Disclosure of Invention
To address the problems in the prior art, the invention provides a method for implementing cross-region peer-to-peer connection based on elastic public network IPs. It provides intranet-address inter-access among virtual private networks located in several regions of a cloud platform, and so meets the requirement for peer-to-peer connection among virtual private networks in multiple regions.
The specific scheme provided by the invention is as follows:
The method for implementing cross-region peer-to-peer connection based on elastic public network IP creates a GRE tunnel and, through that tunnel, creates a link from the local virtual private network to the opposite-end virtual private network. The link creation process is as follows:
establishing the link from the local virtual private network to the local peer-to-peer connection traffic gateway: creating a non-service network segment subnet in the local virtual private network, creating a network card in that subnet, binding the network card to the local peer-to-peer connection traffic gateway, and configuring a route in the local virtual router whose destination is the opposite-end virtual private network;
establishing the link from the opposite-end virtual private network to the opposite-end peer-to-peer connection traffic gateway: creating a non-service network segment subnet in the opposite-end virtual private network, creating a network card in that subnet, binding the network card to the opposite-end peer-to-peer connection traffic gateway, and configuring a route in the opposite-end virtual router whose destination is the local virtual private network;
establishing the link from the local peer-to-peer connection traffic gateway to the opposite-end peer-to-peer connection traffic gateway: binding the local network card and the opposite-end network card each to an elastic public network IP, placing each network card in its own network namespace, creating a GRE tunnel port device inside each namespace, and configuring the local and opposite-end IP information on the port device;
and performing peer-to-peer connection over the resulting link from the local virtual private network to the opposite-end virtual private network.
Further, in the method for implementing cross-region peer-to-peer connection based on elastic public network IP, a local peer-to-peer connection traffic gateway instance is created and is responsible for establishing the GRE tunnel to the opposite-end virtual private network; a network card instance of the local non-service network segment subnet is created and bound to the local traffic gateway instance;
and an opposite-end peer-to-peer connection traffic gateway instance is created, a network card instance of the opposite-end non-service network segment subnet is created, and that network card instance is bound to the opposite-end traffic gateway instance.
Further, in the method for implementing cross-region peer-to-peer connection based on elastic public network IP, the GRE kernel component is loaded in both the local and the opposite-end peer-to-peer connection traffic gateway instances with the "modprobe ip_gre" command, after which the GRE tunnel is configured.
Furthermore, in the method for implementing cross-region peer-to-peer connection based on elastic public network IP, the GRE tunnel port device is created inside the network namespace with the "ip tunnel" command.
The invention also provides a device for implementing cross-region peer-to-peer connection based on elastic public network IP, which comprises a link establishing module and a connection module.
The link establishing module establishes a GRE tunnel based on the elastic public network IP and, through that tunnel, establishes a link from the local virtual private network to the opposite-end virtual private network. The link establishing module creates the link as follows:
establishing the link from the local virtual private network to the local peer-to-peer connection traffic gateway: creating a non-service network segment subnet in the local virtual private network, creating a network card in that subnet, binding the network card to the local peer-to-peer connection traffic gateway, and configuring a route in the local virtual router whose destination is the opposite-end virtual private network;
establishing the link from the opposite-end virtual private network to the opposite-end peer-to-peer connection traffic gateway: creating a non-service network segment subnet in the opposite-end virtual private network, creating a network card in that subnet, binding the network card to the opposite-end peer-to-peer connection traffic gateway, and configuring a route in the opposite-end virtual router whose destination is the local virtual private network;
creating the link from the local peer-to-peer connection traffic gateway to the opposite-end peer-to-peer connection traffic gateway: binding the local network card and the opposite-end network card each to an elastic public network IP, placing each network card in its own network namespace, creating a GRE tunnel port device inside each namespace, and configuring the local and opposite-end IP information on the port device;
the connection module performs peer-to-peer connection over the resulting link from the local virtual private network to the opposite-end virtual private network.
Further, in the device for implementing cross-region peer-to-peer connection based on elastic public network IP, the link establishing module creates a local peer-to-peer connection traffic gateway instance, which is responsible for creating the GRE tunnel to the opposite-end virtual private network, creates a network card instance of the local non-service network segment subnet and binds it to the local traffic gateway instance;
and creates an opposite-end peer-to-peer connection traffic gateway instance, creates a network card instance of the opposite-end non-service network segment subnet, and binds that network card instance to the opposite-end traffic gateway instance.
Further, in the device for implementing cross-region peer-to-peer connection based on elastic public network IP, the link establishing module loads the GRE kernel component in both the local and the opposite-end peer-to-peer connection traffic gateway instances with the "modprobe ip_gre" command, and then performs the GRE tunnel configuration.
Further, in the device for implementing cross-region peer-to-peer connection based on elastic public network IP, the link establishing module creates the GRE tunnel port device inside the network namespace with the "ip tunnel" command.
The invention has the advantages that:
the invention provides a method for implementing cross-region peer-to-peer connection based on elastic public network IP, which satisfies the requirement for intranet-address mutual access between virtual private networks in different regions. The network card of the added subnet sits on the same virtual router as the user's service VPC without consuming the user's own network segment resources; a separate network namespace for that network card keeps the peer-to-peer link configuration from conflicting with the link configuration of other networks; and because the scheme rests only on elastic public network IPs and GRE tunnels, it depends on no proprietary communication protocol, is easy to implement, and can be generalized to an intranet communication scheme between heterogeneous clouds.
Detailed Description
GRE (Generic Routing Encapsulation) encapsulates the packets of one network layer protocol so that they can be carried inside another network layer protocol (for example IPv4). GRE thus provides a mechanism for wrapping the messages of one protocol in the messages of another; it is a layer-3 tunnel encapsulation technique, and the wrapped messages are carried transparently through the GRE tunnel.
GRE establishes direct point-to-point connections over a network with the aim of simplifying the connections between individual networks. Its implementation is simple and the load it places on the devices at the two ends of the tunnel is small, which suits the purpose of this scheme: interconnecting VPCs in two regions.
To establish a GRE tunnel across regions, the elastic public network IP resources provided by the cloud platform are required.
The elastic public network IP resource of the cloud platform provides the egress to the public network, giving cloud resources the capability to reach external networks.
The present invention is further described below in conjunction with the following figures and specific examples so that those skilled in the art may better understand the present invention and practice it, but the examples are not intended to limit the present invention.
The invention provides a method for implementing cross-region peer-to-peer connection based on elastic public network IP. It establishes a GRE tunnel based on the elastic public network IP and, through that tunnel, establishes a link from the local virtual private network to the opposite-end virtual private network. The link establishing process comprises the following steps:
establishing the link from the local virtual private network to the local peer-to-peer connection traffic gateway: creating a non-service network segment subnet in the local virtual private network, creating a network card in that subnet, binding the network card to the local peer-to-peer connection traffic gateway, and configuring a route in the local virtual router whose destination is the opposite-end virtual private network;
creating the link from the opposite-end virtual private network to the opposite-end peer-to-peer connection traffic gateway: creating a non-service network segment subnet in the opposite-end virtual private network, creating a network card in that subnet, binding the network card to the opposite-end peer-to-peer connection traffic gateway, and configuring a route in the opposite-end virtual router whose destination is the local virtual private network;
creating the link from the local peer-to-peer connection traffic gateway to the opposite-end peer-to-peer connection traffic gateway: binding the local network card and the opposite-end network card each to an elastic public network IP, placing each network card in its own network namespace, creating a GRE tunnel port device inside each namespace, and configuring the local and opposite-end IP information on the port device;
and performing peer-to-peer connection over the resulting link from the local virtual private network to the opposite-end virtual private network.
The method of the invention implements cross-region peer-to-peer connection based on elastic public network IP. It relies mainly on the elastic public network IP resources of the cloud platform and on the GRE tunnel protocol, connects virtual private networks (VPCs) in different regions, and thereby achieves communication between their intranet addresses.
In practice, in some embodiments of the method, a link is constructed from three segments: the link from the local virtual private network to the local peer-to-peer connection traffic gateway, the link from the local traffic gateway to the opposite-end traffic gateway, and the link from the opposite-end traffic gateway to the opposite-end virtual private network.
As the three-segment structure shows, the link is essentially symmetrical. The service logic of the method is therefore described mainly by taking the link creation process at the local end as an example:
establishing the link from the local virtual private network to the local peer-to-peer connection traffic gateway: creating a non-service network segment subnet in the local virtual private network, creating a network card in that subnet, binding it to the local peer-to-peer connection traffic gateway, and configuring a route in the local virtual router whose destination is the opposite-end virtual private network.
Further, this comprises the following specific steps:
applying for an elastic public network IP on the cloud platform; this IP serves as the endpoint for establishing the GRE tunnel,
creating a peer-to-peer connection traffic gateway instance, which is responsible for creating the GRE tunnel to the peer and for forwarding traffic into the tunnel or into the service VPC,
creating, in the user's local service VPC, a subnet belonging to a non-service network segment; the purpose is that this segment can sit on the same virtual router as the user's service VPC without consuming the user's own network segment resources,
creating a network card instance in the non-service network segment subnet and binding it to the peer-to-peer connection traffic gateway instance,
configuring a static route in the router of the local VPC whose destination is the opposite-end service VPC network segment and whose next hop is the IP of the network card in the non-service network segment.
The link from the user's service network to the local peer-to-peer connection traffic gateway is now created. The following operations configure the local traffic gateway and create the local end of the GRE tunnel, that is, they establish the link from the local peer-to-peer connection traffic gateway to the opposite-end peer-to-peer connection traffic gateway: binding the local network card and the opposite-end network card each to an elastic public network IP, placing each network card in its own network namespace, creating a GRE tunnel port device inside each namespace, and configuring the local and opposite-end IP information on the port device.
Further, this comprises the following specific steps:
associating the elastic public network IP applied for earlier with the network card bound to the peer-to-peer connection traffic gateway instance, so that the instance's network card has public network access,
running the command "modprobe ip_gre" in the traffic gateway instance to load the GRE kernel component needed for the subsequent GRE tunnel configuration,
placing the network card of the non-service network segment subnet that is bound to the traffic gateway instance into a separate network namespace, which prevents the peer-to-peer connection link configuration from conflicting with the link configuration of other networks,
and creating the tunnel port device inside that separate network namespace with the "ip tunnel" command, then configuring the local and opposite-end IPs of the tunnel on the port device according to the address plan.
Static routes are then configured inside the network namespace: traffic destined for the opposite-end network segment is sent out through the tunnel port device, and the default route uses the non-service subnet gateway as next hop and is sent out through the network card device of the non-service subnet.
The local-end link is now created. Link creation at the opposite end is essentially the same as at the local end, with the IP information configured on the port device mirroring the IP information configuration described above.
And performing peer-to-peer connection according to the link from the local virtual private network to the opposite virtual private network.
Further, take a specific cross-region peer-to-peer connection scheme as an example:
VPC1 (192.168.0.0/16) in region A needs intranet-address communication with VPC2 (172.16.0.0/12) in region B. Then:
(1) Apply for an elastic public network IP instance in region A with IP address 100.111.0.100, and apply for an elastic public network IP instance in region B with IP address 100.112.0.100.
(2) Create a peer-to-peer connection traffic gateway instance in region A, referred to as traffic gateway A for short.
(3) In VPC1 of region A, create the subnet 11.0.101.0/24 and attach its gateway to the virtual router of VPC1.
(4) Create a network card instance in the 11.0.101.0/24 subnet and assign it the IP 11.0.101.100. Attach this network card to traffic gateway A.
(5) Configure the following routing rule in the virtual router of VPC1: destination 172.16.0.0/12, next hop 11.0.101.100.
(6) Bind the public network IP 100.111.0.100 to the network card 11.0.101.100.
(7) Log in to traffic gateway A and run "lsmod | grep ip_gre" to check whether the GRE kernel component is loaded; if nothing is printed, it is not loaded, so run the "modprobe ip_gre" command to load it.
(8) Create a network namespace in traffic gateway A; taking the name ns-gre as an example, run "ip netns add ns-gre". Find the name of the network card holding 11.0.101.100; taking eth1 as an example, run "ip link set eth1 netns ns-gre" to move the network card into the namespace.
(9) In the ns-gre namespace, create the local end of the GRE tunnel with "ip tunnel", running "ip tunnel add tunnel2 mode gre local 100.111.0.100 remote 100.112.0.100". Then configure the IP of the newly created network card device tunnel2 by running "ip addr add 12.1.100.101 dev tunnel2 peer 12.1.100.102".
(10) In the ns-gre namespace, configure the static routes. Run "ip route add 172.16.0.0/12 dev tunnel2" to direct outbound traffic into the tunnel port tunnel2, and configure the default route with "ip route add default via 11.0.101.100 dev eth1" to direct all other traffic to the bound network card device eth1.
In this way, the peer-to-peer connection between region A and region B is realized and their intranet addresses can communicate.
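The ten steps above, carried out for both ends as an added example (not code from the patent): from a per-end plan it checks the scheme's own constraints, namely that the non-service subnet does not overlap the user's service VPC and that the two service VPCs are disjoint, and then emits the commands for each traffic gateway, with the arguments swapped for the opposite end. The End and plan_end names, the ns-gre and tunnel2 defaults, region B's subnet 11.0.102.0/24 with network card 11.0.102.100, the first-host subnet gateway for the default route and the address/link-up commands after moving the network card are assumptions.

```python
"""Plan and cross-check both ends of a cross-region GRE peering (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class End:
    name: str               # region label, e.g. "A"
    vpc: str                # the user's service VPC CIDR
    eip: str                # elastic public network IP bound to the gateway NIC
    nonservice_subnet: str  # extra subnet created in the VPC for the gateway NIC
    nic_ip: str             # NIC address inside nonservice_subnet
    nic_name: str           # NIC device name inside the traffic gateway instance
    tunnel_ip: str          # address of this end's GRE port device


def validate_pair(local: End, remote: End) -> None:
    """Reject plans that violate the scheme's assumptions before any command runs."""
    for e in (local, remote):
        vpc = ipaddress.ip_network(e.vpc)
        sub = ipaddress.ip_network(e.nonservice_subnet)
        if vpc.overlaps(sub):  # must not consume the user's own address space
            raise ValueError(f"{e.name}: {sub} overlaps service VPC {vpc}")
        if ipaddress.ip_address(e.nic_ip) not in sub:
            raise ValueError(f"{e.name}: NIC {e.nic_ip} is not in {sub}")
    if ipaddress.ip_network(local.vpc).overlaps(ipaddress.ip_network(remote.vpc)):
        raise ValueError("service VPCs overlap; the static routes would be ambiguous")
    if local.eip == remote.eip or local.tunnel_ip == remote.tunnel_ip:
        raise ValueError("tunnel endpoint addresses must differ at the two ends")


def plan_end(local: End, remote: End, ns: str = "ns-gre", dev: str = "tunnel2") -> list[str]:
    """Commands for `local`'s traffic gateway; call with swapped arguments for the peer."""
    validate_pair(local, remote)
    sub = ipaddress.ip_network(local.nonservice_subnet)
    gw = str(next(sub.hosts()))  # assumption: the subnet gateway is its first host
    return [
        # Step 5 is done on the cloud VPC router, not inside the instance; record it.
        f"# VPC router of {local.name}: route {remote.vpc} -> next hop {local.nic_ip}",
        "modprobe ip_gre",
        f"ip netns add {ns}",
        f"ip link set {local.nic_name} netns {ns}",
        # Moving a NIC into a namespace drops its address (assumed step): restore it.
        f"ip -n {ns} addr add {local.nic_ip}/{sub.prefixlen} dev {local.nic_name}",
        f"ip -n {ns} link set {local.nic_name} up",
        # GRE only provides reachability; the inner packets cross the public network in clear.
        f"ip -n {ns} tunnel add {dev} mode gre local {local.eip} remote {remote.eip}",
        f"ip -n {ns} addr add {local.tunnel_ip} peer {remote.tunnel_ip} dev {dev}",
        f"ip -n {ns} link set {dev} up",
        f"ip -n {ns} route add {remote.vpc} dev {dev}",
        f"ip -n {ns} route add default via {gw} dev {local.nic_name}",
    ]


# Constructed plan mirroring the worked example (region B's subnet and NIC are assumed).
A = End("A", "192.168.0.0/16", "100.111.0.100", "11.0.101.0/24", "11.0.101.100", "eth1", "12.1.100.101")
B = End("B", "172.16.0.0/12", "100.112.0.100", "11.0.102.0/24", "11.0.102.100", "eth1", "12.1.100.102")

if __name__ == "__main__":
    for side, other in ((A, B), (B, A)):
        print(f"--- traffic gateway {side.name} ---")
        print("\n".join(plan_end(side, other)))
```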
The invention also provides a device for implementing cross-region peer-to-peer connection based on elastic public network IP, which comprises a link establishing module and a connection module.
The link establishing module establishes a GRE tunnel based on the elastic public network IP and, through that tunnel, establishes a link from the local virtual private network to the opposite-end virtual private network. The link establishing module creates the link as follows:
establishing the link from the local virtual private network to the local peer-to-peer connection traffic gateway: creating a non-service network segment subnet in the local virtual private network, creating a network card in that subnet, binding the network card to the local peer-to-peer connection traffic gateway, and configuring a route in the local virtual router whose destination is the opposite-end virtual private network;
creating the link from the opposite-end virtual private network to the opposite-end peer-to-peer connection traffic gateway: creating a non-service network segment subnet in the opposite-end virtual private network, creating a network card in that subnet, binding the network card to the opposite-end peer-to-peer connection traffic gateway, and configuring a route in the opposite-end virtual router whose destination is the local virtual private network;
establishing the link from the local peer-to-peer connection traffic gateway to the opposite-end peer-to-peer connection traffic gateway: binding the local network card and the opposite-end network card each to an elastic public network IP, placing each network card in its own network namespace, creating a GRE tunnel port device inside each namespace, and configuring the local and opposite-end IP information on the port device;
the connection module performs peer-to-peer connection over the resulting link from the local virtual private network to the opposite-end virtual private network.
Because the information exchanged among the modules of the device, their execution flow and the like are based on the same concept as the method embodiment of the invention, the specific details can be found in the description of the method embodiment and are not repeated here.
The device implements cross-region peer-to-peer connection based on elastic public network IP and satisfies the requirement for intranet-address mutual access between virtual private networks in different regions. The network card of the added subnet sits on the same virtual router as the user's service VPC without consuming the user's own network segment resources; a separate network namespace for that network card keeps the peer-to-peer link configuration from conflicting with the link configuration of other networks; and because the scheme rests only on elastic public network IPs and GRE tunnels, it depends on no proprietary communication protocol, is easy to implement, and can be generalized to an intranet communication scheme between heterogeneous clouds.
It should be noted that not all steps and modules in the above flows and system structure diagrams are necessary, and some steps or modules may be omitted according to actual needs. The execution order of the steps is not fixed and can be adjusted as required. The system structure described in the above embodiments may be a physical structure or a logical structure, that is, some modules may be implemented by the same physical entity, or some modules may be implemented by a plurality of physical entities, or some components in a plurality of independent devices may be implemented together.
The above-mentioned embodiments are merely preferred embodiments for fully illustrating the present invention, and the scope of the present invention is not limited thereto. The equivalent substitution or change made by the technical personnel in the technical field on the basis of the invention is all within the protection scope of the invention. The protection scope of the invention is subject to the claims.