
CN102075537A - Method and system for realizing data transmission between virtual machines - Google Patents

Publication number
CN102075537A
Authority
CN
China
Prior art keywords
virtual machine
data packet
proxy server
information
destination
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011100216892A
Other languages
Chinese (zh)
Other versions
CN102075537B (en
Inventor
程华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
XFusion Digital Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN2011100216892A priority Critical patent/CN102075537B/en
Publication of CN102075537A publication Critical patent/CN102075537A/en
Priority to PCT/CN2011/075359 priority patent/WO2011147371A1/en
Application granted granted Critical
Publication of CN102075537B publication Critical patent/CN102075537B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00: Packet switching elements
    • H04L49/70: Virtual switches

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a method and a system for realizing data transmission between virtual machines. The method comprises that: a first proxy server receives the information of a data packet which is transmitted to a target virtual machine by a source virtual machine, forwards the data packet to a second proxy server serving the target virtual machine if no local information forbids the transmission of the data packet from the source virtual machine to the target virtual machine, otherwise does not transmit the data packet; and the second proxy server receives the data packet, judges whether the data packet receiving right information of the target virtual machine permits the forwarding of the data packet to the target virtual machine or not, forwards the data packet to the target virtual machine if the data packet receiving right information of the target virtual machine permits the forwarding of the data packet to the target virtual machine, and does not transmit the data packet if the data packet receiving right information of the target virtual machine does not permit the forwarding of the data packet to the target virtual machine. The embodiment of the invention can avoid the influence of the change of an IP address of the virtual machine on the data transmission between the virtual machines.

Description

Method and system for realizing data transmission between virtual machines
Technical Field
The present invention relates to the field of network data transmission, and more particularly, to a method and system for implementing data transmission between virtual machines.
Background
With the emergence and development of virtualization technology, a user can simulate one or more Virtual Machines (VMs) on one physical server. In general, a physical machine may host two or more virtual machines. After a virtual machine is successfully created, the user can start it at will, stop it once it has been started, and restart a previously stopped virtual machine.
In practical applications, when a user restarts a stopped virtual machine, the network may assign an IP (Internet Protocol) address to the restarted virtual machine. The IP address currently assigned to the virtual machine may differ from the IP address assigned to it before it was stopped. In addition, in a virtualized environment, the IP address of a virtual machine may change at any time due to system management, virtual machine migration, and the like.
However, the isolation configuration of the conventional firewall is based on the IP address, and when the conventional firewall is applied to the virtualization environment, the configuration cannot be dynamically readjusted according to the change of the IP address of the virtual machine, that is, the conventional firewall cannot meet the requirement of the virtualization environment.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and a system for implementing data transmission between virtual machines, so as to avoid an influence of a change in an IP address of a virtual machine on data transmission between virtual machines.
The embodiment of the invention provides a method for realizing data transmission between virtual machines, which comprises the following steps:
a first proxy server receives information of a data packet sent by a source virtual machine to a destination virtual machine; if no information exists locally that forbids the source virtual machine from sending the data packet to the destination virtual machine, the first proxy server forwards the data packet to a second proxy server serving the destination virtual machine; otherwise, the first proxy server does not send the data packet;
the second proxy server receives the data packet and judges, according to the authority information of the destination virtual machine for receiving the data packet, whether to allow the data packet to be forwarded to the destination virtual machine; if so, the second proxy server forwards the data packet to the destination virtual machine, and if not, it does not send the data packet.
An embodiment of the present invention further provides a system for implementing data transmission between virtual machines, where the system includes: a first proxy server and a second proxy server,
the first proxy server is configured to receive information of a data packet sent by a source virtual machine to a destination virtual machine, and to forward the data packet to a second proxy server serving the destination virtual machine if no information exists locally that forbids the source virtual machine from sending the data packet to the destination virtual machine; otherwise, the first proxy server does not send the data packet;
the second proxy server is configured to receive the data packet, determine whether to allow the data packet to be forwarded to the destination virtual machine according to the authority information of the destination virtual machine for receiving the data packet, forward the data packet to the destination virtual machine if forwarding is allowed, and not send the data packet if forwarding is not allowed.
Compared with the prior art, in the embodiment of the invention, the proxy server receives the information of the data packet sent by the source virtual machine to the destination virtual machine, and forwards the data packet to the second proxy server when the information which does not allow the source virtual machine to send the data packet to the destination virtual machine does not exist locally, so that the data communication permission among the virtual machines is carried out based on the actual virtual machine instead of only based on the IP address of the virtual machine, the influence of the IP address change of the virtual machine on the data transmission among the virtual machines is avoided, and the safety of the communication among the virtual machines is provided in the data transmission process.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flowchart illustrating steps of a method for implementing data transmission between virtual machines according to an embodiment of the present invention;
Fig. 2 is a diagram of a network system architecture according to an embodiment of the present invention;
Fig. 3 is a schematic view of a complete flow chart for implementing data transmission between virtual machines according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a data transmission flow between virtual machines belonging to two networks according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of another data transmission flow between virtual machines belonging to two networks according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a system for implementing data transmission between virtual machines according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another system for implementing data transmission between virtual machines according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to avoid the influence of the change of the IP address of the virtual machine on the data transmission between the virtual machines, the embodiment of the present invention provides a method for implementing data transmission between the virtual machines.
An embodiment of the present invention provides a method for implementing data transmission between virtual machines, and as shown in fig. 1, the method includes:
step 101: a first proxy server receives information of a data packet sent by a source virtual machine to a destination virtual machine; if no information exists locally that forbids the source virtual machine from sending the data packet to the destination virtual machine, the first proxy server forwards the data packet to a second proxy server serving the destination virtual machine; otherwise, the first proxy server does not send the data packet;
step 102: the second proxy server receives the data packet and judges, according to the authority information of the destination virtual machine for receiving the data packet, whether to allow the data packet to be forwarded to the destination virtual machine; if so, the second proxy server forwards the data packet to the destination virtual machine, and if not, it does not send the data packet.
In step 101, the first proxy server receives information of a packet sent by the source virtual machine to the destination virtual machine, where the information of the packet includes at least one of the following:
a data packet sent by the source virtual machine to the destination virtual machine;
indication information, which indicates to the first proxy server that the source virtual machine is sending a data packet to a destination virtual machine.
When the information of the data packet is a data packet sent by a source virtual machine to a destination virtual machine, the first proxy server can acquire the information carried in the data packet, and determine whether to send the data packet to the second proxy server according to whether the information which does not allow the source virtual machine to send the data packet to the destination virtual machine exists locally;
or,
the information of the data packet may also be indication information sent by a source side, where the indication information is used to indicate, to the first proxy server, that the source virtual machine sends the data packet to a destination virtual machine, and the indication information includes at least one of the following: an identification of a source virtual machine; identification of the destination virtual machine; and the protocol type of the data packet sent by the source virtual machine to the destination virtual machine. For example, in some specific scenarios, the first proxy server may refuse to forward a packet sent by a certain source virtual machine, refuse to send a packet to a certain destination virtual machine, or refuse to forward a packet of a certain protocol type, that is, the first proxy server may determine whether to forward the packet according to one or more of the above-mentioned contents included in the indication information.
In step 102, before the second proxy server judges whether to allow forwarding of the data packet to the destination virtual machine according to the authority information of the destination virtual machine for receiving the data packet, the second proxy server obtains the locally stored authority information of the destination virtual machine for receiving the data packet; or, the second proxy server requests the authority information of the destination virtual machine for receiving the data packet from an authorization server.
In step 101, before the first proxy server determines whether there is information that does not allow the source virtual machine to send a packet to the destination virtual machine, the embodiment of the present invention further includes: and the first proxy server determines a source virtual machine by acquiring a source address of the data packet, and if the source virtual machine belongs to a local virtual machine, determines that the type of the data packet belongs to a data packet sent out locally.
In step 102, before the second proxy server determines whether to forward the data packet to the destination virtual machine, the embodiment of the present invention further includes: and the second proxy server determines a destination virtual machine by acquiring a destination address of the data packet, and if the destination virtual machine belongs to a local virtual machine, determines that the type of the data packet belongs to a locally received data packet.
Further, in step 102, when the second proxy server determines that the source virtual machine is not allowed to send the data packet to the destination virtual machine, the second proxy server may further send information that the source virtual machine is not allowed to send the data packet to the destination virtual machine to the first proxy server, and instruct the first proxy server to store that information, so as to filter subsequent data packets received by the first proxy server. The information sent by the second proxy server may be derived from the current determination result, or, when the current determination result is "not allowed", the locally stored filtering rule triggered at the second proxy server may be used as the information that does not allow the source virtual machine to send the data packet to the destination virtual machine.
In step 102, the authority information of the destination virtual machine for receiving the data packet includes at least one of the following: an identification of the source virtual machine; an identification of the destination virtual machine; the protocol type of the data packet sent by the source virtual machine to the destination virtual machine; a disallow flag; an allow flag. For example: the authority information { disallow flag } indicates that the second proxy server rejects all data packets; the authority information { identification of the source virtual machine; disallow flag } indicates that data packets sent by the virtual machine corresponding to the source virtual machine identification are refused; the authority information { identification of the source virtual machine; allow flag } indicates that data packets sent by the virtual machine corresponding to the source virtual machine identification are allowed to be received; the authority information { identification of the source virtual machine; identification of the destination virtual machine; allow flag } indicates that data packets sent by the virtual machine corresponding to the source virtual machine identification are allowed to be forwarded to the destination virtual machine corresponding to the destination virtual machine identification. Those skilled in the art will appreciate that there are other reasonable forms of authority information, which are not listed exhaustively here.
The information that does not allow the source virtual machine to send the data packet to the destination virtual machine comprises at least one of: an identification of the source virtual machine; an identification of the destination virtual machine; the protocol type of the data packet sent by the source virtual machine to the destination virtual machine; a disallow flag. In a specific implementation, the disallow flag may be set as: No, Reject, Drop, Inhibit, X, or another negative word, abbreviation, or symbol. Accordingly, the allow flag permitting the data packet to be sent may be set as: Yes, Allow, Accept, Approved, a check mark (√), or another positive word, abbreviation, or symbol. The configuration information can be carried directly in a data packet or preset locally on the proxy server.
In this embodiment of the present invention, the source virtual machine identifier and the destination virtual machine identifier refer to a marker used by a network, an application, another virtual machine, or a user to identify or designate a virtual machine. For example, the source virtual machine identifier and the destination virtual machine identifier may be one of the following: an IP address, a URI (Uniform Resource Identifier), or a specific character string or number string assigned by the system to each virtual machine. The data packets may be data of any protocol, for example data of one or more of the following protocol types: UDP (User Datagram Protocol), HTTP (HyperText Transfer Protocol), and SIP (Session Initiation Protocol).
Fig. 2 is a diagram illustrating a system environment architecture for an application provided by an embodiment of the present invention.
The proxy server intercepts data streams sent and received by the virtual machines in the physical machines 1 to n within the control range, and controls whether the virtual machines in the physical machines 1 to n within the control range send or receive the intercepted data streams according to authorization information (specifically, information that the source virtual machine is not allowed to send data packets to the destination virtual machine, or authority information that the destination virtual machine receives the data packets).
The authorization node server stores authorization information of data streams sent and received by the virtual machine, wherein the authorization information can be subscription data of a user or data dynamically set to the authorization node server by the user.
The authorization node server may store authorization information of virtual machines of the entire data center, may store authorization information of virtual machines in several physical machines, and may also store authorization information of a virtual machine in one physical machine.
The proxy server can manage the data stream sent and received by the virtual machines in the whole data center, can store the data stream sent and received by the virtual machines in several physical machines, and can also store the data stream sent and received by the virtual machine in one physical machine.
The proxy server may be located inside the physical machine, and the authorization node server may be integrated with the proxy server in the same physical entity.
When the proxy server receives a data packet sent out by a virtual machine within the management range, the proxy checks whether the information which does not allow the source virtual machine to send the data packet to the destination virtual machine exists locally:
if the information which does not allow the source virtual machine to send the data packet to the destination virtual machine does not exist locally: sending the data packet to a network where the target virtual machine is located;
if there is information locally that does not allow the source virtual machine to send a data packet to the destination virtual machine, the data packet is not sent, or the data packet is discarded.
When the proxy server receives a data packet of which the destination virtual machine is a virtual machine in the management range, the proxy server checks whether the authority information of the destination virtual machine for receiving the data packet exists locally:
if the authority information of the destination virtual machine for receiving the data packet does not exist locally, the agent can acquire the authority information of the destination virtual machine for receiving the data packet, and the method comprises the following steps:
the proxy server requests the authorization node server for the authority information of the destination virtual machine for receiving the data packet, and when the authorization node server feeds back the authority information of the destination virtual machine for receiving the data packet to the proxy server, the proxy server can store the authority information of the destination virtual machine for receiving the data packet locally (if the proxy server and the authorization node server are combined in a physical entity, the step is invisible to the outside);
if the authority information of the target virtual machine for receiving the data packet locally exists in the proxy server, checking the authority information of the target virtual machine for receiving the data packet;
judging according to the authority information of the destination virtual machine for receiving the data packet, and if the judgment result is that the source virtual machine is allowed to send the data packet to the destination virtual machine, sending the received data packet to the destination virtual machine by the proxy server; if the determination result is that the source virtual machine is not allowed to send the data packet to the destination virtual machine, the received data packet is not sent to the destination virtual machine, or the received data packet is discarded, the proxy server may also send information that the source virtual machine is not allowed to send the data packet to the destination virtual machine to a network where the source virtual machine is located, and specifically may send the information to a proxy server serving the source virtual machine, so that the proxy server serving the source virtual machine performs filtering on subsequent data packets according to the information.
Therefore, in the embodiment of the present invention, the proxy server receives information of a data packet sent by the source virtual machine to the destination virtual machine and, when no information exists locally that forbids the source virtual machine from sending the data packet to the destination virtual machine, forwards the data packet to the proxy server serving the destination virtual machine. The proxy server serving the destination virtual machine then determines whether to allow the data packet to be forwarded to the destination virtual machine according to the authority information of the destination virtual machine for receiving the data packet. Data communication between virtual machines is thus permitted on the basis of the actual virtual machine, instead of only on the basis of the IP address of the virtual machine, so the influence of a change in a virtual machine's IP address on data transmission between virtual machines is avoided, and the security of communication between the virtual machines is provided in the data transmission process.
In order to fully understand the technical solution of the embodiments of the present invention, the technical solution of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
As shown in fig. 3, a schematic flow diagram for implementing data transmission between virtual machines according to an embodiment of the present invention specifically includes the following contents:
201: the proxy server (first proxy server) receives the data packet: the data packet may be a data packet sent by the local virtual machine, or a received data packet sent to the local virtual machine, or information sent by the remote data destination that does not allow the source virtual machine to send the data packet to the destination virtual machine. When receiving the data packet, executing step 202 to judge the type of the data packet, and then performing corresponding operation according to the type of the data packet;
202: the first proxy server judges the type of the data packet: if the data packet is from the inside of the local network, or the source identifier of the data packet is the identifier of the local virtual machine, the type of the data packet is a locally sent data packet, and step 211 is executed; if the data packet is sent to the inside of the local network or the destination identifier of the data packet is the identifier of the local virtual machine, the type of the data packet is the locally received data packet, and step 221 is executed; if the data packet is sent by the remote data destination and the data packet includes information "the source virtual machine is not allowed to send the data packet to the destination virtual machine", then the data packet is information that the source virtual machine is not allowed to send the data packet to the destination virtual machine, and step 231 is executed;
211: the first proxy server judges whether information exists that does not allow the source virtual machine to send the data packet to the destination virtual machine: it searches, according to the attribute information in the received data packet, for matching information that does not allow the source virtual machine to send the data packet to the destination virtual machine; if no such matching information exists, step 212 is executed, and if such matching information exists, step 213 is executed;
when searching for matching information that does not allow the source virtual machine to send the data packet to the destination virtual machine according to the attribute information in the received data packet, the attribute information in the data packet comprises at least one of the following: an identification of the source virtual machine; an identification of the destination virtual machine; the type of the data packet sent by the source virtual machine to the destination virtual machine.
212: the first proxy server sends the received data packet to the network where the target virtual machine is located;
213: the first proxy server discards the received data packet;
221: the proxy server (second proxy server) serving the target virtual machine judges whether authority information for the target virtual machine to receive the data packet exists: searching authority information of the matched destination virtual machine for receiving the data packet according to the attribute information in the received data packet, if the authority information does not exist, executing step 222, and if the authority information exists, executing step 224;
222: the obtaining, by the second proxy server, the authority information of the destination virtual machine for receiving the data packet may specifically include: the second proxy server can locally inquire the authority information of the destination virtual machine for receiving the data packet, and can also request the authority information of the destination virtual machine for receiving the data packet from the authorization node server;
the method for requesting the authorization node server for the destination virtual machine to receive the authority information of the data packet may include the following steps:
222A: the second proxy server sends a request message of the authority information of the destination virtual machine for receiving the data packet to the authorized node server;
221B: and the authorization node server feeds back a response carrying the authority information of the target virtual machine for receiving the data packet.
The request message for the authority information of the destination virtual machine for receiving the data packet comprises at least one of the following: an identification of the source virtual machine; an identification of the destination virtual machine; the type of the data packet sent by the source virtual machine to the destination virtual machine; an allow identifier; a disallow identifier.
The authority information of the destination virtual machine in the authorization node server for receiving the data packet may be from the subscription data of the user, or the user sets the authority information of the destination virtual machine for receiving the data packet in the authorization node server through a tool such as a web page.
223: the second proxy server stores the authority information of the destination virtual machine for receiving the data packet;
224: judging whether to allow receiving the data packet according to the authority information of the destination virtual machine for receiving the data packet, for example: if the authority information of the destination virtual machine for receiving the data packet contains the permission identifier, executing step 225, and if the authority information of the destination virtual machine for receiving the data packet contains the non-permission identifier, executing step 226;
225: and forwarding the received data packet to the destination virtual machine.
226: discarding the received data packet;
227: sending a message carrying information that does not allow the source virtual machine to send a data packet to the destination virtual machine to the network where the source virtual machine is located, where the identifier of the source virtual machine may be used as the destination identifier of the message, or the identifier of the proxy entity serving the source virtual machine (e.g., the identifier of the first proxy server) may be used as the destination identifier of the message.
231: the first proxy server maintains information that does not allow the source virtual machine to send packets to the destination virtual machine.
Fig. 4 is a schematic diagram illustrating a data transmission flow between virtual machines belonging to two networks according to an embodiment of the present invention;
preconditions of this embodiment: in this embodiment, the virtual machine-1 is a source virtual machine, the virtual machine-2 is a destination virtual machine, the proxy-1 (i.e., a first proxy server) controls a data packet sent by the virtual machine-1, the proxy-2 (i.e., a second proxy server) controls a data packet received by the virtual machine-2, the authorized node server is a server that stores data transfer authorization information, and the proxy-2 can query the authorized node server for authority information of the destination virtual machine for receiving the data packet. It should be noted that: the authorized node server may be in the same entity as the agent-2, and at this time, the interaction process between the agent-2 and the authorized node may not be visible to the outside.
301: the virtual machine-1 sends a data packet, the source IP address of the data packet is the IP address of the virtual machine-1, and the destination IP address of the data packet is the IP address of the virtual machine-2;
302: the agent-1 receives the data packet sent by the virtual machine-1. Because the source IP of the data packet is the IP address of the virtual machine-1 and the data packet comes from the network controlled by the agent-1, the agent-1 determines that the received data packet is a locally sent data packet. The agent-1 then searches locally for information that matches the source IP address, the destination IP address and the protocol type of the data packet and that does not allow the source virtual machine to send the data packet to the destination virtual machine, and the search finds no such information;
it should be noted that the source IP address, the destination IP address and the protocol type of the data packet are not all required for the search; the search may be performed according to any one or more of them.
303: the agent-1 forwards the received data packet to the network where the virtual machine-2 is located;
304: the agent-2 finds that the destination IP of the data packet is the IP address of the virtual machine-2, and therefore determines that the received data packet is a locally received data packet. The agent-2 searches locally for authority information of the destination virtual machine for receiving the data packet that matches the source IP address, the destination IP address and the protocol type of the data packet, and the search finds no such authority information;
305: the agent-2 sends, to the authorized node server, a request message for the authority information of the destination virtual machine for receiving the data packet, wherein the request message comprises one or more of the source IP address, the destination IP address and the protocol type of the data packet;
306: the authorization node server sends the agent-2 a response message carrying the authority information of the destination virtual machine for receiving the data packet, and this authority information may include an identifier that allows the source virtual machine to send the data packet to the destination virtual machine: Allow;
it should be noted that when the authorized node server and the proxy-2 are in the same entity, step 305 and step 306 may be internal function calls or database queries, and step 305 and step 306 may not be visible to the outside.
307: the agent-2 stores the received authority information of the destination virtual machine for receiving the data packet;
308: the proxy-2 checks the received authority information of the destination virtual machine for receiving the data packet; because it contains the identifier (Allow) that allows the source virtual machine to send the data packet to the destination virtual machine, the proxy-2 allows the virtual machine-2 to receive the data packet;
309: the agent-2 forwards the received data packet to the virtual machine-2.
As shown in fig. 5, another schematic diagram of a data transmission flow between virtual machines belonging to two networks provided in the embodiment of the present invention includes the following steps:
the precondition of this embodiment is the same as that of the previous embodiment.
401-403: the same as step 301 to step 303 in the previous embodiment;
404: the agent-2 finds that the destination IP of the data packet is the IP address of the virtual machine-2 and that the data packet comes from outside the network controlled by the agent-2, and therefore determines that the received data packet is a locally received data packet. The agent-2 searches locally for authority information of the destination virtual machine for receiving the data packet that matches the source IP address, the destination IP address and the protocol type of the data packet, and the search finds such authority information;
it should be noted that when the proxy-2 does not have the authority information of the destination virtual machine for receiving the data packet locally, reference may be made to step 304 to step 306 in the previous embodiment, except that the authority information fed back in step 306 includes an identifier that does not allow the source to send the data packet to the destination: Reject.
405: the agent-2 checks the authority information of the destination virtual machine for receiving the data packet; because it contains the identifier Reject, which does not allow the source to send the data packet to the destination, the agent-2 refuses to let the virtual machine-2 receive the data packet;
406: the agent-2 discards the received data packet;
407: the proxy-2 sends to the proxy-1 information that the source virtual machine is not allowed to send data packets to the destination virtual machine, which may include the IP address of the source virtual machine, the IP address of the destination virtual machine and the disallow identifier, and may also include the protocol type of the data packets that the source virtual machine is not allowed to send to the destination virtual machine, for example: the source virtual machine is not allowed to send HTTP data packets to the destination virtual machine;
408: the agent-1 holds the received information that does not allow the source virtual machine to send packets to the destination virtual machine.
As can be seen from the above embodiments, the first proxy server receives information of a data packet sent by the source virtual machine to the destination virtual machine and, when no information that disallows the source virtual machine from sending the data packet to the destination virtual machine exists locally, forwards the data packet to the second proxy server. The second proxy server determines, according to the authority information of the destination virtual machine for receiving the data packet, whether the received data packet may be sent to the destination virtual machine. When the result is that it may not, the information that the source virtual machine is not allowed to send the data packet to the destination virtual machine may be sent to the first proxy server, so that the first proxy server can filter subsequent data packets according to that information. The method for controlling data transmission of a virtual machine provided by the embodiment of the invention can therefore effectively control which data streams a virtual machine may send and which it is allowed to receive, so that data communication permissions between virtual machines are based on the actual virtual machine rather than on its IP address. This prevents a virtual machine's data communication permission settings from changing when its IP address changes, provides security for communication between virtual machines during data transmission, and protects virtual machines from network storm attacks.
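The two flows of Fig. 4 and Fig. 5 (steps 301-309 and 401-408) can be traced with a short simulation. The Python below is an added example, not part of the patent text; the class and method names, the sample addresses and the default Reject verdict for tuples unknown to the authorization node are assumptions.

```python
"""Two-proxy permission flow from steps 301-309 and 401-408 (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

ALLOW, REJECT = "Allow", "Reject"
Key = Tuple[str, str, str]  # (source IP, destination IP, protocol type)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str

    @property
    def key(self) -> Key:
        return (self.src_ip, self.dst_ip, self.protocol)


class AuthorizationNode:
    """Stores the authority information that proxy-2 queries (steps 305-306)."""

    def __init__(self, rules: Dict[Key, str], default: str = REJECT) -> None:
        self.rules = rules
        self.default = default  # assumption: the page defines no default verdict
        self.queries = 0

    def query(self, key: Key) -> str:
        self.queries += 1
        return self.rules.get(key, self.default)


class SecondProxy:
    """Proxy-2: decides whether a local VM may receive a packet."""

    def __init__(self, auth: AuthorizationNode) -> None:
        self.auth = auth
        self.authority_cache: Dict[Key, str] = {}
        self.delivered: List[Packet] = []

    def receive(self, pkt: Packet, notify_source: Callable[[Key], None]) -> str:
        verdict = self.authority_cache.get(pkt.key)    # step 304 / 404: local lookup
        if verdict is None:
            verdict = self.auth.query(pkt.key)         # steps 305-306: ask the node
            self.authority_cache[pkt.key] = verdict    # step 307: store locally
        if verdict == ALLOW:                           # step 308
            self.delivered.append(pkt)                 # step 309: forward to VM-2
            return "delivered"
        notify_source(pkt.key)                         # step 407: tell proxy-1
        return "dropped-at-proxy-2"                    # step 406: discard


class FirstProxy:
    """Proxy-1: filters packets sent by its local VMs."""

    def __init__(self, peer: SecondProxy) -> None:
        self.peer = peer
        self.deny_cache: Set[Key] = set()
        self.forwarded = 0

    def store_deny(self, key: Key) -> None:            # step 408
        self.deny_cache.add(key)

    def send(self, pkt: Packet) -> str:
        if pkt.key in self.deny_cache:                 # step 302: local deny lookup
            return "dropped-at-proxy-1"
        self.forwarded += 1                            # step 303: forward
        return self.peer.receive(pkt, self.store_deny)


def run_demo():
    vm1, vm2 = "10.0.1.5", "10.0.2.7"                  # constructed sample addresses
    auth = AuthorizationNode({(vm1, vm2, "HTTP"): REJECT, (vm1, vm2, "SSH"): ALLOW})
    proxy2 = SecondProxy(auth)
    proxy1 = FirstProxy(proxy2)
    traffic = [Packet(vm1, vm2, p) for p in ("HTTP", "HTTP", "SSH", "SSH")]
    results = [proxy1.send(pkt) for pkt in traffic]
    return results, proxy1, proxy2, auth


if __name__ == "__main__":
    results, proxy1, proxy2, auth = run_demo()
    for outcome in results:
        print(outcome)
    print("forwarded by proxy-1:", proxy1.forwarded, "| node queries:", auth.queries)
```

Only the first HTTP packet crosses to proxy-2; the second is dropped at proxy-1 from the stored deny entry, and the second SSH packet is admitted without a new query to the authorization node. Neither cache expires in this sketch, since the steps above describe no expiry, so a permission changed on the authorization node takes effect only once the stored entries are refreshed.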
Corresponding to the above embodiment of the method for implementing data transmission between virtual machines, an embodiment of the present invention further provides a system for implementing data transmission between virtual machines, including: a first proxy server 601 and a second proxy server 602,
the first proxy server 601 is configured to receive information of a data packet sent by a source virtual machine to a destination virtual machine, and, if no information that disallows the source virtual machine from sending the data packet to the destination virtual machine exists locally, forward the data packet to a second proxy server 602 serving the destination virtual machine; otherwise, the first proxy server 601 does not send the data packet;
the second proxy server 602 is configured to receive the data packet, determine whether to allow the data packet to be forwarded to the destination virtual machine according to the authority information of the destination virtual machine for receiving the data packet, forward the data packet to the destination virtual machine if allowed, and not send the data packet if not allowed.
Wherein the information of the data packet comprises at least one of the following:
a data packet sent by the source virtual machine to the destination virtual machine;
indication information, wherein the indication information is used for indicating to the first proxy server that the source virtual machine sends a data packet to the destination virtual machine.
The indication information includes at least one of:
an identifier of the source virtual machine; an identifier of the destination virtual machine; and the protocol type of the data packet sent by the source virtual machine to the destination virtual machine.
The information that does not allow the source virtual machine to send the data packet to the destination virtual machine comprises at least one of the following:
an identifier of the source virtual machine; an identifier of the destination virtual machine; the protocol type of the data packet sent by the source virtual machine to the destination virtual machine; a disallow flag.
When the determination result of the second proxy server 602 is that the source virtual machine is not allowed to send the data packet to the destination virtual machine, the second proxy server 602 is further configured to send, to the first proxy server 601, information that the source virtual machine is not allowed to send the data packet to the destination virtual machine, where this information includes at least one of: an identifier of the source virtual machine; an identifier of the destination virtual machine; the protocol type of the data packet sent by the source virtual machine to the destination virtual machine; a disallow flag;
the first proxy server 601 is further configured to receive and store information sent by the second proxy server 602, where the information does not allow the source virtual machine to send a packet to the destination virtual machine.
Further, the system further comprises:
the authorized node server 603 is configured to send, according to the request of the second proxy server 602, authority information of the destination virtual machine for receiving the data packet to the second proxy server 602.
The authorized node server 603 is configured to store authority information of the virtual machine for sending and receiving the data packet, where the authority information may be subscription data of the user, or data dynamically set to the authorized node server 603 by the user through a tool such as a web page. The authorized node server 603 may store the authority information of all virtual machines under the physical machine connected to the authorized node server, and may also store the authority information of a plurality of virtual machines in one physical machine.
The authorized node server 603 may be a dedicated server independent of the proxy server, or may be a functional module in the proxy server, and the proxy server has a function of presetting the authority information of the destination virtual machine for receiving the data packet.
When the proxy server obtains the authority information of the data packet received by the destination virtual machine in the authorized node server 603, the authority information obtained from the authorized node server is stored locally, so that the processing of receiving the data packet sent by the source virtual machine again in the following process is facilitated.
Fig. 7 is a schematic structural diagram of another system for implementing data transmission between virtual machines according to an embodiment of the present invention, where:
the first proxy server 601 includes: a first data receiving module 701, a first selecting module 702, a sending data control module 703;
the second proxy server 602 includes: a received data control module 704, a second data receiving module 705 and a second selecting module 706.
A first data receiving module 701, configured to receive a data packet sent by a source virtual machine to a destination virtual machine;
a first selecting module 702, configured to determine the type of the received data packet:
1: if the received data packet is data sent by a virtual machine within the management range of the first proxy server, or indication information of a data packet sent by a virtual machine within the management range of the first proxy server, the sending data control module 703 is selected to process the data packet;
2: if the received data packet is information that does not allow the source virtual machine to send the data packet to the destination virtual machine, the first information storage module in the sending data control module 703 stores the received information locally.
It should be noted that, in a specific implementation, when the first proxy server is a proxy server serving a destination virtual machine, the first proxy server may further include a received data control module 704, and the first selecting module may further perform: 3: if the received data packet is a data packet destined for a virtual machine within the management scope of the first proxy server, or indication information of a data packet destined for a virtual machine within the management scope of the first proxy server, the received data control module 704 is selected to process the data.
The sending data control module 703 controls whether a virtual machine in the management range can send data to a destination, and includes: a first information searching module 7031, a first information storing module 7032, a sent data forwarding module 7033, and a sent data discarding module 7034.
A first information searching module 7031, configured to search whether information that does not allow the source virtual machine to send a data packet to the destination virtual machine exists locally; if no such information exists locally, the received data packet is forwarded to the destination virtual machine through the sent data forwarding module 7033; if such information exists locally, the received data packet is discarded by the sent data discarding module 7034.
The first information storing module 7032 is configured to store locally the received information that does not allow the source virtual machine to send the data packet to the destination virtual machine.
A second data receiving module 705, configured to receive a data packet forwarded by the first proxy server;
a second selecting module 706, configured to determine the type of the received data packet, and select the received data control module 704 to process the data because the data packet is a data packet forwarded by the first proxy server.
It should be noted that the second data receiving module 5 and the second selecting module 6 in the second proxy server are the same as those in the first proxy server, and in some scenarios the roles of the first proxy server and the second proxy server are interchangeable, that is, each may serve as either the forwarding party or the receiving party of the data packet.
The received data control module 704 controls whether the virtual machine in the management scope can receive the data sent by the source virtual machine, including: a second information finding module 7041, a permission information obtaining module 7042, a second information storage module 7043, a permission information judging module 7044, a received data forwarding module 7045, a received data discarding module 7046, and an information sending module 7047.
The second information searching module 7041 searches whether the authority information of the destination virtual machine for receiving the data packet exists locally, and if the authority information does not exist, the authority information obtaining module 7042 obtains the authority information of the destination virtual machine for receiving the data packet.
The authority information obtaining module 7042 requests the authority information of the destination virtual machine for receiving the data packet from the authorization node server 603, the authorization node server 603 feeds that authority information back to the authority information obtaining module 7042, and the second information storage module 7043 stores the authority information fed back by the authorization node server 603 locally.
The permission information determining module 7044 is configured to determine whether to allow the source virtual machine to send a data packet to the destination virtual machine:
1: if the authority information of the destination virtual machine for receiving the data packet is to allow the source virtual machine to send the data packet to the destination virtual machine, the received data is forwarded to the destination virtual machine through the received data forwarding module 7045;
2: if the authority information of the destination virtual machine for receiving the data packet is to not allow the source virtual machine to send the data packet to the destination virtual machine, the received data is discarded by the received data discarding module 7046, and information that the source virtual machine is not allowed to send the data packet to the destination virtual machine is sent to the network where the source virtual machine is located by the information sending module 7047.
The embodiment of the invention provides a proxy server, which receives information of a data packet sent by a source virtual machine to a destination virtual machine, and forwards the data packet to the destination virtual machine when no information that disallows the source virtual machine from sending the data packet to the destination virtual machine exists locally; the proxy server can also judge, according to the authority information of the destination virtual machine for receiving the data packet, whether the received data packet is allowed to be sent to the destination virtual machine. The proxy server provided by the embodiment of the invention can therefore effectively control which data streams a virtual machine may send and which it is allowed to receive, so that data communication permissions between virtual machines are based on the actual virtual machine rather than on its IP address. This prevents a virtual machine's data communication permission settings from changing when its IP address changes, provides security for communication between virtual machines during data transmission, and protects virtual machines from network storm attacks.
The system embodiments are described relatively simply because they correspond generally to the method and apparatus embodiments, and reference may be made to some of the descriptions of the method and apparatus embodiments for related matters. The above-described device embodiments are merely illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the embodiments. Thus, the present embodiments are not intended to be limited to the embodiments shown herein but are to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (16)

1. A method for realizing data transmission between virtual machines is characterized in that the method comprises the following steps:
the method comprises the steps that a first proxy server receives information of a data packet sent by a source virtual machine to a destination virtual machine, and if the information which does not allow the source virtual machine to send the data packet to the destination virtual machine does not exist locally, the first proxy server forwards the data packet to a second proxy server serving the destination virtual machine; otherwise, the first proxy server does not send the data packet;
and the second proxy server receives the data packet, judges whether to allow the data packet to be forwarded to the destination virtual machine according to the authority information of the destination virtual machine for receiving the data packet, if so, forwards the data packet to the destination virtual machine by the second proxy server, and if not, does not send the data packet.
2. The method according to claim 1, wherein the information of the data packet includes at least one of:
a data packet sent by the source virtual machine to the destination virtual machine;
indication information, wherein the indication information is used for indicating to the first proxy server that the source virtual machine sends a data packet to the destination virtual machine.
3. The method for implementing data transmission between virtual machines according to claim 2, wherein the indication information includes at least one of:
an identifier of the source virtual machine; an identifier of the destination virtual machine; and the protocol type of the data packet sent by the source virtual machine to the destination virtual machine.
4. The method according to claim 1, wherein the information that does not allow the source virtual machine to send the packet to the destination virtual machine includes at least one of:
an identifier of the source virtual machine; an identifier of the destination virtual machine; the protocol type of the data packet sent by the source virtual machine to the destination virtual machine; a disallow flag.
5. The method for implementing data transmission between virtual machines according to claim 1, wherein the method further comprises:
the second proxy server acquires the locally stored authority information of the destination virtual machine for receiving the data packet; or,
the second proxy server requests the authority information of the destination virtual machine for receiving the data packet from an authorization server.
6. The method of claim 1, wherein before the first proxy server determines whether there is information that does not allow the source virtual machine to send a packet to the destination virtual machine, the method further comprises:
and the first proxy server determines a source virtual machine by acquiring a source address of the data packet, and if the source virtual machine belongs to a local virtual machine, determines that the type of the data packet belongs to a data packet sent out locally.
7. The method of claim 1, wherein before the second proxy server determines whether to forward the data packet to the destination virtual machine, the method further comprises:
and the second proxy server determines a destination virtual machine by acquiring a destination address of the data packet, and if the destination virtual machine belongs to a local virtual machine, determines that the type of the data packet belongs to a locally received data packet.
8. The method according to claim 3, wherein after the second proxy server determines whether to forward the data packet to the destination virtual machine, if the determination result is that the source virtual machine is not allowed to send the data packet to the destination virtual machine, the method further comprises:
the second proxy server sends, to the first proxy server, information that the source virtual machine is not allowed to send the data packet to the destination virtual machine, wherein this information includes at least one of the following: an identifier of the source virtual machine; an identifier of the destination virtual machine; the protocol type of the data packet sent by the source virtual machine to the destination virtual machine; a disallow flag.
9. The method for implementing data transmission between virtual machines according to claim 8, wherein the method further comprises:
and the first proxy server receives and stores the information which is sent by the second proxy server and does not allow the source virtual machine to send the data packet to the destination virtual machine.
10. The method for implementing data transmission between virtual machines according to claim 1 or 5, wherein the authority information of the destination virtual machine for receiving the data packet includes at least one of:
an identifier of the source virtual machine; an identifier of the destination virtual machine; the protocol type of the data packet sent by the source virtual machine to the destination virtual machine; a disallow flag; an allow flag.
11. A system for implementing data transmission between virtual machines, the system comprising: a first proxy server 601 and a second proxy server 602,
the first proxy server 601 is configured to receive information of a data packet sent by a source virtual machine to a destination virtual machine, and, if no information that disallows the source virtual machine from sending the data packet to the destination virtual machine exists locally, forward the data packet to a second proxy server 602 serving the destination virtual machine; otherwise, the first proxy server 601 does not send the data packet;
the second proxy server 602 is configured to receive the data packet, determine whether to allow the data packet to be forwarded to the destination virtual machine according to the authority information of the destination virtual machine for receiving the data packet, forward the data packet to the destination virtual machine if allowed, and not send the data packet if not allowed.
12. The system according to claim 11, wherein the information of the data packet includes at least one of the following:
a data packet sent by the source virtual machine to the destination virtual machine;
indication information, wherein the indication information is used for indicating to the first proxy server that the source virtual machine sends a data packet to the destination virtual machine.
13. The system according to claim 12, wherein the indication information includes at least one of:
an identifier of the source virtual machine; an identifier of the destination virtual machine; and the protocol type of the data packet sent by the source virtual machine to the destination virtual machine.
14. The system according to claim 11, wherein the information that does not allow the source virtual machine to send the packet to the destination virtual machine includes at least one of:
an identifier of the source virtual machine; an identifier of the destination virtual machine; the protocol type of the data packet sent by the source virtual machine to the destination virtual machine; a disallow flag.
15. The system for implementing data transmission between virtual machines according to claim 11, wherein the system further comprises:
the authorized node server 603 is configured to send, according to the request of the second proxy server 602, authority information of the destination virtual machine for receiving the data packet to the second proxy server 602.
16. The system for implementing data transmission between virtual machines according to claim 11,
when the determination result of the second proxy server 602 is that the source virtual machine is not allowed to send the data packet to the destination virtual machine, the second proxy server 602 is further configured to send, to the first proxy server 601, information that the source virtual machine is not allowed to send the data packet to the destination virtual machine, where this information includes at least one of: an identifier of the source virtual machine; an identifier of the destination virtual machine; the protocol type of the data packet sent by the source virtual machine to the destination virtual machine; a disallow flag;
the first proxy server 601 is further configured to receive and store information sent by the second proxy server 602, where the information does not allow the source virtual machine to send a packet to the destination virtual machine.
CN2011100216892A 2011-01-19 2011-01-19 Method and system for realizing data transmission between virtual machines Active CN102075537B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2011100216892A CN102075537B (en) 2011-01-19 2011-01-19 Method and system for realizing data transmission between virtual machines
PCT/CN2011/075359 WO2011147371A1 (en) 2011-01-19 2011-06-03 Method and system for implementing data transmission between virtual machines

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011100216892A CN102075537B (en) 2011-01-19 2011-01-19 Method and system for realizing data transmission between virtual machines

Publications (2)

Publication Number Publication Date
CN102075537A (en) 2011-05-25
CN102075537B (en) 2013-12-04

Family

ID=44033881

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011100216892A Active CN102075537B (en) 2011-01-19 2011-01-19 Method and system for realizing data transmission between virtual machines

Country Status (2)

Country Link
CN (1) CN102075537B (en)
WO (1) WO2011147371A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060256106A1 (en) * 2005-05-13 2006-11-16 Scarlata Vincent R Method and apparatus for migrating software-based security coprocessors
CN101031141A (en) * 2006-02-28 2007-09-05 华为技术有限公司 Safety telecommunication method
CN101207604A (en) * 2006-12-20 2008-06-25 联想(北京)有限公司 Virtual machine system and communication processing method thereof
US20100017519A1 (en) * 2008-07-15 2010-01-21 Zhu Han Method and apparatus for dynamically determining connection establishment mechanism based on the relative locations
CN101867511A (en) * 2009-04-20 2010-10-20 华为技术有限公司 Pause frame sending method, associated equipment and system
CN101867571A (en) * 2010-05-12 2010-10-20 上海电机学院 Intelligent network intrusion defensive system based on collaboration of a plurality of mobile agents
CN102598591A (en) * 2009-11-06 2012-07-18 微软公司 Employing overlays for securing connections across networks

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201007574A (en) * 2008-08-13 2010-02-16 Inventec Corp Internet server system and method of constructing and starting a virtual machine
CN101668022B (en) * 2009-09-14 2012-09-12 陈博东 Virtual network isolation system established on virtual machine and implementation method thereof
CN102075537B (en) * 2011-01-19 2013-12-04 华为技术有限公司 Method and system for realizing data transmission between virtual machines

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011147371A1 (en) * 2011-01-19 2011-12-01 华为技术有限公司 Method and system for implementing data transmission between virtual machines
CN102739795A (en) * 2012-07-04 2012-10-17 深圳市京华科讯科技有限公司 Network proxy data forwarding system applied to virtual environment and network proxy data forwarding method
CN103795752A (en) * 2012-10-31 2014-05-14 鸿富锦精密工业(深圳)有限公司 Virtual machine sharing system and method
CN103856460A (en) * 2012-12-04 2014-06-11 华为技术有限公司 Access control method, device and system
CN104219260B (en) * 2013-05-30 2017-12-12 中国电信股份有限公司 The method of data exchange, system and physical host between virtual machine in same physical machine
CN104219260A (en) * 2013-05-30 2014-12-17 中国电信股份有限公司 Method and system for exchanging data between virtual machines in same physical machine and physical host
CN103458003B (en) * 2013-08-15 2016-11-16 中电长城网际系统应用有限公司 A kind of self adaptation cloud computing environment virtual secure domain browsing control method and system
CN103458003A (en) * 2013-08-15 2013-12-18 中电长城网际系统应用有限公司 Access control method and system of self-adaptation cloud computing environment virtual security domain
CN104601428A (en) * 2014-12-23 2015-05-06 广州亦云信息技术有限公司 Communication method of virtual machines
CN104601428B (en) * 2014-12-23 2018-10-09 广州亦云信息技术有限公司 Communication means between virtual machine
CN105721487A (en) * 2016-03-07 2016-06-29 联想(北京)有限公司 Information processing method and electronic equipment
CN105721487B (en) * 2016-03-07 2019-07-26 联想(北京)有限公司 Information processing method and electronic equipment
WO2018018640A1 (en) * 2016-07-29 2018-02-01 华为技术有限公司 Information interaction method, device and system
CN111262901A (en) * 2019-07-29 2020-06-09 深圳百灵声学有限公司 Many-to-many communication system and operation method thereof
CN112104744A (en) * 2020-03-30 2020-12-18 厦门网宿有限公司 Traffic proxy method, server and storage medium
CN114356474A (en) * 2021-12-16 2022-04-15 西安万像电子科技有限公司 Data transmission method, first virtual machine, virtual desktop management server and system
CN115913824A (en) * 2023-02-10 2023-04-04 中航金网(北京)电子商务有限公司 VPC-crossing virtual server communication method and system
CN115913824B (en) * 2023-02-10 2023-07-25 中航金网(北京)电子商务有限公司 Virtual server communication method and system crossing VPC

Also Published As

Publication number Publication date
CN102075537B (en) 2013-12-04
WO2011147371A1 (en) 2011-12-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211223

Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province

Patentee after: xFusion Digital Technologies Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.