CN118714087A - Traffic forwarding method, device and storage medium - Google Patents

Abstract

The present disclosure provides a traffic forwarding method, device and storage medium. The method controls the forwarding behavior of traffic by directly sending down a flow table through a controller. By overlaying the MAC of the network as the basis for back-end routing, the MAC of the subport or the MAC of the virtual network card group can be flexibly used as the basis for routing. The MAC of the subport is used to guide the return traffic to the network element device associated with the subport, and the MAC of the virtual network card group is used to guide the return traffic to the network element device corresponding to the subport associated with the virtual network card group. In the scenario where the virtual network card group is used to realize load balancing network element cluster and multi-tenant, it is ensured that the back-end server can accurately send the return message to the correct network element device to realize load sharing.

Description

Traffic forwarding method, device and storage medium

Technical Field

The present disclosure relates to the field of data processing, and in particular to a traffic forwarding method, device, and storage medium.

Background Art

The Software Defined Networking (SDN) framework in the related technology provides a load balancing, multi-tenant sharing, and elastic network interface group (Group Elastic Network Interface, GroupENI) technology for network function virtualization (NFV). It abstracts multiple virtual network cards (subport) into one logical card, associates different trunk ports corresponding to different virtual network functions (VNF) through subports, introduces the traffic equal-cost multi-path selection (ECMP) of GroupENI to the corresponding VNF, realizes the load balancing function, and distinguishes tenants through virtual local area network (VLAN). By dynamically updating the subport of GroupENI, the network element can be dynamically expanded and reduced. For network elements that need to undergo Destination Network Address Translation (DNAT) operations, such as DNAT network element clusters and external network load balancing (LB) network element clusters, the source IP address of the traffic entering the cloud is usually uncertain, and the network element address corresponding to the tenant is also uncertain. How the backend server can accurately send the return message to the correct network element device is a problem that needs to be solved.

Summary of the invention

The first aspect of the present disclosure proposes a traffic forwarding method, which is applied to a cloud computing virtual network. The cloud computing virtual network includes at least one virtual private cloud VPN, at least one load balancing network element and an Internet gateway. The load balancing network element is connected to at least one back-end server. The method includes: receiving user access traffic through the Internet gateway, determining a target sub-port from a virtual network card group of at least one VPN according to the destination IP of the access traffic, encapsulating the access traffic into a message based on a virtual extended local area network vxlan, and sending the message to a target load balancing network element bound to the target sub-port; the target load balancing network element receives the user's access traffic from the connected back-end server Select the target backend server, set the inner source MAC of the message to the MAC of the target subport or the MAC of the target virtual network card group according to the flow table sent by the controller, and forward the message to the cloud host where the target backend server is located after vxlan encapsulation; the cloud host where the target backend server is located establishes a ct table entry according to the source MAC of the message, and defines a ct tag based on the ct table entry to save the data type, the inner source MAC of the message, and the tunnel source IP of the message; the cloud host where the target backend server is located matches the corresponding flow table according to the data type of the ct tag, executes the flow table based on the ct tag to fill the inner destination MAC of the return message as the MAC of the target subport or the MAC of the target virtual network card group, and sends the return message back to the target load balancing network element, or randomly selects a load balancing network element bound to a subport from the target virtual network card group as the new target load balancing network element, and sends the return message back to the new target load balancing network element.

In some embodiments of the present disclosure, the method also includes: creating a virtual network card group for the VPN, binding at least one port configured in the VPN as a subport in the virtual network card group, and binding each subport to a trunk port of at least one load balancing network element, wherein the virtual network card group includes a fixed IP and MAC and the virtual network card group is bound to at least one floating IP.

In some embodiments of the present disclosure, receiving user access traffic through an Internet gateway, determining a target subport from a virtual network card group of at least one VPN according to a destination IP of the access traffic, encapsulating the access traffic into a message based on a virtual extended local area network vxlan, and sending the message to a target load balancing network element bound to the target subport includes: receiving user access traffic through an Internet gateway, matching the destination IP of the access traffic with a floating IP bound to a virtual network card group of at least one virtual private cloud VPN, determining a target virtual network card group according to a matching result, and converting the destination IP into a fixed IP of the target virtual network card group; randomly selecting a target subport from the subports of the target virtual network card group, encapsulating the access traffic into a message through vxlan, setting the MAC of the target subport as an inner target MAC of the message, and sending the message to a host machine where the load balancing network element bound to the target subport is located; the host machine selects a corresponding target subport according to the target MAC of the message, inserts a virtual local area network VLAN tag into the target subport, sets the inner target MAC of the message to the MAC corresponding to the trunk port, and sends the message to the corresponding load balancing network element through the trunk port.

In some embodiments of the present disclosure, the target load balancing network element selects a target backend server from the downstream backend servers, sets the inner source MAC of the message to the MAC of the target subport or the MAC of the target virtual network card group according to the flow table sent by the controller, and forwards the message to the cloud host where the target backend server is located after being encapsulated by vxlan, including: the target load balancing network element selects the target backend server from the downstream backend servers according to a preset policy, converts the fixed IP of the target virtual network card group to the source IP of the target backend server, and sends the message from the trunk port to the switch where the target load balancing network element is located; the switch matches the corresponding target subport according to the vlan tag of the message, strips the vlan tag from the target subport, determines to set the MAC of the target subport to the inner source MAC according to the first flow table sent by the controller, or determines to set the MAC of the target virtual network card group to the source MAC of the memory according to the first flow table sent by the controller; the switch encapsulates the message through vxlan according to the route of vpc and sends it to the cloud host where the target backend server is located.

In some embodiments of the present disclosure, the cloud host where the target backend server is located searches the flow table for a ct table entry based on the source MAC of the message, and defines a ct tag based on the ct table entry to save the inner source MAC of the message and the tunnel source IP of the message, including: the cloud host where the target backend server is located determines whether a ct table entry is established for the message based on the source MAC of the message; if a ct table entry needs to be established for the message, the MAC of the target subport is matched based on the first flow table, the MAC of the target subport is saved in the ct tag as the inner source MAC of the message, the tunnel terminal IP where the target load balancing network element is located is saved in the ct tag as the tunnel source IP of the message, or the MAC of the target virtual network card group is matched based on the second flow table, and the MAC of the target virtual network card group is saved in the ct tag as the inner source MAC of the message.

In some embodiments of the present disclosure, selecting keys to be eliminated from all keys in combination with combination features and timing features and eliminating them includes: fusing the combination features and timing features through a fully connected layer to obtain the time interval for the next access of each key; determining the cached data corresponding to the key with the largest time interval, and eliminating the cached data.

In some embodiments of the present disclosure, the message is sent back to the target load balancing network element, or a load balancing network element bound to a subport is randomly selected from the target virtual network card group. After the message is sent back to the load balancing network element, the method also includes: the target load balancing network element or the new target load balancing network element forwards the return message to the Internet gateway through vxlan, via the switch where the target load balancing network element or the new target load balancing network element is located; and the return message is sent to the user through the Internet gateway.

The second aspect of the present disclosure provides a traffic forwarding device, which includes: a traffic receiving unit, which is used to receive user access traffic through an Internet gateway, determine a target subport from a virtual network card group of at least one VPN according to a destination IP of the access traffic, encapsulate the access traffic into a message based on a virtual extended local area network vxlan, and send the message to a target load balancing network element bound to the target subport; a flow table decision unit, which is used for the target load balancing network element to select a target backend server from the downstream backend servers, set an inner source MAC of the message to the MAC of the target subport or the MAC of the target virtual network card group according to a flow table sent by a controller, and forward the message to the cloud host where the target backend server is located after being encapsulated through vxlan; a ct label definition unit, which is used for the cloud host where the target backend server is located to establish a ct table entry according to the source MAC of the message, and define a ct label based on the ct table entry to store the data type, the inner source MAC of the message, and the MAC of the target subport. AC and the tunnel source IP of the message; the traffic return diversion unit is used for the cloud host where the target backend server is located to match the corresponding flow table according to the data type of the ct label, and execute the flow table based on the ct label to fill the inner destination MAC of the return message with the MAC of the target subport or the MAC of the target virtual network card group, and send the return message back to the target load balancing network element, or randomly select a load balancing network element bound to a subport from the target virtual network card group as the new target load balancing network element, and send the return message back to the new target load balancing network element.

The third aspect embodiment of the present disclosure proposes a communication device, comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the method described in the first aspect embodiment of the present disclosure.

The fourth aspect embodiment of the present disclosure proposes a non-transitory computer-readable storage medium storing computer instructions, wherein the computer instructions are used to enable a computer to execute the method described in the first aspect embodiment of the present disclosure.

The fifth aspect embodiment of the present disclosure provides a computer program product, including a computer program, which implements the method described in the first aspect embodiment of the present disclosure when executed by a processor.

In summary, the traffic forwarding method proposed in the present invention realizes the control of traffic forwarding behavior by directly sending flow tables through the controller, and uses the MAC of the overlay network as the basis for back-end routing. The MAC of the subport or the MAC of the virtual network card group can be flexibly used as the basis for routing. The MAC of the subport is used to direct the return traffic to the network element device associated with the subport, and the MAC of the virtual network card group is used to direct the return traffic to the network element device corresponding to the subport associated with the virtual network card group. In the scenario where the virtual network card group is used to realize load balancing network element cluster and multi-tenant, it is ensured that the back-end server can accurately send the return message to the correct network element device to achieve load sharing.

It is to be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the present disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings herein are incorporated into and constitute a part of the specification, illustrate embodiments consistent with the present disclosure, and together with the description are used to explain the principles of the present disclosure, and do not constitute improper limitations on the present disclosure.

FIG1 is a flow chart of a traffic forwarding method provided by an embodiment of the present disclosure;

FIG2 is a diagram showing an example of a framework of a cloud computing virtual network provided by an embodiment of the present disclosure;

FIG3 is a flow chart of a traffic forwarding method provided by an embodiment of the present disclosure;

FIG4 is an example diagram of a ct label provided by an embodiment of the present disclosure;

FIG5 is a schematic diagram of the structure of a traffic forwarding device provided in an embodiment of the present disclosure;

FIG. 6 is a schematic diagram of the hardware composition structure of a communication device provided in an embodiment of the present disclosure.

DETAILED DESCRIPTION

Embodiments of the present disclosure are described in detail below, and examples of the embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals throughout represent the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the accompanying drawings are exemplary and are intended to be used to explain the present disclosure, and should not be construed as limiting the present disclosure.

First, the technical problems to be solved by the technical solution of the present disclosure and related technologies are elaborated in detail.

Cloud computing is an Internet-based computing method in which shared hardware and software resources and information can be provided to computers and other devices on demand.

In the public cloud scenario of large-scale cloud hosts, in order to reduce background traffic, overlay often uses the Address Resolution Protocol (ARP) proxy answering method, that is, the inner MAC propagated in the network is often a false MAC, which can be a fixed value. After being encapsulated by VXLAN, the tunnel encapsulation is removed after being transmitted to the target device, and the destination inner MAC is changed to the real port corresponding to the virtual port before being sent to the virtual host. Since there is no ARP learning, the encapsulation of the message is controlled by the rules issued by the controller.

Tianchi SDN is a strong control solution. Tianchi Software Defined Networking (SDN) provides a load balancing, multi-tenant sharing, and elastic network interface group (GroupENI) technology for Network Functions Virtualization (NFV). It abstracts multiple virtual network cards (subport) into one logical card, associates different trunk ports corresponding to different virtual network functions (VNF) through subports, introduces the traffic equal-cost multi-path selection (ECMP) of GroupENI to the corresponding VNF, realizes the load balancing function, and distinguishes tenants through virtual local area networks (VLANs). By dynamically updating the subport of GroupENI, the network element can be dynamically expanded or reduced.

For network elements that need to undergo Destination Network Address Translation (DNAT) operations, such as DNAT network element clusters and external network load balancing (LB) network element clusters, the source IP address of the traffic entering the cloud is usually uncertain, and the network element address corresponding to the tenant is also uncertain. How the backend server can accurately send the return message to the correct network element device is a problem that needs to be solved.

In order to correctly select the target client or load balancing server for the return of the data packet in DNAT mode, the relevant technical solution is in the back-end Server, by establishing a connection tracking table in the kernel for the matching flow, and the return message selects the corresponding load balancer according to the tracking table. However, this solution can only solve the return traffic of a single load balancing device, and cannot solve the scenario where there are multiple virtualized load balancing network elements in the same VTEP device, and the forwarding efficiency using the kernel tracking table is poor. At present, there is no solution to the method of correctly selecting the return of the data packet in the LB network element cluster and multi-tenant function implemented by GroupENI in the Tianchi SDN scenario.

In order to solve the above problems, the present invention proposes a new traffic forwarding solution, which adopts the SDN strong control solution. The controller directly sends down the flow table to control the forwarding behavior of the traffic, and uses the MAC of the overlay network as the basis for back-end routing. The MAC of the subport or the MAC of GroupENI can be flexibly used as the basis for routing according to the application scenario: the MAC of the subport is used to guide the return traffic to a network element device associated with the subport; the MAC of GroupENI is used to guide the return traffic to the network element corresponding to a group of subports associated with GroupENI. In the Tianchi SDN scenario, that is, the LB network element cluster and multi-tenant function realized by GroupE NI can ensure the correct selection of the target client or load balancing server for the return of the data packet to achieve load sharing.

The present disclosure is further described in detail below with reference to the accompanying drawings and specific embodiments.

Figure 1 is a flow chart of a traffic forwarding method provided in an embodiment of the present disclosure, which is applied to a cloud computing virtual network. The cloud computing virtual network includes at least one virtual private cloud vpn, at least one load balancing LB network element and an Internet gateway, and at least one back-end server is hung under the load balancing network element.

In some embodiments, the tenant VPN includes at least one virtual machine, and communications between the virtual machine, the LB network element, and the Internet gateway are all encapsulated through VXLAN.

In some embodiments, the Internet Gateway (hereinafter referred to as IGW) is a public network service gateway, which is a unified exit for the interaction between the cloud computing virtual network architecture and the public network.

As shown in FIG1 , the traffic forwarding method provided by the embodiment of the present disclosure includes the following steps 101-104:

Step 101, receive the user's access traffic through the Internet gateway, determine the target sub-port from the virtual network card group of at least one VPN according to the destination IP of the access traffic, encapsulate the access traffic into a message based on the virtual extended LAN vxlan, and send the message to the target load balancing network element bound to the target sub-port.

In some embodiments of the present disclosure, the virtual extended local area network vxlan is a tunnel protocol carried on UDP packets, which can realize a virtual layer 2 network across a 3-layer physical network, commonly known as a big layer 2.

In some embodiments of the present disclosure, the logical topology structure can be decoupled from the physical network topology through encapsulation and tunneling technology, and a virtual network layer, namely, an overlay network, is created on top of the physical network. In this way, communication between virtual machines can achieve isolation of the virtual network while avoiding the broadcast and traffic increase problems that may be introduced by the traditional ARP protocol.

In some embodiments, the user accesses the cloud service through the floating IP bound to the GroupENI, and the traffic is sent to the IGW from the IGW external network interface, and the corresponding GroupENI is matched according to the destination IP, that is, the floating IP bound to the GroupENI. The device node where the VNF bound to a subport under the GroupENI is located is randomly selected, including the LB network element bound to the subport, and the traffic is encapsulated into a message based on the VXL AN tunnel protocol, and the VXLAN tunnel endpoint (VXLAN Tunnel Endpoint, hereinafter referred to as VTEP) is used as the next hop address of the tunnel, and the message is sent to the tunnel peer device.

In some embodiments, a message refers to a data packet encapsulated in a tunnel, which represents actual application data or traffic to be transmitted.

In step 102, the target load balancing network element selects the target backend server from the downstream backend servers, sets the inner source MAC of the message to the MAC of the target subport or the MAC of the target virtual network card group according to the flow table sent by the controller, and forwards the message to the cloud host where the target backend server is located after vxlan encapsulation.

In some embodiments of the present disclosure, a MAC address is used to uniquely identify a network interface controller to facilitate communication between devices within a local area network (LAN), and a source MAC address (SMAC) is a field in a data frame that represents the MAC address of a source device.

In some embodiments of the present disclosure, the backend server is a server group that actually processes client requests. Each server may run the same application or service to share the workload.

In some embodiments of the present disclosure, in an overlay network, a data packet is encapsulated by VXLAN, which contains a false inner MAC address. When it arrives at the target device, the network device will remove the VXLAN encapsulation, and the encapsulation of the message is controlled by the rules issued by the controller.

In some embodiments of the present disclosure, an openflow communication protocol is adopted, and a virtual switch (Open vSwitch, hereinafter referred to as OVS) supporting openflow is adopted to connect virtual machines and other network devices. The switch can process and forward data packets according to instructions from the controller to realize a virtual network.

In some embodiments of the present disclosure, through the flow table sent by the controller, the switch where the target load balancing network element is located decides that the inner MAC address of the message sent by the controller is the MAC of the target subport or the MAC of the target virtual network card group, thereby achieving the return traffic being directed to a network element device associated with the subport through the MAC of the subport, or using the MAC of GroupENI to direct the return traffic to the network elements corresponding to a group of subports associated with GroupENI, thereby achieving load sharing.

In some embodiments of the present disclosure, the LB network element selects a backend server from the downstream backend servers according to a preset policy, and sends the message from the Trunk port of the LB network element to the switch where the LB network element is located, such as the OVS virtual switch. The switch decides based on the flow table sent by the controller to set the MAC of the subport to the inner SMAC, or to set the MAC of the GroupENI associated with the subport to the inner SMAC, and then encapsulates the message via VXLAN according to the vpc routing and sends it to the cloud host where the backend server is located.

Step 103, the cloud host where the target backend server is located establishes a ct table entry according to the source MAC of the message, and defines a ct tag based on the ct table entry to save the data type, the inner source MAC of the message, and the tunnel source IP of the message.

In some embodiments of the present disclosure, a connection tracking (CT) table entry is used to store and manage a data structure or table of active connection status information, including source IP address, destination IP address, source port, destination port, etc. The ct tag is a tag or metadata used to uniquely identify and track the status and attributes of each network connection.

In some embodiments of the present disclosure, the source MAC of the message is matched, the data type of the operation is determined, and the inner source MAC of the message and the tunnel source IP of the message are saved in the ct tag, including two data types, one is to match according to the MAC of the target subport, and save the MAC of the subport and the tunnel source IP of the device in the ct tag, and the other is to match according to the MAC of the target GroupENI, and only save the MAC of the target GroupENI in the ct tag.

Step 104, the cloud host where the target backend server is located matches the corresponding flow table according to the data type of the ct tag, executes the flow table based on the ct tag to fill the inner destination MAC of the return message with the MAC of the target subport or the MAC of the target virtual network card group, and sends the return message back to the target load balancing network element, or randomly selects a subport bound to the load balancing network element from the target virtual network card group as the new target load balancing network element, and sends the return message back to the new target load balancing network element.

In some embodiments of the present disclosure, the flow table is used to store traffic processing rules of network devices (such as switches and routers), and the rules define how to process different types of data packets, including which port to forward to, which policies to apply, which operations to perform, etc. Through the flow table, the network device can determine the routing and processing method of the data packet based on the characteristics of the data packet (such as source IP, destination IP, protocol type, etc.).

In some embodiments of the present disclosure, the flow table includes an OpenFlow flow table, and the controller sends flow table entries to the switch through the OpenFlow protocol. The flow table entries describe the conditions for data packet matching and the actions performed after successful matching.

In some embodiments of the present disclosure, CT in OVS-DPDK (Data Plane Development Kit) mode is used to establish a session to improve forwarding performance, and the ct label is used to store the inner source MAC in the message and the tunnel source IP of the message according to different mark bits, which is used in the return traffic and has good scalability.

In some embodiments of the present disclosure, if the operation type is to match according to the MAC of the target subport, when the flow table is filled with the return message based on the ct tag, the MAC saved in the ct tag is set as the inner destination MAC of the return message, and the tunnel source IP saved in the ct tag is set as the outer destination IP of the return message, and the return message is sent back to the target load balancing network element.

In some embodiments of the present disclosure, if the operation type is to match according to the MAC of the target GroupENI, the MAC saved in the ct tag is set as the inner destination MAC of the return message, a subport is randomly selected in the target GroupENI, the inner destination MAC of the return message is changed to the MAC corresponding to the subport, and the return message is sent back to the load balancing network element bound to the subport.

In summary, the embodiments provided by the present invention control the forwarding behavior of traffic by directly sending down the flow table through the controller, and use the MAC of the overlay network as the basis for back-end routing. The MAC of the subport or the MAC of the virtual network card group can be flexibly used as the basis for routing. The MAC of the subport is used to direct the return traffic to the network element device associated with the subport, and the MAC of the virtual network card group is used to direct the return traffic to the network element device corresponding to the subport associated with the virtual network card group. In the scenario where the virtual network card group is used to implement load balancing network element clusters and multi-tenants, it is ensured that the back-end server can accurately send the return message to the correct network element device to achieve load sharing.

Based on the embodiment shown in Figure 1, as shown in Figure 3, Figure 3 is a flow chart of another traffic forwarding method provided in the embodiment of the present disclosure, the method is applied to a cloud computing virtual network, the cloud computing virtual network includes at least one virtual private cloud vpn, at least one load balancing LB network element and an Internet gateway, and the load balancing network element has at least one back-end server hanging under it.

In some embodiments, the tenant VPN includes at least one virtual machine, and communications between the virtual machine, the LB network element, and the Internet gateway are all encapsulated through VXLAN.

In some embodiments, the Internet Gateway (IGW) is a public network service gateway, which is a unified exit for interaction between the cloud computing virtual network architecture and the public network, enabling instances in the virtual private cloud to communicate bidirectionally with the public network.

The traffic forwarding method provided by the embodiment of the present disclosure includes the following steps:

Step 201, create a virtual network card group for the VPN, bind at least one port configured in the VPN as a subport in the virtual network card group, bind each subport to the trunk port of at least one load balancing network element, wherein the virtual network card group includes a fixed IP and MAC and the virtual network card group is bound to at least one floating IP.

In some embodiments of the present disclosure, a virtual private cloud (VPN) is a logically independent resource environment in a cloud computing environment, with secure isolation between different VPCs.

In some embodiments, GroupENI is a virtual network card group technology that can abstract multiple virtual network cards into a logical port, so that GroupENI has basic properties of the port, including a fixed IP address (Fixed IP Address, hereinafter referred to as Fix-IP), a media access control (Media Access Control, hereinafter referred to as MAC) address, etc.

In some embodiments, the Fix-IP in GroupENI is obtained from a subnet deducted from the tenant's VPC, so the subnet routes within the VPC are naturally interconnected. The tenant's virtual machine can access the Fix-IP of GroupENI to introduce traffic through ECMP into the network element instance bound to the subport attached to GroupENI for business processing, such as the load balancing LB network element.

In some embodiments, GroupENI supports binding floating IP (or Floating IP) like ordinary ports. Because GroupENI supports multiple IPs, floating IP needs to establish an IP pair with Fix-IP in GroupENI. External network users can access the floating IP of GroupENI to introduce traffic through ECMP to the network element bound to the subport under GroupENI for business processing. The next route can be designated as GroupENI in conjunction with routing, and the traffic can be equally routed to the VNF associated with the subport under GroupENI to achieve load sharing of VNF.

In some embodiments, the virtual network function VNF is a basic component of the network function virtualization NFV. VNF refers to a network function running in a virtualized environment that can be deployed on general computing resources such as servers, storage and network devices.

In some embodiments, the method can be applied to the scenario where GroupENI cooperates with Trunk function to provide basic network services for NFV. As shown in FIG2, tenant vpc1 creates a GroupENI (vpc1-GroupENI), which is bound to multiple ports including (subport subport: vpc1-subport-1, subport: vpc1-subport-2, ..., subport: vpc1-subport-n), and establishes a network card group; subport is respectively associated with multiple LB load balancer virtualized network elements, such as LB_1, LB_2...LB_n in FIG2. It is a cluster that provides LB services to the cloud host of vpc1, and each LB network element is connected to multiple backend servers. Each VNF can be shared by multiple tenants, and there is only one trunk port for sending and receiving business traffic. The tenant realizes the traffic interaction between vpc and VNF by binding the subport of vpc and the trunk port, and isolates the tenants through vlan. As shown in FIG2, the communication between virtual machines, LB network elements and IGW is all encapsulated through V XLAN.

In some embodiments of the present disclosure, the traffic forwarding path for a user to access a cloud service through a floating IP bound to GroupENI is shown in the following steps 202-209.

Step 202, receiving the user's access traffic through the Internet gateway, matching the destination IP of the access traffic with the floating IP bound to the virtual network card group of at least one virtual private cloud VPN, determining the target virtual network card group according to the matching result, and converting the destination IP into the fixed IP of the target virtual network card group.

In some embodiments of the present disclosure, taking the example of a user accessing a cloud service through a floating IP bound to Vpc1-GroupENI, traffic is transmitted from the IGW external network interface to the IGW, and the corresponding vpc1-GroupENI is found as the target GroupENI based on the destination IP, i.e., the floating IP bound to Vpc1-GroupENI, and the destination IP is converted into the fixed IP of vpc1-GroupENI.

Step 203, randomly select a target subport from the subports of the target virtual network card group, encapsulate the access traffic into a message through vxlan, set the MAC of the target subport as the inner target MAC of the message, and send the message to the host machine where the load balancing network element bound to the target subport is located.

In some embodiments of the present disclosure, the traffic randomly selects a subport under the target GroupENI as the target subport according to the hash algorithm, uses the VTEP of the device node where the VNF bound to the target subport is located as the next hop address of the tunnel, and uses the MAC of the selected subport as the destination MAC of the inner message to send the traffic to the device at the other end of the tunnel.

It should be noted that the SDN framework adopted by the present disclosure is a strong control solution, that is, the inner MAC propagated in the network is often a false MAC, which can be a fixed value. After being encapsulated by vxlan, the tunnel encapsulation is removed after being transmitted to the target device. The destination inner MAC is changed to the real port corresponding to the virtual port between the virtual hosts, and there is no ARP. By default, the destination MAC and source MAC are set to fixed values. When sent to the virtual machine, the switch changes it to the real MAC corresponding to the port. When sending a message, the switch responds with a default MAC.

In step 204, the host selects the corresponding target subport according to the target MAC of the message, inserts the virtual LAN (VLAN) tag into the target subport, sets the inner target MAC of the message to the MAC corresponding to the trunk port, and sends the message to the corresponding load balancing network element through the trunk port.

In some embodiments of the present disclosure, the host machine where the LB network element is located strips off the vxlan header after receiving the message, selects the corresponding sub-port according to the destination MAC, inserts the vlan label, and changes the DMAC to the mac corresponding to the trunk port, and sends it to the LB network element through the Trunk port.

It should be noted that Trunk technology allows a physical link (interface) to transmit data traffic from multiple VLANs, and the data traffic from each VLAN will be marked with a "label" to indicate which VLAN the data traffic belongs to, thereby realizing the transmission of data traffic from different VLANs.

Step 205, the target load balancing network element selects a target backend server from the downstream backend servers according to a preset strategy, converts the fixed IP of the target virtual network card group into the source IP of the target backend server, and sends the message from the trunk port to the switch where the target load balancing network element is located.

In some embodiments of the present disclosure, the LB network element receives a message and obtains the resource space corresponding to the tenant according to the VLAN, selects a backend according to the policy, converts the fixed IP of the target GroupENI to the IP of the backend server, and sends it from the Trunk port of the network element.

In step 206, the switch matches the corresponding target subport according to the VLAN tag of the message, strips the VLAN tag from the target subport, sets the MAC of the target subport to the inner source MAC according to the first flow table sent by the controller, or sets the MAC of the target virtual network card group to the source MAC of the memory according to the first flow table sent by the controller, and encapsulates the message through vxlan according to the routing of vpc and sends it to the cloud host where the target backend server is located.

In some embodiments of the present disclosure, in the OVS where the LB network element is located, traffic is processed according to the VLAN matching of the message, and decisions are made according to the flow table rules issued by the controller. When the message passes through OVS, if the vlan tag needs to be stripped according to the flow table decision, OVS will perform a vlan tag stripping operation to remove the vlan tag in the message. The inner source SMAC of the message is set according to the flow table rules issued by the controller. Once the inner SMAC is determined, OVS decides how to further process the message based on the configuration of the VPC routing table. The message is encapsulated as a vxlan data packet and reaches the cloud host through the OVS network.

In some embodiments of the present disclosure, the virtual switch OVS where the LB network element is located matches the corresponding target subport according to the VLAN of the message, strips off the VLAN tag, and decides based on the flow table sent by the controller whether to set the MAC of the target subport to the inner SMAC, or to set the MAC of the target GroupENI associated with the target subport to the inner S MAC, and then encapsulates the message via VXLAN according to the vpc routing and sends it to the cloud host where the backend server is located.

Step 207, the cloud host where the target backend server is located establishes a ct table entry according to the source MAC of the message, and defines a ct tag based on the ct table entry to save the data type, the inner source MAC of the message, and the tunnel source IP of the message.

In some embodiments of the present disclosure, the cloud host where the target backend server is located searches the flow table for a ct table entry based on the source MAC of the message, and defines a ct tag based on the ct table entry to save the inner source MAC of the message and the tunnel source IP of the message, including: the cloud host where the target backend server is located determines whether a ct table entry is established for the message based on the source MAC of the message; if a ct table entry needs to be established for the message, the MAC of the target subport is matched based on the first flow table, the MAC of the target subport is saved in the ct tag as the inner source MAC of the message, the tunnel terminal IP where the target load balancing network element is located is saved in the ct tag as the tunnel source IP of the message, or the MAC of the target virtual network card group is matched based on the second flow table, and the MAC of the target virtual network card group is saved in the ct tag as the inner source MAC of the message.

In some embodiments of the present disclosure, after receiving the message, the cloud host where the backend server is located strips off the vxlan header, establishes a CT table entry based on the source MAC match of the message, and defines a 128-bit ct label (ct_lable) to save relevant information so that the return message can be filled and then sent to the corresponding cloud host.

In some embodiments of the present disclosure, the format of the ct tag is as shown in Figure 4, with 128 bits, [120...127] stores type e, which is used to define the stored data type, [72...119] stores the inner source MAC of the message, and [40...71] stores the tunnel source IP of the message.

In some embodiments of the present disclosure, the two flow tables table 154 and table 155 mentioned above are two types of operations respectively. Table 154 matches according to the MAC of the target subport, type = 1, and the tunnel IP of the device where the MAC of the target subport is located is saved in ct_lable; table 155 matches according to the MAC of the target GroupENI, type = 3, and only the MAC of the target GroupENI is saved in ct_lable.

It should be noted that the difference between the two types of flow tables is whether the backend return message goes through the original LB network element or re-enters the corresponding GroupENI to randomly select an LB network element. The two types of flow tables are controlled by the controller switch, and one of them is issued.

In step 208, the cloud host where the target backend server is located matches the corresponding flow table according to the data type of the ct tag, executes the flow table based on the ct tag to fill in the inner destination MAC of the return message with the MAC of the target subport or the MAC of the target virtual network card group, and sends the return message back to the target load balancing network element, or randomly selects a subport bound to the load balancing network element from the target virtual network card group as the new target load balancing network element, and sends the return message back to the new target load balancing network element.

In some embodiments of the present disclosure, the server cloud host returns a packet, and after the local OVS goes through the CT session, it jumps to the flow table table=102, and the match of ct_lable type=1 to the flow table table=102 is as follows:

Execute table=102, set the MAC in ct_lable to the destination MAC of the inner layer of the message, that is, change the inner destination MAC of the message to the MAC of the destination subport, set the tunnel IP of the device to the destination IP of the outer layer of the message, and set the vn i (Virtual Network Identifier) flag vlan network traffic, and send the message to the host machine where the corresponding LB network element is located.

In some embodiments of the present disclosure, the match of type=3 of ct_lable to flow table=102 is as follows:

Execute table=102, only change the inner destination MAC of the message to the MAC of the destination GroupENI, and jump to table103; in table 103, match the group group established by the corresponding target GroupENI according to the destination MAC of the message, randomly select a hash bucket corresponding to a subport according to the Hash algorithm, change the inner DMAC to the MAC corresponding to the subport, set the VTEP where the subport is bound to the LB network element as the destination IP of the outer layer of the message, set vni, and send the message to the host where the corresponding LB network element is located.

In some embodiments of the present disclosure, the host machine where the LB network element is located strips off the vxlan header after receiving the message, selects the corresponding sub-port according to the destination MAC, inserts the vlan label, and sends it to the LB network element through the Trunk port.

Step 209, the target load balancing network element or the new target load balancing network element forwards the return message to the Internet gateway through vxlan via the switch where the target load balancing network element or the new target load balancing network element is located; and sends the return message to the user through the Internet gateway.

In some embodiments of the present disclosure, the LB network element receives a message and obtains the resource space corresponding to the tenant based on the VLAN, converts the source IP of the backend server into the fixed IP of GroupENI, and sends it from the Trunk port of the network element; the OV S where the LB network element is located encapsulates and forwards the traffic to the IGW gateway; after receiving the message, the IGW gateway strips off the vxlan header, converts the fixed IP of GroupENI into the corresponding Floating IP, and sends it out of the public network to the user.

In summary, the solution provided by the present disclosure has the following improvements and beneficial effects:

1. Adopt SDN strong control, through openflow protocol, the inner MAC can be flexibly changed as needed to control the forwarding of traffic: set the MAC of the subport to the inner SMAC, and guide the return traffic to a network element device associated with the subport; set the MAC of GroupENI associated with the subport to the inner SMAC, and guide the return traffic to the network element corresponding to a group of subports associated with GroupEN I to achieve load sharing.

2. Use the OVS-DPDK mode to maintain sessions in user mode to improve forwarding rate, and define the structure of the ct label to store the source MAC of the inner layer of the overlay, which has good scalability when used in return traffic.

The embodiment of the present disclosure further provides a traffic forwarding device, as shown in Figure 5. Figure 5 is a schematic diagram of the structure of the traffic forwarding device provided by the embodiment of the present disclosure, and the traffic forwarding device 300 includes:

The traffic receiving unit 310 is used to receive the user's access traffic through the Internet gateway, determine the target subport from the virtual network card group of at least one VPN according to the destination IP of the access traffic, encapsulate the access traffic into a message based on the virtual extended local area network vxlan, and send the message to the target load balancing network element bound to the target subport;

The flow table decision unit 320 is used for the target load balancing network element to select the target backend server from the downstream backend servers, set the inner source MAC of the message to the MAC of the target subport or the MAC of the target virtual network card group according to the flow table sent by the controller, and forward the message to the cloud host where the target backend server is located after encapsulation through vxlan;

The ct label definition unit 330 is used for the cloud host where the target backend server is located to establish a ct table entry according to the source MAC of the message, and define a ct label based on the ct table entry to save the data type, the inner source MAC of the message, and the tunnel source IP of the message;

The traffic return diversion unit 340 is used for the cloud host where the target backend server is located to match the corresponding flow table according to the data type of the ct tag, execute the flow table based on the ct tag to fill the inner destination MAC of the return message with the MAC of the target subport or the MAC of the target virtual network card group, and send the return message back to the target load balancing network element, or randomly select a load balancing network element bound to a subport from the target virtual network card group as the new target load balancing network element, and send the return message back to the new target load balancing network element.

In some embodiments of the present disclosure, the device also includes a virtual network card group creation unit, which is used to create a virtual network card group for a VPN, bind at least one port configured in the VPN as a subport in the virtual network card group, and bind each subport to a trunk port of at least one load balancing network element, wherein the virtual network card group includes a fixed IP and MAC and the virtual network card group is bound to at least one floating IP.

In some embodiments of the present disclosure, the traffic receiving unit 310 is specifically used to: receive the user's access traffic through the Internet gateway, match the destination IP of the access traffic with the floating IP bound to the virtual network card group of at least one virtual private cloud VPN, determine the target virtual network card group according to the matching result, and convert the destination IP into a fixed IP of the target virtual network card group; randomly select a target subport from the subports of the target virtual network card group, encapsulate the access traffic into a message through vxlan, set the MAC of the target subport as the inner target MAC of the message, and send the message to the host machine where the load balancing network element bound to the target subport is located; the host machine selects the corresponding target subport according to the target MAC of the message, inserts a virtual local area network VLAN tag into the target subport, and sets the inner target MAC of the message to the MAC corresponding to the trunk port, and sends the message to the corresponding load balancing network element through the trunk port.

In some embodiments of the present disclosure, the flow table decision unit 320 is specifically used to: control the target load balancing network element to select the target backend server from the downstream backend servers according to a preset strategy, convert the fixed IP of the target virtual network card group into the source IP of the target backend server, and send the message from the trunk port to the switch where the target load balancing network element is located; the switch matches the corresponding target sub-port according to the VLAN tag of the message, strips the VLAN tag from the target sub-port, and determines to set the MAC of the target sub-port to the inner source MAC according to the first flow table sent by the controller, or determines to set the MAC of the target virtual network card group to the source MAC of the memory according to the first flow table sent by the controller; the switch encapsulates the message through vxlan according to the vpc route and sends it to the cloud host where the target backend server is located.

In some embodiments of the present disclosure, the dual-channel processing module 420 is specifically used to: control the cloud host where the target back-end server is located to determine whether a ct table entry is established for the message based on the source MAC of the message; if the message needs to establish a ct table entry, match the MAC of the target sub-port based on the first flow table, and save the MAC of the target sub-port as the inner source MAC of the message in the ct tag, and save the tunnel terminal IP where the target load balancing network element is located as the tunnel source IP of the message in the ct tag, or match the MAC of the target virtual network card group based on the second flow table, and save the MAC of the target virtual network card group as the inner source MAC of the message in the ct tag.

In some embodiments of the present disclosure, the device also includes a sending back unit, which is used to send the message back to the target load balancing network element, or randomly select a load balancing network element bound to a subport from the target virtual network card group, and after sending the message back to the load balancing network element, control the target load balancing network element or the new target load balancing network element to forward the return message to the Internet gateway through vxlan via the switch where the target load balancing network element or the new target load balancing network element is located; and send the return message to the user through the Internet gateway.

In summary, the traffic forwarding device provided by the present invention controls the forwarding behavior of the traffic by directly sending down the flow table through the controller, and uses the MAC of the overlay network as the basis for back-end routing. The MAC of the subport or the MAC of the virtual network card group can be flexibly used as the basis for routing. The MAC of the subport is used to direct the return traffic to the network element device associated with the subport, and the MAC of the virtual network card group is used to direct the return traffic to the network element device corresponding to the subport associated with the virtual network card group. In the scenario where the virtual network card group is used to realize load balancing network element cluster and multi-tenant, it is ensured that the back-end server can accurately send the return message to the correct network element device to realize load sharing.

The traffic forwarding device provided in the above embodiment and a traffic forwarding method embodiment provided in the embodiment of the present disclosure belong to the same concept. The specific implementation process is detailed in the method embodiment and will not be repeated here.

Figure 6 is a schematic diagram of the hardware composition structure of the communication device provided in an embodiment of the present disclosure. As shown in Figure 6, the communication device 400 includes at least one processor 402; and a memory 401 that is communicatively connected to the at least one processor 402; wherein the memory 401 stores instructions that can be executed by the at least one processor 402, and the instructions are executed by the at least one processor 402 to implement the steps of the traffic forwarding method described in the embodiment of the present disclosure; or, the instructions are executed by the at least one processor 402 to implement the steps of the traffic forwarding method described in the embodiment of the present disclosure.

Optionally, the communication device may specifically be a control device of an embodiment of the present application, and the communication device may implement corresponding processes implemented by the control device in each method of the embodiment of the present application, which will not be described in detail here for the sake of brevity.

It is understood that the communication device also includes a communication interface 403. The various components in the communication device are coupled together through a bus system 404. It is understood that the bus system 404 is used to realize the connection and communication between these components. In addition to the data bus, the bus system 404 also includes a power bus, a control bus, and a status signal bus. However, for the sake of clarity, various buses are labeled as bus system 404 in FIG. 6.

It is understood that the memory 401 may be a volatile memory or a non-volatile memory, and may also include a volatile memory and a non-volatile memory.

Both non-volatile memory. Among them, non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic random access memory (FRAM), ferromagnetic random access memory, flash memory, magnetic surface memory, optical disk, or read-only optical disk (CD-ROM); magnetic surface memory can be magnetic disk memory or tape memory. Volatile memory can be random access memory (RAM), which is used as an external cache. By way of example but not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), direct memory bus random access memory (DRRAM). The memory 401 described in the embodiments of the present invention is intended to include, but is not limited to, these and any other suitable types of memory.

The method disclosed in the above embodiment of the present disclosure can be applied to the processor 402, or implemented by the processor 402. The processor 402 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method can be completed by the hardware integrated logic circuit in the processor 402 or the instruction in the form of software. The above processor 402 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc. The processor 402 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor, etc. In combination with the steps of the method disclosed in the embodiment of the present invention, it can be directly embodied as a hardware decoding processor to execute, or it can be executed by a combination of hardware and software modules in the decoding processor. The software module can be located in a storage medium, which is located in the memory 401, and the processor 402 reads the information in the memory 401 and completes the steps of the above method in combination with its hardware.

In an exemplary embodiment, the communication device may be implemented by one or more application specific integrated circuits (ASIC), DSP, programmable logic device (PLD), complex programmable logic device (CPLD), FPGA, general purpose processor, controller, MCU, microprocessor, or other electronic components to execute the aforementioned method.

The embodiment of the present case also provides a non-transitory computer-readable storage medium storing computer instructions, wherein the computer instructions are used to enable the computer to implement the steps of the traffic forwarding method described in the embodiment of the present invention when executed; or, the computer instructions are used to enable the computer to implement the steps of the traffic forwarding method described in the embodiment of the present invention when executed.

Optionally, the computer-readable storage medium can be applied to the control device in the embodiments of the present application, and the computer instructions enable the computer to execute the corresponding processes implemented by the control device in the various methods of the embodiments of the present application. For the sake of brevity, they are not repeated here.

In the several embodiments provided in the present application, it should be understood that the disclosed devices and methods can be implemented in other ways. The device embodiments described above are only schematic. For example, the division of the units is only a logical function division. There may be other division methods in actual implementation, such as: multiple units or components can be combined, or can be integrated into another system, or some features can be ignored or not executed. In addition, the coupling, direct coupling, or communication connection between the components shown or discussed can be through some interfaces, and the indirect coupling or communication connection of the devices or units can be electrical, mechanical or other forms.

The units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the present embodiment.

In addition, all functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately used as a unit, or two or more units may be integrated into one unit; the above-mentioned integrated units may be implemented in the form of hardware or in the form of hardware plus software functional units.

A person of ordinary skill in the art can understand that: all or part of the steps of implementing the above-mentioned method embodiment can be completed by hardware related to program instructions, and the aforementioned program can be stored in a computer-readable storage medium, which, when executed, executes the steps of the above-mentioned method embodiment; and the aforementioned storage medium includes: various media that can store program codes, such as mobile storage devices, ROM, RAM, magnetic disks or optical disks.

Alternatively, if the above-mentioned integrated unit of the present invention is implemented in the form of a software function module and sold or used as an independent product, it can also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiment of the present invention can be essentially or partly reflected in the form of a software product that contributes to the prior art. The computer software product is stored in a storage medium and includes several instructions for a computer device (which can be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in each embodiment of the present invention. The aforementioned storage medium includes: various media that can store program codes, such as mobile storage devices, ROM, RAM, magnetic disks or optical disks.

The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art who is familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed by the present invention, which should be included in the protection scope of the present invention. Therefore, the protection scope of the present invention should be based on the protection scope of the claims.

Claims (10)

1. A traffic forwarding method, characterized in that the method is applied to a cloud computing virtual network, the cloud computing virtual network includes at least one virtual private cloud vpn, at least one load balancing network element and an Internet gateway, the load balancing network element is connected to at least one backend server, and the method includes: Receive the user's access traffic through the Internet gateway, determine the target subport from at least one virtual network card group of the VPN according to the destination IP of the access traffic, encapsulate the access traffic into a message based on the virtual extended local area network vxlan, and send the message to the target load balancing network element bound to the target subport; The target load balancing network element selects a target backend server from the downstream backend servers, sets the inner source MAC of the message to the MAC of the target subport or the MAC of the target virtual network card group according to the flow table sent by the controller, and forwards the message to the target backend server after encapsulation through the vxlan; The target backend server establishes a connection tracking ct table entry according to the source MAC of the message, and defines a ct tag based on the ct table entry to save the data type, the inner source MAC of the message, and the tunnel source IP of the message; The target backend server matches the corresponding flow table according to the data type of the ct tag, executes the flow table based on the ct tag to fill the inner destination MAC of the return message with the MAC of the target subport or the MAC of the target virtual network card group, and sends the return message back to the target load balancing network element, or randomly selects a load balancing network element bound to a subport from the target virtual network card group as a new target load balancing network element, and sends the return message back to the new target load balancing network element. 2. The method according to claim 1, characterized in that the method further comprises: Create a virtual network card group for the VPN, bind at least one port configured in the VPN as a subport in the virtual network card group, and bind each of the subports to a trunk port of at least one load balancing network element, wherein the virtual network card group includes a fixed IP and MAC and the virtual network card group is bound to at least one floating IP. 3. The method according to claim 2 is characterized in that the receiving of user access traffic through the Internet gateway, determining a target subport from at least one virtual network card group of the VPN according to a destination IP of the access traffic, encapsulating the access traffic into a message based on a virtual extended local area network vxlan, and sending the message to a target load balancing network element bound to the target subport comprises: Receive the user's access traffic through the Internet gateway, match the destination IP of the access traffic with the floating IP bound to the virtual network card group of at least one virtual private cloud VPN, determine the target virtual network card group according to the matching result, and convert the destination IP into the fixed IP of the target virtual network card group; Randomly select a target subport from the subports of the target virtual network card group, encapsulate the access traffic into a message through vxlan, set the MAC of the target subport as the inner target MAC of the message, and send the message to the host machine where the load balancing network element bound to the target subport is located; The host machine selects the corresponding target subport according to the target MAC of the message, inserts a virtual local area network (vlan) tag into the target subport, sets the inner target MAC of the message to the MAC corresponding to the trunk port, and sends the message to the corresponding load balancing network element through the trunk port. 4. The method according to claim 3 is characterized in that the target load balancing network element selects a target backend server from the downstream backend servers, sets the inner source MAC of the message to the MAC of the target subport or the MAC of the target virtual network card group according to the flow table sent by the controller, and forwards the message to the cloud host where the target backend server is located after encapsulating it through the vxlan, comprising: The target load balancing network element selects a target backend server from the downstream backend servers according to a preset strategy, converts the fixed IP of the target virtual network card group into the source IP of the target backend server, and sends the message to the switch where the target load balancing network element is located through the trunk port; The switch matches the corresponding target subport according to the vlan tag of the message, strips the vlan tag from the target subport, and determines to set the MAC of the target subport as the inner source MAC according to the first flow table sent by the controller, or determines to set the MAC of the target virtual network card group as the source MAC of the memory according to the first flow table sent by the controller; The switch encapsulates the message through vxlan according to the route of the vpc and sends it to the cloud host where the target backend server is located. 5. The method according to claim 4 is characterized in that the cloud host where the target backend server is located establishes a ct table entry according to the source MAC of the message, and defines a ct tag based on the ct table entry to save the data type, the inner source MAC of the message, and the tunnel source IP of the message, including: The cloud host where the target backend server is located determines whether the message establishes a ct table entry according to the source MAC of the message; If the message needs to establish a ct table entry, the MAC of the target subport is matched based on the first flow table, the MAC of the target subport is saved in the ct tag as the inner source MAC of the message, and the tunnel terminal IP where the target load balancing network element is located is saved in the ct tag as the tunnel source IP of the message, Or matching the MAC of the target virtual network card group based on the second flow table, and storing the MAC of the target virtual network card group in the ct tag as the inner source MAC of the message. 6. The method according to claim 5, characterized in that after sending the message back to the target load balancing network element, or randomly selecting a load balancing network element bound to a subport from the target virtual network card group and sending the message back to the load balancing network element, the method further comprises: The target load balancing network element or the new target load balancing network element forwards the return message to the Internet gateway through the vxlan via the switch where the target load balancing network element or the new target load balancing network element is located; The return message is sent to the user through the Internet gateway. 7. A traffic forwarding device, characterized in that the device comprises: A traffic receiving unit, configured to receive the user's access traffic through the Internet gateway, determine a target subport from at least one virtual network card group of the VPN according to the destination IP of the access traffic, encapsulate the access traffic into a message based on a virtual extended local area network vxlan, and send the message to a target load balancing network element bound to the target subport; A flow table decision unit, used to control the target load balancing network element to select a target backend server from the downstream backend servers, set the inner source MAC of the message to the MAC of the target subport or the MAC of the target virtual network card group according to the flow table sent by the controller, and forward the message to the cloud host where the target backend server is located after encapsulating it through the vxlan; a ct label definition unit, configured to control the cloud host where the target backend server is located to establish a connection tracking ct table entry according to the source MAC of the message, and define a ct label based on the ct table entry to save the data type, the inner source MAC of the message, and the tunnel source IP of the message; A traffic return diversion unit is used to control the cloud host where the target backend server is located to match the corresponding flow table according to the data type of the ct tag, execute the flow table based on the ct tag to fill the inner destination MAC of the return message as the MAC of the target subport or the MAC of the target virtual network card group, and send the return message back to the target load balancing network element, or randomly select a load balancing network element bound to a subport from the target virtual network card group as a new target load balancing network element, and send the return message back to the new target load balancing network element. 8. A communication device, characterized in that it comprises: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the method described in any one of claims 1 to 6. 9. A non-transitory computer-readable storage medium storing computer instructions, wherein the computer instructions are used to cause the computer to execute the method according to any one of claims 1 to 6. 10. A computer program product, characterized in that it comprises a computer program, wherein when the computer program is executed by a processor, the computer program implements the method according to any one of claims 1 to 6.