CN112968976A - External network access control system, method, device, equipment and storage medium - Google Patents


Info

Publication number
CN112968976A
Authority
CN (China)
Prior art keywords
extranet, access request, agent node, external network, target
Legal status
Granted
Application number
CN202110351739.7A
Other languages
Chinese (zh)
Other versions
CN112968976B (en)
Inventor
李苗
Current Assignee
Beijing QIYI Century Science and Technology Co Ltd
Original Assignee
Beijing QIYI Century Science and Technology Co Ltd
Events
Application filed by Beijing QIYI Century Science and Technology Co Ltd
Priority to CN202110351739.7A
Publication of CN112968976A
Application granted
Publication of CN112968976B
Current legal status
Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; Virtual machine monitors > G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; Virtual machine monitors > G06F9/45558 Hypervisor-specific management and integration aspects > G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to an extranet access control system, method, apparatus, device and storage medium. The system comprises a network device in which a virtualization module is deployed, and a target proxy node. When the virtualization module accesses the extranet, the network device obtains the indication information of the target proxy node, which proxies the extranet access requests of the virtualization module; the network device sends the extranet access request to the target proxy node according to the indication information; and the target proxy node sends the extranet access request to the extranet through its extranet egress. The method and device address the problem that, when virtual machines and Docker containers access the extranet through the host's single fixed extranet egress, extranet access is inconvenient and may even be impossible.

Description

External network access control system, method, device, equipment and storage medium
Technical Field
The present application relates to the field of computer technology, and in particular to an extranet access control system, method, apparatus, device and storage medium.
Background
With the spread of cloud services, virtual machines and Docker containers are used heavily in development and in business deployment.
At present, extranet access from most virtual machines and Docker containers goes through the extranet egress of the host, so the services running in the virtual machines and Docker containers can only share that one fixed extranet egress.
This limitation makes extranet access from virtual machines and Docker containers inconvenient and may even leave them unable to reach the extranet at all.
Disclosure of Invention
The application provides an extranet access control system, method, apparatus, device and storage medium, which address the problem that, when a virtual machine or Docker container accesses the extranet, it shares the host's single fixed extranet egress, so that extranet access is inconvenient and may even be impossible.
In a first aspect, an extranet access control system is provided, comprising a network device and a target proxy node, wherein a virtualization module is deployed in the network device;
when the virtualization module accesses the extranet, the network device obtains indication information of the target proxy node, the target proxy node being used to proxy the extranet access requests of the virtualization module;
the network device sends an extranet access request to the target proxy node according to the indication information;
and the target proxy node sends the extranet access request to the extranet through an extranet egress.
In a second aspect, an extranet access control method is provided, applied to a network device in which a virtualization module is deployed, the method comprising:
when the virtualization module accesses the extranet, obtaining indication information of a target proxy node, the target proxy node being used to proxy the extranet access requests of the virtualization module;
and sending an extranet access request to the target proxy node according to the indication information, so that the target proxy node sends the extranet access request to the extranet through an extranet egress.
In a third aspect, an extranet access control method is provided, applied to a target proxy node, the method comprising:
receiving an extranet access request from the network device, the extranet access request being one that the network device sends according to the indication information of the target proxy node when a virtualization module deployed in the network device accesses the extranet;
and sending the extranet access request to the extranet through an extranet egress.
In a fourth aspect, an extranet access control method is provided, applied to a load balancer, the method comprising:
receiving an extranet access request sent by a network device, the extranet access request being sent, based on indication information of a target proxy node, when a virtualization module deployed in the network device accesses the extranet;
determining the target proxy node corresponding to the extranet access request based on second identification information, wherein the second identification information comprises at least one of a virtual network address or a virtual port number of the load balancer;
and sending the extranet access request to the target proxy node, so that the target proxy node sends it to the extranet through an extranet egress.
In a fifth aspect, an extranet access control apparatus is provided, applied to a network device in which a virtualization module is deployed, the apparatus comprising:
an obtaining module, configured to obtain indication information of a target proxy node when the virtualization module accesses the extranet, the target proxy node being used to proxy the extranet access requests of the virtualization module;
and a transmission module, configured to send an extranet access request to the target proxy node according to the indication information, so that the target proxy node sends the extranet access request to the extranet through an extranet egress.
In a sixth aspect, an extranet access control apparatus is provided, applied to a target proxy node, the apparatus comprising:
a receiving module, configured to receive an extranet access request from the network device, the extranet access request being one that the network device sends according to the indication information of the target proxy node when a virtualization module deployed in the network device accesses the extranet;
and a sending module, configured to send the extranet access request to the extranet through an extranet egress.
In a seventh aspect, an extranet access control apparatus is provided, applied to a load balancer, the apparatus comprising:
a receiving module, configured to receive an extranet access request sent by a network device, the extranet access request being sent when a virtualization module deployed in the network device accesses the extranet;
a processing module, configured to determine the target proxy node corresponding to the extranet access request based on second identification information, wherein the second identification information comprises at least one of a virtual network address or a virtual port number of the load balancer;
and a sending module, configured to send the extranet access request to the target proxy node, so that the target proxy node sends it to the extranet through an extranet egress.
In an eighth aspect, a device is provided, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is for storing a computer program;
and the processor is configured to execute the program stored in the memory so as to implement the extranet access control method of the second aspect, the third aspect or the fourth aspect.
A ninth aspect provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the extranet access control method of the second aspect, the third aspect or the fourth aspect.
Compared with the prior art, the technical solution of the embodiments has the following advantage. When the virtualization module accesses the extranet, the network device obtains the indication information of the target proxy node corresponding to the virtualization module and sends the extranet access request to that node according to the indication information; the target proxy node then sends the request to the extranet through its own extranet egress. The virtualization module therefore does not occupy the extranet interface of the network device when it accesses the extranet, which removes the inconvenience, and in some cases the outright inability to reach the extranet, that arises when every virtualization module and the network device share one extranet interface.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
Fig. 1 is a first schematic diagram of the architecture of an extranet access control system according to an embodiment of the present application;
fig. 2 is a second schematic diagram of the architecture of an extranet access control system according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a network device performing extranet access control in an embodiment of the present application;
fig. 4 is a schematic flowchart illustrating a process of performing extranet access control by a target proxy node in the embodiment of the present application;
fig. 5 is a schematic flowchart of external network access control performed by the load balancer in the embodiment of the present application;
FIG. 6 is a schematic diagram of an exemplary system architecture in an embodiment of the present application;
fig. 7 is a schematic structural diagram of an extranet access control apparatus for a network device in an embodiment of the present application;
fig. 8 is a schematic structural diagram of an extranet access control apparatus for a target proxy node in an embodiment of the present application;
fig. 9 is a schematic structural diagram of an extranet access control apparatus for a load balancer in an embodiment of the present application;
fig. 10 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the drawings.
In a first embodiment, an extranet access control system is provided. As shown in fig. 1, the system mainly comprises a network device 10 and a target proxy node 11, and a virtualization module is deployed in the network device 10.
When a virtualization module deployed in the network device 10 accesses the extranet, the network device 10 obtains indication information of the target proxy node 11; the target proxy node 11 is used to proxy the extranet access requests of the virtualization module;
the network device 10 sends an extranet access request to the target proxy node 11 according to the indication information;
and the target proxy node 11 sends the extranet access request to the extranet through its extranet egress.
The network device 10 and the target proxy node 11 establish a communication connection between them; this connection does not go through the extranet interface of the network device 10, so the extranet interface of the host device is not occupied. For example, the network device 10 and the target proxy node 11 may communicate over an internal network, whether established over a cable or by near-field communication or the like.
In this system, when the virtualization module accesses the extranet, the network device obtains the indication information of the target proxy node corresponding to the virtualization module and sends the extranet access request to that node according to the indication information, and the target proxy node sends the request to the extranet through its extranet egress. The virtualization module therefore does not occupy the extranet interface of the network device, which avoids the inconvenience, or outright inability, of extranet access that arises when every virtualization module shares the extranet interface with the network device. Because the network device sends the extranet access request directly to the target proxy node named by the indication information, and the request leaves through that node's extranet egress, extranet access by the virtualization module is automated and the time cost of sharing the egress with the network device is reduced.
In a specific embodiment, at least one virtualization module is deployed in the network device 10; a virtualization module is at least one of a virtual machine (VM) or a virtualization container.
The type of virtualization container includes, but is not limited to, a Docker container, a Pod, and so on.
The network device is a device on which virtualization modules such as virtual machines and containers run; it is also called the host or host device, and may be a terminal or a server. Its specific type is not limited here.
In one embodiment, the target proxy node is a device that provides an extranet egress, and may be a terminal or a server.
For example, the target proxy node may be an Nginx server. Compiling a module that supports proxy configuration, such as the module named ngx_http_proxy_connect_module, into the Nginx server enables it to serve as the target proxy node.
It should be understood that the Nginx server is only an example; it does not mean that an Nginx server must be used as the target proxy node. Other devices, such as any server that has extranet access capability and can be configured to provide a proxy service, fall within the scope of the present application.
In a specific embodiment, the network device 10 obtains the indication information of the target proxy node 11 as follows:
the network device 10 reads a configuration file that contains custom environment variables; the custom environment variables indicate a first correspondence between the virtualization module and proxy nodes. Based on the custom environment variables, the network device 10 determines the proxy node set corresponding to the virtualization module, determines the target proxy node 11 within that set, and obtains the indication information of the target proxy node 11.
Because the proxy node set corresponding to the virtualization module is configured in the configuration file, the network device can determine the proxy node for the virtualization module directly from that file. This is simple to implement, and the proxy node assigned to a virtualization module can be changed by editing the configuration file, which gives direct operational control over extranet access.
The proxy node set comprises at least one proxy node. Selecting the target proxy node from a set, rather than configuring a single proxy node, gives the virtualization module several configurable proxy nodes, avoids making extranet access performance depend entirely on one node, widens the choice of proxy nodes, and so safeguards extranet access performance.
The indication information of the target proxy node can be configured for a virtualization module according to the extranet identifier it needs to reach, where the extranet identifier names the operator (carrier) network that must be accessed.
When the network device 10 runs a Linux system, the custom environment variables in the configuration file include at least one of the following:
the http_proxy variable, which sets the address of the proxy server used for the http protocol;
the https_proxy variable, which sets the address of the proxy server used for the https protocol;
the no_proxy variable, which sets the addresses for which no proxy is used.
The network device configures the indication information of the target proxy node by setting these Linux environment variables in the configuration file. For example, the proxy variables of a virtual machine or Docker container can be configured directly in /etc/profile of the Linux system, and the proxy configuration is changed by editing the export command that sets the variable.
That is, the http_proxy variable of the virtualization module is configured in /etc/profile, setting the proxy server address used for the http protocol, so that when the virtualization module needs to access the extranet it sends the extranet access request to the proxy server at that address. When the proxy server address must be changed, the export command for http_proxy in /etc/profile is modified.
Alternatively, the https_proxy variable of the virtualization module is configured in /etc/profile, setting the proxy server address used for the https protocol, so that an extranet access request over https is sent to the proxy server at that address; when the address must be changed, the export command for https_proxy in /etc/profile is modified.
Alternatively, the no_proxy variable of the virtualization module is configured in /etc/profile, setting the addresses for which the virtualization module does not use the proxy server at all.
Through custom environment variables in /etc/profile, therefore, it can be set per virtualization module whether a proxy server is used at all and which proxy server the http or https protocol uses, giving customised, per-module proxy configuration.
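To make the variable semantics concrete, the following Python is an added example, not part of the patent, that parses a constructed /etc/profile fragment of the kind described above and resolves, for a given URL, which proxy server the request should go to; the addresses and domain names in the fragment are assumed. Two practical caveats apply when relying on this mechanism: /etc/profile is read by login shells only, so a service launched by an init system or a container entrypoint may never see the variables; and clients differ in whether they honour the lower-case or upper-case names and in how they match no_proxy, so the resolution below should be checked against the actual client.

```python
"""Resolve the proxy for a URL from http_proxy / https_proxy / no_proxy.

Added example, not code from the patent.  The /etc/profile fragment and the
addresses in it are constructed for illustration; the no_proxy matching below
follows the common exact-host / domain-suffix convention, not any one tool.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed /etc/profile fragment of the kind the text describes (assumed values).
PROFILE_FRAGMENT = """\
# proxy settings for the virtualization module (constructed example)
export http_proxy=http://10.0.0.21:3128
export https_proxy="http://10.0.0.22:3128"
export no_proxy=localhost,127.0.0.1,.internal.example
"""


def parse_profile_exports(text: str) -> Dict[str, str]:
    """Collect NAME=VALUE pairs from `export NAME=VALUE` lines, dropping quotes."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("export "):
            continue
        name, sep, value = line[len("export "):].partition("=")
        if sep:
            env[name.strip()] = value.strip().strip("\"'")
    return env


def _bypasses(host: str, entry: str) -> bool:
    """One no_proxy entry matches the host exactly or as a domain suffix.
    A leading dot is ignored, so '.internal.example' and 'internal.example'
    behave alike; 'notinternal.example' matches neither."""
    entry = entry.strip().lower()
    if not entry:
        return False
    if entry == "*":
        return True
    if entry.count(":") == 1:        # strip an optional :port (IPv6 literals not handled here)
        entry = entry.split(":", 1)[0]
    entry = entry.lstrip(".")
    return host == entry or host.endswith("." + entry)


def select_proxy(url: str, env: Dict[str, str]) -> Optional[str]:
    """Return the proxy URL the request should go to, or None for a direct connection.

    no_proxy wins over the per-scheme proxy variable; a scheme with no matching
    variable (e.g. ftp when only http_proxy/https_proxy are set) goes direct."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    no_proxy = env.get("no_proxy", env.get("NO_PROXY", ""))
    if any(_bypasses(host, e) for e in no_proxy.split(",")):
        return None
    for name in (scheme + "_proxy", scheme.upper() + "_PROXY"):
        if env.get(name):
            return env[name]
    return None


if __name__ == "__main__":
    env = parse_profile_exports(PROFILE_FRAGMENT)
    for target in ("http://example.com/", "https://example.com/",
                   "https://api.internal.example/", "http://notinternal.example/"):
        print(target, "->", select_proxy(target, env) or "DIRECT")
```

The last two sample targets show the suffix rule at work: `api.internal.example` bypasses the proxy, while `notinternal.example` does not, because the match is on a whole label boundary.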
For a network device that uses Kubernetes (also called k8s), all containers run inside Pods; a Pod carries one or more related containers, and the containers of one Pod are deployed on the same physical machine and can share resources. The environment variables in the Pod's YAML manifest may be set or modified when the Pod is started or running, specifically through the spec, containers and env fields of the manifest. spec holds the detailed definition of the containers in the Pod; containers is the list of containers in the Pod, with at least one entry; env is the list of environment variables to be set before the Pod runs. The container's environment variable list is reached through these three fields, and the variables in that list are configured there.
When the Pods are deployed through a Deployment, an automatic fill function for container environment variables is added to the ingress-controller component: the ingress-controller watches for Pod changes under a given Service and writes the changed Pod's environment variables back according to a preset environment-variable configuration rule, so that the environment variables of the containers that changed in the Pod are filled in automatically. The rule sets, for a newly added container in the Pod, for example, the proxy server address used for the http protocol, the proxy server address used for the https protocol, or the addresses for which no proxy server is used.
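As an added illustration of such a rule, not code from the patent or from any ingress controller, the Python below takes a Pod manifest in the dict form that yaml.safe_load returns and back-fills the proxy variables into every container that does not already set them; the Pod, its images and the proxy addresses are constructed. Two things to keep in mind: a proxy URL carrying credentials written into env this way is visible to anyone who can read the Pod object, and a no_proxy entry for the cluster-internal suffixes is needed, or in-cluster traffic to Services will be sent to the proxy as well.

```python
"""Back-fill proxy environment variables into every container of a Pod manifest.

Added example, not code from the patent or from any ingress controller.  The
Pod below is a constructed manifest in the dict form yaml.safe_load would
return; the rule values are assumed.  The patent describes the auto-fill only
as a rule applied by the ingress-controller component; this is one concrete
reading of it.
"""
from copy import deepcopy
from typing import Dict, List

# Constructed Pod manifest (assumed names and images).
SAMPLE_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-0", "labels": {"app": "web"}},
    "spec": {
        "containers": [
            {"name": "web", "image": "example/web:1.0",
             "env": [{"name": "LOG_LEVEL", "value": "info"}]},
            {"name": "sidecar", "image": "example/sidecar:1.0"},   # no env list yet
        ]
    },
}

# Assumed environment-variable configuration rule: proxies for http and https,
# and the cluster-internal suffixes that must never be sent to the proxy.
PROXY_RULE: Dict[str, str] = {
    "http_proxy": "http://10.0.0.21:3128",
    "https_proxy": "http://10.0.0.22:3128",
    "no_proxy": "localhost,127.0.0.1,.svc,.cluster.local",
}


def fill_proxy_env(pod: Dict, rule: Dict[str, str]) -> Dict:
    """Return a copy of `pod` in which each container under spec.containers
    carries every variable in `rule`.  A variable a container already sets is
    left as it is, so a deliberate per-container override survives the back-fill."""
    out = deepcopy(pod)
    for container in out["spec"]["containers"]:
        env: List[Dict[str, str]] = container.setdefault("env", [])
        present = {item["name"] for item in env}
        for name, value in rule.items():
            if name not in present:
                env.append({"name": name, "value": value})
    return out


def env_of(pod: Dict, container_name: str) -> Dict[str, str]:
    """Flatten one container's env list into a name -> value mapping."""
    for container in pod["spec"]["containers"]:
        if container["name"] == container_name:
            return {item["name"]: item.get("value", "") for item in container.get("env", [])}
    raise KeyError(container_name)


if __name__ == "__main__":
    filled = fill_proxy_env(SAMPLE_POD, PROXY_RULE)
    for c in filled["spec"]["containers"]:
        print(c["name"], env_of(filled, c["name"]))
```

Because the function returns a copy, the watched object is not mutated in place; a real controller would submit the result as a patch and would usually emit both lower-case and upper-case variable names, since clients differ in which they read.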
In the first correspondence, the virtualization module and the proxy node may be in a one-to-one relationship, in which case the proxy node corresponding to the virtualization module is taken directly as the target proxy node. Alternatively, the first correspondence may be one-to-many, that is, several candidate proxy nodes are configured in advance for one virtualization module, and the target proxy node must then be chosen from among them.
In a specific embodiment, when the virtualization module has been configured in advance with the indication information of several candidate proxy nodes, the network device selects the indication information of the target proxy node from among them according to a set rule.
The set rule may include, but is not limited to, any of the following:
a random selection rule: one of the pre-configured candidate proxy nodes is chosen at random as the target proxy node;
a round-robin rule: given a preset order of the candidate proxy nodes and the candidate most recently selected, the candidate that follows the most recently selected one in that order becomes the target proxy node;
a least-connections rule: the number of connections to each pre-configured candidate proxy node is recorded, and the candidate with the fewest connections is chosen as the target proxy node.
By selecting the target proxy node from the candidates according to a set rule, the network device achieves load balancing on its own side and avoids the situation in which an unevenly loaded, overburdened target proxy node makes extranet access slow.
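The three rules as an added Python example, not the patent's code; the node names are assumed. Note that a connection count kept on the network device reflects only that host's own requests, not the proxy node's total load, which is the limitation the load balancer variant later in the text addresses.

```python
"""Select a target proxy node from pre-configured candidates.

Added example, not code from the patent.  It implements the three selection
rules the text lists (random, round-robin, least connections); the node names
are assumed.
"""
import random
from typing import Dict, List, Optional


class ProxySelector:
    def __init__(self, candidates: List[str], seed: Optional[int] = None):
        if not candidates:
            raise ValueError("at least one candidate proxy node is required")
        self.candidates: List[str] = list(candidates)   # preset order used by round-robin
        self._rng = random.Random(seed)
        self._last = -1                                   # index of the most recently chosen node
        self.connections: Dict[str, int] = {c: 0 for c in self.candidates}

    def pick(self, strategy: str) -> str:
        """Choose a node and count the new request against it."""
        n = len(self.candidates)
        if strategy == "random":
            idx = self._rng.randrange(n)
        elif strategy == "round_robin":
            idx = (self._last + 1) % n       # the node after the last one chosen, wrapping around
        elif strategy == "least_connections":
            # lowest recorded connection count; ties go to the earlier node in the preset order
            idx = min(range(n), key=lambda i: (self.connections[self.candidates[i]], i))
        else:
            raise ValueError("unknown strategy: " + strategy)
        self._last = idx
        node = self.candidates[idx]
        self.connections[node] += 1
        return node

    def release(self, node: str) -> None:
        """Call when the request proxied through `node` has finished."""
        if self.connections[node] <= 0:
            raise ValueError("no open connection recorded for " + node)
        self.connections[node] -= 1


if __name__ == "__main__":
    sel = ProxySelector(["proxy-a", "proxy-b", "proxy-c"], seed=1)
    print([sel.pick("round_robin") for _ in range(4)])
```

The `release` call is what makes the least-connections rule meaningful: without it the counter only grows and the rule degenerates into round-robin.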
In a specific embodiment, before the target proxy node 11 sends the extranet access request to the extranet through its extranet egress, it obtains the network address of the virtualization module carried in the extranet access request and verifies the virtualization module's extranet access permission against access control information and that network address. Only when the virtualization module has permission to access the extranet does the target proxy node 11 send the request out through the extranet egress. The access control information thus controls extranet access permission, raises the security of extranet access, and blocks non-compliant extranet access promptly.
The access control information mainly consists of the network addresses that are allowed access. It may be a list of each allowed network address, or it may consist of rules that an allowed network address must satisfy.
The target proxy node extracts the network address of the virtualization module from the extranet access request and checks whether it matches a network address defined by the access control information. If it does, the request is sent to the extranet through the extranet egress; otherwise the target proxy node refuses to send it.
When the target proxy node is an Nginx server, the access control information may be an Access Control List (ACL) configured under a location directive in the Nginx configuration. The Nginx server obtains the network address of the virtualization module carried in the extranet access request and checks whether it satisfies the ACL; if so, extranet access is allowed, otherwise it is refused.
For a network device that uses Kubernetes (also called k8s) and deploys Pods through a Deployment, an ACL auto-generation rule is added to the ingress-controller component: the ingress-controller watches for Pod changes under a given Service, generates an ACL for the changed Pods according to the pre-configured auto-generation rule, and pushes the generated ACL to the target proxy node, i.e. the Nginx server, which then performs access control according to that ACL. Access control is thereby automated. A Pod change may alter the network address data of the virtualization modules that need to access the extranet; in k8s, extranet access is organised by Service, each Service may have several Pods, and any change to a Pod causes the ACL to be regenerated.
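An added Python example, not code from the patent or from Nginx, of the two pieces this embodiment describes: building the ACL from the Pods behind a Service, and checking a request's source address against it on the proxy node. The Pod objects are a constructed subset of what the Kubernetes API returns and all addresses are assumed. The address checked must be the peer address of the proxy connection, which is what Nginx exposes as $remote_addr; a header the requester can set itself, such as X-Forwarded-For, is not a trustworthy source for this check.

```python
"""Proxy-side extranet access check against an ACL, plus ACL generation from
the Pods behind a Kubernetes Service.

Added example, not code from the patent or from Nginx.  The Pod objects are a
constructed subset of what the Kubernetes API returns; addresses are assumed.
ACL entries may be single addresses or CIDR rules, matching the text's "list"
or "rules" reading of the access control information.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ProxyAcl:
    def __init__(self, entries: Iterable[str]):
        # strict=False lets a plain host address stand for its /32 (or /128) network
        self.networks: List[Network] = [ipaddress.ip_network(e, strict=False) for e in entries]

    def allows(self, client_ip: str) -> bool:
        """True when the connection's peer address falls inside an allowed entry."""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False                       # unparsable address: deny, never guess
        return any(addr in net for net in self.networks)


def acl_from_pods(pods: Iterable[Dict]) -> List[str]:
    """One ACL entry per Running Pod that has been assigned an IP.  Run again on
    every Pod change under the Service, since a freed Pod IP can be reused by
    an unrelated Pod."""
    entries = set()
    for pod in pods:
        status = pod.get("status", {})
        if status.get("phase") == "Running" and status.get("podIP"):
            entries.add(status["podIP"])
    return sorted(entries)


def decide(acl: ProxyAcl, peer_ip: str) -> str:
    """'forward' sends the request out through the extranet egress; 'deny' drops it."""
    return "forward" if acl.allows(peer_ip) else "deny"


# Constructed Pod list (assumed names and addresses): two Running, one Pending
# without an IP, one Failed whose old IP must not stay allowed.
SAMPLE_PODS: List[Dict] = [
    {"metadata": {"name": "web-0"}, "status": {"phase": "Running", "podIP": "10.244.1.5"}},
    {"metadata": {"name": "web-1"}, "status": {"phase": "Running", "podIP": "10.244.2.7"}},
    {"metadata": {"name": "web-2"}, "status": {"phase": "Pending"}},
    {"metadata": {"name": "web-old"}, "status": {"phase": "Failed", "podIP": "10.244.3.9"}},
]


if __name__ == "__main__":
    acl = ProxyAcl(acl_from_pods(SAMPLE_PODS))
    for ip in ("10.244.1.5", "10.244.3.9", "garbage"):
        print(ip, decide(acl, ip))
```

Regenerating the whole list on each change, rather than appending, is what keeps the Failed Pod's address out of the ACL; the same discipline is needed when the list is rendered into Nginx allow/deny directives and reloaded.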
In a specific embodiment, the way in which the network device 10 sends the extranet access request to the target proxy node 11 according to the indication information depends on the form of that indication information. Three cases are described below.
First, the indication information of the target proxy node 11 is first identification information, which includes at least one of a network address or a port number of the target proxy node 11.
Specifically, the network device 10 sends the extranet access request directly to the target proxy node 11 indicated by the indication information.
In this mode the network device sends the extranet access request straight to the target proxy node, so no route configuration is needed and the resources and time it would consume are saved; the extranet access process is streamlined, and the virtualization module can use a fixed target proxy node as its extranet egress, which keeps its extranet access performance stable.
Second, as shown in fig. 2, the system further includes a load balancer 21.
The indication information of the target proxy node 11 includes second identification information, which includes at least one of a virtual network address (VIP, virtual IP address) or a virtual port number of the load balancer 21.
Specifically, the network device 10 sending the extranet access request to the target proxy node 11 according to the indication information includes: the network device 10 sends the extranet access request to the load balancer 21 according to the second identification information; the load balancer 21 determines the target proxy node 11 corresponding to the extranet access request based on the second identification information; and the load balancer 21 sends the extranet access request to the target proxy node 11.
The load balancer 21 determining the target proxy node 11 corresponding to the extranet access request based on the second identification information includes:
the load balancer 21 determines the candidate proxy node cluster corresponding to the second identification information based on a preset second correspondence; the load balancer 21 then determines the target proxy node 11 corresponding to the extranet access request based on the load indication parameters of the candidate proxy nodes in that cluster.
The second correspondence indicates the mapping between second identification information and candidate proxy node clusters. Specifically, a group of second identification information, containing at least one piece of second identification information, maps to the same candidate proxy node cluster.
One candidate proxy node cluster contains at least one candidate proxy node. The load balancer looks up the candidate proxy node cluster corresponding to the second identification information according to the second correspondence and selects one candidate proxy node from that cluster as the target proxy node.
The load indication parameter may include, but is not limited to, at least one of: the number of times the candidate proxy node has been selected, the network status of the candidate proxy node, or the number of connections currently established by the candidate proxy node.
The load balancer 21 determining the target proxy node 11 corresponding to the extranet access request based on the load indication parameters includes:
the load balancer 21 applies a load balancing principle to the load indication parameters of the candidate proxy nodes in the cluster to determine the target proxy node 11 corresponding to the extranet access request;
the load balancing principle is any one of the following:
random selection, i.e. one candidate proxy node is chosen at random from the candidate proxy node cluster as the target proxy node;
round-robin selection, i.e. according to the ordering of the candidate proxy nodes in the cluster and the candidate proxy node selected last time, the next candidate proxy node in that ordering is chosen as the target proxy node;
least-connections selection, i.e. according to the number of connections of each candidate proxy node in the cluster, the candidate proxy node with the fewest connections is chosen as the target proxy node.
The load balancer stores a plurality of second identification information in advance, which may be grouped by service type; when configuring a virtualization module, the network device assigns it second identification information according to the service type of the module. After receiving an extranet access request that the network device sent according to the second identification information, the load balancer obtains the service type mapped to by that second identification information and can therefore monitor the traffic of each service type by its second identification information.
In this mode the load balancer balances the extranet access of the network device across proxy nodes, which avoids concentrating extranet access on one target proxy node, overloading it and degrading extranet access, and so improves extranet access performance.
Third, as shown in fig. 2, the system further includes a load balancer 21.
The indication information of the target proxy node 11 includes third identification information, which includes address information of the virtualization module.
The network device 10 sending the extranet access request to the target proxy node 11 according to the indication information includes:
the network device 10 sends the extranet access request to the load balancer 21, the request carrying the third identification information;
the load balancer 21 determines second identification information based on the third identification information, the second identification information including at least one of a virtual network address or a virtual port number of the load balancer;
the load balancer 21 determines the target proxy node 11 corresponding to the extranet access request based on the second identification information;
the load balancer 21 sends the extranet access request to the target proxy node 11.
Here the load balancer 21 stores the mapping between third identification information and second identification information: when second identification information is configured for a virtualization module on the network device 10, the load balancer 21 also records the mapping between that second identification information and the module's third identification information. After receiving the extranet access request from the network device 10, the load balancer 21 extracts the third identification information carried in the request, looks up the corresponding second identification information through the mapping, and thereby obtains the target proxy node 11 indicated by that second identification information.
The second identification information also indicates the service type of the extranet access request, so the load balancer can monitor the traffic of each service type by its second identification information.
The load balancer 21 determining the target proxy node 11 corresponding to the extranet access request based on the second identification information includes:
the load balancer 21 determines the candidate proxy node cluster corresponding to the second identification information based on the preset second correspondence;
the load balancer 21 determines the target proxy node 11 corresponding to the extranet access request based on the load indication parameters of the candidate proxy nodes in that cluster.
The load indication parameter includes, but is not limited to, at least one of: the number of times the candidate proxy node has been selected, the network status of the candidate proxy node, or the number of connections currently established by the candidate proxy node.
The load balancer 21 determining the target proxy node 11 corresponding to the extranet access request based on the load indication parameters includes:
the load balancer 21 applies a load balancing principle to the load indication parameters of the candidate proxy nodes in the cluster to determine the target proxy node 11 corresponding to the extranet access request;
the load balancing principle is any one of the following:
random selection, i.e. one candidate proxy node is chosen at random from the candidate proxy node cluster as the target proxy node;
round-robin selection, i.e. according to the ordering of the candidate proxy nodes in the cluster and the candidate proxy node selected last time, the next candidate proxy node in that ordering is chosen as the target proxy node;
least-connections selection, i.e. according to the number of connections of each candidate proxy node in the cluster, the candidate proxy node with the fewest connections is chosen as the target proxy node.
The load balancer may hold several candidate proxy node clusters at the same time, and the clusters may be partitioned by various rules. The partition rule is not limited here; partitioning by the extranet each cluster serves is one implementation.
For example, when the clusters are partitioned by the extranet served, any two candidate proxy node clusters have different extranet identities, and any two candidate proxy nodes belonging to the same candidate proxy node cluster have the same extranet identity.
An extranet identity denotes the extranet egress of one class of operator. To meet the extranet access needs of different virtualization modules, candidate proxy node clusters are configured separately to proxy the extranet egresses of different operators; that is, several proxy node clusters are set up, each corresponding to the extranet egress of a different operator, for example at least one proxy node cluster for the egress of operator A, at least one for operator B and at least one for operator C.
Correspondingly, a set of second identification information can be configured for each operator network. On the network device side, one piece of second identification information is chosen from the set belonging to the operator network that the virtualization module needs to adapt to, and is configured into the virtualization module.
When the operator network that the virtualization module must adapt to changes from a first operator network to a second operator network, a new piece of second identification information is chosen from the set corresponding to the second operator network, and the environment parameters of the virtualization module are modified according to it to reconfigure the second identification information of the virtualization module.
Based on the system architecture above, the extranet access control method provided by the embodiments of the present application is now described from the perspective of the network device, the target proxy node and the load balancer in turn.
In the second embodiment of the present application, as shown in fig. 3, the network device performs extranet access control as follows:
step 301, when a virtualization module accesses the extranet, obtain the indication information of the target proxy node, the target proxy node being the node that proxies the extranet access request of the virtualization module;
step 302, send the extranet access request to the target proxy node according to the indication information, so that the target proxy node forwards the extranet access request to the extranet through the extranet egress.
In a specific embodiment, obtaining the indication information of the target proxy node includes:
reading a configuration file that contains a custom environment variable, the custom environment variable indicating a first correspondence between the virtualization module and proxy nodes;
determining the proxy node set corresponding to the virtualization module based on the custom environment variable;
determining the target proxy node within that proxy node set and obtaining the indication information of the target proxy node.
Specifically, the custom environment variables include at least one of:
the http_proxy variable;
the https_proxy variable;
the no_proxy variable.
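The custom environment variables just listed are the first correspondence in practice: whichever proxy node http_proxy and https_proxy name is the target proxy node, and no_proxy lists the destinations that bypass it. The following is an added example, not code from the patent or its assignee, that reads such a configuration file and derives the first identification information (proxy host and port) for a given URL. The file contents are constructed, and the matching semantics (scheme-specific proxy variable, suffix and CIDR entries in no_proxy, `*` meaning everything) follow the common curl-style convention rather than anything the patent specifies.

```python
"""Added example, not code from the patent or its assignee: read the
http_proxy / https_proxy / no_proxy variables from an env-style configuration
file and derive the first identification information (proxy host and port)
for a URL. File contents are constructed; matching semantics follow the
common curl-style convention, which the patent itself does not specify."""
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: proxy settings injected into a VM or container.
SAMPLE_CONFIG = """
# proxy settings for this virtualization module (constructed)
http_proxy=http://192.0.2.11:3128
https_proxy=http://192.0.2.11:3128
no_proxy=localhost,127.0.0.1,.corp.example,10.0.0.0/8
"""


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; comments and blank lines are skipped and keys are
    lower-cased so HTTP_PROXY and http_proxy are treated alike."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip().lower()] = value.strip().strip("\"'")
    return env


def _host_bypasses(host: str, no_proxy: str) -> bool:
    """True when host matches a no_proxy entry: '*' matches everything, a CIDR
    entry matches a literal IP host, and any other entry matches the domain
    itself and its subdomains (a leading '.' is accepted and ignored)."""
    host = host.lower().rstrip(".")
    for entry in (e.strip().lower() for e in no_proxy.split(",") if e.strip()):
        if entry == "*":
            return True
        if "/" in entry:
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass                     # host is not a literal IP, or entry is malformed
            continue
        suffix = entry.lstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def proxy_for(url: str, env: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the target proxy node for url, or None when the
    destination is excluded by no_proxy or no proxy is set for its scheme."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"URL without a host: {url!r}")
    if _host_bypasses(parts.hostname, env.get("no_proxy", "")):
        return None
    proxy_url = env.get(f"{parts.scheme.lower()}_proxy")
    if not proxy_url:
        return None
    proxy = urlsplit(proxy_url)
    if not proxy.hostname:
        raise ValueError(f"malformed proxy URL: {proxy_url!r}")
    return proxy.hostname, proxy.port or (443 if proxy.scheme == "https" else 80)


if __name__ == "__main__":
    env = parse_env_file(SAMPLE_CONFIG)
    for target in ("http://example.com/", "https://intranet.corp.example/", "http://10.1.2.3/"):
        print(target, "->", proxy_for(target, env))
```

The security-relevant variable is no_proxy: every destination it matches leaves the virtualization module without passing the target proxy node, so the ACL enforced there never sees that traffic. An entry of `*` silently widens the set of destinations that escape control, and implementations differ in whether a bare entry matches only the domain and its subdomains (as this example does) or any host ending in that string. The environment-variable convention is also honoured only by applications that choose to; if the network device's own egress is not blocked for the module, a process that ignores http_proxy reaches the extranet directly. The variables are therefore a routing aid, and the enforcement point remains the proxy node's ACL together with the device's egress policy.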
In a specific embodiment, obtaining the indication information of the target proxy node includes:
when the virtualization module is preconfigured with the indication information of several candidate proxy nodes, selecting the indication information of the target proxy node from among them according to a set selection principle;
the set selection principle is any one of the following:
random selection;
round-robin allocation;
least-connections allocation.
In a specific embodiment, sending the extranet access request to the target proxy node according to the indication information, so that the target proxy node forwards it to the extranet through the extranet egress, includes one of the following:
the indication information is first identification information, which includes at least one of a network address or a port number of the target proxy node;
the extranet access request is sent to the target proxy node according to the first identification information, so that the target proxy node forwards it to the extranet through the extranet egress;
or
the indication information of the target proxy node includes second identification information, which includes at least one of a virtual network address or a virtual port number of the load balancer;
the extranet access request is sent to the load balancer according to the second identification information, so that the load balancer determines the target proxy node corresponding to the request based on the second identification information and sends the request to that target proxy node;
or
the indication information of the target proxy node includes third identification information, which includes address information of the virtualization module;
the extranet access request, carrying the third identification information, is sent to the load balancer,
so that the load balancer determines second identification information from the third identification information, the second identification information including at least one of a virtual network address or a virtual port number of the load balancer, determines the target proxy node corresponding to the request based on the second identification information, and sends the request to that target proxy node.
For the parts of this embodiment not described in full, reference is made to the foregoing description of the network device; that description is not repeated here.
In a third embodiment of the present application, as shown in fig. 4, the method by which the target proxy node performs extranet access control mainly includes:
step 401, receiving an extranet access request from the network device, the extranet access request being the request that the network device sends according to the indication information of the target proxy node when a virtualization module deployed in the network device accesses the extranet;
step 402, sending the extranet access request to the extranet through the extranet egress.
The target proxy node may receive the extranet access request directly from the network device, or receive it from the network device by way of the load balancer.
In a specific embodiment, the target proxy node obtains the network address of the virtualization module carried in the extranet access request, verifies the extranet access right of the virtualization module based on the access control information and that network address, and executes the step of sending the extranet access request to the extranet through the extranet egress only when the virtualization module has the extranet access right.
For the parts of this embodiment not described in full, reference is made to the foregoing description of the target proxy node; that description is not repeated here.
In a fourth embodiment of the present application, as shown in fig. 5, the method by which the load balancer performs extranet access control mainly includes:
step 501, receiving an extranet access request sent by a network device, the request being sent according to the indication information of a target proxy node when a virtualization module deployed in the network device accesses the extranet;
step 502, determining the target proxy node corresponding to the extranet access request based on second identification information, the second identification information including at least one of a virtual network address or a virtual port number of the load balancer;
step 503, sending the extranet access request to the target proxy node, so that the target proxy node sends it to the extranet through the extranet egress.
In a specific embodiment, the second identification information is carried in the extranet access request.
In another specific embodiment, the extranet access request carries third identification information, which includes address information of the virtualization module, and before the target proxy node is determined based on the second identification information the method further includes determining the second identification information based on the third identification information.
In a specific embodiment, determining the target proxy node corresponding to the extranet access request based on the second identification information includes:
determining the candidate proxy node cluster corresponding to the second identification information based on a preset second correspondence;
determining the target proxy node corresponding to the extranet access request from among the candidate proxy nodes of that candidate proxy node cluster.
In a specific embodiment, determining the target proxy node from among the candidate proxy nodes of the cluster includes:
applying a load balancing principle to the candidate proxy nodes of the cluster to determine the target proxy node corresponding to the extranet access request;
the load balancing principle is any one of the following:
random selection of a candidate proxy node;
round-robin allocation of candidate proxy nodes;
selection of the candidate proxy node with the fewest connections.
For the parts of this embodiment not described in full, reference is made to the foregoing description of the load balancer; that description is not repeated here.
In a fifth embodiment of the present application, as shown in fig. 6, an exemplary system architecture is provided in which Nginx clusters are built for the different extranet egresses, load balancing (LB) is set up in front of the Nginx clusters, and each Nginx cluster corresponds to one VIP set. The mapping between each VIP set and its Nginx cluster, and the load balancing policy of each Nginx cluster, are configured in the load balancer. An Nginx cluster comprises n Nginx servers, i.e. Nginx-1 … Nginx-n.
Each cluster comprises n Nginx servers, and each VIP set comprises n VIPs, i.e. VIP-1 … VIP-n.
As shown in fig. 6, Nginx Cluster 1, also called Cluster 1, corresponds to operator network 1; Nginx Cluster 2, also called Cluster 2, corresponds to operator network 2; and Nginx Cluster 3, also called Cluster 3, corresponds to operator network 3.
The network device (also called the client) sets the indication information of the Nginx server in the VM or Docker container, and extranet access through the corresponding operator network can then take place. The VM or Docker container runs on the physical resources of the network device, that is, its hardware such as processor and memory.
Under this architecture, the virtual network address configured for a virtual machine in the network device is one VIP from the VIP set corresponding to Nginx cluster 1. The virtual machine initiates an extranet access request according to that virtual network address, and the request is sent to the load balancer.
After obtaining the virtual network address carried in the extranet access request, the load balancer determines that it belongs to the VIP set corresponding to Nginx cluster 1, obtains one Nginx server from Nginx cluster 1 by load balancing, and uses that Nginx server as the extranet egress proxy node of the virtual machine.
That is, the load balancer sends the extranet access request to an Nginx server selected from Nginx cluster 1, and that Nginx server, acting as the extranet egress proxy node of the virtual machine, sends the request to the extranet.
In this embodiment the virtual machine in the network device sends the extranet access request to the load balancer according to its configured virtual network address, the load balancer obtains an Nginx server from that virtual network address and sends the request to it, and the Nginx server sends the request to the extranet through its own extranet egress. Extranet access is thus automated, the extranet egress of the network device is not occupied by the virtual machine's extranet access requests, and the time cost of sharing that egress is avoided, which reduces the time and resource cost and improves extranet access efficiency.
In addition, extranet access of services such as virtual machines and containers is controlled by having the load balancer select the Nginx server, so no extranet access routes need to be configured, the resources and time that route configuration would consume are saved, and the extranet access process is streamlined.
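The selection logic of the second and third cases described under the system architecture above, together with the cluster-per-operator and VIP-set layout of this fifth embodiment, can be put into one piece of code. The following is an added example, not code from the patent or its assignee, and not the Nginx or load balancer software itself: a load balancer object that resolves a VIP to its candidate proxy node cluster through the second correspondence, picks a node by the random, round-robin or least-connections principle, and handles the third case by mapping a virtualization module's address to its VIP. The cluster names, operator labels, VIPs and node addresses are constructed, and the policy names are this example's own.

```python
"""Added example, not code from the patent or its assignee: a load balancer
that maps second identification information (a VIP) to a candidate proxy
node cluster through the second correspondence, picks one node by the random,
round-robin or least-connections principle, and resolves the third case
(module address -> VIP) through a stored mapping. The cluster layout follows
figure 6 (one Nginx cluster per operator network, each with its own VIP set);
all addresses, cluster names and policy names are constructed."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProxyNode:
    address: str
    connections: int = 0        # load indication parameter: established connections


@dataclass
class Cluster:
    name: str
    operator: str               # extranet identity: whose egress this cluster proxies
    nodes: List[ProxyNode]
    last_index: int = -1        # position of the node selected last time (round robin)


class ExtranetLoadBalancer:
    def __init__(self, clusters: List[Cluster], vip_sets: Dict[str, List[str]],
                 policy: str = "least_conn", rng: Optional[random.Random] = None):
        self.clusters = {c.name: c for c in clusters}
        # second correspondence: every VIP of a set maps to the same cluster
        self.vip_to_cluster: Dict[str, str] = {
            vip: name for name, vips in vip_sets.items() for vip in vips}
        self.module_to_vip: Dict[str, str] = {}   # third -> second identification
        self.policy = policy
        self.rng = rng or random.Random()

    def register_module(self, module_addr: str, vip: str) -> None:
        """Record the VIP configured into a virtualization module; calling it
        again with a VIP from another operator's set re-adapts the module."""
        if vip not in self.vip_to_cluster:
            raise KeyError(f"VIP {vip} is not configured on this balancer")
        self.module_to_vip[module_addr] = vip

    def resolve_vip(self, request: Dict[str, str]) -> str:
        """Second case: the request names the VIP it was sent to. Third case:
        it carries the module's address and the stored mapping yields the VIP."""
        if "vip" in request:
            return request["vip"]
        return self.module_to_vip[request["module_addr"]]

    def pick_node(self, vip: str) -> Tuple[str, ProxyNode]:
        cluster = self.clusters[self.vip_to_cluster[vip]]   # unknown VIP: KeyError, refused
        nodes = cluster.nodes
        if self.policy == "random":
            node = self.rng.choice(nodes)
        elif self.policy == "round_robin":
            cluster.last_index = (cluster.last_index + 1) % len(nodes)
            node = nodes[cluster.last_index]
        elif self.policy == "least_conn":
            node = min(nodes, key=lambda n: n.connections)
        else:
            raise ValueError(f"unknown load balancing principle {self.policy!r}")
        node.connections += 1
        return cluster.name, node

    def route(self, request: Dict[str, str]) -> Tuple[str, str]:
        """Return (cluster name, proxy node address) for an extranet access request."""
        cluster_name, node = self.pick_node(self.resolve_vip(request))
        return cluster_name, node.address


def build_sample_balancer(policy: str = "least_conn", seed: int = 0) -> ExtranetLoadBalancer:
    """Constructed topology: Cluster 1 proxies operator 1, Cluster 2 operator 2."""
    clusters = [
        Cluster("Cluster 1", "operator-1",
                [ProxyNode("192.0.2.11"), ProxyNode("192.0.2.12"), ProxyNode("192.0.2.13")]),
        Cluster("Cluster 2", "operator-2",
                [ProxyNode("192.0.2.21"), ProxyNode("192.0.2.22")]),
    ]
    vip_sets = {
        "Cluster 1": ["198.51.100.1", "198.51.100.2", "198.51.100.3"],
        "Cluster 2": ["198.51.100.21", "198.51.100.22"],
    }
    lb = ExtranetLoadBalancer(clusters, vip_sets, policy, random.Random(seed))
    lb.register_module("10.0.0.5", "198.51.100.2")   # a VM adapted to operator 1
    return lb


if __name__ == "__main__":
    lb = build_sample_balancer("round_robin")
    print(lb.route({"vip": "198.51.100.1"}))         # second case
    print(lb.route({"module_addr": "10.0.0.5"}))     # third case
```

Two properties are worth checking when this is built for real. A VIP absent from every VIP set raises KeyError and is refused rather than falling through to a default cluster, so a module cannot reach an operator's egress merely by naming an unconfigured VIP. In the third case the balancer trusts the module address carried in the request, so that address must be one the network device stamps from the actual source (or otherwise authenticates), not one the module supplies itself; otherwise a module could claim another module's address and be routed to a cluster it was never adapted to. Re-adapting a module to a different operator network is register_module called again with a VIP from that operator's set, which is the reconfiguration the third case describes.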
In a sixth embodiment of the present application, an extranet access control apparatus applied to a network device in which a virtualization module is deployed is provided. For its specific implementation, reference is made to the description of the method embodiments; repeated details are omitted. As shown in fig. 7, the apparatus mainly includes:
an obtaining module 701, configured to obtain the indication information of a target proxy node when the virtualization module accesses the extranet, the target proxy node being the node that proxies the extranet access request of the virtualization module;
a transmission module 702, configured to send the extranet access request to the target proxy node according to the indication information, so that the target proxy node sends the extranet access request to the extranet through the extranet egress.
In a seventh embodiment of the present application, an extranet access control apparatus applied to a target proxy node is provided. For its specific implementation, reference is made to the description of the method embodiments; repeated details are omitted. As shown in fig. 8, the apparatus mainly includes:
a receiving module 801, configured to receive an extranet access request from the network device, the extranet access request being the request that the network device sends according to the indication information of the target proxy node when a virtualization module deployed in the network device accesses the extranet;
a sending module 802, configured to send the extranet access request to the extranet through the extranet egress.
In an eighth embodiment of the present application, an extranet access control apparatus applied to a load balancer is provided. For its specific implementation, reference is made to the description of the method embodiments; repeated details are omitted. As shown in fig. 9, the apparatus mainly includes:
a receiving module 901, configured to receive an extranet access request sent by a network device, the extranet access request being sent when a virtualization module deployed in the network device accesses the extranet;
a processing module 902, configured to determine the target proxy node corresponding to the extranet access request based on second identification information, the second identification information including at least one of a virtual network address or a virtual port number of the load balancer;
a sending module 903, configured to send the extranet access request to the target proxy node, so that the target proxy node sends it to the extranet through the extranet egress.
Based on the same concept, an embodiment of the present application further provides an electronic device, as shown in fig. 10, the electronic device mainly includes: a processor 1001, a communication interface 1002, a memory 1003 and a communication bus 1004, wherein the processor 1001, the communication interface 1002 and the memory 1003 communicate with each other via the communication bus 1004. The memory 1003 stores a program executable by the processor 1001, and the processor 1001 executes the program stored in the memory 1003, thereby implementing the extranet access control method described in any of the foregoing embodiments.
The communication bus 1004 mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus 1004 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 10, but this is not intended to represent only one bus or type of bus.
The communication interface 1002 is used for communication between the electronic apparatus and other apparatuses.
The memory 1003 may include random access memory (RAM) or non-volatile memory, such as at least one disk memory. Alternatively, the memory may be at least one storage device located remotely from the processor 1001.
The processor 1001 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc., or a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
In yet another embodiment of the present application, a computer-readable storage medium is provided in which a computer program is stored which, when run on a computer, causes the computer to execute the extranet access control method described in the second, third or fourth embodiment above.
In the above embodiments, the implementation may be realized wholly or partly by software, hardware, firmware or any combination of them. When implemented in software, it may be realized wholly or partly in the form of a computer program product, which comprises one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server or data center to another by wire (e.g. coaxial cable, optical fibre, digital subscriber line (DSL)) or wirelessly (e.g. infrared, microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that contains one or more available media. The available media may be magnetic media (e.g. floppy disks, hard disks, tapes), optical media (e.g. DVDs) or semiconductor media (e.g. solid state drives).
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present invention, which enable those skilled in the art to understand or practice the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (30)

1. An extranet access control system, comprising a network device and a target proxy node, wherein a virtualization module is deployed in the network device;
when the virtualization module accesses an extranet, the network device acquires indication information of the target proxy node, the target proxy node being configured to proxy the extranet access request of the virtualization module;
the network device sends the extranet access request to the target proxy node according to the indication information;
and the target proxy node sends the extranet access request to the extranet through an extranet egress.
2. The extranet access control system of claim 1, wherein the network device acquiring the indication information of the target proxy node comprises:
the network device reads a configuration file, wherein the configuration file comprises a custom environment variable, and the custom environment variable indicates a first correspondence between the virtualization module and proxy nodes;
the network device determines a proxy node set corresponding to the virtualization module based on the custom environment variable;
and the network device determines the target proxy node in the proxy node set and acquires the indication information of the target proxy node.
3. The extranet access control system of claim 2, wherein the custom environment variable comprises at least one of:
an http_proxy variable;
an https_proxy variable;
a no_proxy variable.
4. The extranet access control system of any of claims 1-3, wherein the network device acquiring the indication information of the target proxy node comprises:
when the virtualization module is pre-configured with indication information of a plurality of candidate proxy nodes, the network device selects the indication information of the target proxy node from the indication information of the candidate proxy nodes according to a set selection principle;
the set selection principle comprises any one of the following:
a random selection principle;
a round-robin allocation principle;
a least-connections allocation principle.
5. The extranet access control system of claim 2 or 3, wherein the indication information of the target proxy node is first identification information, the first identification information comprising at least one of a network address or a port number of the target proxy node.
6. The extranet access control system of claim 1, wherein
before the target proxy node sends the extranet access request to the extranet through the extranet egress, the target proxy node acquires the network address of the virtualization module carried in the extranet access request;
the target proxy node verifies the extranet access permission of the virtualization module based on access control information and the network address of the virtualization module;
and when the virtualization module has extranet access permission, the target proxy node sends the extranet access request to the extranet through the extranet egress.
7. The extranet access control system of any of claims 1-3, further comprising a load balancer, wherein the indication information of the target proxy node comprises second identification information, the second identification information comprising at least one of a virtual network address or a virtual port number of the load balancer;
the network device sending the extranet access request to the target proxy node according to the indication information comprises:
the network device sends the extranet access request to the load balancer according to the second identification information;
the load balancer determines the target proxy node corresponding to the extranet access request based on the second identification information;
and the load balancer sends the extranet access request to the target proxy node.
8. The extranet access control system of any of claims 1-3, further comprising a load balancer, wherein the indication information of the target proxy node comprises third identification information, the third identification information comprising address information of the virtualization module;
the network device sending the extranet access request to the target proxy node according to the indication information comprises:
the network device sends the extranet access request to the load balancer, wherein the extranet access request carries the third identification information;
the load balancer determines second identification information based on the third identification information, wherein the second identification information comprises at least one of a virtual network address or a virtual port number of the load balancer;
the load balancer determines the target proxy node corresponding to the extranet access request based on the second identification information;
and the load balancer sends the extranet access request to the target proxy node.
9. The extranet access control system of claim 8, wherein the load balancer determining the target proxy node corresponding to the extranet access request based on the second identification information comprises:
the load balancer determines a candidate proxy node cluster corresponding to the second identification information based on a preset second correspondence;
and the load balancer determines the target proxy node corresponding to the extranet access request based on a load indication parameter of each candidate proxy node cluster.
10. The extranet access control system of claim 9, wherein the load balancer determining the target proxy node corresponding to the extranet access request based on the load indication parameter of each candidate proxy node cluster comprises:
the load balancer determines the target proxy node corresponding to the extranet access request by applying a load balancing principle based on the load indication parameter of each candidate proxy node cluster;
the load balancing principle comprises any one of the following:
randomly selecting a candidate proxy node;
allocating candidate proxy nodes in round-robin order;
selecting the candidate proxy node with the fewest connections.
11. The extranet access control system of claim 9, wherein the extranet identifiers of any two of the candidate proxy node clusters are different.
12. The extranet access control system of claim 1, wherein at least one virtualization module is deployed in the network device;
the virtualization module comprises at least one of a virtual machine or a virtualization container.
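The network-device side of claims 2 to 5, shown as an added example that is not code from the patent or its applicant: a configuration file carrying the http_proxy, https_proxy and no_proxy variables is parsed into a proxy node set per URL scheme, and the target proxy node is chosen by one of the three selection principles the claims list (random, round-robin, least connections). The comma-separated value format, the proxy host names, and the no_proxy matching rules (exact host, ".suffix" domain, CIDR) are assumptions modelled on common proxy clients, not details given by the patent.

```python
import ipaddress
import itertools
import random
from typing import Dict, Iterator, List, Optional
from urllib.parse import urlsplit

# Constructed sample configuration file (not from the patent). It uses the
# custom environment variables the claims name: http_proxy, https_proxy and
# no_proxy. The comma-separated list format and the proxy host names are
# assumptions made for this example.
SAMPLE_CONFIG = """
# proxy nodes reachable from this virtualization module
http_proxy=http://proxy-a.internal:3128,http://proxy-b.internal:3128
https_proxy=http://proxy-a.internal:3128,http://proxy-c.internal:3128
no_proxy=localhost,127.0.0.1,.corp.internal,10.0.0.0/8
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Read KEY=value lines into a dict; each value is a comma-separated list."""
    env: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip().lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return env


def bypass_proxy(host: str, no_proxy: List[str]) -> bool:
    """True when the destination host matches a no_proxy entry.

    Entry forms handled (an assumption modelled on common proxy clients):
    "*", an exact host, a ".suffix" domain match, or an IP network in CIDR form.
    """
    for entry in no_proxy:
        if entry == "*" or host == entry:
            return True
        if entry.startswith("."):
            if host.endswith(entry) or host == entry[1:]:
                return True
        elif "/" in entry:
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:  # host is a name, not an address: CIDR cannot match
                continue
    return False


class ProxySelector:
    """Chooses the target proxy node for a request, as the network device does.

    principle is "random", "round_robin" or "least_connections", mirroring the
    three selection principles listed in the claims.
    """

    def __init__(self, env: Dict[str, List[str]], principle: str = "round_robin") -> None:
        if principle not in ("random", "round_robin", "least_connections"):
            raise ValueError(f"unknown selection principle: {principle}")
        self.env = env
        self.principle = principle
        self._cycles: Dict[str, Iterator[str]] = {}   # scheme -> round-robin iterator
        self.connections: Dict[str, int] = {}          # proxy URL -> active connections

    def candidates(self, scheme: str) -> List[str]:
        """The proxy node set for a URL scheme (the first correspondence)."""
        return self.env.get(f"{scheme}_proxy", [])

    def select(self, url: str) -> Optional[str]:
        """Return the proxy node URL to use for url, or None for a direct connection."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if bypass_proxy(host, self.env.get("no_proxy", [])):
            return None
        pool = self.candidates(parts.scheme)
        if not pool:
            return None
        if self.principle == "random":
            return random.choice(pool)
        if self.principle == "round_robin":
            if parts.scheme not in self._cycles:
                self._cycles[parts.scheme] = itertools.cycle(pool)
            return next(self._cycles[parts.scheme])
        # least_connections: fewest active connections, ties broken by list order
        return min(pool, key=lambda p: (self.connections.get(p, 0), pool.index(p)))

    def acquire(self, proxy: str) -> None:
        """Record a connection opened through proxy (feeds least_connections)."""
        self.connections[proxy] = self.connections.get(proxy, 0) + 1

    def release(self, proxy: str) -> None:
        """Record a connection through proxy being closed."""
        self.connections[proxy] = max(0, self.connections.get(proxy, 0) - 1)
```

A bypassed destination is decided before any proxy is chosen, so no_proxy traffic never consumes a round-robin slot or a connection count; the returned proxy URL is the "first identification information" of claim 5, from which the network address and port follow directly.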
13. An extranet access control method, applied to a network device in which a virtualization module is deployed, the method comprising:
when the virtualization module accesses an extranet, acquiring indication information of a target proxy node, the target proxy node being configured to proxy the extranet access request of the virtualization module;
and sending the extranet access request to the target proxy node according to the indication information, so that the target proxy node sends the extranet access request to the extranet through an extranet egress.
14. The extranet access control method of claim 13, wherein acquiring the indication information of the target proxy node comprises:
reading a configuration file, wherein the configuration file comprises a custom environment variable, and the custom environment variable indicates a first correspondence between the virtualization module and proxy nodes;
determining a proxy node set corresponding to the virtualization module based on the custom environment variable;
and determining the target proxy node in the proxy node set and acquiring the indication information of the target proxy node.
15. The extranet access control method of claim 14, wherein the custom environment variable comprises at least one of:
an http_proxy variable;
an https_proxy variable;
a no_proxy variable.
16. The extranet access control method of any of claims 13-15, wherein acquiring the indication information of the target proxy node comprises:
when the virtualization module is pre-configured with indication information of a plurality of candidate proxy nodes, selecting the indication information of the target proxy node from the indication information of the candidate proxy nodes according to a set selection principle;
the set selection principle comprises any one of the following:
a random selection principle;
a round-robin allocation principle;
a least-connections allocation principle.
17. The extranet access control method of any of claims 13-15, wherein sending the extranet access request to the target proxy node according to the indication information, so that the target proxy node sends the extranet access request to the extranet through the extranet egress, comprises:
sending the extranet access request to the target proxy node according to first identification information, so that the target proxy node sends the extranet access request to the extranet through the extranet egress, wherein the first identification information comprises at least one of a network address or a port number of the target proxy node;
or,
sending the extranet access request to a load balancer according to second identification information, so that the load balancer determines the target proxy node corresponding to the extranet access request based on the second identification information and sends the extranet access request to the target proxy node, wherein the second identification information comprises at least one of a virtual network address or a virtual port number of the load balancer;
or,
sending the extranet access request to a load balancer, wherein the extranet access request carries third identification information, so that the load balancer determines the second identification information based on the third identification information, determines the target proxy node corresponding to the extranet access request based on the second identification information, and sends the extranet access request to the target proxy node, wherein the third identification information comprises address information of the virtualization module.
18. The extranet access control method of claim 13, wherein at least one virtualization module is deployed in the network device;
the virtualization module comprises at least one of a virtual machine or a virtualization container.
19. An extranet access control method, applied to a target proxy node, the method comprising:
receiving an extranet access request from a network device, wherein the extranet access request is sent by the network device according to indication information of the target proxy node when a virtualization module accesses an extranet, the virtualization module being deployed in the network device;
and sending the extranet access request to the extranet through an extranet egress.
20. The extranet access control method of claim 19, further comprising, before sending the extranet access request to the extranet through the extranet egress:
acquiring the network address of the virtualization module carried in the extranet access request;
verifying the extranet access permission of the virtualization module based on access control information and the network address of the virtualization module;
and when the virtualization module has extranet access permission, performing the step of sending the extranet access request to the extranet through the extranet egress.
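The proxy-node check of claims 6 and 20, as an added example that is not code from the patent or its applicant: the node takes the virtualization module's network address carried in the request, looks it up in its access control information, and only forwards through the extranet egress when a rule permits that module to reach that destination. The rule format (source CIDR, allowed destination hosts and ports), the request shape, the `fake_egress` stand-in and all addresses are constructed for this example; the patent does not specify what the access control information looks like.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed request shape: {"source": str, "host": str, "port": int}
Request = Dict[str, object]


@dataclass(frozen=True)
class AccessRule:
    """One entry of the proxy node's access control information (constructed format)."""
    source: str               # CIDR covering the virtualization modules this rule applies to
    hosts: Tuple[str, ...]    # allowed destination hosts: exact name, ".suffix", or "*"
    ports: Tuple[int, ...]    # allowed destination ports; empty tuple means any port


def _host_matches(host: str, patterns: Tuple[str, ...]) -> bool:
    """Exact host, "*" wildcard, or ".suffix" domain match."""
    for pattern in patterns:
        if pattern == "*" or host == pattern:
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


class ProxyNode:
    """Target proxy node: verifies the requesting module before using the egress."""

    def __init__(self, rules: List[AccessRule], egress: Callable[[Request], dict]) -> None:
        # Parse CIDRs once so a malformed rule fails at load time, not per request.
        self.rules = [(ipaddress.ip_network(r.source, strict=False), r) for r in rules]
        self.egress = egress
        self.audit: List[Tuple[str, str, str, int]] = []  # (decision, source, host, port)

    def authorize(self, source: str, host: str, port: int) -> bool:
        """Does the access control information permit this module to reach host:port?"""
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:  # unparsable or missing module address: deny by default
            return False
        for net, rule in self.rules:
            if addr not in net:
                continue
            if _host_matches(host, rule.hosts) and (not rule.ports or port in rule.ports):
                return True
        return False

    def handle(self, request: Request) -> dict:
        """Verify, record the decision, and forward only permitted requests."""
        source = str(request.get("source", ""))
        host = str(request.get("host", ""))
        port = int(request.get("port", 0))
        allowed = self.authorize(source, host, port)
        # Every decision is recorded so denials can feed monitoring and alerting.
        self.audit.append(("ALLOW" if allowed else "DENY", source, host, port))
        if not allowed:
            return {"status": 403, "reason": "module not permitted for destination"}
        return self.egress(request)


def fake_egress(request: Request) -> dict:
    """Stand-in for the extranet egress; a real node would open the upstream connection."""
    return {"status": 200, "via": "extranet-egress", "host": request["host"]}


# Constructed access control information and traffic (all addresses are placeholders).
SAMPLE_RULES = [
    AccessRule("10.10.0.0/16", (".example.com",), (443,)),  # build modules: HTTPS to example.com only
    AccessRule("10.20.5.0/24", ("*",), ()),                  # egress test modules: any destination
]

SAMPLE_REQUESTS: List[Request] = [
    {"source": "10.10.3.7", "host": "api.example.com", "port": 443},
    {"source": "10.10.3.7", "host": "api.example.com", "port": 80},
    {"source": "10.10.3.7", "host": "other.example.org", "port": 443},
    {"source": "10.20.5.9", "host": "updates.example.org", "port": 8080},
    {"source": "192.168.1.1", "host": "api.example.com", "port": 443},
]


def run_demo() -> List[int]:
    """Process the sample requests and return their status codes in order."""
    node = ProxyNode(SAMPLE_RULES, fake_egress)
    return [node.handle(r)["status"] for r in SAMPLE_REQUESTS]
```

The check is only as strong as the source address it reads: it must be the address the network device attached (claim 8's third identification information carries the module's address through the load balancer), not a header the workload inside the module can set for itself, and the deny path should keep the audit record so that repeated denials from one module are visible to monitoring.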
21. An extranet access control method, applied to a load balancer, the method comprising:
receiving an extranet access request sent by a network device, wherein the extranet access request is sent according to indication information of a target proxy node when a virtualization module accesses an extranet, the virtualization module being deployed in the network device;
determining the target proxy node corresponding to the extranet access request based on second identification information, wherein the second identification information comprises at least one of a virtual network address or a virtual port number of the load balancer;
and sending the extranet access request to the target proxy node, so that the target proxy node sends the extranet access request to the extranet through an extranet egress.
22. The extranet access control method of claim 21, wherein the extranet access request carries the second identification information;
or,
the extranet access request carries third identification information, wherein the third identification information comprises address information of the virtualization module, and before determining the target proxy node corresponding to the extranet access request based on the second identification information, the method further comprises: determining the second identification information based on the third identification information.
23. The extranet access control method of claim 22, wherein determining the target proxy node corresponding to the extranet access request based on the second identification information comprises:
determining a candidate proxy node cluster corresponding to the second identification information based on a preset second correspondence;
and determining the target proxy node corresponding to the extranet access request based on the candidate proxy nodes of each candidate proxy node cluster.
24. The extranet access control method of claim 23, wherein determining the target proxy node corresponding to the extranet access request based on the candidate proxy nodes of each candidate proxy node cluster comprises:
determining the target proxy node corresponding to the extranet access request by applying a load balancing principle based on the candidate proxy nodes of each candidate proxy node cluster;
the load balancing principle comprises any one of the following:
randomly selecting a candidate proxy node;
allocating candidate proxy nodes in round-robin order;
selecting the candidate proxy node with the fewest connections.
25. The extranet access control method of claim 23, wherein the extranet identifiers of any two of the candidate proxy node clusters are different.
26. An extranet access control apparatus, applied to a network device in which a virtualization module is deployed, the apparatus comprising:
an acquisition module, configured to acquire indication information of a target proxy node when the virtualization module accesses an extranet, the target proxy node being configured to proxy the extranet access request of the virtualization module;
and a transmission module, configured to send the extranet access request to the target proxy node according to the indication information, so that the target proxy node sends the extranet access request to the extranet through an extranet egress.
27. An extranet access control apparatus, applied to a target proxy node, the apparatus comprising:
a receiving module, configured to receive an extranet access request from a network device, wherein the extranet access request is sent by the network device according to indication information of the target proxy node when a virtualization module accesses an extranet, the virtualization module being deployed in the network device;
and a sending module, configured to send the extranet access request to the extranet through an extranet egress.
28. An extranet access control apparatus, applied to a load balancer, the apparatus comprising:
a receiving module, configured to receive an extranet access request sent by a network device, wherein the extranet access request is sent when a virtualization module accesses an extranet, the virtualization module being deployed in the network device;
a processing module, configured to determine a target proxy node corresponding to the extranet access request based on second identification information, wherein the second identification information comprises at least one of a virtual network address or a virtual port number of the load balancer;
and a sending module, configured to send the extranet access request to the target proxy node, so that the target proxy node sends the extranet access request to an extranet through an extranet egress.
29. A device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program;
and the processor is configured to execute the program stored in the memory to implement the extranet access control method of any one of claims 13 to 18, the extranet access control method of any one of claims 19 to 20, or the extranet access control method of any one of claims 21 to 25.
30. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the extranet access control method of any one of claims 13 to 18, the extranet access control method of any one of claims 19 to 20, or the extranet access control method of any one of claims 21 to 25.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110351739.7A CN112968976B (en) 2021-03-31 2021-03-31 External network access control system, method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112968976A (en) 2021-06-15
CN112968976B (en) 2024-02-06

Family

ID=76280702

Country Status (1)

Country Link
CN (1) CN112968976B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472579A (en) * 2021-07-01 2021-10-01 山东浪潮通软信息科技有限公司 Configuration method, equipment and medium for accessing external network application program interface
CN114422493A (en) * 2022-01-19 2022-04-29 平安壹钱包电子商务有限公司 Data transmission method, device, equipment and storage medium of distributed system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017140216A1 (en) * 2016-02-16 2017-08-24 阿里巴巴集团控股有限公司 Method and device for network load balancing, control, and network interaction
CN107483390A (en) * 2016-06-08 2017-12-15 成都赫尔墨斯科技股份有限公司 A kind of cloud rendering web deployment subsystem, system and cloud rendering platform
CN109617966A (en) * 2018-12-14 2019-04-12 武汉烽火信息集成技术有限公司 A kind of cloud pipe Platform deployment system and method based on Openstack
WO2020186909A1 (en) * 2019-03-18 2020-09-24 北京金山云网络技术有限公司 Virtual network service processing method, apparatus and system, and controller and storage medium
CN111741508A (en) * 2020-06-19 2020-10-02 北京奇艺世纪科技有限公司 Method, controller, forwarding device, device and medium for establishing communication connection

Also Published As

Publication number Publication date
CN112968976B (en) 2024-02-06

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant