CN117632353A - A virtual instance creation method and cloud management platform based on cloud computing technology - Google Patents


Info

Publication number
CN117632353A
Authority
CN
China
Prior art keywords
cloud
virtual instance
native application
virtual
cloud native
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310376231.1A
Other languages
Chinese (zh)
Inventor
郜忠华
王睿
张永明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Cloud Computing Technologies Co Ltd
Priority to JP2025508982A (JP2025526923A)
Priority to PCT/CN2023/113710 (WO2024037619A1)
Priority to EP23854516.4A (EP4567593A1)
Publication of CN117632353A
Priority to US19/055,814 (US20250193081A1)
Legal status: Pending (current)


Abstract

Translated from Chinese

The invention discloses a virtual instance creation method and a cloud management platform based on cloud computing technology. The cloud management platform obtains a virtual instance creation request entered by a tenant; the creation request includes the specification information and site information of the virtual instance to be created, and information on the cloud-native application to which it belongs. Based on the obtained information, the cloud management platform chooses to create the virtual instance on a compute node whose specification matches the specification information, where the compute node is located in a cloud data center that matches the site information, and the virtual instance is used to run one or more microservices of the cloud-native application. On this basis, the cloud management platform configures, according to the obtained cloud-native application information, the virtual instance manager of that compute node to mark the service packets sent by the virtual instance with the identifier of the cloud-native application. This makes the service packets of a virtual instance identifiable and recognizable, which in turn simplifies access-permission configuration and improves the efficiency of security-policy configuration.

Description

Translated from Chinese
A virtual instance creation method and cloud management platform based on cloud computing technology

Technical field

This application relates to the field of cloud computing technology, and in particular to a virtual instance creation method based on cloud computing technology and a cloud management platform that runs the method.

Background

As public cloud technology has matured, cloud-native applications have developed greatly, and more and more business effort is concentrated on application development itself. However, the current cloud network construction model makes deploying, migrating, interconnecting and securing cloud-native applications highly complex, and cannot meet the current demand for convenient management of cloud-native applications, simplified security-policy definition and rapid deployment.

Summary of the invention

To solve the problems of the prior art, the present invention provides a virtual instance creation method based on cloud computing technology and a cloud management platform. The method resolves the operational complexity in permission management, security-policy definition and deployment of cloud-native applications that is caused by the network model, and achieves efficient and convenient cloud resource management.

In a first aspect, this application provides a virtual instance creation method based on cloud computing technology. The method is applied to a cloud management platform, where the cloud management platform manages an infrastructure that includes multiple distributed cloud data centers, each of which contains multiple compute nodes. The method specifically includes the following steps: receiving a first virtual instance creation request entered by a first tenant, where the first virtual instance creation request includes the specification information of the first virtual instance to be created and information on the first cloud-native application to which it belongs; on that basis, the cloud management platform chooses to create the first virtual instance on a first compute node in a first cloud data center that can provide a specification matching the specification information, where the first virtual instance is used to run the first cloud-native application or one or more microservices of the first cloud-native application, and the multiple cloud data centers include the first cloud data center that provides the first compute node; and then the cloud management platform, according to the information on the first cloud-native application, configures the first virtual instance manager of the first compute node to mark the service packets sent by the first virtual instance with the identifier of the first cloud-native application.

In the solution provided by this application, the cloud management platform obtains the virtual instance creation request entered by the tenant, determines from it the specification information of the virtual instance and the information on the cloud-native application, and then selects a matching compute node on which to create the virtual instance, so that the virtual instance created by the cloud management platform better matches the tenant's actual needs. On this basis, by configuring the virtual instance manager to mark the service packets sent by the virtual instance with the identifier of the cloud-native application that the virtual instance runs, interconnection and access between virtual instances or between different cloud-native applications can be managed precisely, and the identifier simplifies the transfer of information between cloud-native networks.

With reference to the first aspect, in a possible implementation of the first aspect, the first virtual instance creation request further includes first site information. Specifically, the method further includes the following step: the cloud management platform selects, from the multiple cloud data centers, the first cloud data center that matches the first site information.

In the solution provided by this application, the virtual instance request entered by the tenant and received by the cloud management platform also includes site information. From the site information, the cloud management platform can determine not only the cloud data center and compute node where the virtual instance is located, but also the site at which the virtual instance runs. On this basis, the cloud management platform can further configure, control and manage the network interconnection of virtual instances at different sites, thereby meeting tenants' needs for access between cloud-native applications at different sites while simplifying the cloud-native network architecture.

With reference to the first aspect, in a possible implementation of the first aspect, the cloud management platform receives a first security rule entered by the first tenant, where the first security rule indicates the permission with which the first cloud-native application may be accessed, and the cloud management platform further configures the first virtual instance manager of the first compute node to record the first security rule. Specifically, according to the first security rule, the first virtual instance manager allows or prohibits the delivery to the first virtual instance of service packets sent to it by virtual instances running other cloud-native applications or one or more microservices of other cloud-native applications.

In the solution provided by this application, the cloud management platform performs configuration according to the security rule entered by the tenant and records the security rule in the virtual instance manager. On this basis, when a virtual instance managed by the virtual instance manager is the target of access or interconnection and is accessed by a virtual instance of another cloud-native application, or of one or more microservices of another cloud-native application, the virtual instance manager judges or authenticates, according to the security rule, the service packets whose access target is a virtual instance it manages: when the identifier marked in a service packet falls within the range of access allowed by the virtual instance manager, the service packet is allowed to access the virtual instance; when it does not, the service packet is prohibited from accessing the virtual instance. Optionally, after the virtual instance manager has judged and authenticated a service packet for the first time, the same service packet is not judged or authenticated again as long as the security rule has not changed.

With reference to the first aspect, in a possible implementation of the first aspect, a second compute node in the infrastructure is deployed with a second virtual instance, the second virtual instance is used to run a second cloud-native application or one or more microservices of the second cloud-native application, and the second compute node is located in one of the multiple cloud data centers. The method further includes the following specific steps: receiving a second security rule entered by the first tenant, where the second security rule indicates the permission of the first cloud-native application to access the second cloud-native application; and configuring the second virtual instance manager of the second compute node to record the identifier of the first cloud-native application and the second security rule. Here the destination address of the service packet sent by the first virtual instance is the second virtual instance, and the second virtual instance manager, after confirming that the identifier of the first cloud-native application marked on the service packet sent by the first virtual instance is consistent with the identifier it has recorded, allows or prohibits delivery of the first service packet to the second virtual instance according to the security rule.

In the solution provided by this application, the cloud management platform can configure access permissions for a specific cloud-native application according to the security rule entered by the tenant. Specifically, when the first cloud-native application needs to access the second cloud-native application, in order to control the access permission of the first cloud-native application, the cloud management platform receives the security rule entered by the first tenant and configures the virtual instance manager of the accessed second cloud-native application to record the security rule and the identifier of the first cloud-native application. When the first cloud-native application accesses the second cloud-native application, the virtual instance manager of the second cloud-native application judges the service packets sent by the virtual instance that carries the first cloud-native application; if the identifier recorded by the virtual instance manager of the second cloud-native application is consistent with the identifier carried by the first cloud-native application, it then determines according to the configured security rule whether the service packet is allowed or prohibited from accessing the virtual instance of the second cloud-native application. In this way, the permission of each cloud-native application to access other cloud-native applications is controlled on the basis of the identifiers of the different cloud-native applications. The security rule may also be configured across tenants: when the second virtual instance of the second cloud-native application was created by a second tenant, the second security rule entered by the first tenant can be configured by the cloud management platform into the second virtual instance manager for recording. Optionally, the cloud management platform configures the second security rule on the basis that the first tenant has the permission to configure the second virtual instance.

With reference to the first aspect, in a possible implementation of the first aspect, before the cloud management platform receives the security rule for the first cloud-native application entered by the tenant, the method further includes the following specific steps: receiving a second virtual instance creation request entered by the first tenant or a second tenant, where the second virtual instance creation request includes the specification information of the second virtual instance to be created and information on the second cloud-native application to which it belongs; choosing to create the second virtual instance on a second compute node in a second cloud data center that can provide a specification matching the specification information; and configuring, according to the information on the second cloud-native application, the second virtual instance manager of the second compute node to mark the service packets sent by the second virtual instance with the identifier of the second cloud-native application.

In the solution provided by this application, the second virtual instance, or any other virtual instance, may be created by the cloud management platform according to a creation request of the first tenant or according to a creation request of another tenant. Likewise, the creation of the second virtual instance should satisfy the specification information in the creation request. Optionally, the second virtual instance may be created on the first compute node in the first cloud data center or on the second compute node in the second cloud data center. In other words, mutual access between cloud-native applications may span cloud data centers and compute nodes, and access permissions can be managed and controlled through identifiers and security rules. On this basis, by marking the service packets sent by the second virtual instance with the identifier of the second cloud-native application, the service packets that the second virtual instance sends when accessing virtual instances of other cloud-native applications carry the identifier of the second cloud-native application, so that access permissions can be controlled and managed on the basis of that identifier.

With reference to the first aspect, in a possible implementation of the first aspect, the method further includes the following specific steps: setting a first network interface for the first cloud-native application and binding to the first network interface at least one virtual instance that runs a microservice of the first cloud-native application, where the at least one virtual instance running a microservice of the first cloud-native application includes the first virtual instance and the first network interface is located in the first cloud data center indicated by the first site information; and setting a second network interface for the second cloud-native application and binding to the second network interface at least one virtual instance that runs a microservice of the second cloud-native application, where the at least one virtual instance running a microservice of the second cloud-native application includes the second virtual instance and the second network interface is located in the second cloud data center indicated by the second site information. The first network interface and the second network interface are connected to each other through a cloud-native network set up in the infrastructure.

In the solution provided by this application, the at least one virtual instance running a cloud-native application is bound to one or more network interfaces, the different network interfaces are located in the corresponding cloud data centers according to the site information, and the network interfaces are interconnected over the cloud-native network. For example, the cloud data centers communicate with each other over a backbone network or a dedicated cloud line. Thus, when virtual instances in different cloud data centers access each other, they can do so directly through the bound network interfaces, improving the efficiency of connectivity and access.

With reference to the first aspect, in a possible implementation of the first aspect, configuring, according to the information on the first cloud-native application, the first virtual instance manager of the first compute node to mark the service packets sent by the first virtual instance with the identifier of the first cloud-native application specifically includes the following step: configuring the first virtual instance manager to encapsulate the service packet in the inner packet of an overlay packet and to set the identifier of the first cloud-native application in the outer packet of the overlay packet.

In the solution provided by this application, the identifier of a service packet is configured according to the information on the cloud-native application, specifically by encapsulating the information on the cloud-native application in the outer packet of the overlay packet while the service packet is encapsulated in the inner packet of the overlay packet. Thus, when the virtual instance manager receives service packets from other virtual instances, it can identify the identifier carried by each service packet by decapsulating the overlay packet. As a result, when the network interfaces bound to a virtual instance keep changing, only the identifier of the cloud-native application to which the network interface belongs needs to be adjusted, and the security policies of all compute nodes no longer need to be modified, which improves the efficiency of access and interconnection between cloud-native applications.
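As an added illustration (not code from the patent or from Huawei), the following Python models the two mechanisms described in the passages on security rules and on overlay encapsulation above: the sending virtual instance manager places the cloud-native application identifier in the outer packet of an overlay packet, and the receiving manager decapsulates it, compares the identifier with the one it has recorded, applies the tenant's security rule, and caches the verdict until the rules change. The outer header layout, instance names and application identifiers are constructed assumptions, and an identifier with no recorded rule is denied by default (also an assumption).

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ServicePacket:
    """Inner (service) packet exchanged between virtual instances; names are constructed."""
    src_instance: str
    dst_instance: str
    payload: bytes

# Assumed outer header: version (1 byte), app identifier (4 bytes), inner length (2 bytes).
OUTER = struct.Struct("!BIH")
OVERLAY_VERSION = 1

def _encode_inner(pkt: ServicePacket) -> bytes:
    # Length-prefixed fields so arbitrary payload bytes survive encapsulation.
    parts = [pkt.src_instance.encode(), pkt.dst_instance.encode(), pkt.payload]
    return b"".join(struct.pack("!H", len(p)) + p for p in parts)

def _decode_inner(buf: bytes) -> ServicePacket:
    fields, offset = [], 0
    for _ in range(3):
        (n,) = struct.unpack_from("!H", buf, offset)
        offset += 2
        fields.append(buf[offset:offset + n])
        offset += n
    return ServicePacket(fields[0].decode(), fields[1].decode(), fields[2])

def encapsulate(app_id: int, pkt: ServicePacket) -> bytes:
    """Mark an outgoing service packet: the application identifier goes in the
    outer packet, the service packet itself becomes the inner packet."""
    inner = _encode_inner(pkt)
    return OUTER.pack(OVERLAY_VERSION, app_id, len(inner)) + inner

def decapsulate(data: bytes) -> tuple[int, ServicePacket]:
    """Unwrap an overlay packet and return (application identifier, service packet)."""
    if len(data) < OUTER.size:
        raise ValueError("overlay packet too short")
    version, app_id, n = OUTER.unpack_from(data)
    if version != OVERLAY_VERSION or len(data) != OUTER.size + n:
        raise ValueError("malformed overlay packet")
    return app_id, _decode_inner(data[OUTER.size:])


class VirtualInstanceManager:
    """Per-compute-node manager: marks packets from local instances with their app's
    identifier and filters packets to local instances against recorded security rules."""

    def __init__(self) -> None:
        self.instance_app: dict[str, int] = {}            # local instance -> app id
        self.rules: dict[tuple[int, int], bool] = {}      # (src app, dst app) -> allowed?
        self._decisions: dict[tuple[int, int], bool] = {}  # cached verdicts

    def register_instance(self, instance: str, app_id: int) -> None:
        """Set by the platform at creation time (the 'configure the manager' step)."""
        self.instance_app[instance] = app_id

    def record_rule(self, src_app: int, dst_app: int, allow: bool) -> None:
        """Record a tenant's security rule together with the source app identifier."""
        self.rules[(src_app, dst_app)] = allow
        self._decisions.clear()  # rules changed: earlier verdicts must be re-evaluated

    def send(self, pkt: ServicePacket) -> bytes:
        app_id = self.instance_app[pkt.src_instance]  # KeyError: not a local instance
        return encapsulate(app_id, pkt)

    def receive(self, data: bytes) -> tuple[bool, str]:
        """Decide whether the inner packet may reach its local destination."""
        src_app, pkt = decapsulate(data)
        dst_app = self.instance_app.get(pkt.dst_instance)
        if dst_app is None:
            return False, "destination instance not managed by this node"
        key = (src_app, dst_app)
        if key in self._decisions:        # same packet, unchanged rules: reuse verdict
            return self._decisions[key], "cached decision"
        allow = self.rules.get(key)
        if allow is None:                 # assumption: unknown identifier -> deny
            allow, reason = False, "no recorded identifier or rule for source app"
        else:
            reason = "rule allows" if allow else "rule denies"
        self._decisions[key] = allow
        return allow, reason


def demo() -> list[bool]:
    """Constructed scenario: app 100 (vm-1) talks to app 200 (vm-2) across two nodes."""
    node1, node2 = VirtualInstanceManager(), VirtualInstanceManager()
    node1.register_instance("vm-1", 100)
    node2.register_instance("vm-2", 200)
    node2.record_rule(100, 200, True)                  # tenant allows app 100 -> app 200
    wire = node1.send(ServicePacket("vm-1", "vm-2", b"GET /orders"))
    first, _ = node2.receive(wire)                     # judged against the rule
    second, _ = node2.receive(wire)                    # served from the cache
    node2.record_rule(100, 200, False)                 # tenant revokes: cache is cleared
    third, _ = node2.receive(wire)
    node3 = VirtualInstanceManager()
    node3.register_instance("vm-3", 300)               # app never recorded at node2
    fourth, _ = node2.receive(node3.send(ServicePacket("vm-3", "vm-2", b"ping")))
    return [first, second, third, fourth]
```

Note that the identifier is trusted only because the manager on the sending node, not the tenant's workload, sets the outer header; a manager that accepted tenant-supplied outer headers would let any instance impersonate any application.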

With reference to the first aspect, in a possible implementation of the first aspect, the virtual instance includes a virtual machine or a container.

The second aspect, or any implementation of the second aspect, is the apparatus implementation corresponding to the first aspect or any implementation of the first aspect. The description of the first aspect or any implementation of the first aspect applies to the second aspect or any implementation of the second aspect and is not repeated here.

In a third aspect, this application further provides a cloud network system for cloud-native applications, which includes: a cloud-native network used to connect multiple network interfaces, each network interface being bound to one virtual instance; a first virtual instance bound to a first network interface among the multiple network interfaces and used to run a first cloud-native application or one or more microservices of the first cloud-native application; a second virtual instance bound to a second network interface among the multiple network interfaces and used to run a second cloud-native application or one or more microservices of the second cloud-native application; and a cloud management platform used to receive a security rule entered by a tenant, where the security rule indicates the permission of the first cloud-native application to access the second cloud-native application, and the first network interface and/or the second network interface determines according to the security rule whether access packets between the first virtual instance and the second virtual instance are allowed to pass.

In a fourth aspect, this application provides a computing device cluster that includes at least one computing device, each computing device including a processor and a memory. The processor of the at least one computing device is used to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster performs the method of the first aspect or of any implementation of the first aspect.

In a fifth aspect, this application provides a computer program product containing instructions which, when run by a computing device cluster, cause the computing device cluster to perform the method of the first aspect or of any implementation of the first aspect.

In a sixth aspect, this application provides a computer-readable storage medium that includes computer program instructions which, when executed by a computing device cluster, cause the computing device cluster to perform the method of the first aspect or of any implementation of the first aspect.

Brief description of the drawings

Figure 1 is a schematic diagram of a scenario for a cloud management platform that creates virtual instances based on cloud computing technology according to an embodiment of the present invention;

Figure 2 is a schematic architectural diagram of a cloud management platform that creates virtual instances based on cloud computing technology according to an embodiment of the present invention;

Figure 3 is a schematic architectural diagram of a virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 4 is a simplified flowchart of a virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 5 is a schematic flowchart of a virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 6 is another schematic flowchart of a virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 7 is a schematic architectural diagram of a virtual instance creation method based on cloud computing technology according to an embodiment of the present invention, applied in a cloud-native network scenario;

Figure 8 is a schematic architectural diagram of a virtual instance creation method based on cloud computing technology according to an embodiment of the present invention, in a virtual machine scenario;

Figure 9 is a schematic architectural diagram of a virtual instance creation method based on cloud computing technology according to an embodiment of the present invention, in a container scenario;

Figure 10 is a schematic diagram of the data format of the overlay packet used in the virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 11 is a schematic architectural diagram of a cloud network system for the virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 12 is a schematic structural diagram of a cloud management platform for the virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 13 is a schematic structural diagram of a computing device for the virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 14 is a schematic structural diagram of a computing device cluster for the virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 15 is another schematic structural diagram of a computing device cluster for the virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Figure 16 is another schematic structural diagram of a computing device cluster for the virtual instance creation method based on cloud computing technology according to an embodiment of the present invention;

Detailed Description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present application without creative effort fall within the scope of protection of the present application.

Reference herein to "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of this phrase in various places in the specification do not necessarily all refer to the same embodiment, nor are they separate or alternative embodiments that are mutually exclusive of other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.

Reference in this specification to "one embodiment", "some embodiments" or the like means that a particular feature, structure or characteristic described in connection with that embodiment is included in one or more embodiments of the present application. Therefore, the phrases "in one embodiment", "in some embodiments", "in some other embodiments", "in yet other embodiments" and the like appearing in different places in this specification do not necessarily all refer to the same embodiment, but rather mean "one or more but not all embodiments", unless specifically emphasized otherwise. The terms "including", "comprising", "having" and their variations all mean "including but not limited to", unless specifically emphasized otherwise.

First, some of the terms and related technologies involved in the present application are explained with reference to the accompanying drawings to facilitate understanding by those skilled in the art.

Tenant: a user who rents infrastructure. A tenant can register an account on the cloud management platform operated by the public cloud service provider through a browser or another tenant client; the public cloud service provider records the accounts of the different tenants and isolates the public cloud services of different tenants on the basis of those accounts.

Cloud management platform: a platform provided by the public cloud service provider for interacting with users. A user can register an account on the cloud management platform and rent public cloud services with that account, thereby becoming a tenant of the public cloud services. The cloud management platform is also used to manage the infrastructure and to isolate the computing, network and/or storage resources rented by different tenants according to their accounts.

Virtual instance: an instance deployed on a cloud data center of the infrastructure to run public cloud services; the virtual instance provides computing, network or storage resources. Virtual instances include, but are not limited to, virtual machines and containers.

Infrastructure: the facilities that support cloud computing services, including at least one cloud data center. Each data center includes multiple compute nodes, and virtual instances such as virtual machines or containers run on the compute nodes to provide elastic cloud computing services. For example, when the infrastructure includes multiple cloud data centers, the data centers are remotely connected through a backbone network.

Overlay packet: an overlay network technology, specifically a Virtual Extensible Local Area Network (VXLAN) packet. A VXLAN packet consists of an outer packet and an inner packet. The payload of the outer UDP packet carries the VXLAN header, the Inner Ethernet Header, the Inner IP Header and the payload of the inner IP packet; the inner Ethernet header records the source MAC address and destination MAC address of the inner packet, and the inner IP header records the source IP address and destination IP address of the inner packet. The outer packet consists of the Outer Ethernet Header, the Outer IP Header, the outer User Datagram Protocol (UDP) header (Outer UDP Header) and the VXLAN header.

Cloud native application: a collection of interrelated but not independent components (Service, Task, Worker) which, combined with configuration and instantiated at the appropriate runtime, together fulfil a unified functional purpose.

Application Native Cloud (ANC): a network model applied to cloud computing technology. The model allows a tenant to create virtual instances on the cloud and builds the network environment needed by the tenant's computing, storage, network and other cloud resources; it is one implementation of a cloud native network.

Network interface: under the cloud native network, when a tenant creates a virtual instance it must invoke a network interface and specify the site where the network interface is located and the cloud native application, under the cloud native network, to which it belongs. By creating a global cloud native network environment, the network interfaces of the individual sites can be directly interconnected.

Container: a virtualization technology in computer operating systems. It lets processes run in a relatively independent and isolated environment (with an independent file system, namespaces, resource view and so on), which simplifies software deployment, improves the portability and security of software, and raises system resource utilization. Container technology is widely used in service-oriented scenarios in the cloud computing field.

Region: a public cloud service provider sets up public cloud data centers in regions at different geographical locations; public cloud devices in the public cloud data centers of different regions must communicate through a remote connection gateway.

Site: a location attribute under the Application Native Cloud network. Cloud data centers can be set up at different geographical locations, each providing cloud services to the tenants within the range it covers; the cloud data center deployed at such a location is a site. Sites follow a flat model that includes core sites and edge sites, and a site can also be a data center that the tenant sets up on premises.

Global: a location attribute under the Application Native Cloud network, one level above the site attribute; this level manages the cloud services deployed at the different sites around the world.

To facilitate the description of the virtual instance creation method based on cloud computing technology in the embodiments of the present invention, please first refer to Figure 1, which is a schematic scenario diagram of the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention. As shown in Figure 1, the cloud management platform 20 manages the infrastructure 1, and the infrastructure 1 contains cloud data center clusters set up in multiple regions. As an example, the regions include region 10, region 11 and region 12; each region is provided with one cloud data center cluster (not shown), and each cloud data center cluster contains multiple cloud data centers: the cloud data center cluster in region 10 contains cloud data center 101, cloud data center 102 and cloud data center 103, the cluster in region 11 contains cloud data center 111, cloud data center 112 and cloud data center 113, and the cluster in region 13 contains cloud data center 121, cloud data center 122 and cloud data center 123. Each cloud data center in turn contains multiple compute nodes; the exemplary data center 101 contains compute node 1011, compute node 1012, and so on.

Continuing with Figure 1, the cloud management platform 20 manages the infrastructure 1. Tenant A connects to the Internet through the tenant client 21 and logs in to the cloud management platform 20 with an account bound to tenant A that was registered in advance on the cloud management platform 20. The cloud management platform 20 provides a configuration interface for configuring the cloud services running in the infrastructure.

For example, the tenant client 21 and the tenant client 22 may be terminal devices such as a mobile phone with Internet access, a personal computer, a personal digital assistant or a thin client, a vehicle-mounted host, or any other terminal device with Internet access.

Please refer to Figure 2, which is a schematic system structure diagram of the cloud management platform for virtual instance creation based on cloud computing technology provided by an embodiment of the present invention. Specifically, Figure 2 shows the detailed structure of the cloud data center shown in Figure 1. As shown in Figure 2, the cloud data center 101 includes multiple compute nodes 1011, 1012, ..., each connected to a bandwidth allocation device 1010. Compute node 1011 includes a hardware layer and a software layer. The virtual instance 10111 sits on the software layer of compute node 1011, which also includes a host operating system 10113; the virtual instance manager 101131 sits on the host operating system 10113 and contains a cloud management platform client 1011311. The virtual instance manager 101131 manages the virtual instance 10111 and communicates with the cloud management platform 20 through the cloud management platform client 1011311. When a service packet sent by another compute node to access a virtual instance under the virtual instance manager 101131 arrives, the virtual instance manager 101131 decapsulates the packet and identifies the source virtual instance of the service packet. The hardware layer of compute node 1011 includes memory 10114, processor 10115, network card 10116 and hard disk 10117; the network card 10116 is connected to the bandwidth allocation device 1010 in the cloud data center, and the virtual instance 10111 accesses the Internet through the network card 10116, so that the network packets of virtual instance 10111 (outgoing and incoming) are exchanged with devices on the Internet via the bandwidth allocation device 1010.

It should be noted that in the embodiments of the present invention the number of virtual machines can be set as required; the embodiments of the present invention do not limit this.

In the public cloud system described in Figures 1 and 2, when a tenant creates virtual instances, and especially when multiple virtual instances must be created and networked together to form certain services, the tenant needs to be familiar with multiple cloud products of the current cloud network model, including the Virtual Private Cloud (VPC), the Elastic Load Balance (ELB) and the Network Address Translation (NAT) gateway, and must partition network parameters such as private network segments and private addresses during configuration. Because of the complex network model and configuration parameters, when virtual instances created by a tenant access each other across regions or cloud data centers, service packets must pass through multiple levels of ingress and egress; and in particular, when network security policies are managed for different virtual instances, the security policy of a compute node must be modified whenever the virtual instances running on it change. This makes the management of cloud resources highly complex, which runs counter to the need for rapid development, deployment and management of cloud native applications.

To solve the above problems, the present application provides a virtual instance creation method based on cloud computing technology. The method creates a virtual instance on a compute node determined from the specification information entered by the tenant and the information of the cloud native application to which the instance belongs. Because the virtual instance runs the cloud native application, or one or more microservices of it, the virtual instance manager that manages the virtual instance is configured to record the identifier of the cloud native application running on the virtual instance and to mark the service packets sent by the virtual instance with that identifier, so that the virtual instance manager can determine the security policy from the identifier. Consequently, even when the virtual instances used to run the cloud native application change, the security policy no longer has to be repeatedly modified on each compute node.

Based on the scenarios described in Figures 1 and 2, the virtual instance creation method based on cloud computing technology provided by the embodiment of the present invention is described in detail below with reference to Figure 3.

Please refer to Figure 3, which is an architectural schematic diagram of the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention. Specifically:

Tenant A accesses the cloud management platform 20 through the tenant client 21; the cloud management platform 20 manages the infrastructure 1, in which compute nodes 1011, 1021, ... are set up. With reference to Figure 1, compute node 1011 is located in cloud data center 101 and compute node 1021 in cloud data center 102. Compute node 1011 hosts a virtual instance 10111 running the cloud native application 41 or one or more of its microservices, and compute node 1021 hosts a virtual instance 10212 running the cloud native application 42 or one or more of its microservices. When the cloud native application 41 generates a service packet to access the cloud native application 42 during operation, the virtual instance 10111 sends the service packet to the network interface 411, which passes it to the virtual switch 400 for encapsulation. Optionally, the network interface may be a Network Endpoint (NEP). The virtual switch 400 then sends the encapsulated overlay packet from compute node 1011 to the virtual switch 401 of compute node 1021, and the virtual switch 401 decapsulates the overlay packet and forwards it to the network interface 421. With reference to Figure 1, the virtual switch 400 is located in the virtual instance manager 101131 and the virtual switch 401 in the virtual instance manager 102131. When a service packet sent by the virtual instance 10111 is forwarded by the virtual instance manager 101131, the virtual instance manager 101131 marks it: according to the information of the cloud native application 41, it marks the service packets sent by the virtual instance 10111 with the identifier of that cloud native application. When the virtual instance manager 102131 decapsulates the overlay packet, it can recognise that the service packet comes from the cloud native application 41, and so manage the security policy for accessing the cloud native application 42 on the basis of the identifier.

Please continue with Figure 4, which is a simplified flow chart of the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention. As shown in Figure 4, the method includes, but is not limited to, the following steps:

Step S301: The cloud management platform receives a virtual instance creation request entered by the tenant; the request includes the specification information of the virtual instance to be created and the information of the cloud native application to which it belongs.

With reference to the architecture of Figure 3, for example, the cloud management platform 20 obtains the virtual instance creation request entered by tenant A, which includes the specification information of the virtual instance 10111 to be created and the information of the cloud native application 41. The specification information may include the fault domain, deployment set, host health status, host model, processor architecture, number of processor cores, bandwidth, memory size, number of network cards and so on; the present invention does not limit this.

By obtaining the virtual instance creation request entered by the tenant, the tenant can be provided with a virtual instance matching its specification requirements according to its actual needs.

Step S302: Create the virtual instance on a compute node in the cloud data center that can provide a specification matching the specification information.

According to the specification information of the virtual instance entered by the tenant, the cloud management platform selects, in the infrastructure, a compute node that matches the specification information and creates the virtual instance there; the virtual instance runs the cloud native application or one or more of its microservices. For example, with reference to Figure 3, the cloud management platform 20 selects the compute node 1011, which can provide the specification entered by the tenant, to create the virtual instance 10111, which runs the cloud native application 41 or one or more microservices of the cloud native application 41.

The virtual instance creation request entered by the tenant includes the specification information of the virtual instance to be created and the information of the cloud native application. The cloud management platform can select, in the infrastructure, a compute node that satisfies that specification information. Optionally, when tenant A enters multiple virtual instance creation requests, the cloud management platform can provide tenant A with virtual instances on different compute nodes or on the same compute node, provided they satisfy the specification information; the different compute nodes may be located in different cloud data centers or in the same cloud data center, which the embodiments of the present invention do not limit.

Step 303: According to the information of the cloud native application, configure the virtual instance manager of the compute node to mark the service packets sent by the virtual instance with the identifier of the cloud native application.

The cloud management platform can configure the virtual instance manager to mark the packets sent by the virtual instance and encapsulate them into overlay packets for transmission. As shown in Figure 2, compute node 1011, where virtual instance 10111 resides, is configured with the virtual instance manager 101131. With reference to Figure 3, when the virtual instance 10111, while running the cloud native application 41, generates a service packet to access the virtual instance 10212, the packet reaches the virtual switch 400 through the network interface 411 for forwarding; the virtual switch 400 is managed by the virtual instance manager 101131 (not shown in the figure) of compute node 1011. When the service packet passes through the virtual switch 400, the virtual instance manager 101131, as configured by the cloud management platform 20, marks the service packet with the identifier of the cloud native application 41.

On the basis of the preceding steps, the virtual instance creation request entered by the tenant is obtained, and the service packets sent by the created virtual instance during operation are marked according to the cloud native application information in the request; after encapsulation they become access packets that the compute node sends to the access target. It should be noted that the encapsulation can be performed by the virtual instance manager or by the network card of the compute node. The access packet thus carries the identifier of the cloud native application, and when the destination compute node receives the access packet and decapsulates the service packet, it can recognise the identifier carried by the service packet. The access rights of the service packet are then managed according to that identifier, which implements control of the security policy of the access target.

For further clarity, please continue with Figure 5, which is a schematic flowchart of the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention. Specifically:

Figure 5 is a further detailed description of the virtual instance creation method of Figure 4. With reference to the structure shown in Figure 3, and as further shown in Figure 5, the method includes the following steps:

S101. The tenant client 21 sends the virtual instance creation request entered by tenant A.

Tenant A logs in to the cloud management platform 20 through the tenant client 21 and enters a virtual instance creation request through the interface provided by the cloud management platform 20; the request includes the specification information of the virtual instance to be created and the information of the cloud native application to which it belongs.

It should be noted that the information of the cloud native application may include its name, identification ID, path information, attribute information, user information and so on, one or more of which can be used to mark service packets; the embodiments of the present invention do not limit this.

Optionally, the virtual instance creation request entered by the tenant may also include site information. Site information refers to a site deployed in a certain country or region to provide cloud services to tenants in a certain range of countries or regions, and includes the geographical location, service content, coverage and so on; the embodiments of the present invention do not limit this.

In addition, in the embodiments of the present invention, the tenant client 21 may be a terminal device such as a mobile phone with Internet access, a personal computer, a personal digital assistant or a thin client, a vehicle-mounted host, or any other terminal device with Internet access.

S102. The cloud management platform 20 receives the virtual instance creation request entered by tenant A.

The cloud management platform 20 receives the virtual instance request entered by tenant A through the interface provided by the cloud management platform 20.

S103. Select the compute node 1011 in the cloud data center 101 that can provide a specification matching the specification information.

Based on the specification information of the virtual instance 10111 and the information of the cloud native application 41 contained in the virtual instance creation request entered by tenant A, and given that the compute node 1011 in the cloud data center 101 can provide a specification matching that specification information, the cloud management platform 20 selects the compute node 1011 as the hardware carrier on which the virtual instance 10111 runs.

The cloud management platform 20 may select the compute node for creating the virtual instance according to a configuration entered by tenant A, or according to preset rules; the embodiments of the present invention do not limit this.

Optionally, when the virtual instance creation request entered by tenant A includes site information, the cloud management platform 20 may select, at the site entered by tenant A, a compute node in that site's cloud data center that matches the specification information.

S104.创建虚拟实例10111。S104. Create virtual instance 10111.

The cloud management platform 20 creates a virtual instance 10111 in the computing node 1011, where the virtual instance 10111 is used to run the cloud native application 41 or one or more microservices of the cloud native application 41. The cloud native application 41 may be configured by the cloud management platform 20 according to the information of the cloud native application 41 input by tenant A, or configured by the cloud management platform 20 according to the information of the cloud native application 41 input by another tenant with the relevant permissions.

Optionally, the virtual instance 10111 may also be used to run a certain part of one microservice of the cloud native application 41; this is not limited in the embodiments of the present invention.

S105. Configure, according to the information of the cloud native application 41, the virtual instance manager 101131 of the computing node 1011 to mark the service packet P1 sent by the virtual instance 10111 with the identifier of the cloud native application.

The cloud management platform 20 configures, according to the information of the cloud native application 41, the virtual instance manager 101131 of the computing node 1011 to mark the service packet P1 sent by the virtual instance 10111 with the identifier of the cloud native application 41.

S106. Send the security rule R1 input by the tenant.

Tenant A logs in to the cloud management platform 20 through the tenant terminal 21 and inputs the security rule R1 through the interface provided by the cloud management platform 20. The security rule R1 is used to manage the access permissions to the cloud native application 41: when another cloud native application generates a service packet that accesses the cloud native application 41, the security rule R1 determines whether that service packet has permission to access the cloud native application 41.

It should be noted that, whether for the virtual instance creation request or for the security rule input by the tenant, the input mentioned here may be entered directly by the tenant on the input interface provided by the cloud management platform, or selected by the tenant from the different options provided by the cloud management platform.

S107. Receive the security rule R1 input by the tenant.

The cloud management platform 20 receives the security rule R1 input by tenant A.

S108. Configure the virtual instance manager 101131 of the computing node 1011 to record the security rule R1.

The cloud management platform 20 configures the virtual instance manager 101131 in the computing node 1011 to record the security rule R1 input by the tenant.

S109. The virtual instance manager 101131, according to the security rule R1, allows or prohibits a service packet P2, sent to the virtual instance 10111 by a virtual instance that runs another cloud native application or one or more microservices of another cloud native application, from being delivered to the virtual instance 10111.

From step S105 it can be seen that the virtual instance manager 101131 marks the service packet P1, sent by the virtual instance 10111 running the cloud native application 41 or one or more of its microservices, with the identifier of the cloud native application 41. Similarly, the infrastructure also contains virtual instances that run other cloud native applications or one or more microservices of other cloud native applications. When such a virtual instance generates, during operation, a service packet P2 that accesses the virtual instance 10111, the service packet P2 is likewise marked with the identifier of the cloud native application it runs. Consequently, when the service packet P2 passes through the virtual instance manager 101131 in the computing node 1011, the virtual instance manager 101131 recognizes the identifier of the cloud native application marked in the service packet P2 and, according to the permission that the recorded security rule R1 grants the service packet P2 to access the virtual instance 10111, decides whether to forward the service packet P2 to the virtual instance 10111.

Through the above steps, access permissions and security policies are managed by means of the identifier of the cloud native application. Specifically, the identifier of the cloud native application is marked in the service packets sent by the virtual instance, and the identifier is then recognized and authenticated, so that permission management and control during service packet forwarding no longer has to rely solely on the source IP address and destination IP address. For example, the infrastructure contains multiple computing nodes, multiple cloud native applications and multiple virtual instances used to run these cloud native applications. When, while a cloud native application is running, different virtual instances are invoked to run the multiple microservices of the same cloud native application, the constantly changing virtual instances require correspondingly changing network interface configurations. By managing the security policy according to the identifier of the cloud native application, it is not necessary to modify the security policy on every computing node when a change of network interface causes an IP address change; only the identifier of the cloud native application to which the changed network interface belongs needs to be configured, which simplifies security policy configuration and improves the efficiency of permission management.

In an embodiment of the present invention, please continue to refer to Figure 6. Figure 6 is another schematic flow diagram of the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention, described in conjunction with Figure 3. Specifically:

S101. The virtual instance 10211 is deployed on the computing node 1021.

The infrastructure 1 contains a computing node 1021 located in the cloud data center 102, and a virtual instance 10211 is provided on the computing node 1021. The virtual instance 10211 is used to run the cloud native application 42 or one or more microservices of the cloud native application 42.

S102. Send the security rule R2 input by the tenant.

Tenant A logs in to the cloud management platform 20 through the tenant terminal 21 and inputs the security rule R2 on the interface provided by the cloud management platform 20. The security rule R2 is used to manage the permission of the cloud native application 41 to access the cloud native application 42.

S103. Receive the security rule R2 input by the tenant.

The cloud management platform 20 receives the security rule R2 input by tenant A.

Optionally, the virtual instance 10211 may also be created in the infrastructure according to a virtual instance creation request input by tenant A or tenant B. Specifically, before the cloud management platform 20 receives the security rule R2 input by tenant A, the cloud management platform 20 may also receive a virtual instance creation request for the virtual instance 10211 input by tenant A or tenant B from the respective tenant terminal. The virtual instance creation request includes the specification information of the virtual instance 10211 and the information of the cloud native application 42 to which it belongs. According to the virtual instance creation request, the cloud management platform 20 chooses to create the virtual instance 10211 on a computing node 1021 in the cloud data center 102 that can provide a specification matching the aforementioned specification information. On this basis, according to the information of the cloud native application 42, the virtual instance manager 102131, which is provided on the computing node 1021 to manage the virtual instance 10211, is configured to mark the service packets sent by the virtual instance 10211 with the identifier of the cloud native application 42.

S104. Configure the virtual instance manager 102131 of the computing node 1021 to record the identifier of the cloud native application 41 and the security rule R2.

The cloud management platform 20 configures the virtual instance manager 102131 provided on the computing node 1021 to record the identifier of the cloud native application 41 and the security rule R2.

S105. The destination address of the service packet P1 sent by the virtual instance 10111 is the virtual instance 10211.

While running the cloud native application 41 or one or more microservices of the cloud native application 41, the virtual instance 10111 generates a service packet P1 that accesses the virtual instance 10211; the destination IP address of the service packet P1 is that of the virtual instance 10211.

S106. The virtual instance manager 102131 checks whether the identifier of the cloud native application 41 marked in the service packet P1 sent by the virtual instance 10111 is consistent with the identifier it has recorded.

When the service packet P1 arrives at the computing node 1021, the virtual instance manager 102131 recognizes the identifier contained in the service packet and determines whether the cloud native application 41 marked in the service packet P1 sent by the virtual instance 10111 is consistent with the identifier it has recorded. If they are consistent, the next step is performed; if they are inconsistent, the service packet P1 is prohibited from accessing the virtual instance 10211.

S107. When the identifiers are consistent, allow or prohibit the service packet P1 from being sent to the virtual instance 10211 according to the security rule R2.

When the virtual instance manager 102131 determines that the identifier of the cloud native application 41 marked in the service packet P1 is consistent with the identifier it has recorded, it decides, according to the recorded security rule R2, whether to allow or prohibit the service packet P1 from being sent to the virtual instance 10211.

S108. The case where the security rule R2 allows the service packet P1 to be sent to the virtual instance 10211.

When the security rule R2 recorded by the virtual instance manager 102131 allows the service packet P1 to be sent to the virtual instance 10211, the next step is performed.

S109. Send the service packet P1 to the virtual instance 10211.

The virtual instance manager 102131 forwards the received service packet P1 to the virtual instance 10211.

S110. The case where the security rule R2 prohibits the service packet P1 from being sent to the virtual instance 10211.

When the security rule R2 recorded by the virtual instance manager 102131 prohibits the service packet P1 from being sent to the virtual instance 10211, the service packet P1 is not forwarded by the virtual instance manager 102131.

S111. Feed back a sending-failure message.

The virtual instance manager 102131 feeds back to the virtual instance 10111 a message indicating that the sending of the service packet P1 failed.

S112. Feed back a sending-failure message.

The virtual instance manager 102131 feeds back to the cloud management platform 20 a message indicating that the sending of the service packet P1 failed, and the cloud management platform 20 records it.

In an embodiment of the present invention, for example, a company has configured a finance cloud native application and a human resources cloud native application. The finance cloud native application is run by the virtual instance 10111 and the human resources cloud native application is run by the virtual instance 10211. The virtual instance 10111 is provided on the computing node 1011. The computing node 1011 and the computing node 1021 may be deployed in the same cloud data center or in different cloud data centers; likewise, they may be deployed at the same site or at different sites. For ease of explanation, in this embodiment the computing node 1011 is deployed in the cloud data center 101, the virtual instance 10211 is provided on the computing node 1021, and the computing node 1021 is deployed in the cloud data center 102, the two belonging to different sites.

When the human resources cloud native application does not want to be accessed by other cloud native applications or by one or more microservices of other cloud native applications, the security rule R1 can be configured through the cloud management platform 20 to prohibit access by other cloud native applications or by one or more of their microservices, and the virtual instance manager 102131 on the computing node 1021 is configured to record the security rule R1. During operation, the virtual instance 10111 generates a service packet P1 that accesses the virtual instance 10211; the service packet P1 is marked by the virtual instance manager 101131 and carries the identifier of the finance cloud native application. When it reaches the virtual instance manager 102131, the virtual instance manager 102131 determines that the cloud native application identifier carried in the service packet P1 belongs to another cloud native application or to one or more microservices of another cloud native application, prohibits its access, and stops forwarding the service packet P1 to the virtual instance 10211.

When the human resources cloud native application prohibits access only by the finance cloud native application or by one or more of its microservices while allowing access by other cloud native applications, the company can also configure the security rule R2 through the cloud management platform 20. The security rule R2 prohibits the finance cloud native application from accessing the human resources cloud native application, and the virtual instance manager 102131 on the computing node 1021 is configured to record the security rule R2 and the identifier of the finance cloud native application whose access is prohibited. During operation, the virtual instance 10111 generates a service packet P1 that accesses the virtual instance 10211; the service packet P1 is marked by the virtual instance manager 101131 and carries the identifier of the finance cloud native application. When it reaches the virtual instance manager 102131, the virtual instance manager 102131 determines that the cloud native application identifier carried by the virtual instance 10111 is consistent with the identifier it has recorded, and that the recorded security rule R2 prohibits access by service packets marked with that identifier, and therefore stops forwarding the service packet P1 to the virtual instance 10211.

In the above virtual instance creation method based on cloud computing technology, when a cloud native application, or one or more of its microservices, needs precise security policies to manage the access permissions of other cloud native applications or of one or more of their microservices, this technical solution achieves permission management of the accessing side by recognizing and judging the identifier at the destination side. Especially when security policies are configured for a large number of cloud native applications and the microservices they contain, configuration efficiency is improved and the complexity of the configuration operation is greatly reduced.

Based on the virtual instance creation method implemented by the above steps, the present invention further provides an embodiment in an application native cloud network. Please refer to Figure 7, which is a schematic architectural diagram of the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention in an application native cloud network scenario. Specifically:

The application native cloud network scenario includes a Global management and control plane and Site-level controllers for each site. By calling the global API, address management, rule management and application management under the Global management and control plane can be configured. ANC is the Global model; this model contains the network address range specified by the tenant, and if the tenant does not specify one, ANC can allocate a network address range to the tenant.

Specifically, ANC can automatically allocate the addresses it manages. The Global management and control plane of ANC divides the IP address pool contained in the network address range of the tenant's ANC into several small IP address pools, that is, it manages addresses by address sharding. This includes the following steps:

a) When a tenant creates a network interface based on ANC at a certain Site, the address allocation module in the Site-level controller of ANC first automatically allocates an address from the address pool of this Site.

b) If the address pool of this Site is exhausted, the address allocation module in the Site-level controller requests new address space from the Global-level address management module. On receiving this request, the Global address management module takes a shard address pool from the pool of free address shards and returns it to the Site-level address allocation module to replenish the address pool of this Site.

c) When all the addresses in a shard held by a Site controller have been released, the shard is reclaimed from the Site's address pool, that is, the shard address pool no longer belongs to this Site and is returned to the free address pool of ANC, from which it can be allocated to other sites in the future.
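The sharding scheme of steps a) to c), written out as an added example that is not the patent's or the platform's own code: a Global address manager hands /28 shards to Site-level allocators on demand and takes them back once fully released. The class and method names, the /28 shard size and the sample address range 10.0.0.0/26 are assumptions chosen for illustration.

```python
"""Added example: a small model of the ANC address-sharding scheme (steps a-c).
Not the project's own code; names, shard size and address range are assumptions."""
import ipaddress
from typing import Dict, List, Optional, Set


class GlobalAddressManager:
    """Global-level address management module: owns the tenant's address range
    and keeps a pool of free shards (small sub-pools) carved out of it."""

    def __init__(self, network_range: str, shard_prefix: int = 28) -> None:
        net = ipaddress.ip_network(network_range)
        # Address sharding: split the tenant range into small address pools.
        self.free_shards: List[ipaddress.IPv4Network] = list(net.subnets(new_prefix=shard_prefix))

    def request_shard(self) -> Optional[ipaddress.IPv4Network]:
        """Step b): hand one free shard to a Site whose pool is exhausted."""
        return self.free_shards.pop(0) if self.free_shards else None

    def reclaim_shard(self, shard: ipaddress.IPv4Network) -> None:
        """Step c): a fully released shard returns to the free pool."""
        self.free_shards.append(shard)


class SiteAddressAllocator:
    """Address allocation module inside one Site-level controller."""

    def __init__(self, site: str, global_mgr: GlobalAddressManager) -> None:
        self.site = site
        self.global_mgr = global_mgr
        # shard -> addresses of that shard still free at this Site
        self.shards: Dict[ipaddress.IPv4Network, Set[ipaddress.IPv4Address]] = {}
        # address -> shard it was taken from
        self.in_use: Dict[ipaddress.IPv4Address, ipaddress.IPv4Network] = {}

    def allocate(self) -> Optional[ipaddress.IPv4Address]:
        """Step a): take an address from the Site pool; on exhaustion apply step b)."""
        for shard, free in self.shards.items():
            if free:
                addr = min(free)
                free.remove(addr)
                self.in_use[addr] = shard
                return addr
        shard = self.global_mgr.request_shard()
        if shard is None:
            return None  # the tenant's whole address range is exhausted
        self.shards[shard] = set(shard.hosts())
        return self.allocate()

    def release(self, addr: ipaddress.IPv4Address) -> bool:
        """Give an address back; when its shard is entirely free, return the shard
        to the Global module (step c)). Returns True when a shard was reclaimed."""
        shard = self.in_use.pop(addr)
        self.shards[shard].add(addr)
        if len(self.shards[shard]) == len(list(shard.hosts())):
            del self.shards[shard]
            self.global_mgr.reclaim_shard(shard)
            return True
        return False


def demo() -> Dict[str, object]:
    """Constructed walk-through: 10.0.0.0/26 yields four /28 shards of 14 hosts each.
    Site A allocates 15 addresses (the 15th triggers step b)), Site C allocates one,
    then Site A releases its first 14 addresses so the first shard is reclaimed."""
    global_mgr = GlobalAddressManager("10.0.0.0/26")
    site_a = SiteAddressAllocator("site-A", global_mgr)
    site_c = SiteAddressAllocator("site-C", global_mgr)
    a_addrs = [site_a.allocate() for _ in range(15)]
    c_addr = site_c.allocate()
    shards_before_release = len(site_a.shards)
    reclaimed = [site_a.release(a) for a in a_addrs[:14]]
    return {
        "first": str(a_addrs[0]),
        "fifteenth": str(a_addrs[14]),
        "site_c": str(c_addr),
        "shards_before_release": shards_before_release,
        "reclaimed_on_last_release": reclaimed[-1],
        "reclaimed_earlier": any(reclaimed[:-1]),
        "global_free_after": len(global_mgr.free_shards),
    }


if __name__ == "__main__":
    print(demo())
```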

In an embodiment of the present invention, with reference to Figure 3, when a tenant creates a network interface based on ANC, there is no need to specify an IP address, since the ANC management and control plane allocates one; the tenant only needs to specify the Site where the network interface is located and the cloud native application to be bound. When the network interface forwards service packets sent by the virtual instance on which the cloud native application runs, the network interface is, through the configuration of the virtual instance manager, integrated with the identifier of the cloud native application, so that from then on all packets sent from this network interface carry the identifier of the cloud native application to which it belongs.

On this basis, after the security rule input by the tenant is obtained, no IP address needs to be configured; it is only necessary to determine at the destination side which accessing-side cloud native application may access it, and the management and control plane delivers the security rule to the data plane to deploy the security policy.

In the above ANC scenario, an embodiment of the present invention further discloses an implementation of a virtual machine instance. Please refer to Figure 8, which is a schematic architectural diagram of a virtual machine instance of the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention. Specifically:

The virtual instance 10111, virtual instance 10112, virtual instance 10211 and virtual instance 10212 are all virtual machines. The virtual instances 10111 and 10112 are used to run the cloud native application 41, and the virtual instances 10211 and 10212 are used to run the cloud native application 42; the cloud native application 41 and the cloud native application 42 communicate in the application native cloud network 40. The virtual instance 10111 is deployed in the cloud data center 101 at core site A and is bound to the network interface 411 provided in the cloud data center 101 indicated by core site A for network access. The virtual instance 10112 is deployed in the cloud data center 101 at edge site B and is bound to the network interface 412 provided in the cloud data center indicated by edge site B for network access. The virtual instance 10211 is deployed in the cloud data center 102 at core site C and is bound to the network interface 421 provided in the cloud data center 102 indicated by core site C for network access. The virtual instance 10212 is deployed at private site D and is bound to the network interface 422 of the local data center indicated by private site D for network access. Edge site B, core site A and core site C may be in the same geographical location or in different geographical locations; the private site belongs to the tenant's local data center.

For example, a tenant can use an interface to create virtual machines and Auto Scaling (AS) groups. When creating a virtual machine, the virtual network interface is invoked to create the corresponding NEP. At this point the tenant does not need to specify network-related parameters such as Region, VPC, Subnet or AZ, but only the Site where the NEP is located and the cloud native application under the ANC to which it belongs. On the network resource side, direct interconnection of the NEPs at the various sites is achieved by creating a global ANC network. The access permissions of the cloud native application can then be managed by configuring its security policy according to the foregoing embodiments.

In the ANC scenario, an embodiment of the present invention further discloses an implementation of a container instance. Please refer to Figure 9, which is a schematic architectural diagram of a container instance of the container creation method based on cloud computing technology provided by an embodiment of the present invention. Specifically:

The computing resources in the figure include the virtual instances 10111, 10112, 10121, 10122, 10211, 10212, 10221 and 10222, all of which are containers. The virtual instances 10111, 10112, 10121 and 10122 are used to run the cloud native application 51, and the virtual instances 10211, 10212, 10221 and 10222 are used to run the cloud native application 52; the cloud native application 51 and the cloud native application 52 communicate in the application native cloud network 50. The virtual instances 10111 and 10112 are deployed at core site A and are bound to the network interfaces 511 and 512 respectively for network access; the virtual instances 10121 and 10122 are deployed at edge site B and are bound to the network interfaces 513 and 514 respectively for network access. The virtual instances 10211 and 10212 are deployed at core site C and are bound to the network interfaces 521 and 522 respectively for network access; the virtual instances 10221 and 10222 are deployed at private site D and are bound to the network interfaces 523 and 524 respectively for network access. Edge site B, core site A and core site C may be in the same geographical location or in different geographical locations; the private site belongs to the tenant's local data center.

For example, in the container instance scenario, the tenant does not need to be concerned with interconnecting multiple regions; it only needs to create a global ANC, and the NEPs at the various sites can then interconnect directly. Because ANC allocates IP addresses automatically, IP addresses are bound to the individual network interfaces in the process of creating the network interfaces bound to the container instances, without the network address range having to be configured. By matching the site information and the information of the cloud native application to which each container instance belongs, security policies can be configured on top of this interconnection using the cloud native application identifier as the object of recognition, which simplifies the management of access permissions; the specific configuration process is as described in the foregoing steps.

Please continue to refer to Figure 10, which is a schematic diagram of the data format of the overlay packet of the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention. As shown in Figure 10, the overlay packet in the embodiment of the present invention may be encapsulated in the VXLAN format. Specifically:

A VXLAN packet encapsulates the inner packet in the data part (payload) of a UDP packet. The data part of the UDP packet carries the VXLAN header, the Inner Ethernet Header, the Inner IP Header and the data part (Payload) of the IP packet. The inner packet comprises the inner Ethernet header, the inner IP header and the data part (Payload) of the IP packet; the inner Ethernet header records the source MAC address and destination MAC address of the inner packet, and the inner IP header records the source IP address and destination IP address of the inner packet.

The VXLAN packet further includes a tunnel encapsulation header, which includes an Outer Ethernet Header, an Outer IP Header, an Outer User Datagram Protocol (UDP) Header and the VXLAN header. The VXLAN header includes a VXLAN Flags field (8 bits), a Reserved field (24 bits), a VNI (14 bits) and a Reserved field (24 bits).

The outer Ethernet header records the source MAC address and destination MAC address of the VXLAN Tunnel End Point (VTEP), and the outer IP header records the source IP address and destination IP address of the VXLAN tunnel end point.

A VXLAN tunnel end point is also called a VTEP device. A VTEP device is an endpoint of a VXLAN tunnel and is used to encapsulate inner packets: it adds the outer Ethernet header, outer IP header, outer UDP header and VXLAN header to the inner packet to produce a VXLAN packet and sends it to other VTEP devices. It can also decapsulate VXLAN packets received from other VTEP devices: it strips the outer Ethernet header, outer IP header, outer UDP header and VXLAN header of the VXLAN packet to obtain the inner packet, and obtains the VNI from the VXLAN header.

In the embodiments of the present invention, the virtual instance manager can be configured as a VXLAN tunnel end point to encapsulate the service packets sent by the virtual instance, placing the service packet in the inner packet of the overlay packet, that is, in the Payload part of the UDP packet. The identifier of the cloud native application is placed in the outer packet of the overlay packet; specifically, the identifier of the cloud native application can be placed in the VXLAN header as part of the outer packet by means of the VXLAN GPE protocol. Thus, when the overlay packet reaches the virtual instance manager at the destination side, the identifier of the cloud native application can be recognized during decapsulation of the overlay packet, and the security policy can then be judged according to the security rules.
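The identifier-based check of steps S104 to S112 (the finance / human resources example above) combined with the overlay-header marking just described, as an added example that is not the patent's or the platform's own code: a source-side virtual instance manager tags each service packet with its application identifier, and the destination-side manager decapsulates, matches the identifier against what it has recorded, applies the security rule and reports failures. The 8-byte header layout (1 byte flags, 3 bytes VNI, 4 bytes application identifier) is a constructed simplification and not the VXLAN or VXLAN GPE wire format; all class, function and sample names, and the application identifier 43, are assumptions.

```python
"""Added example (not the patent's own code): simulation of application-identifier
marking at the source (S105) and the identity check plus rule lookup at the
destination (S104, S106-S112). The header layout below is a constructed
simplification, not the VXLAN / VXLAN GPE wire format."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed overlay header: flags (1 byte), VNI (3 bytes), application id (4 bytes).
HDR = struct.Struct("!B3s4s")
FLAG_APP_ID_PRESENT = 0x08  # assumed flag bit meaning "application id is valid"


def mark_packet(app_id: int, vni: int, inner: bytes) -> bytes:
    """Source-side virtual instance manager (S105): prepend the overlay header that
    carries the identifier of the cloud-native application the sender runs."""
    return HDR.pack(FLAG_APP_ID_PRESENT, vni.to_bytes(3, "big"), app_id.to_bytes(4, "big")) + inner


def parse_overlay(pkt: bytes) -> Tuple[int, Optional[int], bytes]:
    """Decapsulate one overlay packet: (vni, application id or None, inner packet)."""
    if len(pkt) < HDR.size:
        raise ValueError("truncated overlay header")
    flags, vni, app_id = HDR.unpack_from(pkt)
    app = int.from_bytes(app_id, "big") if flags & FLAG_APP_ID_PRESENT else None
    return int.from_bytes(vni, "big"), app, pkt[HDR.size:]


@dataclass
class Decision:
    forwarded: bool
    reason: str
    inner: bytes = b""


@dataclass
class DestinationVIM:
    """Destination-side virtual instance manager: records the identifiers it knows
    (S104) and the tenant's security rule, then decides per packet (S106-S112)."""
    known_app_ids: Set[int]
    rule: Dict[int, bool]  # app id -> True (allow) / False (prohibit); unlisted ids are denied
    failure_reports: List[str] = field(default_factory=list)  # S111/S112 feedback log

    def ingress(self, pkt: bytes) -> Decision:
        try:
            _vni, app_id, inner = parse_overlay(pkt)
        except ValueError as exc:
            return self._reject(f"malformed overlay packet: {exc}")
        if app_id is None or app_id not in self.known_app_ids:
            # S106: identifier absent or not consistent with the recorded one -> prohibit
            return self._reject(f"identifier {app_id} not recorded at destination")
        if not self.rule.get(app_id, False):
            # S107/S110: identifier recognised but the security rule prohibits access
            return self._reject(f"security rule prohibits application {app_id}")
        return Decision(True, "allowed by security rule", inner)  # S108/S109

    def _reject(self, why: str) -> Decision:
        # S111/S112: the same failure is reported to the sender and to the platform
        self.failure_reports.append(why)
        return Decision(False, why)


def demo() -> Dict[str, object]:
    """Constructed scenario: the human-resources application's manager records the
    finance application (41, prohibited by rule R2) and an assumed application 43
    (allowed); application 99 was never recorded; one packet carries no identifier."""
    FINANCE, ALLOWED_APP, UNKNOWN_APP, VNI = 41, 43, 99, 100
    hr_vim = DestinationVIM(known_app_ids={FINANCE, ALLOWED_APP},
                            rule={FINANCE: False, ALLOWED_APP: True})
    inner = b"\x45\x00\x00\x14constructed-inner-ip-packet"  # constructed payload bytes
    untagged = HDR.pack(0, VNI.to_bytes(3, "big"), b"\x00" * 4) + inner
    return {
        "finance_forwarded": hr_vim.ingress(mark_packet(FINANCE, VNI, inner)).forwarded,
        "allowed_forwarded": hr_vim.ingress(mark_packet(ALLOWED_APP, VNI, inner)).forwarded,
        "unknown_forwarded": hr_vim.ingress(mark_packet(UNKNOWN_APP, VNI, inner)).forwarded,
        "untagged_forwarded": hr_vim.ingress(untagged).forwarded,
        "truncated_forwarded": hr_vim.ingress(b"\x08\x00").forwarded,
        "failure_reports": len(hr_vim.failure_reports),
    }


if __name__ == "__main__":
    print(demo())
```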

值得注意的是,VXLAN只是叠加网络技术的一种,本发明实施例仅以VXLAN作为本发明实施例的一种用于说明,并不对叠加报文的类型进行限定。It is worth noting that VXLAN is only one type of overlay network technology. The embodiment of the present invention only uses VXLAN as one type of the embodiment of the present invention for explanation, and does not limit the type of overlay packets.

可选的,本发明实施例中所指的虚拟实例为虚拟机或容器。Optionally, the virtual instance referred to in this embodiment of the present invention is a virtual machine or container.

An embodiment of the present invention further provides a cloud network system. Refer to FIG. 11 below, which is a schematic architectural diagram of a cloud network system for the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention. The details are as follows:

By way of example, the cloud network system includes a cloud native network 40, a first virtual instance 10111, a second virtual instance 10211 and a cloud management platform 20. The cloud native network 40 is used to connect a plurality of network interfaces, each network interface being bound to one virtual instance. The first virtual instance 10111 is bound to a first network interface 411 among the plurality of network interfaces and is used to run a first cloud native application 41 or one or more microservices of the first cloud native application 41. The second virtual instance 10211 is bound to a second network interface 421 among the plurality of network interfaces and is used to run a second cloud native application 42 or one or more microservices of the second cloud native application 42. The cloud management platform 20 is used to receive a security rule input by tenant A, the security rule indicating the permission of the first cloud native application 41 to access the second cloud native application 42; the first network interface 411 and/or the second network interface 421 determine, according to the security rule, whether access packets between the first virtual instance 10111 and the second virtual instance 10211 are allowed to pass.

The present application further provides a cloud management platform. Refer to FIG. 12 below, which is a schematic structural diagram of a cloud management platform for the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention. The details are as follows:

A request receiving module 301 is configured to receive a first virtual instance creation request input by a first tenant, the first virtual instance creation request including the specification information of the first virtual instance to be created and the information of the first cloud native application to which it belongs; it is further configured to receive a second virtual instance creation request input by the first tenant or a second tenant, the second virtual instance creation request including the specification information of the second virtual instance to be created and the information of the second cloud native application to which it belongs.

An instance creation module 302 is configured to select a first computing node in a first cloud data center that can provide a specification matching the specification information and create the first virtual instance on it, the first virtual instance being used to run the first cloud native application or one or more microservices of the first cloud native application, and the plurality of cloud data centers including the first cloud data center; it is further configured to select a second computing node in a second cloud data center that can provide a specification matching the specification information and create the second virtual instance on it.

A configuration module 303 is configured to configure, according to the information of the first cloud native application, the first virtual instance manager of the first computing node to mark the service packets sent by the first virtual instance with the identifier of the first cloud native application; it is further configured to configure the first virtual instance manager of the first computing node to record the first security rule; further configured to configure the second virtual instance manager of the second computing node to record the identifier of the first cloud native application and the second security rule; and further configured to configure, according to the information of the second cloud native application, the second virtual instance manager of the second computing node to mark the service packets sent by the second virtual instance with the identifier of the second cloud native application.

A rule receiving module 304 is configured to receive a first security rule input by the first tenant, the first security rule indicating the permission for the first cloud native application to be accessed; it is further configured to receive a second security rule input by the first tenant, the second security rule indicating the permission of the first cloud native application to access the second cloud native application.

An interface setting module 305 is configured to set a first network interface for the first cloud native application and bind at least one virtual instance running the microservices of the first cloud native application to the first network interface, where the at least one virtual instance running the microservices of the first cloud native application includes the first virtual instance, and the first network interface is located in the first cloud data center indicated by the first site information; it is further configured to set a second network interface for the second cloud native application and bind at least one virtual instance running the microservices of the second cloud native application to the second network interface, where the at least one virtual instance running the microservices of the second cloud native application includes the second virtual instance, and the second network interface is located in the second cloud data center indicated by the second site information.
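The encapsulation described above and the check that the receiving side performs on the carried identifier, shown as an added example (not the patent's or the applicant's code): a virtual instance manager acting as a VXLAN-GPE tunnel end point tags each service packet with the cloud native application identifier, and the manager at the destination releases the inner packet only if that identifier is one it has recorded and the (source application, destination application) rule allows it, with default deny. The placement of the identifier in the 16 reserved bits of the VXLAN-GPE header, the addresses, the VNI and the application identifiers 0x41/0x42 are assumptions constructed for this example; the page only says the identifier is carried in the VXLAN header via VXLAN GPE.

```python
"""Added example: VXLAN-GPE overlay tagging with a cloud native application identifier
and rule enforcement at the receiving virtual instance manager (VTEP).
Assumption: the application identifier occupies the 16 reserved bits of the
VXLAN-GPE header; the patent does not fix the field, only that GPE carries it."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

VXLAN_GPE_UDP_PORT = 4790     # IANA-assigned UDP port for VXLAN-GPE
FLAG_I, FLAG_P = 0x08, 0x04   # VNI present, next-protocol present
NP_ETHERNET = 0x03            # VXLAN-GPE next protocol: Ethernet frame
ETH_P_IP = 0x0800


def build_vxlan_gpe(vni: int, app_id: int) -> bytes:
    """8-byte VXLAN-GPE header: flags | app_id (assumed reserved bits) | next proto | VNI<<8."""
    if not (0 <= vni < 1 << 24 and 0 <= app_id < 1 << 16):
        raise ValueError("vni must fit in 24 bits and app_id in 16 bits")
    return struct.pack("!BHBI", FLAG_I | FLAG_P, app_id, NP_ETHERNET, vni << 8)


def parse_vxlan_gpe(hdr: bytes) -> Tuple[int, int]:
    """Return (vni, app_id) from a VXLAN-GPE header, rejecting headers without a valid VNI."""
    flags, app_id, _next_proto, vni_rsvd = struct.unpack("!BHBI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("VXLAN-GPE header without valid VNI")
    return vni_rsvd >> 8, app_id


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_outer(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str, vxlan: bytes) -> bytes:
    """Outer Ethernet + IPv4 + UDP headers around the VXLAN-GPE header and inner packet."""
    udp = struct.pack("!HHHH", 49152, VXLAN_GPE_UDP_PORT, 8 + len(vxlan), 0) + vxlan
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETH_P_IP) + ip + udp


class VirtualInstanceManager:
    """Per-compute-node VTEP: records which application each local instance runs, which
    application identifiers the platform configured it to recognise, and the
    (source app, destination app) -> allowed rules it was given by the platform."""

    def __init__(self, vtep_ip: str, vtep_mac: str) -> None:
        self.vtep_ip, self.vtep_mac = vtep_ip, vtep_mac
        self.local_app: Dict[str, int] = {}            # instance name -> app identifier
        self.known_apps: Dict[int, str] = {}           # recorded app identifiers -> app name
        self.rules: Dict[Tuple[int, int], bool] = {}   # (src app, dst app) -> allowed?
        self.audit: List[tuple] = []                   # drop decisions, for detection/forensics

    def encapsulate(self, src_instance: str, dst_ip: str, dst_mac: str, vni: int, inner: bytes) -> bytes:
        """Wrap a service packet from a local instance; the app identifier goes in the outer packet."""
        app_id = self.local_app[src_instance]
        return build_outer(self.vtep_mac, dst_mac, self.vtep_ip, dst_ip, build_vxlan_gpe(vni, app_id) + inner)

    def decapsulate(self, frame: bytes, dst_instance: str) -> Optional[bytes]:
        """Strip the outer headers; return the inner packet only if the security rules allow it."""
        if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            return None
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:14 + ihl + 8]
        if struct.unpack("!H", udp[2:4])[0] != VXLAN_GPE_UDP_PORT:
            return None
        vxlan = frame[14 + ihl + 8:]
        _vni, src_app = parse_vxlan_gpe(vxlan)
        dst_app = self.local_app[dst_instance]
        if src_app not in self.known_apps:                 # identifier not recorded here: drop
            self.audit.append(("drop-unknown-app", src_app, dst_app))
            return None
        if not self.rules.get((src_app, dst_app), False):  # no explicit allow rule: drop
            self.audit.append(("drop-by-rule", src_app, dst_app))
            return None
        return vxlan[8:]


def demo() -> tuple:
    """Constructed scenario: app 41 on instance 10111 sends to app 42 on instance 10211."""
    app41, app42 = 0x0041, 0x0042                       # constructed application identifiers
    m1 = VirtualInstanceManager("10.0.1.1", "02:00:00:00:01:01")
    m1.local_app["vm-10111"] = app41
    m2 = VirtualInstanceManager("10.0.2.1", "02:00:00:00:02:01")
    m2.local_app["vm-10211"] = app42
    m2.known_apps[app41] = "app-41"                     # platform records app 41's identifier
    m2.rules[(app41, app42)] = True                     # tenant A's rule: 41 may access 42
    frame = m1.encapsulate("vm-10111", "10.0.2.1", "02:00:00:00:02:01", 5000, b"GET /orders")
    allowed = m2.decapsulate(frame, "vm-10211")         # inner packet released
    m2.rules[(app41, app42)] = False                    # tenant withdraws the permission
    denied = m2.decapsulate(frame, "vm-10211")          # dropped by rule
    del m2.known_apps[app41]                            # identifier no longer recorded
    unknown = m2.decapsulate(frame, "vm-10211")         # dropped as unknown identifier
    return allowed, denied, unknown, m2.audit
```

The audit list is what a defender would forward to the platform's logging: every drop names the source and destination application identifiers rather than raw addresses, which is the point of tagging at the VTEP.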

It should be noted that the tenant in the above embodiments may be replaced by a plurality of other tenants, and each of the above modules can still implement the corresponding technical function; the embodiments of the present invention do not limit this.

The request receiving module 301, instance creation module 302, configuration module 303, rule receiving module 304 and interface setting module 305 may each be implemented in software or in hardware. By way of example, the implementation of the request receiving module 301 is described next; the instance creation module 302, configuration module 303, rule receiving module 304 and interface setting module 305 may be implemented in a similar way, with reference to the implementation of the request receiving module 301.

As an example of a module implemented as a software functional unit, the request receiving module 301 may include code running on a virtual instance, where the virtual instance may include at least one of a physical host (computing device), a virtual machine and a container. Further, there may be one or more such virtual instances. For example, the request receiving module 301 may include code running on a plurality of hosts/virtual machines/containers. It should be noted that the plurality of hosts/virtual machines/containers used to run this code may be distributed in the same region or in different regions.

As an example of a module implemented as a hardware functional unit, the request receiving module 301 may include at least one computing device, such as a server. Alternatively, the request receiving module 301 may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD). The PLD may be implemented as a complex programmable logical device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.

It should be noted that, in other embodiments, the request receiving module 301, the instance creation module 302, the configuration module 303, the rule receiving module 304 and the interface setting module 305 may each be used to perform any step of the virtual instance creation method based on cloud computing technology. The steps that each of these modules is responsible for implementing may be assigned as needed, so that the request receiving module 301, instance creation module 302, configuration module 303, rule receiving module 304 and interface setting module 305 respectively implement different steps of the virtual instance creation method based on cloud computing technology and together realize all the functions of the cloud management platform.

The methods, apparatuses and systems of the embodiments of the present application have been described in detail above. To facilitate better implementation of the above solutions of the embodiments of the present application, related devices for cooperating in the implementation of the above solutions are provided below.

The present application provides a computing device. Refer to FIG. 13 below, which is a schematic structural diagram of a computing device for the virtual instance creation method based on cloud computing technology provided by an embodiment of the present invention. The computing device 300 includes a bus 307, a processor 308, a memory 306 and a communication interface 309. The processor 308, the memory 306 and the communication interface 309 communicate with one another through the bus 307. The computing device 300 may be a server or a terminal device. It should be understood that the present application does not limit the number of processors or memories in the computing device 300.

The bus 12 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one line is drawn in FIG. 13, but this does not mean that there is only one bus or only one type of bus. The bus 307 may include a path for transferring information between the components of the computing device 300 (for example, the memory 306, the processor 308 and the communication interface 309).

The processor 308 may include any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), a digital signal processor (DSP) and other processors.

The memory 306 may include volatile memory, for example random access memory (RAM). The processor 308 may also include non-volatile memory, for example read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).

The memory 306 stores executable program code, and the processor 308 executes the executable program code to implement the functions of the request receiving module 301, instance creation module 302, configuration module 303, rule receiving module 304 and interface setting module 305 respectively, thereby implementing the virtual instance creation method based on cloud computing technology. That is, the memory 306 stores the instructions with which the cloud management platform executes the virtual instance creation method based on cloud computing technology.

The communication interface 309 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to implement communication between the computing device 300 and other devices or communication networks.

An embodiment of the present application further provides a computing device cluster. The computing device cluster includes at least one computing device. The computing device may be a server, for example a central server, an edge server, or a local server in a local data center. In some embodiments, the computing device may also be a terminal device such as a desktop computer, a laptop computer or a smartphone.

Refer to FIG. 14 below, which is a schematic structural diagram of a computing device cluster for the virtual instance creation method based on cloud computing technology according to an embodiment of the present application. As shown in FIG. 14, the computing device cluster includes at least one computing device 300, and the memory 306 of one or more computing devices 300 in the cluster may store the same instructions with which the cloud management platform executes the virtual instance creation method based on cloud computing technology.

In some possible implementations, one or more computing devices 300 in the computing device cluster may also each execute part of the instructions with which the cloud management platform executes the virtual instance creation method based on cloud computing technology. In other words, a combination of one or more computing devices 300 may jointly execute the instructions with which the cloud management platform executes the virtual instance creation method based on cloud computing technology.

It should be noted that the memories 306 of different computing devices 300 in the computing device cluster may store different instructions for executing part of the functions of the cloud management platform. That is, the instructions stored in the memories 306 of different computing devices 300 may implement the functions of one or more of the request receiving module 301, instance creation module 302, configuration module 303, rule receiving module 304 and interface setting module 305.

Refer to FIG. 15 below, which is another schematic structural diagram of a computing device cluster for the virtual instance creation method based on cloud computing technology according to an embodiment of the present application. As shown in FIG. 15, two computing devices 300A and 300B are connected through the communication interface 309. The memory of the computing device 300A stores instructions for executing the instance creation module 302, the configuration module 303 and the interface setting module 305. The memory of the computing device 300B stores instructions for executing the functions of the request receiving module 301 and the rule receiving module 304. In other words, the memories 306 of the computing devices 300A and 300B together store the instructions with which the cloud management platform executes the virtual instance creation method based on cloud computing technology.

The connection arrangement of the computing device cluster shown in FIG. 15 may take into account that the virtual instance creation method based on cloud computing technology provided by the present application requires a large amount of computation for creating and configuring virtual instances and network interfaces, and also has to handle computation for the concurrent configuration of multiple tenants. Considering the data transmission workload of the request receiving module 301 and the rule receiving module 304, and in order to avoid overloading the computing device 300A, the functions implemented by the request receiving module 301 and the rule receiving module 304 are handed over to the computing device 300B for execution.

It should be understood that the functions of the computing device 300A shown in FIG. 15 may also be performed by a plurality of computing devices 300. Likewise, the functions of the computing device 300B may also be performed by a plurality of computing devices 300.

Refer to FIG. 16 below, which is yet another schematic structural diagram of a computing device cluster for the virtual instance creation method based on cloud computing technology according to an embodiment of the present application. In some possible implementations, one or more computing devices in the computing device cluster may be connected through a network, where the network may be a wide area network, a local area network or the like. FIG. 16 shows one possible implementation: as shown in FIG. 16, two computing devices 300C and 300D are connected through a network; specifically, each computing device connects to the network through its communication interface. In this kind of implementation, the memory 306 of the computing device 300C stores instructions for executing the instance creation module 302, the configuration module 303 and the interface setting module 305, while the memory 306 of the computing device 300D stores instructions for executing the functions of the request receiving module 301 and the rule receiving module 304.

The connection arrangement of the computing device cluster shown in FIG. 16 may take into account that the virtual instance creation method based on cloud computing technology provided by the present application requires a large amount of computation for creating and configuring virtual instances and network interfaces, and also has to handle computation for the concurrent configuration of multiple tenants. Since the devices are connected through a network and these functions are relatively independent, and in order to achieve the best storage and computing performance, the high-volume data transmission functions implemented by the request receiving module 301 and the rule receiving module 304 are handed over to the computing device 300D for execution.

It should be understood that the functions of the computing device 300C shown in FIG. 16 may also be performed by a plurality of computing devices 300. Likewise, the functions of the computing device 300D may also be performed by a plurality of computing devices 300.

In some possible implementations, the memories 306 of one or more computing devices 300 in the computing device cluster may also each store part of the instructions for executing the virtual instance creation method based on cloud computing technology. In other words, a combination of one or more computing devices 300 may jointly execute the instructions for executing the virtual instance creation method based on cloud computing technology.

An embodiment of the present application further provides a computer program product containing instructions. The computer program product may be software or a program product containing instructions that can run on a computing device or be stored in any available medium. When the computer program product runs on at least one computer device, it causes the at least one computer device to execute the above method, applied to the cloud management platform, for executing the virtual instance creation method based on cloud computing technology.

An embodiment of the present application further provides a computer-readable storage medium. The computer-readable storage medium may be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state drive), among others. The computer-readable storage medium contains instructions that instruct the computing device to execute the above method, applied to the cloud management platform, for executing the virtual instance creation method based on cloud computing technology.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of the technical features; such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the protection scope of the technical solutions of the embodiments of the present invention.

Those skilled in the art can clearly understand that, for the specific working processes of the systems, apparatuses or units described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.

The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed by the present invention, and all of these shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (20)

1. A virtual instance creation method based on cloud computing technology, characterized in that the method is applied to a cloud management platform, the cloud management platform being used to manage infrastructure, the infrastructure including a plurality of cloud data centers deployed in a distributed manner, each cloud data center being provided with a plurality of computing nodes, and the method comprising:
receiving a first virtual instance creation request input by a first tenant, the first virtual instance creation request including specification information of a first virtual instance to be created and information of a first cloud native application to which it belongs;
selecting a first computing node in a first cloud data center that can provide a specification matching the specification information and creating the first virtual instance on it, the first virtual instance being used to run the first cloud native application or one or more microservices of the first cloud native application, and the plurality of cloud data centers including the first cloud data center;
configuring, according to the information of the first cloud native application, a first virtual instance manager of the first computing node to mark service packets sent by the first virtual instance with an identifier of the first cloud native application.

2. The method according to claim 1, characterized in that the first virtual instance creation request further includes first site information, and the method further comprises:
selecting, from the plurality of cloud data centers, the first cloud data center matching the first site information.

3. The method according to claim 1 or 2, characterized in that the method further comprises:
receiving a first security rule input by the first tenant, wherein the first security rule indicates the permission for the first cloud native application to be accessed;
configuring the first virtual instance manager of the first computing node to record the first security rule;
wherein the first virtual instance manager, according to the first security rule, allows or prohibits the sending to the first virtual instance of service packets that virtual instances running other cloud native applications, or one or more microservices of other cloud native applications, send to the first virtual instance.

4. The method according to any one of claims 1 to 3, characterized in that a second virtual instance is deployed on a second computing node in the infrastructure, the second virtual instance being used to run a second cloud native application or one or more microservices of the second cloud native application, the second computing node being located in one of the plurality of cloud data centers, and the method further comprises:
receiving a second security rule input by the first tenant, wherein the second security rule indicates the permission of the first cloud native application to access the second cloud native application;
configuring a second virtual instance manager of the second computing node to record the identifier of the first cloud native application and the second security rule;
wherein the destination address of a service packet sent by the first virtual instance is the second virtual instance, and the second virtual instance manager, upon confirming that the identifier of the first cloud native application marked on the service packet sent by the first virtual instance is consistent with the identifier it has recorded, allows or prohibits the sending of the first service packet to the second virtual instance according to the second security rule.

5. The method according to claim 4, characterized in that, before receiving the security rule for the first cloud native application input by the first tenant, the method further comprises:
receiving a second virtual instance creation request input by the first tenant or a second tenant, the second virtual instance creation request including specification information of the second virtual instance to be created and information of the second cloud native application to which it belongs;
selecting a second computing node in a second cloud data center that can provide a specification matching the specification information and creating the second virtual instance on it;
configuring, according to the information of the second cloud native application, the second virtual instance manager of the second computing node to mark service packets sent by the second virtual instance with an identifier of the second cloud native application.

6. The method according to claim 4 or 5, characterized in that the method further comprises:
setting a first network interface for the first cloud native application and binding at least one virtual instance running the microservices of the first cloud native application to the first network interface, wherein the at least one virtual instance running the microservices of the first cloud native application includes the first virtual instance, and the first network interface is located in the first cloud data center indicated by the first site information;
setting a second network interface for the second cloud native application and binding at least one virtual instance running the microservices of the second cloud native application to the second network interface, wherein the at least one virtual instance running the microservices of the second cloud native application includes the second virtual instance, and the second network interface is located in the second cloud data center indicated by the second site information;
wherein the first network interface and the second network interface are connected to each other through a cloud native network provided in the infrastructure.

7. The method according to any one of claims 1 to 6, characterized in that configuring, according to the information of the first cloud native application, the first virtual instance manager of the first computing node to mark service packets sent by the first virtual instance with the identifier of the first cloud native application comprises:
configuring the first virtual instance manager to encapsulate the service packet into the inner packet of an overlay packet and to set the identifier of the first cloud native application in the outer packet of the overlay packet.

8. The method according to any one of claims 1 to 7, characterized in that the first virtual instance includes a virtual machine or a container.

9. A cloud management platform, characterized in that the cloud management platform is used to manage infrastructure, the infrastructure including a plurality of cloud data centers deployed in a distributed manner, each cloud data center being provided with a plurality of computing nodes, and the cloud management platform comprising:
Each cloud data center is provided with multiple computing nodes, so The cloud management platform includes:请求接收模块,所述请求接收模块用于接收第一租户输入的第一虚拟实例创建请求,所述第一虚拟实例创建请求包括待创建的第一虚拟实例的规格信息以及所属的第一云原生应用的信息;A request receiving module, the request receiving module is configured to receive a first virtual instance creation request input by the first tenant, where the first virtual instance creation request includes specification information of the first virtual instance to be created and the first cloud native to which it belongs. Application information;实例创建模块,所述实例创建模块用于选择在第一云数据中心中的可提供与所述规格信息匹配的规格的第一计算节点上创建第一虚拟实例,所述第一虚拟实例用于运行所述第一云原生应用或所述第一云原生应用中的一个或多个微服务,并且所述多个云数据中心包括所述第一云数据中心;Instance creation module, the instance creation module is used to select to create a first virtual instance on a first computing node in the first cloud data center that can provide specifications matching the specification information, the first virtual instance is used to running the first cloud native application or one or more microservices in the first cloud native application, and the plurality of cloud data centers include the first cloud data center;配置模块,所述配置模块用于根据所述第一云原生应用的信息配置所述第一计算节点的第一虚拟实例管理器使用所述第一云原生应用的标识标记所述第一虚拟实例发出的业务报文。Configuration module, the configuration module is configured to configure the first virtual instance manager of the first computing node according to the information of the first cloud native application to mark the first virtual instance using the identifier of the first cloud native application. outgoing business messages.10.根据权利要求9所述的云管理平台,其特征在于,所述第一虚拟实例创建请求还包括第一站点信息,则:10. The cloud management platform according to claim 9, wherein the first virtual instance creation request further includes first site information, then:所述实例创建模块还用于在所述多个云数据中心选择与所述第一站点信息匹配的所述第一云数据中心。The instance creation module is further configured to select the first cloud data center matching the first site information from the plurality of cloud data centers.11.根据权利要求10所述的云管理平台,其特征在于,所述云管理平台还包括规则接收模块,则:11. 
The cloud management platform according to claim 10, characterized in that the cloud management platform further includes a rule receiving module, then:所述规则接收模块用于接收所述第一租户输入的第一安全规则,其中所述第一安全规则用于指示所述第一云原生应用被访问的权限;The rule receiving module is configured to receive a first security rule input by the first tenant, wherein the first security rule is used to indicate the access permission of the first cloud native application;所述配置模块还用于配置所述第一计算节点的所述第一虚拟实例管理器记录所述第一安全规则;The configuration module is further configured to configure the first virtual instance manager of the first computing node to record the first security rule;其中,所述第一虚拟实例管理器根据所述第一安全规则允许或禁止将运行其他云原生应用或运行其他云原生应用中的一个或多个微服务的虚拟实例发送至所述第一虚拟实例的业务报文发送至所述第一虚拟实例。Wherein, the first virtual instance manager allows or prohibits sending virtual instances running other cloud native applications or running one or more microservices in other cloud native applications to the first virtual instance manager according to the first security rule. The service packet of the instance is sent to the first virtual instance.12.根据权利要求9至11任一项所述的云管理平台,其特征在于,所述基础设施中的第二计算节点部署有第二虚拟实例,所述第二虚拟实例用于运行第二云原生应用或第二云原生应用中的一个或多个微服务,所述第二计算节点设置在所述多个云数据中心中的一个云数据中心中,则:12. 
The cloud management platform according to any one of claims 9 to 11, characterized in that the second computing node in the infrastructure is deployed with a second virtual instance, and the second virtual instance is used to run the second One or more microservices in a cloud native application or a second cloud native application, and the second computing node is set in one of the plurality of cloud data centers, then:所述规则接收模块还用于接收所述第一租户输入的第二安全规则,其中所述第二安全规则用于指示所述第一云原生应用访问所述第二云原生应用的权限;The rule receiving module is further configured to receive a second security rule input by the first tenant, wherein the second security rule is used to indicate the permission of the first cloud native application to access the second cloud native application;所述配置模块还用于配置所述第二计算节点的第二虚拟实例管理器记录所述第一云原生应用的标识以及所述第二安全规则;The configuration module is also configured to configure the second virtual instance manager of the second computing node to record the identity of the first cloud native application and the second security rule;其中,第一虚拟实例发出的业务报文的目的地址为所述第二虚拟实例,所述第二虚拟实例管理器在确认所述第一虚拟实例发出的业务报文标记有的所述第一云原生应用的标识与自身记录的所述标识一致的情况下,根据所述第二安全规则允许或禁止将所述第一业务报文发送至所述第二虚拟实例。Wherein, the destination address of the service packet sent by the first virtual instance is the second virtual instance, and the second virtual instance manager confirms that the service packet sent by the first virtual instance is marked with the first If the identity of the cloud native application is consistent with the identity recorded by the cloud native application, sending the first service packet to the second virtual instance is allowed or prohibited according to the second security rule.13.根据权利要求12所述的云管理平台,其特征在于,所述接收所述第一租户输入的针对所述第一云原生应用的安全规则之前,则:13. 
The cloud management platform according to claim 12, wherein before receiving the security rules input by the first tenant for the first cloud native application:所述请求接收模块还用于接收所述第一租户或第二租户输入的第二虚拟实例创建请求,所述第二虚拟实例创建请求包括待创建的第二虚拟实例的规格信息以及所属的所述第二云原生应用的信息;The request receiving module is also configured to receive a second virtual instance creation request input by the first tenant or the second tenant, where the second virtual instance creation request includes specification information of the second virtual instance to be created and the associated Describes information about second cloud native applications;所述实例创建模块还用于选择在第二云数据中心中的可提供与所述规格信息匹配的规格的第二计算节点上创建所述第二虚拟实例;The instance creation module is further configured to select to create the second virtual instance on a second computing node in the second cloud data center that can provide specifications matching the specification information;所述配置模块还用于根据所述第二云原生应用的信息配置所述第二计算节点的第二虚拟实例管理器使用所述第二云原生应用的标识标记所述第二虚拟实例发出的业务报文。The configuration module is further configured to configure a second virtual instance manager of the second computing node according to the information of the second cloud native application, and use the identifier of the second cloud native application to mark the second virtual instance issued by the second cloud native application. Business messages.14.根据权利要求12或13所述的云管理平台,其特征在于,所述云管理平台还包括接口设置模块,则:14. 
The cloud management platform according to claim 12 or 13, characterized in that the cloud management platform further includes an interface setting module, then:所述接口设置模块用于为所述第一云原生应用设置第一网络接口,将运行所述第一云原生应用中的微服务的至少一个虚拟实例绑定到所述第一网络接口,其中所述运行所述第一云原生应用中的微服务的至少一个虚拟实例包括所述第一虚拟实例,所述第一网络接口设置在所述第一站点信息指示的所述第一云数据中心中;The interface setting module is configured to set a first network interface for the first cloud native application, and bind at least one virtual instance running a microservice in the first cloud native application to the first network interface, wherein The at least one virtual instance running the microservice in the first cloud native application includes the first virtual instance, and the first network interface is set in the first cloud data center indicated by the first site information. middle;所述接口设置模块还用于为所述第二云原生应用设置第二网络接口,将运行所述第二云原生应用中的微服务的至少一个虚拟实例绑定到所述第二网络接口,其中所述运行所述第二云原生应用中的微服务的至少一个虚拟实例包括所述第二虚拟实例,所述第二网络接口设置在所述第二站点信息指示的所述第二云数据中心中;The interface setting module is also configured to set a second network interface for the second cloud native application, and bind at least one virtual instance running the microservice in the second cloud native application to the second network interface, Wherein the at least one virtual instance running the microservice in the second cloud native application includes the second virtual instance, and the second network interface is set in the second cloud data indicated by the second site information. in the center;其中,所述第一网络接口和所述第二网络接口通过设置在所述基础设施中的云原生网络中相互连接。Wherein, the first network interface and the second network interface are connected to each other through a cloud native network provided in the infrastructure.15.根据权利要求9至14任一项所述的云管理平台,其特征在于,所述根据所述第一云原生应用的信息配置所述第一计算节点的第一虚拟实例管理器使用所述第一云原生应用的标识标记所述第一虚拟实例发出的业务报文,则:15. 
The cloud management platform according to any one of claims 9 to 14, wherein the first virtual instance manager configuring the first computing node according to the information of the first cloud native application uses the If the identifier of the first cloud native application marks the service packet sent by the first virtual instance, then:所述配置模块具体用于配置所述第一虚拟实例管理器将所述业务报文封装到叠加报文的内层报文中,并将所述第一云原生应用的标识设置在所述叠加报文的外层报文中。The configuration module is specifically configured to configure the first virtual instance manager to encapsulate the service message into an inner message of an overlay message, and set the identifier of the first cloud native application in the overlay message. in the outer message of the message.16.根据权利要求9至15任一项所述的云管理平台,其特征在于,所述第一虚拟实例包括虚拟机或容器。16. The cloud management platform according to any one of claims 9 to 15, wherein the first virtual instance includes a virtual machine or a container.17.一种面向云原生应用的云网络系统,其特征在于,包括:17. A cloud network system for cloud native applications, characterized by:云原生网络,用于连接多个网络接口,其中每个网络接口与一个虚拟实例绑定;Cloud native network, used to connect multiple network interfaces, where each network interface is bound to a virtual instance;第一虚拟实例,用于与所述多个网络接口中的第一网络接口绑定,且所述第一虚拟实例于运行所述第一云原生应用或所述第一云原生应用中的一个或多个微服务;A first virtual instance is used to bind to a first network interface among the plurality of network interfaces, and the first virtual instance is used to run the first cloud native application or one of the first cloud native applications. or multiple microservices;第二虚拟实例,用于与所述多个网络接口中的第二网络接口绑定,且所述第二虚拟实例于运行第二云原生应用或所述第二云原生应用中的一个或多个微服务;A second virtual instance is used to bind to a second network interface among the plurality of network interfaces, and the second virtual instance is configured to run a second cloud native application or one or more of the second cloud native applications. 
microservice;云管理平台,用于接收租户输入的安全规则,所述安全规则用于指示所述第一云原生应用访问所述第二云原生应用的权限,所述第一网络接口和/或所述第二网络接口通过所述安全规则确定是否允许所述第一虚拟实例与所述第二虚拟实例之间的访问报文通过。A cloud management platform configured to receive security rules input by tenants, the security rules being used to indicate the permission of the first cloud native application to access the second cloud native application, the first network interface and/or the third The second network interface determines whether to allow the access packet between the first virtual instance and the second virtual instance to pass through the security rule.18.一种计算设备集群,其特征在于,包括至少一个计算设备,每个计算设备包括处理器和存储器;18. A computing device cluster, characterized by including at least one computing device, each computing device including a processor and a memory;所述至少一个计算设备的处理器用于执行所述至少一个计算设备的存储器中存储的指令,以使得所述计算设备集群执行如权利要求1至8任一项所述的方法。The processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device, so that the cluster of computing devices performs the method according to any one of claims 1 to 8.19.一种包含指令的计算机程序产品,其特征在于,当所述指令被计算机设备集群运行时,使得所述计算机设备集群执行如权利要求1至8任一项所述的方法。19. A computer program product containing instructions, characterized in that, when the instructions are executed by a cluster of computer equipment, they cause the cluster of computer equipment to perform the method according to any one of claims 1 to 8.20.一种计算机可读存储介质,其特征在于,包括计算机程序指令,当所述计算机程序指令由计算设备集群执行时,所述计算设备集群执行如权利要求1至8所述的方法。20. A computer-readable storage medium, characterized in that it includes computer program instructions, and when the computer program instructions are executed by a cluster of computing devices, the cluster of computing devices performs the method of claims 1 to 8.
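The tagging and enforcement behaviour of claims 3, 4 and 7 (and their platform counterparts 11, 12 and 15), as an added example that is not code from the patent or from Huawei Cloud. The outer header layout (a 4-byte marker, a 32-bit application identifier and a 16-bit inner length), the numeric application ids, the node names and the rule schema are assumptions made for illustration, since the claims specify neither the overlay format nor how the identifier is encoded:

```python
"""Added example, not code from the patent or from Huawei Cloud: a minimal
model of the virtual instance manager (VIM) behaviour in claims 3, 4 and 7.
The outer header layout, the 32-bit application identifier and the rule
schema are assumptions made for illustration."""
import struct
from dataclasses import dataclass, field

# Assumed outer header: 4-byte marker, 32-bit cloud native application id,
# 16-bit inner length. The real overlay format is not specified by the claims.
OVERLAY_MAGIC = b"OVL1"
OUTER_FMT = "!4sIH"
OUTER_LEN = struct.calcsize(OUTER_FMT)


@dataclass
class VirtualInstanceManager:
    """Host-side component of one computing node: it tags egress service
    packets with the id of the application its instance belongs to (claim 7)
    and enforces the tenant's security rules on ingress (claims 3 and 4)."""
    app_id: int                                       # set by the platform at creation time
    known_app_ids: set = field(default_factory=set)   # identifiers recorded per claim 4
    rules: dict = field(default_factory=dict)         # src app id -> True (allow) / False (deny)

    def encapsulate(self, service_packet: bytes) -> bytes:
        """Egress: the guest packet becomes the inner packet; the app id goes
        into the outer header. The guest has no way to influence that id."""
        return struct.pack(OUTER_FMT, OVERLAY_MAGIC, self.app_id,
                           len(service_packet)) + service_packet

    def filter_ingress(self, overlay_packet: bytes):
        """Ingress: returns (verdict, inner_packet_or_None)."""
        if len(overlay_packet) < OUTER_LEN:
            return "drop:malformed", None
        magic, src_app, length = struct.unpack(OUTER_FMT, overlay_packet[:OUTER_LEN])
        inner = overlay_packet[OUTER_LEN:]
        if magic != OVERLAY_MAGIC or len(inner) != length:
            return "drop:malformed", None
        # Claim 4: the tag must match an identifier the platform recorded here.
        if src_app not in self.known_app_ids:
            return "drop:unknown-app", None
        # Claims 3/4: fail closed when the tenant configured no rule for this source.
        if not self.rules.get(src_app, False):
            return "drop:denied-by-rule", None
        return "deliver", inner


class CloudManagementPlatform:
    """The configuration steps of claims 1, 4 and 5, reduced to dict updates."""

    def __init__(self):
        self.vims = {}   # compute node name -> VirtualInstanceManager

    def create_instance(self, node: str, app_id: int) -> VirtualInstanceManager:
        vim = VirtualInstanceManager(app_id=app_id)
        self.vims[node] = vim
        return vim

    def set_access_rule(self, dst_node: str, src_app_id: int, allow: bool) -> None:
        """Tenant rule 'src app may (or may not) access the app hosted on dst_node'."""
        vim = self.vims[dst_node]
        vim.known_app_ids.add(src_app_id)
        vim.rules[src_app_id] = allow


def scenario():
    """Constructed scenario (hypothetical ids and node names): app 1 may reach
    app 2, app 3 may not, and nothing else has been recorded on node-b."""
    platform = CloudManagementPlatform()
    vim1 = platform.create_instance("node-a", app_id=1)
    vim2 = platform.create_instance("node-b", app_id=2)
    vim3 = platform.create_instance("node-c", app_id=3)
    platform.set_access_rule("node-b", src_app_id=1, allow=True)
    platform.set_access_rule("node-b", src_app_id=3, allow=False)

    results = {}
    # Legitimate flow: app 1 -> app 2.
    results["allowed"] = vim2.filter_ingress(vim1.encapsulate(b"GET /orders"))
    # Explicitly denied source.
    results["denied"] = vim2.filter_ingress(vim3.encapsulate(b"GET /orders"))
    # A guest in app 3 forges a complete overlay packet claiming to be app 1:
    # its own VIM wraps it again, so the outer tag still says 3 and it is dropped.
    forged = struct.pack(OUTER_FMT, OVERLAY_MAGIC, 1, 11) + b"GET /orders"
    results["forged"] = vim2.filter_ingress(vim3.encapsulate(forged))
    # Packet from an application the platform never recorded on node-b.
    results["unknown"] = vim2.filter_ingress(VirtualInstanceManager(app_id=9).encapsulate(b"x"))
    # Untagged traffic is rejected rather than trusted.
    results["raw"] = vim2.filter_ingress(b"GET /orders")
    return results


if __name__ == "__main__":
    for name, (verdict, inner) in scenario().items():
        print(f"{name:8s} -> {verdict}" + (f" {inner!r}" if inner else ""))
```

The property worth noticing is where the identity is asserted: the virtual instance manager on the host writes the identifier, so a workload cannot choose its own application identity, which is why the forged packet in the scenario is still treated as app 3. The example also fails closed for sources with no recorded identifier and for sources with no rule, mirroring the consistency check in claim 4. In a real deployment the outer tag is only trustworthy if overlay packets that enter the fabric from anywhere other than a virtual instance manager (tenant instances, external links) are stripped or dropped; otherwise anyone who can inject into the underlay can claim any identifier.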
CN202310376231.1A | Priority date 2022-08-18 | Filing date 2023-04-10 | A virtual instance creation method and cloud management platform based on cloud computing technology | Pending | CN117632353A (en)

Priority Applications (4)

Application Number | Priority Date | Filing Date | Title
JP2025508982A (JP2025526923A) | 2022-08-18 | 2023-08-18 | Method for creating virtual instances based on cloud computing technology and cloud management platform
PCT/CN2023/113710 (WO2024037619A1) | 2022-08-18 | 2023-08-18 | Cloud computing technology-based virtual instance creation method and cloud management platform
EP23854516.4A (EP4567593A1) | 2022-08-18 | 2023-08-18 | Cloud computing technology-based virtual instance creation method and cloud management platform
US19/055,814 (US20250193081A1) | 2022-08-18 | 2025-02-18 | Virtual Instance Creation Method Based on Cloud Computing Technology and Cloud Management Platform

Applications Claiming Priority (2)

Application Number | Priority Date
CN2022109914421 | 2022-08-18
CN202210991442 | 2022-08-18

Publications (1)

Publication Number | Publication Date
CN117632353A (en) | 2024-03-01

Family

ID=90030943

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202310376231.1A (Pending, CN117632353A) | A virtual instance creation method and cloud management platform based on cloud computing technology | 2022-08-18 | 2023-04-10

Country Status (1)

Country | Link
CN (1) | CN117632353A (en)

Similar Documents

Publication | Title
CN115699699B (en) | Virtual private cloud and cloud data center communication, configuration method and related device
CN111885075B (en) | Container communication method, device, network equipment and storage medium
US10778532B2 (en) | Overlay network movement operations
US10541836B2 (en) | Virtual gateways and implicit routing in distributed overlay virtual environments
US9749145B2 (en) | Interoperability for distributed overlay virtual environment
US9602307B2 (en) | Tagging virtual overlay packets in a virtual networking system
CN114070723B (en) | Virtual network configuration method and system of bare metal server and intelligent network card
US20180302327A1 (en) | Load balancing for a virtual networking system
US9112801B2 (en) | Quantized congestion notification in a virtual networking system
JP2022541381A (en) | Communication method, gateway, and management method and apparatus in hybrid cloud environment
CN104243265A (en) | Gateway control method, device and system based on virtual machine migration
US20140279885A1 (en) | Data replication for a virtual networking system
US20250193081A1 (en) | Virtual Instance Creation Method Based on Cloud Computing Technology and Cloud Management Platform
CN111654559B (en) | Container data transmission method and device
WO2023231982A1 (en) | Communication method between VPCs based on public cloud, and related product
CN117632353A (en) | A virtual instance creation method and cloud management platform based on cloud computing technology
CN114531320A (en) | Communication method, device, equipment, system and computer readable storage medium
WO2024165025A1 (en) | Virtual instance configuration method based on public cloud, and cloud management platform

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
