CN114760246A - Service drainage method, device and medium - Google Patents


Publication number
CN114760246A
Authority
CN
China
Prior art keywords
service
virtual router
drainage
virtual
message
Legal status
Granted
Application number
CN202210319421.5A
Other languages
Chinese (zh)
Other versions
CN114760246B (en
Inventor
胡章丰
孙思清
高传集
李彦君
任秋峥
Current Assignee
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Classifications

    • H04L 45/586 Association of routers of virtual routers (under H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 45/00 Routing or path finding of packets in data switching networks; H04L 45/58 Association of routers)
    • H04L 45/74 Address processing for routing (under H04L 45/00 Routing or path finding of packets in data switching networks)
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network (under H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/01 Protocols)
    • H04L 67/30 Profiles (under H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/2866 Architectures; Arrangements)

Abstract

The application discloses a service drainage (traffic steering) method, device and medium. The method comprises: acquiring configuration information of a service drainage chain; hooking each non-service type virtual device in the service drainage chain to a virtual router in the user VPC (Virtual Private Cloud) based on the configuration information, the virtual router being deployed in the user VPC with a fully distributed architecture; generating outbound policy routes according to the forward order of the non-service type virtual devices in the chain and inbound policy routes according to their reverse order; and issuing the outbound and inbound policy routes to the virtual router and performing service drainage based on them. The method achieves a symmetric traffic path while preserving the stability and robustness of the cloud platform, and scales well.

Description

Service drainage method, device and medium
Technical Field
The application relates to the technical field of cloud computing, and in particular to a service drainage method, a service drainage device and a service drainage medium.
Background
As user services move to the cloud at scale, the various non-service type devices of a traditional data center, such as the web application firewall (WAF), the border firewall, deep packet inspection (DPI) devices and log auditing devices, are also being virtualized and migrated to the cloud. Once virtualized, a user can create and deploy them on demand in their own VPC (Virtual Private Cloud) from the cloud computing management console, and then pull specific service traffic to one or more of these devices for security protection, internet behaviour auditing, daily monitoring and similar purposes. However, the service drainage methods of a conventional data center, based on simple routing or policy routing, do not work on a large-scale cloud computing platform with a fully distributed routing architecture. Under such an architecture the SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation) operations applied to the north-south traffic of an elastic cloud server as it leaves or enters the VPC must be executed symmetrically, that is, on the VPC virtual router of the physical node where the elastic cloud server resides. When the source elastic cloud server of a drainage chain is located on a different physical node from the non-service type virtual device, the paths of the traffic entering and leaving the VPC, and the source and destination IP addresses in the packets, are no longer symmetric, so the security device cannot establish a session and communication fails.
The transparent drainage scheme that the OpenStack community currently provides for the DVR (Distributed Virtual Router) architecture is based on a full flow table. It is highly intrusive to the layer-2 forwarding logic of the data plane, and the corresponding flow tables must be issued for every source elastic cloud server, so each time a user adds or deletes an elastic cloud server a large amount of interaction between the control plane and the data plane results. It therefore cannot meet the stability and robustness requirements of a large-scale public cloud, and its poor scalability means it cannot support large-scale scenarios.
Disclosure of Invention
In view of this, an object of the present application is to provide a service drainage method, device and medium that achieve a symmetric traffic path while preserving the stability and robustness of the cloud platform, and that scale well. The specific scheme is as follows.
In a first aspect, the present application discloses a service drainage method comprising:
acquiring configuration information of a service drainage chain;
hooking each non-service type virtual device in the service drainage chain to a virtual router in the user VPC based on the configuration information, where the virtual router is deployed in the user VPC with a fully distributed architecture;
generating outbound policy routes according to the forward order of the non-service type virtual devices in the service drainage chain, and generating inbound policy routes according to their reverse order; and
issuing the outbound policy routes and the inbound policy routes to the virtual router, and performing service drainage based on them.
Optionally, the method further includes:
performing the SNAT operation for outbound traffic on the virtual router of the physical node where the last non-service type virtual device in the service drainage chain is located; and
performing the DNAT operation for inbound traffic on the virtual router of the physical node where the destination elastic cloud server is located.
Optionally, performing the SNAT operation for outbound traffic on the virtual router of the physical node where the last non-service type virtual device in the service drainage chain is located includes:
performing the SNAT operation for outbound traffic when that virtual router judges, from the destination IP of the packet, that the current packet is an outbound packet.
Optionally, hooking each non-service type virtual device in the service drainage chain to a virtual router in the user VPC based on the configuration information includes:
determining the non-service type virtual devices in the service drainage chain based on the configuration information;
creating an independent interconnection subnet in the user VPC for each non-service type virtual device; and
connecting each non-service type virtual device to the virtual router in the user VPC through its interconnection subnet.
Optionally, acquiring the configuration information of the service drainage chain includes:
acquiring the configuration information of the service drainage chain through a cloud computing management console;
and correspondingly, the method further includes calling a preset northbound interface based on the configuration information, which starts the step of hooking each non-service type virtual device in the service drainage chain to the virtual router in the user VPC.
Optionally, an outbound policy route includes a source IP, a source port, a transport-layer protocol type, a packet ingress port and next-hop information; an inbound policy route includes a destination IP, a destination port, a transport-layer protocol type, a packet ingress port and next-hop information.
Optionally, performing service drainage based on the outbound policy routes and the inbound policy routes includes:
when the virtual router receives an outbound packet, matching a first target outbound policy route among the outbound policy routes according to a first matching condition, and performing service drainage based on that route;
when the virtual router receives an inbound packet, matching a second target inbound policy route among the inbound policy routes according to a second matching condition, and performing service drainage based on that route;
where the first matching condition comprises the source IP, source port, transport-layer protocol type and packet ingress port, and the second matching condition comprises the destination IP, destination port, transport-layer protocol type and packet ingress port.
In a second aspect, the present application discloses a service drainage device comprising a configuration information acquisition module, a virtual device hooking module, a policy route generation module, a policy route issuing module and a virtual router, where:
the configuration information acquisition module is used to acquire configuration information of the service drainage chain;
the virtual device hooking module is used to hook each non-service type virtual device in the service drainage chain to a virtual router in the user VPC based on the configuration information, the virtual router being deployed in the user VPC with a fully distributed architecture;
the policy route generation module is configured to generate outbound policy routes according to the forward order of the non-service type virtual devices in the service drainage chain, and inbound policy routes according to their reverse order;
the policy route issuing module is configured to issue the outbound policy routes and the inbound policy routes to the virtual router; and
the virtual router is used to perform service drainage based on the outbound policy routes and the inbound policy routes.
Optionally, the virtual router on the physical node where the last non-service type virtual device in the service drainage chain is located is configured to perform the SNAT operation for outbound traffic;
and the virtual router on the physical node where the destination elastic cloud server is located is configured to perform the DNAT operation for inbound traffic.
In a third aspect, the present application discloses a computer-readable storage medium storing a computer program which, when executed by a processor, implements the service drainage method described above.
In summary, the configuration information of the service drainage chain is acquired first; each non-service type virtual device in the chain is then hooked to a virtual router in the user VPC based on that configuration, the virtual router being deployed in the user VPC with a fully distributed architecture; outbound policy routes are generated according to the forward order of the non-service type virtual devices in the chain and inbound policy routes according to their reverse order; and finally the outbound and inbound policy routes are issued to the virtual router, which performs service drainage based on them. Because drainage is done entirely with policy routes on the virtual router, the data plane is not touched, which preserves the stability and robustness of the cloud platform; the number of policy routes does not grow with the number of elastic cloud servers, so the scheme scales better than a full-flow-table drainage scheme; and because the outbound policy routes follow the forward order of the chain and the inbound policy routes its reverse order, the scheme is symmetric, guaranteeing a symmetric traffic path during service drainage.
Drawings
In order to illustrate more clearly the embodiments of the present application or the technical solutions in the prior art, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. It is obvious that the drawings in the following description are only embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of a service drainage method disclosed in the present application;
FIG. 2 is a diagram of a specific service drainage implementation architecture disclosed in the present application;
FIG. 3 is a schematic view of the service drainage principle disclosed in the present application;
FIG. 4 is a schematic view of service drainage in the same-node outbound direction disclosed in the present application;
FIG. 5 is a schematic view of service drainage in the same-node inbound direction disclosed in the present application;
FIG. 6 is a schematic view of service drainage in the cross-node outbound direction disclosed in the present application;
FIG. 7 is a schematic view of service drainage in the cross-node inbound direction disclosed in the present application;
FIG. 8 is a schematic view of service drainage in the chained same-node outbound direction disclosed in the present application;
FIG. 9 is a schematic view of service drainage in the chained same-node inbound direction disclosed in the present application;
FIG. 10 is a schematic view of service drainage in the chained cross-node outbound direction disclosed in the present application;
FIG. 11 is a schematic view of service drainage in the chained cross-node inbound direction disclosed in the present application;
FIG. 12 is a schematic structural view of a service drainage device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
As cloud computing technology has matured and applications increasingly demand flexible expansion, high availability and the like, more and more enterprises choose to migrate their services from physical machines in an on-premises machine room to cloud hosts in a cloud data center. The cloud brings many benefits to an enterprise: it saves the heavy-asset investment in IT infrastructure, lets cloud hosts be opened on demand according to the service scale, and effectively reduces early cost, particularly for small and medium-sized enterprises and start-ups; in addition, as the scale of a user's service grows, cloud resources can be added at any time to deploy the service incrementally, and when some services shrink, cloud resources can be released to save cost. As users move to the cloud, a complete application infrastructure forms on the cloud and supports their services. In a traditional data center, non-service type devices generally exist as physical devices deployed at the edge of the physical network; user service traffic is guided by configuring routing table entries or policy routing entries, and specific service traffic is directed to one or more non-service type devices for security filtering, virus protection, log auditing and the like, so as to ensure the security and robustness of the service, or to perform related statistical monitoring.
Because non-service type devices in a traditional data center are expensive and deployed centrally, one device often serves users across the whole data center, so the service traffic of different users may have to be processed by the same border device. This is not conducive to the security isolation of user services, and the configuration interfaces of the border device must be exposed to users, which is a further security risk. Virtualizing non-service type devices and migrating them to the cloud meets the needs of services on the cloud and is also a basic requirement of enterprise informatization. Compared with a traditional data center, non-service type devices on the cloud differ markedly in form, deployment mode and the subjects they serve: in the traditional data center they exist as physical servers or dedicated physical devices, while on the cloud they exist as elastic cloud servers (ECS) or containers; in the traditional data center they are deployed in advance at the edge of the network by operations staff or an administrator, while on the cloud they are deployed on demand by the user, online and automatically, inside the user's own VPC; and in the traditional data center they generally serve all or many users, while the virtual non-service type devices a user creates on the cloud belong only to that user and are invisible to other users.
Once non-service type devices have migrated to the cloud, an important problem is service drainage. In a traditional data center such devices are generally connected directly in series at the network edge, so service drainage can be achieved with simple routing or policy routing configuration. In a virtualized cloud environment, however, they exist as elastic cloud servers or containers inside the user's own VPC, and traffic entering and leaving the network must be pulled from the VPC's virtual router. The VPC virtual router performs layer-3 routing between the subnets of the same VPC and also carries out the SNAT operation on outbound traffic and the DNAT operation on inbound traffic. If drainage under a fully distributed routing architecture were implemented with simple routing table entries or policy routes, the paths of the traffic entering and leaving the VPC, or the source and destination IP addresses of the packets in that traffic, would be asymmetric, so the security device could not establish a session and communication could not proceed.
The OpenStack community has also proposed a fully transparent SFC (Service Function Chain) scheme for the DVR architecture, which uses a transparent drainage scheme implemented entirely with flow tables. It has several obvious disadvantages: 1) it is highly intrusive to the data plane, since the drainage action is fused into the layer-2 forwarding logic, which easily introduces platform instability; 2) it scales poorly, since a series of flow tables must be added every time a protection target is added, involving a large amount of control plane and data plane interaction and putting great pressure on the system control plane; 3) it supports only one-way drainage, not two-way, so two symmetric chains must be built if symmetric two-way drainage is needed; 4) it does not support north-south service drainage, and traffic cannot be led out of the VPC's virtual router. Some optimizations of this scheme have been proposed, for example introducing a drainage transfer agent that converts north-south traffic into east-west traffic, after which the north-south traffic is drained by the full-flow-table transparent scheme; but these cannot fundamentally meet the stability, robustness and scalability requirements of a large-scale public cloud. The present application therefore provides a service drainage scheme that achieves a symmetric traffic path while preserving the stability and robustness of the cloud platform, and that scales well.
Referring to FIG. 1, an embodiment of the present application discloses a service drainage method including the following steps.
Step S11: acquire configuration information of the service drainage chain.
In a specific embodiment, the configuration information of the service drainage chain is acquired through a cloud computing management console. The user creates the service drainage chain on the cloud computing management console through its interface, so in this embodiment the configuration information of the chain is obtained from the console.
Step S12: hook each non-service type virtual device in the service drainage chain to a virtual router in the user VPC (Virtual Private Cloud) based on the configuration information, where the virtual router is deployed in the user VPC with a fully distributed architecture.
In a specific embodiment, the non-service type virtual devices in the service drainage chain are determined from the configuration information; an independent interconnection subnet is created in the user VPC for each of them; and each non-service type virtual device is connected to the virtual router in the user VPC through its interconnection subnet.
Step S13: generate outbound policy routes according to the forward order of the non-service type virtual devices in the service drainage chain, and inbound policy routes according to their reverse order.
An outbound policy route includes a source IP, a source port, a transport-layer protocol type, a packet ingress port and next-hop information; an inbound policy route includes a destination IP, a destination port, a transport-layer protocol type, a packet ingress port and next-hop information.
Moreover, the packet ingress port of the first policy route in the outbound direction is the VPC default gateway port, and the packet ingress port of each subsequent route is the default gateway port of the interconnection subnet of the previous-hop non-service type virtual device; the packet ingress port of the first policy route in the inbound direction is the interface connected to the external network, and the packet ingress port of each subsequent route is the default gateway port of the interconnection subnet of the previous-hop non-service type virtual device. Accordingly, the next hop of the first outbound policy route is the first non-service type virtual device of the service drainage chain, and the next hop of the first inbound policy route is the last non-service type virtual device of the chain.
Step S14: issue the outbound policy routes and the inbound policy routes to the virtual router, and perform service drainage based on them.
When the virtual router receives an outbound packet, it matches a first target outbound policy route among the outbound policy routes according to a first matching condition and performs service drainage based on that route; when it receives an inbound packet, it matches a second target inbound policy route among the inbound policy routes according to a second matching condition and performs service drainage based on that route. The first matching condition comprises the source IP, source port, transport-layer protocol type and packet ingress port; the second comprises the destination IP, destination port, transport-layer protocol type and packet ingress port. That is, in the present application the outbound policy routes are matched on a condition formed from the source IP, source port, transport-layer protocol type and packet ingress port, and the inbound policy routes on a condition formed from the destination IP, destination port, transport-layer protocol type and packet ingress port, so that both outbound and inbound traffic are pulled through the chain.
When a non-service type virtual device has finished processing a packet sent to it by the virtual router, it sends the processed packet back to the virtual router on the same physical node through its default route.
Further, in the embodiment of the present application, after the configuration information of the service drainage chain is acquired through the cloud computing management console, a preset northbound interface is called with that configuration, and step S12, step S13 and the step of issuing the outbound and inbound policy routes to the virtual router are started, completing the creation of the service drainage chain.
It can be seen that, in the embodiment of the present application, configuration information of a service drainage chain is obtained, each non-service type virtual device in the service drainage chain is hooked to a virtual router in a user VPC, a policy route is generated, service drainage is performed through the policy route, there is no intrusiveness on a data plane, stability and robustness of a cloud platform are ensured, and a scale of the policy route does not increase with an increase in the number of elastic cloud servers.
Further, in the embodiment of the present application, a virtual router on a physical node where a last non-service type virtual device in the service flow guide chain is located executes a SNAT operation for an outgoing flow; and performing DNAT operation aiming at the networking traffic through a virtual router on a physical node where the destination elastic cloud server is located. Therefore, service drainage in the north-south direction can be realized, and the symmetry of the message source IP and the destination IP is guaranteed.
And when the virtual router on the physical node where the last non-service type virtual device in the service flow guiding chain is located judges that the current message is an outgoing message according to the destination IP in the message, executing SNAT operation aiming at the outgoing flow. It can be understood that the virtual router on the physical node where the last non-traffic type virtual device in the service flow guiding chain is located does not match the outgoing policy route, and the traffic is sent through the default route. And the destination elastic cloud server is the elastic cloud server to which the message is sent.
That is, in the embodiment of the present application, the non-service type virtual device is deployed inside the VPC of the user, and is interconnected with the virtual router of the VPC through the independent interconnection subnet; the virtual router of the VPC adopts a fully distributed architecture, namely the virtual router of the VPC is generated on physical nodes related to resources in the VPC, and the virtual router on each node is only responsible for the routing of flow related to the VPC and SNAT/DNAT operation on the node; according to the user configuration information, issuing policy routing items on the virtual router, and redirecting the specified service flow to the user-defined non-service type virtual equipment; the bidirectional flow entering and exiting the VPC needs to pass through non-functional virtual equipment, and when strategy routing is configured, the exit direction or the entry direction is distinguished through a receiving port of a message; for a chain path formed by a plurality of non-service type virtual devices, an interconnection subnet needs to be established for each device and is connected to a virtual router of a VPC (virtual private network), flow is pulled from a first non-service type virtual device to a second non-service type virtual device through a strategy route, then the flow is pulled from the second to the third through the strategy route, and the like, so that a complete chain path is formed; and adopting asymmetric processing for SNAT/DNAT operation of the north-south flow, wherein the SNAT operation in the network-out direction is executed by a VPC virtual router of a node where the last non-service type virtual device is located, and the DNAT operation in the network-in direction is executed by a VPC virtual router on a node where the target elastic cloud server is located. 
Compared with a flow-table-based drainage scheme, the method only involves development of the control plane of the cloud computing platform, is non-invasive to the data plane, and does not impair the stability and robustness of the data plane; policy routing achieves full-path, symmetric forward and reverse traffic steering and can support various non-service type virtual devices, including security devices, monitoring devices, log auditing devices and the like; service drainage under a fully distributed routing architecture is supported, and chained and cross-node north-south service drainage is supported through asymmetric SNAT/DNAT operations; the guided traffic is pulled hop by hop directly from the virtual router of the VPC through policy routes, without introducing an additional drainage relay agent, which effectively reduces deployment cost; the non-service type virtual devices are simple to configure, each device only needing a default route pointing to the gateway of its interconnection subnet, so that complex chained drainage is achieved without any other external configuration; and the size of the policy routing table does not grow with the number of elastic cloud servers added as drainage sources, which gives good scalability compared with a flow-table-based service drainage scheme.
Further, referring to fig. 2, an embodiment of the present application discloses an implementation architecture diagram of a specific service drainage scheme, including the following components: a northbound interface; a configuration database; a service chain management module; a virtual network L3 management module; and an interconnection subnet management module. Wherein:
Northbound interface: provides a series of RESTful interfaces to the cloud computing management platform or a third-party platform for creating, modifying, deleting and viewing the user-defined service drainage chain.
Configuration database: records the configuration information of the service drainage chains created by users.
Service chain management module: responsible for the specific behaviors of creating, modifying and deleting the service drainage chain; it calls the relevant functions of the interconnection subnet management module to create an interconnection subnet for each non-service type virtual device, and calls the relevant interfaces of the virtual network L3 management module to create policy routing entries and issue them to the virtual router of the VPC, thereby achieving traffic pulling on the data plane.
Virtual network L3 management module: responsible for route management and policy route management of the VPC virtual router, including adding routes and policy routes, deleting routes and policy routes, modifying the next hop of routes and policy routes, querying the currently configured route and policy route information, and the like.
Interconnection subnet management module: responsible for managing the interconnection subnets for the non-service type virtual devices in the VPC, including creation and deletion, and for hooking the interconnection subnets onto the virtual router of the VPC, so that communication between the non-service type virtual devices and the user's VPC is achieved.
The following describes the execution process of the control plane, taking the creation of a service drainage chain by a user as an example; the specific process is as follows: the user creates a service drainage chain on the cloud computing management console through the interface; the cloud computing management console calls the northbound interface of the service drainage system to create the service drainage chain; the northbound interface calls the service chain management module to start creating the service drainage chain, and the configuration information is recorded in the configuration database; the service chain management module calls the interface of the interconnection subnet management module to create an interconnection subnet for each non-service type virtual device and hook it onto the virtual router of the user VPC; the service chain management module calls the interface of the virtual network L3 management module to issue a policy route for each non-service type virtual device, where the policy routes include an outgoing direction and an incoming direction and are distinguished by source IP and destination IP respectively. Assuming that an outgoing policy route is to be defined for the traffic of TCP port 1010 of an elastic cloud server with IP 10.0.1.1, it is defined as: source IP 10.0.1.1, source port 1010, transport layer protocol type TCP, next hop the first node of the service drainage chain; and the incoming policy route is defined as: destination IP 10.0.1.1, destination port 1010, transport layer protocol type TCP, next hop the last node of the service drainage chain. That is, the next hops of the outgoing policy route and the incoming policy route are symmetric with respect to the service chain. At this point, the creation process of the service drainage chain is complete.
Referring to fig. 3, fig. 3 is a schematic view illustrating the service drainage principle disclosed in an embodiment of the present application. A message sent by an elastic cloud server (VM) in a subnet first reaches the virtual router (vrouter) of the virtual private cloud (VPC); the virtual router sends the message to the virtual firewall VFW on the node through policy-based routing (PBR); the virtual firewall VFW performs security protection filtering, and if the message is allowed to pass, it is sent back to the virtual router vrouter through a default route; after the virtual router vrouter receives the message, it can judge from the destination IP of the message that it is an outgoing message, executes the SNAT operation, and maps the source IP of the message to a public network IP or to a floating IP that is mapped one-to-one to a public network IP; the virtual router vrouter then sends the message to the device on the upper layer of the topology to perform further address mapping, or outputs it directly to the public network, and the outgoing process is finished. Further, the execution process of the data plane is divided into a number of possible scenarios, including same-node outgoing, same-node incoming, cross-node outgoing, cross-node incoming, chained same-node outgoing, chained same-node incoming, chained cross-node outgoing and chained cross-node incoming, which are described in turn below.
Referring to fig. 4, fig. 4 is a schematic view of service drainage in the same-node outgoing direction disclosed in the embodiment of the present application, where the service drainage in the same-node outgoing direction includes the following steps:
step 21: a message sent by an elastic cloud server VM firstly reaches a virtual router vrouter of the VPC on a current physical server (namely a computing node 1);
step 22: the virtual router sends the message to a virtual firewall VFW on the node through a policy routing (PBR);
step 23: the virtual firewall VFW carries out safety protection filtering, if the message is allowed to pass through, the message is sent to the virtual router vrouter again through a default route, the step 24 is skipped, and otherwise the message is discarded;
step 24: after receiving the message, the virtual router vrouter can judge that the message is an outgoing message according to the destination IP of the message, execute SNAT operation, map the source IP of the message into a public network IP or a floating IP which is mapped in a one-to-one manner with the public network IP from an internal network IP, and the mapping from the floating IP to the public network IP is completed by equipment on a higher layer;
step 25: and the virtual router vrouter sends the message to equipment on a higher layer of the topology to execute further address mapping or directly output the message to a public network, and the network output is finished.
Referring to fig. 5, fig. 5 is a schematic view of service drainage in the same-node network access direction disclosed in the embodiment of the present application, where the service drainage in the same-node network access direction includes the following steps:
step 31: a message from a public network reaches a VPC virtual router vrouter on a current physical server (namely a computing node 1);
step 32: the virtual router vrouter executes DNAT operation, and maps the message destination IP from the public network IP into the intranet IP of the elastic cloud server VM;
step 33: the virtual router sends the message to a virtual firewall VFW on the node through policy routing;
step 34: the virtual firewall VFW carries out safety protection filtering, if the message is allowed to pass through, the message is sent back to the virtual router vrouter through a default route, the step 35 is skipped, and otherwise, the message is discarded;
step 35: and the virtual router vrouter sends the message to a target host, namely the elastic cloud server VM, through a direct route, and thus, the network access is completed.
Referring to fig. 6, fig. 6 is a schematic view of service drainage in a cross-node outgoing direction disclosed in an embodiment of the present application, where the service drainage in the cross-node outgoing direction includes the following steps:
step 41: a message sent by an elastic cloud server VM first reaches a virtual router vrouter of the VPC on a current physical server (namely a computing node 1);
step 42: a virtual router vrouter on the computing node 1 sends a message to a virtual firewall VFW on the computing node 2 through policy routing;
step 43: the VFW on the computing node 2 carries out safety protection filtering, if the message is allowed to pass through, the message is sent to a virtual router vrouter on the computing node 2 through a default route, and the step 44 is skipped to, otherwise, the message is discarded;
step 44: after receiving the message, the virtual router vrouter on the computing node 2 can judge that the message is an outgoing message according to the destination IP of the message, execute SNAT operation, map the source IP of the message from the intranet IP to the public network IP or a floating IP mapped in one-to-one correspondence with the public network IP, and the mapping from the floating IP to the public network IP is completed by higher-layer equipment;
step 45: and the virtual router vrouter on the computing node 2 sends the message to equipment at the upper layer of the topology to execute further address mapping or directly output to the public network, and the network output is finished.
Referring to fig. 7, fig. 7 is a schematic view of service drainage in a cross-node network access direction disclosed in an embodiment of the present application, where the service drainage in the cross-node network access direction includes the following steps:
step 51: the message from the public network reaches the VPC virtual router vrouter on the physical server (namely computing node 1) where the elastic cloud server VM is located;
step 52: a virtual router vrouter on the computing node 1 executes DNAT operation, and maps a message destination IP from a public network IP into an intranet IP of the elastic cloud server VM;
step 53: the virtual router vrouter on computing node 1 sends the message to the virtual firewall VFW on computing node 2 through policy routing;
step 54: the VFW on the computing node 2 carries out safety protection filtering, if the message is allowed to pass through, the message is sent to a virtual router vrouter on the computing node 2 through a default route, and the step 55 is skipped to, otherwise, the message is discarded;
step 55: and the virtual router vrouter on the computing node 2 sends the message to a target host, namely the elastic cloud server VM, through the direct route, and then network access is completed.
Referring to fig. 8, fig. 8 is a schematic view of service drainage in the chain-type same-node outgoing direction disclosed in the embodiment of the present application, where the service drainage in the chain-type same-node outgoing direction includes the following steps:
step 61: a message sent by an elastic cloud server VM first reaches a virtual router vrouter of the VPC on a current physical server (namely a computing node 1);
step 62: a virtual router vrouter on the computing node 1 sends a message to a virtual firewall VFW on the computing node 1 through policy routing;
step 63: the virtual firewall VFW on computing node 1 carries out security protection filtering; if the message is allowed to pass through, the message is sent back to the virtual router vrouter on computing node 1 through a default route and step 64 is executed, otherwise the message is discarded;
step 64: a virtual router vrouter on the computing node 1 sends a message to a Web application firewall WAF on the computing node 1 through policy routing;
step 65: the Web application firewall WAF on the computing node 1 executes security protection filtering, if the message is allowed to pass through, the message is sent back to the virtual router vrouter on the computing node 1 through a default route, and the step 66 is skipped, otherwise, the message is discarded;
step 66: after receiving the message, the virtual router vrouter on computing node 1 can judge that the message is an outgoing message according to the destination IP of the message, executes the SNAT operation, and maps the source IP of the message from the intranet IP to the public IP or to a floating IP mapped one-to-one with the public IP, the mapping from the floating IP to the public IP being completed by higher-layer equipment;
step 67: and the virtual router vrouter on the computing node 1 sends the message to equipment at the upper layer of the topology to execute further address mapping or directly output to the public network, and the network output is finished.
Referring to fig. 9, fig. 9 is a schematic view of service drainage in a chain-type same-node network access direction disclosed in an embodiment of the present application, where the service drainage in the chain-type same-node network access includes the following steps:
step 71: a message from the public network reaches the VPC virtual router vrouter on the physical server (namely computing node 1) where the elastic cloud server VM is located;
step 72: a virtual router vrouter on the computing node 1 executes DNAT operation, and maps a message destination IP from a public network IP into an intranet IP of the elastic cloud server VM;
step 73: a virtual router vrouter on the computing node 1 sends a message to a Web application firewall WAF on the computing node 1 through policy routing;
step 74: a Web application firewall WAF on the computing node 1 carries out safety protection filtering, if the message is allowed to pass through, the message is sent back to a virtual router vrouter on the computing node 1 through a default route, and the step 75 is skipped, otherwise, the message is discarded;
step 75: the virtual router on the computing node 1 sends the message to a virtual firewall VFW on the computing node 1 for safety protection filtering through policy routing, if the message is allowed to pass through, the message is sent back to the virtual router vrouter on the computing node 1 through a default route, and the step 76 is skipped, otherwise, the message is discarded;
step 76: and the virtual router vrouter on the computing node 1 sends the message to a target host, namely the elastic cloud server VM, through a direct route, and thus, the network access is completed.
Referring to fig. 10, fig. 10 is a schematic view of service drainage in a chain-type cross-node outgoing direction disclosed in an embodiment of the present application, where the service drainage in the chain-type cross-node outgoing direction includes the following steps:
step 81: a message sent by an elastic cloud server VM first reaches a virtual router vrouter of the VPC on a current physical server (namely a computing node 1);
step 82: a virtual router vrouter on the computing node 1 sends a message to a virtual firewall VFW on the computing node 2 through policy routing;
step 83: a virtual firewall VFW on the computing node 2 carries out safety protection filtering, if the message is allowed to pass through, the message is sent to a virtual router vrouter on the computing node 2 through a default route, and the step 84 is skipped, otherwise, the message is discarded;
step 84: a virtual router vrouter on the computing node 2 sends a message to a Web application firewall WAF on the computing node 3 through policy routing;
step 85: the Web application firewall WAF on computing node 3 executes security protection filtering; if the message is allowed to pass through, the message is sent to the virtual router vrouter on computing node 3 through a default route and step 86 is executed, otherwise the message is discarded;
step 86: after receiving the message, the virtual router vrouter on the computing node 3 can judge that the message is an outgoing message according to the destination IP of the message, execute SNAT operation, map the source IP of the message from the intranet IP to the public network IP or a floating IP mapped in one-to-one correspondence with the public network IP, and the mapping from the floating IP to the public network IP is completed by higher-layer equipment;
step 87: and the virtual router vrouter on the computing node 3 sends the message to equipment at the upper layer of the topology to execute further address mapping or directly output the message to the public network, and the network output is finished.
Referring to fig. 11, fig. 11 is a schematic view of service drainage in a chain-type cross-node network access direction disclosed in the embodiment of the present application, where the service drainage in a chain-type cross-node network access includes the following steps:
step 91: the message from the public network reaches the VPC virtual router vrouter on the physical server (namely computing node 1) where the elastic cloud server VM is located;
step 92: the virtual router vrouter on computing node 1 executes the DNAT operation and maps the message destination IP from the public network IP to the intranet IP of the elastic cloud server VM;
step 93: a virtual router vrouter on a computing node 1 sends a message to a Web application firewall WAF on a computing node 3 through policy routing;
step 94: a Web application firewall WAF on the computing node 3 carries out safety protection filtering, if the message is allowed to pass through, the message is sent to a virtual router vrouter on the computing node 3 through a default route, and the step 95 is skipped, otherwise, the message is discarded;
step 95: the virtual router on computing node 3 sends the message through policy routing to the virtual firewall VFW on computing node 2 for security protection filtering; if the message is allowed to pass through, the message is sent back to the virtual router vrouter on computing node 2 through a default route and step 96 is executed, otherwise the message is discarded;
step 96: and the virtual router vrouter on the computing node 2 sends the message to a target host, namely the elastic cloud server VM, through the direct route, and then network access is completed.
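As an added illustration (not code from the patent or its applicant), the following Python models the control-plane procedure described above for creating a service drainage chain (one outgoing and one incoming policy route per non-service type virtual device, keyed on the receiving port, with the matching fields listed later for the outgoing and incoming routes) and then walks a message through the chained cross-node scenarios of figs. 10 and 11, applying SNAT on the node of the last device and DNAT on the node of the VM. Device placement, port identifiers, addresses and the filtering rule are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed model of the patent's policy-route steering; all names and
# identifiers ("p-vm", "p-uplink", node names, addresses) are assumptions.


@dataclass(frozen=True)
class Device:
    name: str            # non-service type virtual device, e.g. "VFW" or "WAF"
    node: str            # physical node hosting it (assumed placement)
    in_port: str         # vrouter port on the device's own interconnection subnet
    deny_ports: frozenset = frozenset()  # destination ports the device filters out


@dataclass(frozen=True)
class PolicyRoute:
    direction: str       # "out" or "in"
    ip: str              # source IP (out) / destination IP (in)
    port: int            # source port (out) / destination port (in)
    proto: str           # transport layer protocol type
    in_port: str         # port the vrouter received the message on
    next_hop: str        # device the message is redirected to


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    in_port: str


@dataclass
class Trace:
    visited: List[str]        # devices traversed, in order
    nat_node: Optional[str]   # node whose vrouter performed SNAT (out) / DNAT (in)
    delivered: bool           # False when a device discarded the message


def generate_policy_routes(chain: List[Device], vm_ip: str, vm_port: int, proto: str,
                           vm_subnet_port: str, uplink_port: str) -> List[PolicyRoute]:
    """Outgoing routes follow the chain forward, incoming routes follow it in reverse.
    Each hop is keyed on the receiving port: the VM subnet port (or the uplink port)
    for the first hop, the previous device's interconnection port after that."""
    routes: List[PolicyRoute] = []
    prev = vm_subnet_port
    for dev in chain:
        routes.append(PolicyRoute("out", vm_ip, vm_port, proto, prev, dev.name))
        prev = dev.in_port
    # No "out" route is keyed on the last device's port: that traffic falls
    # through to the default route and is SNATed by the local vrouter.
    prev = uplink_port
    for dev in reversed(chain):
        routes.append(PolicyRoute("in", vm_ip, vm_port, proto, prev, dev.name))
        prev = dev.in_port
    # Likewise no "in" route on the first device's port: direct route to the VM.
    return routes


def match(routes: List[PolicyRoute], pkt: Packet, direction: str) -> Optional[PolicyRoute]:
    """First matching condition (out) uses source IP/port, second (in) destination IP/port."""
    key_ip, key_port = (pkt.src_ip, pkt.src_port) if direction == "out" else (pkt.dst_ip, pkt.dst_port)
    for r in routes:
        if (r.direction == direction and r.ip == key_ip and r.port == key_port
                and r.proto == pkt.proto and r.in_port == pkt.in_port):
            return r
    return None


def _pull_through_chain(routes, devices: Dict[str, Device], pkt: Packet, direction: str):
    """Hop through devices via policy routes until none matches. Returns (visited, node, ok)."""
    visited: List[str] = []
    node: Optional[str] = None
    while True:
        r = match(routes, pkt, direction)
        if r is None:
            return visited, node, True
        dev = devices[r.next_hop]
        visited.append(dev.name)
        if pkt.dst_port in dev.deny_ports:      # device filtering: message discarded
            return visited, dev.node, False
        # The device allows it and sends it back via its default route to the
        # vrouter instance on its own node; the message now arrives on the device's port.
        node = dev.node
        pkt = replace(pkt, in_port=dev.in_port)


def walk_out(routes, devices, pkt: Packet, vm_node: str) -> Trace:
    visited, node, ok = _pull_through_chain(routes, devices, pkt, "out")
    if not ok:
        return Trace(visited, None, False)
    # Default route: outgoing message, so SNAT runs where the last device sits
    # (or on the VM's own node when no policy route matched at all).
    return Trace(visited, node or vm_node, True)


def walk_in(routes, devices, pkt: Packet, vm_node: str, vm_ip: str) -> Trace:
    # A message from the public network reaches the vrouter on the VM's node,
    # which performs DNAT (public/floating IP -> intranet IP) before policy routing.
    pkt = replace(pkt, dst_ip=vm_ip)
    visited, _, ok = _pull_through_chain(routes, devices, pkt, "in")
    return Trace(visited, vm_node, ok)


def chain_cross_node_example():
    """Constructed scenario after figs. 10 and 11: VM on node1, VFW on node2, WAF on node3."""
    vfw = Device("VFW", "node2", "p-vfw", frozenset({23}))
    waf = Device("WAF", "node3", "p-waf")
    devices = {d.name: d for d in (vfw, waf)}
    routes = generate_policy_routes([vfw, waf], "10.0.1.1", 1010, "TCP", "p-vm", "p-uplink")
    out = walk_out(routes, devices, Packet("10.0.1.1", 1010, "203.0.113.7", 443, "TCP", "p-vm"), "node1")
    inb = walk_in(routes, devices, Packet("198.51.100.9", 51000, "203.0.113.10", 1010, "TCP", "p-uplink"),
                  "node1", "10.0.1.1")
    return routes, devices, out, inb
```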
Referring to fig. 12, an embodiment of the present application discloses a service drainage apparatus, including a configuration information obtaining module 11, a virtual device hooking module 12, a policy route generating module 13, a policy route issuing module 14, and a virtual router 15, wherein,
the configuration information obtaining module 11 is configured to obtain configuration information of a service drainage chain;
the virtual device hooking module 12 is configured to hook each non-service type virtual device in the service flow guiding chain to a virtual router in the user VPC based on the configuration information; the virtual router is deployed in the user VPC by adopting a fully distributed architecture;
the policy route generating module 13 is configured to generate an outgoing policy route according to a forward sequence of each non-service type virtual device in the service drainage chain, and generate an incoming policy route according to a reverse sequence of each non-service type virtual device;
the policy route issuing module 14 is configured to issue the outgoing policy route and the incoming policy route to the virtual router;
the virtual router 15 is configured to perform service steering based on the outbound policy routing and the inbound policy routing.
As can be seen, in the embodiment of the present application, the configuration information of a service drainage chain is obtained first, and then each non-service type virtual device in the service drainage chain is hooked onto a virtual router in the user VPC based on the configuration information, the virtual router being deployed in the user VPC with a fully distributed architecture; an outgoing policy route is then generated according to the forward sequence of the non-service type virtual devices in the service drainage chain and an incoming policy route according to their reverse sequence; finally the outgoing policy route and the incoming policy route are issued to the virtual router, and service drainage is carried out based on them. That is, the configuration information of the service drainage chain is obtained, each non-service type virtual device in the chain is connected to the virtual router in the user VPC, policy routes are generated, and service drainage is performed through those policy routes; this is non-invasive to the data plane, so the stability and robustness of the cloud platform are preserved, and the size of the policy routing table does not grow with the number of elastic cloud servers.
The virtual router on the physical node where the last non-service type virtual device in the service flow guide chain is located is used for executing SNAT operation aiming at the outgoing flow;
and the virtual router on the physical node where the destination elastic cloud server is located is used for executing DNAT operation aiming at the network access traffic.
And when the virtual router on the physical node where the last non-service type virtual device in the service flow guiding chain is located judges that the current message is an outgoing message according to the destination IP in the message, executing SNAT operation aiming at the outgoing flow.
The virtual device hooking module 12 is specifically configured to determine, based on the configuration information, a non-service type virtual device in the service drainage chain; creating an independent interconnection sub-network for each non-service type virtual device in a user VPC; and each non-service type virtual device is connected to a virtual router in the user VPC through the interconnection sub-network.
In a specific embodiment, the configuration information obtaining module is specifically configured to:
acquiring configuration information of a service drainage chain through a cloud computing management console;
correspondingly, the device is also used for: and calling a preset northbound interface based on the configuration information, and starting the virtual equipment hooking module 12.
The outgoing policy routing comprises a source IP, a source port, a transport layer protocol type, a message incoming port and next hop information; the network access strategy route comprises a destination IP, a destination port, a transport layer protocol type, a message input port and next hop information.
In a particular embodiment of the present invention,
the virtual router is used for matching, when an outgoing message is received, a first target outgoing policy route among the outgoing policy routes according to a first matching condition, and conducting service drainage based on the first target outgoing policy route; and, when an incoming message is received, matching a second target incoming policy route among the incoming policy routes according to a second matching condition, and conducting service drainage based on the second target incoming policy route;
the first matching condition comprises a source IP, a source port, a transmission layer protocol type and a message input port, and the second matching condition comprises a target IP, a target port, a transmission layer protocol type and a message input port.
Further, the embodiment of the present application also discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the service drainage method disclosed in the foregoing embodiment.
For the specific process of the service drainage method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated herein.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The service drainage method, device and medium provided by the present application are described in detail above, and the principle and the implementation of the present application are explained in the present application by applying specific examples, and the description of the above examples is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A service drainage method, comprising:
acquiring configuration information of a service drainage chain;
hooking each non-service type virtual device in the service drainage chain onto a virtual router in a user VPC based on the configuration information; the virtual router is deployed in the user VPC by adopting a fully distributed architecture;
generating an outgoing strategy route according to the forward sequence of each non-service type virtual device in the service drainage chain and generating an incoming strategy route according to the reverse sequence of each non-service type virtual device;
and issuing the outgoing strategy route and the incoming strategy route to the virtual router, and carrying out service drainage based on the outgoing strategy route and the incoming strategy route.
2. The service drainage method according to claim 1, further comprising:
executing SNAT operation aiming at the outgoing flow through a virtual router on a physical node where the last non-service type virtual device in the service flow guiding chain is located;
and performing DNAT operation aiming at the networking traffic through a virtual router on a physical node where the destination elastic cloud server is located.
3. The service drainage method according to claim 2, wherein the performing, by the virtual router on the physical node where the last non-traffic type virtual device in the service drainage chain is located, a SNAT operation for the outbound traffic includes:
and when the virtual router on the physical node where the last non-service type virtual device in the service flow guiding chain is located judges that the current message is an outgoing message according to the destination IP in the message, executing SNAT operation aiming at the outgoing flow.
4. The service drainage method according to claim 1, wherein the hooking each non-traffic type virtual device in the service drainage chain to a virtual router in a customer VPC based on the configuration information comprises:
determining a non-traffic type virtual device in the service drainage chain based on the configuration information;
creating an independent interconnected subnet for each non-service type virtual device in a user VPC;
and each non-service type virtual device is connected to a virtual router in the user VPC through the interconnection sub-network.
5. The service drainage method according to claim 1, wherein the obtaining configuration information of the service drainage chain comprises:
acquiring configuration information of a service drainage chain through a cloud computing management console;
correspondingly, the method further comprises the following steps: calling a preset northbound interface based on the configuration information, and starting the step of hooking each non-service type virtual device in the service flow guiding chain to a virtual router in a user VPC based on the configuration information.
6. The service steering method according to any one of claims 1 to 5, wherein the outbound policy routing comprises a source IP, a source port, a transport layer protocol type, a messaging port, and next hop information; the network access strategy route comprises a destination IP, a destination port, a transport layer protocol type, a message input port and next hop information.
7. The service drainage method according to claim 6, wherein the conducting service drainage based on the outbound policy routing and the inbound policy routing comprises:
when the virtual router receives an outgoing message, matching a first target outgoing policy route in the outgoing policy routes according to a first matching condition, and performing service drainage based on the first target outgoing policy route;
when the virtual router receives the network access message, matching a second target network access strategy route in the network access strategy routes according to a second matching condition, and performing service drainage based on the second target network access strategy route;
the first matching condition comprises a source IP, a source port, a transmission layer protocol type and a message input port, and the second matching condition comprises a target IP, a target port, a transmission layer protocol type and a message input port.
8. A service flow guiding device is characterized by comprising a configuration information acquisition module, a virtual equipment hanging module, a strategy route generation module, a strategy route issuing module and a virtual router, wherein,
the configuration information acquisition module is used for acquiring configuration information of the service drainage chain;
the virtual device hooking module is used for hooking each non-service type virtual device in the service drainage chain onto a virtual router in a user VPC based on the configuration information; the virtual router is deployed in the user VPC by adopting a fully distributed architecture;
the policy routing generation module is configured to generate an outbound policy routing according to a forward sequence of each non-service type virtual device in the service drainage chain, and generate an inbound policy routing according to a reverse sequence of each non-service type virtual device;
the policy routing issuing module is configured to issue the outgoing policy routing and the incoming policy routing to the virtual router;
and the virtual router is used for carrying out service drainage based on the network-out strategy route and the network-in strategy route.
9. The service drainage device according to claim 8, wherein
the virtual router on the physical node hosting the last non-service-type virtual device in the service drainage chain is configured to perform SNAT on outbound traffic;
and the virtual router on the physical node hosting the destination elastic cloud server is configured to perform DNAT on inbound traffic.
10. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the service drainage method of any of claims 1 to 7.
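The following is an added worked example, not code from the patent or from Inspur: it models the policy-route table of claims 6 to 9 in Python so the symmetry of the chain can be checked. The chain of three middleboxes (fw, ids, waf), the physical node names, the addresses, the router port naming scheme (`port:<device>`, `port:ecs`, `port:uplink`) and the `uplink`/`ecs` next-hop sentinels are all constructed for this example. Outbound routes are generated in forward chain order and match on source IP, source port, protocol and ingress port; inbound routes are generated in reverse order and match on destination IP, destination port, protocol and ingress port. Because SNAT is applied only after the last device and DNAT only at the ECS's node (claim 9), the outbound rules key on the ECS's private address and the inbound rules on the public address the whole way through the chain.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

ANY = None  # wildcard for the port field of a policy route


@dataclass(frozen=True)
class Device:
    """A non-service-type virtual device (middlebox) attached to the virtual router."""
    name: str
    node: str  # physical node hosting the device (constructed for this example)

    @property
    def port(self) -> str:
        # Router port facing this device; what the device returns re-enters on it.
        return f"port:{self.name}"


@dataclass(frozen=True)
class PolicyRoute:
    direction: str        # "out" = outbound policy route, "in" = inbound policy route
    ip: str               # source IP for "out", destination IP for "in"
    port: Optional[int]   # source/destination port, ANY = wildcard
    proto: str            # transport-layer protocol type
    in_port: str          # router port the message arrived on
    next_hop: str         # device port to hand the message to, or "uplink" / "ecs"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    in_port: str


def build_routes(chain: List[Device], ecs_ip: str, public_ip: str,
                 proto: str, svc_port: int) -> List[PolicyRoute]:
    """Claim 8: outbound routes follow the chain forward, inbound routes reverse it."""
    routes: List[PolicyRoute] = []
    # outbound: ecs -> chain[0] -> ... -> chain[-1] -> uplink (SNAT happens after last hop)
    fwd = [d.port for d in chain]
    for src, nxt in zip(["port:ecs"] + fwd, fwd + ["uplink"]):
        routes.append(PolicyRoute("out", ecs_ip, ANY, proto, src, nxt))
    # inbound: uplink -> chain[-1] -> ... -> chain[0] -> ecs (DNAT happens at the ECS node)
    rev = [d.port for d in reversed(chain)]
    for src, nxt in zip(["port:uplink"] + rev, rev + ["ecs"]):
        routes.append(PolicyRoute("in", public_ip, svc_port, proto, src, nxt))
    return routes


def match(pkt: Packet, routes: List[PolicyRoute], direction: str) -> Optional[PolicyRoute]:
    """Claim 7: first matching condition (out) uses src IP/port, second (in) uses dst IP/port;
    both also require the protocol type and the ingress port to agree."""
    ip, port = (pkt.src_ip, pkt.src_port) if direction == "out" else (pkt.dst_ip, pkt.dst_port)
    for r in routes:
        if (r.direction == direction and r.ip == ip and r.proto == pkt.proto
                and r.in_port == pkt.in_port and (r.port is ANY or r.port == port)):
            return r
    return None


def steer(pkt: Packet, routes: List[PolicyRoute], direction: str,
          chain: List[Device]) -> Optional[List[str]]:
    """Walk a message through the router until it leaves for the uplink or the ECS.

    Returns the device names traversed in order, or None when no policy route
    claims the message at its first hop (it then takes ordinary routing).
    """
    by_port: Dict[str, str] = {d.port: d.name for d in chain}
    path: List[str] = []
    for _ in range(len(chain) + 2):  # bounded: a broken table must not spin forever
        r = match(pkt, routes, direction)
        if r is None:
            if not path:
                return None
            raise LookupError(f"chain broken after {path}: no route from {pkt.in_port}")
        if r.next_hop in ("uplink", "ecs"):
            return path
        path.append(by_port[r.next_hop])
        pkt = replace(pkt, in_port=r.next_hop)  # device hands the message back on its port
    raise RuntimeError("policy routes form a loop")


def nat_placement(chain: List[Device], ecs_node: str) -> Dict[str, str]:
    """Claim 9: SNAT on the node of the last device, DNAT on the node of the ECS."""
    return {"snat_node": chain[-1].node, "dnat_node": ecs_node}


# Constructed sample topology: three middleboxes on three nodes, one ECS behind them.
CHAIN = [Device("fw", "node-a"), Device("ids", "node-b"), Device("waf", "node-c")]
ECS_IP, PUBLIC_IP = "10.0.1.10", "203.0.113.5"
ROUTES = build_routes(CHAIN, ECS_IP, PUBLIC_IP, "tcp", 443)


def outbound_path() -> Optional[List[str]]:
    pkt = Packet(ECS_IP, 51000, "198.51.100.7", 443, "tcp", "port:ecs")
    return steer(pkt, ROUTES, "out", CHAIN)


def inbound_path() -> Optional[List[str]]:
    pkt = Packet("198.51.100.7", 51000, PUBLIC_IP, 443, "tcp", "port:uplink")
    return steer(pkt, ROUTES, "in", CHAIN)


def unsteered_path() -> Optional[List[str]]:
    # Different protocol: no policy route matches, so it is not pulled into the chain.
    pkt = Packet("198.51.100.7", 51000, PUBLIC_IP, 443, "udp", "port:uplink")
    return steer(pkt, ROUTES, "in", CHAIN)


if __name__ == "__main__":
    print("outbound:", outbound_path(), "inbound:", inbound_path())
    print("nat:", nat_placement(CHAIN, "node-x"), "udp:", unsteered_path())
```

The reverse-order generation is what makes a flow symmetric: the inbound path is exactly the outbound path reversed, so a stateful device such as the firewall sees both halves of every connection. The ingress port in both matching conditions is what distinguishes "just returned from the firewall" from "just left the ECS" when the IP tuple is otherwise identical; dropping it from the key would send a message back to the device it came from.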
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210319421.5A CN114760246B (en) 2022-03-29 Service drainage method, device and medium

Publications (2)

Publication Number Publication Date
CN114760246A true CN114760246A (en) 2022-07-15
CN114760246B CN114760246B (en) 2024-05-03

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115242788A (en) * 2022-07-27 2022-10-25 Guangdong Inspur Smart Computing Technology Co., Ltd. Flow data control method, device and medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190140863A1 (en) * 2017-11-06 2019-05-09 Cisco Technology, Inc. Dataplane signaled bidirectional/symmetric service chain instantiation for efficient load balancing
CN109889533A (en) * 2019-03-11 2019-06-14 Beijing Leadsec Technology Co., Ltd. Security defense method and system under a cloud environment, and computer-readable storage medium
CN109889621A (en) * 2019-01-18 2019-06-14 Beijing Baidu Netcom Science and Technology Co., Ltd. Configuration method and device for a virtual private cloud service
CN110392108A (en) * 2019-07-23 2019-10-29 Inspur Cloud Information Technology Co., Ltd. Public cloud network load balancing system architecture and implementation method
CN111355666A (en) * 2018-12-21 2020-06-30 Juniper Networks, Inc. Facilitating flow symmetry for service chains in a computer network
CN112039748A (en) * 2016-06-30 2020-12-04 Juniper Networks, Inc. Automatic discovery and automatic scaling of services in a software-defined network environment
CN112291252A (en) * 2020-11-02 2021-01-29 Inspur Cloud Information Technology Co., Ltd. Architecture and method for symmetric steering of north-south traffic
CN112838974A (en) * 2020-12-29 2021-05-25 New H3C Technologies Co., Ltd. Service chain drainage system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant