
CN105991738B - Method and system for cross-security-domain resource sharing in a cloud resource pool - Google Patents

Method and system for cross-security-domain resource sharing in a cloud resource pool

Info

Publication number
CN105991738B
CN105991738B (application CN201510089965.7A / CN201510089965A; published as CN105991738A)
Authority
CN
China
Prior art keywords
resource
server
network
security
security domain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510089965.7A
Other languages
Chinese (zh)
Other versions
CN105991738A (en)
Inventor
何淼
刘三苏
梁宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Group Sichuan Co Ltd
Original Assignee
China Mobile Group Sichuan Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Group Sichuan Co Ltd
Priority to CN201510089965.7A
Publication of CN105991738A
Application granted
Publication of CN105991738B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and system for cross-security-domain resource sharing in a cloud resource pool. The method comprises: a cloud computing resource management platform configures a resource pool and plans multiple network security domains in the same resource pool; the cloud computing resource management platform collects data from each network element, including servers, performs performance analysis and obtains the resource demand; the cloud computing resource management platform applies a pre-configured server security policy and, according to the resource demand, dynamically schedules the resources in the same resource pool, dynamically changing the servers' service-network settings and network security settings, so that servers migrate across security domains within the same resource pool and dynamic resource sharing of servers across security domains is achieved.

Description

Method and system for cross-security-domain resource sharing in a cloud resource pool
Technical field
The present invention relates to resource-sharing technology, and in particular to a method and system for cross-security-domain resource sharing in a cloud resource pool.
Background technique
In the course of implementing the technical solution of this application, the inventors found at least the following technical problem in the related art:
In a network environment with multiple security domains, consolidating IT infrastructure with mature technologies is expected to improve the flexible sharing of computing resources while greatly reducing the number of servers, and at the same time to preserve the original security-domain environment as far as possible so as to meet the enterprise's network security standards. For physical servers that are not virtualized, the conventional approach is to add as many network cards to the server as possible so that it can reach multiple network security domains. Since the card-expansion capacity of a server is fairly limited, the common design methods at present are:
Scheme 1. For application systems with relatively high security requirements, security is the primary consideration: an independent resource pool is planned for each security domain and built in an independent-pool manner. From the structure of independent security domains and resource pools shown in Figure 1, it can be seen that one security domain corresponds to one resource pool, which better safeguards the security of the computing resources and the application environment.
Scheme 2. For application systems with ordinary security requirements, flexible sharing of computing resources is the primary consideration: the original multiple security domains are merged into one large security domain and one large resource pool is planned. From the structure of the consolidated security domain and resource pool shown in Figure 2, it can be seen that one large security domain corresponds to one large resource pool, which better realizes flexible sharing and dynamic migration of computing resources.
Analysis of the above schemes shows the drawback of the prior art: when IT infrastructure is consolidated along conventional lines, a choice must be made between security and resource utilization. Application systems with high security requirements suit the "independent security domain and resource pool" mode, which preserves the guarantees of the original security standard, but resources cannot be shared between different security domains and utilization is relatively low. Application systems with ordinary security requirements suit the "consolidated security domain and resource pool" mode, in which the physical servers in the pool can share resources within a limited scope, but all applications are deployed in one large security domain and the security of the application systems is lower than before consolidation.
If the access mode "one resource pool corresponds to multiple security domains" were simply adopted, later operation and maintenance workload and risk would increase. For example, moving computing resources from security domain 1 to security domain 2 involves changes to machine-room space (preparation and relocation), power, patch cables, network configuration and system redeployment, and adjusting resources by hand in a consolidated, centralized environment is undoubtedly a major risk point.
In summary, existing cross-security-domain techniques can only provide access across security domains; they cannot dynamically migrate physical server resources across security domains, so security and resource utilization cannot both be obtained.
Summary of the invention
In view of this, embodiments of the present invention aim to provide a method and system for cross-security-domain resource sharing in a cloud resource pool that solve at least the problems of the prior art.
The technical solution of the embodiments of the present invention is implemented as follows:
A method for cross-security-domain resource sharing in a cloud resource pool according to an embodiment of the present invention comprises:
The cloud computing resource management platform configures a resource pool, planning multiple network security domains in the same resource pool;
The cloud computing resource management platform collects data from each network element, including servers, performs performance analysis and obtains the resource demand;
The cloud computing resource management platform applies a pre-configured server security policy and, according to the resource demand, dynamically schedules the resources in the same resource pool, dynamically changing the servers' service-network settings and network security settings, so that servers migrate across security domains within the same resource pool and dynamic resource sharing of servers across security domains is achieved.
In the above scheme, the step in which the cloud computing resource management platform applies the pre-configured server security policy and dynamically schedules resources in the same resource pool according to the resource demand, to dynamically change the servers' service-network settings and network security settings, comprises:
The cloud computing resource management platform makes a judgement when scheduling according to the resource demand and obtains a judgement result;
If the judgement result is that server resources meeting the resource demand can be reclaimed, the cloud computing resource management platform reconfigures them;
If the judgement result is that server resources meeting the resource demand cannot be reclaimed, the cloud computing resource management platform enters a reclaim-polling state and reallocates after server resources meeting the resource demand have been reclaimed.
In the above scheme, the step in which the cloud computing resource management platform applies the pre-configured server security policy and dynamically schedules resources in the same resource pool according to the resource demand, to dynamically change the servers' service-network settings and network security settings, may further comprise:
The cloud computing resource management platform confirms, according to the resource scheduling result, the set of servers that need dynamic sharing adjustment;
The cloud computing resource management platform, according to the security domain corresponding to the resource demand, dynamically configures the network IP configuration and network security policy of the servers in the server set, and invokes network elements including at least iptables to perform network security control.
In the above scheme, the cloud computing resource management platform configuring the resource pool comprises:
Dividing the resource pool into default fixed resources and adjustable dynamic resources;
The default fixed resources are resources pre-configured according to the system architecture plan that do not need to be changed;
The adjustable dynamic resources are resources that, based on actual resource usage, need to be dynamically scheduled according to service calculations.
In the above scheme, the method further comprises:
Connecting the service network and the management network of the resource pool to different switches from different network ports of the servers, so that the resource pool is physically independent on the service network and the management network, achieving complete isolation at the physical layer;
The management network provides management services for the resource pool; the service network is the network through which each server on the resource pool provides services externally, and carries the data of each business system.
In the above scheme, the adjustable dynamic resources include:
Server security policy, service IP address and service-network VLAN;
The method further comprises:
According to the business running on the server, and based on the server security policy, enforcing isolation between the management network and the service network, so that they cannot reach each other at the physical layer;
On the switches, isolating the data of different security domains at the logical level by means of the service-network VLAN, and physically isolating the ports on the switches and the firewall, achieving two-layer network isolation.
In the above scheme, dynamically scheduling resources in the same resource pool according to the analysis result, so that servers migrate across security domains within the same resource pool and dynamic resource sharing of servers across security domains is achieved, comprises:
Obtaining the current security-domain resource requests in the same resource pool and, according to the analysis result, obtaining the adjustable dynamic resources currently available for scheduling;
Realizing the cross-security-domain resource sharing of servers through the adjustable dynamic resources.
In the above scheme, realizing the cross-security-domain resource sharing of servers through the adjustable dynamic resources comprises:
At least one server in a first server set is initialized in the service network to a first security domain;
When it is detected that a server in the first server set has cancelled its association with the first security domain, has been released from the first security domain and is in an idle state, that server is determined to be an idle server, and the idle servers form a second server set;
Resource requests from a second security domain, or from the second through the j-th security domains, are obtained; the cloud computing resource management platform schedules the idle servers in the second server set and associates them with the second security domain (or the second through j-th security domains), so that the idle servers in the second server set work in the second security domain (or the second through j-th security domains), thereby realizing cross-security-domain resource sharing of servers.
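As an added illustration of the scheduling procedure just described (the first and second server sets, the reclaim judgement with its polling state, and the per-domain IP, VLAN and iptables reconfiguration, together with the rule that management and service NICs must reach different switches), the following Python model is not part of the patent. The domain names, VLAN numbers, subnets, switch names and allowed ports are constructed for the example, and the iptables-style rules are only generated as strings, never applied to a host.

```python
# Added example (not from the patent): a small model of a cloud resource pool
# in which adjustable servers migrate between security domains under a
# pre-configured per-domain policy.  All names and numbers are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DomainPolicy:
    """Pre-configured server security policy for one network security domain."""
    vlan: int                 # service-network VLAN isolating the domain at layer 2
    subnet: str               # first three octets of the service IP subnet, e.g. "10.2.0"
    allowed_tcp_ports: tuple  # inbound services this domain is allowed to expose


@dataclass
class Server:
    name: str
    mgmt_switch: str          # switch reached from the management NIC
    service_switch: str       # switch reached from the service NIC
    fixed: bool = False       # default fixed resource: never rescheduled
    domain: Optional[str] = None   # None means released from its domain / idle
    service_ip: Optional[str] = None
    vlan: Optional[int] = None
    firewall_rules: List[str] = field(default_factory=list)


def violates_physical_isolation(srv: Server) -> bool:
    """Management and service networks must use different switches."""
    return srv.mgmt_switch == srv.service_switch


class ResourcePool:
    def __init__(self, policies: Dict[str, DomainPolicy]):
        self.policies = policies
        self.servers: Dict[str, Server] = {}
        self._next_host = {d: 10 for d in policies}   # constructed host numbering

    def add_server(self, srv: Server, domain: Optional[str] = None) -> Server:
        if violates_physical_isolation(srv):
            raise ValueError(f"{srv.name}: management and service NICs share a switch")
        self.servers[srv.name] = srv
        if domain is not None:
            self._configure(srv, domain)
        return srv

    def _configure(self, srv: Server, domain: str) -> None:
        """Apply the target domain's service IP, VLAN and iptables-style policy."""
        pol = self.policies[domain]
        host = self._next_host[domain]
        self._next_host[domain] += 1
        srv.domain = domain
        srv.service_ip = f"{pol.subnet}.{host}"
        srv.vlan = pol.vlan
        rules = ["-P INPUT DROP",
                 "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
        for port in pol.allowed_tcp_ports:
            rules.append(f"-A INPUT -s {pol.subnet}.0/24 -p tcp --dport {port} -j ACCEPT")
        srv.firewall_rules = rules

    def release(self, name: str) -> Server:
        """The server cancels its domain association and becomes idle."""
        srv = self.servers[name]
        if srv.fixed:
            raise ValueError(f"{name} is a default fixed resource and cannot be released")
        srv.domain = None
        srv.service_ip = None
        srv.vlan = None
        srv.firewall_rules = ["-P INPUT DROP"]   # an idle server accepts nothing
        return srv

    def idle_servers(self) -> List[Server]:
        """The second server set: adjustable servers with no domain."""
        return [s for s in self.servers.values() if not s.fixed and s.domain is None]

    def request(self, domain: str, count: int) -> dict:
        """Judgement step: allocate idle servers to the requesting domain if
        enough can be reclaimed, otherwise report the reclaim-polling state."""
        idle = self.idle_servers()
        if len(idle) < count:
            return {"status": "polling", "shortfall": count - len(idle)}
        chosen = idle[:count]
        for srv in chosen:
            self._configure(srv, domain)
        return {"status": "allocated", "servers": [s.name for s in chosen]}


def demo() -> dict:
    """Two servers start in domain1; a request from domain2 must poll until an
    adjustable server is released, after which it is re-homed into domain2."""
    pool = ResourcePool({
        "domain1": DomainPolicy(vlan=10, subnet="10.1.0", allowed_tcp_ports=(22, 80)),
        "domain2": DomainPolicy(vlan=20, subnet="10.2.0", allowed_tcp_ports=(443,)),
    })
    pool.add_server(Server("srv-a", "sw-mgmt-1", "sw-svc-1"), "domain1")
    pool.add_server(Server("srv-b", "sw-mgmt-1", "sw-svc-1", fixed=True), "domain1")
    first = pool.request("domain2", 1)     # no idle server yet -> polling
    pool.release("srv-a")                  # srv-a leaves domain1, joins the idle set
    second = pool.request("domain2", 1)    # reclaimed -> reconfigured for domain2
    return {"first": first, "second": second, "srv_a": pool.servers["srv-a"]}


if __name__ == "__main__":
    print(demo())
```

The fixed server never enters the idle set, so it can never be re-homed; the adjustable one only gains the target domain's IP, VLAN and inbound rules after the judgement step has found it reclaimable, and while idle it carries a default-drop policy.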
A system for cross-security-domain resource sharing in a cloud resource pool according to an embodiment of the present invention comprises:
A cloud computing resource pool management platform, configured to configure a resource pool and plan multiple network security domains in the same resource pool; to collect data from each network element, including servers, perform performance analysis and obtain the resource demand; and to apply a pre-configured server security policy and dynamically schedule the resources in the same resource pool according to the resource demand, dynamically changing the servers' service-network settings and network security settings so that servers migrate across security domains within the same resource pool and dynamic resource sharing of servers across security domains is achieved;
The servers, configured to accept the dynamic scheduling of the cloud computing resource pool management platform, migrate across security domains within the same resource pool and achieve dynamic resource sharing across security domains.
In the above scheme, the cloud computing resource management platform is further configured to make a judgement when scheduling according to the resource demand and obtain a judgement result; if the judgement result is that server resources meeting the resource demand can be reclaimed, the platform reconfigures them; if the judgement result is that server resources meeting the resource demand cannot be reclaimed, the platform enters a reclaim-polling state and reallocates after server resources meeting the resource demand have been reclaimed.
In the above scheme, the cloud computing resource management platform is further configured to confirm, according to the resource scheduling result, the set of servers that need dynamic sharing adjustment; and, according to the security domain corresponding to the resource demand, to dynamically configure the network IP configuration and network security policy of the servers in that set and invoke network elements including at least iptables to perform network security control.
In the above scheme, the cloud computing resource management platform is further configured so that, with at least one server in a first server set initialized in the service network to a first security domain, when it detects that a server in the first server set has cancelled its association with the first security domain, has been released from the first security domain and is in an idle state, it determines that server to be an idle server and forms a second server set from the idle servers; it obtains resource requests from a second security domain (or from the second through j-th security domains), schedules idle servers in the second server set and associates them with the second security domain (or the second through j-th security domains), so that the idle servers in the second server set work in the second security domain (or the second through j-th security domains), thereby realizing cross-security-domain resource sharing of servers.
The method for cross-security-domain resource sharing in a cloud resource pool according to an embodiment of the present invention comprises: the cloud computing resource management platform configures a resource pool, planning multiple network security domains in the same resource pool; the cloud computing resource management platform collects data from each network element, including servers, performs performance analysis and obtains the resource demand; the cloud computing resource management platform applies a pre-configured server security policy and dynamically schedules the resources in the same resource pool according to the resource demand, dynamically changing the servers' service-network settings and network security settings, so that servers migrate across security domains within the same resource pool and dynamic resource sharing of servers across security domains is achieved.
With the embodiments of the present invention, the allocation performed by the cloud computing resource management platform dynamically schedules resources within the same resource pool, lets servers migrate across security domains within the same pool, and realizes dynamic resource sharing of servers across security domains.
Detailed description of the invention
Fig. 1 is a schematic diagram of the structure of existing independent security domains and resource pools;
Fig. 2 is a schematic diagram of the structure of an existing consolidated security domain and resource pool;
Fig. 3 is a schematic flow diagram of the method of an embodiment of the present invention;
Fig. 4 is an architecture diagram of a multi-security-domain shared resource pool scenario according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of security isolation in a layer-2 networking scenario according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the logical composition of the resource pool according to an embodiment of the present invention;
Fig. 7 is a flow chart of a physical server dynamic scheduling scenario according to an embodiment of the present invention.
Specific embodiment
The implementation of the technical solution is described in further detail below with reference to the accompanying drawings.
A method for cross-security-domain resource sharing in a cloud resource pool according to an embodiment of the present invention, as shown in Figure 3, comprises:
Step 101: the cloud computing resource management platform configures a resource pool, planning multiple network security domains in the same resource pool;
Step 102: the cloud computing resource management platform collects data from each network element, including servers, performs performance analysis and obtains the resource demand;
Step 103: the cloud computing resource management platform applies a pre-configured server security policy and dynamically schedules the resources in the same resource pool according to the resource demand, dynamically changing the servers' service-network settings and network security settings, so that servers migrate across security domains within the same resource pool and dynamic resource sharing of servers across security domains is achieved.
In one embodiment, the step in which the cloud computing resource management platform applies the pre-configured server security policy and dynamically schedules resources in the same resource pool according to the resource demand, to dynamically change the servers' service-network settings and network security settings, comprises: the cloud computing resource management platform makes a judgement when scheduling according to the resource demand and obtains a judgement result; if the judgement result is that server resources meeting the resource demand can be reclaimed, the platform reconfigures them; if the judgement result is that server resources meeting the resource demand cannot be reclaimed, the platform enters a reclaim-polling state and reallocates after server resources meeting the resource demand have been reclaimed.
In one embodiment, that step may further comprise: the cloud computing resource management platform confirms, according to the resource scheduling result, the set of servers that need dynamic sharing adjustment; and, according to the security domain corresponding to the resource demand, dynamically configures the network IP configuration and network security policy of the servers in that set and invokes network elements including at least iptables to perform network security control.
In one embodiment, the cloud computing resource management platform configuring the resource pool comprises:
Dividing the resource pool into default fixed resources and adjustable dynamic resources;
The default fixed resources are resources pre-configured according to the system architecture plan that do not need to be changed;
The adjustable dynamic resources are resources that, based on actual resource usage, need to be dynamically scheduled according to service calculations.
In one embodiment, the method further comprises: connecting the service network and the management network of the resource pool to different switches from different network ports of the servers, so that the resource pool is physically independent on the service network and the management network, achieving complete isolation at the physical layer.
The management network provides management services for the resource pool; the service network is the network through which each server on the resource pool provides services externally, and carries the data of each business system.
In one embodiment, the adjustable dynamic resources include: server security policy, service IP address and service-network VLAN;
The method further comprises: according to the business running on the server, and based on the server security policy, enforcing isolation between the management network and the service network so that they cannot reach each other at the physical layer; on the switches, isolating the data of different security domains at the logical level by means of the service-network VLAN, and physically isolating the ports on the switches and the firewall, achieving two-layer network isolation.
In one embodiment, dynamically scheduling resources in the same resource pool according to the analysis result, so that servers migrate across security domains within the same resource pool and dynamic resource sharing of servers across security domains is achieved, comprises: obtaining the current security-domain resource requests in the same resource pool and, according to the analysis result, obtaining the adjustable dynamic resources currently available for scheduling; and realizing the cross-security-domain resource sharing of servers through the adjustable dynamic resources.
In one embodiment, realizing the cross-security-domain resource sharing of servers through the adjustable dynamic resources comprises:
a1. At least one server in a first server set is initialized in the service network to a first security domain;
a2. When it is detected that a server in the first server set has cancelled its association with the first security domain, has been released from the first security domain and is in an idle state, that server is determined to be an idle server, and the idle servers form a second server set;
a3. Resource requests from a second security domain, or from the second through the j-th security domains, are obtained; the cloud computing resource management platform schedules the idle servers in the second server set and associates them with the second security domain (or the second through j-th security domains), so that the idle servers in the second server set work in the second security domain (or the second through j-th security domains), thereby realizing cross-security-domain resource sharing of servers.
A system for cross-security-domain resource sharing in a cloud resource pool according to an embodiment of the present invention comprises a cloud computing resource pool management platform and servers. The cloud computing resource pool management platform is configured to configure a resource pool and plan multiple network security domains in the same resource pool; to collect data from each network element, including servers, perform performance analysis and obtain the resource demand; and to apply a pre-configured server security policy and dynamically schedule the resources in the same resource pool according to the resource demand, dynamically changing the servers' service-network settings and network security settings so that servers migrate across security domains within the same resource pool and dynamic resource sharing of servers across security domains is achieved. The servers are configured to accept the dynamic scheduling of the cloud computing resource pool management platform, migrate across security domains within the same resource pool and achieve dynamic resource sharing across security domains.
In one embodiment, the cloud computing resource management platform is further configured to make a judgement when scheduling according to the resource demand and obtain a judgement result; if the judgement result is that server resources meeting the resource demand can be reclaimed, the platform reconfigures them; if the judgement result is that server resources meeting the resource demand cannot be reclaimed, the platform enters a reclaim-polling state and reallocates after server resources meeting the resource demand have been reclaimed.
In one embodiment, the cloud computing resource management platform is further configured to confirm, according to the resource scheduling result, the set of servers that need dynamic sharing adjustment; and, according to the security domain corresponding to the resource demand, to dynamically configure the network IP configuration and network security policy of the servers in that set and invoke network elements including at least iptables to perform network security control.
In one embodiment, the cloud computing resource management platform is further configured, when configuring the resource pool, to divide the resource pool into default fixed resources and adjustable dynamic resources;
The default fixed resources are resources pre-configured according to the system architecture plan that do not need to be changed; the adjustable dynamic resources are resources that, based on actual resource usage, need to be dynamically scheduled according to service calculations.
In one embodiment, the system further comprises a management network and a service network;
The management network provides management services for the resource pool, and the cloud computing resource pool management platform is located on the management network; the service network is the network through which each server on the resource pool provides services externally, and carries the data of each business system; the multiple network security domains and the resource pool are located on the service network;
The cloud computing resource pool management platform is further configured to manage the scheduling of the resource pool through the management network; by connecting the service network and the management network of the resource pool to different switches from different network ports of the servers, the resource pool is physically independent on the service network and the management network, achieving complete isolation at the physical layer.
In one embodiment, the adjustable dynamic resources include: server security policy, service IP address and service-network VLAN;
The cloud computing resource pool management platform is further configured to control, according to the business running on the server and based on the server security policy, the enforcement of isolation between the management network and the service network so that they cannot reach each other at the physical layer;
and to control, on the switches, the isolation of the data of different security domains at the logical level by means of the service-network VLAN, with the ports on the switches and the firewall physically isolated, achieving two-layer network isolation.
In one embodiment, the cloud computing resource pool management platform is further configured to obtain the current security-domain resource requests in the same resource pool, to obtain according to the analysis result the adjustable dynamic resources currently available for scheduling, and to realize cross-security-domain resource sharing of servers through the adjustable dynamic resources.
In one embodiment, the cloud computing resource pool management platform is further configured so that, with at least one server in a first server set initialized in the service network to a first security domain, when it detects that a server in the first server set has cancelled its association with the first security domain, has been released from the first security domain and is in an idle state, it determines that server to be an idle server and forms a second server set from the idle servers; it obtains resource requests from a second security domain (or from the second through j-th security domains), schedules the idle servers in the second server set and associates them with the second security domain (or the second through j-th security domains), so that the idle servers in the second server set work in the second security domain (or the second through j-th security domains), thereby realizing cross-security-domain resource sharing of servers.
The application scenarios of the embodiment of the present invention are described below:
For the scenario of x86-architecture rack-mounted PC servers, the embodiment of the present invention provides a scheme for sharing x86 rack-mounted PC servers across security domains within a cloud resource pool. In short, through the network design of the equipment and the adjustment of the server-to-switch link mode, and using the cloud computing resource management platform as the administration tool, x86 rack-mounted PC servers float across security domains within the same resource pool, so that computing resources are shared within that pool. That is, dynamic migration of x86 rack-mounted PC server resources across security domains is achieved, solving the problem of sharing physical server resources dynamically across security domains. This both raises resource utilization and satisfies the safety standard requirements of the network security domains, guaranteeing network security while improving resource utilization, and so meets both demands.
Specifically, the approach of "resource sharing between the security domains within one resource pool" is adopted: one large resource pool is planned jointly for all network security domains, while the cloud computing resource pool management platform performs performance data collection, analysis, alarming and dynamic scheduling on the resources in the pool, so that resource sharing between different security domains is achieved flexibly. At the same time, layer-2 networking technology is used within the resource pool to achieve logical security isolation of the resources of different security domains, ensuring that the existing security boundaries of the security domains remain unchanged. The scheme mainly comprises the following:
One, in the cloud resource pool made up of physical servers, resource sharing of physical servers across security domains is achieved through flexible scheduling control of the dynamic resources. The service network and the management network of the cloud resource pool are physically independent: the management network and the service network connect from different network ports of each physical host to different physical network switches, achieving complete isolation at the physical layer. The management network belongs to the internal management system and serves the management of the cloud resource pool; the cloud computing resource pool management platform sits on the management network, which carries data such as resource pool configuration management, data collection, dynamic resource adjustment, performance data and alarms. The service network is the network through which each application server provides services externally; the data it carries on the cloud resource pool are the data of the individual business systems.
Two, the core is the cloud computing resource pool management platform, which carries out management and scheduling of the resource pool through the management network. The cloud resource pool is divided into two parts: preset fixed resources and adjustable dynamic resources. Achieving resource sharing of physical servers across security domains through flexible scheduling control of the adjustable dynamic resources is the core technology of the invention. Adjustable dynamic resources are those that, according to the actual usage of resources, need to be scheduled dynamically as computed from business needs. Through dynamic scheduling of resources, sharing of resources across security domains is achieved easily and flexibly, improving resource utilization.
Three, the dynamic resources mainly comprise the server security policy, the service IP address and the service network VLAN. According to the services it runs, a server is configured with a specific security policy, so that the management network and the service network are isolated and cannot reach each other. On the switch, the data of different security domains are logically isolated by VLAN, and the switch and the firewall ports are physically isolated, achieving resource sharing of physical servers across security domains with genuine two-layer network isolation.
Fig. 4 is an architecture diagram of the multi-security-domain shared resource pool scenario of the embodiment of the present invention. The architecture mainly involves the cloud resource pool (e.g. x86 rack-mounted PC servers), the cloud computing resource pool management platform, the management network, the service network and the individual network security domains. The service network and the management network are independent of each other; the cloud computing resource management platform sits on the management network and performs management and scheduling of the resource pool through it, which improves the security of the management platform by keeping it clear of production network traffic. Multiple network security domains (network security domain 1 to network security domain n) sit within one cloud resource pool, which is controlled by the cloud computing resource pool management platform and schedules resources dynamically. The network security domains and the cloud resource pool are located on the service network.
Fig. 5 is a schematic of security isolation in the layer-2 networking scenario of the embodiment of the present invention. The logical architecture of the resource pool, as shown in Fig. 5, specifically comprises the physical servers, the service network interface bonding devices (BOND), the switches, the management platform and the network security domains (Secure Zones). The embodiment achieves resource sharing across network security domains, while preserving the security boundaries of the security domains, through the planning, configuration and flexible scheduling of each component in the logical architecture. The data flow between servers of different security domains is shown by the bold dashed lines in Fig. 5.
Fig. 6 is a schematic of the logical composition of the resource pool in the embodiment of the present invention. As can be seen from Fig. 6, the logical composition of the resource pool mainly comprises:
(1) Management network switch (M-SW): interconnects the resource pool equipment with the management platform;
(2) Server management port (eth0): connects to the management network;
(3) Server management IP address: the IP address of the server on the management network;
(4) Server security policy: the policy controlling information exchange between the server and the management and service networks. Basic principles: a. the management network and the service network do not interconnect; b. the server's management network is open only to the management platform, and servers are not permitted to communicate with each other through the management network; c. the server's service network provides only the specified service data exchange, and system users are not permitted to log in to the server through the service network; d. the security policy is adjusted dynamically by the management platform;
(5) Server service IP address: the IP address providing service data exchange, set dynamically by the resource management platform according to the specific business need; the IP address is configured on the virtual interface bond0.xxx, where xxx is the VLAN ID of the VLAN the service IP address belongs to;
(6) Server service network port binding (bond0): the service network interface bonding device, bond0 by default;
(7) Server service network interfaces: the server network interfaces connected to the service switch, two interfaces by default;
(8) Service link: the interconnecting link between the server service network interfaces and the service switch; the switch port of this link must work in trunk mode;
(9) Service VLAN: the VLAN on the service switch (S-SW); the cloud computing resource management platform adjusts the VLANs on the switch dynamically according to business demand;
(10) Security link: the data link between the service switch and the firewall;
(11) Secure Zone: the network security domain as planned by the original production network, which has specific network security boundaries and safety standard requirements; different security domains interconnect through the core switching area.
The cloud computing resource pool management platform carries out scheduling through the management network. The embodiment of the present invention divides the resource pool in advance into two parts: preset fixed resources and adjustable dynamic resources. Achieving resource sharing of physical servers across security domains through flexible scheduling control of the adjustable dynamic resources is the core of the invention, and is described in detail below:
1) Preset fixed resources
Preset fixed resources are those that are planned according to the system architecture and can be configured in advance; under normal circumstances this part of the resource configuration does not need to be modified, which ensures the stability, reliability and security of the whole cloud computing system architecture. The fixed resources mainly comprise (1) the M-SW, (2) the server network interfaces, (3) the server management IP address, (6) the service network interface bonding, (7) the server service network interfaces, (8) the service data link, (10) the security link and (11) the Secure Zones. They are deployed as follows:
First part: items (1), (2), (7), (8), (10) and (11) above are interconnected and configured in advance according to the resource pool plan, so that the physical links between all resource pool equipment are fixed; at the same time the management IP address (3) is assigned to the management port (2);
Second part: the bond part of item (6), the server service network port binding (bond0), bonds the two service network interfaces of the server; the operating mode of the bonding device bond0 should be 4 (BONDING_OPTS="mode=4");
2) Adjustable dynamic resources
Adjustable dynamic resources are those that, according to the actual usage of resources, need to be scheduled dynamically as computed from business needs. Through dynamic scheduling of resources, sharing of resources across security domains is achieved easily and flexibly, improving resource utilization. The dynamic resources mainly comprise:
First part: item (4), the server security policy, which the resource management platform adjusts dynamically according to the actual services running on the server;
Second part: item (5), the server service IP address, which the cloud computing resource management platform allocates and reclaims dynamically; the service IP address is set on the virtual interface bond0.xxx (where xxx represents the VLAN ID of the VLAN the service IP address belongs to), and the resources allocated and reclaimed also include the gateway of the service network segment;
Third part: item (9), the service network VLAN; the cloud computing resource management platform adjusts the VLANs on the switch according to the actual situation and permits only the specific VLAN traffic to pass on the port interconnected with the server.
Fig. 7 is a flowchart of the dynamic physical server scheduling scenario of the embodiment of the present invention. For dynamic resource sharing, the embodiment has the cloud computing resource pool management platform use and analyze the information on the preset fixed resources and the adjustable dynamic resources, allocate resources, check security-domain network access and associate the scheduled resources, so that computing resources are deployed rapidly across security domains and allocated dynamically, meeting the resource requests of every security domain within the same resource pool. Idle resources can be released and reclaimed by cancelling their association with the dynamic resources of the corresponding security domain, truly realizing the elasticity and scalability of the resource pool under cloud computing. The detailed flow of resource sharing across security domains is described with reference to Fig. 7, and comprises the following initial configuration process and the resource request sharing process of steps 201 to 208.
Initial configuration process: a physical server to be allocated is in the default configuration state. Its remote out-of-band management interface is remotely accessible, and its management interface is remotely accessible; there is no IP address on the service network interfaces, and the service interfaces are interconnected with the service switch through a trunk interface whose link state is physically UP but logically DOWN. The server's security configuration permits only the designated system user (scmcc) to log in remotely via SSH from the designated IP addresses (the management network); no other user is permitted to log in remotely, and apart from SSH the server provides no service externally. In short, a physical server in the to-be-allocated state provides only a restricted SSH service and no other service.
Step 201: the user submits the physical server resource requirement to the cloud resource pool management platform; the requirement contains information such as the number of resources, the resource configuration requirement, the resource usage and the security domain the resources belong to, as shown in Table 1 below;
Table 1
It should be pointed out that in the network port bondx.12 in Table 1, bondx refers to the network interface used by the service network (such as bond0 or bond1) and 12 refers to the VLAN ID where the specific service IP address resides.
Step 202: the cloud resource pool management platform matches the user's resource requirement against the idle physical server state in the resource pool; if the pool currently has enough idle resources to satisfy the demand, step 204 follows; if there are no idle resources, step 203 follows;
Here, an idle physical server can communicate with the management platform through the management network, but the server does not belong to any service network security domain. "Across security domains" in this scheme refers to the security domains of the service network. For example: a physical server initially works in security domain X of the service network; after a period of time the server is released from security domain X of the service network and is idle; when security domain Y of the service network needs an additional physical server, the management platform can make this server work in security domain Y of the service network.
Step 203: the cloud resource pool management platform schedules according to the resource requirement; if enough physical server resources can be reclaimed, they are handed to the cloud resource pool management platform to be reconfigured; if enough physical servers cannot be reclaimed, the platform stays in the reclaim polling state until enough physical servers have been reclaimed and handed to the resource pool management platform for reallocation.
Step 204: the cloud resource pool management platform confirms, according to the resource scheduling result, the server set A that needs dynamic sharing adjustment;
Step 205: the cloud resource pool management platform dynamically configures, according to the required security domain, the network IP configuration and network security policy of the physical servers in server set A, as shown in Table 2 below;
Management IP address    Service IP address    Default gateway    Host name
10.95.1.4                10.112.110.86         10.112.110.1       webservice1
10.95.1.7                10.112.110.88         10.112.110.1       webservise2
Table 2
In this step, the cloud computing resource management platform first checks whether the operating system on the server meets the requirement and, if not, calls the installation and deployment system to prepare the operating system; then, according to the content of the user's request, it configures the management network settings of the operating system, including the management IP address and gateway, followed by the service IP address and its gateway.
Next, the cloud computing resource management platform applies security settings to the operating system by distributing configuration files through the operation and maintenance tools, in two parts: general security settings, and individual security settings for the specific service. Security techniques such as iptables, PAM and RBAC can be used here.
For the general security settings: 1) on the network security side, the iptables tool permits only the cloud computing resource management platform and the jump host to access the SSH service and to ping the server's management IP address, and refuses all other network traffic; 2) on the operating system security side, the server port of the SSH remote login service is changed from the default TCP port 22 to a high port above 1024, such as TCP port 41022; through PAM, only the user intended for operating system administration, such as osadm, may log in remotely, and all other system users are refused login; only the operating system administration user (osadm) is permitted to switch user (su); and the strength and complexity of user passwords are enforced.
For the security settings of the specific service: 1) on the network security side, iptables opens the specific service port on the service network, for example TCP 80 on the service network, and permits the server's service IP address to be pinged through the service network; 2) on the system security side, PAM permits the operating system user related to the service, such as oracle, to log in to the system via SSH from the jump host, and restricts the service-related operating system user from logging in to other systems from this server (except for servers with which a trust relationship has been established for business reasons).
Table 3 below shows, for the server whose management address is 10.95.1.4 (belonging to server set A), a comparison of the network security before and after configuration by the cloud management platform:
Table 3
As can be seen from Table 3, before the server is allocated the management network is available while the service network is not configured at all, i.e. the server does not belong to any service network. Therefore, before allocation the server can only communicate with the cloud management platform. After the server is allocated, its management network remains unchanged and only the service network is added; from the security policy of the service network it can be seen that the service network provides only service information externally, non-service information cannot be exchanged through the service network, and all management-related operations on the server must be carried out through the management platform or the designated jump host.
The core of moving a physical server across security domains is that the cloud management platform dynamically changes the server's service network settings and invokes iptables for network security control. At the same time, system user security is restricted using techniques such as PAM and RBAC, to enhance the security of the system.
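The service network settings of items (5) and (6) above (the bond0.xxx VLAN sub-interface, Table 2) together with the iptables and PAM settings of step 205, rendered as an added example; this is not code from the patent or the applicant. The management and service addresses are the constructed ones from Table 2 and the SSH port 41022 is the example given above; the netmask, the management platform and jump host addresses, and the use of pam_access are assumptions.

```shell
#!/bin/sh
# Added example, not code from the patent or the applicant. Renders the
# per-server configuration the management platform pushes when a physical
# server is moved into a business security domain (step 205), and the
# reduced configuration of a released, idle server. Output is text only;
# nothing here touches the running host.
# Constructed values: addresses from Table 2. Assumed: the netmask, the
# platform and jump-host addresses below, and pam_access as the PAM module.
PLATFORM_IP=10.95.0.10   # assumed address of the resource management platform
JUMP_IP=10.95.0.11       # assumed address of the jump host

# Fixed resource: bond0 over the two service NICs, bonding mode 4 (LACP).
gen_bond_cfg() {
  printf 'DEVICE=%s\nBONDING_OPTS="mode=4"\nONBOOT=yes\nBOOTPROTO=none\n' "$1"
}

# 802.1Q VLAN IDs run 1..4094; refuse anything else instead of writing it out.
valid_vlan_id() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 4094 ]; then return 0; fi
  return 1
}

# Dynamic resource: bondX.<vlan> carrying the service IP and its gateway.
gen_vlan_cfg() {
  bond=$1; vlan=$2; ip=$3; mask=$4; gw=$5
  valid_vlan_id "$vlan" || return 1
  printf 'DEVICE=%s.%s\nVLAN=yes\nONBOOT=yes\nBOOTPROTO=none\n' "$bond" "$vlan"
  printf 'IPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' "$ip" "$mask" "$gw"
}

# General security: the management address answers SSH (on the high port)
# and ping only for the platform and the jump host; everything else sent
# to it is dropped. These are stateless INPUT rules; OUTPUT is left open.
gen_mgmt_rules() {
  mgmt_ip=$1; ssh_port=$2; shift 2
  for src in "$@"; do
    printf 'iptables -A INPUT -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
      "$src" "$mgmt_ip" "$ssh_port"
    printf 'iptables -A INPUT -s %s -d %s -p icmp --icmp-type echo-request -j ACCEPT\n' \
      "$src" "$mgmt_ip"
  done
  printf 'iptables -A INPUT -d %s -j DROP\n' "$mgmt_ip"
}

# Service-specific security: only the listed TCP ports and ping on the
# service address are reachable through the service network.
gen_biz_rules() {
  svc_ip=$1; shift
  for port in "$@"; do
    printf 'iptables -A INPUT -d %s -p tcp --dport %s -j ACCEPT\n' "$svc_ip" "$port"
  done
  printf 'iptables -A INPUT -d %s -p icmp --icmp-type echo-request -j ACCEPT\n' "$svc_ip"
  printf 'iptables -A INPUT -d %s -j DROP\n' "$svc_ip"
}

# sshd_config fragment moving the service off TCP 22.
gen_sshd_cfg() { printf 'Port %s\n' "$1"; }

# pam_access (/etc/security/access.conf) lines from "user:origin" specs:
# the named accounts may log in from the given origin, all others are denied.
gen_access_conf() {
  for spec in "$@"; do printf '+ : %s : %s\n' "${spec%%:*}" "${spec#*:}"; done
  printf '%s\n' '- : ALL : ALL'
}

# Server assigned to a security domain: VLAN sub-interface with the service
# IP, management rules, service rules, admin (osadm) login from anywhere the
# firewall admits and service user (oracle) login from the jump host only.
# Fails, emitting nothing further, on a bad VLAN ID.
render_assigned() {
  bond=$1; vlan=$2; svc_ip=$3; mask=$4; gw=$5; mgmt_ip=$6; ssh_port=$7; shift 7
  gen_vlan_cfg "$bond" "$vlan" "$svc_ip" "$mask" "$gw" || return 1
  gen_sshd_cfg "$ssh_port"
  gen_mgmt_rules "$mgmt_ip" "$ssh_port" "$PLATFORM_IP" "$JUMP_IP"
  gen_biz_rules "$svc_ip" "$@"
  gen_access_conf osadm:ALL "oracle:$JUMP_IP"
}

# Released (idle) server: bond kept, no service address, management rules
# only, and only the default account (scmcc) may log in.
render_released() {
  bond=$1; mgmt_ip=$2; ssh_port=$3
  gen_bond_cfg "$bond"
  gen_sshd_cfg "$ssh_port"
  gen_mgmt_rules "$mgmt_ip" "$ssh_port" "$PLATFORM_IP" "$JUMP_IP"
  gen_access_conf scmcc:ALL
}

# Example: the first row of Table 2 joining VLAN 12 with TCP 80 open.
# render_assigned bond0 12 10.112.110.86 255.255.255.0 10.112.110.1 10.95.1.4 41022 80
```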
Step 206: the deployment system of the cloud resource pool management platform performs service deployment on server set A according to the requirement, including the creation of operating system users and the like;
Step 207: the cloud resource pool management platform configures the corresponding switch according to the VLAN of the service IP address, restricting the VLAN traffic on the switch interconnect port; traffic of unrelated VLANs is refused;
Step 208: the cloud resource pool management platform updates the resource pool information according to the resource sharing scheduling result and delivers the scheduled resources to the requesting user;
At this point the process of resource sharing across security domains ends.
Using the embodiment of the present invention, through coordinated management of x86 rack-mounted PC servers and switches by the cloud computing resource management platform, together with enforcement of the network and operating system security policies of the physical servers, dynamic resource scheduling is achieved. Compared with the prior art, the security domains within the same resource pool truly share physical server resources while the existing security-domain network architecture and security policies remain unchanged.
If the integrated modules described in the embodiment of the present invention are implemented in the form of software functional modules and sold or used as an independent product, they may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiment, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the method of each embodiment of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc. Thus the embodiment of the present invention is not limited to any specific combination of hardware and software.
Correspondingly, the embodiment of the present invention also provides a computer storage medium storing a computer program for executing the method of resource sharing across security domains in a cloud resource pool of the embodiment of the present invention.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the invention.

Claims (10)

1. A method of resource sharing across security domains in a cloud resource pool, characterized in that the method comprises:
a cloud computing resource management platform configures a resource pool, planning multiple network security domains within the same resource pool;
the cloud computing resource management platform collects data of each network element, including servers, and performs performance analysis to obtain a resource requirement;
the cloud computing resource management platform adopts a pre-configured server security policy and, according to the resource requirement, performs dynamic resource scheduling within the same resource pool, so as to dynamically change the service network settings and network security settings of a server, so that the server migrates across security domains within the same resource pool, achieving dynamic resource sharing of the server across security domains;
wherein the cloud computing resource management platform adopting the pre-configured server security policy and performing dynamic resource scheduling within the same resource pool according to the resource requirement, so as to dynamically change the service network settings and network security settings of the server, further comprises:
the cloud computing resource management platform confirms, according to the resource scheduling result, the server set that needs dynamic sharing adjustment;
the cloud computing resource management platform dynamically configures, according to the security domain corresponding to the resource requirement, the network IP configuration and network security policy of the servers in the server set, and invokes network elements including at least iptables to perform network security control.
2. The method according to claim 1, characterized in that the cloud computing resource management platform adopting the pre-configured server security policy and performing dynamic resource scheduling within the same resource pool according to the resource requirement, so as to dynamically change the service network settings and network security settings of the server, comprises:
the cloud computing resource management platform makes a judgement when scheduling according to the resource requirement, obtaining a judgement result;
if the judgement result is that server resources meeting the resource requirement can be reclaimed, they are reconfigured by the cloud computing resource management platform;
if the judgement result is that server resources meeting the resource requirement cannot be reclaimed, the cloud computing resource management platform stays in the reclaim polling state and reallocates once the server resources for the resource requirement have been reclaimed.
3. The method according to claim 1 or 2, characterized in that the cloud computing resource management platform configuring the resource pool comprises:
dividing the resource pool into preset fixed resources and adjustable dynamic resources;
the preset fixed resources being resources pre-configured according to the system architecture plan that do not need to be modified;
the adjustable dynamic resources being resources that, based on the actual usage of resources, need to be scheduled dynamically as computed from business needs.
4. The method according to claim 3, characterized in that the method further comprises:
connecting the service network and the management network of the resource pool from different network ports of the servers to different switches, so that the resource pool is physically independent on the service network and on the management network, achieving complete isolation at the physical layer;
the management network providing management services for the resource pool; the service network being the network through which each server on the resource pool provides services externally, and carrying the data of each business system.
5. The method according to claim 4, characterized in that the adjustable dynamic resources comprise:
the server security policy, the service IP address and the service network VLAN;
and the method further comprises:
according to the services running on the server and based on the server security policy, enforcing isolation between the management network and the service network, so that they cannot reach each other at the physical layer;
on the switch, isolating the data of different security domains at the logical level by means of the service network VLAN, with the switch physically isolated from the firewall by separate ports, achieving two-layer network isolation.
6. The method according to claim 5, characterized in that performing dynamic resource scheduling within the same resource pool according to the resource requirement, so as to dynamically change the service network settings and network security settings of the server, so that the server migrates across security domains within the same resource pool, achieving dynamic resource sharing of the server across security domains, comprises:
obtaining the current security-domain resource requests within the same resource pool and, according to the resource requirement, obtaining the adjustable dynamic resources currently available for scheduling;
achieving resource sharing of the server across security domains through the adjustable dynamic resources.
7. The method according to claim 6, characterized in that achieving resource sharing of the server across security domains through the adjustable dynamic resources comprises:
initializing at least one server in a first server set into a first security domain of the service network;
when it is detected that a server in the first server set has been disassociated from the first security domain, released from it and left idle, determining that server to be an idle server, the idle servers forming a second server set;
obtaining the resource request of a second security domain, or of the second to j-th security domains, the cloud computing resource management platform scheduling the idle servers in the second server set to be associated with the second security domain, or the second to j-th security domains, accordingly, so that the idle servers in the second server set work in the second security domain, or the second to j-th security domains, thereby achieving resource sharing of the server across security domains.
8. A system of resource sharing across security domains in a cloud resource pool, characterized in that the system comprises:
a cloud computing resource pool management platform, for configuring a resource pool, planning multiple network security domains within the same resource pool; collecting data of each network element, including servers, and performing performance analysis to obtain a resource requirement; adopting a pre-configured server security policy and, according to the resource requirement, performing dynamic resource scheduling within the same resource pool, so as to dynamically change the service network settings and network security settings of a server, so that the server migrates across security domains within the same resource pool, achieving dynamic resource sharing of the server across security domains;
the server, for accepting the dynamic scheduling of the cloud computing resource pool management platform and migrating across security domains within the same resource pool, achieving dynamic resource sharing across security domains;
the cloud computing resource management platform being further configured to confirm, according to the resource scheduling result, the server set that needs dynamic sharing adjustment; to dynamically configure, according to the security domain corresponding to the resource requirement, the network IP configuration and network security policy of the servers in the server set; and to invoke network elements including at least iptables to perform network security control.
9. The system according to claim 8, characterized in that the cloud computing resource management platform is further configured to make a judgement when scheduling according to the resource requirement, obtaining a judgement result; if the judgement result is that server resources meeting the resource requirement can be reclaimed, they are reconfigured by the cloud computing resource management platform; if the judgement result is that server resources meeting the resource requirement cannot be reclaimed, the cloud computing resource management platform stays in the reclaim polling state and reallocates once the server resources for the resource requirement have been reclaimed.
10. The system according to claim 9, characterized in that the cloud computing resource management platform is further configured so that, with at least one server in a first server set initialized into a first security domain of the service network, when it detects that a server in the first server set has been disassociated from the first security domain, released from it and left idle, it determines that server to be an idle server, the idle servers forming a second server set; it obtains the resource request of a second security domain, or of the second to j-th security domains, and schedules the idle servers in the second server set to be associated with the second security domain, or the second to j-th security domains, accordingly, so that the idle servers in the second server set work in the second security domain, or the second to j-th security domains, thereby achieving resource sharing of the server across security domains.
CN201510089965.7A 2015-02-27 2015-02-27 Method and system across security domain resource-sharing in a kind of cloud resource pond Active CN105991738B (en)

Publications (2)

Publication Number Publication Date
CN105991738A CN105991738A (en) 2016-10-05
CN105991738B true CN105991738B (en) 2019-05-14

Family

ID=57038864

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant