WO2024159962A1 - Traffic mirroring method and apparatus for virtual instance, virtual machine platform, and storage medium - Google Patents

Abstract

Embodiments of the present application relate to the technical field of communications, and provide a traffic mirroring method and apparatus for a virtual instance, a virtual machine platform, and a storage medium. The method comprises: acquiring traffic to be mirrored of a virtual instance; mirroring inbound traffic and outbound traffic of the virtual instance at a computing node for the virtual instance to obtain mirrored traffic; acquiring a constructed traffic flow table for the mirrored traffic, and generating a mirrored traffic packet according to the mirrored traffic and the traffic flow table; and sending the mirrored traffic packet to a destination terminal, such that the destination terminal distinguishes inbound mirrored traffic and outbound mirrored traffic of a port according to the mirrored traffic packet. By mirroring traffic to be mirrored and generating a mirrored traffic packet at a computing node, related information of mirrored traffic of a virtual instance is designed into the packet, and is thus carried in the packet and sent out from the computing node, such that the mirroring of the traffic of the virtual instance and the sending of the mirrored traffic are implemented while a minimum portion of a data center is occupied, thereby distinguishing mirrored traffic at a terminal node.

Description

Traffic mirroring method, device, virtual machine platform and storage medium for virtual instances

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to a Chinese patent application filed with the China Patent Office on February 1, 2023, with application number 202310050246.9 and application name “Traffic mirroring method, device, virtual machine platform and storage medium for virtual instances”, the entire contents of which are incorporated by reference into this application.

Technical Field

The present application relates to the field of communication technology, and in particular to a traffic mirroring method for a virtual instance, a traffic mirroring device for a virtual instance, a corresponding virtual machine platform, and a corresponding computer-readable storage medium.

Background Art

In a public cloud virtual network, users usually need to mirror the inbound and outbound traffic of virtual instances (virtual machines or Docker containers) on the cloud. After mirroring the traffic, it is imported into the user-specified terminal node for traffic analysis and auditing.

In the related technology of traffic mirroring, it can be manifested as determining the monitoring port corresponding to the mirror destination request based on the mirror source IP resolution of the mirror source request, and then sending the traffic request to the corresponding monitoring port to realize traffic mirroring. However, the traffic mirroring realized by it cannot distinguish the traffic mirroring, which is not conducive to the traffic analysis and audit of the inbound and outbound traffic.

Overview

In view of the above problems, embodiments of the present application are proposed to provide a traffic mirroring method for a virtual instance, a traffic mirroring device for a virtual instance, a corresponding virtual machine platform, and a corresponding computer-readable storage medium that overcome the above problems or at least partially solve the above problems.

The embodiment of the present application discloses a traffic mirroring method of a virtual instance, which is applied to a virtual machine platform. The virtual machine platform includes a computing node of the virtual instance. The method includes:

Obtaining the traffic to be mirrored of the virtual instance, where the traffic to be mirrored of the virtual instance includes inbound traffic and/or outbound traffic;

Mirror the inbound and outbound traffic of the virtual instance on the computing node of the virtual instance to obtain mirrored traffic;

Obtain the traffic flow table constructed for the mirrored traffic, and generate a mirrored traffic message according to the mirrored traffic and the traffic flow table;

The mirrored traffic packets are sent to the destination terminal so that the destination terminal can distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic packets.

Optionally, obtaining the constructed traffic flow table for the mirrored traffic further includes:

The configured traffic mirroring information is obtained, and a traffic flow table for the mirrored traffic is constructed using the traffic mirroring information; wherein the traffic mirroring information includes at least traffic direction information, traffic mirroring instance information, terminal node information, traffic filtering policy information, and user-defined label information.

Optionally, the mirrored traffic includes inbound mirrored traffic for inbound traffic and outbound mirrored traffic for outbound traffic. The traffic flow table for the mirrored traffic is constructed using the traffic mirroring information, including:

The traffic mirroring instance information, traffic direction information, terminal node information, traffic filtering policy information, and user-defined label information are used to construct the inbound flow table for the incoming mirrored traffic and the outbound flow table for the outgoing mirrored traffic. Traffic flow table.

Optionally, the virtual instance is located in a virtual private cloud, and the virtual private cloud has a corresponding traffic mirroring gateway instance created in the mirroring gateway, and the mirroring gateway group for carrying different traffic mirroring gateway instances includes multiple mirroring gateway nodes.

Optionally, generating a mirrored traffic packet according to the mirrored traffic and the traffic flow table includes:

After the compute node of the virtual instance builds the mirrored traffic, the mirrored traffic and traffic flow table are received through the mirrored gateway node of the mirrored gateway group;

Use mirrored traffic and traffic flow table to generate mirrored traffic packets;

Also includes:

The routing table is obtained through the mirror gateway node, and the mirror traffic message is processed according to the routing table and the traffic flow table to generate a mirror traffic packet.

Optionally, the mirrored traffic message is processed according to the routing forwarding table and the traffic flow table to generate a mirrored traffic packet, including:

Obtain traffic mirroring information from the traffic flow table and route forwarding information from the route forwarding table;

The traffic mirroring information of the response traffic flow table is matched successfully with the routing forwarding information respectively, and the routing forwarding information is used to encapsulate the mirrored traffic message to obtain a mirrored traffic packet.

Optionally, before generating the mirrored traffic packet according to the mirrored traffic and the traffic flow table, the method further includes:

An access request sent by a user destination terminal is received; wherein the access request includes a virtual instance to be accessed, and the virtual instance has a corresponding traffic mirroring gateway instance created in the mirroring gateway.

Optionally, sending the mirrored traffic message to the destination terminal includes:

Obtain the routing forwarding table through the mirror gateway and obtain the destination gateway address of the routing forwarding table;

A destination terminal node of the destination terminal is determined based on the destination gateway address, and the mirrored traffic message is sent to the destination terminal node.

Optionally, the mirrored traffic message is sent to the destination terminal node, including:

Obtain the virtual instance where the traffic mirroring gateway instance to be accessed is currently located, and forward the routing forwarding table to the traffic mirroring gateway instance corresponding to the virtual instance where the traffic mirroring gateway instance to be accessed is currently located, so as to forward the mirrored traffic message to the destination terminal node based on the routing forwarding table of the corresponding traffic mirroring gateway instance.

The embodiment of the present application also discloses a traffic mirroring method of a virtual instance, which is applied to a destination terminal, the destination terminal is communicatively connected with a virtual machine platform, and the virtual machine platform includes a computing node of the virtual instance, and the method includes:

Receive a mirrored traffic message sent by a computing node of the virtual instance; the mirrored traffic message is generated based on the mirrored traffic and the traffic flow table, wherein the mirrored traffic is obtained by mirroring the inbound and outbound traffic of the virtual instance;

Differentiate the inbound and outbound mirrored traffic on a port based on the mirrored traffic packets.

Optionally, the traffic flow table is constructed based on the configured traffic mirroring information, and the traffic mirroring information includes at least traffic direction information and/or traffic mirroring instance information;

Distinguish mirrored traffic based on the traffic direction information in the traffic flow table of the mirrored traffic packet, including:

Distinguish incoming and outgoing mirrored traffic based on the traffic direction information of the mirrored traffic packet, and analyze the incoming and outgoing traffic.

and/or, distinguishing traffic mirroring instance information and traffic direction based on the traffic mirroring packet and traffic mirroring instance information. The inbound mirror traffic and outbound mirror traffic of the virtual instance corresponding to the traffic mirroring instance information are analyzed;

And/or, based on the traffic mirroring instance information of the mirrored traffic packet, the mirrored traffic of the virtual instances corresponding to different traffic mirroring instance information is distinguished, and the mirrored traffic of the different virtual instances is analyzed.

The embodiment of the present application also discloses a traffic mirroring device for a virtual instance, which is applied to a virtual machine platform. The virtual machine platform includes a computing node of the virtual instance. The device includes:

A module for acquiring traffic to be mirrored, used for acquiring traffic to be mirrored of a virtual instance, where the traffic to be mirrored of the virtual instance includes inbound traffic and/or outbound traffic;

A traffic mirroring module is used to mirror the inbound and outbound traffic of the virtual instance on the computing node of the virtual instance to obtain mirrored traffic;

A mirrored traffic message generation module, used to obtain the traffic flow table constructed for the mirrored traffic, and generate a mirrored traffic message according to the mirrored traffic and the traffic flow table;

The mirrored traffic message sending module is used to send the mirrored traffic message to the destination terminal so that the destination terminal can distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic message.

The embodiment of the present application also discloses a traffic mirroring device of a virtual instance, which is applied to a destination terminal, the destination terminal is communicatively connected with a virtual machine platform, and the virtual machine platform includes a computing node of the virtual instance, and the device includes:

A mirrored traffic message receiving module, used for receiving a mirrored traffic message sent by a computing node of a virtual instance; the mirrored traffic message is generated based on the mirrored traffic and a traffic flow table, wherein the mirrored traffic is obtained based on mirroring the inbound and outbound traffic of the virtual instance;

The mirrored traffic distinguishing module is used to distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic messages.

The embodiment of the present application also discloses a virtual machine platform, including: a processor, a memory, and a computer program stored in the memory and capable of running on the processor, and when the computer program is executed by the processor, a traffic mirroring method of any virtual instance is implemented.

The embodiment of the present application also discloses a computer-readable storage medium, on which a computer program is stored. When the computer program is executed by a processor, a traffic mirroring method of any virtual instance is implemented.

The embodiments of the present application include the following advantages:

In an embodiment of the present application, the inbound and outbound traffic of the virtual instance is mirrored at the computing node of the virtual instance to obtain the mirrored traffic, and the traffic flow table constructed for the mirrored traffic can be obtained, and the mirrored traffic message is generated according to the mirrored traffic and the traffic flow table, and the mirrored traffic message is sent to the destination terminal, so that the destination terminal can distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic message. By designing and arranging the traffic of the computing node, and by implementing the mirroring of the mirrored traffic and the generation of the mirrored traffic message at the computing node, the relevant information of the virtual instance mirrored traffic is designed into the message, and sent from the computing node through the message carrying method, the traffic of the virtual instance is mirrored while occupying the least data center, and the mirrored traffic is sent to the designated terminal node, and the mirrored traffic is distinguished at the terminal node. Furthermore, the routing forwarding table on the mirrored gateway can be designed according to the characteristics of the mirrored traffic message sent by the computing node to achieve high-speed processing of the mirrored message.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a flow chart of a flow mirroring method embodiment of a virtual instance of the present application;

FIG2 is a schematic diagram of constructing an outbound flow table for a virtual instance provided in an embodiment of the present application;

FIG3 is a schematic diagram of constructing an inflow flow table of a virtual instance provided in an embodiment of the present application;

4 is a schematic diagram of the logical network distribution of a virtual machine instance on a public cloud provided in an embodiment of the present application;

FIG5 is a flowchart of another embodiment of a traffic mirroring method for a virtual instance of the present application;

6 is a schematic diagram of an application scenario of traffic mirroring of a virtual instance provided in an embodiment of the present application;

7 is a block diagram of a flow mirroring device embodiment of a virtual instance of the present application;

FIG8 is a structural block diagram of another virtual instance of a traffic mirroring device embodiment of the present application.

Detailed Description

In order to make the above-mentioned objects, features and advantages of the present application more obvious and easy to understand, the present application is further described in detail below in conjunction with the accompanying drawings and specific implementation methods.

In a public cloud virtual network, users usually need to mirror the inbound and outbound traffic of virtual instances (virtual machines or Docker containers) on the cloud. After mirroring the traffic, it is imported into the user-specified terminal node for traffic analysis and auditing.

In order to meet the above requirements, the embodiment of the present application implements traffic mirroring based on the UDP (User Datagram Protocol) protocol in the public cloud, specifically through the traffic flow table Open vSwitch encapsulated by the VXLAN Tunnel.

The core idea of the embodiment of the present application is to mirror the inbound and outbound traffic of the virtual instance at the computing node of the virtual instance to obtain the mirrored traffic, and to obtain the traffic flow table constructed for the mirrored traffic, and to generate the mirrored traffic message according to the mirrored traffic and the traffic flow table, and to send the mirrored traffic message to the destination terminal, so that the destination terminal can distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic message. By implementing the mirroring of the inbound and outbound traffic of the virtual instance respectively, distinguishing the traffic direction based on the relevant information designed into the message, the user can more accurately and flexibly mirror the traffic of the cloud instance, and the traffic mirroring process is completed at the computing node where the virtual instance is located, which greatly saves the network bandwidth resources of the data center, and does not affect the main process of the user's virtual instance. The user's mirrored traffic can be distributed to any designated terminal node (as long as the three-layer network is reachable) through configuration, and the traffic of the virtual instance is mirrored while occupying the least data center, and the mirrored traffic is sent to the designated terminal node, and the mirrored traffic is distinguished at the terminal node. Furthermore, the traffic mirroring gateway sends the mirrored traffic message to the destination terminal node based on the UDP encapsulated double-layer tunnel message according to the routing forwarding table. By designing the routing forwarding table on the mirroring gateway according to the characteristics of the mirrored traffic message sent by the computing node, high-speed processing of the mirrored message is achieved. In addition, the filtering strategy of the traffic filter configured by the user can also be completed on the computing node to filter out the unnecessary traffic at the source end. The filter strategy supports accepting and discarding operations.

1, a flowchart of a method for traffic mirroring of a virtual instance of the present application is shown, which is applied to a virtual machine platform, and the virtual machine platform includes a computing node of a virtual instance, and specifically may include the following steps:

Step 101, obtaining the traffic to be mirrored of the virtual instance, where the traffic to be mirrored of the virtual instance includes inbound traffic and/or outbound traffic;

Traffic mirroring refers to the process of copying the traffic of a monitored port to a specific monitoring port for the purpose of traffic monitoring. Specifically, it can be manifested as the process of copying the traffic of a virtual instance to a destination terminal.

In the embodiment of the present application, the direction of the virtual instance mirror traffic can be designed into the message by designing and arranging the traffic of the computing node, and by implementing the mirroring of the mirror traffic and the generation of the mirror traffic message at the computing node, and the message is sent from the computing node through the message carrying method, so as to occupy the least space in the data center. In this case, the traffic of the virtual instance can be mirrored, the mirrored traffic can be sent to the specified terminal node, and the mirrored traffic can be distinguished at the terminal node.

In one embodiment of the present application, in order to implement traffic mirroring of a virtual instance, the traffic to be mirrored of the virtual instance may first be acquired, and the acquired traffic to be mirrored of the virtual instance may include the inbound traffic and/or outbound traffic of the virtual instance. Exemplarily, the inbound traffic of the virtual instance may refer to access traffic or request traffic, etc., and the outbound traffic may refer to response traffic and requested data, information, etc., which is not limited in the embodiments of the present application.

Step 102, mirroring the inbound and outbound traffic of the virtual instance at the computing node of the virtual instance to obtain mirrored traffic;

At this time, the incoming and outgoing traffic of the virtual instance can be mirrored on the computing node of the virtual instance to obtain mirrored traffic for the incoming traffic and mirrored traffic for the outgoing traffic. The traffic mirroring process is completed on the computing node where the virtual instance is located. The computing node can refer to the host node to save network bandwidth resources in the data center.

Among them, by mirroring the inbound and outbound traffic of the virtual instance separately and distinguishing the traffic direction, users can mirror the traffic of the cloud instance more accurately and flexibly.

In some embodiments of the present application, the computing node may also obtain the traffic filter filtering policy configured by the user, and based on the traffic filter filtering policy configured by the user, filter out the unnecessary traffic at the source end so as to mirror the traffic of the filtered virtual instance. The filter policy may support accept and discard operations.

Step 103, obtaining the constructed traffic flow table for the mirrored traffic, and generating a mirrored traffic message according to the mirrored traffic and the traffic flow table;

After the inbound and outbound traffic of the virtual instance are mirrored to obtain the mirrored traffic, the traffic flow table constructed for the mirrored traffic can be obtained to generate mirrored traffic packets based on the mirrored traffic and the traffic flow table, so as to design the routing forwarding table on the mirrored gateway according to the characteristics of the mirrored traffic packets sent by the computing nodes, so as to realize high-speed processing of the mirrored packets.

Specifically, the traffic flow table for the mirrored traffic is obtained mainly by obtaining the configured traffic mirroring information, and then using the traffic mirroring information to construct the traffic flow table for the mirrored traffic, so as to design and arrange the traffic of the computing node Open vSwitch and optimize the flow table on the bridge.

The traffic mirroring information at least includes traffic mirroring instance information, terminal node information, traffic direction information, traffic filtering policy information, and user-defined label information, etc., so as to mirror the network traffic of the user virtual instance to the designated terminal node based on the traffic mirroring instance information, traffic direction information, terminal node information, traffic filtering policy information, and user-defined label information (such as traffic differentiation label, length of data packet intercepted after mirroring, etc.) configured by the user, so that the traffic of the mirrors of different virtual instances can be distinguished at the same terminal node (if the terminal node information of different virtual instances is configured as the same) according to the user-defined label information, so that the traffic message quintuple of the virtual instance is the same. That is, the relevant information of the aforementioned traffic mirroring can be designed into the message, so that the relevant information can be sent to the computing node in the form of message carrying.

In actual applications, since the mirrored traffic includes inbound mirrored traffic for inbound traffic and outbound mirrored traffic for outbound traffic, traffic mirroring instance information, traffic direction information, terminal node information, and traffic The filtering policy information and the user-defined label information are used to construct an inbound flow table for inbound mirrored traffic and an outbound flow table for outbound mirrored traffic.

Specifically, referring to FIG. 2, a schematic diagram of constructing an outbound flow table for a virtual instance provided by an embodiment of the present application is shown, which can be mainly manifested as adding three tables again in the normally arranged flow table Pipeline, where table refers to a table for storing flow table entries. It should be noted that the table id can be determined according to actual conditions, and the embodiment of the present application does not limit this.

In a normal orchestration flow table Pipeline, it can originally contain table0, table6, table

10 and other tables, at this time, you can add tables such as table7, table8, and table180. Among them, table0, table6, table10 and other tables can perform normal flow table processing procedures, table=6 can add ports for processing mirroring, and for the three newly added tables, table=7 can process mirroring filtering policies, table=8 can process traffic mirroring directions, and table=180 can encapsulate the mirrored traffic based on the UDP protocol and send it out to encapsulate VXLAN out of the computing node and deliver it to the mirroring gateway node.

For example, the detailed design of each outbound flow table may be as follows:

#reg1 is the direction, reg2 is the flag for whether to mirror (the specific value of reg2 can be set based on the policy that the inbound value is 1 and the outbound value is 2)

#Virtual instance mirroring
table=6,priority=100,in_port={in_port}actions=goto_table:7

#The port that needs to be mirrored passes the mirrored traffic filter table, and the priority is set higher than the normal traffic. Assume that the priority of the port that needs to be mirrored is set to 100, and the priority of the port that does not need to be mirrored is set to 10. At this time, the relevant operations of table:7 are executed, that is, the function processing filter strategy in the process of mirroring traffic, so as to filter out the unnecessary traffic at the source end based on the traffic filtering strategy information. The filter strategy supports accepting and discarding operations
table=6,priority=10,actions=goto_table:10

#By default, normal traffic does not need to be sent through mirror traffic. That is, at this time, you can perform the relevant operations of table:10 and perform normal flow table processing.

#table=7 function processing filter strategy, based on the action set reg1 flag to determine whether mirroring is needed, assuming 0x1 needs mirroring, if the mirroring switch of the port is turned off, the flow table of reg1 is set not to be sent. In the filtering process, traffic filtering can be performed based on different filtering strategy protocols, as shown below:
table=7,priority=150,tcp,in_port={in_port},nw_dst=192.168.50.6,tp_dst=80
actions=set_field:0x1->reg1,goto_table:8

#Assume that the filtering policy protocol of the mirrored traffic is tcp, the destination is 192.168.50.6, and the port is 80
table=7,priority=140,arp,in_port={in_port},arp_tpa=192.168.50.6actions=set_field:
0x1->reg1,goto_table:8

#Assume that the filtering policy protocol of the mirrored traffic is arp and the destination is 192.168.50.6
table=7,priority=130,icmp,in_port={in_port},nw_dst=192.168.50.6
actions=goto_table:8

#Assume that the filtering policy protocol of the mirrored traffic is icmp and the destination is 192.168.50.6
table=7,priority=100,actions=goto_table:8

#Default is to go to normal table

#table＝8 functions to process the mirroring direction, matching the traffic to be mirrored (expressed as match reg1＝0x1); then reuse register reg1 in action to set the direction of traffic mirroring, and then mirror the traffic. The mirrored traffic flows to table＝180 for processing, and normal traffic continues to flow through table＝10
table=8,priority=100,reg1=0x1
actions=set_field:0x2->reg1,resubmit(,10),resubmit(,180)

#Assume that reg1=0x2 is the outbound direction. If the port switch is turned off, this traffic will not be sent down.

table=8,priority=10actions=goto_table:10

#Default is to follow the normal Pipeline process

#table=180, by matching the mirroring direction of the mirroring port, the virtual private cloud to which it belongs, and the source physical address, the mirrored traffic in the outbound direction of the port is sent to the mirroring gateway, encapsulated in the VXLAN tunnel and sent out, and the direction information is carried in the data packet (the upper 24 bits of the inner source MAC)
table=180, priority=200, reg1=0x2, reg5={vni}, dl_src={port_src_mac}
actions=set_field:0x4163e->reg2,move:NXM_NX_REG2[0..23]->NXM_OF_ETH_SRC[24..47],set_field:{vni}->tun_id,group:101##Outbound direction
table=180,priority=100,actions=drop

Referring to FIG. 3 , a schematic diagram of constructing an inflow flow table of a virtual instance provided in an embodiment of the present application is shown, which is mainly manifested in adding three tables to the normally arranged flow table Pipeline, where table refers to a table for storing flow table entries. It should be noted that the table id can be determined according to actual conditions, and the embodiment of the present application does not limit this.

In the normally arranged flow table Pipeline, it may originally contain tables such as table86, table90, etc., and at this time, it may add tables such as table87, table88, and table180. Among them, tables such as table86, table90, etc. may perform normal flow table processing procedures, table=86 may be used to add mirrored ports, table=90 may be used to send traffic to the port of the virtual instance, table=87 may be used to process mirrored filtering policies, table=88 may be used to process traffic mirroring directions, and table=180 may be used to encapsulate the mirrored traffic in VXLAN based on the UDP protocol and send it out, encapsulate VXLAN out of the computing node, and deliver it to the mirrored gateway node.

For example, the detailed design of each flow table in the specific inbound direction may be as follows:

#Mirror traffic inbound direction
table=86,priority=100,reg7={in_port}actions=goto_table:87

#The port that needs to be mirrored passes through the mirror traffic filter table, and the priority is set higher than the normal traffic. Assume that the priority of the port that needs to be mirrored is set to 100, and the priority of the port that does not need to be mirrored is set to 10. At this time, the relevant operations of table:87 are executed, that is, the function processing filter strategy during the mirror traffic process, so that the unnecessary traffic can be filtered out at the source end based on the traffic filtering strategy information. The filter strategy supports accepting and discarding operations
table=86,priority=10,actions=goto_table:90

#No need to mirror, just follow the normal process, that is, you can execute the related operations of table:90 at this time and perform the normal flow table processing process
table=87,priority=150,tcp,reg7={in_port},nw_dst=192.168.50.6,tp_dst=80
actions=set_field:0x1->reg1,goto_table:88

#Filter the traffic that needs to be mirrored according to the filter policy
table=87,priority=140,arp,reg7={in_port},arp_tpa=192.168.50.6
actions=set_field:0x1->reg1,goto_table:88

#Filter the traffic that needs to be mirrored according to the filter policy
table=87,priority=130,icmp,reg7={in_port},nw_dst=192.168.50.6
actions=goto_table:88

#Filter out traffic that does not need to be mirrored according to the filter policy, and do not set reg1
table=87,priority=100,actions=goto_table:88

# Traffic that does not meet the filtering policy will jump to table88 by default
table=88,priority=100,reg1=0x1
actions=set_field:0x1->reg1,resubmit(,90),resubmit(,180)

#Mirror the traffic that meets the filtering policy and set the traffic mirroring direction. ox1 represents the inbound direction
table=88,priority=10actions=goto_table:90

##Default to normal process

#table=180 matches the mirroring direction of the mirrored port, the virtual private cloud to which it belongs, and the destination physical address, sends the mirrored traffic in the port's inbound direction to the mirrored gateway, encapsulates it through a VXLAN tunnel, and sends it out, carrying the direction information in the data packet.

table=180, priority=200, reg1=0x1, reg5={vni}, dl_dst={port_dst_mac}actions=set_field:0x2163e->reg2, move:NXM_NX_REG2[0..23]->NXM_OF_ETH_SRC[24..47] ,set_field:{vni}->tun_id,group:101#Inbound direction
table=180,priority=100,actions=drop

It should be noted that the mirroring of the inbound and outbound traffic of the above virtual instance can be selected based on the user's actual situation at the mirroring point (such as table6 and table86). Generally speaking, the mirroring point of the outbound traffic will be selected after passing the port's Qos speed limit flow table and before passing the security group flow table; the mirroring point of the inbound traffic will be selected after passing the security group and port's Qos speed limit traffic. In addition, the location and value of carrying the direction mark of the mirrored traffic to the message can also be freely selected. For example, in the above example, the direction can be carried in the physical address mac of the source end of the message memory, the outbound mark value is set to 0x4163e, and the inbound mark value is set to 0x2163e. This embodiment of the present application does not limit this.

In some embodiments of the present application, the virtual instance is located in a virtual private cloud, the virtual private cloud has a corresponding traffic mirror gateway instance created in the mirror gateway, and the mirror gateway group for carrying different traffic mirror gateway instances includes multiple mirror gateway nodes. For example, as shown in FIG4, virtual instance 1 (i.e., VM1) and virtual instance 2 (i.e., VM2) are located in subnet 2 of user VPC1 (Virtual Private Cloud). (i.e., subnet2), virtual instance 3 (i.e., VM3) is located in subnet 1 (i.e., subnet1) in user VPC2, and each VPC can create a traffic mirroring gateway instance on the mirroring gateway (for example, traffic mirroring gateway instance 1mrgw-VPC1, traffic mirroring gateway instance 2mrgw-VPC2, etc.), and a mirroring gateway group can contain multiple mirroring gateway nodes to carry traffic mirroring gateway instances of different VPCs, where different mirroring gateway nodes can be implemented based on multiple physical servers as nodes.

When generating a mirrored traffic message, after the computing node of the virtual instance constructs the mirrored traffic, the mirrored traffic and the traffic flow table can be received through the mirrored gateway node of the mirrored gateway group, and then the mirrored traffic message is generated by using the mirrored traffic and the traffic flow table. In a specific implementation, the routing forwarding table can also be obtained through the mirrored gateway node, and the mirrored traffic message is processed according to the routing forwarding table and the traffic flow table to generate a mirrored traffic packet.

In actual applications, when the mirror traffic of the virtual instance is sent from the computing node, it can be sent to the mirror gateway node in the mirror gateway group, such as the host. The destination IP address can be the anycast IP address of the mirror gateway group. When the traffic reaches the mirror gateway node host of the mirror gateway, the forwarding program on the mirror gateway node host will process the message according to the routing forwarding table.

The specific message processing process can be manifested as obtaining the traffic mirroring information of the traffic flow table and obtaining the routing forwarding information of the routing forwarding table, and then responding to the successful matching of the traffic mirroring information of the traffic flow table with the routing forwarding information, and using the routing forwarding information to encapsulate the mirrored traffic message to obtain a mirrored traffic packet.

The routing forwarding table can be obtained based on the routing forwarding information of the matching domain and the routing forwarding information of the action domain. Among them, the routing forwarding information of the matching domain is mainly used to match the traffic mirroring information of the traffic flow table, and the routing forwarding information of the action domain is mainly used to implement the message sending operation when the match is successful.

The routing forwarding information of the matching domain may include Vni (Vni can be a user ID similar to VLAN ID for identifying a Virtual Network Instance), traffic direction, port physical address portmac information. At this time, the Vni, traffic direction, and portmac information of the message can be matched with the Vni, traffic direction, and portmac information in the routing forwarding table. If the match is unsuccessful, the message will be discarded. At this time, if the data message hits the routing forwarding table, it can be forwarded according to the routing forwarding information of the routing forwarding table, and the mirrored traffic message can be encapsulated and sent out.

For example, the routing table may be as shown in Table 1 below:

Table 1

The routing forwarding information of the matching domain may include the internal destination physical address InnerDstMac, the internal source physical address InnerSrcMac, the internal source logical address innerSrcIp, the internal destination logical address innerDstIp, the internal virtual network instance identifier InnerVni, the external destination logical address OuterDstIp and the external network instance identifier OuterVni. When forwarding messages based on the routing forwarding table, it can be mainly manifested as encapsulating the intermediate layer VXLAN information according to the InnerDstMac, InnerSrcMac, innerSrcIp, innerDstIp, and InnerVni of the action domain. Then, according to the VXLAN information in the outermost layer of the OuterDstIp and OuterVni encapsulation, the message is sent from the traffic mirroring gateway to the mirroring terminal node. InnerVni can be defined by the user and is used to distinguish traffic at the mirroring terminal node.

Step 104: Send the mirrored traffic message to the destination terminal so that the destination terminal can distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic message.

When sending a mirrored traffic message to a destination terminal, it can be manifested as obtaining a routing forwarding table and a destination gateway address of the routing forwarding table through a mirrored gateway, and then determining the destination terminal node of the destination terminal based on the destination gateway address, and sending the mirrored traffic message to the destination terminal node, that is, the traffic mirroring gateway can send the mirrored traffic message to the destination terminal node based on a UDP encapsulated double-layer tunnel message according to the routing forwarding table.

In some embodiments of the present application, before generating the mirrored traffic message, an access request sent by a user's destination terminal will be received, and the destination terminal may be a virtual instance preset in a preset virtual private cloud. The access request includes the virtual instance to be accessed, and the virtual instance has a corresponding traffic mirroring gateway instance created in the mirroring gateway.

When sending a mirrored traffic message to a destination terminal node, it can also be manifested as obtaining the virtual instance where the traffic mirroring gateway instance to be accessed is currently located, and forwarding the routing forwarding table of the traffic mirroring gateway instance corresponding to the virtual instance where the traffic mirroring gateway instance to be accessed is currently located, so as to forward the mirrored traffic message to the destination terminal node based on the routing forwarding table of the corresponding traffic mirroring gateway instance.

In actual applications, a mirrored traffic message is sent to a destination terminal, and the destination terminal can distinguish the mirrored traffic based on the relevant information carried and sent in the mirrored traffic message. The relevant information is related to the mirrored traffic, and includes at least traffic mirroring instance information, terminal node information, traffic direction information, traffic filtering policy information, and user-defined label information, etc. At this time, the mirrored traffic can be distinguished based on the traffic direction information and/or traffic mirroring instance information in the traffic flow table. Specifically, it can be manifested as distinguishing the incoming mirrored traffic and outgoing mirrored traffic of the mirrored traffic based on the traffic direction information carried by the mirrored traffic packet, and analyzing the incoming traffic and outgoing traffic; and/or distinguishing the incoming mirrored traffic and outgoing mirrored traffic of the virtual instance corresponding to the traffic mirroring instance information based on the traffic mirroring instance information and traffic direction of the mirrored traffic packet, and analyzing the incoming traffic and outgoing traffic of the virtual instance corresponding to the traffic mirroring instance information; and/or distinguishing the mirrored traffic of virtual instances corresponding to different traffic mirroring instance information based on the traffic mirroring instance information of the mirrored traffic packet, and analyzing the mirrored traffic of different virtual instances.

In an embodiment of the present application, the inbound and outbound traffic of the virtual instance is mirrored at the computing node of the virtual instance to obtain the mirrored traffic, and the traffic flow table constructed for the mirrored traffic can be obtained, and the mirrored traffic message is generated according to the mirrored traffic and the traffic flow table, and the mirrored traffic message is sent to the destination terminal, so that the destination terminal can distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic message. By designing and arranging the traffic of the computing node, and by implementing the mirroring of the mirrored traffic and the generation of the mirrored traffic message at the computing node, the relevant information of the virtual instance mirrored traffic is designed into the message, and sent from the computing node through the message carrying method, the mirroring of the traffic of the virtual instance is realized while occupying the least data center, the mirrored sending to the designated terminal node, and the differentiation of the mirrored traffic at the terminal node. Furthermore, the routing forwarding table on the mirrored gateway can be designed according to the characteristics of the mirrored traffic message sent by the computing node to realize high-speed processing of the mirrored message.

5, there is shown a flow chart of another embodiment of a traffic mirroring method for a virtual instance of the present invention. FIG. 1 is applied to a virtual machine platform, where the virtual machine platform includes a computing node of a virtual instance, and specifically may include the following steps:

Step 501, receiving a mirrored traffic message sent by a computing node of a virtual instance;

Traffic mirroring refers to the process of copying the traffic of a monitored port to a specific monitoring port for the purpose of traffic monitoring. Specifically, it can be manifested as the process of copying the traffic of a virtual instance to a destination terminal.

In an embodiment of the present application, by designing and arranging the traffic of the computing nodes, and by implementing mirroring of the mirrored traffic and generation of mirrored traffic messages at the computing nodes, relevant information of the virtual instance mirrored traffic can be designed into the message, and sent from the computing nodes through message carrying, thereby implementing mirroring of the traffic of the virtual instance with minimal occupation of the data center, mirroring transmission to the designated terminal node, and differentiation of the mirrored traffic at the terminal node.

In one embodiment of the present application, the destination terminal can receive the mirrored traffic message sent by the computing node of the virtual instance, so as to distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic message, for example, distinguish the mirrored traffic based on the traffic direction information contained in the carried traffic flow table.

Specifically, the received mirrored traffic message may be generated based on the mirrored traffic and the traffic flow table, wherein the mirrored traffic is obtained based on mirroring the inbound traffic and the outbound traffic of the virtual instance.

Traffic mirroring information at least includes traffic mirroring instance information, terminal node information, traffic direction information, traffic filtering policy information, and user-defined label information, etc., to mirror the network traffic of the user's virtual instance to the specified terminal node based on the user-configured traffic mirroring instance information, traffic direction information, terminal node information, traffic filtering policy information, and user-defined label information (such as traffic differentiation label, length of data packet intercepted after mirroring, etc.), so that the traffic of subsequent mirrors of different virtual instances can be distinguished at the same terminal node (if the terminal node information of different virtual instances is configured as the same) according to the user-defined label information, that is, the traffic message quintuple of the virtual instance is the same. It is also possible to mirror the inbound and outbound traffic of the virtual instance separately and distinguish the traffic direction, so that users can more accurately and flexibly mirror the traffic of cloud instances.

Step 502: Differentiate the inbound and outbound mirrored traffic of the port according to the mirrored traffic message.

In practical applications, the inbound and outbound mirrored traffic of a port can be distinguished based on the traffic direction information carried by the mirrored traffic message, the inbound and outbound mirrored traffic of a port can be distinguished based on the traffic mirroring instance information carried by the mirrored traffic message, and the inbound and outbound mirrored traffic of a port can be distinguished based on the traffic direction information and traffic mirroring instance information carried by the mirrored traffic message. It should be noted that the relevant information used to distinguish the inbound and outbound mirrored traffic of a port, in addition to the aforementioned information, can also be other information carried in the message; and the relevant information used to distinguish the inbound and outbound mirrored traffic of a port can be specifically determined based on the information designed to be carried in the message, and the embodiments of the present application do not limit this.

When distinguishing mirrored traffic, in one case, the incoming mirrored traffic and the outgoing mirrored traffic of the mirrored traffic can be distinguished based on the traffic direction information of the mirrored traffic packet, and the incoming traffic and the outgoing traffic can be analyzed; in another case, the incoming mirrored traffic and the outgoing mirrored traffic of the virtual instance corresponding to the traffic mirrored instance information can be distinguished based on the traffic mirrored instance information and the traffic direction of the mirrored traffic packet, and the incoming traffic and the outgoing traffic of the virtual instance corresponding to the traffic mirrored instance information can be analyzed; in yet another case, the mirrored traffic of the virtual instances corresponding to different traffic mirrored instance information can also be distinguished based on the traffic mirrored instance information of the mirrored traffic packet, and the mirrored traffic of different virtual instances can be analyzed.

In the embodiment of the present application, by implementing the mirroring of the inbound and outbound traffic of the virtual instance respectively and distinguishing the traffic direction, the user can more accurately and flexibly mirror the traffic of the cloud instance, and the traffic mirroring process is completed at the computing node where the virtual instance is located, which greatly saves the network bandwidth resources of the data center and does not affect the main process of the user's virtual instance. The traffic after the user's mirroring can be distributed to any designated terminal node (as long as the three-layer network is reachable) through configuration, and the traffic of the virtual instance is mirrored while occupying the least data center, and the mirroring is sent to the designated terminal node, and the mirroring traffic is distinguished at the terminal node. Further, the traffic mirroring gateway sends the mirrored traffic message to the destination terminal node based on the UDP encapsulated double-layer Tunnel message according to the routing forwarding table, and designs the routing forwarding table on the mirroring gateway according to the characteristics of the mirrored traffic message sent by the computing node, so as to realize high-speed processing of the mirrored message. In addition, the filtering strategy of the traffic filter configured by the user can also be completed at the computing node, and the unnecessary traffic is filtered out at the source end, and the filter strategy supports accepting and discarding operations.

Referring to Figure 6, a schematic diagram of the application scenario of traffic mirroring of a virtual instance provided in an embodiment of the present application is shown. The embodiment of the present application implements traffic mirroring based on the UDP protocol in a public cloud, specifically through traffic flow table Open vSwitch encapsulated by VXLAN Tunnel.

The logical network distribution of the virtual machine instances to be mirrored on the public cloud can be shown in Figure 4. Assume that virtual instance 1 (i.e. VM1) and virtual instance 2 (i.e. VM2) are located in subnet 2 (i.e. subnet2) in user VPC1, and virtual instance 3 (i.e. VM3) is located in subnet 1 (i.e. subnet1) in user VPC2. Each VPC can create a traffic mirroring gateway instance (such as mrgw-VPC1, mrgw-VPC2, etc.) on the mirroring gateway, and a mirroring gateway group can contain multiple mirroring gateway nodes to carry traffic mirroring gateway instances of different VPCs, where different mirroring gateway nodes can be implemented based on multiple physical servers as nodes.

Assume that the user mirrors the inbound or outbound traffic of virtual instance 3 (VM3) in subnet1 in VPC2, and configures a traffic filtering policy to send the inbound or outbound mirrored traffic to the specified endpoint virtual instance 2 (VM2) in subnet2 in VPC1. When the user accesses the mirrored virtual instance 3 (VM3) from virtual instance 1 in subnet2 in VPC1, data traffic forwarding can be achieved.

Specifically, as shown in Figure 6, dotted line 1 is the access traffic of VM1 accessing VM3, and dotted line 2 is the response traffic of VM1 accessing VM3. For VM3, the access traffic can be the inbound traffic, and the response traffic can be the outbound traffic. If the user configures the inbound (outbound) traffic mirroring function for VM3, the corresponding orchestration flow table will be sent up and down on the br-int bridge on the Open vSwitch of the host node (compute node 2) where VM3 is located, and the inbound (outbound) traffic will be mirrored and sent to the mirror node of the mirror gateway group through the UDP protocol. At the same time, the mirror gateway group will send a forwarding routing table to the mirror gateway instance of VPC2 (i.e., mrgw-VPC2), and the mirror gateway instance will forward the traffic to the terminal node (i.e., the virtual instance VM2 in VPC1) according to the sent forwarding routing table, so that the terminal node can distinguish the mirror traffic based on the traffic direction information in the traffic flow table of the mirror traffic message.

In the embodiment of the present application, by respectively mirroring the inbound and outbound traffic of the virtual instance and distinguishing the traffic direction, the user can more accurately and flexibly mirror the traffic of the cloud instance, and the traffic mirroring process is completed on the computing node where the virtual instance is located, which greatly saves the network bandwidth resources of the data center and does not affect the main process of the user's virtual instance. The user's mirrored traffic can be distributed to any specified terminal node (as long as the three-layer network is reachable) through configuration, and the traffic of the virtual instance can be mirrored while occupying the least data center, and the mirrored traffic can be sent to the specified terminal node, and the mirrored traffic can be mirrored at the terminal node. Distinguish. Furthermore, the traffic mirroring gateway sends the mirrored traffic message to the destination terminal node based on the UDP encapsulated double-layer tunnel message according to the routing forwarding table. By designing the routing forwarding table on the mirroring gateway according to the characteristics of the mirrored traffic message sent by the computing node, high-speed processing of the mirrored message is achieved. In addition, the filtering strategy based on the user-configured traffic filter is also completed on the computing node to filter out unnecessary traffic at the source end. The filter strategy supports accepting and discarding operations.

It should be noted that, for the method embodiments, for the sake of simplicity, they are all expressed as a series of action combinations, but those skilled in the art should be aware that the embodiments of the present application are not limited by the described action sequence, because according to the embodiments of the present application, certain steps can be performed in other sequences or simultaneously. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present application.

7, a block diagram of a flow mirroring device of a virtual instance of the present application is shown, which is applied to a virtual machine platform. The virtual machine platform includes a computing node of a virtual instance, and specifically may include the following modules:

The to-be-mirrored traffic acquisition module 701 is used to acquire the to-be-mirrored traffic of the virtual instance, where the to-be-mirrored traffic of the virtual instance includes inbound traffic and/or outbound traffic;

The traffic mirroring module 702 is used to mirror the inbound and outbound traffic of the virtual instance at the computing node of the virtual instance to obtain mirrored traffic;

The mirrored traffic message generation module 703 is used to obtain the constructed traffic flow table for the mirrored traffic and generate the mirrored traffic message according to the mirrored traffic and the traffic flow table;

The mirrored traffic message sending module 704 is used to send the mirrored traffic message to the destination terminal so that the destination terminal can distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic message.

In one embodiment of the present application, the device provided in the embodiment of the present application may further include the following modules:

The traffic flow table construction module is used to obtain the configured traffic mirroring information and use the traffic mirroring information to construct a traffic flow table for the mirrored traffic; wherein the traffic mirroring information at least includes traffic direction information, traffic mirroring instance information, terminal node information, traffic filtering policy information and user-defined label information.

In one embodiment of the present application, the mirrored traffic includes inbound mirrored traffic for inbound traffic and outbound mirrored traffic for outbound traffic; the traffic flow table construction module may include the following submodules:

The traffic flow table construction submodule is used to use traffic mirroring instance information, traffic direction information, terminal node information, traffic filtering policy information and user-defined label information to respectively construct an inbound traffic flow table for incoming mirrored traffic and an outbound traffic flow table for outgoing mirrored traffic.

In one embodiment of the present application, the virtual instance is located in a virtual private cloud, and the virtual private cloud has a corresponding traffic mirroring gateway instance created in the mirroring gateway. The mirroring gateway group for carrying different traffic mirroring gateway instances includes multiple mirroring gateway nodes.

In one embodiment of the present application, the mirrored traffic packet generation module 703 may include the following submodules:

The mirror traffic receiving submodule is used to receive the mirror traffic and traffic flow table through the mirror gateway node of the mirror gateway group after the computing node of the virtual instance builds the mirror traffic;

The mirrored traffic message generation submodule is used to generate a mirrored traffic message using the mirrored traffic and the traffic flow table.

In one embodiment of the present application, the mirrored traffic message generation module 703 may further include the following submodules:

The mirror traffic packet generation submodule is used to obtain the routing forwarding table through the mirror gateway node and The forwarding table and traffic flow table process the mirrored traffic packets and generate mirrored traffic packets.

In one embodiment of the present application, the mirrored traffic packet generation submodule may include the following units:

A routing forwarding information acquisition unit, used to acquire traffic mirroring information of a traffic flow table and acquire routing forwarding information of a routing forwarding table;

The mirror traffic packet generating unit is used to respond to the traffic mirror information of the traffic flow table being matched successfully with the routing forwarding information, and to encapsulate the mirror traffic message using the routing forwarding information to obtain the mirror traffic packet.

In one embodiment of the present application, before generating a mirrored traffic message according to the mirrored traffic and the traffic flow table, the device proposed in the embodiment of the present application may further include the following modules:

The access request receiving module is used to receive the access request sent by the user's destination terminal; wherein the access request includes the virtual instance to be accessed, and the virtual instance has a corresponding traffic mirroring gateway instance created in the mirroring gateway.

In one embodiment of the present application, the mirrored traffic message sending module 704 may include the following submodules:

The target gateway address acquisition submodule is used to obtain the routing forwarding table through the mirror gateway and obtain the destination gateway address of the routing forwarding table;

The mirrored traffic message sending submodule is used to determine the destination terminal node of the destination terminal based on the destination gateway address and send the mirrored traffic message to the destination terminal node.

In one embodiment of the present application, the mirrored traffic message sending submodule may include the following units:

The mirrored traffic message sending unit is used to obtain the virtual instance where the traffic mirroring gateway instance to be accessed is currently located, and forward the routing forwarding table to the traffic mirroring gateway instance corresponding to the virtual instance where the traffic mirroring gateway instance to be accessed is currently located, so as to forward the mirrored traffic message to the destination terminal node based on the routing forwarding table based on the corresponding traffic mirroring gateway instance.

In the embodiment of the present application, the flow mirroring device of the virtual instance provided in the embodiment of the present application can mirror the inbound and outbound flows of the virtual instance at the computing node of the virtual instance to obtain the mirrored flow, and can obtain the constructed flow flow table for the mirrored flow, and generate the mirrored flow message according to the mirrored flow and the flow flow table, and send the mirrored flow message to the destination terminal, so that the destination terminal can distinguish the inbound and outbound mirrored flows of the port according to the mirrored flow message. By designing and arranging the flow of the computing node, and by implementing the mirroring of the mirrored flow and the generation of the mirrored flow message at the computing node, the relevant information of the virtual instance mirrored flow is designed into the message, and sent from the computing node through the message carrying method, the mirroring of the flow of the virtual instance is realized under the condition of occupying the least data center, the mirroring is sent to the designated terminal node, and the distinction of the mirrored flow is realized at the terminal node. Further, the routing forwarding table on the mirrored gateway can be designed according to the characteristics of the mirrored flow message sent by the computing node to realize high-speed processing of the mirrored message.

8, a structural block diagram of another embodiment of a traffic mirroring device of a virtual instance of the present application is shown, which is applied to a destination terminal, the destination terminal is connected to a virtual machine platform for communication, and the virtual machine platform includes a computing node of a virtual instance, and specifically may include the following modules:

The mirrored traffic message receiving module 801 is used to receive the mirrored traffic message sent by the computing node of the virtual instance; the mirrored traffic message is generated based on the mirrored traffic and the traffic flow table, wherein the mirrored traffic is obtained based on mirroring the inbound and outbound traffic of the virtual instance;

The mirrored traffic distinguishing module 802 is used to distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic messages.

In one embodiment of the present application, the traffic flow table is constructed based on the configured traffic mirroring information, and the traffic mirroring information includes at least traffic direction information and/or traffic mirroring instance information; the mirrored traffic differentiation module 802 may include the following submodules:

A first mirrored traffic distinguishing submodule is used to distinguish incoming mirrored traffic and outgoing mirrored traffic of the mirrored traffic based on traffic direction information of the mirrored traffic packet, and analyze the incoming traffic and the outgoing traffic;

The second mirrored traffic distinguishing submodule is used to distinguish the incoming mirrored traffic and the outgoing mirrored traffic of the virtual instance corresponding to the traffic mirrored instance information based on the traffic mirrored instance information and the traffic direction of the mirrored traffic packet, and analyze the incoming traffic and the outgoing traffic of the virtual instance corresponding to the traffic mirrored instance information;

The third mirrored traffic distinguishing submodule is used to distinguish the mirrored traffic of virtual instances corresponding to different traffic mirroring instance information based on the traffic mirroring instance information of the mirrored traffic packet, and analyze the mirrored traffic of different virtual instances.

In the embodiment of the present application, the traffic mirroring device of the virtual instance provided by the embodiment of the present application realizes the mirroring of the inflow and outflow of the virtual instance respectively, distinguishes the traffic direction, and allows users to more accurately and flexibly mirror the traffic of the cloud instance, and the traffic mirroring process is completed at the computing node where the virtual instance is located, which greatly saves the network bandwidth resources of the data center, and does not affect the main process of the user's virtual instance. The traffic after the user's mirroring can be distributed to any designated terminal node (as long as the three-layer network is reachable) through configuration, and the traffic of the virtual instance is mirrored while occupying the least data center, and the mirroring is sent to the designated terminal node, and the mirroring traffic is distinguished at the terminal node. Further, the traffic mirroring gateway sends the mirrored traffic message to the destination terminal node based on the UDP encapsulated double-layer Tunnel message according to the routing forwarding table, and the routing forwarding table on the mirroring gateway is designed according to the characteristics of the mirrored traffic message sent by the computing node, so as to realize high-speed processing of the mirrored message. In addition, the filtering strategy of the traffic filter configured by the user can also be completed at the computing node, and the unnecessary traffic is filtered out at the source end, and the filter strategy supports acceptance and discarding operations.

As for the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the partial description of the method embodiment.

The embodiment of the present application also provides a virtual machine platform, including:

It includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor. When the computer program is executed by the processor, each process of the traffic mirroring method embodiment of the above virtual instance is implemented, and the same technical effect can be achieved. To avoid repetition, it will not be repeated here.

The embodiment of the present application also provides a computer-readable storage medium, on which a computer program is stored. When the computer program is executed by a processor, each process of the traffic mirroring method embodiment of the above-mentioned virtual instance is implemented, and the same technical effect can be achieved. To avoid repetition, it will not be repeated here.

The various embodiments in this specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments. The same or similar parts between the various embodiments can be referenced to each other.

Those skilled in the art will appreciate that the embodiments of the present application can be provided as methods, devices, or computer program products. Therefore, the present application can adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment in combination with software and hardware. Moreover, the present application can adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

The present application embodiment is described with reference to the flowchart and/or block diagram of the method, terminal device (system) and computer program product according to the embodiment of the present application. It should be understood that each process and/or box in the flowchart and/or block diagram, and the combination of the process and/or box in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce a device for realizing the function specified in one process or multiple processes in the flowchart and/or one box or multiple boxes in the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

These computer program instructions can also be loaded onto a computer or other programmable data processing terminal device so that a series of operating steps are executed on the computer or other programmable terminal device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

Although the preferred embodiments of the present application have been described, those skilled in the art may make additional changes and modifications to these embodiments once they have learned the basic creative concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.

Finally, it should be noted that, in this article, relational terms such as first and second, etc. are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device including a series of elements includes not only those elements, but also other elements not explicitly listed, or also includes elements inherent to such process, method, article or terminal device. In the absence of further restrictions, the elements defined by the sentence "comprise a ..." do not exclude the existence of other identical elements in the process, method, article or terminal device including the elements.

The above is a detailed introduction to a traffic mirroring method for a virtual instance, a traffic mirroring device for a virtual instance, a corresponding virtual machine platform and a corresponding computer-readable storage medium provided by the present application. Specific examples are used in this article to illustrate the principles and implementation methods of the present application. The description of the above embodiments is only used to help understand the method of the present application and its core idea; at the same time, for general technical personnel in this field, according to the idea of the present application, there will be changes in the specific implementation method and application scope. In summary, the content of this specification should not be understood as a limitation on the present application.

Claims (15)

1. A traffic mirroring method for a virtual instance, characterized in that it is applied to a virtual machine platform, the virtual machine platform includes a computing node of the virtual instance, and the method comprises:

   Acquire the traffic to be mirrored of the virtual instance, where the traffic to be mirrored of the virtual instance includes inbound traffic and/or outbound traffic;

   Mirroring the inbound and outbound traffic of the virtual instance on the computing node of the virtual instance to obtain mirrored traffic;

   Acquire the constructed traffic flow table for the mirrored traffic, and generate a mirrored traffic message according to the mirrored traffic and the traffic flow table;

   The mirrored traffic message is sent to a destination terminal so that the destination terminal can distinguish inbound and outbound mirrored traffic of a port according to the mirrored traffic message.
2. The method according to claim 1, characterized in that the step of obtaining the constructed traffic flow table for the mirrored traffic further comprises:

   The configured traffic mirroring information is obtained, and the traffic mirroring information is used to construct a traffic flow table for the mirrored traffic; wherein the traffic mirroring information includes at least traffic direction information, traffic mirroring instance information, terminal node information, traffic filtering policy information, and user-defined label information.
3. The method according to claim 2 is characterized in that the mirrored traffic includes inbound mirrored traffic for inbound traffic and outbound mirrored traffic for outbound traffic; and the step of using the traffic mirroring information to construct a traffic flow table for the mirrored traffic comprises:

   The traffic mirroring instance information, traffic direction information, terminal node information, traffic filtering policy information and user-defined label information are used to construct an inbound traffic flow table for inbound mirrored traffic and an outbound traffic flow table for outbound mirrored traffic.
4. The method according to claim 1 is characterized in that the virtual instance is located in a virtual private cloud, and the virtual private cloud has a corresponding traffic mirroring gateway instance created in the mirroring gateway, and the mirroring gateway group for carrying different traffic mirroring gateway instances includes multiple mirroring gateway nodes.
5. The method according to claim 4, characterized in that the generating the mirrored traffic message according to the mirrored traffic and the traffic flow table comprises:

   After the computing node of the virtual instance constructs the mirrored traffic, the mirrored traffic and the traffic flow table are received through the mirrored gateway node of the mirrored gateway group;

   Generate a mirrored traffic message using the mirrored traffic and the traffic flow table;

   Also includes:

   The routing forwarding table is obtained through the mirror gateway node, and the mirror traffic message is processed according to the routing forwarding table and the traffic flow table to generate a mirror traffic packet.
6. The method according to claim 5 is characterized in that the processing of the mirrored traffic message according to the routing forwarding table and the traffic flow table to generate a mirrored traffic packet comprises:

   Obtaining traffic mirroring information of the traffic flow table and obtaining routing forwarding information of the routing forwarding table;

   The traffic mirroring information of the traffic flow table is matched successfully with the routing forwarding information, and the The mirrored traffic message is encapsulated using the routing forwarding information to obtain a mirrored traffic packet.
7. The method according to claim 1 or 4, characterized in that before generating the mirrored traffic message according to the mirrored traffic and the traffic flow table, it also includes:

   An access request sent by the destination terminal of the user is received; wherein the access request includes the virtual instance to be accessed, and the virtual instance has a corresponding traffic mirroring gateway instance created in the mirroring gateway.
8. The method according to claim 7, characterized in that the sending of the mirrored traffic message to the destination terminal comprises:

   Obtaining a routing forwarding table through a mirrored gateway and obtaining a destination gateway address of the routing forwarding table;

   A destination terminal node of the destination terminal is determined based on the destination gateway address, and the mirrored traffic message is sent to the destination terminal node.
9. The method according to claim 8, characterized in that the sending of the mirrored traffic message to the destination terminal node comprises:

   Obtain the virtual instance where the traffic mirroring gateway instance to be accessed is currently located, and forward the routing forwarding table to the traffic mirroring gateway instance corresponding to the virtual instance where the traffic mirroring gateway instance to be accessed is currently located, so that the mirrored traffic message is forwarded to the destination terminal node based on the routing forwarding table based on the corresponding traffic mirroring gateway instance.
10. A traffic mirroring method for a virtual instance, characterized in that it is applied to a destination terminal, the destination terminal is communicatively connected to a virtual machine platform, the virtual machine platform includes a computing node of the virtual instance, and the method comprises:

    Receiving a mirrored traffic message sent by a computing node of the virtual instance; the mirrored traffic message is generated based on the mirrored traffic and a traffic flow table, wherein the mirrored traffic is obtained based on mirroring the inbound and outbound traffic of the virtual instance;

    The inbound and outbound mirrored traffic of the port is distinguished according to the mirrored traffic message.
11. The method according to claim 10 is characterized in that the traffic flow table is constructed based on the configured traffic mirroring information, and the traffic mirroring information at least includes traffic direction information and/or traffic mirroring instance information;

    The step of distinguishing the inbound and outbound mirrored traffic of a port according to the mirrored traffic message includes:

    Distinguishing incoming mirrored traffic and outgoing mirrored traffic of the mirrored traffic based on traffic direction information of the mirrored traffic packet, and analyzing the incoming traffic and outgoing traffic;

    And/or, based on the traffic mirroring instance information and the traffic direction of the mirrored traffic packet, distinguishing the incoming mirrored traffic and the outgoing mirrored traffic of the virtual instance corresponding to the traffic mirroring instance information, and analyzing the incoming traffic and the outgoing traffic of the virtual instance corresponding to the traffic mirroring instance information;

    And/or, based on the traffic mirroring instance information of the mirrored traffic packet, the mirrored traffic of the virtual instances corresponding to different traffic mirroring instance information is distinguished, and the mirrored traffic of the different virtual instances is analyzed.
12. A traffic mirroring device for a virtual instance, characterized in that it is applied to a virtual machine platform, the virtual machine platform includes a computing node of the virtual instance, and the device includes:

    A to-be-mirrored traffic acquisition module, used to acquire the to-be-mirrored traffic of the virtual instance, where the to-be-mirrored traffic of the virtual instance includes inbound traffic and/or outbound traffic;

    A traffic mirroring module, used for mirroring the inbound and outbound traffic of the virtual instance on the computing node of the virtual instance to obtain mirrored traffic;

    A mirrored traffic message generation module, used to obtain the constructed traffic flow table for the mirrored traffic, and generate a mirrored traffic message according to the mirrored traffic and the traffic flow table;

    The mirrored traffic message sending module is used to send the mirrored traffic message to the destination terminal so that the destination terminal can distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic message.
13. A traffic mirroring device for a virtual instance, characterized in that it is applied to a destination terminal, the destination terminal is communicatively connected to a virtual machine platform, the virtual machine platform includes a computing node of the virtual instance, and the device comprises:

    A mirrored traffic message receiving module, used to receive a mirrored traffic message sent by a computing node of the virtual instance; the mirrored traffic message is generated based on the mirrored traffic and a traffic flow table, wherein the mirrored traffic is obtained based on mirroring the inbound and outbound traffic of the virtual instance;

    The mirrored traffic distinguishing module is used to distinguish the inbound and outbound mirrored traffic of the port according to the mirrored traffic message.
14. A virtual machine platform, characterized in that it includes: a processor, a memory, and a computer program stored in the memory and capable of running on the processor, wherein when the computer program is executed by the processor, a traffic mirroring method for a virtual instance as described in any one of claims 1 to 9 or claims 10 to 11 is implemented.
15. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, a traffic mirroring method of a virtual instance as described in any one of claims 1 to 9 or claims 10 to 11 is implemented.