Hybrid cloud system, gatekeeper, network access method, and storage medium

Document No.: 195967    Publication date: 2021-11-02

Reading note: this technology, 混合云系统、网闸、网络访问方法及存储介质 (Hybrid cloud system, gatekeeper, network access method, and storage medium), was designed and created by 谢东 on 2020-04-30. Its main content is as follows: the application discloses a hybrid cloud system, and belongs to the technical field of cloud services. The hybrid cloud system comprises a first cloud system, a second cloud system and a gatekeeper, wherein the gatekeeper is connected with the first cloud system and the second cloud system; the client in the first cloud system is used for sending an access request message to the internal network port, wherein the source Internet Protocol (IP) address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port; the gatekeeper is used for changing the source IP address of the access request message into the IP address of the external network port, changing the destination IP address of the access request message into the IP address of the forwarding node and sending the access request message with the changed address to the forwarding node; and the forwarding node in the second cloud system is used for sending the access request message with the changed address to the service node in the second cloud system. The application reduces the cost of the gatekeeper while still achieving dynamic DNS resolution.

1. A hybrid cloud system, characterized in that the hybrid cloud system comprises a first cloud system, a second cloud system and a gatekeeper, the first cloud system comprises a client, the second cloud system comprises a forwarding node and a service node, an internal network port of the gatekeeper is connected with the first cloud system, and an external network port of the gatekeeper is connected with the second cloud system;

the client is used for sending an access request message to the internal network port, wherein the source internet protocol IP address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port;

the gatekeeper is used for changing a source IP address of the access request message into an IP address of the external network port, changing a destination IP address of the access request message into an IP address of the forwarding node, and sending the access request message with the changed address to the forwarding node;

and the forwarding node is used for sending the access request message after the address is changed to the service node.

2. The hybrid cloud system of claim 1, wherein the second cloud system further comprises a first domain name server, the access request packet further carries a domain name of the service node, the first domain name server records a correspondence between the domain name and an IP address of the forwarding node,

the gatekeeper is further configured to send a first domain name resolution request carrying the domain name to the first domain name server;

and the first domain name server is used for performing domain name resolution based on the domain name to obtain the IP address of the forwarding node, and sending a first domain name resolution response carrying the IP address of the forwarding node to the gatekeeper.

3. The hybrid cloud system according to claim 1 or 2, wherein the first cloud system further comprises a second domain name server, and the second domain name server records a correspondence between the domain name of the service node and the IP address of the internal network port;

the client is further configured to send a second domain name resolution request carrying the domain name to the second domain name server;

and the second domain name server is used for performing domain name resolution based on the domain name to obtain the IP address of the internal network port, and sending a second domain name resolution response carrying the IP address of the internal network port to the client.

4. The hybrid cloud system of any one of claims 1 to 3,

the forwarding node is specifically configured to send the address-changed access request packet to the service node based on one or more of the domain name of the service node and the port number of the service node, which are carried in the address-changed access request packet.

5. The hybrid cloud system of any one of claims 1 to 4,

the gatekeeper is further configured to record context information of the access request packet, where the context information includes: the source IP address, the source port number, the destination IP address and the destination port number of the access request message.

6. The hybrid cloud system of claim 5,

the forwarding node is further configured to receive an access response packet sent by the service node based on the access request packet, and send the access response packet to the external network port, where a source IP address of the access response packet is an IP address of the service node, and a destination IP address of the access response packet is an IP address of the external network port;

the gatekeeper is further configured to obtain context information of the access response packet, change a source IP address of the access response packet to an IP address of the internal network port when the context information of the access response packet matches the context information of the access request packet, change a destination IP address of the access response packet to an IP address of the client recorded in the context information of the access request packet, and send the access response packet after changing the address to the client.

7. A network access method is applied to a hybrid cloud system, the hybrid cloud system comprises a first cloud system, a second cloud system and a gatekeeper, the first cloud system comprises a client, the second cloud system comprises a forwarding node and a service node, an internal port of the gatekeeper is connected with the first cloud system, an external port of the gatekeeper is connected with the second cloud system, and the method comprises the following steps:

the client sends an access request message to the internal network port, wherein the source Internet Protocol (IP) address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port;

the gatekeeper changes the source IP address of the access request message into the IP address of the external network port, changes the destination IP address of the access request message into the IP address of the forwarding node, and sends the access request message with the changed address to the forwarding node;

and the forwarding node sends the access request message with the changed address to the service node.

8. The method according to claim 7, wherein the second cloud system further includes a first domain name server, the access request packet further carries a domain name of the service node, and the first domain name server records a correspondence between the domain name and an IP address of the forwarding node, and the method further includes:

the gatekeeper sends a first domain name resolution request carrying the domain name to the first domain name server;

and the first domain name server carries out domain name resolution based on the domain name to obtain the IP address of the forwarding node, and sends a first domain name resolution response carrying the IP address of the forwarding node to the gatekeeper.

9. The method according to claim 7 or 8, wherein the first cloud system further includes a second domain name server, and the second domain name server records a correspondence between the domain name of the service node and the IP address of the internal network port, and the method further includes:

the client sends a second domain name resolution request carrying the domain name to the second domain name server;

and the second domain name server carries out domain name resolution based on the domain name to obtain the IP address of the internal network port, and sends a second domain name resolution response carrying the IP address of the internal network port to the client.

10. The method according to any one of claims 7 to 9, wherein the forwarding node sends the address-changed access request packet to the service node, including:

and the forwarding node sends the access request message with the changed address to the service node based on one or more of the domain name of the service node and the port number of the service node carried in the access request message with the changed address.

11. The method according to any one of claims 7 to 10, further comprising:

the gatekeeper records context information of the access request message, and the context information includes: the source IP address, the source port number, the destination IP address and the destination port number of the access request message.

12. The method of claim 11, further comprising:

the forwarding node receives an access response message sent by the service node based on the access request message, and sends the access response message to the external network port, wherein the source IP address of the access response message is the IP address of the service node, and the destination IP address of the access response message is the IP address of the external network port;

the gatekeeper acquires the context information of the access response message, changes the source IP address of the access response message into the IP address of the internal network port when the context information of the access response message is matched with the context information of the access request message, changes the destination IP address of the access response message into the IP address of the client recorded in the context information of the access request message, and sends the access response message after changing the address to the client.

13. A gatekeeper, characterized in that an internal network port of the gatekeeper is connected to a first cloud system, an external network port of the gatekeeper is connected to a second cloud system, and the gatekeeper includes:

a first transceiving module, configured to receive an access request packet sent by a client in the first cloud system, where a source IP address of the access request packet is an IP address of the client, and a destination IP address of the access request packet is an IP address of the internal network port;

and the second transceiver module is used for changing the source IP address of the access request message into the IP address of the external network port, changing the destination IP address of the access request message into the IP address of the forwarding node, and sending the access request message with the changed address to the forwarding node in the second cloud system, so that the forwarding node sends the access request message with the changed address to the service node.

14. The gatekeeper of claim 13, wherein the access request packet further carries a domain name of the service node,

the second transceiving module is further configured to send a first domain name resolution request carrying the domain name to a first domain name server in the second cloud system, and receive a first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server, where the first domain name server records a correspondence between the domain name and the IP address of the forwarding node.

15. The gatekeeper of claim 13 or 14,

the first transceiver module is further configured to record context information of the access request packet, where the context information includes: the source IP address, the source port number, the destination IP address and the destination port number of the access request message.

16. The gatekeeper of claim 15,

the second transceiver module is further configured to receive an access response packet sent by the forwarding node, where the access response packet is sent to the forwarding node by the service node based on the access request packet, a source IP address of the access response packet is an IP address of the service node, and a destination IP address is an IP address of the external network port of the gatekeeper;

the first transceiver module is further configured to acquire context information of the access response packet, change a source IP address of the access response packet to an IP address of the internal network port when the context information of the access response packet matches the context information of the access request packet, change a destination IP address of the access response packet to an IP address of the client recorded in the context information of the access request packet, and send the access response packet after changing the address to the client.

17. A network access method is applied to a gatekeeper, an internal network port of the gatekeeper is connected with a first cloud system, an external network port of the gatekeeper is connected with a second cloud system, and the method comprises the following steps:

receiving an access request message sent by a client in the first cloud system, wherein a source IP address of the access request message is an IP address of the client, and a destination IP address of the access request message is an IP address of the internal network port;

changing the source IP address of the access request message into the IP address of the external network port, changing the destination IP address of the access request message into the IP address of a forwarding node, and sending the access request message with the changed address to the forwarding node in the second cloud system, so that the forwarding node sends the access request message with the changed address to the service node.

18. The method of claim 17, wherein the access request packet further carries a domain name of the service node, and wherein the method further comprises:

sending a first domain name resolution request carrying the domain name to a first domain name server in the second cloud system, and receiving a first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server, where the first domain name server records a corresponding relationship between the domain name and the IP address of the forwarding node.

19. The method according to claim 17 or 18, further comprising:

recording context information of the access request message, wherein the context information comprises: the source IP address, the source port number, the destination IP address and the destination port number of the access request message.

20. The method of claim 19, further comprising:

receiving an access response message sent by the forwarding node, wherein the access response message is sent to the forwarding node by the service node based on the access request message, the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port of the gatekeeper;

and obtaining context information of the access response message, changing a source IP address of the access response message into an IP address of the internal network port when the context information of the access response message is matched with the context information of the access request message, changing a destination IP address of the access response message into the IP address of the client recorded in the context information of the access request message, and sending the access response message after changing the address to the client.

21. A gatekeeper, comprising: a first portal, a second portal, a processor and a memory, said memory having stored thereon a computer program which, when executed by said processor, causes said gatekeeper to implement the method of any one of claims 17 to 20.

22. A storage medium in which instructions, when executed by a processor, implement the method of any of claims 17 to 20.

Technical Field

The present application relates to the field of cloud service technologies, and in particular, to a hybrid cloud system, a gatekeeper, a network access method, and a storage medium.

Background

Currently, in order to ensure the network security of an intranet (e.g., a private cloud), a gatekeeper is usually provided between the intranet and an extranet (e.g., a public cloud). When a client in the intranet accesses the extranet through the gatekeeper, the access request message of the client is relayed to the extranet by the gatekeeper, so that access to the extranet is realized.

In order to ensure that a client can access an Internet Protocol (IP) address through a gatekeeper, the IP address needs to be configured in the gatekeeper in advance as an address allowed to be reached, so that a message carrying the IP address can pass through the gatekeeper and the IP address can be accessed through that message. However, in a scenario where a device is accessed through its domain name, the IP address corresponding to the domain name may change; if the changed IP address is not configured in the gatekeeper as an address allowed to be reached, the gatekeeper does not allow the packet carrying the changed IP address to pass through, and access to the device through that packet cannot be realized.

Although this problem can be solved by configuring the gatekeeper with a dynamic DNS function, a gatekeeper with a dynamic DNS function is high in cost and has limited applicability.

Disclosure of Invention

The application provides a hybrid cloud system, a gatekeeper, a network access method and a storage medium, which can solve the problem that the cost of the gatekeeper with the dynamic DNS function is high at present.

In a first aspect, a hybrid cloud system is provided, which includes a first cloud system, a second cloud system and a gatekeeper, wherein the first cloud system includes a client, the second cloud system includes a forwarding node and a service node, an internal network port of the gatekeeper is connected to the first cloud system, and an external network port of the gatekeeper is connected to the second cloud system; the client is used for sending an access request message to the internal network port, wherein the source Internet Protocol (IP) address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port; the gatekeeper is used for changing the source IP address of the access request message into the IP address of the external network port, changing the destination IP address of the access request message into the IP address of the forwarding node and sending the access request message with the changed address to the forwarding node; and the forwarding node is used for sending the access request message with the changed address to the service node.

By configuring the forwarding node in the second cloud system, the gatekeeper can send the access request message to the forwarding node, and then send the access request message to the service node through the forwarding node, so that access of the client to the service node can be realized.

In addition, configuring a dynamic DNS resolution function in the gatekeeper would break the gatekeeper's principle of static data exchange. Since the gatekeeper in the embodiments of the present application does not need to be configured with a dynamic DNS resolution function, that principle is preserved, and the application range of the hybrid cloud system is ensured.

Meanwhile, because the forwarding node is deployed in the second cloud system, the scale and number of forwarding nodes can be chosen as required by the application, so that different application scenarios can be met.

In one implementation manner, the second cloud system further includes a first domain name server, the access request packet further carries a domain name of the service node, and the first domain name server records a correspondence between the domain name of the service node and an IP address of the forwarding node. The gatekeeper is also used for sending a first domain name resolution request carrying the domain name of the service node to the first domain name server; and the first domain name server is used for performing domain name resolution based on the domain name of the service node to obtain the IP address of the forwarding node, and sending a first domain name resolution response carrying the IP address of the forwarding node to the gatekeeper.

When the second cloud system includes the first domain name server, the gatekeeper may acquire the IP address of the forwarding node through the first domain name server. In this case the gatekeeper does not need to record the correspondence between the target information (the domain name of the service node) and the IP address of the forwarding node, so the memory resources the gatekeeper would occupy for storing that correspondence can be reduced, and the cost of the gatekeeper can be further reduced.

Optionally, the first cloud system further includes a second domain name server, where the second domain name server records a correspondence between a domain name of the service node and an IP address of the internal network port; the client is also used for sending a second domain name resolution request carrying the domain name of the service node to the second domain name server; and the second domain name server is used for performing domain name resolution on the basis of the domain name of the service node to obtain the IP address of the internal network port, and sending a second domain name resolution response carrying the IP address of the internal network port to the client.

When the first cloud system includes the second domain name server, the client may obtain an IP address required for implementing the domain name access through domain name resolution.

In an implementation manner, the forwarding node is specifically configured to send the access request packet with the changed address to the service node based on one or more of a domain name of the service node and a port number of the service node, which are carried in the access request packet with the changed address.

Optionally, the gatekeeper is further configured to record context information of the access request packet, where the context information includes: the source IP address, the source port number, the destination IP address and the destination port number of the access request packet.

Correspondingly, the forwarding node is further configured to receive an access response packet sent by the service node based on the access request packet, and send the access response packet to the external network port, where a source IP address of the access response packet is an IP address of the service node, and a destination IP address of the access response packet is an IP address of the external network port.

At this time, the gatekeeper is further configured to obtain context information of the access response packet, change the source IP address of the access response packet to the IP address of the internal network port when the context information of the access response packet matches the context information of the access request packet, change the destination IP address of the access response packet to the IP address of the client recorded in the context information of the access request packet, and send the access response packet after changing the address to the client.
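The round trip described in the first aspect (domain resolution at both DNS servers, address rewriting and context recording at the gatekeeper, dispatch at the forwarding node, and context matching of the response) modelled as an added Python example; this is not code from the patent. The IP addresses, the gatekeeper's choice of outbound source ports, and matching responses on the external-port IP plus port pair are assumptions made for the model.

```python
"""Model of the hybrid-cloud gatekeeper flow (added illustration, not the patent's code)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Request context as recorded by the gatekeeper: (src_ip, src_port, dst_ip, dst_port)
Context = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    domain: Optional[str] = None  # domain name of the service node, when carried
    payload: str = ""


class DomainNameServer:
    """Static domain -> IP table (first DNS in cloud 2, second DNS in cloud 1)."""

    def __init__(self, records: Dict[str, str]):
        self.records = dict(records)

    def resolve(self, domain: str) -> str:
        return self.records[domain]


class Gatekeeper:
    """Rewrites addresses between the internal and external network ports and
    keeps the request context used to map responses back to the client."""

    def __init__(self, inner_ip: str, outer_ip: str, first_dns: DomainNameServer):
        self.inner_ip = inner_ip
        self.outer_ip = outer_ip
        self.first_dns = first_dns
        # (outbound src port, dst port) on the external side -> original request context
        self.contexts: Dict[Tuple[int, int], Context] = {}
        self._next_port = 40000  # assumption: the gatekeeper allocates its own source ports

    def handle_request(self, pkt: Packet) -> Optional[Packet]:
        # Only packets addressed to the internal network port are accepted
        if pkt.dst_ip != self.inner_ip or pkt.domain is None:
            return None
        ctx: Context = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Resolve the service node's domain to the forwarding node via the first DNS
        fwd_ip = self.first_dns.resolve(pkt.domain)
        outer_port = self._next_port
        self._next_port += 1
        self.contexts[(outer_port, pkt.dst_port)] = ctx  # record context before rewriting
        # src -> external port IP, dst -> forwarding node IP
        return replace(pkt, src_ip=self.outer_ip, src_port=outer_port, dst_ip=fwd_ip)

    def handle_response(self, pkt: Packet) -> Optional[Packet]:
        # The response's source is the service node, whose IP the gatekeeper never
        # learned (it only resolved the forwarding node), so the match is made on the
        # external-port IP and the port pair; anything without a context is dropped.
        ctx = self.contexts.get((pkt.dst_port, pkt.src_port))
        if pkt.dst_ip != self.outer_ip or ctx is None:
            return None
        client_ip, client_port, _, service_port = ctx
        return replace(pkt, src_ip=self.inner_ip, src_port=service_port,
                       dst_ip=client_ip, dst_port=client_port)


class ForwardingNode:
    """Dispatches on the domain name and port carried in the packet."""

    def __init__(self, ip: str, routes: Dict[Tuple[str, int], str]):
        self.ip = ip
        self.routes = routes  # (domain, port) -> service node IP

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.ip:
            return None
        service_ip = self.routes.get((pkt.domain, pkt.dst_port))
        return None if service_ip is None else replace(pkt, dst_ip=service_ip)


def run_scenario() -> Dict[str, Optional[Packet]]:
    """One request/response round trip plus an unsolicited extranet packet (constructed data)."""
    first_dns = DomainNameServer({"svc.example.test": "203.0.113.20"})  # cloud 2
    second_dns = DomainNameServer({"svc.example.test": "10.0.0.1"})     # cloud 1
    gk = Gatekeeper(inner_ip="10.0.0.1", outer_ip="203.0.113.1", first_dns=first_dns)
    fwd = ForwardingNode("203.0.113.20", {("svc.example.test", 443): "203.0.113.30"})

    # Client resolves the domain through the second DNS and gets the internal port IP
    target = second_dns.resolve("svc.example.test")
    req = Packet("10.0.0.50", 51000, target, 443, domain="svc.example.test", payload="GET /")
    rewritten = gk.handle_request(req)
    at_service = fwd.forward(rewritten)
    # Service node replies with src = its own IP and dst = the external network port
    resp = Packet(at_service.dst_ip, at_service.dst_port,
                  at_service.src_ip, at_service.src_port, payload="200 OK")
    back = gk.handle_response(resp)
    # Packet from the extranet with no recorded request context
    stray = Packet("203.0.113.99", 8080, gk.outer_ip, 40000, payload="junk")
    return {"rewritten": rewritten, "at_service": at_service,
            "back": back, "stray": gk.handle_response(stray)}


if __name__ == "__main__":
    for name, pkt in run_scenario().items():
        print(name, pkt)
```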

In a second aspect, a network access method is provided, where the method is applied to a hybrid cloud system, the hybrid cloud system includes a first cloud system, a second cloud system, and a gatekeeper, the first cloud system includes a client, the second cloud system includes a forwarding node and a service node, an internal network port of the gatekeeper is connected to the first cloud system, and an external network port of the gatekeeper is connected to the second cloud system, and the method includes: the client sends an access request message to the internal network port, wherein the source Internet Protocol (IP) address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port; the gatekeeper changes the source IP address of the access request message into the IP address of the external network port, changes the destination IP address of the access request message into the IP address of the forwarding node, and sends the access request message with the changed address to the forwarding node; and the forwarding node sends the access request message with the changed address to the service node.

Optionally, the second cloud system further includes a first domain name server, the access request packet further carries a domain name of the service node, and the first domain name server records a correspondence between the domain name of the service node and an IP address of the forwarding node, and the method further includes: the gatekeeper sends a first domain name resolution request carrying the domain name of the service node to the first domain name server; and the first domain name server carries out domain name resolution based on the domain name of the service node to obtain the IP address of the forwarding node, and sends a first domain name resolution response carrying the IP address of the forwarding node to the gatekeeper.

Optionally, the first cloud system further includes a second domain name server, where the second domain name server records a correspondence between a domain name of the service node and an IP address of the internal network port, and the method further includes: the client sends a second domain name resolution request carrying the domain name of the service node to a second domain name server; and the second domain name server performs domain name resolution on the basis of the domain name of the service node to obtain the IP address of the internal network port, and sends a second domain name resolution response carrying the IP address of the internal network port to the client.

Optionally, the forwarding node sending the access request packet with the changed address to the service node includes: the forwarding node sends the access request message with the changed address to the service node based on one or more of the domain name of the service node and the port number of the service node carried in the access request message with the changed address.

Optionally, the method further includes: the gatekeeper records context information of the access request message, and the context information comprises: the source IP address, the source port number, the destination IP address and the destination port number of the access request message.

Optionally, the method further includes: the forwarding node receives an access response message sent by the service node based on the access request message, and sends the access response message to the external network port, wherein the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port; the gatekeeper acquires the context information of the access response message, changes the source IP address of the access response message into the IP address of the internal network port when the context information of the access response message is matched with the context information of the access request message, changes the destination IP address of the access response message into the IP address of the client recorded in the context information of the access request message, and sends the access response message with the changed address to the client.

In a third aspect, a gatekeeper is provided, where an internal network port of the gatekeeper is connected to a first cloud system, an external network port of the gatekeeper is connected to a second cloud system, and the gatekeeper includes: a first transceiving module, used for receiving an access request message sent by a client in the first cloud system, wherein the source IP address of the access request message is the IP address of the client, and the destination IP address of the access request message is the IP address of the internal network port; and a second transceiving module, used for changing the source IP address of the access request message into the IP address of the external network port, changing the destination IP address of the access request message into the IP address of the forwarding node, and sending the access request message with the changed address to the forwarding node in the second cloud system, so that the forwarding node sends the access request message with the changed address to the service node.

Optionally, the access request packet further carries a domain name of the service node, and the second transceiving module is further configured to send a first domain name resolution request carrying the domain name of the service node to a first domain name server in the second cloud system, and receive a first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server, where the first domain name server records a correspondence between the domain name of the service node and the IP address of the forwarding node.

Optionally, the first transceiver module is further configured to record context information of the access request packet, where the context information includes: the source IP address, the source port number, the destination IP address and the destination port number of the access request packet.

Optionally, the second transceiver module is further configured to receive an access response packet sent by the forwarding node, where the access response packet is sent to the forwarding node by the service node based on the access request packet, a source IP address of the access response packet is an IP address of the service node, and a destination IP address is an IP address of the external network port of the gatekeeper; the first transceiver module is further configured to acquire context information of the access response packet, change a source IP address of the access response packet to an IP address of the internal network port when the context information of the access response packet matches the context information of the access request packet, change a destination IP address of the access response packet to an IP address of the client recorded in the context information of the access request packet, and send the access response packet after changing the address to the client.

In a fourth aspect, a network access method is provided, where an internal network port of a gatekeeper is connected to a first cloud system, and an external network port of the gatekeeper is connected to a second cloud system, and the method includes: receiving an access request message sent by a client in the first cloud system, wherein the source IP address of the access request message is the IP address of the client, and the destination IP address is the IP address of the internal network port; and changing the source IP address of the access request message into the IP address of the external network port, changing the destination IP address of the access request message into the IP address of the forwarding node, and sending the access request message with the changed address to the forwarding node in the second cloud system, so that the forwarding node sends the access request message with the changed address to the service node.

Optionally, the access request packet further carries a domain name of the service node, and the method further includes: sending a first domain name resolution request carrying a domain name of a service node to a first domain name server in a second cloud system, and receiving a first domain name resolution response carrying an IP address of a forwarding node sent by the first domain name server, wherein the first domain name server records a corresponding relation between the domain name of the service node and the IP address of the forwarding node.

Optionally, the method further includes: recording context information of the access request message, wherein the context information comprises the source IP address, the source port number, the destination IP address and the destination port number of the access request message.

Optionally, the method further includes: receiving an access response message sent by the forwarding node, wherein the access response message is sent to the forwarding node by the service node in reply to the access request message, the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port of the gatekeeper; and obtaining the context information of the access response message, and, when the context information of the access response message matches the context information of the access request message, changing the source IP address of the access response message to the IP address of the internal network port, changing the destination IP address of the access response message to the IP address of the client recorded in the context information of the access request message, and sending the address-changed access response message to the client.

In a fifth aspect, there is provided a gatekeeper comprising a first network port, a second network port, a processor and a memory, where the memory stores a computer program, and when the processor executes the computer program, the gatekeeper implements the method provided in the fourth aspect.

In a sixth aspect, a storage medium is provided, in which instructions are stored that, when executed by a processor, implement the method provided in the fourth aspect.

Drawings

Fig. 1 is a schematic structural diagram of a hybrid cloud system provided in an embodiment of the present application;

fig. 2 is a schematic structural diagram of another hybrid cloud system provided in an embodiment of the present application;

fig. 3 is a schematic structural diagram of another hybrid cloud system provided in an embodiment of the present application;

fig. 4 is a schematic structural diagram of another hybrid cloud system provided in an embodiment of the present application;

fig. 5 is a flowchart of a network access method provided in an embodiment of the present application;

fig. 6 is a schematic structural diagram of a gatekeeper provided in an embodiment of the present application;

fig. 7 is a flowchart of another network access method provided in an embodiment of the present application;

fig. 8 is a schematic structural diagram of another gatekeeper provided in the embodiment of the present application.

Detailed Description

To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.

For the sake of understanding, the terms referred to in the embodiments of the present application will be explained below.

1. Network gate

The gatekeeper (network gate) is an information security device used to connect two host systems that are located in an internal network and an external network respectively. The gatekeeper is provided with an internal network port, an external network port and a storage medium. By ensuring that the internal network port and the storage medium, and the external network port and the storage medium, are never connected at the same time, the gatekeeper isolates the two host systems: there is no direct physical connection, no logical connection and no protocol-based information exchange between them. The network connection to the intranet is thereby cut off, so that the extranet cannot directly intrude into, attack or damage the intranet, and the security of the host system located in the intranet is guaranteed.

The gatekeeper can still transfer data from one host system to the other in the form of data files, by connecting the storage medium to the internal network port and to the external network port in turn. The transfer process is described here taking data sent from the intranet to the extranet as an example. After the host system in the intranet sends the data to be transferred to the internal network port, the storage medium is connected to the internal network port and the data are copied from the internal network port to the storage medium; once the copy is complete, the connection between the storage medium and the internal network port is broken. The external network port is then connected to the storage medium and the data are copied from the storage medium to the external network port; once that copy is complete, the connection between the storage medium and the external network port is broken. Finally, the external network port sends the data to the host system in the extranet, completing the transfer.

2. Domain name resolution

Domain name resolution is a service that maps a domain name to the IP address of a site, so that a user can conveniently access the site through a registered domain name. An IP address is a numeric address identifying a host on a network; it is usually a fixed-length value that is hard to remember, so a domain name is used to identify the site instead of the IP address. Domain name resolution is thus the process of converting a domain name into an IP address.

The embodiment of the application provides a hybrid cloud system. As shown in fig. 1, the hybrid cloud system includes a first cloud system 10, a second cloud system 20, and a gatekeeper 30. The first cloud system 10 includes a client 101. The second cloud system 20 includes a forwarding node 201 and a service node 202. An internal network port of the gatekeeper 30 is connected to the first cloud system 10, and an external network port of the gatekeeper 30 is connected to the second cloud system 20.

The client 101 is configured to send an access request message to the internal network port. The source IP address of the access request packet is the IP address of the client 101, and the destination IP address is the IP address of the internal network port.

The gatekeeper 30 is configured to change a source IP address of the access request packet to an IP address of an external network port, acquire an IP address of a forwarding node 201, which is used for forwarding the access request packet, in the second cloud system 20 according to information in the access request packet, change a destination IP address of the access request packet to an IP address of the forwarding node 201, and send the access request packet with the changed address to the forwarding node 201;

and the forwarding node 201 is configured to send the access request packet with the changed address to the service node 202.

As can be seen from the above, in the hybrid cloud system provided in the embodiment of the present application, by configuring the forwarding node 201 in the second cloud system 20, the gatekeeper 30 can send the access request packet to the forwarding node 201, which then sends it on to the service node 202, so that the client 101 can access the service node 202. Compared with the related art, no dynamic DNS resolution function needs to be configured in the gatekeeper 30: a general-purpose gatekeeper 30 can be used in the system deployment, the memory the gatekeeper 30 would otherwise spend storing DNS resolution addresses is saved, the cost of the gatekeeper 30 is reduced, and its range of application is widened. Moreover, configuring a dynamic DNS resolution function in the gatekeeper 30 would break the principle that the gatekeeper 30 only exchanges static data; because the gatekeeper 30 in this embodiment needs no such function, that principle is preserved, and the range of application of the hybrid cloud system is guaranteed.

In one implementation, the first cloud system 10 may be a private cloud system or a local data center with a high data security requirement. The second cloud system 20 may be a public cloud system, a private cloud system or a data center, and its data security requirement is lower than that of the first cloud system 10. By placing the gatekeeper 30 between the first cloud system 10 and the second cloud system 20, the two systems are isolated from each other, which ensures the data security of the first cloud system 10.

For example, the first cloud system 10 may be a private cloud system used by a government entity or a public security department with a high data security requirement, and the second cloud system 20 may be a cloud system formed by virtual machines that the same entity rents in a public cloud. Alternatively, the first cloud system 10 may be such a private cloud system and the second cloud system 20 may be a private cloud system used by an organization associated with that entity. Or the first cloud system 10 may be a local data center used by a government entity or a public security department with a high data security requirement, and the second cloud system 20 may be a data center used by an organization associated with that entity.

The client 101 may be used by a user in the first cloud system 10. For example, when the first cloud system 10 is a private cloud system used by the public security department, the client 101 may be used by a worker in the public security department. For another example, the client 101 may be used by a network manager of the first cloud system 10, the client 101 may be connected to a cloud management platform in the first cloud system 10, and the network manager may operate on the client 101 to implement management of the first cloud system 10. Moreover, the cloud service used for managing the first cloud system 10 may be deployed on the service node 202 in the second cloud system 20, and at this time, the network manager may access the service node 202 through the client 101 and implement management on the first cloud system 10 according to the access result. Optionally, cloud services such as authentication, operation and maintenance, Application Programming Interface Gateway (APIG), and web portal (portal) may be deployed on the service node 202.

Alternatively, the client 101 may be a host in the cloud management platform, and the host may also initiate an access request message for accessing the host in the second cloud system 20.

The implementation process in the gatekeeper 30, from receiving the access request message to sending the address-changed access request message to the forwarding node 201, may be as follows: the internal network port of the gatekeeper 30 receives the access request message; the storage medium in the gatekeeper 30 establishes a connection with the internal network port, the access request message is copied from the internal network port to the storage medium, and the connection between the two is broken once the copy is complete; the storage medium then changes the source IP address of the access request message to the IP address of the external network port; the external network port then establishes a connection with the storage medium, the access request message is copied from the storage medium to the external network port, and the connection between the two is broken once the copy is complete; finally, the external network port obtains, according to information in the access request message, the IP address of the forwarding node 201 in the second cloud system 20 that will forward the access request message, and changes the destination IP address of the access request message to the IP address of the forwarding node 201.

It should be noted that the operation of changing the source IP address of the access request message to the IP address of the external network port may also be executed by the external network port. However, since the storage medium is not directly connected to the second cloud system 20, when the storage medium performs an operation of changing the source IP address of the access request packet to the IP address of the external port, the possibility that the IP address of the client 101 is leaked to the second cloud system 20 can be reduced, and the security of data can be further improved.

Optionally, there are various implementations of the gatekeeper 30 acquiring the IP address of the forwarding node 201, and the following two implementations are taken as examples to describe the implementations.

In a first implementation manner, the access request packet may carry a domain name of a service node that the access request packet requests to access, and the gatekeeper 30 may obtain the IP address of the forwarding node 201 through DNS resolution. At this time, as shown in fig. 2, the second cloud system 20 further includes a first domain name server 203, and the first domain name server 203 records a corresponding relationship between the domain name of the service node and the IP address of the forwarding node 201. Correspondingly, the gatekeeper 30 is further configured to send a first domain name resolution request carrying the domain name of the service node to the first domain name server 203. The first domain name server 203 is configured to perform domain name resolution by querying a corresponding relationship between a domain name of a service node and an IP address of the forwarding node 201 based on the domain name of the service node, to obtain an IP address of the forwarding node 201, and then send a first domain name resolution response carrying the IP address of the forwarding node 201 to the gatekeeper 30, so that the gatekeeper 30 obtains the IP address of the forwarding node 201.

In a second implementation manner, the access request message may carry target information comprising at least one of the domain name of the service node that the access request message requests to access and the port number of the service node; the gatekeeper 30 records a corresponding relationship between the target information and the IP address of the forwarding node 201, and queries that relationship according to the target information to obtain the IP address of the forwarding node 201. For example, the gatekeeper 30 may record a corresponding relationship between the domain name of the service node and the IP address of the forwarding node 201; after the gatekeeper 30 obtains the domain name of the service node carried in the access request packet, it queries the relationship by that domain name to obtain the IP address of the forwarding node 201.

It should be noted that the manner in which the gatekeeper 30 obtains the IP address of the forwarding node 201 may be chosen according to whether the gatekeeper 30 supports sending DNS resolution packets. Moreover, when the gatekeeper 30 obtains the IP address of the forwarding node 201 through DNS resolution, it does not need to record the corresponding relationship between the target information and the IP address of the forwarding node 201, so the memory the gatekeeper 30 would spend storing that relationship is saved and its cost is reduced further.

Also, the second cloud system 20 may include a plurality of forwarding nodes 201 that share the forwarding load. When the second cloud system 20 includes a plurality of forwarding nodes 201, on one hand the performance degradation or crash that an excessive load on a single forwarding node 201 would cause is avoided, and on the other hand the forwarding efficiency in the second cloud system 20, and hence the access efficiency, is improved. In this case, after receiving the access request packet, the gatekeeper 30 first determines, from the plurality of forwarding nodes 201, a target forwarding node 201 for forwarding the access request packet to the service node 202, and then sends the access request message to that target forwarding node 201.

In an implementation manner, the gatekeeper 30 may record the corresponding relationship between different source IP addresses and the plurality of forwarding nodes 201, before the gatekeeper 30 sends the access request packet to the forwarding nodes 201, the gatekeeper 30 may further query the corresponding relationship between the different source IP addresses and the plurality of forwarding nodes 201 based on the source IP address of the access request packet to obtain a target forwarding node 201 for sending the access request packet after changing the address to the service node 202, then change the destination IP address of the access request packet to the IP address of the target forwarding node 201, and send the access request packet after changing the address to the target forwarding node 201.

The forwarding node 201 may be implemented by a virtual machine, a container or a physical server. For example, the network manager may lease a virtual machine in the second cloud system 20 and configure it so that it performs the function of the forwarding node 201. The forwarding node 201 may also be a proxy cloud service configured on the virtual machine, for example an Nginx proxy cloud service or an SLB proxy cloud service. Moreover, because the forwarding node 201 is deployed in the second cloud system 20, the scale and number of forwarding nodes 201 can be chosen as required by the application, so as to meet different application scenarios. In addition, the IP address of the forwarding node 201 is usually not changed, for example because it is fixed during system configuration or fixed through a cloud platform setting, so providing the forwarding node 201 avoids having to re-check or re-configure the gatekeeper 30 whenever an IP address changes, which effectively reduces labor cost.

Optionally, an implementation manner of sending, by the forwarding node 201, the access request packet after changing the address to the service node 202 may include: the forwarding node 201 sends the access request message with the changed address to the service node 202 based on one or more of the domain name of the service node and the port number of the service node carried in the access request message with the changed address.

For example, the forwarding node 201 may send the access request packet to the service node 202 by means of port mapping. That is, the forwarding node 201 records a corresponding relationship between port numbers and IP addresses; after receiving the address-changed access request packet from the external network port of the gatekeeper 30, the forwarding node 201 obtains the destination port of the packet and queries the relationship by that port to obtain the IP address corresponding to the port number of the service node 202 that the client 101 requests to access, that is, the IP address of the service node 202, and then sends the access request packet to the service node 202 according to that IP address.

For another example, the access request message may carry the domain name of the service node that the client 101 requests to access, in which case the forwarding node 201 may send the access request message to the service node 202 by domain name mapping. That is, the forwarding node 201 records a corresponding relationship between domain names and dynamic IP addresses; after receiving the address-changed access request packet from the external network port of the gatekeeper 30, the forwarding node 201 obtains the domain name of the service node carried in the packet and queries the relationship by that domain name to obtain the corresponding dynamic IP address, that is, the IP address of the service node 202, and then sends the access request packet to the service node 202 according to that IP address.

For another example, when the access request message carries the domain name of the service node that the client 101 requests to access, the forwarding node 201 may also obtain the dynamic IP address corresponding to that domain name through domain name resolution, that is, obtain the IP address of the service node 202, and then send the access request message to the service node 202 according to that IP address.

Moreover, because the forwarding node 201 is located in the second cloud system 20, the corresponding relationship between domain names and IP addresses recorded in the forwarding node 201 can be updated promptly, so that the access request packet still reaches the requested service node 202 even after the IP address behind a domain name changes. Compared with the related art, the gatekeeper 30 does not need to be reconfigured every time such an IP address changes, which effectively reduces labor cost and improves access efficiency; at the same time the client 101 is unaware of the change, which improves the user experience.

Optionally, when the client 101 performs network access through a domain name, the client 101 may obtain the IP address needed for that access through domain name resolution. Correspondingly, as shown in fig. 3, the first cloud system 10 further includes a second domain name server 102, which records a corresponding relationship between the domain name of the service node and the IP address of the internal network port of the gatekeeper 30. The client 101 is then further configured to send a second domain name resolution request carrying the domain name of the service node it requests to access to the second domain name server 102; the second domain name server 102 is configured to perform domain name resolution according to that corresponding relationship, obtain the IP address of the internal network port, and send a second domain name resolution response carrying the IP address of the internal network port to the client 101. Correspondingly, the client 101 is further configured to construct the access request packet based on the IP address of the internal network port.

Further, so that the access response message from the service node 202 can be returned to the client 101, the gatekeeper 30 may also record the context information of the access request message. The context information includes the source IP address, the source port number, the destination IP address and the destination port number of the access request message. Alternatively, the context information may include more than these four fields, which is not specifically limited in this embodiment of the application; for example, it may also include the transport layer protocol.

Accordingly, the forwarding node 201 and the gatekeeper 30 also have the following functions:

the forwarding node 201 is further configured to receive an access response packet sent by the service node 202 based on the access request packet, and send the access response packet to the external network port. Wherein, the source IP address of the access response message is the IP address of the service node 202, and the destination IP address of the access response message is the IP address of the external network port;

the gatekeeper 30 is further configured to obtain the context information of the access response packet and, when it matches the context information of the access request packet, change the source IP address of the access response packet to the IP address of the internal network port, change the destination IP address of the access response packet to the IP address of the client 101 recorded in the context information of the access request packet, and send the address-changed access response packet to the client 101. The implementation process in the gatekeeper 30 from receiving the access response message to sending the address-changed access response message to the client 101 mirrors the process described above for the access request message, and is not described again here.

Both the access request message and the access response message in the embodiment of the present application may be Hypertext Transfer Protocol (HTTP) messages; information such as the port number and the domain name can be carried in the HTTP header.

In addition, to carry the messages across the hybrid cloud system, the system may further include switches and network address translation gateways. For example, as shown in fig. 4, a switch 103 may be placed between the client 101 and the internal network port of the gatekeeper 30, and a network address translation gateway 204 may be placed between the forwarding node 201 and the service node 202. The external network port of the gatekeeper 30 and the forwarding node 201 may be connected over a dedicated line network or a software defined wide area network (SD-WAN).

In summary, in the hybrid cloud system provided in the embodiment of the present application, the gatekeeper can send the access request packet to the forwarding node by configuring the forwarding node in the second cloud system, and then send the access request packet to the service node by the forwarding node, so that access to the service node by the client can be realized. In addition, since the configuration of the dynamic DNS resolution function in the gatekeeper destroys the principle of the gatekeeper for static data exchange, and the gatekeeper in the embodiment of the present application does not need to be configured with the dynamic DNS resolution function, the principle of the gatekeeper for static data exchange is not destroyed, and the application range of the hybrid cloud system can be ensured. Meanwhile, the forwarding node is deployed in the second cloud system, so that the scale and the number of the forwarding nodes can be deployed as required according to application requirements, and different application scenes can be met.

The following describes an implementation process of implementing network access through a hybrid cloud according to the embodiment of the present application, by taking the hybrid cloud system shown in fig. 3 as an example. As shown in fig. 5, the implementation process of the network access method may include the following steps:

step 501, the client sends a second domain name resolution request carrying the domain name of the service node to a second domain name server.

When the client accesses the network through the domain name, the client can acquire the IP address required for realizing the domain name access through domain name resolution, so that the client can send a second domain name resolution request carrying the domain name of the service node to a second domain name server.

It should be noted that, before the client sends the second domain name resolution request, the second domain name server must be configured in advance as the domain name server used by the first cloud system, so that it can perform domain name resolution for the client. In addition, because every access request message for a service node in the second cloud system has to pass through the gatekeeper, the second domain name server can be configured so that the domain names of all service nodes in the second cloud system resolve to the IP address of the internal network port of the gatekeeper, so that the access request messages are routed correctly. For example, if the IP address of the internal network port is 1.1.1.1, the domain names of all service nodes in the second cloud system may be configured in the second domain name server to resolve to 1.1.1.1.

Step 502, the second domain name server performs domain name resolution based on the domain name of the service node to obtain the IP address of the internal network port, and sends a second domain name resolution response carrying the IP address of the internal network port to the client.

After receiving the second domain name resolution request sent by the client, the second domain name server may obtain the IP address of the internal network port corresponding to the domain name of the service node according to the correspondence between the domain name of the service node and the IP address of the internal network port recorded by the second domain name server.

Step 503, the client sends an access request message to the intranet port according to the IP address of the intranet port, where the source IP address of the access request message is the IP address of the client, and the destination IP address is the IP address of the intranet port.

After receiving the IP address of the internal network port carried by the second domain name resolution response, the client may construct an access request packet according to the IP address of the internal network port, where a source IP address of the access request packet is the IP address of the client and a destination IP address is the IP address of the internal network port. Optionally, the access request message may also carry a port number of a service node that the client requests to access. For example, if the port number of the service node requested to be accessed by the client is 8080, the IP address of the client is 10.20.0.100, and the IP address of the intranet port is 1.1.1.1, the destination port of the access request message is 8080, the source IP address is 10.20.0.100, and the destination IP address is 1.1.1.1.

Step 504, the internal port of the gatekeeper records the context information of the access request message.

After receiving an access request message sent by a client, the internal network port of the gatekeeper can record context information of the access request message, so that the access response message sent for this access request message can later be delivered to the client according to the context information. The context information may include the source IP address, the source port number, the destination IP address and the destination port number of the access request message. Alternatively, the context information may include more than the source IP address, the source port number, the destination IP address and the destination port number, which is not specifically limited in this embodiment of the application. For example, the context information may also include the transport layer protocol.

Step 505, the storage medium of the gatekeeper is connected with the internal network port, the access request message is copied into the storage medium, and the source IP address of the access request message is changed into the IP address of the external network port.

The implementation process of step 505 may refer to the related description in the foregoing system embodiment, and is not described herein again.

For example, assuming that the IP address of the external network port is 2.1.1.1, and continuing the example in step 503, after the access request message is copied into the storage medium, the source IP address of the access request message may be changed from 10.20.0.100 to 2.1.1.1.

Step 506, the external network port of the gatekeeper is connected with the storage medium, the access request message is copied into the external network port, the IP address of the forwarding node that will send the access request message to the service node is acquired, the destination IP address of the access request message is changed into the IP address of the forwarding node, and the access request message with the changed address is sent to the forwarding node.

The implementation process of step 506 may refer to the related description in the foregoing system embodiment, and is not described herein again.

For example, assuming that the IP address of the forwarding node that sends the access request packet to the service node is 10.10.0.253, and continuing the example in step 503, after the access request packet is copied into the external network port, the destination IP address of the access request packet may be changed from 1.1.1.1 to 10.10.0.253.

Step 507, the forwarding node sends the access request message with the changed address to the service node.

The implementation process of step 507 may include: the forwarding node sends the access request message with the changed address to the service node based on one or more of the domain name of the service node and the port number of the service node carried in the access request message with the changed address. For the specific implementation process, reference is made to the related description in the foregoing system embodiment, and details are not repeated here.

Step 508, the forwarding node receives an access response message sent by the service node based on the access request message, and sends the access response message to the external network port, wherein the source IP address of the access response message is the IP address of the service node, and the destination IP address is the IP address of the external network port.

Step 509, the gatekeeper obtains context information of the access response packet; when the context information of the access response packet matches the context information of the access request packet, the gatekeeper changes the source IP address of the access response packet to the IP address of the internal network port, changes the destination IP address of the access response packet to the IP address of the client recorded in the context information of the access request packet, and sends the access response packet with the changed address to the client.

In order to ensure the security of data, the operation of changing the destination IP address of the access response message into the IP address of the client recorded in the context information of the access request message may be executed by the internal network port of the gatekeeper. In addition, for the implementation process from the gatekeeper receiving the access response message to sending the address-modified access response message to the client, reference may be made correspondingly to the implementation process from receiving the access request message to sending the address-modified access request message to the forwarding node, and details are not repeated here.
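The following is an added example, not code from the patent, that walks one request and its response through steps 501 to 509 as a small simulation. It uses the worked addresses from the text (client 10.20.0.100, internal network port 1.1.1.1, external network port 2.1.1.1, forwarding node 10.10.0.253, service port 8080); the service-node domain name, the service-node IP address and the client source port are constructed placeholders, and the gatekeeper resolves the forwarding node from a static domain-to-IP table rather than by sending a DNS query. The text does not say how the gatekeeper matches a response to its request context or whether ports are rewritten; this example assumes ports are left unchanged and matches on protocol plus the swapped port pair, which is why it refuses a second active request with the same port pair.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Addresses are the worked values from steps 501-509 of the text; the domain
# name, service-node IP and client port are constructed placeholders.
CLIENT_IP = "10.20.0.100"
INTERNAL_PORT_IP = "1.1.1.1"      # gatekeeper internal network port
EXTERNAL_PORT_IP = "2.1.1.1"      # gatekeeper external network port
FORWARDING_NODE_IP = "10.10.0.253"
SERVICE_DOMAIN = "svc-a.cloud2.example"   # constructed
SERVICE_IP = "10.10.0.20"                 # constructed
SERVICE_PORT = 8080


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    domain: Optional[str] = None   # service-node domain carried in the request
    payload: bytes = b""


# Steps 501/502: the second domain name server answers every service-node
# domain of the second cloud with the internal-port IP, steering all such
# traffic into the gatekeeper.
SECOND_DNS_RECORDS: Dict[str, str] = {SERVICE_DOMAIN: INTERNAL_PORT_IP}


def second_dns_resolve(domain: str) -> str:
    return SECOND_DNS_RECORDS[domain]


ContextKey = Tuple[str, int, int]   # (proto, client source port, service port)


class Gatekeeper:
    """Rewrites IP addresses only; ports are left unchanged (assumption)."""

    def __init__(self, forwarding_table: Dict[str, str]) -> None:
        # Static domain -> forwarding-node map held on the gatekeeper itself,
        # so no dynamic DNS function is needed on the gatekeeper.
        self.forwarding_table = forwarding_table
        self.contexts: Dict[ContextKey, Packet] = {}

    def handle_request(self, pkt: Packet) -> Packet:
        # Step 504: accept only packets addressed to the internal port and
        # record the request context.
        if pkt.dst_ip != INTERNAL_PORT_IP:
            raise ValueError("request not addressed to the internal network port")
        key = (pkt.proto, pkt.src_port, pkt.dst_port)
        if key in self.contexts:
            # Assumption: with ports untouched, a second client reusing the same
            # source port to the same service port could not be told apart on the
            # way back, so the simulation refuses it.
            raise ValueError("context collision: port pair already in use")
        self.contexts[key] = pkt
        # Step 505: source IP becomes the external port IP.
        staged = replace(pkt, src_ip=EXTERNAL_PORT_IP)
        # Step 506: destination IP becomes the forwarding node for this domain.
        fwd_ip = self.forwarding_table.get(pkt.domain or "")
        if fwd_ip is None:
            raise LookupError(f"no forwarding node for domain {pkt.domain!r}")
        return replace(staged, dst_ip=fwd_ip)

    def handle_response(self, resp: Packet) -> Optional[Packet]:
        # Step 509: pass a response inward only if it matches a recorded context
        # (ports swapped) and is addressed to the external port.
        if resp.dst_ip != EXTERNAL_PORT_IP:
            return None
        key = (resp.proto, resp.dst_port, resp.src_port)
        ctx = self.contexts.pop(key, None)
        if ctx is None:
            return None            # unsolicited packet from the second cloud: dropped
        return replace(resp, src_ip=INTERNAL_PORT_IP, dst_ip=ctx.src_ip)


def forwarding_node_forward(pkt: Packet, service_table: Dict[str, str]) -> Packet:
    """Step 507: forward to the service node selected by the carried domain name."""
    return replace(pkt, dst_ip=service_table[pkt.domain or ""])


def service_node_reply(req: Packet, body: bytes) -> Packet:
    """Step 508: the service node answers the address it saw (the external port IP)."""
    return Packet(src_ip=req.dst_ip, src_port=req.dst_port,
                  dst_ip=req.src_ip, dst_port=req.src_port,
                  proto=req.proto, payload=body)


def run_flow(client_port: int = 40000) -> Dict[str, Packet]:
    """Walk one request/response pair through steps 501-509; return every stage."""
    gk = Gatekeeper({SERVICE_DOMAIN: FORWARDING_NODE_IP})
    dst = second_dns_resolve(SERVICE_DOMAIN)                                  # 501/502
    req = Packet(CLIENT_IP, client_port, dst, SERVICE_PORT,
                 domain=SERVICE_DOMAIN, payload=b"GET / HTTP/1.1")            # 503
    to_fwd = gk.handle_request(req)                                           # 504-506
    to_svc = forwarding_node_forward(to_fwd, {SERVICE_DOMAIN: SERVICE_IP})    # 507
    resp = service_node_reply(to_svc, b"HTTP/1.1 200 OK")                     # 508
    to_client = gk.handle_response(resp)                                      # 509
    assert to_client is not None
    return {"request": req, "to_forwarding_node": to_fwd, "to_service": to_svc,
            "response": resp, "to_client": to_client}


if __name__ == "__main__":
    for stage, pkt in run_flow().items():
        print(f"{stage:20s} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

The point worth keeping from the simulation is the last branch of `handle_response`: a packet arriving at the external port that matches no recorded request context is not forwarded into the first cloud at all, which is what makes the context table a security control and not just a NAT convenience.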

In summary, in the network access method provided in the embodiment of the present application, the gatekeeper changes the source IP address of the access request packet to the IP address of the external network port, changes the destination IP address of the access request packet to the IP address of the forwarding node, sends the access request packet with the changed address to the forwarding node, and the forwarding node sends the access request packet on to the service node, so that the service node can be accessed by the client. In addition, configuring a dynamic DNS resolution function in the gatekeeper would break the gatekeeper's principle of static data exchange; since the gatekeeper in the embodiment of the present application does not need a dynamic DNS resolution function, that principle is preserved and the application range of the hybrid cloud system can be ensured. Meanwhile, because the forwarding node is deployed in the second cloud system, forwarding nodes can be deployed at the scale and in the number required by the application, so that different application scenarios can be met.

It should be noted that, the order of steps of the network access method provided in the embodiment of the present application may be appropriately adjusted, and the steps may also be correspondingly increased or decreased according to the situation. Any method that can be easily conceived by a person skilled in the art within the technical scope disclosed in the present application is covered by the protection scope of the present application, and thus the detailed description thereof is omitted.

The embodiment of the application also provides a gatekeeper. An internal network port of the gatekeeper is connected with the first cloud system, and an external network port of the gatekeeper is connected with the second cloud system. As shown in fig. 6, the gatekeeper 60 includes:

a first transceiving module 601, configured to receive an access request packet sent by a client in a first cloud system, where a source IP address of the access request packet is an IP address of the client, and a destination IP address is an IP address of an internal network port;

the second transceiving module 602 is configured to change a source IP address of the access request packet to an IP address of an external network port, change a destination IP address of the access request packet to an IP address of a forwarding node, and send the access request packet with the changed address to the forwarding node in the second cloud system, so that the forwarding node sends the access request packet with the changed address to the service node.

Optionally, the access request packet further carries a domain name of the service node, at this time, the second transceiving module 602 is further configured to send a first domain name resolution request carrying the domain name of the service node to a first domain name server in the second cloud system, and receive a first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server, where the first domain name server records a corresponding relationship between the domain name of the service node and the IP address of the forwarding node.

Optionally, the first transceiver module 601 is further configured to record context information of the access request packet, where the context information includes the source IP address, the source port number, the destination IP address and the destination port number of the access request packet.

Optionally, the second transceiver module 602 is further configured to receive an access response packet sent by the forwarding node, where the access response packet is sent to the forwarding node by the service node based on the access request packet, a source IP address of the access response packet is the IP address of the service node, and a destination IP address is the IP address of the external network port of the gatekeeper;

correspondingly, the first transceiver module 601 is further configured to obtain context information of the access response packet, change a source IP address of the access response packet to an IP address of the internal network port when the context information of the access response packet matches the context information of the access request packet, change a destination IP address of the access response packet to an IP address of the client recorded in the context information of the access request packet, and send the access response packet after changing the address to the client.

In summary, in the gatekeeper provided in the embodiment of the present application, the second transceiver module changes the source IP address of the access request packet to the IP address of the external network port, changes the destination IP address of the access request packet to the IP address of the forwarding node, and sends the access request packet with the changed address to the forwarding node, so that the forwarding node sends the access request packet to the service node and the service node can be accessed by the client. In addition, configuring a dynamic DNS resolution function in the gatekeeper would break the gatekeeper's principle of static data exchange; since the gatekeeper in the embodiment of the present application does not need a dynamic DNS resolution function, that principle is preserved and the application range of the hybrid cloud system can be ensured. Meanwhile, because the forwarding node is deployed in the second cloud system, forwarding nodes can be deployed at the scale and in the number required by the application, so that different application scenarios can be met.

It is clear to those skilled in the art that, for convenience and brevity of description, the configuration and specific working process of the gatekeeper and the module described above may refer to the corresponding contents in the foregoing system embodiment and method embodiment, and are not described herein again.

The embodiment of the application also provides a network access method, and the network access method can be applied to a gatekeeper. As shown in fig. 7, the method may include:

step 701, receiving an access request message sent by a client in the first cloud system, where a source IP address of the access request message is an IP address of the client, and a destination IP address is an IP address of the internal network port.

Step 702, recording context information of the access request message, wherein the context information comprises the source IP address, the source port number, the destination IP address and the destination port number of the access request message.

Step 703, changing the source IP address of the access request packet to the IP address of the external network port, changing the destination IP address of the access request packet to the IP address of the forwarding node, and sending the access request packet with the changed address to the forwarding node in the second cloud system, so that the forwarding node sends the access request packet with the changed address to the service node.

Before the gatekeeper changes the destination IP address of the access request packet to the IP address of the forwarding node, it needs to acquire the IP address of the forwarding node first, and it may do so in either of the following implementation manners:

in a first implementation manner, the access request packet may carry a domain name of a service node that the access request packet requests to access, and the gatekeeper may obtain an IP address of the forwarding node through DNS resolution. At this time, as shown in fig. 2, the second cloud system 20 further includes a first domain name server 203, and the first domain name server 203 records a corresponding relationship between the domain name of the service node and the IP address of the forwarding node 201. Correspondingly, the gatekeeper 30 may send a first domain name resolution request carrying the domain name of the service node to the first domain name server 203, and receive a first domain name resolution response carrying the IP address of the forwarding node sent by the first domain name server 203. The first domain name server 203 may perform domain name resolution by querying a correspondence between the domain name of the service node and the IP address of the forwarding node 201 based on the domain name of the service node, so as to obtain the IP address of the forwarding node 201.

In a second implementation manner, the access request message may carry target information comprising at least one of the domain name and the port number of the service node that the access request message requests to access, a corresponding relationship between the target information and the IP address of the forwarding node may be recorded in the gatekeeper, and the gatekeeper may query the corresponding relationship according to the target information to obtain the IP address of the forwarding node. For example, the gatekeeper may record a corresponding relationship between the domain name of the service node and the IP address of the forwarding node, and after the gatekeeper obtains the domain name of the service node carried in the access request packet, it may query the corresponding relationship according to the domain name of the service node to obtain the IP address of the forwarding node.

Step 704, receiving an access response message sent by the forwarding node, where the access response message is sent to the forwarding node by the service node based on the access request message, a source IP address of the access response message is the IP address of the service node, and a destination IP address is the IP address of the external network port of the gatekeeper.

Step 705, obtaining context information of the access response message; when the context information of the access response message matches the context information of the access request message, changing the source IP address of the access response message into the IP address of the internal network port, changing the destination IP address of the access response message into the IP address of the client recorded in the context information of the access request message, and sending the access response message with the changed address to the client.

In summary, in the network access method provided in the embodiment of the present application, the source IP address of the access request packet is changed to the IP address of the external network port, the destination IP address of the access request packet is changed to the IP address of the forwarding node, and the access request packet with the changed address is sent to the forwarding node, so that the forwarding node sends the access request packet to the service node and the service node can be accessed by the client. In addition, configuring a dynamic DNS resolution function in the gatekeeper would break the gatekeeper's principle of static data exchange; since the gatekeeper in the embodiment of the present application does not need a dynamic DNS resolution function, that principle is preserved and the application range of the hybrid cloud system can be ensured. Meanwhile, because the forwarding node is deployed in the second cloud system, forwarding nodes can be deployed at the scale and in the number required by the application, so that different application scenarios can be met.

It should be noted that, the order of steps of the network access method provided in the embodiment of the present application may be appropriately adjusted, and the steps may also be correspondingly increased or decreased according to the situation. Any method that can be easily conceived by a person skilled in the art within the technical scope disclosed in the present application is covered by the protection scope of the present application, and thus the detailed description thereof is omitted.

Moreover, it is clear to those skilled in the art that, for convenience and brevity of description, the implementation process described above may refer to the corresponding process in the foregoing system embodiment and method embodiment, and is not described herein again.

The embodiment of the application also provides another gatekeeper. Fig. 8 schematically shows a possible architecture of the gatekeeper. As shown in fig. 8, the gatekeeper 80 may include a processor 801, a memory 802, a first network port 803, a second network port 804, and a bus 805.

In the gatekeeper, the number of processors 801 may be one or more, and fig. 8 illustrates only one processor 801. If the gatekeeper has multiple processors 801, the types of the multiple processors 801 may be different or the same. Optionally, multiple processors of the gatekeeper may also be integrated into a multi-core processor. The processor 801 may be a hardware chip for implementing the network access method provided in the embodiments of the present application. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. Alternatively, the processor 801 may be a general-purpose processor, such as a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.

The memory 802 stores computer instructions and data, and the memory 802 may store the computer instructions and data needed to implement the network access methods provided herein. The memory 802 can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable EPROM (EEPROM), a flash memory (flash memory), a hard disk (HDD), or a solid-state drive (SSD). Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (static RAM, SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and direct bus RAM (DR RAM).

The first network port 803 may be any one or any combination of the following devices: a network interface (such as an Ethernet interface), a wireless network card, and the like. The first network port 803 is used for data communication between the gatekeeper and other network nodes.

The second network port 804 may be any one or any combination of the following devices: a network interface (such as an Ethernet interface), a wireless network card, and the like. The second network port 804 is used for data communication between the gatekeeper and other network nodes.

When the processor executes the computer program, the gatekeeper can control the first network port, the second network port and the memory to execute the following steps: one of the first network port and the second network port is connected with the memory after receiving a message, and the message is copied into the memory; after the memory is disconnected from that network port, the other of the first network port and the second network port is connected with the memory, the message is copied into that other network port, and the message is transmitted through it.
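The following is an added example, not code from the patent, that models the exchange sequence just described as a small state machine: a storage medium that can be attached to at most one network port at a time, with a transfer routine that attaches the receiving port, copies the message in, detaches, and only then attaches the sending port. The port names and the transition log are constructed for the example; the point it makes concrete is that the two network ports are never both connected to the storage medium, which is the static data exchange principle the text relies on.

```python
from enum import Enum
from typing import List, Optional, Tuple


class Port(Enum):
    NONE = "none"
    FIRST = "first"     # first network port (e.g. the internal network port)
    SECOND = "second"   # second network port (e.g. the external network port)


class StaticExchange:
    """Storage medium attached to at most one network port at any moment."""

    def __init__(self) -> None:
        self.attached: Port = Port.NONE
        self.buffer: Optional[bytes] = None
        # Constructed transition log: (attached port after the step, action)
        self.log: List[Tuple[Port, str]] = []

    def attach(self, port: Port) -> None:
        if self.attached is not Port.NONE:
            # Refuse to bridge both sides: the medium must be detached first.
            raise RuntimeError(f"medium still attached to {self.attached.value}")
        self.attached = port
        self.log.append((self.attached, f"attach {port.value}"))

    def detach(self, port: Port) -> None:
        if self.attached is not port:
            raise RuntimeError(f"{port.value} is not the attached port")
        self.attached = Port.NONE
        self.log.append((self.attached, f"detach {port.value}"))

    def write(self, port: Port, data: bytes) -> None:
        if self.attached is not port:
            raise RuntimeError("write from a port that is not attached")
        self.buffer = bytes(data)               # copy into the medium
        self.log.append((self.attached, f"copy in via {port.value}"))

    def read(self, port: Port) -> bytes:
        if self.attached is not port or self.buffer is None:
            raise RuntimeError("read from a port that is not attached or empty medium")
        data = self.buffer
        self.buffer = None                      # medium holds one message at a time
        self.log.append((self.attached, f"copy out via {port.value}"))
        return data

    def transfer(self, data: bytes, src: Port, dst: Port) -> bytes:
        """Move one message from src to dst with the medium on one side at a time."""
        self.attach(src)
        self.write(src, data)
        self.detach(src)
        self.attach(dst)
        out = self.read(dst)
        self.detach(dst)
        return out

    def ever_bridged(self) -> bool:
        """True if any logged step left the medium attached while the other port wrote/read."""
        seen = [p for p, _ in self.log if p is not Port.NONE]
        return any(a is not b for a, b in zip(seen, seen[1:])) and not self._alternation_ok()

    def _alternation_ok(self) -> bool:
        # Every change of attached port must pass through NONE (a detach).
        prev = Port.NONE
        for port, _ in self.log:
            if prev is not Port.NONE and port is not Port.NONE and port is not prev:
                return False
            prev = port
        return True


if __name__ == "__main__":
    ex = StaticExchange()
    msg = ex.transfer(b"access request message (constructed)", Port.FIRST, Port.SECOND)
    print(msg, "bridged:", ex.ever_bridged())
    for port, action in ex.log:
        print(f"{port.value:6s} {action}")
```

A real device enforces this with hardware switching rather than a Python check, but the model is useful when reviewing gatekeeper firmware or a software emulation: any code path that would attach the second port before detaching the first shows up as a raised `RuntimeError` rather than as silent bridging.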

Fig. 8 also illustratively depicts bus 805. The bus 805 may connect the processor 801 with the memory 802 and the first network port 803. Thus, via the bus 805, the processor 801 may access the memory 802 and may also utilize at least one of the first network port 803 and the second network port 804 for data interaction with other network nodes.

In the present application, the gatekeeper executes the computer instructions in the memory 802 to implement the network access method provided in the present application. For example, by executing the computer instructions in the memory 802, the gatekeeper may perform the following steps: receiving an access request message sent by a client in the first cloud system, wherein the destination port of the access request message is the port number of the service node in the second cloud system that the client requests to access, the source IP address is the IP address of the client, and the destination IP address is the IP address of the internal network port; and changing the source IP address of the access request message into the IP address of the external network port, changing the destination IP address of the access request message into the IP address of the forwarding node, and sending the access request message with the changed address to the forwarding node in the second cloud system, so that the forwarding node sends the access request message with the changed address to the service node. For the implementation process in which the gatekeeper executes the computer instructions in the memory 802 to perform these steps, reference may be made to the corresponding description in the above method embodiments.

Embodiments of the present application further provide a storage medium, which is a non-volatile computer-readable storage medium, and when instructions in the storage medium are executed by a processor, the storage medium implements a network access method as in the embodiments of the present application.

Embodiments of the present application further provide a computer program product including instructions, which when run on a computer, cause the computer to execute the network access method in the embodiments of the present application.

It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.

In the embodiments of the present application, the terms "first", "second", and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. The term "at least one" means one or more, and the term "plurality" means two or more, unless expressly defined otherwise.

The term "and/or" in this application only describes an association relationship between the associated objects, and means that there may be three kinds of relationships; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.

The above description is only exemplary of the present application and is not intended to limit the present application, and any modifications, equivalents, improvements, etc. made within the spirit and principles of the present application are intended to be included within the scope of the present application.
