CN118282866B - Multi-tenant isolation deployment method, system, equipment and medium based on container cluster - Google Patents
- Publication number: CN118282866B (application CN202410704793.9A)
- Authority: CN (China)
- Prior art keywords: data center, data, tenant, network, communication tunnel
- Prior art date:
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L41/0897—Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities by horizontal or vertical scaling of resources, or by migrating entities, e.g. virtual resources or entities
- G06F9/45558—Hypervisor-specific management and integration aspects
- H04L41/0895—Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
- H04L41/22—Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI]
- H04L41/40—Arrangements for maintenance, administration or management of data switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
- H04L45/76—Routing in software-defined topologies, e.g. routing between virtual machines
- H04L47/125—Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
- H04L63/0428—Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/1408—Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/141—Setup of application sessions
- H04L9/40—Network security protocols
- G06F2009/45587—Isolation or security of virtual machine instances
- Y02D30/50—Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention provides a multi-tenant isolation deployment method, system, equipment and medium based on a container cluster. The method is based on an SD-WAN network architecture and comprises the following steps: constructing a Docker cluster network; constructing an SD-WAN communication tunnel between a first data center and a second data center based on three components, namely an orchestration management coordinator, an SDNC and a MANO; realizing data intercommunication of each tenant across the two data centers by identifying the IP address of the node where the edge equipment is located; and controlling the SD-WAN communication tunnel to dynamically adjust the bandwidths of N tenants between the first data center and the second data center while encrypting data packet transmission, so as to isolate the transmission data of multiple tenants between geographically separated data centers. The SD-WAN network architecture adopted by the invention can provide higher network reliability, better network performance and lower cost, and can simplify network management and deployment and reduce management complexity.
Description
Technical Field
The invention belongs to the technical field of communication, and particularly relates to a multi-tenant isolation deployment method, system, equipment and medium based on a container cluster.
Background
In the cloud computing era, container technology has provided a new way of deploying applications. It solves the problems of resource isolation, low resource utilization and complex deployment found in traditional virtual machine technology. Once deployed, a container is well isolated, so problems caused by resource contention or failures can be effectively avoided. With the wide adoption of container technology, container cluster management and scheduling systems have gradually become a key technology for improving the efficiency of a cloud platform, reducing cost and improving resource utilization. Establishing a robust and efficient container cluster management and scheduling system is therefore an important direction of container technology development. Designing such a system is a complex project that involves many technical fields, including computer networks, distributed storage, databases, scheduling algorithms, fault tolerance mechanisms, security mechanisms and logging. SD-WAN (Software-Defined Wide Area Network) is a software-defined wide area network technology that integrates multiple wide area network connections into a unified, manageable network through virtualized network functions and intelligent routing techniques.
However, the prior art lacks isolation deployment methods, systems, devices and media that can effectively adjust bandwidth on an SD-WAN network and isolate data during transmission when multiple tenants use different container clusters.
Disclosure of Invention
The invention addresses these shortcomings by providing a multi-tenant isolation deployment method, system, equipment and medium based on a container cluster.
The invention provides the following technical scheme: a multi-tenant isolation deployment method based on container clusters, the method being based on SD-WAN network architecture, comprising the steps of:
S1, building a container cluster network;
S2, constructing an SD-WAN communication tunnel between the first data center and the second data center based on three components of an orchestration management coordinator, SDNC and MANO;
S3, realizing data intercommunication between the ith tenant of the first data center and the corresponding ith tenant of the second data center by identifying the IP address of the node where the edge equipment is located; i = 1, 2, …, N;
S4, controlling the SD-WAN communication tunnel to dynamically adjust the bandwidths of N tenants between the first data center and the second data center, and encrypting data packet transmission to realize multi-tenant transmission data isolation between the geographically separated data centers.
Further, the isolation device in the step S3 adopts an H-CPE edge device.
Further, the cluster network established in step S1 is a hub-spoke network, a full-mesh network or a partial-mesh network;
When the hub-spoke network is adopted, the first data center and the second data center are not directly interconnected; a total station (hub site) is established between them, and data packet forwarding communication must go through the SD-WAN communication tunnels built between each data center and the total station;
When the full-mesh network is adopted, the first data center and the second data center carry out data packet forwarding communication directly, or a total station is established between them and an SD-WAN communication tunnel is built between the first data center and the total station for data packet forwarding communication;
When the partial-mesh network is adopted, the first data center and the second data center are directly interconnected, a total station is established between them, and an SD-WAN communication tunnel is built only between the total station and one of the two data centers (the first or the second) for data packet forwarding communication.
Further, the step S1 includes the steps of:
S11, creating regional VPC private network information based on IPv4;
S12, creating initial subnet information within the private-domain IPv4 CIDR of the regional VPC private network information created in step S11;
S13, creating a container cluster according to the VPC private network information of each region from step S12; the clients sharing the same private-domain IPv4 CIDR address of step S11 form a data center of containers, and the clients within the subnets subdivided from the subnet IPv4 CIDR address created in step S12 serve as the terminal data transmission nodes of that data center.
Further, the regional VPC private network information created in step S11 includes the region to which the private network belongs, a private network name and a private-domain IPv4 CIDR address; the initial subnet information created in step S12 includes a subnet name, a subnet IPv4 CIDR address and an available region.
Further, the method of controlling the SD-WAN communication tunnel to dynamically adjust the bandwidth of the N tenants between the first data center and the second data center in step S4 includes the following steps:
S41, calculating the bandwidth required by the ith tenant for forwarding data packets between the first data center and the second data center:
where the quantities in the formula are the total file amount of the mth data packet forwarded between the first data center and the second data center for the ith tenant, m = 1, 2, …, M, with M being the total number of data packets forwarded by the ith tenant between the first data center and the second data center, and the speed of the mth data packet forwarded between the first data center and the second data center for the ith tenant;
S42, constructing an optimal bandwidth amount calculation model of the SD-WAN communication tunnel required by the ith tenant to forward the data packets:
Further, the method of encrypting the data packet transmission in step S4 is a symmetric encryption method or an asymmetric encryption method; the symmetric encryption method is one of AES, DES or 3DES, and the asymmetric encryption method is RSA.
The invention also provides a multi-tenant isolation deployment system based on a container cluster, which comprises a network building module, an SD-WAN communication tunnel building module, a node identification module, and a bandwidth dynamic adjustment and encryption module;
The network building module is used for building a container cluster network;
The SD-WAN communication tunnel construction module is used for constructing an SD-WAN communication tunnel between the first data center and the second data center based on three components of the orchestration management coordinator, the SDNC and the MANO;
The node identification module is used for realizing the data intercommunication of the ith tenant of the first data center and the corresponding ith tenant of the second data center by identifying the IP address of the node where the edge equipment is located; i=1, 2, …, N;
The bandwidth dynamic adjustment and encryption module is used for controlling the SD-WAN communication tunnel to dynamically adjust the bandwidths of N tenants between the first data center and the second data center, and carrying out encryption processing on data packet transmission, so as to realize multi-tenant transmission data isolation between the span-distance data centers.
The invention also provides electronic computer equipment comprising a memory and a processor, wherein the memory stores a computer program and the processor implements the steps of the container-cluster-based multi-tenant isolation deployment method when executing the computer program.
The present invention also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a container cluster based multi-tenant isolation deployment method as described above.
The beneficial effects of the invention are as follows:
1. The SD-WAN network architecture adopted by the invention can provide higher network reliability, better network performance and lower cost, and can simplify network management and deployment and reduce management complexity.
2. The method provided by the invention can effectively carry out multi-tenant isolation by managing and controlling the whole SD-WAN network to form different container clusters, realize automatic configuration and management of the SD-WAN network, monitor network performance and flow, and realize functions of intelligent routing, load balancing and the like.
3. According to the invention, edge equipment arranged at the edge nodes of the SD-WAN network carries out cross-region data packet transmission among the different containers of a plurality of tenants; the edge equipment is usually a router, a switch or a virtual device. It can connect to different wide area networks and local area networks to forward and process data packets, and supports various network connection modes such as MPLS, Internet and 4G/5G.
4. The SD-WAN network adopted by the invention can effectively carry out application identification, can identify and classify different application flows, and carries out intelligent routing and optimization according to the characteristics and the requirements of the application. This may improve the performance and reliability of the application while reducing network costs and delays.
5. The method provided by the invention can realize network security and data protection by carrying out encryption processing in the data packet communication process. The SD-WAN can support various security protocols and technologies, such as IPSec, SSL, firewall, intrusion detection and the like, and ensure the security and reliability of the network.
6. By analyzing and monitoring the file amount and speed of data packet transmission during data packet communication, the method provided by the invention can effectively manage, operate and maintain a plurality of tenants in different container clusters; it can monitor network performance and traffic in real time, collect and analyze network data, provide visual reports and analysis, and help administrators and operation and maintenance personnel diagnose and solve network problems quickly.
Drawings
The invention will be described in more detail hereinafter on the basis of embodiments and with reference to the accompanying drawings. Wherein:
Fig. 1 is a flow diagram of a multi-tenant isolation deployment method based on a container cluster provided by the invention;
Fig. 2 is a schematic diagram of a multi-tenant isolation deployment system based on a container cluster provided by the present invention;
Fig. 3 is a schematic diagram of an electronic device provided by the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, a flow chart of a multi-tenant isolation deployment method based on a container cluster provided by the invention is shown, and the multi-tenant isolation deployment method based on the container cluster provided by the invention is based on an SD-WAN network architecture and comprises the following steps:
S1, building a container cluster network;
S2, constructing an SD-WAN communication tunnel between the first data center and the second data center based on three components of an orchestration management coordinator, SDNC and MANO;
S3, realizing data intercommunication between the ith tenant of the first data center and the corresponding ith tenant of the second data center by identifying the IP address of the node where the edge equipment is located; i = 1, 2, …, N;
S4, controlling the SD-WAN communication tunnel to dynamically adjust the bandwidths of N tenants between the first data center and the second data center, and encrypting data packet transmission to realize multi-tenant transmission data isolation between the geographically separated data centers.
Preferably, the isolation device in step S3 employs an H-CPE edge device.
The H-CPE provides various wired and wireless WAN interfaces and supports rich networking models such as hub-spoke, full-mesh and partial-mesh. It supports large-scale networking, allows single-layer or layered networking to be chosen according to the network scale, and meets enterprise network requirements. It also allows an operator to deploy a high-performance multi-tenant CPE as a gateway (GW) device, providing enterprise tenants with legacy private-line network docking and POP networking services. Through a multi-tenant IWG (Interworking Gateway), flexible access between legacy MPLS sites is provided, enabling a legacy enterprise network to evolve smoothly to an SD-WAN network.
As another preferred embodiment of the present invention, the cluster network established in step S1 is a hub-spoke network, a full-mesh network or a partial-mesh network;
When the hub-spoke network is adopted, the first data center and the second data center are not directly connected; a total station (hub site) is established between them, and an SD-WAN communication tunnel is built between each of the two data centers and the total station for data packet forwarding communication. For example, all sites of a hotel chain access the headquarters database uniformly, and data packets are requested from and forwarded by the headquarters;
When the full-mesh network is adopted, the first data center and the second data center carry out data packet forwarding communication directly, or a total station is established between them and an SD-WAN communication tunnel is built between the total station and the first data center for data packet forwarding communication;
When the partial-mesh network is adopted, the first data center and the second data center are directly interconnected, a total station is established between them, and the total station builds an SD-WAN communication tunnel with only one of the two data centers (the first or the second) for data packet forwarding communication;
For example, when the total station is interconnected only with the first data center, the second data center can request, through the first data center, the download of data packets of other stations stored in the cloud at the total station; when the total station is interconnected only with the second data center, the first data center can request the same download from the total station through the second data center.
As another preferred embodiment of the present invention, step S1 includes the following steps:
S11, creating regional VPC private network information based on IPv4;
S12, creating initial subnet information within the private-domain IPv4 CIDR of the regional VPC private network information created in step S11;
S13, creating a container cluster according to the VPC private network information of each region from step S12; the clients sharing the same private-domain IPv4 CIDR address of step S11 form a data center of containers, and the clients within the subnets subdivided from the subnet IPv4 CIDR address created in step S12 serve as the terminal data transmission nodes of that data center.
Further, the regional VPC private network information created in step S11 includes the region to which the private network belongs, the private network name and the private-domain IPv4 CIDR address; the initial subnet information created in step S12 includes a subnet name, a subnet IPv4 CIDR address and an available region (the available region is a lower-level area within the region to which the regional VPC private network information created in step S11 belongs).
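As an added example (not code from the patent), the following Python sketch models steps S11 to S13 and the tenant-matching check of step S3: each data center is a regional VPC with its own private-domain IPv4 CIDR, tenant i receives the i-th subnet carved from that CIDR, and a packet is forwarded across the tunnel only when it enters and leaves through known edge-node IPs and its source and destination belong to the same tenant index in the two data centers. The region names, CIDRs, edge-node addresses and all helper names are assumptions.

```python
"""Added example (not code from the patent): regional VPC / per-tenant subnet planning
(steps S11-S13) and the same-tenant forwarding check of step S3.

Assumptions: each data center is one regional VPC with its own private-domain IPv4
CIDR; tenant i receives the i-th subnet carved from that CIDR; a data center is
identified on the tunnel by the IP of the node where its edge device sits.
All names and addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DataCenter:
    region: str                              # region the VPC belongs to (S11)
    vpc_name: str                            # private network name (S11)
    vpc_cidr: ipaddress.IPv4Network          # private-domain IPv4 CIDR (S11)
    edge_node_ip: ipaddress.IPv4Address      # node hosting the edge device (S3)
    tenant_subnets: Dict[int, ipaddress.IPv4Network] = field(default_factory=dict)


def make_dc(region: str, vpc_name: str, vpc_cidr: str, edge_node_ip: str) -> DataCenter:
    """Parse the S11 inputs; strict=True rejects a CIDR with host bits set."""
    return DataCenter(region, vpc_name,
                      ipaddress.IPv4Network(vpc_cidr, strict=True),
                      ipaddress.IPv4Address(edge_node_ip))


def plan_tenant_subnets(dc: DataCenter, n_tenants: int,
                        subnet_prefixlen: int) -> Dict[int, ipaddress.IPv4Network]:
    """S12: carve one subnet per tenant out of the VPC CIDR. Tenant i gets the i-th
    subnet; if the VPC cannot hold n_tenants subnets, fail instead of reusing one."""
    subnets = list(dc.vpc_cidr.subnets(new_prefix=subnet_prefixlen))
    if len(subnets) < n_tenants:
        raise ValueError(f"{dc.vpc_cidr} holds only {len(subnets)} /{subnet_prefixlen} subnets")
    dc.tenant_subnets = {i: subnets[i - 1] for i in range(1, n_tenants + 1)}
    return dc.tenant_subnets


def find_vpc_overlap(dcs: List[DataCenter]) -> Optional[Tuple[str, str]]:
    """Isolation precondition: VPC CIDRs of different data centers must not overlap,
    or one address could belong to tenant i in DC1 and another tenant in DC2.
    Returns the first offending pair of VPC names, or None."""
    for idx, a in enumerate(dcs):
        for b in dcs[idx + 1:]:
            if a.vpc_cidr.overlaps(b.vpc_cidr):
                return (a.vpc_name, b.vpc_name)
    return None


def tenant_of(dc: DataCenter, ip: str) -> Optional[int]:
    """Map an address inside a data center to its tenant index, or None."""
    addr = ipaddress.IPv4Address(ip)
    for i, net in dc.tenant_subnets.items():
        if addr in net:
            return i
    return None


def locate_dc(dcs: List[DataCenter], edge_ip: str) -> Optional[DataCenter]:
    """S3: identify a data center by the IP of the node where its edge device sits."""
    addr = ipaddress.IPv4Address(edge_ip)
    for dc in dcs:
        if dc.edge_node_ip == addr:
            return dc
    return None


def tunnel_forward_allowed(dcs: List[DataCenter], ingress_edge_ip: str, src_ip: str,
                           egress_edge_ip: str, dst_ip: str) -> bool:
    """Tunnel policy: a packet entering at one data center's edge node may leave at
    the other data center's edge node only if source and destination belong to the
    same tenant index i in their respective data centers."""
    src_dc = locate_dc(dcs, ingress_edge_ip)
    dst_dc = locate_dc(dcs, egress_edge_ip)
    if src_dc is None or dst_dc is None or src_dc is dst_dc:
        return False                    # unknown edge node, or not a cross-DC flow
    src_t = tenant_of(src_dc, src_ip)
    dst_t = tenant_of(dst_dc, dst_ip)
    return src_t is not None and src_t == dst_t


def build_sample(n_tenants: int = 3) -> List[DataCenter]:
    """Constructed sample: two regional data centers, n_tenants /24 subnets each."""
    dcs = [make_dc("region-a", "vpc-dc1", "10.10.0.0/16", "192.0.2.1"),
           make_dc("region-b", "vpc-dc2", "10.20.0.0/16", "198.51.100.1")]
    clash = find_vpc_overlap(dcs)
    if clash is not None:
        raise ValueError(f"overlapping VPC CIDRs: {clash}")
    for dc in dcs:
        plan_tenant_subnets(dc, n_tenants, 24)
    return dcs


if __name__ == "__main__":
    sample = build_sample()
    for dc in sample:
        print(dc.vpc_name, {i: str(n) for i, n in dc.tenant_subnets.items()})
    # tenant 2 in DC1 talking to tenant 2 in DC2 is allowed; tenant 2 to tenant 3 is not
    print(tunnel_forward_allowed(sample, "192.0.2.1", "10.10.1.7", "198.51.100.1", "10.20.1.9"))  # True
    print(tunnel_forward_allowed(sample, "192.0.2.1", "10.10.1.7", "198.51.100.1", "10.20.2.9"))  # False
```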
As another preferred embodiment of the present invention, the method of controlling the SD-WAN communication tunnel to dynamically adjust the bandwidth of the N tenants between the first data center and the second data center in step S4 includes the following steps:
S41, calculating the bandwidth required by the ith tenant for forwarding data packets between the first data center and the second data center:
where the quantities in the formula are the total file amount of the mth data packet forwarded between the first data center and the second data center for the ith tenant, m = 1, 2, …, M, with M being the total number of data packets forwarded by the ith tenant between the first data center and the second data center, and the speed of the mth data packet forwarded between the first data center and the second data center for the ith tenant;
S42, constructing an optimal bandwidth amount calculation model of the SD-WAN communication tunnel required by the ith tenant to forward the data packets:
This model allows the ith tenant to forward data packets between the first data center and the second data center at the optimal file transfer speed, up to the maximum bandwidth.
As another preferred embodiment of the present invention, the method of encrypting the data packet transmission in step S4 is a symmetric encryption method or an asymmetric encryption method; the symmetric encryption method is one of AES, DES or 3DES, and the asymmetric encryption method is RSA.
As shown in fig. 2, the system for deploying multi-tenant isolation based on container clusters provided by the invention comprises a network building module, an SD-WAN communication tunnel building module, a node identification module, a bandwidth dynamic adjustment and encryption module;
The network building module is used for building a container cluster network;
the SD-WAN communication tunnel construction module is used for constructing an SD-WAN communication tunnel between the first data center and the second data center based on three components of the orchestration management coordinator, the SDNC and the MANO;
The node identification module is used for realizing the data intercommunication between the ith tenant of the first data center and the corresponding ith tenant of the second data center by identifying the IP address of the node where the edge equipment is located; i=1, 2, …, N;
the bandwidth dynamic adjustment and encryption module is used for controlling the SD-WAN communication tunnel to dynamically adjust the bandwidths of N tenants between the first data center and the second data center, and carrying out encryption processing on data packet transmission, so as to realize multi-tenant transmission data isolation between the span-distance data centers.
The method provided by the invention uses the SD-WAN network architecture to carry multi-tenant, multi-application packet communication between different container clusters, replacing traditional hardware equipment and proprietary protocols with software-based virtualization technology and the standard Internet Protocol (IP), thereby providing more flexible, reliable and secure wide-area network connectivity. Its working principle is as follows:
The SD-WAN network may manage and configure the network of the branch office via a central control platform. An administrator can control settings of individual network devices through this platform. In addition, the SD-WAN network can simultaneously utilize a plurality of different types of network lines to carry out data transmission, including MPLS, internet, 4G and the like, distribute data traffic to different connections, and automatically select an optimal path according to the characteristics of an application program so as to realize quick and reliable data transmission.
The SD-WAN network can identify network traffic of different applications and adjust network routing according to the characteristics thereof, thereby guaranteeing low delay, high speed and good response time and improving user experience. The SD-WAN can monitor the network bandwidth use condition in real time, automatically adjust bandwidth allocation and ensure network fluency.
The SD-WAN network can provide higher-level security guarantee for the enterprise network, such as measures of traffic encryption, traffic filtering, VPN tunnel, firewall and the like, guarantee the security of the enterprise network and data, and effectively prevent network attack and data leakage.
The SD-WAN network can intensively manage the networks of all branch institutions, reduce complex network deployment and maintenance work, provide visual network monitoring and fault diagnosis functions, and enable network operation and maintenance to be simpler and more efficient.
The present invention also provides an electronic device employing the above-mentioned container cluster-based multi-tenant isolation deployment method, referring to fig. 3, which shows a schematic structural diagram of an electronic device 100 suitable for implementing an embodiment of the present disclosure. The electronic devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 3 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments. The present invention also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a container cluster based multi-tenant isolation deployment method as described above.
As shown in fig. 3, the electronic device 100 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 101 that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 102 or a program loaded from a storage means 108 into a Random Access Memory (RAM) 103. In the RAM 103, various programs and data necessary for the operation of the electronic apparatus 100 are also stored. The processing device 101, ROM 102, and RAM 103 are connected to each other by a bus 104. An input/output (I/O) interface 105 is also connected to bus 104.
In general, the following devices may be connected to the I/O interface 105: input devices 106 including, for example, a touch screen, touchpad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, etc.; an output device 107 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage devices 108 including, for example, magnetic tape, hard disk, etc.; and a communication device 109. The communication means 109 may allow the electronic device 100 to communicate wirelessly or by wire with other devices to exchange data. While fig. 3 shows the electronic device 100 with various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 109, or from the storage means 108, or from the ROM 102. The above-described functions defined in the methods of the embodiments of the present disclosure are performed when the computer program is executed by the processing device 101.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring at least two internet protocol addresses; sending a node evaluation request comprising at least two internet protocol addresses to node evaluation equipment, wherein the node evaluation equipment selects an internet protocol address from the at least two internet protocol addresses and returns the internet protocol address; receiving an Internet protocol address returned by node evaluation equipment; wherein the acquired internet protocol address indicates an edge node in the content distribution network.
Or the computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: receiving a node evaluation request comprising at least two internet protocol addresses; selecting an internet protocol address from at least two internet protocol addresses; returning the selected internet protocol address; wherein the received internet protocol address indicates an edge node in the content distribution network.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
While the invention has been described with reference to a preferred embodiment, various modifications may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In particular, the technical features mentioned in the respective embodiments may be combined in any manner as long as there is no structural conflict. The present invention is not limited to the specific embodiments disclosed herein, but encompasses all technical solutions falling within the scope of the claims.
Claims (8)
1. The multi-tenant isolation deployment method based on the container cluster is based on an SD-WAN network architecture and is characterized by comprising the following steps of:
S1, building a container cluster network;
S2, constructing an SD-WAN communication tunnel between the first data center and the second data center based on three components of an orchestration management coordinator, SDNC and MANO;
S3, realizing data intercommunication between the ith tenant of the first data center and the corresponding ith tenant of the second data center by identifying the IP address of the node where the edge equipment is located; i=1, 2, …, N;
S4, controlling the SD-WAN communication tunnel to dynamically adjust the bandwidths of N tenants between the first data center and the second data center, and encrypting data packet transmission to realize multi-tenant transmission data isolation between the span-distance data centers;
the step S1 comprises the following steps:
S11, creating regional VPC private network information based on IPv 4;
S12, further creating initial subnet information in the private domain IPv4 CIDR in the regional VPC private network information in the step S11;
S13, creating a container cluster according to the VPC private network information of different areas in the step S12, creating a data center by using the client of the same private domain IPv4 CIDR address in the step S11 as a container, and further using the client in the data center created by subdivision of the subnet IPv4 CIDR address created in the step S12 as a subdivision terminal data transmission node;
The method for controlling the dynamic adjustment of the bandwidth of N tenants between the first data center and the second data center by the SD-WAN communication tunnel in the step S4 comprises the following steps:
S41, calculating a bandwidth T_i required by the ith tenant to forward data packets between the first data center and the second data center:
wherein Q_{m,i} is the total size of the mth packet file forwarded by the ith tenant between the first data center and the second data center, m = 1, 2, …, M; M is the total number of data packets forwarded by the ith tenant between the first data center and the second data center; V_{m,i} is the transfer speed of the mth packet forwarded by the ith tenant between the first data center and the second data center;
S42, constructing an optimal bandwidth amount calculation model of the SD-WAN communication tunnel required by the ith tenant to forward the data packet.
2. The container cluster-based multi-tenant isolation deployment method of claim 1, wherein the isolation device in step S3 employs an H-CPE edge device.
3. The multi-tenant isolation deployment method based on the container cluster according to claim 1, wherein the cluster network built in the step S1 is a hub-spoke network, a full-mesh network or a partial-mesh network;
when the hub-spoke network is adopted, the first data center and the second data center are not directly interconnected, and a total station is established between the first data center and the second data center, and an SD-WAN communication tunnel is established between the first data center and the second data center and the total station for data packet forwarding communication;
When the full-mesh network is adopted, the first data center and the second data center directly carry out data packet forwarding communication, or a total station is established between the first data center and the second data center, and an SD-WAN communication tunnel is established between the first data center and the total station for data packet forwarding communication;
When the partial-mesh network is adopted, the first data center and the second data center are directly connected with each other, and a total station is established between the first data center and the second data center, and only an SD-WAN communication tunnel is independently established between the total station and the first data center or the second data center for data packet forwarding communication.
4. The multi-tenant isolation deployment method based on the container cluster according to claim 1, wherein the regional VPC private network information created in the step S11 includes a belonging region, a private network name, and a private domain IPv4 CIDR address; the initial subnet information in the step S12 includes a subnet name, a subnet IPv4 CIDR address and an available region.
5. The multi-tenant isolation deployment method based on container clusters according to claim 1, wherein the method of encrypting data packet transmission in step S4 is a symmetric encryption method or an asymmetric encryption method, and the symmetric encryption method is one of AES, DES or 3 DES; the asymmetric encryption method is RSA.
6. The multi-tenant isolation deployment system based on the container cluster, which adopts the method as claimed in any one of claims 1 to 5, is characterized by comprising a network building module, an SD-WAN communication tunnel building module, a node identification module, a bandwidth dynamic adjustment and encryption module;
the network building module is used for building a container cluster network;
The SD-WAN communication tunnel construction module is used for constructing an SD-WAN communication tunnel between the first data center and the second data center based on three components of the orchestration management coordinator, the SDNC and the MANO;
The node identification module is used for realizing the data intercommunication of the ith tenant of the first data center and the corresponding ith tenant of the second data center by identifying the IP address of the node where the edge equipment is located; i=1, 2, …, N;
The bandwidth dynamic adjustment and encryption module is used for controlling the SD-WAN communication tunnel to dynamically adjust the bandwidths of N tenants between the first data center and the second data center, and carrying out encryption processing on data packet transmission, so as to realize multi-tenant transmission data isolation between the span-distance data centers.
7. An electronic computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the container cluster based multi-tenant isolation deployment method of any one of claims 1-5.
8. A storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the container cluster based multi-tenant quarantine deployment method according to any of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410704793.9A CN118282866B (en) | 2024-06-03 | 2024-06-03 | Multi-tenant isolation deployment method, system, equipment and medium based on container cluster |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118282866A CN118282866A (en) | 2024-07-02 |
CN118282866B true CN118282866B (en) | 2024-07-26 |
Family
ID=91643908
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410704793.9A Active CN118282866B (en) | 2024-06-03 | 2024-06-03 | Multi-tenant isolation deployment method, system, equipment and medium based on container cluster |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118282866B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114402574A (en) * | 2019-09-27 | 2022-04-26 | 甲骨文国际公司 | Methods, systems, and computer readable media for providing multi-tenant software defined wide area network (SD-WAN) nodes |
CN116319296A (en) * | 2023-03-22 | 2023-06-23 | 新华三技术有限公司 | Method and device for deploying data centers in cross-SD-WAN fusion mode |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11611517B2 (en) * | 2020-05-29 | 2023-03-21 | Equinix, Inc. | Tenant-driven dynamic resource allocation for virtual network functions |
US20240022499A1 (en) * | 2022-07-18 | 2024-01-18 | Vmware, Inc. | Dns-based gslb-aware sd-wan for low latency saas applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: Multi tenant isolation deployment method, system, device, and medium based on container cluster. Granted publication date: 20240726. Pledgee: Pudong Shanghai technology financing Company limited by guarantee. Pledgor: Zhongyulian cloud computing service (Shanghai) Co.,Ltd. Registration number: Y2024310000977 |