CN111083148A - Method for realizing VPN gateway based on cloud computing field - Google Patents
Publication number: CN111083148A (application CN201911320805.3A)
Authority: CN (China)
Prior art keywords: firewall, vpn gateway, cloud computing, virtual, ipsec
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0272 Virtual private networks
- H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H04L63/101 Access control lists [ACL]
Abstract
The invention provides a method for realizing a VPN gateway in the cloud computing field, comprising the following steps: A. creating a virtual firewall; B. assigning a local IPsec endpoint address IP1; C. configuring routing information on the access switch connected to the virtual firewall so that subnet traffic under VPC1 flows to the virtual firewall; D. configuring IPsec rules on the virtual firewall; E. finishing the configuration. The beneficial effects of the invention are that firewall configuration is effectively reduced and the probability of firewall faults and restarts is reduced; the VPN gateways of different tenants are isolated from each other, different VPCs use different EIP addresses, and maintainability for operation and maintenance is improved.
Description
Technical Field
The invention belongs to the technical field of cloud computing, and particularly relates to a method for realizing a VPN gateway based on the field of cloud computing.
Background
In existing data centers, all traffic that accesses the Internet must pass through a firewall for NAT translation, packet filtering and other processing. In the current cloud computing field, the firewall (FW) is the entity on which the VPN gateway configuration is issued: the VPN gateway translation function is implemented by the firewall, and in the current common networking only one group of stacked firewall devices exists in a data center.
Because all traffic and all function configurations (including the default gateway, EIP (elastic public IP) and VPN gateway functions) are implemented on one firewall, the device configuration is excessive and the device failure probability rises; once the data center's external firewall is abnormal, no device in the whole data center can reach the external network. Over-deployment puts pressure on the firewall and also increases the probability that the entire data center network becomes unavailable.
The firewall uses only one virtual firewall (VFW) to carry these configuration functions, but because a virtual firewall has only one external network interface (Reth1) configured with one public network address (EIP), all VPN gateways created by tenants share the same external address (the EIP configured on Reth1), and once that EIP address becomes unavailable, none of the VPN gateways created by any tenant's VPCs is available.
Disclosure of Invention
In view of the above, the present invention is directed to a method for implementing a VPN gateway based on the cloud computing field, so as to solve the above-mentioned disadvantages.
To achieve this purpose, the technical solution of the invention is as follows:
a method for realizing a VPN gateway based on the cloud computing field comprises the following steps:
A. creating a virtual firewall;
B. assigning a local IPsec endpoint address IP1;
C. configuring routing information on an access switch connected to the virtual firewall so that subnet traffic under a local virtual private cloud VPC1 flows to the virtual firewall;
D. configuring IPsec rules on the virtual firewall;
E. finishing the configuration.
Further, the IPsec rule in step D includes IKE information, IPsec tunnel information and ACL rules, so that the subnet under VPC1 can access the corresponding peer subnet through IP1.
Further, different virtual firewalls establish different VPN IPsec tunnels for communicating with their peers.
Further, the firewall is connected to the local-end hosts through the aggregation switch and the access switch, the firewall is connected to the peer server through the IPsec tunnel, and the peer server is connected to the hosts at the peer end.
Compared with the prior art, the method for realizing a VPN gateway based on the cloud computing field has the following advantages:
it effectively reduces firewall configuration and the probability of firewall faults and restarts; it isolates the VPN gateways of different tenants, different VPCs use different EIP addresses, and maintainability for operation and maintenance is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
fig. 1 is a configuration flow of a method for implementing a VPN gateway based on the cloud computing field according to an embodiment of the present invention;
fig. 2 is a basic networking form used in the method for implementing a VPN gateway based on the cloud computing field according to the embodiment of the present invention;
fig. 3 is a usage example of a method for implementing a VPN gateway based on the cloud computing field according to an embodiment of the present invention;
fig. 4 shows packet flow directions from HostA to HostB.
Detailed Description
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
The present invention will be described in detail below with reference to the embodiments and the attached drawings.
As shown in fig. 1, a method for implementing a VPN gateway based on the cloud computing field includes the following steps:
A. creating a virtual firewall;
B. allocating a local IPsec endpoint address IP1, where IPsec is the protocol function provided for interconnecting the subnets of two private clouds;
C. configuring routing information on an access switch connected to the virtual firewall so that subnet traffic under a local virtual private cloud VPC1 flows to the virtual firewall;
D. configuring IPsec rules on the virtual firewall;
E. finishing the configuration.
The IPsec rule in step D includes IKE information, IPsec tunnel information and ACL rules, so that the subnet under VPC1 can access the peer subnet through IP1. Here the ACL rule is an access control list; in this embodiment it is access control information configured on the firewall that matches the traffic of the subnet segments allowed to pass through the tunnel.
Different virtual firewalls establish different VPN IPsec tunnels for communicating with their peers.
The firewall is connected to the local hosts through the aggregation switch and the access switch, the firewall is connected to the peer server through the IPsec tunnel, and the peer server is connected to the peer hosts.
The application process of this embodiment is as follows:
On the basis of the original networking, a switch device and a firewall device (DeviceC) are added. Traffic from HostA to HostB is steered by static routing configuration to a virtual firewall on the new firewall; an IPsec rule is configured on the external network interface of that virtual firewall on DeviceC, and an IPsec tunnel is finally established with DeviceB at the peer end.
As shown in fig. 2, the IPsec tunnel between the HostA device and the HostB device at the peer end performs the external VPN translation function through the added FW.
As shown in figs. 3 and 4, HostA and HostD represent hosts under the VPCs of different tenants. The VPN gateways of the VPCs use multiple VFWs to complete the VPN gateway configuration function, and each VPN IPsec connection corresponds to its own public network address, so that when a certain public network address becomes abnormal and unusable, hosts under other tenants' VPCs are not affected in their use of the VPN function.
In the drawings, leaf denotes an access switch directly connected to the servers; spine denotes an aggregation switch connected to the leaf switches.
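The per-tenant layout described above, modelled in Python as an added illustration that is not part of the patent or any vendor's firewall software (the class names, the rule record format and all addresses are constructed assumptions): each VPC gets its own VFW whose EIP is the local IPsec endpoint IP1, the access switch's static route steers the VPC subnet to that VFW, the VFW's ACL selects the subnet pair that enters the tunnel, and taking one VFW's EIP down leaves the other tenant's traffic unaffected. The same model is also built in the prior-art shape from the Background (one shared VFW, one EIP), where the same EIP outage drops every tenant.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class IpsecRule:
    """Step D of the description: IKE peer, tunnel endpoints and ACL in one record."""
    ike_peer: str                                   # remote IKE/IPsec endpoint
    local_endpoint: str                             # IP1: the owning VFW's EIP
    acl: list[tuple[IPv4Network, IPv4Network]]      # (local subnet, peer subnet) pairs

    def matches(self, src: str, dst: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return any(s in local and d in peer for local, peer in self.acl)


@dataclass
class VirtualFirewall:
    name: str
    eip: str                                        # external address of this VFW
    rules: list[IpsecRule] = field(default_factory=list)
    eip_up: bool = True                             # False models "EIP unavailable"

    def forward(self, src: str, dst: str) -> str:
        if not self.eip_up:
            return f"{self.name}: DROP (EIP {self.eip} unavailable)"
        for r in self.rules:
            if r.matches(src, dst):
                return f"{self.name}: ENCAP {src}->{dst} via {r.local_endpoint}->{r.ike_peer}"
        return f"{self.name}: DROP (no ACL match for {src}->{dst})"


@dataclass
class AccessSwitch:
    """Step C: static routes steering each VPC subnet's traffic to a VFW."""
    routes: dict[IPv4Network, VirtualFirewall] = field(default_factory=dict)

    def add_route(self, subnet: str, vfw: VirtualFirewall) -> None:
        self.routes[ip_network(subnet)] = vfw

    def forward(self, src: str, dst: str) -> str:
        s = ip_address(src)
        # longest-prefix match on the source subnet selects the VFW
        best = max((n for n in self.routes if s in n),
                   key=lambda n: n.prefixlen, default=None)
        if best is None:
            return f"switch: DROP (no route for source {src})"
        return self.routes[best].forward(src, dst)


# Constructed sample addressing: VPC1 = 10.1.0.0/24 (HostA), VPC2 = 10.3.0.0/24 (HostD);
# their peer subnets are 10.2.0.0/24 and 10.4.0.0/24 behind IKE peers in 198.51.100.0/24.
def rule(peer: str, eip: str, local: str, remote: str) -> IpsecRule:
    return IpsecRule(peer, eip, [(ip_network(local), ip_network(remote))])


def per_vpc_topology() -> AccessSwitch:
    """Steps A-D as described: one VFW and one EIP per tenant VPC."""
    vfw1 = VirtualFirewall("vfw-vpc1", eip="203.0.113.10")
    vfw1.rules.append(rule("198.51.100.20", vfw1.eip, "10.1.0.0/24", "10.2.0.0/24"))
    vfw2 = VirtualFirewall("vfw-vpc2", eip="203.0.113.11")
    vfw2.rules.append(rule("198.51.100.30", vfw2.eip, "10.3.0.0/24", "10.4.0.0/24"))
    leaf = AccessSwitch()
    leaf.add_route("10.1.0.0/24", vfw1)
    leaf.add_route("10.3.0.0/24", vfw2)
    return leaf


def shared_vfw_topology() -> AccessSwitch:
    """Prior-art layout from the Background: one VFW, one EIP, every tenant's rule on it."""
    shared = VirtualFirewall("vfw-shared", eip="203.0.113.1")
    shared.rules.append(rule("198.51.100.20", shared.eip, "10.1.0.0/24", "10.2.0.0/24"))
    shared.rules.append(rule("198.51.100.30", shared.eip, "10.3.0.0/24", "10.4.0.0/24"))
    leaf = AccessSwitch()
    leaf.add_route("10.1.0.0/24", shared)
    leaf.add_route("10.3.0.0/24", shared)
    return leaf


def isolation_check(build) -> tuple[str, str]:
    """Take down the EIP that VPC1's traffic uses, then forward one flow per tenant."""
    leaf = build()
    leaf.routes[ip_network("10.1.0.0/24")].eip_up = False
    return (leaf.forward("10.1.0.5", "10.2.0.9"),   # HostA -> HostB
            leaf.forward("10.3.0.5", "10.4.0.9"))   # HostD -> its peer


if __name__ == "__main__":
    leaf = per_vpc_topology()
    print(leaf.forward("10.1.0.5", "10.2.0.9"))     # encapsulated on vfw-vpc1
    print(leaf.forward("10.1.0.5", "10.9.0.1"))     # dropped: not in the ACL
    print(isolation_check(per_vpc_topology))        # VPC2 unaffected
    print(isolation_check(shared_vfw_topology))     # both tenants dropped
```

The ACL is deliberately a whitelist of (local subnet, peer subnet) pairs: a packet that matches no pair is dropped rather than sent in the clear, which is the check a reviewer should look for on any real VFW policy, since an IPsec rule that only covers some of the traffic steered to the VFW otherwise leaks the rest.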
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (4)
1. A method for realizing a VPN gateway based on the cloud computing field, characterized in that the method comprises the following steps:
A. creating a virtual firewall in the firewall;
B. assigning a local IPsec endpoint address IP1;
C. configuring routing information on an access switch connected to the virtual firewall so that subnet traffic under a local virtual private cloud VPC1 flows to the virtual firewall;
D. configuring IPsec rules on the virtual firewall;
E. finishing the configuration.
2. The method for implementing the VPN gateway based on the cloud computing field according to claim 1, wherein the IPsec rule in step D includes IKE information, IPsec tunnel information and ACL rules, so that the subnet under VPC1 can access the peer subnet through IP1.
3. The method for implementing the VPN gateway based on the cloud computing field according to claim 1, wherein different ones of the virtual firewalls establish different VPN IPsec tunnels for communicating with the peer.
4. The method for implementing the VPN gateway based on the cloud computing field according to claim 1, wherein the firewall is connected to the local host through the aggregation switch and the access switch, the firewall is connected to the peer server through the IPsec tunnel, and the peer server is connected to the peer host.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911320805.3A CN111083148A (en) | 2019-12-19 | 2019-12-19 | Method for realizing VPN gateway based on cloud computing field |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111083148A true CN111083148A (en) | 2020-04-28 |
Family ID: 70315986
Timeline
- 2019-12-19: application CN201911320805.3A filed (CN), published as CN111083148A, status active, Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060156403A1 (en) * | 2005-01-10 | 2006-07-13 | Mcafee, Inc. | Integrated firewall, IPS, and virus scanner system and method |
CN102611700A (en) * | 2012-02-24 | 2012-07-25 | 汉柏科技有限公司 | Method for realizing VPN (Virtual Private Network) access under transparent mode |
CN103095701A (en) * | 2013-01-11 | 2013-05-08 | 中兴通讯股份有限公司 | Open flow table security enhancement method and device |
Non-Patent Citations (1)
Title |
---|
汤门豪: "Design and Implementation of IPSec VPN in a Firewall Virtualization Scenario", China Master's Theses Full-text Database (Master), Information Science and Technology * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200327611A1 (en) * | 2017-10-08 | 2020-10-15 | Coinroutes Inc. | Distributed crypto-currency smart order router with cost calculator |
US11580600B2 (en) * | 2017-10-08 | 2023-02-14 | Coinroutes Inc. | Distributed crypto-currency smart order router with cost calculator |
CN112104492A (en) * | 2020-09-07 | 2020-12-18 | 紫光云(南京)数字技术有限公司 | Networking structure of cloud computing data center |
CN112995173A (en) * | 2021-02-24 | 2021-06-18 | 紫光云技术有限公司 | Bare metal safety control method |
CN116599769A (en) * | 2023-07-13 | 2023-08-15 | 北京安数云信息技术有限公司 | VPN-based data transmission method and system |
CN116599769B (en) * | 2023-07-13 | 2023-09-26 | 北京安数云信息技术有限公司 | VPN-based data transmission method and system |
CN117714140A (en) * | 2023-12-13 | 2024-03-15 | 天翼云科技有限公司 | Security protection methods and cloud platforms |
CN119603369A (en) * | 2024-11-27 | 2025-03-11 | 新华三信息安全技术有限公司 | Message forwarding method, electronic device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20200428 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |