
WO2025086627A1 - Cloud resource architecture diagram generation method, cloud management platform, and computing device cluster - Google Patents


Info

Publication number
WO2025086627A1
Authority
WO
WIPO (PCT)
Prior art keywords
cloud
cloud resource
resource
architecture diagram
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/CN2024/094689
Other languages
French (fr)
Chinese (zh)
Inventor
高昕
熊宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Cloud Computing Technologies Co Ltd
Publication of WO2025086627A1
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/70 Admission control; Resource allocation
    • H04L 47/76 Admission control; Resource allocation using dynamic resource allocation, e.g. in-call renegotiation requested by the user or requested by the network in response to changing network conditions
    • H04L 47/762 Admission control; Resource allocation using dynamic resource allocation triggered by the network
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • The present application relates to the field of cloud computing technology, and in particular to a cloud resource architecture diagram generation method, a cloud management platform, and a computing device cluster.
  • Cloud service providers can offer tenants a variety of cloud resources, such as computing resources, storage resources and network resources.
  • Tenants can purchase or rent cloud resources from cloud service providers and use them to implement their own business; for example, tenants can deploy applications into the cloud environment formed by these cloud resources and run them there, realizing the application on the cloud.
  • To manage these cloud resources, tenants usually draw an architecture diagram of the cloud resources manually and then manage the cloud resources with reference to that diagram.
  • Drawing an architecture diagram of cloud resources manually is cumbersome and inefficient, and it also demands a high level of skill from the tenant.
  • The present application provides a cloud resource architecture diagram generation method, a cloud management platform, a computing device cluster, a storage medium and a program product that are simple to operate, highly available and low in cost.
  • In a first aspect, a method for generating a cloud resource architecture diagram is provided, applied to a cloud management platform. The cloud management platform is used to manage an infrastructure that provides multiple target cloud resources; the infrastructure includes at least one cloud data center, each cloud data center is provided with multiple servers, one or any combination of the multiple target cloud resources is deployed in at least one server of the infrastructure, and the multiple target cloud resources include a first cloud resource and a second cloud resource.
  • The method includes: in response to an architecture diagram generation request sent by a tenant, obtaining configuration information of the first cloud resource and a network traffic log of the first cloud resource, where the configuration information includes the type of the first cloud resource, the network traffic log is obtained based on a flow log of the virtual private cloud (VPC) associated with the first cloud resource, and the network traffic log indicates that there is data packet transmission between the first cloud resource and the second cloud resource; and generating a cloud resource architecture diagram based on the configuration information and the network traffic log of the first cloud resource, in which the first cloud resource and the second cloud resource have a connection relationship.
  • In response to a tenant's architecture diagram generation request, the cloud management platform can thus obtain the configuration information and the network traffic log of the first cloud resource and automatically generate a cloud resource architecture diagram from them, with no manual drawing by the tenant; the operation is simple and the availability is high.
  • Because the network traffic log of the first cloud resource is obtained from the flow log of the VPC, the connection relationships between cloud resources are obtained from the VPC flow log as well, so no intrusive components need to be installed and the cost is lower.
  • The connection relationships between cloud resources contained in the VPC flow log cover more cloud resources, and the network traffic logs of each cloud resource contained in the VPC flow log can be used to generate a cloud resource architecture diagram with wider coverage and more complete information.
  • Obtaining the network traffic log of the first cloud resource may include obtaining the flow log of the VPC associated with the first cloud resource. The flow log includes a first record indicating that there is data packet transmission between the first cloud resource and the second cloud resource, and the first record includes the source address and the destination address of that transmission: either the source address is the IP address of the first cloud resource and the destination address is the IP address of the second cloud resource, or the source address is the IP address of the second cloud resource and the destination address is the IP address of the first cloud resource.
  • The second cloud resource and the first cloud resource may be in the same VPC or in different VPCs. Through the flow log of the VPC associated with the first cloud resource, connection relationships can therefore be obtained both between cloud resources exchanging data packets within that VPC and between cloud resources exchanging data packets across VPCs, so the network traffic logs of the cloud resources in one VPC yield a cloud resource architecture diagram that spans VPCs.
  • Using the IP address of the second cloud resource contained in the network traffic log of the first cloud resource, the cloud management platform can further obtain the configuration information and the network traffic log of the second cloud resource, and from these determine the connection relationships between the second cloud resource and other cloud resources in the VPC associated with the second cloud resource.
  • The first record may also include a source port identifier and a destination port identifier of the data packet transmission: either the source port identifier identifies the first port on the first cloud resource and the destination port identifier identifies the second port on the second cloud resource, or the source port identifier identifies the second port on the second cloud resource and the destination port identifier identifies the first port on the first cloud resource. The first port on the first cloud resource and the second port on the second cloud resource then have a connection relationship in the cloud resource architecture diagram.
  • The source and destination addresses in the first record establish that the first and second cloud resources are connected; the source and destination port identifiers in the first record further determine which two ports on the first and second cloud resources have a communication link established between them.
  • With both the connection relationship between cloud resources and the link relationship between their ports shown in the cloud resource architecture diagram, tenants can manage cloud resources at a finer granularity.
  • The IP address of the second cloud resource may be a first virtual IP address, and the flow log may also include a second record indicating that there is data packet transmission between the first cloud resource and a third cloud resource. The second record and the first record describe the same data packet transmission, and in both records the source address or the destination address is the IP address of the first cloud resource. In the cloud resource architecture diagram, the third cloud resource has a binding relationship with the first virtual IP address.
  • In other words, the real IP address of the instance to which a virtual IP address is bound can be determined by searching for the second record that describes the same transmission of the same data packet, which reveals the otherwise hidden binding relationship between the virtual IP address and the instance.
  • The multiple target cloud resources may also include a fourth cloud resource and a fifth cloud resource, and the method may further include obtaining configuration information of the fourth cloud resource, which includes a connection relationship between the fourth cloud resource and the fifth cloud resource; the fourth and fifth cloud resources then have a connection relationship in the cloud resource architecture diagram.
  • The cloud management platform can thus also obtain statically configured connection relationships from the configuration information of cloud resources. Combined with the dynamic connection relationships obtained from the network traffic logs, this yields a more complete cloud resource architecture diagram.
  • The multiple target cloud resources may also include a sixth cloud resource, and the method may further include obtaining configuration information of the sixth cloud resource and, based on it, obtaining configuration information of a public network resource associated with the sixth cloud resource. The configuration information of the public network resource includes a connection relationship between the sixth cloud resource and the public network resource, and the sixth cloud resource has a connection relationship with the public network resource in the cloud resource architecture diagram.
  • That is, the configuration information of the public network resource associated with the sixth cloud resource can be looked up from the configuration information of the sixth cloud resource, so the cloud resource architecture diagram can also show the connection between the sixth cloud resource and the public network resource, making the generated diagram more complete.
  • The method may further include obtaining cloud audit information of the VPC associated with the first cloud resource, the cloud audit information including at least one of cloud resource addition information, cloud resource deletion information and cloud resource modification information within the VPC, and then adding the corresponding cloud resources to the cloud resource architecture diagram based on the addition information, deleting the corresponding cloud resources from the diagram based on the deletion information, or modifying the corresponding cloud resources in the diagram based on the modification information.
  • The cloud resource architecture diagram can therefore be refreshed from the cloud audit information of the VPC associated with the first cloud resource, keeping the diagram accurate.
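The steps described above (connection relationships from the source and destination addresses and ports of a flow log record, the hidden virtual IP binding found by matching two records of the same packet, statically configured links from configuration information, and refresh from audit records) are easier to follow in code. The following Python is an added example written for this page; it is not code from the patent or from Huawei Cloud. The flow log line format, the resource identifiers, addresses and types, the rule that two records sharing a timestamp, source address and port pair describe the same packet, and the shape of the audit events are all assumptions made for the example.

```python
"""Added example: build a cloud resource architecture graph from VPC flow log
records plus static configuration, then refresh it from audit events.
Not the patent's implementation; record format, resources and helpers are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed configuration information (hypothetical): IP address -> (resource id, type).
CONFIG = {
    "10.0.1.5":   ("elb-1", "ELB"),
    "10.0.1.10":  ("ecs-web-1", "ECS"),
    "10.0.1.20":  ("ecs-app-1", "ECS"),
    "10.0.1.100": ("vip-app", "VIP"),   # virtual IP; its backing instance is not in config
    "10.0.2.30":  ("rds-1", "RDS"),     # lives in a different VPC
}
# Statically configured relationships (hypothetical): an EIP bound to a load balancer,
# and the balancer's backend member. Ports are not known from configuration alone.
STATIC_NODES = {"eip-1": "EIP"}
STATIC_LINKS = [("eip-1", "elb-1"), ("elb-1", "ecs-web-1")]

# Constructed flow log (hypothetical format): ts src_ip dst_ip src_port dst_port
FLOW_LOG = """
1700000000 10.0.1.10 10.0.1.100 51234 8080   # web -> VIP
1700000000 10.0.1.10 10.0.1.20  51234 8080   # same packet, VIP translated to instance
1700000001 10.0.1.20 10.0.2.30  41000 3306   # app -> database, across VPCs
1700000002 10.0.1.20 10.0.1.10  8080  51234  # app -> web, reverse direction of one link
1700000003 203.0.113.7 10.0.1.10 40000 443   # public client -> web
"""


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)                      # id -> type
    edges: dict = field(default_factory=lambda: defaultdict(set))  # (a, b), a < b -> {(port_a, port_b)}
    vip_bindings: dict = field(default_factory=dict)               # VIP id -> bound instance id


def parse_flow_log(text):
    """Parse the constructed flow log; text after '#' is a comment."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        ts, src, dst, sport, dport = fields
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "sport": int(sport), "dport": int(dport)})
    return records


def resolve(graph, config, ip):
    """Map an IP to a node id; unknown addresses become external nodes."""
    rid, rtype = config.get(ip, (f"ext-{ip}", "EXTERNAL"))
    graph.nodes.setdefault(rid, rtype)
    return rid


def add_link(graph, a, port_a, b, port_b):
    """Record an undirected port-level link, storing ports in (a, b) order with a < b."""
    if a == b:
        return
    if a < b:
        graph.edges[(a, b)].add((port_a, port_b))
    else:
        graph.edges[(b, a)].add((port_b, port_a))


def build_graph(records, config, static_nodes=None, static_links=()):
    graph = Graph()
    graph.nodes.update({rid: rtype for rid, rtype in config.values()})
    graph.nodes.update(static_nodes or {})
    for a, b in static_links:  # connections known from configuration alone (no port detail)
        graph.edges.setdefault(tuple(sorted((a, b))), set())
    same_packet = defaultdict(list)
    for r in records:
        src, dst = resolve(graph, config, r["src"]), resolve(graph, config, r["dst"])
        add_link(graph, src, r["sport"], dst, r["dport"])
        # Assumption: records sharing ts, source address and both ports are one packet
        # logged twice, once addressed to a VIP and once to the instance behind it.
        same_packet[(r["ts"], r["src"], r["sport"], r["dport"])].append(dst)
    for dsts in same_packet.values():
        vips = [d for d in dsts if graph.nodes[d] == "VIP"]
        real = [d for d in dsts if graph.nodes[d] != "VIP"]
        if len(vips) == 1 and len(real) == 1:
            graph.vip_bindings[vips[0]] = real[0]
    return graph


def apply_audit(graph, events):
    """Refresh the graph from audit records: add, modify or delete resources."""
    for e in events:
        if e["op"] in ("add", "modify"):
            graph.nodes[e["id"]] = e["type"]
        elif e["op"] == "delete":
            graph.nodes.pop(e["id"], None)
            graph.vip_bindings = {v: i for v, i in graph.vip_bindings.items()
                                  if e["id"] not in (v, i)}
            for key in [k for k in graph.edges if e["id"] in k]:
                del graph.edges[key]
    return graph


def render(graph):
    """Text form of the architecture diagram: one line per connection or binding."""
    lines = []
    for (a, b), ports in sorted(graph.edges.items()):
        detail = ", ".join(f"{pa}<->{pb}" for pa, pb in sorted(ports)) or "configured"
        lines.append(f"{a} [{graph.nodes[a]}] <-> {b} [{graph.nodes[b]}] ({detail})")
    for vip, inst in sorted(graph.vip_bindings.items()):
        lines.append(f"{vip} bound to {inst}")
    return lines


if __name__ == "__main__":
    g = build_graph(parse_flow_log(FLOW_LOG), CONFIG, STATIC_NODES, STATIC_LINKS)
    print("\n".join(render(g)))
    apply_audit(g, [{"op": "delete", "id": "rds-1"}, {"op": "add", "id": "rds-2", "type": "RDS"}])
    print("\n".join(render(g)))
```

The graph is the observed communication topology rather than the intended one, which is what makes it useful for review: an edge from an external address to a port that no security group rule is meant to expose, or a cross-VPC link nobody documented, shows up here because the flow log recorded the packets, whether or not an agent was installed on the node. Port pairs are kept so that a reviewer can tell a single 443 listener from a sprawl of reachable ports, and the VIP binding is only accepted when exactly one VIP and one non-VIP destination share the packet key, so ambiguous matches are left unbound rather than guessed.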
  • A cloud management platform is also provided. The cloud management platform is used to manage an infrastructure that provides multiple target cloud resources; the infrastructure includes at least one cloud data center, each cloud data center is provided with multiple servers, one or any combination of the multiple target cloud resources is deployed in at least one server of the infrastructure, and the multiple target cloud resources include a first cloud resource and a second cloud resource.
  • The cloud management platform includes at least one module, which is used to execute the cloud resource architecture diagram generation method described in the first aspect above.
  • The at least one module may include a resource information acquisition module and an architecture diagram generation module.
  • The resource information acquisition module is used to, in response to the architecture diagram generation request sent by the tenant, obtain the configuration information of the first cloud resource and the network traffic log of the first cloud resource, where the configuration information includes the type of the first cloud resource, the network traffic log is obtained based on the flow log of the VPC associated with the first cloud resource, and the network traffic log indicates that there is data packet transmission between the first cloud resource and the second cloud resource. The architecture diagram generation module is used to generate the cloud resource architecture diagram based on the configuration information and the network traffic log of the first cloud resource, with the first cloud resource and the second cloud resource having a connection relationship in the diagram.
  • The resource information acquisition module may include a flow log acquisition unit, used to obtain the flow log of the VPC associated with the first cloud resource. The flow log includes a first record indicating that there is data packet transmission between the first cloud resource and the second cloud resource, and the first record includes the source address and the destination address of that transmission: either the source address is the IP address of the first cloud resource and the destination address is the IP address of the second cloud resource, or the source address is the IP address of the second cloud resource and the destination address is the IP address of the first cloud resource.
  • The first record may also include a source port identifier and a destination port identifier of the data packet transmission: either the source port identifier identifies the first port on the first cloud resource and the destination port identifier identifies the second port on the second cloud resource, or the source port identifier identifies the second port on the second cloud resource and the destination port identifier identifies the first port on the first cloud resource. The first port on the first cloud resource and the second port on the second cloud resource then have a connection relationship in the cloud resource architecture diagram.
  • The IP address of the second cloud resource may be a first virtual IP address, and the flow log may also include a second record indicating that there is data packet transmission between the first cloud resource and a third cloud resource. The second record and the first record describe the same data packet transmission, and in both records the source address or the destination address is the IP address of the first cloud resource. In the cloud resource architecture diagram, the third cloud resource has a binding relationship with the first virtual IP address.
  • The multiple target cloud resources may also include a fourth cloud resource and a fifth cloud resource, and the resource information acquisition module may include a resource configuration information acquisition unit used to obtain the configuration information of the fourth cloud resource, which includes a connection relationship between the fourth cloud resource and the fifth cloud resource; the fourth and fifth cloud resources then have a connection relationship in the cloud resource architecture diagram.
  • The multiple target cloud resources may also include a sixth cloud resource, and the resource configuration information acquisition unit is used to obtain the configuration information of the sixth cloud resource and, based on it, the configuration information of the public network resource associated with the sixth cloud resource, which includes the connection relationship between the sixth cloud resource and the public network resource; the sixth cloud resource then has a connection relationship with the public network resource in the cloud resource architecture diagram.
  • The cloud management platform may also include a cloud audit information acquisition module, used to obtain cloud audit information of the VPC associated with the first cloud resource, the cloud audit information including at least one of cloud resource addition information, cloud resource deletion information and cloud resource modification information within the VPC, and an architecture diagram update module, used to add the corresponding cloud resources to the cloud resource architecture diagram based on the addition information, delete the corresponding cloud resources from the diagram based on the deletion information, or modify the corresponding cloud resources in the diagram based on the modification information.
  • A computing device cluster is also provided, comprising at least one computing device, each computing device comprising a processor and a memory; the processor of the at least one computing device executes instructions stored in the memory of the at least one computing device, so that the computing device cluster performs the cloud resource architecture diagram generation method described in the first aspect above.
  • A computer-readable storage medium comprising computer program instructions is also provided; the instructions cause a computing device cluster to perform the cloud resource architecture diagram generation method described in the first aspect above.
  • A computer program product comprising instructions is also provided; the instructions cause a computing device cluster to perform the cloud resource architecture diagram generation method described in the first aspect above.
  • FIG. 1 is an implementation architecture diagram of a cloud resource architecture diagram generation method provided in an embodiment of the present application.
  • FIG. 2 is a flow chart of a method for generating a cloud resource architecture diagram provided in an embodiment of the present application.
  • FIG. 3 is a schematic diagram of configuration information of a public network resource associated with a first cloud resource provided in an embodiment of the present application.
  • FIG. 4 is a schematic diagram of configuration information of other public network resources associated with a public network resource provided in an embodiment of the present application.
  • FIG. 5 is a diagram of a generated cloud resource architecture provided in an embodiment of the present application.
  • FIG. 6 is a schematic diagram of the structure of a cloud management platform provided in an embodiment of the present application.
  • FIG. 7 is a schematic diagram of the structure of a computing device provided in an embodiment of the present application.
  • FIG. 8 is a schematic diagram of the structure of a computing device cluster provided in an embodiment of the present application.
  • FIG. 9 is a schematic diagram of the structure of another computing device cluster provided in an embodiment of the present application.
  • Cloud service providers can offer tenants a variety of cloud resources, such as elastic compute service (ECS) instances, bare metal servers, cloud databases, elastic IPs (EIPs), elastic load balancing (ELB) instances and so on.
  • Tenants can purchase or rent these cloud resources and use them to implement their own business; for example, a tenant can build VPCs from rented or purchased cloud resources and deploy its applications into those VPCs to run them, realizing the applications on the cloud.
  • Tenants may therefore want to obtain cloud resource architecture diagrams of these VPCs.
  • From a cloud resource architecture diagram, tenants can learn the associations between the cloud resources they rent or purchase and manage the cloud resources in the VPC based on those associations; they can also refer to the diagram when building other VPCs.
  • Tenants can also install agent components, through the cloud management platform, on the nodes corresponding to the cloud resources they rent or purchase. The cloud management platform can then obtain the interface call relationships of the cloud resources through the agent components on each node and generate an architecture diagram from those relationships.
  • An agent component consumes computing resources of the node while it collects interface call relationships, which affects node performance, and its installation and maintenance cost is high, so its installation rate in cloud environments is low.
  • Moreover, the nodes corresponding to some cloud resources may not belong entirely to the tenant, so for security reasons the agent component may not be installed on such nodes. In that case the interface call relationships obtainable through agent components are extremely limited, and the resulting architecture diagram has insufficient coverage and incomplete information.
  • An embodiment of the present application therefore provides a cloud resource architecture diagram generation method in which, in response to the tenant's architecture diagram generation request, the cloud management platform obtains the configuration information and the network traffic log of the first cloud resource, where the configuration information includes the type of the first cloud resource and the network traffic log indicates that there is data packet transmission between the first cloud resource and the second cloud resource.
  • The cloud management platform can then automatically generate a cloud resource architecture diagram containing the connection relationship between the first cloud resource and the second cloud resource from this information, without the tenant drawing it manually; the operation is simple and the availability is high.
  • In the embodiment of the present application, the network traffic log of a cloud resource is obtained from the flow log of the VPC associated with that cloud resource. The connection relationships between cloud resources are thus obtained from the VPC flow log without installing an agent component and without affecting the performance of the node hosting the cloud resource, so availability is stronger and the cost is lower.
  • Because the VPC flow log records all data packet transmissions between cloud resources within the VPC, the connection relationships obtainable from it cover more cloud resources than the interface call information collected by installing an agent component. On this basis, using the network traffic logs of each cloud resource included in the VPC flow log, the method provided in the embodiment of the present application can generate a cloud resource architecture diagram with wider coverage and more complete information.
  • FIG. 1 is an implementation architecture diagram of a cloud resource architecture diagram generation method provided in an embodiment of the present application.
  • The implementation architecture may include a cloud management platform 101 and a tenant terminal 102, and the tenant terminal 102 establishes a communication connection with the cloud management platform 101.
  • The cloud management platform 101 is used to manage an infrastructure that provides multiple target cloud resources. The infrastructure may include at least one cloud data center, each cloud data center is provided with multiple servers, and one or any combination of the multiple target cloud resources is deployed in at least one server of the infrastructure.
  • The cloud management platform 101 can also provide tenants with an access interface to the cloud data center. Through the cloud management platform 101, a tenant can purchase resources provided by a cloud data center, and can create, manage, log in to and operate virtual machines on servers in the cloud data center.
  • A virtual machine may also be referred to as a virtual instance, a cloud server or an ECS instance; the terms cloud server, virtual instance and ECS instance are used interchangeably herein.
  • A cloud service client may run on the tenant terminal 102, and the tenant may use the account and password registered with the cloud management platform 101 to log in remotely to the cloud management platform 101 through the cloud service client.
  • The cloud management platform 101 may present an interactive interface to the tenant through the cloud service client on the tenant terminal 102. The tenant performs an architecture diagram acquisition operation in that interface, which triggers the tenant terminal 102 to send an architecture diagram generation request to the cloud management platform 101 through the cloud service client.
  • The cloud management platform 101 can then obtain the configuration information and the network traffic log of the first cloud resource used by the tenant and automatically generate a cloud resource architecture diagram from them. Afterwards, the cloud management platform 101 can send the cloud resource architecture diagram to the tenant terminal 102, which displays it in the architecture diagram display page of the cloud service client.
  • The implementation architecture may further include a cloud log server 103, which stores the flow logs of different VPCs; the flow logs may include the network traffic logs of different cloud resources. The cloud management platform 101 may obtain the network traffic logs of the tenant's cloud resources from the cloud log server 103.
  • The implementation architecture may further include a cloud resource information server 104, which stores the configuration information of cloud resources rented or purchased by different tenants. A configuration information database may be deployed on the cloud resource information server 104, holding the configuration information of the tenants' cloud resources, and the cloud management platform 101 may obtain the configuration information of the cloud resources associated with a tenant from the cloud resource information server 104.
  • The tenant terminal 102 may be a tenant device such as a smartphone, a tablet computer or a personal computer.
  • The cloud log server 103 and the cloud resource information server 104 are both deployed in a cloud data center, and either of them may be a physical server in the cloud data center, a server cluster or a cloud server; the embodiments of the present application do not limit this.
  • The implementation architecture also includes the multiple target cloud resources managed by the cloud management platform, which are not shown in FIG. 1.
  • The cloud resource architecture diagram generation method provided in the embodiment of the present application generates a corresponding architecture diagram for some of the multiple target cloud resources managed by the cloud management platform.
  • FIG. 2 is a flow chart of a method for generating a cloud resource architecture diagram provided in an embodiment of the present application.
  • the method can be applied to the cloud management platform introduced above. Referring to FIG2, the method includes the following steps:
  • Step 201: In response to an architecture diagram generation request sent by a tenant, configuration information of a first cloud resource is obtained, and a network traffic log of the first cloud resource is obtained.
  • the cloud management platform can provide the tenant with an interactive interface for managing cloud resources through the cloud service client.
  • the tenant can perform an architecture diagram acquisition operation in the interactive interface, and in response to the architecture diagram acquisition operation, the tenant terminal can send an architecture diagram generation request to the cloud management platform through the cloud service client.
  • an architecture diagram acquisition option may be displayed in the interactive interface.
  • the tenant terminal may display the indication information of one or more VPCs constructed by the tenant in the interactive interface.
  • in response to the tenant's selection operation on the indication information of the first VPC among the indication information of the one or more VPCs, the tenant terminal generates an architecture diagram generation request based on the indication information of the first VPC selected by the tenant, and then sends the architecture diagram generation request to the cloud management platform.
  • the architecture diagram generation request carries the indication information of the first VPC.
  • the indication information of the VPC can indicate the corresponding VPC.
  • the indication information of the VPC can be the network identifier of the VPC, for example, the IP address of a VPC subnet or the virtual extensible local area network (VXLAN) network identifier (VNI).
  • the indication information of the VPC may also be other information that can indicate the VPC, for example, the indication information may be a domain name address associated with the EIP bound to the VPC. Alternatively, the indication information may also be an identifier of a tenant, etc. Alternatively, the indication information of the VPC may also be a resource identifier of any cloud resource in the VPC, for example, the indication information of the first VPC may be a resource identifier of a first cloud resource in the first VPC.
  • the tenant terminal in response to the tenant's selection operation of the architecture diagram acquisition option, may also display an information input box for inputting VPC indication information in the interactive interface.
  • the tenant may input the indication information of the first VPC in the information input box.
  • the tenant terminal may generate an architecture diagram generation request based on the indication information of the first VPC, and send the architecture diagram generation request to the cloud management platform.
  • the architecture diagram generation request carries the indication information of the first VPC.
  • after receiving the architecture diagram generation request, the cloud management platform obtains the configuration information and network traffic log of the first cloud resource based on the indication information of the first VPC carried in the architecture diagram generation request.
  • the cloud management platform can obtain configuration information of at least one cloud resource in the first VPC based on the network identifier of the first VPC.
  • the configuration information of the at least one cloud resource includes the configuration information of the first cloud resource.
  • the cloud management platform can store the network identifiers of each VPC and the configuration information of the cloud resources in the corresponding VPC in the cloud resource information server. Based on this, after receiving the architecture diagram generation request carrying the network identifier of the first VPC, the cloud management platform can obtain the configuration information of the cloud resources corresponding to the network identifier of the first VPC from the cloud resource information server.
  • the configuration information of the cloud resources corresponding to the network identifier of the VPC may include the IP address, resource identifier, and type of each cloud resource in the VPC.
  • the IP address of the cloud resource may be a virtual IP address or a real IP address;
  • the resource identifier of the cloud resource may be used to uniquely identify a cloud resource, for example, it may be a number assigned to the cloud resource by the cloud management platform;
  • the type of the cloud resource may be used to indicate the cloud service that the cloud resource can implement, that is, the function of the cloud resource.
  • the types of cloud resources may include gateways, cloud databases, ELBs, cloud servers, etc.
  • the configuration information of the cloud resources in the first VPC may be as shown in Table 1, wherein each line in Table 1 is the configuration information of a cloud resource in the first VPC, the first column in Table 1 is the IP address of each cloud resource, the second column is the resource identifier of each cloud resource, and the third column is the type of cloud resource.
  • the IP address of the cloud resource with the resource identifier ID5 is a virtual IP (VIP) address; when the type of a cloud resource is system interface, it indicates that the corresponding cloud resource is a physical host, and when the type of a cloud resource is dynamic host configuration protocol (DHCP), it indicates that the corresponding cloud resource is used to dynamically allocate IP addresses and configuration information.
  • the configuration information of cloud resources may include more information than Table 1 above.
  • the configuration information of the first cloud resource may also include the connection relationship between the first cloud resource and other cloud resources.
  • the configuration information of the cloud server may also include the information of the cloud hard disk bound to the cloud server, so as to indicate that the cloud server has a connection relationship with the cloud hard disk.
  • the configuration information of the cloud server may also include the information of the EIP bound to the cloud server, so as to indicate that the cloud server has a connection relationship with the EIP.
  • the configuration information of any cloud resource may also include a network identifier of the VPC to which the cloud resource belongs, a region identifier of the region to which the cloud resource belongs, and the like.
  • the cloud management platform may also obtain the configuration information of the public network resources associated with these cloud resources based on the configuration information of the at least one cloud resource in the first VPC.
  • when building a VPC, the tenant can configure public network resources for the VPC, such as an EIP or public network address translation (NAT).
  • the public network resources can be bound to the cloud server or ELB in the VPC.
  • the cloud management platform can store the tenant's configuration information on the public network resources in the cloud resource information server.
  • the configuration information of the public network resources may include the IP address of the public network resource, the IP address and/or resource identifier of the cloud resource in the VPC to which the public network resource is bound.
  • the cloud management platform can also query the configuration information of the public network resources bound to the cloud resources in the first VPC from the cloud resource information server, according to the IP address and/or resource identifier of the cloud resources of type cloud server and/or ELB in the first VPC.
  • the cloud resources in the first VPC include the sixth cloud resource, which is the ELB shown in Table 1.
  • the cloud management platform can query the configuration information of the public network resources associated with the ELB shown in Figure 3 based on the resource identifier of the ELB shown in Table 1.
  • the ELB is associated with an EIP, which is 139.159.202.120.
  • the configuration information of the EIP also includes the bandwidth size of the EIP, and the protocol type used is the dynamic border gateway protocol (BGP). It can be seen that the configuration information of the EIP can indicate that the EIP has a connection relationship with the ELB.
  • the cloud management platform can also further determine other public network resources associated with these public network resources based on the configuration information of the obtained public network resources.
  • the EIP shown in FIG3 can also correspond to a domain name address, and the domain name address can also be bound to a website application firewall (WAF).
  • the configuration information of the EIP can also include the domain name address corresponding to the EIP: aaa.bbb.com.
  • the cloud management platform can further obtain the configuration information of the WAF corresponding to the domain name address as shown in FIG4 based on the domain name address.
  • the identifier of the WAF corresponding to the domain name address is ID10, its working mode is protection enabled, and its access status is connected.
  • the configuration information of a public network resource can further indicate the connection relationship between the public network resource and other public network resources.
  • the above mainly introduces the implementation process of the cloud management platform obtaining the configuration information of at least one cloud resource including the first cloud resource and the associated public network resources in the first VPC when the architecture diagram generation request carries the network identifier of the first VPC.
  • the cloud management platform can obtain the configuration information of the EIP corresponding to the domain name address based on the domain name address. Afterwards, the resource identifier or IP address of the cloud resources such as the cloud server or ELB in the first VPC bound to the EIP is determined based on the configuration information of the EIP, and then the configuration information of other cloud resources in the first VPC including the cloud server or ELB is obtained based on the resource identifier or IP address of the cloud server or ELB.
  • the cloud management platform can obtain the configuration information of multiple cloud resources including the first cloud resource in the first VPC and the configuration information of the public network resources associated with the cloud resources in the first VPC.
  • for the relevant implementation principle, refer to the introduction of the first possible implementation above.
  • the difference between this implementation and the first implementation is that in this implementation, the configuration information of the public network resources associated with the first VPC and of the cloud resources in the first VPC is obtained step by step based on the association relationships contained in the configuration information, whereas in the first implementation, the configuration information of the cloud resources in the first VPC and the configuration information of the associated public network resources are obtained based on the first VPC.
  • the cloud management platform can also determine the network identifier of the first VPC to which the first cloud resource belongs based on the resource identifier of the first cloud resource, and then obtain the configuration information of multiple cloud resources including the first cloud resource in the first VPC and the configuration information of the public network resources associated with the cloud resources in the first VPC based on the network identifier of the first VPC. That is, in this case, the configuration information of the cloud resources in the first VPC and the configuration information of the associated public network resources are obtained based on the first cloud resource in the first VPC.
  • the cloud management platform can also obtain the network traffic log of the first cloud resource based on the indication information of the first VPC carried in the architecture diagram generation request.
  • the cloud management platform can obtain the network traffic log of at least one cloud resource including the first cloud resource in the first VPC based on the indication information of the first VPC.
  • the network traffic log of any cloud resource can indicate the data message transmission between the cloud resource and other cloud resources.
  • the configuration information of cloud resources may include the connection information between statically configured cloud resources. There may be other connections between cloud resources besides statically configured connections, such as dynamic connections between cloud resources. Dynamic connections between different cloud resources may also indicate other hidden connections between cloud resources. Based on this, the cloud management platform can combine the configuration information of cloud resources and network traffic logs to mine the connection relationships between cloud resources.
  • the cloud management platform can provide tenants with a VPC flow log service, and the tenant can choose whether to enable the VPC flow log service.
  • the VPC flow log service can be used to generate a flow log of the VPC to record the data message transmission of the cloud resources within the VPC.
  • the tenant can pre-enable the flow log service of the first VPC.
  • the tenant terminal can send a flow log creation request to the cloud management platform, and the flow log creation request carries the network identifier of the first VPC.
  • the cloud management platform can create a log group in the cloud log server and create a flow log of the first VPC in the log group.
  • a log record indicating that there is data message transmission between cloud resources is generated in the flow log, wherein each log record can include detailed information on the data message transmission.
  • the cloud management platform can obtain the flow log of the first VPC from the cloud log server based on the indication information of the first VPC, wherein the flow log includes at least one log record indicating the data packet transmission between the cloud resources within the first VPC and other cloud resources. Accordingly, the network traffic log of the cloud resource includes the at least one log record.
  • the cloud management platform can directly obtain the corresponding flow log from the cloud log server based on the network identifier of the first VPC.
  • the cloud management platform can, in the process of obtaining the configuration information of the cloud resources through the second implementation method described above, determine the information of the cloud resources in the associated first VPC based on the configuration information of the EIP corresponding to the domain name address, and then determine the network identifier of the first VPC based on the information of the cloud resources, and then obtain the corresponding flow log from the cloud log server based on the network identifier of the first VPC.
  • log records in the flow log can include the flow log version number, project identifier, interface identifier, source address, destination address, source port identifier, destination port identifier, protocol type, number of data packets, data packet size, start time, end time, action and log status in sequence.
  • the project ID of the log record can be the network ID of the VPC.
  • the project ID of the log record in the flow log can be the ID of the corresponding region, switch ID, or elastic network card ID.
  • the interface identifier is used to indicate the interface that captures the log record. For example, if the log record comes from the first elastic network card in the first VPC, the interface identifier in the log record may be the identifier of the first elastic network card.
  • the source address and source port identifier may be the IP address of the sender of the data message recorded in the log record and the identifier of the corresponding sending port, and the source address may be a real IP address or a virtual IP address.
  • the destination address and destination port identifier may be the IP address of the receiver of the data message recorded in the log record and the identifier of the corresponding receiving port.
  • the destination address may also be a real IP address or a virtual IP address.
  • the protocol type is the network protocol used for datagram transmission, for example, it may be transmission control protocol (TCP), user datagram protocol (UDP), etc.
  • the number of data packets and the size of data packets are respectively used to indicate the number of data packets and the size of data packets contained in the data message transmission recorded in the log record.
  • the start time and the end time are respectively used to indicate the start time and the end time of capturing the information recorded by the log record.
  • the action is used to indicate whether the data message transmission is allowed by the security group and network access control list (ACL).
  • the cloud management platform can parse each log record in the flow log based on the log record format introduced above, so as to obtain the information contained in each log record. In this way, by parsing multiple log records in the flow log, the cloud management platform can obtain the network traffic log of at least one cloud resource in the first VPC including the first cloud resource.
  • before the cloud management platform obtains the flow log of the first VPC from the cloud log server based on the indication information of the first VPC, it can also send permission application information to the tenant terminal of the tenant corresponding to the first VPC; the permission application information is used to apply to the tenant for permission to obtain the flow log of the first VPC.
  • after receiving the permission application information, the tenant terminal can display the permission application information and the corresponding options for agreeing to and declining authorization in the interface of the cloud service client. If the tenant agrees that the cloud management platform may obtain the flow log of the first VPC, the tenant can click the option for agreeing to authorization to trigger the tenant terminal to return a notification message of agreeing to authorization to the cloud management platform.
  • after receiving the notification message of agreeing to authorization, the cloud management platform can obtain the flow log of the first VPC. If the tenant does not agree that the cloud management platform may obtain the flow log of the first VPC, the tenant can click the option for declining authorization to trigger the tenant terminal to feed back a notification message of declining authorization to the cloud management platform. In this case, the cloud management platform does not obtain the flow log of the first VPC.
  • Step 202: Generate a cloud resource architecture diagram based on the configuration information of the first cloud resource and the network traffic log.
  • the cloud management platform may generate a cloud resource architecture diagram based on the obtained configuration information and network traffic logs.
  • the configuration information of a cloud resource may include information about other cloud resources associated with the cloud resource. Based on this, taking the fourth cloud resource in the first VPC as an example, if the configuration information of the fourth cloud resource also includes information about the fifth cloud resource associated with the fourth cloud resource, the cloud management platform can determine that the fourth cloud resource has a connection relationship with the fifth cloud resource.
  • for example, if the fourth cloud resource is a cloud server and the configuration information of the fourth cloud resource includes the information of two bound cloud hard disks, the cloud management platform can determine that the fourth cloud resource has a connection relationship with the two cloud hard disks.
  • the cloud management platform may also obtain configuration information of a public network resource associated with at least one cloud resource in the first VPC, and the configuration information of the public network resource may include the cloud resource in the first VPC to which the public network resource is bound. Based on this, taking the cloud resource in the first VPC to which the public network resource is bound as the sixth cloud resource as an example, the cloud management platform may also determine that the sixth cloud resource has a connection relationship with the public network resource based on the binding information of the public network resource and the sixth cloud resource included in the configuration information of the public network resource.
  • the configuration information of the EIP indicates that the EIP is bound to the ELB identified as ID3, so it can be determined that there is a connection relationship between the EIP and the ELB.
  • the network traffic log of the cloud resources in the first VPC may indicate that there is data message transmission between the cloud resources and other cloud resources. Based on this, the cloud management platform may also determine the connection relationship between the cloud resources based on the network traffic log of the cloud resources in the first VPC.
  • each log record in the flow log of the first VPC includes a source address and a destination address of a data packet transmission.
  • the cloud management platform can determine the connection relationship between two cloud resources based on the source address and the destination address of the data packet transmission recorded in each log record.
  • the cloud management platform can determine that there is a connection relationship between the first cloud resource and the second cloud resource based on the source address and destination address in the first record, wherein the source address in the first record is the IP address of the first cloud resource, and the destination address in the first record is the IP address of the second cloud resource; or, the source address in the first record is the IP address of the second cloud resource, and the destination address in the first record is the IP address of the first cloud resource.
  • the source address in the log record is the address of the sender of the data message, and the destination address is the address of the receiver of the data message. Therefore, if the source address in the first record is the IP address of the first cloud resource and the destination address is the IP address of the second cloud resource, then based on the first record, it can be determined that the first cloud resource has transmitted the data message to the second cloud resource, that is, there is a connection relationship between the first cloud resource and the second cloud resource.
  • if the source address in the first record is the IP address of the second cloud resource and the destination address is the IP address of the first cloud resource, then based on the first record, it can be determined that the second cloud resource has transmitted the data message to the first cloud resource, that is, there is a connection relationship between the first cloud resource and the second cloud resource.
  • the second cloud resource can be a cloud resource in the first VPC or a cloud resource in the second VPC.
  • the cloud management platform can also use the IP address of the second cloud resource as the indication information of the second VPC, and based on the indication information of the second VPC, refer to the method introduced in the aforementioned step 201 to obtain the configuration information and network traffic log of the cloud resources in the second VPC, and then obtain the connection relationship of the cloud resources in the second VPC through the configuration information and network traffic log of the cloud resources in the second VPC.
  • the flow log of the first VPC can be used not only to determine the connection relationship between cloud resources in the same VPC, but also to determine the connection relationship between cloud resources across VPCs.
  • the log records in the flow log of the first VPC may also include a source port identifier and a destination port identifier.
  • the cloud management platform may also determine the connection relationship between the two ports on the two cloud resources based on the source port identifier and the destination port identifier in the log records.
  • the cloud management platform can also determine that there is a connection relationship between the first port on the first cloud resource and the second port on the second cloud resource based on the source port identifier and the destination port identifier in the first record.
  • the source port identifier in the log record is the port through which the sender indicated by the source address sends the data message, and the destination port identifier is the port through which the receiver indicated by the destination address receives the data message.
  • if the source address in the first record is the IP address of the first cloud resource, the source port identifier in the first record is the identifier of the port on the first cloud resource that sends the data message to the second cloud resource, and the destination port identifier in the first record is the identifier of the port on the second cloud resource that receives the data message sent by the first cloud resource.
  • if the source address in the first record is the IP address of the second cloud resource, the source port identifier in the first record is the identifier of the port on the second cloud resource that sends data packets to the first cloud resource, and the destination port identifier in the first record is the identifier of the port on the first cloud resource that receives the data packets sent by the second cloud resource.
  • for example, if both the first cloud resource and the second cloud resource are ECS instances, different applications deployed on the ECS instances may communicate through different ports, so the cloud management platform can also determine from the first record which two ports on the two ECS instances have a connection relationship, that is, which two ports have a communication link established between them.
  • the cloud management platform can also determine from the flow log of the first VPC a second record indicating the same data packet transmission as the first record, and determine the cloud resource bound to the virtual IP address in the first record based on the second record.
  • the cloud management platform can search the flow log of the first VPC for a second record whose destination address, destination port identifier, protocol type, number of packets, packet size, start time, and end time are the same as the first record and whose source address is a real IP address. Afterwards, the cloud management platform can determine, based on the first record and the second record, that the first virtual IP address is the virtual IP address bound to the third cloud resource indicated by the source address in the second record.
  • the destination address in the first record and the second record refers to the address of the sender of the data message sent this time.
  • the first virtual IP address in the first record is the virtual IP address of the sender of the data message, and the source address in the second record is the real IP address of the sender of the same data message. It can be seen that the source address in the second record is the real IP address of the instance bound to the first virtual IP address, that is, the first virtual IP address is the virtual IP address bound to the third cloud resource indicated by the source address in the second record.
  • the cloud management platform can determine that there is a connection relationship between the third cloud resource and the second cloud resource represented by the first virtual IP address.
  • the cloud management platform can search the flow log of the first VPC for a second record whose source address, source port identifier, protocol type, number of packets, packet size, start time and end time are the same as the first record and whose destination address is a real IP address. Afterwards, the cloud management platform can determine, based on the first record and the second record, that the first virtual IP address is the virtual IP address bound to the third cloud resource indicated by the destination address in the second record.
  • the cloud management platform can further determine the network deployment relationship of the cloud resources, that is, the cloud database is deployed on the instance of the third cloud resource.
  • the cloud management platform can also determine that the first virtual IP address is also the virtual IP address bound to the seventh cloud resource.
  • the cloud management platform can also determine that the cloud database is deployed on two instances of the third cloud resource and the seventh cloud resource, wherein the third cloud resource is the current primary instance and the seventh cloud resource is the current backup instance.
  • the cloud management platform can also obtain other cloud resource deployment relationships based on the network traffic log of cloud resources in the first VPC. For example, the cloud management platform can also determine the deployment location of the hidden switch in the first VPC based on the source address, destination address and interface identifier in each log record, and determine which cloud resources in the first VPC belong to the same security group based on the source address, destination address and action in each log record.
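The record-matching procedure described above (a first record carrying a virtual IP paired with the second record of the same transmission that carries the real IP), together with the derivation of connection relationships from accepted records, as an added worked example in Python that is not part of the patent. The field layout, the inventory of real and virtual IPs, the flow-log lines and the function names (`find_vip_bindings`, `build_architecture`) are constructed assumptions for illustration.

```python
"""Infer VIP bindings and connection relationships from VPC flow-log records.

Added example, not code from the patent. The field layout and the sample
lines are constructed assumptions following the fields the description
names: addresses, ports, protocol, packets, size, start, end and action.
"""
from collections import defaultdict

# Constructed inventory as the resource configuration information would give
# it: real IP -> instance; virtual IP -> the logical resource it represents.
REAL_IPS = {"10.0.1.11": "ECS1", "10.0.1.12": "ECS2",
            "10.0.2.21": "RDS-B",   # instance currently primary behind the VIP
            "10.0.2.22": "RDS-C"}   # instance currently standby behind the VIP
VIRTUAL_IPS = {"10.0.2.100": "RDS-A"}
FIELDS = ("src", "dst", "sport", "dport", "proto",
          "packets", "bytes", "start", "end", "action")

# Constructed flow-log lines, one record per line in FIELDS order.
FLOW_LOG = """\
10.0.1.11 10.0.2.100 40512 3306 6 12 1800 1700000000 1700000005 ACCEPT
10.0.1.11 10.0.2.21 40512 3306 6 12 1800 1700000000 1700000005 ACCEPT
10.0.2.100 10.0.1.11 3306 40512 6 12 6400 1700000000 1700000005 ACCEPT
10.0.2.21 10.0.1.11 3306 40512 6 12 6400 1700000000 1700000005 ACCEPT
10.0.1.12 10.0.2.100 51000 3306 6 4 600 1700000100 1700000101 ACCEPT
10.0.1.12 10.0.2.22 51000 3306 6 4 600 1700000100 1700000101 ACCEPT
10.0.1.12 10.0.1.11 52000 8080 6 30 9000 1700000200 1700000210 ACCEPT
10.0.1.12 10.0.1.11 52001 22 6 1 60 1700000300 1700000300 REJECT
"""


def parse_flow_log(text):
    """One dict per record; malformed lines are rejected, not guessed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed flow-log line: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def find_vip_bindings(records):
    """Return (vip -> real IPs it was bound to, indices of the twin records).

    A record whose source is a VIP is paired with the record of the same
    transmission (same destination, destination port, protocol, packets,
    size, start, end) whose source is a real IP; the symmetric rule applies
    when the VIP is the destination. The twin's real address is the instance
    bound to the VIP at that time.
    """
    bindings, twins = defaultdict(set), set()
    same = ("proto", "packets", "bytes", "start", "end")
    for i, first in enumerate(records):
        if first["src"] in VIRTUAL_IPS:
            key, side = ("dst", "dport"), "src"
        elif first["dst"] in VIRTUAL_IPS:
            key, side = ("src", "sport"), "dst"
        else:
            continue
        for j, second in enumerate(records):
            if j == i or second[side] in VIRTUAL_IPS:
                continue
            if all(second[f] == first[f] for f in key + same):
                bindings[first[side]].add(second[side])
                twins.add(j)
    return dict(bindings), twins


def resource_name(addr):
    return VIRTUAL_IPS.get(addr) or REAL_IPS.get(addr) or addr


def connection_relationships(records, skip=frozenset()):
    """Unordered resource pairs that exchanged accepted traffic. Twin records
    are skipped so VIP traffic is attributed to the logical resource, and
    REJECT records (a security-group denial) are not connections."""
    edges = set()
    for i, rec in enumerate(records):
        if i in skip or rec["action"] != "ACCEPT":
            continue
        a, b = resource_name(rec["src"]), resource_name(rec["dst"])
        if a != b:
            edges.add(tuple(sorted((a, b))))
    return edges


def build_architecture(records):
    """Adjacency map: connections plus VIP deployment relationships."""
    bindings, twins = find_vip_bindings(records)
    edges = connection_relationships(records, twins)
    for vip, real_ips in bindings.items():
        for ip in real_ips:  # the logical resource is deployed on this instance
            edges.add(tuple(sorted((VIRTUAL_IPS[vip], resource_name(ip)))))
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return {node: sorted(peers) for node, peers in sorted(graph.items())}
```

On the constructed log, `find_vip_bindings` reports the VIP 10.0.2.100 bound to both 10.0.2.21 and 10.0.2.22 (the primary and the standby seen at different times), and `build_architecture` connects ECS1 and ECS2 to the logical RDS-A node with RDS-B and RDS-C hanging off it, while the rejected port-22 line produces no connection. Keeping the VIP binding separate from the connection lines is what lets an operator notice a binding that moved to an instance they did not expect.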
  • the cloud management platform can generate a cloud resource architecture diagram based on the determined connection relationship between cloud resources and the acquired configuration information of cloud resources and public network resources.
  • the cloud resource architecture diagram includes the connection relationship between the above-mentioned cloud resources.
  • the cloud management platform can first draw cloud resource nodes representing corresponding cloud resources based on the acquired configuration information of cloud resources within the first VPC, and draw cloud resource nodes corresponding to public network resources based on the configuration information of public network resources associated with the first VPC, thereby obtaining a resource node graph, wherein each cloud resource node can correspond to a resource identifier and/or IP address of a cloud resource or a public network resource.
  • the cloud management platform can determine the initial layout of cloud resource nodes corresponding to each cloud resource based on the type of cloud resources within the first VPC, and determine the initial layout of cloud resource nodes corresponding to the public network resources based on the association between the public network resources and other resources contained in the configuration information of the public network resources, thereby drawing a resource node diagram based on the initial layout.
  • ELB instances are used to achieve load balancing. In VPC scenarios, they are usually associated with ECS instances. Therefore, in the resource node diagram, the ELB node representing the ELB instance can be close to the ECS1 node representing the ECS1 instance and the ECS2 node representing the ECS2 instance. Multiple ECS instances are usually used as computing resources, so the ECS1 node and the ECS2 node are placed side by side.
  • the cloud database is a data storage service, and the ECS instance may access the cloud database more frequently.
  • the relational database service (RDS) node A representing the cloud database resource A, the RDS node B representing the cloud database resource B, and the RDS node C representing the cloud database resource C can be close to the ECS1 node and the ECS2 node.
  • the connection relationship between the EIP and the ELB instance, the connection relationship between the domain name address and the EIP, and the connection relationship between the domain name address aaa.bbb.com and the WAF can be obtained.
  • each cloud resource node can also correspond to the IP address of the corresponding cloud resource.
  • the cloud management platform can also add cloud resource nodes representing cloud resources in other VPCs in the resource node graph based on the connection relationship between cloud resources in the first VPC and cloud resources in other VPCs.
  • the cloud management platform may also indicate corresponding cloud resource nodes through corresponding cloud resource legends according to the types of cloud resources.
  • the cloud management platform may connect the cloud resource nodes corresponding to the cloud resources having a connection relationship based on the connection relationship between the cloud resources determined above.
  • the cloud management platform can determine that the EIP is bound to the ELB instance based on the configuration information of the cloud resources, and that the EIP is associated with the domain name address aaa.bbb.com, and that the domain name address is associated with the WAF. Therefore, the EIP node and the ELB node can be connected by a connecting line, the EIP node and the domain name address A can be connected, and the domain name address A can be connected to the WAF.
  • it can be determined that the ELB instance has a connection relationship with the ECS1 instance and the ECS2 instance respectively.
  • the ELB node can be connected to the ECS1 node, and the ELB node can be connected to the ECS2 node.
  • the IP address of the cloud database resource A is a virtual IP address.
  • the IP addresses of the cloud database resource B and the cloud database resource C are both real IP addresses.
  • the cloud management platform can connect both the ECS1 node and the ECS2 node to the RDS node A, and connect the RDS node A to the RDS node B and the RDS node C respectively, and mark the RDS node B as the master node and the RDS node C as the standby node in the figure.
  • the cloud management platform can also mark the network identifier VPC1 of the first VPC for the cloud resources in the first VPC. In this way, the cloud management platform obtains a cloud resource architecture diagram including the connection relationships between multiple cloud resources.
  • the cloud management platform may first generate a resource node graph based on the obtained configuration information through the method introduced above, and then determine the connection relationship between the cloud resources according to the obtained configuration information and the network traffic log of the cloud resources within the first VPC, and connect the cloud resource nodes in the resource node graph according to the connection relationship between the cloud resources, thereby obtaining a cloud resource architecture diagram including the connection relationship between multiple cloud resources.
  • the cloud management platform may also first generate a request based on the architecture diagram to obtain the configuration information and network traffic log of the first cloud resource in the first VPC, then determine the connection relationship between the first cloud resource and other cloud resources based on that configuration information and network traffic log, and then draw the corresponding cloud resource nodes and the connection lines between them in the cloud resource architecture diagram based on the connection relationship.
  • the cloud management platform can obtain the configuration information and network traffic logs of other cloud resources that have a connection relationship with the first cloud resource, and then draw the possible connection relationships between other cloud resources in the cloud resource architecture diagram. In this way, new connection relationships are continuously obtained through the connection relationships between the determined cloud resources, so as to draw the cloud resource architecture diagram.
  • the implementation process of determining the connection relationship between any cloud resource and other cloud resources based on the configuration information and network traffic log of the cloud resource can be referred to the previous introduction, which will not be repeated here.
  • the cloud management platform may send the cloud resource architecture diagram to the tenant terminal. Accordingly, the tenant terminal may display the cloud resource architecture diagram in the resource architecture diagram display page of the cloud service client.
  • the cloud management platform can also store the cloud resource architecture diagram.
  • the cloud management platform can store the cloud resource architecture diagram in correspondence with the network identifier of the first VPC.
  • the cloud management platform can directly obtain the cloud resource architecture diagram based on the architecture diagram generation request, and return the cloud resource architecture diagram to the tenant terminal.
  • the cloud management platform may also update the cloud resource architecture diagram according to the changes in the cloud resources.
  • a cloud data center can provide a cloud audit service to tenants.
  • the cloud audit service can record the operation activities of various resources in the cloud environment. For example, the deletion, addition, modification and other change information of various cloud resources such as ECS instances and cloud databases in the VPC can be recorded.
  • the cloud management platform can obtain the cloud audit information of the first VPC, and then update the cloud resource architecture diagram based on the cloud audit information.
  • the cloud audit information may include at least one cloud resource change information.
  • the cloud management platform may obtain cloud audit information of the first VPC at a preset time interval, and then update the cloud resource architecture diagram according to the cloud audit information.
  • the cloud audit information may include one or more cloud resource change information within the preset time interval.
  • the cloud audit service may actively send a resource change notification to the cloud management platform, and the resource change notification may include the network identifier of the first VPC and the cloud resource change information recorded by the cloud audit service this time.
  • the cloud management platform may obtain the corresponding cloud resource architecture diagram based on the network identifier of the first VPC, and then update the cloud resource architecture diagram based on the cloud resource change information in the resource change notification.
  • the cloud management platform can update the cloud resource architecture diagram in different ways.
  • the cloud management platform can add the connection relationship between the newly added cloud resource and other cloud resources in the cloud resource architecture diagram based on the cloud resource addition information. For example, if the cloud resource addition information includes information about adding a certain cloud resource in the cloud resource architecture diagram, the cloud management platform can obtain the configuration information of the added cloud resource, and then add the cloud resource node corresponding to the cloud resource in the cloud resource architecture diagram based on the configuration information of the cloud resource. If the configuration information of the cloud resource also includes the connection relationship between the cloud resource and other cloud resources, the cloud management platform can also add the connection relationship between the cloud resource and other cloud resources in the cloud resource architecture diagram.
  • the cloud management platform can also obtain the network traffic log of the cloud resource, and add the connection relationship between the cloud resource and other cloud resources in the cloud resource architecture diagram based on the network traffic log of the cloud resource.
  • the relevant implementation method can refer to the introduction in the previous text and will not be repeated here.
  • the cloud management platform can delete the corresponding cloud resource in the cloud resource architecture diagram and the connection relationship between the cloud resource and other cloud resources based on the cloud resource deletion information.
  • the cloud resource deletion information may include information about deleting a cloud resource in the cloud resource architecture diagram.
  • the cloud management platform can delete the cloud resource node used to represent the cloud resource in the cloud resource architecture diagram, and delete the connection relationship between the cloud resource node and other cloud resource nodes.
  • the cloud management platform can also mine the connection relationship by re-acquiring the network traffic logs of each cloud resource in the cloud resource architecture diagram, so as to supplement the new connection relationship that may appear between the remaining cloud resources after deleting the cloud resource.
  • the cloud management platform can modify the information of the corresponding cloud resource in the cloud resource architecture diagram based on the cloud resource modification information.
  • the cloud resource modification information may include information for modifying the connection relationship of a cloud resource already in the current cloud resource architecture diagram, and the cloud management platform can modify the connection relationship of the cloud resource in the cloud resource architecture diagram based on the cloud resource modification information.
  • the cloud management platform can obtain the cloud audit information of each VPC, and refer to the above-mentioned method to update the cloud resource architecture diagram based on the cloud audit information of each VPC.
  • the cloud management platform can also obtain, for each cloud resource included in the cloud resource architecture diagram, the cloud audit information containing the change information of that cloud resource, and then update the cloud resource architecture diagram based on the obtained cloud audit information with reference to the above-mentioned method.
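The add, delete and modify update paths described above, as an added Python example that is not from the patent. The change-record fields (`vpc`, `op`, `resource`, `connections`), the sample events, the per-VPC `DIAGRAMS` store and the optional `rediscover` hook that stands in for re-mining the flow log after a deletion are all assumptions made for illustration.

```python
"""Apply cloud audit change records to a stored cloud resource architecture graph.

Added example, not the patent's code. The change-record shape (network
identifier, operation, resource, connections) and the sample events are
constructed assumptions; the graph is an undirected adjacency map stored
per VPC network identifier, as the description stores diagrams per VPC.
"""
from copy import deepcopy


def make_graph(edges):
    """Undirected adjacency map from (a, b) connection pairs."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


# Constructed initial diagram, matching the worked example in the description.
DIAGRAMS = {"VPC1": make_graph([("EIP", "ELB"), ("ELB", "ECS1"), ("ELB", "ECS2"),
                                ("ECS1", "RDS-A"), ("ECS2", "RDS-A"),
                                ("RDS-A", "RDS-B"), ("RDS-A", "RDS-C")])}

# Constructed audit change records as a resource change notification would carry them.
AUDIT_EVENTS = [
    {"vpc": "VPC1", "op": "add", "resource": "ECS3", "connections": ["ELB", "RDS-A"]},
    {"vpc": "VPC1", "op": "delete", "resource": "ECS1"},
    {"vpc": "VPC2", "op": "add", "resource": "ECS9", "connections": []},
    {"vpc": "VPC1", "op": "modify", "resource": "RDS-A",
     "connections": ["ECS2", "ECS3", "RDS-B"]},
]


def add_resource(graph, name, connections=()):
    """Add a node and the connection lines its configuration information lists."""
    graph.setdefault(name, set())
    for peer in connections:
        graph.setdefault(peer, set())
        graph[name].add(peer)
        graph[peer].add(name)


def delete_resource(graph, name):
    """Remove the node and every connection line attached to it."""
    for peer in graph.pop(name, set()):
        graph[peer].discard(name)


def modify_resource(graph, name, connections):
    """Replace the resource's connection relationships with the audited set."""
    if name not in graph:
        raise KeyError(f"{name} is not in the diagram")
    for peer in graph[name]:
        graph[peer].discard(name)
    graph[name] = set()
    add_resource(graph, name, connections)


def apply_audit_events(diagrams, vpc_id, events, rediscover=None):
    """Return (updated graph for vpc_id, number of events applied).

    Events for other VPCs are ignored because each stored diagram is keyed by
    its network identifier. After a deletion an optional `rediscover` callback
    (standing in for re-mining the VPC flow log) may return extra (a, b) pairs
    that appear between the remaining resources. The stored diagram is never
    mutated in place, so a failed update can simply be discarded.
    """
    graph = deepcopy(diagrams[vpc_id])
    applied = 0
    for ev in events:
        if ev["vpc"] != vpc_id:
            continue
        op, name = ev["op"], ev["resource"]
        if op == "add":
            add_resource(graph, name, ev.get("connections", ()))
        elif op == "delete":
            delete_resource(graph, name)
            for a, b in (rediscover(graph) if rediscover else ()):
                add_resource(graph, a, [b])
        elif op == "modify":
            modify_resource(graph, name, ev["connections"])
        else:
            raise ValueError(f"unknown audit operation {op!r}")
        applied += 1
    return graph, applied
```

Running `apply_audit_events(DIAGRAMS, "VPC1", AUDIT_EVENTS)` applies three of the four events (the VPC2 record is skipped), removes ECS1 together with its lines to ELB and RDS-A, attaches the new ECS3, and leaves RDS-C without any connection after the modify record drops it from RDS-A, which is exactly the kind of dangling node an operator would want the updated diagram to make visible.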
  • the cloud management platform, in response to a tenant's request to generate an architecture diagram, can obtain the configuration information of the first cloud resource and the network traffic log of the first cloud resource, and automatically generate a cloud resource architecture diagram including the connection relationship between the first cloud resource and other cloud resources based on that configuration information and network traffic log. The tenant does not need to draw the diagram manually, so the operation is simple and the availability is high.
  • the connection relationship between the first cloud resource and other cloud resources can be obtained through the flow log of the VPC associated with the first cloud resource, without installing intrusive components and without affecting the performance of the node where the cloud resource is located, so availability is higher and cost is lower.
  • because the connection relationships are taken from the VPC flow log, the generated cloud resource architecture diagram has wider coverage and more complete information.
  • FIG6 is a schematic diagram of the structure of a cloud management platform provided in an embodiment of the present application.
  • the cloud management platform 600 may include: a resource information acquisition module 61 and an architecture diagram generation module 62.
  • the resource information acquisition module 61 may be used to execute step 201 in the aforementioned embodiment, and the architecture diagram generation module 62 may be used to execute step 202 in the aforementioned embodiment.
  • the resource information acquisition module 61 may include a flow log acquisition unit 611.
  • the flow log acquisition unit 611 may be used to acquire the flow log of the VPC associated with the first cloud resource, the flow log including a first record indicating that there is data message transmission between the first cloud resource and the second cloud resource, the first record including the source address and the destination address of the data message transmission, wherein the source address in the first record is the IP address of the first cloud resource, and the destination address in the first record is the IP address of the second cloud resource; or, the source address in the first record is the IP address of the second cloud resource, and the destination address in the first record is the IP address of the first cloud resource.
  • the flow log may be stored on a cloud log server that provides an object storage service (OBS), and the flow log acquisition unit 611 may acquire the flow log of the VPC associated with the first cloud resource from the cloud log server.
  • the resource information acquisition module 61 may further include a resource configuration information acquisition unit 612, which is used to: acquire the configuration information of the first cloud resource.
  • the resource configuration information acquisition unit 612 may also be used to acquire the configuration information of the fourth cloud resource, wherein the configuration information of the fourth cloud resource also includes the connection relationship between the fourth cloud resource and the fifth cloud resource, and accordingly, the architecture diagram generation module 62 is also used to generate a cloud resource architecture diagram using the configuration information of the fourth cloud resource, wherein the fourth cloud resource and the fifth cloud resource in the cloud resource architecture diagram have a connection relationship.
  • the resource configuration information acquisition unit 612 may also be used to acquire the configuration information of the sixth cloud resource, and based on the configuration information of the sixth cloud resource, acquire the configuration information of the public network resource associated with the sixth cloud resource, wherein the configuration information of the public network resource may include the connection relationship between the sixth cloud resource and the public network resource.
  • the architecture diagram generation module 62 is also used to generate a cloud resource architecture diagram using the configuration information of the sixth cloud resource and the configuration information of the associated public network resource, wherein the cloud resource architecture diagram also includes the connection relationship between the sixth cloud resource and the public network resource.
  • the configuration information of the cloud resource can be stored in a cloud resource information server, and the resource configuration information acquisition unit 612 can acquire the configuration information of the first cloud resource and the configuration information of the public network resource associated with the first cloud resource from the cloud resource information server.
  • the above-mentioned first record also includes a source port identifier and a destination port identifier of the data packet transmission, wherein the source port identifier is the identifier of the first port on the first cloud resource, and the destination port identifier is the identifier of the second port on the second cloud resource; or, the source port identifier is the identifier of the second port on the second cloud resource, and the destination port identifier is the identifier of the first port on the first cloud resource; the first port on the first cloud resource and the second port on the second cloud resource in the cloud resource architecture diagram have a connection relationship.
  • the IP address of the second cloud resource is the first virtual IP address.
  • the flow log of the VPC associated with the first cloud resource also includes a second record indicating that there is data packet transmission between the first cloud resource and the third cloud resource, the second record and the first record indicate the same data packet transmission, and the source address or destination address of the data packet transmission included in the second record and the first record is the IP address of the first cloud resource; the third cloud resource in the cloud resource architecture diagram has a binding relationship with the first virtual IP address.
  • the configuration information of the first cloud resource also includes a connection relationship between the first cloud resource and the fourth cloud resource, and the first cloud resource and the fourth cloud resource in the cloud resource architecture diagram have a connection relationship.
  • the cloud management platform 600 also includes: a cloud audit information acquisition module 63 and an architecture diagram update module 64.
  • the cloud audit information acquisition module 63 is used to obtain the cloud audit information of the VPC associated with the first cloud resource, and the cloud audit information includes at least one of the cloud resource addition information, cloud resource deletion information and cloud resource modification information within the VPC;
  • the architecture diagram update module 64 is used to add corresponding cloud resources to the cloud resource architecture diagram based on the cloud resource addition information; or, based on the cloud resource deletion information, delete the corresponding cloud resources in the cloud resource architecture diagram; or, based on the cloud resource modification information, modify the corresponding cloud resources in the cloud resource architecture diagram.
  • the cloud audit information acquisition module 63 can obtain the cloud audit information of the VPC associated with the first cloud resource from the cloud audit service.
  • the cloud management platform, in response to the tenant's architecture diagram generation request, can obtain the configuration information of the first cloud resource and the network traffic log of the first cloud resource, and automatically generate the cloud resource architecture diagram based on them, without the need for the tenant to draw manually, so the operation is simple and the availability is high.
  • the connection relationship between the first cloud resource and other cloud resources can be obtained through the flow log of the VPC associated with the first cloud resource, so there is no need to install intrusive components, and the cost is lower.
  • the embodiment of the present application also provides a computing device 700.
  • the computing device 700 includes: a bus 702, a processor 704, a memory 706, and a communication interface 708.
  • the processor 704, the memory 706, and the communication interface 708 communicate with each other through the bus 702.
  • the computing device 700 can be a server or a terminal device. It should be understood that the present application does not limit the number of processors and memories in the computing device 700.
  • the bus 702 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
  • the bus may be divided into an address bus, a data bus, a control bus, etc.
  • in FIG. 7 the bus is represented by only one line, but this does not mean that there is only one bus or one type of bus.
  • the bus 702 may include a path for transmitting information between various components of the computing device 700 (e.g., the memory 706, the processor 704, and the communication interface 708).
  • Processor 704 may include any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), or a digital signal processor (DSP).
  • the memory 706 may include a volatile memory, such as a random access memory (RAM).
  • the memory 706 may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD), or a solid state drive (SSD).
  • the memory 706 stores executable program codes, and the processor 704 executes the executable program codes to respectively implement the functions of the resource information acquisition module and the architecture diagram generation module, thereby implementing the cloud resource architecture diagram generation method. That is, the memory 706 stores instructions for executing the cloud resource architecture diagram generation method.
  • the memory 706 stores executable codes, and the processor 704 executes the executable codes to respectively implement the functions of the aforementioned cloud management platform, thereby implementing the cloud resource architecture diagram generation method. That is, the memory 706 stores instructions for executing the cloud resource architecture diagram generation method.
  • the communication interface 708 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to implement communication between the computing device 700 and other devices or communication networks.
  • the embodiment of the present application also provides a computing device cluster.
  • the computing device cluster includes at least one computing device.
  • the computing device can be a server, such as a central server, an edge server, or a local server in a local data center.
  • the computing device can also be a terminal device such as a desktop computer, a laptop computer, or a smart phone.
  • the computing device cluster includes at least one computing device 700.
  • the memory 706 in one or more computing devices 700 in the computing device cluster may store the same instructions for executing the cloud resource architecture diagram generation method.
  • the memory 706 of one or more computing devices 700 in the computing device cluster may also store some instructions for executing the cloud resource architecture diagram generation method.
  • the combination of one or more computing devices 700 can jointly execute the instructions for implementing the cloud resource architecture diagram generation method.
  • the memory 706 in different computing devices 700 in the computing device cluster can store different instructions, which are respectively used to execute part of the functions of the cloud management platform. That is, the instructions stored in the memory 706 in different computing devices 700 can implement the functions of one or more modules in the resource information acquisition module and the architecture diagram generation module.
  • one or more computing devices in a computing device cluster may be connected via a network.
  • the network may be a wide area network or a local area network, etc.
  • FIG. 9 shows a possible implementation. As shown in FIG. 9, two computing devices 700A and 700B are connected via a network. Specifically, the connection to the network is made through the communication interface of each computing device.
  • the memory 706 in the computing device 700A stores instructions for executing the functions of a resource information acquisition module and an architecture diagram generation module. At the same time, the memory 706 in the computing device 700B stores instructions for executing the functions of a cloud audit information acquisition module and an architecture diagram update module.
  • in the connection mode of the computing device cluster shown in FIG9, the functions of the resource information acquisition module and the architecture diagram generation module may be considered to be performed by the computing device 700A.
  • the functions of the computing device 700A shown in FIG9 may also be completed by multiple computing devices 700.
  • the functions of the computing device 700B may also be completed by multiple computing devices 700.
  • the embodiment of the present application also provides another computing device cluster.
  • the connection relationship between the computing devices in the computing device cluster can be similar to the connection mode of the computing device cluster described in Figures 8 and 9.
  • the difference is that the memory 706 in one or more computing devices 700 in the computing device cluster can store the same instructions for executing the cloud resource architecture diagram generation method.
  • the memory 706 of one or more computing devices 700 in the computing device cluster may also store partial instructions for executing the cloud resource architecture diagram generation method.
  • the combination of one or more computing devices 700 may jointly execute instructions for executing the cloud resource architecture diagram generation method.
  • the memory 706 in different computing devices 700 in the computing device cluster can store different instructions for executing part of the functions of the cloud resource architecture diagram generation system. That is, the instructions stored in the memory 706 in different computing devices 700 can implement the functions of one or more devices of the cloud management platform and infrastructure.
  • the embodiment of the present application also provides a computer program product including instructions.
  • the computer program product may be software or a program product including instructions that can be run on a computing device or stored in any available medium.
  • when the instructions are run on at least one computing device, that computing device executes the cloud resource architecture diagram generation method.
  • the embodiment of the present application also provides a computer-readable storage medium.
  • the computer-readable storage medium can be any available medium that the computing device can store, or a data storage device such as a data center containing one or more available media.
  • the available medium can be a magnetic medium (e.g., a floppy disk, a hard disk, a tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid-state hard disk).
  • the computer-readable storage medium includes instructions that instruct the computing device to execute the cloud resource architecture diagram generation method.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application belongs to the technical field of cloud computing, and discloses a cloud resource architecture diagram generation method, a cloud management platform, and a computing device cluster. The present application comprises: in response to an architecture diagram generation request of a tenant, a cloud management platform acquires configuration information of a first cloud resource, acquires a network traffic log of the first cloud resource, and automatically generates a cloud resource architecture diagram on the basis of the configuration information of the first cloud resource and the network traffic log. Manual drawing by tenants is not needed, the operation is simple, and the availability is high. Moreover, because network traffic logs of cloud resources are acquired on the basis of VPC flow logs associated with the cloud resources, that is, in the embodiments of the present application, connection relationships between the cloud resources can be acquired by means of the VPC flow logs associated with the cloud resources, no agent assembly is required to be installed, the performance of nodes where the cloud resources are located is not affected, the availability is higher, and the cost is lower.

Description

Cloud resource architecture diagram generation method, cloud management platform and computing device cluster

This application claims priority to the Chinese patent application with application number 202311393633.9, filed on October 25, 2023 and entitled "Architecture diagram generation method, device, computing device cluster and storage medium", and to the Chinese patent application with application number 202410118224.6, filed on January 26, 2024 and entitled "Cloud resource architecture diagram generation method, cloud management platform and computing device cluster", the entire contents of which are incorporated herein by reference.

Technical Field

The present application relates to the field of cloud computing technology, and in particular to a cloud resource architecture diagram generation method, a cloud management platform, and a computing device cluster.

Background Art

In recent years, with the development of cloud computing technology, cloud service providers can offer tenants a variety of cloud resources, such as computing resources, storage resources and network resources. Tenants can purchase or rent the cloud resources provided by a cloud service provider and use them to run their own business. For example, a tenant can deploy applications into the cloud environment formed by these cloud resources, thereby moving the applications to the cloud.

Currently, after purchasing or renting cloud resources, a tenant typically draws an architecture diagram of the cloud resources by hand and then uses that diagram to manage the cloud resources. However, manually drawing an architecture diagram of cloud resources is not only cumbersome and inefficient, but also demands considerable skill from the tenant.

Summary of the Invention

The present application provides a cloud resource architecture diagram generation method, a cloud management platform, a computing device cluster, a storage medium and a program product that are simple to operate, highly usable and low in cost.

To achieve the above objectives, the present application adopts the following technical solutions:

In a first aspect, a cloud resource architecture diagram generation method is provided, which is applied to a cloud management platform. The cloud management platform is used to manage an infrastructure that provides multiple target cloud resources, the infrastructure includes at least one cloud data center, each cloud data center is provided with multiple servers, one or any combination of the multiple target cloud resources is deployed in at least one server of the infrastructure, and the multiple target cloud resources include a first cloud resource and a second cloud resource. The method includes: in response to an architecture diagram generation request sent by a tenant, obtaining configuration information of the first cloud resource and obtaining a network traffic log of the first cloud resource, wherein the configuration information of the first cloud resource includes the type of the first cloud resource, the network traffic log of the first cloud resource is obtained based on a flow log of the virtual private cloud (VPC) associated with the first cloud resource, and the network traffic log of the first cloud resource indicates that data packet transmission exists between the first cloud resource and the second cloud resource; and generating a cloud resource architecture diagram based on the configuration information of the first cloud resource and the network traffic log of the first cloud resource, wherein the first cloud resource and the second cloud resource in the cloud resource architecture diagram have a connection relationship.

In the present application, in response to a tenant's architecture diagram generation request, the cloud management platform can obtain the configuration information and the network traffic log of the first cloud resource and automatically generate a cloud resource architecture diagram based on them, without the tenant drawing anything by hand, which is simple to operate and highly usable. In addition, since the network traffic log of the first cloud resource can be obtained from the flow log of the VPC, that is, the connection relationships between cloud resources can be obtained from the VPC flow log, no intrusive components need to be installed, so the cost is lower.

In addition, because the connection relationships between cloud resources contained in the VPC flow log cover more cloud resources, a cloud resource architecture diagram with wider coverage and more complete information can be generated based on the network traffic logs of the individual cloud resources contained in the VPC flow log.

Optionally, obtaining the network traffic log of the first cloud resource may include: obtaining the flow log of the virtual private cloud VPC associated with the first cloud resource, the flow log including a first record indicating that data packet transmission exists between the first cloud resource and the second cloud resource, the first record including a source address and a destination address of the data packet transmission, wherein the source address in the first record is the IP address of the first cloud resource and the destination address in the first record is the IP address of the second cloud resource; or the source address in the first record is the IP address of the second cloud resource and the destination address in the first record is the IP address of the first cloud resource.

The second cloud resource and the first cloud resource may be cloud resources in the same VPC or in different VPCs. Therefore, through the flow log of the VPC associated with the first cloud resource, not only the connection relationships between cloud resources that exchange data packets within the VPC can be obtained, but also the connection relationships between cloud resources that exchange data packets across VPCs. On this basis, a cross-VPC cloud resource architecture diagram can be obtained from the network traffic logs of the cloud resources in one VPC.

Optionally, when the second cloud resource and the first cloud resource are in different VPCs, after obtaining the connection relationship between the first cloud resource and the second cloud resource from the network traffic log of the first cloud resource, the cloud management platform can further obtain the configuration information and the network traffic log of the second cloud resource based on the IP address of the second cloud resource contained in the network traffic log of the first cloud resource, and then determine the connection relationships between the second cloud resource and the other cloud resources in the VPC associated with the second cloud resource based on the configuration information and network traffic log of the second cloud resource. In this way, by chaining the cloud resources together, an architecture diagram of cloud resources spanning multiple VPCs can be obtained.

Optionally, the first record also includes a source port identifier and a destination port identifier of the data packet transmission, wherein the source port identifier is the identifier of a first port on the first cloud resource and the destination port identifier is the identifier of a second port on the second cloud resource; or the source port identifier is the identifier of the second port on the second cloud resource and the destination port identifier is the identifier of the first port on the first cloud resource. The first port on the first cloud resource and the second port on the second cloud resource in the cloud resource architecture diagram have a connection relationship.

In the present application, not only can the connection relationship between the first cloud resource and the second cloud resource be obtained from the source address and destination address in the first record, but the source port identifier and destination port identifier in the first record can also be used to determine which two ports on the first and second cloud resources have a communication link established between them. On this basis, the tenant can manage cloud resources at a finer granularity, using the connection relationships between cloud resources and the link relationships between their ports shown in the cloud resource architecture diagram.

Optionally, the IP address of the second cloud resource is a first virtual IP address, and the flow log also includes a second record indicating that data packet transmission exists between the first cloud resource and a third cloud resource; the second record and the first record indicate the same data packet transmission, and the source address or destination address of the data packet transmission included in both the second record and the first record is the IP address of the first cloud resource. The third cloud resource in the cloud resource architecture diagram has a binding relationship with the first virtual IP address.

In the present application, when the source address or destination address in the first record is a virtual IP address, the real IP address of the instance to which the virtual IP address is bound can be determined by finding the second record that records the same transmission of the same data packet, thereby revealing the otherwise hidden binding relationship between the virtual IP address and the instance.

Optionally, the multiple target cloud resources also include a fourth cloud resource and a fifth cloud resource, and the method also includes: obtaining configuration information of the fourth cloud resource, wherein the configuration information of the fourth cloud resource also includes a connection relationship between the fourth cloud resource and the fifth cloud resource, and the fourth cloud resource and the fifth cloud resource in the cloud resource architecture diagram have a connection relationship.

In the present application, the cloud management platform can also obtain the statically configured connection relationships between cloud resources from their configuration information. Combined with the dynamic connection relationships obtained from the network traffic logs, a more complete cloud resource architecture diagram can be obtained.

Optionally, the multiple target cloud resources also include a sixth cloud resource, and the method also includes: obtaining configuration information of the sixth cloud resource; and, based on the configuration information of the sixth cloud resource, obtaining configuration information of a public network resource associated with the sixth cloud resource, wherein the configuration information of the public network resource includes a connection relationship between the sixth cloud resource and the public network resource, and the sixth cloud resource and the public network resource in the cloud resource architecture diagram have a connection relationship.

In the present application, the configuration information of the public network resource associated with the sixth cloud resource can be looked up from the configuration information of the sixth cloud resource. In this way, the cloud resource architecture diagram can also include the connection relationship between the sixth cloud resource and the public network resource, making the generated diagram more complete.

Optionally, the method also includes: obtaining cloud audit information of the VPC associated with the first cloud resource, the cloud audit information including at least one of cloud resource addition information, cloud resource deletion information and cloud resource modification information within the VPC; and adding the corresponding cloud resource to the cloud resource architecture diagram based on the cloud resource addition information; or deleting the corresponding cloud resource from the cloud resource architecture diagram based on the cloud resource deletion information; or modifying the corresponding cloud resource in the cloud resource architecture diagram based on the cloud resource modification information.

In the present application, after the cloud resource architecture diagram is generated, it can also be refreshed by obtaining the cloud audit information of the VPC associated with the first cloud resource, so that the diagram stays accurate.
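The following is an added example, not code from the patent or from Huawei Cloud, that puts the optional steps above into working form: it parses constructed VPC flow-log records for a first cloud resource, derives port-level connections, resolves a virtual IP to its bound instance by matching a second record describing the same transmission, marks peers in other VPCs for chained lookup, and refreshes the diagram from constructed cloud-audit events. The flow-log line layout, the matching key used to recognise "the same transmission", the configuration dictionary and the audit-event format are all assumptions of this example.

```python
"""Added example (not the patent's or Huawei's code): build a cloud resource
architecture graph from VPC flow-log records. The record layout, config dict
and audit events below are constructed for the example."""
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed record layout: ts vpc src dst sport dport proto nbytes
FlowRecord = namedtuple("FlowRecord", "ts vpc src dst sport dport proto nbytes")

# Constructed sample input: 10.0.1.10 sends to virtual IP 10.0.1.100 and a second
# record of the same transmission names the real instance 10.0.1.20; a resource
# in another VPC (10.1.2.5) sends traffic to 10.0.1.10:8080.
SAMPLE_FLOW_LOG = """
1700000000 vpc-a 10.0.1.10 10.0.1.100 51234 3306 TCP 1200
1700000000 vpc-a 10.0.1.10 10.0.1.20 51234 3306 TCP 1200
1700000005 vpc-a 10.1.2.5 10.0.1.10 44000 8080 TCP 300
"""
# Constructed configuration information: IP -> resource type and VPC.
SAMPLE_CONFIG = {
    "10.0.1.10": {"type": "ECS", "vpc": "vpc-a"},
    "10.0.1.20": {"type": "ECS", "vpc": "vpc-a"},
    "10.0.1.100": {"type": "VIP", "vpc": "vpc-a"},
    "10.1.2.5": {"type": "RDS", "vpc": "vpc-b"},
}


def parse_flow_log(text):
    """Parse the constructed whitespace-separated flow-log lines."""
    records = []
    for line in text.strip().splitlines():
        f = line.split()
        records.append(FlowRecord(int(f[0]), f[1], f[2], f[3],
                                  int(f[4]), int(f[5]), f[6], int(f[7])))
    return records


def connections_for(records, first_ip):
    """Port-level links of first_ip: a record whose src or dst is first_ip
    links the first port on first_ip to the peer's port (the 'first record')."""
    edges = set()
    for r in records:
        if r.src == first_ip:
            edges.add((first_ip, r.sport, r.dst, r.dport))
        elif r.dst == first_ip:
            edges.add((first_ip, r.dport, r.src, r.sport))
    return edges


def resolve_vip_bindings(records, first_ip, vips):
    """Find the instance behind each virtual IP: a 'second record' describing
    the same transmission (assumed key: same ts, ports, protocol, byte count
    and direction relative to first_ip) but naming a real peer address."""
    groups = {}
    for r in records:
        if first_ip in (r.src, r.dst):
            key = (r.ts, r.sport, r.dport, r.proto, r.nbytes, r.src == first_ip)
            groups.setdefault(key, []).append(r)
    bindings = {}
    for group in groups.values():
        peers = {r.dst if r.src == first_ip else r.src for r in group}
        vip_peers, real_peers = peers & vips, peers - vips
        if len(vip_peers) == 1 and len(real_peers) == 1:
            bindings[vip_peers.pop()] = real_peers.pop()
    return bindings


@dataclass
class ArchitectureDiagram:
    resources: dict = field(default_factory=dict)        # ip -> config
    edges: set = field(default_factory=set)              # (ip, port, peer_ip, peer_port)
    vip_bindings: dict = field(default_factory=dict)     # vip -> real ip
    cross_vpc_peers: list = field(default_factory=list)  # resources to expand next


def build_diagram(config, records, first_ip, vips):
    """Combine configuration information with the flow-log-derived links."""
    d = ArchitectureDiagram(resources={ip: dict(c) for ip, c in config.items()})
    d.edges = connections_for(records, first_ip)
    d.vip_bindings = resolve_vip_bindings(records, first_ip, vips)
    first_vpc = config[first_ip]["vpc"]
    # Peers in another VPC are looked up by IP next, chaining the diagram across VPCs.
    d.cross_vpc_peers = sorted({e[2] for e in d.edges
                                if config.get(e[2], {}).get("vpc") not in (None, first_vpc)})
    return d


def apply_audit_events(diagram, events):
    """Refresh the diagram from constructed cloud-audit add/delete/modify events."""
    for ev in events:
        if ev["action"] == "add":
            diagram.resources[ev["ip"]] = {"type": ev["type"], "vpc": ev["vpc"]}
        elif ev["action"] == "delete":
            diagram.resources.pop(ev["ip"], None)
            diagram.edges = {e for e in diagram.edges if ev["ip"] not in (e[0], e[2])}
        elif ev["action"] == "modify" and ev["ip"] in diagram.resources:
            diagram.resources[ev["ip"]].update(ev["changes"])
    return diagram


if __name__ == "__main__":
    diagram = build_diagram(SAMPLE_CONFIG, parse_flow_log(SAMPLE_FLOW_LOG),
                            "10.0.1.10", {"10.0.1.100"})
    for edge in sorted(diagram.edges):
        print("link  %s:%d -> %s:%d" % edge)
    print("vip bindings", diagram.vip_bindings)
    print("expand next ", diagram.cross_vpc_peers)
```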

第二方面,提供一种云管理平台,所述云管理平台用于管理提供多个目标云资源的基础设施,所述基础设施包括至少一个云数据中心,每个云数据中心设置有多个服务器,所述多个目标云资源中的一者或任意组合部署在所述基础设施的至少一个服务器中,所述多个目标云资源包括第一云资源和第 二云资源,所述云管理平台包括至少一个模块,所述至少一个模块用于执行上述第一方面所述的云资源架构图生成方法。In a second aspect, a cloud management platform is provided, wherein the cloud management platform is used to manage an infrastructure that provides multiple target cloud resources, wherein the infrastructure includes at least one cloud data center, each cloud data center is provided with multiple servers, and one or any combination of the multiple target cloud resources is deployed in at least one server of the infrastructure, wherein the multiple target cloud resources include a first cloud resource and a second cloud resource. 2. Cloud resources, the cloud management platform includes at least one module, and the at least one module is used to execute the cloud resource architecture diagram generation method described in the first aspect above.

示例性的,所述至少一个模块可以包括资源信息获取模块和架构图生成模块。Exemplarily, the at least one module may include a resource information acquisition module and an architecture diagram generation module.

其中,资源信息获取模块用于响应于租户发送的架构图生成请求,获取所述第一云资源的配置信息,并获取所述第一云资源的网络流量日志,其中,所述第一云资源的配置信息包括所述第一云资源的类型,所述第一云资源的网络流量日志基于所述第一云资源关联的虚拟私有云VPC的流日志获得,所述第一云资源的网络流量日志指示所述第一云资源和第二云资源之间存在数据报文传输;架构图生成模块,用于基于所述第一云资源的配置信息和所述第一云资源的网络流量日志,生成云资源架构图,所述云资源架构图中的所述第一云资源和所述第二云资源具有连接关系。Among them, the resource information acquisition module is used to respond to the architecture diagram generation request sent by the tenant, obtain the configuration information of the first cloud resource, and obtain the network traffic log of the first cloud resource, wherein the configuration information of the first cloud resource includes the type of the first cloud resource, the network traffic log of the first cloud resource is obtained based on the flow log of the virtual private cloud VPC associated with the first cloud resource, and the network traffic log of the first cloud resource indicates that there is data packet transmission between the first cloud resource and the second cloud resource; the architecture diagram generation module is used to generate a cloud resource architecture diagram based on the configuration information of the first cloud resource and the network traffic log of the first cloud resource, and the first cloud resource and the second cloud resource in the cloud resource architecture diagram have a connection relationship.

可选地,所述资源信息获取模块包括:流日志获取单元,用于获取所述第一云资源关联的虚拟私有云VPC的流日志,所述流日志包括指示所述第一云资源和所述第二云资源之间存在数据报文传输的第一记录,所述第一记录包括数据报文传输的源地址和目的地址,其中,所述第一记录中的源地址为所述第一云资源的IP地址,所述第一记录中的目的地址为所述第二云资源的IP地址;或,所述第一记录中的源地址为所述第二云资源的IP地址,所述第一记录中的目的地址为所述第一云资源的IP地址。Optionally, the resource information acquisition module includes: a flow log acquisition unit, used to obtain the flow log of the virtual private cloud VPC associated with the first cloud resource, the flow log including a first record indicating that there is data packet transmission between the first cloud resource and the second cloud resource, the first record including a source address and a destination address of the data packet transmission, wherein the source address in the first record is the IP address of the first cloud resource, and the destination address in the first record is the IP address of the second cloud resource; or, the source address in the first record is the IP address of the second cloud resource, and the destination address in the first record is the IP address of the first cloud resource.

可选地,所述第一记录还包括数据报文传输的源端口标识和目的端口标识,其中,所述源端口标识为所述第一云资源上的第一端口的标识,所述目的端口标识为所述第二云资源上的第二端口的标识;或,所述源端口标识为所述第二云资源上的第二端口的标识,所述目的端口标识为所述第一云资源上的第一端口的标识;所述云资源架构图中的所述第一云资源上的第一端口和所述第二云资源上的第二端口具有连接关系。Optionally, the first record also includes a source port identifier and a destination port identifier of the data packet transmission, wherein the source port identifier is the identifier of the first port on the first cloud resource, and the destination port identifier is the identifier of the second port on the second cloud resource; or, the source port identifier is the identifier of the second port on the second cloud resource, and the destination port identifier is the identifier of the first port on the first cloud resource; the first port on the first cloud resource and the second port on the second cloud resource in the cloud resource architecture diagram have a connection relationship.

可选地,所述第二云资源的IP地址为第一虚拟IP地址,所述流日志还包括指示所述第一云资源与第三云资源之间存在数据报文传输的第二记录,所述第二记录和所述第一记录指示相同的数据报文传输,且所述第二记录和所述第一记录包括的数据报文传输的源地址或目的地址为所述第一云资源的IP地址;所述云资源架构图中所述第三云资源与所述第一虚拟IP地址具有绑定关系。Optionally, the IP address of the second cloud resource is the first virtual IP address, and the flow log also includes a second record indicating that there is data packet transmission between the first cloud resource and the third cloud resource, the second record and the first record indicate the same data packet transmission, and the source address or destination address of the data packet transmission included in the second record and the first record is the IP address of the first cloud resource; the third cloud resource in the cloud resource architecture diagram has a binding relationship with the first virtual IP address.

可选地,所述多个目标云资源还包括第四云资源和第五云资源,所述资源信息获取模块包括:资源配置信息获取单元,用于获取所述第四云资源的配置信息,所述第四云资源的配置信息还包括所述第四云资源与所述第五云资源的连接关系,所述云资源架构图中的所述第四云资源和所述第五云资源具有连接关系。Optionally, the multiple target cloud resources also include a fourth cloud resource and a fifth cloud resource, and the resource information acquisition module includes: a resource configuration information acquisition unit, used to obtain the configuration information of the fourth cloud resource, the configuration information of the fourth cloud resource also includes a connection relationship between the fourth cloud resource and the fifth cloud resource, and the fourth cloud resource and the fifth cloud resource in the cloud resource architecture diagram have a connection relationship.

可选地,所述多个目标云资源还包括第六云资源,所述资源信息获取模块包括:资源配置信息获取单元,用于获取所述第六云资源的配置信息;基于所述第六云资源的配置信息,获取与所述第六云资源关联的公网资源的配置信息,所述公网资源的配置信息包括所述第六云资源与所述公网资源的连接关系,所述云资源架构图中的所述第六云资源与所述公网资源具有连接关系。Optionally, the multiple target cloud resources also include a sixth cloud resource, and the resource information acquisition module includes: a resource configuration information acquisition unit, used to obtain the configuration information of the sixth cloud resource; based on the configuration information of the sixth cloud resource, obtaining the configuration information of the public network resources associated with the sixth cloud resource, the configuration information of the public network resources includes the connection relationship between the sixth cloud resource and the public network resources, and the sixth cloud resource in the cloud resource architecture diagram has a connection relationship with the public network resources.

可选地,所述云管理平台还包括:云审计信息获取模块,用于获取所述第一云资源关联的VPC的云审计信息,所述云审计信息包括所述VPC内的云资源添加信息、云资源删除信息和云资源修改信息中的至少一种;架构图更新模块,用于基于云资源添加信息,在所述云资源架构图中添加对应的云资源;或者,基于所述云资源删除信息,删除所述云资源架构图中对应的云资源;或者,基于所述云资源修改信息,修改所述云资源架构图中对应的云资源。Optionally, the cloud management platform also includes: a cloud audit information acquisition module, used to obtain cloud audit information of the VPC associated with the first cloud resource, the cloud audit information including at least one of cloud resource addition information, cloud resource deletion information and cloud resource modification information within the VPC; an architecture diagram update module, used to add corresponding cloud resources in the cloud resource architecture diagram based on the cloud resource addition information; or, based on the cloud resource deletion information, delete the corresponding cloud resources in the cloud resource architecture diagram; or, based on the cloud resource modification information, modify the corresponding cloud resources in the cloud resource architecture diagram.

第三方面,提供一种计算设备集群,包括至少一个计算设备,每个计算设备包括处理器和存储器;所述至少一个计算设备的处理器用于执行所述至少一个计算设备的存储器中存储的指令,以使得所述计算设备集群执行如上述第一方面所述的云资源架构图生成方法。In a third aspect, a computing device cluster is provided, comprising at least one computing device, each computing device comprising a processor and a memory; the processor of the at least one computing device is used to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster executes the cloud resource architecture diagram generation method as described in the first aspect above.

第四方面,提供一种计算机可读存储介质,包括计算机程序指令,当所述计算机程序指令由计算设备集群执行时,所述计算设备集群执行如上述第一方面所述的云资源架构图生成方法。In a fourth aspect, a computer-readable storage medium is provided, comprising computer program instructions. When the computer program instructions are executed by a computing device cluster, the computing device cluster executes the cloud resource architecture diagram generation method as described in the first aspect above.

第五方面,提供了一种包含指令的计算机程序产品,当所述指令被计算设备集群运行时,使得所述计算设备集群执行如上述第一方面所述的云资源架构图生成方法。In a fifth aspect, a computer program product comprising instructions is provided. When the instructions are executed by a computing device cluster, the computing device cluster executes the cloud resource architecture diagram generation method as described in the first aspect above.

上述第二方面、第三方面、第四方面和第五方面所获得的技术效果与第一方面和第二方面中对应 的技术手段获得的技术效果近似,在这里不再赘述。The technical effects obtained by the second, third, fourth and fifth aspects above are the same as those obtained by the first and second aspects. The technical effects obtained by the technical means are similar and will not be repeated here.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1为本申请实施例提供的一种云资源架构图生成方法的实施架构图;FIG1 is an implementation architecture diagram of a cloud resource architecture diagram generation method provided in an embodiment of the present application;

图2为本申请实施例提供的一种云资源架构图生成方法的流程图;FIG2 is a flow chart of a method for generating a cloud resource architecture diagram provided in an embodiment of the present application;

图3为本申请实施例提供的一种第一云资源所关联的公网资源的配置信息的示意图;FIG3 is a schematic diagram of configuration information of a public network resource associated with a first cloud resource provided in an embodiment of the present application;

图4为本申请实施例提供的一种公网资源所关联的其他公网资源的配置信息的示意图;FIG4 is a schematic diagram of configuration information of other public network resources associated with a public network resource provided in an embodiment of the present application;

图5为本申请实施例提供的一种生成的云资源架构图;FIG5 is a diagram of a generated cloud resource architecture provided in an embodiment of the present application;

图6为本申请实施例提供的一种云管理平台的结构示意图;FIG6 is a schematic diagram of the structure of a cloud management platform provided in an embodiment of the present application;

图7为本申请实施例提供的一种计算设备的结构示意图;FIG7 is a schematic diagram of the structure of a computing device provided in an embodiment of the present application;

图8为本申请实施例提供的一种计算设备集群的结构示意图;FIG8 is a schematic diagram of the structure of a computing device cluster provided in an embodiment of the present application;

图9为本申请实施例提供的另一种计算设备集群的结构示意图。FIG. 9 is a schematic diagram of the structure of another computing device cluster provided in an embodiment of the present application.

具体实施方式DETAILED DESCRIPTION

为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。In order to make the objectives, technical solutions and advantages of the embodiments of the present application clearer, the implementation methods of the present application will be further described in detail below in conjunction with the accompanying drawings.

在对本申请实施例进行详细的解释说明之前,先对本申请实施例涉及的应用场景进行介绍。Before explaining the embodiments of the present application in detail, the application scenarios involved in the embodiments of the present application are first introduced.

近年来,随着云计算技术的发展,云服务商可以向租户提供多种可用的云资源,例如弹性计算服务(elastic compute service,ECS)实例、裸金属服务器、云数据库、弹性IP(elastic IP,EIP)、弹性负载均衡(elastic load balance,ELB)实例等。租户可以购买或租用云服务商提供的云资源,并利用这些云资源来实现自身的业务。例如,租户可以租用或购买云资源来搭建VPC,并将自身的应用部署到VPC中运行,以实现应用上云。In recent years, with the development of cloud computing technology, cloud service providers can provide tenants with a variety of available cloud resources, such as elastic compute service (ECS) instances, bare metal servers, cloud databases, elastic IP (EIP), elastic load balancing (ELB) instances, etc. Tenants can purchase or rent cloud resources provided by cloud service providers and use these cloud resources to implement their own business. For example, tenants can rent or purchase cloud resources to build VPCs and deploy their own applications to VPCs to run in order to implement applications on the cloud.

对于已搭建的一个或多个VPC,租户可能会想要获取这些VPC的云资源架构图,通过该云资源架构图,租户能够获知自身租用或购买的云资源之间的关联关系,从而能够基于该关联关系来对VPC中的云资源进行管理。或者,租户也可以参考该云资源架构图来实现其他的VPC的搭建等。For one or more VPCs that have been built, tenants may want to obtain cloud resource architecture diagrams of these VPCs. Through the cloud resource architecture diagram, tenants can learn the associations between the cloud resources they rent or purchase, and manage the cloud resources in the VPC based on the associations. Alternatively, tenants can also refer to the cloud resource architecture diagram to build other VPCs.

目前,租户可以通过云管理平台查询自身所使用的云资源的信息,之后,基于该云资源的信息,租户可以手动绘制云资源架构图。这种手动绘制架构图的方式操作繁琐效率低下,可用性较差。Currently, tenants can query the information of cloud resources they use through the cloud management platform, and then manually draw cloud resource architecture diagrams based on the information of cloud resources. This manual architecture diagram drawing method is cumbersome, inefficient, and has poor usability.

另外,在一些相关技术中,租户也可以通过云管理平台在自身租用或购买的云资源对应的节点上安装代理(agent)组件,云管理平台可以通过各个节点上的agent组件来获取云资源的接口调用关系,进而基于该接口调用关系来生成架构图。然而,由于agent组件获取云资源的接口调用关系会占用节点的计算资源,因此,影响节点性能。另外,一方面,agent组件安装维护成本较高,所以在云环境中的安装率较低,另一方面,某些云资源对应的节点可能并不完全属于该租户,因此,出于安全性考虑,这类节点上可能无法安装agent组件。在这种情况下,通过agent组件能够获取到的云资源的接口调用关系将极为有限,这将导致最终生成的架构图的覆盖度不足,信息不够完善。In addition, in some related technologies, tenants can also install agent components on the nodes corresponding to the cloud resources they rent or purchase through the cloud management platform. The cloud management platform can obtain the interface call relationship of cloud resources through the agent components on each node, and then generate an architecture diagram based on the interface call relationship. However, since the agent component obtains the interface call relationship of cloud resources, it will occupy the computing resources of the node, thus affecting the node performance. In addition, on the one hand, the installation and maintenance cost of the agent component is high, so the installation rate in the cloud environment is low. On the other hand, the nodes corresponding to some cloud resources may not completely belong to the tenant. Therefore, for security reasons, the agent component may not be installed on such nodes. In this case, the interface call relationship of cloud resources that can be obtained through the agent component will be extremely limited, which will result in insufficient coverage of the final generated architecture diagram and incomplete information.

In response to the problems of the above architecture diagram generation methods, an embodiment of the present application provides a cloud resource architecture diagram generation method. In this method, in response to a tenant's architecture diagram generation request, the cloud management platform can obtain the configuration information and the network traffic log of a first cloud resource, wherein the configuration information of the first cloud resource includes the type of the first cloud resource, and the network traffic log of the first cloud resource indicates that there is data message transmission between the first cloud resource and a second cloud resource. On this basis, the cloud management platform can automatically generate, based on the configuration information and network traffic log of the first cloud resource, a cloud resource architecture diagram containing the connection relationship between the first cloud resource and the second cloud resource, without the tenant drawing it manually; the operation is simple and the usability is high. In addition, since the network traffic log of a cloud resource in the embodiment of the present application is obtained from the flow log of the VPC associated with the cloud resource, that is, the connection relationships between cloud resources can be obtained through the flow log of the VPC associated with the cloud resources, no agent component needs to be installed, the performance of the node where the cloud resource is located is not affected, usability is stronger and cost is lower.

In addition, since the VPC flow log records all data message transmissions between cloud resources within the VPC, the connection relationships obtainable through the VPC flow log cover more cloud resources than the method of obtaining interface call information by installing an agent component. On this basis, based on the network traffic logs of each cloud resource included in the VPC flow log, the method provided in the embodiment of the present application can generate a cloud resource architecture diagram with wider coverage and more complete information.

Next, the implementation architecture of the cloud resource architecture diagram generation method provided in the embodiment of the present application is introduced.

FIG. 1 is a diagram of an implementation architecture of a cloud resource architecture diagram generation method provided in an embodiment of the present application. As shown in FIG. 1, the implementation architecture may include a cloud management platform 101 and a tenant terminal 102, and a communication connection is established between the tenant terminal 102 and the cloud management platform 101.

The cloud management platform 101 is used to manage an infrastructure that provides multiple target cloud resources. The infrastructure may include at least one cloud data center, each cloud data center is provided with multiple servers, and one or any combination of the multiple target cloud resources is deployed on at least one server of the infrastructure. In addition, the cloud management platform 101 can also be used to provide tenants with an access interface for accessing the cloud data center. For example, a tenant can purchase resources provided by the cloud data center through the cloud management platform 101. For another example, after purchasing virtual machine resources provided by the cloud data center, a tenant can create, manage, log in to and operate a virtual machine on a server of the cloud data center through the cloud management platform 101. In the embodiment of the present application, a virtual machine may also be referred to as a virtual instance, a cloud server or an ECS instance; in addition, the terms cloud server, virtual instance and ECS instance may be used interchangeably.

In the embodiment of the present application, a cloud service client may run on the tenant terminal 102, and the tenant may remotely log in to the cloud management platform 101 through the cloud service client using an account and password registered with the cloud management platform 101. After the tenant logs in, the cloud management platform 101 may provide the tenant with an interactive interface through the cloud service client on the tenant terminal 102, and the tenant may perform an architecture diagram acquisition operation in the interactive interface to trigger the tenant terminal 102 to send an architecture diagram generation request to the cloud management platform 101 through the cloud service client.

After receiving the tenant's architecture diagram generation request, the cloud management platform 101 can obtain the configuration information and network traffic log of the first cloud resource used by the tenant, and then automatically generate a cloud resource architecture diagram based on them. The cloud management platform 101 can then send the cloud resource architecture diagram to the tenant terminal 102, which can display it in the architecture diagram display page of the cloud service client.

In a possible implementation, the implementation architecture may further include a cloud log server 103, which is used to store the flow logs of different VPCs; the flow logs may include the network traffic logs of different cloud resources. Based on this, the cloud management platform 101 may obtain the network traffic logs of the tenant's cloud resources from the cloud log server 103.

In a possible implementation, the implementation architecture may further include a cloud resource information server 104, which is used to store the configuration information of the cloud resources rented or purchased by different tenants. For example, a configuration information database may be deployed on the cloud resource information server 104, and the configuration information of the tenants' cloud resources is stored in that database. Based on this, the cloud management platform 101 may obtain the configuration information of the cloud resources associated with a tenant from the cloud resource information server 104.

It should be noted that the above tenant terminal 102 can be a tenant device such as a smart phone, a tablet computer or a personal computer. The cloud log server 103 and the cloud resource information server 104 are both servers deployed in a cloud data center, and either of them can be a physical server in the cloud data center, a server cluster, or a cloud server, which is not limited in the embodiments of the present application.

It can be understood that the above implementation architecture also includes the multiple target cloud resources managed by the cloud management platform, which are not shown in FIG. 1. Moreover, the cloud resource architecture diagram generation method provided in the embodiment of the present application generates a corresponding architecture diagram for some of the multiple target cloud resources managed by the cloud management platform.

Next, the cloud resource architecture diagram generation method provided in the embodiment of the present application is explained in detail.

FIG. 2 is a flow chart of a cloud resource architecture diagram generation method provided in an embodiment of the present application. The method can be applied to the cloud management platform introduced above. Referring to FIG. 2, the method includes the following steps:

Step 201: In response to an architecture diagram generation request sent by a tenant, obtain the configuration information of a first cloud resource, and obtain the network traffic log of the first cloud resource.

In the embodiment of the present application, after the tenant logs in to the cloud management platform through the cloud service client on the tenant terminal, the cloud management platform can provide the tenant, through the cloud service client, with an interactive interface for managing cloud resources. The tenant can perform an architecture diagram acquisition operation in the interactive interface, and in response to that operation the tenant terminal can send an architecture diagram generation request to the cloud management platform through the cloud service client.

In a possible implementation, an architecture diagram acquisition option may be displayed in the interactive interface. In response to the tenant selecting the architecture diagram acquisition option, the tenant terminal may display in the interactive interface the indication information of one or more VPCs constructed by the tenant. In response to the tenant selecting the indication information of a first VPC among the one or more VPCs, the tenant terminal generates an architecture diagram generation request based on the indication information of the selected first VPC and then sends the request to the cloud management platform. The architecture diagram generation request carries the indication information of the first VPC.

It should be noted that the indication information of a VPC can indicate the corresponding VPC. Exemplarily, the indication information of a VPC can be the network identifier of the VPC, for example, the IP address of a VPC subnet or a virtual extensible local area network (VXLAN) network identifier (VNI).

Optionally, the indication information of the VPC may also be other information capable of indicating the VPC; for example, it may be a domain name address associated with the EIP bound to the VPC. Alternatively, the indication information may be the identifier of the tenant, or the like. Alternatively, the indication information of the VPC may be the resource identifier of any cloud resource in the VPC; for example, the indication information of the first VPC may be the resource identifier of a first cloud resource in the first VPC.

In another possible implementation, in response to the tenant selecting the architecture diagram acquisition option, the tenant terminal may display in the interactive interface an information input box for entering the indication information of a VPC. The tenant may enter the indication information of the first VPC in the information input box. After receiving the indication information of the first VPC, the tenant terminal may generate an architecture diagram generation request based on it and send the request to the cloud management platform. The architecture diagram generation request carries the indication information of the first VPC.

After receiving the architecture diagram generation request, the cloud management platform obtains the configuration information and network traffic log of the first cloud resource based on the indication information of the first VPC carried in the request.

In a first possible implementation, when the architecture diagram generation request carries the network identifier of the first VPC, the cloud management platform can obtain, based on the network identifier of the first VPC, the configuration information of at least one cloud resource in the first VPC. The configuration information of the at least one cloud resource includes the configuration information of the first cloud resource.

It should be noted that a tenant can configure the cloud resources it rents or purchases so as to build a VPC. The cloud management platform can store the network identifier of each VPC in the cloud resource information server in correspondence with the configuration information of the cloud resources in that VPC. Based on this, after receiving an architecture diagram generation request carrying the network identifier of the first VPC, the cloud management platform can obtain from the cloud resource information server the configuration information of the cloud resources corresponding to that network identifier.

Exemplarily, the configuration information of the cloud resources corresponding to the network identifier of a VPC may include the IP address, resource identifier and type of each cloud resource in the VPC. The IP address of a cloud resource may be a virtual IP address or a real IP address; the resource identifier of a cloud resource is used to uniquely identify the cloud resource, and may for example be a number assigned to the cloud resource by the cloud management platform; the type of a cloud resource is used to indicate the cloud service that the cloud resource can implement, that is, the function of the cloud resource. For example, the types of cloud resources may include gateway, cloud database, ELB, cloud server, and so on.

For example, the configuration information of the cloud resources in the first VPC may be as shown in Table 1, where each row of Table 1 is the configuration information of one cloud resource in the first VPC, the first column is the IP address of each cloud resource, the second column is the resource identifier of each cloud resource, and the third column is the type of each cloud resource. The IP address of the cloud resource with resource identifier ID5 is a virtual IP (VIP) address; a cloud resource type of system interface indicates that the corresponding cloud resource is a physical host; and a cloud resource type of dynamic host configuration protocol (DHCP) indicates that the corresponding cloud resource is used to dynamically allocate IP addresses and configuration information.

Table 1 Configuration information of cloud resources in the first VPC network

Table 1 above is an example of configuration information given in the embodiment of the present application; it can be understood that the configuration information of a cloud resource may include more information than Table 1 shows. For example, taking the first cloud resource as an example, its configuration information may also include the connection relationships between the first cloud resource and other cloud resources. For example, when the first cloud resource is a cloud server, the configuration information of the cloud server may also include information on the cloud disk bound to the cloud server, indicating that the cloud server has a connection relationship with the cloud disk. If the cloud server is also bound to an EIP, its configuration information may also include information on that EIP, indicating that the cloud server has a connection relationship with the EIP. Optionally, the configuration information of any cloud resource may also include the network identifier of the VPC to which the cloud resource belongs, the region identifier of the region to which it belongs, and the like.

After obtaining the configuration information of the at least one cloud resource in the first VPC, including the first cloud resource, the cloud management platform may also obtain, based on that configuration information, the configuration information of the public network resources associated with these cloud resources.

It should be noted that when building a VPC, a tenant can configure public network resources for the VPC, such as an EIP or public network address translation (NAT). A public network resource can be bound to a cloud server or an ELB in the VPC. The cloud management platform can store the tenant's configuration information for public network resources in the cloud resource information server. The configuration information of a public network resource may include the IP address of the public network resource and the IP address and/or resource identifier of the cloud resource in the VPC to which the public network resource is bound. Based on this, in the embodiment of the present application, the cloud management platform can also query the cloud resource information server for the configuration information of the public network resources bound to the cloud resources in the first VPC, according to the IP addresses and/or resource identifiers of the cloud resources of type cloud server and/or ELB in the first VPC.

For example, if the cloud resources in the first VPC include a sixth cloud resource that is the ELB shown in Table 1, the cloud management platform can query, based on the resource identifier of the ELB in Table 1, the configuration information of the public network resource associated with the ELB shown in FIG. 3. As shown in FIG. 3, the ELB is associated with an EIP, 139.159.202.120. The configuration information of the EIP also includes the bandwidth of the EIP and the protocol type used, dynamic border gateway protocol (BGP), and so on. It can be seen that the configuration information of the EIP can indicate that the EIP has a connection relationship with the ELB.

Optionally, after obtaining the public network resources associated with the cloud resources in the first VPC, since these public network resources may themselves be bound to other public network resources, the cloud management platform can further determine the other public network resources associated with them based on the obtained configuration information. For example, the EIP shown in FIG. 3 may also correspond to a domain name address, and the domain name address may be bound to a web application firewall (WAF). Based on this, as shown in FIG. 3, the configuration information of the EIP may also include the domain name address corresponding to the EIP, aaa.bbb.com; after querying the domain name address corresponding to the EIP, the cloud management platform can further obtain, based on that domain name address, the configuration information of the WAF corresponding to the domain name address as shown in FIG. 4. The identifier of the WAF corresponding to the domain name address is ID10, its working mode is protection enabled, and its access status is connected. It can be seen that the configuration information of a public network resource can further indicate the connection relationship between that public network resource and other public network resources.

The above mainly introduces the process by which the cloud management platform obtains the configuration information of at least one cloud resource in the first VPC, including the first cloud resource, and of the associated public network resources, when the architecture diagram generation request carries the network identifier of the first VPC.

In a second possible implementation, when the architecture diagram generation request carries not the network identifier of the first VPC but other indication information of the first VPC, for example a domain name address capable of indicating the first VPC, the cloud management platform can obtain, based on the domain name address, the configuration information of the EIP corresponding to it. Then, based on the configuration information of the EIP, it determines the resource identifier or IP address of the cloud resource in the first VPC bound to the EIP, such as a cloud server or ELB, and then, based on that resource identifier or IP address, obtains the configuration information of the other cloud resources in the first VPC containing the cloud server or ELB. In this way, the cloud management platform can obtain the configuration information of multiple cloud resources in the first VPC, including the first cloud resource, and the configuration information of the public network resources associated with the cloud resources in the first VPC. For the relevant implementation principle, refer to the description of the first possible implementation above.

It can be seen that the difference between this implementation and the first implementation is that this implementation takes the domain name address as the starting point and, based on the association relationships contained in the configuration information, obtains step by step the configuration information of the public network resources associated with the first VPC and of the cloud resources in the first VPC, whereas the first implementation takes the first VPC as the starting point and obtains step by step the configuration information of the cloud resources in the first VPC and of the associated public network resources. Based on this, when the indication information of the first VPC carried in the architecture diagram generation request is the resource identifier of a cloud resource in the first VPC, such as the resource identifier of the first cloud resource, the cloud management platform can likewise determine, based on the resource identifier of the first cloud resource, the network identifier of the first VPC to which the first cloud resource belongs, and then obtain, based on that network identifier, the configuration information of the multiple cloud resources in the first VPC including the first cloud resource and the configuration information of the public network resources associated with them. That is, in this case the first cloud resource in the first VPC is the starting point, and the configuration information is used to obtain the configuration information of the cloud resources in the first VPC and of the associated public network resources.
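The first and second implementations above both walk the association relationships recorded in the configuration information (ELB to EIP to domain name to WAF, cloud server to cloud disk), differing only in the starting point. The following is an added example illustrating that walk; it is not code from the patent or from any cloud management platform. The configuration records, the identifiers (vpc-1, vpc-2, ID1 to ID7, eip-1, dom-1, evs-1) and the private IP addresses are constructed sample data standing in for the configuration information database on the cloud resource information server; the link field names (eip, domain, waf, disk, bound_to) are assumptions made for the example. It goes slightly beyond the text in accepting any of the three kinds of indication information (VPC network identifier, domain name address, resource identifier) through one entry point.

```python
"""Added example (not the patent's code): resolve the indication information of an
architecture diagram generation request to the configuration information of the VPC's
cloud resources and their associated public network resources."""
from collections import deque

# Constructed stand-in for the configuration information database. Every record
# carries a type and the association links the description mentions; records with a
# "vpc" field are cloud resources inside that VPC, the others are public network
# resources or bound devices. All identifiers and addresses are hypothetical.
CONFIG_DB = {
    "ID1": {"type": "gateway", "ip": "192.168.0.1", "vpc": "vpc-1"},
    "ID2": {"type": "cloud server", "ip": "192.168.0.10", "vpc": "vpc-1", "disk": "evs-1"},
    "ID3": {"type": "cloud database", "ip": "192.168.0.20", "vpc": "vpc-1"},
    "ID6": {"type": "ELB", "ip": "192.168.0.100", "vpc": "vpc-1", "eip": "eip-1"},
    "eip-1": {"type": "EIP", "ip": "139.159.202.120", "bound_to": "ID6",
              "bandwidth_mbit": 5, "routing": "BGP", "domain": "dom-1"},
    "dom-1": {"type": "domain", "name": "aaa.bbb.com", "eip": "eip-1", "waf": "ID10"},
    "ID10": {"type": "WAF", "domain": "dom-1", "mode": "protection on", "access": "connected"},
    "evs-1": {"type": "cloud disk", "bound_to": "ID2"},
    # belongs to another VPC and must never leak into the first VPC's diagram
    "ID7": {"type": "cloud server", "ip": "192.168.1.10", "vpc": "vpc-2"},
}

# Record fields that express an association relationship with another record.
LINK_FIELDS = ("eip", "domain", "waf", "disk", "bound_to")


def neighbours(rid):
    """Identifiers directly associated with record rid through its link fields."""
    rec = CONFIG_DB[rid]
    return [rec[f] for f in LINK_FIELDS if f in rec]


def vpc_of(rid):
    """Follow association links breadth-first from any record until one that
    belongs to a VPC is reached (domain -> EIP -> bound ELB -> its VPC)."""
    seen, queue = {rid}, deque([rid])
    while queue:
        cur = queue.popleft()
        if "vpc" in CONFIG_DB[cur]:
            return CONFIG_DB[cur]["vpc"]
        for nxt in neighbours(cur):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return None


def resolve_vpc(indicator):
    """Map the request's VPC indication information to a VPC network identifier.
    Accepts a VPC network identifier, a domain name address or a resource identifier;
    returns None for anything the configuration database does not know."""
    if any(rec.get("vpc") == indicator for rec in CONFIG_DB.values()):
        return indicator
    for rid, rec in CONFIG_DB.items():
        if rec.get("type") == "domain" and rec.get("name") == indicator:
            return vpc_of(rid)
    if indicator in CONFIG_DB:
        return vpc_of(indicator)
    return None


def collect_topology(vpc_id):
    """Return (resources, edges) for one VPC: the cloud resources inside the VPC plus
    every public network resource reachable through association links, and the
    statically configured connection relationships as sorted identifier pairs."""
    resources = {rid for rid, rec in CONFIG_DB.items() if rec.get("vpc") == vpc_id}
    edges = set()
    queue = deque(resources)
    while queue:
        cur = queue.popleft()
        for nxt in neighbours(cur):
            edges.add(tuple(sorted((cur, nxt))))
            if nxt not in resources:
                resources.add(nxt)
                queue.append(nxt)
    return resources, edges


if __name__ == "__main__":
    for indicator in ("vpc-1", "aaa.bbb.com", "ID10"):
        vpc = resolve_vpc(indicator)
        nodes, links = collect_topology(vpc)
        print(indicator, "->", vpc, sorted(nodes), sorted(links))
```

The breadth-first walk keeps a visited set so that the bidirectional links in the sample data (EIP to ELB and ELB to EIP) cannot loop, and the VPC filter at the start of `collect_topology` is what keeps another tenant's resources (ID7 here) out of the result, which is the tenant-isolation property a platform must preserve when it assembles a diagram from shared configuration stores.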

After receiving the architecture diagram generation request, the cloud management platform can also obtain the network traffic log of the first cloud resource based on the indication information of the first VPC carried in the request.

Exemplarily, the cloud management platform can obtain, based on the indication information of the first VPC, the network traffic log of at least one cloud resource in the first VPC, including the first cloud resource. The network traffic log of any cloud resource can indicate the data message transmission between that cloud resource and other cloud resources.

It should be noted that, as can be seen from the above description, the configuration information of cloud resources may contain statically configured connection relationships between cloud resources. However, there may be other association relationships between cloud resources besides the statically configured connection relationships, for example dynamic connection relationships between cloud resources, and the dynamic connection relationships between different cloud resources may further reveal some hidden connection relationships between them. Based on this, the cloud management platform can combine the configuration information and network traffic logs of cloud resources to discover the connection relationships between cloud resources.

As an example, the cloud management platform can provide tenants with a VPC flow log service, and a tenant can choose whether to enable it. The VPC flow log service can be used to generate a flow log of a VPC to record the data message transmission of the cloud resources in the VPC. Based on this, in the embodiment of the present application, the tenant can enable the flow log service of the first VPC in advance. In response to the tenant's operation of enabling the flow log service, the tenant terminal can send a flow log creation request to the cloud management platform, carrying the network identifier of the first VPC. After receiving the flow log creation request, the cloud management platform can create a log group in the cloud log server and create the flow log of the first VPC in the log group. Thereafter, based on the captured information of the data messages of the cloud resources passing through the first VPC, log records indicating that data message transmission exists between cloud resources are generated in the flow log, where each log record can include detailed information on the data message transmission.

Based on this, after receiving the architecture diagram generation request, the cloud management platform can obtain the flow log of the first VPC from the cloud log server based on the indication information of the first VPC, where the flow log includes at least one log record indicating that data message transmission exists between a cloud resource in the first VPC and other cloud resources; accordingly, the network traffic log of that cloud resource includes the at least one log record.

Exemplarily, if the architecture diagram generation request carries the network identifier of the first VPC, the cloud management platform can obtain the corresponding flow log directly from the cloud log server based on that network identifier.

If the architecture diagram generation request carries other indication information of the first VPC, for example a domain name address associated with the first VPC, the cloud management platform can, while obtaining the configuration information of the cloud resources through the second implementation described above, determine the information of the cloud resources in the associated first VPC based on the configuration information of the EIP found for the domain name address, determine the network identifier of the first VPC from that cloud resource information, and then obtain the corresponding flow log from the cloud log server based on the network identifier of the first VPC.

It should be noted that a log record in the flow log can include, in sequence, the flow log version number, project identifier, interface identifier, source address, destination address, source port identifier, destination port identifier, protocol type, number of data packets, data packet size, start time, end time, action and log status.

The project identifier of a log record can be the network identifier of the VPC. Of course, if the tenant created the flow log for a certain region, or for a certain switch or elastic network interface in the VPC, the project identifier of the log records in that flow log can be the identifier of the corresponding region, switch or elastic network interface.

The interface identifier indicates the interface at which the log record was captured. For example, if the log record comes from the first elastic network interface in the first VPC, the interface identifier in the log record may be the identifier of that first elastic network interface.

The source address and source port identifier may be the IP address of the sender of the data packet recorded in the log record and the identifier of the corresponding sending port; the source address may be a real IP address or a virtual IP address. The destination address and destination port identifier may be the IP address of the receiver of that data packet and the identifier of the corresponding receiving port; the destination address may likewise be a real IP address or a virtual IP address.

The protocol type is the network protocol used for the data packet transmission, for example the transmission control protocol (TCP) or the user datagram protocol (UDP).

The number of data packets and the data packet size respectively indicate the number and the size of the data packets contained in the data packet transmission recorded in the log record.

The start time and the end time respectively indicate the start and the end of the capture window of the information recorded in the log record.

The action indicates whether this data packet transmission was allowed by the security group and the network access control list (ACL).

After obtaining the flow log of the first VPC, the cloud management platform can parse each log record in the flow log according to the record format introduced above, so as to obtain the information contained in each record. In this way, by parsing the multiple log records in the flow log, the cloud management platform obtains the network traffic log of at least one cloud resource in the first VPC, including the first cloud resource.

Optionally, in some embodiments, before obtaining the flow log of the first VPC from the cloud log server based on the indication information of the first VPC, the cloud management platform can also send a permission request to the tenant terminal of the tenant to whom the first VPC belongs; the permission request asks the tenant for permission to obtain the flow log of the first VPC. After receiving the permission request, the tenant terminal can display it in the interface of the cloud service client, together with options to grant or to deny authorization. If the tenant agrees to let the cloud management platform obtain the flow log of the first VPC, the tenant can click the grant option, which triggers the tenant terminal to return a grant notification message to the cloud management platform; after receiving the grant notification, the cloud management platform can obtain the flow log of the first VPC. If the tenant does not agree, the tenant can click the deny option, which triggers the tenant terminal to return a denial notification message to the cloud management platform; in that case, the cloud management platform does not obtain the flow log of the first VPC.

Step 202: Generate a cloud resource architecture diagram based on the configuration information and the network traffic log of the first cloud resource.

After obtaining the configuration information and network traffic logs of at least one cloud resource in the first VPC, including the first cloud resource, the cloud management platform may generate a cloud resource architecture diagram based on the obtained configuration information and network traffic logs.

In some embodiments, the configuration information of a cloud resource may include information about other cloud resources associated with it. Based on this, taking the fourth cloud resource in the first VPC as an example, if the configuration information of the fourth cloud resource also includes information about a fifth cloud resource associated with it, the cloud management platform can determine that the fourth cloud resource has a connection relationship with the fifth cloud resource.

For example, if the fourth cloud resource is a cloud server and its configuration information includes the information of two bound cloud disks, the cloud management platform can determine from that configuration information that the fourth cloud resource has a connection relationship with the two cloud disks.

In some embodiments, the cloud management platform may also obtain the configuration information of a public network resource associated with at least one cloud resource in the first VPC, and the configuration information of the public network resource may include the cloud resource in the first VPC to which the public network resource is bound. Based on this, taking the cloud resource in the first VPC bound to the public network resource as the sixth cloud resource, the cloud management platform may determine that the sixth cloud resource has a connection relationship with the public network resource, based on the binding information between the public network resource and the sixth cloud resource included in the configuration information of the public network resource.

For example, as shown in FIG. 3, if the configuration information of the EIP indicates that the EIP is bound to the ELB identified as ID3, it can be determined that there is a connection relationship between the EIP and the ELB.

In some embodiments, the network traffic log of a cloud resource in the first VPC may indicate that data packets were transmitted between that cloud resource and other cloud resources. Based on this, the cloud management platform may also determine the connection relationships between cloud resources based on the network traffic logs of the cloud resources in the first VPC.

Exemplarily, each log record in the flow log of the first VPC includes the source address and destination address of one data packet transmission. Based on this, the cloud management platform can determine the connection relationship between two cloud resources from the source address and destination address recorded in each log record.

Taking one log record in the flow log of the first VPC as an example, call it the first record. The cloud management platform can determine from the source address and destination address in the first record that there is a connection relationship between the first cloud resource and the second cloud resource, where either the source address in the first record is the IP address of the first cloud resource and the destination address is the IP address of the second cloud resource, or the source address is the IP address of the second cloud resource and the destination address is the IP address of the first cloud resource.

As can be seen from the above, the source address in a log record is the address of the sender of the data packet and the destination address is the address of the receiver. Therefore, if the source address in the first record is the IP address of the first cloud resource and the destination address is the IP address of the second cloud resource, it can be determined from the first record that the first cloud resource transmitted a data packet to the second cloud resource, that is, there is a connection relationship between the first cloud resource and the second cloud resource. Similarly, if the source address in the first record is the IP address of the second cloud resource and the destination address is the IP address of the first cloud resource, it can be determined from the first record that the second cloud resource transmitted a data packet to the first cloud resource, that is, again, there is a connection relationship between the first cloud resource and the second cloud resource.

It should be noted that the second cloud resource can be a cloud resource in the first VPC or a cloud resource in a second VPC. Where the second cloud resource is in the second VPC and the second VPC and the first VPC were built by the same tenant, the cloud management platform can also use the IP address of the second cloud resource as the indication information of the second VPC and, based on that indication information, obtain the configuration information and network traffic logs of the cloud resources in the second VPC with reference to the method described in step 201, and then derive the connection relationships of the cloud resources in the second VPC from that configuration information and those network traffic logs. It can be seen that the flow log of the first VPC can be used to determine not only the connection relationships between cloud resources within the same VPC, but also the connection relationships between cloud resources across VPCs.

Optionally, the log records in the flow log of the first VPC may also include a source port identifier and a destination port identifier. On this basis, the cloud management platform may also determine the connection relationship between two ports on the two cloud resources from the source port identifier and destination port identifier in a log record.

Still taking the first record as an example, the cloud management platform can also determine, from the source port identifier and destination port identifier in the first record, that there is a connection relationship between the first port on the first cloud resource and the second port on the second cloud resource.

As can be seen from the above, the source port identifier in a log record identifies the port on the sender indicated by the source address from which the data packet was sent, and the destination port identifier identifies the port on the receiver indicated by the destination address at which the data packet was received. Based on this, if the source address in the first record is the IP address of the first cloud resource, the source port identifier in the first record identifies the port on the first cloud resource that sent the data packet to the second cloud resource, and the destination port identifier identifies the port on the second cloud resource that received the data packet sent by the first cloud resource. In this case, it can be determined from the first record that there is a connection relationship between the first port on the first cloud resource, identified by the source port identifier, and the second port on the second cloud resource, identified by the destination port identifier.

Optionally, if the source address in the first record is the IP address of the second cloud resource, the source port identifier in the first record identifies the port on the second cloud resource that sent the data packet to the first cloud resource, and the destination port identifier identifies the port on the first cloud resource that received the data packet sent by the second cloud resource. In this case, it can be determined from the first record that there is a connection relationship between the second port on the second cloud resource, identified by the source port identifier, and the first port on the first cloud resource, identified by the destination port identifier.

For example, if both the first cloud resource and the second cloud resource are ECS instances, different applications deployed on the ECS instances may communicate through different ports. Based on this, the cloud management platform can also determine from the first record which two ports on the two ECS instances have a connection relationship, that is, between which two ports a communication link is established.

Optionally, if the source address or destination address in the first record is a virtual IP address, then, since a virtual IP address can be bound to at least one instance, it corresponds to at least one real IP address. Based on this, the cloud management platform can also find in the flow log of the first VPC a second record that describes the same data packet transmission as the first record, and determine from that second record the cloud resource to which the virtual IP address in the first record is bound.

Exemplarily, take the case where the source address in the first record is the IP address of the second cloud resource: if that source address is a first virtual IP address, the cloud management platform can search the flow log of the first VPC for a second record whose destination address, destination port identifier, protocol type, number of packets, packet size, start time and end time are all the same as in the first record and whose source address is a real IP address. The cloud management platform can then determine, from the first record and the second record, that the first virtual IP address is the virtual IP address bound to the third cloud resource indicated by the source address in the second record.

Since the destination address, destination port, protocol type, number of packets, packet size, start time and end time in the second record and the first record are all the same, the two records describe the same transmission of a data packet to the first cloud resource. In this case, the source address in both the first record and the second record refers to the sender of that data packet. Based on this, the first virtual IP address in the first record is the sender's virtual IP address, and the source address in the second record is the sender's real IP address. It can be seen that the source address in the second record is the real IP address of the instance bound to the first virtual IP address; in other words, the first virtual IP address is the virtual IP address bound to the third cloud resource indicated by the source address in the second record. In this way, the cloud management platform can determine that there is a connection relationship between the third cloud resource and the second cloud resource represented by the first virtual IP address.

Optionally, take the case where the destination address in the first record is the IP address of the second cloud resource: if that destination address is a first virtual IP address, the cloud management platform can search the flow log of the first VPC for a second record whose source address, source port identifier, protocol type, number of packets, packet size, start time and end time are all the same as in the first record and whose destination address is a real IP address. The cloud management platform can then determine, from the first record and the second record, that the first virtual IP address is the virtual IP address bound to the third cloud resource indicated by the destination address in the second record.

Furthermore, if the cloud service types of the third cloud resource and of the second cloud resource indicated by the first virtual IP address are both cloud database, the cloud management platform can further determine the network deployment relationship of the cloud resources, namely that the cloud database is deployed on the instance that is the third cloud resource.

Optionally, where the third cloud resource is a cloud resource in the first VPC, if the configuration information of the cloud resources in the first VPC also includes a seventh cloud resource of type cloud database whose IP address is a real IP address, the cloud management platform can also determine that the first virtual IP address is also the virtual IP address bound to the seventh cloud resource. In addition, the cloud management platform can determine that the cloud database is deployed on two instances, the third cloud resource and the seventh cloud resource, where the third cloud resource is the current primary instance and the seventh cloud resource is the current standby instance.
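As an added example (not code from the patent), the following Python parses flow-log records in the field order the text lists, derives the address-level and port-level connection relationships described above, and resolves a virtual IP address to the real address behind it by the record-matching rule just described. The whitespace-separated record layout, the `ACCEPT`/`REJECT` action values, and the sample addresses are constructed assumptions.

```python
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Set, Tuple

# Field order as listed in the text; the whitespace-separated layout is an assumption.
FIELDS = ("version", "project_id", "interface_id", "src_addr", "dst_addr",
          "src_port", "dst_port", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"src_port", "dst_port", "packets", "bytes", "start", "end"}
FlowRecord = NamedTuple("FlowRecord", [(f, int if f in INT_FIELDS else str) for f in FIELDS])


def parse_record(line: str) -> FlowRecord:
    """Split one flow-log line into its fourteen named fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return FlowRecord(**{f: int(v) if f in INT_FIELDS else v for f, v in zip(FIELDS, parts)})


def parse_flow_log(text: str) -> List[FlowRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def address_edges(records: Iterable[FlowRecord], accepted_only: bool = True) -> Set[FrozenSet[str]]:
    """Undirected connection relationships between source and destination addresses.

    By default only records the security group / ACL allowed count (the
    action value "ACCEPT" is an assumption), so that blocked attempts do not
    appear as links in the diagram.
    """
    return {frozenset((r.src_addr, r.dst_addr)) for r in records
            if not accepted_only or r.action == "ACCEPT"}


def port_edges(records: Iterable[FlowRecord]) -> Set[Tuple[Tuple[str, int], Tuple[str, int]]]:
    """Port-level links: (sending address, sending port) -> (receiving address, receiving port)."""
    return {((r.src_addr, r.src_port), (r.dst_addr, r.dst_port))
            for r in records if r.action == "ACCEPT"}


def _receiver_side(r: FlowRecord) -> tuple:
    """Fields that must agree with a second record when the source is a virtual IP."""
    return (r.dst_addr, r.dst_port, r.protocol, r.packets, r.bytes, r.start, r.end)


def _sender_side(r: FlowRecord) -> tuple:
    """Fields that must agree with a second record when the destination is a virtual IP."""
    return (r.src_addr, r.src_port, r.protocol, r.packets, r.bytes, r.start, r.end)


def resolve_virtual_ips(records: Iterable[FlowRecord], virtual_ips: Set[str]) -> Dict[str, Set[str]]:
    """Map each virtual IP to the real IPs of the instances bound to it.

    One transmission is captured twice: once with the virtual IP and once with
    the real address of the instance behind it. A virtual source is paired with
    a real-source record that agrees on all receiver-side fields; a virtual
    destination is paired on sender-side fields.
    """
    records = list(records)
    real_src: Dict[tuple, Set[str]] = {}  # receiver-side key -> real source addresses
    real_dst: Dict[tuple, Set[str]] = {}  # sender-side key -> real destination addresses
    for r in records:
        if r.src_addr not in virtual_ips:
            real_src.setdefault(_receiver_side(r), set()).add(r.src_addr)
        if r.dst_addr not in virtual_ips:
            real_dst.setdefault(_sender_side(r), set()).add(r.dst_addr)
    bindings: Dict[str, Set[str]] = {}
    for r in records:
        if r.src_addr in virtual_ips:
            bindings.setdefault(r.src_addr, set()).update(real_src.get(_receiver_side(r), ()))
        if r.dst_addr in virtual_ips:
            bindings.setdefault(r.dst_addr, set()).update(real_dst.get(_sender_side(r), ()))
    return {vip: ips for vip, ips in bindings.items() if ips}


# Constructed sample log (not from the patent): ELB 10.0.0.10, ECS1 10.0.1.11,
# ECS2 10.0.1.12, RDS primary 10.0.2.11 reachable through virtual IP 10.0.2.100.
SAMPLE_LOG = """\
1 vpc-1 eni-elb 10.0.0.10 10.0.1.11 43210 8080 6 12 3400 1700000000 1700000060 ACCEPT OK
1 vpc-1 eni-elb 10.0.0.10 10.0.1.12 43211 8080 6 9 2100 1700000000 1700000060 ACCEPT OK
1 vpc-1 eni-ecs1 10.0.1.11 10.0.2.100 51000 3306 6 20 8000 1700000010 1700000070 ACCEPT OK
1 vpc-1 eni-rdsb 10.0.1.11 10.0.2.11 51000 3306 6 20 8000 1700000010 1700000070 ACCEPT OK
1 vpc-1 eni-ecs2 10.0.2.100 10.0.1.12 3306 51002 6 15 6100 1700000020 1700000080 ACCEPT OK
1 vpc-1 eni-rdsb 10.0.2.11 10.0.1.12 3306 51002 6 15 6100 1700000020 1700000080 ACCEPT OK
1 vpc-1 eni-ecs1 10.0.9.9 10.0.1.11 55555 22 6 1 60 1700000030 1700000031 REJECT OK
"""
VIRTUAL_IPS = {"10.0.2.100"}
SAMPLE_RECORDS = parse_flow_log(SAMPLE_LOG)

if __name__ == "__main__":
    for edge in sorted(sorted(e) for e in address_edges(SAMPLE_RECORDS)):
        print("link:", " <-> ".join(edge))
    print("virtual IP bindings:", resolve_virtual_ips(SAMPLE_RECORDS, VIRTUAL_IPS))
```

The rejected probe on port 22 is dropped from the link set by default, while passing `accepted_only=False` keeps it, which is the distinction the action field exists to make.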

The above are examples, given in the embodiments of the present application, of determining the association relationships between cloud resources from their network traffic logs. In some possible cases, the cloud management platform can also derive other cloud resource deployment relationships from the network traffic logs of the cloud resources in the first VPC. For example, the cloud management platform can determine the deployment location of a hidden switch in the first VPC from the source address, destination address and interface identifier in each log record, and can determine which cloud resources in the first VPC belong to the same security group from the source address, destination address and action in each log record.

After determining the connection relationships between cloud resources from the configuration information and network traffic logs, the cloud management platform can generate a cloud resource architecture diagram based on the determined connection relationships and the obtained configuration information of the cloud resources and public network resources. The cloud resource architecture diagram includes the connection relationships between the above cloud resources.

Exemplarily, the cloud management platform can first draw cloud resource nodes representing the corresponding cloud resources based on the obtained configuration information of the cloud resources within the first VPC, and draw cloud resource nodes corresponding to the public network resources based on the configuration information of the public network resources associated with the first VPC, thereby obtaining a resource node graph in which each cloud resource node can correspond to the resource identifier and/or IP address of a cloud resource or public network resource.

It should be noted that the cloud management platform can determine the initial layout of the cloud resource nodes corresponding to each cloud resource based on the types of the cloud resources within the first VPC, and determine the initial layout of the cloud resource nodes corresponding to the public network resources based on the associations between the public network resources and other resources contained in the configuration information of the public network resources, and then draw the resource node graph based on that initial layout.

For example, see FIG. 5. ELB instances are used for load balancing and, in a VPC scenario, are usually associated with ECS instances; therefore, in the resource node graph, the ELB node representing the ELB instance can be placed close to the ECS1 node representing the ECS1 instance and the ECS2 node representing the ECS2 instance. Multiple ECS instances are usually used as computing resources, so the ECS1 node and the ECS2 node are placed side by side. As another example, a cloud database is a data storage service that ECS instances may access fairly frequently; therefore, the relational database service (RDS) node A representing cloud database resource A, RDS node B representing cloud database resource B and RDS node C representing cloud database resource C can be placed close to the ECS1 node and the ECS2 node. Finally, from the configuration information of the public network resources, the connection relationship between the EIP and the ELB instance, between the domain name address and the EIP, and between the domain name address aaa.bbb.com and the WAF can be obtained; therefore, the EIP node representing the EIP can be placed close to the ELB node, the domain name address aaa.bbb.com close to the EIP node, and the WAF node representing the WAF close to the domain name address and the EIP node. In addition, as shown in FIG. 5, each cloud resource node can also correspond to the IP address of the corresponding cloud resource.

Optionally, if the connection relationships determined from the network traffic logs of the cloud resources include connection relationships between cloud resources within the first VPC and cloud resources in other VPCs, the cloud management platform can also add cloud resource nodes representing the cloud resources in the other VPCs to the resource node graph based on those connection relationships.

Optionally, when drawing the resource node graph, the cloud management platform may also represent each cloud resource node with the cloud resource icon corresponding to the type of the cloud resource.

After obtaining the resource node graph, the cloud management platform may connect the cloud resource nodes of the cloud resources that have a connection relationship, based on the connection relationships between cloud resources determined above.

For example, still taking FIG. 5 as an example, the cloud management platform can determine from the configuration information of the cloud resources that the EIP is bound to the ELB instance, that the EIP is associated with the domain name address aaa.bbb.com, and that the domain name address is associated with the WAF; therefore, the EIP node and the ELB node can be connected by a connecting line, the EIP node can be connected to domain name address A, and domain name address A can be connected to the WAF. In addition, from the flow log of the first VPC, it can be determined that the ELB instance has a connection relationship with the ECS1 instance and with the ECS2 instance respectively; therefore, based on those connection relationships, the ELB node can be connected to the ECS1 node and to the ECS2 node. From the flow log of the first VPC it can also be determined that the ECS1 instance and the ECS2 instance have a connection relationship with cloud database resource A, and that the ECS1 instance and the ECS2 instance also both have a connection relationship with cloud database resource B. Since the IP address of cloud database resource A is a virtual IP address while the IP addresses of cloud database resource B and cloud database resource C are both real IP addresses, it can be determined that cloud database resource A is the virtual IP address bound to cloud database resource B and cloud database resource C, that the cloud database is deployed in a distributed manner on cloud database resource B and cloud database resource C, and that cloud database resource B is the current primary instance and cloud database resource C the current standby instance. Based on this, the cloud management platform can connect both the ECS1 node and the ECS2 node to RDS node A, connect RDS node A to RDS node B and to RDS node C respectively, and mark RDS node B as the primary node and RDS node C as the standby node in the diagram. In addition, the cloud management platform can also label the cloud resources in the first VPC with the network identifier VPC1 of the first VPC. In this way, the cloud management platform obtains a cloud resource architecture diagram that includes the connection relationships between multiple cloud resources.

In some embodiments, after obtaining the configuration information of the cloud resources within the first VPC and the configuration information of the associated public network resources, the cloud management platform may first generate the resource node graph from the obtained configuration information by the method introduced above, then determine the connection relationships between the cloud resources from the obtained configuration information and the network traffic logs of the cloud resources within the first VPC, and connect the cloud resource nodes in the resource node graph according to those connection relationships, thereby obtaining a cloud resource architecture diagram that includes the connection relationships between multiple cloud resources.

In other embodiments, the cloud management platform may instead first obtain, based on the architecture diagram generation request, the configuration information and network traffic log of the first cloud resource in the first VPC, then determine the connection relationships between the first cloud resource and other cloud resources from that configuration information and network traffic log, and then draw the corresponding cloud resources and the connecting lines between the cloud resource nodes in the cloud resource architecture diagram based on those connection relationships. The cloud management platform can then obtain the configuration information and network traffic logs of the other cloud resources that have a connection relationship with the first cloud resource, and draw the connection relationships that may exist between those other cloud resources in the cloud resource architecture diagram. In this way, new connection relationships are continually obtained from the connection relationships already determined, and the cloud resource architecture diagram is drawn accordingly. The process of determining the connection relationships between any one cloud resource and other cloud resources from its configuration information and network traffic log is as described above and is not repeated here.

After generating the cloud resource architecture diagram, the cloud management platform may send it to the tenant terminal. Accordingly, the tenant terminal may display the cloud resource architecture diagram in the resource architecture diagram display page of the cloud service client.

Optionally, the cloud management platform may also store the cloud resource architecture diagram. For example, when the architecture diagram generation request sent by the tenant carries the network identifier of the first VPC, the cloud management platform may store the cloud resource architecture diagram in association with the network identifier of the first VPC. If the cloud management platform later receives another architecture diagram generation request from that tenant carrying the network identifier of the first VPC, it can retrieve the stored cloud resource architecture diagram directly on the basis of that request and return it to the tenant terminal.

Optionally, after the cloud resource architecture diagram has been stored, if the cloud resources in the diagram change, the cloud management platform may also update the diagram according to those changes.

For example, the cloud data center may provide a cloud audit service to tenants. The cloud audit service records the operations performed on the various resources in the cloud environment, for instance the deletion, addition and modification of cloud resources such as ECS instances and cloud databases in a VPC. On this basis, the cloud management platform may obtain the cloud audit information of the first VPC and update the cloud resource architecture diagram according to it. The cloud audit information may include at least one item of cloud resource change information.

In some embodiments, the cloud management platform may obtain the cloud audit information of the first VPC once every preset time interval and update the cloud resource architecture diagram according to it. In this case the cloud audit information may include one or more items of cloud resource change information recorded within that preset time interval.

In other embodiments, each time the cloud audit service records an item of cloud resource change information for the first VPC, it may actively send a resource change notification to the cloud management platform. The resource change notification may include the network identifier of the first VPC and the cloud resource change information recorded by the cloud audit service on that occasion. After receiving the resource change notification, the cloud management platform may retrieve the corresponding cloud resource architecture diagram on the basis of the network identifier of the first VPC and update it according to the cloud resource change information in the notification.

In addition, the cloud management platform may update the cloud resource architecture diagram in different ways depending on the kind of cloud resource change information contained in the obtained cloud audit information.

For example, if the cloud audit information includes cloud resource addition information, the cloud management platform may, on the basis of that information, add the connection relationships between the newly added cloud resource and other cloud resources to the cloud resource architecture diagram. For instance, if the cloud resource addition information indicates that a certain cloud resource has been added, the cloud management platform may obtain the configuration information of the added cloud resource and, on the basis of it, add a cloud resource node corresponding to that cloud resource to the diagram. If the configuration information of the cloud resource also includes connection relationships between it and other cloud resources, the cloud management platform may also add those connection relationships to the diagram. In addition, the cloud management platform may obtain the network traffic log of the cloud resource and, on the basis of it, add the connection relationships between the cloud resource and other cloud resources to the diagram; the implementation is as described above and is not repeated here.

If the cloud audit information includes cloud resource deletion information, the cloud management platform may, on the basis of that information, delete the corresponding cloud resource from the cloud resource architecture diagram together with the connection relationships between that cloud resource and other cloud resources. For example, if the cloud resource deletion information indicates that a certain cloud resource in the diagram has been deleted, the cloud management platform may delete the cloud resource node representing that cloud resource and, at the same time, delete the connection relationships between that node and the other cloud resource nodes. After the deletion, the cloud management platform may also re-obtain the network traffic logs of the cloud resources that remain in the diagram and mine them for connection relationships, so as to add any new connection relationships that may appear between the remaining cloud resources once the deleted cloud resource is gone.

If the cloud audit information includes cloud resource modification information, the cloud management platform may modify the information of the corresponding cloud resource in the cloud resource architecture diagram on the basis of that information. For example, the cloud resource modification information may indicate a change to the connection relationships of a cloud resource already present in the current diagram, in which case the cloud management platform modifies the connection relationships of that cloud resource in the diagram accordingly.

Optionally, in some embodiments, where the cloud resource architecture diagram includes connection relationships between cloud resources in different VPCs, the cloud management platform may obtain the cloud audit information of each VPC and, with reference to the method introduced above, update the diagram on the basis of the cloud audit information of each VPC. Alternatively, the cloud management platform may, for each cloud resource included in the diagram, obtain the cloud audit information that contains the change information of that cloud resource, and then, with reference to the method introduced above, update the diagram on the basis of the obtained cloud audit information.
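The following Python is an added example, not code from the patent or from Huawei Cloud, of how a stored diagram can be kept current from the three kinds of change information described above: a diagram is stored under the network identifier of its VPC (so a repeated generation request can be answered from the store), an addition creates the node plus its configuration-declared and traffic-derived connections, a deletion removes the node and its edges and then re-mines the remaining resources, and a modification replaces the resource's declared connections. The change-record fields, the resource names, the edge labels and the in-memory store are all assumptions. One check a practitioner would keep is the first one in apply_change: a change is applied only to the diagram stored for the VPC it names, so a notification carrying another VPC's identifier cannot alter this diagram, and the set-based representation makes a change delivered twice (once by polling, once by notification) harmless.

```python
"""Keep a stored cloud-resource architecture diagram current from cloud-audit
change records.

Added example, not code from the patent or from Huawei Cloud.  The shape of a
change record, the resource names and the in-memory store are constructed.
A diagram is {"nodes": {id: type}, "edges": {(src_id, dst_id, label)}} and is
stored under the network identifier of its VPC.
"""
from copy import deepcopy

DIAGRAMS = {}  # VPC network identifier -> diagram


def store_diagram(vpc_id, diagram):
    DIAGRAMS[vpc_id] = deepcopy(diagram)


def lookup_diagram(vpc_id):
    """Answer a repeated generation request for vpc_id from the store."""
    return DIAGRAMS.get(vpc_id)


def _observed_edges(observed, nodes):
    """Traffic-derived connections restricted to resources still on the diagram."""
    return {(s, d, lbl) for (s, d, lbl) in observed if s in nodes and d in nodes}


def _set_config_edges(edges, rid, peers, nodes):
    """Replace rid's configuration-declared connections with the given peers."""
    edges.difference_update({e for e in edges if e[0] == rid and e[2] == "config"})
    edges.update((rid, p, "config") for p in peers if p in nodes)


def apply_change(vpc_id, change, observed=()):
    """Apply one change record to the diagram stored for vpc_id and return it.

    change:   {"action": "add"|"delete"|"modify", "resource": <id>,
               "type": <type> (add), "connects_to": [<id>, ...] (add/modify)}
    observed: (src_id, dst_id, label) triples already mined from the VPC flow
              log; used for the new resource's traffic-derived connections on
              "add" and to re-mine the remaining resources after "delete".
    Applying the same record twice leaves the diagram unchanged: edges form a
    set and deleting an absent node is a no-op.
    """
    diagram = DIAGRAMS.get(vpc_id)
    if diagram is None:
        # never apply a change to a diagram other than the one for this VPC
        raise KeyError(f"no stored diagram for VPC {vpc_id!r}")
    nodes, edges = diagram["nodes"], diagram["edges"]
    rid, action = change["resource"], change["action"]

    if action == "add":
        nodes[rid] = change["type"]
        _set_config_edges(edges, rid, change.get("connects_to", []), nodes)
        edges.update(e for e in _observed_edges(observed, nodes) if rid in e[:2])
    elif action == "delete":
        nodes.pop(rid, None)
        edges.difference_update({e for e in edges if rid in e[:2]})
        edges.update(_observed_edges(observed, nodes))  # re-mine the survivors
    elif action == "modify":
        _set_config_edges(edges, rid, change.get("connects_to", []), nodes)
    else:
        raise ValueError(f"unknown action {action!r}")
    return diagram
```

A typical sequence is store_diagram("vpc-1", diagram) once after generation, then apply_change("vpc-1", record, observed=...) for every record the cloud audit service delivers for that VPC; the delete path deliberately ignores observed triples that still mention the deleted resource, which is why the re-mined edges only ever join resources that remain on the diagram.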

In the embodiments of the present application, in response to a tenant's architecture diagram generation request, the cloud management platform can obtain the configuration information of the first cloud resource and the network traffic log of the first cloud resource, and from them automatically generate a cloud resource architecture diagram that includes the connection relationships between the first cloud resource and other cloud resources. The tenant does not need to draw the diagram manually, so the operation is simple and the usability is high.

In addition, in the embodiments of the present application, the connection relationships between the first cloud resource and other cloud resources can be obtained from the flow log of the VPC associated with the first cloud resource, so no intrusive component needs to be installed and the performance of the node hosting the cloud resource is not affected, which makes the method more widely applicable and less costly.

Finally, because the flow log of a VPC records the data packet transmissions of all cloud resources within that VPC, the connection relationships obtainable from the VPC flow log cover more than those obtainable by installing intrusive components that capture interface call relationships. Accordingly, the connection relationships in the VPC flow log can be used to generate a cloud resource architecture diagram with wider coverage and more complete information.

The cloud management platform provided in the embodiments of the present application is introduced next.

FIG. 6 is a schematic structural diagram of a cloud management platform provided in an embodiment of the present application. Referring to FIG. 6, the cloud management platform 600 may include a resource information acquisition module 61 and an architecture diagram generation module 62.

The resource information acquisition module 61 may be configured to perform step 201 of the foregoing embodiments, and the architecture diagram generation module 62 may be configured to perform step 202 of the foregoing embodiments.

For example, referring to FIG. 6, the resource information acquisition module 61 may include a flow log acquisition unit 611. The flow log acquisition unit 611 may be configured to obtain the flow log of the VPC associated with the first cloud resource. The flow log includes a first record indicating that data packet transmission exists between the first cloud resource and a second cloud resource, and the first record includes the source address and the destination address of that data packet transmission, where either the source address in the first record is the IP address of the first cloud resource and the destination address is the IP address of the second cloud resource, or the source address in the first record is the IP address of the second cloud resource and the destination address is the IP address of the first cloud resource. Specifically, referring to FIG. 6, the flow log may be stored on a cloud log server that provides an object storage service (OBS), and the flow log acquisition unit 611 may obtain the flow log of the VPC associated with the first cloud resource from that cloud log server.

Optionally, the resource information acquisition module 61 may further include a resource configuration information acquisition unit 612, configured to obtain the configuration information of the first cloud resource. Optionally, the resource configuration information acquisition unit 612 may also be configured to obtain the configuration information of a fourth cloud resource, where the configuration information of the fourth cloud resource further includes a connection relationship between the fourth cloud resource and a fifth cloud resource; correspondingly, the architecture diagram generation module 62 is further configured to generate the cloud resource architecture diagram using the configuration information of the fourth cloud resource, such that the fourth cloud resource and the fifth cloud resource have a connection relationship in the diagram. Optionally, the resource configuration information acquisition unit 612 may also be configured to obtain the configuration information of a sixth cloud resource and, on the basis of it, obtain the configuration information of a public network resource associated with the sixth cloud resource, where the configuration information of the public network resource may include the connection relationship between the sixth cloud resource and the public network resource. Correspondingly, the architecture diagram generation module 62 is further configured to generate the cloud resource architecture diagram using the configuration information of the sixth cloud resource and the configuration information of the associated public network resource, such that the diagram also includes the connection relationship between the sixth cloud resource and the public network resource. For example, referring to FIG. 6, the configuration information of the cloud resources may be stored in a cloud resource information server, from which the resource configuration information acquisition unit 612 may obtain the configuration information of the first cloud resource and the configuration information of the public network resources associated with it.

Optionally, the first record further includes a source port identifier and a destination port identifier of the data packet transmission, where either the source port identifier identifies a first port on the first cloud resource and the destination port identifier identifies a second port on the second cloud resource, or the source port identifier identifies the second port on the second cloud resource and the destination port identifier identifies the first port on the first cloud resource; in the cloud resource architecture diagram, the first port on the first cloud resource and the second port on the second cloud resource have a connection relationship.

Optionally, the IP address of the second cloud resource is a first virtual IP address, and the flow log of the VPC associated with the first cloud resource further includes a second record indicating that data packet transmission exists between the first cloud resource and a third cloud resource. The second record and the first record indicate the same data packet transmission, and in both records the source address or the destination address of that transmission is the IP address of the first cloud resource; in the cloud resource architecture diagram, the third cloud resource has a binding relationship with the first virtual IP address.

Optionally, the configuration information of the first cloud resource further includes a connection relationship between the first cloud resource and a fourth cloud resource, and the first cloud resource and the fourth cloud resource have a connection relationship in the cloud resource architecture diagram.
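The following Python is an added example, not code from the patent or from Huawei Cloud, that works through the connection discovery described in the method above (expanding outward from a first cloud resource) and in the unit descriptions just given: flow-log records are resolved to resources through the configuration inventory, the destination port is kept on each traffic-derived edge, a connection declared in configuration (an ELB backend) is drawn without any traffic, and a virtual IP is bound to the resource behind it when two records describe the same transmission once via the VIP and once via the real address. The flow-log line format, the inventory, the addresses, the resource names and the edge labels are all constructed assumptions; real VPC flow logs carry more fields, typically including an accept/reject action, and a practitioner would draw connections only from accepted traffic, since a rejected attempt is not a connection relationship. Two things worth noting for a reviewer: an edge here means traffic was observed, not that it is permitted; and a record whose address is not in the inventory is kept in `unresolved` rather than dropped, because traffic from an address the tenant does not own (the constructed last line, to port 22) is exactly what should not disappear silently from an architecture view.

```python
"""Build a cloud-resource connection graph from VPC flow-log records.

Added example, not code from the patent or from Huawei Cloud.  The flow-log
line format, the inventory, the addresses and the resource names are all
constructed: real VPC flow logs carry more fields (typically an accept/reject
action) and real configuration information comes from the resource service.
"""
from collections import defaultdict, deque

# Constructed "configuration information": id, type and IP of each resource.
# The ELB also declares a backend (a connection carried by configuration, not
# by traffic) and 10.0.2.100 is a virtual IP.
INVENTORY = [
    {"id": "elb-1",   "type": "ELB", "ip": "10.0.0.10",  "backends": ["ecs-web"]},
    {"id": "ecs-web", "type": "ECS", "ip": "10.0.1.20",  "backends": []},
    {"id": "ecs-app", "type": "ECS", "ip": "10.0.1.21",  "backends": []},
    {"id": "rds-1",   "type": "RDS", "ip": "10.0.2.30",  "backends": []},
    {"id": "vip-db",  "type": "VIP", "ip": "10.0.2.100", "backends": []},
]

# Constructed flow-log lines: "<ts> <src_ip> <dst_ip> <src_port> <dst_port>".
# Lines 3 and 4 are one transmission logged twice (virtual IP, then the real
# address behind it); line 5 comes from an address not in the inventory.
FLOW_LOG = """\
1700000000 10.0.0.10 10.0.1.20 41234 443
1700000001 10.0.1.20 10.0.1.21 51000 8080
1700000002 10.0.1.21 10.0.2.100 52000 3306
1700000002 10.0.1.21 10.0.2.30 52000 3306
1700000003 198.51.100.7 10.0.1.20 40000 22
"""


def parse_flow_log(text):
    """Parse the constructed line format into records with typed fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, sport, dport = line.split()
            records.append({"ts": int(ts), "src": src, "dst": dst,
                            "sport": int(sport), "dport": int(dport)})
    return records


def bind_virtual_ips(records, ip_to_res):
    """Map each virtual IP to the resource that really terminates its traffic:
    two records with the same timestamp and ports that differ in exactly one
    endpoint are the same transmission, seen via the VIP and via the real IP."""
    def is_vip(ip):
        return ip_to_res.get(ip, {}).get("type") == "VIP"

    by_key = defaultdict(list)
    for r in records:
        by_key[(r["ts"], r["sport"], r["dport"])].append((r["src"], r["dst"]))
    bindings = {}
    for pairs in by_key.values():
        for a in pairs:
            for b in pairs:
                for i in (0, 1):  # i selects the endpoint that differs
                    if (a[1 - i] == b[1 - i] and a[i] != b[i] and is_vip(a[i])
                            and b[i] in ip_to_res and not is_vip(b[i])):
                        bindings[a[i]] = ip_to_res[b[i]]["id"]
    return bindings


def build_graph(inventory, records, seed_id):
    """Expand outward from seed_id as the iterative embodiment describes.
    Edge labels: "port:<dst_port>" (traffic), "config" (declared in
    configuration), "vip-binding" (VIP bound to a real resource).  Traffic
    involving an address outside the inventory is kept in `unresolved`."""
    ip_to_res = {r["ip"]: r for r in inventory}
    id_to_res = {r["id"]: r for r in inventory}
    bindings = bind_virtual_ips(records, ip_to_res)
    nodes, edges, unresolved = {}, set(), set()
    queue = deque([seed_id])
    while queue:
        cur = queue.popleft()
        if cur in nodes:
            continue
        nodes[cur] = id_to_res[cur]["type"]
        cur_ip = id_to_res[cur]["ip"]
        for backend in id_to_res[cur]["backends"]:     # connections from configuration
            edges.add((cur, backend, "config"))
            queue.append(backend)
        for r in records:                             # connections from traffic
            if cur_ip not in (r["src"], r["dst"]):
                continue
            src, dst = ip_to_res.get(r["src"]), ip_to_res.get(r["dst"])
            if src is None or dst is None:
                unresolved.add((r["src"], r["dst"], r["dport"]))
                continue
            edges.add((src["id"], dst["id"], f"port:{r['dport']}"))
            queue.append(src["id"] if dst["id"] == cur else dst["id"])
        if cur_ip in bindings:                        # a VIP node: bind it
            edges.add((cur, bindings[cur_ip], "vip-binding"))
            queue.append(bindings[cur_ip])
    return {"nodes": nodes, "edges": edges, "unresolved": unresolved}
```

Calling build_graph(INVENTORY, parse_flow_log(FLOW_LOG), "elb-1") reaches all five resources, draws the ELB's configured backend next to the observed 443 edge, links ecs-app to both the VIP and rds-1 on port 3306 with a "vip-binding" edge from the VIP to rds-1, and reports the 198.51.100.7 to port 22 record as unresolved. Seeding from "rds-1" instead walks the same component in the other direction, which is the property the iterative embodiment relies on.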

Optionally, the cloud management platform 600 further includes a cloud audit information acquisition module 63 and an architecture diagram update module 64. The cloud audit information acquisition module 63 is configured to obtain the cloud audit information of the VPC associated with the first cloud resource, the cloud audit information including at least one of cloud resource addition information, cloud resource deletion information and cloud resource modification information for that VPC. The architecture diagram update module 64 is configured to add the corresponding cloud resource to the cloud resource architecture diagram on the basis of the cloud resource addition information, or delete the corresponding cloud resource from the diagram on the basis of the cloud resource deletion information, or modify the corresponding cloud resource in the diagram on the basis of the cloud resource modification information. For example, referring to FIG. 6, the cloud audit information acquisition module 63 may obtain the cloud audit information of the VPC associated with the first cloud resource from the cloud audit service.

In the embodiments of the present application, in response to a tenant's architecture diagram generation request, the cloud management platform can obtain the configuration information and the network traffic log of the first cloud resource and from them automatically generate the cloud resource architecture diagram, so the tenant does not need to draw it manually; the operation is simple and the usability is high. Moreover, because the connection relationships between the first cloud resource and other cloud resources can be obtained from the flow log of the VPC associated with the first cloud resource, no intrusive component needs to be installed and the cost is lower.

An embodiment of the present application further provides a computing device 700. As shown in FIG. 7, the computing device 700 includes a bus 702, a processor 704, a memory 706 and a communication interface 708. The processor 704, the memory 706 and the communication interface 708 communicate with one another through the bus 702. The computing device 700 may be a server or a terminal device. It should be understood that the present application does not limit the number of processors or memories in the computing device 700.

The bus 702 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one line is drawn in FIG. 7, but this does not mean that there is only one bus or only one type of bus. The bus 702 may include a path for transferring information between the components of the computing device 700 (for example, the memory 706, the processor 704 and the communication interface 708).

The processor 704 may include any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), a digital signal processor (DSP) and the like.

The memory 706 may include volatile memory, for example random access memory (RAM). The memory 706 may also include non-volatile memory, for example read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).

The memory 706 stores executable program code, and the processor 704 executes that program code to implement the functions of the resource information acquisition module and the architecture diagram generation module described above, thereby carrying out the cloud resource architecture diagram generation method. In other words, the memory 706 stores instructions for performing the cloud resource architecture diagram generation method.

Alternatively, the memory 706 stores executable code, and the processor 704 executes that code to implement the functions of the cloud management platform described above, thereby carrying out the cloud resource architecture diagram generation method. In other words, the memory 706 stores instructions for performing the cloud resource architecture diagram generation method.

The communication interface 708 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to implement communication between the computing device 700 and other devices or communication networks.

An embodiment of the present application further provides a computing device cluster. The computing device cluster includes at least one computing device. The computing device may be a server, for example a central server, an edge server, or a local server in a local data center. In some embodiments, the computing device may also be a terminal device such as a desktop computer, a laptop computer or a smartphone.

As shown in FIG. 8, the computing device cluster includes at least one computing device 700. The memories 706 of one or more computing devices 700 in the cluster may store the same instructions for performing the cloud resource architecture diagram generation method.

In some possible implementations, the memories 706 of one or more computing devices 700 in the cluster may each store part of the instructions for performing the cloud resource architecture diagram generation method. In other words, a combination of one or more computing devices 700 may jointly execute the instructions that implement the method.

It should be noted that the memories 706 of different computing devices 700 in the cluster may store different instructions, each for performing part of the functions of the cloud management platform. That is, the instructions stored in the memories 706 of different computing devices 700 may implement the functions of one or more of the resource information acquisition module and the architecture diagram generation module.

In some possible implementations, one or more computing devices in the computing device cluster may be connected through a network. The network may be a wide area network, a local area network, or the like. FIG. 9 shows one possible implementation. As shown in FIG. 9, two computing devices 700A and 700B are connected through the network; specifically, each computing device is connected to the network through its communication interface. In this kind of implementation, the memory 706 of the computing device 700A stores instructions for performing the functions of the resource information acquisition module and the architecture diagram generation module, while the memory 706 of the computing device 700B stores instructions for performing the functions of the cloud audit information acquisition module and the architecture diagram update module.

The computing devices in the cluster may be connected in the manner shown in FIG. 9 because the cloud resource architecture diagram generation method provided in the embodiments of the present application requires resource information acquisition and architecture diagram generation instances, so the functions implemented by the resource information acquisition module and the architecture diagram generation module are assigned to the computing device 700A.

It should be understood that the functions of the computing device 700A shown in FIG. 9 may also be performed by multiple computing devices 700. Likewise, the functions of the computing device 700B may be performed by multiple computing devices 700.

An embodiment of the present application further provides another computing device cluster. The connection relationships between the computing devices in this cluster may be similar to those of the computing device clusters described with reference to FIG. 8 and FIG. 9. The difference is that the memories 706 of one or more computing devices 700 in this cluster may store the same instructions for performing the cloud resource architecture diagram generation method.

In some possible implementations, the memories 706 of one or more computing devices 700 in the cluster may each store part of the instructions for performing the cloud resource architecture diagram generation method. In other words, a combination of one or more computing devices 700 may jointly execute the instructions for performing the method.

It should be noted that the memories 706 of different computing devices 700 in the cluster may store different instructions for performing part of the functions of the cloud resource architecture diagram generation system. That is, the instructions stored in the memories 706 of different computing devices 700 may implement the functions of one or more of the apparatuses of the cloud management platform and the infrastructure.

An embodiment of the present application further provides a computer program product containing instructions. The computer program product may be software or a program product containing instructions that can run on a computing device or be stored in any usable medium. When the computer program product runs on at least one computing device, it causes the at least one computing device to perform the cloud resource architecture diagram generation method.

An embodiment of the present application further provides a computer-readable storage medium. The computer-readable storage medium may be any usable medium that a computing device can store, or a data storage device such as a data center containing one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), a semiconductor medium (for example a solid state drive) or the like. The computer-readable storage medium contains instructions that instruct a computing device to perform the cloud resource architecture diagram generation method.

In the embodiments of the present application, unless otherwise stated or logically inconsistent, the terms and descriptions of different embodiments are consistent and may be cross-referenced, and the technical features of different embodiments may be combined according to their inherent logical relationships to form new embodiments. In the embodiments of the present application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B both exist, or that B exists alone, where A and B may be singular or plural. In the textual description of the embodiments of the present application, the character "/" generally indicates that the associated objects before and after it are in an "or" relationship. In the present application, "first", "second" and the various numerical designations are used only to distinguish for ease of description, for example to distinguish different messages, and are not intended to limit the scope of the embodiments or to describe a particular order or sequence.

It should be understood that the various numerical designations in the embodiments of the present application are used only to distinguish for ease of description and are not intended to limit the scope of the embodiments. The sequence numbers of the processes described above do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic.

Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present application and not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments or replace some of their technical features with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of protection of the technical solutions of the embodiments of the present application.

Claims (17)

1. A cloud resource architecture diagram generation method, characterized in that it is applied to a cloud management platform, the cloud management platform being used to manage an infrastructure that provides multiple target cloud resources, the infrastructure comprising at least one cloud data center, each cloud data center being provided with multiple servers, one or any combination of the multiple target cloud resources being deployed in at least one server of the infrastructure, and the multiple target cloud resources comprising a first cloud resource and a second cloud resource, the method comprising:
   in response to an architecture diagram generation request sent by a tenant, obtaining configuration information of the first cloud resource and obtaining a network traffic log of the first cloud resource, wherein the configuration information of the first cloud resource includes a type of the first cloud resource, the network traffic log of the first cloud resource is obtained based on a flow log of a virtual private cloud (VPC) associated with the first cloud resource, and the network traffic log of the first cloud resource indicates that data packet transmission exists between the first cloud resource and the second cloud resource;
   generating a cloud resource architecture diagram based on the configuration information of the first cloud resource and the network traffic log of the first cloud resource, wherein the first cloud resource and the second cloud resource in the cloud resource architecture diagram have a connection relationship.

2. The method according to claim 1, characterized in that obtaining the network traffic log of the first cloud resource comprises:
   obtaining a flow log of the virtual private cloud (VPC) associated with the first cloud resource, the flow log including a first record indicating that data packet transmission exists between the first cloud resource and the second cloud resource, the first record including a source address and a destination address of the data packet transmission, wherein the source address in the first record is an IP address of the first cloud resource and the destination address in the first record is an IP address of the second cloud resource; or the source address in the first record is the IP address of the second cloud resource and the destination address in the first record is the IP address of the first cloud resource.

3. The method according to claim 2, characterized in that the first record further includes a source port identifier and a destination port identifier of the data packet transmission, wherein the source port identifier is an identifier of a first port on the first cloud resource and the destination port identifier is an identifier of a second port on the second cloud resource; or the source port identifier is the identifier of the second port on the second cloud resource and the destination port identifier is the identifier of the first port on the first cloud resource; and the first port on the first cloud resource and the second port on the second cloud resource in the cloud resource architecture diagram have a connection relationship.

4. The method according to claim 2, characterized in that the IP address of the second cloud resource is a first virtual IP address, the flow log further includes a second record indicating that data packet transmission exists between the first cloud resource and a third cloud resource, the second record and the first record indicate the same data packet transmission, and the source address or the destination address of the data packet transmission included in the second record and in the first record is the IP address of the first cloud resource; and the third cloud resource in the cloud resource architecture diagram has a connection relationship with the second cloud resource.

5. The method according to any one of claims 1 to 4, characterized in that the multiple target cloud resources further comprise a fourth cloud resource and a fifth cloud resource, and the method further comprises:
   obtaining configuration information of the fourth cloud resource, the configuration information of the fourth cloud resource further including a connection relationship between the fourth cloud resource and the fifth cloud resource, wherein the fourth cloud resource and the fifth cloud resource in the cloud resource architecture diagram have a connection relationship.

6. The method according to any one of claims 1 to 5, characterized in that the multiple target cloud resources further comprise a sixth cloud resource, and the method further comprises:
   obtaining configuration information of the sixth cloud resource;
   obtaining, based on the configuration information of the sixth cloud resource, configuration information of a public network resource associated with the sixth cloud resource, the configuration information of the public network resource including a connection relationship between the sixth cloud resource and the public network resource, wherein the sixth cloud resource and the public network resource in the cloud resource architecture diagram have a connection relationship.

7. The method according to any one of claims 1 to 6, characterized in that the method further comprises:
   obtaining cloud audit information of the VPC associated with the first cloud resource, the cloud audit information including at least one of cloud resource addition information, cloud resource deletion information and cloud resource modification information within the VPC;
   adding the corresponding cloud resource to the cloud resource architecture diagram based on the cloud resource addition information; or deleting the corresponding cloud resource from the cloud resource architecture diagram based on the cloud resource deletion information; or modifying the corresponding cloud resource in the cloud resource architecture diagram based on the cloud resource modification information.

8. A cloud management platform, characterized in that the cloud management platform is used to manage an infrastructure that provides multiple target cloud resources, the infrastructure comprising at least one cloud data center, each cloud data center being provided with multiple servers, one or any combination of the multiple target cloud resources being deployed in at least one server of the infrastructure, and the multiple target cloud resources comprising a first cloud resource and a second cloud resource, the cloud management platform comprising:
   a resource information acquisition module, configured to, in response to an architecture diagram generation request sent by a tenant, obtain configuration information of the first cloud resource and obtain a network traffic log of the first cloud resource, wherein the configuration information of the first cloud resource includes a type of the first cloud resource, the network traffic log of the first cloud resource is obtained based on a flow log of a virtual private cloud (VPC) associated with the first cloud resource, and the network traffic log of the first cloud resource indicates that data packet transmission exists between the first cloud resource and the second cloud resource;
   an architecture diagram generation module, configured to generate a cloud resource architecture diagram based on the configuration information of the first cloud resource and the network traffic log of the first cloud resource, wherein the first cloud resource and the second cloud resource in the cloud resource architecture diagram have a connection relationship.

9. The cloud management platform according to claim 8, characterized in that the resource information acquisition module comprises:
   a flow log acquisition unit, configured to obtain a flow log of the virtual private cloud (VPC) associated with the first cloud resource, the flow log including a first record indicating that data packet transmission exists between the first cloud resource and the second cloud resource, the first record including a source address and a destination address of the data packet transmission, wherein the source address in the first record is an IP address of the first cloud resource and the destination address in the first record is an IP address of the second cloud resource; or the source address in the first record is the IP address of the second cloud resource and the destination address in the first record is the IP address of the first cloud resource.

10. The cloud management platform according to claim 9, characterized in that the first record further includes a source port identifier and a destination port identifier of the data packet transmission, wherein the source port identifier is an identifier of a first port on the first cloud resource and the destination port identifier is an identifier of a second port on the second cloud resource; or the source port identifier is the identifier of the second port on the second cloud resource and the destination port identifier is the identifier of the first port on the first cloud resource; and the first port on the first cloud resource and the second port on the second cloud resource in the cloud resource architecture diagram have a connection relationship.

11. The cloud management platform according to claim 9, characterized in that the IP address of the second cloud resource is a first virtual IP address, the flow log further includes a second record indicating that data packet transmission exists between the first cloud resource and a third cloud resource, the second record and the first record indicate the same data packet transmission, and the source address or the destination address of the data packet transmission included in the second record and in the first record is the IP address of the first cloud resource; and the third cloud resource in the cloud resource architecture diagram has a binding relationship with the first virtual IP address.

12. The cloud management platform according to any one of claims 8 to 11, characterized in that the multiple target cloud resources further comprise a fourth cloud resource and a fifth cloud resource, and the resource information acquisition module comprises:
   a resource configuration information acquisition unit, configured to obtain configuration information of the fourth cloud resource, the configuration information of the fourth cloud resource further including a connection relationship between the fourth cloud resource and the fifth cloud resource, wherein the fourth cloud resource and the fifth cloud resource in the cloud resource architecture diagram have a connection relationship.

13. The cloud management platform according to any one of claims 8 to 12, characterized in that the multiple target cloud resources further comprise a sixth cloud resource, and the resource information acquisition module further comprises:
   a resource configuration information acquisition unit, configured to obtain configuration information of the sixth cloud resource and, based on the configuration information of the sixth cloud resource, obtain configuration information of a public network resource associated with the sixth cloud resource, the configuration information of the public network resource including a connection relationship between the sixth cloud resource and the public network resource, wherein the sixth cloud resource and the public network resource in the cloud resource architecture diagram have a connection relationship.

14. The cloud management platform according to any one of claims 8 to 13, characterized in that the cloud management platform further comprises:
   a cloud audit information acquisition module, configured to obtain cloud audit information of the VPC associated with the first cloud resource, the cloud audit information including at least one of cloud resource addition information, cloud resource deletion information and cloud resource modification information within the VPC;
   an architecture diagram update module, configured to add the corresponding cloud resource to the cloud resource architecture diagram based on the cloud resource addition information; or to delete the corresponding cloud resource from the cloud resource architecture diagram based on the cloud resource deletion information; or to modify the corresponding cloud resource in the cloud resource architecture diagram based on the cloud resource modification information.

15. A computing device cluster, characterized in that it comprises at least one computing device, each computing device comprising a processor and a memory, wherein the processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster executes the cloud resource architecture diagram generation method according to any one of claims 1 to 7.

16. A computer-readable storage medium, characterized in that it comprises computer program instructions, wherein when the computer program instructions are executed by a computing device cluster, the computing device cluster executes the cloud resource architecture diagram generation method according to any one of claims 1 to 7.

17. A computer program product comprising instructions, characterized in that when the instructions are run by a computing device cluster, the computing device cluster is caused to execute the cloud resource architecture diagram generation method according to any one of claims 1 to 7.
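The steps of claims 1 to 7, worked as an added example; this is not code from the patent or from Huawei Cloud. It reads a constructed VPC flow log (the five-field line format is an assumption, as are all resource IDs, addresses and the audit event shape), resolves addresses to configured resources, records port-level connections (claim 3), infers which backend sits behind a virtual IP when two records describe the same packet (claim 4; the patent does not say how "the same data packet transmission" is recognised, so matching on timestamp, source address, source port and destination port is an assumption), merges connections declared in configuration (claims 5 and 6), applies audit events (claim 7), and renders the result as Graphviz DOT. Addresses that map to no configured resource are returned separately, since unexpected inbound flows in a generated diagram are exactly what an operator reviewing the VPC wants surfaced.

```python
"""Connection graph (the basis of the architecture diagram) from a VPC flow log,
resource configuration and cloud audit events, following claims 1 to 7. Resource
IDs, addresses, the flow-log line format and audit event shape are constructed."""
from collections import defaultdict

# Constructed configuration: hypothetical resource IDs, types and addresses.
RESOURCES = {
    "ecs-a": {"type": "ECS", "ip": "10.0.1.10", "attached": ["evs-1"]},  # claim 5: link in config
    "elb-1": {"type": "ELB", "ip": "10.0.2.100"},                        # virtual IP (claim 4)
    "ecs-b": {"type": "ECS", "ip": "10.0.2.21"},
    "rds-1": {"type": "RDS", "ip": "10.0.3.5"},
    "evs-1": {"type": "EVS"},
    "eip-1": {"type": "EIP", "ip": "203.0.113.8", "bound_to": "ecs-a"},  # claim 6: public resource
}
VIRTUAL_IPS = {"10.0.2.100"}

# Constructed flow log, "<ts> <src_ip> <src_port> <dst_ip> <dst_port>" per line. The first two
# records are one packet, logged toward the VIP and toward the backend behind it; the last is
# inbound from an address that appears in no configuration.
FLOW_LOG = """\
1700000000 10.0.1.10 51000 10.0.2.100 443
1700000000 10.0.1.10 51000 10.0.2.21 443
1700000001 10.0.1.10 51001 10.0.3.5 3306
1700000002 198.51.100.7 40000 10.0.1.10 22
"""

AUDIT_EVENTS = [  # constructed cloud audit events (claim 7)
    {"op": "add", "id": "ecs-c", "type": "ECS", "ip": "10.0.1.11"},
    {"op": "modify", "id": "rds-1", "type": "RDS-HA"},
    {"op": "delete", "id": "evs-1"},
]


def parse_flow_log(text):
    """Parse the constructed format into (ts, src_ip, src_port, dst_ip, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, sip, sport, dip, dport = line.split()
            records.append((int(ts), sip, int(sport), dip, int(dport)))
    return records


def build_graph(resources, flow_text, vips):
    """Return (edges, vip_backends, external): edges are (src_id, src_port, dst_id, dst_port),
    ports None for config-derived links; vip_backends maps a VIP resource to the resources
    bound behind it; external holds addresses with no configured resource."""
    by_ip = {r["ip"]: rid for rid, r in resources.items() if "ip" in r}
    edges, vip_backends, external = set(), defaultdict(set), set()
    # Assumption: records describe the same packet transmission when they share
    # timestamp, source address, source port and destination port.
    same_packet = defaultdict(list)
    for ts, sip, sport, dip, dport in parse_flow_log(flow_text):
        same_packet[(ts, sip, sport, dport)].append(dip)
    for (ts, sip, sport, dport), dst_ips in same_packet.items():
        src = by_ip.get(sip)
        if src is None:
            external.add(sip)
        vips_hit = [by_ip[d] for d in dst_ips if d in vips and d in by_ip]
        for dip in dst_ips:
            dst = by_ip.get(dip)
            if dst is None:
                external.add(dip)
            elif dip not in vips and vips_hit:
                for vip_id in vips_hit:            # claim 4: dst is the backend behind the VIP
                    vip_backends[vip_id].add(dst)
            elif src is not None:
                edges.add((src, sport, dst, dport))  # claim 3: port-level connection
    for rid, r in resources.items():
        for other in r.get("attached", []):        # claim 5
            edges.add((rid, None, other, None))
        if "bound_to" in r:                        # claim 6
            edges.add((r["bound_to"], None, rid, None))
    return edges, dict(vip_backends), external


def apply_audit(resources, edges, events):
    """Claim 7: add, delete or modify nodes from audit events; inputs are copied, not mutated."""
    res = {k: dict(v) for k, v in resources.items()}
    edges = set(edges)
    for ev in events:
        attrs = {k: v for k, v in ev.items() if k not in ("op", "id")}
        if ev["op"] == "add":
            res[ev["id"]] = attrs
        elif ev["op"] == "delete":
            res.pop(ev["id"], None)
            edges = {e for e in edges if ev["id"] not in (e[0], e[2])}
        elif ev["op"] == "modify" and ev["id"] in res:
            res[ev["id"]].update(attrs)
    return res, edges


def to_dot(resources, edges, vip_backends):
    """Render the graph as Graphviz DOT text, i.e. the diagram itself."""
    out = ["digraph vpc {"]
    for rid, r in sorted(resources.items()):
        out.append(f'  "{rid}" [label="{rid}\\n{r["type"]}"];')
    for s, sp, d, dp in sorted(edges, key=str):
        label = f"{sp}->{dp}" if sp is not None else "config"
        out.append(f'  "{s}" -> "{d}" [label="{label}"];')
    for vip, backends in sorted(vip_backends.items()):
        for b in sorted(backends):
            out.append(f'  "{b}" -> "{vip}" [style=dashed, label="bound"];')
    out.append("}")
    return "\n".join(out)
```

Running `build_graph(RESOURCES, FLOW_LOG, VIRTUAL_IPS)` on the constructed input yields four edges (ecs-a to elb-1 on 51000/443, ecs-a to rds-1 on 51001/3306, and the two configuration links to evs-1 and eip-1), the binding elb-1 to {ecs-b}, and 198.51.100.7 as an unmapped external address; the second VIP record deliberately does not produce a direct ecs-a to ecs-b edge, matching the claim's treatment of it as the same transmission. Feeding that graph through `apply_audit` with the constructed events adds ecs-c, retypes rds-1 and removes evs-1 together with its edge, which is the incremental update the claims describe rather than a full regeneration.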

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202311393633 2023-10-25
CN202311393633.9 2023-10-25
CN202410118224.6 2024-01-26
CN202410118224.6A CN119892830A (en) 2023-10-25 2024-01-26 Cloud resource architecture diagram generation method, cloud management platform and computing device cluster

Publications (1)

Publication Number Publication Date
WO2025086627A1 true WO2025086627A1 (en) 2025-05-01

Family

ID=95440228

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/094689 Pending WO2025086627A1 (en) 2023-10-25 2024-05-22 Cloud resource architecture diagram generation method, cloud management platform, and computing device cluster

Country Status (2)

Country Link
CN (1) CN119892830A (en)
WO (1) WO2025086627A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120880980A (en) * 2025-09-25 2025-10-31 中移(苏州)软件技术有限公司 Stream table generation method, device, equipment, storage medium and product

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110572291A (en) * 2019-09-16 2019-12-13 南京南瑞信息通信科技有限公司 System and method for realizing architecture automatic identification function for distributed system
CN112491601A (en) * 2020-11-16 2021-03-12 北京字节跳动网络技术有限公司 Traffic topology generation method and device, storage medium and electronic equipment
CN114189457A (en) * 2021-11-11 2022-03-15 阿里云计算有限公司 Cloud resource display and processing method, equipment and storage medium
US20220086178A1 (en) * 2020-09-11 2022-03-17 Salesforce.Com, Inc. Efficient monitoring of network activity in a cloud computing environment

Also Published As

Publication number Publication date
CN119892830A (en) 2025-04-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24881006

Country of ref document: EP

Kind code of ref document: A1