CN114785612A - Cloud platform management method, device, equipment and medium - Google Patents


Info

Publication number: CN114785612A
Authority: CN (China)
Prior art keywords: security component, access, port, cloud platform, relation
Legal status: Pending (Google Patents notes that the listed legal status is an assumption, not a legal conclusion)
Application number: CN202210505401.7A
Other languages: Chinese (zh)
Inventor: 潘高鹏
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd; priority to CN202210505401.7A; published as CN114785612A

Classifications

All under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a cloud platform management method, device, equipment and medium. The method comprises: acquiring an access relation establishment request sent by a security component in a cloud platform; responding to the request by establishing an access relation with the security component; and managing the security component through the access relation based on a local port and a port mapping relation, the port mapping relation being a mapping between the local port and a service port of the security component. The security component actively establishes the access relation with the cloud platform, and the cloud platform reaches the services in the security component through its local port according to the port mapping relation and the access relation. Because the security component initiates the connection and the cloud platform only ever accesses a mapped local port, the cloud platform needs no inbound path into the component's network, so cost is reduced while security is preserved.

Description

Cloud platform management method, device, equipment and medium
Technical Field
The present application relates to the field of cloud service technologies, and in particular, to a cloud platform management method, apparatus, device, and medium.
Background
At present, a cloud platform that manages security components must manage the network to ensure connectivity. In a VPC (Virtual Private Cloud) scenario the cloud platform cannot reach the security component directly, and the existing communication modes are mainly a dedicated-line VPN (Virtual Private Network), an EIP (Elastic IP) mapping, a dedicated network card, or installed agent software. These have the following problems: 1. Dedicated-line VPN: technically difficult, with high investment and maintenance cost. 2. EIP mapping: high network maintenance cost, and because an EIP is a public address the mapped component ports become reachable from the public network, so security is low. 3. Dedicated network card management: the extra network cards and lines increase cost. 4. Installing an agent: the agent is itself exposed by the mapping, so the security problem is essentially unsolved.
Disclosure of Invention
In view of this, an object of the present application is to provide a cloud platform management method, apparatus, device, and medium, which can reduce cost while ensuring security. The specific scheme is as follows:
in a first aspect, the present application discloses a cloud platform management method, including:
acquiring an access relation establishment request sent by a security component in a cloud platform;
responding to the access relation establishment request, and establishing the access relation with the security component;
managing the security component through the access relation based on a local port and a port mapping relation; wherein the port mapping relation is a mapping relation between the local port and a service port of the security component.
Optionally, the method further includes:
acquiring target data sent by the security component through the access relation; wherein, the target data is data containing the service port;
determining the port mapping relationship based on the target data.
Optionally, the target data is port data;
correspondingly, the determining the port mapping relationship based on the target data includes:
allocating a local port for the service port based on the port data to obtain the port mapping relation.
Optionally, the target data is a port mapping relationship corresponding to the service port preconfigured in the security component;
correspondingly, the determining the port mapping relationship based on the target data includes:
and directly determining the target data as the port mapping relation.
Optionally, the method further includes:
acquiring a newly added service port of the security component through the access relation;
allocating a local port for the newly added service port, and updating the port mapping relation to obtain an updated port mapping relation;
generating a configuration updating task corresponding to the security component based on the updated port mapping relation;
and acquiring a task query request sent by the security component, responding to the task query request, and issuing the configuration updating task to the security component so that the security component executes the configuration updating task.
Optionally, before the obtaining the request for establishing the access relationship sent by the security component in the cloud platform, the method further includes:
acquiring an access request sent by the security component;
and verifying the access request, and if the access request passes the verification, returning a password to the security component so that the security component can send the access relation establishment request based on the password.
Optionally, the method further includes:
creating a first process to obtain the access request sent by the security component through the first process; verifying the access request, and if the access request passes the verification, returning a password to the security component;
creating one or more second processes, wherein each second process is used for acquiring an access relation establishment request sent by a security component in a cloud platform; responding to the access relation establishing request, and establishing an access relation with the security component; and managing the security component based on the local port and the port mapping relation through the access relation.
In a second aspect, the present application discloses a cloud platform management device, which is applied to a cloud security service platform, and includes:
the request acquisition module is used for acquiring an access relationship establishment request sent by a security component in the cloud platform;
the relationship establishing module is used for responding to the access relationship establishing request and establishing the access relationship with the security component;
the component management module is used for managing the security component through the access relation based on a local port and a port mapping relation; wherein the port mapping relation is a mapping relation between the local port and a service port of the security component.
In a third aspect, the present application discloses an electronic device comprising a processor and a memory, wherein:
the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the cloud platform management method.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the aforementioned cloud platform management method.
In summary, an access relation establishment request sent by a security component in a cloud platform is obtained; the request is responded to by establishing the access relation with the security component; and the security component is then managed through the access relation based on a local port and a port mapping relation, the port mapping relation being a mapping between the local port and a service port of the security component. That is, in the present application the security component actively establishes the access relation with the cloud platform, and the cloud platform accesses the service in the security component through the local port according to the port mapping relation and the access relation, and thereby manages the security component.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic diagram of a system framework to which a cloud platform management scheme provided in the present application is applicable;
fig. 2 is a flowchart of a cloud platform management method disclosed in the present application;
fig. 3 is a flowchart of a specific cloud platform management method disclosed in the present application;
fig. 4 is a specific cloud platform management architecture diagram disclosed in the present application;
fig. 5 is another specific cloud platform management architecture diagram disclosed in the present application;
fig. 6 is a flowchart of a cloud platform management access method disclosed in the present application;
fig. 7 is a schematic structural diagram of a cloud platform management apparatus disclosed in the present application;
fig. 8 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
First, to explain the technical terms involved in the present application. A VPC is a logically isolated network space that a user customises on a public cloud, similar to a traditional network that the user operates in a data centre; it hosts the user's cloud service resources, such as cloud hosts, load balancers and cloud databases. The user can define subnet division, IP addresses and routing policies, and can implement layered protection through security groups, network ACLs (Access Control Lists) and the like. The VPC can also be connected to the user's own data centre through a VPN or a dedicated line, so that a hybrid cloud can be deployed flexibly.
NFV (Network Functions Virtualization) is a network architecture concept in which virtualization technology divides the functions of a network node into several functional blocks that are each implemented in software, without being tied to a particular hardware architecture.
The CSSP (Cloud Security Service Platform) provides an administrator interface and a tenant interface. On it a tenant can select and apply for the security components it needs, manage them, and check their authorization and operating state; an administrator can review the tenants' component applications and distribute the corresponding security components. The management platform is the bridge between the user and the underlying platform, and implements the definition of access paths between tenant networks and security components and the full life-cycle management of the components. In the present application the cloud platform may be a CSSP and the security component may be an NFV component.
In a VPC scenario the cloud platform cannot directly reach the security component to manage it, and the existing network access modes are mainly a dedicated-line VPN, an EIP mapping, a dedicated network card, or installed proxy software, with the following problems: 1. Dedicated-line VPN: technically difficult, with high investment and maintenance cost. 2. EIP mapping: high network maintenance cost and low security, since the mapped ports are exposed on a public address. 3. Dedicated network card management: the extra network cards and wiring increase cost. 4. Installing an agent: the agent is itself exposed by the mapping, so the security problem is essentially unsolved. The present cloud platform management scheme is therefore provided, which reduces cost while ensuring security.
In the cloud platform solution of the present application, the system framework adopted may be that of fig. 1, and may specifically include a server, a user side and a network. The user side includes, but is not limited to, a tablet computer, a notebook computer, a smart phone and a personal computer (PC).
The user operates the user side, which triggers the security component in the cloud platform to send an access relation establishment request to the cloud platform, and the server then executes the following steps: acquiring the access relation establishment request sent by the security component in the cloud platform; responding to the request by establishing the access relation with the security component; and managing the security component through the access relation based on a local port and a port mapping relation, wherein the port mapping relation is a mapping relation between the local port and a service port of the security component.
Referring to fig. 2, an embodiment of the present application discloses a cloud platform management access method, including:
step S11: and acquiring an access relation establishment request sent by the security component in the cloud platform.
In one embodiment, before acquiring an access relationship establishment request sent by a security component in a cloud platform, acquiring an access request sent by the security component; and verifying the access request, and if the access request passes the verification, returning a password to the security component so that the security component can send the access relation establishment request based on the password.
Further, in a specific implementation, an access request carrying a verification code may be obtained from the security component; the access request is verified through the verification code, and if the carried verification code is consistent with the locally held verification code, the access request is determined to pass verification.
The security component obtains the IP address or domain name of the cloud platform entered by the user and then sends the access request to the cloud platform. Before sending the access request it performs a parameter validity check on the entered IP address or domain name.
Step S12: and responding to the access relation establishment request, and establishing the access relation with the security component.
In a specific implementation, the encrypted data carried in the access relation establishment request may be decrypted with the password to obtain decrypted data, and the access relation with the security component is established based on the decrypted data. That is, the access relation is established only if decryption succeeds, which verifies the legitimacy of the security component. For this check to be meaningful the encryption must be authenticated (an AEAD mode or an encrypt-then-MAC construction), since an unauthenticated cipher decrypts any input under any key and reports no error.
In the subsequent communication the security component also exchanges data with the cloud platform based on the password: when it sends data to the cloud platform it encrypts the data with the password, and the cloud platform decrypts the data after receiving it, which protects the communication.
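The admission exchange described for steps S11 and S12 (access request with verification code, password issued, establishment request accepted only under that password), as an added example that is not part of the patent or of Sangfor's product; the names AccessGateway and sign_request, the 60-second freshness window and the nonce cache are assumptions. The patent leaves the cipher unspecified and says the establishment request is "decrypted based on the password"; this example stands in a keyed MAC (HMAC-SHA256 under the issued password) for that check, since a request that does not verify is rejected exactly as one that does not decrypt would be, and the standard library suffices. In production the body would additionally be wrapped in an authenticated cipher such as AES-GCM. Two checks the text does not spell out are included because a practitioner needs them: the verification code is compared in constant time, and each establishment request carries a timestamp and a nonce so that a captured request cannot be replayed to re-establish the relation.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Any, Dict, Optional

FRESHNESS_SECONDS = 60   # assumption: how old an establishment request may be and still be accepted


def sign_request(password: bytes, payload: Dict[str, Any]) -> Dict[str, str]:
    """Component side: build an establishment request bound to the issued password.

    The body carries a timestamp and a random nonce; the tag is HMAC-SHA256 of the
    serialised body under the password (stand-in for the patent's password-based encryption).
    """
    body = dict(payload, ts=int(time.time()), nonce=secrets.token_hex(16))
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(password, encoded.encode(), hashlib.sha256).hexdigest()
    return {"body": encoded, "tag": tag}


class AccessGateway:
    """Cloud-platform side (the patent's first process): verifies access requests,
    issues passwords, and admits establishment requests that verify under them."""

    def __init__(self, local_verification_code: str) -> None:
        self._code = local_verification_code.encode()
        self._passwords: Dict[str, bytes] = {}            # component_id -> issued password
        self._seen_nonces = set()                         # nonces already accepted (replay cache)
        self.established: Dict[str, Dict[str, Any]] = {}  # component_id -> admitted request data

    def handle_access_request(self, component_id: str, verification_code: str) -> Optional[bytes]:
        """Step before S11: check the verification code and return a fresh password, or None."""
        # compare_digest: a plain == would leak, through timing, how many leading bytes matched
        if not hmac.compare_digest(self._code, verification_code.encode()):
            return None
        password = secrets.token_bytes(32)                # random and per component, never shared
        self._passwords[component_id] = password
        return password

    def handle_establish_request(self, component_id: str,
                                 envelope: Dict[str, str]) -> Optional[Dict[str, Any]]:
        """Steps S11/S12: admit the request only if it verifies under this component's password."""
        password = self._passwords.get(component_id)
        if password is None:
            return None                                   # no successful access request came first
        expected = hmac.new(password, envelope["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            return None                                   # wrong password or tampered body
        data = json.loads(envelope["body"])
        if abs(time.time() - data["ts"]) > FRESHNESS_SECONDS or data["nonce"] in self._seen_nonces:
            return None                                   # stale or replayed request
        self._seen_nonces.add(data["nonce"])
        self.established[component_id] = data             # the access relation now exists
        return data
```

The component calls handle_access_request once with the verification code it was provisioned with, keeps the returned password, and signs every later establishment request with sign_request; the payload is where the service ports of step S13 travel. The replay cache grows without bound here; a real deployment prunes nonces older than the freshness window.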
Step S13: managing the security component through the access relation based on a local port and a port mapping relation, wherein the port mapping relation is a mapping relation between the local port and a service port of the security component.
In a specific implementation manner, service logic in the cloud platform accesses a local IP address and a local port, and then accesses a service in the security component through the access relationship based on the local port and the port mapping relationship to manage the security component.
Further, in the embodiment of the present application, the target data sent by the security component may be obtained through the access relationship; the target data is data containing the service port; determining the port mapping relationship based on the target data. That is to say, the port mapping relationship in the embodiment of the present application is determined based on the data sent by the security component, and the cloud platform acquires the service port opened by the security component through the data sent by the security component, thereby further ensuring the security of the security component.
In a specific embodiment, the target data is port data; correspondingly, determining the port mapping relation based on the target data includes allocating a local port for each service port based on the port data to obtain the port mapping relation. It can be understood that, after determining the port mapping relation, the cloud platform sends it to the security component, so that when the security component receives a service access request from the cloud platform it forwards the request to the corresponding service port according to the port mapping relation, thereby giving access to the corresponding service in the security component.
In another embodiment, the target data is a port mapping relationship corresponding to the service port pre-configured in the security component; correspondingly, the determining the port mapping relationship based on the target data includes: and directly determining the target data as the port mapping relation. That is, in the embodiment of the present application, a mapping relationship between a service port in a security component and a port of a cloud platform may be configured in advance in the security component.
In addition, the embodiment of the application can acquire the newly added service port of the security component through the access relationship; and distributing a local port for the newly added service port, and updating the port mapping relation to obtain an updated port mapping relation.
Moreover, a configuration update task corresponding to the security component can be generated based on the updated port mapping relation; a task query request sent by the security component is then obtained, and in response the configuration update task is issued to the security component so that the security component executes it. The task query request is sent by the security component at regular intervals.
In addition, the embodiment of the application may return the public key to the security component after the access request passes the verification, so that the security component sends the task query request based on the public key, that is, sends the task query request after encrypting the task query request data by using the public key. And the communication safety of the safety component and the cloud platform is further guaranteed.
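The port-mapping bookkeeping of step S13 and the configuration-update task queue described above, as an added example that is not part of the patent or of Sangfor's product; the class name PortMapper, the local port pool 30000 to 30999 and the acknowledgement step are assumptions. It covers both ways the text gives for obtaining the mapping (the component sends bare port data and the platform allocates, or the component sends a mapping preconfigured on its side which the platform checks before accepting), adds a service port later, and answers the component's periodic task query with the pending configuration-update task. The check on the preconfigured case is the one a practitioner wants: a component must not be able to claim a local port outside the platform's pool, or one already mapped for another component, because that would let one tenant's component receive traffic the platform meant for another.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ConfigUpdateTask:
    task_id: int
    component_id: str
    mapping: Dict[int, int]   # service_port -> local_port, the full mapping after the update


class PortMapper:
    """Cloud-platform side: allocates local ports for a component's service ports and
    queues configuration-update tasks for the component to fetch when it polls."""

    def __init__(self, pool_start: int = 30000, pool_end: int = 30999) -> None:
        self._free: List[int] = list(range(pool_start, pool_end + 1))  # unallocated local ports
        self.mappings: Dict[str, Dict[int, int]] = {}                   # component_id -> mapping
        self._tasks: Dict[str, List[ConfigUpdateTask]] = {}             # pending tasks per component
        self._next_task_id = 1

    def _take_local_port(self) -> int:
        if not self._free:
            raise RuntimeError("local port pool exhausted")
        return self._free.pop(0)

    def register(self, component_id: str, service_ports: List[int]) -> Dict[int, int]:
        """Target data is port data: allocate a local port per service port (idempotent)."""
        mapping = self.mappings.setdefault(component_id, {})
        for service_port in service_ports:
            if not 1 <= service_port <= 65535:
                raise ValueError(f"invalid service port {service_port}")
            if service_port not in mapping:
                mapping[service_port] = self._take_local_port()
        return dict(mapping)

    def register_preconfigured(self, component_id: str, mapping: Dict[int, int]) -> Dict[int, int]:
        """Target data is a mapping preconfigured in the component: accept it only if every
        local port lies in the pool, is still free, and is not claimed twice within the mapping."""
        if len(set(mapping.values())) != len(mapping):
            raise ValueError("duplicate local port in preconfigured mapping")
        for local_port in mapping.values():
            if local_port not in self._free:
                raise ValueError(f"local port {local_port} is outside the pool or already in use")
        for local_port in mapping.values():
            self._free.remove(local_port)
        self.mappings[component_id] = dict(mapping)
        return dict(mapping)

    def add_service_port(self, component_id: str, service_port: int) -> ConfigUpdateTask:
        """A newly opened service port: extend the mapping and queue a configuration-update task."""
        mapping = self.mappings[component_id]
        if service_port not in mapping:
            mapping[service_port] = self._take_local_port()
        task = ConfigUpdateTask(self._next_task_id, component_id, dict(mapping))
        self._next_task_id += 1
        self._tasks.setdefault(component_id, []).append(task)
        return task

    def poll_tasks(self, component_id: str) -> Optional[ConfigUpdateTask]:
        """Answer the component's periodic task query with its oldest pending task, if any."""
        queue = self._tasks.get(component_id, [])
        return queue[0] if queue else None

    def ack_task(self, component_id: str, task_id: int) -> bool:
        """The component reports the task executed; drop it from the queue."""
        queue = self._tasks.get(component_id, [])
        for index, task in enumerate(queue):
            if task.task_id == task_id:
                del queue[index]
                return True
        return False

    def service_port_for(self, component_id: str, local_port: int) -> Optional[int]:
        """Reverse lookup used when forwarding: which service port does this local port reach?"""
        for service_port, mapped in self.mappings.get(component_id, {}).items():
            if mapped == local_port:
                return service_port
        return None
```

Tasks stay queued until the component acknowledges them, so a component that polls, crashes and polls again after restart receives the same task rather than losing the update; that is why the poll returns the oldest task instead of popping it.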
In summary, in the embodiment of the present application an access relation establishment request sent by a security component in a cloud platform is obtained first; the request is then responded to by establishing the access relation with the security component; and finally the security component is managed through the access relation based on a local port and a port mapping relation, the port mapping relation being a mapping between the local port and a service port of the security component. That is, the security component actively establishes the access relation with the cloud platform, and the cloud platform accesses the service in the security component through the local port according to the port mapping relation and the access relation in order to manage it. Because the security component is reached only through the relation it established itself and through the port mapping, cost can be reduced while security is ensured.
Referring to fig. 3, the embodiment of the present application discloses a specific cloud platform management access method, including:
step S21: and creating a first process to acquire the access request sent by the security component through the first process, verifying the access request, and returning a password to the security component if the access request passes the verification.
The security component comprises a third process, and the third process is a process used for sending the access request to the cloud platform in the security component.
That is, in a specific implementation manner, the security component sends an access request to the first process through the third process, and the first process obtains the access request sent by the security component; and verifying the access request, and if the access request passes the verification, returning a password and a public key to the security component.
In a specific implementation, the control plane process performs a parameter validity check on the IP address or domain name of the cloud service platform entered by the user, stores it, and monitors the liveness of the data plane process (in the architecture of fig. 4 below these are functions of the security component's control plane process a).
Step S22: creating one or more second processes, wherein each second process is used for acquiring an access relation establishment request sent by a security component in a cloud platform; responding to the access relation establishing request, and establishing an access relation with the security component; and managing the security component through the access relation based on the local port and the port mapping relation.
Further, the second process is further configured to obtain, through the access relationship, target data sent by the security component; the target data is data containing the service port; determining the port mapping relationship based on the target data. For a specific implementation of determining the port mapping relationship, reference may be made to the foregoing embodiments, and details are not repeated here.
Further, the second process is further configured to obtain a new service port of the security component through the access relationship; and distributing a local port for the newly added service port, and updating the port mapping relation to obtain an updated port mapping relation. Correspondingly, the first process is further configured to generate a configuration update task corresponding to the security component based on the updated port mapping relationship; and acquiring a task query request sent by the security component, responding to the task query request, and issuing the configuration updating task to the security component so that the security component executes the configuration updating task. And the first process issues the configuration updating task to a third process of the security component, so that the third process executes the configuration updating task.
In addition, in a specific implementation manner, the load balancing agent may obtain access relationship establishment requests sent by the plurality of security components, and send the plurality of access relationship establishment requests to the plurality of second processes, respectively.
In a specific embodiment, the load balancing agent may be configured through a preset rule, for example, configured according to an IP address of a security component, so as to send the multiple access relationship establishment requests to the multiple second processes, respectively.
That is, in the embodiment of the present application, when the cloud platform needs to host a large number of security components, load balancing can be implemented through the load balancing agent. Thereby improving reliability and processing performance.
Further, in the embodiment of the present application, a first process to be upgraded may be determined from the first process and the second process; and acquiring a first target program upgrading package corresponding to the first process to be upgraded, and upgrading the first process to be upgraded by using the first target program upgrading package.
Moreover, a second process to be upgraded can be determined from the third process and the fourth process; a second target program upgrade package corresponding to it is acquired, and the second process to be upgraded is upgraded with that package. The fourth process is the process in the security component that sends the access relation establishment request to the cloud platform and responds to service access requests sent by the second process; it sends the access relation establishment request to the cloud platform IP address or domain name that the user entered and the control plane process checked and stored.
In a specific embodiment, an upgrade task corresponding to the security component may be generated based on the second target program upgrade package; a task query request sent by the security component is obtained, and in response the upgrade task is issued to the security component so that the security component executes it and upgrades the second process to be upgraded with the second target program upgrade package. In a specific implementation the upgrade task is issued to the third process of the security component, so that the third process upgrades the second process to be upgraded using the second target program upgrade package.
It should be noted that, in the embodiment of the present application, the first process may itself determine the first process to be upgraded from among the first and second processes, acquire the corresponding first target program upgrade package, and perform the upgrade with it; likewise the first process may determine the second process to be upgraded from among the third and fourth processes and acquire the corresponding second target program upgrade package for upgrading it.
In a specific embodiment, the third process performs data transmission based on the public key and the first process, and the fourth process performs data transmission based on the password and the second process, so as to ensure security.
Therefore, in the embodiment of the present application, the access channel from the cloud platform to the security component is opened by the second process in the cloud platform together with the fourth process in the security component, so that the cloud platform's service logic can reach the security component's services through a local IP address and port, while the first process in the cloud platform and the third process in the security component ensure the reliability and security of the second and fourth processes and ease subsequent maintenance.
For example, referring to fig. 4, fig. 4 is a specific cloud platform management architecture diagram disclosed in an embodiment of the present application. The cloud platform is a CSSP and the security component is an NFV. On the NFV side a third process, named control plane process a, and a fourth process, named data plane process b, are created; on the CSSP side a first process, named control plane process d, and a second process, named data plane process e, are created. The NFV side also runs a service process c, and the CSSP side a service process f. The data plane processes open the data tunnel between the NFV and the CSSP, so that the CSSP's existing service logic can reach a service in the NFV by accessing a local IP address and port, while the control plane processes ensure the reliability, security and subsequent maintenance of the data plane processes.
Control plane process a verifies and stores the CSSP IP address or domain name entered by the user, ensures the security and legality of the data plane process, monitors data plane process b, carries out subsequent upgrade and maintenance, and polls the peer at regular intervals to fetch and execute tasks. Data plane process b is the client of the data plane: using the CSSP IP address or domain name entered by the user, it actively connects to data plane process e of the CSSP, establishes a reverse data tunnel, and forwards traffic arriving from the peer server to the local service. Service process c corresponds to the NFV's original services, such as logging in to the Web console and upgrading a major version of the NFV.
Control plane process d is mainly responsible for admitting the NFV's control plane legitimately, allocating local resources for the NFV (that is, allocating local ports to the service ports it has obtained), and upgrading and maintaining the NFV's control plane and data plane processes. Data plane process e is the server of the data plane: it checks the legality of the client, opens the reverse proxy tunnel locally, maps it to the NFV, and forwards local traffic to the client. Service process f corresponds to the CSSP's original services, such as authorization, single sign-on and NFV upgrade.
It can be understood that, by installing the agent programs, namely the management plane process and the data plane process, on the NFV and the CSSP, in a single or multiple VPC scenario, the CSSP cannot directly access the NFV, but the NFV can access the CSSP, the problem of managing the NFV by the CSSP is solved, the external network is not affected, and the method has the advantages of easiness, safety and maintainability.
For a single CSSP, thousands of NFVs need to be managed, and load balancing can be performed to a plurality of internal data plane processes e by introducing a reverse proxy g. Referring to fig. 5, fig. 5 is a specific diagram of a cloud platform management architecture disclosed in an embodiment of the present application. The reverse proxy g balances the load of the data channels of the NFVs to a plurality of internal data plane processes through certain rule configuration, thereby improving the reliability and the processing performance.
Referring to fig. 6, an embodiment of the present application discloses a cloud platform management method applied to a security component, including:
Step S31: sending an access relation establishment request to a cloud platform, so that the cloud platform responds to the access relation establishment request and establishes an access relation with the security component.
In a specific implementation manner, before the access relation establishment request (the connection request) is sent to the cloud platform, an access request is sent to the cloud platform; the cloud platform verifies the access request and, if it passes the verification, returns a password to the security component; the security component then sends the access relation establishment request based on the password, so that the cloud platform decrypts the encrypted data carried in the access relation establishment request based on the password to obtain decrypted data and establishes the access relation with the security component based on the decrypted data.
Step S32: responding to a service access request sent by the cloud platform, so that the cloud platform accesses the service in the security component and manages the security component; the service access request is an access request that the cloud platform sends through the access relation based on a local port of the cloud platform and the port mapping relation, and the port mapping relation is the mapping relation between the local port and a service port of the security component.
In one embodiment, target data may be sent to the cloud platform through the access relation so that the cloud platform determines the port mapping relation based on the target data, the target data being data that contains the service port.
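The access request, password and encrypted access relation establishment request exchange just described, as an added Python example that is not the patent's or the product's code. What the cloud platform checks in the access request is not specified in the text, so the enrolment secret per registered component, the HMAC proof over the component id, and the SHA-256 counter-mode keystream with an HMAC tag (standing in for a real AEAD cipher such as AES-GCM) are all assumptions:

```python
import hashlib
import hmac
import json
import os
import secrets

# Constructed registry of components the CSSP knows in advance (assumption: the text only
# says the access request is "verified", so an enrolment secret per component is assumed).
REGISTERED_COMPONENTS = {"nfv-0001": "enrol-secret-a", "nfv-0002": "enrol-secret-b"}

def _derive_key(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"cssp-tunnel-kdf", 10_000)

def _keystream_xor(key, nonce, data):
    """SHA-256 in counter mode used as a stream cipher (stand-in for AES-GCM; assumed)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(password, plaintext):
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC) under a key derived from the password."""
    key, nonce = _derive_key(password), os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(password, blob):
    """Verify the tag first, then strip the keystream; raises on any tampering."""
    key = _derive_key(password)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("establishment request failed integrity check")
    return _keystream_xor(key, nonce, ct)

class CloudControlPlane:
    """First process d on the CSSP: verifies access requests, issues one-shot passwords and
    establishes the access relation from the decrypted establishment request."""
    def __init__(self):
        self.issued = {}      # component id -> password not yet used
        self.relations = {}   # component id -> data the relation was established from

    def handle_access_request(self, req):
        comp, proof = req.get("component_id", ""), req.get("proof", "")
        secret = REGISTERED_COMPONENTS.get(comp, "")
        expected = hmac.new(secret.encode(), comp.encode(), "sha256").hexdigest()
        if not secret or not hmac.compare_digest(expected, proof):
            return None   # verification failed: no password, hence no tunnel
        self.issued[comp] = secrets.token_urlsafe(24)
        return self.issued[comp]

    def handle_establish_request(self, comp, blob):
        password = self.issued.pop(comp, None)   # each password is usable exactly once
        if password is None:
            return False
        try:
            data = json.loads(decrypt(password, blob))
        except (ValueError, UnicodeDecodeError):
            return False
        if data.get("component_id") != comp:
            return False
        self.relations[comp] = data
        return True

class ComponentControlPlane:
    """Third process a on the security component: proves enrolment, then sends the
    establishment request (here: its id and service ports) encrypted with the password."""
    def __init__(self, comp, enrol_secret, service_ports):
        self.comp, self.secret, self.service_ports = comp, enrol_secret, service_ports

    def access_request(self):
        proof = hmac.new(self.secret.encode(), self.comp.encode(), "sha256").hexdigest()
        return {"component_id": self.comp, "proof": proof}

    def establish_request(self, password):
        body = {"component_id": self.comp, "service_ports": self.service_ports}
        return encrypt(password, json.dumps(body).encode())

def run_exchange(comp, enrol_secret, service_ports, tamper=False):
    """Full exchange; returns (established?, cloud) so callers can inspect the relation."""
    cloud, component = CloudControlPlane(), ComponentControlPlane(comp, enrol_secret, service_ports)
    password = cloud.handle_access_request(component.access_request())
    if password is None:
        return False, cloud
    blob = component.establish_request(password)
    if tamper:
        blob = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]   # flip one ciphertext bit
    return cloud.handle_establish_request(comp, blob), cloud
```

Two properties worth checking in any implementation of this step: the password is removed when it is consumed, so a captured establishment request cannot be replayed to open a second relation, and the integrity tag is verified before anything is decrypted or parsed. The HMAC proof in the access request above covers only the static component id, so in a deployment it would need a server nonce or timestamp, and the map of issued passwords needs an expiry.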
In a specific embodiment, the target data is port data; correspondingly, the cloud platform allocates a local port to the service port based on the port data to obtain the port mapping relationship.
In another specific implementation, the target data is a port mapping relationship corresponding to the service port, which is configured in advance in the security component; and the cloud platform directly determines the target data as the port mapping relation.
Further, in the embodiment of the present application, a newly added service port of the security component may be sent to the cloud platform through the access relation, so that the cloud platform allocates a local port to the newly added service port and updates the port mapping relation to obtain an updated port mapping relation.
In addition, in the embodiment of the application, the security component can send a task query request to the cloud platform, acquire the configuration update task that the cloud platform issues in response, and execute the configuration update task; the configuration update task is generated by the cloud platform based on the updated port mapping relation.
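Added example (Python, not the patent's or the product's code) of the port mapping handling in the preceding paragraphs: target data that is plain port data gets local ports allocated from a pool, target data that is a pre-configured mapping is adopted directly after a clash check, newly added service ports extend the mapping and produce the configuration update task, and the security component applies that task when its task query request is answered. The pool range, the task field names and the version numbering are assumptions:

```python
from dataclasses import dataclass, field

@dataclass
class PortMappingTable:
    """Cloud-platform side: the port mapping relation (service port -> local port) and the
    local port pool it is allocated from.  The pool bounds are an assumption."""
    pool: range = range(20000, 21000)
    mapping: dict = field(default_factory=dict)
    version: int = 0          # bumped whenever the mapping changes

    def allocate(self, service_port):
        """Allocate the lowest free pool port; idempotent for an already mapped service port."""
        if service_port in self.mapping:
            return self.mapping[service_port]
        used = set(self.mapping.values())
        free = next((p for p in self.pool if p not in used), None)
        if free is None:
            raise RuntimeError("local port pool exhausted")
        self.mapping[service_port] = free
        self.version += 1
        return free

    def determine(self, target_data):
        """Target data is either a list of service ports (the cloud allocates local ports) or a
        mapping the component pre-configured (the cloud adopts it directly, after a clash check)."""
        if isinstance(target_data, dict):
            for sp, lp in target_data.items():
                if lp in self.mapping.values() and self.mapping.get(sp) != lp:
                    raise ValueError(f"local port {lp} is already mapped to another service port")
                self.mapping[sp] = lp
            self.version += 1
        else:
            for sp in target_data:
                self.allocate(sp)
        return dict(self.mapping)

    def add_service_ports(self, new_ports):
        """Newly added service ports: extend the mapping and emit the configuration update task."""
        added = {sp: self.allocate(sp) for sp in new_ports}
        return {"task": "config-update", "version": self.version,
                "added": added, "mapping": dict(self.mapping)}

@dataclass
class ComponentConfig:
    """Security-component side: applies configuration update tasks fetched by polling."""
    mapping: dict = field(default_factory=dict)
    version: int = 0

    def execute(self, task):
        """Apply a task once; stale or duplicate versions are ignored (polling may redeliver)."""
        if task["task"] != "config-update" or task["version"] <= self.version:
            return False
        self.mapping = dict(task["mapping"])
        self.version = task["version"]
        return True

class TaskQueue:
    """Cloud side: tasks wait here until the component's next task query request."""
    def __init__(self):
        self.pending = {}     # component id -> list of tasks

    def issue(self, comp, task):
        self.pending.setdefault(comp, []).append(task)

    def poll(self, comp):
        """Answer a task query request: hand over and clear everything pending."""
        return self.pending.pop(comp, [])

def scenario():
    """Worked run: allocate, adopt a pre-configured mapping, then add a port and sync it."""
    table, tasks, component = PortMappingTable(), TaskQueue(), ComponentConfig()
    table.determine([443, 8443])              # port data -> allocated from the pool
    table.determine({22: 30022})              # pre-configured mapping -> adopted directly
    tasks.issue("nfv-0001", table.add_service_ports([9443]))
    applied = [component.execute(t) for t in tasks.poll("nfv-0001")]
    return table.mapping, component.mapping, applied, tasks.poll("nfv-0001")
```

The version check in `ComponentConfig.execute` is what keeps a polling model safe: a task that is redelivered, or delivered out of order after a newer one, must not roll the component's mapping back. The clash check in `determine` matters because a pre-configured local port that collides with one the cloud already allocated would silently route one component's traffic to another.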
Further, in a specific implementation manner, a third process and a fourth process may be created, where the third process is used to send the access request to the cloud platform, and the fourth process is used to send an access relationship establishment request to the cloud platform and respond to the service access request sent by the second process.
The security component can also send a task query request to the cloud platform, so that the cloud platform responds to the task query request and issues an upgrade task to the security component. Correspondingly, the security component executes the upgrade task, upgrading the second process to be upgraded with the second target program upgrade package.
The upgrade task is the upgrade task corresponding to the security component, generated by the cloud platform based on the second target program upgrade package; the second target program upgrade package is the program upgrade package corresponding to the second process to be upgraded, which the cloud platform obtains after determining the second process to be upgraded from among the third process and the fourth process.
Therefore, the security component actively establishes the access relation with the cloud platform, and the cloud platform can access the service in the security component through the local port based on the port mapping relation and the access relation.
Referring to fig. 7, the present application discloses a cloud platform management apparatus, including:
a request obtaining module 11, configured to obtain an access relationship establishment request sent by a security component in a cloud platform;
a relationship establishing module 12, configured to respond to the access relationship establishing request and establish an access relationship with the security component;
the component management module 13 is configured to manage the security component through the access relationship based on a local port and a port mapping relationship; wherein the port mapping relationship is a mapping relationship between the local port and a traffic port of the security component.
As can be seen, in the embodiment of the present application, an access relationship establishment request sent by a security component in a cloud platform is obtained first, then the access relationship establishment request is responded, an access relationship with the security component is established, and finally the security component is managed through the access relationship based on a local port and a port mapping relationship; wherein the port mapping relationship is a mapping relationship between the local port and a traffic port of the security component. That is, in the embodiment of the present application, the security component actively establishes an access relationship with the cloud platform, and the cloud platform can access the service in the security component through the local port based on the port mapping relationship and the access relationship, and manage the security component.
Further, the apparatus further comprises:
the target data acquisition module is used for acquiring target data sent by the security component through the access relation; the target data is data containing the service port;
a port mapping relationship determination module for determining the port mapping relationship based on the target data.
In a specific embodiment, the target data is port data;
correspondingly, the port mapping relationship determining module is specifically configured to allocate a local port to the service port based on the port data, so as to obtain the port mapping relationship.
In another specific implementation, the target data is a port mapping relationship corresponding to the service port configured in advance in the security component;
correspondingly, the port mapping relationship determining module is specifically configured to directly determine the target data as the port mapping relationship.
Further, the apparatus further comprises:
a newly added service port obtaining module, configured to obtain a newly added service port of the security component through the access relationship;
and the port mapping relation updating module is used for distributing a local port for the newly added service port and updating the port mapping relation to obtain an updated port mapping relation.
Further, the apparatus further comprises:
the configuration updating task generating module is used for generating a configuration updating task corresponding to the security component based on the updated port mapping relation;
and the task query request processing module is used for acquiring a task query request sent by the security component, responding to the task query request and sending the configuration updating task to the security component so that the security component can execute the configuration updating task.
Further, the apparatus further comprises:
an access request obtaining module, configured to obtain an access request sent by a security component before obtaining a connection request sent by the security component;
and the access request processing module is used for verifying the access request, and if the access request passes the verification, a password is returned to the security component so that the security component can send the access relationship establishment request based on the password.
Further, the relationship establishing module 12 specifically includes:
a data decryption unit, configured to decrypt, based on the password, the encrypted data carried in the access relation establishment request to obtain decrypted data;
and a communication connection establishing unit, configured to establish the access relation with the security component based on the decrypted data.
In addition, the apparatus further comprises:
a first process creating module, configured to create a first process, so as to obtain, through the first process, an access request sent by the security component; verifying the access request, and if the access request passes the verification, returning a password to the security component;
the second process creating module is used for creating one or more second processes, wherein each second process is used for acquiring an access relationship establishing request sent by a security component in the cloud platform; responding to the access relation establishing request, and establishing an access relation with the security component; and managing the security component based on the local port and the port mapping relation through the access relation.
Further, the apparatus further comprises:
and the load balancing module is used for acquiring the access relationship establishment requests sent by the plurality of security components through a load balancing agent and sending the access relationship establishment requests to the plurality of second processes respectively.
In addition, the apparatus further comprises:
the first process to be upgraded determining module is used for determining a first process to be upgraded from the first process and the second process;
a first target program upgrade package obtaining module, configured to obtain a first target program upgrade package corresponding to the first process to be upgraded;
and the first process to be upgraded upgrading module is used for upgrading the first process to be upgraded by utilizing the first target program upgrading package.
Further, the apparatus further comprises:
the second process to be upgraded determining module is used for determining a second process to be upgraded from a third process and the fourth process;
a second target program upgrade package obtaining module, configured to obtain a second target program upgrade package corresponding to the second process to be upgraded;
and the second process upgrading module is used for upgrading the program of the second process to be upgraded by utilizing the second target program upgrading package.
The third process is a process in the security component for sending the access request to the cloud security service platform, and the fourth process is a process in the security component for sending the access relation establishment request to the cloud security service platform and responding to the service access request sent by the second process.
Further, the second process-to-be-upgraded module is specifically configured to generate an upgrade task corresponding to the security component based on the second target program upgrade package, and the task query request processing module is specifically configured to acquire a task query request sent by the security component, respond to the task query request, and issue the upgrade task to the security component, so that the security component executes the upgrade task, and performs program upgrade on the second process-to-be-upgraded by using the second target program upgrade package.
Referring to fig. 8, an embodiment of the present application discloses an electronic device 30, which includes a processor 31 and a memory 32; wherein the memory 32 is used for storing a computer program, and the processor 31 is configured to execute the computer program to implement the cloud platform management method disclosed in the foregoing embodiment.
For the specific process of the cloud platform management method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
The memory 32 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the storage manner may be a transient storage or a permanent storage.
In addition, the electronic device 30 further includes a power supply 33, a communication interface 34, an input/output interface 35, and a communication bus 36. The power supply 33 provides an operating voltage for each hardware device of the electronic device 30; the communication interface 34 can create a data transmission channel between the electronic device 30 and an external device, and the communication protocol it follows is any communication protocol applicable to the technical solution of the present application, which is not specifically limited here; the input/output interface 35 acquires external input data or outputs data to the outside, and its specific interface type may be selected according to the application requirements, which is not specifically limited here.
Further, an embodiment of the present application also discloses a computer-readable storage medium for storing a computer program, where the computer program is executed by a processor to implement the cloud platform management method disclosed in the foregoing embodiment.
For the specific process of the cloud platform management method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
In the present specification, the embodiments are described in a progressive manner, and each embodiment focuses on differences from other embodiments, and the same or similar parts between the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The cloud platform management method, the cloud platform management device, the cloud platform management equipment and the cloud platform management medium are introduced in detail, specific examples are applied in the description to explain the principle and the implementation mode of the cloud platform management method, and the description of the embodiments is only used for helping to understand the method and the core idea of the cloud platform management method; meanwhile, for a person skilled in the art, according to the idea of the present application, the specific implementation manner and the application scope may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A cloud platform management method is characterized by comprising the following steps:
acquiring an access relation establishment request sent by a security component in a cloud platform;
responding to the access relation establishment request, and establishing the access relation with the security component;
managing the security component through the access relationship based on a local port and a port mapping relationship; wherein the port mapping relationship is a mapping relationship between the local port and a traffic port of the security component.
2. The cloud platform management method according to claim 1, further comprising:
acquiring target data sent by the security component through the access relation; wherein, the target data is data containing the service port;
determining the port mapping relationship based on the target data.
3. The cloud platform management method of claim 2, wherein the target data is port data;
correspondingly, the determining the port mapping relationship based on the target data includes:
and distributing a local port for the service port based on the port data to obtain the port mapping relation.
4. The cloud platform management method according to claim 2, wherein the target data is a port mapping relationship corresponding to the service port pre-configured in the security component;
correspondingly, the determining the port mapping relationship based on the target data includes:
and directly determining the target data as the port mapping relation.
5. The cloud platform management method of claim 4, further comprising:
acquiring a newly added service port of the security component through the access relation;
distributing a local port for the newly added service port, and updating the port mapping relation to obtain an updated port mapping relation;
generating a configuration updating task corresponding to the security component based on the updated port mapping relation;
and acquiring a task query request sent by the security component, responding to the task query request, and issuing the configuration updating task to the security component so that the security component executes the configuration updating task.
6. The cloud platform management method according to any one of claims 1 to 5, wherein before the acquiring of the access relation establishment request sent by the security component in the cloud platform, the method further comprises:
acquiring an access request sent by the security component;
and verifying the access request, and if the access request passes the verification, returning a password to the security component so that the security component can send the access relation establishment request based on the password.
7. The cloud platform management method of claim 6, further comprising:
creating a first process to obtain the access request sent by the security component through the first process; verifying the access request, and if the access request passes the verification, returning a password to the security component;
creating one or more second processes, wherein each second process is used for acquiring an access relation establishment request sent by a security component in a cloud platform; responding to the access relation establishment request, and establishing the access relation with the security component; and managing the security component based on the local port and the port mapping relation through the access relation.
8. A cloud platform management apparatus, comprising:
the request acquisition module is used for acquiring an access relationship establishment request sent by a security component in the cloud platform;
the relationship establishing module is used for responding to the access relationship establishing request and establishing the access relationship with the security component;
the component management module is used for managing the security component through the access relation based on a local port and a port mapping relation; wherein the port mapping relationship is a mapping relationship between the local port and a traffic port of the security component.
9. An electronic device comprising a processor and a memory; wherein,
the memory is used for storing a computer program;
the processor for executing the computer program to implement the cloud platform management method of any of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the cloud platform management method according to any one of claims 1 to 7.
CN202210505401.7A 2022-05-10 2022-05-10 Cloud platform management method, device, equipment and medium Pending CN114785612A (en)

Publications (1)

Publication Number Publication Date
CN114785612A true CN114785612A (en) 2022-07-22

Family

ID=82437302

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination