixth port and, according to the routing rule indicated in the flow table, sends it through the fourth port, so that the first data reaches the next secure virtual machine bridge component or the first virtual machine bridge.
Step 503: when the virtual switch receives the first data sent by the security service node, it sends the first data to the second virtual machine according to the flow table.
In one possible implementation, as shown in fig. 2, step 503 may specifically be: the security monitoring bridge module sends the first data sent by the security service node to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the first data sent by the security monitoring bridge module, it sends the first data to the integrated bridge according to the flow table; when the integrated bridge receives the first data, it sends the first data to the second virtual machine bridge according to the flow table, and the second virtual machine bridge sends the first data to the second virtual machine according to the flow table.
Specifically, as shown in fig. 3, when the security service node includes a first secure virtual machine and the security monitoring bridge module includes a first secure virtual machine bridge component, one implementation of the security monitoring bridge module sending the first data sent by the security service node to the first virtual machine bridge according to the flow table is: when the first secure virtual machine bridge component receives the first data sent by the first secure virtual machine, it sends the first data through the fourth port; the first virtual machine bridge receives the first data through the second port.
As shown in fig. 4, when the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, one implementation of the security monitoring bridge module sending the first data sent by the security service node to the first virtual machine bridge according to the flow table is: when the last sorted secure virtual machine bridge component receives the first data sent by the corresponding secure virtual machine, it sends the first data through the fourth port; the first virtual machine bridge receives the first data through the second port.
In addition, as shown in fig. 3 or fig. 4, one implementation of the first virtual machine bridge sending the first data to the integrated bridge according to the flow table, when it receives the first data sent by the security monitoring bridge module, is: the first virtual machine bridge sends the first data through the eighth port, and the integrated bridge receives the first data through the ninth port.
In addition, as shown in fig. 3 or fig. 4, one implementation of the integrated bridge sending the first data to the second virtual machine bridge according to the flow table when it receives the first data, and of the second virtual machine bridge sending the first data to the second virtual machine according to the flow table, is: the integrated bridge sends the first data through the tenth port; the second virtual machine bridge receives the first data through the eleventh port and sends it through the twelfth port to the second virtual machine.
Fig. 6 is a flowchart of another data stream guiding method in a virtual network according to an embodiment of the present application, applied to the data stream guiding device shown in the embodiments of fig. 2 to 4. As shown in fig. 6, the method includes the following steps:
Step 601: the virtual switch receives second data sent by the second virtual machine in response to the first data.
As shown in fig. 2, the virtual switch includes a second virtual machine bridge, and the second virtual machine is connected to the second virtual machine bridge. Therefore, in a possible implementation, step 601 may specifically be: the second virtual machine bridge receives the second data sent by the second virtual machine. Specifically, as shown in fig. 3 or fig. 4, the twelfth port of the second virtual machine bridge receives the second data.
Step 602: the virtual switch forwards the second data to the security service node according to the flow table to instruct the security service node to process the second data.
As shown in fig. 2, the virtual switch forwarding the second data to the security service node according to the flow table, so as to instruct the security service node to process the second data, may be implemented as follows: the second virtual machine bridge sends the second data to the integrated bridge in the virtual switch according to the flow table; when the integrated bridge receives the second data, it sends the second data to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the second data sent by the integrated bridge, it sends the second data to the security monitoring bridge module according to the flow table; and the security monitoring bridge module forwards the received second data to the security service node according to the flow table, so as to instruct the security service node to process the second data.
Specifically, as shown in fig. 3, when the security service node includes a first security virtual machine and the security monitoring bridge module includes a first security virtual machine bridge element, the first virtual machine bridge, on receiving the second data sent by the integrated bridge, may send it to the security monitoring bridge module according to the flow table as follows: the first virtual machine bridge sends the second data through the second port, and the first security virtual machine bridge element receives the second data through the fourth port.
Specifically, as shown in fig. 4, when the security service node includes N security virtual machines and the security monitoring bridge module includes N security virtual machine bridge elements, the first virtual machine bridge, on receiving the second data sent by the integrated bridge, may send it to the security monitoring bridge module according to the flow table as follows: the first virtual machine bridge sends the second data through the second port, and the last security virtual machine bridge element after the N security virtual machine bridge elements are ordered according to the reference sequence receives the second data through the fourth port.
Correspondingly, the security monitoring bridge module forwarding the received second data to the security service node according to the flow table, so as to instruct the security service node to process the second data, may be implemented as follows: the last security virtual machine bridge element sends the second data to its corresponding security virtual machine to instruct that security virtual machine to process the second data; the security virtual machine returns the second data to the last security virtual machine bridge element, which then sends the second data to the penultimate security virtual machine bridge element in the ordering. For the jth security virtual machine bridge element in the ordering, the jth security virtual machine bridge element receives the second data sent by the (j+1)th security virtual machine bridge element and sends the second data to its corresponding security virtual machine to instruct that security virtual machine to process the second data, and the security virtual machine returns the second data to the jth security virtual machine bridge element, where j is a positive integer greater than or equal to 1 and less than or equal to N-1.
Step 603: and when the virtual switch receives the second data sent by the security service node, sending the second data to the first virtual machine according to the flow table.
As shown in fig. 2, step 603 may specifically be: the safety monitoring bridge module sends second data sent by the safety service node to the first virtual machine bridge according to the flow table; and when the first virtual machine bridge receives the second data sent by the safety monitoring bridge module, sending the second data to the first virtual machine according to the flow table.
Specifically, as shown in fig. 3, when the security service node includes a first security virtual machine, and the security monitoring bridge module includes a first security virtual machine bridge element, the implementation manner of the security monitoring bridge module sending the second data sent by the security service node to the first virtual machine bridge according to the flow table may be: when the first safety virtual machine bridge component receives second data sent by the first safety virtual machine, the second data is sent through a third port in the first safety virtual machine bridge component; the first virtual machine bridge receives the second data through the first port.
As shown in fig. 4, when the security service node includes N security virtual machines and the security monitoring bridge module includes N security virtual machine bridge components, the implementation manner of the security monitoring bridge module sending the second data sent by the security service node to the first virtual machine bridge according to the flow table may be: when the first sequenced safety virtual machine bridge component receives second data sent by the corresponding safety virtual machine, the second data is sent through a third port; the first virtual machine bridge receives the second data through the first port.
In the data stream apparatus shown in fig. 3 or 4, for any one of the secure virtual machine bridge elements in the security monitoring bridge module, when the secure virtual machine bridge element receives the second data through the fourth port, the second data is sent through the sixth port in the secure virtual machine bridge element, so as to send the second data to the secure virtual machine connected to the secure virtual machine bridge element. When the secure virtual machine bridge element receives second data sent by the connected secure virtual machine through the fifth port, the first data can be sent through the third port in the secure virtual machine bridge element.
In addition, as shown in fig. 3 or fig. 4, the implementation manner of the second virtual machine bridge sending the second data to the integrated bridge in the virtual switch according to the flow table may be: the second virtual machine bridge sends second data through the eleventh port; the integrated bridge receives the second data through the tenth port.
As shown in fig. 3 or fig. 4, when receiving the second data, the integrated bridge may send the second data to the first virtual machine bridge in the virtual switch according to the flow table in an implementation manner: the integrated network bridge sends second data through the ninth port; the first virtual machine bridge receives the second data through the eighth port.
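A simulator of the paired-port steering described above, added here as an example and not code from the patent: it builds the first and second virtual machine bridges, the integrated bridge and N ordered security virtual machine bridge elements with the port numbers used in the claims, installs the flow-table rules of claims 6 to 9 (the return-path rule for the eighth port, "received on port 8, sent out of port 2", follows the description of fig. 3 and fig. 4), and follows first data from the first virtual machine and second data from the second virtual machine through the chain. Names such as "vm_bridge_1", "sec_elem_1" and "SVM1" are constructed for the example.

```python
"""Simulator for the paired-port, flow-table-driven steering described above.

Added example, not code from the patent.  Bridge and port numbering follow the
claims (ports 1 to 12; N security VM bridge elements with ports 3/4 on the chain
side and 5/6 toward each security VM).  Flow-table rules are those of claims 6
to 9, except that the return-path rule for the eighth port ("received on port 8
-> sent out of port 2") is taken from the description of fig. 3 and fig. 4.
Names such as "vm_bridge_1", "sec_elem_1" and "SVM1" are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

Loc = Tuple[str, int]            # (bridge or element name, port number)
Peer = Union[Loc, str]           # paired port, or the name of an attached VM


@dataclass
class Topology:
    # (bridge, in_port) -> out_port : the flow table (claims 6 to 9)
    flow_table: Dict[Loc, int] = field(default_factory=dict)
    # (bridge, out_port) -> paired port or attached VM
    links: Dict[Loc, Peer] = field(default_factory=dict)

    def rule(self, bridge: str, in_port: int, out_port: int) -> None:
        self.flow_table[(bridge, in_port)] = out_port

    def pair(self, a: Loc, b: Loc) -> None:
        """Paired ports: data sent by one port is received by the other, both ways."""
        self.links[a] = b
        self.links[b] = a

    def attach(self, loc: Loc, vm: str) -> None:
        """Port wired directly to a virtual machine."""
        self.links[loc] = vm


def build_topology(n: int) -> Topology:
    """First/second VM bridges, integrated bridge and N ordered security elements (N >= 1)."""
    t = Topology()
    # First virtual machine bridge: port 7 faces VM1, ports 1/2 face the chain, port 8 the integrated bridge.
    t.attach(("vm_bridge_1", 7), "VM1")
    t.rule("vm_bridge_1", 7, 1); t.rule("vm_bridge_1", 1, 7)     # claim 7
    t.rule("vm_bridge_1", 2, 8); t.rule("vm_bridge_1", 8, 2)     # claim 8 / description of fig. 3 and 4
    # Integrated bridge: port 9 <-> port 8, port 10 <-> port 11 of the second VM bridge (claim 9).
    t.pair(("vm_bridge_1", 8), ("integrated", 9))
    t.rule("integrated", 9, 10); t.rule("integrated", 10, 9)
    t.pair(("integrated", 10), ("vm_bridge_2", 11))
    t.rule("vm_bridge_2", 11, 12); t.rule("vm_bridge_2", 12, 11)
    t.attach(("vm_bridge_2", 12), "VM2")
    # Security VM bridge elements 1..N (claims 4 to 6): 3 -> 5, 5 -> 3, 4 -> 6, 6 -> 4.
    for i in range(1, n + 1):
        elem = f"sec_elem_{i}"
        t.rule(elem, 3, 5); t.rule(elem, 5, 3)
        t.rule(elem, 4, 6); t.rule(elem, 6, 4)
        t.attach((elem, 5), f"SVM{i}")
        t.attach((elem, 6), f"SVM{i}")
        # Port 3 of element i pairs with port 4 of element i-1; element 1 pairs with port 1 of vm_bridge_1.
        prev = ("vm_bridge_1", 1) if i == 1 else (f"sec_elem_{i - 1}", 4)
        t.pair(prev, (elem, 3))
    t.pair((f"sec_elem_{n}", 4), ("vm_bridge_1", 2))           # last element's port 4 <-> port 2
    return t


def steer(t: Topology, src: str, max_hops: int = 128) -> Tuple[str, List[str]]:
    """Inject a frame from VM1 (first data) or VM2 (second data) and follow the flow table.

    Returns (delivery point, ordered list of security VMs that processed the frame).
    A missing flow entry yields "DROPPED": traffic is never delivered around the chain.
    """
    loc: Loc = ("vm_bridge_1", 7) if src == "VM1" else ("vm_bridge_2", 12)
    processed: List[str] = []
    for _ in range(max_hops):
        bridge, in_port = loc
        if (bridge, in_port) not in t.flow_table:
            return "DROPPED", processed
        out_port = t.flow_table[(bridge, in_port)]
        peer = t.links[(bridge, out_port)]
        if isinstance(peer, tuple):
            loc = peer                                   # received on the paired port
        elif peer.startswith("SVM"):
            processed.append(peer)                       # inline processing by the security VM, which
            loc = (bridge, 6 if out_port == 5 else 5)    # hands the frame back on the element's other VM-side port
        else:
            return peer, processed                       # delivered to VM1 or VM2
    raise RuntimeError("forwarding loop: hop limit exceeded")


def chain_is_complete(t: Topology, n: int) -> bool:
    """Check that both directions traverse every security VM, in opposite orders, with no bypass."""
    dst1, fwd = steer(t, "VM1")
    dst2, rev = steer(t, "VM2")
    expected = [f"SVM{i}" for i in range(1, n + 1)]
    return dst1 == "VM2" and dst2 == "VM1" and fwd == expected and rev == expected[::-1]


if __name__ == "__main__":
    topo = build_topology(3)
    print("first data :", steer(topo, "VM1"))    # ('VM2', ['SVM1', 'SVM2', 'SVM3'])
    print("second data:", steer(topo, "VM2"))    # ('VM1', ['SVM3', 'SVM2', 'SVM1'])
```

Deleting any single flow entry makes `steer` return "DROPPED" rather than a path that skips a security VM, which is the property `chain_is_complete` checks after a flow-table change.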
It will be understood by those skilled in the art that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware, where the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disk.
The above-mentioned embodiments are provided not to limit the present application, and any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (23)

1. A data stream guiding device in a virtual network, characterized by comprising a first virtual machine, a second virtual machine, a security service node and a virtual switch;
the first virtual machine, the second virtual machine and the safety service node are respectively connected with the virtual switch; the virtual switch comprises a first virtual machine bridge and a safety monitoring bridge module, wherein one or more pairs of paired ports exist on the first virtual machine bridge and the safety monitoring bridge module, the paired ports mean that data sent by one port is received by the other port, and data sent by the other port is received by the one port;
the virtual switch is used for forwarding first data transmitted between the first virtual machine and the second virtual machine to the security service node according to a flow table and one or more pairs of ports which are paired with each other so as to instruct the security service node to process the first data, and the flow table is used for instructing the virtual switch to transmit a routing rule of the data.
2. The data steering device according to claim 1, wherein the virtual switch further comprises a second virtual machine bridge and an integrated bridge;
the first virtual machine is connected with the first virtual machine bridge, the second virtual machine is connected with the second virtual machine bridge, the safety service node is connected with the safety monitoring bridge module, and the first virtual machine bridge, the second virtual machine bridge and the safety monitoring bridge module are respectively connected with the integrated bridge;
the flow table is used to indicate routing rules for transferring data within any of the first virtual machine bridge, the second virtual machine bridge, the security monitoring bridge module, and the integrated bridge.
3. The data steering device according to claim 2, wherein the security service node comprises a first security virtual machine, the security monitoring bridge module comprises a first security virtual machine bridge element, the first security virtual machine is connected to the first security virtual machine bridge element, the first virtual machine bridge comprises a first port and a second port, and the first security virtual machine bridge element comprises a third port and a fourth port;
the first port and a third port on the first secure virtual machine bridge element are a pair of ports that are paired with each other, and the second port and a fourth port on the first secure virtual machine bridge element are a pair of ports that are paired with each other.
4. The data diversion device according to claim 2, wherein the security service node comprises N security virtual machines, the security monitoring bridge module comprises N security virtual machine bridge elements, the N security virtual machines and the N security virtual machine bridge elements are in one-to-one correspondence, a pair of ports which are paired with each other exists on every two adjacent security virtual machine bridge elements after the N security virtual machine bridge elements are sorted according to a reference sequence, the N is a positive integer greater than or equal to 2, the first virtual machine bridge comprises a first port and a second port, and each security virtual machine bridge element comprises a third port and a fourth port;
the first port and the third port on the first secure virtual machine bridge element after the ordering are paired ports, and the second port and the fourth port on the last secure virtual machine bridge element after the ordering are paired ports.
5. The data stream guiding device according to claim 4, wherein for the ith safety virtual machine bridge element after the sorting, the third port on the ith safety virtual machine bridge element and the fourth port of the (i-1) th safety virtual machine bridge element are a pair of ports which are paired with each other, and i is a positive integer greater than or equal to 2 and less than or equal to N.
6. The data stream guiding device according to any one of claims 3 to 5, wherein any one of the secure virtual machine bridge components further comprises a fifth port and a sixth port, and the fifth port and the sixth port of any one of the secure virtual machine bridge components are used for connecting one of the secure virtual machines;
the flow table is used for indicating that data sent by a third port on any one safety virtual machine network bridge component is sent out by a fifth port on the same safety virtual machine network bridge component, and data sent by the fifth port on any one safety virtual machine network bridge component is sent out by the third port on the same safety virtual machine network bridge component;
the flow table is further used for indicating that data sent by a sixth port on any one of the secure virtual machine bridge elements is sent out by a fourth port located on the same secure virtual machine bridge element, and data sent by a fourth port on any one of the secure virtual machine bridge elements is sent out by a sixth port located on the same secure virtual machine bridge element.
7. The data steering apparatus according to any one of claims 3 to 5, wherein the first virtual machine bridge further comprises a seventh port, the seventh port is connected to the first virtual machine, the flow table is configured to indicate that data received by the seventh port is sent out by the first port, and data received by the first port is sent out by the seventh port.
8. The data steering device according to any one of claims 3 to 5, wherein the first virtual machine bridge further comprises an eighth port, the integrated bridge comprises a ninth port, and the eighth port is connected to the ninth port;
the flow table is further configured to indicate that the data received by the second port is sent out by the eighth port, and the data received by the eighth port is sent out by the ninth port.
9. The data steering device of claim 8, wherein the integrated bridge further comprises a tenth port, wherein the second virtual machine bridge further comprises an eleventh port and a twelfth port, wherein the tenth port is connected to the eleventh port, and wherein the twelfth port is connected to the second virtual machine;
the flow table is further configured to indicate that data received by the ninth port is sent out by the tenth port, and data received by the tenth port is sent out by the ninth port;
the flow table is further configured to indicate that data received by the eleventh port is sent out by the twelfth port, and data received by the twelfth port is sent out by the eleventh port.
10. The data steering device according to any one of claims 3 to 5, wherein any one of the secure virtual machine bridge components comprises a first secure virtual machine bridge and a second secure virtual machine bridge;
the third port and the fifth port are deployed on the first secure virtual machine bridge, and the fourth port and the sixth port are deployed on the second secure virtual machine bridge.
11. The data steering device according to any one of claims 1 to 5, wherein the virtual switch is created by a Software Defined Network (SDN) controller, and the flow table is issued to the virtual switch by the SDN controller.
12. A data flow guiding method in a virtual network, which is applied to the data flow guiding device according to any one of claims 1 to 11, wherein the virtual switch comprises a first virtual machine bridge and a security monitoring bridge module; the method comprises the following steps:
the virtual switch receives first data sent by the first virtual machine;
a first virtual machine bridge in the virtual switch sends the first data to the safety monitoring bridge module according to a flow table;
the security monitoring bridge module forwards the received first data to the security service node according to the flow table so as to instruct the security service node to process the first data, and the flow table is used for instructing the virtual switch to transmit a routing rule of the data;
when the virtual switch receives first data sent by the security service node, the first data are sent to the first virtual machine bridge through the security monitoring bridge module according to the flow table, and the first data are sent to the second virtual machine through the first virtual machine bridge according to the flow table.
13. The method of claim 12, wherein the virtual switch comprises a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module, and an integration bridge;
the virtual switch receives first data sent by the first virtual machine, and the method comprises the following steps:
the first virtual machine bridge receives first data sent by the first virtual machine;
correspondingly, when the virtual switch receives first data sent by the security service node, sending the first data to the second virtual machine by the first virtual machine bridge according to the flow table, including:
when the first virtual machine bridge receives first data sent by the safety monitoring bridge module, the first data are sent to the integrated bridge according to the flow table;
and when receiving the first data, the integrated network bridge sends the first data to the second virtual machine network bridge according to the flow table, and the second virtual machine network bridge sends the first data to the second virtual machine according to the flow table.
14. The method of claim 13, wherein the security service node comprises a first secure virtual machine, and wherein the security monitoring bridge module comprises a first secure virtual machine bridge element;
the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table, including:
when the first virtual machine bridge receives first data sent by the first virtual machine, the first virtual machine bridge sends the first data through a first port;
correspondingly, the security monitoring bridge module forwards the received first data to the security service node according to the flow table, and is configured to instruct the security service node to process the first data, where the process includes:
the first secure virtual machine bridge component receives the first data through a third port and sends the first data to the first secure virtual machine, and the first port and the third port on the first secure virtual machine bridge component are a pair of ports which are paired with each other.
15. The method of claim 14, wherein the security monitoring bridge module sending the first data sent by the security service node to the first virtual machine bridge according to the flow table comprises:
when the first secure virtual machine bridge component receives first data sent by the first secure virtual machine, the first secure virtual machine bridge component sends the first data through a fourth port;
the first virtual machine bridge receives the first data through a second port, and the second port and a fourth port on the first secure virtual machine bridge component are a pair of ports paired with each other.
16. The method of claim 13, wherein the security service node comprises N security virtual machines, wherein the security monitoring bridge module comprises N security virtual machine bridge elements, wherein there is a one-to-one correspondence between the N security virtual machines and the N security virtual machine bridge elements, and wherein N is a positive integer greater than or equal to 2;
the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table, including:
when the first virtual machine bridge receives first data sent by the first virtual machine, the first virtual machine bridge sends the first data through a first port, the first security virtual machine bridge element after the N security virtual machine bridge elements are ordered according to the reference sequence receives the first data through a third port, and the first port and the third port on the first security virtual machine bridge element after ordering are a pair of ports which are paired with each other;
correspondingly, the security monitoring bridge module forwards the received first data to the security service node according to the flow table to instruct the security service node to process the first data, and the process includes:
the first secure virtual machine bridge component sends the first data to a corresponding secure virtual machine to instruct the corresponding secure virtual machine to process the first data, receives the first data sent by the corresponding secure virtual machine, and sends the first data to a second secure virtual machine;
for the ith safety virtual machine bridge component after sequencing, the ith safety virtual machine bridge component receives first data sent by the (i-1) th safety virtual machine bridge component, sends the first data to the corresponding safety virtual machine to indicate the corresponding safety virtual machine to process the first data, and returns the first data to the ith safety virtual machine bridge component, wherein i is a positive integer which is greater than or equal to 2 and less than or equal to N, and a pair of ports which are paired with each other exists on every two adjacent safety virtual machine bridge components after the N safety virtual machine bridge components are sequenced according to a reference sequence.
17. The method of claim 16, wherein the security monitoring bridge module sending the first data sent by the security service node to the first virtual machine bridge according to the flow table comprises:
when the bridge component of the last sequenced secure virtual machine receives the first data sent by the corresponding secure virtual machine, sending the first data through a fourth port;
the first virtual machine bridge receives the first data through a second port, and the second port and a fourth port on the last sequenced secure virtual machine bridge component are a pair of ports paired with each other.
18. The method of any of claims 12 to 17, further comprising:
the virtual switch receives second data sent by a second virtual machine aiming at the first data;
the virtual switch forwards the second data to a security service node according to the flow table so as to instruct the security service node to process the second data;
and when the virtual switch receives second data sent by the security service node, sending the second data to the first virtual machine according to the flow table.
19. The method of claim 18, wherein the virtual switch comprises a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module, and an integration bridge;
the virtual switch receives second data sent by a second virtual machine for the first data, and the method comprises the following steps:
the second virtual machine bridge receives second data sent by the second virtual machine;
correspondingly, the virtual switch forwards the second data to a security service node according to the flow table to instruct the security service node to process the second data, including:
the second virtual machine bridge sending the second data to an integrated bridge in the virtual switch according to the flow table;
when receiving the second data, the integrated bridge sends the second data to the first virtual machine bridge according to the flow table;
when the first virtual machine bridge receives the second data sent by the integrated bridge, the second data is sent to the safety monitoring bridge module according to the flow table;
the security monitoring bridge module forwards the received second data to the security service node according to the flow table so as to indicate the security service node to process the second data;
correspondingly, when the virtual switch receives second data sent by the security service node, sending the second data to the first virtual machine according to the flow table includes:
the security monitoring bridge module sends second data sent by the security service node to the first virtual machine bridge according to the flow table;
and when the first virtual machine bridge receives the second data sent by the security monitoring bridge module, sending the second data to the first virtual machine according to the flow table.
20. The method of claim 19, wherein the security service node comprises a first secure virtual machine, and wherein the security monitoring bridge module comprises a first secure virtual machine bridge element;
when the first virtual machine bridge receives the second data sent by the integrated bridge, the first virtual machine bridge sends the second data to the security monitoring bridge module according to the flow table, and the method comprises the following steps:
when the first virtual machine bridge receives the second data sent by the integrated bridge, the first virtual machine bridge sends the second data through a second port;
and the first secure virtual machine bridge component receives the second data through a fourth port, and the second port and the fourth port on the first secure virtual machine bridge component are a pair of ports which are paired with each other.
21. The method of claim 20, wherein the security monitoring bridge module sending second data sent by the security service node to the first virtual machine bridge according to the flow table comprises:
when the first secure virtual machine bridge element receives the second data sent by the first secure virtual machine, sending the second data through a third port in the first secure virtual machine bridge element;
the first virtual machine bridge receives the second data through a first port.
22. The method of claim 19, wherein the security service node comprises N security virtual machines, wherein the security monitoring bridge module comprises N security virtual machine bridge elements, wherein there is a one-to-one correspondence between the N security virtual machines and the N security virtual machine bridge elements, and wherein N is a positive integer greater than or equal to 2;
when the first virtual machine bridge receives the second data sent by the integrated bridge, the first virtual machine bridge sends the second data to the security monitoring bridge module according to the flow table, and the method comprises the following steps:
when the first virtual machine bridge receives the second data sent by the integrated bridge, the first virtual machine bridge sends the second data through a second port, the last security virtual machine bridge element after the N security virtual machine bridge elements are ordered according to the reference sequence receives the second data through a fourth port, and the second port and the fourth port on the last security virtual machine bridge element after ordering are a pair of ports which are paired with each other;
correspondingly, the security monitoring bridge module forwards the received second data to the security service node according to the flow table to indicate the security service node to process the second data, and the method includes:
the last secure virtual machine bridge component sends the second data to a corresponding secure virtual machine to instruct the corresponding secure virtual machine to process the second data, the second data is returned to the last secure virtual machine bridge component, and the last secure virtual machine bridge component sends the second data to the sequenced penultimate secure virtual machine bridge component;
for the jth security virtual machine bridge element after ordering, the jth security virtual machine bridge element receives second data sent by the (j+1)th security virtual machine bridge element, sends the second data to the corresponding security virtual machine to instruct the corresponding security virtual machine to process the second data, and the second data is returned to the jth security virtual machine bridge element, wherein j is a positive integer greater than or equal to 1 and less than or equal to N-1, and a pair of ports which are paired with each other exists on every two adjacent security virtual machine bridge elements after the N security virtual machine bridge elements are ordered according to a reference sequence.
23. The method of claim 22, wherein the security monitoring bridge module sending second data sent by the security service node to the first virtual machine bridge according to the flow table comprises:
when the sequenced first secure virtual machine bridge component receives the second data sent by the corresponding secure virtual machine, sending the second data through a third port;
the first virtual machine bridge receives the second data through a first port, and the first port and a third port on the first safety virtual machine bridge component after sequencing are a pair of ports which are paired with each other.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910351096.9A CN110213181B (en) 2019-04-28 2019-04-28 Data stream guiding device and data stream guiding method in virtual network
PCT/CN2020/084347 WO2020220977A1 (en) 2019-04-28 2020-04-11 Data flow guiding apparatus and data flow guiding method in virtual network

Publications (2)

Publication Number Publication Date
CN110213181A CN110213181A (en) 2019-09-06
CN110213181B CN110213181B (en) 2021-01-29
CN105530259B (en) * 2015-12-22 2019-01-18 华为技术有限公司 Message filtering method and equipment
CN107645472A (en) * 2016-07-21 2018-01-30 由国峰 A kind of virtual machine traffic detecting system based on OpenFlow
US10778722B2 (en) * 2016-11-08 2020-09-15 Massachusetts Institute Of Technology Dynamic flow system
CN106789542B (en) * 2017-03-03 2019-08-09 清华大学 A kind of implementation method of cloud data center security service chain
CN108471383B (en) * 2018-02-08 2021-02-12 华为技术有限公司 Message forwarding method, device and system
CN110213181B (en) * 2019-04-28 2021-01-29 华为技术有限公司 Data stream guiding device and data stream guiding method in virtual network

Also Published As

Publication number Publication date
CN110213181A (en) 2019-09-06
WO2020220977A1 (en) 2020-11-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220217

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Patentee after: Huawei Cloud Computing Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.