
HK40090849B - Virtual private cloud communication method, virtual private cloud communication configuration method, and related apparatuses - Google Patents

Virtual private cloud communication method, virtual private cloud communication configuration method, and related apparatuses

Info

Publication number: HK40090849B
Authority: HK (Hong Kong)
Prior art keywords: address, vpc, gateway, message, private network
Application number: HK62023079295.9A
Other languages: Chinese (zh)
Other versions: HK40090849A (en)
Inventor: 刘海霞
Original Assignee: 华为云计算技术有限公司
Application filed by 华为云计算技术有限公司
Publication of HK40090849A (patent/HK40090849A/en)
Publication of HK40090849B (patent/HK40090849B/en)

Description

Virtual private cloud communication and configuration methods and related apparatus

Technical Field

This application relates to the field of cloud technology, and in particular to a virtual private cloud communication and configuration method and related apparatus.

Background

With the development of cloud technology, there is a need for communication between two or more virtual private clouds (VPCs). However, for reasons such as private address planning, the VPCs that need to communicate may have overlapping private address ranges, in which case they cannot communicate with each other.

Summary of the Invention

To solve the problems of the prior art, embodiments of the present invention provide a virtual private cloud communication and configuration method and related apparatus, which effectively solve the technical problem that VPCs on the cloud cannot communicate because their private address ranges overlap.

In a first aspect, this application provides a configuration method for virtual private cloud (VPC) communication, in which a first VPC and a second VPC that have the same private address range communicate through a third VPC whose private address range differs from those of the first and second VPCs. The method includes the following steps: binding the private addresses in the first VPC to a first address, where the first address belongs to the private address range of the third VPC; binding the private addresses in the second VPC to a second address, where the second address belongs to the private address range of the third VPC and differs from the first address; and configuring the source address of packets sent from the first VPC to the second VPC as the first address and their destination address as the second address.

Through this bridging by the third VPC, the first VPC reaches the second VPC by accessing the second address bound to it, and the second VPC reaches the first VPC by accessing the first address bound to it, so the two VPCs can communicate even though their private address ranges overlap.

In one possible implementation of the first aspect, the configuration method further includes configuring routing rules on the third VPC. The routing rules on the third VPC include: forwarding packets whose destination address is the first address to the first VPC, and forwarding packets whose destination address is the second address to the second VPC.

With these routing rules, the third VPC forwards packets between the first VPC and the second VPC, which achieves the bridging.

In one possible implementation of the first aspect, the configuration method further includes the following steps: configuring a first gateway in the first VPC and a second gateway in the second VPC, where the private address of the first gateway is configured as the first address and the private address of the second gateway is configured as the second address; configuring a first packet processing rule on the first gateway, which includes translating the source address of outgoing packets from an address in the first VPC to the first address and translating the destination address of incoming packets from the first address to an address in the first VPC; and configuring a second packet processing rule on the second gateway, which includes translating the source address of outgoing packets from an address in the second VPC to the second address and translating the destination address of incoming packets from the second address to an address in the second VPC.

Through these packet processing rules, the first gateway binds the addresses in the first VPC to the first address and the second gateway binds the addresses in the second VPC to the second address, so that the first VPC accesses the second VPC by accessing the second address and the second VPC accesses the first VPC by accessing the first address.

In one possible implementation of the first aspect, the configuration method further includes configuring routing rules. Specifically, routing rules are configured on the router of the first VPC, which include: forwarding packets whose destination address is the second address to the first gateway, and forwarding packets whose destination address is an address in the first VPC to a subnet of the first VPC. Routing rules are also configured on the router of the second VPC, which include: forwarding packets whose destination address is the first address to the second gateway, and forwarding packets whose destination address is an address in the second VPC to a subnet of the first VPC.

With these routing rules, the router of the first VPC can forward packets between the first gateway and the subnets of the first VPC, and the router of the second VPC can forward packets between the second gateway and the subnets of the second VPC.

In other possible implementations of the first aspect, the addresses in the first VPC include addresses in a subnet of an on-premises data center that remotely accesses the first VPC.

In other possible implementations of the first aspect, the addresses in the first VPC include addresses in the subnets of the first VPC.

In a second aspect, this application provides a configuration method for VPC communication, used where a first VPC and a second VPC that have the same private address range communicate through a third VPC whose private address range differs from those of the first and second VPCs. The method includes the following steps: configuring a first gateway in the first VPC and a second gateway in the second VPC, where a first address is configured for the first gateway and a second address for the second gateway, the first and second addresses belong to the private address range of the third VPC, and the first and second addresses differ; configuring a first packet processing rule on the first gateway and a second packet processing rule on the second gateway, where the first packet processing rule includes translating the source address of outgoing packets from an address in the first VPC to the first address and translating the destination address of incoming packets from the first address to an address in the first VPC, and the second packet processing rule includes translating the source address of outgoing packets from an address in the second VPC to the second address and translating the destination address of incoming packets from the second address to an address in the second VPC; and configuring a first routing rule on the router of the first VPC, a second routing rule on the router of the second VPC and a third routing rule on the router of the third VPC, where the first routing rule includes routing packets whose destination address is the second address to the first gateway, the second routing rule includes routing packets whose destination address is the first address to the second gateway, and the third routing rule includes routing packets whose destination address is the first address to the first gateway in the first VPC and routing packets whose destination address is the second address to the second gateway in the second VPC.

Through this bridging by the third VPC, the first VPC reaches the second VPC by accessing the second address bound to it, and the second VPC reaches the first VPC by accessing the first address bound to it, so the two VPCs can communicate even though their private address ranges overlap.

In one possible implementation of the second aspect, the method further includes the following steps: configuring the connection between the first VPC and the third VPC, and configuring the connection between the second VPC and the third VPC.

Specifically, the first gateway in the first VPC can be configured to connect to the router in the third VPC, and the second gateway in the second VPC can be configured to connect to the router in the third VPC, so that the first VPC and the second VPC are each connected to the third VPC; the third VPC then addresses the first VPC through the first address bound to it and addresses the second VPC through the second address bound to it.

In a third aspect, this application provides a VPC communication method, used where a first VPC and a second VPC that have the same private address range communicate through a third VPC whose private address range differs from those of the first and second VPCs. The method includes the following steps: the first VPC sends a packet whose source address is a first address and whose destination address is a second address, where both the first and second addresses belong to the private address range of the third VPC, the private addresses in the first VPC are bound to the first address, and the private addresses in the second VPC are bound to the second address; the third VPC receives the packet and forwards it to the second VPC according to a preconfigured routing rule, where the routing rule of the third VPC includes forwarding packets whose destination address is the second address to the second VPC.

Through this bridging by the third VPC, the first VPC reaches the second VPC by accessing the second address bound to it, and the second VPC reaches the first VPC by accessing the first address bound to it, so the two VPCs can communicate even though their private address ranges overlap.

In one possible implementation of the third aspect, the routing rule further includes forwarding packets whose destination address is the first address to the first VPC. In this case the method further includes the following steps: the second VPC sends a response packet whose source address is the second address and whose destination address is the first address; the third VPC receives the response packet and forwards it to the first VPC according to the routing rule.

With this routing rule, the response packet returned by the second VPC is forwarded through the third VPC to the first VPC, which completes the reply.

In a fourth aspect, this application provides a VPC communication method in which a first VPC and a second VPC communicate through a third VPC. The first VPC and the second VPC have the same private address range, while the private address range of the third VPC differs from those of the first and second VPCs. The first VPC is provided with a first gateway and the second VPC with a second gateway; the first gateway is configured with a first address and the second gateway with a second address, both of which belong to the private address range of the third VPC, and the first and second addresses differ. The method includes the following steps: the router of the first VPC receives a packet sent by a first device, where the source address of the packet is the private address of the first device and the destination address is the second address; the router of the first VPC forwards the packet to the first gateway according to a first routing rule; the first gateway changes the source address of the packet to the first address and forwards the modified packet to the router of the third VPC, which is configured with a third routing rule. The first routing rule includes: packets whose destination address belongs to the private address range of the third VPC are to be forwarded to the first gateway. The third routing rule includes: packets whose destination address is the second address are to be forwarded to the second gateway of the second VPC.

Through this bridging by the third VPC, the first VPC reaches the second VPC by accessing the second address bound to it, and the second VPC reaches the first VPC by accessing the first address bound to it, so the two VPCs can communicate even though their private address ranges overlap.

In one possible implementation of the fourth aspect, the first device may be a first virtual machine in a first subnet of the first VPC, or a physical or virtual machine in a second subnet of a first on-premises data center connected to the first VPC through a remote communication tunnel; the second device may be a second virtual machine in a third subnet of the second VPC, or a physical or virtual machine in a fourth subnet of a second on-premises data center connected to the second VPC through a remote communication tunnel.

In one possible implementation of the fourth aspect, the method further includes the following steps: the second gateway receives the packet forwarded by the router of the third VPC, changes the destination address of the received packet to the address of the second device, and sends the modified packet to the router of the second VPC; the router of the second VPC forwards the received packet to the subnet where the second device is located according to a second routing rule, which includes: packets whose destination address belongs to the second address are to be forwarded to the subnet where the second device is located.

After the packet is modified and forwarded by the second gateway and then forwarded by the router of the second VPC, it reaches the subnet where the second device is located, so the second device can receive it.

In a fifth aspect, this application provides a configuration apparatus for VPC communication, where a first VPC and a second VPC that have the same private address range communicate through a third VPC whose private address range differs from those of the first and second VPCs. The apparatus includes the following modules: an address binding module, configured to bind the private addresses in the first VPC to a first address, where the first address belongs to the private address range of the third VPC, and to bind the private addresses in the second VPC to a second address, where the second address belongs to the private address range of the third VPC and differs from the first address; and an address configuration module, configured to set the source address of packets sent from the first VPC to the second VPC to the first address and their destination address to the second address, and to set the source address of packets sent from the second VPC to the first VPC to the second address and their destination address to the first address.

The fifth aspect, or any implementation of it, is the apparatus implementation corresponding to the first aspect or any implementation of it; the description of the first aspect and its implementations applies to the fifth aspect and its implementations and is not repeated here.

In a sixth aspect, this application provides a configuration apparatus for VPC communication, where a first VPC and a second VPC that have the same private address range communicate through a third VPC whose private address range differs from those of the first and second VPCs. The apparatus includes: a gateway configuration module, configured to configure a first gateway in the first VPC and a second gateway in the second VPC; an address configuration module, configured to configure a first address for the first gateway and a second address for the second gateway, where the first and second addresses belong to the private address range of the third VPC and differ from each other; an address binding module, configured to configure a first packet processing rule on the first gateway and a second packet processing rule on the second gateway, where the first packet processing rule includes translating the source address of outgoing packets from an address in the first VPC to the first address and sending the modified outgoing packets to the router of the third VPC, and translating the destination address of incoming packets from the first address to an address in the first VPC and sending the modified incoming packets to the router of the first VPC, and the second packet processing rule includes translating the source address of outgoing packets from an address in the second VPC to the second address and sending the modified outgoing packets to the router of the third VPC, and translating the destination address of incoming packets from the second address to an address in the second VPC and sending the modified incoming packets to the router of the second VPC; and a routing rule configuration module, configured to configure a first routing rule on the router of the first VPC, a second routing rule on the router of the second VPC and a third routing rule on the router of the third VPC, where the first routing rule includes routing packets whose destination address is the second address to the first gateway, the second routing rule includes routing packets whose destination address is the first address to the second gateway, and the third routing rule includes routing packets whose destination address is the first address to the first gateway in the first VPC and routing packets whose destination address is the second address to the second gateway in the second VPC.

The sixth aspect, or any implementation of it, is the apparatus implementation corresponding to the second aspect or any implementation of it; the description of the second aspect and its implementations applies to the sixth aspect and its implementations and is not repeated here.

In a seventh aspect, this application provides a VPC communication system that includes a first VPC, a second VPC and a third VPC. The first VPC and the second VPC have the same private address range and communicate through the third VPC, whose private address range differs from those of the first and second VPCs. The first VPC is configured to send a packet whose source address is a first address and whose destination address is a second address, where both addresses belong to the private address range of the third VPC, the private addresses in the first VPC are bound to the first address, and the private addresses in the second VPC are bound to the second address. The third VPC is configured to receive the packet and forward it to the second VPC according to a preconfigured routing rule, where the routing rule of the third VPC includes forwarding packets whose destination address is the second address to the second VPC.

The seventh aspect, or any implementation of it, is the system implementation corresponding to the third aspect or any implementation of it; the description of the third aspect and its implementations applies to the seventh aspect and its implementations and is not repeated here.

In an eighth aspect, this application provides a VPC communication system that includes a first VPC, a second VPC and a third VPC, where the first VPC and the second VPC communicate through the third VPC. The first VPC and the second VPC have the same private address range, while the private address range of the third VPC differs from those of the first and second VPCs. The first VPC is provided with a first gateway and the second VPC with a second gateway; the first gateway is configured with a first address and the second gateway with a second address, both of which belong to the private address range of the third VPC, and the first and second addresses differ. The router of the first VPC is configured to receive a packet sent by a first device, where the source address of the packet is the private address of the first device and the destination address is the second address, and to forward the packet to the first gateway according to a first routing rule. The first gateway is configured to change the source address of the packet to the first address and forward the modified packet to the router of the third VPC, which is configured with a third routing rule. The first routing rule includes: packets whose destination address belongs to the private address range of the third VPC are to be forwarded to the first gateway. The third routing rule includes: packets whose destination address is the second address are to be forwarded to the second gateway of the second VPC.

The eighth aspect, or any implementation of it, is the system implementation corresponding to the fourth aspect or any implementation of it; the description of the fourth aspect and its implementations applies to the eighth aspect and its implementations and is not repeated here.

In a ninth aspect, this application provides a VPC communication system that includes a first VPC, a second VPC and a third VPC, where the first VPC and the second VPC communicate through the third VPC. The first VPC and the second VPC have the same private address range, while the private address range of the third VPC differs from those of the first and second VPCs. The first VPC is provided with a first gateway connected to the third VPC, and the second VPC with a second gateway connected to the third VPC; the first gateway is configured with a first address and the second gateway with a second address, both of which belong to the private address range of the third VPC, and the first and second addresses differ. A first virtual machine in a first subnet of the first VPC is configured to send a packet to the switch of the first subnet, where the source address of the packet is the private address of the first virtual machine in the first subnet and the destination address is the second address. The switch of the first subnet is configured to send the packet to the router of the first VPC. The router of the first VPC is configured to receive the packet and forward it to the first gateway. The first gateway is configured to receive the packet, change its source address to the first address, and forward the modified packet to the router of the third VPC. The router of the third VPC is configured to receive the packet and forward it to the second gateway. The second gateway is configured to receive the packet, change its destination address to the private address of a second virtual machine in a second subnet of the second VPC, and send the modified packet to the router of the second VPC. The router of the second VPC is configured to receive the packet and forward it to the switch of the second subnet. The switch of the second subnet is configured to receive the packet and send it to the second virtual machine.
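The configuration of the first and second aspects (bound addresses, gateway packet processing rules, per-VPC routing rules) and the packet path of the fourth and ninth aspects, as an added Python simulation that is not part of the patent: the address ranges, the addresses 192.168.0.1 and 192.168.0.2, the host addresses, the node names r1/gw1/subnet1 and the gateway's small session table that maps a reply back to its inner sender are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology; the values are assumptions, not taken from the patent.
VPC1_CIDR = "10.0.0.0/16"      # first VPC
VPC2_CIDR = "10.0.0.0/16"      # second VPC, same range as the first
VPC3_CIDR = "192.168.0.0/24"   # third (transit) VPC, must not overlap
FIRST_ADDR = "192.168.0.1"     # first address, bound to the first gateway
SECOND_ADDR = "192.168.0.2"    # second address, bound to the second gateway
VM1 = "10.0.1.5"               # first device, in a subnet of the first VPC
VM2 = "10.0.1.7"               # second device, in a subnet of the second VPC


def validate_config(vpc1, vpc2, vpc3, first_addr, second_addr):
    """Preconditions the scheme relies on; returns the list of violations."""
    n1, n2, n3 = (ipaddress.ip_network(c) for c in (vpc1, vpc2, vpc3))
    a1, a2 = ipaddress.ip_address(first_addr), ipaddress.ip_address(second_addr)
    problems = []
    if n3.overlaps(n1) or n3.overlaps(n2):
        problems.append("transit VPC range overlaps a bridged VPC")
    if a1 not in n3 or a2 not in n3:
        problems.append("bound address not in transit VPC range")
    if a1 == a2:
        problems.append("first and second address must differ")
    return problems


@dataclass
class Packet:
    src: str
    dst: str
    path: list = field(default_factory=list)   # hops visited, for tracing


class Router:
    """Routing rules as (prefix, next hop) pairs; the longest prefix wins."""
    def __init__(self, name, rules):
        self.name = name
        self.rules = sorted(((ipaddress.ip_network(p), hop) for p, hop in rules),
                            key=lambda r: r[0].prefixlen, reverse=True)

    def handle(self, pkt):
        pkt.path.append(self.name)
        dst = ipaddress.ip_address(pkt.dst)
        for net, hop in self.rules:
            if dst in net:
                return hop
        raise LookupError(f"{self.name}: no route to {pkt.dst}")


class Gateway:
    """Packet processing rules: outgoing packets get the bound address as their
    source; incoming packets for the bound address get an in-VPC destination."""
    def __init__(self, name, bound, default_inner, transit_hop, vpc_hop):
        self.name, self.bound, self.default_inner = name, bound, default_inner
        self.transit_hop, self.vpc_hop = transit_hop, vpc_hop
        self.sessions = {}   # assumed detail: peer address -> inner host, for replies

    def handle(self, pkt):
        pkt.path.append(self.name)
        if pkt.dst == self.bound:                      # incoming from the transit VPC
            pkt.dst = self.sessions.get(pkt.src, self.default_inner)
            return self.vpc_hop
        self.sessions[pkt.dst] = pkt.src               # outgoing to the transit VPC
        pkt.src = self.bound
        return self.transit_hop


class Subnet:
    """Final hop: delivers only to hosts that actually live in this subnet."""
    def __init__(self, name, hosts):
        self.name, self.hosts = name, set(hosts)

    def handle(self, pkt):
        pkt.path.append(self.name)
        if pkt.dst not in self.hosts:
            raise LookupError(f"{self.name}: {pkt.dst} is not here")
        return None


def build_fabric():
    """r1, r2 and r3 hold the first, second and third routing rules of the text."""
    return {
        "r1": Router("r1", [(VPC3_CIDR, "gw1"), (VPC1_CIDR, "subnet1")]),
        "r2": Router("r2", [(VPC3_CIDR, "gw2"), (VPC2_CIDR, "subnet2")]),
        "r3": Router("r3", [(FIRST_ADDR + "/32", "gw1"), (SECOND_ADDR + "/32", "gw2")]),
        "gw1": Gateway("gw1", FIRST_ADDR, VM1, "r3", "r1"),
        "gw2": Gateway("gw2", SECOND_ADDR, VM2, "r3", "r2"),
        "subnet1": Subnet("subnet1", [VM1]),
        "subnet2": Subnet("subnet2", [VM2]),
    }


def send(nodes, pkt, first_hop):
    hop = first_hop
    while hop is not None:          # walk hop by hop until a subnet delivers it
        hop = nodes[hop].handle(pkt)
    return pkt


def demo():
    """Request from the first device to the second address, then the reply."""
    nodes = build_fabric()
    request = send(nodes, Packet(VM1, SECOND_ADDR), "r1")
    reply = send(nodes, Packet(VM2, FIRST_ADDR), "r2")
    return request, reply
```

demo() returns the request and the reply with the hops each traversed (r1, gw1, r3, gw2, r2, subnet2 and back), showing the source rewritten at the sending gateway and the destination rewritten at the receiving one. validate_config() is the check to run before building the bridge, since the scheme only works when the transit range overlaps neither VPC and the two bound addresses are distinct addresses inside it.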

In a tenth aspect, this application provides a VPC communication system that includes a first VPC, a second VPC and a third VPC, where the first VPC and the second VPC communicate through the third VPC. The first VPC and the second VPC have the same private address range, while the private address range of the third VPC differs from those of the first and second VPCs. The first VPC is provided with a first remote connection gateway that connects remotely to a first on-premises data center and a first gateway that connects to the third VPC; the second VPC is provided with a second remote connection gateway that connects remotely to a second on-premises data center and a second gateway that connects to the third VPC. The first gateway is configured with a first address and the second gateway with a second address, both of which belong to the private address range of the third VPC, and the first and second addresses differ. The first remote connection gateway is configured to receive a packet sent by a first device in a first subnet of the first on-premises data center and send it to the router of the first VPC, where the source address of the packet is the private address of the first device in the first subnet and the destination address is the second address. The router of the first VPC is configured to receive the packet and forward it to the first gateway. The first gateway is configured to receive the packet, change its source address to the first address, and forward the modified packet to the router of the third VPC. The router of the third VPC is configured to receive the packet and forward it to the second gateway. The second gateway is configured to receive the packet, change its destination address to the private address of a second device in a second subnet of the second on-premises data center, and send the modified packet to the router of the second VPC. The router of the second VPC is configured to receive the packet and forward it to the second remote connection gateway. The second remote connection gateway is configured to receive the packet and send it to the second device in the second subnet of the second on-premises data center.

In an eleventh aspect, this application provides a virtual private cloud (VPC) communication system including a first VPC, a second VPC and a third VPC. The first VPC and the second VPC communicate through the third VPC. The first VPC and the second VPC have the same private network address range, and the private network address range of the third VPC differs from those of the first VPC and the second VPC. The first VPC is provided with a first gateway and the second VPC with a second gateway; the first gateway is configured with a first address and the second gateway with a second address, both of which belong to the private network address range of the third VPC and which are different. The router of the first VPC and the router of the second VPC are each connected to the router of the third VPC. A first virtual machine in a first subnet of the first VPC sends a packet to the switch of the first subnet; the source address of the packet is the private network address of the first virtual machine in the first subnet and its destination address is the second address. The switch of the first subnet sends the packet to the first gateway. The first gateway changes the source address of the packet to the first address and sends the modified packet to the router of the first VPC. The router of the first VPC receives the packet and forwards it to the router of the third VPC, which forwards it to the router of the second VPC, which forwards it to the second gateway. The second gateway receives the packet, changes its destination address to the private network address of a second virtual machine in a second subnet of the second VPC, and sends the modified packet to the switch of the second subnet. The switch of the second subnet receives the packet and sends it to the second virtual machine.

In a twelfth aspect, this application provides a computing device including at least one memory and at least one processor; the at least one memory stores program instructions, and the at least one processor executes the program instructions to perform the method of the first aspect or any of its possible implementations.

In a thirteenth aspect, this application provides a computing device including at least one memory and at least one processor; the at least one memory stores program instructions, and the at least one processor executes the program instructions to perform the method of the second aspect or any of its possible implementations.

In a fourteenth aspect, this application provides a non-transitory readable storage medium which, when executed by a computing device, causes the computing device to perform the method of the first aspect or any of its possible implementations. The storage medium stores a program. The storage medium includes, but is not limited to, volatile memory such as random access memory, and non-volatile memory such as flash memory, hard disk drives (HDD) and solid state drives (SSD).

In a fifteenth aspect, this application further provides a non-transitory readable storage medium which, when executed by a computing device, causes the computing device to perform the method of the second aspect or any of its possible implementations. The storage medium stores a program. The storage medium includes, but is not limited to, volatile memory such as random access memory, and non-volatile memory such as flash memory, hard disk drives (HDD) and solid state drives (SSD).

In a sixteenth aspect, this application provides a computing device program product including computer instructions which, when executed by a computing device, cause the computing device to perform the method of the first aspect or any of its possible implementations. The computer program product may be a software installation package that is downloaded and executed on a computing device when the method of the first aspect or any of its possible implementations is needed.

In a seventeenth aspect, this application further provides another computing device program product including computer instructions which, when executed by a computing device, cause the computing device to perform the method of the second aspect or any of its possible implementations. The computer program product may be a software installation package that is downloaded and executed on a computing device when the method of the second aspect or any of its possible implementations is needed.

In an eighteenth aspect, this application further provides a configuration method for VPC communication, in which a first VPC and a second VPC having the same private network address range communicate through a third VPC whose private network address range differs from those of the first VPC and the second VPC. The method includes the following steps: providing a first configuration page to a user of the first VPC, which prompts that user to create a first gateway in the first VPC and to enter the information of the third VPC that the first gateway is to connect to, together with the first address of the first gateway in the third VPC; providing a second configuration page to a user of the second VPC, which prompts that user to create a second gateway in the second VPC and to enter the information of the third VPC that the second gateway is to connect to, together with the second address of the second gateway in the third VPC, where the first address and the second address belong to the private network address range of the third VPC and are different; creating the first gateway from the information on the first configuration page; and creating the second gateway from the information on the second configuration page.

In a possible implementation of the eighteenth aspect, the configuration method further includes the following steps: configuring a first packet processing rule on the first gateway and a second packet processing rule on the second gateway, where the first packet processing rule translates the source address of outgoing packets from an address in the first VPC to the first address and translates the destination address of incoming packets from the first address to an address in the first VPC, and the second packet processing rule translates the source address of outgoing packets from an address in the second VPC to the second address and translates the destination address of incoming packets from the second address to an address in the second VPC; and configuring a first routing rule on the router of the first VPC, a second routing rule on the router of the second VPC and a third routing rule on the router of the third VPC, where the first routing rule routes packets whose destination address is the second address to the first gateway, the second routing rule routes packets whose destination address is the first address to the second gateway, and the third routing rule routes packets whose destination address is the first address to the first gateway in the first VPC and packets whose destination address is the second address to the second gateway in the second VPC.
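As an added example (not code from the patent or from Huawei Cloud), the following Python function checks the preconditions the configuration method relies on before the two gateways are created: all three ranges are private, the third VPC's range overlaps neither the first nor the second, both gateway addresses belong to the third VPC, and the two addresses differ. The function and example names are assumptions of this page; the addresses in `example_from_figure_3` are the ones the description uses for VPC1, VPC2 and VPC3, and `example_bad_transit_range` is a constructed bad input.

```python
import ipaddress


def validate_bridge_config(vpc1_cidr, vpc2_cidr, vpc3_cidr, first_addr, second_addr):
    """Check the preconditions of the configuration method before creating the gateways.

    Returns a list of problems found; an empty list means the configuration is consistent.
    """
    vpc1, vpc2, vpc3 = (ipaddress.ip_network(c) for c in (vpc1_cidr, vpc2_cidr, vpc3_cidr))
    a1, a2 = ipaddress.ip_address(first_addr), ipaddress.ip_address(second_addr)
    problems = []

    # All three ranges must be private network ranges.
    for name, net in (("VPC1", vpc1), ("VPC2", vpc2), ("VPC3", vpc3)):
        if not net.is_private:
            problems.append(f"{name} range {net} is not a private network range")

    # The transit VPC must not overlap either side; otherwise the gateway addresses
    # would be ambiguous inside VPC1/VPC2 and the "destination in VPC3" routing
    # rules on router 1 / router 2 would capture local traffic.
    for name, net in (("VPC1", vpc1), ("VPC2", vpc2)):
        if vpc3.overlaps(net):
            problems.append(f"VPC3 range {vpc3} overlaps {name} range {net}")

    # Both gateway addresses must come from VPC3 and must differ from each other.
    for name, addr in (("first address", a1), ("second address", a2)):
        if addr not in vpc3:
            problems.append(f"{name} {addr} does not belong to VPC3 range {vpc3}")
    if a1 == a2:
        problems.append(f"first address and second address are both {a1}")
    return problems


def example_from_figure_3():
    """The page's own values: VPC1 and VPC2 overlap, VPC3 is 10.0.0.0/24."""
    return validate_bridge_config("192.168.0.0/16", "192.168.0.0/16",
                                  "10.0.0.0/24", "10.0.0.9", "10.0.0.10")


def example_bad_transit_range():
    """Constructed bad input: VPC3 carved out of the same 192.168.0.0/16 space,
    and a second address that is not in VPC3 at all."""
    return validate_bridge_config("192.168.0.0/16", "192.168.0.0/16",
                                  "192.168.9.0/24", "192.168.9.9", "10.0.0.10")
```

The validator is what a control platform should run on the two configuration pages before creating either gateway; the page's own values pass, and the constructed bad input reports three problems (two overlaps and one address outside VPC3).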

Brief Description of the Drawings

Figure 1 is a schematic diagram of the system structure of a VPC communication system;

Figure 2 is a schematic diagram of the system structure of a VPC communication system according to an embodiment of the present invention;

Figure 3 is a schematic diagram of another system structure of a VPC communication system according to an embodiment of the present invention;

Figure 4 is a flowchart of a VPC communication setup method according to an embodiment of the present invention;

Figures 5a to 5g show the VPC configuration interface provided by the control platform;

Figure 6 is a schematic diagram of the system structure of a VPC communication system according to an embodiment of the present invention;

Figure 7 is a schematic diagram of another system structure of a VPC communication system according to an embodiment of the present invention;

Figure 8 is a schematic diagram of another system structure of a VPC communication system according to an embodiment of the present invention;

Figure 9 is a schematic diagram of another system structure of a VPC communication system according to an embodiment of the present invention;

Figure 10 is a schematic diagram of the structure of a configuration apparatus according to an embodiment of the present invention;

Figure 11 is a schematic diagram of the structure of a computing device according to an embodiment of the present invention.

Detailed Description

First, the terms used in the embodiments of this invention are explained as follows:

Cloud data center: a data center that provides public cloud services.

On-premises data center: a data center that provides non-public cloud services. Where the on-premises data center provides on-premises deployment services it comprises multiple physical machines; where it provides private cloud services it comprises multiple virtual machines.

Public cloud services, i.e. infrastructure as a service (IaaS): the infrastructure of a public cloud provider is offered as a service over the Internet. In this service model users do not build their own data center but rent servers, storage, networking and other infrastructure. Public cloud services are delivered through virtual environments (for example virtual machines); the core attribute of a public cloud is that many users share the cloud infrastructure while remaining isolated from one another.

Non-public cloud services: infrastructure dedicated to a single user, for example private cloud services and on-premises deployment services.

Private cloud services: a single user owns servers, storage, networking and other infrastructure and has full control over it. Private cloud services are delivered through virtual environments (for example virtual machines); their core attribute is that a single user has exclusive use of the infrastructure.

On-premises services: a single user builds servers, storage, networking and other infrastructure locally and has exclusive use of it. On-premises services run on physical machines.

Private network address: an IP address that is not routable on the public Internet and can only be addressed within a local network; private addresses must not appear on the Internet.

Private network addresses are reserved ranges of IP addresses (RFC 1918). Their classes, network segments and sizes are shown in the table below:

Private address class        Network segment    Addresses in the block
Class A private addresses    10.0.0.0/8         16,777,216
Class B private addresses    172.16.0.0/12      1,048,576
Class C private addresses    192.168.0.0/16     65,536

Virtual Private Cloud (VPC): a VPC is set up in a public cloud and is the virtual network of a public cloud user in the cloud data center. Each VPC can be networked independently and VPCs are logically isolated from one another, so subnets in different VPCs may use exactly the same private network segments.

Specifically, each VPC has its own tunnel identifier. Packets exchanged between virtual machines within one VPC carry the same tunnel identifier and are then transmitted over the physical network. Virtual machines in different VPCs carry different tunnel identifiers and therefore sit on two different routing planes, so they cannot communicate with each other; logical isolation follows naturally.

The tunnel identifier may be, for example, a virtual local area network identifier (VLAN ID) or a virtual network identifier (VNI).

Refer first to Figure 1, a schematic diagram of the system structure of a VPC communication system. As shown in Figure 1, the VPC communication system includes a cloud data center 10 and a client 7; client 7 accesses cloud data center 10 through the Internet 8.

Cloud data center 10 in Figure 1 is a logical diagram. Cloud data center 10 provides VPC1 and VPC2 for public cloud users. VPC1 includes router 1 and subnet 1; the private network segment of VPC1 is 192.168.0.0/16 and that of subnet 1 is 192.168.0.0/24. Virtual machines (VMs) VM1 and VM2 are placed in subnet 1; the private address of VM1 is 192.168.0.2 and that of VM2 is 192.168.0.3. VM1 and VM2 are connected to switch 1, and router 1 is connected to switch 1.

Note that the private segment of subnet 1 is a subset of the private segment of VPC1. Besides subnet 1, VPC1 may include other subnets, for example a subnet with the private segment 192.168.1.0/24 or one with 192.168.2.0/24. Router 1 forwards packets exchanged between different subnets.

VPC2 includes router 2 and subnet 2; the private network segment of VPC2 is 192.168.0.0/16 and that of subnet 2 is 192.168.0.0/24. VM3 and VM4 are placed in subnet 2; the private address of VM3 is 192.168.0.2 and that of VM4 is 192.168.0.3. VM3 and VM4 are connected to switch 2, and router 2 is connected to switch 2.

Subnet 1 and subnet 2 have the same private network segment, that is, their private addresses overlap.

Similarly, the private segment of subnet 2 is a subset of the private segment of VPC2. Besides subnet 2, VPC2 may include other subnets, for example a subnet with the private segment 192.168.1.0/24 or one with 192.168.2.0/24. Router 2 forwards packets exchanged between different subnets.

Client 7 accesses control platform 6 through the Internet 8. Control platform 6 provides a VPC configuration interface; client 7 accesses the interface over the Internet and enters VPC configuration information, and control platform 6 configures VPCs in cloud data center 10 according to that information. Specifically, it can configure the functional modules of a VPC: create or delete a VPC, create or delete virtual machines in a VPC, configure the routing rules of the router in a VPC, and so on. Control platform 6 performs full lifecycle management of VPCs based on the configuration information. From the point of view of client 7, cloud data center 10 provides the logically isolated VPC1 and VPC2; client 7 can log in to VM1 or VM2 of VPC1 by remote desktop, and can also log in to VM3 or VM4 of VPC2. VPC1 and VPC2 are logically isolated and do not interfere with each other.

Client 7 is, for example, a terminal device with Internet access such as a mobile phone, personal computer, personal digital assistant or thin client; the user operates the virtual machines in cloud data center 10 by operating client 7.

As shown in Figure 1, VM1 and VM2 are placed in subnet 1 of VPC1; VM1 has the private address 192.168.0.2 in subnet 1 and VM2 has 192.168.0.3, and VM1 communicates with VM2 through switch 1. VM3 and VM4 are placed in subnet 2 of VPC2; VM3 has the private address 192.168.0.2 in subnet 2 and VM4 has 192.168.0.3, and VM3 communicates with VM4 through switch 2.

For example, a user operates client 7 to log in to VM1 and enters the Internet Control Message Protocol (ICMP) command "ping 192.168.0.3" in VM1. The command makes VM1 send IP packets to VM2 to test whether VM1 and VM2 can reach each other; in this embodiment VM1 and VM2 are in the same VPC1, so VM1 receives VM2's reply.

However, as Figure 1 shows, VPC1 and VPC2 are logically isolated, so the virtual machines of VPC1 cannot reach those of VPC2. Specifically, client 7 logs in to VM1 and enters the ICMP command "ping 192.168.0.3" in VM1 to test whether VM1 can reach VM4; because VM1 and VM4 are in different VPCs, VM1 receives no reply from VM4 (any reply it does see comes from VM2, which holds the same address in subnet 1).

When an enterprise moves to the cloud, business isolation between departments can be implemented with VPCs. For example, VPC1 belongs to the research and development department and VPC2 to the finance department. In the logical architecture of Figure 1, the VMs of the research and development department can communicate with each other and the VMs of the finance department can communicate with each other, but the VMs of the two departments cannot communicate. Placing the VMs of different departments in different VPCs therefore isolates their data effectively.

In practice, however, the VMs of the research and development department and those of the finance department sometimes do need to communicate; for example, a research and development VM may need to obtain the department's financial data from a finance VM, which is impossible if the two are completely isolated.

Therefore, in some implementations router 1 and router 2 are connected so that VPC1 and VPC2 can communicate. In the scenario of Figure 1, however, the private address ranges of subnet 1 and subnet 2 overlap, so even with router 1 and router 2 connected, subnet 1 and subnet 2 cannot communicate. For example, when VM1 wants to communicate with VM3 it builds an IP packet whose source and destination IP addresses are both 192.168.0.2; when that packet reaches switch 1 it is delivered back to VM1 according to its destination address, or is intercepted directly by VM1's own operating system, so it never reaches subnet 2.

To solve this problem, an embodiment of this invention provides a VPC communication system; see Figure 2, a schematic diagram of its system structure. As shown in Figure 2, VPC1 and VPC2, which have the same private address range, communicate through VPC3, whose private address range differs from those of VPC1 and VPC2. The private addresses inside VPC1 are bound to 10.0.0.9, an address in the private range of VPC3, and the private addresses inside VPC2 are bound to 10.0.0.10, another address in the private range of VPC3. A packet sent from VPC1 to VPC2 is given the source address 10.0.0.9 and the destination address 10.0.0.10; it is sent from VPC1 to VPC3 and forwarded by VPC3 to VPC2.

Through the bridging provided by VPC3, VPC1 reaches VPC2 by accessing 10.0.0.10, the address bound to VPC2, so the two can communicate even though their private address ranges overlap.

For further clarity, refer to Figure 3, a schematic diagram of another system structure of a VPC communication system according to an embodiment of this invention; Figure 3 is one concrete implementation of Figure 2. In this embodiment, control platform 6 sets up VPC3 between VPC1 and VPC2 with a private segment that does not overlap the private addresses of VPC1 or VPC2, sets up in VPC1 a gateway 1 connected to VPC3 and configured with a first private address of VPC3, and sets up in VPC2 a gateway 2 connected to VPC3 and configured with a second private address of VPC3. By configuring the routing rules of the routers of VPC1, VPC2 and VPC3 and the packet processing rules of gateway 1 and gateway 2, VM1 of VPC1 is bound to gateway 1 and VM3 of VPC2 is bound to gateway 2, so that VM1 communicates with VM3 by accessing the second private address of VPC3 and VM3 communicates with VM1 by accessing the first private address of VPC3.

其中,控制平台6可根据配置信息在云上数据中心10进行上述网关创建和规则配置,且该配置信息由客户端7输入至控制平台6提供的VPC配置界面中。The control platform 6 can create the aforementioned gateway and configure rules in the cloud data center 10 according to the configuration information, and the configuration information is input by the client 7 into the VPC configuration interface provided by the control platform 6.

在其他实施例中,控制平台6也可自动生成上述配置信息,并进行上述配置。In other embodiments, the control platform 6 may also automatically generate the above configuration information and perform the above configuration.

具体地:Specifically:

控制平台6根据配置信息可将VPC3的私网网段(例如10.0.0.0/24)的一个私网地址10.0.0.9分配给网关1,将VPC3的私网网段(例如10.0.0.0/24)的另一个私网地址10.0.0.10分配给网关2,并设置网关1与VPC3的路由器3连接,设置网关2与VPC3的路由器3连接,控制平台6分别对路由器及网关进行配置,使得:Based on the configuration information, control platform 6 can assign one private network address (10.0.0.9) from the private network segment of VPC3 (e.g., 10.0.0.0/24) to gateway 1, and assign another private network address (10.0.0.10) from the same segment to gateway 2. It also configures gateway 1 to connect to router 3 of VPC3, and gateway 2 to connect to router 3 of VPC3. Control platform 6 configures the routers and gateways respectively to achieve the following:

路由器1设置有:Router 1 is configured with:

路由规则1:路由器1接收到的报文的目的IP地址是VPC3的私有网段10.0.0.0/24时,将该IP报文转发至网关1;Routing rule 1: When router 1 receives a packet whose destination IP address is the private network segment 10.0.0.0/24 of VPC3, it forwards the IP packet to gateway 1;

路由规则2:路由器1接收到的报文的目的IP地址是子网1的私有网段192.168.0.0/24时,将该报文转发至子网1。Routing rule 2: When router 1 receives a packet whose destination IP address is the private network segment 192.168.0.0/24 of subnet 1, it forwards the packet to subnet 1.

网关1设置有:Gateway 1 is configured with:

报文处理规则1:网关1接收到的出报文的源IP地址为VM1在子网1的私网地址192.168.0.2时,将192.168.0.2转换为网关1在VPC3的私网地址10.0.0.9,并将修改后的出报文发送至VPC3的路由器3;Message processing rule 1: When the source IP address of the outgoing message received by gateway 1 is the private network address 192.168.0.2 of VM1 in subnet 1, 192.168.0.2 is converted to the private network address 10.0.0.9 of gateway 1 in VPC3, and the modified outgoing message is sent to router 3 of VPC3;

报文处理规则2:网关1接收到的入报文的目的IP地址为网关1在VPC3的私网地址10.0.0.9时,将10.0.0.9转换为VM1在子网1的私网地址192.168.0.2,并将修改后的入报文发送至VPC1的路由器1。Message processing rule 2: When the destination IP address of the incoming message received by gateway 1 is 10.0.0.9, which is the private network address of gateway 1 in VPC3, 10.0.0.9 is converted to 192.168.0.2, which is the private network address of VM1 in subnet 1, and the modified incoming message is sent to router 1 of VPC1.

其中,出报文是指网关1从路由器1接收到的报文,入报文是至网关1从路由器3接收到的报文。Outgoing messages refer to messages received by gateway 1 from router 1, while incoming messages are messages received by gateway 1 from router 3.

路由器3设置有:Router 3 has the following settings:

路由规则5:路由器3接收到的报文的目的IP地址是网关2在VPC3的私网地址10.0.0.10时,将该IP报文转发至网关2;Routing rule 5: If the destination IP address of a packet received by router 3 is gateway 2's private network address 10.0.0.10 in VPC3, then router 3 shall forward the IP packet to gateway 2.

路由规则6:路由器3接收到的报文的目的IP地址是网关1在VPC3的私网地址10.0.0.9时,将该报文转发至子网1。Routing rule 6: If the destination IP address of a packet received by router 3 is gateway 1 in VPC3's private network address 10.0.0.9, then the packet will be forwarded to subnet 1.

网关2设置有:Gateway 2 is configured with:

报文处理规则3:在网关2接收到的入报文的目的IP地址是网关2在VPC3的私网地址10.0.0.10时,将10.0.0.10转换为VM3在子网2的私网地址192.168.0.2,并将修改后的入报文发送至路由器2;Message processing rule 3: When the destination IP address of the incoming message received by gateway 2 is 10.0.0.10, the destination IP address of gateway 2 in VPC3 is converted to 192.168.0.2, the destination IP address of VM3 in subnet 2, and the modified incoming message is sent to router 2.

报文处理规则4:在网关2接收到的出报文的源IP地址为VM3在子网2的私网地址192.168.0.2时,将192.168.0.2转换为网关2在VPC3的私网地址10.0.0.10。Message processing rule 4: When the source IP address of the outgoing message received by gateway 2 is 192.168.0.2, the private network address of VM3 in subnet 2, 192.168.0.2 will be converted to the private network address of gateway 2 in VPC3, 10.0.0.10.

其中,出报文是指网关2从路由器2接收到的报文,入报文是指网关2从路由器3接收到的报文。Here, outgoing messages are the messages gateway 2 receives from router 2, and incoming messages are the messages gateway 2 receives from router 3.

路由器2设置有:Router 2 is configured with:

路由规则3:在路由器2接收到的报文的目的IP地址属于VPC3的私有网段10.0.0.0/24时,将该报文转发至网关2;Routing rule 3: When the destination IP address of a packet received by router 2 belongs to the private network segment 10.0.0.0/24 of VPC3, forward the packet to gateway 2;

路由规则4:在路由器2接收到的报文的目的IP地址是子网2的私有网段192.168.0.0/24时,将该报文转发至子网1。Routing rule 4: When the destination IP address of a packet received by router 2 is the private network segment 192.168.0.0/24 of subnet 2, forward the packet to subnet 1.

值得注意的是,网关1可以有两个私网地址,一个私网地址归属于VPC1,用于对设置于第一VPC内的网关的内部设置和管理,另一个地址归属于VPC3(例如为上述的10.0.0.9),用于对外进行通信,本专利申请涉及对外通信,因此,没有特殊说明情况下,本专利申请中的网关1的私网地址均指网关1归属于VPC3的私网地址,类似地,网关2也可以有两个私网地址,于此不作赘述。It is worth noting that Gateway 1 can have two private network addresses. One private network address belongs to VPC1 and is used for the internal settings and management of the gateway set up in the first VPC. The other address belongs to VPC3 (for example, 10.0.0.9 mentioned above) and is used for external communication. This patent application involves external communication. Therefore, unless otherwise specified, the private network address of Gateway 1 in this patent application refers to the private network address of Gateway 1 belonging to VPC3. Similarly, Gateway 2 can also have two private network addresses, which will not be elaborated here.

以下将结合图4对上述网关和路由器的对应规则的设置方法进行具体说明,图4是根据本发明实施例的VPC通信的设置方法的流程图,其中,该方法由控制平台6执行,该方法包括以下步骤:The following will describe in detail the method for setting the corresponding rules of the gateway and router as shown in Figure 4. Figure 4 is a flowchart of the VPC communication setting method according to an embodiment of the present invention. The method is executed by the control platform 6 and includes the following steps:

步骤S101:在VPC1创建网关1。Step S101: Create Gateway 1 in VPC1.

具体可结合图5a,图5a示出VPC1设置界面1,在该界面中,用户需输入网关名称(网关1)、网关所在的VPC(VPC1)、网关要连接的VPC(VPC3)以及网关在要连接的VPC的私网地址10.0.0.9。For details, refer to Figure 5a, which shows VPC1 settings interface 1. In this interface, the user enters the gateway name (gateway 1), the VPC in which the gateway is located (VPC1), the VPC to which the gateway connects (VPC3), and the gateway's private network address in the VPC to be connected (10.0.0.9).

步骤S102:配置网关1的报文处理规则。Step S102: Configure the message processing rules for gateway 1.

结合图5b,图5b示出VPC1设置界面2,在该界面中,用户输入创建的网关1的报文处理规则,图5b所示的报文处理规则即图2所示的网关1的报文处理规则1和报文处理规则2。Referring to Figure 5b, which shows the VPC1 settings interface 2, the user inputs the message processing rules for the created gateway 1. The message processing rules shown in Figure 5b are the same as message processing rule 1 and message processing rule 2 for gateway 1 shown in Figure 2.

其中报文处理规则1包括源网络地址转换(Source network address translation,SNAT)规则,报文处理规则2包括目的网络地址转换(Destination network address translation,DNAT)规则。Message processing rule 1 is a source network address translation (SNAT) rule, and message processing rule 2 is a destination network address translation (DNAT) rule.

步骤S103:配置VPC1的路由规则。Step S103: Configure routing rules for VPC1.

结合图5c,图5c示出VPC1设置界面3,在该界面中,用户输入路由器1的路由规则,即图2所示的路由规则1和路由规则2。Referring to Figure 5c, which shows the VPC1 settings interface 3, the user enters the routing rules of router 1, namely routing rule 1 and routing rule 2 shown in Figure 2.

步骤S104:在VPC2创建网关2。Step S104: Create Gateway 2 in VPC2.

具体可结合图5d,图5d示出VPC2设置界面1,在该界面中,用户需输入网关名称(网关2)、网关所在的VPC(VPC2)、网关要连接的VPC(VPC3)以及网关在要连接的VPC的私网地址10.0.0.10。For details, refer to Figure 5d, which shows VPC2 settings interface 1. In this interface, the user enters the gateway name (gateway 2), the VPC in which the gateway is located (VPC2), the VPC to which the gateway connects (VPC3), and the gateway's private network address in the VPC to be connected (10.0.0.10).

步骤S105:配置网关2的报文处理规则。Step S105: Configure the message processing rules for gateway 2.

结合图5e,图5e示出VPC2设置界面2,在该界面中,用户输入创建的网关2的报文处理规则,图5e所示的报文处理规则即图2所示的网关2的报文处理规则3和报文处理规则4。Referring to Figure 5e, which shows the VPC2 settings interface 2, the user inputs the message processing rules for the created gateway 2. The message processing rules shown in Figure 5e are the same as the message processing rules 3 and 4 of gateway 2 shown in Figure 2.

步骤S106:配置VPC2的路由规则。Step S106: Configure routing rules for VPC2.

结合图5f,图5f示出VPC2设置界面3,在该界面中,用户输入路由器2的路由规则,即图2所示的路由规则3和路由规则4。Referring to Figure 5f, which shows the VPC2 settings interface 3, the user enters the routing rules of router 2, namely routing rule 3 and routing rule 4 shown in Figure 2.

步骤S107:配置VPC2的路由规则。Step S107: Configure routing rules for VPC2.

结合图5g,图5g示出VPC3设置界面,在该界面中,用户输入路由器3的路由规则,即图2所示的路由规则5和路由规则6。Referring to Figure 5g, which shows the VPC3 settings interface, the user enters the routing rules for router 3, namely routing rule 5 and routing rule 6 shown in Figure 2.

其中,步骤S101-S107之间的顺序可根据需要调整,如可先执行创建网关2的步骤,再执行创建网关1的步骤,本发明实施例对此不作限定。The order of steps S101-S107 can be adjusted as needed. For example, the step of creating gateway 2 can be performed first, followed by the step of creating gateway 1. This embodiment of the invention does not limit this.

值得注意的是,上述配置信息由用户通过操作客户端7输入至控制平台6提供的VPC配置界面,并发送至控制平台6,控制平台6根据配置信息配置VPC1和VPC2。It is worth noting that the above configuration information is entered by the user, operating client 7, into the VPC configuration interface provided by control platform 6 and is sent to control platform 6, which configures VPC1 and VPC2 according to that configuration information.

控制平台6运行上述配置方法之后,可在云上数据中心10实现图2所示的VPC通信系统。After the control platform 6 runs the above configuration method, the VPC communication system shown in Figure 2 can be implemented in the cloud data center 10.

进一步地,请参见图6,图6示出根据本发明实施例的VPC通信的方法的数据交互图,该方法是基于图3所示的VPC通信系统,其具体示出VM1跨VPC访问VM3时的报文流向。Further, please refer to Figure 6, which shows a data interaction diagram of a VPC communication method according to an embodiment of the present invention. The method is based on the VPC communication system shown in Figure 3, and specifically shows the message flow when VM1 accesses VM3 across VPCs.

如图6所示,根据本发明实施例的VPC通信的方法包括以下步骤:As shown in Figure 6, the VPC communication method according to an embodiment of the present invention includes the following steps:

步骤1:VM1构造IP报文1并将IP报文1发送至交换机1。Step 1: VM1 constructs IP packet 1 and sends IP packet 1 to switch 1.

IP报文1的IP头的源IP地址是VM1在子网1的私网地址192.168.0.2,目的IP地址是网关2在子网3的私网地址10.0.0.10,IP报文1的数据部分携带有请求信息。The source IP address of IP packet 1 is 192.168.0.2, the private network address of VM1 in subnet 1, and the destination IP address is 10.0.0.10, the private network address of gateway 2 in subnet 3. The data portion of IP packet 1 carries request information.

值得注意的是,VM1根据业务需要,可以提前查询获取10.0.0.10与VM3的对应关系,例如可以向第二VPC查询10.0.0.10与VM3的对应关系,也可以向控制平台6查询到10.0.0.10与VM3的对应关系。It is worth noting that VM1 can query the correspondence between 10.0.0.10 and VM3 in advance according to business needs. For example, it can query the correspondence between 10.0.0.10 and VM3 from the second VPC, or it can query the correspondence between 10.0.0.10 and VM3 from the control platform 6.

步骤2:交换机1转发IP报文1至路由器1。Step 2: Switch 1 forwards IP packet 1 to router 1.

交换机1接收IP报文1后,确认IP报文1的目的IP地址不属于子网1,将IP报文1发送至路由器1进行跨网段报文传输。After receiving IP packet 1, switch 1 confirms that the destination IP address of IP packet 1 does not belong to subnet 1, and sends IP packet 1 to router 1 for cross-network segment packet transmission.

步骤3:路由器1根据路由规则1转发IP报文1。Step 3: Router 1 forwards IP packet 1 according to routing rule 1.

路由器1接收IP报文1后,根据IP报文1的目的IP地址(10.0.0.10)匹配路由规则1,根据路由规则1将IP报文1发送至网关1。After receiving IP packet 1, router 1 matches the destination IP address (10.0.0.10) with routing rule 1 and sends IP packet 1 to gateway 1 according to routing rule 1.

步骤4:网关1根据报文处理规则1修改IP报文1的源IP地址并发送修改后的IP报文1至路由器3。Step 4: Gateway 1 modifies the source IP address of IP packet 1 according to packet processing rule 1 and sends the modified IP packet 1 to router 3.

网关1从路由器1接收IP报文1后,由于IP报文1来自路由器1,因此确认IP报文1为出报文,根据IP报文1的源IP地址匹配报文处理规则1,将IP报文1的源IP地址从192.168.0.2修改为10.0.0.9,并将修改后的IP报文1发送至路由器3。After receiving IP packet 1 from router 1, gateway 1 confirms that IP packet 1 is an outgoing packet because it comes from router 1. According to the packet processing rule 1, the source IP address of IP packet 1 is matched and modified from 192.168.0.2 to 10.0.0.9. The modified IP packet 1 is then sent to router 3.

步骤5:路由器3根据路由规则5转发IP报文1至网关2。Step 5: Router 3 forwards IP packet 1 to gateway 2 according to routing rule 5.

路由器3接收IP报文1后,根据IP报文1的目的IP地址(10.0.0.10)匹配路由规则5,将IP报文1转发至网关2。After receiving IP packet 1, router 3 matches the destination IP address (10.0.0.10) with routing rule 5 and forwards IP packet 1 to gateway 2.

步骤6:网关2根据报文处理规则3修改IP报文1的目的IP地址并发送修改后的IP报文1至路由器2。Step 6: Gateway 2 modifies the destination IP address of IP packet 1 according to packet processing rule 3 and sends the modified IP packet 1 to router 2.

网关2从路由器3接收IP报文1后,由于IP报文1来自路由器3,因此确认IP报文1是入报文,根据IP报文1的目的地址匹配报文处理规则3,将IP报文1的目的IP地址从10.0.0.10修改为192.168.0.2,并将修改后的IP报文1发送至路由器2。After receiving IP packet 1 from router 3, gateway 2 confirms that IP packet 1 is an incoming packet since it comes from router 3. Gateway 2 matches the destination address of IP packet 1 against packet processing rule 3, modifies the destination IP address of IP packet 1 from 10.0.0.10 to 192.168.0.2, and sends the modified IP packet 1 to router 2.

步骤7:路由器2根据路由规则4转发修改后的IP报文1至交换机2。Step 7: Router 2 forwards the modified IP packet 1 to switch 2 according to routing rule 4.

路由器2根据IP报文1的目的IP地址192.168.0.2匹配路由规则4,将IP报文1发送至子网2,而交换机2设置于子网2中,具体地,是将IP报文1发送至子网2的交换机2。Router 2 matches the destination IP address 192.168.0.2 of IP packet 1 against routing rule 4 and sends IP packet 1 to subnet 2. Since switch 2 is located in subnet 2, this specifically means that IP packet 1 is sent to switch 2 of subnet 2.

步骤8:交换机2将IP报文1发送至VM3。Step 8: Switch 2 sends IP packet 1 to VM3.

交换机2根据IP报文1的目的IP地址192.168.0.2将IP报文1发送至VM3。Switch 2 sends IP packet 1 to VM3 based on the destination IP address 192.168.0.2 of IP packet 1.

步骤9:VM3构造并发送IP报文2至交换机2。Step 9: VM3 constructs and sends IP packet 2 to switch 2.

IP报文2是IP报文1的应答报文。IP packet 2 is a response message to IP packet 1.

VM3接收IP报文1之后,从IP报文1的数据部分获取请求信息,根据请求信息产生应答信息,并构造IP报文2,具体地,VM3将IP报文1的源IP地址10.0.0.9设置为IP报文2的目的IP地址,将IP报文1的目的IP地址192.168.0.2设置为IP报文2的源IP地址,将应答信息设置于IP报文2的数据部分,将IP报文2发送至交换机2。After receiving IP packet 1, VM3 obtains the request information from the data portion of IP packet 1, generates response information based on the request information, and constructs IP packet 2. Specifically, VM3 sets the source IP address 10.0.0.9 of IP packet 1 to the destination IP address of IP packet 2, sets the destination IP address 192.168.0.2 of IP packet 1 to the source IP address of IP packet 2, sets the response information in the data portion of IP packet 2, and sends IP packet 2 to switch 2.

步骤10:交换机2转发IP报文2至路由器2。Step 10: Switch 2 forwards IP packet 2 to router 2.

交换机2接收IP报文2后,确认IP报文2的目的IP地址10.0.0.9不属于子网1(192.168.0.0/24),将IP报文2发送至路由器2进行跨网段报文传输。After receiving IP packet 2, switch 2 confirms that the destination IP address 10.0.0.9 of IP packet 2 does not belong to subnet 1 (192.168.0.0/24), and sends IP packet 2 to router 2 for cross-network segment packet transmission.

步骤11:路由器2根据路由规则3转发IP报文2。Step 11: Router 2 forwards IP packet 2 according to routing rule 3.

路由器2接收IP报文2后,根据IP报文2的目的IP地址(10.0.0.9)匹配路由规则3,根据路由规则3将IP报文2发送至网关2。After receiving IP packet 2, router 2 matches the destination IP address (10.0.0.9) of IP packet 2 with routing rule 3, and sends IP packet 2 to gateway 2 according to routing rule 3.

步骤12:网关2根据报文处理规则4修改IP报文2的源IP地址并发送修改后的IP报文2至路由器3。Step 12: Gateway 2 modifies the source IP address of IP packet 2 according to packet processing rule 4 and sends the modified IP packet 2 to router 3.

网关2从路由器2接收IP报文2后,由于IP报文2来自路由器2,因此确认IP报文2为出报文,根据IP报文2的源IP地址匹配报文处理规则4,将IP报文2的源IP地址从192.168.0.2修改为10.0.0.10,并将修改后的IP报文2发送至路由器3。After receiving IP packet 2 from router 2, gateway 2 confirms that IP packet 2 is an outgoing packet because it comes from router 2. According to the packet processing rule 4, it modifies the source IP address of IP packet 2 from 192.168.0.2 to 10.0.0.10 and sends the modified IP packet 2 to router 3.

步骤13:路由器3根据路由规则6转发IP报文2至网关1。Step 13: Router 3 forwards IP packet 2 to gateway 1 according to routing rule 6.

路由器3接收IP报文2后,根据IP报文2的目的IP地址(10.0.0.9)匹配路由规则6,将IP报文2转发至网关1。After receiving IP packet 2, router 3 matches the destination IP address (10.0.0.9) with routing rule 6 and forwards IP packet 2 to gateway 1.

步骤14:网关1根据报文处理规则2修改IP报文2的目的IP地址并发送修改后的IP报文2至路由器1。Step 14: Gateway 1 modifies the destination IP address of IP packet 2 according to packet processing rule 2 and sends the modified IP packet 2 to router 1.

网关1从路由器3接收IP报文2后,由于IP报文2来自路由器3,因此确认IP报文2是入报文,根据IP报文2的目的地址匹配报文处理规则2,将IP报文2的目的IP地址从10.0.0.9修改为192.168.0.2,并将修改后的IP报文2发送至路由器1。After receiving IP packet 2 from router 3, gateway 1 confirms that IP packet 2 is an incoming packet since it comes from router 3. Gateway 1 matches the destination address of IP packet 2 against packet processing rule 2, modifies the destination IP address of IP packet 2 from 10.0.0.9 to 192.168.0.2, and sends the modified IP packet 2 to router 1.

步骤15:路由器1根据路由规则2转发修改后的IP报文2至交换机1。Step 15: Router 1 forwards the modified IP packet 2 to switch 1 according to routing rule 2.

路由器1根据IP报文2的目的IP地址192.168.0.2匹配路由规则2,将IP报文2发送至子网1,而交换机1设置于子网1中,具体地,是将IP报文2发送至子网1的交换机1。Router 1 matches the destination IP address 192.168.0.2 of IP packet 2 against routing rule 2 and sends IP packet 2 to subnet 1. Since switch 1 is located in subnet 1, this specifically means that IP packet 2 is sent to switch 1 of subnet 1.

步骤16:交换机1将IP报文2发送至VM1。Step 16: Switch 1 sends IP packet 2 to VM1.

交换机1根据IP报文2的目的IP地址192.168.0.2将IP报文2发送至VM1。Switch 1 sends IP packet 2 to VM1 based on the destination IP address 192.168.0.2 of IP packet 2.

VM1接收到IP报文2后,根据IP报文2的源IP地址10.0.0.10和目的IP地址192.168.0.2确认IP报文2是IP报文1的应答报文(由于IP报文2的源IP地址和目的IP地址与IP报文1相比是倒置的),VM1从IP报文2的数据部分获取应答信息,从而完成VM1与VM2之间的通信过程。After receiving IP packet 2, VM1 confirms that IP packet 2 is a response packet to IP packet 1 based on the source IP address 10.0.0.10 and destination IP address 192.168.0.2 (since the source IP address and destination IP address of IP packet 2 are reversed compared to IP packet 1). VM1 obtains the response information from the data part of IP packet 2, thereby completing the communication process between VM1 and VM2.

综上,通过在云上数据中心10配置网关1-2以及VPC3,并对VPC1-3的路由器及网关1-2进行配置,可使得VM1和VM3在私网地址相同的情况下也能够实现通信。In summary, by configuring gateways 1-2 and VPC3 in cloud data center 10, and configuring the routers and gateways 1-2 in VPC1-3, VM1 and VM3 can communicate even when they have the same private network address.

举例而言,本发明实施例适用于以下场景,即VPC3作为企业内部的大网,而VPC1和VPC2作为企业内部小网,VPC1例如为财务部的虚拟网络,VPC2例如为研发部的虚拟网络,VPC3例如为企业的IT管理部的虚拟网络,当VPC1与VPC2私网地址重叠时,可向控制平台申请VPC3的私网地址,例如VPC1申请到VPC3的私网地址1,VPC2申请到VPC3的私网地址2,通过网关将VPC1中的虚拟机与私网地址1绑定,通过网关将VPC2中的虚拟机与私网地址2绑定,VPC1的虚拟机可通过访问私网地址2来访问VPC2的虚拟机,VPC2的虚拟机可通过访问私网地址1来访问VPC1的虚拟机,从而解决企业内部不同VPC私网地址重叠而造成不能相互通信的技术问题。For example, the embodiments of the present invention are applicable to the following scenario: VPC3 serves as the large network within an enterprise, while VPC1 and VPC2 serve as smaller networks within the enterprise. VPC1 is, for example, the virtual network of the finance department, VPC2 is, for example, the virtual network of the R&D department, and VPC3 is, for example, the virtual network of the enterprise's IT management department. When the private network addresses of VPC1 and VPC2 overlap, a private network address of VPC3 can be requested from the control platform. For example, VPC1 requests private network address 1 of VPC3, and VPC2 requests private network address 2 of VPC3. The virtual machines in VPC1 are bound to private network address 1 through the gateway, and the virtual machines in VPC2 are bound to private network address 2 through the gateway. The virtual machines in VPC1 can access the virtual machines in VPC2 by accessing private network address 2, and the virtual machines in VPC2 can access the virtual machines in VPC1 by accessing private network address 1. This solves the technical problem of the inability to communicate with each other caused by the overlap of private network addresses of different VPCs within the enterprise.

值得注意的是,VPC1、VPC2以及VPC3可以属于不同的用户,不同的用户根据各自的账号登陆各自的VPC,当VPC1与VPC3需要建立连接时,VPC1的用户可在控制平台输入VPC3的用户的账号,控制平台根据VPC3的用户账号发送请求至VPC3的设置界面,VPC3的用户可通过操作VPC3的设置界面确认是否接受请求,在接受请求的情况下,控制平台才会在VPC1与VPC3之间建立连接,而VPC2和VPC3建立连接的情况也是类似的。It is worth noting that VPC1, VPC2, and VPC3 can belong to different users. Different users log in to their respective VPCs using their own accounts. When VPC1 and VPC3 need to establish a connection, the user of VPC1 can enter the user's account in the control platform. The control platform sends a request to the VPC3 settings interface based on the VPC3 user's account. The user of VPC3 can confirm whether to accept the request through the VPC3 settings interface. Only if the request is accepted will the control platform establish a connection between VPC1 and VPC3. The connection establishment process between VPC2 and VPC3 is similar.

在其他实施例中,在VPC1、VPC2以及VPC3属于相同的用户的情况下,该用户通过一个账号即可登录VPC1、VPC2以及VPC3,此时控制平台无需发送请求。In other embodiments, if VPC1, VPC2, and VPC3 belong to the same user, that user can log in to VPC1, VPC2, and VPC3 with a single account, and the control platform does not need to send a request.

其中,用户可向控制平台注册账号,并通过账号在控制平台提供的付费页面中购买VPC。Users can register an account with the control platform and purchase VPCs through the paid page provided by the control platform.

以下请参见图7,图7示出根据本发明实施例的VPC通信系统的另一系统结构示意图,在本实施例中,相对于图2所示实施例而言,网关1也可以与VPC1的其他子网中的VM绑定,网关2也可以与VPC2的其他子网中的VM绑定,如图7所示,VPC1中还设置有子网3(192.168.1.0/24),且子网3中设置有VM5,VM5的私网地址是192.168.1.2,VPC2中还设置有子网4(192.168.1.0/24),且子网4中设置有VM6,VM5的私网地址也是192.168.1.2。Please refer to Figure 7 below. Figure 7 shows another system structure diagram of the VPC communication system according to an embodiment of the present invention. In this embodiment, compared with the embodiment shown in Figure 2, gateway 1 can also be bound to VMs in other subnets of VPC1, and gateway 2 can also be bound to VMs in other subnets of VPC2. As shown in Figure 7, VPC1 also has a subnet 3 (192.168.1.0/24), and a VM5 is set in subnet 3. The private network address of VM5 is 192.168.1.2. VPC2 also has a subnet 4 (192.168.1.0/24), and a VM6 is set in subnet 4. The private network address of VM5 is also 192.168.1.2.

此时,若VM5需要和VM6通信,则可以在路由器1中增置路由规则7:目的IP地址属于192.168.1.0/24的报文转发至子网3,在路由器2中增置路由规则8:目的IP地址属于192.168.1.0/24的报文转发至子网4,并为网关1分配VPC3的私网地址(例如为10.0.0.11),为网关1设置报文处理规则5:出报文的源IP地址是192.168.1.2时,将源IP地址修改为10.0.0.11,设置报文处理规则6:入报文的目的IP地址是10.0.0.11时,将目的IP地址修改为192.168.1.2。If VM5 needs to communicate with VM6, then in router 1, add routing rule 7: forward packets with a destination IP address of 192.168.1.0/24 to subnet 3. In router 2, add routing rule 8: forward packets with a destination IP address of 192.168.1.0/24 to subnet 4. Assign a private network address of VPC3 to gateway 1 (e.g., 10.0.0.11). Set packet processing rule 5 for gateway 1: when the source IP address of an outgoing packet is 192.168.1.2, change the source IP address to 10.0.0.11. Set packet processing rule 6: when the destination IP address of an incoming packet is 10.0.0.11, change the destination IP address to 192.168.1.2.

为网关2分配VPC3的私网地址(例如为10.0.0.12),为网关2设置报文处理规则7:出报文的源IP地址是192.168.1.2时,将源IP地址修改为10.0.0.12,并将修改后的出报文发送至路由器3,设置报文处理规则8:入报文的目的IP地址是10.0.0.12时,将目的IP地址修改为192.168.1.2。Assign a private network address of VPC3 to gateway 2 (e.g., 10.0.0.12). Configure packet processing rule 7 for gateway 2: when the source IP address of an outgoing packet is 192.168.1.2, change the source IP address to 10.0.0.12 and send the modified outgoing packet to router 3. Configure packet processing rule 8: when the destination IP address of an incoming packet is 10.0.0.12, change the destination IP address to 192.168.1.2.

为路由器3设置路由规则9:目的IP地址是10.0.0.12时,将报文发送至网关2,设置路由规则10:目的IP地址是10.0.0.11时,将报文发送至网关1。Configure routing rule 9 for router 3: when the destination IP address is 10.0.0.12, send the packet to gateway 2. Configure routing rule 10: when the destination IP address is 10.0.0.11, send the packet to gateway 1.

基于以上配置,VM5可构造源IP地址是192.168.1.2,目的IP地址是10.0.0.12的IP报文,以与以上实施例类似的通信方式将该IP报文经由路由器1、网关1、路由器3、网关2以及路由器2发送至VM6,且VM6返回的用于应答的IP报文也可经由路由器2、网关2、路由器3、网关1以及路由器1发送至VM1。Based on the above configuration, VM5 can construct an IP packet with a source IP address of 192.168.1.2 and a destination IP address of 10.0.0.12, and send the IP packet to VM6 via Router 1, Gateway 1, Router 3, Gateway 2 and Router 2 in a communication manner similar to the above embodiments. The IP packet returned by VM6 for response can also be sent to VM1 via Router 2, Gateway 2, Router 3, Gateway 1 and Router 1.

因此,在本发明实施例中,通过对网关和路由器设置不同的规则,可使得VPC1与VPC2中具有相同私网地址段的不同子网互通。Therefore, in this embodiment of the invention, by setting different rules for the gateway and the router, different subnets with the same private network address range in VPC1 and VPC2 can communicate with each other.

进一步,本发明实施例也可以实现云下数据中心之间在私网地址重叠的情况下进行通信,请参见图8,图8示出根据本发明实施例的VPC通信系统的另一系统结构示意图,图8在图3所示的实施例的基础上增设云下数据中心21-22,云下数据中心21包括子网5,子网5中设置有物理机(Physical machine,PM)1和PM2,云下数据中心22包括子网6,子网6中设置有物理机(Physical machine,PM)3和PM4,子网5通过远程连接网关3接入VPC1的远程连接网关1,子网6通过远程连接网关4接入VPC2的远程连接网关2,其中,远程连接网关3和远程连接网关1之间形成远程通信隧道,远程连接网关4和远程连接网关2之间形成远程通信隧道,IP报文可在远程通信隧道中传输,且传输过程中IP报文保持不变。Furthermore, embodiments of the present invention can also enable communication between on-premises data centers whose private network addresses overlap. Please refer to Figure 8, which shows another system structure diagram of the VPC communication system according to an embodiment of the present invention. Figure 8 adds on-premises data centers 21-22 to the embodiment shown in Figure 3. On-premises data center 21 includes subnet 5, in which physical machines (PM) 1 and PM2 are located. On-premises data center 22 includes subnet 6, in which physical machines (PM) 3 and PM4 are located. Subnet 5 is connected to remote connection gateway 1 of VPC1 through remote connection gateway 3, and subnet 6 is connected to remote connection gateway 2 of VPC2 through remote connection gateway 4. A remote communication tunnel is formed between remote connection gateway 3 and remote connection gateway 1, and another between remote connection gateway 4 and remote connection gateway 2. IP packets are transmitted through the remote communication tunnels and remain unchanged in transit.

值得注意的是,VPC1的远程连接网关1和VPC2的远程连接网关2可由控制平台6根据配置信息进行配置,且该配置信息由用户操作客户端7输入至控制平台6。It is worth noting that the remote connection gateway 1 of VPC1 and the remote connection gateway 2 of VPC2 can be configured by the control platform 6 according to the configuration information, and the configuration information is input to the control platform 6 by the user operation client 7.

远程通信网关举例而言可以是虚拟私有网络(Virtual private network,VPN)网关,或者是专线网关。For example, a remote communication gateway can be a Virtual Private Network (VPN) gateway or a leased line gateway.

如图8所示,子网5和子网6的私网地址重叠,PM1需与PM3通信,则可以在路由器1中增置路由规则11:目的IP地址属于192.168.2.0/24的报文转发至远程连接网关1,在路由器2中增置路由规则12:目的IP地址属于192.168.2.0/24的报文转发至远程连接网关2,并为网关1分配VPC3的私网地址(例如为10.0.0.13),为网关1设置报文处理规则9:出报文的源IP地址是192.168.2.2时,将源IP地址修改为10.0.0.13,设置报文处理规则10:入报文的目的IP地址是10.0.0.13时,将目的IP地址修改为192.168.2.2。As shown in Figure 8, the private network addresses of subnets 5 and 6 overlap. PM1 needs to communicate with PM3. Therefore, we can add routing rule 11 to router 1: forward packets with a destination IP address of 192.168.2.0/24 to remote connection gateway 1. In router 2, we can add routing rule 12: forward packets with a destination IP address of 192.168.2.0/24 to remote connection gateway 2. We can also assign a private network address of VPC3 (e.g., 10.0.0.13) to gateway 1. We can set packet processing rule 9 for gateway 1: when the source IP address of an outgoing packet is 192.168.2.2, change the source IP address to 10.0.0.13. We can also set packet processing rule 10: when the destination IP address of an incoming packet is 10.0.0.13, change the destination IP address to 192.168.2.2.

为网关2分配VPC3的私网地址(例如为10.0.0.14),为网关2设置报文处理规则11:出报文的源IP地址是192.168.2.2时,将源IP地址修改为10.0.0.14,并将修改后的出报文发送至路由器3,设置报文处理规则12:入报文的目的IP地址是10.0.0.14时,将目的IP地址修改为192.168.2.2,并将修改后的入报文发送至路由器2。Assign a private network address of VPC3 to gateway 2 (e.g., 10.0.0.14). Configure packet processing rule 11 for gateway 2: when the source IP address of an outgoing packet is 192.168.2.2, change the source IP address to 10.0.0.14 and send the modified outgoing packet to router 3. Configure packet processing rule 12: when the destination IP address of an incoming packet is 10.0.0.14, change the destination IP address to 192.168.2.2 and send the modified incoming packet to router 2.

为路由器3设置路由规则13:目的IP地址是10.0.0.14时,将报文发送至网关2,设置路由规则14:目的IP地址是10.0.0.13时,将报文发送至网关1。Configure routing rule 13 for router 3: when the destination IP address is 10.0.0.14, send the packet to gateway 2. Configure routing rule 14: when the destination IP address is 10.0.0.13, send the packet to gateway 1.

基于以上配置,PM1可构造源IP地址是192.168.2.2,目的IP地址是10.0.0.14的IP报文,该报文被交换机5转发到远程连接网关3,经远程通信隧道发送到远程连接网关1,并被远程连接网关1发送至路由器1后,以与以上实施例类似的通信方式将该IP报文经由路由器1、网关1、路由器3、网关2以及路由器2发送至远程连接网关2,并经远程通信隧道发送到远程连接网关4,从而到达子网6中的PM3。类似地,PM3返回的用于应答的IP报文也可发送至PM1。Based on the above configuration, PM1 can construct an IP packet with a source IP address of 192.168.2.2 and a destination IP address of 10.0.0.14. This packet is forwarded by switch 5 to remote connection gateway 3, sent to remote connection gateway 1 via a remote communication tunnel, and then sent by remote connection gateway 1 to router 1. Using a communication method similar to the above embodiment, the IP packet is then sent to remote connection gateway 2 via router 1, gateway 1, router 3, gateway 2, and router 2, and finally to remote connection gateway 4 via a remote communication tunnel, thus reaching PM3 in subnet 6. Similarly, the IP packet returned by PM3 for acknowledgment can also be sent to PM1.

值得注意的是,云下数据中心的PM也可以替换为VM,本发明实施例对此不作限定。It is worth noting that the PM in the on-premises data center can also be replaced with VM, and this embodiment of the invention does not limit this.

因此,在本发明其他实施例中,通过对网关和路由器设置不同的规则,可使得云下数据中心之间具有相同私网地址段的不同子网通过云上数据中心互通。Therefore, in other embodiments of the present invention, by setting different rules for gateways and routers, different subnets with the same private network address range between on-premises data centers can be interconnected through cloud data centers.

以下请参见图9,图9是根据本发明实施例的VPC通信系统的另一系统结构示意图,本实施例与图3所示的实施例相比,将网关1设置在子网1中,将网关2设置在子网2中,此时,网关1和网关2仅能支持子网1和子网2互通。Please refer to Figure 9 below. Figure 9 is a schematic diagram of another system structure of the VPC communication system according to an embodiment of the present invention. Compared with the embodiment shown in Figure 3, in this embodiment, gateway 1 is set in subnet 1 and gateway 2 is set in subnet 2. At this time, gateway 1 and gateway 2 can only support communication between subnet 1 and subnet 2.

具体而言,控制平台6根据配置信息可将VPC3的私网网段(例如10.0.0.0/24)的一个私网地址10.0.0.9分配给网关1,将VPC3的私网网段(例如10.0.0.0/24)的另一个私网地址10.0.0.10分配给网关2,并设置路由器1与路由器3连接,设置路由器2与路由器3连接。Specifically, the control platform 6 can assign one private network address 10.0.0.9 of the private network segment of VPC3 (e.g., 10.0.0.0/24) to gateway 1, assign another private network address 10.0.0.10 of the private network segment of VPC3 (e.g., 10.0.0.0/24) to gateway 2, and set up router 1 to connect with router 3, and set up router 2 to connect with router 3.

路由器1设置有:Router 1 is configured with:

路由规则1’:路由器1接收到的报文的目的IP地址是10.0.0.10时,将该报文转发至VPC3;Routing rule 1': When the destination IP address of a packet received by router 1 is 10.0.0.10, forward the packet to VPC3;

路由规则2’:路由器1接收到的报文的目的IP地址是10.0.0.9时,将该报文转发至网关1。Routing rule 2': When router 1 receives a packet whose destination IP address is 10.0.0.9, it forwards the packet to gateway 1.

网关1设置有:Gateway 1 is configured with:

报文处理规则1’:网关1接收到的出报文的源IP地址为VM1在子网1的私网地址192.168.0.2时,将192.168.0.2转换为网关1在VPC3的私网地址10.0.0.9,并将修改后的出报文发送至路由器1;Message processing rule 1': When the source IP address of the outgoing message received by gateway 1 is 192.168.0.2, the private network address of VM1 in subnet 1, 192.168.0.2 is converted to 10.0.0.9, the private network address of gateway 1 in VPC3, and the modified outgoing message is sent to router 1;

报文处理规则2’:网关1接收到的入报文的目的IP地址为网关1在VPC3的私网地址10.0.0.9时,将10.0.0.9转换为VM1在子网1的私网地址192.168.0.2,并将修改后的入报文发送至网关1。Message processing rule 2': When the destination IP address of the incoming message received by gateway 1 is 10.0.0.9, the gateway 1 will convert 10.0.0.9 to 192.168.0.2, the private network address of VM1 in subnet 1, and send the modified incoming message to gateway 1.

其中,出报文是指网关1从交换机1接收到的报文,入报文是指网关1从路由器1接收到的报文。Here, outgoing messages are the messages gateway 1 receives from switch 1, and incoming messages are the messages gateway 1 receives from router 1.

路由器2设置有:Router 2 is configured with:

路由规则5’:在路由器2接收到的报文的目的IP地址是10.0.0.9时,将该报文转发至VPC3;Routing rule 5': When the destination IP address of a packet received by router 2 is 10.0.0.9, forward the packet to VPC3;

路由规则6’:在路由器2接收到的报文的目的IP地址是10.0.0.10时,将该报文转发至网关2。Routing rule 6': When the destination IP address of a packet received by router 2 is 10.0.0.10, forward the packet to gateway 2.

网关2设置有:Gateway 2 is configured with:

报文处理规则3’:在网关2接收到的入报文的目的IP地址为10.0.0.10时,将10.0.0.10转换为192.168.0.2,将修改后的出报文发送至路由器2;Message processing rule 3': When the destination IP address of the incoming message received by gateway 2 is 10.0.0.10, 10.0.0.10 is converted to 192.168.0.2, and the modified outgoing message is sent to router 2;

报文处理规则4’:在网关2接收到的出报文的源IP地址为192.168.0.2时,将192.168.0.2转换为10.0.0.10,并将修改后的出报文发送至路由器1。Message processing rule 4': When the source IP address of the outgoing message received by gateway 2 is 192.168.0.2, 192.168.0.2 is converted to 10.0.0.10, and the modified outgoing message is sent to router 1.

其中,出报文是指网关2从交换机2接收到的报文,入报文是指网关1从路由器2接收到的报文。Here, outgoing messages are the messages gateway 2 receives from switch 2, and incoming messages are the messages gateway 1 receives from router 2.

路由器3设置有:Router 3 has the following settings:

路由规则3’:在路由器2接收到的报文的目的IP地址是10.0.0.10时,将该报文转发至路由器2;Routing rule 3': When the destination IP address of a packet received by router 2 is 10.0.0.10, forward the packet to router 2;

路由规则4’:在路由器2接收到的报文的目的IP地址是10.0.0.9时,将该报文转发至路由器1。Routing rule 4': When the destination IP address of a packet received by router 2 is 10.0.0.9, forward the packet to router 1.

When VM1 needs to access VM3 across VPCs, VM1 constructs IP packet 1'. The source IP address of IP packet 1' is VM1's private network address in subnet 1, 192.168.0.2; the destination IP address is gateway 2's private network address in subnet 3, 10.0.0.10; and the data part of IP packet 1' carries the request information.

VM1 sends IP packet 1' to switch 1. Switch 1 determines that the destination IP address of IP packet 1' does not belong to subnet 1 and sends IP packet 1' to gateway 1. Gateway 1 matches IP packet 1' against packet processing rule 1' and converts the source IP address of IP packet 1' from 192.168.0.2 to 10.0.0.9, then sends the modified IP packet 1' to router 1. Router 1 matches IP packet 1' against routing rule 2' and forwards IP packet 1' to router 3 of VPC3.

Router 3 receives IP packet 1', matches it against routing rule 3', and forwards IP packet 1' to router 2 of VPC2.

Router 2 receives IP packet 1', matches it against routing rule 6', and forwards IP packet 1' to gateway 2.

Gateway 2 receives IP packet 1', matches it against packet processing rule 3', and converts the destination IP address of IP packet 1' from 10.0.0.10 to 192.168.0.2. Gateway 2 then sends IP packet 1' to switch 2, and switch 2 sends IP packet 1' to VM3.

VM3 generates response information from the request information carried in the data part of IP packet 1' and constructs IP packet 2', the response packet to IP packet 1'. The source IP address of IP packet 2' is the destination IP address of IP packet 1', 192.168.0.2; the destination IP address is the source IP address of IP packet 1', 10.0.0.9; and the data part of IP packet 2' carries the response information.

VM3 sends IP packet 2' to switch 2. Switch 2 determines that the destination IP address of IP packet 2' does not belong to subnet 2 and sends IP packet 2' to gateway 2.

Gateway 2 matches IP packet 2' against packet processing rule 4', converts the source IP address of IP packet 2' from 192.168.0.2 to 10.0.0.10, and sends IP packet 2' to router 2.

Router 2 matches IP packet 2' against routing rule 5' and forwards IP packet 2' to router 3 of VPC3.

Router 3 receives IP packet 2', matches it against routing rule 4', and forwards IP packet 2' to router 1 of VPC1.

Router 1 receives IP packet 2', matches it against routing rule 2', and forwards IP packet 2' to gateway 1.

Gateway 1 receives IP packet 2', matches it against packet processing rule 2', converts the destination IP address of IP packet 2' from 10.0.0.9 to 192.168.0.2, and sends IP packet 2' to switch 1. Switch 1 then sends IP packet 2' to VM1.

VM1 obtains the response information carried in IP packet 2'. From VM1's point of view, IP packet 2' comes from 10.0.0.10 and is the response packet to IP packet 1'.

In summary, in this embodiment, although VM1 and VM2 have the same private network address, they can access each other through the bridging provided by VPC3.
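To make the translations and routes of this embodiment concrete, the following is an added Python simulation (not part of the patent) that models gateways 1 and 2 with their 1:1 address mappings, routers 1, 2 and 3 with the routes applied in the walkthrough above, and the two subnet switches; the /24 prefix length, the node names and the payload strings are assumptions. It traces IP packet 1' from VM1 to VM3 and the reply 2' back, and also shows that a gateway drops an outgoing packet whose source address has no mapping, which is the check that keeps an unexpected host in the subnet from appearing in VPC3 under the gateway's address.

```python
"""Added simulation of the VPC3 bridging embodiment: VM1 in VPC1 and VM3 in VPC2
share the private address 192.168.0.2; gateways 1 and 2 translate it to their
own addresses in subnet 3 of VPC3 (10.0.0.9 and 10.0.0.10), and routers 1, 2
and 3 forward on those addresses only."""
import ipaddress
from dataclasses import dataclass, replace

VM1_ADDR = "192.168.0.2"   # VM1 in subnet 1 (VPC1), from the embodiment
VM3_ADDR = "192.168.0.2"   # VM3 in subnet 2 (VPC2): same address as VM1
GW1_ADDR = "10.0.0.9"      # gateway 1's address in subnet 3 (VPC3)
GW2_ADDR = "10.0.0.10"     # gateway 2's address in subnet 3 (VPC3)
SUBNET_MASK = "/24"        # assumption: the page gives no prefix length


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


@dataclass
class Switch:
    """Subnet switch: delivers locally, hands everything else to the gateway."""
    subnet: str
    host: str
    gateway: str

    def handle(self, pkt, came_from):
        if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.subnet):
            return self.host, pkt
        return self.gateway, pkt


@dataclass
class Gateway:
    """1:1 mapping between one VPC-internal address and the gateway's own
    address in VPC3 (rules 1'/2' on gateway 1, rules 3'/4' on gateway 2)."""
    vpc_side: str          # node the VPC's outgoing packets arrive from
    enterprise_side: str   # node that VPC3-bound packets are handed to
    internal_addr: str
    bridge_addr: str

    def handle(self, pkt, came_from):
        if came_from == self.vpc_side:
            # outgoing packet: rewrite the source to the gateway's own address
            if pkt.src != self.internal_addr:
                raise ValueError(f"no source mapping for {pkt.src}")
            return self.enterprise_side, replace(pkt, src=self.bridge_addr)
        # incoming packet: rewrite the destination back to the VPC address
        if pkt.dst != self.bridge_addr:
            raise ValueError(f"no destination mapping for {pkt.dst}")
        return self.vpc_side, replace(pkt, dst=self.internal_addr)


@dataclass
class Router:
    """Static routes keyed on the destination address; no route means drop."""
    routes: dict

    def handle(self, pkt, came_from):
        if pkt.dst not in self.routes:
            raise ValueError(f"no route for destination {pkt.dst}")
        return self.routes[pkt.dst], pkt


def build_network():
    """Node names are assumptions; routes follow the walkthrough in the text."""
    return {
        "switch1": Switch("192.168.0.0" + SUBNET_MASK, "vm1", "gateway1"),
        "gateway1": Gateway("switch1", "router1", VM1_ADDR, GW1_ADDR),
        "router1": Router({GW2_ADDR: "router3", GW1_ADDR: "gateway1"}),
        "router3": Router({GW2_ADDR: "router2", GW1_ADDR: "router1"}),  # 3', 4'
        "router2": Router({GW2_ADDR: "gateway2", GW1_ADDR: "router3"}),  # 6', 5'
        "gateway2": Gateway("switch2", "router2", VM3_ADDR, GW2_ADDR),
        "switch2": Switch("192.168.0.0" + SUBNET_MASK, "vm3", "gateway2"),
    }


def trace(net, pkt, start, came_from, max_hops=16):
    """Walk a packet through the nodes; returns the hop list and the packet as
    delivered to the final host (hosts are the names not present in `net`)."""
    hops, node = [], start
    while node in net:
        if len(hops) >= max_hops:
            raise RuntimeError("routing loop")
        hops.append(node)
        nxt, pkt = net[node].handle(pkt, came_from)
        came_from, node = node, nxt
    hops.append(node)
    return hops, pkt


def run_round_trip():
    """IP packet 1' from VM1 to gateway 2's address, then VM3's reply 2'."""
    net = build_network()
    request = Packet(VM1_ADDR, GW2_ADDR, "request")
    req_hops, at_vm3 = trace(net, request, "switch1", "vm1")
    # VM3 answers the source it saw, which is gateway 1's address in VPC3
    reply = Packet(at_vm3.dst, at_vm3.src, "reply")
    rep_hops, at_vm1 = trace(net, reply, "switch2", "vm3")
    return {"request_hops": req_hops, "at_vm3": at_vm3,
            "reply_hops": rep_hops, "at_vm1": at_vm1}


def gateway_rejects_unmapped_source():
    """An outgoing packet from an address with no mapping is dropped rather
    than translated, so only VM1 can appear as 10.0.0.9 inside VPC3."""
    net = build_network()
    try:
        net["gateway1"].handle(Packet("192.168.0.99", GW2_ADDR, "x"), "switch1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = run_round_trip()
    print(" -> ".join(result["request_hops"]), result["at_vm3"])
    print(" -> ".join(result["reply_hops"]), result["at_vm1"])
```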

Further, referring to FIG. 10, which is a schematic diagram of the structure of a configuration apparatus according to an embodiment of the present invention: as shown in FIG. 10, the configuration apparatus 60 includes a first configuration module 601 and a second configuration module 602, where the first configuration module 601 performs the gateway-creation actions of the above embodiments and the second configuration module 602 performs the actions of setting rules on the gateways and routers in the above embodiments.

The configuration apparatus 60 may be deployed in the control platform 6.

Referring now to FIG. 11, which is a schematic diagram of the structure of a computing device according to an embodiment of the present invention: as shown in FIG. 11, the computing device may include a processing unit 421 and a communication interface 422. The processing unit 421 executes the functions defined by the operating system and the various software programs running on the physical server, for example to implement the functions of the control platform 6. The communication interface 422 communicates with other computing nodes, which may be other physical servers; specifically, the communication interface 422 may be a network adapter card. Optionally, the physical server may further include an input/output interface 423 connected to input/output devices for receiving input and outputting results; the input/output interface 423 may be a mouse, keyboard, display, optical drive or the like. Optionally, the physical server may further include auxiliary storage 424, generally also called external storage; its storage medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example an optical disc) or a semiconductor medium (for example a solid-state drive). The processing unit 421 can take various concrete forms; for example, it may include a processor 4212 and a memory 4211, where the processor 4212 performs the operations of the control platform 6 in the above embodiments according to program instructions stored in the memory 4211. The processor 4212 may be a central processing unit (CPU) or a graphics processing unit (GPU), and may be single-core or multi-core. The processing unit 421 may also be implemented solely by a logic device with built-in processing logic, such as a field-programmable gate array (FPGA) or a digital signal processor (DSP).

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.

Further, in other embodiments of the present invention, containers may be used in place of virtual machines; the embodiments of the present invention do not limit this.

Embodiments of the present invention also provide a computer program product that implements the functions of the above control platform. Each such computer program product includes a computer-readable storage medium storing program code, and the instructions in the program code execute the method flow described in any of the foregoing method embodiments. Those of ordinary skill in the art will understand that the storage medium includes any non-transitory machine-readable medium capable of storing program code, such as a USB flash drive, portable hard drive, magnetic disk, optical disc, random-access memory (RAM), solid state disk (SSD) or non-volatile memory.

It should be noted that the apparatus embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the processes may be selected according to actual needs to achieve the purpose of this embodiment. In addition, in the drawings of the apparatus embodiments provided by the present invention, the connection relationships between processes indicate that they have communication connections, which may be implemented as one or more communication buses or signal lines. Those of ordinary skill in the art can understand and implement this without creative effort.

From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware, and of course also by dedicated hardware including application-specific integrated circuits, dedicated CPUs, dedicated memory, dedicated components and the like. In general, any function performed by a computer program can readily be implemented by corresponding hardware, and the specific hardware structure used to implement the same function can take many forms, such as analog circuits, digital circuits or dedicated circuits. For the present invention, however, a software implementation is in most cases the better embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, can be embodied as a software product stored in a readable storage medium, such as a computer floppy disk, USB flash drive, portable hard drive, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc, containing instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute the methods described in the embodiments of the present invention.

Those skilled in the art will clearly understand that the specific working processes of the systems, apparatuses or units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.

The above are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them. Any variation or substitution that a person familiar with this technical field could readily conceive within the technical scope disclosed by the present invention falls within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be that of the claims.

Claims (22)

1. A method for configuring virtual private cloud (VPC) communication, characterized in that the method is used to configure a first VPC and a second VPC to communicate through an enterprise network, the first VPC, the second VPC and the enterprise network being deployed in a public cloud, and the method comprises: configuring, in the first VPC, a first gateway connected to the enterprise network, and configuring, in the second VPC, a second gateway connected to the enterprise network, wherein the first gateway is provided with a first address and the second gateway is provided with a second address; configuring a first packet processing rule on the first gateway, the first packet processing rule comprising: converting the source address of an outgoing packet of the first gateway from an address within the first VPC to the first address, wherein an outgoing packet of the first gateway is a packet received by the first gateway from inside the first VPC; configuring a second packet processing rule on the second gateway, the second packet processing rule comprising: converting the destination address of an incoming packet of the second gateway from the second address to an address within the second VPC, wherein an incoming packet of the second gateway is a packet received by the second gateway from the enterprise network; configuring a routing rule on a router of the enterprise network, the routing rule of the router of the enterprise network comprising: forwarding packets whose destination address is the second address to the second gateway; wherein the first gateway receives a first packet from the first VPC, the source address of the first packet being an address within the first VPC and the destination address of the first packet being the second address of the second gateway; the first gateway converts the source address of the first packet from the address within the first VPC to the first address according to the first packet processing rule and sends the modified first packet to the router of the enterprise network; the router of the enterprise network receives the first packet and forwards the first packet to the second gateway according to the routing rule; the second gateway receives the first packet, converts the destination address of the first packet from the second address to the address within the second VPC according to the second packet processing rule, and sends the modified first packet to the second VPC; and the private network address segment of the enterprise network differs from the private network address segment of the first VPC, and the private network address segment of the enterprise network VPC differs from the private network address segment of the second VPC.

2. The method according to claim 1, characterized in that the first packet processing rule further comprises: converting the destination address of an incoming packet of the first gateway from the first address to an address within the first VPC, wherein an incoming packet of the first gateway is a packet received by the first gateway from the enterprise network; the second packet processing rule further comprises: converting the source address of an outgoing packet of the second gateway from an address within the second VPC to the second address, wherein an outgoing packet of the second gateway is a packet received by the second gateway from the second VPC; the routing rule comprises: forwarding packets whose destination address is the first address to the first gateway; wherein the second gateway receives a second packet from the second VPC, the source address of the second packet being an address within the second VPC and the destination address of the second packet being the first address of the first gateway; the second gateway converts the source address of the second packet from the address within the second VPC to the second address according to the second packet processing rule and sends the modified second packet to the router of the enterprise network; the router of the enterprise network receives the second packet and forwards the second packet to the first gateway according to the routing rule; and the first gateway receives the second packet, converts the destination address of the second packet from the first address to the address within the first VPC according to the first packet processing rule, and sends the modified second packet to the first VPC.

3. The method according to claim 1, characterized in that the first address is a first private network address in a private network address segment and the second address is a second private network address in the private network address segment.

4. The method according to claim 3, characterized in that the private network address segment includes 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8.

5. The method according to claim 3, characterized in that the private network address of the first gateway is not in the private network address segments of the subnet of the first VPC or the subnet of the second VPC, and the private network address of the second gateway is not in the private network address segments of the subnet of the first VPC or the subnet of the second VPC.

6. The method according to claim 1, characterized in that the first VPC is provided with a first subnet, the second VPC is provided with a second subnet, the first subnet and the second subnet have the same private network address segment, the address within the first VPC is an address within the first subnet, and the address within the second VPC is an address within the second subnet.

7. The method according to claim 6, characterized in that a first virtual machine is provided in the first subnet and a second virtual machine is provided in the second subnet.

8. The method according to claim 1, characterized in that it further comprises: configuring a routing rule on a router of the first VPC, the routing rule on the router of the first VPC comprising: forwarding packets whose destination address is the second address to the first gateway; and configuring a routing rule on a router of the second VPC, the routing rule on the router of the second VPC comprising: forwarding packets whose destination address is the first address to the second gateway.

9. The method according to claim 1 or 2, characterized in that the first address and the second address are private network addresses belonging to the enterprise network.

10. The method according to claim 9, characterized in that the enterprise network is implemented by a third VPC in the public cloud.

11. A virtual private cloud (VPC) communication system, characterized in that it comprises: a control platform configured to: configure, in a first VPC, a first gateway connected to an enterprise network, and configure, in a second VPC, a second gateway connected to the enterprise network, wherein the first gateway is provided with a first address and the second gateway is provided with a second address, the first VPC, the second VPC and the enterprise network are deployed in a public cloud, the private network address segment of the enterprise network differs from the private network address segment of the first VPC, and the private network address segment of the enterprise network VPC differs from the private network address segment of the second VPC; configure a first packet processing rule on the first gateway, the first packet processing rule comprising: converting the source address of an outgoing packet of the first gateway from an address within the first VPC to the first address, wherein an outgoing packet of the first gateway is a packet received by the first gateway from inside the first VPC; configure a second packet processing rule on the second gateway, the second packet processing rule comprising: converting the destination address of an incoming packet of the second gateway from the second address to an address within the second VPC, wherein an incoming packet of the second gateway is a packet received by the second gateway from the enterprise network; and configure a routing rule on a router of the enterprise network, the routing rule of the router of the enterprise network comprising: forwarding packets whose destination address is the second address to the second gateway; the first gateway, configured to receive a first packet from the first VPC, the source address of the first packet being an address within the first VPC and the destination address of the first packet being the second address of the second gateway, convert the source address of the first packet from the address within the first VPC to the first address according to the first packet processing rule, and send the modified first packet to the router of the enterprise network; the router of the enterprise network, configured to receive the first packet and forward the first packet to the second gateway according to the routing rule; and the second gateway, configured to receive the first packet, convert the destination address of the first packet from the second address to the address within the second VPC according to the second packet processing rule, and send the modified first packet to the second VPC.

12. The system according to claim 11, characterized in that the first packet processing rule further comprises: converting the destination address of an incoming packet of the first gateway from the first address to an address within the first VPC, wherein an incoming packet of the first gateway is a packet received by the first gateway from the enterprise network; the second packet processing rule further comprises: converting the source address of an outgoing packet of the second gateway from an address within the second VPC to the second address, wherein an outgoing packet of the second gateway is a packet received by the second gateway from the second VPC; the routing rule comprises: forwarding packets whose destination address is the first address to the first gateway; wherein the second gateway receives a second packet from the second VPC, the source address of the second packet being an address within the second VPC and the destination address of the second packet being the first address of the first gateway; the second gateway converts the source address of the second packet from the address within the second VPC to the second address according to the second packet processing rule and sends the modified second packet to the router of the enterprise network; the router of the enterprise network receives the second packet and forwards the second packet to the first gateway according to the routing rule; and the first gateway receives the second packet, converts the destination address of the second packet from the first address to the address within the first VPC according to the first packet processing rule, and sends the modified second packet to the first VPC.

13. The system according to claim 11, characterized in that the first address is a first private network address in a private network address segment and the second address is a second private network address in the private network address segment.

14. The system according to claim 13, characterized in that the private network address segment includes 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8.

15. The system according to claim 13, characterized in that the private network address of the first gateway is not in the private network address segments of the subnet of the first VPC or the subnet of the second VPC, and the private network address of the second gateway is not in the private network address segments of the subnet of the first VPC or the subnet of the second VPC.

16. The system according to claim 11, characterized in that the first VPC is provided with a first subnet, the second VPC is provided with a second subnet, the first subnet and the second subnet have the same private network address segment, the address within the first VPC is an address within the first subnet, and the address within the second VPC is an address within the second subnet.

17. The system according to claim 16, characterized in that a first virtual machine is provided in the first subnet and a second virtual machine is provided in the second subnet.

18. The system according to claim 11, characterized in that it further comprises: configuring a routing rule on a router of the first VPC, the routing rule on the router of the first VPC comprising: forwarding packets whose destination address is the second address to the first gateway; and configuring a routing rule on a router of the second VPC, the routing rule on the router of the second VPC comprising: forwarding packets whose destination address is the first address to the second gateway.

19. The system according to claim 11, characterized in that the first address and the second address are private network addresses belonging to the enterprise network.

20. The system according to claim 19, characterized in that the enterprise network is implemented by a third VPC in the public cloud.

21. A computing device, characterized in that it comprises at least one memory and at least one processor, the at least one memory storing program instructions and the at least one processor executing the program instructions to perform the method according to any one of claims 1 to 10.

22. A non-transitory readable storage medium, wherein, when the non-transitory readable storage medium is executed by a computing device, the computing device performs the method according to any one of claims 1 to 10.
HK62023079295.9A, priority date 2019-12-31, filing date 2020-09-04: Virtual private cloud communication method, virtual private cloud communication configuration method, and related apparatuses, HK40090849B (en)

Applications Claiming Priority (1)

Application number CN201911424858.X, priority date 2019-12-31

Publications (2)

HK40090849A (en), published 2023-11-24
HK40090849B (en), published 2024-06-28
